Employees are the weakest link in cybersecurity—most breaches happen because someone clicked a malicious link or shared a password. If you don't remind them regularly, old bad habits creep back in and new threats go unnoticed. A Delhi IT services company lost ₹45 lakhs to a phishing attack after three new employees never received security training. Without reminders, your team forgets rules, regulatory audits fail, and a single employee mistake can expose customer data or payment information, leading to fines under DPDP Act 2023 and loss of client contracts.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no formal training or reminders at all. Employees learn cybersecurity by accident, word-of-mouth, or not at all.
Initial
You did a one-time training session (maybe a PowerPoint presentation) when someone joined, but nothing happens after that. Most employees have forgotten it by now.
Developing
You send out a cybersecurity email or message once or twice a year, like before monsoon or during Diwali holidays when threats increase. It's sporadic and not tracked.
Defined
You have a quarterly reminder schedule—emails, posters, or short videos every three months covering topics like password safety or phishing. You keep a basic record of who received it.
Managed
You run monthly reminders with different topics each time (phishing one month, data classification the next, USB safety the next). Employees acknowledge receipt and you track completion. You include real examples of recent breaches.
Optimised
You have a documented annual training and awareness calendar with monthly or bi-weekly reminders using multiple channels (email, posters, team meetings, microlearning videos). Topics rotate based on emerging threats. You measure effectiveness through quizzes, simulations, and incident data, and adjust content based on what's working.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Conduct a one-time 30-45 minute in-person or online training session covering passwords, phishing recognition, data handling, and clean desk policy. Document attendance with signatures or email confirmations. | IT person or external trainer | 3-5 days (including preparation) |
| 1 → 2 | Create a simple 1-2 page cybersecurity reminder checklist covering top 5 risks. Email it to all staff at least twice a year (e.g., January and July). Keep a dated email log as proof. | IT person or HR | 1 week |
| 2 → 3 | Build a quarterly reminder schedule (4 emails/posters per year) with rotating topics: Q1=Passwords, Q2=Phishing, Q3=Data Protection, Q4=USB/Device Safety. Add a sign-off or acknowledgment requirement. Create a simple tracker spreadsheet. | IT person + management | 2-3 weeks |
| 3 → 4 | Increase frequency to monthly reminders. Create 12 different short briefs (1-2 paragraphs each) tied to real-world scenarios or recent threats. Include a simple 2-3 question quiz at the end. Track completion and scores in a spreadsheet or free Google Form. | IT person + designated awareness champion | 4-6 weeks |
| 4 → 5 | Formalize an annual Awareness & Training Plan document. Add quarterly phishing simulations, short-form videos (2-3 min), posters rotating in offices/pantry, and integration into team meetings. Measure effectiveness through quiz results, simulation click rates, and incident trends. Review and adjust quarterly. | IT person + HR + leadership | Ongoing (4-8 hours per month) |
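As an added example (not part of this page or the NIRMATA framework), the script below turns the completion tracker from steps 3 → 4 and 4 → 5 into the numbers an auditor asks for: acknowledgment rate per reminder, staff who never acknowledged anything, and the click-rate trend across phishing simulations. The CSV columns, employee names and dates are constructed for illustration.

```python
"""Awareness evidence from tracker logs (added example, not NIRMATA's code).
Turns the 3->4 / 4->5 tracker spreadsheets (reminder acknowledgments, quiz
scores, phishing-simulation outcomes) into the audit numbers: acknowledgment
rate per reminder, staff who never acknowledged, click rate per simulation."""
import csv
from collections import defaultdict

# Constructed acknowledgment log: one row per employee per monthly reminder.
ACK_LOG = """reminder,topic,sent,employee,acknowledged,quiz_score
2024-01,Passwords,2024-01-08,asha,2024-01-09,3
2024-01,Passwords,2024-01-08,ravi,,
2024-01,Passwords,2024-01-08,meena,2024-01-10,2
2024-02,Phishing,2024-02-05,asha,2024-02-05,3
2024-02,Phishing,2024-02-05,ravi,,
2024-02,Phishing,2024-02-05,meena,2024-02-07,3
"""

# Constructed simulation results: one row per employee per simulated phish.
SIM_LOG = """simulation,date,employee,clicked,reported
Q1,2024-03-12,asha,no,yes
Q1,2024-03-12,ravi,yes,no
Q1,2024-03-12,meena,yes,no
Q2,2024-06-10,asha,no,yes
Q2,2024-06-10,ravi,yes,no
Q2,2024-06-10,meena,no,yes
"""


def ack_rates(log: str) -> dict[str, float]:
    """Acknowledgment rate per reminder (acknowledged / sent), rounded to 2 dp."""
    sent, acked = defaultdict(int), defaultdict(int)
    for row in csv.DictReader(log.splitlines()):
        sent[row["reminder"]] += 1
        acked[row["reminder"]] += bool(row["acknowledged"])  # empty cell = no ack
    return {r: round(acked[r] / sent[r], 2) for r in sent}


def never_acknowledged(log: str) -> list[str]:
    """Employees with zero acknowledgments: the gap to close before an audit."""
    acked = defaultdict(bool)
    for row in csv.DictReader(log.splitlines()):
        acked[row["employee"]] |= bool(row["acknowledged"])
    return sorted(e for e, ok in acked.items() if not ok)


def click_rates(log: str) -> dict[str, float]:
    """Click rate per simulation; a falling series is the effectiveness evidence."""
    total, clicked = defaultdict(int), defaultdict(int)
    for row in csv.DictReader(log.splitlines()):
        total[row["simulation"]] += 1
        clicked[row["simulation"]] += row["clicked"] == "yes"
    return {s: round(clicked[s] / total[s], 2) for s in total}
```

Exporting the same spreadsheet as CSV each quarter and re-running these three functions gives a dated, reproducible record for the evidence list below.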
Documents and records that prove your maturity level.
- A documented Cybersecurity Awareness & Training Calendar or Schedule showing reminder topics, dates, and frequency (annual or quarterly plan)
- Copies of at least 4 recent reminder communications (emails, posters, SMS, or messages) sent to employees in the past 12 months with distribution dates
- An attendance, acknowledgment, or completion log (spreadsheet, email chain, or form responses) showing which employees received and acknowledged each reminder
- A brief training record or certificate from at least one formal training session in the past 24 months, with participant names and dates
- Evidence of at least one phishing simulation or short quiz sent to employees in the past 6 months, with response/completion data
Prepare for these questions from customers or third-party reviewers.
- "Show me your training and awareness calendar for this year. How often do you remind employees, and what topics do you cover?"
- "Can you provide copies of the last 3-4 reminders you sent? What method did you use (email, chat, poster) and how do you confirm employees saw them?"
- "How do you decide what to include in these reminders? Do you base it on actual incidents, new threats, or compliance requirements?"
- "Have you tested whether employees actually remember the training—for example, through a phishing simulation or quiz? What were the results?"
- "If an employee was involved in a security incident (like falling for phishing), how would this reminder program have helped prevent it?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Send scheduled reminder emails to all staff with tracking and acknowledgment | Google Forms + Gmail, or Mailchimp (free tier up to 500 contacts) | HubSpot Marketing Hub (₹3,000-5,000/month) or Constant Contact (₹400-600/month) |
| Create and distribute short-form cybersecurity training videos and microlearning content | YouTube, Canva (free templates), or OBS Studio (screen recording and editing) | Udemy for Business (custom course hosting, ₹500-2,000 per user/year) or TalentLMS (₹80-300/month) |
| Run phishing simulations and measure employee click rates to test awareness | SANS Phishing Simulation (limited, primarily for learning) or DIY using email templates | KnowBe4 (₹2,50,000-4,00,000/year for small teams) or Gophish (₹0 software but requires hosting, ~₹5,000-10,000/year on cloud) |
| Track and manage training attendance, quiz completion, and awareness metrics | Google Sheets, Airtable (free tier), or Microsoft Forms + Excel | Workday or SAP SuccessFactors (enterprise, ₹10+ lakhs/year) or Moodle hosting (₹15,000-30,000/year) |
| Design and print or display awareness posters and visual reminders | Canva (free tier with cybersecurity templates) or Piktochart | Canva Premium (₹120/month) or hire local designer for custom posters (₹2,000-5,000 per design) |
- One-time training trap: Conducting annual training once and assuming employees remember. Most forget within 3-6 months if not reinforced.
- No proof of reminders: Assuming emails were read without asking for acknowledgment. Auditors want evidence that employees actually received and understood the message (read receipts, quizzes, sign-offs).
- Generic, irrelevant content: Sending boilerplate corporate training that doesn't match your business context (e.g., a manufacturing firm sending finance-focused phishing tips). Employees tune out if it doesn't feel relevant to their job.
- Forgetting new hires: Adding training to onboarding but skipping reminders for existing staff, or not retraining when the threat landscape changes (e.g., new payment fraud tactics in your industry).
- No measurement or follow-up: Sending reminders but never testing whether they worked (no phishing simulations, no incident analysis to see if awareness gaps caused breaches). This wastes effort, and the compliance check fails when auditors ask "how do you know this works?"
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (obligations of entity handling personal data) and Schedule 2 (reasonable security safeguards including staff awareness) |
| CERT-In Directions 2022 | Direction 5 (information security policy must include user awareness and training) and Direction 6 (periodic training mandatory for sensitive roles) |
| ISO 27001:2022 | Clause 6.3 (awareness) and Annex A, Control A.6.3 (information security awareness, education and training) |
| NIST CSF 2.0 | Govern Function (GV.AT: Awareness and Training Program) and Protect Function (PR.AT: Workforce security awareness and training) |