Executive summary · TL;DR
Cybersecurity awareness under the ENS (Spanish National Security Framework, Royal Decree 311/2022) trains staff to recognise phishing, manage passwords and handle sensitive information. It is mandatory, and it must be evidenced: an annual record of who was trained, on what and with which result. This guide explains the mp.per.3 requirements, how to design a programme that actually changes behaviour, the indicators auditors look at, and the CCN-CERT and INCIBE tools that an SME can use with little or no budget.
Sources: BOE · Royal Decree 311/2022 · CCN-CERT · INCIBE
A widely cited industry figure attributes a human-error component to around 95% of cybersecurity incidents. An employee who clicks on a phishing link, reuses a weak password across services or plugs in an unauthorised USB drive can compromise the entire security posture of your organisation, no matter how sophisticated the technical controls. That is why the ENS (Spanish National Security Framework) dedicates specific controls to staff training and awareness, and why auditors carefully assess whether those controls are applied effectively rather than merely documented.
For the general context of the framework, see my definitive guide to the ENS.
What does the ENS require on training and awareness?
Control mp.per.3 (awareness, "concienciación") of the ENS sets out the awareness requirements; its companion control mp.per.4 ("formación") covers formal training. In practice the demands grow with the category of the system. At BASIC category, every member of staff must know the security rules that apply to them, the consequences of non-compliance and how to act in the event of an incident. At MEDIUM category, specific training is required for the security officer and the technical staff who administer the systems. At HIGH category, periodic, up-to-date training is added, together with an evaluation of the effectiveness of training actions.
Additionally, control mp.per.2 (duties and obligations) requires each person to know their specific security responsibilities, and that this acceptance is formally documented; a signed acknowledgement kept with the HR file is the usual evidence.
Designing an effective awareness programme
An awareness programme that genuinely works and satisfies ENS requirements has to go beyond the typical annual mandatory training session that nobody remembers a month later.
Defining measurable objectives
Before designing activities, define what you want to achieve with specific metrics. For example: reduce the click rate in phishing simulations below 5%, ensure 100% of staff know the incident reporting procedure, or get 90% of staff to identify at least three types of social engineering attacks.
Initial training for new hires
Every new employee must receive a security session before being granted access to the systems, and the date of that session must be recorded so that it can be checked against the date the account was enabled. This session should cover the security policy and the rules that apply to them, acceptable use of information systems, password management and multi-factor authentication, identification of phishing emails, the incident reporting procedure, and the consequences of non-compliance.
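The two checks an auditor will actually perform against the training register, as an added example that is not part of the original article: that every active account had a recorded session before access was granted, and that every account has a session inside the refresh window (the article's 100% completion figure). The user names, dates and the 365-day refresh interval are constructed assumptions.

```python
"""Training-record audit: initial session before access, annual refresh, completion rate.

Added example with constructed data; user names, dates and the 365-day
refresh window are illustrative assumptions, not taken from the article.
"""
from datetime import date

REFRESH_DAYS = 365                 # assumption: one mandatory session per year
TODAY = date(2025, 10, 1)          # constructed audit date

# Constructed sample: date on which each account was enabled ...
ACCOUNTS = {
    "ana": date(2024, 3, 1),
    "bea": date(2025, 2, 10),
    "carlos": date(2025, 6, 15),
    "dani": date(2025, 9, 1),
    "elena": date(2024, 1, 15),
}
# ... and the dates on which each person completed a recorded session.
TRAINING = {
    "ana": [date(2025, 2, 18), date(2024, 2, 20)],
    "bea": [date(2025, 2, 12)],
    "carlos": [date(2025, 6, 10)],
    "elena": [date(2024, 1, 10)],
}


def audit_training(accounts, training, today):
    """Return (user, finding) pairs an auditor would raise; an empty list means compliant."""
    findings = []
    for user, granted in sorted(accounts.items()):
        sessions = sorted(training.get(user, []))
        if not sessions:
            findings.append((user, f"no recorded training; access granted {granted}"))
            continue
        # Initial session must predate (or coincide with) the day the account was enabled.
        if sessions[0] > granted:
            findings.append((user, f"access granted {granted} before first session {sessions[0]}"))
        # Most recent session must fall inside the refresh window.
        if (today - sessions[-1]).days > REFRESH_DAYS:
            findings.append((user, f"refresh overdue: last session {sessions[-1]}"))
    return findings


def completion_rate(accounts, training, today):
    """Share of active accounts with a session inside the refresh window (target: 100%)."""
    if not accounts:
        return 0.0
    current = sum(
        1 for user in accounts
        if any((today - s).days <= REFRESH_DAYS for s in training.get(user, []))
    )
    return current / len(accounts)


if __name__ == "__main__":
    for user, finding in audit_training(ACCOUNTS, TRAINING, TODAY):
        print(f"{user}: {finding}")
    print(f"completion rate: {completion_rate(ACCOUNTS, TRAINING, TODAY):.0%}")
```

Run it against an export of the identity directory (account creation dates) and the LMS or attendance sheet; the findings list is the gap analysis to close before the audit, and the completion rate is the figure to report to the security committee.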
Periodic micro-learning
Instead of a single long annual session (which is quickly forgotten), distribute training in short capsules throughout the year. A monthly 10-15 minute capsule on a specific topic is far more effective than a full annual session.
Topics can rotate across phishing and malicious emails, password security and credential management, protection of confidential information, remote-working security, mobile device security, telephone-based social engineering, safe browsing, physical and clear-desk security, secure use of email, and incident response.
Phishing simulations
Phishing simulations are the most direct tool to measure and improve awareness. They consist of sending simulated phishing emails to employees and measuring who clicks, who enters credentials on the landing page, who reports the suspicious email (the behaviour you actually want) and who simply ignores it.
Simulations should be realistic but not aggressive (the goal is to educate, not to humiliate), progressive in difficulty, accompanied by immediate training for whoever falls for the simulation, and documented with time-series metrics.
A reasonable cadence is one simulation per quarter, rotating the scenarios: impersonation of a known supplier, a fake message from the IT department, a fictitious prize draw, or a supposed pending invoice.
CCN tools for awareness
The CCN-CERT makes the ANGELES platform available to the public sector, offering cybersecurity training courses tailored to different profiles (executives, technical staff, end users), ready-to-use awareness materials, and assessments to measure the level of knowledge.
INCIBE also provides free awareness materials through its website, including the awareness kit for businesses, which contains graphic resources, videos and ready-to-use presentations.
Metrics of an effective awareness programme
To demonstrate to ENS auditors that your programme works, record and monitor the relevant metrics. The click rate in phishing simulations is the most direct indicator: a rate below 5% indicates maturity. The report rate, the percentage of users who report suspicious emails to the security team, is even more important than the click rate: a single report is enough to trigger incident handling and protect everyone else, whereas the click rate only tells you who was fooled. The percentage of staff who have completed mandatory training must be 100%. And the results of knowledge assessments are evidence of the effectiveness of the training.
Present these metrics in the security committee and in the management review. The positive evolution of these indicators is the best evidence of the effectiveness of your programme.
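The following is an added example, not code from the article or from any CCN or INCIBE tool, that turns the raw results of the quarterly simulations described under "Phishing simulations" into the indicators this section asks for: click, credential and report rates per campaign against the 5% target set under "Defining measurable objectives", the list of people who need immediate follow-up training after each campaign, repeat clickers who need targeted rather than generic training, and whether the series is moving the right way. The user names, campaign labels and outcomes are constructed sample data.

```python
"""Phishing-simulation metrics of the kind an ENS auditor will ask to see.

Added example with constructed data; user names, campaign labels and
outcomes are illustrative. The 5% threshold is the one the article uses.
"""
from collections import defaultdict
from dataclasses import dataclass

CLICK_RATE_TARGET = 0.05   # the article's maturity threshold

# Constructed sample: ten users, four quarterly campaigns.
USERS = ["ana", "bea", "carlos", "dani", "elena", "fran", "gema", "hugo", "ines", "jorge"]


def _campaign(name, clicked=(), credentials=(), reported=()):
    """One row per user: (campaign, user, clicked, entered_credentials, reported)."""
    return [(name, u, u in clicked, u in credentials, u in reported) for u in USERS]


SAMPLE_EVENTS = (
    _campaign("2025-Q1", clicked={"ana", "bea", "carlos", "dani"},
              credentials={"ana", "bea"}, reported={"elena", "fran"})
    + _campaign("2025-Q2", clicked={"ana", "carlos"}, credentials={"ana"},
                reported={"bea", "elena", "fran", "gema"})
    + _campaign("2025-Q3", clicked={"hugo"},
                reported={"ana", "bea", "carlos", "elena", "fran", "gema"})
    + _campaign("2025-Q4",
                reported={"ana", "bea", "carlos", "dani", "elena", "fran", "gema"})
)


@dataclass
class CampaignMetrics:
    campaign: str
    users: int
    click_rate: float
    credential_rate: float
    report_rate: float
    meets_target: bool


def campaign_metrics(events):
    """Per-campaign rates, ordered by campaign label: the time series for the committee."""
    by_campaign = defaultdict(list)
    for campaign, user, clicked, creds, reported in events:
        if creds and not clicked:
            # Nobody submits credentials on the landing page without clicking first.
            raise ValueError(f"inconsistent row: {campaign}/{user} has credentials without click")
        by_campaign[campaign].append((clicked, creds, reported))
    out = []
    for campaign in sorted(by_campaign):
        rows = by_campaign[campaign]
        n = len(rows)
        clicks = sum(c for c, _, _ in rows)
        creds = sum(k for _, k, _ in rows)
        reports = sum(r for _, _, r in rows)
        out.append(CampaignMetrics(campaign, n, clicks / n, creds / n, reports / n,
                                   clicks / n < CLICK_RATE_TARGET))
    return out


def remediation_list(events, campaign):
    """Users to enrol in immediate follow-up training after one campaign."""
    return sorted(u for c, u, clicked, creds, _ in events if c == campaign and (clicked or creds))


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns: they need targeted training."""
    hits = defaultdict(set)
    for campaign, user, clicked, _, _ in events:
        if clicked:
            hits[user].add(campaign)
    return sorted(u for u, cs in hits.items() if len(cs) >= min_campaigns)


def is_improving(metrics):
    """True when the click rate fell and the report rate rose between first and last campaign."""
    first, last = metrics[0], metrics[-1]
    return last.click_rate < first.click_rate and last.report_rate > first.report_rate


if __name__ == "__main__":
    series = campaign_metrics(SAMPLE_EVENTS)
    for m in series:
        print(f"{m.campaign}: click {m.click_rate:.0%}  creds {m.credential_rate:.0%}  "
              f"report {m.report_rate:.0%}  target met: {m.meets_target}")
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
    print("improving:", is_improving(series))
```

Feed it the per-user export of your simulation tool (one row per recipient and campaign) and keep the output of every quarter: the series, not a single campaign, is what demonstrates effectiveness. The consistency check matters in practice, because tracking pixels and link scanners in mail gateways often register "clicks" that no person made; reconcile those before reporting the rate.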
Security culture: beyond training
The ultimate goal is not for employees to pass an exam, but for security to become part of the organisation's culture. This is achieved through leadership by example (if executives don't follow the rules, nobody will), positive error management (if someone falls for a phishing attempt, they are trained, not publicly sanctioned), recognition of good practice (rewarding those who report incidents), and constant communication (sharing relevant cybersecurity news, alerting on current threats). Related: ENS Audit: Preparation and Keys to Pass It.
See my article on email security for technical measures that complement anti-phishing training.
Do you need to design a cybersecurity awareness programme for your organisation? Let's talk. I'll help you create an effective programme that complies with the ENS and turns your team into your first line of defence.
Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs. Related: MAGERIT Risk Analysis for the ENS: Practical Guide.
Frequently asked questions
- Who must comply with the ENS?
- All bodies of the Spanish Public Administration and private suppliers that provide ICT services to the public sector.
- What are the categories of the ENS?
- The ENS has three categories — BASIC, MEDIUM and HIGH — depending on the impact a security incident would have on the information processed and the services provided.
- What is the deadline to comply with the ENS?
- Royal Decree 311/2022 gave systems that already existed when it entered into force (May 2022) 24 months to adapt, so the general deadline was May 2024; new systems must comply from the outset.
- What happens if the ENS is not complied with?
- Non-compliance with the ENS prevents contracting with the Spanish Public Administration and may lead to sanctions under the applicable sectoral regulations.