Cybersecurity Awareness: How Often do You Need to Train Employees on it?

18th August 2022

You’ve just completed your annual phishing training, where you teach employees how to spot phishing emails. You feel good about it until about 5-6 months later when your company suffers a costly ransomware infection because someone clicked on a phishing link. 

You wonder why you have to train on the same information every year and still suffer security incidents. The problem is that you’re not training your employees often enough. People can’t change their behaviour if the company doesn’t regularly reinforce the training its employees receive.

They can also easily forget what they’ve learnt after several months. So, how often is enough to improve your team’s cybersecurity awareness and cyber hygiene? It turns out that training every four months is the “sweet spot” for seeing consistent results in your IT security.

Why is cybersecurity awareness training every four months recommended?

A study presented at the USENIX SOUPS security conference examined users’ ability to detect phishing emails against how often they received phishing awareness and IT security training. Researchers tested employees at several different intervals after their training:

  • 4 months
  • 6 months
  • 8 months
  • 10 months
  • 12 months

The second round of research found that, 4 months after their training, employees could still accurately identify phishing emails and avoid clicking on them. After 6 months, however, their scores started to get worse, and they continued to decline the more months that passed since the initial training.

So, to keep employees well prepared to act as positive agents in your cybersecurity strategy, they must receive training and refreshers regularly.

Tips on what and how to train employees to develop a cyber-secure culture 

The gold standard for employee security awareness training is to develop a cyber-secure culture: one where everyone is conscious of the need to protect sensitive data, avoid phishing scams, and secure their passwords. Unfortunately, this is not the case in most organisations. According to the 2021 Sophos Threat Report, one of the biggest threats to network security is a lack of good security knowledge and practices. The report states, “A lack of attention to one or more aspects of basic security hygiene is at the root cause of many of the most damaging attacks we’ve investigated.”

Well-trained employees significantly reduce a company’s risk of falling victim to online attacks. Being well-trained doesn’t mean sitting through a full day of cybersecurity training every four months. Instead, it’s better to mix up the delivery methods. Here are some examples of engaging ways to train employees on cybersecurity that you can include in your training plan:

  • Self-service videos emailed once per month
  • Team-based roundtable discussions
  • A security “Tip of the Week” in company newsletters or messaging channels
  • Training sessions run by an IT professional
  • Simulated phishing tests
  • Cybersecurity posters
  • Celebrating Cybersecurity Awareness Month in October

We love technology, and we love helping people. 

Call me today for a quick (non-sales) chat to determine whether my team and I can help you better secure your data and get more out of your existing technology! 

Kalpesh Shah, CTO
