The day started out just like any other workday for Thomas. He drove in to work, flashed his badge to the security guard at the front desk, said hello to his desk neighbor and settled in at his workstation to address a backlog of emails in his inbox. That’s when things went sideways.
A message from a vendor. A companywide announcement. Yet another “reply all” to an ongoing email thread. This morning’s emails were nothing out of the ordinary. Then a strange email caught Thomas’ eye: a request from corporate IT, asking him to update his company profile, including his date of birth, social security number, employee ID and account password.
With a pile of work to do, an all-hands meeting coming up in a few minutes and a million other things on his mind, Thomas clicked the link in the email and complied with the request from IT. Having completed the task, he moved on with his busy day without a second thought. Little did he know, Thomas had just joined countless other victims of the most widespread form of cyberattack: the phishing email.
According to Verizon’s 2021 Data Breach Investigations Report, 85% of the breaches analyzed last year involved a human element. It is typically easier to trick a person than it is to bypass, break or hack a computer system. When cyber-criminals are planning their attack, the path of least resistance often leads them to target human weakness.
Thomas is not a bad employee. He has never clicked a phishing email before and is a stellar performer. He has attended company-mandated cybersecurity training twice per year. But his failure to spot a phishing email allowed an attacker to harvest his personal and company data, leaving him and the company more vulnerable to future attacks. Further, by clicking the attackers’ link and handing over his password, Thomas has potentially given them a foothold on his company’s network. This is how ransomware, malware and other crippling incidents happen.
What can be done? GI Joe says knowing is half the battle; the other half is training. While many companies mandate that employees take time out of their schedules to attend PowerPoint-based presentations on the scary nature of the threat, rarely do businesses (outside of the Fortune 100) conduct real, meaningful training on this front. Having attended numerous slideshow presentations, I can confidently say that they rarely “move the needle” in terms of our behavior outside of the classroom.
Here are a few features of a successful cybersecurity training and awareness program:
Managed by third-party professionals. When an internal IT team decides to conduct its own security training and risk assessment, it inherently has a blind spot. It’s like asking a student to create their own report card: will they ever give themselves an F? The SEAL teams moved away from in-house training and assessment for this exact reason.
Fun, fun, fun! If you’ve ever sat through a slideshow, you know the urge to nod off can be strong. To truly engage the target audience (your people), the training should be entertaining, not dry and antiseptic. This topic is too important to be taken seriously.
Not punitive. Our instinct as managers might be to make an example of employees like Thomas, so that others know what not to do. This is wrong. If we squash Thomas for making a mistake, neither he nor any other member of your team will ever report a possible breach for fear of facing your wrath. We want people reporting phishing attempts and other potential sources of breach, because an early report is often the only thing standing between one harvested password and a full-blown incident.
Automated. Too often, I hear about businesses that say they have a phishing awareness and training program, only to find out that nobody actually “owns” the program. This means it’s an afterthought that usually gets cut when other tasks get prioritized. You need a program that runs every month without requiring a time commitment from your time-strapped IT staff.
Custom. A one-size-fits-all approach is suboptimal when it comes to measuring your company’s risk profile. Sure, people can normally spot a generic phishing attempt (like a Starbucks gift card made out to “valued employee”), but can your CFO spot a spear-phishing attempt that uses his actual personal information gathered from social media? Most of us are vulnerable in one way or another, so it is imperative that our security training program reflects our unique set of vulnerabilities.
The steady drumbeat of news stories covering the latest breaches, often of giant companies and government agencies, can leave us feeling like the fight is futile. The only way to change this narrative is to train regularly and foster a culture of “healthy paranoia,” both within ourselves and our companies. If we’re going to overcome the scourge of cyber-attacks, that is what it will take. Nobody is coming to save us.
Jack Sterling is the co-founder of CloudHound, based in Greenville, South Carolina.