Security Awareness Training Is Still Failing. Here’s Why.

Most organizations have security awareness training. That does not mean they have reduced human risk. Verizon’s 2025 Data Breach Investigations Report found that the human element was involved in roughly 60% of breaches, and credential abuse accounted for 22% of initial access in non-error, non-misuse breaches.
For public sector organizations, that should be a wake-up call. Verizon’s 2025 Public Sector Snapshot found that System Intrusion, Miscellaneous Errors, and Basic Web Application Attacks accounted for 78% of public sector breaches, and for state, local, tribal, and territorial entities those top patterns accounted for 79% of breaches. The same snapshot notes that in social engineering incidents, phishing remains the “tried-and-true favorite.”
The FBI’s 2024 IC3 report reinforces the same point. Phishing/spoofing generated 193,407 complaints, making it the most reported cybercrime category, while business email compromise caused about $2.77 billion in reported losses.
Why training still misses the mark
The problem is not that organizations ignore awareness training. The problem is that many programs are built to satisfy compliance, not to change behavior. NIST research found that 84% of programs measured effectiveness through training completion rates and 72% relied on phishing click rates. Those are easy to track, but they do not prove employees are consistently making better security decisions.
That gap is where many programs fail. Employees may complete annual training, acknowledge policies, and even participate in phishing simulations, while the organization still struggles with repeat offenders, weak reporting habits, and little evidence that risky behavior is actually declining. NIST’s research specifically notes that organizations often rely on policy-compliance metrics rather than measuring real impact.
Why this matters for local government and GovTech SaaS
Local governments are high-value targets because they provide essential public services and often operate with constrained resources. GovTech SaaS providers face a related challenge: they are trusted vendors in the public-sector ecosystem, so human failure inside the provider can become operational, reputational, or third-party risk for customers. Verizon’s 2025 DBIR also found that third-party involvement in breaches rose from 15% to 30%, making vendor-side human risk even harder to ignore.
Why this still shows up in SOC 2 environments
A SOC 2 Type II report is valuable, but it is not proof that security awareness training is effective. Publicly available data does not provide a reliable benchmark for the percentage of SOC 2 Type II reports with security awareness training (SAT) exceptions, because those reports are generally restricted-use. What is clear, however, is that organizations can have policies, training platforms, and scheduled campaigns in place and still fail to operate those controls consistently enough to reduce risk. That is the difference between documenting a control and proving it works. NIST’s findings on overreliance on completion and click-rate metrics help explain why that gap persists.
What stronger programs do differently
Effective programs are run like risk-reduction programs, not annual HR exercises. They focus on behavior, repetition, and accountability. The strongest organizations measure reporting rates, repeat failures, and trends over time. They use short, continuous reinforcement instead of once-a-year awareness events. They connect phishing failures to coaching, align training to current threats, and support awareness with technical controls such as phishing-resistant MFA, stronger email security, and tighter access controls. Verizon’s data on credential abuse and third-party exposure makes clear why awareness must be paired with real operational controls.
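As an added illustration that is not part of the original post, the Python below computes the two kinds of metric this section contrasts over a small set of constructed phishing-simulation records: the completion rate that looks fine on a compliance dashboard, beside per-campaign report rate, repeat clickers, and the trend between campaigns. The record fields and outcome labels are assumptions, not any particular platform's export format.

```python
from collections import defaultdict

# Constructed sample data (not real results): one record per user per simulation campaign.
# outcome is "reported" (user flagged the lure), "clicked" (fell for it), or "ignored".
RECORDS = [
    {"campaign": 1, "user": "alice", "completed_training": True, "outcome": "reported"},
    {"campaign": 1, "user": "bob",   "completed_training": True, "outcome": "clicked"},
    {"campaign": 1, "user": "carol", "completed_training": True, "outcome": "ignored"},
    {"campaign": 1, "user": "dave",  "completed_training": True, "outcome": "clicked"},
    {"campaign": 2, "user": "alice", "completed_training": True, "outcome": "reported"},
    {"campaign": 2, "user": "bob",   "completed_training": True, "outcome": "clicked"},
    {"campaign": 2, "user": "carol", "completed_training": True, "outcome": "reported"},
    {"campaign": 2, "user": "dave",  "completed_training": True, "outcome": "ignored"},
]


def completion_rate(records):
    """Fraction of distinct users who finished training: the compliance metric."""
    users = {r["user"]: r["completed_training"] for r in records}
    return sum(users.values()) / len(users)


def campaign_rates(records):
    """Per-campaign click rate and report rate: the behavioural metrics."""
    by_campaign = defaultdict(list)
    for r in records:
        by_campaign[r["campaign"]].append(r["outcome"])
    rates = {}
    for campaign, outcomes in sorted(by_campaign.items()):
        n = len(outcomes)
        rates[campaign] = {"click_rate": outcomes.count("clicked") / n,
                           "report_rate": outcomes.count("reported") / n}
    return rates


def repeat_clickers(records, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: coaching candidates."""
    clicks = defaultdict(int)
    for r in records:
        if r["outcome"] == "clicked":
            clicks[r["user"]] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def trend(rates, key):
    """Change in a metric from the first to the latest campaign (falling clicks, rising reports = improvement)."""
    campaigns = sorted(rates)
    return rates[campaigns[-1]][key] - rates[campaigns[0]][key]
```

On this sample the completion rate is 100% while half the users clicked in the first campaign, which is exactly the gap between documenting a control and proving it works.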
The bottom line
Security awareness training is not failing because employees do not care. It is failing because too many programs are designed to prove completion instead of reducing human risk. For local governments and GovTech SaaS providers, that is a dangerous mistake. The organizations that improve outcomes are the ones that treat security awareness as an ongoing business risk issue, not a yearly compliance task.
How Iron Wing Security Can Help
At Iron Wing Security, we help organizations move beyond checkbox awareness programs and build practical security awareness strategies that actually reduce risk.
If your team is completing training but phishing, credential misuse, and user-driven exposure are still showing up in audits, incidents, or near misses, it may be time to rethink the program.
Iron Wing Security can help you assess your current approach, identify gaps, and build a measurable awareness strategy that stands up to both real-world threats and compliance scrutiny.