10 Security Awareness Issues That Show Up During Customer Due Diligence
Security awareness becomes commercially visible when customers ask for evidence. It is not enough to say the team is careful; customers may ask how staff are trained, how often awareness happens and whether records are kept.
These are the awareness issues that commonly show up during due diligence.
Customer due diligence can expose awareness issues such as missing training records, no onboarding evidence, unclear phishing guidance, weak incident reporting, no policy acknowledgement and no proof that contractors receive relevant security expectations.
Due diligence issues to prepare for
- No training completion records: Keep dates, topics, audience and completion records.
- No onboarding evidence: Record first-week security onboarding for employees and relevant contractors.
- No phishing guidance: Document phishing examples, reporting routes and reminders.
- No incident reporting process: Keep a simple reporting process and evidence it has been communicated.
- No policy acknowledgement: Track acknowledgement for core policies and security expectations.
In this list
10 Security Awareness Issues That Show Up During Customer Due Diligence
Use this list as a practical review prompt. Each item is either a visible issue, a behaviour to reinforce, a responsibility to assign or an action to take before customer, audit or growth pressure makes the gap harder to fix.
1. No training completion records
Customers may ask whether staff receive security awareness training and how completion is tracked.
What to do: Keep dates, topics, audience and completion records.
2. No onboarding evidence
If new starters are not covered, the awareness programme looks incomplete.
What to do: Record first-week security onboarding for employees and relevant contractors.
3. No phishing guidance
Customers may expect staff to know how phishing is handled and reported.
What to do: Document phishing examples, reporting routes and reminders.
4. No incident reporting process
Awareness should tell staff how to report suspicious activity or mistakes.
What to do: Keep a simple reporting process and evidence it has been communicated.
5. No policy acknowledgement
Policies are weaker if staff have not seen or acknowledged them.
What to do: Track acknowledgement for core policies and security expectations.
6. No contractor awareness
Contractors may handle customer data or systems, but are often left out of training.
What to do: Include contractors based on access level and data exposure.
7. No evidence folder
If evidence is scattered, due diligence becomes slower and more stressful.
What to do: Centralise awareness records, reminders, onboarding and policy acknowledgements.
8. No role-specific training
Customers may ask whether staff with sensitive roles receive relevant guidance.
What to do: Create additional awareness for finance, support, engineering and leadership.
9. No review cadence
Awareness that is never reviewed may look stale.
What to do: Set a review date for topics, records and effectiveness.
10. No link to wider security controls
Awareness should connect to access, incident response, data handling and vendor security.
What to do: Map awareness evidence to the controls customers ask about.
How to Turn These Issues Into Action
The fastest way to make this useful is to turn each issue into an owner, an action, a review date and a simple piece of evidence.
| Issue / Area | Action to Take | Evidence to Keep |
|---|---|---|
| No training completion records | Keep dates, topics, audience and completion records. | Owner, review date and supporting evidence |
| No onboarding evidence | Record first-week security onboarding for employees and relevant contractors. | Owner, review date and supporting evidence |
| No phishing guidance | Document phishing examples, reporting routes and reminders. | Owner, review date and supporting evidence |
| No incident reporting process | Keep a simple reporting process and evidence it has been communicated. | Owner, review date and supporting evidence |
| No policy acknowledgement | Track acknowledgement for core policies and security expectations. | Owner, review date and supporting evidence |
| No contractor awareness | Include contractors based on access level and data exposure. | Owner, review date and supporting evidence |
Which Next Step Fits?
If you need clarity
Use the quiz to identify visible security gaps across awareness, access, vendors, risk and evidence.
Take the quiz →If you need a programme
Use the toolkit to turn awareness into onboarding, reminders, scenarios, evidence and behaviour change.
View the awareness toolkit →If you need judgement
Book a consultation if awareness issues are connected to customer pressure, audit readiness or unclear leadership decisions.
Book a consultation →Security awareness next step
Turn awareness into behaviour your team can repeat.
Use practical prompts, onboarding, scenarios and evidence so security awareness does not stay as a one-off training task.
Get a Security Readiness AuditFind the gaps first
Not sure where your awareness gaps are showing?
Use the quiz to identify visible security gaps across awareness, access, vendors, risk and evidence before customer pressure makes them harder to fix.
Take the security quiz to identify gapsFrequently Asked Questions
What awareness evidence do customers ask for?
They may ask for training records, onboarding evidence, phishing guidance, incident reporting procedures and policy acknowledgement.
How should startups prepare awareness evidence?
Create a central evidence folder with completion records, topics, dates, reminders, onboarding and policy acknowledgements.
When should a startup use a readiness audit?
Use a readiness audit when customer due diligence is approaching and evidence is scattered or incomplete.