Staff training and awareness
Educating staff about security will not only help them to recognise possible risks and vulnerabilities but also help organisations identify new threats from the feedback they receive from a more alert workforce.
Oversights or weaknesses in any plans will often only be discovered when put to the test. Rehearsals, drills and exercises will not only provide evidence of whether measures and response plans are working, but also ensure staff are familiar with any procedures and tasks that they are expected to perform.
It is generally recommended that most aspects of the security plan are tested at least annually in every location. Greater frequency may be required depending on the nature of the business (such as the level of staff turnover).
All employees must take responsibility for their adherence to the organisation’s security policies, but it is down to the employer to ensure that they are appropriately trained. Security training for all staff – whether permanent, temporary or a contractor – should begin during any induction process, followed by regular ‘refresher’ training and briefings.
Ongoing task-specific training should then be provided according to the specifics of each role. In some circumstances it may also be appropriate to incorporate an element of assessment.
Training techniques might include formal presentations, workshops or scenario-based role-plays, but could also include less formal formats such as road shows, intranet content, films or desktop packages.
Periodically gauging staff opinion about security habits can help determine whether measures and procedures are both appropriate and understood.
Demonstrate that this is a transparent process by sharing the results – both positive and negative – with staff along with any resulting actions.
Clear, succinct, jargon-free guidance about security standards and procedures should be freely provided. Where detailed procedural documents are necessary they should be accompanied by at-a-glance summaries or checklists covering essential points such as the actions to be followed in the event of an incident or security breach.
Security messages should be kept visible to both staff and visitors by making use of available internal communications such as posters, leaflets, newsletters, staff magazines, message boards and desk furniture.