InfoSec / Cyber

Freedom of information text on a white keyboard

How to Assess your Data Security

Cyber attacks are on the up, and with the education sector seeing the highest number of cyber attacks of any sector since the start of the pandemic, as well as the highest increase in attacks in that same period

(read our article on it here), we’re all aware of how important cyber security has become, and the steps organisations must take to protect themselves against these attacks. However, it can be hard to understand exactly what steps your organisation can take, and the metrics we can measure to better understand how well protected we are from these attacks. An article by SANS has provided a breakdown of how your organisation can look at the security measures you have in place, and what to assess in order to establish whether or not you are in a good position to protect yourself against cyber attacks. The end goal of this is to create a security awareness program with a strong metrics framework.

The article first says that an organisation should measure their top human risks. For most, this is Phishing, Passwords and Updating. This article will be split into these different categories, and will detail how your organisation can define the behaviours that manage these risks, as well as how you can measure these behaviours. The sans article also suggests that you should decide on whether you want to measure behaviour based on individuals, or by role/department. If you decide to do it on an individual basis, you should ensure that your organisation is taking steps to protect the data and security of each individual.


Globally, Phishing has been the number one driver for breaches for the last three years. It's a key area of infiltration for cyber attackers, and they continually bypass any controls that are put in place to counter them. Therefore it's vital that individuals in your organisation are trained to identify and report them. After training your employees, it's important to test their response to phishing emails, and ensure that they aren’t susceptible to them. There are various metrics you can use to assess your employees’ responses to phishing emails:

Click Rate- Once you first train employees, click rates should fall a fair amount, from around 20% to ~2%. Your aim isn’t to have a 0% click rate however, as for some (newer employees) this would be their first phishing training event.

Repeat Clicks- This is the best tool for phishing that your organisation can use, as it shows who is repeatedly clicking through the phishing emails and aren’t changing their behaviour, meaning that they are continually susceptible to phishing scams. These employees would therefore pose the highest risk to your organisation, and should be trained more thoroughly.

Reporting Rates- This is a useful tool, as a workforce that has been trained to report any suspicious emails is an organisation’s best tool to counter any harmful phishing attacks. The metric to look for here isn’t the total number of reports, but how quickly the IT/security team are receiving reports of suspicious emails from employees, as the faster the relevant team(s) becomes aware of any suspicious emails, the quicker they can work to minimise/eradicate any negative impacts.

At Data Protection Education, we have our own Phishing Simulation Tool which allows you to carry out the practices mentioned above by sending ‘fake’ emails to employees, and receive feedback on the number of clicks, and who gives information that they shouldn’t be providing.


Passwords also continue to be one of the main ways in which attackers gain access to an organisation. Hackers have moved recently to attacking networks by using legitimate accounts, which means that they can go undetected for longer periods of time. Therefore it's vital that your organisation uses strong passwords, and the use of passwords is secure. In terms of using strong passwords, it is now recommended that passwords are long, and Passphrases are used. You can test the strength of passwords by using ‘brute force/cracking solutions’ against password databases. Using multi factor authentication is also a good way of securing the use of passwords. Assess how many of your workforce are using MFA, and encourage/ensure that employees are doing so. It is also important to understand if employees are reusing passwords for multiple accounts, or sharing passwords with other employees. This can be done through the use of surveys to understand if there exists a culture within the organisation to carry out these practices. Once you are aware that employees are potentially using the same passwords/sharing theirs with others, steps can be taken to outline to employees that this poses a danger, and increases your risk of being a victim of a cyber attack.


The sans article states that of the three areas of discussion, this one may not apply to your organisation. It’s important that the systems, software and hardware that people in an organisation use are up to date and have the newest anti virus software. For some organisations though this might not be an issue, as employees might not have admin rights, and the tech that they use will be automatically updated companywide, and actively patched by IT. However, this is actually becoming a bigger issue as more and more people are working from home since the pandemic, and are using personal networks and their own devices. The article outlines three ways that this can be measured.


  1. For any devices that are used in your organisation, the IT department should be able to remotely track the update status of them to ensure that employees are using the most up to date software and network versions.
  2. For any Learning Management System, it may be able to track any software, device or browser version of anything that connects to it.
  3. Ensure your workforce are aware of the importance of keeping their devices up to date when it comes to preventing cyber attacks.

Strategic Metrics

Collecting data on the above metrics then allows you to understand the human risk that your organisation needs to counter when it comes to data security. You can identify which departments, teams or areas or the workforce have behaviours that leave you at higher risk of being cyber attacked, as well as the departments, teams and areas of the workforce that are the most successful at being aware of the steps they need to take, and why they are doing this. This can then give you an idea of how to train those whose behaviours need to change, with the aim being to have a workforce who as a unit understand how they play a vital role in minimising the likelihood of your organisation being victim to a cyber attack.

The full article by sans can be read by clicking here.