HMRC has spent £262,251 on cybersecurity training for its staff over the two most recent financial years.
According to data obtained under a Freedom of Information request by thinktank Parliament Street, HMRC spent £150,456 on security training in 2019/20, compared to £111,795 in the most recent financial year. This equated to 80 training enrolments in 2020/21, and 69 in 2019/20 for staffers operating in the chief digital and information officer group. All HMRC staff were, however, made to complete a compulsory course on phishing attacks, which was free of charge.
HMRC’s most expensive security training course in 2020/21 - which was not available in 2019/20 - was a residential course to become a certified cloud security professional, which cost HMRC £34,103 to train seven staffers.
Additionally, 11 employees went on a six-day bootcamp to become certified information systems security professionals, while nine people enrolled in an “introduction to cybersecurity” course.
Area vice-president in EMEA at cybersecurity firm Absolute Software, Edward Blake said: “Organisations which handle large volumes of personal financial information like HMRC are a top target for cybercriminals, so ensuring staff are fully trained with the latest cyber skills is essential to prevent a potential data breach.
“With the Covid-19 pandemic forcing many employees to work from home, it’s also critical that organisations like HMRC ensure they have complete visibility into the security standards across all devices such as laptops, to ensure encryption is turned on and cyber protection is in place for each and every employee.”
HMRC is one of the most impersonated organisations in the UK for cyber scams, with Covid-19 causing a 73% surge in HMRC-branded phishing scams.
Cyber specialist and chief executive of security software company Tessian, Tim Sadler said: “Security training plays an extremely important role, but it needs to be more than just a compulsory, one-off session if the learnings are going to stick. As companies invest heavily in security training, they must ensure that the programmes resonate and help employees think twice before clicking on a scam.
“It’s telling that staff were most interested in a training course on the art of hacking. Research shows that people learn best when training is relevant and contextual, so educating staff on the ways they could be targeted in phishing emails and teaching them the techniques that cybercriminals use to trick them, is a really effective way of raising awareness of threats and helping people to realise they are being scammed.”