Documenting and training staff in your organisation's cyber security systems and plans helps drive a clear and shared understanding of expectations and culture. Cyber security documentation loses its value if staff are not made aware of its existence and use.
Staff will always be an organisation's greatest asset and greatest risk---especially when it comes to cyber security. One wrong click by a staff member, whether intentional or not, can destroy networks.
Improving staff awareness of cyber security issues and threats, including the risk environment for your organisaiton, needs to be a priority for all businesses, and there are some easy and effective ways to do it.
Promote your processes and documentation
Design a program
Design a program to be delivered over the next year or two, based around the current awareness level and goals for improvement. Basic components should include:
training for new starters
refresher training for existing staff members
regular communication to staff about cyber threats
reminders about safe online behaviour, both at work and at home.
Many staff members are cyber-weary, hearing constant messages about password safety, clicking only on safe links and so on. Awareness programs need to be fresh and empowering, not repetitive and arduous. Develop training and information that is interesting to staff, highlighting the value for them as well as the organisation.
Use examples to illustrate the risks
There are plenty of case studies in the news to choose from when it comes to cyber breaches or system infections---many stemming from accidental clicks or malware. You're your staff about the specific impacts of a cyber incident, to bring the value of practising safe online behaviour to life.
Keep it relevant
Ensure awareness messages are current and relevant to your industry and specific business needs. For example, if employees are allowed to connect their own devices to an organisation's network, explain the risks and need for the devices to meet basic security requirements.
Make the content relevant to your staff, not just your business. Many of the same cyber security measures you might want your staff to do in the workplace are also relevant at home, and showing how cyber security can protect their family's safety can greatly increase the impact of your messaging.
Throughout the year, many events can be linked to online threats and risks to individuals and business. For example, Valentine's Day is a prime time for an attacker to send false emails asking people to click on links or open attachments about collecting flowers. At tax time, attackers have used logos and text to claim their malicious messages were from the government. These events could present opportunities to raise awareness around security.
Treat cyber security as another risk that can impact all areas of business, rather than just as an 'IT problem'.
Boards and directors must become comfortable with the challenge of understanding cyber security risks. Add a regular cyber security update to the board agenda to raise visibility and understanding at the highest level.
Everybody loves to feel clever, so teach staff how hackers access networks or how malware deploys and what it does to systems---perhaps through an online game.
The more an employee understands, the more real the risk becomes for them and the safer their behaviour. Consider offering short secondments to IT security teams to practically demonstrate how networks are protected.
Consider including rewards in security awareness, such as creating a social media competition, a short online quiz or a problem-solving scenario. Encourage employees to contribute ideas to staying safe online. Reward those employees who are proactive and highlight risks or threats before they become incidents.
Promote safe behaviour to customers
Promote safe behaviour relevant to your business through channels like social media. For example:
retailers could provide safe online shopping tips
financial services businesses might highlight the risk of sharing passwords and using unsecure Wi-Fi networks.
Extend training to suppliers
Work with your IT or information security contacts at your suppliers to ensure they get appropriate training. Establish minimum security standards that suppliers must comply with and validate compliance through audits.
Measure the results
Programs can only be improved if they are assessed and results are measured. For example, you could consider sending employees fake emails to test whether they are practicing safe online behaviours.