ICO mandate cybersecurity training for all employees.

cybersecurity image blog

Most organisations understand the need to take cybersecurity seriously, spending increasing amounts of money on firewalls, anti-virus, password complexity and multi-factor authentication. However, a vital part of Cybersecurity protection still isn’t getting the attention it deserves. Employee training is arguably one of the most critical elements of an organisations defence. Training staff once does not provide enough protection against cybercrime. Training should be comprehensive and regular and the Information Commissioners office (ICO) has now mandated this for organisations.

The Information Commissioners Office (ICO) is the UK body that is responsible for prosecuting organisations that fail to keep data safe. In December 2021 the ICO issued new guidance saying that they expected that all staff and volunteers that have access to data, should receive cyber awareness training as part of their induction, within 30 days of starting and before the employee is granted access to any databases containing personal or sensitive data. Furthermore, they mandate that training should be ongoing for all employees.

If an organisation suffers a cybersecurity breach and (as is required) reports it to the ICO, the ICO will expect that organisation to be able demonstrate completion of training by all new starters and ongoing training for all employees and management of non-attendees. The official guidance is here, but to summarise from the ICO website:

Induction and refresher training

Your training programme includes induction and refresher training for all staff on data protection and information governance.

Ways to meet our expectations:

  • Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
  • Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade.
  • Your staff receive induction training prior to accessing personal data and within one month of their start date.
  • Your staff complete refresher training at appropriate intervals.

Have you considered the effectiveness of your accountability measures?

  • Could we observe your training delivery methods?
  • Is it effective?
  • Do you follow up on ‘no shows’?
  • Could staff explain their training records?

Although all employees should receive the training, we have noted from support calls to our helpdesk, cybercriminals often target new starters using LinkedIN harvesting, to track when people start new jobs. New starters are unfamiliar with the organisation and people they are working with, and keen to make a good impression, which makes them easy picking for cybercriminals

Failure to comply with this guidance could lead to a greater fine or other penalties in the event of a breach. We recommend all organisations have in a place a regular, comprehensive and trackable cybersecurity awareness training solution.

ramsac have partnered with KnowBe4 – who offer the world’s largest library of cyber training.  Cybersecurity awareness training from ramsac is an easy to administer, companywide training & awareness programme, delivered in bite-size, videos, directly to your inbox every month. The interactive training gives users a fresh new learner experience that makes learning fun and engaging, the most popular series on the platform is the award-winning original series ‘The Inside Man’ which feels more like watching a Netflix drama!  The platform records who has and hasn’t completed the learning, and reminds non attendees – and their manager, if they are falling behind,  automating most of your management obligations.

Cybersecurity awareness training

Protect your organisation from Cybercrime.

Contact us for more information on how cybersecurity awareness training can help comply with ICO guidance and improve your cybersecurity protection.

Related Posts

  • Inherent risk vs residual risk: What’s the difference?

    Inherent risk vs residual risk: What’s the difference?


    Inherent risk and residual risk are key elements of any effective risk management process designed to strengthen cybersecurity defences and protect your company’s data. Read on. [...]

    Read article

  • What is cybersecurity monitoring? How important is it in 2024?

    What is cybersecurity monitoring? How important is it in 2024?


    Cybersecurity monitoring is the continuous surveillance of digital systems to detect and respond to security threats and data breaches in real-time. Discover how cybersecurity monitoring software can protect your [...]

    Read article

  • Examples of sensitive data in your organisation

    Examples of sensitive data in your organisation


    Any confidential information that’s stored, processed, or managed by an organisation or individual is classified as sensitive data. Read our sensitive data examples today. [...]

    Read article

  • How to set up a secure password policy in Microsoft 365

    How to set up a secure password policy in Microsoft 365


    Discover the essentials of a robust password policy for cybersecurity in Microsoft 365. Learn what to include and what to avoid. Read the blog today. [...]

    Read article

  • A guide to sensitivity labels and how to apply them

    A guide to sensitivity labels and how to apply them


    Sensitivity labels allow you to manage, organise, and protect sensitive emails, files, and documents as part of the Microsoft 365 suite. Read on. [...]

    Read article

  • MFA vs 2FA: What’s the Difference?

    MFA vs 2FA: What’s the Difference?


    Features like user facial recognition that are difficult to replicate means multi-factor authentication offers more cybersecurity layers than two-factor authentication. Find out more. [...]

    Read article