How often do you need to train employees on Cybersecurity awareness?

News and Blogs

18th August 2022

cybersecurity for employees
How often do you need to train employees on Cybersecurity awareness?

You’ve just completed your annual phishing training where you teach employees how to spot phishing emails. You’re feeling good about it, until about 5-6 months later when your company suffers a costly ransomware infection because someone clicked on a phishing link. 

You wonder why you seem to need to train on the same information every year, and yet still suffer from security incidents. The problem is that you’re not training your employees often enough. People can’t change behaviours if training isn’t reinforced regularly. 

They can also easily forget what they’ve learnt after several months. So, how often is often enough to improve your team’s cybersecurity awareness and cyber hygiene? It turns out that training every four months is the “sweet spot” when it comes to seeing consistent results in your IT security. 

Why Is cybersecurity awareness training each 4-months recommended? 

There was a study presented at the USENIX SOUPS security conference that looked at users’ ability to detect phishing emails versus how often they were trained on phishing awareness and IT security. Employees were tested at several different time increments: 

  • 4-months 
  • 6-months 
  • 8-months
  • 10-months 
  • 12-months

It was found that 4-months after their training, they were still able to accurately identify and avoid clicking on phishing emails. However, after 6-months, their scores started to get worse. Then they continued to decline further the more months that passed after their initial training. 

So, to keep employees well prepared to act as positive agents in your overall cybersecurity strategy, it’s important they get training and refreshers regularly. 

Tips on what and how to train employees to develop a cybersecure culture 

The gold standard for employee security awareness training is to develop a cyber secure culture. This is one where everyone is cognisant of the need to protect sensitive data, avoid phishing scams, and keep passwords secured. Unfortunately, this is not the case in most organisations. According to the 2021 Sophos Threat Report, one of the biggest threats to network security is a lack of good security knowledge and practices. The report states, “A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.” 

Well-trained employees significantly reduce a company’s risk of falling victim to any number of different online attacks. To be well-trained doesn’t mean you have to conduct a long day of cybersecurity training every 4-months. It’s better to mix up the delivery methods. Here are some examples of engaging ways to train employees on cybersecurity that you can include in your training plan: 

  • Self-service videos that get emailed once per month 
  • Team-based roundtable discussions 
  • Security “Tip of the Week” in company newsletters or messaging channels 
  • Training session run by an IT professional 
  • Simulated phishing tests 
  • Cybersecurity posters 
  • Celebrate Cybersecurity Awareness Month in October 

We love technology and we love helping people. 

Give me a call today for a quick (non-salesy) chat to find out whether my team and I can help you better secure your data and get more out of your existing technology! 

Kalpesh Shah, CTO

Back to News

We put our clients at the centre of what we do

Interested in becoming a client or finding out more?

Let’s Chat



We Support

Footer Logo
Microminder - Footer Logo
facebook facebook linkedin twitter