Powered by

# Goals

Core cybersecurity training gives every employee the basic habits needed to avoid common incidents and report problems quickly.

The goal is not to make employees technical experts. The goal is to help them recognize risky situations, make safer decisions, and know exactly what to do when something seems wrong.

Training should be short, practical, repeated, and connected to real business scenarios. One long annual training session is not enough by itself. Employees need regular reminders about the risks they actually face: phishing, fake login pages, suspicious attachments, payment fraud, unexpected MFA prompts, unsafe file sharing, password misuse, lost devices, and reporting mistakes quickly.

# Step 1: Teach the Most Common Attack Patterns

Employees should understand the common ways attackers target businesses.

Training should cover:

  • Phishing emails
  • Fake login pages
  • Malicious attachments
  • QR code phishing
  • Text message and messaging app scams
  • Voice phishing and impersonation calls
  • Executive impersonation
  • Invoice fraud
  • Bank-detail change scams
  • Fake vendor or customer messages
  • Password theft
  • MFA prompt abuse
  • Malware and ransomware warning signs

Employees should learn that many attacks are designed to create urgency, fear, curiosity, routine pressure, or trust in a familiar name.

# Step 2: Teach Email and Message Safety

Employees should know how to slow down and inspect messages before acting.

Training should explain how to check sender addresses, links, attachments, unexpected requests, login prompts, payment instructions, file-sharing notices, and messages that create urgency.

Employees should be trained not to click suspicious links, open unexpected attachments, scan unknown QR codes, approve unusual requests, or reply to suspicious messages without verification.

They should also know how to report suspicious emails using the approved reporting path.

# Step 3: Teach Password and MFA Safety

Employees should understand why passwords and MFA matter.

Training should cover:

  • Use strong, unique passwords.
  • Use the approved password manager.
  • Do not reuse work passwords on personal sites.
  • Do not store passwords in spreadsheets, browser notes, email, or chat.
  • Do not share passwords.
  • Do not approve unexpected MFA prompts.
  • Report unexpected MFA prompts immediately.
  • Report fake login pages immediately.
  • Report password mistakes quickly.

The key message is simple: a password mistake can be fixed quickly if the company knows about it early.

# Step 4: Teach Safe Data Handling

Employees should understand how to handle company data safely.

Training should explain how to identify sensitive data, share files only through approved tools, avoid public links unless authorized, check recipients before sending, avoid sending sensitive files to personal accounts, and report accidental sharing quickly.

Core data topics should include:

  • Customer data
  • Employee data
  • Financial records
  • Contracts
  • Payroll records
  • Credentials
  • Internal reports
  • Confidential business documents
  • Source code or technical documents, where relevant

Employees should know that reporting a data mistake early is better than hiding it.

# Step 5: Teach Approved Tools and Safe Workarounds

Employees should know which tools are approved for company work.

Training should explain why personal email, unmanaged file-sharing links, personal cloud storage, unapproved messaging apps, shared passwords, and uncontrolled spreadsheets can create risk.

Employees should also know what to do when a normal tool is unavailable.

The company should provide approved fallback options instead of leaving employees to improvise during pressure.

# Step 6: Teach Device and Remote Work Safety

Employees should understand basic device security expectations.

Training should cover:

  • Lock screens when away.
  • Install updates when prompted.
  • Restart devices after updates.
  • Do not ignore security warnings.
  • Do not disable endpoint protection.
  • Do not install unapproved software.
  • Protect laptops and phones from loss or theft.
  • Use approved Wi-Fi or remote access methods.
  • Avoid public computers for company work.
  • Report lost or stolen devices immediately.

Employees should understand that reporting device issues early helps reduce damage.

# Step 7: Teach Reporting and Mistake Handling

Employees should know exactly where to report suspicious activity.

Training should clearly state how to report:

  • Suspicious emails
  • Suspicious links
  • Fake login pages
  • Unexpected MFA prompts
  • Lost or stolen devices
  • Payment fraud attempts
  • Data sent to the wrong person
  • Files shared publicly by mistake
  • Strange device behavior
  • Possible malware
  • Any mistake involving passwords, money, systems, or sensitive data
  • The training should say clearly: report quickly, even if you made a mistake.

The company should not punish honest mistakes reported promptly. Fast reporting helps protect the business.

# Step 8: Use Short Scenarios

Training should include realistic examples.

Examples:

  • “You receive a message from the CEO asking you to buy gift cards urgently.”

  • “A vendor emails new bank details before a payment.”

  • “You receive an MFA prompt when you are not logging in.”

  • “A customer says they received a strange email from your mailbox.”

  • “You accidentally shared a file with anyone who has the link.”

  • “You clicked a link and entered your password.”

  • “Your laptop starts showing strange pop-ups.”

  • “You receive a QR code invoice from an unknown sender.”

Short scenarios help employees understand what to do in real situations.

# Step 9: Reinforce Training Regularly

Core training should not be a one-time event.

Use short reminders throughout the year.

Useful reminder topics include:

  • How to report suspicious emails
  • Unexpected MFA prompts
  • Payment-change verification
  • Safe file sharing
  • Password manager use
  • Recognizing fake login pages
  • Reporting lost devices
  • Avoiding unsafe workarounds
  • Handling sensitive data

Quarterly reminders are often more useful than one annual session that employees forget.

# Step 10: Track Completion and Understanding

The company should track who completed training and whether the training is working.

Track:

  • Training completion
  • Missed training
  • Quiz results, if used
  • Phishing simulation results, if used
  • Employee reporting rates
  • Repeated mistakes
  • Departments needing extra guidance
  • Questions employees ask after training

Training should be adjusted when the same issue keeps happening.

# Core Training Topics

Every employee should receive basic training on:

  • Phishing and suspicious messages
  • Social engineering
  • Password safety
  • MFA safety
  • Email attachments and links
  • QR code scams
  • Safe data sharing
  • Approved tools
  • Device security
  • Remote work safety
  • Lost or stolen devices
  • Payment fraud warning signs
  • Reporting suspicious activity
  • Reporting mistakes quickly
  • Basic incident response expectations

# Simple Employee Rules

Use these as the recurring message:

  • Stop before clicking links, opening attachments, scanning QR codes, or approving unusual requests.

  • Verify payment changes, bank-detail changes, and urgent executive requests through a separate trusted channel.

  • Use the approved password manager.

  • Never approve an unexpected MFA prompt.

  • Share company data only through approved tools.

  • Do not use personal email or personal cloud storage for company work.

  • Report suspicious activity quickly.

  • Report mistakes immediately.

# Recommended Free, Open-Source, and Affordable Resources

Seek out the free and open source options in lieu of more expensive training if necessary:

Resource or Tool Link Type Best Use
CISA Secure Our World CISA Secure Our World Free resource Simple awareness materials on passwords, MFA, phishing, and updates
CISA Cybersecurity Awareness Month Resources CISA Awareness Resources Free resource Posters, tip sheets, and awareness materials for year-round use
FTC Cybersecurity for Small Business FTC Cybersecurity for Small Business Free resource SME-friendly guidance on phishing, ransomware, email authentication, vendors, and data protection
NCSC Top Tips for Staff NCSC Top Tips for Staff Free training Short staff cybersecurity training suitable for non-technical employees
SANS OUCH! Newsletter SANS OUCH! Free newsletter Monthly employee-friendly security awareness topics
Cyber Readiness Institute Cyber Readiness Institute Free resource Small-business cybersecurity training and planning resources
Google Phishing Quiz Google Phishing Quiz Free exercise Quick phishing recognition practice
Microsoft Security Awareness Resources Microsoft Security Awareness Free/commercial resources Awareness materials for Microsoft-based organizations
OWASP Security Awareness Campaigns OWASP Awareness Campaigns Open-source/free Posters and awareness material, especially useful for technical teams
OWASP Cheat Sheet Series OWASP Cheat Sheets Open-source/free Practical security guidance for technical staff and developers
Gophish Gophish Open-source Phishing simulation and awareness testing
Moodle Moodle Open-source LMS Hosting internal cybersecurity training and tracking completion
H5P H5P Open-source/free options Creating interactive quizzes, scenarios, and training content
Canvas LMS Free for Teacher Canvas Free for Teacher Free/affordable LMS option Lightweight online training delivery
TalentLMS TalentLMS Affordable commercial LMS Small-team training delivery and completion tracking
Google Forms Google Forms Free with Google account / Workspace Quizzes, acknowledgement forms, and training checks
Microsoft Forms Microsoft Forms Included with many Microsoft 365 plans Quizzes, acknowledgements, and training completion records
BookStack BookStack Open-source Internal security handbook and training reference pages
Wiki.js Wiki.js Open-source Internal knowledge base for security guidance
Nextcloud Nextcloud Open-source/commercial Controlled storage for training materials, sign-off records, and security documents

# Practical Training Stack for SMEs

# Very small company:

Use CISA Secure Our World, FTC Cybersecurity for Small Business, NCSC Top Tips for Staff, SANS OUCH!, Google Forms or Microsoft Forms, and a simple spreadsheet to track completion.

# Microsoft-based SME:

Use Microsoft Forms, SharePoint, Teams, Microsoft security awareness resources, Outlook phishing reporting, and Microsoft 365 training records where available.

# Google Workspace SME:

Use Google Forms, Google Drive, Google Meet, Google Groups, Google phishing materials, and a simple completion tracker.

# Cost-conscious open-source setup:

Use Moodle for training delivery, H5P for quizzes and scenarios, BookStack or Wiki.js for the internal security handbook, Gophish for phishing simulation, and Nextcloud for controlled document storage.

# More mature SME:

Use Moodle or TalentLMS for structured training, Gophish for simulations, ticketing data for reporting metrics, employee quizzes for knowledge checks, and quarterly awareness campaigns tied to real incidents and near misses.

# Core Training Record Template

Use a simple tracker with these fields:

  • Employee name
  • Department
  • Role
  • Training assigned
  • Training completed
  • Completion date
  • Quiz score, if used
  • Role-based training required
  • Missed training
  • Follow-up required
  • Evidence location
  • Next due date

# Expected Outputs from This Section

At the end of this section, the company should have:

  • A defined core employee training curriculum.
  • A simple employee reporting message.
  • Training materials selected or created.
  • Scenario examples included.
  • Training delivery method chosen.
  • Completion tracking method created.
  • Training evidence stored.
  • Recurring reminder topics defined.
  • A process for updating training after incidents, near misses, or repeated mistakes.

# Objective

Core training should teach the actions employees need to take during real situations.

A company should leave this section able to say:

“Our employees know how to avoid common risks, use approved tools, protect data, and report suspicious activity or mistakes quickly.”

That is core employee cybersecurity training.

© Copyright 2026. All rights reserved.