Without basic email and internet safety training, your employees become the easiest entry point for hackers. A manufacturing business in Bangalore lost ₹8 lakhs when an employee clicked a fake invoice link that looked like it came from their vendor, giving attackers access to their entire accounting system. Without guidance, staff might also share passwords, leave computers unlocked, or store customer data on personal phones, putting you at risk of data breach fines under DPDP Act 2023, customer trust loss, and operational shutdown during ransomware attacks.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You find no written guidance anywhere. Employees learn by trial and error or by asking friends.
- Initial: You have informal rules—maybe the IT person told a few people verbally not to open strange emails—but nothing documented or consistent across the organisation.
- Developing: You have a simple one-page email and internet safety document that was circulated once or twice, but staff don't remember it and there is no regular reminder.
- Defined: You conduct annual training for all staff on email safety and password hygiene, keep a sign-in sheet, and send occasional email reminders about phishing risks.
- Managed: You run quarterly training sessions with role-specific scenarios (e.g., different guidance for finance vs. operations), track completion, test employees with fake phishing emails monthly, and adjust training based on what you learn.
- Optimised: You operate a continuous learning programme with monthly updated scenarios, real-time alerts when someone clicks a suspicious link, automatic learning reinforcement, independent testing, board-level reporting on training metrics, and documented improvement in employee behaviour.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Have the IT person or an external consultant spend 2 hours documenting 5–7 basic email safety rules (do not click unknown links, do not share passwords, lock your screen when away, report strange emails to IT, do not download files from untrusted senders) and email them to all staff. | IT person or external consultant | 2–3 hours |
| 1 → 2 | Create a simple one-page 'Email & Internet Safety' poster with pictures, print 5–10 copies, and post them near common areas (cafeteria, entrance). Send the same content as a PDF via email and add it to your employee handbook. | HR or IT person | 1 day |
| 2 → 3 | Conduct a 30-minute in-person or video training session for all staff, covering phishing examples, password safety, and how to report suspicious activity. Keep attendance records and send a follow-up email with the key points and a test link showing how phishing works (safe test). | HR or IT person, possibly external trainer | 2–3 weeks including scheduling and follow-up |
| 3 → 4 | Introduce role-based training (finance staff get invoice fraud examples; operations staff get vendor impersonation examples). Send monthly phishing test emails and track who clicks. Maintain a log of training completion and test results. Brief management monthly on progress. | IT person with HR support | 1–2 months initial setup; 2–4 hours monthly thereafter |
| 4 → 5 | Integrate continuous micro-learning into daily operations: push a 2-minute security tip every Friday, use email gateway alerts to flag and log suspicious emails in real time, run unannounced phishing tests, conduct quarterly refresher workshops, and report metrics (training completion %, phishing click rate, incident trends) to leadership quarterly. Adjust training based on incident post-mortems. | IT person with executive sponsorship | Ongoing; 5–6 hours per month for management and updates |
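The 4 → 5 step asks the email gateway to "flag and log suspicious emails in real time". The script below is an added example of the kind of rule logic such an alert can run; it is not part of this page, of NIRMATA, or of any gateway product. It assumes a small allow-list of the vendor domains your finance team actually pays (`KNOWN_VENDORS`, constructed here with one fictional vendor) and a company domain (`OWN_DOMAIN`, also constructed), and it checks three things that the Bangalore invoice story turns on: a display name that borrows a known vendor's name, a sender domain one or two characters away from a trusted one, and payment wording paired with a link to a host that is not on the allow-list. The sample messages are constructed for the demonstration.

```python
"""Rule-based suspicious-email flagging for a gateway alert (added example, constructed data)."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: the vendors you actually pay, keyed by their real domain (constructed).
KNOWN_VENDORS = {"acme-supplies.in": "Acme Supplies"}
OWN_DOMAIN = "example-co.in"  # constructed company domain
TRUSTED = sorted(set(KNOWN_VENDORS) | {OWN_DOMAIN})
MONEY_WORDS = ("invoice", "payment", "bank details", "overdue")


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 or 2 between domains is a classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted_host(host):
    """True when the host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def flag_email(msg):
    """Return the reasons this message deserves an alert (empty list = nothing found).

    msg is a dict with 'from', 'subject' and 'body' strings, as a gateway would hand over.
    """
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    text = (msg["subject"] + " " + msg["body"]).lower()
    reasons = []

    # 1. Display name claims a known vendor, but the address is not that vendor's domain.
    for real_domain, vendor in KNOWN_VENDORS.items():
        if vendor.lower() in name.lower() and domain != real_domain \
                and not domain.endswith("." + real_domain):
            reasons.append(f"display name '{name}' claims {vendor} but sent from {domain}")

    # 2. Sender domain is a near-miss of a trusted domain (e.g. one swapped character).
    for d in TRUSTED:
        if domain != d and edit_distance(domain, d) <= 2:
            reasons.append(f"sender domain {domain} looks like {d}")

    # 3. Money-related wording plus a link whose host is not on the allow-list.
    hosts = [urlparse(u).hostname or "" for u in re.findall(r'https?://[^\s<>"]+', msg["body"])]
    external = [h for h in hosts if not is_trusted_host(h)]
    if external and any(w in text for w in MONEY_WORDS):
        reasons.append(f"payment wording with link to untrusted host {external[0]}")
    return reasons


# Constructed sample messages: one lookalike invoice, one genuine vendor mail, one internal tip.
SAMPLE_MESSAGES = [
    {"from": '"Acme Supplies Billing" <accounts@acme-supp1ies.in>',
     "subject": "Invoice #4471 overdue",
     "body": "Please settle today: http://acme-supp1ies.in/invoice/4471"},
    {"from": '"Acme Supplies" <accounts@acme-supplies.in>',
     "subject": "Invoice #4471",
     "body": "Your invoice is on the portal: https://portal.acme-supplies.in/inv/4471"},
    {"from": '"HR Team" <hr@example-co.in>',
     "subject": "Security tip of the week",
     "body": "Watch this week's 2-minute tip: https://www.youtube.com/watch?v=example"},
]


def triage(messages=SAMPLE_MESSAGES):
    """Map each subject to its alert reasons, the record a gateway would log for IT."""
    return {m["subject"]: flag_email(m) for m in messages}


if __name__ == "__main__":
    for subject, reasons in triage().items():
        print(subject, "->", reasons or "clean")
```

Rule 3 is deliberately conservative: a link to an unknown host is only flagged when the text also talks about money, so routine newsletters pass while an "overdue invoice" pointing at an unfamiliar host is logged for the IT person to review and, where relevant, turned into the next role-specific training scenario.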
Documents and records that prove your maturity level.
- Documented email and internet safety policy or guidelines (one-page minimum, approved and dated)
- Training attendance records or sign-in sheets showing all employees have received instruction (dated and signed)
- Training materials (slides, handouts, video links, or posters) with specific content on phishing, password safety, and incident reporting
- Phishing test results or logs showing when tests were sent, who clicked, and follow-up actions taken
- Email reminder communications (monthly or quarterly) reinforcing key safety messages with dates sent
Prepare for these questions from customers or third-party reviewers.
- "Do you have a documented policy on safe email and internet use, and can you show me when it was last updated and who approved it?"
- "How many employees have received training on email security in the last 12 months, and can you provide proof of their attendance?"
- "Have you tested your employees' ability to identify phishing emails, and what were the results?"
- "What process do employees follow when they receive a suspicious email, and how do you track incidents reported this way?"
- "How do you ensure new employees receive this training before they get email access?"
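Steps 3 → 4 and 4 → 5 above ask you to keep a log of training completion and phishing-test results and to report training completion %, phishing click rate and repeat offenders to management; the reviewer questions ask for proof of training in the last 12 months and for how new hires are trained before they get email access. The following is an added example of how to answer both from two plain records, a training attendance log and a phishing-test export; it is not NIRMATA's tooling and the employee, training and test records are constructed for the demonstration.

```python
"""Training-completion and phishing-test metrics from plain records (added example, constructed data)."""
from collections import defaultdict
from datetime import date

# Constructed records. In practice these come from your HR sign-in sheet and the
# export of whichever phishing-test tool you use. All dates are ISO strings.
EMPLOYEES = [
    # (employee id, role, date email access was granted)
    ("E01", "finance", "2024-01-10"),
    ("E02", "finance", "2024-01-10"),
    ("E03", "operations", "2024-03-05"),
    ("E04", "operations", "2024-03-05"),
    ("E05", "operations", "2025-02-01"),  # new hire, not yet trained
]

TRAINING_LOG = [
    # (employee id, date of the session attended)
    ("E01", "2024-01-08"), ("E02", "2024-01-08"),
    ("E03", "2023-11-20"), ("E04", "2024-02-15"),
    ("E01", "2024-12-10"), ("E02", "2024-12-10"), ("E04", "2024-12-10"),  # annual refresher
]

PHISHING_TESTS = [
    # (test date, employee id, clicked the test link?)
    ("2025-01-20", "E01", False), ("2025-01-20", "E02", True),
    ("2025-01-20", "E03", True), ("2025-01-20", "E04", False),
    ("2025-02-18", "E01", False), ("2025-02-18", "E02", True),
    ("2025-02-18", "E03", False), ("2025-02-18", "E04", False),
    ("2025-02-18", "E05", True),
]


def _training_dates(log):
    """Per employee: (first session, most recent session)."""
    first, last = {}, {}
    for emp, d in log:
        d = date.fromisoformat(d)
        first[emp] = min(first.get(emp, d), d)
        last[emp] = max(last.get(emp, d), d)
    return first, last


def overdue_training(as_of, employees=EMPLOYEES, log=TRAINING_LOG, days=365):
    """Employees with no recorded training in the last `days` days (the 12-month reviewer question)."""
    as_of = date.fromisoformat(as_of)
    _, last = _training_dates(log)
    return sorted(emp for emp, _, _ in employees
                  if emp not in last or (as_of - last[emp]).days > days)


def training_completion_pct(as_of, employees=EMPLOYEES, log=TRAINING_LOG):
    """Share of current staff trained within the last year, for the management report."""
    trained = len(employees) - len(overdue_training(as_of, employees, log))
    return round(100 * trained / len(employees), 1)


def untrained_before_access(employees=EMPLOYEES, log=TRAINING_LOG):
    """New hires who received email access before their first training session."""
    first, _ = _training_dates(log)
    return sorted(emp for emp, _, granted in employees
                  if emp not in first or first[emp] > date.fromisoformat(granted))


def click_rate_by_role(tests=PHISHING_TESTS, employees=EMPLOYEES):
    """Phishing click rate (%) per role, so finance and operations can get different scenarios."""
    role_of = {emp: role for emp, role, _ in employees}
    sent, clicked = defaultdict(int), defaultdict(int)
    for _, emp, did_click in tests:
        sent[role_of[emp]] += 1
        clicked[role_of[emp]] += int(did_click)
    return {role: round(100 * clicked[role] / sent[role], 1) for role in sorted(sent)}


def repeat_clickers(tests=PHISHING_TESTS, threshold=2):
    """Employees who clicked in at least `threshold` tests and need a follow-up conversation."""
    counts = defaultdict(int)
    for _, emp, did_click in tests:
        counts[emp] += int(did_click)
    return sorted(emp for emp, n in counts.items() if n >= threshold)


def quarterly_report(as_of):
    """The figures the 4 → 5 step asks you to put in front of leadership."""
    return {
        "training_completion_pct": training_completion_pct(as_of),
        "overdue_training": overdue_training(as_of),
        "untrained_before_access": untrained_before_access(),
        "click_rate_by_role": click_rate_by_role(),
        "repeat_clickers": repeat_clickers(),
    }


if __name__ == "__main__":
    for key, value in quarterly_report("2025-01-31").items():
        print(f"{key}: {value}")
```

Keeping the raw logs and regenerating the report from them, rather than editing a summary by hand, is what lets you show a reviewer the dated evidence behind each number; the same script answers "who is overdue" and "who clicked twice" for the follow-up the pitfalls list below calls for.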
| Purpose | Free Option | Paid Option |
|---|---|---|
| Send fake phishing emails to test employee awareness and track who clicks | PhishTank (educational resource on reported phishing sites); KnowBe4's free tools (limited); many email providers (Gmail, Outlook) have built-in "report phishing" features | KnowBe4 (₹50,000–₹2,00,000/year depending on size); Gophish (open-source, ₹0 licence cost but requires your own setup); Proofpoint (₹3,00,000+/year for SMEs) |
| Create and deliver training videos or host training materials online | Google Workspace (free version includes Meet for video training); YouTube (host unlisted videos); Canva (free templates for posters/handouts) | Teachable (₹5,000–₹10,000/month); Moodle hosting (₹10,000–₹30,000/year); LinkedIn Learning (₹15,000/year per user) |
| Filter and flag suspicious emails before they reach employees | Gmail's built-in spam filters; Zoho Mail (free plan with basic filtering) | Fortinet FortiMail (₹2,00,000–₹5,00,000/year); Mimecast (₹1,50,000–₹3,50,000/year); Barracuda (₹1,50,000+/year) |
- Training is done once and then forgotten: staff are never reminded, new hires skip it, and old guidance becomes irrelevant. Conduct training at least annually and reinforce monthly.
- Training is generic or too technical: employees tune out because it does not feel relevant to their job. Create role-specific examples (e.g., finance staff should learn about invoice fraud, not just generic phishing).
- No follow-up or accountability: there is no record of who was trained or whether they retained anything. Always keep attendance records and follow up with people who fail phishing tests.
- Assuming educated staff 'already know' security: even senior employees and technical staff fall for phishing if not regularly trained and tested; do not skip anyone.
- Not reporting or learning from incidents: when an employee does click a bad link or reports a phishing email, treat it as a training opportunity, not a punishment, so staff feel safe reporting instead of hiding mistakes.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 5 (data principals' rights) and Schedule I (Reasonable Security Practices) mandate that organizations ensure personnel are made aware of data protection obligations and security practices |
| CERT-In Guidelines 2022 | Annexure A: Awareness and training requirement; mandates organizations to conduct periodic awareness training for all employees on information security best practices |
| ISO 27001:2022 | Clause 6.3 (awareness) and Clause A.6.2 (information security awareness, education and training) require organizations to ensure all personnel are made aware of security responsibilities and trained accordingly |
| NIST CSF 2.0 | Govern Function (GV.RO-01) and Protect Function (PR.AT-01 and PR.AT-02) require awareness programs and training on security roles and responsibilities |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.