The Changing UK Cyberpolicing and Cyberskills scene - an update
This is an update (updated again on 11th September) to my blog earlier this year (after summarising the DCMS report on the State of the UK Cyber Security Sector). My original objective was to support the launch of the Cybersecurity Council. I now know that delays in funding mean it is unlikely to have its careers work stream operational much before the end of the year. I have therefore done an update to cover recent changes and announcements. I plan to make time over the summer to fill some of the gaps with regard to courses, qualifications and skills programmes. I also hope to be able to include reference to changes due to be announced in September.
The Covid Lockdown unleashed a torrent of benefits, employment and skills related fraud, as criminals seize the opportunity to loot the new programmes , as they did the Individual Learning Accounts after Y2K, at the same time as victimising job seekers and infiltrating those seeking to recruit new staff to support recovery. Hence, for example, the relaunch of SaferJobs on a much larger scale as Jobsaware.
There is an urgent need to make rapid use of the trusted partner programmes of the new Cyber Resilience Centres to help businesses of all sizes (and charities, schools, reputable training providers and others) to implement and check effective vetting, authorisation and access management processes, perhaps using digital identities that are worth more than the paper they are not printed on. There is similarly urgent need for those seeking cybersecurity talent to actively support their regional local Cyberchoices programmes, to retrieve those at risk of turning to dark side and turn a major problem into an opportunity.
I hope readers will find this blog and also help the gaps until such time as the Cybersecurity Council or one of its members/partners can take over.
Background:
The scale and nature of demand for cybersecurity skills have changed radically over the past year in the face of transformations in the threats and responses needed. Fraud is now perceived as national threat and the Economic Crime Statement of Progress lists over fifty actions under way, giving context to changes in the structure and nature of the UK police response with Cyber Resilience Centres mapped onto the ROCUs and the automation of intelligence gathering to aid targeted response. Cybersecurity has become an £8.9 billion business in the UK but fraud against the public sector alone (80% of it cyber-enabled) has an estimated turnover many times that. That against DWP alone may be over £8 billion. Hence the plans to create a Counter-Fraud “profession” on at least the same scale as that for Cybersecurity. The overlap between the two will almost certainly impact the way demand for “cybersecurity” skills evolves.
The way demand for cybersecurity skills is measured has not kept pace. The statistical definitions commonly used reflect neither the skills in demand nor those used to analyse the structure of the industry. Those for cyberwarfare, needed by GCHQ and MoD, overlap with those to protect Megabank and its Customers, but are not the same. They, in turn, overlap with those to protect children, adults and microbusinesses, but are not the same. Those to secure critical national infrastructures, on-line networks and connected devices also overlap, but are not the same.
A focus on the areas of overlap, including glossaries of terms, defining these as “the profession”, is essential if we are to improve the supply of those competent to handle the areas of overlap, but it is not enough. In consequence the work to create the Cyber Security Council is essential, but not enough. The scale and nature of its outreach programmes will be critical. But they will, in turn, depend on the support it receives after the launch, including from Government as the UK’s largest employer and victim.
There may be a shortage of “Professionals” competent to protect large organisation from targeted attacks by organised crime but there is a much bigger shortage (proportions and numbers) of “Technicians” capable of helping advise and protect SMEs and end-users. Then there are the issues of training end-users to protect themselves and what to do when “attacked” or victimised.
We need to unpack demand for digital and cyber skills and map these regionally and locally onto the new structures for policing and the four “P”: prevent, pursue, protect and prepare. We then need to take effective action to attract and train those with the skills necessary and ensure they are provided with employment frameworks and terms of reference which enable them to work together constructively, including with other trades and professions .
Contents
1 Unpacking Demand
2 The Police Structures and Strategies
3 Skills Initiatives and Partnerships
4 Points of leverage
5 Action Plan
6 Appendices – Qualifications, Sources of Guidance
1 Unpacking Demand
The main current focus, including of those planning the Cybersecurity Council workstream on “Careers and Learning“, is on:
- the needs of those collectively seeking a few hundred post-graduates with “deep skills”,
- the needs of those collectively seeking thousands capable of becoming rounded “professionals”, for a relatively small number of security consultancies and large organisations,
- opening up alternative career paths as technicians (e.g. penetration testers) for individuals with “extreme talent” who would otherwise be at risk of recruitment by organised crime.
Demand can be split between the providers of cybersecurity products and services (including the security services and law enforcement such as MoD, GCHQ and those in their supply chains) and their customers.
The recent DCMS Analysis of the UK Cybersecurity Industry indicates that the supply side currently employs the equivalent of 47,000 full time staff. Two thirds work in the cyber-security operations of under 150 service and/or product suppliers, in teams averaging over 200 staff, i.e. large enough to have in-house training and/or apprenticeship operations. Most are within large telco, defence, consulting, product or outsourcing operations. Most of the other 15,000 work in fewer than 200 specialist operations large enough (teams averaging a little over 50) to employ and supervise more than a couple of trainees.
To put this in wider context. The UK has only 7,500 businesses with more than 250 staff – i.e. likely to consider hiring a security technician/professional. There are only 42,000 businesses with more than 50 staff, i.e. likely to have a member of staff with the digital competence to enable the organisation to meet the expectations for Cyber Essentials.
By contrast there are over 1.4 million business with under 50 staff, plus several million sole traders who need access to affordable “virtual CISO” services. That implies local support operations (not just on-line services), with staff competent to the level of (for example) CompTIA Security + .
But most employers also need sector and/or application specific skills e.g. to secure financial services, hospitality, logistics/transport, retail, construction, critical infrastructure, light or heavy engineering, consumer, entertainment, sports, educational or employment products and services. The skills to develop, maintain and operate secure applications have seen the sharpest recent rise in demand, followed by those for cloud security. Meanwhile the skills in local demand vary geographically with the employment mix.
Thus an exercise some years ago to look at security skills sought by London-based financial services organisations (serving customers globally as well as nationally) found that the most serious gap was with those related to “Identity and Access Management”, developing and implementing systems (including people processes for checking claimed certifications, competence, experience, probity and qualifications) to help users decide who should be trusted, with what access, to which data, under what circumstances. These skills moved into crisis with lockdown and mass homeworking.
The exercise also found that organisations large enough to have career development and training frameworks rarely have HR staff with the skills and knowledge to organise and procure training related to Cybersecurity. The main exceptions were those for which this was a major business area: e.g. Accenture, BAe, BT, Deloitte, HP, IBM, KPMG, PWC, Qinetiq, EY etc. Several of these had “academies” organised in co-operation with large training providers like QA and BPP and/or Universities like Royal Holloway or Warwick.
Most such employers make heavy use of a limited number of training providers and/or universities. Thus BPP (now with University status) and its competitors handles the content delivery side of the “apprenticeship” programmes for most major accounting practices and law firms as well as for professional bodies such as the Chartered Institute of Marketing. DSS (part of Newham College) runs digital apprenticeship programmes for several large financial services employers as well as for O2.
2 The Police Structures and Strategies
2.1 The National Structure
The pace of change to the structures, priorities and working practice of the UK cybersecurity and law enforcement agencies has accelerated over the past year in response to the sharp rise in on-line abuse, espionage, extortion, fraud, impersonation and nation state activity during lockdown. Boundaries have been removed, although some remain for accountability and civil liberties reasons. Co-operation, with regard to incident notification, intelligence sharing and investigation has improved with the removal of those boundaries not required for accountability, civil liberties and security reasons.
The NCSC is the public face of GCHQ whose remit has been expanded to include Civilian Cybersecurity and Serious and Organised Crime as well as Counter Terrorism, Nation State Activities Cyberwarfare and support for the MoD. Over the past year then the NCSC, in co-operation with the National Crime Agency , has begun hosting a wide variety of advice and guidance as well as intelligence sharing and security operations centres in partnership with the public sector, (particularly the NHS), private sector organisations with large in-house security operations, (e.g. telecoms, financial services, defence and aerospace plus their outsource providers) and the children’s charities.
Changes to the handling of economic crime, including Fraud Reporting and response are under way, with the transfer of the National Police Chief’s Council lead to the City of London Police to go alongside Action Fraud and the Intelligence sharing and investigation activities co-funded by the UK Financial Services sector. Progress is slower with regard to organising co-operation across the armies of regulators and agencies with overlapping powers over governance and skills, from the FCA and PRA through the ICO and IPCO to National Trading Standards, OfCOM, Ofsted and UKAS
In parallel UK Cyber Policing has re-organised locally and regionally to improve the capability of the NCA Regional Organised Crime Units and Local Police Forces, working together, supported by NCSC, to reduce cyber risk by collating intelligence (not just “reporting”) and responding collectively to common threats and major attacks. There are also programmes like Cyberchoices which link national guidance for children and adolescents at risk of becoming trapped in a world of cybercrime to regional and local programmes to harness their talents.
2.2 The Regional Structures
The National Cybercrime Programme enables every police force in England and Wales to have a dedicated cybercrime unit in place, supported by a network of Regional Organised Crime Units ROCUs). Each ROCU now links to a Cyber Resilience Centre (CRC). Constituted as a Not-for-Profit organisation, each CRC is a public/private partnership there to promote increased cyber resilience across the SME audience as well as the wider community The CRC’s are at different stages of development but the intention is that all will provide free access to NCSC and Police guidance using supervised cyber security students from universities recommended by BRIM (which is contracted nationally to help with formation and co-ordination of the CRCs) plus arrangements with trusted local and national partners to provide access to affordable services. The processes for selecting partners are evolving but the initial filter is accreditation via IASME to Cyber Essentials Plus The services include security awareness training, corporate internet investigation, individual internet investigation, remote vulnerability assessment, internal vulnerability assessment, web app vulnerability assessment, security policy review, cyber business continuity review and partner resource support.
The CRC for Manchester opened in 2019, with support from players like CGI, Northropp Grumman, NCC Group and Siemens and a consortium of five local Universities. The North East CRC is supported by Accenture and Sheffield Hallam and Northumbria Universities. The East Midlands is supported by Nottingham and De Montfort Universities. West Midlands is supported by Wolverhampton University). The South East became operational in January, includes the Thames Valley, has major users like Bank of America, Domino’s Pizza, Marriott Hotels and Save the Children on its board, and has links to Oxford, Portsmouth, Southampton and Surrey Universities and JISC. The South West is expected to have strong links to GCHQ and its supply chain. Those for Wales and the East of England are in the process of formation. Cyber Scotland brings together the longer established Scottish Business Resilience Centre (now in its 9th year) and the NCSC information sharing programmes.
London is handled differently. Last year the City of London Police Commissioner became the national police chiefs lead for Cyber (as well as Business Crime), hosting the team organising co-ordination. CoLP hosts Action Fraud and has the UK’s largest economic crime unit. Meanwhile the Police Digital Cybersecurity Centre, which provides guidance to SMEs comes under the PCPI (crime prevention) stream of the NPCC and is hosted via MOPAC , the supervisory body for the Metropolitan Police. UK Finance funds specialist teams to handle attacks on financial services, like the DCPCU .
2.3 Incident Reporting
NCSC hosts central reporting services for phishing e-mails and suspicious websites while and CoLP hosts the national reporting service for fraud.
Police Cyber Alarm connects to police monitoring services to give a real-time view of potentially malicious activity as it happens. The service is designed for SMEs but could be used by larger firms and the public sector, such as schools. It shares personnel, analyses and tools with the bulk reporting processes that are also being piloted with large organisations in defence, aerospace, pharmaceutical, financial services, telecoms and some other sectors. Local support is via the Cyber Resilience Centres and the map on the website shows where it is live and where it will be released soon.
The key to improving intelligence collection, reporting, investigation and victim support at affordable cost is automation. The Cyber Help-Line is based on a three year old network of volunteer security professionals who developed a 24/7 chatbot that appears to be 80% accurate in identifying the problems faced by individuals and sole-traders.
Their 60 or so volunteers currently handle 4 – 500 cases a month. They need many times that number to enable the service to be expanded and linked locally to the Cyber Resilience Centres, let alone to the Cyberhood Watch component of Neighbourhood Watch and the Neighbourhood Alert networks.
On-line sexual abuse and related issues can be reported centrally to CEOP which became a command within the National Crime Agency some years ago.
Ofcom and the Information Commissioner have a joint action plan for reporting addressing nuisance telephone calls and texts.
2.4 Guidance
There is a need to complement and support the new structures with practical and realistic guidance on self-protection and reporting for use by Neighbourhood Watch, Business Watch and Safer Neighbourhood Partnerships and Teams as well as by public and private sector organisations of all shapes and sizes. That implies extending and promoting current NCSC and ROCU guidance for business (sample here) and individuals (sample here) and programmes such as NCSC Cyberaware (of which the 2021 Cyber Security Breaches Survey says 34% of business are aware, although the update service has only 27,000 followers and Get Safe On-line. The NCSC has issued over 900 items of guidance , some of which appear well-read (21% aware of that on home working and video conferencing services). Awareness of Cyber Essentials is lower (14%), on a par with the guidance on moving your business on-line (also 14%).
Guidance on Fraud protection includes that from UK Finance (Take Five) and the Financial Conduct Authority (ScamSmart) and well as from individual banks (e.g. the NatWest Fraud Guide or the guidance from Arbuthnot Latham) or the Consumer Association . The checklist for the IASME Counter Fraud Fundamentals is here .
Guidance with regard to Employment Fraud and Impersonation is available from Safer Jobs, UKIFA and the JobsAware campaign. The Better Hiring Institute website carries sector by sector guidance for checking the credentials of potential employers.
NCSC now provides resources for schools, parents and employers and the NCA (and ROCUs) offer Cyberchoices but the main sites with regard to child protection are those of CEOP itself, the Safer Internet Centre and the Grids for Learning (e.g. SWGfL and LGfL). Other sites provide DfE guidance for those running out-of-school activities , for handling peer-on-peer abuse and hate crimes and extremism . There are also operations supported by the mobile Phone Operators and others to help with social media awareness and safety such as Digital Awareness , Beyond Equality and The Breck Foundation, and to help with wider on-line awareness, Project Evolve, supported by DfE. The Association of Child Protection Professionals has also gone on-line.
There is a need to provide a variety of audience-friendly front-ends, with regularly updated cross referencing, for inclusion in Section 5 (being Safe and Responsible On-line) of programmes delivered to the National Standards for Essential Digital skills.
3 Skills Initiatives and Partnerships
Many of the Cybersecurity skills partnerships, local and national, that are beginning to emerge to harness currently neglected talent are organised by professional bodies and trade associations also involved with the work to create the Cybersecurity Council as an umbrella for such activities.
The studies and contract which led to the creation of the Council pre-date the accelerating changes of the past year. In consequence those responsible for the body of knowledge, Cybok, being collected in support of work to define the skills on which the Council is expected to focus, only recently began collecting material reflecting the wider remit of GCHQ/NCSC, let alone of those in the private sector from whom “Cyber Security” is commonly a subset of “Risk Management”, alongside abuse, business continuity, compliance (anti-money laundering, data protection etc.) and fraud.
My summary of the recent DCMS studies into the skills market indicates a marked difference between the aptitudes, attitudes and technical skills needed by those expected to work in teams to secure the systems of medium to large organisations and those needed by the much larger number for whom “cyber” is a subset of a broader role. The 2021 Data Breaches Survey reinforces that picture. Leaving aside micro firms, around 60% of businesses have an external cyber secueity provider, rising to 74% in finance and insurance. many more businesses (28%) adhere to PCI/DSS (rising to 50% or more in food, hospitality, retail and wholesale) compared to only 7% using ISO 27001, 5% for NIST (10% in finance and insurance) and 4% for Cyber Essentials (1% audited to Cyber Essentials Plus).
3.1 Apprenticeships
The Institute for Apprenticeships is part of a triumvirate with Ofqual and Ofsted which agrees standards, funding levels and providers for programmes which can be charged against the apprenticeship levy via EFSA listed training providers, before unspent funds revert to HM Treasury.
The Cybersecurity standards are:
Cyber security technician, Level 3 – £11,000 – provided via DSS, SWATPRO and 12 others, EPA: BCS
(organised by e-Skills when the process excluded most industry recognised qualifications).
Cyber security technologist, Level 4, £18,000 – organised via BPP, DSS, Firebrand, QA, 2 ITECs, 19 FE Colleges, 30 others. EPA : BCS, City and Guilds, Accelerate (includes. Comptia Security + etc.)
Cyber Intrusion Analyst – Level 4, £18,000 – via DSS, Firebrand, Barking and Dagenham, Plymouth City and 3 other FE Colleges, 10 others (focussed more on the needs of large proganisations)
Cyber security technical professional – level 6, £24,000, organised by TP Degrees: via QA, De Montfort, Central Lancashire, Edinburgh Napier, Northumbria, Gloucestershire, Bedfordshire, Croydon College (degree linked apprenticeships organised by TP Degrees , now part of TechUK)
Other standards relevant to converged (cyber and physical) security, crime and investigation include:
Security First Line Manager level 3 £5,000 Organised by G4S
Intelligence Analyst – level 4 £11,000 – led by Home Office
Counter Fraud Investigator – Level 4 £15,000 – organised by HMRC
Serious and Complex Crime Investigator – level 6 £19,000 – organised by NCA
3.2 Other programmes include:
- Employers offering Covid Traineeships can claim £1,000 per trainee on prorammes which can range from 6 weeks to 6 months with varying requirements.
- Kickstart is for those aged 16 – 24 who are out of work, on Universal Credit and at risk of long-term unemployment.
- T-Levels require 45 week industry placements.
- The Essential Digital Skills entitlement , fully funded basic digital user skills.
- National Skills Fund covers Level 3 skills programmes and Regional Boot Camps via: Derby and Notts LEP D2N2LEP, the Lancashire Digital Skills Partnership, Heart of the South West LEP (boot camp graduates available to recruit from March 12th plus Bounce Back Digital, including Cybersecurity), Leeds , Liverpool and West Midlands (Code programmes fully booked). Other funded boot camps include Comptia Cyber Ready
- The Hacked programme for “at risk” teenagers vetted and referred by the ROCUs. The first referrals now work for, inter alia, GHCQ.
3.3 Generic Careers Guidance Programmes (see 3.n for Cybersecurity Careers Programmes)
JISC hosts the shared signposting service for the University Careers Services Prospects. The start point for most Employers and Schools is the Careers and Enterprise Company with 3,500 advisors serving over 2,000 schools via LEP partnerships, including “Careers Hubs” bringing over half of them alongside local colleges, careers professionals, universities and employers with support from over 100 national employers. Founders4Schools works with the Careers and Enterprise Company and others to connect business leaders with over a thousand schools. Speakers for Schools which provides on-line work experience as well as motivational speakers is seeking to work with those covering cyber. There are also 30,000 STEM Ambassadors grouped into 19 regional STEM hubs. Tech UK carries a page of links to digital careers sites. Other employer and industry groupings with careers activities include FISSS, 5% Club.
3.4 Cyber Security Technical and Professional Partnerships
The Cyber Security Council has gained charitable status, launched its first initiatives work , published a glossary of terms and begun recruiting members.
The Council is to:
- be the self-regulatory body for Cyber Profession
- support the delivery of the Government Cyber strategy
- set standards nationally and internationally for the profession with ethical guidelines
The UK technical authority will remain the NCSC. The role of the Council is complementary, setting professional standards and providing a voice to the technical authority from the profession.
The founding partners are (ISC2), BCS, CIISEC, CIPD, CompTIA, CREST, CSFS, Engineering Council, IAAC, IAP, IET, InstMC , ISACA, Security Institute, Tech UK and WCIT.
The four pillars are:
- Professional development: The Council will begin by mapping the qualifications and certifications already available back to the knowledge areas in Cybok and through to create pathways so people can find how to enter and navigate their way through the profession. (See Appendix for Qualifications accredited by the founding members)
- Outreach and Diversity: the long term focus is pupils before they decide their educational direction (boys 12-14, girls earlier). Shorter term it is on recruitment from parallel disciplines. There is also a need to look at gender, ethnic and neuro diversity and at inclusivity.
- Ethics. Enforced against agreed baseline standards will through the professional bodies with the Council providing assurance and a route for appeal.
- Thought leadership and influence with regard to new technologies, e.g. Cloud, AI, Machine Learning, Quantum. NCSC provides technical guidance.
The Council has to be self-sustaining after seed corn funding from DCMS. Membership will be open to any organization that can show that it has an interest in developing the profession and for which cyber security is a core or important part of what they do. That will include professional bodies, training, certification and qualification providers, plus a range of employers of cybersecurity professionals to help ensure that the needs of the public sector, defence, transport, finance and health are covered.
3.5 Other cybersecurity qualification/certification providers and their programmes include:
NCSC Academic Centres of Excellence in Cyber Security (ACE-CSE): 8 Universities and a call for additional centres currently out.
NCSC Certified Degrees (Batchelor, Integrated Masters and Masters : 23 Universities
AWS, CISCO, IBM, Microsoft , Oracle Samsung, SAP, Juniper, Palo Alto, SANS, Open University, City and Guilds, Pearson, Huawei. IASME runs the Cybersecurity Essentials certification that is mandatory for those in Government procurement supply chains.
3.6 Education, Training, Geographic and Application Sector Partnerships
Cybersecurity Talent Attraction and Careers Guidance programmes include: Cyberfirst (the umbrella for NCSC funded competitions and courses), (Cybersecurity Challenge funded by an industry consortium) and Cybergirls First (employer supported schools events to stimulate wider engagement). Salute my Job (and other similar guidance operations) for those leaving the armed forces.
Association of Career Colleges: Two Cyberhubs are operational (Plymouth and Barking and Dagenham). Two are expected to be operation within three months (Birmingham and Liverpool). Another is expected to be operational by summer (Manchester). Subject to the success of the first five the lead sponsor (AWS) has agreed to support one per Career College (currently 22).
Tech Skills is the accreditation operation previously run by e-Skills, now a subsidiary of Tech UK. It is used by over 200 employers and 38 Colleges/Universities for their degrees and apprenticeships.
Institute of Coding organises courses and qualifications (specified with inputs from employer panels) covering advanced “coding” skills (AI, Big Data etc.) at a variety of levels for boot camps to post graduate.
University Technical Colleges : UTC Cybergroup 21, including MATs giving a total of over 50 Schools. Sponsors include Fujitsu who sponsored an on-line challenge day with Immersive labs attended by over 800 pupils.
UK Finance (which funds the DCPCU, Financial Fraud Action etc),
Global Cyber Alliance Anglo-US which uses the proceeds of crime to reduce vulnerabilities by providing free tool-kits
Vendorcom Brings together on-line payment and transaction providers
West Midlands Digital Road Map BT, PWC, Lloyds Bank, Microsoft, Google, Coursera., Good Things, Fircroft College, Dudley College, Halesowen College, Birmingham University, OU, Comptia
3.7. Apprenticeship, Training and Awareness Providers:
Althaus digital apprenticeship (including Cyber) provider. Runs theD2N2 cybersecurity boot camps.
Bluescreen IT cyber-security audit and skills provider to defence and aerospace operating to international (NATO) not just UK standards. It pioneered the cyberhub: secure, shared, networked skills incubators-cum-SOCs, operating within contractual processes for ethical co-operation.
Bobs Business a small business security training co-operation which grow out of the EU-funded collaboratiion which made South Yorkshire “the safest place to go on-line” in the UK. See also Bob’s Compliance
DSS the digital arm of Newham College which also co-ordinates apprenticeship operations for London North of the River Thames. South Bank University does South of the Thames. Newham commonly works in tandem with QMUL
Firebrand has trained over 100,000 individuals since its launch in 2001. Its training centre in Wyboston is currently closed and all courses are on-line,
Good Things is the UK’s main digital inclusion charity running and/or involved with many digital literacy and inclusion programmes, national and locally.
Immersive labs Bristol-based multi-national providing AI based on-line cyber-security training materials and courses, including uncharged access for registered pupils and students.
Net Security high end cyber-security security training for 11,000 individuals since 2003. Self-study modules here
QA Probably the UK largest digital (including cyber security) training provider. Runs boot camp programmes for Amazon (e.g. Cloud Security for Army veterans, wives and dependents), BAe (thousands of applicant down to hundreds capable of UK eyes only security clearance) etc.
The Security Company Arguably the largest and best known UK-based provider of Corporate Security Awareness programmes.
Cybok , the project to collate the Cybersecurity Body of Knowledge has collated material on uncharged learning materials and courses, including from Udemy , SANS and Open Security library . The sources have not been curated for quality/provenance.
3.8 Generic Training Providers and Libraries of materials with Digital/Cyber offerings include:
Cybrary, Pluralsight, Udemy, Learning Tree, Reed , The Knowledge Academy,: Learning 247 .
3.9 Recruitment Agencies and Sites include:
Barclay Simpson, Harvey Nash Hays, Reed , Indeed
3.10 Applicant Screening
There are a wide variety of requirements to check claimed identities and audit the processes used from “know your customer” and DBS checks, through trade association standards, such as those of the Payment Card Industry or Government requirements such as BPSS. The scale and nature of Employment and Education fraud make it essential to also be able to check the authenticity of job sites and offer and the provenance of claimed qualifications and supposedly accredited training providers.
The Better Hiring Institute brings together, on one website, links to authoritative guidance and resources to help employers check the qualifications and certifications of applicants, including for regulated sectors such as financial services, health and education. Some of its sector working groups have also begun work on “digital skills passports” for regulated sectors (e.g. health). See also Jobs Aware for other employment guidance.
The NCSC guidance is here. The best known email authentication tools are those available at no charge from the Global Cyber Alliance which also runs boot camps on their use to secure and check domain names etc. Those services doing business with Government are required to be accredited to Cyber Essential + but this is not always enforced. The CPNI Employment Screening guidance includes support documentation such as: CPNI Document verification guidance and CPNI employment Screen Good Practice .
Many organisations offer screening services using a variety of processes. Some automated and on-line, others not. Their value depends on the processes and sources they use. CIFAS is the main clearing house for general fraud prevention information and guidance on identity protection . UKIFA has just been launched, with support from the London Fraud Forum , Reed Screening and others as a UK clearing operation for advice, guidance and reporting on impersonation and identity fraud. ADVP is the trade association for those providing the electronic validation of identity documents in the UK. Founding members included Passport Proven and Prospects HEDD , the portal for validating claimed UK degrees. Veriff and Qualification Check offer global services. Other services for checking documents supposedly issued by Governments and/or other claimed identities include Onfido and Junio.
Appendix 1 lists the main organisations providing cybersecurity qualifications and the processes for checking accredited individuals and training providers.
3.11 Onwards: Identity and Access Management Identity and Access Management, Data Protection and Information Governance, Risk Management, Trading Standards, Investigation, Prosecution/Redress [to be added ]
Include reference to reference Arrow , Forgerock IT Governance
4 Points of Leverage
4.1 Formation and launch of the Cyber Security Council
The Cyber Security Council is expected to provide outreach to other relevant professional bodies, trade associations and regulators. To do so it will far more resource than is currently envisaged.
The activities below should not divert effort from the formation and launch of the Council, but be progressed in parallel, with the expectation and intention that they will come under the aegis of the Council as it grows and matures.
4.2 Joining up guidance on reporting and safeguarding
NCSC has issued Cyber Aware for sole traders and small firms but has not yet produced guidance for individuals and families It is focused on improving password practice, adopting two factor authentication, software updating and forwarding phishing e-mails.
There is currently fragmented guidance for reporting: scam texts) phone calls (e.g. Protecting you from scams | BT Help ), phishing e-mails (e.g. simple forwarding or generic guidance ), employment fraud (Safer Jobs), financial fraud (e.g. Take Five and Action Fraud) and the various types of abuse (e.g. Child Abuse , Hate Crime, Revenge Porn ) and impersonation (e.g. Amazon, Apple, Facebook, Google, Instagram, Twitter etc.).
Given the scale and nature of fraud and impersonation, authoritative and reputable guidance needs to be accessible via a robust, secure and usable (by a variety of audiences) front ends, including via:
- Neighbourhood Watch and Safer Neighbourhood Partnership Teams,
- Local Police Force and Cyber Resilience Centre Programme
- Corporate websites (e.g. via links from “Report Abuse/Problem” buttons
- Schools, business, children and adults as well as professionals, technicians and advisors.
4.3 Guidance on public funding for training, on tax breaks and on use of the apprenticeship levy
Employers can claim £1,000 per Traineeship, which may range from 6weeks to 6 months with varying requirements. Kickstart is for those aged 16 – 24 who are out of work, on Universal Credit and at risk of long-term unemployment. T-Levels require 45 week industry placements. The Essential Digital Skills entitlement is fully funded and covers basic skills.
There are varying incentives for apprenticeships according to age. There are also programmes to enable the re-use of unused apprenticeship levy – such as that being piloted under the aegis of the Positive Transformation Group with the Shaw Trust. There is also a need to promote guidance on good practice in running apprenticeships programmes such as that from Investors in People.
4.4 Guidance on identifying applicants and reputable training providers
There is a serious problem with education, training employment fraud (from obtaining the credentials of applicants to enable access, through frees for worthless/unnecessary checks and qualifications to the “insertion” of unqualified/malicious applicant. There are also issues to do with the quality, relevance, competence and probity of training providers. This problem will become very much worse, very quickly as fraudsters seek to exploit the skills programmes announced in the budget on 3rd March.
4.5 Guidance on Safeguarding pupils and students of all ages
Reference and links to London Grid for Learning, Safer Internet Centre, JISC, NSPCC, Elder Abuse etc. and new DfE funded SWGfL programme.
5 Action Plan
5.1 Use the revision and completion of this paper to identify partners, publicity channels and invitees for CyberSecurity Skills partnerships being organised locally and nationally involving the Cybersecurity Regional Centres, SASIG, the Digital Policy Alliance and others
5.2 Use the process to identify those interested in piloting a secure (e.g. DNS checked) portal for use by schools, colleges, careers advisors, pupils and partners to access reputable careers information via Janet and the Grids for Learning
5.3 Use the revision of this paper in the light of experience and feed-back to help inform those planning skills outreach programmes for the Security Council
5.4 Use the revision of this paper to help those seeking to join up activities at the local and regional, not just national, level.
5.5 Use the revision of this paper to help inform those planning and implementing policy development and implementation: central and local government, regulatory and corporate.
The audiences include Communication, Financial Services, Data Protection and other regulators as well as Home Office, BEIS, DCMS, DWP, Treasury and their agencies.
5.6 Use the revision of this paper to help form “coalitions of the willing”, publicise their success in moving from words to deed, and encourage others to join them.
6 Appendices (yet to be completed)
Appendix 1- Providers of Cyber Security Qualifications and how to check the claims of accreditation by individuals and providers
- Tech UK visit TP Degrees for a list of accredited degrees and use Prospects Hedd to check individual claims
- NCSC Certified Degrees and NCSC Academic Centres of Excellence in Cyber Security , individual clams can be checked via Prospects Hedd
- (ISC2) , 7,900 UK members with CISSP, claims can be checked via Member Verification (isc2.org) and Official Training Providers (isc2.org)
- BCS : Certificate Checker (bcs.org)
- CIISEC :
- CIPD :
- CompTIA : CompTIA Digital Badges | CompTIA IT Certifications , Delivery Partner List (comptia.org)
- CREST :
- CSFS :
- IAP :
- IET :
- InstMC :
- ISACA, CRISC, CGEIT, CDPSE, Verify a Certification (isaca.org) , Find an Accredited Training Partner (isaca.org)
- Security Institute,
- SANS :Find a Certified GIAC Professional | Directory
- IASME : Cybersecurity Essentials
- City and Guilds : Certificate Verification , Training Provider Accreditation , employer training programme accreditation
- AWS, CISCO, IBM, Microsoft , Oracle Samsung, SAP, Juniper, Palo Alto, Open University, , Pearson, Huawei.
The relevant CIFAS services for checking against lists of known fraudsters include: Local Authority screening service (cifas.org.uk) , Enhanced Internal Fraud Database | Cifas
The CPNI guidance for checking hard copy documentation includes CPNI: CPNI Employment Screening guidance CPNI Document verification guidance CPNI employment Screen Good Practice
Top 10 Digital qualifcations in order of global demand: ITIL Foundation, CCNA Cisco Certified Network Associate, CISA Certified Information Systems Auditor, CCNP Cisco Certified Network Professional, Comptia A+ , CISM Certified Information Security Manager, Comptia Security + , Comptia Network + , CCA-V Citrix Certified Associate – Virtualisation, AWS Certified Solution Architect