
How Often Should You Train Employees on Security Awareness to Make it Stick?


Employee security awareness training is one of those layers of a good cybersecurity strategy that companies can easily get wrong.

Either they don’t train employees often enough, perhaps just once per year, or they neglect training altogether and expect their cybersecurity hardware and software to catch every threat.

While firewalls, DNS filtering, advanced threat protection, and IT disaster recovery planning are all important parts of IT security, your employees are just as vital. They decide where they enter their passwords, which email links they click, and which attachments they open on their devices.

With the significant uptick in hybrid and remote teams since the pandemic, it’s more important than ever to ensure employees are properly educated on things like phishing detection, data security, and password protection.

We mentioned that once per year doesn’t really suffice when it comes to keeping your team well-trained on cybersecurity awareness. So, what is the best training repetition to ensure the information sticks?

It turns out that there was a study on this fairly recently. We’ll tell you what it found. 

Study Results for Employee Phishing Training Retention

A study presented at the USENIX SOUPS security conference in 2020 (Reinheimer et al., “An investigation of phishing awareness and education over time: When and how to best remind users”) showed that, after just a few months, IT security training is forgotten if it isn’t reinforced.

Participants were trained on phishing awareness and then tested on their phishing detection skills at varying intervals after the initial training. At the four-month mark, employees still retained much of what they had learned and scored well on phishing identification.

At the six-month mark, however, they scored noticeably worse; a lot of the material they had been trained on had been forgotten. During the remainder of the study, which tested participants again at 8, 10, and 12 months, scores kept dropping as more time elapsed since that initial training.

The takeaway is that reinforcement matters if employees are to gain and keep the skills they are taught. Scheduling a refresher at least every four months, before the drop-off the study observed at six months, helps you build a well-prepared team. The same study also tested reminder formats, and short video or interactive refreshers were enough to bring detection performance back up.

Teams that are well trained in cybersecurity awareness are often said to cut the risk of a cyberattack impacting their organisation by 45% to 70%. Treat that as an industry estimate rather than a result of the study above, which measured phishing detection rather than attack outcomes.

Methods of Training That Can Be Used  

It’s helpful if you vary your training and refresher training. Not everyone learns in the same way, and by employing different methods you can empower everyone on your team to improve their cyber hygiene.

Some of the methods you can use include the following.

Self-Service Videos

Short self-service videos are an entertaining way to teach employees important cybersecurity skills. Different topics can be covered each month to keep training fresh and varied.

A widely quoted marketing figure claims that people absorb 95% of a message in video format compared with 10% when reading plain text. The figure has no rigorous source, so don’t rely on the exact numbers; the practical point is that short video tends to hold attention better than a wall of text.

In-person or Remote Training with an IT Pro

The benefit of formal training with an IT professional, whether in person or remotely, is that they can answer detailed questions. As an IT provider, we also know the latest threats we are seeing when working with clients and can bring that knowledge into your employee cybersecurity training.

Interactive Online Interfaces

When people can interact with an interface, such as a multiple-choice quiz or “what would you do next” scenario, they learn better. An interactive interface allows information that has been learned to be put into action.

Doing instead of just listening helps cement skills like phishing detection and data security.

Phishing Simulations

Another type of interactive cybersecurity training tool is a phishing simulation. In these, an IT professional sends convincing but harmless phishing emails to staff without warning.

The goal is to track clicks and other engagement with these phishing lures, so the organisation can see as a whole how well employees are identifying dangerous phishing emails when they arrive. Track the report rate as well as the click rate, since an employee who reports a suspicious email is the outcome you are training for, and use the results to target refresher training at teams rather than to single out individuals.
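The two ideas above, a refresher at least every four months and tracking simulation results per team, can be combined in a small report. The following is an added example written for this article and is not part of the original page or any product; the CSV export format, column names (user, department, clicked, reported, last_training) and the sample rows are all constructed assumptions, so adapt the parser to whatever your simulation tool actually exports.

```python
"""Summarise phishing-simulation results per department and flag teams due for a refresher.

Added example (not the original page's code). The CSV layout, column names and
sample rows below are constructed assumptions; adjust them to your tool's export.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export: one row per recipient of the simulated phishing email.
SAMPLE_CSV = """\
user,department,clicked,reported,last_training
a.ng,finance,yes,no,2023-10-02
b.ray,finance,no,yes,2024-01-15
c.ito,finance,yes,yes,2023-10-02
d.kim,sales,no,no,2024-02-01
e.lee,sales,no,yes,2024-02-01
f.oh,it,no,yes,2024-01-20
"""

# Refresh before the drop-off the SOUPS 2020 study observed at six months:
# four months is rounded here to 120 days.
REFRESH_AFTER = timedelta(days=120)


def parse_results(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def department_stats(rows):
    """Aggregate per department: how many were sent, and click/report rates.

    Results are kept at team level only; the point is to target training,
    not to shame individuals.
    """
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in rows:
        d = counts[r["department"]]
        d["sent"] += 1
        d["clicked"] += r["clicked"].strip().lower() == "yes"
        d["reported"] += r["reported"].strip().lower() == "yes"
    return {
        dept: {
            "sent": d["sent"],
            "click_rate": d["clicked"] / d["sent"],
            "report_rate": d["reported"] / d["sent"],
        }
        for dept, d in counts.items()
    }


def due_for_refresher(rows, today_iso):
    """Return {department: [users]} whose last training is older than REFRESH_AFTER."""
    today = date.fromisoformat(today_iso)
    due = defaultdict(list)
    for r in rows:
        last = date.fromisoformat(r["last_training"])
        if today - last >= REFRESH_AFTER:
            due[r["department"]].append(r["user"])
    return {dept: sorted(users) for dept, users in due.items()}


def report(text, today_iso):
    """Combine both views so the output can be handed to whoever schedules training."""
    rows = parse_results(text)
    return {"stats": department_stats(rows), "refresher_due": due_for_refresher(rows, today_iso)}


if __name__ == "__main__":
    for dept, s in report(SAMPLE_CSV, "2024-03-05")["stats"].items():
        print(f"{dept}: sent={s['sent']} click_rate={s['click_rate']:.0%} report_rate={s['report_rate']:.0%}")
    print("refresher due:", report(SAMPLE_CSV, "2024-03-05")["refresher_due"])
```

Run it with the current date and your own export in place of SAMPLE_CSV. A low click rate with a low report rate is not a good result: it usually means the lure was ignored rather than recognised, so the report rate is the number to watch over successive campaigns.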

Small Round-Table Discussions

Some of your employees might have valuable experience from going through a malware attack or data breach in the past that they can share. They may also be able to impart tips on how they manage passwords, etc.

Hold small round-table discussions from time to time on cybersecurity so everyone can learn from each other. These can be done on a team or department level, so everyone has a chance to contribute.

Reminders: Posters, Tips of the Week, etc.

Your company sets the tone for how important IT security is. If employees only hear about cybersecurity once per year, that signals that it’s not a high priority.

However, if you use reminders regularly, that indicates that cybersecurity is important to your company, and should be to employees as well. 

Some of the things that can help you build a culture of cybersecurity are reminders like security-related posters or cybersecurity tips of the week that you send out over a newsletter or messaging channel. 

Need Help Putting Together a “People” Strategy for Cybersecurity?

Connected Platforms can help your Brisbane area business with an engaging and impactful security awareness training program for your team.

Contact us for a free consultation. Call (07) 3062 6932 or book a coffee meeting online.
