Best security awareness training for MSPs (2026)

Evaluated on jurisdiction-specific content for Canada, US, UK, Australia, and EU; Phishing Reporter user experience; phishing simulation; vertical industry depth; compliance framework coverage; policy acknowledgement; and pricing.

Security awareness training is required by most compliance frameworks — PIPEDA, HIPAA, PCI DSS, CMMC 2.0, SOC 2, ISO 27001, the Australian Essential Eight, and UK GDPR all require it in some form. The challenge for MSPs with clients across multiple jurisdictions is that most major platforms are built around US law. Covering Canadian privacy law (PIPEDA, Quebec Law 25, PHIPA, YCJA), UK law (UK GDPR, DPA 2018, RIPA, safeguarding obligations), Australian law (Privacy Act 1988, APPs, NDB scheme, Essential Eight), and EU law (GDPR, NIS2, DORA) typically requires custom modules, additional licensing, or accepting that your clients' real regulatory environment is not covered.

What to look for

  • Jurisdiction-specific content depth — generic "privacy awareness" is not the same as a course explaining PIPEDA's RROSH threshold, Quebec Law 25's PIA requirement, Australia's Notifiable Data Breaches scheme, or UK GDPR's 72-hour ICO reporting deadline
  • Vertical industry courses — healthcare, legal, financial services, government, and especially the vulnerable sector have obligations that general courses cannot cover
  • Phishing simulation quality and configurability — number of templates, targeting by department or risk group, reporting depth
  • Phishing Reporter user experience — does the button explain the email to the user, or just submit it to an admin queue?
  • Compliance framework courses — 35+ frameworks including Australian Essential Eight, CMMC, CPCSC, FINTRAC, CCPA/CPRA, NYDFS, EU NIS2, DORA, UK Cyber Essentials, and all Canadian provincial privacy laws
  • Policy acknowledgement — can users be required to acknowledge a specific GRC policy document as part of completing a course?
  • Multi-tenant management — one admin dashboard across all client companies with per-company reporting
  • Pricing model — per-seat per-year platforms add up quickly at MSP scale

Jurisdiction coverage at a glance

Jurisdiction | Lavawall® | KnowBe4 | Proofpoint SA | Mimecast SA
🇨🇦 Canada (PIPEDA, Law 25, PHIPA, YCJA, NERC CIP) | Included | Partial / extra | Not included | Not included
🇺🇸 United States (HIPAA, FERPA, COPPA, CCPA) | Included | Included | Included | Partial
🇬🇧 United Kingdom (UK GDPR, DPA 2018, RIPA, safeguarding) | Included | Partial | Partial | Partial
🇦🇺 Australia (Privacy Act, Essential Eight, NDB scheme) | Included | Not included | Not included | Not included
🇪🇺 European Union (GDPR, NIS2, DORA, CRA) | Included | Partial | Partial | Not included
EU GDPR for non-EU businesses (CA + US variants) | Included | Not included | Not included | Not included

Platform evaluations

Lavawall® (Best for multi-jurisdiction MSPs)

🇨🇦 Canada 🇺🇸 United States 🇬🇧 United Kingdom 🇦🇺 Australia 🇪🇺 European Union

Lavawall® is a full MSP platform — patch management, GRC compliance, M365/Entra configuration monitoring, breach detection, and security awareness training — with training included at no additional per-seat cost. Courses are jurisdiction-specific for five regions. Each jurisdiction's courses reference only that jurisdiction's laws: Australian courses cite the Privacy Act 1988, APPs, and the ACSC Essential Eight; Canadian courses cite PIPEDA, Law 25, and PHIPA; UK courses cite UK GDPR, the DPA 2018, and the ICO; EU courses cite EU GDPR, NIS2, and DORA.

The course catalog includes 25 vertical industry courses in each jurisdiction (Legal, Construction, Real Estate, Insurance, Accounting, Dental/Healthcare, Automotive, Hospitality, Transport, Property Management, Staffing, K-12, Higher Education, Architecture/Engineering, Marketing/Media, Energy, Pharmacy/Life Sciences, Agriculture, Municipal Government, Social Services, Sports/Recreation, Environmental, Telecommunications, Fintech, Security/Investigations), plus 33 compliance framework courses, working-from-home and business travel courses, and specialist courses for vulnerable sector organizations and non-profits.

The Phishing Reporter Outlook add-in gives every user near-instant plain-English feedback on every reported email: domain age, SPF/DKIM/DMARC authentication, attachment risk, link destinations. Users learn from every report. Policy acknowledgement links course completion to specific GRC policy document sign-off. Phishing simulations are included.

Best for: MSPs with Canadian, UK, Australian, or EU clients; organizations in regulated industries requiring jurisdiction-specific training; teams that want training integrated with their GRC and security platform rather than as a separate subscription.

Where it falls short: Smaller general content library than KnowBe4. Organizations that need thousands of short-form videos on a very wide range of non-jurisdiction-specific topics may want to supplement.

KnowBe4

🇺🇸 United States (strong) 🇨🇦 Canada (partial) 🇬🇧 United Kingdom (partial)

KnowBe4 is the market leader in security awareness training by seat count. Its content library is the largest in the category — thousands of short modules, videos, games, and assessments updated regularly. Its phishing simulation engine is mature, highly configurable, and supports thousands of simulation templates with sophisticated targeting and reporting.

Best for: Organizations that need a very large general content library, advanced phishing simulation configurability, or a purpose-built training platform with deep analytics. Strong for US clients.

Where it falls short: Canadian-specific content (PIPEDA, Law 25, PHIPA, YCJA, provincial laws), Australian-specific content (Privacy Act, Essential Eight, NDB scheme), and EU-specific content (NIS2, DORA) are not included by default and require extra configuration or cost. The Phishing Reporter (PhishAlert) is report-and-submit only — users receive no explanation of why an email is suspicious. Operates as a separate platform from your security stack. Per-seat pricing.

Proofpoint Security Awareness Training

🇺🇸 United States (strong)

Proofpoint's training platform integrates meaningfully with Proofpoint email security, feeding real threat intelligence into training content and simulation targeting. If your MSP runs Proofpoint email security, this integration is valuable.

Best for: Organizations already using Proofpoint email security who want training driven by their real threat landscape.

Where it falls short: Canadian, Australian, and EU content depth is limited. No Phishing Reporter that explains emails to users. Per-seat pricing. Separate from your security stack.

Mimecast Awareness Training

🇺🇸 United States (partial) 🇬🇧 United Kingdom (partial)

Mimecast offers short-form "micro-training" content focused on brief, frequent interventions. Integrates with Mimecast email security. Content is professionally produced and easy to consume in small doses.

Best for: Organizations preferring micro-learning formats that are already using Mimecast for email security.

Where it falls short: Smaller overall content library. Australian, Canadian, and EU-specific content is very limited. No Phishing Reporter that explains emails to users. Per-seat pricing. Separate from your security stack.

Cofense PhishMe / Triage

Cofense is primarily a phishing simulation and threat intelligence platform. Its simulation engine is high quality. Triage provides SOC-level analysis of reported phishing emails. Primarily enterprise-focused, not MSP multi-tenant.

Best for: Enterprise organizations with dedicated security operations teams that want deep phishing analysis infrastructure.

Where it falls short: Not designed for MSP multi-tenant use. Training content library is secondary to the simulation engine. Expensive. No jurisdiction-specific content for Canada, UK, Australia, or EU. No Phishing Reporter explaining emails to users.

Frequently asked questions

What compliance frameworks require security awareness training?
PIPEDA and most Canadian provincial privacy laws (implied by the accountability principle), HIPAA Security Rule §164.308(a)(5), PCI DSS v4 Requirement 12.6, CMMC 2.0 AT domain, Australian Essential Eight (ML2 and above require security awareness training for staff), UK GDPR (staff training is a recognised safeguard), EU GDPR Article 39(1)(b) (for DPOs), SOC 2 CC1.4/CC2.2, ISO 27001:2022 A.6.3, NIST CSF PR.AT, and CIS Controls v8 Safeguards 14.1-14.9 all require security awareness training in some form.
Does training content need to be jurisdiction-specific to satisfy compliance requirements?
For most frameworks, the requirement is for "appropriate" training. For Canadian organisations subject to PIPEDA, Law 25, or PHIPA, a generic US-focused course that does not mention Canadian law is unlikely to satisfy an OPC investigator or internal audit looking for evidence of adequate awareness. For Australian organisations, a course that mentions HIPAA but not the Privacy Act 1988 or Essential Eight is similarly inadequate. UK regulators and the ICO expect training to cover UK GDPR specifically.
How does the Phishing Reporter differ from KnowBe4 PhishAlert?
KnowBe4 PhishAlert, Proofpoint's report button, and Mimecast's equivalent collect the reported email and send it to an admin queue. The user gets a generic confirmation. Analysis is admin-only. The Lavawall® Phishing Reporter shows the user — in the Outlook taskpane within three seconds — the specific reasons the email should or should not be trusted, in plain English. Users learn from every report. This matters for training outcomes: understanding why an email is suspicious reinforces the habit.
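To make the difference concrete, here is an added illustration (not Lavawall's code, and not how any of the products above are implemented) of the kind of user-facing feedback a reporter can derive from a message's own headers and body: it reads the Authentication-Results header for SPF/DKIM/DMARC, checks whether the passing SPF domain aligns with the From: domain, and flags links whose visible text is a URL on a different host than the real destination. The email, domains and relay name are all constructed; domain age is left out because it needs a live lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): SPF passes for the relay that sent it,
# DKIM and DMARC fail, and the visible link text hides its real destination.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=fail header.d=bulk-sender.example;
 dmarc=fail header.from=yourbank.example
From: "Your Bank" <alerts@yourbank.example>
Content-Type: text/html

<p>Please <a href="http://login-yourbank.example.invalid/verify">https://www.yourbank.example/login</a> now.</p>
"""

def parse_auth_results(msg):
    """Map spf/dkim/dmarc to (result, domain) from the Authentication-Results header."""
    results = {}
    for clause in " ".join(msg.get_all("Authentication-Results", [])).split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(?:\s+[\w.]+=(\S+))?", clause)
        if m:
            results[m.group(1)] = (m.group(2).lower(), (m.group(3) or "").lower())
    return results

def find_deceptive_links(html):
    """(shown_host, real_host) pairs where the anchor text is a URL on a different host."""
    pairs = [(urlparse(text.strip()).hostname, urlparse(href).hostname)
             for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S)]
    return [(shown, real) for shown, real in pairs if shown and real and shown != real]

def explain(raw_message):
    """Plain-English reasons the user should distrust the message; empty list means no findings."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    reasons = []
    if auth.get("dmarc", ("none", ""))[0] != "pass":
        reasons.append(f"We could not confirm this email really came from {from_domain} (DMARC did not pass).")
    spf_result, spf_domain = auth.get("spf", ("none", ""))
    if spf_result == "pass" and spf_domain and spf_domain != from_domain:
        reasons.append(f"It was actually sent through {spf_domain}, not {from_domain}.")
    if auth.get("dkim", ("none", ""))[0] != "pass":
        reasons.append("The message's digital signature is missing or broken, so it may have been altered or forged.")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for shown, real in find_deceptive_links(body):
        reasons.append(f"A link that looks like {shown} really goes to {real}.")
    return reasons
```

Calling explain(SAMPLE_EMAIL) returns one sentence per problem found, which is the kind of wording a user can act on; an aligned, fully passing message returns an empty list.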
What does policy acknowledgement do?
When creating a training assignment, you can require users to acknowledge a specific policy document from your GRC library as part of completing the course. The acknowledgement is timestamped, linked to the enrollment record, and visible in the admin dashboard with the date and, optionally, the user's typed full name as a signature. This creates an auditable record suitable for regulatory and compliance purposes.