SECURITY TRAINING

Your staff are your
strongest defence.

The majority of breaches involve a non-malicious human element, whether through errors or manipulation by an attacker (Verizon DBIR). We train your people to recognise attacks, respond correctly, and become your strongest line of defence.

Security awareness training is a secondary offering that complements our VAPT and assessment work. Training lands best after a penetration test or assessment has shown where the human-factor gaps are; we align the curriculum with those findings. See our flagship services: penetration testing, security assessments, and custom tooling.
Book a Free Call Assess your posture
68% of breaches involved a non-malicious human element (Verizon 2024 DBIR)
44% of breaches analysed involved ransomware (Verizon DBIR 2025)
1 in 3 baseline phish-prone rate at untrained organisations (KnowBe4 Phishing by Industry Benchmarking Report)

Why locally relevant security training is different

Generic security awareness training fails because it uses examples from Western contexts: phishing emails impersonating PayPal, phishing sites pretending to be UK banks, scenarios that your staff across Africa will not recognise as relevant.

We design training specifically for African organisations:

  • Examples use locally relevant brands; for Rwandan teams that means BNR, RDB, banks operating in Rwanda, MTN, Airtel
  • Attack scenarios reflect actual threats targeting African institutions, not US or European case studies
  • Phishing simulations use locally-relevant pretexts (BNR compliance notifications, RRA tax alerts, local bank security notices)
  • Manipulation and pretext scenarios include mobile money agent fraud, SIM swap pretexts, and vishing using local phone conventions
  • Available in English; French and Kinyarwanda versions available on request

Training modules

Delivered as standalone sessions or as a full annual programme

MODULE 01

Phishing & Email Security

Recognising phishing emails, spear phishing, BEC attacks. How to verify sender identity. What to do when you suspect an email is malicious. Includes hands-on exercises with real examples.

MODULE 02

Password Hygiene & MFA

Why password reuse is catastrophic. How to use a password manager. Setting up MFA correctly. What happens when credentials are stolen, and how to tell.

MODULE 03

Manipulation & Vishing

Recognising manipulation techniques. How to verify caller identity. Refusing unusual requests from apparent authority figures. Reporting suspicious contacts.

MODULE 04

Incident Reporting

What counts as a security incident. How and where to report it. Why fast reporting is critical. No-blame culture and why hiding incidents makes things worse.

MODULE 05

Mobile & Remote Work Security

Safe use of public WiFi. Mobile device security. Secure remote access via VPN. BYOD risks. What not to do with a bank laptop in a cafe.

MODULE 06

Data Protection & Compliance

What data you handle, how to classify it, and how to protect it. BNR data handling requirements. Rwanda data protection law. Practical clean desk and clear screen habits.

How a training programme works

1

Baseline phishing simulation

We run a simulated phishing campaign before any training to establish your current click and report rates. This gives us a baseline and identifies which departments need the most attention.

2

Training delivery

On-site sessions (half-day or full-day) or live-online sessions. We tailor content to your industry, your typical threat scenarios, and your staff roles. Management briefings available separately.

3

Follow-up phishing simulation

4-6 weeks after training, we run a second simulation with a different scenario. Comparing click rates and report rates measures training effectiveness.

4

Completion certificates & reporting

All attendees receive a completion certificate. You receive a programme report with participation rates, simulation results before and after, and recommendations for ongoing training cadence.

5

Quarterly refresh (optional)

Security awareness fades. Ongoing quarterly micro-sessions (30-45 minutes) and phishing simulations maintain high awareness levels throughout the year.

Want this as a managed programme? IMIZI Aware packages this training as a managed, year-round awareness programme: scheduled phishing simulations, recurring micro-sessions, and the before-and-after reporting, run for you on a recurring engagement instead of as one-off sessions.
BNR compliance: The National Bank of Rwanda's Regulation N°50/2022 on cyber security requires supervised institutions to run security awareness training for staff. Our programme supports your compliance with this obligation and provides the documentation your compliance team needs: participation records, training content overview, and assessment results.

Delivery formats

  • On-site, Kigali: Full or half-day sessions at your offices. Best for initial training and management briefings.
  • On-site, regional: Available across Africa with advance notice.
  • Live-online: Interactive sessions via video conference. Suitable for remote or distributed teams.
  • Blended: On-site for core modules, online for quarterly refreshers.

Compliance alignment

Security awareness training is not a nice-to-have; it features as a regulatory requirement for financial institutions in Rwanda and across Africa. Our training programme supports your compliance with:

  • BNR Regulation N°50/2022 on cyber security: requires supervised institutions to run cybersecurity awareness training for staff as part of a cybersecurity programme that addresses human factors within the institution's overall security posture
  • PCI DSS v4.0: Requirement 12.6 mandates security awareness training for all personnel upon hire and at least annually thereafter. Requirement 12.6.2 requires training content to address current threats and vulnerabilities relevant to the organisation
  • ISO 27001:2022: Control 6.3 (Information security awareness, education and training) requires all personnel to receive appropriate awareness education relevant to their role. Control 6.2 (Terms and conditions of employment) requires security responsibilities to be communicated to all staff
  • Rwanda Data Protection Law No 058/2021: requires data controllers and processors to implement appropriate technical and organisational security measures. Staff training is a core organisational security measure that demonstrates compliance

For a real example of how human-factor weaknesses translate into financial loss, and why training matters, see our analysis: lessons from a major bank fraud incident in Rwanda. For information on our flagship services: penetration testing, security assessments, custom tooling, and managed security.

Frequently asked questions

Who is the training for?
We train all staff at regulated institutions across Africa, from frontline and back-office teams to engineering, security, and leadership. Programmes are aimed at banks, MFIs, payment providers, telecoms, insurers, government bodies, ministries, healthcare institutions, and fintechs that need to reduce human-factor risk and meet BNR training obligations.
What topics does the training cover?
Core modules cover phishing and email security, password hygiene and MFA, manipulation and vishing, incident reporting, mobile and remote work security, and data protection and compliance. We can deliver these as standalone sessions or as a full annual programme, with management briefings available separately.
Is the training tailored to our organisation?
Yes. We tailor content to your industry, your typical threat scenarios, and your staff roles. Examples and phishing pretexts use locally-relevant brands and scenarios that African staff will recognise, rather than Western case studies, so the training lands with your people.
How is the training delivered?
On-site in Kigali, on-site regionally across Africa with advance notice, live-online for remote or distributed teams, or a blended format with on-site core modules and online quarterly refreshers. Content is available in English, with French and Kinyarwanda versions on request.
How do you measure whether the training works?
We run a baseline phishing simulation before training to establish your current click and report rates, then a follow-up simulation 4-6 weeks afterwards with a different scenario. Comparing the results measures effectiveness, and you receive a programme report with participation rates and before-and-after results.
How do we scope a training programme?
Tell us your team size, location, and training objectives, and we design a programme that fits your needs and budget. Training lands best after a penetration test or assessment has shown where the human-factor gaps are; we align the curriculum with those findings.

Request a training programme

Tell us your team size, location, and training objectives. We will design a programme that fits your needs and budget.

Book a Free Call Download free resources