Your staff are your
strongest defence.
The majority of breaches involve a non-malicious human element, whether through errors or manipulation by an attacker (Verizon DBIR). We train your people to recognise attacks, respond correctly, and become your strongest line of defence.
Why locally relevant security training is different
Generic security awareness training fails because it uses examples from Western contexts: phishing emails impersonating PayPal, phishing sites pretending to be UK banks, scenarios that your staff across Africa will not recognise as relevant.
We design training specifically for African organisations:
- Examples use locally relevant brands; for Rwandan teams that means BNR, RDB, banks operating in Rwanda, MTN, Airtel
- Attack scenarios reflect actual threats targeting African institutions, not US or European case studies
- Phishing simulations use locally-relevant pretexts (BNR compliance notifications, RRA tax alerts, local bank security notices)
- Manipulation and pretext scenarios include mobile money agent fraud, SIM swap pretexts, and vishing using local phone conventions
- Available in English; French and Kinyarwanda versions available on request
Training modules
Delivered as standalone sessions or as a full annual programme
Phishing & Email Security
Recognising phishing emails, spear phishing, BEC attacks. How to verify sender identity. What to do when you suspect an email is malicious. Includes hands-on exercises with real examples.
Password Hygiene & MFA
Why password reuse is catastrophic. How to use a password manager. Setting up MFA correctly. What happens when credentials are stolen, and how to tell.
Manipulation & Vishing
Recognising manipulation techniques. How to verify caller identity. Refusing unusual requests from apparent authority figures. Reporting suspicious contacts.
Incident Reporting
What counts as a security incident. How and where to report it. Why fast reporting is critical. No-blame culture and why hiding incidents makes things worse.
Mobile & Remote Work Security
Safe use of public WiFi. Mobile device security. Secure remote access via VPN. BYOD risks. What not to do with a bank laptop in a cafe.
Data Protection & Compliance
What data you handle, how to classify it, and how to protect it. BNR data handling requirements. Rwanda data protection law. Practical clean desk and clear screen habits.
How a training programme works
Baseline phishing simulation
We run a simulated phishing campaign before any training to establish your current click and report rates. This gives us a baseline and identifies which departments need the most attention.
Training delivery
On-site sessions (half-day or full-day) or live-online sessions. We tailor content to your industry, your typical threat scenarios, and your staff roles. Management briefings available separately.
Follow-up phishing simulation
4-6 weeks after training, we run a second simulation with a different scenario. Comparing click rates and report rates measures training effectiveness.
Completion certificates & reporting
All attendees receive a completion certificate. You receive a programme report with participation rates, simulation results before and after, and recommendations for ongoing training cadence.
Quarterly refresh (optional)
Security awareness fades. Ongoing quarterly micro-sessions (30-45 minutes) and phishing simulations maintain high awareness levels throughout the year.
Delivery formats
- On-site, Kigali: Full or half-day sessions at your offices. Best for initial training and management briefings.
- On-site, regional: Available across Africa with advance notice.
- Live-online: Interactive sessions via video conference. Suitable for remote or distributed teams.
- Blended: On-site for core modules, online for quarterly refreshers.
Compliance alignment
Security awareness training is not a nice-to-have; it features as a regulatory requirement for financial institutions in Rwanda and across Africa. Our training programme supports your compliance with:
- BNR Regulation N°50/2022 on cyber security: requires supervised institutions to run cybersecurity awareness training for staff as part of a cybersecurity programme that addresses human factors within the institution's overall security posture
- PCI DSS v4.0: Requirement 12.6 mandates security awareness training for all personnel upon hire and at least annually thereafter. Requirement 12.6.2 requires training content to address current threats and vulnerabilities relevant to the organisation
- ISO 27001:2022: Control 6.3 (Information security awareness, education and training) requires all personnel to receive appropriate awareness education relevant to their role. Control 6.2 (Terms and conditions of employment) requires security responsibilities to be communicated to all staff
- Rwanda Data Protection Law No 058/2021: requires data controllers and processors to implement appropriate technical and organisational security measures. Staff training is a core organisational security measure that demonstrates compliance
For a real example of how human-factor weaknesses translate into financial loss, and why training matters, see our analysis: lessons from a major bank fraud incident in Rwanda. For information on our flagship services: penetration testing, security assessments, custom tooling, and managed security.
Frequently asked questions
Who is the training for?
What topics does the training cover?
Is the training tailored to our organisation?
How is the training delivered?
How do you measure whether the training works?
How do we scope a training programme?
Request a training programme
Tell us your team size, location, and training objectives. We will design a programme that fits your needs and budget.
Book a Free Call Download free resources