Cyber threats are growing more complex, targeted and relentless. Powered by artificial intelligence (AI), common cyber threats are no longer confined to easily spotted scams or clumsy phishing attempts — they are capable of producing convincing deepfakes and tailored impersonations, leaving employees none the wiser. Since 2024 there has been a 197% increase in email-based attacks, with 40% of phishing attempts now generated by AI. Additional data shows that between 2024 and Q1 2025, identity-driven cyberattacks targeting employee credentials surged by 156% — with tools like phishing-as-a-service platforms enabling even low-skilled cybercriminals to bypass multi-factor authentication protections.

In this shifting landscape, employees remain one of the top cyber threats within an organization. Recent data from Traliant found that 78% of employees lack total confidence in spotting more sophisticated threats like video deepfakes and voice spoofing. Equipping employees with up‑to‑date knowledge of emerging threats is essential, as every individual plays a critical role in defending against cyberattacks.

However, as the complexity of attacks grows, it’s not always guaranteed that employees will know what to do when presented with a potential cybersecurity situation. This is a wake-up call for more advanced and relevant cybersecurity education across the workforce.

The Employee Cybersecurity Challenge: Alarming Gaps and Risky Behavior

There is a troubling disconnect between the cybersecurity behaviors exhibited by many workers and the urgency of cybersecurity threats that are poised to compromise the company’s most sensitive data. According to Traliant’s findings, fewer than half of employees (46%) report using multi-factor authentication (MFA) regularly and just 30% use password managers. Even more alarmingly, 23% still write their passwords down on paper. Weak password habits can lead to unauthorized access, data breaches and potentially financial losses.

Additionally, employee convenience often trumps caution. Forty-two percent of employees admit to using personal devices like cell phones or laptops to access sensitive company information without IT approval. This trend is particularly prevalent among younger generations, with 51% of millennials and 48% of Gen Z employees engaging in this practice. Even more concerning is the human response to cyber threats.

This data points to a critical disconnect. Employees are on the front lines of organizational cybersecurity, yet their behaviors suggest a lack of preparedness for the sophistication of today’s digital threats.

The Power of Training: Building Cyber Resilience from the Ground Up

While technology plays an essential role in preventing cyberattacks, human behavior remains a primary line of defense. Effective cybersecurity training empowers employees to recognize threats, take proactive steps and respond quickly when incidents occur. Encouragingly, 90% of employees report receiving cybersecurity training either annually (60%) or more frequently (30%). However, frequency alone is not enough.

The real challenge lies in relevance and engagement. Forty percent of employees find cybersecurity training only somewhat, not very or not at all relatable to their daily responsibilities. If training feels abstract or disconnected from real-world scenarios, employees are less likely to retain the information or apply it when needed. Training that mirrors the threats employees face, such as phishing simulations or AI-driven attack examples, can make a significant difference. Relevance boosts not only knowledge retention but also the confidence to act in the face of real threats.

Moreover, training needs to be inclusive of all employees. For example, while Gen Z workers often express higher confidence in spotting digital threats, this can lead to overconfidence and potentially lax behavior. Conversely, baby boomers and Gen X workers report lower confidence in spotting AI-based threats and often find training less relatable. Tailoring content by role, responsibility and experience level ensures that every employee benefits fully.

Practical Steps to Strengthen Cybersecurity Training

To create a truly cyber-resilient workforce, organizations must rethink how they deliver cybersecurity education. Organizations that conduct regular security awareness training experience up to 70% fewer successful phishing attacks, emphasizing the importance of continuous education.

Here are four key actions to help learning and development (L&D) leaders modernize and elevate training programs:

  1. Incorporate microlearning and simulations: Move away from long, one-time modules in favor of bite-sized microlearning sessions that focus on a single threat or behavior. These are easier to digest and integrate into the workday. Phishing simulations — realistic mock attacks — give employees hands-on experience and help identify who may need retraining.
  2. Focus on relatability and real-world scenarios: Build training around everyday tasks and threats employees encounter, such as accessing cloud tools, working on mobile devices, managing passwords and receiving suspicious emails. Include role-specific risks and industry-tailored content to drive engagement and application.
  3. Promote secure digital habits: Encourage widespread use of password managers and enforce MFA policies organization-wide. Provide demonstrations and tutorials for tools already available to employees. Emphasize how security tools like MFA protect them both professionally and personally.
  4. Establish a continuous learning culture: Cybersecurity isn’t a set-it-and-forget-it initiative. Ongoing training, reinforced with regular updates and communication from IT, L&D and leadership, builds muscle memory and improves response time. Recognize employees who identify and report threats, and create an environment where cybersecurity is a shared responsibility — not just an IT concern.

The Road Ahead: A Culture of Shared Responsibility

Cybersecurity risks affect every team member, from interns to executives. With AI accelerating the pace and sophistication of cyber threats, organizations must embed security awareness into the very culture of the workplace.

By modernizing training, tailoring it to real-life scenarios and making it a regular part of employees’ learning journeys, companies can transform their people into powerful allies against cybercrime. As the digital frontier continues to expand, proactive, relevant and continuous cybersecurity training isn’t just best practice, it’s a business imperative.