Security awareness and phishing simulation: turning employees into a human firewall
How to protect your SME from cyberattacks through phishing simulations and security awareness training while meeting the legal NIS2 requirements.

The human factor as a gateway in the German Mittelstand
While mid-sized companies invest considerable sums in firewalls and spam filters, the human being often remains the weakest link in the security chain. Cybercriminals deliberately use psychological manipulation, known as social engineering, to elegantly bypass technical hurdles. Managing directors and IT leads in particular carry an enormous responsibility here, because the current BSI situation report 2025 makes the scale of this threat clear: a full 80 percent of registered ransomware attacks were directed against small and mid-sized companies[1]. The attackers know that businesses with fewer than 500 employees often do not have comprehensively trained workforces. A single careless click on a prepared link is enough to paralyze the entire company network.
Why social engineering is so successful in the Mittelstand
Social engineering works because it exploits human behaviors such as helpfulness, respect for authority, or simple curiosity. Perpetrators forge emails from superiors (CEO fraud), pretend there are urgent transfer requests, or send deceptively genuine invoices. Since many small and mid-sized companies meet only 56 percent of the basic IT security requirements on average[1], these highly personalized attacks find easy targets. Making matters worse, the Mittelstand often suffers from a pronounced shortage of skilled workers, which is why security checks frequently fall short in everyday operations. Modern protection must therefore go beyond mere antivirus programs and rely on holistic cybersecurity that includes the employee as an active line of defense.
| Security indicator for SMEs | Current value (BSI / studies) | Significance for management |
|---|---|---|
| Share of ransomware attacks on SMEs | 80 % of all recorded incidents[[cite:https://www.bios-tec.de/2025/11/12/bsi-lagebericht-2025-warum-bayerische-kmu-jetzt-handeln-muessen-950-ransomware-angriffe-und-steigende-bedrohung/]] | Small and mid-sized businesses are in the direct focus of professional attackers. |
| Fulfillment of basic IT security standards | 56 % on average[[cite:https://www.bios-tec.de/2025/11/12/bsi-lagebericht-2025-warum-bayerische-kmu-jetzt-handeln-muessen-950-ransomware-angriffe-und-steigende-bedrohung/]] | The majority of SMEs have significant security gaps in their basic protection. |
| Optimal preparation for cyberattacks | Only 2 %[[cite:https://www.bios-tec.de/2025/11/12/bsi-lagebericht-2025-warum-bayerische-kmu-jetzt-handeln-muessen-950-ransomware-angriffe-und-steigende-bedrohung/]] | Practically no SME is sufficiently prepared for the worst case of a professional hack. |
These figures make clear that conventional IT security concepts are often incomplete. Effective protection requires a combination of technical monitoring and continuous education in the area of security awareness. This is exactly where the holistic cybersecurity of CAVRIX comes in. Through the integration of automated phishing simulations and targeted training, employees are no longer viewed as a security risk but are actively integrated into the company's defense system. Together with our modules for Managed IT and Compliance, this creates a seamless security net that meets the requirements of the modern Mittelstand.
Why classic IT security alone falls short
In many mid-sized companies, the belief still prevails that modern firewalls, spam filters, and antivirus software offer sufficient protection against cyber threats. But this purely technical defense falls short in practice. When attackers send highly sophisticated, deceptively genuine emails, even the best firewall is of no use once credentials are voluntarily entered on fake pages. Cybercriminals deliberately exploit the human factor in order to bypass technical hurdles effortlessly.
According to the representative study by the digital association Bitkom on economic protection in 2024, 81 percent of all companies in Germany were affected by data theft, espionage, or sabotage over the past twelve months[2]. In addition, 65 percent of companies now feel that their existence is threatened by cyberattacks[2]. Attackers increasingly rely on highly sophisticated social engineering to deliberately capture passwords or inject malware. Conventional filters fail against this psychological manipulation.
The limits of technical protective measures in daily operations
Modern email filters and security software do block a large share of standardized spam waves. But with targeted attacks (spear phishing), often composed flawlessly with the help of artificial intelligence and in the name of known business partners, technical systems reach their limits. As soon as an email that has slipped through the filters reaches the inbox, the entire security of the company depends on the vigilance of the employees.
- Technical filters can hardly recognize AI-generated, individually tailored texts as a threat anymore.
- Forged sender addresses and deceptively genuine replicas of login portals lead even experienced employees to disclose confidential data.
- A single careless click can be enough to activate malware across the entire company network and compromise sensitive customer data.
Sustainable protection therefore requires a rethink, away from pure faith in technology and toward a human firewall. This succeeds only through a sensible combination of modern technology and regular training. Within CAVRIX Cybersecurity, this holistic approach is implemented consistently. As a service operated by CITO GmbH, headquartered in Hamburg, CAVRIX combines state-of-the-art technical monitoring with hands-on training.
Effective protection only emerges when technical cybersecurity and the building of threat awareness go hand in hand. Through continuous phishing simulations, employees learn in a protected setting to recognize suspicious patterns immediately and to repel attacks before they cause harm.
Phishing simulations: learning by experience instead of dry theory
Purely technical protective measures regularly fail in the German Mittelstand when the workforce is not trained as an active human firewall. According to the Bitkom study on economic protection in 2024, around 26 percent of the recorded damages are attributable to phishing attacks, in which criminals deliberately exploit the trustfulness of employees. Classic frontal lectures or dry PDF documents, however, achieve little in practice, because they create no real threat awareness. A continuous, hands-on phishing simulation breaks through this dry theory by recreating attacks under real conditions in everyday work.
How simulated attacks work in everyday operations
The principle is simple and highly effective: in the background, harmless but deceptively genuine phishing emails are generated and sent to the employees. These emails imitate typical everyday scenarios such as supposed parcel notifications, fake invoices, or urgent security warnings. If an employee clicks on such a simulated link, they are not punished but immediately receive short, visual feedback. This microlearning explains in an understandable way which concrete features, such as a deviating sender address or an unusual request, could have exposed the phishing email.
- Immediate feedback: employees learn right at the moment of the mistake, which massively increases the learning effect compared to annual training.
- No public shaming: the system works without a wagging finger in order to foster a positive security culture in the company.
- Adjustable difficulty: the simulations adapt to the individual knowledge level of the workforce and become more demanding over time.
- Regularity: short, recurring prompts firmly anchor vigilance in everyday work.
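As an added illustration of the microlearning feedback described above (example code, not the CAVRIX product's own logic), the following Python function takes a constructed simulated CEO-fraud email and lists the concrete features that should have exposed it: an external sender claiming an internal role, a lookalike domain, a diverging reply address, link text that hides a different target, an unencrypted link, and time pressure. All addresses, domains, phrase lists and the similarity threshold are assumptions made for this example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a simulated "CEO fraud" message as an awareness campaign
# might send it; every address and domain here is made up for this example.
SAMPLE_EMAIL = """From: Managing Director Thomas Mueller <t.mueller@example-gmbh-de.com>
Reply-To: finance-desk@quickmail.example
To: anna.schmidt@example-gmbh.de
Subject: Urgent: confirm the transfer today
Content-Type: text/html

<p>Anna, I am in a meeting and need the attached invoice approved immediately.
Please log in within the next hour:</p>
<p><a href="http://example-gmbh-de.com/login">https://portal.example-gmbh.de/approvals</a></p>
"""

ROLE_RE = re.compile(r"\b(managing director|ceo|it support|accounting|human resources)\b")
URGENCY_PHRASES = ("immediately", "urgent", "within the next hour", "today", "right away")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url: str) -> str:
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def explain_red_flags(raw: str) -> list[dict]:
    """Return the concrete features that should have exposed the simulated email;
    each entry becomes one microlearning hint shown right after the click."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    own_dom = _domain(parseaddr(msg.get("To", ""))[1])
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {TAG_RE.sub(' ', body)}".lower()
    sender_dom = _domain(sender)
    flags = []
    if sender_dom != own_dom and ROLE_RE.search(display.lower()):
        flags.append({"feature": "external sender claims internal role",
                      "hint": f"'{display}' writes from {sender_dom}, not from {own_dom}"})
    if sender_dom != own_dom and SequenceMatcher(None, sender_dom, own_dom).ratio() > 0.75:
        flags.append({"feature": "lookalike sender domain",
                      "hint": f"{sender_dom} imitates {own_dom}; compare it character by character"})
    if reply_to and _domain(reply_to) != sender_dom:
        flags.append({"feature": "reply address differs from sender",
                      "hint": f"answers would go to {_domain(reply_to)}"})
    for href, anchor in LINK_RE.findall(body):
        shown = TAG_RE.sub("", anchor).strip()
        if "." in shown and _host(shown) != _host(href):  # visible text vs. real target
            flags.append({"feature": "link text hides a different target",
                          "hint": f"shows {_host(shown)} but leads to {_host(href)}"})
        if urlparse(href).scheme == "http":
            flags.append({"feature": "unencrypted link", "hint": f"{href} is not https"})
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append({"feature": "artificial time pressure", "hint": "phrases: " + ", ".join(hits)})
    return flags
```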
A positive learning effect instead of a blame culture
An essential success factor for protecting mid-sized companies is moving away from a classic blame culture in which mistakes are sanctioned. Fear is a poor advisor in IT security. If employees have to fear being reprimanded or publicly shamed for a wrong click, they are more likely to conceal incidents, which drastically increases the damage in an emergency. The modern modules in the area of cybersecurity from CAVRIX therefore rely on positive reinforcement. Employees are encouraged to actively report suspicious emails, which sustainably strengthens the collective security level.
Measurability of the security level and NIS2 conformity
For managing directors and IT leads, the continuous training of employees is not only a matter of self-protection but increasingly a legal obligation. The European cybersecurity directive requires affected companies to demonstrate training measures for risk reduction. With CAVRIX, this process is documented automatically. The current level of training and the click rates can be viewed at any time in the central Command Center. This transparent measurability provides the necessary evidence to quickly and easily prove legal compliance in the event of an audit. This way, the workforce becomes a reliable part of the defense strategy that sensibly complements the technical barriers.
The role of security awareness within NIS2 conformity
The new European NIS2 directive drastically tightens the cybersecurity requirements in the German Mittelstand. Technical protective barriers such as firewalls and antivirus programs are indispensable, but they fall short when the human factor is not taken into account. A large share of all successful cyberattacks begins with a deceptively genuine phishing email that is opened by an unprepared employee. For this reason, the continuous training of the workforce (security awareness) within a holistic cyber resilience is coming into the focus of lawmakers. Employees must no longer be regarded as a vulnerability but must act as an active human firewall through targeted training.
NIS2 training requirements and the obligations of leadership
The legal requirements are precisely formulated here. Under section 38 paragraph 3 of the new BSI Act (BSIG), members of the management of affected companies are legally obliged to take part in training regularly in order to acquire sufficient knowledge to identify and assess risks[3]. This obligation applies equally to managing directors, IT leads, and internal security officers. It is not only about understanding technical details but about the strategic assessment of cyber risks for maintaining business services. The training obligation of the management forms the foundation for a company-wide security culture.
Failures in this area have far-reaching consequences. If the company management does not fulfill its training and oversight obligation, significant personal liability of the management is looming. In the event of damage, managing directors may be liable with their private assets if it is proven that fundamental security measures and employee training were neglected. The BSI therefore urgently recommends sensitizing not only the executive level but also the entire workforce through ongoing training and phishing simulations in order to effectively reduce the risk of successful attacks.
Minimizing liability risks through seamless documentation
A central aspect for meeting the legal requirements is audit-proof verifiability in everyday operations. The current BSI situation report makes clear that the threat situation for small and mid-sized companies is steadily growing and that cybersecurity is a permanent task[4]. During an audit or after a security incident, managing directors must be able to present seamless evidence of training and simulations carried out. Without this documentation, not only severe fines are looming but also the loss of insurance coverage under cyber insurance policies. A structured training system is therefore an integral part of legally compliant company management.
- Regular management training on risk assessment under section 38 paragraph 3 BSIG.
- Ongoing, interactive security awareness training for all employees.
- Hands-on, unannounced phishing simulations to check security behavior.
- Audit-proof and automated documentation of all training activities for audits.
To handle this regulatory effort without additional burden on internal IT resources, an integrated approach is required. With its service portfolio from the areas of Cybersecurity and Compliance, CAVRIX offers a turnkey solution. Through the central Command Center, managing directors and IT leads can view the current training status and the compliance documentation in real time. This ensures that the company meets the requirements for NIS2 compliance seamlessly from day one and that employees are effectively prepared for real cyber threats.
Establishing a sustainable security culture with the right partner
A resilient defense against cyber risks cannot be achieved through technical protective walls alone. As the Bitkom study "Economic Protection 2024" shows, the annual damage to the German economy from theft, espionage, and sabotage amounts to around 267 billion Euro[2]. Phishing attacks are among the most frequent causes of damage and affect around 26 percent of the companies surveyed[2]. Technical barriers do filter out a large share of harmful emails, but the remaining attacks aim directly at the human factor. To minimize this risk effectively, companies must continuously train their employees and establish them as a human firewall.
Continuous training versus one-off training
Classic training concepts such as annual in-person seminars or dry mandatory videos rarely achieve a lasting effect. The knowledge conveyed there quickly fades in everyday operations, while attackers refine their methods week by week. An effective security awareness only emerges through a continuous training program running in the background. Through regular, realistic phishing simulations, employees learn directly at their workplace to recognize suspicious features in emails in a fraction of a second. This approach anchors vigilance as a fixed part of the daily work routine without disrupting business processes.
- Ongoing hands-on prompts instead of sluggish theory sessions on an annual cycle
- Immediate education right after a simulated click instead of delayed reprimands
- Automatic adjustment of the difficulty level to the individual security level of the departments
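The click rates viewed in the Command Center (see the section on measurability and NIS2 conformity) and the per-department difficulty adjustment listed above can be modelled as follows (added example, not the CAVRIX implementation): per-recipient tracking tokens, click and report events, a department report that pools small groups so that a wrong click cannot be traced back to a named employee from the report alone, and a simple rule for raising or lowering the difficulty level. The level names, the 5 % and 25 % thresholds and the minimum group size are assumptions.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

# Added example, not CAVRIX's implementation. Assumptions: three difficulty levels, and
# reports show only departments of at least MIN_GROUP people, so that a wrong click
# cannot be traced back to a named employee from the management report alone.
LEVELS = ("basic", "intermediate", "advanced")
MIN_GROUP = 5


@dataclass
class Campaign:
    level: str
    recipients: dict = field(default_factory=dict)  # token -> (employee_id, department)
    events: dict = field(default_factory=lambda: {"clicked": set(), "reported": set()})

    def enrol(self, employee_id: str, department: str) -> str:
        # Unguessable per-recipient token embedded in the simulated link
        token = secrets.token_urlsafe(16)
        self.recipients[token] = (employee_id, department)
        return token

    def record(self, token: str, event: str) -> bool:
        # "clicked" comes from the microlearning landing page, "reported" from the
        # report-phishing mailbox; tokens not issued by this campaign are ignored
        if token not in self.recipients or event not in self.events:
            return False
        self.events[event].add(token)
        return True


def department_report(c: Campaign) -> dict:
    """Click and report rates per department; small departments are pooled as 'other'."""
    size = defaultdict(int)
    for _, dept in c.recipients.values():
        size[dept] += 1
    sent, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for token, (_, dept) in c.recipients.items():
        key = dept if size[dept] >= MIN_GROUP else "other"
        sent[key] += 1
        clicks[key] += token in c.events["clicked"]
        reports[key] += token in c.events["reported"]
    return {k: {"sent": sent[k], "click_rate": clicks[k] / sent[k],
                "report_rate": reports[k] / sent[k]} for k in sent}


def next_level(current: str, click_rate: float) -> str:
    """Raise difficulty when almost nobody clicks, lower it when many do, else keep it."""
    i = LEVELS.index(current)
    if click_rate < 0.05:
        return LEVELS[min(i + 1, len(LEVELS) - 1)]
    if click_rate > 0.25:
        return LEVELS[max(i - 1, 0)]
    return current
```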
Relieving the IT department through smart integration
For the already heavily burdened IT teams in the Mittelstand, building and maintaining their own training program is barely manageable. Creating authentic phishing templates, running the campaigns, and evaluating them manually tie up valuable resources. This is exactly where the professionally managed service comes in. When companies outsource their cybersecurity protection, the service provider takes over the entire management of the awareness campaigns in the background.
The integration with the entire IT operation is decisive here. Within Managed IT, technical protection and human prevention mesh seamlessly. All results, reports, and current threat situations come together directly in the Command Center. IT leads keep full transparency over the security status of the organization through their familiar communication channels such as Microsoft Teams or Slack, without having to monitor additional dashboards.
| Criterion | Internal in-house operation | Managed service (CAVRIX) |
|---|---|---|
| Time effort for IT leadership | High due to design, execution, and evaluation | Minimal due to automated operation in the background |
| Currency of the simulations | Static and rarely adapted to new threats | Dynamic and continuously updated based on real attacks |
| Transparency in daily operations | Spread across isolated individual solutions and reports | Centrally bundled in the Command Center for a quick overview |
Frequently asked questions
What is a phishing simulation and how does it work?
A phishing simulation is a controlled, fake cyberattack by email that is carried out during real everyday work. Employees receive a deceptively genuine email. Anyone who clicks on it is immediately trained interactively and in a data-protection-compliant way about the dangers, without any real damage occurring. This way, recognizing suspicious features is trained in a hands-on manner.
Why is a classic firewall no longer enough for SMEs?
Technical protective measures never catch all attacks. Since, according to Bitkom, phishing attacks are responsible for 26 percent of all damages, criminals primarily exploit the human factor. If an employee clicks on a malicious link or discloses credentials, even the best firewall is bypassed and rendered ineffective.
What legal training obligations does NIS2 bring for companies?
The European NIS2 directive obliges affected companies to carry out regular security briefings and training for all employees and the management. Managing directors are personally liable for compliance and must be able to provide corresponding training evidence.
How often should phishing simulations be carried out in the company?
One-off training quickly fizzles out in everyday work. Experts recommend continuous training in which employees are confronted at irregular intervals of a few weeks with various current phishing scenarios. This keeps security awareness permanently high.
How high is the economic damage caused by cyberattacks in Germany?
According to Bitkom, the total annual damage to the German economy amounts to an immense 266.6 billion Euro from data theft, sabotage, and espionage. A large share of this damage can be prevented through improved security controls and the awareness of the workforce.
How can SMEs implement employee training in a resource-efficient way?
Small and mid-sized companies rarely have their own departments for IT security training. An external service provider that offers Cybersecurity and Managed IT from a single source integrates the simulations fully automatically into everyday work and documents NIS2 compliance without additional internal effort.