A good way to get employees motivated to do the training is to first run a simulated phishing attack, said Ferrara.
Not only does that provide a baseline metric for how often phishing emails are clicked on, but it also demonstrates to employees that they are vulnerable.
"We had a customer who ran a simulated attack against their IT organization and they had a huge failure rate -- it was a real eye-opener for them -- more than 50 percent of the people failed," said Ferrara. "We used that as motivation to get them to take training. As long as you don't hammer them over the head or belittle them, you can get a great response."