Security Training for Employees


How do you train employees on IT security? Do you warn about IT security risks and how to avoid them? How has training changed before/after cloud transitions?

2 Replies

We've been using KnowBe4 for the past couple years. All of our users go through an annual training series and then we do a simulated phishing attack at least once per month. We also schedule a security tip/reminder to go out once per month as well.

I don't know that "going to the cloud" has changed anything, per se, but this program has greatly improved our users' awareness of what threats are out there - they're a lot more suspicious of everything and take more time verifying communications before opening anything (or processing wire transfers...)

Training and guidance tended to be more reactive than would have been ideal; even getting an email out to the organisation about some security basics wasn't seen as a priority for some time. Eventually, there was a heightened sense of security, but this was more about backend improvements like next generation firewalls, a 3rd party email threat protection system plus starting to implement Multi-Factor Authentication. It was heading in the direction that Stephan mentioned of simulated phishing attacks and more organised training, but that seemed a long way off.

This didn't really change with the cloud transition except there was, with some reminding, the awareness that users are increasingly working outside the protection of the corporate firewall and they could be using all sorts of equipment that we couldn't easily control.

 

I am a firm believer that staff are one of your biggest allies against cyber-attacks. Equip them with the knowledge on how to spot the telltale signs of intrusion and, if in doubt, to seek guidance and to err on the side of caution. There is a reason IT Pros almost never get hit with malware or phishing attacks, as we can easily (most of the time) distinguish these intrusion attempts.

As I mentioned in this thread, how many staff would fall for the emails below? I'd really encourage employers to take part in CyberSecMonth/National Cyber Security Awareness Month this October; it's a great opportunity to impart cyber security skills.

 

[Attached images: Office 365 Phishing.jpg; Office 365 Phishing Attack 1.png]