Training is everyone’s responsibility
Cybersecurity training is one of the most powerful tools organizations have to defend against modern cyber threats, but too often it’s treated as a one-and-done exercise. A breach starts with a single click. A distracted employee, rushing to clear their inbox before the end of the day, opens what looks like a routine invoice. Within minutes, attackers are inside the network—a scenario that plays out in organizations across Canada every day.
Herbert A. Simon, a Nobel Prize-winning social scientist, argued that organizational effectiveness depends less on the brilliance of individuals and more on the structured coordination of many rules, routines and communication systems. This insight underscores why cybersecurity training must go beyond IT departments and become a regular, organization-wide practice.
According to the 2025 CIRA Cybersecurity Survey, 98 per cent of Canadian organizations provide some form of cybersecurity awareness training. That’s a strong foundation, but frequency hasn’t kept pace with the threat landscape.
Most organizations are training employees at the same rate they did three years ago, despite rising threats. Among organizations that offer training, 29 per cent do so annually or less, 57 per cent quarterly and only 14 per cent monthly—virtually unchanged since 2022.
Human error remains one of the biggest security risks. One ill-judged click can unleash a damaging cyber attack. Rising threats demand more training and faster response.
Don’t forget the forgetting curve
Why is more training better? For one thing, a large body of research shows that we quickly forget the information we’ve learned when we don’t make a conscious effort to retain it. The so-called “forgetting curve” shows people forget 50 per cent of new information within an hour, 70 per cent within 24 hours, and up to 90 per cent after a week. This is exactly how critical training lapses happen—not because employees don’t care, but because information simply fades over time.
Not surprisingly, more frequent training improves retention. A 2023 study found that employees who received weekly phishing simulations were 2.74 times more effective at reducing phishing risk than those trained quarterly.
Bottom line: no matter how informative, engaging and useful any training session is, your employees’ ability to remember what they’ve learned and put it into practice effectively every day depends on repetition and reinforcement.
Stay ahead of the rapid pace of change
The fallibility of memory is only part of the challenge. The speed with which the cybersecurity landscape is evolving, especially as generative AI adoption accelerates, is another key factor. This year’s survey data found that over four in ten organizations (42 per cent) experienced a breach, up from 29 per cent in 2022. Even seasoned cybersecurity professionals are struggling to keep up, let alone non-experts. Generative AI-enabled attacks are more scalable, personalized, adaptive and convincing, raising the bar for defenders.
Organizations that increase the frequency and quality of their cybersecurity training are better positioned to keep pace with these evolving threats. While too much training can overburden employees, even slightly increasing the frequency (especially among high-risk groups) can be a cost-effective way to move the risk needle in any organization.
In a world where a single click can compromise an entire organization, frequent, high-quality cybersecurity training is one of the most effective defences you have.
Learn how CIRA cybersecurity awareness training can help your organization improve its security posture.
Eric is a Product Marketing Manager with CIRA Cybersecurity Services. His background in digital marketing has led him to appreciate the vital role data plays for Canadian organizations and individuals, and the need to keep it safe. Eric has an MBA in International Business from Sup de Co La Rochelle.