Cybersecurity Training

Security awareness training your team will

Phishing simulation and security awareness training for Canadian SMBs: program structure, click-rate benchmarks, PIPEDA/Law 25 compliance evidence, CA$ pricing tiers, and real ROI numbers.

Updated June 2026 · Vendor-neutral guide for Canadian businesses · Deployed on-site by IT Cares

Image: Canadian SMB employees reviewing phishing simulation results on laptops in a Toronto office, with a security awareness training dashboard visible on the main screen. Caption: Simulated phishing campaigns combined with structured e-learning modules measurably reduce click rates within 90 days for most Canadian SMBs.
QUICK ANSWER

Security awareness training combines short e-learning modules with simulated phishing attacks to build a team that spots and reports threats before they become breaches. For Canadian SMBs, a well-run program reduces phishing click rates from roughly 12% to under 3% within 12 months, produces PIPEDA-ready audit documentation, and typically costs CA$8–$28 per user per month depending on whether you run it yourself or use a managed service.

Phishing is the entry point for the majority of Canadian SMB breaches — and it targets people, not software. This guide covers program design, simulated phishing mechanics, Canadian compliance obligations, and CA$ pricing tiers with ROI numbers. Explore the full Small Business Cybersecurity guide, or jump to the PIPEDA and Law 25 compliance framework. Want it implemented for your team? IT Cares provides managed cybersecurity training and phishing simulation for Canadian businesses.

What Is Security Awareness Training?

Security awareness training is a structured program that teaches employees to recognize and respond correctly to cyberattacks. The primary focus is phishing — the technique used in the majority of documented Canadian SMB breaches — but effective programs also cover social engineering, credential theft, business email compromise (BEC), and the specific data-handling obligations that apply under Canadian privacy law.

The goal is not to turn every staff member into a security analyst. It is to remove the low-hanging fruit that attackers harvest every day: the employee who clicks a fake DocuSign link, enters their Microsoft 365 password on a convincing lookalike page, and unknowingly hands an attacker the keys to the network. That specific sequence of events — phishing email, credential submission, unauthorized access — accounts for the vast majority of initial access events against Canadian SMBs according to data from the Canadian Centre for Cyber Security (cyber.gc.ca).

A complete security awareness program has two interlocking components. The first is education content: short, engaging modules (typically 4–8 minutes each) delivered through a learning management system. Each module covers a specific threat type and ends with a brief quiz that reinforces the key recognition signals. The second component is simulated phishing: controlled, fake phishing emails sent to your own staff at scheduled intervals to test whether the training is actually changing behaviour. Both components are essential. Education without testing produces knowledge that decays. Testing without education produces anxiety without improvement.

Security awareness training differs fundamentally from a one-time lunch-and-learn or an annual compliance video. Effective programs are ongoing: new content is introduced quarterly, simulations run at least monthly, and click-rate trends are tracked and reported. Employees who fail a simulation receive immediate, non-punitive feedback explaining what they missed and why it worked — a teachable moment delivered within seconds, not days. This approach, supported by research published by Proofpoint, KnowBe4, and the CCCS, consistently produces the fastest and most durable improvement in organizational click rates.

A one-off annual training event can satisfy the letter of an HR policy. It will not meaningfully change the probability that your team clicks a well-crafted phishing email six months from now. The distinction matters because the email that arrives in March with a convincing CRA assessment notice or a spoofed Microsoft 365 login prompt looks nothing like the generic training video from the previous October.

The Canadian Phishing Threat Landscape

Canada presents an attractive target profile for cybercriminals for specific structural reasons. The country has a high proportion of small and medium businesses operating in regulated, data-rich sectors — professional services, healthcare, finance, and legal — that hold valuable personal information but lack the security headcount to defend it. The CIRA Cybersecurity Survey 2024 found that 59% of Canadian organizations experienced at least one significant cyber incident in the previous year. Of those incidents, 23% led to documented data loss or a regulated breach notification requirement.

The phishing problem is more acute than most business owners realize. Data from the CCCS shows that email-borne threats account for over 90% of initial access events against Canadian SMBs. Attackers do not need to breach a firewall or exploit a software vulnerability when they can simply send a convincing email to a staff member who has access to everything they want. The human is the attack surface, and training is the patch.

The financial exposure is not theoretical. IBM's Cost of a Data Breach Report 2024 put the average total breach cost for Canadian organizations at CA$6.94 million — a figure that includes business interruption, regulatory exposure, legal fees, notification and remediation costs, and forensic investigation. For an SMB with 20 employees, even a fraction of that exposure — say CA$150,000 in downtime, IT recovery, and breach-notification compliance — represents a potentially company-ending event.

Canadian phishing lures are highly specific and updated continuously. Tax-season attacks impersonate the Canada Revenue Agency with spoofed refund notices and My Account credential resets that peak between February and April. Benefits-related attacks impersonate Service Canada and ESDC. Healthcare phishing campaigns target clinic staff with fake eHealth credential prompts. Law firms and accounting practices receive fake wire transfer approvals that appear to come from a named senior partner, an attack type known as Business Email Compromise (BEC), which the RCMP's National Cybercrime Coordination Centre (NC3) identified as the top financial cybercrime by dollar value in Canada in both 2023 and 2024.

The seasonal pattern matters for program design. A security awareness training program that runs CRA impersonation simulations in January, vendor invoice fraud simulations in spring, and delivery-notification lures in November is teaching staff to recognize the attacks that will actually reach their inboxes, rather than generic scenarios from a vendor's default content library.

The cost of not running a program is not zero. It is the ongoing probability of a successful attack multiplied by the expected cost of the resulting breach — a probability that Canadian insurers, regulators, and the threat intelligence community agree is increasing year over year for businesses in the SMB segment.

The Four Components of an Effective Program

An organization that implements only one or two of the following components sees modest, temporary click-rate improvement that decays within 60–90 days. A program that runs all four in parallel produces durable behaviour change that compounds over 12 months.

1. Core curriculum. A foundation of 8–12 modules covering the threat landscape relevant to your industry. Modules must be short (5–8 minutes), scenario-based, and end with a quiz that tests comprehension, not just recall. Content must be current: a phishing awareness module built in 2021 will not address QR code phishing, AI-generated deepfake voice attacks (vishing), or Microsoft Teams-based social engineering — all of which appear in documented Canadian incidents since 2023. Your training vendor should update their library at minimum quarterly; verify this before signing a multi-year contract.

2. Simulated phishing campaigns. Controlled fake phishing emails sent to your staff on a defined schedule. A quality simulation library contains hundreds of templates across multiple attack types — credential harvesting, malicious attachment lures, fake invoice approvals, impersonated executives — and includes Canada-specific scenarios: CRA notices, major Canadian bank alerts, Canada Post delivery notifications, and Microsoft 365 / Google Workspace login prompts. Campaigns are tracked by three metrics: click rate, credential submission rate, and report rate.

3. Immediate feedback loops. When an employee clicks a simulated phishing link, they should not receive a delayed email saying they failed. They should land on an immediate educational page explaining exactly what visual signals they missed — the mismatched sender domain, the urgency language, the unexpected request — along with a 3–5 minute micro-module for immediate reinforcement. In-context feedback delivered within seconds of the error is what the research literature shows produces lasting behaviour change. A follow-up remediation video assigned three days later does not.

4. Reporting and trending. A dashboard that tracks your organization's click rate, report rate, module completion rate, and trending over time, benchmarked against your industry peers. This data serves three functions: it tells you whether the program is working, it gives leadership talking points for team communications, and it constitutes documented evidence of organizational safeguards for PIPEDA compliance audits and cyber insurance applications. A program that runs but produces no exportable records has no regulatory value.

How Simulated Phishing Campaigns Work

A simulated phishing campaign begins with template selection. Your platform or managed provider selects one or more phishing email templates from a content library and configures the campaign for your organization. Good libraries offer templates stratified by difficulty: easy (obvious spelling errors, generic sender, implausible premise), moderate (plausible sender domain, relevant subject line, reasonable request), and hard (company-specific context, impersonated known contact, highly convincing visual design). For a first campaign, starting at moderate difficulty produces the most actionable baseline data without triggering widespread confusion or alarm.

The campaign is configured with a send schedule — either a synchronized blast or a staggered send over several days to avoid triggering email security appliances that could tip off staff before the campaign is complete. The platform constructs the email with a spoofed sender address matching the scenario (for example, a CRA impersonation using a domain like cra-arc-gouv.ca), embeds a tracked link to a controlled fake landing page, and delivers it to all enrolled users or a defined cohort.

The platform tracks three outcomes per recipient. Click: the employee clicked the link in the email. Data submission: the employee proceeded to enter credentials or personal information on the fake landing page — the highest-risk behaviour, indicating that the attack would have succeeded completely against a real threat actor. Report: the employee used the organization's designated "Report Phish" button to flag the email as suspicious — the correct response, and the behaviour the program is ultimately trying to build.

Employees who click see an immediate educational landing page. This page shows the exact visual cues they overlooked: the mismatched domain visible on hover, the generic salutation, the urgency trigger phrase, the unusual request type. It typically embeds a 3–5 minute micro-module for immediate reinforcement. Employees who report receive a brief positive message — reinforcement for the correct security behaviour. The aim is to make reporting feel rewarding and clicking feel illuminating, not punishing.

Campaign results compile into a report showing organization-wide click rate, departmental breakdown, trending versus prior campaigns, and industry-benchmark comparison. Most enterprise platforms show a percentile rank, so a 15-person Halifax accounting firm can compare its click rate to similar-sized Canadian professional-services organizations. This context matters: a 9% click rate looks alarming in isolation but is better than the average for a first-campaign organization in a high-phish-volume sector.
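The three per-recipient outcomes described above (click, data submission, report) are what a campaign report is built from. The following is an added example, not a vendor platform's code, showing how those outcomes roll up into the metrics the report presents: per-campaign rates, a departmental breakdown, the trend against the prior campaign, and the repeat-clicker flag. The event records are constructed, and the record schema (campaign, user, dept, clicked, submitted, reported) is an assumption; a submission without a click is rejected as a logging error rather than counted.

```python
"""Aggregate simulated-phishing campaign outcomes into the metrics a campaign
report shows: click, credential-submission and report rates, a departmental
breakdown, the trend versus a prior campaign, and repeat-clicker flags.

Added example; not a vendor platform's code. The event records are constructed
and the schema (campaign, user, dept, clicked, submitted, reported) is assumed.
"""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "campaign user dept clicked submitted reported")

# Constructed sample: two campaigns sent to the same ten recipients (not real data).
EVENTS = [Event(*row) for row in [
    (1, "a.ng",   "Finance", True,  True,  False),
    (1, "b.lee",  "Finance", True,  False, False),
    (1, "c.roy",  "Finance", False, False, True),
    (1, "d.roy",  "Ops",     True,  False, False),
    (1, "e.kim",  "Ops",     False, False, False),
    (1, "f.ali",  "Ops",     False, False, True),
    (1, "g.wu",   "Legal",   False, False, False),
    (1, "h.diaz", "Legal",   True,  True,  False),
    (1, "i.bell", "Legal",   False, False, False),
    (1, "j.park", "Admin",   False, False, False),
    (2, "a.ng",   "Finance", True,  False, False),
    (2, "b.lee",  "Finance", False, False, True),
    (2, "c.roy",  "Finance", False, False, True),
    (2, "d.roy",  "Ops",     True,  False, False),
    (2, "e.kim",  "Ops",     False, False, True),
    (2, "f.ali",  "Ops",     False, False, True),
    (2, "g.wu",   "Legal",   False, False, False),
    (2, "h.diaz", "Legal",   False, False, True),
    (2, "i.bell", "Legal",   False, False, False),
    (2, "j.park", "Admin",   False, False, False),
]]

def _pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def validate(events):
    """A credential submission implies a click; anything else is a logging error
    that would distort the submission rate, so reject it rather than count it."""
    for e in events:
        if e.submitted and not e.clicked:
            raise ValueError("submission without click for %s in campaign %s" % (e.user, e.campaign))
    return True

def campaign_metrics(events, campaign):
    rows = [e for e in events if e.campaign == campaign]
    if not rows:
        raise ValueError("no recipients for campaign %s" % campaign)
    validate(rows)
    n = len(rows)
    clicks = sum(1 for e in rows if e.clicked)
    subs = sum(1 for e in rows if e.submitted)
    reports = sum(1 for e in rows if e.reported)
    return {"recipients": n, "clicks": clicks, "submissions": subs, "reports": reports,
            "click_rate": _pct(clicks, n), "submission_rate": _pct(subs, n),
            "report_rate": _pct(reports, n)}

def department_breakdown(events, campaign):
    """Click rate per department: the view used to decide which cohorts
    (finance, HR, executive assistants) get extra targeted campaigns."""
    by_dept = defaultdict(lambda: {"recipients": 0, "clicks": 0})
    for e in events:
        if e.campaign == campaign:
            by_dept[e.dept]["recipients"] += 1
            by_dept[e.dept]["clicks"] += int(e.clicked)
    for d in by_dept.values():
        d["click_rate"] = _pct(d["clicks"], d["recipients"])
    return dict(by_dept)

def click_rate_trend(events, previous, current):
    """(previous click rate, current click rate, relative improvement in %)."""
    before = campaign_metrics(events, previous)["click_rate"]
    after = campaign_metrics(events, current)["click_rate"]
    improvement = _pct(before - after, before) if before else 0.0
    return before, after, improvement

def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns; the
    candidates for individual remediation rather than another group module."""
    clicked_in = defaultdict(set)
    for e in events:
        if e.clicked:
            clicked_in[e.user].add(e.campaign)
    return sorted(u for u, cs in clicked_in.items() if len(cs) >= min_campaigns)

if __name__ == "__main__":
    for c in (1, 2):
        print("campaign", c, campaign_metrics(EVENTS, c))
    print("trend", click_rate_trend(EVENTS, 1, 2))
    print("repeat clickers", repeat_clickers(EVENTS))
```

Run as a script, the sample data gives a 40% baseline click rate falling to 20% in the second campaign (a 50% relative improvement) while the report rate rises from 20% to 50%, which is the pattern the page describes as a program taking hold; the two users flagged by `repeat_clickers` are the ones a managed program would route to individual follow-up.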

For Canadian organizations, a practical simulation cadence is: monthly campaigns during the first six months to build a fast improvement curve, then bi-monthly once click rates stabilize below 5%. Finance, HR, and executive assistant cohorts — roles with payment authority or access to sensitive personnel data — benefit from additional targeted campaigns at all stages of the program regardless of overall organizational performance.

Phishing Click-Rate Benchmarks for Canadian SMBs

The following benchmarks draw from aggregated platform data published by Proofpoint and KnowBe4 in their 2024 annual reports, cross-referenced with CCCS guidance and the Verizon Data Breach Investigations Report 2024. Canadian-specific figures are given where available, and North American SMB data elsewhere.

The report rate is as strategically significant as the click rate. A team with a 3% click rate and a 40% report rate is materially more secure than one with a 3% click rate and a 5% report rate, because active reporters function as a human sensor network. Real phishing campaigns sent to 50-person organizations often produce 2–3 clicks. If 20 of those 50 people report the suspicious email to IT within minutes, the security team can contain the damage before those 2–3 clicks have time to propagate into a full credential-compromise event.

Training Modules: What to Cover and When

A Canadian SMB security awareness curriculum should cover the following topics over a 12-month cycle. The order is not arbitrary: foundational modules addressing the highest-probability threats come first. Compliance-specific and vertical content comes later, once staff have the base knowledge to contextualize it.

Months 1–2: Phishing and Social Engineering. The mechanics of phishing — how emails are constructed, why they work psychologically, and the five visual cues that expose a fake: mismatched sender domain on hover, urgency language designed to suppress deliberate thought, generic salutation (Dear Customer/Valued User), a link destination that does not match the sender organization, and an unusual request (reset a password, approve a payment, verify an account). Include Canadian-specific lures: CRA, Service Canada, major Canadian banks (RBC, TD, Scotiabank), and common SaaS platforms used in Canadian businesses (Microsoft 365, QuickBooks Online, DocuSign, Shopify).
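The five cues listed above are the same ones the immediate feedback page highlights for an employee who clicked (the mismatched domain visible on hover, the generic salutation, the urgency phrase, the unusual request). The following is an added example, not code from the page or any training vendor, that checks a message body for those five cues so the reader can see each one expressed as a concrete test. Both messages are constructed; the phrase lists, the regular expressions and the expected-domain inputs are assumptions, and the domain comparison is deliberately crude (last two labels, no public-suffix list), so it is a teaching aid rather than a mail filter.

```python
"""Flag the five visual cues the curriculum teaches on a message body.

Added example, not code from the page or any training vendor. The two messages
below are constructed; the phrase lists, the regexes and the expected-domain
inputs are assumptions, and the domain check is deliberately crude (last two
labels, no public-suffix list), so treat it as a teaching aid, not a filter.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_PHRASES = ("within 24 hours", "immediately", "will be suspended", "urgent", "final notice")
GENERIC_SALUTATIONS = ("dear customer", "dear valued user", "dear user", "dear client",
                       "dear account holder")
UNUSUAL_REQUESTS = ("verify your account", "reset your password", "approve this payment",
                    "confirm your identity", "update your banking details")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def registrable_domain(host):
    # Crude: keeps the last two labels only (no public-suffix list).
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def belongs_to(host, expected_domains):
    return any(registrable_domain(host) == registrable_domain(d) for d in expected_domains)

def analyze_message(from_header, body_html, expected_domains):
    """Return the cues found, in the order a feedback page would list them.
    expected_domains: the domains the claimed sender organisation really uses."""
    cues = []
    _, addr = parseaddr(from_header)
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # 1. Display name claims an organisation but the address domain is not theirs.
    if not belongs_to(sender_host, expected_domains):
        cues.append("sender_domain_mismatch")
    text = TAG_RE.sub(" ", body_html).lower()
    # 2. Urgency language meant to suppress deliberate thought.
    if any(p in text for p in URGENCY_PHRASES):
        cues.append("urgency_language")
    # 3. Generic salutation instead of the recipient's name.
    if any(text.lstrip().startswith(s) for s in GENERIC_SALUTATIONS):
        cues.append("generic_salutation")
    # 4. Link text shows one domain while the href (what hover reveals) goes to
    #    another, or the destination is outside the organisation's domains.
    for href, anchor_text in ANCHOR_RE.findall(body_html):
        host = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT_RE.search(anchor_text)
        text_mismatch = bool(shown) and registrable_domain(shown.group(0)) != registrable_domain(host)
        if text_mismatch or not belongs_to(host, expected_domains):
            cues.append("link_destination_mismatch")
            break
    # 5. An unusual request: credentials, payment approval, account verification.
    if any(p in text for p in UNUSUAL_REQUESTS):
        cues.append("unusual_request")
    return cues

# Constructed lure using the page's own example lookalike domain (not a real message).
LURE_FROM = '"Canada Revenue Agency" <noreply@cra-arc-gouv.ca>'
LURE_BODY = ('<p>Dear Customer,</p><p>Your refund could not be processed. You must '
             'verify your account within 24 hours or it will be cancelled: '
             '<a href="http://cra-arc-gouv.ca/refund/verify">'
             'https://www.canada.ca/en/revenue-agency</a></p>')
# Constructed benign internal message for contrast (example-firm.ca is a placeholder).
BENIGN_FROM = '"Example Firm Payroll" <payroll@example-firm.ca>'
BENIGN_BODY = ('<p>Hi Dana,</p><p>The Q2 timesheet is in the '
               '<a href="https://hr.example-firm.ca/timesheets">HR portal</a>.</p>')

if __name__ == "__main__":
    # "canada.ca" is assumed here as the agency's genuine domain.
    print(analyze_message(LURE_FROM, LURE_BODY, ("canada.ca",)))
    print(analyze_message(BENIGN_FROM, BENIGN_BODY, ("example-firm.ca",)))
```

The lure trips all five checks and the internal payroll note trips none; the useful teaching point is cue 4, where the visible link text and the actual destination disagree, which is exactly what a recipient sees only by hovering before clicking.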

Month 3: Password Hygiene and MFA. Why passwords fail — credential stuffing, password reuse, dictionary attacks — and the practical case for a password manager. How to enable MFA on the platforms your organization uses, and why MFA renders a stolen password insufficient for an attacker. This module pairs directly with the practical MFA deployment guide if you are rolling out technical controls in parallel.

Month 4: Business Email Compromise. How attackers impersonate executives and vendors, the anatomy of a fake wire transfer instruction, and the internal verification procedures that stop BEC before money moves. Specific Canadian scenarios: law firm trust-account wire request, real estate closing fund transfer, contractor payment redirect, payroll account update fraud. The RCMP NC3 logged over CA$60 million in reported BEC losses in Canada in 2023; the actual figure, accounting for unreported incidents, is estimated to be significantly higher.

Month 5: Personal Information Handling Under Canadian Law. What constitutes personal information under PIPEDA and Quebec Law 25, how it must be collected, stored, shared, and disposed of, what to do when a staff member suspects data has been disclosed without authorization, and how to complete an internal breach notification report so the privacy officer can evaluate whether regulatory reporting is required. This module creates a direct paper trail showing that staff received PIPEDA-relevant training on data-handling obligations — valuable documentation in a Principle 7 compliance review.

Month 6: Remote Work and Mobile Security. Home Wi-Fi configuration, VPN use discipline, physical security at home offices, the risks of public networks for work-related access, and the data-handling rules that apply outside the office perimeter. The CIRA 2024 report found that 61% of Canadian organizations had experienced a remote-work-related security incident, and the shift to hybrid work arrangements has permanently expanded the attack surface that training needs to address.

Months 7–12: Advanced and Refresher Modules. AI-generated phishing and deepfake voice fraud; mobile device security; cloud-storage data risk; supply-chain phishing (vendor and third-party impersonation); USB and physical security; sector-specific compliance refreshers. Rotate foundational modules annually so returning content feels fresh rather than mandatory — completion rates for refreshed content consistently outperform recycled identical content by 20–35% on managed platforms.

PIPEDA and Quebec Law 25: Training as a Compliance Obligation

Canadian privacy law does not specify security awareness training by name, but it comes very close — and the regulatory interpretation is consistent and well-documented. PIPEDA's Principle 7 (Safeguards) requires organizations to "protect personal information with security safeguards appropriate to the sensitivity of the information." The Office of the Privacy Commissioner of Canada (OPC, at priv.gc.ca) has consistently interpreted this to require both technical safeguards (encryption, access controls, secure transmission) and organizational safeguards — a term the OPC explicitly defines to include staff education and training.

This is not a theoretical reading. In multiple investigation reports following data breaches, the OPC has cited the absence of documented staff training as a Principle 7 failure. In several findings involving small to mid-size organizations, the Commissioner's office noted that affected employees had access to personal financial or health data but had received no documented phishing awareness or data-handling training. In each case, the absence of training was cited in the remediation order, and the organizations were required to implement and document a training program as a condition of compliance.

Quebec's Law 25 — An Act to modernize legislative provisions as regards the protection of personal information (known informally as Bill 64, fully in force since September 2023) — creates a more prescriptive compliance regime than PIPEDA for organizations operating in Quebec. Under sections 3.1, 13, and 20, organizations must designate a privacy officer, establish a formal privacy governance framework, and document the administrative and technical measures in place to protect personal information. Training records, simulation reports, click-rate trending data, and individual remediation logs all constitute documented evidence of administrative safeguards directly referenced in Law 25's requirements.

In the event of a breach investigation by the Commission d'accès à l'information (CAI), the organization will be asked to produce its safeguards documentation. An organization that can produce 12 months of structured training records, phishing simulation reports with click-rate trending, and documented remediation actions for repeat clickers is in a materially better regulatory position than one that cannot. The CAI's enforcement actions since September 2023 have resulted in public remediation orders against multiple organizations that lacked documented administrative controls, with absent or undocumented staff training among the most frequently cited gaps.

The insurance dimension adds urgency. Cyber insurers writing Canadian commercial policies in 2025–2026 are increasingly treating documented training programs as an underwriting criterion rather than a nice-to-have. Several major Canadian insurers now explicitly ask whether the applicant runs a phishing simulation program as part of the commercial cyber insurance application process. The answer influences both premium pricing and coverage terms. A lack of documented training can result in a specific coverage exclusion for social-engineering losses — which is precisely the loss category most likely to occur from a successful phishing attack. Some insurers have begun requiring annual evidence of training program execution (not just a policy statement that training exists) as a condition of renewal.

Organizations currently working through Law 25 compliance requirements should review the broader Law 25 and PIPEDA compliance guide to understand how training documentation fits within the larger privacy governance framework that the legislation requires.

Security Awareness Training Pricing in Canada (CA$)

Pricing varies by delivery model, feature depth, user count, and billing term. The table below reflects 2026 Canadian market rates across the three main tiers. Prices are per user per month on annual billing; monthly billing adds approximately 15–20%.

Security Awareness Training Pricing — Canada 2026 (CA$/user/month, annual contract)

Starter — DIY Platform: CA$8–$12 per user per month; CA$2,400–$3,600 per year for 25 users. Includes LMS access, pre-built module library, phishing template library, basic click-rate dashboard, and minimal setup support.

Standard — Managed Program: CA$18–$28 per user per month; CA$5,400–$8,400 per year for 25 users. Includes all Starter features plus campaign management, Canadian-specific lures, PIPEDA/Law 25 compliance reports, quarterly review calls, unlimited campaigns, and repeat-clicker flags.

Enterprise — Concierge: CA$35–$55 per user per month; CA$10,500–$16,500 per year for 25 users. Includes all Standard features plus board-level reporting, executive coaching, vishing (phone phishing) simulations, dark web monitoring integration, and an annual tabletop exercise.

For a 10-person Canadian SMB, the annual cost of a Standard managed program is approximately CA$2,160–$3,360 — less than the average cost of a single IT recovery event following a successful ransomware infection in an organization of that size (typically CA$15,000–$60,000 in downtime and remediation, before regulatory exposure or legal fees). Many Canadian managed IT providers bundle security awareness training into their managed security service packages. If your organization already has a managed IT contract, ask explicitly whether training is included or available as a reduced-cost add-on before purchasing a standalone platform.

DIY vs Managed Program: A Side-by-Side Comparison

Running your own program through a self-service platform is viable if you have an IT manager with genuine and consistent bandwidth, a reliable process for tracking and acting on campaign results, and the organizational discipline to run campaigns on schedule through busy periods. For most Canadian SMBs under 75 staff, these conditions are not consistently met, which is why managed programs produce better long-term click-rate outcomes even at higher nominal cost.

DIY vs Managed Security Awareness Training — Canadian SMB Comparison

Initial setup time. DIY platform: 20–40 hours (internal). Managed program: 2–4 hours (onboarding call and user import).

Ongoing admin per month. DIY platform: 3–5 hours. Managed program: under 1 hour (review reports, approve escalations).

Phishing template quality. DIY platform: generic library; limited Canadian-specific lures. Managed program: industry-specific, Canada-localized, refreshed monthly.

Compliance reporting. DIY platform: manual assembly; inconsistent format, time-consuming. Managed program: automated PIPEDA/Law 25 reports; structured audit trail.

Campaign consistency. DIY platform: slips during busy seasons; depends entirely on internal priority. Managed program: automated on schedule; runs regardless of internal workload.

Total annual cost (25 users). DIY platform: CA$2,400–$3,600 platform + 36–60h staff time (~CA$1,800–$3,900). Managed program: CA$5,400–$8,400 fully loaded.

Best for. DIY platform: organizations with a dedicated IT security person and spare capacity. Managed program: most Canadian SMBs without a full-time security role.

The real cost advantage of a DIY platform narrows sharply when you account for internal staff time. A mid-level IT coordinator in Toronto or Calgary earning CA$65,000–$75,000 per year costs approximately CA$32–$37 per hour fully loaded. Running three campaign cycles per quarter at four hours each adds CA$1,500–$2,200 per year in hidden labour costs — before accounting for the inconsistency and compliance gaps that arise when campaigns slide during tax season, year-end, or periods of IT project overload. For most Canadian SMBs, the managed model costs the same or less on a total-cost basis once internal time is properly valued.

Step-by-Step: Launch a Security Awareness Program in 30 Days

The following sequence applies whether you are implementing a self-service platform or onboarding a managed provider. It is designed to produce a running program with a first real dataset within one calendar month, without shortcutting the organizational foundations that determine long-term success.

  1. Days 1–3: Define scope and assign ownership. Decide whether the program is IT-led, co-led with HR, or fully outsourced. Identify who will be enrolled (all staff, specific departments, contractors, seasonal employees). Assign a named program owner who will receive campaign reports, escalate high-risk behaviours to management, and act as the internal point of contact for the vendor. Assign a backup owner. This decision takes 30 minutes but significantly affects program continuity; programs with no named owner are the ones that go dormant.
  2. Days 4–5: Select a platform or managed provider. Key evaluation criteria for a Canadian SMB context: (a) Canadian data residency — confirm that user records and training completion data are stored in Canada or with a certified Canadian cloud partner, a requirement for regulated sectors and a strong signal of vendor maturity; (b) French-language module availability if you employ Quebec-based staff, which Law 25 compliance in French-language workplaces effectively requires; (c) integration with your email platform (Microsoft 365 or Google Workspace) for the "Report Phish" button and simulation delivery; and (d) PIPEDA-aligned compliance report templates exportable for regulatory documentation.
  3. Days 6–8: Enroll users and configure the platform. Import your user list — name, email, department, manager. Configure the Report Phish button in your email client so staff can flag suspicious emails with one click. Whitelist the simulation platform's sending domains in your email security gateway so simulation emails are delivered normally but do not trigger security alerts that would tip off staff before the campaign runs. Set your notification preferences for weekly digest reports to the program owner.
  4. Days 9–10: Run a baseline phishing simulation. Before assigning any training content, send a single moderate-difficulty phishing simulation to all enrolled users. Do not announce it in advance. The result — your organization's baseline click rate — is your starting benchmark. It is not a judgment; it is a data point. Most first-campaign Canadian organizations see 10–18% click rates. Communicate this framing clearly to leadership before results are shared, to prevent a punitive response that would undermine the program from launch.
  5. Days 11–15: Assign core curriculum modules. Assign the phishing recognition and social engineering modules first, with a two-week completion deadline. Keep the mandatory time commitment under 20 minutes per module. Use the platform's automated reminder function for non-completers. Do not assign more than two modules simultaneously in the first wave — overloading the queue reduces completion rates markedly.
  6. Days 16–20: Brief management and establish the communication framework. Share the baseline click rate with management or ownership, contextualized against Canadian industry benchmarks. Gain explicit leadership endorsement for the program — staff completion rates improve materially when training is introduced with a message from a senior leader explaining the business rationale, not just an automated platform notification. Draft the staff announcement for days 21–25.
  7. Days 21–25: Announce the program to all staff. Issue a communication from the named senior leader explaining what the program is, why it exists, that simulated phishing will occur on an unannounced schedule, and that clicking a simulation is a learning opportunity with no employment consequences. The tone of this communication shapes whether staff approach training as a skill they are building or a compliance trap they are trying to avoid. The former produces better outcomes in every dimension.
  8. Days 26–30: Run the second phishing simulation and review preliminary results. After the majority of staff have completed the first assigned module, run a second simulation. Compare the click rate to baseline. Most organizations see a 25–45% improvement at this stage. Prepare a summary showing the baseline-to-current trend and share it with management as evidence of early program traction. This is also the point at which to schedule the quarterly reporting cadence going forward.

Five Common Mistakes That Make Training Programs Fail

Security awareness programs fail more often for program-design reasons than for content-quality reasons. These are the five most common failure modes observed in Canadian SMB implementations, in order of frequency.

1. Running campaigns annually rather than continuously. An annual mandatory training event satisfies an HR policy checkbox. It does not change the probability that an employee clicks a well-crafted phishing email in month 10. Click rates return to near-baseline within 60–90 days without reinforcement. The CCCS's published guidance on Employee Cybersecurity Awareness (cyber.gc.ca) explicitly recommends ongoing, periodic testing rather than episodic events. If your program only runs once a year, it is not a security program; it is a compliance document.

2. Punishing clickers publicly or using shame as a deterrent. Organizations that send "you failed the phishing test" emails, display click rates by name in team meetings, or apply disciplinary consequences for simulation failures consistently produce the same outcome: staff stop reporting suspicious emails because they are afraid of being identified as a clicker. The organizational cost of a real phishing attack going unreported for 12 hours — because the employee who noticed it was afraid to say they clicked — is far greater than any deterrence value generated by public shaming. Use non-punitive immediate feedback pages. Make reporting feel safe and praiseworthy.

3. Using wrong-difficulty simulations. A first campaign using a highly convincing spear-phishing template — impersonating the CEO with personal details pulled from LinkedIn — sent to a team that has never received training will produce an 80–90% click rate that demoralizes staff and undermines leadership confidence in the program. A campaign using an obviously fake template full of typos and a suspicious sender domain will produce a 1% click rate that does not reveal true organizational vulnerability. Calibrate template difficulty to your organization's current baseline and increase progressively as scores improve.

4. Excluding contractors, vendors, and temporary staff. Many documented Canadian SMB breaches originate through third-party accounts with broad system access. Legal practices with contract paralegals on shared document platforms, healthcare clinics with locum physicians, retailers with seasonal holiday-period employees — all create attack surface that a staff-only training program leaves unaddressed. Extend enrollment to anyone with access to company email, shared files, or internal systems.

5. Running training without producing exportable records. A program that runs but generates no archived documentation has no regulatory or insurance value. If you cannot produce training completion records, simulation campaign reports, and click-rate trending in a breach investigation or compliance audit, the program did not — from a PIPEDA Principle 7 standpoint — happen. Use your platform's compliance export function to archive quarterly records in a system that would survive a ransomware event, meaning off the local network and ideally in an immutable cloud backup.

Case Study: A 22-Person Toronto Professional Services Firm

This case is anonymized but based on a real implementation carried out with a Canadian managed security provider in 2024. The firm — a mixed accounting and business consulting practice in downtown Toronto — had never run a formal security awareness program. Their environment was Microsoft 365 with MFA enforced on email, next-generation antivirus on all endpoints, and no prior phishing simulation history. They engaged a managed training provider in February 2024 after a close call: a senior associate had nearly authorized a wire transfer of CA$84,000 based on an email appearing to come from one of their largest corporate clients requesting an urgent payment to a new vendor account.

Baseline (Week 1 simulation): A Microsoft SharePoint "shared document" notification template was deployed to all 22 staff. Click rate: 27%. Credential submission rate: 4 individuals entered their Microsoft 365 credentials on the fake landing page. This is the template type that most effectively exploits the daily workflow of Microsoft 365 users, who regularly receive legitimate SharePoint sharing notifications and are conditioned to click and authenticate quickly.

Month 2: Core phishing and BEC awareness modules assigned. 95% completion in 18 days, driven by a direct request from the managing partner in the launch communication. A second simulation using a CRA "Assessment Notice" template ran in week six. Click rate: 14%. Credential submissions: 1. Report rate: 18% — nearly a fifth of the firm proactively flagged the simulation as suspicious, a strong early signal.

Month 3: A CRA-specific module was added to the curriculum following the month-2 results. IT Cares' on-site cybersecurity specialists working with the firm reviewed the departmental click-rate breakdown and identified that the firm's administrative staff cohort had a consistently higher click rate than professional staff — a common pattern, because administrative staff receive higher volumes of legitimate external email and are trained by their role to be responsive and action-oriented. A targeted BEC simulation using an "urgent payment approval from a partner" scenario was run specifically for the administrative cohort.

Month 6: Click rate: 4.5%. Report rate: 41%. The firm's commercial cyber insurance renewal in September 2024 included the six-month simulation report in the application package. The insurer applied a 12% premium reduction, citing the documented training program as evidence of active risk management. The annual premium saving offset approximately 30% of the annual training program cost.

Month 12: Click rate: 2.8%. Report rate: 49%. The firm's annual PIPEDA review included training completion records and click-rate trend charts as Principle 7 safeguards documentation. The managing partner's assessment: the program had effectively paid for itself by the close call it would have prevented had it been in place in January. The total program cost for the year was CA$6,380 — CA$23.90 per user per month at the managed Standard tier. The avoided cost of the wire transfer that almost went through: CA$84,000 in funds, plus the breach investigation and notification costs that would have followed.

Metrics and Reporting: What to Track and Present

A program that runs but produces no structured reporting will eventually lose organizational support and budget. These are the metrics to track and the reporting format to use at each cadence.

Monthly operational metrics (tracked in your platform dashboard):

Quarterly board or owner summary format: A one-page report showing current click rate versus industry benchmark, 12-month trend line, number of campaigns run in the quarter, module completion rates, compliance documentation status (PIPEDA/Law 25 records current and archived), and a three-point action plan for the next quarter. This format takes under one hour to produce from platform exports and gives ownership or a board the information they need to make an informed decision about program continuation and investment level. Organizations undergoing a formal cybersecurity risk assessment should include quarterly training reports as a core artifact demonstrating organizational safeguards.

Annual compliance archive: At year-end, export and preserve: all campaign reports with dates, templates used, click rates by department, and user-level completion data (anonymized in line with your HR policy on individual performance data); all module completion records with assignment and completion timestamps; and any documented remediation actions taken for repeat clickers. Archive in your secure backup system — not only on the local network — and reference this package explicitly in your PIPEDA Principle 7 documentation and your Law 25 privacy governance framework.
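The per-cohort breakdown and benchmark check described above, as an added example that is not part of this guide or any vendor platform: it aggregates constructed campaign-export rows (the column layout is an assumption) into click, credential-submission and report rates per department, flags cohorts that warrant a targeted follow-up campaign, and compares the figures with the milestones this guide cites.

```python
"""Cohort phishing-simulation metrics checked against the benchmarks this guide
cites. Added example, not page or vendor code; rows below are constructed and
the column layout is an assumption about a platform's campaign export."""
from collections import defaultdict

# Benchmarks quoted in the guide: under 7% click after 90 days; 2-3% click and
# over 30% report rate by month 12.
CLICK_90D, CLICK_12M, REPORT_12M = 0.07, 0.03, 0.30

# Constructed export, one row per delivered email:
# (user, department, clicked, submitted_credentials, reported).
# "reported" is independent of "clicked": a user can click and still flag it.
CAMPAIGN = [
    ("u01", "admin", 1, 1, 0), ("u02", "admin", 1, 0, 1),
    ("u03", "admin", 0, 0, 0), ("u04", "admin", 0, 0, 0),
    ("u05", "prof", 1, 0, 0), ("u06", "prof", 0, 0, 1),
    ("u07", "prof", 0, 0, 1), ("u08", "prof", 0, 0, 1),
    ("u09", "prof", 0, 0, 0), ("u10", "prof", 0, 0, 0),
]

def rates(rows):
    """Click, credential-submission and report rates for a set of rows."""
    n = len(rows)
    return {"delivered": n,
            "click_rate": sum(r[2] for r in rows) / n,
            "submit_rate": sum(r[3] for r in rows) / n,
            "report_rate": sum(r[4] for r in rows) / n}

def cohort_breakdown(rows):
    """Per-department rates, with the organization-wide figure under 'all'."""
    by_dept = defaultdict(list)
    for r in rows:
        by_dept[r[1]].append(r)
    out = {dept: rates(group) for dept, group in by_dept.items()}
    out["all"] = rates(rows)
    return out

def cohorts_for_targeted_campaign(breakdown, margin=0.10):
    """Departments whose click rate beats the org-wide rate by more than
    `margin` (an assumed threshold): candidates for a targeted follow-up
    simulation, as with the administrative cohort in the case study above."""
    base = breakdown["all"]["click_rate"]
    return sorted(d for d, r in breakdown.items()
                  if d != "all" and r["click_rate"] - base > margin)

def unmet_benchmarks(months_running, click_rate, report_rate):
    """Names of the guide's milestones that the current figures miss."""
    if months_running >= 12:
        return [n for n, miss in (("click_12m", click_rate > CLICK_12M),
                                  ("report_12m", report_rate < REPORT_12M)) if miss]
    return ["click_90d"] if months_running >= 3 and click_rate > CLICK_90D else []
```

Feeding the case-study figures (month 6: 4.5% click, 41% report; month 12: 2.8% click, 49% report) to `unmet_benchmarks` returns an empty list, matching the guide's reading that the firm met both milestones.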

Ongoing Program: Quarterly Calendar and Annual Review

Security awareness training is not a project with a finish line. It is a continuously running program that adapts to the evolving threat landscape, organizational growth, and the data your simulation results produce. The following calendar provides a repeatable structure for Year 2 and beyond, after the initial 30-day launch sequence is complete.

Organizations evaluating their broader security infrastructure can explore how training fits within a managed security service engagement in the managed IT services guide. Many Canadian managed IT providers include security awareness training in their security service tiers, and understanding that scope before signing is worth the 15-minute conversation during the sales process.

Frequently Asked Questions

What is security awareness training?

Security awareness training teaches employees to recognize and report cyberattacks — primarily phishing, but also social engineering, credential theft, and business email compromise. A complete program combines short e-learning modules with periodic simulated phishing campaigns that let staff practice spotting real attacks in a consequence-free environment, building the reflexive response to report rather than click before a real attack arrives.

How much does security awareness training cost in Canada?

Canadian SMBs typically pay CA$8–$12 per user per month for a basic self-managed platform, CA$18–$28 for a fully managed program with Canadian-specific phishing templates and PIPEDA compliance reporting, and CA$35–$55 for a concierge tier with board-level dashboards and vishing simulations. Annual billing is standard; monthly billing adds roughly 15–20%. A 25-user managed program runs CA$5,400–$8,400 per year fully loaded.

What phishing click rate should a Canadian SMB aim for?

Untrained organizations typically start at an 11–16% phishing click rate on their first simulation. After 90 days of training and three simulations, most organizations drop below 7%. A well-run 12-month program achieves 2–3%, which Canadian cyber insurers and PIPEDA compliance assessors regard as an acceptable residual risk level. The report rate — staff who actively flag suspicious emails — should trend above 30% by month 12.

Does security awareness training satisfy PIPEDA and Quebec Law 25?

Training is one of the strongest documented organizational safeguards you can produce for PIPEDA Principle 7 and Law 25 section 20. The Office of the Privacy Commissioner and the Commission d'accès à l'information have both cited absent or undocumented training as a compliance gap in breach investigations. Training records, click-rate reports, and remediation logs form the paper trail that demonstrates ongoing due diligence. Review the broader Law 25 compliance framework for the full picture.

How often should we run phishing simulations?

Monthly campaigns during the first six months produce the fastest click-rate reduction. Most organizations stabilize at one campaign every two months once their click rate falls below 5%. Finance, HR, and executive assistant roles — those with payment authority or access to sensitive personnel data — should receive additional targeted campaigns year-round. The Canadian Centre for Cyber Security recommends ongoing, periodic testing rather than annual episodic events.

What topics should Canadian SMB training cover?

Core curriculum: phishing and spear-phishing recognition, BEC and vendor impersonation, password hygiene and MFA adoption, PIPEDA and Law 25 personal information handling, remote work security, and the internal incident-reporting procedure. Canadian-specific content — CRA impersonation, major bank lures, Service Canada fraud — improves realism and engagement. Add vertical modules for regulated industries: patient-data lures for clinics, trust-account wire requests for law firms, payroll-redirect fraud for HR-heavy organizations.

What is the ROI of security awareness training?

Average ransomware recovery costs for Canadian SMBs run CA$15,000–$500,000+ depending on size and sector, not counting regulatory exposure. A managed program for 25 users costs roughly CA$5,400–$8,400 per year. Major Canadian cyber insurers offer 5–15% premium reductions for documented training programs, partially offsetting that cost. Even one prevented phishing attack per three years typically produces a 10:1+ ROI on avoided direct costs. The compliance exposure under PIPEDA and Law 25 adds further financial rationale that does not require a breach to materialize.

What is the difference between security awareness training and phishing simulation?

Security awareness training is the educational content — modules, videos, and quizzes that teach staff what threats look like and why they work psychologically. Phishing simulation is the live-fire testing component: controlled fake phishing emails sent to your own team to measure who clicks, who submits credentials, and who reports the attempt. The two are complementary: training builds knowledge, simulation tests it under realistic conditions, and the immediate feedback loop after a failed simulation produces the lasting behaviour change that makes the program compound over 12 months.

Get a free security awareness program plan

Tell us about your team size, industry, and compliance situation — we will send back a recommended program structure, Canadian vendor shortlist, and an estimated click-rate improvement timeline for your sector. No payment, no pressure.
