
How to Build a Security Awareness Program With a Lean IT Team

Published on 19.05.2026. 5 min read

If you search for advice on building a security awareness program, most of what you find is written for enterprise security teams with dedicated headcount, a training budget, and time to run it properly. It assumes a level of resources that most IT managers at small and mid-sized businesses simply do not have.

The reality for a one-to-three person IT team is different. Security awareness training is one item on a long list of competing priorities. It needs to be built in a way that does not depend on someone having the time to manage it - because that rarely happens.

This is a practical guide to building a security awareness program that works for lean IT teams: what it needs to include, how to structure it, and how to make it sustainable without adding to an already full workload.

Start With What You Are Actually Trying to Achieve

Before choosing a platform or scheduling a simulation, it is worth being clear on what success looks like. Most organisations default to completion rates as the measure of a functioning program. As we covered in this series, completion rates are a poor proxy for actual resilience.

A better starting point is to define what you want employees to be able to do differently because of the program. Specifically:

  • Recognise and report phishing attempts across multiple channels
  • Apply consistent judgement when handling sensitive data or unusual requests
  • Understand their responsibilities under relevant compliance frameworks - NIS2, ISO 27001, Cyber Essentials

These outcomes are measurable over time. Completion rates are not. Starting with the outcome shapes everything else: what training you choose, how frequently you run it, and how you report on it.

The Four Components of a Functioning Program

A security awareness program that reduces human risk needs four things working together.

1. Ongoing simulation, not periodic campaigns

A single annual phishing simulation - or even a quarterly one - is not enough to build lasting habits. Research on awareness decay shows that employees who receive infrequent training return to baseline behaviour within months. Effective simulation needs to be continuous and varied, so employees stay alert rather than learning to spot a predictable pattern.

This does not mean running manual campaigns every two weeks. It means choosing a platform that handles simulation automatically, without requiring ongoing administration.

2. Training that reflects real attacks

Generic simulations built from template libraries teach employees to recognise training. Real attacks are personalised, timely, and contextual - referencing tools employees use, mimicking communication styles they encounter daily. Training that mirrors this is significantly more effective at building genuine threat recognition than a standard phishing email with obvious warning signs.

3. Feedback when it matters

When an employee falls for a simulation, what happens immediately after is more important than any module they complete later. Contextual, immediate feedback - explaining why the simulation looked convincing and what to look for next time - is how mistakes convert into learning. A program without this feedback loop is measuring failure, not addressing it.

4. Reporting that does not require manual assembly

Compliance frameworks require documented evidence of ongoing security awareness activity. Boards and senior leadership ask whether the program is working. Both needs require reporting - and for a lean IT team, that reporting needs to be generated automatically rather than assembled from raw data before every review.

Making it Sustainable

The biggest risk in building a security awareness program is designing one that depends on consistent manual input to keep running. A program built around scheduled campaigns, manual reporting, and periodic content updates will degrade over time as other priorities compete for attention. This is not because the IT manager does not care, but because the operational reality of a small team makes sustained manual effort unrealistic.

Karsten Winther Hansen, Operations Director at Frie, described the shift clearly:

"Practice removed the burden of planning campaigns, collecting data, and evaluating results. The program challenges each employee at their own level and provides clear, simple reporting. Pistachio has streamlined our awareness training and strengthened our organization's cybersecurity."

A program that runs in the background - simulating continuously, adapting to each employee, generating reports automatically - is one that does not stop when things get busy.

Compliance as a By-Product, Not a Goal

One of the practical benefits of a well-structured security awareness program is that compliance documentation becomes a by-product of running it, rather than a separate workload. ISO 27001 requires evidence of ongoing security awareness activity. NIS2 requires organisations to address human risk as part of their security posture. Cyber Essentials expects staff training to be in place.

A program that runs continuously and generates audit-ready reports means that when a review arrives, the evidence is already there. The alternative - pulling together documentation manually in the weeks before an audit - is a familiar experience for many IT managers, and not a pleasant one.

How Practice Is Built for This

Practice was designed around the constraints of lean IT teams rather than the assumptions of enterprise security programs.

Deployment takes ten minutes via Microsoft Entra ID. Simulations run automatically across email and Teams, and are personalised to each employee's role and the tools they use. Training adapts to individual performance over time. Reporting is generated automatically and aligned to ISO 27001, NIS2, and Cyber Essentials.

The result is a program that meets all four components outlined above - continuous simulation, realistic content, immediate feedback, and automated reporting - without requiring ongoing administration from a team that does not have the capacity for it.

Automation Is Key

A security awareness program that depends on someone finding time to manage it is not a program - it is a task that keeps getting deprioritised. Building something sustainable means choosing an approach that runs continuously, adapts automatically, and reports without manual effort.

The goal is a program that is still running properly in twelve months, not one that looked good in the first quarter and quietly degraded from there.

See how Practice builds lasting resilience. Email contact@pistachioapp.com to book your 15-minute demo.
