ICO mandate cybersecurity training for all employees.

Posted on March 3, 2022 by Louise Howland

Most organisations understand the need to take cybersecurity seriously, spending increasing amounts of money on firewalls, anti-virus, password complexity and multi-factor authentication. However, a vital part of Cybersecurity protection still isn’t getting the attention it deserves. Employee training is arguably one of the most critical elements of an organisations defence. Training staff once does not provide enough protection against cybercrime. Training should be comprehensive and regular and the Information Commissioners office (ICO) has now mandated this for organisations.

The Information Commissioners Office (ICO) is the UK body that is responsible for prosecuting organisations that fail to keep data safe. In December 2021 the ICO issued new guidance saying that they expected that all staff and volunteers that have access to data, should receive cyber awareness training as part of their induction, within 30 days of starting and before the employee is granted access to any databases containing personal or sensitive data. Furthermore, they mandate that training should be ongoing for all employees.

If an organisation suffers a cybersecurity breach and (as is required) reports it to the ICO, the ICO will expect that organisation to be able demonstrate completion of training by all new starters and ongoing training for all employees and management of non-attendees. The official guidance is here, but to summarise from the ICO website:

Induction and refresher training

Your training programme includes induction and refresher training for all staff on data protection and information governance.

Ways to meet our expectations:

Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade.
Your staff receive induction training prior to accessing personal data and within one month of their start date.
Your staff complete refresher training at appropriate intervals.

Have you considered the effectiveness of your accountability measures?

Could we observe your training delivery methods?
Is it effective?
Do you follow up on ‘no shows’?
Could staff explain their training records?

Although all employees should receive the training, we have noted from support calls to our helpdesk, cybercriminals often target new starters using LinkedIN harvesting, to track when people start new jobs. New starters are unfamiliar with the organisation and people they are working with, and keen to make a good impression, which makes them easy picking for cybercriminals

Failure to comply with this guidance could lead to a greater fine or other penalties in the event of a breach. We recommend all organisations have in a place a regular, comprehensive and trackable cybersecurity awareness training solution.

ramsac have partnered with KnowBe4 – who offer the world’s largest library of cyber training. Cybersecurity awareness training from ramsac is an easy to administer, companywide training & awareness programme, delivered in bite-size, videos, directly to your inbox every month. The interactive training gives users a fresh new learner experience that makes learning fun and engaging, the most popular series on the platform is the award-winning original series ‘The Inside Man’ which feels more like watching a Netflix drama! The platform records who has and hasn’t completed the learning, and reminds non attendees – and their manager, if they are falling behind, automating most of your management obligations.