HMRC has spent £262,251 on cyber security training for its staff over the last two years, according to official figures.
The revelation follows a freedom of information (FOI) request from the Parliament Street think tank, which showed that HMRC had spent £150,456 on cyber security training in the financial year 2019-20, compared to £111,795 in the last financial year.
This equated to 80 training enrolments in financial year 2020-21, and 69 in 19-20, for staff working in HMRC’s chief digital and information officer group. The most popular security training course for the group was the Art of Hacking, which saw 12 attendees trained to become certified in the craft, for a cost of £15,978.
Additionally, 11 staffers went on a six-day bootcamp to become a certified information systems security professional, two trained to become certified in ethical hacking, and nine enrolled in an introduction to cyber security course.
The most expensive security training course in the financial year 20-21, which was not available in the previous year, was a residential course to become a certified cloud security professional. This cost £34,103 to train seven staffers.
HMRC has been praised by cyber security experts for its investment in cyber training for all staff.
Security expert Edward Blake, area vice president EMEA, Absolute Software, said: ‘Organisations which handle large volumes of personal financial information like HMRC are a top target for cyber criminals, so ensuring staff are fully trained with the latest cyber skills is essential to prevent a potential data breach.
‘With the Covid-19 pandemic forcing many employees to work from home, it’s also critical that organisations like HMRC ensure they have complete visibility into the security standards across all devices such as laptops, to ensure encryption is turned on and cyber protection is in place for each and every employee.
‘It’s also important that organisations can track, freeze and wipe lost or stolen devices, in the event of loss or theft, to keep taxpayer data completely safe from outsider threats.’
HMRC is one of the most impersonated organisations in the UK for cyber scams, with the Covid-19 pandemic sparking a 73% surge in HMRC-branded phishing scams.
To combat this rise, HMRC staff are already made to complete a compulsory course on phishing attacks, which is free of charge.
Cyber specialist Tim Sadler, CEO at Tessian, said: ‘Security training plays an extremely important role, but it needs to be more than just a compulsory, one-off session if the learnings are going to stick. As companies invest heavily in security training, they must ensure that the programmes resonate and help employees think twice before clicking on a scam.
‘It’s telling that staff were most interested in a training course on the art of hacking. Research shows that people learn best when training is relevant and contextual, so educating staff on the ways they could be targeted in phishing emails and teaching them the techniques that cybercriminals use to trick them, is a really effective way of raising awareness of threats and helping people to realise they are being scammed. It’s a shift away from how training has traditionally been delivered, but it will drive lasting behavioural changes as a result.’