ICO mandate cybersecurity training for all employees.

cybersecurity image blog

Most organisations understand the need to take cybersecurity seriously, spending increasing amounts of money on firewalls, anti-virus, password complexity and multi-factor authentication. However, a vital part of Cybersecurity protection still isn’t getting the attention it deserves. Employee training is arguably one of the most critical elements of an organisations defence. Training staff once does not provide enough protection against cybercrime. Training should be comprehensive and regular and the Information Commissioners office (ICO) has now mandated this for organisations.

The Information Commissioners Office (ICO) is the UK body that is responsible for prosecuting organisations that fail to keep data safe. In December 2021 the ICO issued new guidance saying that they expected that all staff and volunteers that have access to data, should receive cyber awareness training as part of their induction, within 30 days of starting and before the employee is granted access to any databases containing personal or sensitive data. Furthermore, they mandate that training should be ongoing for all employees.

If an organisation suffers a cybersecurity breach and (as is required) reports it to the ICO, the ICO will expect that organisation to be able demonstrate completion of training by all new starters and ongoing training for all employees and management of non-attendees. The official guidance is here, but to summarise from the ICO website:

Induction and refresher training

Your training programme includes induction and refresher training for all staff on data protection and information governance.

Ways to meet our expectations:

  • Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
  • Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade.
  • Your staff receive induction training prior to accessing personal data and within one month of their start date.
  • Your staff complete refresher training at appropriate intervals.

Have you considered the effectiveness of your accountability measures?

  • Could we observe your training delivery methods?
  • Is it effective?
  • Do you follow up on ‘no shows’?
  • Could staff explain their training records?

Although all employees should receive the training, we have noted from support calls to our helpdesk, cybercriminals often target new starters using LinkedIN harvesting, to track when people start new jobs. New starters are unfamiliar with the organisation and people they are working with, and keen to make a good impression, which makes them easy picking for cybercriminals

Failure to comply with this guidance could lead to a greater fine or other penalties in the event of a breach. We recommend all organisations have in a place a regular, comprehensive and trackable cybersecurity awareness training solution.

ramsac have partnered with KnowBe4 – who offer the world’s largest library of cyber training.  Cybersecurity awareness training from ramsac is an easy to administer, companywide training & awareness programme, delivered in bite-size, videos, directly to your inbox every month. The interactive training gives users a fresh new learner experience that makes learning fun and engaging, the most popular series on the platform is the award-winning original series ‘The Inside Man’ which feels more like watching a Netflix drama!  The platform records who has and hasn’t completed the learning, and reminds non attendees – and their manager, if they are falling behind,  automating most of your management obligations.

Cybersecurity awareness training

Protect your organisation from Cybercrime.

Contact us for more information on how cybersecurity awareness training can help comply with ICO guidance and improve your cybersecurity protection.

Related Posts

  • Understanding the dangers of ‘Permission Creep’

    Understanding the dangers of ‘Permission Creep’


    This blog post explains what permission creep is, how it can expose sensitive data to unauthorised users, and what steps an organisation can take to prevent permission creep. [...]

    Read article

  • Using cybersecurity training to reduce an organisation’s risk of a cyberattack.

    Using cybersecurity training to reduce an organisation’s risk of a cyberattack.


    Cybersecurity training is an important tool for organisations to prevent and mitigate cyberattacks, we explore the types of training available to organisations. [...]

    Read article

  • The risks of ChatGPT, and the Rise of AI.

    The risks of ChatGPT, and the Rise of AI.


    Artificial intelligence (AI) is a game-changing technology in this blog we explore the risks and benefits of using AI-powered language models such as ChatGPT [...]

    Read article

  • How secure is MFA based on SMS and Voice calls?

    How secure is MFA based on SMS and Voice calls?


    In this blog ramsac's cybersecurity expert Voke Augoye explores how secure Multi-factor authentication is when using SMS and voice calls. [...]

    Read article

  • Microsoft Office – High Severity Vulnerability

    Microsoft Office – High Severity Vulnerability


    Earlier this month Microsoft announced there was a High Severity vulnerability affecting Microsoft Office products. In this blog we explain what the vulnerability is and how to protect against it. [...]

    Read article

  • EDR, MDR, XDR, SIEM, SOC – understanding the jargon in cybersecurity monitoring

    EDR, MDR, XDR, SIEM, SOC – understanding the jargon in cybersecurity monitoring


    The cybersecurity product market is full of acronyms which can make it hard to determine what security monitoring services you need, and what benefits you get from them, this [...]

    Read article