Making staff aware of security issues should not be a one-time training exercise, and everybody needs to be involved irrespective of their position in the hierarchy. The staff within your business are the last line of defence: your employees must be able to identify and avoid potentially malicious emails, reducing the threat to your business. Email security training needs to be an evolving process.
The most common cyberattack is phishing; it is thought to be successful in as much as 20% of attempts. If an employee is drawn in by one phishing attempt, they are also likely to fall for a second. If you do not educate your staff, statistics suggest this cycle will continue. User education can be the most effective way of increasing awareness and changing repeat behaviour. This firewall of adjusted behaviour can improve security across your network: simply slowing your colleagues down, so that they evaluate the mail they receive, can help them recognise an attempt.
More and more companies are choosing to use a simulated attack as a training tool for spotting criminal phishes. Security officers consider these simulated attacks a valuable training tool: people are tricked into opening emails, but education is the point of the exercise. Checking the susceptibility of your human firewall gives you an understanding of the risks to your company and the level of understanding amongst your staff.
If a real attack were to be successful, it could have a huge impact on your reputation and even your bottom line. The National Cyber Security Centre has published guidelines on how to avoid falling for an attack (https://www.ncsc.gov.uk/guidance/phishing-what-it-and-how-does-it-affect-me). Simply raising awareness can reduce the risk, and running a dummy attack may reduce it even further.