You’ve just completed your annual phishing training, where you teach employees how to spot phishing emails. You feel good about it until about 5-6 months later when your company suffers a costly ransomware infection because someone clicked on a phishing link.
You wonder why you have to train on the same information every year and still suffer from security incidents. The problem is that you’re not training your employees often enough. People can’t change behaviours if a company doesn’t regularly reinforce their employee’s training.
They can also easily forget what they’ve learnt after several months. So, how often is enough to improve your team’s cybersecurity awareness and cyber hygiene? It turns out that training every four months is the “sweet spot” for seeing consistent results in your IT security.
A study presented at the USENIX SOUPS security conference examined users’ ability to detect phishing emails versus how often they received phishing awareness and IT security training. Researchers tested employees at several different time increments:
The second round of research found that 4-months after their training, they could identify and avoid clicking on phishing emails accurately. However, after 6-months, their scores started to get worse. Then they continued to decline further the more months that passed after their initial training.
So, to keep employees well prepared to act as positive agents in your cybersecurity strategy, they must get training and refreshers regularly.
The gold standard for employee security awareness training is to develop a cyber-secure culture. This culture is where everyone is cognisant of the need to protect sensitive data, avoid phishing scams, and secure passwords. Unfortunately, this is not the case in most organisations. According to the 2021 Sophos Threat Report, one of the biggest threats to network security is a lack of good security knowledge and practices. The report states, “A lack of attention to one or more aspects of basic security hygiene is at the root cause of many of the most damaging attacks we’ve investigated.”
Well-trained employees significantly reduce a company’s risk of falling victim to various online attacks. To be well-trained doesn’t mean you have to conduct a long day of cybersecurity training every 4-months. Instead, it’s better to mix up the delivery methods. Here are some examples of engaging ways to train employees on cybersecurity that you can include in your training plan:
We love technology, and we love helping people.
Call me today for a quick (non-sales) chat to determine whether my team and I can help you better secure your data and get more out of your existing technology!
Kalpesh Shah, CTOBack to News