Principle: B6 Staff Awareness and Training
Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the operation of essential functions.
This means that your organisation should ensure that employees have the information, knowledge and skills they need to support the security of your organisation, its networks, information systems and data.
To be effective, any security awareness and training programme needs to be tailored to reflect the way people really work with security in an organisation, as part of creating a positive security culture. It should focus on people’s real needs and not be used to try and tackle risks that are better dealt with via technical, procedural or policy means.
Security education and awareness should be scoped to the type and degree of change that any implemented method can realistically achieve, with expectations and metrics set for these accordingly. These methods should be implemented by suitably-skilled and qualified individuals, ideally learning and development professionals.
Staff should be educated on what constitutes a security issue or incident, as well as on when and how it should be reported to the responsible individuals for investigation.
Policy
The following requirements are placed on government departments:
- Government Organisations shall meet the CAF requirements of the relevant Government Profile under this principle.
Guidance
- The people who operate and support essential functions should be provided with all they need to carry out their job while supporting the organisation’s cyber security. The ‘You shape security’ guidance will help you ensure there is a continuous dialogue with your staff to understand ways of working, difficult processes and pressure points. By continuously improving your security processes and assisting your staff to navigate them, you will reduce the use of workarounds that bypass those processes and increase your risk of compromise. Security policies and processes should be user-centred, defining activities that those users are reasonably capable of doing, have the right opportunities to do, and are motivated to do.
- Efforts should be made to take the burden of security risks off end users and to treat the root causes of issues rather than the symptoms, through technical design and controls. Adopting a Secure by Default approach will give users the confidence that products designed to be secure will have better usability as a result. This contrasts with products where security is considered an afterthought and users are required to use them in specific ways to compensate for design deficiencies. Secure by Default holds that security should not require specific technical understanding or non-obvious behaviour outside the capabilities of a user’s role. Your organisation should analyse a specific audience, understand its capabilities and design secure ways of working that are in line with those capabilities.
- Training and engagement activities should provide appropriate cyber security skills for the job role, based on an understanding of how people really work with systems. Your organisation should make efforts to ensure that users do not feel caught out or deceived by a particular awareness exercise, but are instead encouraged to understand a particular security theme or issue and how it relates to their role. The end goals of your awareness campaigns should reflect behavioural changes that will genuinely help your organisation to be more secure, with metrics that demonstrate meaningful improvements rather than simply counting user clicks. The ‘Engagement and training’ step of the NCSC’s 10 Steps to Cyber Security encourages embedding security in your leadership, ensuring effective means of dialogue are maintained, and using awareness campaigns and training structures that are tailored to your employees’ roles and responsibilities.
- During an extended period of heightened cyber threat, your systems, processes and workforce will come under pressure. The ‘Maintaining a sustainable strengthened cyber security posture’ guidance will show you how empowering staff to make decisions, spreading their workloads and placing value on their overall wellbeing will improve productivity and lead to better security hygiene. Setting up the appropriate communication channels with teams and individuals will also ensure effective coordination when identifying, escalating, triaging and responding to an incident.
Available tools
- Top tips for staff is a free product built by the NCSC which introduces why cyber security is important and how cyber attacks happen, and then covers areas including phishing awareness, password use, device management and incident reporting. This package represents a realistic level and volume of training to expect regular staff to complete and take on board. You should not aim to do substantially more than this, in order to avoid fatiguing your users, reducing their appetite for security awareness, and taking them away from their duties for a period that impacts core delivery.
- The Suspicious Email Reporting Service is an NCSC-led initiative which allows anyone to report a phishing email. This initiative may be promoted amongst your user base; it allows the NCSC to investigate any suspicious email reported to them and to take action to remove malicious email addresses and websites.
- The NCSC’s Takedown Service is a scheme run to protect registered organisations from spam and phishing websites that seek to imitate their online services. The service uses spam and phishing feeds, as well as the Suspicious Email Reporting Service, to discover potential sources of cyber attack, and then issues takedown notices to the relevant service provider.
Further information
- The NCSC Certified Training scheme provides a number of assured third-party security training courses, tiered at ‘awareness’, ‘application’ and ‘courseware’ level. Awareness is aimed at beginners, while application is scoped for individuals looking for professional security development. Courseware is to be used in conjunction with a certified trainer and a quality management system.
- For security practitioners, the Government Security Profession Career Framework provides role expectations, behavioural competencies and development pathways for a variety of cyber security roles.
Further guidance and information can be found on the NCSC’s CAF Guidance webpage.