Thomas Wold Johansen knows all about when security awareness training doesn’t work. In a previous role he was dealing with a static, inflexible process of sharing IT-security throughout the company, and had problems getting staff to engage in IT security training programs.
The European Free Trade Association (EFTA) is the intergovernmental organisation of Iceland, Liechtenstein, Norway and Switzerland, set up for the promotion of free trade and economic integration between its members, within Europe and globally.
When Thomas Wold Johansen joined EFTA as Head of IT, he brought with him a clear vision of what cybersecurity training should, and shouldn’t, be. In a previous role, he had worked with a cumbersome, traditional training platform that relied on classroom-based learning. Attendance was low, engagement was minimal, and the training content was static and far from practical.
Upon starting his new role, one of his first priorities was to establish a solid cybersecurity training solution that employees would actually value and benefit from. For him, finding the right partner in cybersecurity training was essential, a “no brainer” in building an effective security culture across the organization.
“The program needed to engage a multinational workforce, stay relevant to modern cyber threats, and allow our employees to develop awareness without time-consuming administrative tasks,” Thomas said.
The initial impression of Nimblr was overwhelmingly positive. The platform was straightforward to implement and administer, offering SaaS-based convenience and an expert-driven focus on the latest cyber threats.
“The platform requires minimal time on my part, and operates autonomously,” Thomas said. “It was straightforward to implement and administer, offering SaaS-based convenience and an expert-driven focus on the latest cyber threats.”
“The awareness level has increased significantly. Nimblr’s automated tracking and reminders for missed courses have been invaluable, making it easy to monitor and follow up on employee participation, ensuring steady engagement.”
The training modules and phishing simulations are designed to address real-world, current threats, engaging users in highly relevant, bite-sized microlearning sessions. For a globally dispersed workforce of 160-170 users, the company found great value in Nimblr’s multilingual support, and both the tone and quality of the training content were well received.
Nimblr also identified trends within the organization. For instance, there was a spike in the click rate annually as contract employees cycled out and new employees began training. This insight allowed Thomas to proactively address new employees' learning needs, reducing their click rates faster over time.
Thomas noted a strong internal response, especially to the phishing simulations, which sparked conversations among employees. Staff were curious about details such as the sender's identity, language, and the logo or company represented in the phishing emails. These discussions helped raise awareness about cybersecurity practices across the organization.
“As an IT professional, I take things like domain security for granted, but not everyone has that background, and it’s essential for them to learn,” Thomas said.
One standout result was HR's active engagement, as they present quarterly reports on training progress to upper management, fostering interest and raising awareness at the executive level. This collaboration has also sparked a friendly competition between departments, helping to increase overall cybersecurity awareness, Thomas noted.
“The awareness level has increased significantly, Thomas said. “Nimblr’s automated tracking and reminders for missed courses have been invaluable, making it easy to monitor and follow up on employee participation, ensuring steady engagement.”
Furthermore, quarterly reporting provided clear insights into participation and progress, creating a data-driven approach to improving cybersecurity. The automation of reminders and follow-ups relieved the Head of IT of administrative tasks, while flexible course timings and learning modules suited users who were often traveling, working remotely, or on varied schedules. The accessibility and continuity of the training contributed to a smooth, consistent learning experience for all employees.
One of the most rewarding outcomes has been the close collaboration with HR and executive management. The visibility and recognition of the cybersecurity initiatives have helped highlight the importance of training across all departments. Additionally, the security awareness programs had a measurable impact on company culture; with employees casually discussing phishing campaigns, even at the coffee machine.
“The partnership with HR and management has been one of the most surprising and positive experiences, by far,” Thomas concludes.