The employment contracts specify the responsibilities of the employee and the organization for cyber security.
Contracts should include e.g.:
All employees handling confidential information should sign a confidentiality or non-disclosure agreement before processing confidential information.
The agreement should include e.g.:
Confidentiality and non-disclosure requirements are reviewed at regular intervals and whenever changes affecting these requirements occur.