Pospíšil Petr | CyberPOPE Independent Consultant | Cybersecurity Architect & vCISO

Your people are part of the system

Most incidents start with normal behaviour, not elite hacking. I run human risk as a year-long programme - steady practice and a reporting habit, not one annual lecture.

Year-long programme · 6 topics a year · security champions · priced by scope

This programme is available on its own - the better path is the Retained Security Partner retainer, where you get it automatically once your security maturity is ready.

The Problem

Annual training does not change behaviour

Most companies do awareness backwards: one training a year, maybe one phishing test, then silence until the next audit. Behaviour does not move on that schedule.

  • A once-a-year session is forgotten within weeks. Habits need repetition, not a single deadline.
  • Phishing tests on their own become "gotcha" theatre. They measure clicks but build resentment, not a reporting culture.
  • An SME does not need a corporate learning platform. It needs a few practical habits and people who know who to ask.

Human Risk Management

One topic every two months

Six topics fill a year. Each one stays active for a month, then the next begins. Fewer topics, done properly, beat a long checklist nobody remembers.

Core - every company

The fixed topics every workforce needs.

  • Phishing & reporting
  • Passwords
  • MFA & account takeover
  • Invoice and CEO fraud

Tailored to you

Chosen from your risks, sector, and tools.

  • Customer-data handling
  • Shadow IT & SaaS
  • Remote work & travel
  • AI tool usage

Personal & home

Useful off the clock, so people actually listen.

  • Home & family security
  • Children online
  • Disinformation
  • Device loss & theft

How a single topic runs over its month

Each active topic moves through the same four steps.

01
Intro email

At the start of the month, a short note tells everyone the topic, why it matters here, and what to expect: posters, a webcast, and someone to ask.

02
Physical campaign

A few posters appear in shared spaces - the kitchen, the entrance, the restroom door. They are made to be seen and to start a conversation, not to lecture.

03
Webcast demo

A practical session under 30 minutes that shows the real attack: cracking a weak password hash, sending a convincing phishing mail, or building a deepfake. People remember what they have seen done.

04
Champion briefing

Department champions are trained on the month's topic so they can answer the everyday questions locally, without waiting for an external consultant.

What Makes It Work

Champions, a hub, and short practice

Human risk is not fixed by one training. It is reduced by repeated practice, clear reporting paths, and a few internal people who know what good security looks like.

Security champions

One non-technical person per department, trained on each topic. They are the local point of contact while I work remotely, and they nudge habits that only a colleague notices - the password on a sticky note, the file shared with the wrong group.

Awareness hub

A small internal site that holds the material people actually need: a practical extract of the security policy, what to do during an incident, the onboarding guide, and the plan for the year. People do not read long security documents, so the hub stays short and usable.

Micro-learning

Short scenarios under five minutes, written for your company and your real cases rather than generic stock video. Delivered through a company mascot so the material feels familiar. This delivery format is being built and expanded over time.

Co-created rules

When a rule affects daily work - password length, file sharing, device use - champions help shape it before it ships. People follow rules they helped write, so adoption is far higher than a policy handed down from above.

Who It Fits

Built for SMEs with fragmented ownership

  • Companies of roughly 30 to 250 people, where security ownership is spread across several roles.
  • Organisations under customer assurance, supplier pressure, or working towards ISO 27001.
  • Companies in NIS2 scope, or handling personal data under GDPR, where staff behaviour is part of the obligation.
  • Founder-led businesses that want a reporting culture and stronger habits without hiring an internal security team.

Where It Fits

An add-on, scoped to your company

The programme runs as an add-on to the Retained Security Partner engagement, usually starting after the Roadmap Assessment. It is scoped and priced separately from the base retainer, based on what your company actually needs, rather than tied to a fixed number of consulting days. Behaviour, champions, and reporting culture mature over time, so this is not sold as a single workshop.

Size and departments

How many people take part, and how many departments need their own champion and local support.

Topic mix

How many topics are tailored to your sector and risks beyond the fixed core set, and how specific they need to be.

Delivery formats

Which formats you want each topic to use: physical campaigns, webcast demos, micro-learning, and phishing or reporting exercises.

Languages and sites

Multiple locations or working languages add to material and champion effort.

Process

How We Collaborate

01
Scope & year plan

We agree the six topics for the year - core, tailored, and personal - and the schedule. Usually a 30-minute call plus a short review of your context.

02
Champions onboarding

We pick one champion per department and run a first briefing so the local points of contact are in place before topic one.

03
Run the topics

Every two months a new topic goes live: intro email, posters, a webcast demo, and a champion briefing. Phishing and reporting practice is added where it helps.

04
Half-year review

Every six months you get a short management summary covering the three topics from that period: what ran, what reporting looks like, and the plan for the next half.

This works as a programme, not a single session. Behaviour change needs repetition, so the value comes from running the full year inside the retainer.

Start the human risk programme

Book a 30-minute call to plan the year, or send a question first. We will agree the topics, the champions, and how it fits your retainer before anything starts.

Have questions? See the FAQ →

Looking for the tactical exercise on its own? See Phishing Simulation, or the full Retained Security Partner retainer.