Firms lag on tailored training as cyber & harassment rules loom
Most organisations are still relying on generic compliance courses despite approaching deadlines for tougher rules on cyber security, harassment and sanctions, according to new polling by VinciWorks.
The survey of 131 HR, learning and development and compliance professionals found that only 9% of organisations offer fully personalised compliance training. Most respondents reported significant gaps in how training is designed, targeted and embedded into workplace practice.
The findings indicate that much compliance learning continues to take a one-size-fits-all form. This sits against a backdrop of new legal duties due in 2026, including stricter incident reporting for cyber attacks and more explicit obligations on employers to prevent harassment.
VinciWorks reported that 32% of organisations provide the same general compliance training to most employees, regardless of role. A further 40% offer some tailoring by department or job function. The remaining organisations either do not personalise training or are unsure of their approach.
"If a junior warehouse operative and a senior finance officer are receiving the same cyber training, that organisation is not managing its risk effectively," said Nick Henderson-Mayo, Head of Compliance at VinciWorks. "Training needs to reflect the real-world decisions people make in their roles. Personalisation helps employees understand how compliance applies to them, and that's what changes behaviour."
Cyber readiness
The poll suggests that cyber security training remains limited in both scope and frequency ahead of incoming legislation. The planned Cyber Security and Resilience Bill will introduce mandatory 24-hour incident reporting for some sectors, widen the range of regulated companies and grant the Information Commissioner's Office new enforcement powers.
Only 16.8% of respondents said their organisation trains staff on cyber security quarterly or more often. Most, 57.3%, provide cyber training once a year. A further 8.4% do not provide any cyber security training at all.
VinciWorks said this pattern leaves organisations exposed as incident reporting thresholds rise and regulatory expectations increase. More frequent and targeted instruction is likely to be necessary in sectors covered by the new regime.
Harassment obligations
The survey also points to uneven preparation for new harassment prevention duties. The Employment Rights Bill will place explicit requirements on employers around proactive steps to prevent sexual harassment. This will include documented training for staff and managers.
One in five organisations, or 20.9%, do not currently offer any training on sexual harassment. Only 20.2% of respondents described their organisation's harassment training as very effective. A majority, 58.9%, rated it as only moderately effective, not effective, or said they were unsure about its impact.
Regulators have already intervened in several high-profile workplace cases. The Equality and Human Rights Commission has required remedial action by large retail chains, including McDonald's and Lidl, for failings in harassment prevention.
Sanctions exposure
Sanctions compliance training appears even less established, despite an expanded regime and strict liability rules in the UK. These rules require firms to demonstrate that they took reasonable steps to prevent breaches, even where no deliberate wrongdoing was intended.
VinciWorks found that 34.3% of organisations do not offer any training on sanctions compliance. A further 16.7% of respondents were unsure whether their organisation provides such training. Only 21.6% said their organisation provides dedicated sanctions training to all relevant teams.
The poll suggests that more than half of organisations lack clear evidence of structured training in this area. That may weaken their position if regulators investigate a suspected breach.
"With strict liability rules in place, businesses must be able to show they have done everything they can to train staff and protect the business," said Henderson-Mayo. "If you're not training the right people in the right areas, you risk even an accidental breach."
Role-based learning
The research also looked at how learning and development teams plan to respond. Respondents identified three priorities for 2026: aligning training with the actual risks faced by each department and role, integrating compliance into onboarding and leadership development, and using data and feedback to track behavioural outcomes rather than just completion rates.
VinciWorks said many organisations struggle to adapt compliance materials for different teams. It cited the need for tools that allow real-time editing, multiple versions of courses and internal review processes. The aim is faster updates when policies change and clearer alignment between specific job risks and what staff learn.
"Too many firms are spending their training budget on content no one remembers and dashboards no one trusts," added Henderson-Mayo. "Training must be flexible, dynamic and relevant if it's going to change behaviour."
Regulatory scrutiny
The polling results come as regulators and boards increase scrutiny of culture, conduct and individual accountability. Organisations face tighter timetables for reporting security incidents, more explicit expectations on harassment prevention, and rising penalties for sanctions breaches.
Ruth Mittelmann Cohen, Head of Legal and Compliance at VinciWorks, said evidence of impact will become central to compliance strategies.
"Robust training is not a 'nice to have'," said Mittelmann Cohen. "Regulators expect evidence that your training reduces risk and supports a strong compliance culture. That means programmes must be tailored, updated and relevant to staff across the organisation. Paper policies and completion rates are not enough."