What’s the Highest-ROI Security Spend? Staff Awareness Training

There's a version of cyber security that costs hundreds of thousands of dollars. Enterprise SIEMs, 24/7 SOC teams, penetration testing programmes - all valuable, all largely irrelevant to most New Zealand SMBs.

And then there's this: for roughly the cost of a coffee per staff member per month, you can harden your people against the attack vector behind 9 out of 10 breaches.

That's not a sales pitch. That's just where the data points.

Or put another way: around 90% of breaches trace back to human error, and reported cyber losses across NZ alone now run to $4M+ per quarter.

Why attackers love your inbox

Phishing is the dominant entry point for cyber-attacks on SMBs because it works. It walks straight past your firewall, and a well-written message with no malicious attachment gives your antivirus nothing to flag. It lands directly in front of a human being and asks them to make a decision - usually under time pressure, often disguised as something routine.

A fake invoice from a known supplier. A password reset request that looks exactly like Microsoft's. An urgent email from "the boss" asking for a quick bank transfer.

These aren't exotic attacks. They're effective precisely because they're ordinary, and no mail filter catches all of them. The last line of defense isn't a piece of software - it's a trained human being who recognises what they're looking at.

The simulation that changes behavior

The most powerful tool in a modern awareness training programme isn't a video or a quiz. It's a simulated phishing test.

Here's how it works: your staff receive a realistic (but safe) phishing email, crafted to mimic the kinds of attacks currently circulating. Those who click receive immediate, in-the-moment coaching - not a telling off, but a brief explanation of what to look for and why it matters. Those who report it correctly are reinforced for doing the right thing.

The research on this is consistent. Organisations that run regular phishing simulations see click rates drop dramatically within the first 90 days. More importantly, staff start applying that awareness to real emails - slowing down, questioning unusual requests, and reporting suspicious activity rather than quietly hoping it goes away.
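The cues that in-the-moment coaching teaches - a display name that doesn't match the sending domain, a lookalike domain, a link that doesn't go where its text says, a Reply-To pointing somewhere else, urgency in the subject line - can be written down as checks. The block below is an added example, not part of Swerve's programme or this post: a small Python triage script that scores constructed sample messages, one for each of the three lures described above plus a genuine notification. The trusted-domain list, the supplier and company names, the simplified "registered domain" logic and the messages themselves are all invented for illustration.

```python
"""Heuristic phishing-cue checker.

Added example (not Swerve's tooling): turns the coaching cues into checks and
runs them over constructed sample messages. Trusted domains, company names and
the messages are all invented for illustration.
"""
import re
from urllib.parse import urlparse

# Assumed for this example: domains the business legitimately receives mail from.
TRUSTED_DOMAINS = {
    "microsoft.com": "Microsoft",
    "microsoftonline.com": "Microsoft",
    "acme-supplies.co.nz": "Acme Supplies",  # hypothetical supplier
    "example.co.nz": "Example Ltd",          # hypothetical: the recipient's own company
}
# Character swaps used to build lookalike domains ('rnicrosoft', 'g00gle').
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
URGENCY = re.compile(r"\b(urgent|immediately|today|suspended|overdue|final notice)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registered_domain(host: str) -> str:
    """'login.microsoft.com' -> 'microsoft.com'; keeps three labels for co.nz-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    cc_style = len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ("co", "com", "org", "net", "govt")
    return ".".join(labels[-3:] if cc_style else labels[-2:])


def normalise(domain: str) -> str:
    """Undo confusable substitutions so 'rnicros0ft.com' compares equal to 'microsoft.com'."""
    for bad, good in CONFUSABLES.items():
        domain = domain.replace(bad, good)
    return domain


def lookalike_of(domain: str):
    """Trusted domain this one imitates (confusables or reuse of the brand label), else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        label = normalise(trusted.split(".")[0])  # 'microsoft', 'acme-supplies'
        if normalise(domain) == normalise(trusted) or label in normalise(domain):
            return trusted
    return None


def check_message(msg: dict) -> list:
    """Findings for one message. Constructed schema: from_name, from_addr, subject,
    optional reply_to, optional links as (anchor_text, href) pairs."""
    findings = []
    from_dom = registered_domain(msg["from_addr"].split("@")[-1])
    sender_brand = TRUSTED_DOMAINS.get(from_dom)
    # 1. Display name claims a brand the sending domain does not belong to.
    for brand in set(TRUSTED_DOMAINS.values()):
        if brand.lower() in msg["from_name"].lower() and sender_brand != brand:
            findings.append(f"display name claims '{brand}' but mail is from {from_dom}")
    # 2. Sending domain is a lookalike of a trusted one.
    if (target := lookalike_of(from_dom)):
        findings.append(f"sender domain {from_dom} imitates {target}")
    # 3. Replies are quietly redirected to a different domain.
    reply_to = msg.get("reply_to")
    if reply_to and registered_domain(reply_to.split("@")[-1]) != from_dom:
        findings.append(f"reply-to {reply_to} does not match sender domain {from_dom}")
    # 4. Link text names one host while the href goes elsewhere, or the href is a lookalike.
    for text, href in msg.get("links", []):
        href_dom = registered_domain(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(0)) != href_dom:
            findings.append(f"link text shows {shown.group(0)} but points at {href_dom}")
        if (target := lookalike_of(href_dom)):
            findings.append(f"link host {href_dom} imitates {target}")
    # 5. Time pressure in the subject line.
    if (hit := URGENCY.search(msg["subject"])):
        findings.append(f"subject applies time pressure: '{hit.group(0)}'")
    return findings


# Constructed samples: one per lure described in the post, plus a genuine notification.
SAMPLE_MESSAGES = {
    "fake_invoice": {
        "from_name": "Acme Supplies Accounts",
        "from_addr": "accounts@acme-supp1ies.co.nz",  # digit 1 standing in for 'l'
        "subject": "Overdue invoice INV-2291",
        "links": [("View invoice", "https://acme-supp1ies.co.nz/pay")],
    },
    "password_reset": {
        "from_name": "Microsoft account team",
        "from_addr": "no-reply@rnicrosoft-online.com",  # 'rn' standing in for 'm'
        "subject": "Unusual sign-in activity - verify immediately",
        "links": [("https://login.microsoftonline.com", "https://login.rnicrosoft-online.com/reset")],
    },
    "ceo_fraud": {
        "from_name": "Sarah Jones (CEO)",
        "from_addr": "sarah.jones@example.co.nz",  # exact spoof of the real address
        "reply_to": "sarahjones.ceo@gmail.com",
        "subject": "Quick favour - need this done today",
    },
    "genuine_notification": {
        "from_name": "Microsoft",
        "from_addr": "account-security-noreply@accountprotection.microsoft.com",
        "subject": "Your monthly statement is ready",
        "links": [("Review activity", "https://account.microsoft.com/activity")],
    },
}


def run_samples() -> dict:
    """Findings per sample; the genuine notification should come back with none."""
    return {name: check_message(msg) for name, msg in SAMPLE_MESSAGES.items()}
```

Run `run_samples()` and the genuine Microsoft notification scores zero findings while each lure raises several. Note what the CEO lure is caught by: only its Reply-To and the urgency wording, because the From address is an exact copy of the real one. A reader's eye can't distinguish that; enforcing DMARC on your own domain at the mail gateway is what stops it, which is why training and basic mail hygiene belong together.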

What $5 per user actually buys you

Swerve's Staff Awareness Training programme is priced for NZ SMBs, not enterprise IT departments. At around $5 per user per month, here's what's included:

  • Monthly training videos covering real, current threats

  • Regular phishing simulations

  • Quiz and completion tracking with reporting your insurer can see

  • Dark web monitoring for your domain and staff credentials

  • Acceptable use policy templates and sign-off documentation

  • A dashboard that shows progress over time, not just a green tick

For a team of 20 people, that's around $100/month. The average cost of a successful cyber incident for an NZ SMB - including downtime, recovery, reputational damage, and potential regulatory exposure - runs into tens of thousands of dollars at minimum.

The math is not complicated.

The insurance angle

We covered this in our last blog, but it's worth repeating - cyber insurers are now asking specific questions about staff training. If you can show a 12-month history of training completions, phishing simulation results, and policy acknowledgements, you are a materially lower risk in their eyes, and that's reflected in both your coverage and your premiums over time.

If an incident occurs and there's no evidence of training, that absence becomes part of the claims investigation. Documentation matters. Consistency matters. A $5/month programme that runs automatically and produces reports is far better than a once-a-year session nobody remembers.

"But our team is pretty switched on"

This is the most common thing we hear - and it's usually said with genuine confidence by business owners whose teams are, genuinely, capable and smart people.

The problem is that phishing attacks aren't testing intelligence. They're testing attention, under pressure, in the middle of a busy day. Even switched-on people click links they shouldn't when they're rushing to clear their inbox before a 2pm call.

The businesses that run phishing simulations are often surprised by the results. Not because their people are careless, but because modern social engineering is specifically designed to defeat normal attentiveness.

Training doesn't insult your team. It gives them a fair advantage against attacks that are deliberately designed to be hard to spot.

Getting started is simpler than you think

There's no complex deployment. No lengthy onboarding. Swerve's programme connects to your Microsoft 365 or Google Workspace environment, and your first simulated phishing test can be running within days.

You get a clear picture of where your team stands today and a structured programme to improve it month by month.

John Harris

Managing Director & Customer Lead
