I work at an educational institution that doesn't really prioritize security, or anything IT related for that matter. We are a very small team (3 people) and we can't really enforce any institution-wide training. We send regular PSA emails and that's about it.
Of course, we have control over password policies and external access through workspace management tools, but we don't have control over a lot of higher-up decisions. I wish I could enforce even stricter password policies but it's just not possible for the higherups.
I was thinking of raising funding for some sort of cybersecurity day event at the institution, but when it comes to funding, you know how generous educational institutions are.