Security Awareness Training — Canadian Baseline Control BC.6
What Security Awareness Training Means
Security awareness training is the practice of educating employees about cyber threats and safe computing practices so they can recognize and avoid common attacks. Under the Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089), control BC.6 addresses the need for organizations to establish an ongoing security awareness program that helps all staff understand their role in protecting business data and systems.
Human error remains one of the most common factors in successful cyberattacks. Phishing emails, social engineering calls, and fraudulent websites exploit people rather than technology. A well-designed training program reduces this risk by giving employees the knowledge and habits they need to act as a first line of defence.
This page provides educational information based on publicly available Canadian Centre for Cyber Security guidance. It is not professional cybersecurity advice. Organizations should consult qualified professionals for advice tailored to their specific circumstances.
What the Canadian Centre for Cyber Security Recommends
The CCCS Baseline Controls (ITSM.10.089) recommend that organizations provide security awareness training to all employees on a regular basis. The guidance emphasizes that training should be practical, relevant, and ongoing rather than a one-time exercise.
Key recommendations from the CCCS include:
- Educate all staff on recognizing phishing emails, suspicious links, and social engineering techniques.
- Establish acceptable use policies and ensure employees understand the rules for using organizational IT resources.
- Conduct training regularly, not just at onboarding, to address evolving threats and reinforce good practices.
- Tailor training to roles so that staff with access to sensitive data or administrative privileges receive additional, relevant instruction.
- Encourage reporting of suspicious activity without fear of blame, so potential incidents are flagged early.
The CCCS also maintains the Get Cyber Safe campaign, a Government of Canada public awareness initiative that provides free resources, guides, and materials that organizations can use to supplement their internal training programs.
Why This Matters for Canadian Businesses
Phishing and social engineering are consistently among the most reported cyber threats facing Canadian organizations. The CCCS National Cyber Threat Assessment has repeatedly highlighted that cybercriminals target employees as a primary entry point, particularly in small and medium businesses that may lack dedicated security teams.
For Canadian SMBs, the consequences of a successful phishing attack can include:
- Financial loss from business email compromise, wire fraud, or ransomware payments.
- Data breaches involving customer or employee personal information, triggering obligations under PIPEDA and provincial privacy laws to notify affected individuals and the Office of the Privacy Commissioner of Canada.
- Business disruption if systems are compromised and operations are halted during incident response and recovery.
- Reputational damage that can erode customer trust and affect future business.
Training is one of the most cost-effective security controls available. It does not require expensive technology purchases and can meaningfully reduce the likelihood of successful attacks across multiple threat categories.
How to Get Started
Implementing a security awareness training program does not require a large budget or a dedicated security team. The following steps provide a practical starting point for Canadian SMBs.
1. Assess Your Current State
Before building a training program, understand where your organization stands. Our free cybersecurity assessment evaluates your organization across all 13 Baseline Controls, including security awareness training, and identifies gaps to prioritize.
2. Define Your Training Scope
Identify what topics to cover based on your organization's risk profile. At a minimum, training should address:
- Recognizing phishing emails and suspicious messages
- Safe password practices and the importance of strong authentication
- Identifying social engineering tactics (phone calls, impersonation, pretexting)
- Safe web browsing habits and recognizing fraudulent websites
- Your organization's policies for handling sensitive data and reporting incidents
- Physical security basics such as locking screens and securing devices
3. Leverage Free Canadian Resources
The Government of Canada's Get Cyber Safe website offers free materials including tip sheets, videos, and guides that can be distributed to employees. These resources are written in plain language and cover common threats relevant to Canadians.
4. Establish a Regular Training Cadence
Conduct formal training sessions at least annually, with shorter refreshers throughout the year. Consider tying training to current events — for example, when a major phishing campaign is in the news, use it as a teaching moment. New employees should receive security orientation as part of onboarding.
5. Consider Phishing Simulations
Simulated phishing exercises send realistic but harmless test emails to employees to measure how many click on suspicious links. These exercises provide measurable data on your organization's susceptibility and help identify individuals or departments that need additional training. Several Canadian and international vendors offer affordable phishing simulation platforms suitable for SMBs.
6. Make Training Role-Based
Not all employees face the same threats. Staff who handle financial transactions may need focused training on business email compromise. IT administrators need training on securing systems and recognizing technical attacks. Executives, who are frequently targeted in whaling and spear-phishing campaigns, benefit from tailored awareness sessions.
7. Measure and Improve
Track metrics that indicate the effectiveness of your program:
- Phishing simulation click rates over time
- Number of suspicious emails reported by staff
- Training completion rates
- Time to report actual incidents
Use these metrics to identify areas where your training program needs improvement and to demonstrate progress to organizational leadership.
Common Mistakes to Avoid
Even organizations that invest in security awareness training can make errors that undermine their program's effectiveness. Watch out for these common pitfalls.
One-and-Done Training
Conducting a single annual session and assuming employees will retain the information for the entire year is insufficient. Cyber threats evolve constantly, and retention of training material decreases over time. Regular, shorter reinforcements throughout the year are more effective than a single lengthy session.
Generic, Irrelevant Content
Training that feels disconnected from employees' actual work environments generates disengagement. Use realistic examples relevant to your industry and your organization's specific tools and workflows. Where possible, reference real-world incidents that affected Canadian organizations.
Punitive Approach to Failures
Punishing employees who fail phishing simulations or make security mistakes discourages reporting and creates a culture of fear rather than awareness. The CCCS guidance emphasizes creating an environment where staff feel comfortable reporting suspicious activity. Focus on education and improvement rather than blame.
Ignoring Non-Technical Staff
Security training is sometimes treated as an IT department concern. In practice, every employee who uses a computer, email, or phone is a potential target. Reception staff, accounting teams, and senior executives all need appropriate training for their roles.
Not Connecting Training to Policy
Training is most effective when it reinforces documented policies. Ensure your organization has clear, written acceptable use policies and incident response procedures, and that training directly references these documents so employees know exactly what is expected of them.
Connecting Security Training to Other Controls
Security awareness training does not exist in isolation. It supports and is supported by other Baseline Controls:
- Authentication (BC.5) — Training reinforces the importance of strong passwords and multi-factor authentication by helping employees understand why these measures are necessary.
- Incident Response (BC.1) — Trained employees who recognize and report threats quickly are a critical component of effective incident response.
- Anti-Malware (BC.3) — Awareness training teaches employees not to disable security software and to avoid downloading untrusted files, complementing technical anti-malware controls.
For a complete view of how all 13 Baseline Controls work together, visit the controls overview page or take the free assessment to evaluate your organization's current posture.
Additional Resources
- CCCS Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089)
- Get Cyber Safe — Government of Canada
- Cybersecurity Canada Resources Page
- Free Cybersecurity Baseline Assessment
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.