Updated May 22, 2026
The European Free Trade Association (EFTA) is the intergovernmental organisation of Iceland, Liechtenstein, Norway and Switzerland, set up for the promotion of free trade and economic integration between its members, within Europe and globally.
The Challenge
When Thomas Johansson joined EFTA as Head of IT, security awareness training existed but only barely. Initiatives were ad hoc, inconsistent, and disconnected from the daily rhythms of the organisation. With a small IT team and a fast-moving threat landscape, maintaining a relevant programme internally was simply not feasible.
"There were some ad hoc initiatives in the past, but there was a missing piece related to doing this on a continuous basis," Thomas said. What he needed was something that ran itself and actually changed behaviour.
The Solution
EFTA implemented Nimblr and integrated it directly with their identity management system, Entra ID. New employees are automatically enrolled from day one; when someone leaves, they're removed. The programme runs itself.
Monthly phishing simulations and training modules run on a continuous schedule, with the platform adapting based on how individual users respond. For Thomas, this low-touch model was essential: the day-to-day management now takes just a few hours a month.
The training modules and phishing simulations are designed to address real-world, current threats. For a globally dispersed workforce of 160–170 users, Nimblr's multilingual support was particularly valuable, and both the tone and quality of the training content were well received.
Critically, this became an organisational project, not just an IT one. EFTA's HR team co-owns the programme, helps phrase feedback to divisions, and presents progress to leadership quarterly driving buy-in at every level.
"The platform requires minimal time on my part and operates autonomously. It was straightforward to implement and administer, offering SaaS-based convenience and an expert-driven focus on the latest cyber threats." — Thomas Johansson, Head of IT, EFTA
The Results
After two and a half years and nearly 4,000 simulations sent, EFTA's organisation-wide click rate sits at approximately 3%.
That number means more when you see what it's measured against. One simulation mimicking a message asking "is this you in this photo?" recorded a 40% click rate when first deployed. It's a striking illustration of how even careful, technically-minded employees can be caught off guard, and exactly why continuous training matters.
Nimblr also identified a recurring trend: click rates spiked annually as contract employees cycled out and new staff began training. This insight allowed Thomas to proactively address new employees' learning needs, reducing their click rates faster over time.
Quarterly reporting provided clear insights into participation and progress, creating a data-driven approach to improving cybersecurity. The automation of reminders and follow-ups relieved the Head of IT of administrative tasks, while flexible course timings and learning modules suited users who were often travelling, working remotely, or on varied schedules contributing to a smooth, consistent learning experience for all employees.
One standout result was HR's active engagement, presenting quarterly reports on training progress to upper management and fostering a friendly competition between departments helping to increase overall cybersecurity awareness across the organisation.
The numbers tell one story. The culture tells another. Thomas recalls walking past a coffee area and overhearing colleagues debating whether a recent simulation was real. That moment, he says, was a bigger win than any metric.
"When you have one example at 40%, it really hits. But our overall click rate is around 3%, which I think shows that the programme is working." — Thomas Johansson, Head of IT, EFTA
The End User Perspective
Nathan Ricks works in the Financial Mechanism Office (FMO), a division of EFTA and comes to cybersecurity not as an IT professional, but as a user.
"I don't have a specific cybersecurity background," he says. "But with each training, you learn something new a different angle to approach things from. It gives you a general confidence as a user."
That confidence has become practical. Nathan and his colleagues now routinely hover over links to inspect full URLs, scrutinise domain structures in emails, and report suspicious messages directly from their email client, a feature EFTA recently introduced.
What's changed most is the parallel with real life. EFTA is now receiving actual phishing attempts that mirror the simulations almost exactly a sign of how current the training content is, and how much it matters.
"What we're seeing in the trainings is what we're getting in real life. It gives us the grounding to fall back on something." Nathan Ricks, FMO, EFTA
The Takeaway
The partnership with HR and management, the blameless culture around mistakes, and the integration from day one of onboarding — these are what turned a security tool into a security culture.
"The partnership with HR and management has been one of the most surprising and positive experiences, by far." — Thomas Johansson, Head of IT, EFTA
About EFTA
The European Free Trade Association (EFTA) is the intergovernmental organisation of Iceland, Liechtenstein, Norway and Switzerland, set up for the promotion of free trade and economic integration between its members, within Europe and globally.
About Nimblr
The training modules and phishing simulations are designed to address real-world, current threats, engaging users in highly relevant, bite-sized microlearning sessions.
"The awareness level has increased significantly. Nimblr's automated tracking and reminders for missed courses have been invaluable, making it easy to monitor and follow up on employee participation, ensuring steady engagement." — Thomas Johansson, Head of IT, EFTA
