Employees and Cyber Security – The Importance of Education

  • 26 Sep 2019
  • Written by David

It is tempting for business owners to think that their organisation’s cyber security risk is completely mitigated by installing software, or that the IT department or IT company is wholly in control. Neither is true.

The right tools are critical, of course.  However, as the proverbial phrase goes: a tool is only as good as its user. 

In IT, especially, we are all dependent on end-users to know how to react when they get warnings or prompts from programs.  It’s unreasonable to expect employees to take risks seriously if they don’t understand them.

So how can you truly and effectively reduce business risk? 

Employee education. Your staff have some degree of control over every type of IT security. It follows that their cyber security understanding directly affects your business’ cyber security risk.

The importance of policy as a precursor to cyber security awareness education

The first step to take is to develop the right policy for your organisation.  Without policy, there is no clarity. 

For example, organising generic user awareness training without having an underlying policy means the understanding gained by your staff isn’t applicable to their daily roles. Hence, it isn’t truly enforceable.

Furthermore, asking an IT company to come into your business without any groundwork on how you want to manage IT business risk will lead to misunderstanding. Often, the IT provider will have to enforce industry best practice which, for many companies, might be overkill and could lead to a restrictive working environment.

Policies regarding cyber security risk might fit under:

  • A generic IT / Acceptable Use policy;
  • A more specific security policy;
  • Niche policies on, for example, device usage.
Build education on a strong foundation of company policy. Ensure that it includes all of the areas which pose a business risk.

Let’s look at four common areas that pose a risk to SMEs:

  1. Public / untrusted Wi-Fi;
  2. Phishing;
  3. Password management;
  4. Devices.

These are some of the most employee-involved aspects of cyber security. Other areas of cyber security tend to run silently in the background and don’t require much user/employee input.

Public and Untrusted Wi-Fi - cyber security risk

Your employees need to be educated on what the policies are, and how they should apply them in everyday life. For example, should they refrain from opening company documents on public Wi-Fi networks? Will you provide them with additional security steps to take in these environments? Or should public networks be avoided entirely? In “Are All Public Wi-Fi Hotspots Created Equal?”, we discuss the perils of public Wi-Fi. It’s packed with advice and it lays out your options as a business.

Phishing response - a key area for cyber security awareness

Phishing is probably the most commonly used tactic to maliciously compromise your business. And it’s often successful.  Your employees are the main line of defence against this considerable business risk.

If you’re unsure of what I mean by phishing, take a look at our previous blog “Phishing - What SMEs Need to Know”.

At Nimbus Blue, we split phishing education into three main steps: train, test, analyse.  The programs run for 12 months in quarterly cycles. The aim is to expose your users to phishing simulations before facing the real deal.

The cycles allow us to pick up on who is struggling to understand how to identify and process phishing attacks.  This isn’t run as a trap to make employees feel bad. It’s a way of working out who and what to focus on regarding cyber security risk.

Password management as business risk management

Do your staff know whether it’s safe to use Apple Keychain or fingerprint recognition? How about Face ID, or internet browsers storing passwords to autofill? There are many aspects to educating users on passwords. Consider conducting an audit within your organisation to assess the current level of understanding. This provides a basis for further learning and potential improvements.

The importance of device usage

In SMEs, device management issues are rife – and I don’t say this lightly! Fortunately, compliance has trickled down from large corporates, so SMEs are becoming more mature in managing laptops and servers. However, we live in a world where over 36% of us have smartphones, and many of these smartphones double as work phones.

Perhaps your employees are accessing sensitive documents on cloud-based systems like Dropbox over publicly accessible networks, without the strong security of your office environment.

Small businesses need to wake up to this risk, perhaps more than any other, and look seriously into MDM: Mobile Device Management. 

Depending on your company’s stance, written into policy, you might:

  • Encourage BYOD (Bring Your Own Device), which must then be carefully monitored to ensure personal access isn’t compromising organisation security - perhaps access to work resources is given only through a whitelist;
  • Give staff company-owned mobile phones - this can be unpopular, as many people don’t want to carry more than one mobile phone.

Unlike desktops and laptops, the lines between personal and work usage of mobile phones are blurry.  Therefore, the solution in policy needs to fit the organisation. It needs to subsequently be enforced as soon as someone joins your company.

Cyber security awareness - policy, then education

The risks and threats might seem scary, but they don’t have to be.  Take small steps.  Decide your company’s stance on risks; develop policy; organise education and training.

Your security is only as strong as your weakest link.  Though an overused phrase, it is an entirely accurate analogy in the world of cyber security risk.  You might be undermining all of the work you’ve done in other areas of IT just by allowing staff to connect their personal devices to the corporate network without having the right education or awareness.

Nimbus Blue helps its clients to put in place cyber security measures and educate staff. For example, for BYOD, we would create a partition inside the device that separates everything work-related from personal use. We can, therefore, help you to control and manage devices through encryption and protection.

If you’d like to find out more about how Nimbus Blue can help address your business risk, contact Jamie on 01224 608190 or by email.