You’ve just completed your latest round of cybersecurity awareness training, this time focusing on phishing scams. Employees are taught how to spot phishing emails and briefed on your company policy for handling them when they arrive.
So far, things are going well.
That is, until about 5-6 months later. Your company suffers a costly ransomware infection due to a click on a phishing link.
So, what happened? Your staff had proper training, and up until now, things were going well!
While cybersecurity awareness training is important, it’s not enough to hold a single session and forget about it. In order to keep your employees informed, it must be carried out regularly.
If the same type of information is taught every year, why do you need to repeat it?
Let’s take a look at the major reasons why cybersecurity awareness training needs to become a routine habit, and how you can go about it.
Why Is Cybersecurity Awareness Training Every Four Months Recommended?
People can’t change behaviors if training isn’t reinforced. After all, who hasn’t forgotten something they’ve learned once several months go by?
So, how often is often enough to improve your team’s cybersecurity awareness? It turns out that training every four months is the “sweet spot.” This is when you see the most consistent results in your IT security and threat mitigation.
OK, but where does this four-month recommendation come from?
Recently, a study was presented at the USENIX SOUPS security conference. It examined users’ ability to detect phishing emails as a function of training frequency, looking at the effects of training on phishing awareness and IT security best practices.
Employees took phishing identification tests at several different time increments:
The study found that four months after their training, scores were still good. Employees were still able to accurately identify and avoid clicking on phishing emails. But after six months, their scores started to get worse, and they continued to decline the more months had passed since the initial training.
To keep employees well prepared, they need training and refreshers on cybersecurity awareness. This helps them to act as a positive agent in your cybersecurity strategy.
What & How to Train Employees For Developing a Cybersecure Culture
Of course, the ultimate goal for cybersecurity awareness training is to develop a cybersecure culture. This is one where everyone is aware of the need to protect sensitive data. This includes items like avoiding phishing scams and keeping passwords secured.
Unfortunately, this culture isn’t the norm in most organizations, according to the 2021 Sophos Threat Report. It reveals that one of the biggest threats to network security is a lack of good security practices.
The report states the following:
“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”
Well-trained employees significantly reduce a company’s risk. They reduce the chance of falling victim to any number of different online attacks.
The good news is that being well-trained doesn’t mean you must conduct a long day of cybersecurity training. It’s actually better to mix up various delivery methods.
For instance, for your cybersecurity awareness training, try incorporating a few of these methods:
- Self-service videos that get emailed once per month
- Team-based roundtable discussions
- Security “Tip of the Week” in company newsletters or messaging channels
- Training session given by an IT professional
- Simulated phishing tests
- Cybersecurity posters
- Celebrate Cybersecurity Awareness Month in October
While phishing is a huge topic to cover, it’s not the only one.
Let’s examine a few key topics you’ll want to include in your mix of cybersecurity awareness training.
Phishing by Email, Text & Social Media
As mentioned, the topic of phishing is one of the most important you’ll need to cover, with scammers and attackers constantly trying out new methods.
Email phishing is still the most prevalent form, but SMS phishing (“smishing”) and phishing over social media are both growing. Employees must know what these look like so they can avoid falling for these sinister scams.
If you’re not sure where to start with your training programs, you’ll probably want to start here.
Credential & Password Security
Many businesses have moved most of their data and processes to cloud-based platforms. This has led to a steep increase in credential theft, since it’s the easiest way to breach SaaS cloud tools.
Credential theft is now the #1 cause of data breaches globally. This makes it a topic that is critical to address with your team. Discuss the need to keep passwords secure and the use of strong passwords. Also, help them learn tools like a business password manager.
Mobile Device Security
Mobile devices are now used for a large part of the workload in a typical office. They’re handy for reading and replying to an email from anywhere.
In fact, most companies won’t even consider using software these days if it doesn’t have a great mobile app.
Review security needs for employee devices that access business data and apps. For instance, securing the phone with a passcode and keeping it properly updated.
The number of data privacy regulations has also been rising over the years. Most companies now have more than one data privacy regulation they must comply with.
Train employees on proper data handling and security procedures. This reduces the risk you’ll fall victim to a data leak or breach that can end up in a costly compliance penalty.
Getting Help With Cybersecurity Awareness Training
With so many new attacks and vulnerabilities discovered nearly every day, it’s not easy keeping up with the latest threats.
As much as you try to keep up with the necessary information, it’s a tough challenge, to be sure.
Fortunately, it’s not something you need to approach by yourself. There’s always help available from reliable experts in the field.
If you’re hoping to take training off your plate and place it in trustworthy hands, Blue Bastion is here to help.
Along with our networking division, Ideal Integrations, we can help you with an engaging training program.
Simply contact us at 412-349-6680, or fill out the form below, and we’ll work with you to create a customized program to help your team change their behaviors and improve cyber hygiene.
And, as always, stay vigilant.