Daniel J Glover

Security awareness training for UK SMEs: a practical guide to reducing human risk

Written by Daniel J Glover


Published 25 May 2026


Firewalls, endpoint protection, and patching schedules matter — but none of them stop an employee from clicking a malicious link or handing over credentials to someone pretending to be their bank. Security awareness training for UK SMEs is the practical answer to this problem. It is not about turning every member of staff into a security expert. It is about giving people enough knowledge to recognise common threats, know what to do when something looks wrong, and build habits that reduce risk across the business.

Why human risk is your biggest attack surface

The National Cyber Security Centre (NCSC) consistently reports that phishing is the most common initial access method used against UK organisations. The 2024 Cyber Security Breaches Survey found that 84% of UK businesses that identified a cyber attack in the previous twelve months cited phishing as the attack vector.

Technical controls can filter a significant proportion of malicious emails, but they will never catch everything. Attackers continually refine their tactics, and even well-configured email gateways will occasionally let something through. When that happens, your staff are the last line of defence.

The problem is not that people are careless. It is that most staff have not been shown what a sophisticated phishing attempt looks like, have not been told what to do when they receive one, and have no easy way to report it. A well-designed awareness programme fixes all three of those gaps.

Understanding the human side of cyber attacks in more depth is worth your time — the social engineering and human risk landscape is broader than phishing alone, and includes pretexting, vishing, and insider threat scenarios that awareness training should address.

What good security awareness training actually looks like

Poor awareness training is a forty-five-minute PowerPoint completed once a year that staff click through as fast as possible to get a completion certificate. It produces compliance paperwork, not behaviour change.

Good awareness training is shorter, more frequent, and directly relevant to the threats your staff actually face. It is delivered in formats that work for your team — short videos, scenario-based quizzes, or brief team discussions — rather than formats that work for a compliance auditor.

The core topics every programme should cover

Regardless of how you deliver training, certain topics need to be in scope for all staff.

Phishing and email threats. Staff need to know how to recognise suspicious sender addresses, urgent language designed to bypass critical thinking, unexpected attachments, and links that do not match the claimed destination. They also need a clear process for reporting suspicious emails rather than simply deleting them.

Password and account security. This includes using unique passwords for each account, understanding why password managers are the practical solution, and recognising when multi-factor authentication (MFA) prompts are being triggered unexpectedly — which can indicate a credential stuffing or account takeover attempt.

Device and remote working security. With many SME staff working from home at least part of the time, this covers the risks of unsecured Wi-Fi, the importance of locking screens, and what to do if a device is lost or stolen.

Data handling and the ICO's expectations. The Information Commissioner's Office (ICO) makes clear that human error is a leading cause of personal data breaches reported under UK GDPR. Staff who handle personal data need to understand what constitutes a breach and how to escalate one promptly. The ICO's reporting deadline of 72 hours from discovery means slow internal escalation creates real regulatory exposure.

Recognising social engineering beyond email. Vishing (voice phishing), smishing (SMS phishing), and in-person pretexting are all live threats for SMEs. Staff should know they are allowed — and expected — to verify identities before acting on requests, even from someone claiming to be internal IT or a supplier.

Free NCSC resources worth using now

The NCSC offers a range of free resources specifically designed for UK organisations that do not have large security budgets.

The Top Tips for Staff e-learning package is a free, NCSC-certified course covering the fundamentals: passwords, phishing, mobile devices, and remote working. It is self-contained, takes around thirty minutes to complete, and produces a completion certificate. For many SMEs it is an appropriate starting point.

The Cyber Aware campaign materials provide ready-to-use guidance on the most impactful security behaviours. The NCSC designed these specifically for small businesses and non-technical audiences.

The Suspicious Email Reporting Service (SERS) gives staff an NCSC reporting address to forward suspicious emails to. Promoting this address internally serves two purposes: it gives staff a clear action to take when they spot something, and it contributes to national threat intelligence.

The NCSC's Exercise in a Box tool lets you run tabletop exercises without external facilitation. It includes scenarios relevant to SMEs and helps your team think through their response to incidents before they happen, which connects directly to having a tested incident response plan.

Phishing simulations: testing what training has changed

Awareness training tells people what phishing looks like. Phishing simulations test whether they have absorbed that knowledge under realistic conditions.

A phishing simulation involves sending staff a controlled, fake phishing email and recording who clicks the link, who enters credentials, and — crucially — who reports the email through your reporting channel. The goal is not to catch people out and name them publicly. It is to generate data that tells you where your training needs to focus.

Before running a simulation, make sure your leadership team understands the purpose and has agreed to the approach. Run a brief communication to staff explaining that phishing simulations happen periodically as part of your security programme — this is standard practice and transparency about it does not reduce its effectiveness.

Free simulation tools exist, including GoPhish, which is open source. Commercial platforms such as KnowBe4, Proofpoint Security Awareness Training, and Hoxhunt offer more automation and reporting, and many have pricing tiers accessible to SMEs.

Run simulations at least quarterly if budget allows. Track your click rate and report rate over time. An improving report rate — more staff forwarding suspicious emails — is often a more meaningful indicator of cultural change than a declining click rate alone.

Building a programme on a small business budget

A structured awareness programme does not require a dedicated security team or a large software subscription.

Year one: establish the baseline. Use the NCSC's Top Tips for Staff for all staff, run one phishing simulation, and document your results. Create a short policy — one page is fine — that sets out expectations around email, passwords, devices, and data handling. Get staff to acknowledge it.

Ongoing: monthly micro-learning. Short, topical content delivered via email, your intranet, or a messaging platform like Slack or Teams takes less than five minutes per month per person. The NCSC publishes regular threat intelligence and guidance you can repurpose. Rotate topics so staff are exposed to different threat types across the year.

Quarterly: phishing simulations. Even a single simulation per quarter generates useful data and keeps phishing recognition front of mind.

Annual: policy review and refresher. Review your security policies once a year, update them if needed, and require staff to re-acknowledge them. If you have onboarded new staff during the year, confirm they completed training before receiving access to business systems.

New starters represent a particular risk window. They are eager to make a good impression and may be less likely to question unusual requests. Include security awareness in your onboarding checklist as a non-negotiable step before system access is provisioned.

Measuring whether your programme is working

Training without measurement is an expense without accountability. The metrics do not need to be complicated.

Phishing simulation click rate. Track the percentage of staff who click simulated phishing links over time. A downward trend indicates the training is having an effect.

Suspicious email report rate. Track how many staff forward suspicious emails to your reporting address or IT team. An upward trend here is a strong signal that staff are engaged and acting on their training.

Policy acknowledgement rate. Track the percentage of staff who have acknowledged your current security policies. A rate below 100% for active staff indicates a process gap.

Incident frequency. Over a longer time horizon — twelve to twenty-four months — you should be able to observe whether the volume of security incidents involving human error is declining.

These metrics give you something concrete to present to leadership when making the case for continued investment in awareness activity.
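The simulation tracking described earlier (click rate and report rate over time) and the metrics in this section, worked through as an added Python example that is not part of the original post: it takes constructed per-recipient results from three hypothetical quarterly simulations and returns per-quarter click, credential-entry and report rates, the direction of each trend, and the staff who clicked in more than one campaign. Quarter labels and staff ids are invented for the example.

```python
from collections import defaultdict

# Constructed sample data (not real results): (quarter, staff_id, clicked, entered_credentials, reported)
SAMPLE_RESULTS = [
    ("2026-Q1", "alice", True, True, False),
    ("2026-Q1", "bob", True, False, False),
    ("2026-Q1", "carol", False, False, True),
    ("2026-Q1", "dave", False, False, False),
    ("2026-Q2", "alice", True, False, True),
    ("2026-Q2", "bob", False, False, True),
    ("2026-Q2", "carol", False, False, True),
    ("2026-Q2", "dave", False, False, False),
    ("2026-Q3", "alice", False, False, True),
    ("2026-Q3", "bob", False, False, True),
    ("2026-Q3", "carol", False, False, True),
    ("2026-Q3", "dave", True, False, True),
]

def quarter_metrics(results):
    """Per-quarter click, credential-entry and report rates as percentages."""
    by_quarter = defaultdict(list)
    for quarter, _staff, clicked, creds, reported in results:
        by_quarter[quarter].append((clicked, creds, reported))
    metrics = {}
    for quarter in sorted(by_quarter):
        rows = by_quarter[quarter]
        n = len(rows)
        clicks, cred, reports = (sum(col) for col in zip(*rows))  # bools sum as 0/1
        metrics[quarter] = {"recipients": n,
                            "click_rate": round(100 * clicks / n, 1),
                            "credential_rate": round(100 * cred / n, 1),
                            "report_rate": round(100 * reports / n, 1)}
    return metrics

def trend(metrics, key, higher_is_better):
    """Compare first and last quarter: 'improving', 'worsening' or 'flat'."""
    quarters = sorted(metrics)
    first, last = metrics[quarters[0]][key], metrics[quarters[-1]][key]
    if first == last:
        return "flat"
    better = last > first if higher_is_better else last < first
    return "improving" if better else "worsening"

def repeat_clickers(results):
    """Staff who clicked in more than one simulation, so training can be targeted."""
    clicks = defaultdict(set)
    for quarter, staff, clicked, _creds, _reported in results:
        if clicked:
            clicks[staff].add(quarter)
    return sorted(s for s, qs in clicks.items() if len(qs) > 1)
```

Call `trend` with `higher_is_better=False` for click rate and `True` for report rate, since the two metrics improve in opposite directions.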

How awareness training connects to Cyber Essentials and ISO 27001

Cyber Essentials does not explicitly list awareness training as a technical control, but several of its requirements depend on staff behaviour. The requirement to control user access means staff need to understand why they should not share credentials or use personal accounts for business systems. IASME, which administers the Cyber Essentials scheme in the UK, looks for evidence that staff understand their security responsibilities — awareness training directly supports this.

ISO 27001 is more explicit. Clause 7.3 requires that staff are aware of the information security policy, their contribution to the effectiveness of the ISMS, and the implications of not conforming with requirements. If you are pursuing ISO 27001 certification, documented awareness training with completion records is not optional.

Even if you are not pursuing formal certification, aligning your awareness programme with the expectations of these frameworks gives you a defensible position if you face a regulatory enquiry following an incident.

Taking the next step

A security awareness programme does not need to be perfect on day one. It needs to exist, be consistent, and improve over time. Starting with the NCSC's free resources and one phishing simulation this quarter will put you ahead of the majority of UK SMEs who have no structured programme at all.

If you would like help assessing your current security posture, designing a training programme that fits your team and budget, or preparing for Cyber Essentials or ISO 27001, take a look at the services available for UK SMEs. A practical, proportionate approach to human risk is achievable for businesses of any size — and it makes every other security investment you make more effective.

Frequently Asked Questions

Is security awareness training required for Cyber Essentials?

Cyber Essentials does not explicitly mandate security awareness training, but it requires access controls and other measures that depend on staff following security procedures. IASME's Cyber Essentials assessors look for evidence that staff understand their responsibilities. ISO 27001 explicitly requires awareness training as part of clause 7.3. For most UK SMEs, some form of structured awareness activity is practical regardless of which standard you are pursuing.

How often should staff complete security awareness training?

Annual training is the minimum most organisations adopt, but evidence suggests more frequent, shorter sessions are more effective at changing behaviour. Monthly micro-learning modules, quarterly phishing simulations, and an annual refresher covering policy and compliance topics together form a practical cadence for most UK SMEs. New starters should complete training before they have access to business systems.

What is the best free security awareness training for small businesses in the UK?

The NCSC's Top Tips for Staff course is a free, NCSC-certified programme suitable for UK small businesses. It covers password security, phishing recognition, mobile device security, and working remotely. The Cyber Readiness Check on the NCSC website also provides a starting point for understanding your current security posture before designing a training programme.

How do you measure the effectiveness of security awareness training?

The most direct measure is phishing simulation results: track what percentage of staff click simulated phishing links before and after training. Also monitor reported suspicious emails — an increase in reporting indicates staff are recognising and escalating threats rather than ignoring them. Password strength audits, policy acknowledgement rates, and incident frequency over time all contribute to a fuller picture of programme effectiveness.


About the author


Daniel J Glover

IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.
