ICO mandate cybersecurity training for all employees.

cybersecurity image blog

Most organisations understand the need to take cybersecurity seriously, spending increasing amounts of money on firewalls, anti-virus, password complexity and multi-factor authentication. However, a vital part of Cybersecurity protection still isn’t getting the attention it deserves. Employee training is arguably one of the most critical elements of an organisations defence. Training staff once does not provide enough protection against cybercrime. Training should be comprehensive and regular and the Information Commissioners office (ICO) has now mandated this for organisations.

The Information Commissioners Office (ICO) is the UK body that is responsible for prosecuting organisations that fail to keep data safe. In December 2021 the ICO issued new guidance saying that they expected that all staff and volunteers that have access to data, should receive cyber awareness training as part of their induction, within 30 days of starting and before the employee is granted access to any databases containing personal or sensitive data. Furthermore, they mandate that training should be ongoing for all employees.

If an organisation suffers a cybersecurity breach and (as is required) reports it to the ICO, the ICO will expect that organisation to be able demonstrate completion of training by all new starters and ongoing training for all employees and management of non-attendees. The official guidance is here, but to summarise from the ICO website:

Induction and refresher training

Your training programme includes induction and refresher training for all staff on data protection and information governance.

Ways to meet our expectations:

  • Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
  • Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade.
  • Your staff receive induction training prior to accessing personal data and within one month of their start date.
  • Your staff complete refresher training at appropriate intervals.

Have you considered the effectiveness of your accountability measures?

  • Could we observe your training delivery methods?
  • Is it effective?
  • Do you follow up on ‘no shows’?
  • Could staff explain their training records?

Although all employees should receive the training, we have noted from support calls to our helpdesk, cybercriminals often target new starters using LinkedIN harvesting, to track when people start new jobs. New starters are unfamiliar with the organisation and people they are working with, and keen to make a good impression, which makes them easy picking for cybercriminals

Failure to comply with this guidance could lead to a greater fine or other penalties in the event of a breach. We recommend all organisations have in a place a regular, comprehensive and trackable cybersecurity awareness training solution.

ramsac have partnered with KnowBe4 – who offer the world’s largest library of cyber training.  Cybersecurity awareness training from ramsac is an easy to administer, companywide training & awareness programme, delivered in bite-size, videos, directly to your inbox every month. The interactive training gives users a fresh new learner experience that makes learning fun and engaging, the most popular series on the platform is the award-winning original series ‘The Inside Man’ which feels more like watching a Netflix drama!  The platform records who has and hasn’t completed the learning, and reminds non attendees – and their manager, if they are falling behind,  automating most of your management obligations.

Cybersecurity awareness training

Protect your organisation from Cybercrime.

Contact us for more information on how cybersecurity awareness training can help comply with ICO guidance and improve your cybersecurity protection.

Related Posts

  • What is Zero Trust security and where should you start?

    What is Zero Trust security and where should you start?

    Cybersecurity

    Zero Trust security removes assumptions about trusting a user, even when they're inside your network. This means users and devices must be verified. Read here. [...]

    Read article

  • Why are charities increasingly being attacked by cyber criminals? 

    Why are charities increasingly being attacked by cyber criminals? 

    Cybersecurity

    More than a quarter of charities were reportedly the target of cybercrimes in the last year alone. But why are charities increasingly the victims of cyberattacks? Find out here… [...]

    Read article

  • Introducing the Cyber Resilience Certification from ramsac

    Introducing the Cyber Resilience Certification from ramsac

    Cybersecurity

    ramsac is committed to helping organisations to protect themselves against cybercrime, to help organisations understand where they are on their cyber resilience journey, we have created the ramsac cyber [...]

    Read article

  • How aware are you when it comes to social engineering?

    How aware are you when it comes to social engineering?

    Cybersecurity

    Cybercrime is huge; indeed, no other criminal activity is quite so lucrative, thus it is imperative that you prepare and protect both your business and your personal life to [...]

    Read article

  • Common telephone cybersecurity risks for businesses

    Common telephone cybersecurity risks for businesses

    Cybersecurity

    Companies are at risk from telephone hacks every day. Discover what common tactics are, and how you can prevent them. [...]

    Read article

  • Is Russian based Kaspersky Anti-virus a threat?

    Is Russian based Kaspersky Anti-virus a threat?

    Cybersecurity

    Kaspersky is a russian based anti-virus, in this blog we explore the NCSC latest advice for organisations using Russian – nexus products and services [...]

    Read article