One of the ways that companies have tried to improve education and awareness about the risks of phishing is the use of phishing tests, which check whether unsuspecting colleagues click on the link or open the suspect attachment in a controlled environment. If they do, some instant education comes their way. There are those who think that this approach keeps the topic at the front of everyone's mind, and there are those who think that it can have the effect of chilling the relationship between IT/Security and the rest of the organisation. There are a lot of variables in the equation, like how you respond when someone clicks on the phish, how you encourage reporting of potential phishing and more, so the answer is a resounding "it depends."
We also cover some of the increased security challenges that come with the now more common "working remotely," and what happens when you walk into an empty castle after having gotten past the moat and door, but there is no one inside to defend it.