You can have the latest and greatest security technology, but it will be of limited use unless your staff understand their role and responsibilities in safeguarding your business.
It is also important to realise that staff security training never ends. Staff change, their roles change, people require refreshers or reminders and the cyber threats to organisations change and evolve. Below are some of the things you should consider when developing security training for your staff.
Note: different organisations, industries, technologies and businesses will have different requirements and will be exposed to different risks. Please consult an IT security professional if you are unsure what your staff should be taught.
Set the Rules, Policies and Procedures
You should already have the rules, policies and procedures in place to help your staff practise good cybersecurity behaviour.
For example, while it's important to educate staff on following good password practices (such as strong passwords, separate passwords for each account, biometric authentication), it's also important that your organisation has already set the rules that support this. Where possible, are systems set up so that they only allow strong passwords? Do they prompt users to change passwords after a specified timeframe? Do you have a policy that states staff must set strong passwords and not share their login details? What are the consequences?
Learn more about Cyber Security Policies, Acceptable Use Policies and BYOD policies.
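The paragraph above asks whether your systems only allow strong passwords. As an added example (not code from the original article), here is a small Python policy check of the kind a sign-up or password-change form can run server-side, so the rule is enforced by the system rather than left to the user. The minimum length of 12, the banned-password sample and the organisation words are assumed values for illustration; a real deployment would load a far larger banned list from a file.

```python
from __future__ import annotations
import re

# Constructed sample of a banned-password list; in practice this would be a large
# file of leaked and common passwords, checked the same way.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "summer2023", "changeme",
}

MIN_LENGTH = 12  # assumed policy value; adjust to your own policy


def _normalise(pw: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, and undo common
    letter-for-symbol substitutions so 'P@ssw0rd1!' still matches 'password'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})
    return core.translate(table)


def check_password(candidate: str, username: str = "", org_words=()) -> list[str]:
    """Return the list of policy rules the candidate breaks; an empty list means accepted."""
    failures: list[str] = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(candidate)) < 5:
        failures.append("too few distinct characters")  # e.g. 'aaaaaaaaaaaa'
    norm = _normalise(candidate)
    if norm in COMMON_PASSWORDS or candidate.lower() in COMMON_PASSWORDS:
        failures.append("appears in the banned/common password list")
    if len(username) >= 3 and username.lower() in candidate.lower():
        failures.append("contains the username")
    for word in org_words:  # company name, product names, office location
        if len(word) >= 3 and word.lower() in norm:
            failures.append(f"contains organisation word '{word}'")
    return failures


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Alice2024Secure!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, username="alice", org_words=("acme",)) or "accepted")
```

The normalisation step matters: users who are told "password1" is banned will try "P@ssw0rd1!", which is just as guessable. On the separate question of prompting users to change passwords after a set time, note that NIST SP 800-63B advises against forcing periodic rotation unless there is evidence of compromise, because it tends to produce predictable variations rather than stronger passwords; a banned list plus length is the better system-enforced control.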
Staff should understand that even clicking a link just to view a page can compromise their computer and your network and create unwanted problems without their knowledge. They should also know not to open suspicious links in email, tweets, posts, online ads, messages or attachments – even if they know the source.
They should be educated about threats such as ransomware and phishing, and about prevention methods such as antivirus software and staying safe when using Google Search.
All staff should be responsible for accepting current virus protection software updates on company PCs and portable devices. Staff should know not to plug in personal devices like USB drives, MP3 players and smartphones without permission from IT.
Instruct staff on your company's spam filters and how to use them to prevent unwanted email, and on why it's important to accept software updates if this responsibility falls to them.
Protecting Company Information
It's important to stress to staff their role in protecting company information and how you expect them to do this. Some ideas to discuss (and put policies around):
- Portable devices
- Work in user mode, not admin mode, whenever possible
- Always lock computers and mobile phones when not in use
- Educate your staff not to give out confidential information that could compromise your company, whether over the phone or online
- Forwarding emails and attachments without reviewing the content of the email chain or attachments
- Use of passwords, strong passwords, and the risks of sharing passwords/logins
Check out preventing data theft and tips for creating a strong password.
Do your staff work from home? What devices are they allowed to use? Do you require them to use a VPN (virtual private network)? Staff should be educated on your company policy regarding the use of devices not owned or supported by your business. You probably don't want staff to use an unprotected computer (e.g. one without the latest virus definitions or security patches, or one without a firewall), as it will leave your business and your business's information vulnerable.
Your company should have clear rules for what employees can install and keep on their work computers. Make sure they understand and abide by these rules.
Advise staff that unknown outside programs can open security vulnerabilities in your network. In addition, some programs can conflict with other programs or operating systems and cause issues.
Also, your organisation should be tracking the software that is governed by licensing agreements to make sure you are not in breach of your agreement.
Use Secure Wi-Fi
Inform staff how to use Wi-Fi securely. Many assume that the Wi-Fi provided by airports and cafes is fine to use for email or for accessing confidential information. Check out How to use Wi-Fi securely.
Train your staff on safeguarding their computers and mobile devices from theft by locking them or keeping them in a secure place. Educate them on using common sense and not leaving portable devices where they can be seen (such as through a car or office window).
Backing up Their Work
Whether you set your staff's computers to back up automatically or ask that they do it themselves, staff should be instructed on their role in protecting their work. Critical information should be backed up routinely, with backup copies kept in a secure location.
Make sure your staff know to avoid emailed or online links that are suspicious or from unknown sources. Such links can release malicious software, infect computers and steal company data. Your organisation should establish and publicise safe browsing rules and limits on employee Internet usage in the workplace.
Staff should know which websites to trust for information and how to identify secure webpages. You might also like to provide them with tips on how to stay safe when shopping online.
Responsible email use is one of the best ways of preventing data theft. Staff should be aware of scams and not respond to email they do not recognise. Educate them on the risk of social engineering. Make sure your staff know to only open emails that:
- Come from someone they know.
- Come from someone they have received mail from before.
- Are something they were expecting.
- Do not look odd, with unusual spellings or characters.
- Pass your anti-virus program.
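Several of the rules above (a known correspondent, unusual spellings or characters in the address) can also be checked by the mail system before a message reaches the inbox. As an added example that is not part of the original article, the Python below inspects a From: header and returns plain-language warnings: the organisation's domain, the set of previously seen senders and the sample headers are all constructed values for illustration, and in practice the known-sender set would come from the mail server's history.

```python
from __future__ import annotations
import re
from email.utils import parseaddr

# Constructed values for the example: our own domain and addresses staff have
# corresponded with before (a real deployment feeds this from the mail server).
OUR_DOMAIN = "example.co.nz"
KNOWN_SENDERS = {"supplier@partner.example", "jane@example.co.nz"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_warnings(from_header: str) -> list[str]:
    """Return reasons a From: header looks suspicious; an empty list means nothing found."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no usable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if addr.lower() in KNOWN_SENDERS:
        return []  # the 'received mail from before' rule
    warnings: list[str] = []
    # Unusual characters: anything outside ASCII, or an internationalised domain
    # label encoded as punycode (xn--), both used to mimic familiar names.
    if any(ord(ch) > 127 for ch in addr) or any(l.startswith("xn--") for l in domain.split(".")):
        warnings.append("non-ASCII or punycode characters in sender address")
    # Lookalike of our own domain: a swapped, added or substituted character.
    if domain != OUR_DOMAIN and _edit_distance(domain, OUR_DOMAIN) <= 2:
        warnings.append(f"domain '{domain}' closely resembles our own '{OUR_DOMAIN}'")
    # Display name shows one address while the real sender is somewhere else.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != domain:
        warnings.append("display name shows a different email domain than the real sender")
    if domain != OUR_DOMAIN:
        warnings.append("first message from this external sender")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, including a Cyrillic 'а' in place of the Latin 'a'.
    for hdr in ("Jane Smith <jane@example.co.nz>",
                "IT Helpdesk <helpdesk@examp1e.co.nz>",
                '"accounts@example.co.nz" <billing@mail-service.example>',
                "Payroll <payroll@exаmple.co.nz>"):
        print(hdr, "->", sender_warnings(hdr) or "ok")
```

The edit-distance check is the piece staff cannot reliably do by eye, and it is the kind of check that turns the "does not look odd" rule into something the system flags for them; a warning banner on the message is usually enough, as outright blocking on these heuristics alone would reject legitimate first-time contacts.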
Educate your staff on your expectations around social media and what your social media policy dictates that they can and cannot do. For example, you may prohibit the use of social media tools to discuss, promote or comment on company activities, staff, customers or the organisation unless company approval has been gained.
At the very minimum, you should communicate to staff your expectations around the use of a company email address to register for, post to or receive social media.
Social Media Privacy Settings
Inform staff that it is highly recommended to apply maximum privacy settings on their social media accounts such as Facebook, Twitter and Google+. Ask them to make sure that only their contacts can see their personal information such as birth date, location, etc.
Educating them about good practice outside of the workplace can still benefit your organisation. By limiting the personal information available online, the vulnerability to phishing attacks as well as identity theft can be reduced.
Learn more about Social Media Privacy settings.
Make sure you communicate your mobile device policy to your employees for company-owned and personally owned devices used during the course of business.
Also check out keeping your portable devices secure.
Importance of Reporting
Your training should stress the importance of reporting a security incident immediately. Staff should be encouraged to stay watchful and speak up if they notice strange things occurring on their computer. Staff should know the process to follow when an incident occurs, who they should report it to, and any paperwork they may be required to complete.
Take a look at our articles about Establishing an Incident Management Plan and an emergency incident checklist.
You should try to develop a culture where staff are not 'scared to report' and instead take an active role in security. If they become aware of an incident, even after it has happened, reporting can often mean something can be done to minimise the damage.
Remind staff that stolen devices can be an entry point for attackers to gain access to confidential data and impress on them the urgency of immediately reporting lost or stolen devices. Often the IT provider can remotely wipe devices so early discovery can make all the difference.
Staff should agree somewhere (either in their employment agreement or as part of a policy) that they will practise good cyber security behaviour.
You should provide them with regular training to ensure they continue to understand your requirements and are aware of any changes or new threats.
Make the training relevant to their home life too - they then personally benefit from the training and can be safe outside of work as well. You might like to recommend they complete the Digital Citizenship assessment.
It is designed for home users, takes 10 minutes to complete, and will provide recommendations on how they can stay safe online.
Remember, the more security savvy your staff are, the more protected your business is.