Student Loans Company splashes out on 20,000 cybersecurity training courses – for just 3,300 employees

The Student Loans Company (SLC) spent £76,800 on cybersecurity training over its previous two fiscal years – including a sudden and unsurprising interest in security in a work-from-home environment.

According to the SLC's response to a Freedom of Information (FoI) Act request, which was made by self-described "niche litigation practice" Griffin Law, almost 20,000 specialist courses were booked and completed in the 2019/2020 and 2020/2021 financial years ended this April. At a total spend of just over £76,800, that's a miserly £3.84 per course – but the released figures don't necessarily cover everything.

"£77,000 may appear to be low, especially if this is distributed over two years," opined security specialist Sean Wright of the figures. "It could actually be an appropriate amount if the training which they are purchasing helps their employees and organisation.

"Companies need to spend the time to select training which is appropriate for them and their employees. Simply throwing money at the problem is not going to solve it. We've seen this in security tooling, where some companies attempt to throw loads of money on new tools but without properly evaluating those tools and ensuring that they fit the purpose for their organisation and teams. Training should be no different."

The breakdown of courses includes fees paid to third-party agencies, but not costs involved with internal training developed within SLC itself – such as an anti-money laundering course, which the overwhelming majority of the organisation's staff took in both 2019-2020 and 2020-2021.

Some courses, such as "Counter-Fraud, Bribery, and Corruption", had a roughly even number of attendees year to year. Others, including "Role of the Manager Security MasterClass", saw a spike from 20 attendees in the first financial year to 142 in the second.

• Capgemini scores £150m contract to help Student Loan Company overcome its IT problems 5 years after £50m superfail
• Adobe about to pull the plug on Creative Cloud freebie 'at-home' access for students
• Student Loans Company burns £50 million in IT project superfail
• ICO raps UK Student Loans Co for leaking MEDICAL files and more

Oh gosh - we can't keep an eye on staff anymore

The 2020-2021 financial year, meanwhile, saw a big spike in training related to one key topic: trusting staff who might not be working in the office any more due to a certain virus. "Defending SLC from Phishing Attacks", "Power to your Passwords", and "Working from Home Securely" were all new for the financial year just ended – though only a small minority of staff were treated to these, with "Working from Home Securely" attended by just 189 staff out of the organisation's 3,300 members.

The course that cost the most in third-party fees, "Mastering GDPR, Governance Security, and Compliance in Office 365", was attended by only three SLC staff at an overall cost of £9,780: that's £3,260 per head. It formed part of role-specific training for the organisation's Technology Group Security Team and Information Governance and Compliance Team, which between the pair ate up the lion's share of the budget, according to the FOI response.

While the case could be made for SLC spending too much or too little on this course or that course, experts agreed that there's no dodging the need for training. "It is encouraging to see the SLC making a proactive effort to equip and train its employees with the latest cyber security skills," claimed Barracuda Networks' senior veep of sales Chris Ross, "especially given the high volume of financial data it is tasked with managing.

"This effort must be supported by the necessary cyber protection systems to identify and quarantine malicious attacks before they reach the inbox of employees as well as having the right backup systems in place in the event of a ransomware attack."

"Training is a vital part of an organisation's approach to security," agreed Wright. "We have seen, on numerous occasions, breaches happening as a result of lack of awareness and knowledge. Training helps reduce this, empowering employees to have the appropriate knowledge and awareness to make the right decisions and actions."

An SLC spokesperson told The Register: "Malicious online activity affects every organisation and individual, this has become an everyday part of modern life. As such, cybersecurity will always remain a top priority for SLC, and we will continue to invest in training, technical expertise and the robust resources required to keep our customers' information safe." ®