Shadow minister Jo Platt says current situation is ‘a free-for-all’

The Cabinet Office has been urged to adopt more consistent cybersecurity training standards across government departments, after a probe revealed discrepancies in training requirements for staff.

Questions submitted to government departments by Labour’s shadow Cabinet Office minister Jo Platt have revealed that the type and availability of cybersecurity training on offer to civil servants varies considerably between departments. Some said they had no mandatory training in this area for all of their staff, apart from some elements included in an e-learning induction course on handling information.

And responding to one of the questions, Cabinet Office minister David Lidington said that although all departments are required to provide some element of security training in staff inductions, there is no central record of training.

“Government departments are responsible for ensuring their staff receive adequate training to meet their needs,” he said.

Platt said the “huge variation between departmental cyberstandards” was the result of a “failure to coordinate effectively across government”, and called for a more consistent approach.

Related content

• Why cybersecurity would lead a Labour government’s digital transformation agenda
• ‘A vibrant cyber sector could revitalise post-industrial towns’ – Labour MP Platt
• Government admits failure of bid to recruit chief security officer

The responses came as awareness of the importance of tight cybersecurity in government grows, highlighted by recent data breaches and controversy over a potential security risk to the UK’s future 5G network. An analysis by PublicTechnology found that the Ministry of Justice alone was responsible for 3,184 data breaches in 2017-18.

Almost all of the departments that responded to Platt’s question, with the exception of the Ministry of Justice, said their staff were required to complete an e-learning course related to the handling of information, Responsible for Information, either on induction or annually. The course includes some cybersecurity elements.

An MoJ response initially said the department required no cybersecurity training, but a spokesperson clarified that all staff must complete the Responsible for Information course.

“This course is designed to make civil servants aware of their responsibilities when it comes to handling information, being alert to the dangers of fraud, ensuring information is protected and handled responsibly without preventing it from being shared appropriately, and how best to protect themselves and the information they hold when they are working remotely on online,” transport minister Jesse Norman said in his response.

However, the answers suggest some variation in cybersecurity-specific training across departments.

The Ministry for Housing, Communities and Local Government runs cybersecurity sessions as part of its “core curriculum” in-house learning and development programme. This programme has included a cybersecurity week aimed at all staff, including presentations and drop-in sessions from specialists.

At the Ministry of Defence, training is “regularly repeated, including through annual general security briefs, by direct promulgation of cybersecurity awareness material and through continuously available awareness material”.

The response added that the department does “not comment publicly on specific security arrangements or procedures”.

Other departments said they offered optional cybersecurity courses through the departments’ intranet, but no other mandatory department-wide training beyond the information handling course.

The Department for Health and Social Care said staff were not required to undertake mandatory training “specifically relating to cybersecurity”, adding that “guidance on security culture, including cybersecurity and managing digital footprints, is available to staff through the department’s intranet”.

Some, including the Department for Digital, Culture, Media and Sport and the Treasury, said “an element of cybersecurity awareness” was included in staff induction training.

Commenting on the responses, Platt said they revealed that “right now, government cybersecurity is a free-for-all”.

“There is little to no coordination of cybersecurity across government. Departments often develop their own standards and practices and the result is a chaotic mix that creates more problems than it solves,” she said.

“The government must get its house in order and ensure that every department is fit to handle our data safely and securely,” she added.