Educating your workforce is the main line of defence against online threats and breaches in information security. The best internet security software is of little use if employees do not know how to spot a phishing email, and the most robust firewall is ineffective without proper password control.
Get Safe Online's top tips...
- Thorough training on cyber and information security should be carried out from the point of an employee commencing work, and then at regular intervals.
- Tailor training to your organisation's risks and business model.
- Consider engaging an external training specialist.
Effective training is one of the best methods of ensuring online safety and defending against intrusion by cyber criminals because simple human error – ignorance, omission or relapsing back into bad habits – is one of the most common causes of a security breach. Employees need to be enabled to acquire security knowledge by using their own reason, intuition and perception in order to demonstrate the correct behaviours.
Objectives
The objective is to get employees into the habit of asking themselves the following questions as second nature – and knowing the correct answers:
- “What corporate data do I have access to?”
- “What are the consequences of a breach … to the organisation / to me?”
- “What are the risks?”
- “What controls do we have in place?”
Training approach
The well-known expression: “I hear and I forget. I see and I remember. I do and I understand” is especially true when it comes to cyber and information security.
There is a variety of methods you can use to deliver effective training. These will vary according to the organisation, the audience and your messages, so the programme must be tailored to your organisation’s specific needs. You should alternate between different methods, perhaps introducing an element of fun into the mix, but always a degree of interactivity.
- Classroom based training can be highly interactive and is a familiar, comfortable environment for many people – especially with the presence of an engaging trainer or coach.
- Computer-based training is excellent for reinforcement and good for training on specific topics, which can be delivered as modules. It is normally designed to be accessible at a time and place to suit the employee. It can also include some interactivity.
- Roadshows and presentations are especially well suited to introducing new subject matter, and for organisations with multiple sites.
- Videos provide a highly demonstrative medium for various topics (as evidenced by YouTube).
- Posters provide visible and consistent reinforcement on generic and specific aspects.
- Round-table events / lunch & learns can provide a social, fun element.
- Emails can be used for reinforcement and also to invite employees to training events.
When to train
- When staff join the company they need to be clear about the company’s security policies and routine practices such as logging in – just as they would about physical access to the building.
- You can build on this ‘day-to-day’ security soon after they join with some more general security training.
- Remedial training and company-wide reminders may be necessary in the light of a security incident or an emerging threat in the wider world.
- Annual (or more frequent) refresher training is valuable.
- You can also give people access to this website and other online security advice for self-study.
- In each case, training should include an overview of the reasons why information security is important, including coverage of the threats and risks.
Induction training
- Company specific policies, such as appropriate use policies.
- Routine information such as how to connect to company servers, change passwords etc.
- Who to ask when support or advice is required.
- Initial familiarisation with the risks, such as malware, hacking, fraud, software piracy, harassment, data protection, protection of information assets.
General security
Business users face many of the same challenges as home users. The main difference is that the actions of an employee may impact the entire business, whereas a home user is responsible only for what happens at home. In addition, businesses face additional risks and threats which require specific measures.
- Computer and mobile device security: how to carry out updates, switch on a firewall, prevent malware.
- Using a web browser safely, preventing pop-ups, avoiding fraudulent sites, checking that an e-commerce or banking transaction is encrypted.
- Behavioural issues: physical security, hoax emails, phishing, passwords, fraud and identity theft and how to avoid them, what to do if there is a problem or uncertainty about something.
- Business issues: data protection issues, employment law, contract law, protecting sensitive company information and avoiding software or other piracy.