Getting started with cyber security training and awareness
When it comes to cyber security, we sometimes get so focused on technology and fighting fires that we forget people have a huge part to play in defending every organisation from cyber crime.
Businesses must focus on uplifting their people so they can understand their importance in the fight against cyber crime and be armed with the tools and knowledge they need to make good security decisions in their day-to-day work.
That is why cyber security and awareness training is so important to any business.
To get started, you would first need to identify a face and voice to lead your programme. This could be anyone in your business that is passionate about information protection.
Then sit down and list the risks associated with people in your business. Consider the likelihood of those happening. What would the impact of a phishing email or a rogue email attachment be to your operations and customers? If people are not understanding or adhering to your policies, what could that mean for your business and the information you’re entrusted to keep secure?
A simple risk exercise will flush out the big ticket items you need to focus on and will help craft key messages. These messages will help people understand why security matters to your business, and should be used as consistent reference points throughout your awareness activities.
Writing a plan will keep your stakeholders aware of planned activities, remind you of your purposes and lay out some timelines. Keep it simple, but adaptability is key! Work out what you’re going to do, why, and how (and potentially a budget) to tackle each top risk.
For example, you may need to ensure your frontline staff understand how to handle email attachments and links, and you plan to do this through a short e-learning module.
Or, you’re rolling out a password manager to the business. You need people to understand why, what, and how to use it. You may decide a video tutorial and an intranet article are good vehicles for communicating this change to the way people work.
Lastly, once you know the what and the when, see what you are able to do in-house and what you will need help with. Think about what delivery channels you already have available and use them as guidance to create your content.
You may experience pushback from communications teams who have a packed schedule of other important messages to convey to staff. Think outside the square – how can you combine some information security messaging into other communications? For example, if someone’s talking about health and safety, that’s a great opportunity to contribute a little something about information security too!
Remember that change can be hard in any business, so keep your content relatable and easy to understand and interact with. Focus on the things that will make the biggest difference first and give people the chance to put learning into practice before moving on to the next thing.
If you have no idea where to get started with content, be sure to check out the fantastic, free resources on the CERT NZ website. And check out the helpful five-step guide to getting started with cyber security training and awareness from Mindshift, available to download on our resources page.
Empowering those who matter most is an integral part of your cyber security journey. For more tips and advice on how you could uplift your people, check out our resource page.