NCSC’s Ten Steps in-depth: Chapter 2 – engagement and training

The National Cyber Security Centre’s (“NCSC”) Ten Steps to Cyber Security guidance aims to help medium and large organisations improve their security posture. It takes the form of ten chapters – each on a separate topic or ‘step’. Combined, these 10 Steps deliver a holistic approach to information security.  In this series of articles, we will take a granular look at each of the NCSC’s 10 Steps in chronological order.  

Is the NCSC’s Ten Step guidance right for my organisation?

The NCSC’s 10 Steps are suitable for medium to large companies with at least one employee whose role is dedicated to cyber security. 10 Steps focuses on more than critical security controls, which is the remit of Cyber Essentials, by covering security management considerations like risk management, incident management, supply chain security and security awareness. We have written a detailed guide on Cyber Essentials, which you can download for free.  

Step 2: Engagement and training – put people at the heart of your cyber security strategy

The second step centres on engagement and training. It is about ensuring that you provide your staff with the knowledge and resources they need to work securely.  

Thorough training programmes are an excellent way to communicate security requirements and expectations across the organisation, giving companies a vehicle for explaining security policies and procedures, and rules of behaviour and ensuring users feel accountable.  

As you create a training programme, you will hear three distinct terms: awareness, education and training. It’s essential to understand the difference between these three. As NIST Special Publication 800-16 notes:  

“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognise IT security concerns and respond accordingly.  

In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance.” 

There are more differences, too, between education and training. Whereas education aims to provide the recipient with an understanding of a subject, training validates the individual’s knowledge – perhaps through a written or online test.  

You’ll notice, also, that engagement is in the title of this step. This is because an in-depth training programme will only be successful if employees are thoroughly engaged and digest the information provided.  

Treating training as a tick-box exercise rarely results in the desired changes in employee behaviour. There’s a place for e-learning, but online training alone will not create the proper cultural practices. Likewise, online training is usually generic and doesn’t typically address the specific operational context and working practices of the organisation.  

An effective security awareness and training programme should be ongoing and delivered using a combination of approaches to improve employee knowledge and information security behaviours, with the aim of creating a genuine security culture. 

Why are engagement and training important for effective cyber security?

Humans are a common attack vector for malicious actors. Social engineering attacks, for example, prey on victims inadvertently clicking malicious links or attachments, while weak passwords were responsible for four-fifths of data breaches in 2020, according to the Verizon Data Breach Investigations report.  

The 2021 version of the same report found that 85% of data breaches involve some form of a human element: an employee, partner or supplier who accidentally – or, more rarely, intentionally – compromises security. This is why it is so vital for organisations to take a holistic approach to security. At the end of the day, we are all human and, innately, we will make mistakes at some point. It’s therefore paramount to create a security framework that protects your people from the worst-case scenario.  

As well as implementing robust security solutions, companies must also introduce robust awareness and training programmes that inform their employees about cybersecurity responsibilities, expected behaviour, organisational policies and how to use and safeguard company data and resources correctly.  

Who should my training programme be aimed at?

Security engagement and training should be a company-wide initiative aimed at the organisation’s entire user population. However, this is not to say that one training type will suit the whole organisation.  

While some modules will apply to all users, organisations should make a concerted effort to tailor their training modules to different audiences. Management teams, for example, may need incident response training. Similarly, specific functions with access to more sensitive information assets and escalated access privileges will need role-based training. These can include Software Development IT, HR and Finance personnel. 

How to design a suitable training programme?

The development of a security training programme can be broken down into three main steps: design of the programme, development, supporting material and, lastly, implementation. Your programme must be designed with specific goals in mind. The best training programmes feel relevant to the user and applicable to the organisation’s culture and IT architecture.  

How you go about designing and implementing your training programme will depend on the maturity of your IT security programme. Some organisations already have established awareness and training programmes, while others lack the funding and resources to develop a training programme internally.  

An excellent way to begin is to set the tone from the top. Have your senior executives communicate the importance of good security awareness and participation in training through formal and informal communications. This helps set the training apart from ‘boring compliance training’ to something more strategic and helps cascade down the right messaging through line managers. 

Resources to consider

There are numerous resources designed to help organisations develop and implement successful security training programmes. As mentioned, though, companies do not have to go at this process alone. Rather than creating a programme from scratch, you can seek the assistance of an established security provider, who will manage security awareness and training on your behalf.  

To learn more about this topic, we advise reading NIST Special Publication 800-50, which provides detailed guidance on how to create an information security training programme. As in the title of this piece, the NCSC’s 10 steps also has thought-provoking questions and considerations to help you establish a formal programme. The NCSC’s You Shape Security guidance also provides insights into building a positive security culture.  

Need Help?

We can provide onsite and live-online training and ongoing awareness programmes for you that are tailored to your business, the nature of the information assets you work with, your risk tolerance, and the roles of the individuals to be trained. Contact us today.