10 Steps to Cyber Security: Step 5 – User Education and Awareness

It is important to ensure that the employees within your business have been trained, or at least given a minimum level of security information. This benefits the company because it reduces human error, for example an employee opening a phishing email or an attachment from an unknown sender.

What is the risk?

Employees who have not been educated are unlikely to be aware of the following risks:

  • Removable media and personally owned devices – employees need to know that connecting unknown devices to the corporate infrastructure may unintentionally import malware. This could disrupt systems or allow attackers to gain access to sensitive information.
  • Legal and regulatory sanction – ensuring that employees know how to handle confidential information helps prevent the organisation from becoming subject to legal or regulatory action.
  • Incident reporting – ensuring that employees know how and to whom to report an incident, and can describe clearly what happened, helps the security team to respond quickly and to recover lost or deleted information.
  • Security operating procedures – ensuring that the correct procedures are in place and that employees only have access to the information or data they need for their role.
  • External attack – ensuring employees are knowledgeable enough to spot a potential phishing or social engineering attack, and know what to do if they think someone is using those methods to gain access to the business's systems.
  • Insider threat – this could be an employee whose personal situation makes them vulnerable to coercion, or a disgruntled or dismissed employee trying to damage the business's reputation. They may try to abuse their system privileges, or attempt to steal or physically damage computer resources.

How can the risk be managed?

The risks listed above can be managed by putting the following procedures in place:

  • Produce a user security policy – ensure your business has a security policy in place, one that explains to all employees, whatever their position within the business, what action should be taken. The policy should set out actions and procedures for different roles.
  • Establish an employee induction process – any new users, including contractors and third-party users, should be made aware of the security policies and of the disciplinary action that may follow if they do not comply with them.
  • Maintain user awareness – ensure users understand the security risks the business faces. This may be done through regular refresher training and by providing somewhere employees can raise questions or discuss concerns.
  • Support the formal assessment of security skills – encourage your employees to enrol on recognised certification schemes. Some roles, such as system administrators, forensic investigators and incident management team members, may require specialist training.
  • Monitor the effectiveness of security training – find a way to test whether the policies in place are being followed. This will show whether more training is required, and ideally allows easy dialogue between the security team and users when issues arise.
  • Promote an incident reporting culture – employees should feel able to voice concerns about poor security practices, or about the way incidents are dealt with, without fear of recrimination. The process should be easily understood by all employees, and any issues raised should be taken seriously.
  • Establish a formal disciplinary process – while employee training is taking place and security policies are being explained, employees should also be made aware that any misconduct or abuse of those policies will result in disciplinary action being taken against them.

For more information please email [email protected]
