Internal staff training is an important step for any organisation for improving efficiency, skillset and policy/security awareness. The ICO even has a checklist for small and medium-sized organisations: https://ico.org.uk/media/for-organisations/documents/1606/training-checklist.pdf
In Sept 2017 we started a new approach to our staff training sessions and system. The approach we followed was:
- Created a training group which included senior members of our technical team from the programming and server divisions, who acted as both mentors and training coordinators.
- The group discussed frequently which topics needed training or revision and when these could be scheduled.
- A selected topic was then assigned to one of the group members, who then had to write a whitepaper on it, which was used as the reference for the training session.
- A training session was then conducted for all our staff members. We always include a Q&A session.
- The training session was also video recorded (usually the projected screen and the audio).
- The whitepaper and video are shared at the end of the training session.
- An assignment may also be given to the staff based on the topic, which needs to be completed within a limited time frame.
- Additionally, staff members also have to clear a questionnaire which asks a series of questions on the given topic. It is declared completed if they answer all the questions correctly.
Over the past 5 months we have had sessions on the following:
- Our official handbook, which covered ICO recommendations on privacy and how to respond during a security incident.
- The new Git version control process, and how emergency changes have to be done. Basically, Git keeps track of the versions of the application, what changes are being made by whom and when, and allows reverting changes if needed.
- Git special-case scenarios.
- Using X-Sendfile for authenticated downloads, and using Linux malware detection and antivirus scanning on uploaded files. This helps secure our file uploads, given how often upload functionality is exploited, and provides an efficient method for authenticated downloads.
- OWASP Top 10 security vulnerabilities (over multiple sessions). This included live demonstrations of the vulnerabilities and their fixes.
- Basic server commands in Linux. Our expert server administrator demonstrated the commands and their use.
- Apache, PHP and MySQL behind the scenes, and their configuration.
- Page speed optimization.
- Our PHP framework.
- Normalization and efficient SQL queries.
During this time we also conducted 2 short surveys to get feedback from our team. To ensure the staff could answer honestly we used Google Forms (https://www.google.com/forms/about/) and did not require login, so that the feedback was anonymous.
We got some interesting feedback which helped us tweak our training sessions, including moving the sessions to a different room for comfort, and adjusting the frequency of the sessions. We also got a great response on the topics our staff were interested in, which helped us shape our next sessions.
We recommend that all organisations take up internal staff training, and here are a few tips we have learnt over time:
- Keep the presentations/sessions short, ideally not more than 1 hour.
- Keep it funny and interactive so that staff do not get bored.
- Include the right staff members for the session.
- Inform staff about the session well in advance.
- Follow up the sessions with the whitepaper and video so that staff can refer to them, and those who missed the session can catch up.
- Conduct a simple 1-minute survey to get feedback.