A Single Click Cost MGM Resorts $100 Million
In September 2023, a social engineering phone call to an MGM Resorts IT help desk led to one of the most expensive breaches in hospitality history. The threat actor didn't exploit a zero-day vulnerability. They didn't write a single line of malicious code for initial access. They called a human being and talked their way in. The aftermath: an estimated $100 million in losses, days of disrupted operations, and the personal data of millions of guests exposed.
That incident should be required reading for every executive who still treats cybersecurity training for employees as a checkbox compliance exercise. Because the firewall didn't fail. The endpoint detection didn't fail. A person — an untrained or under-trained person — failed to recognize a well-crafted social engineering attack.
This post is for security leaders, HR directors, and business owners who want to know what actually works when training employees to be the last line of defense. I'll walk through what the data says, where most programs fall short, and the specific steps that produce measurable results in 2025.
The $4.88 Million Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report put the global average cost of a breach at $4.88 million. That's a 10% jump from the previous year and the highest figure IBM has ever recorded. The report also found that organizations with security awareness training and phishing simulation programs spent an average of $258,629 less per breach than those without them.
That's not pocket change. And it's not theoretical. It's the measured difference between organizations that invest in their people and those that don't.
The Verizon 2024 Data Breach Investigations Report tells the same story from a different angle. Sixty-eight percent of breaches involved a human element — whether through credential theft, phishing, social engineering, or simple misconfiguration. That number has hovered between 68% and 82% for years. The attack surface changes. The human element doesn't.
Why Most Cybersecurity Training for Employees Fails
I've audited training programs at dozens of organizations. The pattern of failure is remarkably consistent. Here's what I see over and over.
The Once-a-Year Slideshow
Annual compliance training — a 45-minute slideshow with a quiz at the end — does almost nothing to change behavior. Employees click through it as fast as possible, pass a multiple-choice test they could ace without watching, and forget everything within two weeks. Research presented at USENIX consistently shows that security awareness knowledge decays significantly after four to six months without reinforcement.
Generic Content That Doesn't Match Real Threats
When your training covers threats from 2018 but ignores the QR code phishing campaigns and AI-generated deepfake voice attacks of 2025, employees are being prepared for the wrong war. Threat actors evolve quarterly. Your training content must keep pace.
No Measurement, No Accountability
If you can't tell me your organization's phishing simulation click rate, your repeat offender list, or your mean time to report a suspicious email, your program isn't a program. It's a formality. Effective cybersecurity training for employees is measured, tracked, and improved continuously — just like any other business process.
What Actually Changes Employee Behavior
Let me be specific about what works. These aren't theories. They're practices I've seen reduce phishing click rates from 30%+ down to under 5% within 12 months.
Frequent, Short, Role-Based Training
Replace the annual marathon with monthly micro-training sessions of 5-10 minutes. Tailor content by role. Your finance team needs to understand business email compromise. Your developers need to understand supply chain attacks. Your front desk staff needs to recognize pretexting and tailgating. One-size-fits-all training fits nobody well.
A comprehensive cybersecurity awareness training program delivers role-specific content that employees actually retain because it connects to their daily work.
Realistic Phishing Simulations — Run Monthly
Simulations are the closest thing we have to a fire drill for cyber threats. Run them monthly. Vary the templates. Use current tactics — credential harvesting pages, fake MFA prompts, invoice scams, package delivery lures. When someone clicks, don't punish them. Route them immediately to a brief training module that explains what they missed and why.
If you're looking to stand up a simulation program, phishing awareness training designed for organizations gives you the framework to test, measure, and improve employee resilience against real-world attacks.
Positive Reporting Culture
The single most important metric in any security awareness program isn't the click rate — it's the report rate. I want employees who see something suspicious and immediately flag it. That only happens in organizations where reporting is easy (one-click button in the email client) and rewarded (public recognition, gamification, or simply a thank-you from the security team).
Organizations that punish employees for clicking phishing simulations create a culture of hiding mistakes. That's the exact opposite of what you want.
Multi-Factor Authentication as a Behavioral Standard
Training must reinforce technical controls. Every employee should understand why multi-factor authentication exists, how to use it, and why they should never approve an MFA prompt they didn't initiate. The 2023 MGM breach succeeded partly because the attackers convinced help desk staff to reset MFA for a compromised account. Training on MFA hygiene is non-negotiable.
What Is the Most Effective Cybersecurity Training for Employees?
The most effective cybersecurity training for employees combines three elements: short, frequent, role-specific training modules delivered monthly; realistic phishing simulations that mirror current threat actor tactics; and a positive reporting culture where employees are encouraged to flag suspicious activity without fear of punishment. Programs that include all three elements consistently show phishing click rates below 5% and significantly faster incident reporting times, according to data from industry benchmarks like the Verizon DBIR and NIST guidelines.
The Zero Trust Connection: Training Isn't Optional
If your organization is pursuing a zero trust architecture — and in 2025, you should be — employee training is a foundational pillar, not an afterthought. CISA's Zero Trust Maturity Model explicitly includes identity governance and user awareness as critical components. Zero trust assumes breach. It assumes every access request could be malicious. But the humans inside your perimeter still make decisions every day — which links to click, which MFA prompts to approve, which requests to fulfill.
You can deploy the most sophisticated identity verification system on the market, and a well-crafted social engineering attack can still defeat it if the person on the other end hasn't been trained to recognize the manipulation.
Building a Program That Survives Budget Cuts
Security awareness budgets are always under pressure. Here's how I've helped organizations build programs that leadership actually defends during budget season.
Tie Training to Breach Cost Data
Show leadership the IBM numbers. A $258,000 reduction in breach costs per incident is easy to compare against the cost of a training platform. When you frame cybersecurity training for employees as risk reduction with a measurable return, it stops being an overhead line item.
Report Metrics That Executives Understand
Don't present click rates in a vacuum. Translate them. "Our phishing simulation click rate dropped from 27% to 4% over 10 months. Based on our industry's average breach cost, that behavior change reduces our estimated annual risk exposure by $X." That's a language the C-suite speaks.
Align With Compliance Frameworks
If you operate under HIPAA, PCI DSS, CMMC, SOC 2, or state privacy laws, security awareness training isn't optional — it's mandated. Use compliance requirements as the floor, not the ceiling. The NIST Cybersecurity Framework lists awareness and training as a core protective function (PR.AT). Reference it in your proposals.
What 2025 Threats Demand From Your Training Program
The threat landscape in 2025 demands specific training updates. Here's what your program must address right now.
AI-Generated Phishing and Deepfakes
Large language models have made phishing emails nearly indistinguishable from legitimate communication. The grammatical errors and awkward phrasing that employees once relied on as red flags are gone. Your training must teach employees to verify through out-of-band channels — calling the sender directly, checking with a manager — rather than relying on spotting typos.
Deepfake audio and video are being used in business email compromise variants. In early 2024, a multinational firm in Hong Kong lost $25 million after an employee was deceived by a deepfake video call impersonating the company's CFO. Train employees to verify any financial request through established protocols, regardless of how convincing the source appears.
QR Code Phishing (Quishing)
Attackers are embedding malicious QR codes in emails, physical mail, and even parking meters. These bypass traditional email security filters because there's no clickable URL to scan. Employees need to understand that QR codes can be just as dangerous as links — and that they should never scan a code from an unexpected source.
Ransomware Through Credential Theft
The FBI's 2023 IC3 Annual Report documented a sharp increase in ransomware complaints, with losses exceeding $59 million in reported payments alone — and the actual figure is far higher. Most ransomware attacks begin with stolen credentials or phishing. Training employees to use strong, unique passwords and recognize credential harvesting attempts directly reduces ransomware risk.
A 90-Day Implementation Roadmap
Here's the exact playbook I recommend for organizations starting or overhauling their cybersecurity training for employees.
Days 1-30: Baseline and Buy-In
- Run a baseline phishing simulation across the organization. Don't announce it. Document click rates, report rates, and credential submission rates by department.
- Present results to leadership with breach cost data. Secure budget and executive sponsorship.
- Select a training platform that supports role-based content, simulations, and automated reporting.
Days 31-60: Launch and Train
- Roll out your first round of micro-training modules. Keep them under 10 minutes. Cover phishing, social engineering, password hygiene, and MFA best practices.
- Deploy a one-click phishing report button in your email client.
- Run your second phishing simulation using different templates. Compare against baseline.
- Enroll high-risk departments (finance, HR, executive assistants) in specialized phishing awareness training that addresses business email compromise and wire fraud scenarios.
Days 61-90: Measure and Refine
- Analyze click rate trends, report rates, and training completion rates. Identify repeat clickers for additional coaching — not punishment.
- Run a third simulation using an advanced template (e.g., a fake MFA reset prompt or a QR code lure).
- Deliver a 90-day report to leadership showing trend lines and risk reduction estimates.
- Set a quarterly review cadence to update training content based on emerging threats.
The Metric That Matters Most
After working in this space for years, I'll tell you the one number that tells me whether an organization's training program is working: time to report. Not the click rate. The report rate and the speed of reporting.
When an employee receives a phishing email, recognizes it, and reports it to the security team within minutes, you've built a human sensor network. That's worth more than any single tool in your security stack. A fast report can be the difference between a blocked attack and a full-blown data breach.
Every minute matters. Train for speed. Train for confidence. Train for the instinct to report rather than ignore.
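As an added illustration (not from the original post), the following scores simulation results the way the roadmap and this section describe: per-department click, credential-submission and report rates, median minutes to report, and repeat clickers across campaigns. The event log is constructed sample data and its column layout is an assumption; a real platform's export would be mapped into this shape.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data (not real results). One row per employee per campaign:
# (campaign, employee, department, sent_at, clicked_at or None, submitted_creds, reported_at or None)
EVENTS = [
    ("c1", "alice", "finance", "2025-01-06T09:00", "2025-01-06T09:04", True,  None),
    ("c1", "bob",   "finance", "2025-01-06T09:00", None,               False, "2025-01-06T09:02"),
    ("c1", "carol", "eng",     "2025-01-06T09:00", "2025-01-06T09:30", False, "2025-01-06T09:31"),
    ("c1", "dave",  "eng",     "2025-01-06T09:00", None,               False, None),
    ("c2", "alice", "finance", "2025-02-03T09:00", "2025-02-03T09:10", False, None),
    ("c2", "bob",   "finance", "2025-02-03T09:00", None,               False, "2025-02-03T09:01"),
    ("c2", "carol", "eng",     "2025-02-03T09:00", None,               False, "2025-02-03T09:45"),
    ("c2", "dave",  "eng",     "2025-02-03T09:00", None,               False, None),
]

def _minutes_between(start, end):
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 60

def campaign_metrics(events, campaign):
    """Per-department rates (percent of emails sent) and median minutes from send to report."""
    by_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "creds": 0, "reported": 0, "ttr": []})
    for camp, _emp, dept, sent_at, clicked_at, creds, reported_at in events:
        if camp != campaign:
            continue
        d = by_dept[dept]
        d["sent"] += 1
        d["clicked"] += int(clicked_at is not None)
        d["creds"] += int(creds)
        if reported_at is not None:
            d["reported"] += 1
            d["ttr"].append(_minutes_between(sent_at, reported_at))
    return {
        dept: {
            "click_rate": round(100 * d["clicked"] / d["sent"], 1),
            "cred_rate": round(100 * d["creds"] / d["sent"], 1),
            "report_rate": round(100 * d["reported"] / d["sent"], 1),
            "median_minutes_to_report": median(d["ttr"]) if d["ttr"] else None,
        }
        for dept, d in by_dept.items()
    }

def repeat_clickers(events, min_campaigns=2):
    """Employees who clicked in at least min_campaigns distinct campaigns: candidates for coaching."""
    clicks = defaultdict(set)
    for camp, emp, _dept, _sent, clicked_at, _creds, _rep in events:
        if clicked_at is not None:
            clicks[emp].add(camp)
    return sorted(emp for emp, camps in clicks.items() if len(camps) >= min_campaigns)
```

Comparing `campaign_metrics(EVENTS, "c1")` against `campaign_metrics(EVENTS, "c2")` gives the baseline-versus-follow-up trend the 90-day report calls for.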
Your Employees Are Your Attack Surface — Train Accordingly
Threat actors will always take the path of least resistance. Right now, in 2025, that path runs straight through your employees' inboxes, phone lines, and collaboration platforms. No firewall, no EDR tool, no SIEM dashboard changes that reality.
What changes it is deliberate, consistent, measured investment in your people. Start with a comprehensive cybersecurity awareness training program that gives your workforce the knowledge to recognize threats. Layer in realistic simulations. Build a culture where reporting is celebrated.
The organizations that treat cybersecurity training for employees as a strategic function — not a compliance chore — are the ones that don't end up in the next breach headline. That's a position worth defending.