CTA-03 Culture, Training & Awareness 8% of OML score

Are employees aware of common cyber risks such as phishing, fake emails, or scams?

Do your employees know what phishing emails, fake messages, and common scams look like, and do they know what to do if they see one? This is about making sure your team can spot and report suspicious emails or links before they click and cause damage.

Why This Matters to Your Business

Without awareness, even one employee clicking a fake login link can give attackers access to your entire business—customer data, invoices, bank details, everything. A manufacturing unit in Bangalore lost ₹18 lakhs when staff clicked a fake GST portal email and handed over login credentials. Auditors and customers doing security checks will fail you if you cannot show staff have been trained. Ransomware attacks that lock up your data often start with one person opening a malicious attachment thinking it's a genuine invoice or tax notice.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You walk around the office and employees have never heard the word 'phishing' or don't know what to do with a suspicious email. If they get a strange message, they either ignore it or open it without thinking.

Level 1
Initial

You ask staff about phishing and a few senior people have heard the term, but training is random and informal—maybe someone mentioned it once in a meeting. Most people still open attachments from unknown senders without checking.

Level 2
Developing

All staff have received a basic one-time email or poster about spotting suspicious messages, with examples of what phishing looks like. Some employees remember the training, but there is no way to measure who actually absorbed it or what happens if they spot something real.

Level 3
Defined

New employees get mandatory cyber awareness training during onboarding covering phishing, fake calls, and password safety. Refresher emails go out quarterly with real examples. You have a clear process for staff to report suspicious emails to IT or management.

Level 4
Managed

All staff complete an annual formal cyber awareness training with a test or quiz to confirm understanding. You run simulated phishing campaigns monthly and track which staff click, then provide immediate feedback and extra training. Reporting suspicious emails is easy (one-click button in email) and people do report them.

Level 5
Optimised

Cyber awareness is woven into everyday business culture. Employees proactively spot and report phishing without prompting. You measure awareness quarterly through real campaigns, adjust training based on results, and reward safe behavior. New threats (like AI-generated fake voice calls) are communicated within 48 hours of discovery.

How to Move Up — Practical Steps

  • 0 → 1: Hold a 30-minute informal meeting or send a clear email explaining what phishing is, with 3–4 real examples of fake bank/GST/vendor emails. Ask staff to forward anything suspicious to their manager or IT. (Who: Business owner or IT person. Effort: 1 day.)
  • 1 → 2: Create a simple one-page cyber awareness guide (in English and regional language if needed) covering phishing, fake calls, USB risks, and password basics. Print and post it near desks or send it as a PDF. Get all staff to acknowledge receipt. (Who: IT person or external consultant. Effort: 1 week.)
  • 2 → 3: Conduct formal 45-minute annual training for all staff (live or recorded) with a quiz at the end. Document who attended and their scores. Set up a simple email alias (e.g., phishing@company.in) for reporting suspicious emails and publicize it. (Who: IT person or external trainer. Effort: 2–4 weeks.)
  • 3 → 4: Launch quarterly simulated phishing campaigns using free or low-cost tools. Send fake emails to staff and track who clicks. Provide immediate micro-training to those who fail. Publish a monthly 'tip of the week' on a shared board or Slack channel. (Who: IT person with support from HR. Effort: 1–2 months.)
  • 4 → 5: Integrate cyber awareness into performance reviews and recognition programs. Update training monthly based on new threats in the news. Conduct tabletop exercises twice yearly where staff practice responding to a real-world scenario (e.g., ransomware discovered). Share results and learnings with the whole team. (Who: IT person, HR, and senior management. Effort: Ongoing, 1–2 hours per week.)
Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed attendance sheet or email acknowledgment showing all staff completed cyber awareness training with date and topic
  • Training materials (slides, video, or written guide) covering phishing, fake emails, suspicious links, and reporting procedure
  • Quiz or assessment results showing staff understanding (e.g., 'At least 80% of staff scored ≥70% on phishing recognition test')
  • Simulated phishing campaign reports showing number of staff targeted, number who clicked, and follow-up training provided
  • Documented process or email address where staff can report suspicious emails, and a log of reports received and actions taken
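One way to turn the simulated-phishing and quiz evidence above into figures an auditor can check, as an added example that is not part of the NIRMATA guide: a small Python script with constructed staff results and hypothetical function names that computes click and report rates, lists who needs follow-up micro-training, and tests the 'at least 80% of staff scored ≥70%' criterion.

```python
# Turn simulated-phishing and quiz results into the evidence figures quoted above (constructed data).
from dataclasses import dataclass
from typing import Optional

QUIZ_PASS_MARK = 70          # a pass on the phishing recognition test is >= 70%
REQUIRED_PASS_SHARE = 0.80   # the evidence line asks for at least 80% of staff passing

@dataclass
class StaffResult:
    name: str
    targeted: bool             # received the simulated phishing email
    clicked: bool              # clicked the link or opened the attachment
    reported: bool             # forwarded it to the reporting address
    quiz_score: Optional[int]  # None if the person never sat the quiz

# Constructed results for one quarterly campaign in a ten-person company.
STAFF = [
    StaffResult("Asha", True, False, True, 90),
    StaffResult("Ravi", True, True, False, 65),
    StaffResult("Meena", True, False, False, 75),
    StaffResult("Suresh", True, True, True, 80),   # clicked, then reported it
    StaffResult("Priya", True, False, True, 100),
    StaffResult("Arjun", True, False, False, 70),
    StaffResult("Kavya", True, False, True, 95),
    StaffResult("Deepak", True, True, False, None),
    StaffResult("Lakshmi", True, False, False, 85),
    StaffResult("Vikram", True, False, False, 72),
]

def campaign_summary(results):
    """Figures for the campaign report: targeted, clicked, reported, who needs follow-up."""
    targeted = [r for r in results if r.targeted]
    n = len(targeted)
    clicked = [r for r in targeted if r.clicked]
    reported = [r for r in targeted if r.reported]
    return {
        "targeted": n, "clicked": len(clicked), "reported": len(reported),
        "click_rate": round(len(clicked) / n, 2) if n else 0.0,
        "report_rate": round(len(reported) / n, 2) if n else 0.0,
        # everyone who clicked gets immediate micro-training, even if they also reported
        "needs_followup": sorted(r.name for r in clicked),
    }

def quiz_evidence_met(results):
    """Check 'at least 80% of staff scored >= 70%'. Staff who never sat the quiz count
    against the target, since they have not demonstrated understanding."""
    passed = [r for r in results
              if r.quiz_score is not None and r.quiz_score >= QUIZ_PASS_MARK]
    share = round(len(passed) / len(results), 2) if results else 0.0
    return share >= REQUIRED_PASS_SHARE, share
```

Keep the per-campaign output alongside the attendance sheets; the report rate is the number that should rise quarter on quarter, not just the click rate falling.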
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me evidence that all your staff, including contractors and new hires, have completed cyber awareness training in the last 12 months? What topics were covered?"
  • "How do you measure whether employees actually understand phishing risks? Do you test them or track their behavior?"
  • "If an employee receives a suspicious email claiming to be from your bank asking to verify GST credentials, what are they supposed to do, and how would you know they did it?"
  • "Have you ever received a report of a phishing attack from your staff? If so, how did you respond, and what did you do to prevent it happening again?"
  • "How do you keep staff aware of new types of scams or attacks? What was the most recent threat you communicated to your team?"
Tools That Work in India

  • Send simulated phishing emails to staff and track who clicks to measure awareness gaps
    Free option: Gophish (self-hosted, technical setup required), or use the free tier of KnowBe4 for small teams (up to 50 users)
    Paid option: KnowBe4 ₹50,000–150,000/year; Proofpoint Security Awareness Training ₹1,50,000+/year; Microsoft Phish & Learn (bundled in Microsoft 365 for ₹4,500–15,000/user/year)
  • Deliver and track online training courses with quizzes to staff
    Free option: Google Forms for quizzes; Moodle (self-hosted LMS, free); Coursera for Business free tier has limited cyber content
    Paid option: Coursera for Business ₹2,000–5,000/user/year; Udemy Business ₹5,000–10,000/year for company account; LinkedIn Learning ₹3,000–8,000/user/year
  • Email gateway that flags and quarantines suspicious emails before staff see them
    Free option: Protonmail (for company email, free tier has limits); Gmail built-in phishing detection (if using Google Workspace)
    Paid option: Microsoft Defender for Office 365 ₹200–400/user/year (bundled in Microsoft 365); Cisco Secure Email ₹15,000–50,000/year; Sophos Email Security ₹8,000–30,000/year depending on user count
How This Makes You More Resilient
When employees can spot phishing and report it, you stop attackers before they get inside your network—preventing data theft, ransomware infections, and costly downtime. A trained team also means fewer successful credential thefts, which means your customer data and business operations stay safer. In short, awareness is your cheapest and most effective defense against the most common attacks.
Common Pitfalls in India
  • One-time training that staff forget within weeks—deliver refresher messages monthly, not once a year, and tie it to real incidents or new threats in the news
  • Training in English only when your factory floor, customer service, or finance teams speak Tamil, Marathi, or Hindi—translate key messages into regional languages and use visual posters, not just text
  • Creating a culture of blame where staff who fall for a phishing email get fired or publicly shamed, so they hide the incident instead of reporting it—make reporting safe and treat failures as a learning opportunity
  • Assuming IT staff or managers are immune to phishing and excluding them from training—attackers often target senior staff and IT people precisely because they think they are careful
  • No way to report suspicious emails, so staff who spot something real give up and do nothing—make reporting dead simple (one email address, one button in email client, or one Slack command) and acknowledge reports within 24 hours
Compliance References

  • DPDP Act 2023: Section 8 (reasonable security practices) and Schedule 2 (security requirements) require organizations to implement safeguards, including staff awareness, to protect personal data
  • CERT-In 2022 Guidelines on Information Security Practices (GISP): recommend periodic security awareness and training of all personnel on data protection and cyber hygiene
  • ISO 27001:2022: Clause 6.3 (information security awareness, education and training) and Annex A, A.6.2 require organizations to ensure personnel are competent and aware of information security risks
  • NIST CSF 2.0: Govern & Protect functions: GV.RO-02 (training and awareness) and PR.AT-01 (all personnel receive cybersecurity awareness and training)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
