ICO mandate cybersecurity training for all employees.

cybersecurity image blog

Most organisations understand the need to take cybersecurity seriously, spending increasing amounts of money on firewalls, anti-virus, password complexity and multi-factor authentication. However, a vital part of Cybersecurity protection still isn’t getting the attention it deserves. Employee training is arguably one of the most critical elements of an organisations defence. Training staff once does not provide enough protection against cybercrime. Training should be comprehensive and regular and the Information Commissioners office (ICO) has now mandated this for organisations.

The Information Commissioners Office (ICO) is the UK body that is responsible for prosecuting organisations that fail to keep data safe. In December 2021 the ICO issued new guidance saying that they expected that all staff and volunteers that have access to data, should receive cyber awareness training as part of their induction, within 30 days of starting and before the employee is granted access to any databases containing personal or sensitive data. Furthermore, they mandate that training should be ongoing for all employees.

If an organisation suffers a cybersecurity breach and (as is required) reports it to the ICO, the ICO will expect that organisation to be able demonstrate completion of training by all new starters and ongoing training for all employees and management of non-attendees. The official guidance is here, but to summarise from the ICO website:

Induction and refresher training

Your training programme includes induction and refresher training for all staff on data protection and information governance.

Ways to meet our expectations:

  • Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
  • Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade.
  • Your staff receive induction training prior to accessing personal data and within one month of their start date.
  • Your staff complete refresher training at appropriate intervals.

Have you considered the effectiveness of your accountability measures?

  • Could we observe your training delivery methods?
  • Is it effective?
  • Do you follow up on ‘no shows’?
  • Could staff explain their training records?

Although all employees should receive the training, we have noted from support calls to our helpdesk, cybercriminals often target new starters using LinkedIN harvesting, to track when people start new jobs. New starters are unfamiliar with the organisation and people they are working with, and keen to make a good impression, which makes them easy picking for cybercriminals

Failure to comply with this guidance could lead to a greater fine or other penalties in the event of a breach. We recommend all organisations have in a place a regular, comprehensive and trackable cybersecurity awareness training solution.

ramsac have partnered with KnowBe4 – who offer the world’s largest library of cyber training.  Cybersecurity awareness training from ramsac is an easy to administer, companywide training & awareness programme, delivered in bite-size, videos, directly to your inbox every month. The interactive training gives users a fresh new learner experience that makes learning fun and engaging, the most popular series on the platform is the award-winning original series ‘The Inside Man’ which feels more like watching a Netflix drama!  The platform records who has and hasn’t completed the learning, and reminds non attendees – and their manager, if they are falling behind,  automating most of your management obligations.

Cybersecurity awareness training

Protect your organisation from Cybercrime.

Contact us for more information on how cybersecurity awareness training can help comply with ICO guidance and improve your cybersecurity protection.

Related Posts

  • Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK

    Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK


    In this blog, we'll explore the concept of the ICO Regulatory Sandbox and its objectives in the data protection landscape in the UK [...]

    Read article

  • What is a break glass account?

    What is a break glass account?


    If you’re creating a business continuity plan, have you considered a break glass account? Learn what one is and how to create one here. [...]

    Read article

  • Cybersecurity vs cyber resilience – what is the difference?

    Cybersecurity vs cyber resilience – what is the difference?


    What’s the difference between cybersecurity and cyber resilience, and how can you implement them? We cover this and more. [...]

    Read article

  • Celebrating 20 Years of Cybersecurity Awareness Month

    Celebrating 20 Years of Cybersecurity Awareness Month


    October is Cybersecurity awareness month, follow us on LinkedIn or Twitter for daily tips on how you can protect your organisation against Cybercrime. [...]

    Read article

  • How much should businesses invest in cyber resilience? 

    How much should businesses invest in cyber resilience? 


    In this blog we explore how much organisations should invest in cyber resilience to protect against cybercrime [...]

    Read article

  • The European Cyber Resilience Act explained – how it impacts your business

    The European Cyber Resilience Act explained – how it impacts your business


    On the 15th of September 2022, the European Commission published its proposal for new regulation regarding cybersecurity requirements for products with digital elements (such as smart fridges, cameras, TVs [...]

    Read article