Information Security and your staff

20 Sep, 2017

In our recent blog we look at some common information security breaches likely to be made by employees and ways to avoid them.

You would have to have been living in a bunker over the last few years to have missed all the hype around information security and its relevance to your business.  Most businesses appreciate by now that improved secure technology is a good way to protect your biggest business asset, your data.  No doubt as a business you have various technological improvements in place to assist your information security.

But do you realise that your staff can be your biggest information security threat?

Have you considered the following which are all examples of how employees can breach your information security?

  • Opening unknown e-mail attachments;
  • Forwarding suspicious e-mails;
  • Clicking links in e-mails;
  • Visiting unsecure websites;
  • Leaving confidential paperwork on desks;

And what about these ones?

  • Holding conversations about clients in open plan reception areas;
  • Allowing unauthorised individuals to wander around your office;
  • Leaving computer screens open;
  • Taking paperwork out of the office;
  • Home working;
  • Working on public transport;
  • Using their own devices for work purposes.

So what can you do to help your staff become part of the information security solution for your business not the problem?

Robust Procedures

It goes without saying that the starting point has to be putting robust policies and procedures in place.  All businesses should have something in place in this regard.  If you haven’t already, create policies and procedures that are relevant to your business.  These should not be complex or overly long but cover all the things needed to protect your business such as e-mail usage, internet usage and document control.  Polices should be in plain English and avoid jargon.  (We will be covering information security policy content in more detail in our next article).

Policies should be easy to access by staff and regularly updated to take account of the rapidly changing nature of information security knowledge.

Relevant Training

On policies

You can have all the great policies and procedures you like but if you don’t train your staff in their usage they are all but useless.  Therefore staff training is essential.  All new starters upon induction should be made aware of the policies.  It is best practice to get them to sign that they have read and understood these policies.

As for existing staff, they should be trained as part of integration of the policies.

Staff should be made aware of the importance of the policies i.e. that they are not just there to make their job more difficult.  Staff may try to circumvent processes and procedures if they feel that they are slow.  However, frequent reminders that they are in place to provide a method for securing confidential data will help avoid this.  Further, it will probably serve you well to remind employees that as their employer you hold significant confidential data on them and therefore any data breach could have an impact upon them not just your clients.

On the basics of information security

Whilst it’s a good idea not to seek to scare employees with too much information, teaching them the basics of good information security habits/terms is a good thing.

Firstly, all employees should be made aware of the following:

  • Spam
  • Malicious e-mails
  • Phishing whereby e-mail or malicious websites are used to collect personal or financial date or infect machines with malware/viruses;
  • Spear phishing targeted against smaller groups;
  • Password usage (see our previous article on effective password management here)
  • Confidential waste;
  • Data encryption in e-mails;
  • Securing paper files in filing cabinets;
  • Clean desk policy;

Secondly, all employees should be reminded that any updates that are prompted by their computer/tablet/mobile should be done immediately.  It is easy to hit ‘cancel’ when these pop up but it is important to have the most up to date software to handle the most recent viruses and bugs.

Ongoing Training

Training of staff should be ongoing.  Even if your polices don’t change, ongoing staff training acts as a useful reminder for staff about the things they should be doing to minimise your threat of an information security breach.  Further it helps to keep on top of emerging threats and how to deal with them.  As a minimum we would suggest quarterly updates for staff.

Open reporting environment

The key thing for employees is to create a safe environment for them to report if they feel either that they have breached your information security policy or if they feel another member of staff has.  Employers should operate on a no blame basis where employees learn from errors to ensure that the same thing does not occur again.

For more information on information security and how ISO 27001 can help you and your staff please click here or contact our Client Services Team on 01905 670303.


ISO Quality Services Ltd are proud to specialise in the implementation and certification of the Internationally recognised ISO and BS EN Management Standards.

Do you want to get ahead of your competition? Win more tenders or save time and money on reoccurring issues? Contact us today on 0330 058 5551 or email

Alternatively, you can request a quote by filling out our enquiry form and a member of our team will be in touch shortly.

Related Posts

Why Make Your Recruitment Agency Your Partner?

12 Sep, 2022

In a candidate driven market how can you not only attract the right applicants, but ensure you’re gaining a long-term employee who will grow with your business?

Environmental: Aerial view of green land and blue sky

How Can SECR Help You Reach Net Zero?

16 Aug, 2022

Net Zero, Greenhouse Gas and Environment issues are driving Commercial Energy obligations and responsibilities are changing worldwide. The UK is leading this revolution.

Our Award-Winning Week!

15 Jul, 2022

Less than a week after our win at the Worcestershire Social Media Awards, we were proud to be taking home another award, but what did we win this time?

ISOQSL Bingo Box an Award Winning Campaign

4 Jul, 2022

We were excited to attend the Worcestershire Social Media Awards last week where we were up for a whopping five awards including Best Social Media Campaign by a Business for our Christmas charity campaign.  Here’s how we got on…