A large share of cyber incidents at Dutch SMBs doesn't start with a technical breach but with an employee clicking the wrong link at the wrong moment. Numbers from the Dutch National Cyber Security Centre have shown the same pattern for years: 80 to 90 per cent of successful attacks begin with phishing or another form of social engineering. The firewall and the mail filter do their job, but a single distracted colleague on a busy Wednesday is often enough.
Security awareness training is meant to reverse that momentum. But the way it's usually delivered — a mandatory 30-minute e-learning, once a year, with a tick-box at the end — doesn't work. This article describes which approach does deliver results in 2026 for SMBs of 25 to 250 employees, what you can expect from it, and how to set up a programme that doesn't turn your organisation into a permanent state of alarm.
This article complements our blogs on recognising phishing (7 examples) and cybersecurity for SMBs. Those cover the technology and the baseline measures — this one is about the people.
What is security awareness training, and why is it needed?
Security awareness training is a structured programme that teaches employees to recognise digital risks and respond to them. It's not an IT course, it's not an exam — it's continuous practice in noticing and reporting.
The human factor in cybersecurity
In nearly every incident report we've seen in the past few years, the path leads back to one of four scenarios. Someone clicks a link in an email that at first glance looked like it came from the bank or the bookkeeper. Someone enters credentials on a fake website that ranked first in Google. Someone forwards an invoice without noticing that the bank account number in the mail had been altered. Or someone lets a "colleague" look over their shoulder at a terminal and doesn't realise that this person, who introduced themselves as the new IT vendor, should never have been let into the building.
In all of these cases, the employee isn't deliberately doing anything wrong. They lack the cues to recognise the threat. That is exactly what training can fix — not by raising the fear level, but by making patterns recognisable.
Why an annual e-learning doesn't work
We see three recurring problems with the classic approach:
- Forgetting. Average retention from a one-off e-learning drops below 20 per cent after three months. Phishing attacks arrive daily, not once a year.
- No practice. Theory without practice doesn't stick. People only really learn to recognise an attack when they experience one in a controlled setting.
- No feedback loop. If nobody knows how many people fell for last year's simulation, there is no baseline to measure improvement or steer the programme.
The four elements of a working training programme
An effective programme isn't a single product. It consists of four interlinked components that reinforce each other.
Element 1: phishing simulations that aren't one-offs
The backbone is an ongoing series of controlled phishing emails — typically one to two per employee per month. Variation matters: a fake supplier invoice, an internal IT notice, a Microsoft sign-in page, an AI-generated voice deepfake aimed at executives. Whoever clicks lands on a brief explainer page ("this was a test, here are the signs, this is what to look for next time"). No punishment, no public ranking — but every click and every report is recorded, so the trend stays visible.
In practice, click rates drop from 25-30 per cent in month one to 4-8 per cent after six months. That isn't because employees become smarter — it's because they learn to *slow down* at a suspicious moment.
Element 2: short modules instead of an annual marathon
Instead of one 45-minute e-learning, a programme of micro-modules of 3-5 minutes works better. Once a month, one topic: how to spot a fake invoice, what to do with a suspicious SMS, why a password manager is safer than sticky notes, how to report an incident. A good platform tracks who has completed what and sends automatic reminders.
Total time spent per employee comes out at 30 to 45 minutes per year — less than the old annual marathon, but spaced and repeated.
Element 3: role-specific training
A receptionist, a finance employee and a system administrator face different risks. The finance employee needs training on CEO fraud, invoice manipulation and bank-change emails. The sysadmin on privilege escalation and supply-chain risks. The receptionist on tailgating and social engineering at the front desk or by phone. A programme that recognises this feels less generic, and the content sticks longer.
Element 4: culture and measurement, not exams
Security awareness only works if reporting feels safer than ignoring. Concretely: add a low-friction "report phishing" button to Outlook. Acknowledge every report, even false alarms — that keeps people reporting. Track one monthly metric (phishing simulation click rate) and discuss the trend in the management meeting, not to punish but to see whether the programme has effect.
What it actually delivers
For SMB clients that have run continuous training with us for a year, we consistently see four results:
- Phishing simulation click rate drops from 25-30 per cent to 4-8 per cent.
- Internal reports of suspicious mail rise — often a threefold increase in the first six months. That is good, because every report is an attack that didn't land.
- Time-to-report on a real incident drops from hours to minutes. In a ransomware scenario, that's the difference between one infected workstation and an entire server.
- Audit-readiness for NIS2 and NEN 7510 becomes considerably easier. Both standards require demonstrable, repeated awareness activities — not one e-learning a year.
What it does *not* deliver: an organisation that is never hit again. Someone will eventually fall for a well-crafted attack. The programme limits the damage and accelerates the response.
Approach for an SMB of 25 to 250 employees
A pragmatic four-quarter rollout looks roughly like this.
Quarter 1: baseline and basics
Start with an unannounced phishing simulation so you have a starting point. Set up the platform (in our setup we use Microsoft Defender for Office 365 Attack Simulator or a specialist provider such as KnowBe4 or Hoxhunt — depending on budget and M365 licence tier). Activate the report button in Outlook. Make sure the management team has completed the first module before everyone else.
Quarter 2: build a rhythm
One phishing simulation per month, one micro-module per month. Agree how to handle colleagues who repeatedly fail — not punitively, but with a personal conversation or additional training.
Quarter 3: role-specific deepening
Roll out role-specific modules for finance, IT and management. Run the first audit-style report: where was the baseline click rate, where are we now, which topics turn out to be the trickiest.
Quarter 4: embedding
Make it part of onboarding (a new hire follows the first module in week one). Connect the annual report to NIS2/NEN 7510 evidence. Decide whether to extend, expand or recalibrate the programme.
Frequently asked questions
How much time does this take per employee per month?
Three to five minutes for the monthly module and a few seconds to assess a phishing simulation. Roughly 30-45 minutes per employee per year — less than the old annual e-learning.
What if someone keeps failing the phishing simulation?
Three or more clicks in six months is a signal for a personal conversation, not a formal warning. The cause is almost always workload or a specific weakness (a particular type of mail that gets through). Extra support works better than sanctions — sanctions lead to underreporting, and that is exactly what you want to avoid.
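The measurement described under Element 4 (one monthly click-rate metric plus the report rate) and the "three or more clicks in six months" rule above, as an added Python example; it is not the article's or Virtual Computing's own tooling. The simulation log is constructed, and its record layout is an assumption, not the export format of Defender, KnowBe4 or Hoxhunt.

```python
from collections import defaultdict

# Constructed sample results of a monthly phishing simulation (not real data):
# (month, employee, clicked the lure link, reported it via the report button).
SIMULATION_LOG = [
    ("2026-01", "a.jansen",  True,  False),
    ("2026-01", "b.devries", True,  False),
    ("2026-01", "c.bakker",  False, True),
    ("2026-02", "a.jansen",  True,  False),
    ("2026-02", "b.devries", False, True),
    ("2026-02", "c.bakker",  False, True),
    ("2026-03", "a.jansen",  True,  False),
    ("2026-03", "b.devries", False, True),
    ("2026-03", "c.bakker",  False, True),
]


def _month_index(month):
    """Turn 'YYYY-MM' into a running month number so windows can be compared."""
    year, mon = month.split("-")
    return int(year) * 12 + int(mon)


def monthly_rates(log):
    """Per month: click rate and report rate in percent (one decimal), the two
    trend lines the management meeting should look at."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for month, _employee, did_click, did_report in log:
        sent[month] += 1
        clicked[month] += did_click
        reported[month] += did_report
    return {
        m: {"click_rate": round(100 * clicked[m] / sent[m], 1),
            "report_rate": round(100 * reported[m] / sent[m], 1)}
        for m in sorted(sent)
    }


def needs_conversation(log, as_of_month, window=6, threshold=3):
    """Employees with `threshold` or more clicks in the `window` months ending
    at `as_of_month`: the cue for a personal conversation and extra support,
    deliberately not a sanction, so reporting stays safe."""
    end = _month_index(as_of_month)
    start = end - window + 1
    clicks = defaultdict(int)
    for month, employee, did_click, _did_report in log:
        if did_click and start <= _month_index(month) <= end:
            clicks[employee] += 1
    return sorted(e for e, n in clicks.items() if n >= threshold)
```

In the constructed log the click rate falls from 66.7 to 33.3 per cent while the report rate doubles, and only a.jansen crosses the three-click threshold by March.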
Does it count for NIS2 or NEN 7510?
Yes. Both standards require demonstrable and periodic awareness activities. A continuous programme with measurement and reporting capabilities directly produces the evidence an auditor wants to see. See also our article on the NIS2 directive for the full scope question.
Should we also train executives and directors?
Yes, and ideally first. Phishing at executive level (CEO fraud, deepfakes, targeted spear phishing) is a growing problem. Executives are a high-value target, and a ransomware attack on the management mailbox can knock an entire organisation offline.
What does it cost roughly?
For an SMB of 50-100 employees, a continuous programme typically lands somewhere between 6 and 12 euros per employee per month, depending on platform and level of guidance. Set that against the average cost of one successful phishing attack on an SMB — 35,000-75,000 euros — and one prevented incident more than pays for the annual investment.
How Virtual Computing handles this
We don't sell security awareness training as a stand-alone service but as part of our cybersecurity package for SMB clients. Concretely that means:
- A continuous phishing simulation programme via Microsoft Defender for Office 365 or a specialised platform
- Monthly micro-modules in Dutch
- A "Phish Alert" button connected to our SOC so suspicious mails are analysed immediately
- Monthly reporting and quarterly review with the client's IT coordinator
- Audit evidence for NIS2, NEN 7510 and ISO 27001
Want to see what a programme for your organisation could look like? Get in touch or call 085-013 4500 for a free advisory call.