
Student Loans Company staffers complete 20,000 cyber crime training courses


The Student Loans Company (SLC) has spent over £76,800 on cyber security training for its staffers over the two most recent financial years (FY 19/20, FY 20/21), according to official figures.

The data, obtained and analysed using the Freedom of Information (FOI) Act by Griffin Law, the niche litigation practice, shows that nearly 20,000 specialist courses were completed in areas such as phishing, password protection, bribery, corruption, and privacy standards. The data shows that 9,334 cyber courses were completed in FY 19/20, with 10,142 completed in FY 20/21. The SLC has just over 3,300 staff, meaning many participants attended multiple courses.

This news arrives just a few days after the National Cyber Security Centre raised a new cyber alert around the surging ransomware threat facing the UK Education Sector.

The most popular course across both years was ‘Anti-Money Laundering’, which saw 3,321 participants in FY 19/20 and 3,249 in FY 20/21. The second most popular was ‘Counter Fraud and Bribery Corruption’, drawing in 3,044 attendees in FY 19/20 and 3,215 in FY 20/21, and the ‘Protecting Information’ course was attended by 2,941 and 3,181 staffers respectively across both years.

Another course, the ‘Role of the Security Manager Security Masterclass’, surged from 20 attendees in FY 19/20 to 142 in FY 20/21.

Most of the remaining courses were only introduced to staffers in the most recent financial year. These were: ‘Defending SLC from Phishing Attacks’, attended by 63; ‘Power to your Passwords’, attended by 72; and ‘Working from Home Securely’, attended by 189. These courses were most likely influenced by the pandemic.

Finally, 39 of the recorded participants were training for specific full-time positions in SLC’s Technology Group Security Team and Information Governance and Compliance Team. This included training to become a CompTIA Cyber Security Analyst, an AWS Security Engineer and Certified Information Privacy Manager, amongst others.

Interestingly, the role-specific training took up most of SLC’s cyber training budget, costing them £52,493.50 out of the £76,800 total expenditure.

Security expert Chris Ross, SVP, Barracuda Networks comments:

“The cyber threat facing employees has surged over the course of the pandemic. Our own research even revealed a disproportionate quantity of email phishing attacks targeting organisations in the education sector in an effort to steal personal data whilst millions are forced to work and learn from home. This threat has also been exacerbated by the cyber skills gap across the UK, with a widening shortage of certified security professionals leaving many organisations vulnerable to the surging cyber threat levels.

“It is encouraging to see the SLC making a proactive effort to equip and train its employees with the latest cyber security skills, especially given the high volume of financial data it is tasked with managing. This effort must be supported by the necessary cyber protection systems to identify and quarantine malicious attacks before they reach the inbox of employees as well as having the right backup systems in place in the event of a ransomware attack.”

Cyber expert Tim Sadler, CEO, Tessian commented:

“Whilst Security Awareness Training is extremely important, it is just as important that organisations understand exactly how to implement it so that it is effective, addresses the right issues, and is not forgotten. Too many security training sessions today are ‘tick box’ sessions designed to appease shareholders, regulators and customers.

“This is why businesses must ensure that they adopt a new approach, one that is automated, in-the-moment, and long-lasting, with training which is tailored to each user and addresses specific security weaknesses affecting a user or a business.”

Edward Blake, Area Vice President for Absolute Software comments:

“The education sector is a top target for hackers, who are undoubtedly looking to seize control of the goldmine of invaluable information stored on its servers. What’s more, with remote learning still in force, there will be more devices on the move than ever before, creating the perfect opportunity for device theft and cyber breaches.

“As well as security training, all potential targets in the education sector, including staffers and students, must equip their devices with resilient endpoint security software that allows an allocated security officer to freeze, control or lock down any breached devices – so that a stolen device does not necessarily equate to a breach of data.”

Full FOI Table:


Number of staff attending/completing course



Financial year 2019-20

Financial year 2020-21


All SLC staff




Anti-Money Laundering [1]



Content created and published by SLC – only internal staff costs which are not tracked/recorded.

Counter Fraud Bribery & Corruption [1]



Free, provided by Civil Service Learning to SLC.

Protecting Information [1] and [2]



Responsible for Information and Government Security Classification and Handling are free, provided by Civil Service Learning to SLC. The Freedom of Information (“FOI”) course is part of the overall Protecting Information mandatory module, however not considered to cover cybercrime/cyber security so outside the scope of the request. In any event, the FOI course content was created and published by SLC, so only internal staff costs which are not tracked/recorded.

Role of the Manager Security MasterClass [3]



Main costs (including creating and publishing content) have been internal staff costs, which are not tracked/recorded. Training does contain a short animated infographic which was created by a third party for SLC – initial cost of £9,000 with additional ad hoc maintenance costs of £872 in order to keep current.

Defending SLC from Phishing Attacks [4]



Developed in conjunction with third party – cost of third party services to SLC £5,670 (internal staff costs not recorded).

Power to your Passwords [4]



Developed in conjunction with third party – cost of third party services to SLC £5,720 (internal staff costs not recorded).

Working from Home Securely [4]



Developed in conjunction with third party – cost of third party services to SLC £3,050 (internal staff costs not recorded).





Role specific training for staff in SLC’s Technology Group Security Team and Information Governance and Compliance Team




Cyber Security Introduction




Certified Data Protection Foundation and Practitioner




AWS Security Engineer




Mastering GDPR, Governance Security and Compliance in Office 365




CompTIA Cyber Security Analyst (CYSA+)




Payment Card Industry Data Security Standard Internal Security Assessor certification




Certified Information Privacy Professional (“CIPP”)



Combined total cost for CIPP and CIPM – £9,999.50 (paid for together)

Certified Information Privacy Manager (“CIPM”)



See above

