Cyber Security Blog

Improving Cyber Awareness in Modern Organisations with LMS Courses

Written by Guest Author | 9 March 2026

When KnowBe4 tested 14.5 million employees across 62,400 organisations in 2025, one in three clicked on a simulated phishing email before receiving any training. That 33.1% baseline click rate is sobering on its own. Pair it with a UC San Diego Health study of 19,500 employees that found annual cybersecurity training had no significant effect on whether people fell for phishing, and the picture gets clearer: the old approach to security education is broken.

It’s not that people don’t care. Most employees genuinely want to do the right thing. The problem is that organisations continue delivering training in formats that don’t stick, then act surprised when behaviour doesn’t change.

The good news is that many organisations already have the tools to fix this. Eighty-three percent of companies now use a learning management system, yet few deploy it for structured, ongoing cybersecurity education. That’s the gap LMS courses are built to close, replacing annual slide decks with continuous, measurable skill development courses that actually change how people respond to threats.

Why Annual Training Keeps Missing the Mark

The UC San Diego researchers ran 10 different phishing campaigns over eight months. Embedded training, the pop-up lesson employees receive after clicking a simulated phishing link, reduced click rates by just 2%. Meanwhile, the Verizon 2025 Data Breach Investigations Report confirmed that around 60% of breaches still involve a human element, with a small subset of 8% of employees driving 80% of incidents.

The issue is timing and format, not motivation. Annual or quarterly sessions ask people to remember everything from a single sitting and apply it months later. In practice, employees click malicious links within 21 seconds of opening a phishing email. A once-a-year course simply cannot compete with that reflex.

There’s also a cognitive problem at play. People learn best when information arrives close to the moment they’ll actually use it. A compliance session in January does very little to help someone recognise a well-crafted spear-phishing email in September.

What a Learning Management System Solves

Traditional training fails on three fronts: it happens too rarely, it treats every employee the same, and it offers no real way to measure behavioural change. A well-configured learning management system addresses all three.

Think of it as an always-on programme rather than a calendar event. The World Economic Forum’s Global Cybersecurity Outlook 2026 found that 45% of organisations rank the cybersecurity skills shortage as a top challenge to resilience. LMS training courses can chip away at that gap daily, delivering short modules that employees complete in minutes rather than hours.

The features that make this work are already standard in most modern platforms:

  • Microlearning modules (three to five minutes each) that boost engagement by 50% and long-term retention by 80%, according to research from Drake University.
  • Gamified progress tracking: gamified eLearning achieves 90% completion rates compared to 25% for non-gamified content, per AmplifAI’s 2026 analysis.
  • Phishing simulations integrated directly into the LMS workflow.
  • SCORM-compliant content libraries for consistent delivery across departments and regions.
  • Personalised learning paths that tailor LMS online courses to individual roles and risk profiles.

Here is something worth remembering too: most organisations already own the tool. The gap is in using that system deliberately for cybersecurity skill development courses, rather than only for onboarding or compliance requirements. And because an LMS tracks completion and performance data automatically, security teams can identify exactly who needs additional support without relying on guesswork or spreadsheets.

 

Measuring What Matters and Proving It to the Board

The strongest argument for LMS-delivered cybersecurity education is that every improvement is measurable. KnowBe4’s data shows organisations running continuous training through their platform reduced phishing susceptibility by 86% over 12 months, bringing click rates from 33.1% down to 4.1%. Separately, companies using adaptive training models saw phishing reporting rates climb from 7% to 60% within a year, according to Brightside AI’s 2025 analysis.

Those numbers translate directly into financial language the board understands. With the average global data breach costing $4.44 million, according to the 2025 IBM/Ponemon study, and well-designed training programmes returning three to seven times their investment, the business case becomes clear.

It’s also worth considering the reputational cost, which rarely shows up in a spreadsheet but can linger for years. Customers and partners pay attention to how an organisation handles a breach, and whether it had reasonable defences in place matters during that scrutiny.

That raises an important question for leadership teams: can you justify not measuring whether your training actually works, when the cost of a single breach runs into the millions?

Building a Culture, Not a Checkbox

The organisations seeing the best outcomes are the ones treating cybersecurity education as a continuous skill, not an annual event. LMS courses give them the mechanism to do this at scale, with built-in measurement that proves what is working and flags what is not.

AI-generated phishing, deepfakes and vishing are becoming more convincing, with 77% of organisations reporting increased cyber-enabled fraud in 2025 according to the World Economic Forum. As they do, the frequency and adaptability of training will matter more with every passing quarter. Organisations that build genuine cybersecurity competency through structured, ongoing LMS training courses are the ones whose people will be better equipped to protect them. For a broader look at the foundational practices that support this kind of security culture, “cybersecurity best practices every business should follow” is a practical starting point.

The real question is whether your organisation will be one of them.