← All topics
Cyber-insurance readiness

Human Layer — Training

Security awareness across all staff.

Why it matters

Staff are the largest attack surface; trained employees report instead of click.

What strong practice looks like

Security and phishing-awareness training for all staff.

What this area covers

How often do all staff receive security / phishing training?

This is about your team itself — most breaches happen when a person is tricked, not when technology fails.

  • Phishing is a fake message (usually email) designed to trick someone into clicking a bad link, opening a malicious file, or entering their password on a fake site.
  • Social engineering is the broader version — manipulating a person into giving up access or information, often by pretending to be someone they trust (a boss, a vendor, IT support).

Training means regularly teaching staff to recognize these tricks — often with safe, simulated phishing emails. Carriers ask because your people are the most-targeted way in, and a trained team is one of the cheapest, most effective defenses there is.

CISA — Teach Employees to Avoid Phishing ↗ — what good looks like

This library is general education, not advice about your specific organization. It describes what each control is and what strong practice looks like; whether and how any of it applies to you is your decision, in consultation with your carrier, broker, or counsel.