Blogs & Opinions 12.12.2023

What the UK Can Learn From German Employee Cybersecurity Training

Sometimes the apples really are greener…

Having worked in both UK and German organisations, Pearl Kasirye compares apples for apples in cybersecurity training and employee onboarding, finding some of the apples are a lot healthier than others…

I’ve had the privilege of working internationally. I worked at an agency in London for about three years, and now I work for Helpling Group in Berlin, Germany. During the onboarding and training process, it was clear that there was a significant difference in the way the German company handled cybersecurity. Within the first week of employment, all new employees are required to undergo an online cybersecurity training course that is developed by cybersecurity experts and GDPR legal experts. At the end of the course, there is a brief assessment to check whether employees fully understand the concepts and what is at stake if they are negligent with cybersecurity. This made us all pay closer attention to what we were learning because we knew an assessment would be sent to HR for review. Once the assessment is passed, employees receive a certificate to prove they’ve completed the course and are ready to handle sensitive company information and work with client data.

Cybersecurity and data protection laws in the EU are very strict, and this was the first time I had worked for a German company. I was accustomed to British corporations that did not prioritise training all employees in cybersecurity. Perhaps it’s because the laws are not as stringent in the UK as in Germany, but it has taught me a few things.

Cybersecurity isn’t just for the IT department

Companies in the UK can learn from what German companies are doing by providing cybersecurity and data protection training to their employees at the start of their employment. This means that anyone handling company or client data should be well-trained to avoid causing security breaches in the system. Whether it is an intern working for a few months or an employee working in customer relationship management or finance, each employee should have the same training to create a higher standard of cybersecurity across the company.

The most crucial cybersecurity principles I learned in this German company have entirely changed how I handle company data. They have also encouraged me to let go of many of the old habits I’d picked up when I worked in the UK. The German company gets every employee a new laptop and ensures they follow the strict rules about downloading apps on the work laptop.

My team and I learned to:

  1. Think twice before downloading new software (we always consult the IT department)
  2. Avoid connecting to unsecured public WiFi networks without a VPN
  3. Avoid phishing scams, through monthly training
  4. Handle sensitive client data according to the EU’s GDPR regulations
  5. Handle company documents with care and ensure that we only use our work emails for work stuff
  6. Create and store secure passwords using software tools like 1Password

The list goes on, but these are some of the top things we learned during our first week. This set the tone for our time at this company and forced us to unlearn some bad habits we’d picked up from previous companies we’d worked at. Since the company invested time in training us on cybersecurity and data protection, we were well-equipped to do our part in protecting company and client data.

The British company I previously worked for did not offer this much training and only spoke briefly about avoiding phishing, but not much else. This meant that we were vulnerable to cyber attacks as most employees were unaware of the risks involved with some of their online behaviour. Companies shouldn’t assume these things are straightforward because they’re not. It’s important to set a standard so that every new employee is given the necessary tools to do their job well and help keep company and client data safe and secure.

My advice is…

Take a moment to consider whether your company is doing enough to educate and train employees in different departments about cybersecurity and data protection. Are employees required to learn about the basic principles of cybersecurity? Are the employees all held to the same standards? Are there regular phishing exercises used to show employees the most common types of email scams online? Cybersecurity can be compromised by anyone in the company who has access to company and client data, which is why anyone who has access to this type of data should receive the same level of cybersecurity education. Equip them with the understanding that they need to do their part in protecting the company’s cybersecurity.


Pearl Kasirye is the content marketing manager at Helpling.
