10 Security Awareness Issues That Show Up During Customer Due Diligence

Security awareness becomes commercially visible when customers ask for evidence. It is not enough to say the team is careful; customers may ask how staff are trained, how often awareness happens and whether records are kept.

These are the awareness issues that commonly show up during due diligence.

Quick Answer

Customer due diligence can expose awareness issues such as missing training records, no onboarding evidence, unclear phishing guidance, weak incident reporting, no policy acknowledgement and no proof that contractors receive relevant security expectations.

Due diligence issues to prepare for

  • No training completion records: Keep dates, topics, audience and completion records.
  • No onboarding evidence: Record first-week security onboarding for employees and relevant contractors.
  • No phishing guidance: Document phishing examples, reporting routes and reminders.
  • No incident reporting process: Keep a simple reporting process and evidence it has been communicated.
  • No policy acknowledgement: Track acknowledgement for core policies and security expectations.

10 Security Awareness Issues That Show Up During Customer Due Diligence

Use this list as a practical review prompt. Each item is either a visible issue, a behaviour to reinforce, a responsibility to assign or an action to take before customer, audit or growth pressure makes the gap harder to fix.

1. No training completion records

Customers may ask whether staff receive security awareness training and how completion is tracked.

What to do: Keep dates, topics, audience and completion records.

2. No onboarding evidence

If new starters are not covered, the awareness programme looks incomplete.

What to do: Record first-week security onboarding for employees and relevant contractors.

3. No phishing guidance

Customers may expect staff to know how phishing is handled and reported.

What to do: Document phishing examples, reporting routes and reminders.

4. No incident reporting process

Awareness should tell staff how to report suspicious activity or mistakes.

What to do: Keep a simple reporting process and evidence it has been communicated.

5. No policy acknowledgement

Policies are weaker if staff have not seen or acknowledged them.

What to do: Track acknowledgement for core policies and security expectations.

6. No contractor awareness

Contractors may handle customer data or systems, but are often left out of training.

What to do: Include contractors based on access level and data exposure.

7. No evidence folder

If evidence is scattered, due diligence becomes slower and more stressful.

What to do: Centralise awareness records, reminders, onboarding and policy acknowledgements.

8. No role-specific training

Customers may ask whether staff with sensitive roles receive relevant guidance.

What to do: Create additional awareness for finance, support, engineering and leadership.

9. No review cadence

Awareness that is never reviewed may look stale.

What to do: Set a review date for topics, records and effectiveness.

How to Turn These Issues Into Action

The fastest way to make this useful is to turn each issue into an owner, an action, a review date and a simple piece of evidence.

Issue / Area Action to Take Evidence to Keep
No training completion records Keep dates, topics, audience and completion records. Owner, review date and supporting evidence
No onboarding evidence Record first-week security onboarding for employees and relevant contractors. Owner, review date and supporting evidence
No phishing guidance Document phishing examples, reporting routes and reminders. Owner, review date and supporting evidence
No incident reporting process Keep a simple reporting process and evidence it has been communicated. Owner, review date and supporting evidence
No policy acknowledgement Track acknowledgement for core policies and security expectations. Owner, review date and supporting evidence
No contractor awareness Include contractors based on access level and data exposure. Owner, review date and supporting evidence

Which Next Step Fits?

If you need clarity

Use the quiz to identify visible security gaps across awareness, access, vendors, risk and evidence.

Take the quiz →

If you need a programme

Use the toolkit to turn awareness into onboarding, reminders, scenarios, evidence and behaviour change.

View the awareness toolkit →

If you need judgement

Book a consultation if awareness issues are connected to customer pressure, audit readiness or unclear leadership decisions.

Book a consultation →

Security awareness next step

Turn awareness into behaviour your team can repeat.

Use practical prompts, onboarding, scenarios and evidence so security awareness does not stay as a one-off training task.

Get a Security Readiness Audit

Find the gaps first

Not sure where your awareness gaps are showing?

Use the quiz to identify visible security gaps across awareness, access, vendors, risk and evidence before customer pressure makes them harder to fix.

Take the security quiz to identify gaps

Frequently Asked Questions

What awareness evidence do customers ask for?

They may ask for training records, onboarding evidence, phishing guidance, incident reporting procedures and policy acknowledgement.

How should startups prepare awareness evidence?

Create a central evidence folder with completion records, topics, dates, reminders, onboarding and policy acknowledgements.

When should a startup use a readiness audit?

Use a readiness audit when customer due diligence is approaching and evidence is scattered or incomplete.

References