Simplifying cybersecurity for non-technical users – what really works?

Hi all,
As an IT service provider, we often see that most of the security breaches start from simple user-level actions rather than advanced technical failures.
The challenge is not awareness – it’s simplicity and consistency.
In most cases, we have seen that following simple rules can avoid a lot of exposure:

Strong authentication (preferably MFA)
Regular update of your systems and applications
Awareness of phishing attacks:

From your observations of user behavior, what has the most impact on security incidents?
Have you implemented any user training strategies that actually worked long-term?

We’re always looking to refine our approach and would value insights from other professionals here.