Staff security
Build a positive online security culture in your business

Protecting your business from online security threats involves technology and processes, but there’s another important defence – your people.

Why it matters

Your processes and technology are only as good as the people who use them. If your staff don’t follow the processes or use the technology properly, your business will still be at risk.

People are more likely to do what you need them to do if they understand why it’s required – educate them about the risks, what to look out for, and the potential impact of an attack.

How to do it

The information below will help you to build a positive online security culture in your business.

Define your values

Define and display your online security values somewhere the whole team can see them. Your values will depend on the type of business you are.

For example, if you're a technology business your values may be centred around:

  • including security in the early design and planning of your software
  • never pushing out a change or new feature that has a high-risk security problem
  • putting the privacy of your customers and their data first.

If you're a service business, your security values may be focused on:

  • keeping customer data safe and confidential
  • prioritising the security of the devices and systems that store customer data.

Your values could be included in your onboarding process for new staff and in your performance framework, and should be communicated regularly. They should also be part of your online security policy.

See also: Creating an online security policy for your business

Provide processes and tools

Decide what online security actions you want your people to take.

For example:

  • quickly reporting messages that might be phishing attempts
  • raising an incident report when their systems or devices are not operating as they expect
  • using long, strong and unique passwords for each of their accounts
  • updating their devices as soon as updates are available.

Then make it easy for them to follow the processes. For example:

  • set up warning notifications to prompt checks if an external email comes from someone they have never interacted with before
  • have a single phone number, email address, or tool that makes it easy to contact IT support
  • provide a password manager to generate unique and long passwords, and store them safely.

See also: Managing passwords and authentication in your business

Communicate your expectations

Once you have the right tools and processes in place, make sure your people know:

  • what they are
  • how to use them
  • why they’re important.

You might want to have a regular programme of reminders and demonstrations.

Lead by example

Ensure you and your leaders actively display the security values that you've set for the organisation. Even minor actions can have an impact. For example, if a leader is presenting from their laptop and their computer reminds them it’s time to restart to install security updates, they could:

  • laugh it off and say, “time to snooze that alert for another week” – sending the message that leadership and management don’t take security seriously, or
  • say to the team, “looks like there’s an update available, I’ll get onto that after this presentation – be sure to check your own devices when you get back to your desks”.

Promoting a positive cyber security culture takes time and effort but it’s well worth the investment.

See also: Educating your staff about online security