How do you embed Cyber Resilience in New Employees?
75% of UK workers will be job hunting this January (according to Reed). With many workers pondering new year career resolutions, your business may also be welcoming new starters into the office (or onboarding them remotely).
But what information and tasks should a new employee complete before starting a new job to help keep themselves and your business secure? To help, we have created a Cyber Security New Employee Checklist for employers, which includes further tips and links to other security resources to help your business improve its resilience to cybercrime.
New Employee Cyber Security Checklist for Employers
Recent research showed that UK workers are still going into the office (an average of 1.5 days a week), so you must lay down the basic policies and instructions for any new employee.
Cyber Security Guidance specific to office-based employees
Implement Security Policies - Manuals, IT Guidance, Confidentiality (or Non-Disclosure) Agreements
Provide them with physical security access - keycard, parking pass, etc.
Set up their account access - websites, social media accounts, software, Slack, Canva
Device setup - Laptop, account, GDrive access
Ensure firewalls and anti-virus software are enabled
Give them password guidance & access to your password manager
Show them how to store physical and digital files
Tell them how to share sensitive data with colleagues
Ensure they know how to lock their computer and desktop
Do they know what to do if they receive a phishing email or are the victim of a cyber attack?
Do they need to know their role in your company's Cyber Incident Response Plan?
Are your employees using ChatGPT?
Make sure you clearly define the scope within which employees may use chatbots (like ChatGPT) and any limitations that apply.
Review this regularly so it stays up to date with any new regulations or legislation that may emerge.
Cyber Security Guidance specific to Asset Management
The NCSC offers a working definition of an asset, points to valuable data sources, and details how asset management and cyber security can be mutually beneficial. Learn more about Asset Management here.
What devices do your employees have access to?
Laptop / Computer / Phone / Tablet
Guidance specific to Remote / Hybrid Workers
With the growing trend of companies having employees who work 100% remotely or spend a couple of days in the office, you must make employees aware of the security risks they may face. So here are some of the questions you should ask any new hires.
Are they suited to working from home or working remotely? What do they need?
Do you have a policy on home working / remote working / BYOD?
Ensure employees do not use personal social media or eCommerce accounts on work devices.
Make sure employees have account access across multiple devices
Ensure they're aware of your Password Manager
Set them up with your company VPN
Advise them on when they can and cannot work away from home, and how to secure themselves in remote environments (cafes/airports/hotels)
What policies should be covered by employers with employees?
A business can implement as many policies as it likes, but they must cover everything relevant to your company and its processes. To help you get started, here are five policies that every business should implement with employees.
Cyber Security Policy
The more we rely on technology to collect, store and manage information, the more vulnerable we are to security breaches. Human errors, cyber-attacks and system malfunctions can cause financial damage and may jeopardise your company's reputation.
A cyber security policy outlines your guidelines and provisions for securing your data and technology infrastructure.
Anti-Virus / Anti-Malware Policy
An Anti-Virus policy aims to promote the use of anti-virus and anti-malware software. Employees should be educated about the Policy and given directions to ensure all legal regulations are followed.
Password Policy
Compromised passwords are among the most common causes of data breaches, which is not surprising when people set weak passwords such as '123456' and 'Password'. Businesses should mitigate this threat by creating a password policy that outlines specific password creation instructions.
Device Usage Policy
This Policy explains your company's rules on the use of work devices, and of personal devices, during work hours and when working remotely.
Work From Home (WFH) / Hybrid Working Policy
Working from home needs to be managed carefully, especially with new hires, so you must have a working-from-home policy in place. Your Policy should outline what homeworking means and how employees can ask to work from home. In addition, it should outline the working-from-home rules that are specific to your business.
What guidance is needed when using work devices?
If you hand over a new laptop, mobile or tablet to employees, they must know the security basics. Check out our guide on 'How to ensure new devices are secure from cyber attacks.'
Show them how to create a data backup - does this include the cloud and an external drive?
Show them how to update software, applications and devices
Make sure that devices have encryption enabled
Ensure each device has a VPN, and document which devices have access to your company network
What company account passwords and account access do they need?
What guidance is needed for using any online company accounts?
If you hand over the keys to your Twitter account to employees, they need to know some basics.
What passwords are on each account? Do they need guidance when creating their account?
Run them through the account's privacy settings
Ensure they have specific user roles - avoid giving admin access
Which devices can they be logged in to?
Do they need a Bring Your Own Device (BYOD) policy?
What guidance do employees need when using Social Media?
Do they need guidance on what they post on their personal social media accounts?
Do they need guidance on what they post on work social media accounts?
Make sure you review the personal privacy settings on these accounts.
What training should a new employee receive?
All employees should receive a basic level of Security Awareness Training
Has it been completed?
Do they know where to go if they have any technical issues?
Training on the basics of GDPR and how you handle data
Training on the use of Social Media at work and when talking about the business
Training on any in-house systems your business uses
Training on new and emerging tools like ChatGPT and other AI services