My colleague Neeraj Thomas in his previous cyber security blog wrote of the old adage that “prevention is better than cure” when it comes to managing cyber security risk.

In the 2016 Cyber Security Intelligence Index, IBM found that sixty per cent of all attacks were carried out by insiders, i.e. employees. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors. Prevention therefore starts at home.

A key step which employers can take to reduce “internal” cyber security risk is to ensure that they have effective written policies and procedures in place in relation to the use of information and IT systems. Policies on data protection, acceptable and secure use of IT systems, bring-your-own-device arrangements and use of social media should now form part of the suite of standard policies every employer has in place.

Contracts of employment and contractual arrangements for atypical workers should also reflect the importance of compliance with internal policies and procedures and include appropriate protections in relation to data protection, confidential information and protection of intellectual property.

But, of course, it’s not enough just to have robust written policies and contracts in place. Users must be aware of these, educated on them, and warned of the consequences of failure to comply, both in terms of the risk to the organisation and as far as their own future employment or engagement is concerned…

From an employment law perspective, breach of well-drafted and relevant employment policies and procedures can justify disciplinary action up to and including dismissal, provided employees are aware of the procedures and have been warned of the consequences of failing to comply with them.