Security Awareness Training
Your people are your first line of defence. Train them.
The problem
The most sophisticated technical controls can be bypassed by a single employee clicking a phishing link. In Tanzania, phishing campaigns are increasingly targeting M-Pesa and mobile banking accounts, Microsoft 365 login pages, and fake regulatory notices — in both English and Swahili. Your technical defences cannot protect against a staff member who does not know how to recognise the threat. Awareness training turns your team from a vulnerability into an asset.
Our methodology
- Quarterly phishing simulations using realistic local lures: mobile money confirmations, Microsoft 365 re-authentication requests, fake BoT or PDPC notices
- Simulations available in English and Swahili to reflect real threat actor tactics
- Employees who click are redirected to immediate, brief training rather than being shamed
- Monthly 30-minute micro-training modules covering current threats, delivered via email or platform of choice
- Executive dashboard reporting on click rates, training completion, and improvement over time
- Annual security culture assessment
What you will receive
- Quarterly phishing simulation report (per-department click rates, trend data)
- Monthly training completion report
- Annual security culture trend report
- Phishing awareness quick-reference card for staff
Estimated timeline
Quarterly programme, per 50 staff. Annual commitment recommended for measurable improvement.
Overview
Technology alone cannot stop a determined phishing attack aimed at your staff. The human layer of your security requires the same structured attention as your technical controls — regular assessment, targeted improvement, and measurable progress over time.
Security awareness training gives your team the knowledge, habits, and instincts to be the last line of defence — and to hold that line.
The Tanzanian Threat Context
Phishing in Tanzania is not generic. Attackers craft lures that exploit what people actually use: M-Pesa confirmations, Airtel Money transfer notices, fake BoT circulars, PDPC enforcement warnings, Microsoft 365 password expiry alerts. Increasingly, these are in Swahili — because that is how people communicate and what they trust.
Generic awareness training built for Western markets misses this entirely. Our simulations use the lures that are actually being deployed against Tanzanian SMEs.
The Cycle
Quarter 1 — Establish baseline. Run the first phishing simulation. Deliver the first three monthly modules. Report baseline click rate and completion.
Quarter 2 — Build the habit. Second simulation with new lure type. Modules continue. Click rate comparison against baseline.
Quarter 3 — Measure progress. Third simulation. By this point, most organisations see a meaningful reduction in click rates. Identify departments or individuals for additional focus.
Quarter 4 — Annual culture assessment. Full-year trend report. Programme design for the following year.
Reporting to Leadership
After each simulation and each quarter, you receive a clear, non-technical report showing how your organisation is tracking. Click rates are shown by department so you can direct attention where it is needed. The trend over time tells the story of your security culture improving — and gives you something concrete to show auditors, regulators, or clients who ask about security training.
Frequently asked questions
What happens to employees who fail the phishing simulation?
They receive immediate, constructive micro-training — not a punitive response. Research consistently shows that fear-based approaches reduce morale without improving security behaviour. Employees who click are redirected to a short, engaging training moment explaining what they missed and how to spot it next time. Over time, click rates fall across the whole organisation. The goal is culture change, not blame.
Can training be done in Swahili?
Yes. Our phishing simulations include Swahili-language lures, because real attackers use Swahili. Training content can be adapted to Swahili for organisations where English is not the primary working language. We believe awareness training that does not reflect how your staff actually communicate is less effective.
How do we measure improvement?
We track three metrics over time: phishing simulation click rate (the percentage of staff who click on simulated phishing), training completion rate (the percentage who complete monthly modules), and a self-reported security confidence score from the annual culture assessment. Improvement in click rate is the most direct measure of effectiveness, and we typically see a meaningful reduction over two to three quarterly simulation cycles.
What if the training catches a real phishing email that is not one of ours?
This is the goal. Staff who are primed to look for phishing signals will apply those skills to real threats. We encourage organisations to set up a simple reporting mechanism — a mailbox or button — where staff can forward suspicious emails. The awareness programme builds the habit of scrutiny.
We are a small team of 10 people. Is this worth it?
Phishing attacks do not discriminate by company size. A 10-person business is often a softer target than a large organisation with dedicated security teams — attackers know this. For small teams, we can run a condensed version of the programme and combine it with a Cloud Security Posture Assessment for broad coverage at a sensible scope.
Ready to get started?
All engagements begin with a free 30-minute discovery call. No commitment, no jargon — just an honest conversation about your situation.