When employees don't know cybersecurity is their job, they become your biggest security risk. A common scenario in Indian SMEs: an employee receives a phishing email posing as your bank, clicks a malicious link, and a competitor or criminal gains access to your customer database or GST records. Without awareness, no one reports suspicious emails, everyone uses the same password, and data walks out the door. You could face DPDP Act fines (up to ₹5 crore for large breaches), lose customer contracts (many buyers now audit vendor security), and have operations disrupted while you respond to a breach.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You walk into the office and ask three random employees what cybersecurity means to them—they shrug or say 'IT's problem.' No one has heard any message from leadership about security responsibilities.
- Initial: You find that management has sent a one-time email about password rules, but when you ask employees, half of them haven't read it and don't know what it says or why it applies to them.
- Developing: You discover that employees have attended a basic one-hour security training (possibly during onboarding), and some can name two or three security rules, but they don't clearly understand how their daily work relates to protecting data.
- Defined: You observe that employees receive annual security training with a quiz, and most can explain their responsibility to report phishing emails, handle customer data carefully, and not share passwords—they understand it's part of their job.
- Managed: You find that employees receive quarterly security updates or monthly reminders, can explain specific data protection practices relevant to their role, and actively report suspicious activity; managers reinforce these messages regularly.
- Optimised: You see that security awareness is woven into everyday work—posters and checklists are visible, employees refer to security guidelines naturally in meetings, new hires receive role-specific training in their first week, and a culture exists where reporting risks is rewarded.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Draft and send a short written statement from the MD or owner saying cybersecurity is everyone's responsibility, not just IT's. Include one or two real consequences (e.g., data breach could shut us down, customers will leave, GST audit trouble). | Owner or MD | 1 day |
| 1 → 2 | Conduct a half-day in-person or online security awareness session. Cover: what data we protect, why it matters, top 3 risks (phishing, weak passwords, USB drives), and what each employee should do. Record attendance. | IT lead or external trainer | 1 week (prep) + 0.5 day (delivery) |
| 2 → 3 | Create a simple one-page 'Security Handbook' for each employee covering their role in protecting data. Add a short quiz after training. Make it annual and track scores. | HR + IT lead | 2–3 weeks |
| 3 → 4 | Set up quarterly 15-minute refresher sessions (email tips, phishing simulations, or department-specific scenarios). Build a simple internal comms calendar. Tie awareness to performance reviews. | HR + IT lead | 1–2 months (setup) + ongoing |
| 4 → 5 | Embed security into daily work culture: put security posters in common areas, include security agenda item in monthly all-hands, create a safe channel for reporting risks (not just to IT), and celebrate employees who spot and report threats. | Owner/MD + HR + IT lead | Ongoing (2–3 hours/month) |
Documents and records that prove your maturity level.
- Written policy or memo from leadership stating cybersecurity is a job responsibility for all employees, with date of issue
- Training attendance records or sign-in sheets showing employees have attended security awareness session(s), with names, dates, and topics covered
- Training materials or slides used (e.g., PowerPoint, video, handouts) that cover data protection and employee responsibilities
- Training completion quiz or assessment results showing employee understanding of key security rules (passwords, phishing, data handling)
- Evidence of ongoing communication: email reminders, posters, internal newsletters, or calendar entries for quarterly/monthly security updates
Prepare for these questions from customers or third-party reviewers.
- "Can you show me evidence that all employees have been told cybersecurity is part of their job? How do you communicate this?"
- "What security training have your employees received? When was the last session, and who attended?"
- "If I pick a random employee and ask them, what security responsibilities should they be able to name for their role?"
- "How do you keep security awareness fresh—is it a one-time thing, or do employees hear about it regularly?"
- "Do you have a way for employees to report security problems or concerns? How is that communicated?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and track training completion and quizzes to document awareness | Google Forms (basic quizzes) + Google Sheets (attendance tracking) | Moodle (open-source LMS, minimal cost) or Udemy for Business (₹5,000–15,000/year for small team) |
| Send simulated phishing emails to test employee awareness and identify weak spots | Gophish (setup-intensive) or free tier of KnowBe4 (limited) | KnowBe4 (₹30,000–80,000/year for SMEs) or Gophish professional support |
| Host and share training videos and security content for employees to access anytime | YouTube unlisted videos + internal wiki (Notion, Confluence free tier) | Confluence or Slack channels for internal comms (₹300–1,000/user/year) |
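The evidence list above asks for attendance records, quiz results and proof of recurring refreshers, and the tools table suggests keeping them in a simple sheet and form. The script below is an added example, not part of this page or of any product it names: it takes constructed attendance and quiz records for hypothetical employees and checks them against the criteria this page sets out (yearly training with a quiz, quarterly refreshers, new hires trained in their first week), and answers the reviewer question of when the last session was and who attended. The pass mark, 92-day quarter and programme start date are assumptions.

```python
from datetime import date, timedelta
# Added example (constructed data, hypothetical employees): checks training
# records against this page's criteria for awareness evidence.
PASS_MARK = 7                        # quiz score out of 10 needed to pass
ANNUAL = timedelta(days=365)         # awareness training recurs at least yearly
QUARTER = timedelta(days=92)         # a refresher is expected each quarter
ONBOARD_WINDOW = timedelta(days=7)   # new joiners are trained in week one
TODAY = date(2024, 7, 1)             # assumed review date
PROGRAM_START = date(2023, 9, 1)     # assumed date the programme began
EMPLOYEES = {                        # name -> hire date
    "asha": date(2022, 3, 1),
    "ravi": date(2023, 11, 20),
    "meena": date(2024, 6, 10),      # recent joiner, not yet trained
}
ATTENDANCE = [                       # (name, session date, topic)
    ("asha", date(2023, 9, 5), "annual awareness"),
    ("ravi", date(2023, 11, 22), "onboarding awareness"),
    ("asha", date(2024, 5, 14), "quarterly refresher"),
    ("ravi", date(2024, 5, 14), "quarterly refresher"),
]
QUIZ_SCORES = {"asha": 9, "ravi": 6}  # out of 10; meena has no quiz yet

def review(employees, attendance, quiz, today, program_start):
    """Return {name: [gaps]}; an empty list means the evidence is complete.
    The first-week check applies only to people hired after the programme
    started, since earlier staff could not have been onboarded under it."""
    report = {}
    for name, hired in employees.items():
        sessions = sorted(d for n, d, _ in attendance if n == name)
        gaps = []
        if not sessions:
            gaps.append("no training recorded")
        else:
            if today - sessions[-1] > ANNUAL:
                gaps.append("last training older than 12 months")
            elif today - sessions[-1] > QUARTER:
                gaps.append("no refresher this quarter")
            if hired >= program_start and sessions[0] - hired > ONBOARD_WINDOW:
                gaps.append("not trained within first week of joining")
        if name not in quiz:
            gaps.append("no quiz result")
        elif quiz[name] < PASS_MARK:
            gaps.append("quiz below pass mark")
        report[name] = gaps
    return report

def last_session(attendance):
    """Answer the reviewer question: when was the last session, who attended?"""
    latest = max(d for _, d, _ in attendance)
    return latest, sorted({n for n, d, _ in attendance if d == latest})
```

Run `review(EMPLOYEES, ATTENDANCE, QUIZ_SCORES, TODAY, PROGRAM_START)` to get the per-person gap list; replacing the constructed data with an export of your own attendance sheet and quiz results gives the same report for real records.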
- One-time training is treated as 'done'—employees attend a 2-hour session in Year 1 and then forget it; you need reinforcement at least annually, ideally quarterly
- Training is too technical or IT-heavy—employees zone out when you use jargon; tailor the message to each role (accountant hears about invoice fraud, operations hears about USB risks) and use real examples from Indian news (TCS breach, GST data theft, etc.)
- No clear reporting channel—employees are told to 'report suspicious emails' but don't know to whom or how, so they stay silent; create a simple, safe way to flag issues (email, anonymous form, or a designated person) and confirm receipt so people feel heard
- Security is seen as punishment, not protection—rules are enforced as 'don't do this' without explaining the 'why'; frame security as protecting customer trust, your jobs, and the business, not as IT policing employees
- New hires and contractors are skipped—you train existing staff but forget that new joiners and third-party vendors add risk; build awareness into your onboarding checklist so every person, every time, understands the expectations
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (consent and notice) and Section 10 (purpose limitation)—employees must understand their role in protecting personal data of customers and comply with data handling rules |
| CERT-In 2022 Guidelines | Appendix A—recommends that organisations create a security awareness programme and ensure employees understand their security roles |
| ISO 27001:2022 | Clause 6.3 (awareness) and Annex A.6.2 (information security awareness, education and training) |
| NIST CSF 2.0 | Govern function (GV) and Protect function (PR)—emphasis on organizational awareness and training as foundation for security culture |