After completing your annual phishing training, which teaches employees how to spot phishing emails, you feel confident. However, your confidence is shattered when your company falls victim to a costly ransomware infection due to a click on a phishing link. Despite undergoing the same training every year, you continue to experience security incidents, which begs the question of how often you should train your employees.
How often do you need to train employees on cybersecurity awareness?
It’s not enough to train your employees just once a year. Without reinforcement, people are unlikely to change their behaviors or may forget what they’ve learned after a few months. According to research, the “sweet spot” for training frequency is every four months, as this results in more consistent improvements in IT security.
A recent study presented at the USENIX SOUPS security conference looked at the relationship between training frequency and users’ ability to detect phishing emails. The study tested employees’ phishing identification skills at various time increments, including four months, six months, eight months, ten months, and twelve months. The results suggest that training every four months is optimal for improving your team’s cybersecurity awareness.
Employees took phishing identification tests at several different time increments:
- 4-months
- 6-months
- 8-months
- 10-months
- 12-months
The study revealed that four months after their initial training, employees had good scores in accurately identifying and avoiding phishing emails. However, their scores started to decline after six months and continued to worsen as more time passed since their training.
To ensure employees remain well-prepared, it is crucial to provide ongoing training and refreshers on security awareness. This will empower them to actively contribute to your cybersecurity strategy.
Tips for Training Employees and Cultivating a Cybersecure Culture
The ultimate goal of security awareness training is to foster a cybersecure culture. In this culture, everyone recognizes the importance of safeguarding sensitive data, avoiding phishing scams, and maintaining secure passwords.
Unfortunately, according to the 2021 Sophos Threat Report, most organizations do not exhibit this culture, and a lack of sound security practices poses a significant threat to network security.
According to the report, the root cause of numerous severe attacks we’ve investigated is a lack of attention to basic security hygiene. Having well-trained employees plays a crucial role in mitigating a company’s risk and reducing the likelihood of falling victim to various online attacks. Effective training doesn’t necessarily require lengthy cybersecurity sessions; it’s more effective to diversify the delivery methods.
Here are some examples of effective cybersecurity training methods that you can include in your training plan:
Monthly self-service videos: Provide employees with self-service videos via email on a monthly basis to enhance their cybersecurity knowledge and awareness.
Team-based roundtable discussions: Organize interactive roundtable discussions within teams to encourage knowledge sharing and collaborative learning about cybersecurity practices.
“Tip of the Week” in company communications: Include a regular “Tip of the Week” in company newsletters or messaging channels to deliver bite-sized cybersecurity tips and best practices.
IT professional-led training sessions: Arrange training sessions led by IT professionals who can provide in-depth insights and guidance on various cybersecurity topics.
Simulated phishing tests: Conduct simulated phishing tests to assess employees’ susceptibility to phishing attacks and provide targeted training based on the results.
Cybersecurity posters: Display informative and visually appealing cybersecurity posters in common areas to reinforce key security concepts and promote awareness.
Celebrate Cybersecurity Awareness Month: Dedicate the month of October to celebrate Cybersecurity Awareness Month by organizing special events, workshops, or training sessions to emphasize the importance of cybersecurity within your organization.
By incorporating these diverse training methods, you can ensure a comprehensive and engaging approach to cybersecurity training for your employees.
When conducting awareness training, it’s essential to cover not only phishing but also other crucial topics. Here are some important areas that should be included in your training mix:
Phishing by Email, Text & Social Media
While email phishing remains the most common form, it’s crucial to address the growing threats of SMS phishing (“smishing”) and phishing through social media. Employees need to be able to recognise these deceptive tactics and avoid falling victim to these scams.
Credential & Password Security
With the widespread adoption of cloud-based platforms, credential theft has become a significant concern. It has become the leading cause of data breaches globally, particularly as it provides an easy pathway to breach SaaS cloud tools. It’s critical to discuss with your team the importance of maintaining secure passwords and using strong authentication methods. Additionally, provide guidance on tools such as business password managers to assist them in safeguarding their credentials.
Mobile Device Security
Mobile devices have become an integral part of daily work, enabling employees to access emails and perform tasks from anywhere. Considering this, it’s essential to review the security requirements for employee devices that access business data and applications. Emphasize the importance of securing mobile devices with passcodes, keeping them regularly updated with the latest security patches, and following best practices for mobile device security.
By addressing these topics in your awareness training, you can better equip your employees to recognize and mitigate the risks associated with phishing, credential theft, and mobile device security.
Data Security
As data privacy regulations continue to increase, it is crucial for companies to comply with multiple data privacy regulations. To mitigate the risk of data leaks or breaches that could result in costly compliance penalties, it is important to provide training to employees on proper data handling and security procedures. By ensuring employees are well-versed in data security, you can minimise the potential risks associated with mishandling sensitive information.
Need Assistance in Maintaining Your Team’s Cybersecurity Training?
Take the burden off your shoulders and entrust the training of your team to cybersecurity professionals. We offer an engaging training program designed to help your team develop better cybersecurity practices and enhance their cyber hygiene. With our expertise, we can provide the necessary guidance and knowledge to facilitate behavioral changes and improve your overall security posture.
Recent articles
Microsoft takes the pain out of updates
Updates are a pain, right? Time consuming and disruptive. Not anymore… Here we tell you how Microsoft’s latest Windows 11 update is making things quicker and easier.
Lost for words? Draft with Copilot can help
If you struggle to find the right words in an email or post, you’d probably love a little help. Draft with Copilot is exactly that. Here we tell you how it works.
Heads up: You need to update Windows 11 by this deadline
Have you updated to the latest version of Windows 11 yet? If not, it’s time to act – Microsoft has announced when it will end support for older versions (and it’s soon!).
Cyber extortion: What is it and what’s the risk to your business?
Have you heard of cyber extortion? It’s a very real threat to your business. Here we explain what it is and how to stay safe.
Protect your business from a data leak with Microsoft Edge
Keeping your data away from the wrong hands is a big challenge. But thanks to Microsoft Edge for Business, it’s just become easier. Here we tell you why.
Are your employees reporting security issues fast enough… or even at all?
The faster your employees report a potential cyber security issue, the less damage is done to your business. But how can you encourage quick reporting? Here we share some solid ideas.