Compulsory cyber awareness training for Cardiff council staff
Cyber awareness training is being made mandatory for all staff and elected members of Cardiff Council, in a coordinated effort to build cyber resilience across the council.
Cardiff Council has made cyber awareness a key priority to counter the cyber attacks on councils happening daily.
Cyber awareness training will be delivered at the council using Dojo: Local Government, an accessible, animated, video-based modular awareness series with supporting SCORM-compliant eLearning, covering topics from password management to social media and from personal data to offline security, and more.
Alongside emergency and resilience planning, the senior leadership at Cardiff Council recognised the importance of cyber as an attack surface and organisational risk. The key to mitigating these risks was to ensure all staff were fully aware of how cyber attacks take place and understand that they each had a role to play in keeping the council safe.
Head of IT at Cardiff Council, Phil Bear, explains the approach they took: “To ensure a comprehensive approach to cyber awareness, two key elements were required: baselining the risk to the council across all our staff and identifying accessible, focused training to give every member of staff the knowledge they need to keep the council and themselves safe.”
To understand the level of cyber awareness at the start, Cardiff Council ran a simulated phishing exercise across all staff, which recorded the likelihood of officers, senior leaders, elected members and the IT team itself clicking on malicious links or sharing personal credentials. The exercise was run with leading phishing experts Safehack UK.
To understand the effect the training had, Phil and his team recently ran a second simulated phishing exercise across all staff who had undergone the training, and the results were significant.
Phil added: “The second exercise showed a 61% drop in staff engaging with malicious emails and clicking erroneous links, and a 67% drop in people sharing their log-in credentials with the scam.
“This has given us the evidence required not only to make the training mandatory but focus further training on those people who may still succumb to a phishing attack. The Dojo: Cyber training has had a significant impact on the council’s cybersecurity and we believe it will help staff in their personal lives as well.”
The Dojo: Cyber training is already used by over 100 local authorities. A further group of eight councils has finished work on Dojo: InfoGov, training which looks to build confidence around information governance and underpin public sector partnership working. New modules are currently in pre-production, looking to extend training for councillors, who face some unique cyber and GDPR challenges. Developed by BAFTA-winning film makers, the course was designed to engage staff at all levels and cover the key areas of cyber security, and was available in both English and Welsh to ensure 100% take-up.
Last year, three of the UK’s most senior officers told a parliamentary committee that police forces and other law-enforcement agencies need more resources and new legal frameworks to operate in a world where most crimes rely on digital technology.
According to the Cyber Security Breaches, though GDPR appears to have had a positive impact on cybersecurity, councils still need to make progress beyond GDPR. There is still more that organisations can do to protect themselves from cyber risks. This includes taking important actions that are still relatively uncommon, around board-level involvement in cyber security, monitoring suppliers and planning incident response.
Data itself is valuable and local authorities hold a significant amount of personal, business and planning information, which makes them targets for cyber criminals.