The door no firewall closes
Every organization with some level of security maturity invests in technology: firewall, EDR, multi-factor authentication, network monitoring. These are necessary, non-negotiable layers. But there is one vector that none of these tools can block on its own: the human decision made under pressure, with incomplete information, in a moment of distraction.
The Verizon Data Breach Investigations Report 2025 recorded that the human factor is present in 60% of data breaches globally. In Brazil, the IBM Cost of a Data Breach 2024 indicates that the average cost of a data breach reached R$ 6.75 million, and that phishing attacks were the most common initial vector, present in 16% of incidents. These numbers show that the impact is not only operational. It is financial, legal, and reputational.
The problem is that the human attack surface grows alongside the sophistication of threats, while most companies still treat employee training as a mere formality and fail to recognize its role in information security.
What AI changed in the social engineering game
For years, identifying a phishing attack required little more than basic user attention. Spelling errors, strange senders or domains, poorly formatted layouts, and so on. The indicators were obvious enough that an introductory training could cover them.
That scenario has changed. With mass access to generative AI tools, producing a personalized message in the right tone, with the appropriate vocabulary for each role and without any visible sign of fraud, is no longer the privilege of sophisticated threat groups. Today, any attacker with intent and internet access can build a communication tailored to a specific user that slips past the visual filters people traditionally learned to apply.
More than that, attacks are becoming multi-channel. An e-mail that appears to come from the legal department, followed by a call from someone presenting themselves as the same sender, with details only an insider would know, is layered social engineering. Voice deepfakes have already been used in real attacks to impersonate executives and authorize transfers. An employee who has never trained for this level of sophistication has no way to be intuitively prepared. AI has not just accelerated the volume of attacks; it has raised the quality bar. And that demands a proportional response.
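The checks that still work when the prose is flawless are the ones that look at the message envelope rather than its wording: a display name borrowed from a real colleague on an external address, a Reply-To that quietly redirects the conversation to an attacker-controlled domain, and sender domains that are one substitution away from the company's own (the classic "rn" for "m" swap). The script below is an added illustration written for this article; it is not a BrownPipe tool and not something the awareness program ships. The trusted domain, the directory entry and both sample messages are constructed for the example.

```python
"""Header-level phishing checks that do not depend on spotting bad grammar.

Added example. TRUSTED_DOMAINS, KNOWN_PEOPLE and the two sample messages
are assumed values constructed for this illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed reference data: the organisation's own domain and a directory of
# people whose names attackers are likely to borrow (hypothetical values).
TRUSTED_DOMAINS = {"example.com"}
KNOWN_PEOPLE = {"ana souza": "ana.souza@example.com"}


def normalize_domain(domain: str) -> str:
    """Fold the character substitutions commonly used to build lookalike domains."""
    d = domain.lower()
    for pair, single in (("rn", "m"), ("vv", "w"), ("cl", "d")):
        d = d.replace(pair, single)
    return d.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the plain DP is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain: str) -> bool:
    """A trusted domain or any of its subdomains is not a lookalike."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def analyze_headers(raw_message: str) -> list:
    """Return a list of findings for one raw RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Sender domain that is a near-miss of one of ours.
    if from_domain and not is_trusted(from_domain):
        for trusted in TRUSTED_DOMAINS:
            if (normalize_domain(from_domain) == normalize_domain(trusted)
                    or edit_distance(from_domain, trusted) <= 1):
                findings.append(f"lookalike sender domain: {from_domain} resembles {trusted}")
                break

    # 2. Display name of a known colleague on an address that is not theirs.
    name = " ".join(from_name.split()).lower()
    if name in KNOWN_PEOPLE and from_addr.lower() != KNOWN_PEOPLE[name]:
        findings.append(f"display name '{from_name}' belongs to {KNOWN_PEOPLE[name]}, not {from_addr}")

    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    return findings


# Constructed sample: a BEC-style payment redirect with perfect wording.
SAMPLE_SUSPICIOUS = """\
From: Ana Souza <ana.souza@exarnple.com>
Reply-To: payments@invoice-desk.net
To: finance@example.com
Subject: Updated bank details for invoice 4471

Hi, please use the new account below for this month's payment.
"""

# Constructed sample: the same colleague writing from her real address.
SAMPLE_CLEAN = """\
From: Ana Souza <ana.souza@example.com>
To: finance@example.com
Subject: Invoice 4471

Hi, attached is the invoice for this month.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        print(label, analyze_headers(sample) or "no findings")
```

None of the three checks reads the body, which is the part generative AI has made indistinguishable from legitimate mail. The normalization step catches "exarnple.com", which Levenshtein distance alone would miss (it is two edits away from "example.com"), while the distance check covers single-character typosquats that the substitution table does not list. In practice these signals belong in the mail gateway and in the "report phishing" workflow, so that a user who reports a message gets back a concrete reason rather than silence.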
Why annual training can't keep up
The most common practice is still mandatory annual training. An online module that everyone completes on autopilot, a presentation in a general meeting, or a security policy sent by e-mail for signature. Once the task is done, the topic disappears until the next cycle.
That model was insufficient before AI. With AI, it becomes unsustainable. As the risk landscape changes, organizations are expected to react adequately. That is a duty of care which, when not met, can amount to negligent management, and it tends to surface precisely when the company least wants to discuss it: during incidents, lawsuits, or proceedings before regulatory bodies such as the ANPD. There is a fundamental difference between managers who want only a hollow demonstration of compliance and those who actually want to manage the risk. Third parties can tell the two apart with little effort, which is why the first choice exposes the entire organization to considerably more complex risk scenarios.
Knowledge without reinforcement dissolves fast. An employee who watched a phishing presentation in January and never dealt with the topic again will react in August exactly as they would have reacted without any training at all. On instinct. And instinct, without practice, is exactly what attackers count on.
Secure behavior is not built with one-off information. It is built with repetition, with controlled exposure to real situations, and with immediate feedback when something goes wrong. Phishing simulations work because they create exactly that. The concrete experience of being tricked in a controlled environment, with no real consequences, with learning that sticks because it was lived, not just read.
The difference between an employee who has read about phishing and one who has already clicked on a simulation and understood where they went wrong is the same difference between knowing the theory of driving and having actually driven the route. One of them will react better when the unexpected appears.
Every role carries a different risk profile
Treating the entire organization with the same training content is one of the most common and most expensive mistakes in awareness programs. The risk the finance team faces is not the same that threatens the IT team or the executive board, and training that ignores those differences fails to protect anyone properly.
Finance is a priority target for business e-mail compromise (BEC), attacks in which the intruder impersonates a supplier, executive, or customer to redirect payments or obtain sensitive information. These attacks are built specifically around financial approval flows, often with real context gathered from open sources, and they require training that covers the specific signs of that vector inside that team's routine: a change of bank details requested by e-mail, a Reply-To that differs from the visible sender, urgency attached to an approval that normally takes days.
The IT team faces a paradox. Technical familiarity creates a confidence that can work against security. Attacks aimed at infrastructure professionals use the right vocabulary, simulate alerts from known systems, and exploit the tendency of those who work with technology to assume they can identify what is legitimate. Often they cannot, because the attack was built exactly for that.
Leadership is the target of highly personalized attacks, with extensive prior research in open sources, that exploit the privileged access and decision-making authority of those at the top of the organizational chart. An executive who authorizes an action based on a carefully fabricated communication did not make a common judgment error. They were the victim of a sophisticated attack that most technical controls are not positioned to catch.
Effective training is the one that makes sense to whoever receives it, within the reality of that person's work. Anything beyond that is a compliance check, not real protection.
What happens when getting it wrong has a high cost
There is one element that determines whether an awareness program works or not, and it rarely shows up in discussions about the topic. What the organization does when someone makes a mistake.
If an employee clicks on a simulated phishing message and feels they will be exposed, blamed, or treated as the one responsible for a problem, they quickly learn one thing: to hide it when something suspicious happens. That reflex, in a real incident, is catastrophic. The difference between an attack contained in the first few hours and an incident that spreads over days is, most of the time, how fast someone reported it.
Organizations that build an environment where reporting is the expected and recognized behavior, where the employee who pointed something suspicious out gets positive feedback and not embarrassed silence, those organizations have faster incident responses and more controlled damage. Not because the security team is more competent. Because they receive information in time to act.
That isn't built with a written policy. It is built with consistency. With how the security team responds when someone comes with a question. With the posture of leadership when an incident is communicated before it turns into a catastrophe.
LGPD in this context
Brazil's General Data Protection Law (LGPD) does not mention training explicitly, but Article 6 establishes the principle of accountability. Being compliant is not enough; it is necessary to demonstrate that technical and administrative measures were adopted to protect personal data. A documented training program, with records of periodicity and scope, is part of that demonstration.
The ANPD intensified its enforcement throughout 2024 and 2025, and the absence of evidence of training has appeared as an aggravating factor in infraction notices. In addition, civil liability for data leaks under the LGPD is generally read as strict, that is, not conditioned on proof of fault, although that reading is still contested in Brazilian doctrine. Either way, demonstrating that the organization invested in awareness is a concrete line of legal defense.
How BrownPipe operates on this front
BrownPipe develops training programs and simulated phishing campaigns customized to each client's reality. The starting point is not a catalog of generic modules. It is the understanding of the organization's profile, the most relevant vectors for the sector, and the roles that concentrate the greatest exposure.
These are not generic mass blasts. They are messages crafted based on the organization's profile, the sector it operates in, and the most exposed roles. The goal is not to produce a click-rate report. It is to identify where the team is vulnerable before an attacker identifies it first, and to deliver learning that changes employee behavior.
If your company wants to structure or review its awareness program, our team is available to analyze the scenario and recommend the most appropriate approach.
Content produced by the BrownPipe team. Sources: Verizon DBIR 2025, Check Point Research 2024, Fortinet Security Awareness and Training Global Research Report 2025.