Security awareness across all staff.
Staff are the largest attack surface; trained employees report instead of click.
What strong practice looks like
Security and phishing-awareness training for all staff.
What this area covers
How often do all staff receive security / phishing training?
This is about your team itself — most breaches happen when a person is tricked, not when technology fails.
- Phishing is a fake message (usually email) designed to trick someone into clicking a bad link, opening a malicious file, or entering their password on a fake site.
- Social engineering is the broader version — manipulating a person into giving up access or information, often by pretending to be someone they trust (a boss, a vendor, IT support).
Training means regularly teaching staff to recognize these tricks — often with safe, simulated phishing emails. Carriers ask because your people are the most-targeted way in, and a trained team is one of the cheapest, most effective defenses there is.
CISA — Teach Employees to Avoid Phishing ↗ — what good looks like
This library is general education, not advice about your specific organization. It describes what each control is and what strong practice looks like; whether and how any of it applies to you is your decision, in consultation with your carrier, broker, or counsel.