Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, whether the Cyber Essentials scheme includes requirements to educate staff on the risk of (a) phishing attacks through email and (b) other user induced attacks.
The Cyber Essentials scheme sets out the basic technical controls which all organisations relying on the internet should have in place to prevent common online attacks. The scheme requires up-to-date malware protection software to be installed on all internet-connected computers: this is designed to detect and disable the malicious software which an organisation might be exposed to via phishing attacks, and prevent users making connections to malicious websites on the internet.
Cyber Essentials is a technical scheme and staff awareness training is therefore out of scope; however, other pieces of guidance from the Government do recommend this. For example, the ‘10 Steps to Cyber Security’, the Government’s key piece of advice for organisations on managing cyber risk, sets out the importance of user education and awareness.
The Government offers a range of free online cyber security training programmes at https://www.gov.uk/government/collections/cyber-security-training-for-business. In addition, the National Cyber Security Centre recently published a blog about phishing and user training, which explains that phishing is best tackled by implementing good technical defences and combining these with reasonable levels of user awareness, education and training: https://www.ncsc.gov.uk/blog-post/im-gonna-stop-you-little-phishie