Cybersecurity Employee Training Programs
Build a security-literate workforce, from the boardroom to the front desk.
The problem
Most SMEs address cybersecurity as a technology problem and overlook their greatest vulnerability: untrained staff. Tanzania's Personal Data Protection Act (2022) places explicit obligations on organisations to train personnel who handle personal data – most businesses are not meeting this requirement. Beyond compliance, staff who do not understand basic cybersecurity hygiene create risk daily: sharing passwords, clicking unsafe links, misconfiguring cloud tools, or mishandling customer data. A one-hour phishing simulation is not a training program. A structured curriculum is.
Our methodology
- Training needs assessment – identify roles, existing knowledge gaps, and compliance obligations (PDPA, BoT guidelines where relevant)
- Curriculum design: separate learning tracks for executives and board, IT and technical staff, and general employees
- Content development using Tanzania-relevant scenarios, local regulatory references, and real threat examples from the East African context
- Delivery via instructor-led workshops (in-person or virtual), self-paced e-learning modules, or a blended approach
- Knowledge assessment at the end of each module – short quizzes with pass thresholds
- Completion records and certificates for HR files and compliance evidence
- Post-training summary report with per-staff and per-department completion and assessment results
What you will receive
- Training needs assessment report
- Custom curriculum outline (role-based: executive, IT, general staff)
- Delivered training sessions or e-learning module set
- Per-participant knowledge assessment results
- Certificates of completion for all participants
- Post-training summary report (suitable for auditor or regulator evidence)
- Quick-reference job aids for each role (printable one-pagers)
Estimated timeline
4–6 weeks from needs assessment to first delivery. Ongoing annual refresh available.
Overview
A security-aware workforce is not built by a single all-staff email or a 20-minute generic video. It is built through structured learning – relevant to each person's role, grounded in the real threats they face, and evidenced with records that demonstrate your organisation takes this seriously.
Hawrat Cyber's employee training programs are designed specifically for East African businesses: local threat scenarios, Tanzania PDPA compliance framing, and delivery that works for teams with mixed technical backgrounds.
Why Role-Based Training Matters
The security risks facing your CEO are different from those facing your accounts team, which are different again from those facing your IT support staff. A single generic training session treats these roles identically – which means it is too basic for the technical staff and too detailed for everyone else.
We design separate learning tracks for each group:
Executive and board track – Focuses on governance responsibility, regulatory liability under PDPA, cyber risk as business risk, what to expect from a security incident, and how to ask the right questions of your IT and security teams. This session is built for busy decision-makers: 90 minutes, no jargon.
General staff track – Practical, scenario-based training covering the situations employees encounter daily: recognising phishing and social engineering, secure password practices, safe file sharing and email use, handling customer or personal data in line with PDPA obligations, and what to do if something goes wrong. Delivered in plain language with local examples.
IT and technical staff track – Covers secure configuration practices, incident detection and initial response, handling security alerts, access control responsibilities, and technical control obligations under relevant frameworks. This session assumes a technical foundation and covers material at the appropriate depth.
The Tanzania PDPA Compliance Angle
Article 27 of the Tanzania Personal Data Protection Act requires that data controllers and processors take measures to ensure that employees are aware of and comply with data protection obligations. The PDPC guidance reinforces this with expectations around staff training as part of organisational measures.
Completing this training program gives you:
- Documented evidence that training was conducted and who attended
- Assessment results demonstrating comprehension, not just attendance
- Certificates of completion for HR records
- A post-training report that summarises coverage and outcomes – ready for a regulator, auditor, or client due diligence request
For businesses pursuing ISO 27001 alignment or preparing for a PDPA audit, this is a foundational control.
Delivery Options
Instructor-led workshops – Live sessions delivered in-person (Dar es Salaam and surrounds) or via video call. Best for teams that benefit from discussion, Q&A, and scenario walkthroughs. We adapt to your schedule.
Blended delivery – Instructor-led session followed by self-paced reinforcement modules and an online assessment. Combines the engagement of live training with the flexibility of self-paced completion.
Annual refresh – Security threats and regulatory requirements evolve. We offer an annual curriculum refresh to update content, re-assess staff knowledge, and maintain your compliance evidence trail.
Frequently asked questions
How is this different from your Security Awareness Training service?
Security Awareness Training is an ongoing quarterly programme focused on behavioural change through phishing simulations and short micro-modules – it builds habits over time. Employee Training Programs are structured, curriculum-based learning delivered in defined sessions, covering a broad range of cybersecurity topics with formal knowledge assessments and completion certificates. They serve different purposes: the training program builds foundational knowledge and meets compliance requirements; the awareness programme reinforces those habits continuously. Many clients run both.
Does the Tanzania PDPA require staff training?
Yes. The Personal Data Protection Act (2022) and supporting PDPC guidance place obligations on data controllers and processors to ensure that personnel handling personal data understand their responsibilities. An undocumented 'we told them' does not meet this standard. A structured training program with documented completion records, assessment results, and certificates gives you defensible evidence that you have met the obligation – which matters when a regulator asks.
Can you train a team of mixed technical and non-technical staff?
Yes – role-based tracks are central to how we design these programs. Executives receive a governance-focused session covering risk, regulatory liability, and their personal responsibilities under PDPA. General staff receive practical, scenario-based training on topics like password hygiene, phishing recognition, secure file sharing, and handling customer data. IT and technical staff receive a more detailed session covering secure configuration, incident handling, and technical control responsibilities. Each group gets content relevant to their actual role.
Can training be delivered in Swahili?
Yes. For organisations where Swahili is the primary working language, we can deliver sessions in Swahili and provide job aids and reference materials in Swahili. Training is only effective if participants genuinely understand it – language is not a secondary consideration.
How many staff can you train at once?
Workshop sessions work best with groups of 10–30. For larger organisations, we run multiple sessions across departments. For fully self-paced e-learning delivery, there is no practical upper limit on participant numbers.
Ready to get started?
All engagements begin with a free 30-minute discovery call. No commitment, no jargon – just an honest conversation about your situation.