How Often Do You Need to Train staff on Cybersecurity Awareness?

Phishing training is a critical component of cybersecurity awareness in businesses across Melbourne. But the following scenario is unfortunately all too common.

Your staff have completed their annual phishing training, which teaches employees how to spot phishing emails. As a result, you’re feeling good about it and expect your people to be extra vigilant. That is until about 5-6 months later… when your company suffers a costly ransomware infection due to an errant click on a phishing link.

So why do you keep training your staff on the same topics every year but still suffer from security incidents? The problem is that you’re not training your employees often enough.

The truth is that people can’t change their behaviours or remain vigilant to threats over a long period if those behaviours and training aren’t reinforced. Office workers are taking in a lot of information daily, so they can easily forget previous training, especially after several months pass by… and even more so if they are working remotely.

So, how frequently should you be training your people in cybersecurity awareness? 

It turns out that every four months is the sweet spot. Frequent training will produce more consistent results in your staff’s security score.

Why do Cybersecurity Awareness refreshers demand a four-month cycle?

Four months may be the recommended frequency for training, but where does this figure originate? A study presented at the USENIX SOUPS security conference in October 2020 took a close look at users’ ability to detect phishing emails versus the frequency of their training. In addition, it studied the correlation between more training and better awareness of phishing emails and IT security in general.

During the study, employees took phishing identification tests at several time increments. These included:

  • 4-months;
  • 6-months;
  • 8-months;
  • 10-months;
  • 12-months.

The study found that employees scored well four months after their initial training. They could accurately identify suspicious links and avoid clicking on phishing links and emails. However, after six months, their scores began to get worse and continued to decline the more time passed after initial training.

The findings are clear: to keep employees well prepared, they need regular cybersecurity awareness training and refreshers. Your people are a vital tool in your cybersecurity strategy, and this regular training ensures they act as positive agents.

How to Train Employees to Develop a Cyber Resilience Culture

Developing a culture of cybersecurity awareness is the gold standard for every Melbourne company. This culture involves a workforce where every employee knows the need to protect sensitive information, avoid phishing scams and keep passwords and other data secure. 

Unfortunately, this is not the case in many organisations. We’ve seen it first-hand with a range of companies across Melbourne, and this lack of security often results in costly breaches. The 2021 Sophos Threat Report showed that one of the biggest threats to network security is a lack of good practices throughout the organisation.

This report states:

“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”

The impact of well-trained employees on reducing risk cannot be overstated. Employees who are well trained, vigilant and aware of cyber security are far less likely to fall victim to online attacks. And having well-trained employees doesn’t mean simply conducting a long day of cybersecurity training, either! You and your people should mix up delivery methods.

Some great examples of engaging training methods include:

  • Self-service videos that get emailed once per month
  • Team-based roundtable discussions (including a coffee, of course)
  • Security “Tip of the Month” in company newsletters or messaging channels
  • Training sessions provided by an IT professional
  • Simulated phishing tests
  • Cybersecurity posters
  • Celebrate Cybersecurity Awareness Month in October
  • Fake phishing emails to staff – see how they go identifying them!

Phishing is a large part of cyber security training, but it’s not the only aspect that needs to be covered. Here are some other topics that should be covered in your cyber security training.

Phishing by Email, Text & Social Media

Email phishing is still the number one form of this type of threat, but SMS phishing (also known as smishing… we didn’t make that up!) and social media phishing are becoming more prevalent. Therefore, it’s essential to show your people what these kinds of scams look like to ensure they stay vigilant and do not fall victim to a malicious attack.

Credential & Password Security

Most businesses have moved most of their data and processes to cloud-based platforms… and that likely includes your organisation. Unfortunately, this movement has led to a steep increase in credential theft because it’s the easiest way to breach SaaS cloud tools. 

Credential theft is now the top cause of data breaches worldwide, meaning it’s something you must address with your team. Make sure your people have MFA enabled and know the need to keep passwords secure and that these passwords must be strong in the first place… ‘ilovesouthyarra’ might not be the strongest choice!

Tools like LastPass, a business password manager, can help further.

Mobile Device Security

Mobile devices are now frequently used in work applications in offices. They’re handy for reading and replying to emails virtually anywhere, including when waiting for a train at Flinders Street (it might be a little while). What’s more, most companies won’t even consider using software that doesn’t have some form of mobile app available.

It’s essential to continually review security needs for employee mobile devices that access business data and applications. This includes, for instance, securing phones with a longer passcode and keeping it updated regularly.

Data Security

Data privacy regulations have become increasingly important over the last decade, and most companies are subject to more than one data privacy regulation that requires compliance. Therefore, you must train your people on proper data handling and security procedures. Doing so reduces the risk of falling victim to data leaks or breaches, which result in a costly compliance penalty!

Need Help Keeping Your Melbourne Team Trained on Cybersecurity?

Training should always be done by the best in the business, such as cyber security professionals. We can conduct in-depth and engaging cyber security training in Melbourne for you and your staff. Such training will improve cyber hygiene throughout your organisation and ensure everyone is working toward keeping your sensitive data safe.

About the author

Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business, Yener worked for a number of corporate organisations, where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.