Security awareness building

Your people play a key role in making sure that your organisation and information are kept secure.

Reports show that 82% of all breaches involve a human element, such as clicking on links or downloading and opening/executing files, to give attackers valid credentials or access into a network or system.

Investing in your people’s security awareness and training, alongside implementing technical controls, is a long-term commitment to improving the security of your organisation. It’s critical that people in your organisation understand the security risks they face, so they can play their part in the protection of your systems. 

You can empower them to do this by providing appropriate security awareness training, programmes, and tools. 


The intent of this control is to ensure that your organisation provides adequate security awareness and training to your people and creates a positive security culture with a focus on rewarding positive behaviours.

Measuring success

Security awareness building is an ongoing journey that should be factored into your organisation’s priorities. 

  • They are familiar with your incident response plan, what is required from them, and how to report potential security issues and incidents.
  • Your people can identify common scams or attacks, such as phishing emails and invoice scams.
  • Your people are provided with a simple, standardised way to report potential security issues and incidents.
  • Reported issues and incidents are followed up by your security team and your people are informed of the outcomes.
  • Your organisation has an ongoing security training and awareness programme which keeps people up-to-date on expected reporting processes, current threats, and issues. 

Security awareness: key takeaways

  • Make it easy to report potential security issues.
  • Educate your people on the process to report potential security issues and how to use the security reporting tools you have provided.
  • Encourage people to report potential issues, even if they are unsure. 
  • Don’t stigmatise mistakes. Focus on rewarding positive behaviours, remembering that most of the time, people are victims or targets of attacks rather than systems.
  • Increase trust and collaboration within your organisation across all services. 
  • Ideally, everyone is a security champion and is invested in the identification and active reporting of threats to your networks/systems.
  • Involve your people when practicing your incident response plan so that they know what to expect if an incident should occur. Communicate any expectations required of people and ensure your incident response plan is accessible to all.
  • Run regular security awareness campaigns. It will let them know why cyber security is important, what you’re doing to keep the organisation secure online, what this means for them and what you need them to do. Security awareness should not be a one a year tick box exercise.

Advice for implementation

Creating an effective security awareness program