Step #5: User Education & Awareness

This section from within the NCSC's '10 Steps To Cyber Security' concerns User Education and Awareness.

Summary

Users have a critical role to play in their organisation’s security and so it's important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.

What is the Risk?

Users have a critical role to play in helping to keep the organisation secure, but they must also be able to effectively do their jobs. Organisations that do not effectively support employees with the right tools and awareness may be vulnerable to the following risks:

  • Removable media and personally owned devices: Without clearly defined and usable policies on the use of removable media and personally owned devices, staff may connect devices to the corporate infrastructure that might lead to the inadvertent import of malware or compromise of sensitive information
  • Legal and regulatory sanction: If users are not aware and supported in how they handle particular classes of sensitive information, the organisation may be subject to legal and regulatory sanction
  • Incident reporting culture: Without an effective reporting culture there will be poor dialogue between users and the security team. This is essential to uncovering near misses and areas where technology and processes can be improved, as well as reporting actual incidents.
  • Security Operating Procedures: If security operating procedures are not balanced to support how users perform their duties, security can be seen as a blocker and possibly ignored entirely. Alternatively, if users follow the procedures carefully this might damage legitimate business activity.
  • External attack: Since users have legitimate system accesses and rights, they can be a primary focus for external attackers. Attacks such as phishing or social engineering attempts rely on taking advantage of legitimate user capabilities and functions.
  • Insider threat: Changes over time in an employee’s personal situation could make them vulnerable to coercion, and they may release personal or sensitive commercial information to others. Dissatisfied employees may try to abuse their system level privileges or coerce other employees to gain access to information or systems to which they are not authorised. Equally, they may attempt to steal or physically deface computer resources.

How Can the Risk be Managed?

Produce a user security policy: Develop a user security policy, as part of the overarching corporate security policy. Security procedures for all systems should be produced with consideration to different business roles and processes. A 'one size fits all' approach is typically not appropriate for many organisations. Policies and procedures should be described in simple business-relevant terms with limited jargon.

Establish a staff induction process: New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process. The terms and conditions for their employment, or contract, should be formally acknowledged and retained to support any subsequent disciplinary action.

Maintain user awareness of the security risks faced by the organisation: All users should receive regular refresher training on the security risks to the organisation. Consider providing a platform for users to enquire about security risks and discuss the advice they are given. On the whole, users want to do the right thing, so giving them guidance to put security advice into practice will help.

Support the formal assessment of security skills: Staff in security roles should be encouraged to develop and formally validate their security skills through enrolment on a recognised certification scheme. Some security related roles such as system administrators, incident management team members and forensic investigators may require specialist training.

Monitor the effectiveness of security training: Establish mechanisms to test the effectiveness and value of the security training provided to all users. This will allow training improvements and the opportunity to clarify any possible misunderstandings. Ideally the training provided will allow for a two-way dialogue between the security team and users.

Promote an incident reporting culture: The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination. This should be reciprocated with a culture where security professionals acknowledge that security-related effort by non-security staff is time away from their work, and is helping to protect the organisation.

Establish a formal disciplinary process: All staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them. All sanctions detailed in policy should be enforceable at a practical level.

What Next?

IS Know How Pointer:

You may also be interested to read the next phase of the 10 Steps;

Disclaimer:

The above resources and content "Contains public sector information licensed under the Open Government Licence v1.0." unless stated with the text "IS Know How Pointer:", which is where ISKH would like to input a call to action to its visitors and clients.

ISKH is in no way affiliated with, or working on behalf of the National Cyber Security Centre (NCSC). ISKH is quite simply reproducing their 10 Steps to Cyber Security information, to be able to put it in front of our Third Sector target audience(s) as much as possible.

Additionally, this should further support the NCSC's drive to show that Cyber Security has a positive impact on a business or organisation's Cyber / Data Security Positioning.

Any externally linked NCSC content in the ISKH website, including PDF documents or video media, is offered for information purposes only, as is.

Contact Us

Phone
02921-679-021 (Sales ONLY)
Address
Britannia House, Caerphilly Business Park, Van Road, Caerphilly, Wales, UK. CF83 3GG
Legal Reg Info
Information Security Know How Ltd. is a Limited Company, Registered in England & Wales.

Company No: 09648503
VAT No: GB 232 2137 53


Proud Members Of:

IS Know How is a Proud Member of Cyber Exchange

Our CEO & Founder, Robert Stones is also a ‘Member of the Fraud Advisory Panel’ See more information about them here: About the Fraud Advisory Panel
