How we created a new security training course for the Civil Service

In recent weeks we’ve been rolling out a new mandatory training course, ‘Security and Data Protection Training’, to staff across Defra group.

The work began two years ago as a project, driven by our team alongside Defra HR learning and development colleagues. The initial scope was to identify improvements to the previous ‘Responsible for Information (RFI)’ training package, a mandatory piece of learning that everyone in the Civil Service, including contractors and temporary workers, must complete.

The favoured solution from very early on was to develop a brand new, bespoke Defra digital training product. However, we also felt that our new product could potentially have wider use across government as it used a behavioural science approach, coupled with more relevant and engaging material.

Putting our users first

The new training is designed for a generalist audience (relevant to everyone whether they work in an office developing policy, or in the field delivering services), with content that reflects current issues and ways of working.

That content has also been designed to reflect diversity within the Civil Service. We reached out to several specialist groups across Defra, offering them the opportunity to provide feedback or to take part in the testing phases. This engagement enabled us to identify and address potential issues around diversity and inclusion. The new training is also shorter and more engaging, using a variety of technologies and delivery methods.

We’re all responsible

A key benefit of this training is that it reminds us of our responsibilities in the control and handling of information. It’s the only specific security training undertaken by the whole of Defra group on a regular basis. It explains an individual’s responsibilities, what the risks are, what we can do to minimise those, and what we should do if something goes wrong.

The course is also designed to meet guidelines on web content accessibility (usable and understandable for most people with or without disabilities). This is a Civil Service Learning (CSL) requirement. For those with hearing issues, all video and audio components are accompanied by a transcript.

Testing to improve, sharing our knowledge

As you might expect, extensive testing took place before we launched last month. This testing involved not just the project team, but a range of other stakeholders and specialist groups within Defra too. We used the Defra internal comms network to trawl for volunteers. Those volunteers were sifted to ensure they were representative of the diverse Defra workforce.

Our approach to this challenge addresses some of the issues raised in the recently published Government Cyber Security Strategy, which specifically highlights the importance of staff awareness and training. That strategy, which aligns with the National Cyber Security Strategy, sets out the government’s approach to building a cyber resilient public sector. It will help make core government functions – from the delivery of essential public services to the operation of our National Security apparatus and critical national infrastructure – more resilient to cyber-attack.

Good cyber security is essential to deliver government services and protect government information. We know that our systems are being relentlessly targeted. Of the 777 incidents managed by the National Cyber Security Centre (NCSC) between 2020 and 2021, around 40% were aimed at the public sector.

We know too that our adversaries are increasingly capable. And so having civil servants fully up to speed with these issues is a priority, and one which we’ve been glad to play our part in supporting.

More information

Read the Government Cyber Security Strategy, which sets out the government’s approach to building a cyber resilient public sector.