Security Awareness & Culture
People are your strongest defence — or your biggest risk. We build cyber-aware cultures through engaging training, simulations, and leadership coaching.
Technology alone doesn’t secure organisations—people do. Human error remains the leading cause of cyber breaches, from phishing attacks and weak passwords to accidental data leaks. At IGCCD, our Security Awareness & Culture services go beyond checkbox training. We help you build a security-aware workforce and an organisational culture that supports secure behaviours by default. Whether you’re aiming for ISO 27001 compliance or real behavioural change, we deliver tailored, impactful programmes that make security stick.
-
Security Awareness Training Programmes
We create and deliver engaging, relevant, and role-based awareness training programmes—either live (in-person or virtual), on-demand, or hybrid. Topics include phishing, password hygiene, secure remote work, insider threats, data protection, and more.
Phishing Simulations
We run realistic phishing campaigns to test, train, and improve staff responses. These simulations include fake login pages, malicious attachment tests, or social engineering bait—with anonymised reporting and follow-up training.
Executive & Board Cyber Briefings
Leadership needs to model good security behaviour too. We provide concise, strategic briefings for executives and board members on cyber risks, threats, and governance responsibilities—without technical jargon.
Culture Change Campaigns
We work with HR, comms, and security teams to roll out internal security campaigns that use behaviour science, positive reinforcement, and storytelling to build lasting culture change. This includes branding, posters, videos, gamification, and internal champions.
Insider Threat & Social Engineering Workshops
We help staff recognise signs of insider risk and social engineering, including baiting, pretexting, and manipulation tactics. These workshops include red team case studies and simulated attacks.
Security Champion Programmes
We train and support nominated security champions within teams to act as local security advocates—bridging the gap between central cyber teams and daily business operations.
-
You’re preparing for ISO 27001, Cyber Essentials Plus, or NIS2 audits.
Your staff regularly fall for phishing attacks or mishandle sensitive data.
Cybersecurity is seen as “someone else’s job” in the organisation.
You want measurable improvements in behaviour, not just tick-box training.
You're rolling out new tools (e.g., MFA, DLP) and need user buy-in.
-
We begin with a cultural and behavioural baseline assessment—using surveys, phishing test data, interviews, and policy reviews. We then co-design a strategy aligned to your business, audience, and regulatory context. Training is customised for different roles (e.g., execs, IT, frontline), delivered using the best format for your culture. We reinforce key behaviours using spaced learning, nudges, and internal comms, while measuring impact using KPIs, incident trends, and feedback.
-
ISO/IEC 27001: A.6.3 – Information security awareness, education, and training
NIST SP 800-50 / 800-53 AT controls – Awareness and training
Cyber Essentials Plus – User training and phishing resilience
NIS2 Directive – Organisational awareness and culture
DORA / PCI DSS v4.0 / HIPAA – Sector-specific awareness mandates
-
Awareness Training Plan & Delivery Report
Phishing Simulation Results – With click-through rates, heatmaps, and trends
Executive Cyber Briefing Pack – Tailored for board/senior leadership
Culture Change Toolkit – Campaign assets, internal comms, posters, templates
Workshop Outputs – Feedback, scenario responses, and recommendations
Security Champion Playbook – Role guide, activity plans, reporting templates
-
KnowBe4, Wombat, or custom LMS integrations
Phish testing tools (GoPhish, Microsoft Attack Simulator, Proofpoint)
SurveyMonkey, MS Forms, or bespoke culture assessment tools
Canva, Adobe Creative Cloud for awareness materials
Slack/Teams bots for security nudges or micro-learning
-
Provide access to internal comms channels (email, Slack, MS Teams, Intranet)
Identify target audiences and learning preferences
Share policies, prior training materials, and incident stats (if any)
Nominate stakeholders from HR, IT, Comms, and leadership
-
Training Rollout: 2–4 weeks (for core programmes)
Phishing Simulation Campaigns: 1–2 weeks per round
Executive Briefing: 1–2 days
Culture Change Campaign: 4–8 weeks depending on scope
Security Champion Programme: 2–4 weeks to design and launch
Milestones:
Cultural Assessment & Awareness Needs Analysis
Training/Campaign Design & Stakeholder Sign-Off
Training Delivery & Campaign Launch
Impact Measurement & Continuous Improvement
-
Risk: “Tick-box” fatigue and disengagement
Mitigation: Role-based training, interactive content, and real stories
Risk: Phishing tests demotivate staff
Mitigation: Focus on positive reinforcement, anonymised results, and coaching
Risk: Execs skip training and model poor behaviour
Mitigation: Board-focused briefings and visible leadership commitment
Risk: No way to measure improvement
Mitigation: Pre/post metrics, trend tracking, and cultural KPIs
-
Q: What’s better—live training or online modules?
It depends on your culture, geography, and team roles. We usually recommend a hybrid model tailored to your workforce.
Q: How often should we run phishing simulations?
Quarterly is common—but we adjust based on risk appetite, staff size, and baseline resilience.
Q: Will this help with ISO 27001 or NIS2 compliance?
Yes. We map directly to the training and awareness clauses and provide evidence packs for audits.
-
Awareness Programme Design: From £3,500
Phishing Simulation Campaigns: From £1,800 per round
Executive Briefings: From £1,200 per session
Culture Change Campaign: From £5,500
Security Champion Launch Pack: From £2,500
Annual Awareness-as-a-Service Packages also available.