Educating staff about cyber security

Recent data tells us human error is a factor in almost 30% of data breaches. Educating staff during the onboarding process and at regular intervals thereafter is critical to keeping your information safe.

Key staff education topics

Education topics should align with your end-user security policy.  The top topics staff need to know about are:

• How to choose a strong password
• How to spot scam and phishing emails
• How to avoid clicking on links or open attachments in a suspect, unsolicited or unexpected email
• Never to respond to emails requesting personal, financial information and passwords
• Where and how to store sensitive information
• How to avoid reusing passwords or sharing user accounts unsafely
• How to keep devices secure
• How to respond to a suspected or actual security incident or data breach.

Cyber security policy

A staff cyber security policy coupled with training can do more to keep your workplace computers safe than any single piece of software. The policy should guide staff and volunteers to using the internet and other communications technologies appropriately, covering topics such as:

• which uses of email and the internet are acceptable
• how to handle sensitive data
• keeping equipment secure
• how to use the internet safely
• what to do if working off-site.

You should run through it with new staff and train them in the safe use of technology.

Safe use of email

The manner in which email is used can be a security risk. Staff may unintentionally install harmful programs by clicking on links  or opening infected attachments. This can lead to security incidents and data breaches. 

Email scammers put a great deal of effort into creating believable, hard-to-ignore messages, so you should be cautious every time you get a message from someone you don’t know – and sometimes when you get a message from someone you do know. If a colleague or friend’s email account has been hacked, you may receive suspicious messages from that account  without your friend or colleague knowing.

There are a few simple rules for safely opening email:

• Be cautious of any email that asks you for passwords, log in information or personal details (especially banking details!)
• Check that the sender’s email address is legitimate
• Only open attachments or click on links from people you know
• If you're unsure, ask for help
• Know who your IT support person is in case of an emergency
• Stay up-to-date with online scams by checking ACCC’s Scamwatch site.
• Email isn’t a good way to send sensitive information, and in the case of some information – for example when you’re dealing with clients’ health data – you’re required to use a secure messaging system instead.

Share this phishing quiz from the Australian Cyber Security Centre with your staff to demonstrate the importance of protecting your information.

Check out this useful information from Microsoft on how to stay protected from phishing.

This cyber security information from Microsoft is useful in thinking about and designing your cyber security protections and user education.

Learn more

Even when you think you have the right technology, training and processes in place, things can still go wrong. Read how one organisation became a victim of cyber crime.