February 6, 2017, updated 07 Feb 2017 9:37am

Getting staff to take security seriously

By John Oates

The next two years will see massive changes in enterprise cyber security. Changing regulations, which can impose fines of up to four per cent of global turnover, will put proper security at the centre of business strategy: the cost of failure is simply too big.

This means the way staff are trained needs to change too.

Relying on a box-ticking exercise when new staff join the firm just won’t cut it any more, although getting new staff trained on day one, rather than two weeks after they start, is still sensible.

The new regulations mean businesses will have to prove that they’ve done all they could possibly do to ensure the safety of data which they hold.

That means staff at every level need to understand the importance of following best practice.

But it also means creating an environment where staff are security aware but not encouraged to cover up mistakes or possible breaches.

Staff need to understand the real risks of not taking security seriously but still feel able to admit they’ve made a mistake.

Best practice is to create an atmosphere where security is seen as everyone’s responsibility, but where failures will not lead to a search for someone to blame.


The first step is to decide on a baseline of knowledge and understanding for everyone in the organisation, from board directors to the post room. This would include a check on understanding of your security and data policies, as well as knowledge of the sort of attacks your organisation is likely to face.

Once that has been achieved, you will probably need to create profiles for different types of staff so that training can be tailored to each group.

Finance and accounting staff, for instance, are more likely to be targeted by phishing attacks. Anyone involved in company procurement, or anyone else with a company credit card, needs to be aware of the dangers of card cloning and fraud.

Staff who spend time on the road need to know the dangers of rogue wireless networks, as well as keeping a close eye on their laptop and phone.

IT staff involved in setting up profiles and permissions need to be aware of the risks inherent in making mistakes.

All of this needs documenting.

An accurate log of security incidents, whether malware attacks or data losses, will tell you where your training is succeeding and where it needs more work.

Equally, you need to document how the training is working and how much of it is staying with staff.

Training once a year is not the best way to learn.

Regular and repeated education is more likely to work. Making, or buying, materials which are accessible from anywhere at any time will help staff stay up to date. And just because cyber security is serious, there’s no need for the training to be dull and boring.

Even the best training won’t solve every problem. But it can hugely reduce the risks your business is taking.

It can also minimise the damage if something does go wrong.

Security training should always include what to do if something does go wrong, or even if staff just suspect something has gone wrong.

The perfect training programme will be something staff enjoy doing, which gives them real ways to reduce risks, and which reacts quickly to changing threats.
