M.6) Make sure that the founders and employees are sensitized

Category: Periodic, Corporate Security

Responsible: CSR

Effort: 5 hours, 1 hour per employee

Based on: BSI IT Grundschutz M 2.312 / M 2.331 / M 2.332 / M 2.557

Since it is impossible to prevent every information security event, it is important that every employee in the company (including the founders, freelancers and trainees) knows how to deal with such an event. Therefore it is necessary to work on employee awareness by running regular trainings, providing well-designed information and sending regular news and warning messages about current threats.

The following approach serves as an example:

1) Create training material and an emergency process

Before employees can be trained, the information security responsible(s) should consider their target audience and what they want to communicate to the staff. Based on this, training material should be created and made available to everyone in the company.

Other measures of this guide recommend to:

  1. Create a place where all information about security is stored
  2. Establish information security incident management procedures

Just as it is advisable to store the emergency instructions and checklists in a central IT security directory, it is advisable to store the training materials there as well (or at least a link to them if trainings are managed globally).

It is necessary to differentiate between the emergency procedures for employees and those for the information security responsibles. While the IT security responsibles may need checklists for documentation, preservation of evidence, restoring servers and databases, etc., employees only need to do the following:

  • Document what happened
  • Inform the information security responsibles
  • Disconnect the computer from the internet/network

More details can be found in the chapter for measure 15.


2) Perform annual trainings

Each employee needs to know

  • what kind of basic threats there are,
  • what kind of symptoms they show,
  • how they can be recognized and
  • what he or she needs to do in case of an emergency or a suspected incident.

Because not everyone in a company has studied computer science or information security, it is necessary to train people on these topics. This should be done at least once for new employees, but it is also good to repeat this kind of information sharing. This could be done periodically in team meetings or in dedicated annual refresher trainings.


3) Establish additional information channels (each month or quarter)

In most cases, one training per year is not enough to sensitize everyone within a company. People need to be reminded of and confronted with the topic of information security, so that everyone stays aware of the threats and how to deal with them.
