Phishing simulations combined with structured awareness campaigns are a required, evidence-able control under the Compliance Framework's Essential Cybersecurity Controls (ECC – 2 : 2024) Control 1-10-1; this post gives a practical, small-business-focused playbook for designing, running, measuring and documenting those programs so you meet the control and reduce real-world risk.
Why this control matters and the risk of non-implementation
Control 1-10-1 seeks proof that an organization actively tests its human layer through simulated phishing and follows up with education. Without a consistent simulation-and-awareness program you increase the likelihood of credential compromise, business email compromise (BEC), ransomware initiation and regulatory exposure; for a small business a single successful phishing attack can cause months of downtime, lost client trust and significant financial loss. From a compliance perspective, lack of documented campaigns, results and remediation actions can lead to audit findings, contract penalties or insurance claim denials.
Designing a compliant simulation and awareness program (practical steps)
Start by documenting the program in a formal policy or control procedure that maps to the Compliance Framework. Required elements: goals (reduce phish-prone rate by X%), scope (which users/groups), cadence (monthly/quarterly), acceptable scenarios, data handling, escalation paths and retention period for evidence. Assign roles — owner (usually security lead or CISO), campaign operator (IT/security analyst), HR/legal reviewer, and data custodian. Record approvals in change control or configuration management so auditors can see governance.
Scoping and segmentation
Segment users into buckets: executives, finance, IT, sales, contractors and general staff. Small businesses can start with three segments (executive, high-risk functions, general) to keep campaigns manageable. Create a baseline campaign to measure initial phish-prone percentage per segment (use a simple credential-less template or a “click + awareness page” flow). Document segmentation rationale and any exclusions (e.g., third-party vendors on separate domains) to satisfy Compliance Framework requirements on scope and justification.
Technical implementation details and tooling
Pick a tool that supports evidence export and integrates with your email environment: commercial options (KnowBe4, Proofpoint, Cofense, Mimecast) and open-source (GoPhish) are acceptable if you can produce logs and attachments. Technical setup: provision a dedicated sending domain/subdomain (phish.example.com), publish SPF/DKIM records for that domain, and allowlist the sending IP in your outbound filter to avoid being blocked by your own gateway. Configure landing pages to never capture plain-text credentials; instead show an awareness page and log only metadata (user, timestamp, campaign id, IP). For Microsoft 365 customers, consider using Attack Simulator (part of E5) for integrated telemetry into Defender and Audit logs.
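A metadata-only landing-page event builder in the spirit of the setup above, added here as an example (it is not code from GoPhish or any vendor platform); the credential field names and the `reset_and_awareness` action label are assumptions.

```python
from datetime import datetime, timezone

# Form fields a landing page must never persist (assumed names; match your template).
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "otp", "mfa_code"}
# The only request context that reaches the campaign log.
ALLOWED_META = ("user", "campaign_id", "ip")


def build_landing_event(form, meta, now=None):
    """Turn a landing-page submission into a metadata-only log record.

    `form` is the submitted form (dict), `meta` is request context (user token,
    campaign id, client IP, plus anything else the web server attaches).
    Credential values are dropped before anything is logged; only the fact that
    a credential-type field was filled in is recorded, so the incident workflow
    can trigger a password reset without the program ever storing the secret.
    """
    now = now or datetime.now(timezone.utc)
    event = {k: meta.get(k) for k in ALLOWED_META}  # extra request keys are discarded
    event["timestamp"] = now.isoformat(timespec="seconds")
    event["credential_submitted"] = any(
        k.lower() in CREDENTIAL_FIELDS and str(v).strip() for k, v in form.items()
    )
    # Awareness page is always shown; the documented reset procedure applies
    # only when a real credential-type value was entered.
    event["action"] = "reset_and_awareness" if event["credential_submitted"] else "awareness"
    return event
```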
Integration with other controls
Ensure your simulation platform's events feed into your SIEM/Log management (or ticketing system) so clicks and reports are traceable. Automate just-in-time training: when a user clicks, create a ticket assigned to the user with a 15–30 minute micro-lesson and require completion within a set window; retain training completion evidence (certificate or LMS record). For repeated offenders, trigger escalation to manager review or HR per the documented policy. Keep all evidence (campaign definitions, emails sent, click logs, remediation actions) for the retention period defined in the Compliance Framework.
Campaign planning, example scenarios and small-business use cases
Start simple: 1) credential-themed email claiming suspicious login; 2) invoice/finance request to finance group; 3) HR update to all staff. For a small business of 25–100 employees, run a baseline campaign, then two targeted campaigns and one company-wide awareness month per quarter. Example: baseline shows 27% phish-prone for general staff; run focused finance scenario for finance group, reduce finance phish-prone from 40% to 12% after 90 days with follow-up microtraining. Document each campaign’s objective, template, recipient list, time window, and results in a compliance evidence binder (spreadsheet + exported logs + screenshots).
Metrics, KPIs and compliance evidence
Key metrics to collect and store: click-through rate (CTR), report rate (users who used “Report Phish”), time-to-report median, training completion rate within SLA, phish-prone percentage by cohort, and repeat-offender list. Set realistic targets (example roadmap: reduce overall phish-prone rate to <15% in 3 months, <7% in 12 months). For auditors, export raw campaign logs, email content, landing page snapshot, and training completion records; include an executive summary and risk acceptance statements for any residual high-risk user groups.
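The KPIs listed above, computed over a constructed sample click log, added here as an example (not from the original post or any simulation tool); phish-prone percentage is taken as clicks divided by emails sent per cohort, and the training SLA as 72 hours after the click, both assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real data): one row per recipient per campaign, metadata only.
# Columns: campaign, user, cohort, sent, clicked, reported, training_done (ISO time or None)
LOG = [
    ("C1", "u1", "finance", "2024-03-01T09:00", "2024-03-01T09:05", None, "2024-03-02T10:00"),
    ("C1", "u2", "finance", "2024-03-01T09:00", None, "2024-03-01T09:20", None),
    ("C1", "u3", "general", "2024-03-01T09:00", "2024-03-01T11:00", None, None),
    ("C1", "u4", "general", "2024-03-01T09:00", None, "2024-03-01T09:40", None),
    ("C1", "u5", "general", "2024-03-01T09:00", None, None, None),
    ("C2", "u1", "finance", "2024-04-01T09:00", None, "2024-04-01T09:12", None),
    ("C2", "u2", "finance", "2024-04-01T09:00", None, "2024-04-01T09:10", None),
    ("C2", "u3", "general", "2024-04-01T09:00", "2024-04-01T09:45", None, "2024-04-02T09:00"),
    ("C2", "u4", "general", "2024-04-01T09:00", "2024-04-01T10:00", None, "2024-04-06T09:00"),
    ("C2", "u5", "general", "2024-04-01T09:00", None, None, None),
]


def _ts(s):
    return datetime.fromisoformat(s) if s else None


def campaign_metrics(log, campaign, sla_hours=72):
    """KPIs for one campaign. Phish-prone % = clicks / sent per cohort (assumption)."""
    rows = [r for r in log if r[0] == campaign]
    clicked = [r for r in rows if r[4]]
    reported = [r for r in rows if r[5]]
    ttr = [(_ts(r[5]) - _ts(r[3])).total_seconds() / 60 for r in reported]  # minutes
    cohorts = defaultdict(lambda: [0, 0])  # cohort -> [sent, clicked]
    for r in rows:
        cohorts[r[2]][0] += 1
        cohorts[r[2]][1] += bool(r[4])
    # Clickers whose micro-training was completed within the SLA window after the click.
    trained = [r for r in clicked
               if r[6] and (_ts(r[6]) - _ts(r[4])).total_seconds() <= sla_hours * 3600]
    pct = lambda a, b: round(100 * a / b, 1) if b else None
    return {
        "ctr_pct": pct(len(clicked), len(rows)),
        "report_rate_pct": pct(len(reported), len(rows)),
        "median_time_to_report_min": median(ttr) if ttr else None,
        "phish_prone_pct_by_cohort": {c: pct(h, n) for c, (n, h) in cohorts.items()},
        "training_within_sla_pct": pct(len(trained), len(clicked)),
    }


def repeat_offenders(log, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns (escalation list)."""
    clicks = defaultdict(set)
    for r in log:
        if r[4]:
            clicks[r[1]].add(r[0])
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)
```

Running `campaign_metrics(LOG, "C1")` and `campaign_metrics(LOG, "C2")` side by side shows the finance cohort dropping from 50% to 0% phish-prone while `repeat_offenders(LOG)` surfaces the one general-staff user who clicked in both campaigns.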
Compliance tips and best practices
Tips: 1) Obtain legal and HR sign-off upfront and document their approval; 2) Avoid collecting sensitive personal data in simulation logs and protect logs with encryption and limited access; 3) Notify employees generally (policy statement) that simulations occur without revealing timing or specifics; 4) Use ethical templates that test behavior without embarrassing individuals; 5) Retain anonymized executive-level reporting for leadership and detailed logs only for auditors and program owners; 6) If you must reset credentials when a user enters a real password, define that procedure in incident response workflow and record the action.
In summary, meeting ECC Control 1-10-1 requires a documented, repeatable program that combines realistic phishing simulations with measurable awareness and remediation workflows; small businesses can implement this with pragmatic segmentation, low-cost tooling, clear governance, and consistent evidence collection to both reduce phishing risk and pass compliance audits.