Once again, your annual phishing training runs well. Each training session teaches employees how to avoid phishing emails. Naturally, you’re feeling all good about it. Right up until about 5-6 months later, when your company pays for a costly ransomware infection. Sure enough, someone clicked on a phishing link. You think, what’s the use?
You may wonder why you need to train on the exact same information every year. And then, when you do, you still suffer expensive security incidents. Unfortunately, the issue is that you’re not training your employees often enough.
Training is all about changing behavior. People can’t change behaviors based on a one-and-done training session. They never build good habits, and they easily forget what they’ve learned after several months go by.
Given that we’re talking about behavior instead of knowledge alone, how often is often enough to improve your company’s cybersecurity? Research shows that training every four months is the “sweet spot.” That training cycle is what’s needed for more consistent IT security results.
Why Is Every 4 Months Recommended For IT Training?
So, where does this four-month recommendation come from? The basis is this study presented at the recent USENIX SOUPS security conference. The study looked at users’ ability to correctly identify phishing emails versus training frequency, and it also examined the training itself, covering phishing awareness and IT security.
Team members took phishing identification tests at several different time increments after training.
The study found that four months after their training, scores were still good. Team members were still able to accurately identify and quarantine phishing emails. But after the six-month mark, their scores started to get progressively worse. The more months that passed after their initial training, the more scores declined.
To keep everyone in the company well prepared, they need training and refreshers on security awareness approximately every 4 months. This repetition and reinforcement of behavior helps them to act as a positive element in your cybersecurity strategy.
What & How to Train Employees to Develop a Cybersecure Culture
Developing a cybersecure culture represents the gold standard for IT security. A culture of cybersecurity means one where everyone up and down the line is cognizant of the need to protect sensitive data. Data security includes avoiding phishing scams, keeping passwords secured, and preventing unauthorized access.
Most organizations don’t create a cybersecurity culture, according to the 2021 Sophos Threat Report. Lack of habitual good security practices represents one of the biggest threats to network security.
The report states the following,
“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”
Well-trained employees with good habits significantly reduce a company’s risk. Those good habits reduce the chance of the company falling victim to any number of different online attacks. Being well-trained doesn’t mean conducting one long, slogging day of cybersecurity training. Mixing up the delivery methods over several sessions works much better.
Here are a few examples of engaging ways to train team members on cybersecurity. Include these in your regular training plan:
- Self-service videos that get emailed once per month
- Team-based roundtable discussions
- Security “Tip of the Week” in company newsletters or messaging channels
- Training sessions given by an IT professional
- Simulated phishing tests
- Cybersecurity posters
- Celebrate Cybersecurity Awareness Month in October
During training, phishing is a big topic to cover, but it’s far from the only one. Some other important topics that you want to include in your mix of awareness training include authentication and device security.
Phishing by Email, Text & Social Media
Email phishing is still the most prevalent form used by cybercriminals. However, SMS phishing (“smishing”) and phishing over social media are both growing exponentially. Employees must know what these look like, so they can avoid falling for these common scams.
Credential & Password Security
Many businesses have shifted most of their processes and data to cloud-based platforms. This changeover has led to a steep increase in credential theft. After all, it’s the easiest way to breach SaaS cloud tools.
Credential theft is now the #1 cause of data breaches globally. Therefore, it’s critical to address it with your team. Discuss the need to keep passwords secure and the use of strong passwords on a regular basis. In addition, help them learn tools like business password managers, since strong passwords are difficult to remember.
Mobile Device Security
Mobile devices get a large part of the workload done in a typical modern office. They’re quite handy for reading and replying to an email from anywhere, or even communicating through a cloud app. Most companies would not even consider using software these days if the vendor doesn’t offer a great mobile app.
Review security needs on a regular basis for employee devices that access business data and apps. For instance, physically securing the phone with a passcode and keeping the phone properly updated with security patches are both important.
Data privacy regulations have been multiplying over the years. The vast majority of companies are subject to more than one data privacy regulation, and each one requires compliance from all employees.
Train all employees on proper data handling and security procedure habits. Again, this creation of culture reduces the risk you’ll fall victim to a data leak or breach that can end up in costly compliance penalties.
Why Is This Published By A Business Phone Company?
Here at NoContractVoIP, we believe that your success is our success. To get the latest helpful content delivered to your inbox every month, subscribe to our newsletter here.
Looking for the finest stress-free custom business telephone systems? Contact us or call today at 866-550-0005!