SECURITY AWARENESS TRAINING STARTER KIT

Implementation steps

• Identify your primary driver: compliance (FTC Safeguards, HIPAA, SOC 2), insurance requirement, or genuine risk reduction.
• Decide whether you need a training platform or whether you can start with free materials and a phishing tool.
• Set a measurable 90-day goal: e.g., "100% of employees complete training" or "phishing click rate below 10%."
• Identify executive sponsorship — programs that lack visible leadership support fail to achieve meaningful adoption.

Practical note

Free starting point: CISA provides free security awareness materials at cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools

Implementation steps

• Finance and accounts payable staff: highest risk for business email compromise (BEC) and wire fraud.
• HR and recruiting: high volume of external email attachment opens; frequent credential phishing targets.
• Executive leadership: targeted by spear phishing and whaling attacks; often bypassed by IT security controls.
• IT and system administrators: compromise provides broadest access; require elevated security hygiene.

Practical note

High-risk roles should receive role-specific training modules in addition to general all-staff curriculum.

Implementation steps

• Phishing recognition: how to identify suspicious sender addresses, urgent language, and unexpected attachments or links.
• Password hygiene and MFA: why passwords fail, how to use a password manager, how to enroll and use MFA.
• Safe web browsing and software installation: avoiding malicious downloads, recognizing browser security warnings.
• Physical security: clean desk policy, tailgating, locking screens, handling printed sensitive documents.
• Incident reporting: what to do when something seems wrong — who to call, how to report, why it matters to report early.
• Data handling and classification: what counts as sensitive data, how to share it safely, what not to send over email.

Practical note

Modules should be 5–10 minutes each. Attention drops sharply after 10 minutes for awareness training.

Implementation steps

• Minimum compliance baseline: one full curriculum per year, documented with completion records.
• Recommended: quarterly short modules (5–10 min) reinforcing a single topic, plus annual full curriculum.
• New employee onboarding: complete security training within the first two weeks of employment.
• Triggered training: automatically assign targeted modules when an employee fails a phishing simulation.
• Post-incident training: use real incidents (anonymized) as teaching moments to reinforce awareness.

Practical note

Build training into existing workflows — lunch-and-learns, team meetings, or onboarding checklists — rather than asking employees to fit it around their day.

Implementation steps

• Start with a baseline phishing test before any training — this gives you a real starting click rate.
• Send simulated phishing emails at least quarterly; monthly is better for ongoing conditioning.
• Vary the lure type: credential harvesting, attachment-based, voice phishing (vishing) awareness, and QR code phishing.
• When an employee clicks, provide an immediate micro-training moment — brief and non-punitive.
• Track click rates per department and per role to identify where to focus training intensity.

Practical note

Do not use phishing simulations as a disciplinary tool. Punitive programs cause employees to hide incidents — the opposite of what you want.

Implementation steps

• Phishing click rate trend: measure quarterly and aim for continuous reduction over 12 months.
• Incident reporting rate: the number of employees proactively reporting suspicious emails should increase over time.
• Training completion rate: track by department; gaps often reflect manager engagement, not employee indifference.
• Time to report: how quickly employees flag a suspicious email after receiving it.
• Post-simulation improvement: compare click rates before and after targeted training interventions.

Practical note

A rising incident report rate is a positive signal, not a negative one — it means employees are engaging with security rather than ignoring it.

Implementation steps

• Send a quarterly one-page summary to leadership: completion rate, phishing click rate trend, and any notable incidents.
• Frame metrics as risk indicators: "Our phishing click rate dropped from 22% to 8% in six months, reducing our BEC exposure significantly."
• Include benchmark context where available — industry average click rates help leadership understand relative risk.
• Flag departments or roles that are consistently underperforming and propose targeted interventions.

Practical note

Connect training outcomes to insurance: improved metrics can support lower premiums or better coverage terms at renewal.

Implementation steps

• Free / minimal cost: KnowBe4 free tools, CISA materials, and Microsoft Attack Simulator (included with Microsoft 365 E3/E5 or Defender for Office 365 Plan 2).
• SMB-tier ($15–30/user/year): KnowBe4 Silver, Proofpoint Security Awareness Training Essentials, Cofense PhishMe.
• Mid-market ($30–60/user/year): Proofpoint Advanced, Mimecast Awareness Training, Terranova Security.
• Platform evaluation criteria: phishing template library size, reporting depth, LMS integration, automated workflow for failed simulations.

Practical note

For organizations under 50 employees: Microsoft Attack Simulator plus the CISA phishing awareness poster set is a fully functional zero-cost starting point.