How EFTA Built a Security‑First Culture with Continuous Awareness Training
How EFTA built a security‑first culture with continuous awareness training, realistic phishing simulations, and a blameless, people‑first approach.
Cybersecurity is no longer just a technical challenge; it’s a human one. At the European Free Trade Association (EFTA), this realization prompted a fundamental shift in how security awareness is approached across the organization.
When Thomas Johansson joined EFTA as Head of IT, strong technical controls were already in place. But something was missing. Security awareness existed, yet it was fragmented and inconsistent, driven by occasional initiatives rather than embedded into everyday work. For a small IT team operating in a rapidly evolving threat landscape, this approach wasn’t sustainable.
The solution
Integrating security awareness into daily work
EFTA needed a solution that was scalable, low‑effort, and continuous, one that wouldn’t rely on manual administration or one‑off training sessions. The answer was to integrate security awareness directly into the employee lifecycle.
Today, every new employee is automatically enrolled in security awareness training from day one. Monthly micro‑trainings and phishing simulations run continuously in the background, exposing staff to real‑world scenarios without disrupting their daily work. Once set up, the program largely runs on autopilot, requiring only a few hours per month from IT.
Realistic phishing simulations, real results
Realistic phishing simulations proved to be one of the most effective elements. Messages were designed to mirror real attacks and appeared to come from familiar internal senders such as HR or senior leadership.
Some campaigns revealed clear areas of risk: a social‑media‑style message asking “Is this you in this photo?” resulted in a click rate of around 40%. But over time, awareness improved significantly. Across the organization, EFTA’s average phishing click rate has dropped to approximately 3%.
Behavioral Change
Driving behavioral change through culture and collaboration
Just as important as the metrics was the cultural shift that followed. By working closely with HR and deliberately promoting a blameless approach, security became a shared responsibility rather than an IT‑only concern.
Employees were encouraged to talk openly about suspicious emails, mistakes, and near‑misses, turning security awareness into a regular topic of conversation rather than a source of anxiety.
Today, phishing awareness isn’t confined to dashboards or reports. It shows up in everyday interactions, sometimes even in conversations over coffee.
As Thomas puts it: technical defenses are essential, but without people, something is always missing. At EFTA, continuous security awareness training has become that missing link, helping to turn employees into a strong, informed first line of defense.
