Many organizations have rolled out multi-factor authentication (a must) and other controls to protect their networks. Email threat detection is deployed and URL rewriting in place. Investments are made in antivirus, EDR, and threat detection solutions; vulnerability scanners are used to scan for known risks. Even with all the layers, technologies cannot protect your organization fully. Your Human Firewall is critically important.
Your Human Firewall = your users. Education of users is usually considered, even implemented to a point. Once is not enough though! Even annually does not cut it anymore. Ongoing security education within emails, newsletters, team presentations, training, phishing simulations, and individual follow-ups are all part of a comprehensive program. Reinforcing the tools available for data protection, detailing social engineering scenarios and things to look for, and reiterating acceptable use policies should all be included.
Let's be honest, your users are busy. They are looking at emails quickly on cell phones and are not paying as close attention to security threats as you would like. Security is not always top-of-mind and needs to be reinforced as a regular part of everyone's role - NOT just annually when completing compliance training.
There are certainly lots of tools available for security awareness and phishing if you have the budget. If you don't, maybe consider allocating budget next year. But keep in mind that education can happen via tools you already own - emails, newsletters, PowerPoint slides, hand-outs, team meetings, etc. However you do it, just make sure you do it. You will be glad you did.