If your team doesn't know how to spot a phishing email or handle customer data correctly, one employee click can leak customer information, cost you a major contract, or trigger regulatory action. For example, a Delhi-based export company lost ₹8 lakhs when an employee wired funds to a spoofed vendor email address; the employee had never been trained on email verification. Without regular awareness review, you cannot meet DPDP Act requirements around staff responsibility, you won't pass customer audits (especially if you work with e-commerce platforms or banks), and a cyber insurance claim may be rejected if the insurer finds you were negligent about training.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You have no formal training program, no records of any security awareness activity, and most staff have never heard about phishing or password security. When asked, no one can tell you when (or if) they last received any security guidance.
- Initial: You have run one training session (maybe a video or a talk), but there's no schedule, no tracking of who attended, and nothing done since. You might have a policy document on a shelf that nobody reads.
- Developing: You conduct basic training once a year (often compliance-driven), you have an attendance sheet, and you cover common topics like passwords and email safety. After training, you do nothing to reinforce the message until next year.
- Defined: Training happens every 6 months, attendance is tracked, you test knowledge via simple quizzes, and you have documented policies that staff sign. You also send occasional security reminders (like a monthly email about current threats).
- Managed: You run quarterly training adapted to different roles (e.g., finance staff get payment fraud training; developers get secure coding training), quiz results are recorded, and you track metrics like phishing email report rates. You actively measure whether awareness is improving.
- Optimised: Training is continuous and role-specific, reinforcement happens monthly through newsletters and alerts, you run quarterly simulated phishing campaigns and track improvement, staff sign annual acknowledgments, security culture is visible in hiring and promotion, and external auditors confirm your program meets best practice.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Schedule one 1-hour security awareness session covering passwords, phishing recognition, and data handling; document attendance and date; create a simple one-page 'Security Do's and Don'ts' poster and post it in the office | IT Manager or Owner | 1-2 days |
| 1 → 2 | Repeat training every 6 months, keep signed attendance sheets, add a 5-question quiz after each session, record quiz scores, and create a simple Cybersecurity Policy document that staff acknowledge in writing | IT Manager or HR Manager | 1 week to set up, then 1 day per session |
| 2 → 3 | Send 2–3 short security tips via email or WhatsApp group monthly (e.g., 'How to spot fake login pages'), document these communications, conduct one unannounced phishing simulation test (send a fake phishing email and track who clicks), and record results | IT Manager | 2-4 weeks |
| 3 → 4 | Create role-based training modules (e.g., finance staff: payment fraud; developers: secure coding; receptionists: social engineering), run quarterly training instead of annually, establish a scorecard tracking phishing report rates and quiz pass rates, and report metrics monthly to management | IT Manager with input from department heads | 4-8 weeks |
| 4 → 5 | Integrate security culture into hiring criteria and promotion reviews, run monthly security bulletins with real-world Indian business breach examples, conduct quarterly advanced phishing simulations with increasing difficulty, arrange annual third-party audit of training program, and establish an internal security champion program where trained staff mentor others | IT Manager, HR Manager, and Compliance Officer | Ongoing (1-2 hours per week) |
Documents and records that prove your maturity level.
- Dated training session records (attendance sheets with names, dates, topics covered, and signatures) from the last 12 months (at least one session per year)
- Cybersecurity policy or awareness policy document signed and dated by each employee within the last 12 months
- Quiz or assessment results (even simple Yes/No forms) showing that staff were tested on key topics like phishing, password safety, and data handling
- Communications log showing security reminders or tips sent to staff (emails, WhatsApp messages, posters) with dates (at least 2–4 per year)
- Phishing simulation test results (if conducted) showing dates, number of staff who clicked, number who reported the test email, and any trend improvement
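As an added worked example (not part of the NIRMATA page or its tooling), the Python script below turns the records listed above into the scorecard the 3 → 4 step asks for (training cadence, quiz pass rate, phishing click and report rates with trend) and maps the evidence onto levels 0 to 4 of the scale. The sample records, the 183-day and 92-day cadence limits, and the 4-out-of-5 pass mark are constructed assumptions.

```python
from datetime import date
# Constructed sample records for a 25-person firm (not real data).
TODAY = date(2024, 6, 30)
SESSION_DATES = [date(2023, 9, 15), date(2024, 3, 12)]  # from signed attendance sheets
QUIZ_SCORES = [4, 5, 3, 5, 4, 2, 5, 4]  # post-session quiz marks out of 5
CAMPAIGNS = [  # unannounced phishing simulations: sent / clicked / reported
    {"date": date(2023, 12, 20), "sent": 24, "clicked": 9, "reported": 3},
    {"date": date(2024, 3, 15), "sent": 25, "clicked": 5, "reported": 8},
    {"date": date(2024, 6, 10), "sent": 25, "clicked": 3, "reported": 12},
]
SIX_MONTHS, QUARTER, YEAR = 183, 92, 365  # assumed cadence limits in days

def rates(c):
    """Click rate and report rate for one simulation campaign."""
    return {"click_rate": round(c["clicked"] / c["sent"], 3),
            "report_rate": round(c["reported"] / c["sent"], 3)}

def cadence_ok(dates, today, max_gap):
    """True if dated records are at most max_gap days apart and the latest is recent."""
    dates = sorted(dates)
    if not dates or (today - dates[-1]).days > max_gap:
        return False
    return all((b - a).days <= max_gap for a, b in zip(dates, dates[1:]))

def scorecard(session_dates, quiz_scores, campaigns, today, pass_mark=4):
    """The metrics a reviewer asks for: cadence, quiz pass rate, phishing trend."""
    first, last = (rates(campaigns[0]), rates(campaigns[-1])) if campaigns else ({}, {})
    improving = (len(campaigns) > 1 and last["click_rate"] < first["click_rate"]
                 and last["report_rate"] > first["report_rate"])
    passed = sum(q >= pass_mark for q in quiz_scores)
    return {
        "sessions_total": len(session_dates),
        "sessions_last_12m": sum((today - d).days <= YEAR for d in session_dates),
        "six_monthly": cadence_ok(session_dates, today, SIX_MONTHS),
        "quiz_pass_rate": round(passed / len(quiz_scores), 3) if quiz_scores else None,
        "latest_phish": last,
        "phishing_improving": improving,
        "quarterly_simulations": cadence_ok([c["date"] for c in campaigns], today, QUARTER),
    }

def evidence_level(card):
    """Levels 0-4 of the scale above; level 5 also needs audit and HR evidence not modelled here."""
    if card["sessions_total"] == 0:
        return 0
    if card["sessions_last_12m"] == 0:
        return 1
    if card["quiz_pass_rate"] is None or not card["six_monthly"]:
        return 2
    if not card["quarterly_simulations"]:
        return 3
    return 4
```

Re-run the scorecard before every customer audit: a lapsed quarter of simulations drops the evidence from level 4 to 3 even though nothing else changed.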
Prepare for these questions from customers or third-party reviewers.
- "When was the last time you conducted cybersecurity awareness training for all staff? Can you show me the attendance records and what was covered?"
- "Do your employees sign any acknowledgment that they have understood your cybersecurity or data protection policies? Can I see a signed copy from the last 12 months?"
- "How do you know whether staff are actually applying what they learned? Do you measure this in any way (e.g., through quizzes, phishing tests, or incident reports)?"
- "What topics were covered in your most recent training? Were different training modules provided to different roles (e.g., different content for IT staff vs. finance vs. general office staff)?"
- "If I asked one of your employees today, 'What should you do if you receive a suspicious email?', what would they likely tell me? How confident are you in that answer?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Record attendance at training sessions and track completion over time | Google Forms or Microsoft Forms (built into free Microsoft 365) with a spreadsheet to track responses; LibreOffice Calc for offline tracking | KnowBe4 employee training platform (~₹15,000–30,000/year for small team) or Mimecast security awareness (~₹10,000–50,000/year depending on users) |
| Send phishing simulation emails to test if staff click suspicious links, and track results automatically | Gophish (open-source, requires technical setup) or free tier of Phish Alert Button plugin for email | KnowBe4 Phishing Simulator (~₹10,000–25,000/year), Cofense PhishMe (~₹50,000+/year), or Gremlin simulations (~₹20,000/year) |
| Create and distribute security awareness content (videos, infographics, monthly tips) tailored to Indian context and export/banking/e-commerce sectors | Canva (free tier for design), YouTube for hosting video training, SANS Security Awareness newsletters (free email), CERT-In advisories and alerts (free, emailed by CERT-In) | LinkedIn Learning cybersecurity courses (~₹200–500/month per user), Udemy bulk licensing (~₹5,000–10,000 per 10 courses), or custom training from local consulting firms (~₹50,000–200,000 per workshop) |
- One-time training that is never repeated: Many Indian MSMEs conduct training once for compliance, then do nothing. Threats and staff turnover mean you must train every 6–12 months. Without a calendar reminder, this gets forgotten.
- Training only for IT staff or 'senior' staff: Receptionists, finance staff, and warehouse workers are often targeted in scams and phishing. Training must include everyone who touches data or email.
- No documented proof: When a customer auditor or DPDP compliance officer asks 'Can you prove your staff were trained?', attendance sheets and signed acknowledgments are mandatory. Verbal claims and vague memories do not count.
- Training irrelevant to Indian business context: Generic global training on 'ransomware' may not resonate; staff remember better when examples include local scams (e.g., fake Razorpay invoices, spoofed GST dept. emails, or vendor email compromise in logistics).
- Not measuring whether training worked: If quiz scores are never reviewed, or phishing simulation results are ignored, you cannot prove the program is effective—to yourself or to auditors. Metrics matter.
- Confusing 'awareness' with 'compliance checkbox': Some businesses run training just to tick a box and then ignore the results. Real awareness means staff change behavior, incident reports go up (because staff report suspicious activity), and fewer breaches occur.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Accountability Principle) and Schedule 1 require organizations to demonstrate staff competency and awareness of data protection obligations; Section 12 (Consent) requires documented processes and staff who can explain them |
| CERT-In 2022 Directions | Direction 4 (Vulnerability Management) and Direction 5 (Incident Management) implicitly require trained staff to execute these processes; Section 7 requires security measures including human-factor controls |
| ISO 27001:2022 | Clause 6.2 (Competence) requires competence assessment and training plans; Clause 7.3 (Awareness) explicitly requires security awareness and training programs; Annex A.6.1 and A.6.2 |
| NIST CSF 2.0 | Govern: Supply Chain Risk Management (GV.SC-2, GV.SC-3); Protect: Access Control and Identity Management (PR.AC-2, PR.AC-3); Detect: Awareness and Training (DE.CM-1) |