September 21, 2020
Cybersecurity article series:
- Cybersecurity risk analysis
- Staff training
- Detecting a breach and immediate action
- Recovering from a breach
Training Staff on Cybersecurity
All it takes is one click on the wrong link by one staff member and your data and systems are at risk.
Every single person in your organisation is responsible for your company’s information security. The responsibility no longer rests solely with the IT team and firewalls. Your staff must be made aware and engaged, or even the most sophisticated safeguards become useless.
Cyber awareness must be integrated into the culture of a business to ensure that staff at every level understand their role in keeping data, hardware and personnel safe. A robust and constantly evolving staff training program is key to building that awareness.
Cyber awareness training should begin as early as possible for new staff members; there is even an argument for asking some basic information security questions at the interview stage for a new hire. Certainly, training should begin no later than at the time of onboarding and must be constantly evolving to adapt to current threats, new business practices or policies and updated technology. Conducting a needs assessment for a training program is a good place to start building. This assessment should include:
When you are ready to put together the content for your training program, start with the basics. Some people will already know much of the information, but you must ensure that all staff are reminded of this information as it is easy to get complacent.
Keeping up with the ever-changing threats to our data and systems can be a daunting task, but knowledge of new threats and effective countermeasures will help to keep your business ahead of malicious actors. Including a discussion of the current threat landscape in your training program will keep your staff knowledgeable on what they should be keeping an eye out for. There are several useful resources that provide up-to-date security and threat information to help you stay informed.
Training logs are a key component in any training program. Used properly, they ensure accurate training records and can help to identify deficiencies. If a security incident occurs, training logs should be reviewed to identify any gaps in knowledge caused by personnel being absent or a missing training component. They should not be used to single out a staff member who completed your training but still made a mistake. Instead, use the training records to review whether your training was truly effective and to update it if necessary.
The key to ensuring your data is secure is having a team that is aware that your business is a target, regardless of how large or small it might be. Personal data is everywhere, and we all have a responsibility to keep it as safe as possible. Without a training program that gives your staff the tools to provide a proactive defence against malicious actors, events can quickly and easily cascade into large-scale incidents. Those large-scale incidents are the ones that pop up on page 1 of a Google search for your business later. An aware and knowledgeable team is the best way to mitigate the financial and reputational risks your business faces.