
HM NETWORK

Training done... All good, right?

So you ran cyber awareness training in the past and decided that was enough to tick the box. Hmm, maybe not. If your business works with personal data, or has staff turnover or seasonal staff, it is vital that everyone is up to speed when it comes to cyber awareness.


Remember that cyber threats and risk are present every single day, so training staff to be vigilant pays dividends. It reduces risk in the first place, and if, heaven forbid, you were involved in a breach, the regulators would see that you are taking measures to reduce risk and could look more favourably on you when it came to financial penalties.


The relatively low cost of delivering and evidencing ongoing training is a drop in the ocean compared to the potential fines or reputational damage a breach might cause. Let's explore:


Regulatory Compliance

ICO and GDPR Requirements

The Information Commissioner's Office (ICO) expects all staff and volunteers with access to personal data to receive cyber awareness training as part of their induction, within 30 days of starting. Additionally, the ICO expects organisations to have:

  • An all-staff training programme that is comprehensive and covers key areas of data protection
  • Regular review of the programme to ensure it remains accurate and up-to-date
  • Induction and refresher training for all staff


Note: the ICO has the power to impose substantial fines of up to £17.5 million or 4% of your total worldwide annual turnover, whichever is higher. You can see enforcement action taken and real-world examples of penalties issued here: https://ico.org.uk/action-weve-taken/


PECR Compliance

PECR (the Privacy and Electronic Communications Regulations) compliance is closely tied to GDPR. Regular training ensures staff are aware of the latest requirements for electronic communications and marketing, such as consent for marketing emails, texts and calls.

Cyber Security Insurance

Continuous training can positively impact cyber insurance terms:

  • Insurers evaluate an organisation's cyber security practices, including staff training, when deciding whether to offer cover and at what premium.
  • An up-to-date training programme reduces risk and can lower premiums. Being able to evidence a robust training programme can also be treated as a mitigating factor when regulators decide on financial penalties after a breach.

Ongoing Staff Training and Onboarding

Seasonal Staff Considerations

For companies that have seasonal fluctuations in staffing:

  • Regular training ensures that all staff, including seasonal hires, are up to date with current cyber security practices.
  • A continuous training programme is more easily adapted to accommodate new hires throughout the year than a one-off annual session.

Effectiveness of Continuous Training

  • Cyber security threats evolve rapidly, so one-off training every three years is not sufficient.
  • Staff knowledge of GDPR and cyber security practice fades over time unless it is reinforced regularly.
  • Annual refresher training is considered good practice to keep staff up to date with changes in data privacy law.

Risk Reduction

  • Industry reporting puts around 90% of successful breaches down to simple human error, which emphasises the need for ongoing staff training.
  • It is widely reported that a small business in the UK is successfully hacked roughly every 19 seconds, highlighting the constant threat landscape.


In Summary

By carrying out training only every few years, businesses may be exposing themselves to unnecessary risk and potential non-compliance, and to inconsistency in who knows what.


Continuous training through a service such as Bob's Business, available from HM Network, not only supports regulatory compliance but also significantly reduces cyber security risk, potentially lowers insurance premiums, and keeps all staff, including seasonal workers, consistently up to date on the latest threats and best practices.


Contact us

Call 0333 344 4190
