Awareness
When driving a car we are expected to learn the ‘rules of the road’ so we understand both the risk of our actions and expectations on our behaviours. In cyber security we call this awareness, a structured way for you and your users to understand what risks there are and how they should act to reduce them (and keep themselves cyber-safe).
In a bit more detail:
Awareness is the result of everyone in your business having a broad understanding of cyber security and its associated risks, as well as the behaviours they should undertake to keep themselves and the business safe. From the moment someone joins your company, the coaching begins in the form of onboarding inductions and continues throughout their employee lifecycle, including regular refresher sessions and role-specific training.
Here are 4 quick wins to start you on your cyber-health journey to improve cyber awareness:
Understand your business’s cyber security awareness needs
The way each business runs is unique, but there are common cyber risks that apply to almost all companies.
To supplement the common risks, understanding the business specific cyber risks will help you generate more awareness to keep your business safe.
Some simple steps you can take to understand your awareness needs are:
- Ensure your employees understand what a phishing attack is and what action to take, as almost all businesses use email
- Create awareness on what information can and can’t be shared as almost all businesses hold confidential information
- Map out how your business interacts with the outside world and target awareness in those areas that would be impacted most if information was lost or publicly exposed
Generate/buy awareness material
Now that you understand where to focus your efforts, your business can look to find the right way to create awareness within your company. How this is done will be based on your business’s structure.
Some simple steps you can take to create awareness material are:
- Source or buy online training content for your users; there are lots of free and paid options
- Create awareness content based on how your business operates and keep it simple
- Update your awareness content on a regular basis to keep it relevant
Distribute awareness content
Awareness content is only useful if it is used and can be easily accessed. Once you have your awareness content, it needs to be distributed. This can be done in various ways and forms.
Simple steps you can take to distribute your awareness content are:
- Send company-wide comms on your awareness campaign, e.g., call an all-staff or department meeting to explain the importance of cyber awareness
- Send employees links to material and training that you have created or selected
- Require users to send confirmation that they have read and understood the material and train them at least annually
Targeted training for high-risk communities
Employees with the most access to sensitive company information are most likely to be targeted by attackers. This will include people such as system administrators and business executives.
This community may need enhanced awareness training.
Some simple steps you can take to protect these users:
- Identify those within your company that have a high level of access to your systems or those that hold executive power (such as directors)
- Create awareness focused on the additional risks their position poses (e.g., a director who has their email hacked could cause damage by sending damaging false emails from their account)
- Train this community of users more frequently to maintain their level of awareness