Almost every security awareness programme I see in hospitality was originally designed for somebody else. The modules were built for an insurance broker, a law firm, an accountancy practice - businesses where people sit at the same desk every day, have a corporate laptop, a long induction, an HR portal they actually use, and a quiet thirty minutes a quarter to click through a slide deck. None of that is true on a busy Friday service in Fitzrovia. So when an operator tells me their awareness training is “in place” and I look at the click-through rates and the reporting numbers, I am rarely surprised. The programme is in place. It just was not built for the people who have to use it.

This post is about how to fix that. It is aimed at HR leads, ops directors and GMs in hospitality who already know that staff are the front line of cyber risk and want a programme that actually shifts behaviour rather than ticks a box.

Why hospitality is a harder training environment

Hospitality is one of the toughest environments in which to deliver any kind of staff training, and security awareness is no exception. Five things make it harder than the office equivalent.

Turnover is high. In a typical operator I work with, more than a third of the front-of-house team will have changed in a year. Whatever you build has to onboard new starters constantly, not assume a stable population.

Shifts, not days. People are on at 06:00, 11:00, 16:00, late doors. There is no natural “Tuesday morning all-hands” slot when everyone is at a desk. If your training assumes one, it will quietly never happen for half the team.

No dedicated desk time. Most of your people do not have a chair, a screen and forty-five spare minutes. They have a phone in a pocket, ten minutes between covers and a manager telling them the printer is jammed.

Mixed device use. Staff log in on EPOS terminals, kitchen tablets, back-office PCs, shared rota apps and personal phones. The “device” the training assumes - a managed corporate laptop - is the exception, not the rule.

Language diversity. A good London hospitality team is multilingual by design. Training that only works in dense corporate English will land for some of the team and bounce off the rest.

A programme that ignores any of these realities will fail not because your people do not care, but because the format is wrong for the job.

The three goals worth chasing

Before you choose a tool or write a module, get clear on what you are actually trying to achieve. There are dozens of metrics in this space, but in hospitality I would focus on three.

  1. Reduce phishing click-through. Fewer people clicking the dodgy link, opening the dodgy attachment, or handing credentials to the dodgy login page.
  2. Reduce password reuse. Fewer staff using the same password across their personal email, the rota app, the EPOS portal and the supplier ordering system.
  3. Increase incident reporting. More people telling somebody, quickly, when something looks off - a strange email, a stranger in the office, a USB stick on the bar.

Of those three, the third is the one operators most often forget about and the one that matters most. A team that reports things fast contains incidents fast. A team that does not report at all is invisible to you until the breach is on the news.

What does not work

It is worth being blunt about the formats that do not move any of those numbers.

The annual 45-minute module. Once a year, somebody chases everyone to complete a long e-learning course on a laptop they do not have, and the completion report goes in a folder that nobody opens until the auditor asks. Behaviour change: nil.

Compliance box-ticking. Generic content written for a generic audience, delivered because the policy says so. Staff can smell this a mile off, and the moment they decide the training is not for them, you have lost them for everything that follows.

Punitive simulations. Phishing simulations that are followed by a public list of “the people who clicked”, a telling-off from the GM, or a note on someone’s file. This is the single fastest way to destroy a reporting culture. People who are afraid of being shamed do not report - they delete the email and hope it goes away.

If your current programme is built on any of those three foundations, replacing it is not optional. You are not getting the outcome you think you are paying for.

What actually works

The programmes I see shifting numbers in hospitality look almost nothing like the corporate norm. They share a few features.

Short micro-training in the flow of work. Two or three minutes, on a phone, between covers or at the start of a shift. One idea, one example, one ask. Not a slide deck.

Frequent cadence. A little every month beats a lot once a year. The aim is to keep security top of mind, not to dump everything in one sitting and hope it sticks.

Role-relevant content. What front of house need to know is different from what the kitchen need, which is different again from what your back office and head office team need. Generic training treats them all the same. Good training does not.

Praise for reporting, not punishment for clicking. Every reported phish - even the ones that turn out to be nothing - gets a quick, visible thank you. Every click in a simulation gets a kind, private nudge towards a thirty-second refresher, not a public list. Over time, reporting becomes the thing the team is proud of.

Integrated with onboarding. Day one, on the same screen they use to do their right-to-work check, with a short module that covers the three or four things you most want a brand-new starter to know. Not a separate task that gets bolted on six weeks later when somebody remembers.

Plain language, multilingual where it helps. Short sentences. Real examples from real hospitality contexts. Subtitles and translations where your team needs them.

A practical programme structure

Here is the shape I would put in front of any operator starting from scratch.

Day one - onboarding. A ten-minute module covering passwords, phishing, reporting and physical security, delivered as part of the standard new-starter flow. Same login, same device, same moment they are doing their other paperwork.

Every month - micro-training. A two to three minute piece of content pushed to staff in the format they actually use - a short video, a single-screen quiz, a one-question check-in. Different topic each month: invoice fraud, fake login pages, supplier impersonation, USB sticks, oversharing on rota apps, lost devices, public Wi-Fi.

Every quarter - simulated phishing. A controlled, fair phishing simulation across the whole team. Not a gotcha - a learning exercise. The metric you care about is the trend, not any individual result.

Once a year - refresh and review. A slightly longer session that ties the year together, covers anything new in the threat landscape, and updates the team on what has changed in your own policies. This is also when you brief managers on the year’s data and what it means for the sites they run.

That cadence is realistic for a hospitality operation. It does not assume desk time you do not have, it does not depend on a single annual marathon, and it builds the habit you actually want.

Tools that do this well

You do not need to build any of this yourself. Several platforms are good at it, and the right choice depends on your existing stack and your budget. The ones I see used most often, all worth a look:

  • KnowBe4. The big incumbent. Huge content library, well-developed simulated phishing, mature reporting. Probably the safest default for a multi-site operator who wants something proven.
  • Sophos PhishThreat. Strong fit if you are already in the Sophos ecosystem. Tightly integrated with their email and endpoint products, sensible pricing, content that is not trying too hard.
  • Hoxhunt. The most behaviourally interesting of the bunch - built around gamified, personalised micro-training and a strong reporting button. Genuinely good at moving the report-rate metric.
  • Microsoft Defender Attack Simulator. If your estate is Microsoft 365 E5 or you already have the right licensing, this is included. Less polished than the dedicated platforms, but it is right there in the tenant.

There is no single right answer. There are several decent ones and a lot of bad implementations of all of them. The platform matters less than the programme around it.

Measuring what matters

Three numbers, tracked over time, will tell you whether your programme is working.

Click rate trend. What share of your team clicks a simulated phish, measured over months and quarters. The number itself matters less than the direction. A team that started at 28% and is now at 9% is doing something right.

Report rate trend. What share of staff actively report a suspicious email - real or simulated - using whatever reporting button you have given them. This is the metric I care about most. A high report rate means a culture where people speak up, which is the single best defence you have against the things your filters miss.

Time to report. How long, on average, between an email landing and the first staff report. If that number is dropping, the gap between a phish arriving and your team knowing about it is shrinking, and that has real value the next time something gets through.

Notice what is not on the list: completion rates. Completion of a module tells you somebody clicked Next eight times. It does not tell you anything about what they will do on Friday night.
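As an added illustration (not part of the original post), here is how the three numbers above can be worked out from a platform export. The data model and staff ids are constructed, and the four quarterly campaigns are a made-up year that reproduces the 28% to 9% click trend quoted above; a campaign with no reports at all is handled rather than crashing the time-to-report figure.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Callable, Optional

# Assumed data model: one record per simulated-phishing campaign, built from
# whatever the awareness platform exports. All staff ids here are constructed.
@dataclass
class Campaign:
    name: str
    sent_at: datetime                             # when the simulated email landed
    recipients: int                               # how many staff received it
    clicked: set = field(default_factory=set)     # staff ids who clicked the link
    reports: dict = field(default_factory=dict)   # staff id -> time they pressed "report"

def click_rate(c: Campaign) -> float:
    """Share of recipients who clicked the simulated link (0.0 to 1.0)."""
    return len(c.clicked) / c.recipients

def report_rate(c: Campaign) -> float:
    """Share of recipients who reported it; a click followed by a report still counts."""
    return len(c.reports) / c.recipients

def time_to_first_report(c: Campaign) -> Optional[timedelta]:
    """Gap between the email landing and the first staff report; None if nobody reported."""
    return min(c.reports.values()) - c.sent_at if c.reports else None

def trend(campaigns: list, metric: Callable) -> list:
    """Per-campaign percentage in campaign order, so the direction is visible."""
    return [(c.name, round(metric(c) * 100, 1)) for c in campaigns]

def median_time_to_report(campaigns: list) -> Optional[timedelta]:
    """Median first-report gap across campaigns, skipping any with no reports at all."""
    gaps = [g for g in map(time_to_first_report, campaigns) if g is not None]
    return timedelta(seconds=median(g.total_seconds() for g in gaps)) if gaps else None

def sample_campaigns() -> list:
    """Constructed year of quarterly simulations for a 100-strong team."""
    def build(name, month, clicks, reporters, first_report_min):
        sent = datetime(2024, month, 10, 9, 0)  # each campaign lands at 09:00
        reports = {f"s{99 - i}": sent + timedelta(minutes=first_report_min + 5 * i)
                   for i in range(reporters)}
        return Campaign(name, sent, 100, {f"s{i}" for i in range(clicks)}, reports)
    return [build("Q1", 1, 28, 6, 47), build("Q2", 4, 19, 15, 22),
            build("Q3", 7, 13, 31, 9), build("Q4", 10, 9, 44, 4)]

if __name__ == "__main__":
    cs = sample_campaigns()
    print("click %:", trend(cs, click_rate), "report %:", trend(cs, report_rate))
    print("median time to first report:", median_time_to_report(cs))
```

Feed it real campaign exports and the same three functions give the quarter-on-quarter picture to put in front of managers at the annual review.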

Where CloudMatters fits

We run security awareness programmes designed for hospitality environments - built around shifts, not desks, and around the realities of an EPOS-and-tablets estate rather than a corporate laptop fleet. We help operators choose the right platform, build the cadence into onboarding, write content that fits the team, and report on the numbers that actually matter to a board. It sits alongside the rest of what we do for hospitality IT clients, including the underlying network and segmentation work that gives any awareness programme something solid to stand on.

If your current programme is the annual-module-and-hope variety, or you have a tender or insurer asking what you do for staff training and you want a proper answer, talk to our cyber awareness training team. We will help you put something in place that your team will actually use - and, more importantly, that actually moves the numbers you care about.