Principles and processes relating to the protection of all data and information, no matter how or where it is stored.
Information Security should be a leading priority for any business or organisation. According to the DCMS Cyber Security Breaches Survey 2022, around four in five (82%) boards or senior management teams within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, up from 77% in 2021. Leaders and decision makers are starting to recognise the importance of doing everything in their power to protect information and data. The founding principles of Information Security are confidentiality, integrity and availability, often called the CIA triad. In this edition of our newsletter, we outline the important role that training employees and contractors plays in implementing and maintaining this triad.
Human error is a leading factor in data breaches. Employees and contractors have what external attackers do not: legitimate access. As technical security measures become more sophisticated and widespread, people are increasingly the weakest link in protective efforts, and therefore the most attractive target.
An Information Security training programme can reduce the number of breaches by educating people and so strengthening defences; the NCSC lists engagement and training as one of its 10 Steps to Cyber Security. Any training materials or sessions should be mandatory and issued to all employees and contractors, regardless of job role, level of seniority or perceived knowledge. At Clear Thinking we practise what we preach, and even our most senior technicians complete the same training as their colleagues. Communication is key: training is more effective when people understand why it has been assigned and the positive impact it can have, rather than seeing it as a box-ticking exercise. Training should leave people able to understand, identify and avoid threats to Information Security.
Training modules should cover a broad range of topics, and it is important to remember that Information Security covers physical data, such as a printed CV left on a desk, as well as digital files. Important modules include phishing, password management, access control, social engineering, GDPR, clear desk policies, the risks of public Wi-Fi and Information Security Management Systems (ISMS).
Businesses can adopt an ISMS and obtain a certification, such as ISO 27001, that demonstrates their commitment to managing and protecting information. Training is key to certification: ISO 27001 requires that people are aware of the information security policy and of their own part in it, and that the ISMS is continually improved, so everybody in the organisation can, and should be encouraged to, suggest changes and improvements to the measures put in place. They cannot contribute without a knowledge base or an understanding of the existing measures to refer to.
In summary, the key factors of Information Security Training to consider should be:
- Building a culture of security – Strong communication and mass rollout are key to success. Encourage everybody to suggest improvements to your framework.
- Frequency – Ensure everybody retakes training at least once a year, and that the materials are reviewed and updated to reflect the causes of recent breaches and incidents. Reissuing training helps foster the culture of security, keeping it at the forefront of people’s minds.
- Participation – A top-down approach, in which leadership visibly completes the same plan as everybody else, helps to get more people on board and ensures a consistent, harmonious approach.
Subscribe & share to spread the word on a range of topics covering Cyber Security, Risk & Compliance.
Clear Thinking partner with businesses to provide multi-layered cyber security solutions, including certifications, compliance, disaster recovery and more. Further details can be found here: https://clearthinking.co.uk/cyber-security/