Most government departments do not have a specific IT security
training budget, a Freedom of Information (FOI) request has
revealed.
Only one in nine government departments that responded to the
FOI request from Firebrand Training said it had a specific budget
for training staff in IT security.
The Ministry of Transport said it had allocated £106,000 for IT
security training for 2008/9, but reported a reduced overall IT
staff training budget on the year before.
The Ministry of Justice, which admitted in August 2008 that it
lost the personal details of 45,000 people in the previous
year, is among those with no specific IT security budget.
Despite the number of high-profile public sector data breaches in
2008, most government departments have a general budget to cover
all IT training.
But two departments said they had no IT staff training budget,
four said the budget was reduced from the previous year and only
four reported an increased budget.
The lack of a specific IT security training budget means that
security training is often neglected as organisations look to cut
costs or delay spending wherever they can.
This approach is short-sighted, according to Robert Chapman,
chief executive of Firebrand Training.
"Training people is about improving their effectiveness and if
they do not understand how to protect against security threats, the
risk of exposure is much higher," he said.
Cyber-criminals continue to develop increasingly sophisticated
ways of stealing sensitive information for gain, according to a
slew of IT security reports.
Public and private organisations cannot afford to stand still
and need to continually update employees on best practice in IT
security, said Chapman.
"The FOI results reveal fundamentally broken thinking in
government departments. They are relying on policy and procedure
without educating IT users," he said.
According to Chapman, failure to train users of data on how to
limit the risks will continue to expose government departments to
potentially catastrophic data breaches.