CTA-13 Culture, Training & Awareness (8% of OML score)

Is cybersecurity awareness tailored to the size and nature of the business?

Is your cybersecurity training actually useful for the people who work here, or are you giving the same boring training to everyone regardless of their job? This question asks whether your awareness program matches what your business actually does and how big it is.

Why This Matters to Your Business

Generic, one-size-fits-all training wastes money and doesn't stick—employees ignore it, which means your biggest security gap remains open. A Delhi manufacturing business that gave all 50 staff identical 2-hour compliance videos saw zero behavior change; three months later a factory floor worker opened a phishing email and an attacker stole customer designs worth ₹15 lakhs. When a breach happens, auditors and customers ask 'what training did the person receive?'—if it wasn't relevant to their role, you look negligent and lose contracts. Tailored awareness prevents real mistakes at the source: the person actually making daily decisions.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You have no training program at all, or maybe a single 30-minute video everyone watches once at hire and never again. Nobody knows what 'phishing' means or why passwords matter.

Level 1: Initial

You run one annual training session for everyone together, covering generic topics like 'don't share passwords' and 'lock your computer.' The content is the same for the receptionist, the accountant, and the warehouse manager.

Level 2: Developing

You've created two or three different training tracks based on broad groups (office staff vs. operations staff), and employees take the right one based on their department. Training happens once a year and covers role-relevant risks like handling customer data or managing physical access.

Level 3: Defined

You have a documented training plan that maps specific risks to job roles (e.g., finance staff get training on invoice fraud and payment verification; sales staff on phishing and social engineering). Training happens twice yearly and includes short follow-up sessions or reminders between full sessions.

Level 4: Managed

Your training is role-specific, role-based refreshers happen quarterly, and you test whether people actually learned (quizzes, simulations). You track who attended what, identify gaps, and adjust content based on incidents or near-misses within your own business.

Level 5: Optimised

Awareness is continuous and integrated into daily work (posters, email tips, incident simulations tailored to actual threats you face). You conduct regular phishing simulations with role-specific scenarios, measure improvements, and adjust based on real breach data and industry changes relevant to your sector.

How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Identify your three largest employee groups by role (e.g., admin/HR, finance, operations). Write one simple 15-minute training module covering phishing, passwords, and incident reporting; deliver it to all staff at once. | HR Manager or IT person | 3–5 days
1 → 2 | Split your training into 2–3 tracks based on actual job roles. For each track, list the top 3 security risks specific to that role (e.g., finance risks: fake invoices, payment diversion; frontline risks: physical access, social engineering). Create short, role-specific modules addressing those risks. | HR Manager + IT person + department heads | 1–2 weeks
2 → 3 | Document your training plan in a simple table: role, top 3 risks for that role, training content, delivery schedule (twice per year), and who's responsible. Schedule sessions in advance and track attendance. Add brief monthly email reminders (e.g., 'this month: spot a phishing email'). | HR Manager + IT person | 2–3 weeks
3 → 4 | Add a simple knowledge check after each training session (10 questions, 5 minutes, pass/fail). Run a simulated phishing email campaign once per quarter targeting a sample of staff; measure open rates and clicks. Document results and repeat higher-risk training if needed. | IT person + HR Manager | 4–6 weeks to design and execute first round; then ongoing quarterly
4 → 5 | Launch monthly awareness campaigns (posters, email tips, 2-minute video clips) tied to real risks you've seen or incidents in your industry. Run quarterly phishing simulations with scenarios matching your actual threats (e.g., if you're an export business, simulate falsified shipping documents). Review all security incidents monthly and identify which training gap allowed each one; adjust content accordingly. | IT person + HR Manager + Security lead (if hired) | Ongoing; 4–6 hours per month
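A worked example of the gap tracking described in steps 2 → 3 and 3 → 4, added here and not part of the NIRMATA guide: it takes a constructed role-based training plan and attendance records, flags each employee and module that is missing or past its refresh interval, and computes click and report rates from one simulation record. The twice-yearly schedule is modelled as a 183-day refresh interval, which is an assumption.

```python
from datetime import date

# Constructed training plan: role -> {module: refresh interval in days}.
# "Twice per year" is modelled as 183 days (assumption, not from the guide).
TRAINING_PLAN = {
    "Finance": {"invoice-fraud": 183, "phishing": 183},
    "Operations": {"physical-access": 183, "social-engineering": 183},
}

# Constructed staff list: employee -> role.
STAFF = {"Asha": "Finance", "Rahul": "Finance",
         "Meera": "Operations", "Vikram": "Operations"}

# Constructed attendance records: (employee, role, module, completion date).
ATTENDANCE = [
    ("Asha", "Finance", "invoice-fraud", date(2024, 1, 15)),
    ("Asha", "Finance", "phishing", date(2024, 6, 20)),
    ("Rahul", "Finance", "invoice-fraud", date(2023, 11, 2)),
    ("Meera", "Operations", "physical-access", date(2024, 5, 3)),
]


def training_gaps(plan, staff, attendance, as_of):
    """Return (employee, module, status) tuples; status is 'missing' or 'overdue'.

    Only the modules required by each employee's role are checked, so a
    completion for a module outside that role's track is ignored.
    """
    latest = {}  # (employee, module) -> most recent completion date
    for name, _role, module, done in attendance:
        key = (name, module)
        if key not in latest or done > latest[key]:
            latest[key] = done
    gaps = []
    for name, role in sorted(staff.items()):
        for module, interval in plan.get(role, {}).items():
            done = latest.get((name, module))
            if done is None:
                gaps.append((name, module, "missing"))
            elif (as_of - done).days > interval:
                gaps.append((name, module, "overdue"))
    return gaps


def simulation_rates(recipients, clicked, reported):
    """Click and report rates (percent) for one phishing simulation record."""
    if recipients <= 0:
        raise ValueError("a simulation record needs at least one recipient")
    return (round(100 * clicked / recipients, 1),
            round(100 * reported / recipients, 1))


if __name__ == "__main__":
    for gap in training_gaps(TRAINING_PLAN, STAFF, ATTENDANCE, date(2024, 9, 1)):
        print(gap)
    print(simulation_rates(40, 6, 10))
```

The gap list is the answer to the auditor question about roles or individuals with training gaps, and the rates are what the quarterly simulation record should carry.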
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written document listing job roles and the top 2–3 cybersecurity risks for each role (e.g., 'Finance team: invoice fraud, payment diversion' or 'Warehouse: physical access control, package tampering')
  • Training calendar or schedule showing which role gets what training and when (e.g., 'Finance team: phishing and payment fraud training in January and June')
  • Attendance records for each training session, with employee names, date, role/department, and what module they completed
  • Simple quiz, test, or assessment results showing that staff who completed training understood key points (pass/fail, score, date)
  • Record of at least one phishing simulation campaign (email sent, date, number of recipients, number who clicked/reported it, follow-up action)
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through your training program. How is it different for someone in finance versus someone in operations?"
  • "How often does each role receive training? How do you decide what content each group gets?"
  • "Show me evidence that people actually completed the training and understood it. Do you test them?"
  • "Have you run a phishing simulation? What were the results, and what did you do differently based on what you learned?"
  • "Can you show me attendance records and training completion for the last 12 months? Are there any roles or individuals with gaps?"
Tools That Work in India
Purpose | Free Option | Paid Option
Create and manage role-based training modules, track attendance, and send reminders | Google Forms (for quizzes) + Google Drive (to organize content); Mattermost or open-source Wiki for internal documentation | Coursera/Udemy for India (₹500–2,000 for bulk business licenses per year); KnowBe4 (₹1,50,000–3,00,000/year for SMEs); Vyom Learning (Indian LMS, ₹50,000–2,00,000/year)
Run simulated phishing campaigns to test awareness and measure behavior change | Gophish (self-hosted, free open-source tool; requires technical setup); Phishtank + internal manual email for very basic testing | KnowBe4 Phishing Simulator (included in platform, ₹1,50,000–3,00,000/year); Proofpoint Security Awareness Training (₹2,00,000+/year)
Host awareness content (videos, posters, tips) and share role-specific guides | Google Sites, Notion, or SharePoint (if using Microsoft 365); YouTube (upload unlisted internal videos); Canva Free for posters | Microsoft SharePoint + Teams (₹400–700/user/month if not already licensed); Docebo LMS (₹1,50,000+/year)
How This Makes You More Resilient
When training matches what your staff actually do, they remember and follow it—preventing the majority of breaches that start with a click or shared password. Your team spots phishing, handles customer data correctly, and reports suspicious activity instead of hiding it, dramatically reducing the damage from insider mistakes. You also recover faster from incidents because staff know exactly what to do, and auditors see a mature program rather than a checkbox exercise.
Common Pitfalls in India
  • Creating one generic training video and assuming everyone learns the same thing; a warehouse guard and an accountant have completely different daily risks, so they need different content.
  • Training only at hire, then never again; after 6 months, staff forget what they learned, and new threats emerge that aren't covered—refresh at least twice a year.
  • No follow-up or testing; you send an email training module, assume people read it, and never check; when a breach happens, you realize nobody even opened it.
  • Ignoring your own incidents; if a staff member fell for a phishing email last month, repeating generic training won't help—you need role-specific training on that exact threat.
  • Treating training as a compliance checkbox rather than a real protection; if it feels forced and irrelevant, people ignore it; make it short, practical, and obviously useful.
Compliance References
Standard | Relevant Section
DPDP Act 2023 | Section 8 (data protection obligations); Section 10 (processing personal data lawfully); Schedule 1 (reasonable security safeguards, which include staff awareness)
CERT-In 2022 Directions | Direction 5 (staff awareness on information security); Direction 6 (documented security policies and training)
ISO 27001:2022 | Clause 6.3 (awareness); Clause A.6.2 (competence); Clause A.6.3 (awareness)
NIST CSF 2.0 | GV.AT-1 (Awareness and training programs); GV.RO-2 (Incident response role assignment); GV.RM-2 (Risk information and implications)

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
