Security Awareness Training for Vancouver Businesses
Hexafusion runs security awareness training and phishing simulation programs for Vancouver and Lower Mainland businesses. Monthly simulated phishing campaigns, short targeted training modules, board-ready reporting, and the documentation cyber-insurance underwriters and BC privacy regulators ask for. Every program is scoped to your industry and headcount, not pulled off a generic template.
Written by Alex Barari, founder of Hexafusion and a former PCI DSS Internal Security Assessor (ISA). The patterns described here come from running awareness programs at BC dental, legal, accounting, manufacturing, and professional-services clients.
Why training matters even when you have EDR and MFA
EDR catches what slips past prevention. MFA blocks the reuse of stolen passwords. Both are necessary. Neither stops a CFO from wiring funds to an attacker who spoofed the CEO's email. Neither stops an accounts-payable clerk from approving a fake invoice. Neither stops an executive from acting on a deepfake voice or video call that demands an urgent password reset or payment. Those attacks bypass technical controls because the human is the attack surface.
Three reasons awareness training is non-negotiable in 2026:
- Phishing is consistently among the top initial-access vectors in every major annual breach report (Verizon DBIR, IBM Cost of a Data Breach, Canadian Centre for Cyber Security). The exact share moves from year to year, but a large fraction of intrusions still start with a message that a person acted on.
- Business email compromise (BEC) and wire fraud hit Canadian small and mid-market businesses harder than ransomware in dollar terms. Real-estate brokerages, accounting firms, and law firms in BC have lost six and seven-figure amounts to BEC attacks that better email security alone could not have stopped.
- PIPEDA, BC PIPA, and cyber insurers all expect it. PIPEDA's accountability principle lists staff training among the practices an organization must implement, BC PIPA's "reasonable security arrangements" requirement is read the same way, and insurers ask about it at every renewal. Documented evidence of training, completion rates, and remediation is a baseline expectation. Without it, audits and renewals go badly.
What we run for every client
Monthly phishing simulations
12 campaigns per year, sent at unpredictable times. Templates rotate across credential harvest, malware delivery, wire-fraud pretexting, voice-cloning vishing, QR-code phishing, and current-events lures (tax season, holiday shopping, election). Click rate and reporting rate tracked per user.
Just-in-time training
When a user clicks, they immediately get a short interactive module on the specific tactic that fooled them. Five to ten minutes, completion mandatory. Learning sticks better in the moment than during scheduled training weeks later.
Quarterly all-staff modules
Refresher modules on PIPEDA and BC PIPA basics, data handling, removable media, working from home, public Wi-Fi, password hygiene. Each module 10 to 15 minutes, accessible on the user's schedule.
Executive tabletops
Quarterly half-hour walkthroughs of realistic incident scenarios: a fake wire transfer request, a ransomware notification, a phishing campaign targeting the CEO, a leaked credentials alert. Leadership rehearses decisions before they have to make them under pressure.
New-hire onboarding sequence
First-week training covers the basics. Second-week simulation tests retention. Manager gets a completion notification. New hires are baselined and tracked from day one.
Reporting
Quarterly executive report with click rate, reporting rate, completion rate, repeat-offender list, and trend lines. Annual statement of controls for cyber insurance renewal and any external audits.
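As an added illustration of how the numbers in these reports are derived (example code written for this page, not Hexafusion's own tooling or any vendor's), the Python below takes a flat per-user result export and computes the per-campaign click rate, reporting rate and just-in-time completion rate, lists repeat clickers using the three-strike threshold described in the FAQ, and reports the trend across campaigns. The record layout and the sample rows are constructed assumptions; real exports from KnowBe4 or Defender Attack Simulation use their own column names and would need a small mapping step.

```python
"""
Per-campaign awareness metrics from a flat simulation export.
Added example; not Hexafusion or vendor code. The Result layout is an
assumption loosely modelled on phishing-platform exports, and SAMPLE is
constructed data for three monthly campaigns sent to five users.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str   # e.g. "2026-01" (one simulation per month)
    user: str
    delivered: bool  # False for bounces; excluded from every denominator
    clicked: bool
    reported: bool   # user flagged the message via the report button
    trained: bool    # just-in-time module completed (meaningful only if clicked)


# Constructed sample export.
SAMPLE = [
    Result("2026-01", "alice", True,  True,  False, True),
    Result("2026-01", "bob",   True,  True,  False, False),
    Result("2026-01", "carol", True,  False, True,  False),
    Result("2026-01", "dave",  True,  False, False, False),
    Result("2026-01", "erin",  False, False, False, False),  # bounced
    Result("2026-02", "alice", True,  True,  False, True),
    Result("2026-02", "bob",   True,  False, True,  False),
    Result("2026-02", "carol", True,  False, True,  False),
    Result("2026-02", "dave",  True,  False, False, False),
    Result("2026-02", "erin",  True,  False, False, False),
    Result("2026-03", "alice", True,  True,  False, False),
    Result("2026-03", "bob",   True,  False, True,  False),
    Result("2026-03", "carol", True,  False, True,  False),
    Result("2026-03", "dave",  True,  True,  False, True),
    Result("2026-03", "erin",  True,  False, True,  False),
]


def campaign_metrics(results):
    """Click rate, reporting rate and JIT completion per campaign.

    Rates use delivered messages as the denominator so that bounces do not
    flatter the click rate. JIT completion is measured among clickers only.
    """
    by_campaign = defaultdict(list)
    for r in results:
        if r.delivered:
            by_campaign[r.campaign].append(r)
    out = {}
    for c in sorted(by_campaign):
        rows = by_campaign[c]
        n = len(rows)
        clicks = sum(r.clicked for r in rows)
        reports = sum(r.reported for r in rows)
        trained = sum(r.trained for r in rows if r.clicked)
        out[c] = {
            "delivered": n,
            "click_rate": round(clicks / n, 3),
            "report_rate": round(reports / n, 3),
            # nobody clicked means nothing to complete; report 1.0, not a ZeroDivisionError
            "jit_completion": round(trained / clicks, 3) if clicks else 1.0,
        }
    return out


def repeat_clickers(results, strikes=3):
    """Users whose click count has reached the strike threshold (three by default)."""
    counts = defaultdict(int)
    for r in results:
        if r.delivered and r.clicked:
            counts[r.user] += 1
    return sorted(u for u, n in counts.items() if n >= strikes)


def trend(metrics, key="click_rate"):
    """Change in a rate from the first to the last campaign, in percentage points."""
    ordered = [metrics[c][key] for c in sorted(metrics)]
    return round((ordered[-1] - ordered[0]) * 100, 1)


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE)
    for campaign, values in m.items():
        print(campaign, values)
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("click-rate trend (pp):", trend(m))
    print("report-rate trend (pp):", trend(m, "report_rate"))
```

Two choices matter more than the arithmetic. Denominators are delivered messages, not sent messages, because a mailbox that bounced the lure was never tested. And the reporting rate counts users who flagged the message whether or not they also clicked, since a user who clicks and then reports has still done the thing the program is trying to produce. On the constructed data above the click rate moves from 50 to 40 percent while the reporting rate rises from 25 to 60 percent, which is the pattern the rollout table describes for months 4 to 6.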
Platforms we deploy
Platform choice depends on existing licensing, content depth needs, and integration requirements.
KnowBe4
Largest content library, broadest template selection, mature reporting. Our default for clients without existing Microsoft 365 E5 licensing. Good Canadian content coverage.
Microsoft Defender Attack Simulation
Included with Microsoft 365 E5 and Defender for Office 365 Plan 2. No additional license cost. Smaller content library than KnowBe4 but tight integration with Defender for Office 365 telemetry.
Hoxhunt
Strongest behavioural-science engagement model. Game mechanics keep participation high over multi-year programs, where users typically drift. Best fit for larger teams (75 plus users).
Proofpoint Security Awareness
Strong fit when Proofpoint email security is already deployed. Real attack data seen by the gateway informs simulation campaigns. Premium tier.
A realistic 12-month rollout
What the program actually looks like across a year for a typical 25-person Vancouver business:
| Month | Activity | Expected outcome |
|---|---|---|
| Month 1 | Baseline phishing campaign + kickoff all-staff training. | Establish baseline click rate, often 20 to 30 percent. |
| Months 2-3 | Monthly simulations of medium difficulty. Just-in-time training on each click. | Click rate drops 30 to 50 percent from baseline. |
| Month 3 end | First quarterly executive report. Tabletop exercise for leadership. | Identify repeat clickers and high-risk roles. |
| Months 4-6 | Difficulty increases (BEC, wire fraud, voice cloning templates). Quarterly all-staff PIPEDA refresher. | Click rate continues dropping. Reporting rate (users flagging suspicious emails) rises sharply. |
| Months 7-9 | Targeted high-difficulty campaigns at finance, HR, executive roles. Tabletop on a real-world BEC scenario. | High-risk roles trained against the attacks they actually face. |
| Months 10-12 | Annual maturity assessment. Year-end report. Statement of controls drafted for renewal. | Click rate typically 5 percent or lower. Documented evidence ready for insurer and auditor. |
Industry-specific scenarios we run
Generic phishing templates train for generic threats. The attacks that actually succeed are industry-specific. We tune simulations to the verticals we serve:
- Dental and medical clinics. Fake patient referral letters, insurance-claim phishing, vendor invoices for dental supplies, lab-result delivery lures.
- Law firms. Fake court filings, opposing-counsel impersonation, real-estate closing wire-transfer attacks (real-estate-related BEC is one of the highest-loss attack types in BC).
- Accounting firms. Tax-season lures, CRA impersonation, vendor banking-update fraud, client-impersonation requests for trust-account transfers.
- Manufacturing and construction. Supplier banking-update fraud, fake purchase orders, shipping-notification phishing, contractor-impersonation.
- Non-profits. Donor-impersonation, grant-application phishing, board-member email impersonation.
- Financial services. Client-impersonation, regulatory-portal phishing, FINTRAC-related social engineering.
What we will not do
Ethical lines we hold in every program:
- No personal-tragedy lures. Fake "your spouse has been in an accident" templates exist. We do not use them.
- No naming and shaming. Individual results are visible only to the user, their manager, and the security team. Public click leaderboards crush engagement and breach the spirit of awareness training.
- No surprise tabletop exercises with executives. Leadership scenarios are scheduled. Surprise drills exist for incident response, not for awareness training.
- No bonus or compensation tied to click rate. Tying performance reviews to phishing results encourages staff to hide clicks rather than report them, which is the opposite of what good awareness training is supposed to produce.
- No campaigns that abuse internal systems. We do not impersonate HR with fake performance-review or compensation-change emails. The cost of broken trust outweighs the training benefit.
Frequently asked questions
Does security awareness training actually reduce risk?
Yes, measurably. Baseline click rates of 20 to 30 percent commonly drop to under 5 percent after 12 months of monthly simulations plus targeted training. Training alone (without simulation) does not produce this result. The simulation is the active ingredient.
What's included?
Monthly phishing simulations, just-in-time training after clicks, quarterly all-staff modules, executive tabletops, new-hire onboarding, and quarterly reporting. Annual statement of controls for cyber insurance renewal.
Will simulations offend staff?
Not when run correctly. No naming and shaming, aggregate reporting only, respectful tone, no personal-tragedy templates. We have run this at many BC firms without staff complaints when scoped properly.
How does this satisfy PIPEDA and BC PIPA?
PIPEDA Principle 4.1.4 (Accountability) requires organizations to implement policies and practices that give effect to the principles, and explicitly lists training staff among them; the Safeguards principle (4.7) then expects those staff to protect personal information. BC PIPA section 34 requires reasonable security arrangements, and trained staff are part of what "reasonable" means. Our documented evidence (delivery, completion, refresh) is the kind of evidence the Office of the Privacy Commissioner looks for, and often finds missing, in breach findings.
Does cyber insurance ask about training?
Yes. Current renewal questionnaires routinely ask about training frequency, content, simulation cadence, completion tracking, and remediation of repeat clickers. Carriers want evidence the program is real, not a checkbox. We supply renewal-ready statements of controls annually.
What platforms do you use?
KnowBe4, Hoxhunt, Proofpoint Security Awareness, or Microsoft Defender Attack Simulation Training. Choice depends on existing Microsoft 365 licensing, content depth, and client preference.
What happens to repeat clickers?
Three-strike model. Each strike adds remediation: targeted training, manager one-on-one, tightened conditional access. The goal is to reduce risk, not punish, but persistently high-risk users do get extra controls.
Do you train executives differently?
Yes. Executive training covers BEC, wire-fraud red flags, deepfake awareness, and quarterly leadership tabletops. Their threat surface is different (spear phishing, voice cloning) and the training reflects that.
Run a phishing baseline test
Free baseline phishing campaign across your team, anonymous aggregate report, and a recommendation on the right program scope. No commitment.
Related cybersecurity topics
Part of our broader cybersecurity coverage for Vancouver and the Lower Mainland.
