Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the delivery of essential services.
Staff are central to any organisation’s ability to operate securely. Therefore, operators of essential services should ensure that their employees have the information, knowledge, and skills they need to support the security of networks and information systems.
To be effective any security awareness and training programme needs to recognise and be tailored to reflect the way people really work with security in an organisation, as part of creating a positive security culture.
The people who operate and support essential services should be provided with all they need to carry out their job while supporting the organisation's cyber security. In line with the design of service protection policies and processes, you should apply the same people-focussed approach to staff awareness and training.
Training and awareness activities should provide appropriate cyber security skills for the job role based on an understanding of how people really work with the systems, with ongoing reminders and top-up training to maintain skills.
Using a range of approaches to training and awareness can improve understanding and information retention, from briefings, online courses and blogs to simulated cyber attack. You may achieve the widest uptake of training and awareness by accommodating different learning preferences and using various delivery methods. Operators may find the GCHQ certified training scheme useful when considering commercial offerings.
Operators of essential services should aim to create a positive security culture, where people are aware of their role in maintaining security and actively take part and contribute to improving security. This is particularly important where a technical solution is not possible, so security relies on people making the right cyber security decisions. Developing a positive security culture is likely to take some time, with some changes possibly taking years to become established and is unlikely to be achieved simply through written guidance or training events.
These outcomes are best achieved when organisations actively engage with staff and communicate effectively with them about network and information system security and how it relates to their jobs. This should be more easily achieved where organisations create and promote a long-term security culture vision that is endorsed and supported by senior management, then make incremental, focused changes to address specific business issues. Some essential service sectors may be able to draw on activities supporting positive safety culture to build up the organisation's cyber security culture.
NCSC 10 Steps: User Education and Awareness
CPNI's guidance on developing a security culture
GCHQ certified training scheme
< Back to Principle B5 Forward to Principle C1 >