Most energy organisations already have some form of security awareness training in place. The question worth asking is whether it is working across the full breadth of the workforce, not just the people sitting at desks.
That distinction matters more in energy, oil, and gas than in almost any other sector, because the workforce is not uniform and the training most organisations are running was not designed with that in mind.
The Workforce Problem Most Training Programmes Ignore
A large energy organisation might employ offshore rig workers, field engineers, maritime crews, plant operators, refinery staff, corporate finance teams, and procurement managers, all within the same organisation. They access different systems, work in different environments, have different levels of digital literacy, and face different threats.
A generic phishing simulation built around a corporate email template tells a field engineer or an offshore worker very little about the threats they are likely to encounter. Someone working on a remote site with limited connectivity and no dedicated IT support needs training that reflects their specific situation, not a one-size programme designed for a desk-based environment.
This is not a minor gap. The energy sector's combination of IT and operational technology means a compromised account can have consequences well beyond a data breach. The convergence of systems managing data and communications alongside systems controlling physical infrastructure creates attack surfaces where the stakes of human error are unusually high. And yet the training delivered to the people operating those systems is often the same generic annual module delivered to everyone else.
The Threat Has Moved Faster Than Most Programmes
68% of breaches involve the human element[1]. In energy, as in most sectors, phishing and social engineering remain among the most common initial access vectors. That is not new information. What is new is the scale and sophistication of the threat. Ransomware attacks targeting energy, oil, and utilities organisations increased by 80% in 2024 compared to the previous year[2]. The UK Government's Energy Sector Cyber Security Strategy notes that critical energy infrastructure has been subject to sustained targeting from both financially motivated criminal groups and state-affiliated actors, with the NCSC warning that this activity may be laying the groundwork for future disruption[3].
The Quality of Individual Attacks
AI-generated phishing messages now arrive personalised, contextually accurate, and written in a tone and format that mirror genuine supplier communications or internal alerts. For employees trained to look for spelling errors and suspicious formatting, those signals are gone. A fake invoice request, a plausible system alert, or an urgent message impersonating a colleague can now be constructed convincingly enough to fool people who completed awareness training last year.
The 2021 Colonial Pipeline attack, which forced the shutdown of the largest fuel pipeline in the US and triggered fuel shortages across the east coast, began with a single set of leaked credentials for a VPN account that was not protected by multi-factor authentication[4]. One compromised password, combined with a missing technical control, produced operational consequences far beyond the initial point of access.
If the training programme has not been updated to reflect the current threat landscape, employees are being prepared for attacks that no longer look the way they used to.
Annual Training Is Not Producing Measurable Behaviour Change
Most organisations in the sector have already invested in awareness training. But if training completion rates are high and phishing susceptibility remains unchanged, the organisation has measured participation rather than risk reduction.
The issue is not usually a lack of training. It is that traditional awareness programmes are not designed to change behaviour over time. Annual modules tick a compliance box and are largely forgotten within weeks. Infrequent, obviously constructed phishing simulations teach employees to recognise the exercise format rather than the threat itself. And manual programmes that require IT teams to build campaigns, update templates, chase completions, and compile reports consume scarce security resources on administration rather than risk reduction.
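The distinction between participation and risk reduction is easy to state and easy to lose in a dashboard that only shows completion rates. As an added illustration (example code written for this edit, not part of the original article or of any vendor's product), the script below takes constructed, labelled sample data from three quarterly phishing simulations, computes completion, click and report rates per role cohort, and then classifies each role by whether its click rate has actually fallen. The role labels, cohort sizes and the 90% completion / 25% relative click-rate-reduction thresholds are illustrative assumptions, not figures from the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SimResult:
    """Outcome for one employee in one phishing simulation campaign."""
    campaign: str             # sortable label, e.g. "2024-Q1"
    role: str                 # hypothetical role label used for cohorting
    completed_training: bool  # finished the assigned awareness module
    clicked: bool             # followed the simulated phishing link
    reported: bool            # reported the message to security


def _cohort(campaign: str, role: str, n: int,
            completed: int, clicked: int, reported: int) -> List[SimResult]:
    """Build n constructed results with the given counts (sample data, not real)."""
    return [
        SimResult(campaign, role,
                  completed_training=i < completed,
                  clicked=i < clicked,
                  reported=i >= n - reported)
        for i in range(n)
    ]


# Constructed sample: three quarterly campaigns, 40 people per role.
# Finance completion and click rates both move; offshore completion is
# high every quarter but the click rate never shifts.
SAMPLE: List[SimResult] = (
    _cohort("2024-Q1", "finance", 40, completed=38, clicked=12, reported=6)
    + _cohort("2024-Q2", "finance", 40, completed=39, clicked=7, reported=14)
    + _cohort("2024-Q3", "finance", 40, completed=40, clicked=4, reported=20)
    + _cohort("2024-Q1", "offshore crew", 40, completed=36, clicked=14, reported=3)
    + _cohort("2024-Q2", "offshore crew", 40, completed=38, clicked=13, reported=4)
    + _cohort("2024-Q3", "offshore crew", 40, completed=39, clicked=14, reported=3)
)

Key = Tuple[str, str]  # (campaign, role)


def rates(results: Iterable[SimResult]) -> Dict[Key, Dict[str, float]]:
    """Per (campaign, role): cohort size plus completion, click and report rates."""
    counts: Dict[Key, Dict[str, int]] = defaultdict(
        lambda: {"n": 0, "completed": 0, "clicked": 0, "reported": 0})
    for r in results:
        c = counts[(r.campaign, r.role)]
        c["n"] += 1
        c["completed"] += r.completed_training
        c["clicked"] += r.clicked
        c["reported"] += r.reported
    return {
        key: {
            "n": c["n"],
            "completion": c["completed"] / c["n"],
            "click": c["clicked"] / c["n"],
            "report": c["reported"] / c["n"],
        }
        for key, c in counts.items()
    }


def click_rate_trend(results: Iterable[SimResult], role: str) -> Tuple[float, float]:
    """Click rate for a role in its earliest and latest campaign."""
    by_key = rates(results)
    campaigns = sorted(c for c, r in by_key if r == role)
    if len(campaigns) < 2:
        raise ValueError(f"need at least two campaigns for role {role!r}")
    return by_key[(campaigns[0], role)]["click"], by_key[(campaigns[-1], role)]["click"]


def assess(results: List[SimResult], min_completion: float = 0.9,
           min_click_reduction: float = 0.25) -> Dict[str, str]:
    """Classify each role by whether the programme changed behaviour.

    'behaviour change': click rate fell by at least min_click_reduction
    (relative) between the first and latest campaign.
    'participation only': the failure mode described in the text, where
    completion in the latest campaign is high but susceptibility has not moved.
    'low participation': neither condition holds.
    """
    by_key = rates(results)
    verdict: Dict[str, str] = {}
    for role in sorted({r for _, r in by_key}):
        latest = max(c for c, r in by_key if r == role)
        first, last = click_rate_trend(results, role)
        reduction = (first - last) / first if first else 0.0
        if reduction >= min_click_reduction:
            verdict[role] = "behaviour change"
        elif by_key[(latest, role)]["completion"] >= min_completion:
            verdict[role] = "participation only"
        else:
            verdict[role] = "low participation"
    return verdict


if __name__ == "__main__":
    for (campaign, role), m in sorted(rates(SAMPLE).items()):
        print(f"{campaign} {role:14s} completion={m['completion']:.0%} "
              f"click={m['click']:.0%} report={m['report']:.0%}")
    print(assess(SAMPLE))
```

Run against the sample, the offshore cohort reports 97.5% completion in the latest quarter and an unchanged 35% click rate, so it is classified as "participation only" while finance, whose click rate fell from 30% to 10%, is classified as "behaviour change". A real programme would also want a per-campaign difficulty rating attached to each result, since a falling click rate against identical templates says less than a flat one against harder ones.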
NIS2 is also sharpening scrutiny in this area. For European energy organisations, the directive shifts the question from whether awareness training was completed to whether the programme can demonstrate effectiveness. Boards and senior management are expected to demonstrate oversight of cybersecurity risk management, and "we ran the annual training" is becoming an insufficient answer.
What Effective Training Looks Like in This Environment
The characteristics of effective security awareness training for energy organisations follow from the problem. It needs to be continuous rather than annual, because the threat landscape changes faster than yearly update cycles. It needs to be role-specific, because a field engineer and a finance manager face different threats and need different preparation. And it needs to run without placing significant administrative burden on IT teams that are already stretched across infrastructure, support, compliance, and operations.
Continuous, automated simulations built around the specific communications employees in this sector receive tend to produce stronger engagement and lower phishing susceptibility than generic annual programmes. When difficulty adapts based on individual performance, every employee is being challenged at the right level rather than sitting through content they have already absorbed or that bears no resemblance to the threats they face.
Organisations addressing this are increasingly moving towards automated, adaptive awareness programmes that deliver role-specific training at scale without increasing administrative burden. The goal is not more training. It is training that reaches the right people, reflects the threats they face, and runs consistently without consuming security resources to maintain.
How Can I Achieve This?
Practice from Pistachio delivers security awareness training that changes employee behaviour. It integrates natively with Microsoft 365 and deploys in under 10 minutes, with phishing simulations and training scenarios running automatically from there:
- Staff receive phishing scenarios relevant to their role and the communications they handle, not generic templates
- Training difficulty adapts automatically based on individual performance, with no manual intervention required
- Reporting is built in, supporting NIS2 compliance documentation without additional administrative overhead
- Zero ongoing maintenance: no campaigns to build, no templates to update, no completions to chase
Energy organisations including MFT Energy, Helgeland Kraft, Kalundborg Refinery, and Global Wind Service are already running Practice across their teams.
Most energy organisations already have awareness training in place. The real question is whether it would prevent the next credential compromise before it becomes an operational incident.
See how energy organisations are closing the gap between training and genuine resilience. Email contact@pistachioapp.com to book your 15-minute demo.