People are often the weakest link when it comes to business security lapses. Here’s a guide to getting started with security training and awareness for your staff.
Educate your staff about the dangers
Assume that most of your employees will know little about the dangers that exist on the Internet and the threats to your business. Arrange a training session for employees, either all at once or in groups, depending on the size of your business.
If you don’t feel you have the expertise in-house to do this, hire a specialist consultant to do the awareness training. However you do it, ensure the training includes essentials such as guarding against malware, protecting passwords, identifying and preventing a phishing attack, protecting company data and safe mobile computing. Assuming you have put the technical resources in place for security, such as endpoint security software and network firewalls, much of the training can focus on soft skills such as not falling for social engineering tricks.
Try and make the sessions as friendly as possible and be realistic about the threats without sensationalizing them. You want your staff to feel motivated about security and protecting the business, not scared into inactivity. People are more likely to be more security aware if they feel they are part of a team and have a shared responsibility for the sustainability of the business.
Produce a safer computing guide
A printed set of guidelines on safer computing is highly desirable. This should include information on the threats and data risks that would have been covered in your training sessions. It should also make staff aware of the company’s security policies and the acceptable use of all company IT equipment – this would include not just security measures but also what is not allowed such as visiting gambling or adult sites (see below).
These days, many staff bring their own devices to work and their use should be covered in the guide. It should also make staff aware of their responsibilities to protect company data and equipment. Make it better than the average company booklet. Make it interesting and engaging: use illustrations if possible to highlight security issues and list examples of real life scams. Ensure every member of staff has a copy and that all new staff are given a copy as part of a welcome pack. Finally, because online security changes all the time, the guide should be reviewed and revised as often as needed.
Draft an Acceptable Use Policy
Depending on the size of your business its important that you get employees to read and sign an Acceptable Use Policy (AUP) agreement. This will outline exactly what is and isn’t allowed when using company IT equipment, networks and email services. It should also make clear what the penalties are for breaking the rules. Remember that the company may well be held responsible for data breaches caused by employee negligence or illegal activities committed on company PCs. If your company is not large enough to have its own HR department then employ an employment law specialist to help you draft an AUP to make sure it is legal, fair and reasonable. Above all, make sure your employees understand that the AUP is a serious legal document, an integral part of their employment agreement, and that by signing it they are bound by its terms.
Keep reminding people about security
Threats and types of malware continue to evolve as do the legal obligations on businesses to protect data. Because of this you need to maintain security education to take account of changing conditions. Aim to hold refresher training sessions, as often as very six months, and update your security handbook as and when required. Put up posters. Put reminders on desks. Continue the dialogue with your staff and make them feel part of the process to keep the business secure. Make secure thinking second nature as much as good timekeeping or being professional with customers or clients. Security should not be an afterthought or a chore but a shared responsibility.
Author Rob Waugh, We Live Security