Council Co-Designed Cyber Awareness & GDPR Training

Portsmouth City Council collaborated with nine other local authorities to co-fund and co-design council specific cyber and GDPR awareness training. Working with the production company that designed and developed the BBC’s mandatory cyber awareness training and eLearning, and adapting expertise from that project to apply in a local government setting.

Data and transparency

The result is Dojo: Local Government, an accessible animated video-based modular awareness series with supporting SCORM compliant eLearning, covering password management to social media, personal data to offline security and more. The 10 collaborating councils had direct access into scripts, sign off on the visuals, voiceover and the overall product.

The challenge:
Cyber security has been an increasing challenge, not just for IT departments, but for council staff at all levels for some time. In Spring 2017 when this work began, several councils had been publicly hacked, personal data held to ransom and Wannacry was in the headlines, which inadvertently pushed cyber security to the top of councils priority lists and risk registers. In addition the (then) incoming GDPR regulations made it very clear that ensuring a level of cyber awareness across all staff was critical.

Although Portsmouth City Council (PCC) had a security policy and cyber specific guidance had been issued to staff, there was no formal cyber awareness training in place and nothing on the market was really hitting the mark. There wasn’t any training that spoke to staff in council terminology or cited local authority processes and
 
protocols. What we had seen was too generic, often very lengthy, unengaging and some had accessibility concerns. Also pricing to cover over 5,000 staff was proving expensive.

The solution:
At the same time, Spring 2017, we were contacted by CC2i - the public sector
co-funding platform - via their partnership with Socitm. The proposition was to be part of a collaboration looking at cyber awareness specifically for a local authority audience.
CC2i were bringing the collaboration together with Matobo, a production company who had just delivered the BBC’s cyber & GDPR awareness training, and were looking for 10 councils to help co-design a series specifically for local government.

The quality of the base product, Matobo’s experience, the ability for us to input in the scripts alongside peer authorities and steer the solution, plus affordable co-funding terms, meant that PCC felt that this was the right, low-risk approach to take in terms of staff cyber awareness, itself was seen as a critical element to organisational security.

In the summer of 2017, the 10 councils and production company Matobo came together for a one-off one-day workshop. We had already had access to scripts and having introduced ourselves to our fellow cyber co-funders, we collectively worked through the changes required to reflect local government cyber and GDPR requirements.

In the intervening four months the animations were redrawn, the scripts pinned down, the voiceover recorded, sound design and final mastering undertaken - with each stage requiring partner agreement and virtual sign off.

In December ‘Dojo: Local Government’ was delivered: 12 video modules covering both cyber security and GDPR and the roll out across all PCC staff began in earnest January 2018.

The impact (including cost savings/income generated if applicable):

  • The impact in terms of cyber threats that the training will have averted (the phishing link that wasn’t clicked on, the file that wasn’t insecurely shared), whilst unquantified, is immense. Not only from a financial perspective, but also reputationally and in terms of organisational disruption;
  • Portsmouth City Council could not have accessed the production skills or created a council-specific awareness series alone, not from a financial nor a resource perspective. In this scenario, we were able to access the solution for a 10th of its cost;
  • By being part of the initial collaboration, PCC achieved a 50% cost saving compared to other courses assessed as part of the process (which themselves were more generic and lacked the council focus);
  • In terms of ongoing cost savings, again by being an initial partner and co-funder, PCC now has a perpetual licence to use Dojo: Local Government across the entire council workforce for no further cost;
  • As a result of co-design and council engagement, PCC is experiencing high levels of staff engagement as the training ‘speaks’ to them using council vocabulary - making it more personal and relevant - and further engages staff with the animation style and high production values;
  • In terms of impact all staff have now completed GDPR training that included the relevant Dojo modules and we are currently monitoring and measuring staff completion of the rest of the series and their cyber awareness levels;
  • The modular approach means that staff can access the training over a number of sessions, and with each module being between 3-5 minutes and available on any corporate device. It is accessible to all levels of staff from remote non-office workers like waste collection operatives to the Chief Executive;
  • We are also now part of a much wider council collective which will seek to improve and add to the series as cyber threats change and as new areas arise (already we have participated in a multi-council workshop looking further at personal data, data handling, sharing and analysis, data hygiene, consent and other areas);
  • Connections made at the original co-design workshop still exist today with PCC meeting up with fellow collaborators from Manchester City Council at CyberUK and liaising with other partners to share approach on GDPR and other areas of common interest.

How is the new approach being sustained?:
Dojo: Local Government is sustained by being available to other local authorities to deploy at an affordable price, itself determined in consultation with the co-funding councils.

In the first six months of 2018, over 50 additional councils commissioned the series, primarily citing the local government focus, co-design process and affordable pricing as their reasons to engage. The training and eLearning has been translated into Welsh at
 
no extra cost due to the take up levels in Wales, and the whole series has been commissioned by NHS Wales for 50,000 frontline staff.

There is a growing Dojo series for different parts of public sector, driven the genesis of the solution and further successful co-funding rounds to deliver a housing version.

The collective approach enables Dojo: Local Government to be hosted and made available in a variety of forms depending on organisational needs (intranets versus in-house learning management systems, different hosting options etc) and will be maintained/improved as new cyber threats emerge.

Lessons learned:
Collaboration and co-design can really work, especially around areas of emerging technologies, new policies and/or common challenges.

Working with established experts in the field, who are already some way down the road in terms of solution design or product knowledge can help. PCC did not have the resource to commit to a project starting from scratch, but being brought in as the local authority expert to work with subject experts worked very well.

Co-funding works and in this case means that PCC got a great product for 10% of the cost required to deliver it.

Contact:  mike.greenslade@portsmouth.gov.uk dojo@cc2i.org.uk

Links to relevant documents:
See our trailer