Educating staff about cyber security

Staff education is an essential part of cyber security. Take a look at our list of key staff education topics, aspects of cyber security policy and email protocols for your organisation.
Educating staff about cyber security

Recent data tells us human error is a factor in almost 40% of data breaches, mostly through phishing scams. Educating staff during the onboarding process and at regular intervals thereafter is critical to keeping your information safe.

Share this phishing quiz from the Australian Cyber Security Centre with your staff to demonstrate the importance of protecting your information.

This cyber security information from Microsoft is useful in thinking about and designing your cyber security protections and user education.

Key staff education topics

Education topics should align with your IT policy.  The top topics staff need to know about are:

  • Choosing strong passwords
  • How to spot scam emails, and other relevant scams and security risks
  • Not clicking on links or attachments in a suspect, unsolicited or unexpected email
  • Never responding to emails requesting your personal, financial information and passwords
  • Where and how to store sensitive information
  • Not reusing passwords or sharing accounts
  • How to respond to a suspected or actual security risk or data breach.

Cyber security policy

A staff cyber security policy coupled with training can do more to keep your workplace computers safe than any single piece of software.  The policy should guide staff and volunteers to use the internet and other communications technologies appropriately and cover topics such as:

  • which uses of email and the internet are acceptable
  • how to handle sensitive data
  • keeping equipment secure
  • how to use the internet safely
  • what to do if working off-site.

You should run through it with new staff and train them in safe use of technology.


Because of its popularity, email can be a security risk. Staff may unintentionally install harmful programs by opening links to dodgy websites or opening infected attachments. This can lead to data loss and privacy breaches. 

Email scammers put a great deal of effort into creating believable, hard-to-ignore messages, so you should be cautious every time you get a message from someone you don’t know – and sometimes when you get a message from someone you do know. If someone has hacked a friend’s email account, that account may be sending you suspicious messages without your friend knowing.

There are a few simple rules for safely opening email:

  • Be cautious of any email that asks you for passwords, log in information or personal details (especially banking details!)
  • Check that the sender’s email address is legitimate
  • Only open attachments or click on links from people you know
  • If you're unsure, ask for help
  • Know who your IT support person is in case of an emergency
  • Stay up-to-date with online scams by checking ACMA’s Spam site.

Email isn’t a good way to send sensitive information, and in the case of some information – for example when you’re dealing with clients’ health data – you’re required to use a secure messaging system instead.

Even when you think you have the right technology, training and processes in place, things can still go wrong. Read how one organisation became a victim of cyber crime.

Rate this guide

Average: 5 (3 votes)

Status message

Thanks for rating this guide.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.