We recently reported on a Cisco survey, which found that staff are the biggest cyber security threat to UK businesses. Only 61% of respondents thought their company had a security policy, but 48% claimed they weren’t concerned about it as it didn’t affect them. 37% said they only became aware of a corporate security policy when their security settings stopped them doing something.
Another survey, by SailPoint, found that employees are indifferent to protecting corporate data: 56% reuse passwords across the personal and corporate applications they access daily, and as many as 14% of employees use the same password for all applications. Moreover, one in seven employees admitted they would sell their passwords for as little as US$150.
Raising staff awareness is undoubtedly one of the biggest challenges for organisations when it comes to cyber security.
Faced with rising cyber threats and a multitude of security regulations, standards and emerging technologies, organisations must take a proactive approach to raising staff awareness. Most importantly, they need to ensure their approach is effective. Here are a few tips on how to start:
1. Rigorously enforce security policies
Ensure that your information security policy is up to date and employees adhere to it. This may require regular input from your IT team in the form of email reminders, updates and help with password resets and other security issues. Emails or verbal reminders are often ignored, so organisations should consider alternative methods to educate employees. While updates from the IT department on new threats and security issues are useful, they should be combined with more effective methods designed to not only inform, but also test your employees’ understanding and knowledge.
2. Consider a staff awareness method that will suit your organisation and employees
Carefully consider your requirements, objectives and resources before selecting a training method so that you find the one that will best suit your organisation. In principle, the options with the widest application for educating non-technical staff are in-house training and web-based e-learning.
In-house training is similar to a classroom-based approach, but is delivered by a consultant or trainer to staff in their own workplace. In-house training addresses the need to train large numbers of staff in a particular discipline on a one-off basis, and is more adaptable to the needs of a particular organisation. In-house training is less flexible than e-learning as it depends on the availability of all staff on the day of training and the teacher’s timetable.
E-learning is the flexible alternative to in-house training, and allows delegates to learn in their own time, in a location of their choice, but still within the carefully structured confines of a formal learning course. Students’ performance is automatically assessed online, reducing administration and providing automatic records suitable for audit.
3. Decide on the contents of the course
Once you have chosen your preferred method, you need to make sure the staff awareness course meets your requirements as closely as possible.
Are you looking for a generic information security course, or do you need to address security awareness training for compliance with ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS) or the Data Protection Act (DPA), for example?
Both the in-house and e-learning options provide you with the opportunity to tailor the course to your needs as well as producing evidence that training has taken place, which might be necessary to meet compliance requirements.
4. Test your employees’ knowledge
Telling employees what to do is not sufficient. You should test their knowledge after they have taken a course. Those who do not pass should re-sit the tests. This is particularly simple with an e-learning course. You might also want to see if they actually follow your corporate guidelines by staging a test situation and monitoring their behaviour.
5. Select your training organisation
Most organisations rely on external specialist providers to deliver staff awareness training as this not only saves time, but also ensures the course is fit for purpose and the desired objectives will be achieved.
When choosing your provider it is important that you take into account their reputation, credentials and qualifications, and pricing.