Security Awareness: Why Your Team Is Your Strongest Defence

Security awareness is the ongoing process of educating staff to recognise, avoid, and report cyber threats. In 2026, with AI-powered phishing fooling even experienced employees, a strong security awareness programme is no longer a compliance checkbox. It is the single most important defence a business has.

Your technology can be configured perfectly and your firewalls can be flawless, but a single staff member clicking one convincing link can undo all of it. The reality in 2026 is that attackers have stopped trying to break through your systems. They target your people instead, because people are now the easiest way in.

This guide covers why security awareness matters more than ever, how AI has changed what your staff are up against, and the practical steps that build a genuinely security-aware team in the current threat environment.

Why Security Awareness Matters More Than Ever

Security awareness has always been important. What has changed in 2026 is that the gap between a trained team and an untrained one is now the difference between staying in business and not.

AI-assisted phishing now achieves a 54% click-through rate, compared to 12% for traditional phishing. Nearly one in two staff who receive an AI-crafted phishing email will click. Despite this, NZ research indicates around 25% of businesses still have no security awareness programme at all.

That combination is the problem. The attacks are now far more effective, yet a quarter of NZ businesses still have no structured defence against them. Picture an accounts clerk receiving an email that appears to come from a supplier they deal with weekly, referencing a real invoice, written in the supplier’s usual tone, asking to update the bank account for the next payment. It passes the spam filter. It looks completely normal. Technology alone will not stop it. Only a trained person who pauses to verify will.

The human layer is where these attacks now succeed or fail. The clerk who picks up the phone to check the bank account change is the control that worked. A team trained to verify before acting stops the attack that technology let through. As we covered in our guide to how AI has changed phishing scams, the warning signs staff were once taught to look for no longer apply. Awareness training has to evolve with the threat.

How AI Has Changed What Your Team Is Up Against

To train your team effectively, you need to understand what they are actually facing. The threats reaching your staff in 2026 are fundamentally different from those of even two years ago.

Phishing that passes every traditional test

The old advice was to look for poor grammar, generic greetings, and suspicious links. AI has made all of that obsolete. Phishing emails are now grammatically perfect, personalised with details scraped from LinkedIn and company websites, and visually identical to legitimate correspondence. Staff trained only on the old warning signs are being caught out daily.

Deepfake voice and video impersonation

Voice cloning attacks rose sharply through 2025. Attackers now use AI to replicate the voice of a manager, supplier, or executive and call staff directly to request urgent payments or credentials. Video deepfakes on calls are emerging as the highest-impact version. Your staff need to know these attacks exist, because the instruction will come from a voice and face they recognise and trust.

Attacks that exploit urgency and authority

AI-crafted social engineering is designed to create plausible urgency. A message that appears to come from the managing director asking for a quick favour before a meeting is far more effective than a generic threat. Staff need to understand that urgency itself is a warning sign, and that verifying a request is always acceptable no matter who appears to be asking.

Figure: AI-powered threats and verification. Phishing, deepfake, and urgency attacks countered by staff verification.

What a Strong Security Awareness Programme Includes

Effective security awareness is not a single annual training session. It is an ongoing programme built into how your business operates. These are the elements that make the difference.

Regular, scenario-based training

Training should use realistic examples of the threats staff actually face, including AI-generated phishing and deepfake scenarios. Abstract advice does not change behaviour. Showing staff a convincing fake and walking through how to spot and report it does.

Phishing simulations

Simulated phishing campaigns test whether training is working and identify which staff need additional support. They also build the habit of scepticism in a safe environment. Combined with broader cyber awareness across the business, simulations turn training from a one-off event into an ongoing capability.

A clear verification protocol

Every staff member should know the rule: any request involving a payment, a credential, or access to data must be verified through a second, independent channel, meaning a phone call to a number already on record rather than a reply to the email. This single habit prevents the majority of successful attacks, regardless of how convincing the original message was.

Deepfake recognition

Staff need specific awareness that voices and faces can now be faked convincingly. The defence is process, not detection. The same verification rule applies: an unusual or urgent request gets confirmed through a separate, trusted channel before anyone acts, even when the voice on the line sounds exactly right. Removing the expectation that staff should be able to detect a deepfake themselves is the point. They do not need to. The process catches what the ear cannot.

A blame-free reporting culture

Staff who fear punishment for clicking a malicious link will hide it, and that silence is the worst possible outcome. The faster an incident is reported, the faster it can be contained. The staff member who owns up to a click within minutes is protecting the business, and a security-aware culture treats that person as having done exactly the right thing. Punish the mistake and you train everyone else to stay quiet.

How Often Should Security Awareness Training Happen?

Annual training is no longer enough. The threats change from one quarter to the next, and a single session in January leaves staff working with outdated knowledge for the other eleven months.

The global cyber skills gap has grown 8% since 2024, and NZ research shows the majority of businesses have never tested their staff with a phishing simulation. Quarterly training combined with regular simulations is now the realistic minimum for meaningful protection.

The shift to a quarterly cadence reflects how fast attacks evolve. A team trained on the threats of January is not prepared for the techniques circulating by June. Shorter, more frequent sessions also work better for retention than a single long annual session that staff forget within weeks.

Training Activity      | Recommended Frequency
-----------------------|----------------------------------------------------------------------------------------
Core training session  | Quarterly. Cover new threats, recent examples, and refresh the verification protocol.
Phishing simulation    | Monthly to quarterly. Test staff with realistic scenarios and provide immediate feedback.
New staff onboarding   | On day one. Security awareness should be part of induction, not something added later.
Threat alerts          | As needed. When a new attack type emerges, a short alert keeps staff current between sessions.
Leadership briefing    | Quarterly. Executives are high-value targets and need awareness tailored to whaling and BEC.

Figure: Security awareness training cadence. Quarterly training and ongoing phishing simulations through the year.

What an Untrained Team Actually Costs

Security awareness is easy to deprioritise because the cost of skipping it is invisible until something goes wrong. It is worth being clear about what is actually at stake, because the numbers are not small.

A single successful business email compromise attack can move tens or hundreds of thousands of dollars to an attacker-controlled account before anyone notices. Once that transfer leaves the country, banks rarely recover it. For most NZ small and medium businesses, a loss of that size is not a line item. It is the difference between a good year and a bad one.

The damage rarely stops at the direct loss. A compromised email account is often used to attack your clients and suppliers next, sending convincing fraudulent requests from your real address. The reputational cost of your contacts learning they were targeted through you is hard to measure and harder to repair. For professional services firms and healthcare providers handling sensitive client information, a breach can also trigger notification obligations under the NZ Privacy Act, with the regulatory and trust consequences that follow.

Set against this, the cost of a structured awareness programme is modest. It is one of the few security investments where the return is measured in losses that never happen. That makes it difficult to celebrate, but it is exactly why it matters.

Common Mistakes Businesses Make With Awareness Training

Plenty of NZ businesses run some form of security awareness training and still get caught out. The problem is usually not the existence of training but how it is run. These are the mistakes that quietly undermine it.

Treating it as a one-off tick-box exercise

A single onboarding session that is never revisited gives staff a false sense of competence while their knowledge dates within months. Training that happens once is training that has already expired. Awareness only works as an ongoing programme, not a single event filed away after completion.

Using generic, irrelevant content

Off-the-shelf training built for a large overseas corporate rarely reflects how a NZ business actually operates or the threats it faces. Staff disengage from content that feels irrelevant to their day. Training lands when the examples look like the emails and calls your team genuinely receives.

It also helps to localise the examples. A scenario built around a NZ supplier, a local bank, or an end-of-financial-year invoice will register with staff far more than a generic American template. The closer the training is to their real working life, the more likely they are to recognise the real thing when it arrives.

Measuring completion instead of behaviour

Recording that everyone finished the training tells you nothing about whether anyone changed how they act. The measure that matters is behavioural: do phishing simulation click rates fall over time, and do staff report suspicious messages more readily? Completion is an input. Behaviour is the outcome you are actually paying for.
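The behavioural measures described above (falling click rates, rising report rates, and the staff who need additional support from the phishing simulation section earlier) can be pulled straight from a simulation export. The script below is an added example, not Exodesk's tooling; the row format and the sample data are constructed for illustration.

```python
# Added example (not Exodesk's tooling): score a phishing-simulation export on
# behaviour, not completion. Row format and sample data are constructed.
import csv
from io import StringIO
from statistics import median

# Constructed export: one row per recipient per campaign; report_minutes is
# blank when the recipient never reported the email.
SAMPLE_CSV = """campaign,recipient,clicked,reported,report_minutes
2026-Q1,alice,1,0,
2026-Q1,bob,1,1,35
2026-Q1,carol,0,1,4
2026-Q1,dave,0,0,
2026-Q2,alice,1,1,12
2026-Q2,bob,0,1,3
2026-Q2,carol,0,1,2
2026-Q2,dave,0,0,
"""

def load_results(text):
    rows = []
    for r in csv.DictReader(StringIO(text)):
        mins = r["report_minutes"]
        rows.append({"campaign": r["campaign"], "recipient": r["recipient"],
                     "clicked": r["clicked"] == "1", "reported": r["reported"] == "1",
                     "report_minutes": int(mins) if mins else None})
    return rows

def campaign_metrics(rows):
    """Per campaign: click rate, report rate, median minutes to report.
    Someone who clicks and then reports counts in both; the report still limits damage."""
    groups = {}
    for r in rows:
        groups.setdefault(r["campaign"], []).append(r)
    out = {}
    for name, group in sorted(groups.items()):
        n = len(group)
        times = [r["report_minutes"] for r in group if r["report_minutes"] is not None]
        out[name] = {"click_rate": sum(r["clicked"] for r in group) / n,
                     "report_rate": sum(r["reported"] for r in group) / n,
                     "median_report_minutes": median(times) if times else None}
    return out

def behaviour_trend(metrics):
    """The outcome that matters: clicks falling and reports rising between first and last campaign."""
    names = sorted(metrics)
    first, last = metrics[names[0]], metrics[names[-1]]
    return {"click_rate_falling": last["click_rate"] < first["click_rate"],
            "report_rate_rising": last["report_rate"] > first["report_rate"]}

def needs_support(rows, min_clicks=2):
    """Recipients who clicked in at least min_clicks campaigns: extra coaching, not blame."""
    counts = {}
    for r in rows:
        if r["clicked"]:
            counts[r["recipient"]] = counts.get(r["recipient"], 0) + 1
    return sorted(p for p, c in counts.items() if c >= min_clicks)
```

Run `campaign_metrics(load_results(SAMPLE_CSV))` on a real export with the same columns to get the per-campaign scorecard; the median time to report is worth tracking alongside the rates, because a fast report is what shortens an attacker's window.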

Forgetting the people most at risk

Senior leaders and finance staff are the highest-value targets, yet are often the hardest to get into a training room and the most likely to assume the rules apply to everyone else. The people with the authority to approve payments and access sensitive systems need the most awareness, not the least.

There is a simpler way to frame all of this. Awareness training is not really about teaching staff facts. It is about building a single shared instinct across the business: when something feels off, stop and check before acting. A team that has internalised that one habit will catch attacks that no policy document or filter ever could, and will keep catching them as the specific techniques change.

Building a Security-Aware Culture That Lasts

The goal of security awareness is not to make staff memorise rules. It is to change how they instinctively respond when something does not feel right. That is a cultural shift, and it takes more than training sessions.

Leadership has to model it

When executives take security seriously, follow the verification protocols themselves, and talk about it openly, staff follow. When leadership treats security as someone else’s job, so does everyone else. Leadership’s role in building a secure culture is one of the strongest predictors of whether an awareness programme actually works.

Make security part of everyday conversation

Security awareness fades when it is confined to formal training. Businesses with strong security cultures talk about threats regularly, share examples of attacks they have spotted, and treat near-misses as learning opportunities. This keeps awareness alive between formal sessions.

Connect awareness to the bigger picture

Staff engage more deeply when they understand that their vigilance protects real things: client data, the business’s reputation, and their colleagues’ jobs. Framing security awareness as part of the business’s broader cyber readiness gives it meaning beyond compliance. People protect what they understand and care about.

Is Your Team Ready for AI-Powered Threats?

Exodesk provides security awareness training, phishing simulations, and ongoing staff education for South Island businesses from our offices in Christchurch and Dunedin. If your team has only had annual training, or none at all, they are not prepared for the attacks reaching them in 2026.

We offer an honest, no-obligation assessment of your current security awareness programme and where the gaps are.

Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.

Frequently Asked Questions About Security Awareness

What is security awareness?

Security awareness is the ongoing process of educating staff to recognise, avoid, and report cyber threats such as phishing, social engineering, and deepfake attacks. It turns employees from a potential vulnerability into an active line of defence. In 2026, with AI-powered attacks bypassing technical controls, security awareness is widely considered the single most important defence a business has.

Why is security awareness so important in 2026?

AI has made cyber attacks dramatically more effective. AI-assisted phishing achieves a 54% click-through rate compared to 12% for traditional attacks, and these emails now pass spam filters and reference real colleagues. Technology alone cannot stop attacks that are designed to fool people. A trained, security-aware team is what stops the threats that technology lets through.

How often should security awareness training happen?

Annual training is no longer adequate. The threats change from one quarter to the next, so quarterly core training combined with monthly or quarterly phishing simulations is now the realistic minimum. New staff should receive training on day one as part of induction, and short threat alerts should be issued whenever a significant new attack type emerges.

What should a security awareness programme include?

A strong programme includes regular scenario-based training using realistic examples, phishing simulations to test and reinforce learning, a clear verification protocol for sensitive requests, deepfake recognition guidance, and a blame-free reporting culture. It should also have visible leadership involvement, as executive engagement is one of the strongest predictors of success.

How do I train staff to recognise deepfake attacks?

The defence against deepfakes is process, not detection. Train staff that any unusual or urgent request involving payments, credentials, or data access must be verified by calling the person back on a known number, even when the voice or video appears completely genuine. Removing the expectation that staff should detect a fake themselves is the point. The verification process catches what the human eye and ear cannot.

What is a phishing simulation and why does it matter?

A phishing simulation is a controlled, harmless fake phishing campaign sent to your own staff to test whether they recognise and report threats. It identifies which staff need additional support and builds the habit of scepticism in a safe environment where mistakes carry no real consequences. Regular simulations turn security awareness from a one-off training event into an ongoing capability.

How do I build a security-aware culture rather than just running training?

Culture comes from leadership modelling good behaviour, making security part of everyday conversation, and connecting awareness to things staff care about, such as protecting client data and colleagues’ jobs. Treat near-misses as learning opportunities rather than failures, and recognise staff who report incidents quickly. Training sessions build knowledge, but culture is what changes instinctive behaviour.

What should staff do if they think they have clicked a phishing link?

They should report it immediately to your IT provider or internal IT team, no matter how worried they are about having made a mistake. The faster an incident is reported, the faster it can be contained. This is why a blame-free reporting culture matters. Staff who fear punishment hide their mistakes, which gives attackers more time inside your systems.

Are small businesses really targeted, or just large companies?

Small and medium businesses are increasingly targeted precisely because attackers assume they are less well-defended than large enterprises. AI has also made it cheap to target many small businesses at once. A small NZ business with no security awareness programme is often an easier target than a large company with mature defences, which is why awareness training matters regardless of size.

How does Exodesk help build security awareness?

Exodesk provides security awareness training, phishing simulations, deepfake awareness guidance, and ongoing staff education tailored to the current threat environment. Our teams are based in Christchurch and Dunedin and work with South Island businesses on fixed-price arrangements that include regular training updates as threats evolve, so your team stays current rather than relying on a single annual session.