You’ve just completed your annual phishing training where you teach employees how to spot phishing emails. You’re feeling good about it, until about 5-6 months later when your company suffers a costly ransomware infection because someone clicked on a phishing link.
You wonder why you have to train on the same material every year and still suffer security incidents. A common cause is that you’re not training employees often enough: people don’t change their behaviour if training isn’t reinforced regularly, and they readily forget what they learnt after several months.
So, how often is often enough to improve your team’s cybersecurity awareness and cyber hygiene? It turns out that training every four months is the “sweet spot” when it comes to seeing consistent results in your IT security.
There was a study presented at the USENIX SOUPS security conference that looked at users’ ability to detect phishing emails versus how often they were trained on phishing awareness and IT security. Employees were tested at several different time increments:
It was found that four months after their training, employees were still able to accurately identify phishing emails and avoid clicking on them. After six months, however, their scores started to get worse, and they continued to decline the more months that passed after the initial training.
So, to keep employees well prepared to act as positive agents in your overall cybersecurity strategy, it’s important they get training and refreshers regularly.
The gold standard for employee security awareness training is to develop a cyber secure culture. This is one where everyone is cognisant of the need to protect sensitive data, avoid phishing scams, and keep passwords secured. Unfortunately, this is not the case in most organisations. According to the 2021 Sophos Threat Report, one of the biggest threats to network security is a lack of good security knowledge and practices. The report states, “A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”
Well-trained employees significantly reduce a company’s risk of falling victim to any number of different online attacks. Being well-trained doesn’t mean you have to sit through a full day of cybersecurity training every four months; it’s better to mix up the delivery methods. Here are some examples of engaging ways to train employees on cybersecurity that you can include in your training plan:
We love technology and we love helping people.
Give me a call today for a quick (non-salesy) chat to find out whether my team and I can help you better secure your data and get more out of your existing technology!
Kalpesh Shah, CTO