Build security awareness in your organisation

This control helps you to build cyber security awareness in your organisation and create a positive security culture that rewards positive behaviours.

Security awareness building

Your people play a key role in making sure that your organisation and information are kept secure.

Reports show that many breaches involve a human element, such as clicking on links or downloading and opening/executing files, which hands attackers valid credentials or access to a network or system.

Investing in your people’s security awareness and training, alongside implementing technical controls, is a long-term commitment to improving the security of your organisation. It’s critical that people in your organisation understand the security risks they face, so they can play their part in the protection of your systems and information. 

You can empower them to do this by providing appropriate security awareness training, programmes, and tools.

How to create an effective security awareness programme

Security awareness programmes are essentially about managing human risk. An effective awareness programme should not just be a one-off induction or yearly training video. Regular, ongoing user training and human interaction will empower and encourage people to report 'near-misses', issues and security incidents.

It starts at the top

If you want to create an effective security awareness and training programme, you'll need support from your leadership team. 

Often leaders want to know how any programme that requires resources fits into the organisation’s business priorities, especially if costs are involved. And it can be difficult to show how investing in your people’s security awareness translates into a dollar value.

Use what you know; incident data can help you show what impact managing human risk can have. Highlight to your team the impact that reducing human-targeted cyber security incidents will have on your organisation. 

It’s also important for leadership to understand that cyber security is no longer just an IT problem. Everyone should be invested in creating a more robust security model. 

Create a test team

When you start creating your programme you will likely need help and support from different areas, depending on the size of your organisation.

You may need your marketing and communications team to help promote it or your human resources team to create resources for it. Or for smaller organisations, it could be a team of two or three.

Whatever the size of the group, it’s a good idea to have people who support you, that you can test ideas on, and get feedback from. 

People are your best asset

Make every user a security champion in your organisation. 

A person spotting a phishing email and reporting it is useful information to the security team. A person being tricked into running a malicious file that they downloaded and then alerting the security team when they realise what they’ve done is invaluable in the protection of your networks.

Continuous training should keep users informed about current phishing campaigns, strong password use, media reports of password dumps and data breaches, the rise of phishing at Christmas time, and malicious package delivery emails and messages during the holidays.

Reward positive behaviour rather than punishing mistakes. Negative reinforcement can lead to people in the organisation hiding issues as they arise, rather than reporting them, for fear of punishment.

Make security policies easily accessible to staff. Similarly, try not to make cyber security a chore. For example, have a password policy that requires strong, unique passwords rather than requiring users to change them every few months.

Make it easy to report

Create an easy and well-known process for reporting any 'near miss', suspected issue or security incident to the security team. This could be a button to report phishing emails, or an easy-to-remember generic email address or phone number for the security team.

Tips and topics

It's a good idea to have a person in your team(s) who is considered the cyber security representative. This person should be able to answer basic cyber security questions from other team members, know the incident response plan, and have a good relationship with the security team to get further help.

The following are good, simple topics you could consider for an awareness campaign. 

  • How to identify phishing messages.
  • Social engineering techniques used by attackers.
  • Safe online browsing practices.
  • Creating good passwords and password hygiene.
  • How to use password managers.
  • Setting up and using multi-factor authentication (also called two-factor authentication).
  • Updating devices and software.
  • Social networking and privacy policies.
  • Data storage, protection, classification and destruction – vital if you have customer data.
  • Managing security and accessibility on mobile devices.
  • How to be secure when working remotely, including working from home.
  • What to do if your organisation experiences a cyber security incident – working through your incident response plan.

You don’t have to start from scratch when putting together information for your people on these topics. Our website Own Your Online has a range of guides that can support you on advice for your people.

Guides – Own Your Online

There are all sorts of activities you can run as part of a campaign to make it more interesting for your people. 

  • Get a cyber security specialist in to give a presentation to your users (NCSC can help with that!).
  • Put articles about cyber security on your intranet.
  • Run quizzes.
  • Add screensavers to user computers.
  • Provide competition prizes (like printed t-shirts).
  • Hand out desktop or table cards with cyber security tips on them.
  • Highlight cyber security on your internal communications channels.
  • Encourage the reporting of malicious emails, phone calls and unknown behaviour to your security team.
  • Sign up for Cyber Smart Week. NCSC runs an annual security awareness campaign each October which provides resources and information for you to run the campaign within your organisation.
  • Maintain a good relationship between your security team and users (for example, provide appropriate rewards for reporting security incidents or risks, or give regular updates and presentations).
  • Create a cyber security policy for your organisation. Make it simple, short (1-2 pages) and easy to understand.

These are all activities that we’ve seen work well – but you may have other ideas for activities better suited to your organisation.

Regardless of what you decide, sharing information about cyber security won’t just help your people understand how to keep the organisation’s information and systems secure, it’ll help them protect their personal information online too, so everyone benefits.

Create an online security policy for your organisation – Own Your Online

Cyber Smart Week

How to measure success

Building security awareness is an ongoing journey that should be factored into your organisation’s priorities. Signs that your programme is working include the following.

  • Your people are familiar with your incident response plan, what is required from them, and how to report potential security issues and incidents.
  • Your people can identify common scams or attacks, such as phishing emails and invoice scams.
  • Your people are provided with a simple, standardised way to report potential security issues and incidents.
  • Reported issues and incidents are followed up by your security team and your people are informed of the outcomes.
  • Your organisation has an ongoing security training and awareness programme which keeps people up to date on expected reporting processes, current threats, and issues. 

Key takeaways

  • Make it easy to report potential security issues.
  • Educate your people on the process to report potential security issues and how to use the security reporting tools you have provided.
  • Encourage people to report potential issues, even if they are unsure. 
  • Don’t stigmatise mistakes. Focus on rewarding positive behaviours, remembering that most of the time it is people, rather than systems, who are the victims or targets of attacks.
  • Increase trust and collaboration within your organisation across all services. 
  • Ideally, everyone is a security champion and is invested in the identification and active reporting of threats to your networks/systems.
  • Involve your people when practicing your incident response plan so that they know what to expect if an incident should occur. Communicate any expectations required of people and ensure your incident response plan is accessible to all.
  • Run regular security awareness campaigns. They let your people know why cyber security is important, what you’re doing to keep the organisation secure online, what this means for them and what you need them to do. Security awareness should not be a once-a-year tick-box exercise.