
A security-conscious culture: educating your users

Dave in Accounts might be your biggest security risk. It is an unsettling fact, but employees (or system users) are central to the vast majority of successful cyber attacks on organisations, whether through deliberate action, being tricked or coerced by an attacker, or plain human error.

Your staff are therefore crucial in keeping your organisation secure. They can be turned from potential risks into highly effective threat detection tools, but only if they are educated on what to look for.

If you read our blog before Christmas, you will know how important it is to put together a robust cyber management regime. In doing so, you will almost certainly come up against the risks presented by the very people running your business: people emailing hundreds of times a day, carrying laptops around, plugging in their own devices, choosing their own passwords, clicking links, using social media and cloud storage, downloading documents, or even rogue staff members who deliberately steal data or sabotage systems.

From phishing to sensitive data leaks, the most effective way of countering these risks is to make your users aware of them: educate and empower them to look out for cyber security threats, to recognise one when they see it, and to know what action to take, all without impacting their ability to do their job.

As the National Cyber Security Centre put it:

“Users have a critical role to play in helping to keep the organisation secure, but they must also be able to effectively do their jobs. Organisations that do not effectively support employees with the right tools and awareness may be vulnerable.”

So what are the best ways to do this, instilling a security-conscious culture that works without obstructing work?

  1. Produce a user security policy (as part of your overall cyber risk policy) outlining acceptable and secure use of your systems and the internet. Make it readable, engaging and jargon-free.

  2. Run workshops to help people understand what the policy means in practice, and make it a core part of induction training.

  3. Engage everyone in the organisation as active, interested participants, not bored box-tickers. Get the intern as engaged as the Board members and CEO. Make it clear that everyone has a personal responsibility, ideally by making it a contractual term of employment.

  4. Make the training interactive and interesting. There are genuinely engaging tools available that simulate phishing scams and other attacks so you can test staff safely. Keep the learning bite-sized and relatable, even fun, and test it now and then to check that users are really learning and changing their behaviour.

  5. Keep at it. Continually revisit and update the policy and give annual refresher training. Consider offering a forum for questions, advice and updates.

  6. Promote a positive incident-reporting culture, where users are not shy about reporting and are not worried about recriminations. Acknowledge that ‘this security stuff’ is above and beyond most people’s core job role, and make them feel valued for making the effort.

  7. Establish, and publicise, a formal disciplinary process to follow should anyone breach the user security policy.

And do not be shy about seeking advice yourself. Bodies like the National Cyber Security Centre offer excellent guidance, while at Hexegic we provide training at Board, management and leadership level on how to spot cyber risks and how to act on them.

Educate and engage your users in a positive incident-reporting culture, and turn Dave in Accounts from your biggest security risk into your biggest security asset.
