Security Awareness Training for Small Business Staff

Key awareness training topics

While the content of cybersecurity training should be tailored to the specific needs of each business and the challenges they might face, some cybersecurity awareness topics that employee training should cover include:

Password Management: The importance of unique passwords (minimum 10 characters), using password managers and never saving passwords in browsers or physically.

Email Security: How to identify and handle phishing emails, as well as advising employees to only open attachments from trusted contacts and to never respond to emails requesting personal or sensitive information. Restrict usage of emails for work purposes and don’t allow employees to register their work email address for personal online account usage.

Safe Browsing: Best practices for internet use and avoiding malicious websites.

Data Protection: How to handle and store sensitive information or data securely. For instance, understanding the risks of externally storing information outside internal business storage systems, such as transferring data to non-work devices.

Securing Work Devices: Installing reputable anti-malware applications, only obtaining applications or software from trusted sources, as well as utilising access control functions, such as passwords and multi-factor authentication across the operating environment.

Guidance for Working Remotely: Best practices when working outside of the regular workplace. For instance, to avoid connecting business devices to unknown or unsecure networks, employees can tether connectivity from their mobile phone. Further, ensuring documents containing sensitive information are never left unattended in public areas.

Incident Response: Steps to take if a compromise or cyber incident occurs, such as resetting passwords, securing vulnerabilities and where to report.

‍

Additional guidance for training employees on cybersecurity

1. Develop a cyber security policy

While a cyber security policy may sound unnecessary for smaller businesses, creating thorough guidelines for how your online systems and operations should be executed safely can minimise risk. It can help employees understand their role in protecting the technology and information assets of the business. This policy should be easily accessible to all employees and continuously updated to address new and emerging vulnerabilities. For support on what information a cyber security policy should include, visit business.gov.au.

2. Provide regular cyber training and updates

While all employees should undergo cybersecurity training during their onboarding process, periodically providing additional training for employees is important to maximise their awareness of potential threats. Employers should take advantage of online cybersecurity courses and resources for training employees, either paid or unpaid.

CyberWardens provides free and simple online cyber security training, funded by the Government, for both small business employers and employees.

3. Promoting a culture of security awareness

Making cybersecurity awareness an ongoing conversation involves positioning cybersecurity as an important consideration in the business’s operations and discussions, as opposed to being an occasional training topic. Employers can promote this by sharing updates about recent threats that may be relevant for the business and regularly discussing the importance of good security practices.

4. Encourage reporting of vulnerabilities and suspicious activity

Employers should encourage employees to report any observed areas of weakness, or opportunities for improvement of information security management within the business. Employers should also encourage employees to report signs of suspicious activity or indicators of compromise, such as the sudden appearance of unrecognised apps or programs on their devices or strange pop-ups.

‍

For additional support or information, contact IDCARE by submitting a Get Help Form or call 1800 595 160 (Aus) or 0800 121 068 (NZ).

Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

• IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
• The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
• While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
• IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
• If you would like to provide feedback please use our Feedback Form.