Staff training is critical to business security
An educated workforce is the main line of defence against online threats in business. For example, the best anti-virus program in the world is no good if employees don’t know how to use it. Proper training not only reduces the risk of problems at work but can also improve employees’ IT skills, make them more confident online and encourage them to use better security at home too.
How to plan training
- Train the trainer. Training is a skill in itself.
- With training, ‘little but often’ beats ‘too much occasionally’.
- Different people learn in different ways. Reinforce the message with different media: chalk-and-talk lectures, handouts, email reminders, posters, at-the-desk personal attention, staff policies and quizzes all support one another.
- Tailor the training to your company’s specific circumstances. There’s no need to train people about technology you don’t need or to train people who don’t use computers, for example.
When to train
- When staff join the company they need to be clear about the company’s security policies and routine practices like logging in and physical access to the building.
- You can build on this ‘day to day’ security soon after they join with some more general security training.
- Remedial training and company-wide reminders may be necessary in the light of a security incident or an emerging threat in the wider world.
- Annual refresher training is valuable.
- You can also give people access to this website and other online security advice for self-study.
- In each case, training should include an overview of the reasons why information security is important, including coverage of the threats and risks.
IT security syllabus
- Company-specific policies, such as appropriate use policies.
- Routine information such as how to connect to company servers, change passwords etc.
- Who to ask when they need support.
- Initial familiarisation with the risks: viruses, hackers, fraudsters, software piracy, harassment, data protection issues, protection of information assets.
Business users face many of the same challenges as home users. The main difference is that an employee puts the entire business at risk, whereas a home user is responsible only for themselves. Businesses also face further risks and threats which require additional measures.
- PC security: how to do updates, switch on a firewall, prevent viruses and spyware.
- Using a web browser safely: preventing pop-ups, avoiding dodgy sites and checking that an e-commerce or banking transaction is encrypted.
- Behavioural issues: physical security, hoax emails, phishing, passwords, fraud and identity theft and how to avoid them, and what to do if there is a problem or if they are unsure about something.
- Business issues: data protection issues, employment law, contract law, protecting sensitive company information and avoiding software piracy.
If you would like to discuss how to implement a plan for security training, give us a ring on 01239 712345 or email firstname.lastname@example.org. Funding for training is currently available from the Welsh Assembly Government.