Awareness training is a requirement for companies that follow a security framework like ISO 27001, PCI-DSS, GDPR, HIPAA, NIST and several others. If you're holding personal data on even a thousand customers, it's highly likely, if not outright required, that your organisation must provide annual and on-boarding awareness training for staff.
It's also required if your company is seeking industry certifications like SOC2 and ISO from assessing bodies. Regulatory agencies will also expect to see a training program in place, particularly in instances where a data breach has occurred. Lack of an effective program will be an aggravating factor in assessing penalties and sanctions in many cases.