Posted on

Training Employees on Cybersecurity

After completing your annual phishing training, which teaches employees how to spot phishing emails, you feel confident. However, your confidence is shattered when your company falls victim to a costly ransomware infection due to a click on a phishing link. Despite undergoing the same training every year, you continue to experience security incidents, which begs the question of how often you should train your employees.

How often do you need to train employees on cybersecurity awareness?

It’s not enough to train your employees just once a year. Without reinforcement, people are unlikely to change their behaviors or may forget what they’ve learned after a few months. According to research, the “sweet spot” for training frequency is every four months, as this results in more consistent improvements in IT security.

A recent study presented at the USENIX SOUPS security conference looked at the relationship between training frequency and users’ ability to detect phishing emails. The study tested employees’ phishing identification skills at various time increments, including four months, six months, eight months, ten months, and twelve months. The results suggest that training every four months is optimal for improving your team’s cybersecurity awareness.

Employees took phishing identification tests at several different time increments:

  • 4-months
  • 6-months
  • 8-months
  • 10-months
  • 12-months

The study revealed that four months after their initial training, employees had good scores in accurately identifying and avoiding phishing emails. However, their scores started to decline after six months and continued to worsen as more time passed since their training.

To ensure employees remain well-prepared, it is crucial to provide ongoing training and refreshers on security awareness. This will empower them to actively contribute to your cybersecurity strategy.

Tips for Training Employees and Cultivating a Cybersecure Culture

The ultimate goal of security awareness training is to foster a cybersecure culture. In this culture, everyone recognizes the importance of safeguarding sensitive data, avoiding phishing scams, and maintaining secure passwords.

Unfortunately, according to the 2021 Sophos Threat Report, most organizations do not exhibit this culture, and a lack of sound security practices poses a significant threat to network security.

According to the report, the root cause of numerous severe attacks we’ve investigated is a lack of attention to basic security hygiene. Having well-trained employees plays a crucial role in mitigating a company’s risk and reducing the likelihood of falling victim to various online attacks. Effective training doesn’t necessarily require lengthy cybersecurity sessions; it’s more effective to diversify the delivery methods.

Here are some examples of effective cybersecurity training methods that you can include in your training plan:

  1. Monthly self-service videos: Provide employees with self-service videos via email on a monthly basis to enhance their cybersecurity knowledge and awareness.

  2. Team-based roundtable discussions: Organize interactive roundtable discussions within teams to encourage knowledge sharing and collaborative learning about cybersecurity practices.

  3. “Tip of the Week” in company communications: Include a regular “Tip of the Week” in company newsletters or messaging channels to deliver bite-sized cybersecurity tips and best practices.

  4. IT professional-led training sessions: Arrange training sessions led by IT professionals who can provide in-depth insights and guidance on various cybersecurity topics.

  5. Simulated phishing tests: Conduct simulated phishing tests to assess employees’ susceptibility to phishing attacks and provide targeted training based on the results.

  6. Cybersecurity posters: Display informative and visually appealing cybersecurity posters in common areas to reinforce key security concepts and promote awareness.

  7. Celebrate Cybersecurity Awareness Month: Dedicate the month of October to celebrate Cybersecurity Awareness Month by organizing special events, workshops, or training sessions to emphasize the importance of cybersecurity within your organization.

By incorporating these diverse training methods, you can ensure a comprehensive and engaging approach to cybersecurity training for your employees.

When conducting awareness training, it’s essential to cover not only phishing but also other crucial topics. Here are some important areas that should be included in your training mix:

Phishing by Email, Text & Social Media

While email phishing remains the most common form, it’s crucial to address the growing threats of SMS phishing (“smishing”) and phishing through social media. Employees need to be able to recognise these deceptive tactics and avoid falling victim to these scams.

Credential & Password Security

With the widespread adoption of cloud-based platforms, credential theft has become a significant concern. It has become the leading cause of data breaches globally, particularly as it provides an easy pathway to breach SaaS cloud tools. It’s critical to discuss with your team the importance of maintaining secure passwords and using strong authentication methods. Additionally, provide guidance on tools such as business password managers to assist them in safeguarding their credentials.

Mobile Device Security

Mobile devices have become an integral part of daily work, enabling employees to access emails and perform tasks from anywhere. Considering this, it’s essential to review the security requirements for employee devices that access business data and applications. Emphasize the importance of securing mobile devices with passcodes, keeping them regularly updated with the latest security patches, and following best practices for mobile device security.

By addressing these topics in your awareness training, you can better equip your employees to recognize and mitigate the risks associated with phishing, credential theft, and mobile device security.

Data Security

As data privacy regulations continue to increase, it is crucial for companies to comply with multiple data privacy regulations. To mitigate the risk of data leaks or breaches that could result in costly compliance penalties, it is important to provide training to employees on proper data handling and security procedures. By ensuring employees are well-versed in data security, you can minimise the potential risks associated with mishandling sensitive information.

Need Assistance in Maintaining Your Team’s Cybersecurity Training?

Take the burden off your shoulders and entrust the training of your team to cybersecurity professionals. We offer an engaging training program designed to help your team develop better cybersecurity practices and enhance their cyber hygiene. With our expertise, we can provide the necessary guidance and knowledge to facilitate behavioral changes and improve your overall security posture.

Get in touch today to learn more

Recent articles

Posted on

Dark Web Monitoring: what is it & does my business need it?

The global pandemic transformed the way we conduct business, and it’s unlikely that things will ever be the same again. With the increasing reliance on online platforms for both personal and professional transactions, geographical distances and time zones have become irrelevant. However, conducting business online also comes with inherent dangers and threats that we must be aware of.

One significant threat is data breaches, where cyber criminals manage to hack into legitimate commercial website databases. Well-known companies like Facebook and T-Mobile have fallen victim to such breaches, resulting in the theft of over 550 million records. In fact, the Identity Theft Resource Center reported a staggering 68% increase in stolen data in 2021 compared to the previous year.

When your email and password used to log into a website are stolen, they end up in the hands of highly skilled and destructive cyber criminals. These criminals may also obtain other personal information, such as addresses, mobile numbers, and credit/debit card details, that you have saved on the website.

So, what happens to your stolen data?

Your stolen credentials typically end up in a hidden part of the internet known as the Dark Web, where a significant portion of cyber-criminal activity takes place. Over time, your stolen data may be used and distilled by a sequence of criminals in their efforts to create financial gain at your expense. The exact methods they use to steal from end users using stolen credentials can vary, but it’s a sophisticated and malicious process that can span months or even years.

Understanding the risks and implications of data breaches and the Dark Web is crucial for protecting your personal and business information. It’s important to take proactive measures, such as implementing strong security measures and monitoring services, to safeguard against these threats in the ever-evolving landscape of online business transactions.

As we have emphasised, cybersecurity is not limited to a single tool or service, but rather a comprehensive security suite that protects various aspects of your online presence, including email, computers, devices, and overall online activity.

Now, we can answer the initial question of why dark web security is necessary. Dark web scanning acts as a proactive measure before cyber criminals can fully exploit your breached data. By providing timely alerts about breach details, it allows you to take relevant actions to secure your account and render the stolen or breached data useless.

You can easily purchase dark web security from Geniosity at a reasonable monthly cost. A large substantial loss can be avoided with dark web security in place.

If you would like to delve deeper into this topic, please feel free to get in touch with us. We are happy to provide useful information for your business and assist you with dark web security.

For more information about dark web scanning, please visit our Dark Web Monitoring page or drop us a line.