10 Jun 2021

The Student Loans Company (SLC) has spent over 76,800 pounds on cyber security training for its staffers over the two most recent financial years (FY 19/20, FY 20/21), according to official figures.

The data, obtained and analysed using the Freedom of Information (FOI) Act by Griffin Law, the niche litigation practice, shows that nearly 20,000 specialist courses were completed in areas such as phishing, password protection, bribery, corruption, and privacy standards.

The data shows that 9,334 cyber courses were completed in FY 19/20, with 10,142 courses completed in FY 20/21. The SLC has just over 3,300 staff, meaning many participants attended multiple courses.

Ransomware threat for UK Education Sector

This news arrives just a few days after the National Cyber Security Centre raised a new cyber alert around the surging ransomware threat facing the UK Education Sector.

The most popular course across both years was for ‘Anti-Money Laundering’, which saw 3,321 participants in FY 19/20, and 3,249 participants in FY 20/21. The second most popular course was for ‘Counter Fraud and Bribery Corruption’, drawing in 3,044 attendees in FY 19/20 and 3,215 participants in FY 20/21, and the ‘Protection Information’ course was attended by 2,941 and 3,181 staffers, respectively, across both years.

Cyber security training courses

Another course, the ‘Role of the Security Manager - Security Masterclass’, surged from 20 attendees in FY 19/20 to 142 in FY 20/21.

Most of the remaining courses were only introduced to staffers in the most recent financial year. These include: ‘Defending SLC from Phishing Attacks’ course, attended by 63 participants; ‘Power to your Passwords’ course, attended by 72 participants; and ‘Working from Home Securely’ course, attended by 189 participants. These courses were most likely influenced by the COVID-19 pandemic.

Technology Group Security Team

Finally, 39 of the recorded participants were training for specific full-time positions in SLC’s Technology Group Security Team and Information Governance and Compliance Team. This included training to become a CompTIA Cyber Security Analyst, an AWS Security Engineer and Certified Information Privacy Manager, among others.

Interestingly, the role-specific training took up most of SLC’s cyber training budget, costing 52,493.50 pounds out of the total expenditure of 76,800 pounds.

Rise in cyber threats during COVID-19 period

Security expert Chris Ross, Senior Vice President at Barracuda Networks, commented, “The cyber threat facing employees has surged over the course of the COVID-19 pandemic. Our own research even revealed a disproportionate quantity of email phishing attacks targeting organisations in the education sector, in an effort to steal personal data, while millions are forced to work and learn from home. This threat has also been exacerbated by the cyber skills gap across the UK, with a widening shortage of certified security professionals leaving many organisations vulnerable to the surging cyber threat levels.”

Chris Ross adds, “It is encouraging to see the SLC making a proactive effort to equip and train its employees with the latest cyber security skills, especially given the high volume of financial data it is tasked with managing. This effort must be supported by the necessary cyber protection systems to identify and quarantine malicious attacks, before they reach the inbox of employees, as well as having the right backup systems in place, in the event of a ransomware attack.”

Importance of Security Awareness Training

Cyber expert Tim Sadler, the Chief Executive Officer (CEO) at Tessian, stated, “Whilst Security Awareness Training is extremely important, it is just as important that organisations understand exactly how to implement it, so that it is effective, addresses the right issues, and is not forgotten. Too many security training sessions today are tick box sessions designed to appease shareholders, regulators and customers.”

Tim Sadler adds, “This is why businesses must ensure that they adopt a new approach, one that is automated, in-the-moment, and long lasting, with training, which is tailored to each user and addresses specific security weaknesses, affecting a user or a business.”

Securing the education sector from cyber attacks

Edward Blake, Area Vice President for Absolute Software, stated, “The education sector is a top target for hackers, who are undoubtedly looking to seize control of the goldmine of invaluable information stored on its servers. What’s more, with remote learning still in force, there will be more devices on the move than ever before, creating the perfect opportunity for device theft and cyber breaches.”

Edward Blake adds, “As well as security training, all potential targets in the education sector, including staffers and students, must equip their devices with resilient endpoint security software that allows an allocated security officer to freeze, control or lock down any breached devices, so that a stolen device does not necessarily equate to a breach of data.”