Recent data tells us human error is a factor in almost 30% of data breaches. Educating staff during the onboarding process and at regular intervals thereafter is critical to keeping your information safe.
Key staff education topics
Education topics should align with your end-user security policy. The top topics staff need to know about are:
- How to choose a strong password
- How to spot scam and phishing emails
- How to avoid clicking on links or opening attachments in a suspect, unsolicited or unexpected email
- Never to respond to emails requesting personal or financial information, or passwords
- Where and how to store sensitive information
- How to avoid reusing passwords or sharing user accounts unsafely
- How to keep devices secure
- How to respond to a suspected or actual security incident or data breach.
Some organisational processes require a security lens
For the finance and HR teams, for example, verify requests to change bank account details via an alternate channel. If a change request is made via email, phone the person or organisation to verify the request.
If you receive a request to log into a system, use the existing known link you have instead of the link provided in the email/text message.
Cyber security policy
A staff cyber security policy coupled with training can do more to keep your workplace computers safe than any single piece of software. The policy should guide staff and volunteers to use the internet and other communications technologies appropriately, covering topics such as:
- which uses of email and the internet are acceptable
- how to handle sensitive data
- keeping equipment secure
- how to use the internet safely
- what to do if working off-site.
You should run through it with new staff and train them in the safe use of technology.
Safe use of email
How email is used can be a security risk. Staff may unintentionally install harmful programs by clicking on links or opening infected attachments. This can lead to security incidents and data breaches.
Email scammers put a great deal of effort into creating believable, hard-to-ignore messages, so you should be cautious every time you get a message from someone you don’t know – and sometimes when you get a message from someone you do know. If a colleague or friend’s email account has been hacked, you may receive suspicious messages from that account without your friend or colleague knowing.
There are a few simple rules for safely opening email:
- Be cautious of any email that asks you for passwords, login information or personal details (especially banking details!)
- Check that the sender’s email address is legitimate
- Only open attachments or click on links from people you know
- If you're unsure, ask for help
- Know who your IT support person is in case of an emergency
- Stay up-to-date with online scams by checking ACCC’s Scamwatch site.
- Email isn’t a good way to send sensitive information, and in the case of some information – for example when you’re dealing with clients’ health data – you’re required to use a secure messaging system instead.
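The header and content checks in the list above can be applied systematically. The following Python script is an added example, not part of this guide or any product it links to: it parses two constructed sample messages and reports the red flags a staff member would be taught to look for (a sending domain the organisation does not use, a lookalike domain, a Reply-To that diverts replies elsewhere, and wording that asks for credentials or banking details). The trusted domain list and the sensitive-phrase list are assumptions for the example and would be replaced with your organisation's own values.

```python
"""Added example: automated sanity checks on an email's headers and body,
mirroring the manual checks staff are taught. Sample messages are constructed
for illustration only."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Set

# Hypothetical: the domains this organisation legitimately sends from.
TRUSTED_DOMAINS: Set[str] = {"example.org"}

# Phrases that commonly appear in emails asking for credentials or payments.
SENSITIVE_PHRASES = ("password", "bank account", "log in", "login", "verify your account")

# Constructed sample: display name impersonates a known colleague, the sending
# address is on a lookalike domain, and Reply-To diverts answers elsewhere.
SUSPICIOUS_EMAIL = """\
From: "Jane Smith (Finance)" <jane.smith@example-corp-payments.net>
Reply-To: accounts@mail-example.co
To: staff@example.org
Subject: Updated bank account details
Content-Type: text/plain; charset="utf-8"

Hi team, our bank account details have changed. Please login here to confirm before Friday's payment run.
"""

# Constructed sample of an ordinary internal message for comparison.
BENIGN_EMAIL = """\
From: "Jane Smith" <jane.smith@example.org>
To: staff@example.org
Subject: Lunch on Friday
Content-Type: text/plain; charset="utf-8"

Anyone keen for lunch at the cafe on Friday?
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def plain_text_body(msg: Message) -> str:
    """Collect the text/plain parts of a message into one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_email(raw: str, trusted_domains: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable warnings for a raw message; an empty list means no red flags."""
    msg = message_from_string(raw)
    warnings: List[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)

    # 1. Is the sending domain one the organisation actually uses?
    if from_dom not in trusted_domains:
        warnings.append(f"sender domain '{from_dom}' is not a known organisation domain")

    # 2. Does the domain merely resemble a trusted one (extra words, hyphens, other TLD)?
    for trusted in trusted_domains:
        label = trusted.split(".")[0]
        if from_dom != trusted and label in from_dom:
            warnings.append(f"sender domain '{from_dom}' looks like '{trusted}' (lookalike)")

    # 3. Will replies silently go somewhere other than the apparent sender?
    if reply_addr and domain_of(reply_addr) != from_dom:
        warnings.append(f"Reply-To '{reply_addr}' differs from sender domain '{from_dom}'")

    # 4. Does the subject or body ask for credentials, personal or banking details?
    text = (msg.get("Subject", "") + "\n" + plain_text_body(msg)).lower()
    hits = [phrase for phrase in SENSITIVE_PHRASES if phrase in text]
    if hits:
        warnings.append("message requests sensitive information: " + ", ".join(hits))

    return warnings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(f"{label}:")
        for warning in check_email(raw) or ["no red flags"]:
            print("  -", warning)
```

Running the script prints four warnings for the suspicious message and none for the benign one. None of these checks is proof on its own; they are prompts to pause and verify through a known channel, as the guidance above describes.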
Share this phishing quiz library from the Australian Cyber Security Centre with your staff to demonstrate the importance of protecting your information.
Check out this useful information from Microsoft on how to stay protected from phishing.
This cyber security information from Microsoft is useful in thinking about and designing your cyber security protections and user education.
Learn more
Even when you think you have the right technology, training and processes in place, things can still go wrong. Read how one organisation became a victim of cyber crime.