Guide - improving staff awareness

Staff are always an organisation’s greatest asset and its greatest risk, especially when it comes to cyber security. One wrong click by a staff member can compromise an entire network.

Improving staff awareness of cyber security issues and threats needs to be a priority for all businesses, and there are some easy and effective ways to do it.

Many staff members are cyber-weary, having heard the same messages about password safety, which links are safe to click and so on. Awareness programs need to be fresh and empowering, not repetitive and arduous. Develop training and information that is interesting to staff, and highlight what is in it for them.

Here are some practical ideas to improve staff awareness:

Design a program

Design a program to be delivered over the next year or two. It should record the current level of awareness as a baseline and set measurable goals for improvement. Basic components should include training for new starters, refresher training for existing staff, regular communication about current cyber threats and reminders about safe online behaviour. Regular newsletters, posters in visible locations and desktop screen savers all help keep the program visible year round. Track the program’s success against its goals and use the results to fine tune future programs.

Use examples to illustrate the risks

There are plenty of case studies in the news to choose from when it comes to cyber breaches and system infections, many of which began with an accidental click or interaction with malware. Use them to educate staff about the concrete impacts of a cyber incident, as well as the value of practising safe online behaviour.

Keep it relevant

Ensure awareness messages are current and relevant to your industry and your business. If employees are allowed to connect their own devices to the organisation’s network, explain the risks involved and why those devices must meet basic security requirements before they connect.

Throughout the year, many events can be linked to online threats and risks to individuals and businesses. For example, Valentine’s Day is a prime time for attackers to send fraudulent emails asking people to click a link or open an attachment to arrange a flower delivery. At tax time, attackers have copied government logos and wording to pass their malicious messages off as official. These events are opportunities to raise awareness at the moment the lure is most convincing.

Involve employees

Everybody loves to feel clever, so teach staff how attackers get into networks, how malware deploys and what it does to systems, perhaps through an online game. The more an employee understands, the more real the risk becomes for them and the safer their behaviour. Short secondments to the IT security team, where staff see for themselves how the network is protected, are another way to achieve this.

Board-level buy-in

Treat cyber security as another business risk that can impact all areas of the organisation, rather than as just an ‘IT problem’.

Boards and directors must become comfortable with the challenge of understanding cyber security risks. Add a regular cyber security update to the board agenda to raise visibility and understanding at the highest level.

Get competitive

Consider building rewards into the awareness program, such as a social media competition, a short online quiz or a problem-solving scenario. Encourage employees to contribute their own ideas for staying safe online, and reward those who are proactive and report risks or threats before they become incidents.

Promote safe behaviour to customers

Promote safe behaviour through channels like social media. Retailers could provide safe online shopping tips; financial services businesses could highlight the risks of sharing passwords and using unsecured Wi-Fi networks.

Extend training to suppliers

Work with the IT or information security contacts at your suppliers to ensure training programs are made available to them. Establish minimum security standards that suppliers must meet and validate compliance through audits.

Measure the results

Programs can only be improved if they are assessed and the results measured. For example, staff could be sent simulated phishing emails to test whether safe online behaviours are being put into practice. Measure not only how many people clicked but also how many reported the message, since a staff member who reports a suspicious email gives the organisation a chance to respond before any damage is done.
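The following is an added example of how the results of a simulated phishing exercise might be scored; it is not part of the original guide. It assumes a simple event log with one line per recipient action (sent, opened, clicked, submitted, reported), which is constructed here for illustration, and it reports click and report rates per department, the number of people who reported without clicking, and how quickly the first report arrived.

```python
"""Score a simulated-phishing campaign from per-recipient event logs.

Added example, not part of the original guide. The log format and the
sample data below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <user> <department> <action>".
# Actions: sent, opened, clicked, submitted (entered credentials), reported.
SAMPLE_EVENTS = """\
2024-03-04T09:00:00 alice finance sent
2024-03-04T09:00:00 bob finance sent
2024-03-04T09:00:00 carol sales sent
2024-03-04T09:00:00 dave sales sent
2024-03-04T09:02:10 alice finance opened
2024-03-04T09:03:30 alice finance reported
2024-03-04T09:05:00 bob finance opened
2024-03-04T09:05:40 bob finance clicked
2024-03-04T09:06:15 bob finance submitted
2024-03-04T09:10:00 carol sales clicked
2024-03-04T09:12:00 carol sales reported
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, department, action), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, action = line.split()
        events.append((datetime.fromisoformat(ts), user, dept, action))
    events.sort(key=lambda e: e[0])
    return events


def score_campaign(text):
    """Return per-department and overall metrics for one campaign.

    Only the first occurrence of each action per user counts, so a user who
    clicks twice is still one click. Users with no 'sent' event are ignored.
    """
    first = defaultdict(dict)  # user -> action -> first timestamp
    dept_of = {}
    for ts, user, dept, action in parse_events(text):
        dept_of[user] = dept
        first[user].setdefault(action, ts)

    counts = defaultdict(lambda: defaultdict(int))  # group -> metric -> n
    for user, acts in first.items():
        if "sent" not in acts:
            continue
        for group in ("all", dept_of[user]):
            counts[group]["sent"] += 1
            for action in ("clicked", "submitted", "reported"):
                if action in acts:
                    counts[group][action] += 1
            # The best outcome: the lure was recognised and reported
            # without ever being clicked.
            if "reported" in acts and "clicked" not in acts:
                counts[group]["reported_without_clicking"] += 1

    groups = {}
    for group, c in counts.items():
        sent = c["sent"]
        groups[group] = {
            "sent": sent,
            "clicked": c["clicked"],
            "submitted": c["submitted"],
            "reported": c["reported"],
            "reported_without_clicking": c["reported_without_clicking"],
            "click_rate": c["clicked"] / sent,
            "report_rate": c["reported"] / sent,
        }

    # How long the organisation waited before anyone raised the alarm.
    sends = [a["sent"] for a in first.values() if "sent" in a]
    reports = [a["reported"] for a in first.values() if "reported" in a]
    first_report = (min(reports) - min(sends)).total_seconds() if reports else None

    return {"groups": groups, "seconds_to_first_report": first_report}


if __name__ == "__main__":
    result = score_campaign(SAMPLE_EVENTS)
    for group, m in sorted(result["groups"].items()):
        print(f"{group:8} sent={m['sent']} click_rate={m['click_rate']:.0%} "
              f"report_rate={m['report_rate']:.0%} "
              f"reported_without_clicking={m['reported_without_clicking']}")
    print("seconds to first report:", result["seconds_to_first_report"])
```

Tracking the report rate and the time to first report alongside the click rate gives a fairer picture of the program: a department where half the staff click but everyone reports is in a better position than one where nobody clicks and nobody reports, because the first gives the security team something to act on.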