Brian Sims
Editor
HER MAJESTY’S Revenue & Customs (HMRC) has spent £262,251 on cyber security training for its members of staff over the two most recent financial years. That’s according to official figures. The data was obtained and analysed under a Freedom of Information request submitted by the Parliament Street Think Tank.
The Freedom of Information response received from HMRC reveals that £150,456 was spent on security training in FY 2019-2020 compared to £111,795 in the most recent financial year. This equated to 80 training enrolments in FY 2020-2021 and 69 in FY 2019-2020 for staffers operating in the Chief Digital and Information Officer Group. However, all HMRC staff (approximately 9,500 of them according to the Freedom of Information request response) were made to complete a compulsory course on ‘Phishing attacks’ (which was free of charge).
The most popular security training course among staffers in the Chief Digital and Information Officer Group was to become certified in ‘The Art of Hacking’, which saw 12 attendees at a cost of £15,978.
The most expensive security training course in FY 2020-2021, which was not available in FY 2019-2020, was a residential course to become a Certified Cloud Security Professional. This cost the sum of £34,103 to train seven staffers.
Additionally, 11 ‘staffers’ went on a six-day ‘bootcamp’ to become Certified Information Systems Security Professionals, two trained to become certified in Ethical Hacking and nine enrolled in an ‘Introduction to Cyber Security’ course.
Cyber scams
HMRC is one of the most impersonated organisations in the UK when it comes to cyber scams. It was even revealed that COVID-19 has sparked a 73% surge in HMRC-branded phishing scams. According to experts in the cyber security field, HMRC should be commended for its investment in continued training for all staff.
Security expert Edward Blake, area vice-president (EMEA) at Absolute Software, commented: “Organisations like HMRC which handle large volumes of personal financial information are a top target for the cyber criminals. It stands to reason that ensuring staff are fully trained and equipped with the latest cyber skills is essential to prevent a potential data breach.”
Blake continued: “With the COVID-19 pandemic forcing many employees to work from home, it’s also critical that organisations like HMRC ensure they have complete visibility into the security standards across all devices such as laptops in order to ensure that encryption is turned on and cyber protection is in place for each and every employee.”
He added: “It’s also important that organisations can track, freeze and wipe lost or stolen devices so as to keep taxpayers’ data completely safe from outsider threats.”
Important role
Cyber specialist Tim Sadler, CEO at Tessian, observed: “Security training plays an extremely important role, but it needs to be more than just a compulsory one-off session if the learnings are going to stick. As companies invest heavily in security training, they must ensure that the education programmes resonate and help employees think twice before clicking on a scam e-mail.”
Sadler went on to explain: “It’s telling that staff were most interested in a training course on the art of hacking. Research shows that people learn best when training is relevant and contextual, so it follows that educating staff on the ways in which they could be targeted in phishing e-mails and teaching them the techniques that cyber criminals use to trick them is a really effective way of raising awareness around threats and helping people to realise they’re being scammed. It’s a shift away from how training has traditionally been delivered, but it’ll drive lasting and positive behavioural changes as a result.”