Picture This…

You’ve just completed your annual phishing training where you teach employees how to spot phishing emails. You’re feeling good about it, until about 5-6 months later when your company suffers a costly ransomware infection because someone clicked on a phishing link. You wonder why you seem to need to train on the same information every year, and yet still suffer from security incidents. 

The problem is that you’re not training your employees often enough. People can’t change behaviors if training isn’t reinforced regularly. They can also easily forget what they’ve learned after several months go by. So, how often is often enough to improve your team’s cybersecurity awareness and cyber hygiene? It turns out that training every four months is the “sweet spot” when it comes to seeing consistent results in your IT security.

Why Is Cybersecurity Awareness Training Every 4 Months Recommended? 

There was a study presented at the USENIX SOUPS security conference that looked at users’ ability to detect phishing emails versus how often they were trained on phishing awareness and IT security. Employees were tested at several different time increments: 4-months, 6-months, 8-months, 10-months, and 12-months. 

It was found that four months after their training, they were still able to accurately identify and avoid clicking on phishing emails. However, after 6-months, their scores started to get worse. Then they continued to decline further the more months that passed after their initial training. So, to keep employees well prepared to act as a positive agents in your overall cybersecurity strategy, it’s important they get training and refreshers regularly. 

Tips on What & How to Train Employees to Develop a Cybersecure Culture

The gold standard for employee security awareness training is to develop a cybersecure culture. This is one where everyone is cognizant of the need to protect sensitive data, avoid phishing scams, and keep passwords secured. Unfortunately, this is not the case in most organizations. 

According to the 2021 Sophos Threat Report, one of the biggest threats to network security is a lack of good security knowledge and practices. The report states, “A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”

Well-trained employees significantly reduce a company’s risk of falling victim to any number of different online attacks. To be well-trained doesn’t mean you have to conduct a long day of cybersecurity training every four months. It’s better to mix up the delivery methods. Here are some examples of engaging ways to train employees on cybersecurity that you can include in your training plan: 

  • Self-service videos that get emailed once per month 
  • Team-based roundtable discussions 
  • Security “Tip of the Week” in company newsletters or messaging channels 
  • Training session given by an IT professional 
  • Simulated phishing tests 
  • Cybersecurity posters 
  • Celebrate Cybersecurity Awareness Month in October