Guidance

10 Steps: User Education and Awareness

Updated 16 January 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/10-steps-cyber-security

1. Summary

Unfortunately the use made by employees of an organisation’s Information and Communications Technologies (ICT) brings with it various risks. It is critical for all staff to be aware of their personal security responsibilities and the requirement to comply with corporate security policies. This can be achieved through systematic delivery of a security training and awareness programme that actively seeks to increase the levels of security expertise and knowledge across the organisation as well as a security-conscious culture.

2. What is the risk?

Organisations that do not produce user security policies or train their users in recognised good security practices will be vulnerable to many of the following risks:

Unacceptable use

Without a clear policy on what is considered to be acceptable, certain actions by users may contravene good security practice and could lead to the compromise of personal or sensitive commercial information, which could in turn result in legal or regulatory sanctions and reputational damage.

Removable media and personally owned devices

Unless it is clearly set out in policy and regularly communicated, staff may consider it acceptable to use their own removable media or connect their personal devices to the corporate infrastructure. This could potentially lead to the import of malware and the compromise of personal or sensitive commercial information.

If users are not aware of any special handling or reporting requirements for particular classes of sensitive information, the organisation may be subject to legal and regulatory sanctions.

Incident reporting

If users do not report incidents promptly, the impact of any incident could be compounded.

Security Operating Procedures

If users are not trained in the secure use of their organisation’s ICT systems or the functions of a security control, they may accidentally misuse the system, potentially compromising a security control and the confidentiality, integrity and availability of the information held on the system.

External attack

Users remain the weakest link in the security chain and they will always be a primary focus for a range of attacks (phishing, social engineering, etc.) because, when compared to a technical attack, there is a greater likelihood of success and the attacks are cheaper to mount. In many instances, a successful attack only requires one user to divulge a logon credential or open an email with malicious content.

Insider threat

A significant change in an employee’s personal situation could make them vulnerable to coercion, and they may release personal or sensitive commercial information to others. Dissatisfied users may try to abuse their system-level privileges or coerce other users to gain access to information or systems to which they are not authorised. Equally, they may attempt to steal or physically deface computer resources.

3. How can the risk be managed?

3.1 Produce a user security policy

The organisation should develop and produce a user security policy (as part of their overarching corporate security policy) that covers acceptable use. Security procedures for all ICT systems should be produced that are appropriate and relevant to all business roles and processes.

3.2 Establish a staff induction process

New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process. The terms and conditions for their employment (contracts for contractors and third party users) must be formally acknowledged and retained to support any subsequent disciplinary action. Ideally, the initial user registration process should also be linked to the organisation’s technical access controls.

3.3 Maintain user awareness of the cyber risks faced by the organisation

Without exception, all users should receive regular refresher training on the cyber risks to the organisation and to them as both employees and individuals.

3.4 Support the formal assessment of Information Assurance (IA) skills

Staff in security roles should be encouraged to develop and formally validate their IA skills through enrolment on a recognised certification scheme for IA Professionals. Some security related roles such as system administrators, incident management team members and forensic investigators will require specialist training.

3.5 Monitor the effectiveness of security training

Establish mechanisms to test the effectiveness and value of the security training provided to all staff. This should be done through formal feedback and potentially by including questions in the staff survey on security training and the organisation’s security culture. Those areas that regularly feature in security reports or achieve the lowest feedback ratings should be targeted for remedial action.

3.6 Promote an incident reporting culture

The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination.

3.7 Establish a formal disciplinary process

All staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them.