Your staff are your strongest defence.
The majority of breaches involve a non-malicious human element, whether through errors or social engineering (Verizon DBIR). We train your people to recognise attacks, respond correctly, and become your strongest line of defence.
Why security training in East Africa is different
Generic security awareness training fails because it uses examples from Western contexts: phishing emails impersonating PayPal, phishing sites pretending to be UK banks, scenarios that your staff in Kigali will not recognise as relevant.
We design training specifically for East African organisations:
- Examples use local brands: BNR, RDB, banks operating in Rwanda, MTN, Airtel
- Attack scenarios reflect actual threats targeting East African institutions, not US or European case studies
- Phishing simulations use locally-relevant pretexts (BNR compliance notifications, RRA tax alerts, local bank security notices)
- Social engineering scenarios include mobile money agent fraud, SIM swap pretexts, and vishing using local phone conventions
- Available in English; French and Kinyarwanda versions available on request
Training modules
Delivered as standalone sessions or as a full annual programme
Phishing & Email Security
Recognising phishing emails, spear phishing, and business email compromise (BEC) attacks. How to verify sender identity. What to do when you suspect an email is malicious. Includes hands-on exercises with real examples.
Password Hygiene & MFA
Why password reuse is catastrophic. How to use a password manager. Setting up MFA correctly. What happens when credentials are stolen, and how to tell.
Social Engineering & Vishing
Recognising manipulation techniques. How to verify caller identity. Refusing unusual requests from apparent authority figures. Reporting suspicious contacts.
Incident Reporting
What counts as a security incident. How and where to report it. Why fast reporting is critical. No-blame culture and why hiding incidents makes things worse.
Mobile & Remote Work Security
Safe use of public Wi-Fi. Mobile device security. Secure remote access via VPN. BYOD risks. What not to do with a bank laptop in a cafe.
Data Protection & Compliance
What data you handle, how to classify it, and how to protect it. BNR data handling requirements. Rwanda data protection law. Practical clean desk and clear screen habits.
How a training programme works
Baseline phishing simulation
We run a simulated phishing campaign before any training to establish your current click and report rates. This gives us a baseline and identifies which departments need the most attention.
Training delivery
On-site sessions (half-day or full-day) or live-online sessions. We tailor content to your industry, your typical threat scenarios, and your staff roles. Management briefings available separately.
Follow-up phishing simulation
Four to six weeks after training, we run a second simulation with a different scenario. Comparing click rates and report rates before and after training measures its effectiveness.
Completion certificates & reporting
All attendees receive a completion certificate. You receive a programme report with participation rates, simulation results before and after, and recommendations for ongoing training cadence.
Quarterly refresh (optional)
Security awareness fades. Ongoing quarterly micro-sessions (30-45 minutes) and phishing simulations maintain high awareness levels throughout the year.
Delivery formats
- On-site, Kigali: Full or half-day sessions at your offices. Best for initial training and management briefings.
- On-site, regional: Available across East Africa with advance notice.
- Live-online: Interactive sessions via video conference. Suitable for remote or distributed teams.
- Blended: On-site for core modules, online for quarterly refreshers.
Compliance alignment
Security awareness training is not a nice-to-have; it is a regulatory requirement for financial institutions in Rwanda and East Africa. Our training programme satisfies:
- BNR Regulation on Cyber Resilience for the Financial Sector: requires supervised institutions to conduct cybersecurity awareness training for all staff, and mandates a cybersecurity programme that addresses human factors as part of the institution's overall security posture
- PCI DSS v4.0: Requirement 12.6 mandates security awareness training for all personnel upon hire and at least annually thereafter. Requirement 12.6.2 requires training content to address current threats and vulnerabilities relevant to the organisation
- ISO 27001:2022: Control 6.3 (Information security awareness, education and training) requires all personnel to receive appropriate awareness education relevant to their role. Control 6.2 (Terms and conditions of employment) requires security responsibilities to be communicated to all staff
- Rwanda Data Protection Law No 058/2021: Article 30 includes organisational measures as a requirement for data protection. Staff training is a core organisational security measure that demonstrates compliance
For the full picture of social engineering threats and why training matters, see our article on social engineering threats facing East African financial institutions. For information on our flagship services, see penetration testing, security assessments, custom tooling, and managed security.
Request a training programme
Tell us your team size, location, and training objectives. We will design a programme that fits your needs and budget.