Knowledge base for security awareness, phishing and NIS2

The 2LRN4 knowledge base is built for topical authority. It includes 146 in-depth articles on phishing, employee behavior, NIS2, security awareness strategy and incidents or data breaches.

Employee behavior

API security awareness for end users

Practical guidance on API security awareness for end users, for organizations that want to improve secure behavior structurally.

Behavior change in security awareness

Practical guidance on behavior change in security awareness for organizations that want to improve secure behavior structurally.

Clean desk policy explained

Practical guidance on clean desk policy for organizations that want to improve secure behavior structurally.

Cloud security basics for end users

Practical guidance on cloud security basics for end users for organizations that want to improve secure behavior structurally.

Device security basics

Practical guidance on device security basics for organizations that want to improve secure behavior structurally.

Employees are more digitally skilled than you think

Never underestimate your employees' digital skills; if anything, underestimate how poorly we sometimes explain things. Treat people as professionals and your weakest link becomes your strongest defence.

How do I get employees to actually take security training?

Practical guidance on getting employees to take security training for organizations that want to improve secure behavior structurally.

How do I make security training engaging?

Practical guidance on making security training engaging for organizations that want to improve secure behavior structurally.

How to build a security culture

Practical guidance on security culture for organizations that want to improve secure behavior structurally.

How to engage employees in security awareness

Practical guidance on how to engage employees in security awareness for organizations that want to improve secure behavior structurally.

How to secure the mobile workplace

Practical guidance on securing the mobile workplace for organizations that want to improve secure behavior structurally.

Implementing multi-factor authentication in your organisation

Multi-factor authentication is one of the most effective measures against account takeover. This is how to roll it out step by step, without too much friction or unclear exceptions derailing the project.

Incident reporting without blame

Practical guidance on incident reporting without blame for organizations that want to improve secure behavior structurally.

Microlearning for employees with limited time

Practical guidance on microlearning for employees for organizations that want to improve secure behavior structurally.

Password management best practices

Practical guidance on password management best practices for organizations that want to improve secure behavior structurally.

Physical security awareness in the workplace

Practical guidance on physical security awareness for organizations that want to improve secure behavior structurally.

Recognising personal data in your daily work

Privacy starts with recognition. Once you know which data is personal data, you handle it more carefully by default. A practical guide for your daily work.

Security awareness in education

Practical guidance on security awareness in education for organizations that want to improve secure behavior structurally.

Security awareness in onboarding new employees

The most underrated awareness opportunity is onboarding. Why the first weeks set the tone, why a simple welcome video beats a glossy e-learning, and how it becomes a flywheel.

Security awareness onboarding for teachers and staff

Practical guidance on security awareness onboarding for teachers and staff, for organizations that want to improve secure behavior structurally.

Use mobile data or secure Wi-Fi while travelling

Free public Wi-Fi is convenient but risky for work email and sensitive accounts. Why mobile data is almost always safer, how to recognise public networks, and what to give your employees concretely.

What are the most common security mistakes employees make?

Practical guidance on common security mistakes employees make for organizations that want to improve secure behavior structurally.

What to do with a privacy request from a customer or colleague

Someone asks what data you hold on them, or wants it deleted. What are data subjects' rights under the GDPR, and what do you, as an employee, do when such a request reaches you?

When a VPN for employees does and doesn't help

Practical guidance on VPNs for employees for organizations that want to improve secure behavior structurally.

When gamification in awareness backfires

Gamification only motivates when the game is about safety, not about points. Why the score can crowd out safe behaviour, and how to use game elements well.

When gamification works in awareness

Practical guidance on gamification in awareness for organizations that want to improve secure behavior structurally.

Why employees click on phishing

Practical guidance on why employees click on phishing for organizations that want to improve secure behavior structurally.

Why employees do not report security incidents

An employee who does not report is not a risk but a symptom of a culture that punishes. Why reporting must be easy and safe, and how to build a reporting culture.

Why security awareness lands faster in private life

Practical guidance on why security awareness lands faster in private life, for organizations that want to improve secure behavior structurally.

Why small behavior interventions often have bigger impact

Practical guidance on small behavior interventions in security awareness for organizations that want to improve secure behavior structurally.

Security awareness strategy

A communication plan for security awareness

Practical guidance on a security awareness communication plan for organizations that want to improve secure behavior structurally.

Awareness for HR and onboarding

Practical guidance on awareness for HR and onboarding for organizations that want to improve secure behavior structurally.

Awareness programmes fail without a risk analysis

If you train on everything, nobody learns what really matters. Why role-based segmentation, built on a risk analysis, makes awareness shorter, sharper and more effective.

Cyber charlatans: beware of fear sellers in awareness

Whoever sells awareness with fear sells not safety but dependence. How to recognise fear sellers and why real awareness builds competence, not panic.

How long should security training take?

Practical guidance on how long security training should take, for organizations that want to improve secure behavior structurally.

How much does security awareness elearning cost?

Practical guidance on what security awareness elearning costs, for organizations that want to improve secure behavior structurally.

How often should employees take security training?

Practical guidance on how often employees should take security training, for organizations that want to improve secure behavior structurally.

How to build a security awareness program

Practical guidance on building a security awareness program for organizations that want to improve secure behavior structurally.

How to choose a security awareness platform

Practical guidance on choosing a security awareness platform for organizations that want to improve secure behavior structurally.

How to choose between SCORM and a standalone awareness platform

Practical guidance on SCORM versus a standalone awareness platform for organizations that want to improve secure behavior structurally.

How to choose security awareness content

Practical guidance on choosing security awareness content for organizations that want to improve secure behavior structurally.

How to measure security awareness

Practical guidance on how to measure security awareness for organizations that want to improve secure behavior structurally.

Localizing security awareness content

Practical guidance on localizing security awareness content for organizations that want to improve secure behavior structurally.

Security awareness and customer trust

Practical guidance on security awareness and customer trust for organizations that want to improve secure behavior structurally.

Security awareness elearning vs standalone training

Comparison for organizations choosing between a structural elearning approach and standalone awareness sessions.

Security awareness for government and municipalities

Practical guidance on security awareness for government and municipalities that want to improve secure behavior structurally.

Security awareness in healthcare

Practical guidance on security awareness in healthcare for organizations that want to improve secure behavior structurally.

Security awareness KPIs for CISOs

Practical guidance on security awareness KPIs for organizations that want to improve secure behavior structurally.

Security awareness roadmap for 12 months

Practical guidance on a 12-month security awareness roadmap for organizations that want to improve secure behavior structurally.

Security awareness ROI: what does it actually deliver?

Practical guidance on security awareness ROI for organizations that want to improve secure behavior structurally.

Security awareness stays 'an IT thing'

Security feels technical until you show it happens in your own pocket every day. Why recognition, not technology, drives behaviour change, and how to make security everyone's.

Security awareness vendor selection: the right questions

Practical guidance on security awareness vendor selection for organizations that want to improve secure behavior structurally.

The pitfall of the baseline survey in awareness

A baseline nobody dares to discuss is not a measurement but a reckoning. Why a baseline survey only works when it feels safe, and how to turn it into a starting point.

What is security awareness elearning?

Definition and practical guidance for teams that want to understand when elearning fits within an awareness approach.

What is security awareness?

Practical guidance on what security awareness is, for organizations that want to improve secure behavior structurally.

What the shrinking time-to-exploit means for your organisation

The time-to-exploit is shrinking from a year to just over a day, and possibly to hours. What that means for your IT, your organisation and your security awareness programme.

Which topics should a security training cover?

Practical guidance on which topics security training for employees should cover, for organizations that want to improve secure behavior structurally.

Why awareness programs fail

Practical guidance on why awareness programs fail for organizations that want to improve secure behavior structurally.

Why security awareness collapses during busy periods

Awareness does not collapse because of busyness, but because of plans that pretend the busyness does not exist. How to plan smarter, not do more.

Why security awareness often fails

When fewer than 1% of staff take part, it is rarely the training content. Awareness is change management: meaning, leadership and rhythm decide whether it lands.

NIS2 and compliance

Acceptable use policy (AUP): what it should cover

Practical guidance on acceptable use policies (AUP) for organizations that want to improve secure behavior structurally.

AI governance and awareness in one program

Practical guidance on combining AI governance and awareness for organizations that want to improve secure behavior structurally.

Board reporting and awareness in the public sector

Practical guidance on board reporting and awareness in the public sector, for organizations that want to improve secure behavior structurally.

Board reporting for awareness without noise

Practical guidance on board reporting for awareness for organizations that want to improve secure behavior structurally.

CIA triad versus the GDPR: integrity and confidentiality, twice

Information security uses the CIA triad; the GDPR names integrity and confidentiality as a principle. The same words, a different scope. The difference explained for your awareness programme.

Connecting breach reporting and awareness

Practical guidance on connecting breach reporting and awareness for organizations that want to improve secure behavior structurally.

Data classification and the need-to-know principle

Not all data needs the same protection. How classification and the need-to-know principle help share the right data with the right people.

Data minimisation in practice: collect only what you need

The less data you have, the less can leak. Data minimisation explained, with practical examples for forms, email and storage.

Data protection and privacy: GDPR essentials for employees

Practical guidance on data protection and privacy under the GDPR for organizations that want to improve secure behavior structurally.

Data subject rights: access, rectification and erasure

People have rights over their own data. Which rights the GDPR grants, what a request means for you, and how to handle it correctly.

DORA for financial institutions, what awareness means

Practical guidance on DORA awareness for financial institutions that want to improve secure behavior structurally.

Government baseline security in Europe: meeting the awareness requirement step by step

Most European governments work to a national baseline for information security, and all of them require demonstrable awareness. This is how public bodies meet that requirement step by step, with training, repetition and audit-ready proof.

Healthcare information security awareness across European member states

Practical guidance on healthcare information security awareness across Europe for organizations that want to improve secure behavior structurally.

How do I track which employees have completed training?

Practical guidance on tracking security training completion for organizations that want to improve secure behavior structurally.

How to collect audit evidence for awareness

Practical guidance on collecting audit evidence for awareness for organizations that want to improve secure behavior structurally.

How to write a security awareness policy

Practical guidance on security awareness policy for organizations that want to improve secure behavior structurally.

ISO 27001 awareness requirements explained

Practical guidance on ISO 27001 awareness requirements for organizations that want to improve secure behavior structurally.

ISO/IEC 27002:2022 updated: what does it mean for your security awareness programme?

ISO/IEC 27002:2022 makes awareness more explicit: demonstrable, role-based and repeated. What changed, and how to set up your programme without turning it into a tick-box exercise.

Medical personal data is highly sought after: why healthcare is a target

Medical data is often worth more than credit card data on the black market. Why healthcare is a favourite target, which legislation applies, and how employees make the difference.

NIS2 awareness checklist for organizations

Practical guidance in the form of a NIS2 awareness checklist for organizations that want to improve secure behavior structurally.

NIS2 awareness for healthcare organizations

Practical guidance on NIS2 awareness for healthcare organizations that want to improve secure behavior structurally.

NIS2 board training obligation across European member states

Practical guidance on the NIS2 board training obligation across European member states, for organizations that want to improve secure behavior structurally.

NIS2 roles and responsibilities around awareness

Practical guidance on NIS2 roles and responsibilities around awareness for organizations that want to improve secure behavior structurally.

NIS2 transposition across European member states

Practical guidance on NIS2 transposition across European member states, for organizations that want to improve secure behavior structurally.

Privacy by design and by default: privacy from the start

Privacy is not arranged afterwards, but from the start. What privacy by design and by default mean, and how to apply them in projects and daily choices.

Privacy implications of AI-driven platforms

AI platforms often process large amounts of personal data. What privacy risks this brings, what the GDPR and the AI Act require, and which agreements employees need.

Recognising and preventing identity theft

In identity theft, someone uses your data to impersonate you. How it works, how to recognise it, and what to do if it happens to you.

Recognising personal data: what counts and what doesn't?

Names and addresses are not the only personal data. Learn to recognise what falls under the GDPR, including less obvious examples like IP addresses and licence plates.

Securely destroying data: paper, drives and cloud data

Deleting is not the same as destroying, and not all data may simply be thrown away. How to make paper, drives and cloud data truly unreadable, and how legal retention obligations set your timeframe.

Should security training be mandatory?

Practical guidance on whether security training should be mandatory, for organizations that want to improve secure behavior structurally.

Special category data: extra protection, extra rules

Health, religion and biometrics are special category data. Which categories exist, why they get extra protection, and how to handle them in practice.

Supplier security awareness in the supply chain

Practical guidance on supplier security awareness for organizations that want to improve secure behavior structurally.

The six legal bases for processing personal data

You cannot just process personal data: you need a legal basis. The six legal bases of the GDPR explained, with practical examples.

What happens when employees skip security training?

Practical guidance on the consequences when employees skip security training, for organizations that want to improve secure behavior structurally.

What is NIS2 awareness?

Practical guidance on what NIS2 awareness is, for organizations that want to improve secure behavior structurally.

What is the difference between security training and compliance training?

Practical guidance on the difference between security training and compliance training, for organizations that want to improve secure behavior structurally.

What is the GDPR and what does it mean for you?

The GDPR is not a distant law for lawyers; it shapes how you handle data every day. What the GDPR asks of you in your daily work, in plain language.

What is the GDPR? The basics in plain language

The GDPR in plain language: what the law is, who it applies to, and which principles shape your daily work with personal data.

Which compliance requirements mandate security awareness training?

Practical guidance on which compliance requirements mandate security awareness training, for organizations that want to improve secure behavior structurally.

Which security topics matter most for executives and boards?

Practical guidance on security topics for executives and boards for organizations that want to improve secure behavior structurally.

Incidents and data breaches

Accidental data sharing: how to prevent it

Practical guidance on accidental data sharing for organizations that want to improve secure behavior structurally.

Business email compromise explained

Practical guidance on business email compromise for organizations that want to improve secure behavior structurally.

Common data breach scenarios in organizations

Practical guidance on common data breach scenarios for organizations that want to improve secure behavior structurally.

Employee incident response explained

Practical guidance on employee incident response for organizations that want to improve secure behavior structurally.

Epe municipality: why a national ID number and an ID copy are gold for criminals

In the hack on the Dutch municipality of Epe (March 2026), data on nearly all residents was stolen, including national ID numbers and copies of identity documents. The lesson: not all personal data is equal, and in government everything hinges on reporting culture.

How to recognize MFA fatigue attacks

Practical guidance on MFA fatigue attacks for organizations that want to improve secure behavior structurally.

Incident lessons from remote work

Practical guidance on incident lessons from remote work for organizations that want to improve secure behavior structurally.

Lost devices and reporting duties

Practical guidance on lost devices and reporting duties for organizations that want to improve secure behavior structurally.

Marks & Spencer and Scattered Spider: the help desk as front door

In 2025 the group Scattered Spider crippled Marks & Spencer — not through an exploit, but by calling the IT help desk and asking for a password reset. The textbook case of help-desk social engineering, and what it means for your awareness programme.

Ransomware and employee behavior

Practical guidance on ransomware and employee behavior for organizations that want to improve secure behavior structurally.

Recognizing insider risk signals early

Practical guidance on insider risk signals for organizations that want to improve secure behavior structurally.

Shadow IT risks for awareness and governance

Practical guidance on shadow IT risks for organizations that want to improve secure behavior structurally.

The Canvas/Instructure breach: supplier risk and cloud dependency in education

In May 2026 an attack on the Canvas learning platform (Instructure) hit hundreds of millions of users worldwide, including seven Dutch universities. The lesson: one central platform means one central risk, and your preparation starts with a CIA-triad risk analysis.

The ChipSoft attack: what a supplier hack means for your awareness programme

In April 2026 a ransomware attack hit ChipSoft, the supplier of the electronic patient record used by around 70% of Dutch hospitals. The lesson: you are only as secure as your weakest supplier — and awareness does not stop at your own front door.

The Odido breach: how one phone call to customer service exposed 6 million people

In February 2026, attackers combined a phishing email with a fake IT phone call to break into Dutch telecom provider Odido. The awareness lesson: customer service is a target, MFA can be bypassed, and the real damage comes from follow-up phishing.

Sales & partners

Awareness does not work without management involvement

Without visible leadership, every awareness programme stays non-committal. Why top-down example sets the tone, what visible leadership looks like, and how to win the board over.

Getting management buy-in for security awareness

Practical guidance on getting management buy-in for security awareness, for organizations that want to improve secure behavior structurally.

How to avoid the pitfalls of white-label

You cannot sell white-label awareness without mastering the platform and the subject yourself. The biggest pitfalls and how to avoid them, from ownership to email delivery.

How to become a security awareness reseller

Want to become a security awareness reseller? Compare the three sales models (reseller, managed service and white-label) and choose what fits your margin, brand and customer relationship.

How to easily book a meeting

Objections when booking a meeting are handled by asking questions: an objection about the product is your opening, an objection about the meeting itself you take away. What to say to eight responses.

How to get past the gatekeeper

Gatekeeper objections are not solved with your full pitch but by getting to the right person, briefly and confidently. What to say to the six most common responses.

How to organise your support as a partner

Who handles support and service delivery depends on your sales model. From reseller (sales only) to white-label (sales, marketing, advice and support), and how you grow with it.

How to sell security awareness to your customers

Selling security awareness is a consultative conversation, not a feature pitch. Follow six steps: understand the need first, present to it, and close apart from price.

Security awareness for IT service providers and resellers

Practical guidance on security awareness for IT service providers and resellers that want to improve secure behavior structurally.

Why white-label security awareness delivers more than you think

Security awareness white-label feels like a lot of work, but it gives you your own brand, the highest margin and the strongest customer loyalty. What it really takes and delivers.

Why You Should NOT Handle Support Yourself (Not Yet)

The biggest pitfall of handling support yourself is thinking you can answer questions better than the platform itself. This article warns of three critical risks before taking support in-house.

Why you should NOT handle support yourself (yet)

Why partners should NOT handle support themselves until they're ready: three critical risks and how you move beyond them.

Phishing

Email security and social engineering: what employees need to know

Practical guidance on email security and social engineering for organizations that want to improve secure behavior structurally.

External sender warning in Exchange: how effective is the banner?

An external-sender banner interrupts autopilot, but its effect fades through habituation and a false sense of safety. How to weigh and design it, and what employees really need to know.

How do phishing simulations work in training?

Practical guidance on how phishing simulations work for organizations that want to improve secure behavior structurally.

How to spot CEO fraud and prevent it

Practical guidance on how to spot CEO fraud for organizations that want to improve secure behavior structurally.

Phishing and account abuse in education

Practical guidance on phishing and account abuse in education for organizations that want to improve secure behavior structurally.

Phishing follow-up in the public sector

Practical guidance on phishing follow-up in the public sector for organizations that want to improve secure behavior structurally.

Phishing KPIs that actually matter

Practical guidance on phishing KPIs for organizations that want to improve secure behavior structurally.

Phishing red flags employees should know

Practical guidance on phishing red flags for organizations that want to improve secure behavior structurally.

Phishing risks in healthcare: what you should and should not measure

Practical guidance on phishing risks in healthcare, and what to measure, for organizations that want to improve secure behavior structurally.

QR phishing and physical social engineering

Practical guidance on QR phishing and physical social engineering for organizations that want to improve secure behavior structurally.

Safe Links in Exchange (Safe URLs): why URL rewriting is false security

Safe Links (Safe URLs) in Exchange rewrites links for time-of-click scanning, but it hides the real destination and breeds false security. Read the dilemmas and what you, as an administrator, should do instead.

Safe payment verification procedures

Practical guidance on payment verification procedures for organizations that want to improve secure behavior structurally.

Smishing and vishing risks are growing

Practical guidance on smishing and vishing for organizations that want to improve secure behavior structurally.

Spear phishing examples from real organizations

Practical guidance on spear phishing examples for organizations that want to improve secure behavior structurally.

Vendor fraud by email explained

Practical guidance on vendor fraud for organizations that want to improve secure behavior structurally.

What is phishing?

Practical guidance on what phishing is, for organizations that want to improve secure behavior structurally.

When phishing simulations backfire

A phishing simulation that humiliates does not train alertness but distrust of the employer. Why simulations should teach, not catch, and why the report rate beats the click rate.

Why a leadership video after phishing creates more impact

Practical guidance on using a leadership video after a phishing simulation, for organizations that want to improve secure behavior structurally.

Why phishing simulations work

Practical guidance on why phishing simulations work for organizations that want to improve secure behavior structurally.