Student Loans Company splashes out on 20,000 cybersecurity training courses – for just 3,300 employees

FoI request details £76,800 in training fees, most of which went to staff security-specific departments


The Student Loans Company (SLC) spent £76,800 on cybersecurity training over its previous two fiscal years – including a sudden and unsurprising interest in security in a work-from-home environment.

According to the SLC's response to a Freedom of Information (FoI) Act request, which was made by self-described "niche litigation practice" Griffin Law, almost 20,000 specialist courses were booked and completed in the 2019/2020 and 2020/2021 financial years ended this April. At a total spend of just over £76,800, that's a miserly £3.84 per course – but the released figures don't necessarily cover everything.

"£77,000 may appear to be low, especially if this is distributed over two years," opined security specialist Sean Wright of the figures. "It could actually be an appropriate amount if the training which they are purchasing helps their employees and organisation.

"Companies need to spend the time to select training which is appropriate for them and their employees. Simply throwing money at the problem is not going to solve it. We've seen this in security tooling, where some companies attempt to throw loads of money on new tools but without properly evaluating those tools and ensuring that they fit the purpose for their organisation and teams. Training should be no different."

The breakdown of courses includes fees paid to third-party agencies, but not costs involved with internal training developed within SLC itself – such as an anti-money laundering course, which the overwhelming majority of the organisation's staff took in both 2019-2020 and 2020-2021.

Some courses, such as "Counter-Fraud, Bribery, and Corruption", had a roughly even number of attendees year to year. Others, including "Role of the Manager Security MasterClass", saw a spike from 20 attendees in the first financial year to 142 in the second.

Oh gosh - we can't keep an eye on staff anymore

The 2020-2021 financial year, meanwhile, saw a big spike in training related to one key topic: trusting staff who might not be working in the office any more due to a certain virus. "Defending SLC from Phishing Attacks", "Power to your Passwords", and "Working from Home Securely" were all new for the financial year just ended – though only a small minority of staff were treated to these, with "Working from Home Securely" attended by just 189 staff out of the organisation's 3,300 members.

The course that cost the most in third-party fees, "Mastering GDPR, Governance Security, and Compliance in Office 365", was attended by only three SLC staff at an overall cost of £9,780: that's £3,260 per head. It formed part of role-specific training for the organisation's Technology Group Security Team and Information Governance and Compliance Team, which between the pair ate up the lion's share of the budget, according to the FOI response.

While the case could be made for SLC spending too much or too little on this course or that course, experts agreed that there's no dodging the need for training. "It is encouraging to see the SLC making a proactive effort to equip and train its employees with the latest cyber security skills," claimed Barracuda Networks' senior veep of sales Chris Ross, "especially given the high volume of financial data it is tasked with managing.

"This effort must be supported by the necessary cyber protection systems to identify and quarantine malicious attacks before they reach the inbox of employees as well as having the right backup systems in place in the event of a ransomware attack."

"Training is a vital part of an organisation's approach to security," agreed Wright. "We have seen, on numerous occasions, breaches happening as a result of lack of awareness and knowledge. Training helps reduce this, empowering employees to have the appropriate knowledge and awareness to make the right decisions and actions."

An SLC spokesperson told The Register: "Malicious online activity affects every organisation and individual, this has become an everyday part of modern life. As such, cybersecurity will always remain a top priority for SLC, and we will continue to invest in training, technical expertise and the robust resources required to keep our customers' information safe." ®


Other stories you might like

  • Biden considers removal of Trump-era China tariffs to ease inflation
    But US administration split on loss of leverage, according to reports

    US president Joe Biden is debating whether to end or cut Trump-era tariffs imposed on Chinese imports into the United States, according to reports.

    Introduced in 2018 during the Trump administration, tariffs on more than $300 billion in imports from China — including products and components vital in consumer and business technologies — were inherited by the Biden administration.

    According to Bloomberg, president Biden and his cabinet have discussed the inflationary impact of these levies with Treasury Secretary Janet Yellen. The cabinet was looking at all of the possible ways to curb inflation and to provide some relief on cost of living for Americans, the report said.

    Continue reading
  • Semiconductor market to be hit by fresh wave of rising component costs
    Chemicals supplier warns it expects to raise prices, may cut some product lines

    More red flags about the semiconductor market are being raised with the news that a key supplier to chipmakers such as TSMC is planning to hike prices, which will likely have a knock-on effect on chip prices.

    Japan-based chemicals company Showa Denko has warned it expects to raise prices and may have to cut back some of its unprofitable product lines. The company is a major supplier of chemicals and gases that are used in the semiconductor manufacturing industry for the creation of silicon wafers and in the etching process to create chips.

    In an interview with Bloomberg, Showa Denko chief financial officer Hideki Somemiya said the company had already raised prices at least a dozen times this year, citing issues such as COVID-19 lockdowns, increasing energy costs and other factors. However, he confirmed "the current market moves require us to ask twice the amount we had previously calculated."

    Continue reading
  • Germany unveils plan to tackle cyberattacks on satellites
    Vendors get checklist on what to do when crooks inevitably turn up in space

    The German Federal Office for Information Security (BSI) has put out an IT baseline protection profile for space infrastructure amid concerns that attackers could turn their gaze skywards.

    The document, published last week, is the result of a year of work by Airbus Defence and Space, the German Space Agency at the German Aerospace Center (DLR), and BSI, among others. It is focused on defining minimum requirements for cyber security for satellites and, a cynic might say, is a little late to the party considering how rapidly companies such as SpaceX are slinging spacecraft into orbit.

    The guide categorizes the protection requirements of various satellite missions from "Normal" to "Very High" with the goal of covering as many missions as possible. It is also intended to cover information security from manufacture through to operation of satellites.

    Continue reading
  • Gtk 5 might drop X.11 support, says GNOME dev
    Linux's Wayland-only future takes a tentative step closer

    One of the GNOME developers has suggested that the next major release of Gtk could drop support for the X window system.

    Emmanuele Bassi opened a discussion last week on the GNOME project's Gitlab instance that asked whether the developers could drop X.11 support in the next release of Gtk.

    At this point, it is only a suggestion, but if it gets traction, this could significantly accelerate the move to the Wayland display server and the end of X.11.

    Continue reading

Biting the hand that feeds IT © 1998–2022