Security Check for your Organisation

Knowing where you are, before knowing where to begin

How secure is my organisation? It is more important than ever to ensure that information security best practice is adhered to, both in the office and when working from home.

Depending on what that best practice looks like can vary depending on your organisations size, industry, and what information it holds on customers, stakeholders, and staff.

The constant in this situation, is the need to determine the point your information security is at. Before deciding what changes need to be implemented to increase your organisation’s security, you must first understand where standards are currently.

Start at the beginning

So first we need to know what good looks like – what the steps are in getting there and how to avoid pitfalls.

Good for us is about secure culture – where we are successfully changing behaviours and having a palpable impact on risk. Where security is talked about and considered business as usual.

But when it comes to assessing your organisation’s current security level and the steps needed to ‘level up’ only you can properly work out whether your house is made from straw, sticks or bricks.

So, how secure is my organisation?

When assessing how secure your organisation is currently, we recommend following The SANS Institute’s cybersecurity maturity model, which breaks the stages of organisational security maturity into five levels.

Step one: No Awareness Programme

No security awareness programme currently exists within your organisation. Your employees are unaware of the potential risks they face, which means they are susceptible to potential security risks such as phishing, ransomware, and non-compliance with GDPR and theData Protection Act.

Step Two: Compliance Focus

Your organisation is at a stage where security is being considered, but its merely an exercise in ‘ticking the boxes’. This usually means that organisations will engage their employees in once-per-year, uninspired training, usually consisting of quick videos and unengaging instruction, neither of which produce meaningful behavioural change

Step Three: Promoting Awareness and Behaviour Change

Your organisation has bought into the importance of security awareness and the importance of making positive changes to your organisation’s security culture. The training programme in place is regular and involves the use of simulated phishing to give an idea of how employees behave when faced with a threat. Your employees are getting used to being secure throughout all aspects of their work, but its still not their first instinct.

Step Four: Long-term sustainment and culture change

The security awareness programme in your organisation has been in place for some time, and gradually, staff are starting to think of security before performing all tasks involving data or potential security threats, for example instinctually checking that a person in your office they don’t recognise is in the right place. Whilst doing so however, employees still feel as if they are going ‘above and beyond’ what is expected of them.

Step Five: Robust Metrics Framework

Security now feels like second nature in your organisation. Staff understand why these procedures are so important, and perform them without question, regarding this behaviour as a key part of their responsibilities. Further to this, the team within your organisation who manage the security awareness initiative meet regularly to discuss what areas can still be improved, and this information is communicated to the senior management team regularly to ensure that employees and the organisation as a whole is always improving and moving forward.

To assess where you need to go next with your organisation’s security awareness and asking the eternal question of how secure is my organisation, you need to objectively determine currently stand in relation to this model.

There is no shame in being in the early stages of, or perhaps not having even considered security awareness. Recognising this and planning on how your organisations security awareness can be improved is the crucial first step.

I’ve determined how secure my organisation is currently. Now what?

Once you have determined where your organisation’s awareness sits currently, you will be able to determine the steps needed to begin building a secure culture within the organisation.

The best security awareness programme for your organisation will consist of training that happens frequently that your employees buy into. This coupled with great internal comms from management that demonstrate the importance of security awareness and why everyone needs to adapt these behaviours, will have your organisation on its way to improving security and ensuring that potential issues are recognised and resolved before they become a problem.

Finding training that helps build a comprehensive solution to the issue of human error also allows an organisation to not only mitigate the risk to information security, but also allows a business to avoid the reputational damage that comes with a data breach. Not to mention the large fines that are now levied against organisations in violation of data protection.

Hut Six Information Security Awareness Training

Featuring twenty-six comprehensive tutorials covering all aspects of information and cyber security, Hut Six’s training is focused on demonstrating learning outcomes. With Hut Six’s learning management system (LMS), employers can assess and track the achievements of staff and better understand areas for improvement.

If you would like to learn more about how you can protect your greatest assets with unique and engaging information security awareness training, click the link below.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


Ransomware Propagation

How Does Ransomware get on your Computer?

How Does Ransomware get on your Computer? Chances are that in the last few years you've heard the term "ransomware". Blog by Hut Six Security.

Auditing for GDPR Compliance - Guest Blog

Guest Blog: How to Audit Your Business for GDPR Compliance

How to Audit Your Business for GDPR Compliance with a GDPR Business audit. Hut Six Security guest blog by

The Data Protection Act - Personal Data Breaches

What is a Breach of Data Protection?

What is a Breach of Data Protection? The Data Protection Act - Personal Data Breaches, Reporting and Consequences. Blog by Hut Six Security

Ransomware in the Education Sector

University Hit With $1.14m Ransomware Attack

University of California Ransomware Attack: a $1.1.4m ransom has been paid following a ransomware attack on University of California's School of Medicine.

Purpose of the Data Protection Act

What is the Purpose of the Data Protection Act?

What is the Purpose of the Data Protection Act? Blog by information security awareness training solution provider Hut Six Security.

Remote Working Security

Top 3 Remote Work Security Lessons

Top 3 Remote Work Security Lessons: remote work security blog by information security awareness provider Hut Six Security.

Data Protection Act Regulators

Who Regulates the Data Protection Act?

Who Regulates the Data Protection Act? Data Protection Blog by Information Security Awareness Training provider Hut Six Security

NHS Phishing Attacks

NHS Email Accounts Compromised in Phishing Attack

NHS phishing attack sees email accounts compromised as part of an attack targeting a wide range of organisations Blog by Hut Six Security.

Data Protection Act Enforcers

Who Enforces the Data Protection Act?

Who Enforces the Data Protection Act? Principles, Protections and Penalties. Blog by Information Security Awareness Training provider Hut Six Security.

How to improve your password security

How Secure is Your Password Process?

How Secure is your Password Process? Password security blog from Information Security Awareness Training provider Hut Six Security.

Speak to us about your Cyber Awareness