Blog entry by Darren Bindert

16 minute read
07 May 2026

Cybersecurity Awareness Training sits in an unusual position among compliance topics. There is no single law that directly mandates it for most UK businesses. There is no threshold below which you are automatically exempt. And yet, for a growing number of small businesses, the question is no longer whether to provide it but what it needs to cover and how to prove it happened. 

The practical pressure comes from three directions: UK GDPR accountability obligations, cyber insurance underwriting requirements, and the Cyber Essentials scheme. This post covers what each of those means for a business with fewer than 200 employees, what cybersecurity awareness training should actually include, and what a defensible record of completion looks like. 

 

Where the obligation comes from 

UK GDPR does not name cybersecurity awareness training as a requirement. What it does require, under Article 32, is that organisations implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data. Staff training is consistently treated by the Information Commissioner’s Office (ICO) as one of those organisational measures. 

When the ICO investigates a personal data breach, it examines whether staff were adequately trained as part of its assessment of whether the organisation took appropriate measures. Breaches caused by phishing attacks, misdirected emails, weak passwords, or accidental disclosure are the most common categories reported to the ICO, and all of them are, at least in part, addressable through staff training. An organisation that cannot demonstrate training was in place will find that a significant factor in any enforcement action. 

Beyond regulation, the insurance dimension has become increasingly significant for small businesses. Cyber insurance underwriters have tightened their requirements substantially since the volume and severity of ransomware and phishing attacks on SMEs increased sharply in the early 2020s. Many standard cyber insurance policies now include a requirement for documented staff awareness training as a condition of cover. A business that suffers a cyber incident and cannot evidence that training was in place may find its claim challenged or its policy voided. 

The Cyber Essentials scheme, run by the National Cyber Security Centre (NCSC), is a government-backed certification that demonstrates a baseline level of cyber hygiene. While Cyber Essentials does not formally require staff training, the controls it covers — including secure configuration, access control, and malware protection — are significantly harder to maintain without a workforce that understands why those controls matter. For businesses pursuing Cyber Essentials certification, training complements the technical requirements.

SkillsCircle includes a Cybersecurity Awareness course as part of its pre-loaded compliance catalogue. Our Compliance Pathways deliver training from one single learning platform, with auto-provisioning, training tracking, automatic renewal notifications and comprehensive reporting and dashboards. This is the ultimate digital learning and compliance platform for UK SMEs, trusted by major UK Tech and AI companies.

What Cybersecurity Awareness Training should cover 

Effective Cybersecurity Awareness Training for a small business workforce does not need to be technically complex. Its purpose is to give employees the knowledge to avoid the most common attack vectors and to respond appropriately when something goes wrong. The core topics to cover are: 

  • Phishing and social engineering: how to recognise phishing emails, smishing (SMS phishing), and phone-based social engineering attempts; what to do when a suspicious message is received; and why clicking links or downloading attachments from unknown sources creates risk. 

  • Password hygiene: the case for strong, unique passwords and the practical use of password managers; why reusing passwords across work and personal accounts creates risk; and the value of multi-factor authentication (MFA). 

  • Safe handling of data: how to handle sensitive data securely, including the risks of sharing files via personal email or unsecured file-sharing services, the appropriate use of company systems, and the basics of encryption for sensitive documents. 

  • Remote and hybrid working risks: the additional risks associated with working outside the office, including the use of public Wi-Fi, working on personal devices, and the importance of using a VPN where provided. 

  • Incident reporting: what constitutes a reportable incident under UK GDPR, how to report a suspected breach internally, and why prompt reporting matters. Under UK GDPR, certain personal data breaches must be reported to the ICO within 72 hours of the organisation becoming aware of them. 

  • Device and software security: keeping devices and software up to date, why software updates matter for security, and the basic rules around installing unapproved applications on work devices. 

This breadth of coverage does not require a lengthy course. Well-designed Cybersecurity Awareness Training can cover all of these areas in under an hour and retain the information effectively through scenario-based content rather than passive reading. The goal is behavioural change, not technical knowledge for its own sake. 

How often does it need to be refreshed? 

Annual refresh training is the standard expectation for cybersecurity awareness, and it is what most cyber insurance policies and the ICO’s guidance point toward. The threat landscape changes quickly enough that training completed three or four years ago is likely to be materially out of date, particularly on phishing techniques, which have become significantly more convincing with the wider availability of AI-assisted content generation. 

New starters should complete training at induction, regardless of where they fall in the annual cycle. Following a significant incident or near-miss, such as a successful phishing attempt, a misdirected email containing personal data, or a ransomware attack, additional targeted training is appropriate and demonstrates to the ICO that the organisation took the incident seriously. 

For small businesses managing renewal tracking manually, this is often where the process breaks down. SkillsCircle handles the reminder cycle automatically: once renewal dates are set, the platform sends reminder emails to employees as deadlines approach and follow-up chasers to those who have not yet completed. Admins can monitor completion status across teams and programmes through the built-in dashboard, and a manager-level role is available for team leads who need visibility of their own team’s progress without full administrative access. The result is that annual refresh happens reliably, without anyone having to remember to chase it.

What a defensible record looks like 

For Cybersecurity Awareness Training to serve its purpose in the event of an ICO investigation or an insurance claim, the record needs to show more than that training generally takes place. It needs to show that a specific employee completed specific training on a specific date. 

That means individual-level completion records with timestamps, not a sign-in sheet from a team briefing. It means certificate or confirmation downloads that can be retrieved quickly under pressure. And it means a renewal tracking system that flags when an annual refresh is due rather than relying on someone to remember. 

For small businesses managing this through spreadsheets or email threads, producing that evidence retrospectively after an incident is harder than it sounds. The records that matter most are the ones that were kept before anything went wrong. 
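To make the two questions above concrete (was a named employee current on a given date, and who is due a refresh today), here is an added example of the checks a business keeping its own records would run. It is not SkillsCircle code; the records, start dates and the 14-day induction window are constructed assumptions, and the refresh rule is the annual cycle described on this page.

```python
from datetime import date, timedelta

COURSE = "Cybersecurity Awareness"
REFRESH = timedelta(days=365)          # annual refresh, as the page describes
INDUCTION_GRACE = timedelta(days=14)   # assumption: time a new starter has to finish induction training

# Constructed sample records (not real data): one row per individual completion.
RECORDS = [
    {"employee": "a.khan", "course": COURSE, "completed": date(2024, 3, 4)},
    {"employee": "a.khan", "course": COURSE, "completed": date(2025, 2, 20)},
    {"employee": "b.owen", "course": COURSE, "completed": date(2023, 11, 9)},
]
# Constructed start dates; c.ng is a new starter with no completion record yet.
START_DATES = {
    "a.khan": date(2023, 6, 1),
    "b.owen": date(2022, 9, 12),
    "c.ng": date(2025, 12, 1),
}


def latest_completion(employee, course, on_or_before):
    """Most recent completion of `course` by `employee` dated on or before `on_or_before`.

    This is the individual, timestamped record an investigator or insurer asks for."""
    dated = [r["completed"] for r in RECORDS
             if r["employee"] == employee and r["course"] == course
             and r["completed"] <= on_or_before]
    return max(dated) if dated else None


def was_current(employee, course, on):
    """True if, on date `on`, the employee had completed the course within the refresh window."""
    last = latest_completion(employee, course, on)
    return last is not None and on - last <= REFRESH


def refresh_report(course, today):
    """Classify every employee as current, overdue, induction_pending or no_record."""
    report = {}
    for emp, started in START_DATES.items():
        last = latest_completion(emp, course, today)
        if last is None:
            report[emp] = "induction_pending" if today - started <= INDUCTION_GRACE else "no_record"
        elif today - last > REFRESH:
            report[emp] = "overdue"
        else:
            report[emp] = "current"
    return report
```

`was_current` answers the post-incident question for a specific employee and date; `refresh_report` is the list a renewal reminder would be driven from.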

How SkillsCircle helps 

SkillsCircle is a ready-made LMS for businesses with fewer than 200 employees. Its pre-loaded compliance catalogue includes a Cybersecurity Awareness course alongside health and safety, equality and diversity, data protection, and modern slavery training. There is no content to build and no specialist resource required. Staff complete courses online, individual completion records and certificates are generated automatically, and renewal dates are tracked within the platform.  

Pricing starts from £8 per user per month with no setup costs* 

*Price excludes VAT and is on our first tier of graduated pricing. Cost per user gets lower the more licences that are purchased.