Staff Training

An educated workforce is the main line of defence against online threats in business. For example, the best anti-virus program is no good if employees do not know how to spot a phishing email. Effective training is one of the best methods of ensuring online safety and defending against intrusion by cyber criminals, because simple human error, ignorance or omission is one of the most common causes of a security breach. Training should enable employees to build their own security knowledge, using their own reason, intuition and perception, so that they behave correctly when faced with a situation the training did not explicitly cover.

Objectives

The objective is to get employees into the habit of asking themselves the following questions and knowing the correct answers:

  • “What corporate data do I have access to?”
  • “What are the consequences of a breach … to the organisation / to me?”
  • “What are the risks?”
  • “What controls do we have in place?”

Training Approach

“I hear and I forget. I see and I remember. I do and I understand.”

There are many different methods you can use to deliver effective training. The right mix will vary according to the organisation, the audience and your messages, so the programme must be tailored to your specific needs. You should alternate between different methods, often introducing an element of fun, but always a degree of interactivity.

  • Classroom-based training can be highly interactive and is a familiar, comfortable environment for many people – especially with the presence of a trainer or coach.
  • Computer-based training is excellent for reinforcement and good for training on specific topics, which can be delivered as modules. It is normally designed to be accessible at a time and place to suit the employee. It can also include some interactivity.
  • Roadshows and presentations are especially well suited to introducing new subject matter, and for organisations with multiple sites.
  • Videos provide a highly demonstrative medium for various topics (as evidenced by YouTube).
  • Posters provide visible and consistent reinforcement on generic and specific aspects.
  • Round-table events / lunch & learns can provide a social, fun element.
  • Emails are a good vehicle for reinforcement and also to invite employees to training events.

When to Train

  • When staff join the company they need to be clear about the company’s security policies and routine practices such as logging in and physical access to the building.
  • You can build on this day-to-day security soon after they join with some more general security training.
  • Remedial training and company-wide reminders may be necessary in the light of a security incident or an emerging threat in the wider world.
  • Annual refresher training is valuable.
  • You can also give people access to this website and other online security advice for self-study.
  • In each case, training should include an overview of the reasons why information security is important, including coverage of the threats and risks.

Induction Training

  • Company specific policies, such as appropriate use policies.
  • Routine information such as how to connect to company servers, change passwords etc.
  • Who to ask when they need support.
  • Initial familiarisation with the risks, such as viruses, hackers, fraudsters, software piracy, harassment, data protection issues, protection of information assets.

General Security

Business users face many of the same challenges as home users. The main difference is that an employee's mistake puts the entire business at risk, whereas a home user is responsible only for what happens at home. Businesses also face further risks and threats which require measures beyond those a home user needs.

  • PC security: how to carry out updates, switch on a firewall, prevent viruses and spyware.
  • Using a web browser safely: preventing pop-ups, avoiding fraudulent sites, and checking that an e-commerce or banking transaction is encrypted.
  • Behavioural issues: physical security, hoax emails, phishing, passwords, fraud and identity theft and how to avoid them, what to do if there is a problem or uncertainty about something.
  • Business issues: data protection issues, employment law, contract law, protecting sensitive company information and avoiding software piracy.
