13.04.2026

Cybersecurity Awareness: Why Technology Alone Isn’t Enough

84 percent of German companies hit by a cyberattack in 2025 report phishing as the attack vector. Yet only 24 percent train their entire workforce. The rest skimp exactly where attackers wield their sharpest tools. Since 6 December 2025 this is no longer merely negligent—it is illegal: the NIS2 Implementation Act makes awareness training mandatory for around 30,000 companies in Germany. Failure to train risks fines up to €10 million.

Key Takeaways

  • 84 percent of attacked German companies cite phishing as the attack vector (TÜV Cybersecurity Study 2025, 506 companies).
  • Only 24 percent of companies train all staff; 20 percent provide no training at all (BSI Situation Report 2025).
  • NIS2 Implementation Act in force since 6 December 2025: § 30 BSIG mandates training; § 38 BSIG makes senior management personally liable.
  • One year of targeted phishing training cuts click rates from 33.1 to 4.1 percent, an 86 percent reduction (KnowBe4, 14.5 million users).
  • AI-driven phishing emails achieve a 54 percent click rate; deepfake vishing surged more than 1,600 percent in Q1 2025.
  • Average cost of a phishing attack in Germany: €4.15 million (IBM Cost of a Data Breach 2025).

Why Is NIS2 Awareness Training Mandatory?

NIS2 awareness training is mandatory in 2025 because the topic directly determines cyber resilience, security operations and regulatory compliance. The article shows, using synaforce as an example, which requirements, KPIs and operational steps matter in practice.

The Gap Between Technology and Human Behavior

The firewall is configured, MFA is enabled, endpoint protection is deployed. Then an employee clicks a link in a deceptively genuine Microsoft 365 email and enters their credentials. The BSI Situation Report 2025 documents 950 reported ransomware attacks in the reporting period, 80 percent of them at small and medium-sized enterprises, and counts 119 new vulnerabilities per day, up 24 percent year-over-year.

Yet the numbers tell only half the story. The Verizon Data Breach Investigations Report 2025 finds that 60 percent of confirmed global security breaches involved a human element. No exploit, no zero-day—just a person clicking a link, sharing credentials or sending sensitive data to the wrong address.

The problem is not that companies lack technology. The problem is that the best technology fails when the human in front of it does not think twice. And that is where the gap opens up: according to the BSI, 79 percent of companies train staff on IT-security topics. That sounds good. But only 24 percent train every employee. Fifty-five percent train only selected roles. And one in five companies skips training altogether.

€4.15 m: average cost of a phishing attack in Germany
Source: IBM Cost of a Data Breach Report 2025

NIS2 turns awareness into a legal obligation

Since 6 December 2025, Germany’s NIS2 Implementation Act has been in force. It affects around 30,000 companies with at least 50 employees or annual revenues of 10 million Euro across 18 sectors. Registration with the BSI has been mandatory since 6 January 2026.

Two paragraphs are pivotal for awareness requirements. § 30 paragraph 2 BSIG obliges affected companies to provide cyber-security training and awareness-raising as part of mandatory risk-mitigation measures. § 38 paragraph 3 BSIG goes further: senior management must attend regular training themselves and demonstrate adequate risk-assessment knowledge. In September 2025 the BSI published guidance on NIS2 executive training, including concrete content.

Fines are steep. For essential entities: up to 10 million Euro or 2 % of global annual turnover, whichever is higher. For important entities: up to 7 million Euro or 1.4 %. There is no grace period; measures apply immediately from entry into force.

Yet the 2025 TÜV Cybersecurity Study found only 50 % of affected companies are even aware of the NIS2 Directive—and half of those do not realise they are in scope.

Affected companies: ~30,000 in Germany (50+ staff / 10 M€ turnover)
Maximum fine: 10 M€ or 2 % of global annual turnover
Source: NIS2 Implementation Act (§30/§38 BSIG), December 2025

AI is reshaping the attack surface

The old-fashioned phishing e-mail with typos and dodgy senders is dead. KnowBe4 reports that 82.6 % of phishing mails now embed AI elements: grammatically flawless copy, personalised greetings, context-aware content. AI-generated phishing achieves a 54 % click-through rate—roughly 4.5 times higher than conventional attempts.

Even more alarming is the surge in deepfake vishing. Deepfake voice-cloning attacks jumped more than 1,600 % in Q1 2025 versus the prior quarter. The headline case: a finance employee at the UK engineering firm Arup wired US$25 million after joining a fake video call populated by AI-generated deepfake avatars of the CFO and other executives. The TÜV study confirms that 51 % of German IT-security professionals already see AI-assisted cyber-attacks; among large enterprises the figure is 81 %.

At the same time, only 10 % of German companies use AI for their own defence. Attackers are adopting AI faster than defenders, widening the awareness gap: staff trained to spot typos and odd sender addresses are powerless against AI-crafted lures.

“91 % of companies rate their cyber-security as good or excellent, yet one in seven was successfully breached last year. This perception gap is one of the biggest risks.”
(TÜV Cybersecurity Study 2025, 506 companies, Ipsos survey)

What Works: From Mandatory Training to Behavioral Change

The typical security training: a 45-minute online session in January, a mandatory check, and forgotten by next January. The click rate on phishing emails drops briefly but returns to its original level within three months. One-off training doesn’t change behavior. Behavioral change requires repetition, relevance, and feedback.

The KnowBe4 Phishing Industry Benchmarking Report 2025 provides the largest data set to date on this topic: 14.5 million users across 62,400 organizations, 67.7 million simulated phishing tests. The result is clear. Before training, the average phishing click rate is 33.1 percent—one in three employees clicks a dangerous link. After 90 days of continuous training, the rate drops by more than 40 percent. After twelve months, it stands at 4.1 percent. That’s an 86 percent reduction.

86 %: reduction in phishing click rate after 12 months of training (from 33.1 to 4.1 percent)
Source: KnowBe4 Phishing Industry Benchmarking Report 2025 (14.5 million users, 62,400 organizations)

What these programs share: they use phishing simulations (monthly, progressive difficulty), micro-learning modules (3 to 5 minutes, weekly or after specific events), gamification (leaderboards for departments, badges, team challenges), and a simple report button in Outlook or Gmail. The goal isn’t training compliance—it’s a security culture where employees report suspicious emails before they click.

The key indicator isn’t the click rate—it’s the report rate: how many employees actively report suspicious emails? Mature programs achieve report rates above 70 percent. That means seven out of ten employees spot a phishing attempt and report it before damage occurs.

Cyber Insurance: Awareness as a Contract Condition

Today, anyone taking out or renewing cyber insurance quickly learns: awareness training is no longer a nice-to-have; it is an underwriting criterion. Allianz explicitly lists awareness training among its twelve core criteria for policyholders. AXA offers six months of free access to an awareness portal with every cyber policy. The GDV risk questionnaire for cyber includes explicit questions about training measures.

Without proof, companies face higher premiums or exclusions for phishing damages. With average phishing attack costs in Germany at €4.15 million, this is a risk no CFO should take.

The ROI of an Awareness Program

The math is straightforward. For a mid-sized company with 200 employees, an awareness program costs between €10,000 and €20,000 per year. KnowBe4 starts at $18 per user per year, Proofpoint at $25. Add 2 to 4 hours of internal admin time each month.

Against that stand average phishing incident costs of €4.15 million. Reducing click rates from 33 to 4 percent cuts the risk of a successful phishing attack by 86 percent. Even with conservative risk estimates: if the program prevents just one successful attack over ten years, it pays for itself many times over.

Bottom line: Train or pay

The equation has shifted. Before NIS2, awareness training was an optional measure—some companies took it seriously, most treated it as a box-ticking exercise. Since December 2025 it’s the law. The executive board is personally liable. Cyber insurers now demand it. And attackers are raising the bar with AI-powered phishing and deepfake vishing.

The good news: it works. An 86 percent drop in click-through rates after twelve months isn’t a marketing claim—it’s the real-world data from 14.5 million users. The tools are mature, the costs are manageable, and the ROI is clear. What’s missing in many organisations is simply the decision to start.

Frequently Asked Questions

Does NIS2 explicitly require awareness training?

Yes. § 30 paragraph 2 BSIG obliges affected companies to provide cyber-security training and awareness. § 38 paragraph 3 BSIG goes further: the executive board itself must participate in training on a regular basis. Roughly 30,000 companies in Germany with 50 or more employees or annual turnover above €10 million are affected.

How often should phishing simulations be run?

Monthly is the sweet spot. More often leads to fatigue; less often loses training impact. Difficulty should rise progressively and cover different attack types: CEO fraud, Microsoft login, parcel notification, HR notice. Trigger immediate micro-learning modules after any clicked simulations.

What does an awareness programme cost?

KnowBe4: from $18 per user per year. Proofpoint Security Awareness: from $25 per user per year. For a 200-person company that’s $3,600–$5,000 per year. Add internal effort: 2–4 hours per month for administration and evaluation.

Should employees be punished for clicking phishing links?

No. Punishment drives under-reporting. Instead: immediate learning module after the click, positive framing, and a focus on improvement. The goal is a reporting culture, not a culture of fear. Organisations that take a purely educational approach reach report rates above 70 percent.

Do cyber insurers require awareness training?

It’s not a statutory obligation, but it is a standard underwriting criterion. Allianz lists awareness among 12 core criteria. The GDV risk questionnaire for cyber explicitly asks about it. Without documented proof, expect higher premiums or exclusions for phishing-related claims.

How do you defend against AI-powered phishing?

Classic red flags like spelling errors no longer work. Instead, train staff to watch for behavioural anomalies: unexpected urgency, unusual senders, deviations from normal business processes. Layer on technical controls: DMARC/DKIM for email authentication, AI-based email filters, and dual-channel verification for financial transactions.

A magazine by evernine media GmbH