# Educate Checklist
Use this checklist to confirm that the company has assigned cybersecurity education ownership, trained employees on practical risks, provided role-based training for high-risk teams, built a strong reporting culture, practiced common scenarios, and tracked evidence and improvement.
The goal of Educate is not to make every employee a cybersecurity expert. The goal is to make sure people understand the risks connected to their work, know what safe behavior looks like, and report suspicious activity or mistakes quickly.
# Security Awareness Ownership and Training Plan Checklist
☐ Assign a security awareness owner.
☐ Define who supports the training program, including HR, IT, managers, MSPs, compliance, or leadership where needed.
☐ Identify all groups that need training, including employees, new hires, executives, finance, HR, IT, managers, remote workers, contractors, and vendors with access.
☐ Define the core cybersecurity topics every employee must understand.
☐ Define which roles require additional role-based training.
☐ Create a basic annual cybersecurity training schedule.
☐ Include cybersecurity training in new employee onboarding.
☐ Include access removal, device return, and ownership transfer reminders in offboarding.
☐ Define how training completion will be tracked.
☐ Define where training evidence will be stored.
☐ Update training after incidents, near misses, new tools, new risks, or repeated mistakes.
☐ Review the training plan at least once per year.
# Core Employee Cybersecurity Training Checklist
☐ Train employees on phishing and suspicious messages.
☐ Train employees on fake login pages, malicious attachments, unknown QR codes, and social engineering.
☐ Train employees on password safety and use of the approved password manager.
☐ Train employees not to share passwords or reuse work passwords on personal sites.
☐ Train employees not to approve unexpected MFA prompts.
☐ Train employees to report suspicious MFA prompts immediately.
☐ Train employees on safe email, link, and attachment handling.
☐ Train employees on safe data sharing and recipient checking.
☐ Train employees to use approved tools for company work.
☐ Train employees to avoid personal email, personal cloud storage, and unmanaged file-sharing tools for company data.
☐ Train employees on device safety, updates, screen locking, lost-device reporting, and remote work expectations.
☐ Train employees on payment fraud warning signs and urgent request scams.
☐ Train employees to report suspicious activity quickly.
☐ Train employees to report mistakes immediately.
☐ Use short real-world scenarios to reinforce the training.
☐ Track completion of core employee training.
# Role-Based and High-Risk Team Training Checklist
☐ Identify high-risk teams and roles.
☐ Include executives and senior managers in role-based training.
☐ Include finance and accounting in role-based training.
☐ Include HR and payroll in role-based training.
☐ Include IT, administrators, and MSP-facing contacts in role-based training.
☐ Include developers and technical teams where relevant.
☐ Include sales, customer service, operations, procurement, legal, compliance, and managers where relevant.
☐ Define the main cyber risks faced by each high-risk role.
☐ Train finance on invoice fraud, payment diversion, bank-detail changes, payroll fraud, and verification procedures.
☐ Train HR on employee data protection, fake applicant attachments, onboarding, offboarding, payroll data, and sensitive document sharing.
☐ Train executives on impersonation, approval pressure, cyber risk decisions, incident communication, and leadership responsibility.
☐ Train IT and administrators on privileged access, MFA resets, vendor access, patching, logging, backups, and evidence preservation.
☐ Train developers on secure coding, secrets management, repository access, dependency risk, cloud access, and CI/CD security where relevant.
☐ Train customer-facing teams on suspicious customer messages, account-change requests, CRM data handling, and escalation.
☐ Train procurement and operations on supplier impersonation, vendor changes, shipment redirection, and third-party file sharing.
☐ Train managers on access approval, offboarding, reporting culture, exceptions, and temporary workaround approval.
☐ Use role-specific scenarios.
☐ Track role-based training separately from general training.
☐ Update role-based training after incidents, near misses, or process changes.
# Reporting Culture, Simulations, and Practice Checklist
☐ Define a clear no-blame reporting message.
☐ Tell employees that fast reporting is expected and appreciated.
☐ Tell employees that honest mistakes should be reported immediately.
☐ Define what employees should report.
☐ Include suspicious emails, links, attachments, QR codes, fake login pages, unexpected MFA prompts, payment-change requests, lost devices, data mistakes, strange device behavior, and possible malware.
☐ Create simple reporting channels.
☐ Provide a phishing report button where available.
☐ Provide a dedicated security email address or helpdesk category.
☐ Provide an urgent escalation path for serious incidents.
☐ Tell employees what to do immediately after clicking a suspicious link, entering a password, opening a suspicious attachment, approving an MFA prompt, losing a device, or sending data to the wrong person.
☐ Run phishing or social engineering simulations where appropriate.
☐ Measure reporting rates, not only click rates.
☐ Avoid simulations that shame or embarrass employees.
☐ Run short practical drills for common scenarios.
☐ Include drills for suspicious emails, unexpected MFA prompts, payment fraud, lost devices, public file-sharing mistakes, and ransomware first actions.
☐ Run tabletop exercises for leadership, IT, finance, HR, operations, and other key teams.
☐ Include managers in reporting and escalation practice.
☐ Track exercise participation and findings.
☐ Turn simulation and exercise findings into improvement actions.
# Training Evidence, Metrics, and Continuous Improvement Checklist
☐ Define what training evidence must be retained.
☐ Keep training plans, materials, attendance records, completion records, quiz results, acknowledgement forms, role-based training records, simulation results, tabletop records, and improvement actions.
☐ Track core training completion for all employees.
☐ Track onboarding cybersecurity training for new employees.
☐ Track role-based training separately.
☐ Track simulation, drill, and tabletop exercise results.
☐ Define useful training metrics.
☐ Track training completion rate.
☐ Track overdue training.
☐ Track role-based training completion.
☐ Track phishing simulation reporting rate.
☐ Track phishing simulation click rate.
☐ Track average time to report suspicious activity.
☐ Track number of employee security reports.
☐ Track number of real issues found through employee reporting.
☐ Track repeated training gaps.
☐ Track open and overdue training-related improvement actions.
☐ Review training metrics with leadership at least once per year.
☐ Protect training and simulation records from unnecessary access.
☐ Avoid using individual results to shame employees.
☐ Use metrics to improve training, reporting paths, and controls.
☐ Update training after incidents, near misses, repeated mistakes, new tools, new vendors, or new business processes.
# Final Educate Section Outputs
☐ Security awareness owner assigned.
☐ Training audiences defined.
☐ Core employee training topics documented.
☐ Role-based training topics documented.
☐ High-risk teams identified.
☐ Annual training schedule created.
☐ Onboarding training defined.
☐ Offboarding security reminders included.
☐ Reporting channels defined.
☐ Employee reporting message written.
☐ Manager escalation guidance created.
☐ Phishing simulation or reporting practice plan created.
☐ Practical drill schedule created.
☐ Tabletop exercise plan created.
☐ Training completion tracker created.
☐ Training evidence storage location defined.
☐ Training metrics defined.
☐ Leadership reporting format created.
☐ Training improvement actions tracked.
☐ Training records protected.
☐ Training program review schedule created.
# Objective
Educate should create safer behavior, faster reporting, and better decision-making.
The company should leave this section able to say:
“Our people know the risks tied to their roles, know how to report suspicious activity, practice common scenarios, and receive training that is tracked, reviewed, and improved over time.”