When offices closed in March 2020, most employees stepped outside the corporate firewall almost overnight. Home networks, personal devices, and hastily configured VPN connections created an attack surface that very few IT teams had planned for. In many Turkish companies, this transition happened within days and with little preparation. While IT teams scrambled to keep infrastructure running, employee security training was quietly pushed aside. That was precisely the moment when pandemic-themed phishing attacks began accelerating. Emails disguised as official health authority notifications, government aid application forms, or urgent company policy updates reached employees at their most anxious and distracted. Employees who would have paused at the office clicked far more readily from home. Deferring security awareness training at this point means leaving the organisation’s most exploitable vulnerability completely unguarded.
The core problem with remote training is that traditional formats do not transfer well to this environment. A half-day classroom session on cybersecurity does not work for an accountant or customer service representative sitting at a kitchen table. Attention spans shorten, motivation drops, and content loses its connection to the daily workflow. Observations from mid-sized Turkish companies suggest that completion rates for long online sessions fall noticeably compared to in-person delivery. The first design decision for any remote programme is therefore how to break the content down. The micro-learning approach divides topics into independent five-to-ten-minute modules, each targeting a single behaviour: how to spot a suspicious attachment, how to verify your VPN connection, how to use a password manager. Short, focused, and completable content can be integrated into a working day without disrupting it.
Simulation-based training is the most measurable component of any awareness programme. Sending test emails that mimic real phishing attempts reveals which employees respond to which types of content. There is an important consideration for Turkish organisations applying this method: the simulation must be positioned as a teaching tool, not a disciplinary one. Labelling an employee who clicks as having ‘failed’ is counterproductive. Showing a brief feedback screen at the moment of the click, explaining why the email was dangerous, produces far more durable learning. HR and IT teams need to align on this framing before launching any simulation campaign; without that alignment, the programme generates anxiety and distrust rather than awareness. During the pandemic, the most effective simulation scenarios have carried subject lines referencing government support schemes, remote work policy updates, or company health insurance changes — content that mirrors what employees are actually receiving in their inboxes.
Sustaining a remote training programme requires organisational structure as much as technical infrastructure. Who produces the content, who distributes it, and how are completion rates tracked? In the majority of Turkish SMEs, these questions do not have clear answers. If the IT function is a single person or an outsourced provider, building a comprehensive content production pipeline is not realistic. This is where security awareness platforms offering ready-made content libraries become relevant. These platforms provide Turkish-language content, completion tracking, and simulation modules under annual subscription models. One evaluation criterion deserves particular attention: is the platform content adapted to the Turkish business context? Training built on foreign scenarios and examples struggles to connect with local employees. Before committing to a platform, assess the quality of Turkish-language content and the availability of locally relevant scenarios. In the current environment of currency pressure, dollar- or euro-denominated subscription costs also need to be factored into budget planning.
Measuring programme effectiveness is as important as running the programme itself. Simulation click-through rates, module completion percentages, and knowledge assessment scores show where the programme is working and where it is not. That said, these metrics have a clear limitation: an employee who passes a simulation test may still behave differently under a real attack, because real attacks are far more sophisticated and contextually specific than test scenarios. Measurement data should therefore be used to continuously update the programme, not to declare success. When reporting to senior management, shifting the question from ‘how many people completed the training’ to ‘which behaviours have changed’ makes the programme’s organisational value far more visible and defensible.
Employee fatigue is a genuine obstacle to sustaining remote security training. During the pandemic, employees are managing dozens of new applications, policies, and meetings simultaneously. Inserting a training programme into that noise is difficult. Training frequency and timing are therefore strategic decisions. One five-minute module per week leaves a far more lasting impression than one fifty-minute session per month. Embedding training content into the communication channels employees already use — internal email newsletters, channels within collaboration tools like Teams — places learning inside familiar workflows. In Turkish companies, this integration typically requires coordination between HR and IT teams; a breakdown in communication between those two functions is consistently the most common failure point in awareness programmes.
Security awareness is not a one-time project. It is a continuous programme of organisational behaviour change, and the pandemic has made that reality impossible to ignore. While employees work from home, access company data from personal devices, and spend every day distinguishing legitimate communications from fraudulent ones, even the strongest technical defences are not sufficient on their own. When building a remote programme, combine short modules, realistic simulations, measurable metrics, and a regular update cycle. In Turkish conditions, this work happens under real budget and resource constraints, so start with the highest-risk behaviours and the most exposed groups. Waiting for a perfect programme while deferring basic awareness training means leaving your organisation’s most significant security gap open.
This article was originally written in Turkish by Gökhan MERCANOĞLU on May 18, 2020 and has been machine-translated into English and other languages.