
Five Tips to a Secure Employee Culture

21 September 2018 by Jenn Granger

At UKFast, we know that every single person across the business is a fundamental part of what makes us, us. Chances are, the business wouldn’t survive without these incredible individuals putting in the work, day in, day out – and we’re guessing neither would yours.

But did you know that all your hard work to make your business GDPR compliant and cyber secure may be wasted if you don’t train your employees to be secure too?

That’s right: although we tend to think of data breaches as the work of criminal hackers out to expose data to the world, the security experts in a recent UKFast webinar revealed that, shockingly, the majority of data breaches happen because of a mistake made by someone inside the company.

Often these mistakes are simply down to a lack of awareness and training, so if you take the time to train your staff to be secure, the internal threat can be minimised.

With this in mind, we’ve put together five tips from our webinar speakers to help you begin the journey of shifting to a secure employee culture.

Our experts:

  • Nicola Frost, Head of Legal at UKFast
  • Paul Mason, Training Manager at Secarma
  • Andy Larkum, Cybersecurity Consultant and GDPR Expert at ADL Consulting

1. Where to begin?

For a start, every employee should understand what constitutes personal data, and access to that data should be granted on a ‘least privilege’ basis: each person gets only the access their role actually requires, and nothing more.

Paul Mason explained: “If it is not essential to a role, the member of staff should not have access. Regular ‘access audits’, where access privileges are reviewed, should be commonplace.”

This might sound harsh, but the fewer people who have access to your business data, the easier it is to control how it’s handled, and the smaller the blast radius when one of them is tricked.
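The ‘access audit’ Paul Mason describes is easy to automate once you have two exports: who holds what (a group-membership or IAM dump) and who is supposed to hold what (a role-to-entitlement matrix agreed with each team). The script below is an added example written for this article, not UKFast’s or Secarma’s own tooling; the role matrix, staff directory, grant list and entitlement names are all constructed, made-up data standing in for those exports. It flags three things a reviewer should act on: grants beyond what a role needs, grants held by accounts with no staff record (usually leavers), and accounts that have not logged in for a long time.

```python
from collections import defaultdict
from datetime import date

# Constructed role matrix: the minimum system entitlements each role needs.
# Anything a user holds beyond their role's set is a candidate for removal.
ROLE_ENTITLEMENTS = {
    "support": {"crm-read", "ticketing"},
    "finance": {"crm-read", "billing-read", "billing-write"},
    "developer": {"repo-write", "staging-db"},
    "cleaner": set(),  # physical access only, no system entitlements
}

# Constructed staff directory (stand-in for an HR export): user -> (role, last login).
STAFF = {
    "alice": ("support", date(2018, 9, 18)),
    "bob": ("finance", date(2018, 9, 20)),
    "carol": ("developer", date(2018, 5, 2)),
    "dave": ("cleaner", date(2018, 9, 19)),
}

# Constructed current grants (stand-in for a group-membership dump).
GRANTS = [
    ("alice", "crm-read"),
    ("alice", "ticketing"),
    ("alice", "billing-write"),  # excess: support does not need billing
    ("bob", "crm-read"),
    ("bob", "billing-read"),
    ("bob", "billing-write"),
    ("carol", "repo-write"),
    ("carol", "staging-db"),
    ("carol", "prod-db"),        # excess: not in the developer set
    ("dave", "crm-read"),        # excess: cleaner should hold nothing
    ("erin", "repo-write"),      # orphan: no staff record, probably a leaver
]

# Date the audit is run against (constructed to match the sample data).
AUDIT_DATE = date(2018, 9, 21)


def audit(role_entitlements, staff, grants, today, stale_after_days=90):
    """Compare current grants against the role matrix.

    Returns a dict with three findings:
      excess: user -> entitlements beyond what the user's role allows
      orphan: user -> entitlements held by someone not in the staff directory
      stale:  users who have not logged in for more than stale_after_days
    """
    excess = defaultdict(set)
    orphan = defaultdict(set)
    for user, entitlement in grants:
        if user not in staff:
            orphan[user].add(entitlement)
            continue
        role, _last_login = staff[user]
        if entitlement not in role_entitlements.get(role, set()):
            excess[user].add(entitlement)
    stale = {
        user
        for user, (_role, last_login) in staff.items()
        if (today - last_login).days > stale_after_days
    }
    return {"excess": dict(excess), "orphan": dict(orphan), "stale": stale}


def report(findings):
    """Render findings as one action line each for the access-review meeting."""
    lines = []
    for user, ents in sorted(findings["excess"].items()):
        lines.append(f"REMOVE  {user}: {', '.join(sorted(ents))}")
    for user, ents in sorted(findings["orphan"].items()):
        lines.append(f"ORPHAN  {user}: {', '.join(sorted(ents))} (no staff record)")
    for user in sorted(findings["stale"]):
        lines.append(f"STALE   {user}: no login in audit window, confirm still needed")
    return lines


if __name__ == "__main__":
    for line in report(audit(ROLE_ENTITLEMENTS, STAFF, GRANTS, AUDIT_DATE)):
        print(line)
```

Running it on the sample data produces five action lines: three excess grants to remove, one orphaned account, and one stale developer account to confirm with their manager. The useful design point is that the role matrix, not the current grant list, is the source of truth; if you audit by asking “does anyone object to what this person has?” the answer is always no, and privilege only ever grows.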

2. The basics are essential

Nicola Frost suggests that once you’ve established who has access to what systems, you ‘craft your training around this’.

As Paul Mason pointed out, this may mean teaching everyone the basics: “Anyone who has access to the system, who can be tricked or socially engineered, needs to be trained – whether they are a cleaner or the boss. Hackers have no care for status or gender, they just want your database.”

After everyone has the basics nailed down, you’re on the right track. A smaller number of people may then need further training, such as PCI DSS compliance or technical training, depending on their job role and access privileges.

3. A sense of purpose

Staff should learn to be secure not only at work but also at home. When they get a personal sense of security and achievement from the training, they have an inner motivation to absorb the information rather than sit through it.

Andy Larkum commented on how important instilling this inner motivation is: “Engaging employees and getting solid home security to translate into the work environment, makes improving overall cybersecurity and implementing GDPR compliance so much easier.”

4. Make it fun

Let’s face it, no one likes a three-hour PowerPoint presentation, and even the best experts in the world can make the worst teachers.

Paul Mason highly recommends employing real educators who are trained to engage and present the learning material in an effective way, even if it costs a bit more – it’ll be worth the fantastic results of an engaged and interested team!

5. Keep up the good work

Last but not least, there’s no point in training your staff in cybersecurity if it only happens every five years. By then, you could have a whole new team, and the online landscape will have changed a hundred times over!

Paul Mason is passionate about this point: “Training needs to be regularly updated. One single training session as part of induction is going to be forgotten in six months’ time, it needs to be reinforced continuously.”

The bottom line? If employees are secure, your business naturally becomes secure.

If you want to know more about securing employee culture, watch our free on-demand webinar here.