You’ve just done your annual cybersecurity training. You’ve told employees how to spot phishing emails and what to do with them. You’re feeling good about it: your team is trained, and your company is safe from scammers and other cybercriminals. Fast forward six or seven months. Your company suffers a costly ransomware attack because someone clicked a link in a phishing email.
How could this happen? You’ve trained them on cybersecurity every year for the past five years, yet you still suffered a breach. The problem is simple: you’re not training your employees often enough.
People won’t change their habits and behaviors if training isn’t reinforced. And even if they do, they can easily forget what they learned six months ago.
So how often is often enough? How much training does it take to improve your employees’ cybersecurity awareness? It turns out that training every four months is the sweet spot: you see more consistent results in your IT security, and your team doesn’t get too annoyed with your “cybersecurity nagging”.
How did we arrive at this four-month recommendation? A recent study presented at the USENIX SOUPS security conference (Reinheimer et al., SOUPS 2020) looked at users’ ability to detect phishing emails as a function of how long it had been since they were trained.
Employees took phishing tests at different intervals after the training.
The study found that employees tested four months after training were still able to accurately identify phishing emails and avoid clicking on them. Those tested six months after training scored lower, and beyond six months scores declined significantly: the more months that passed since the last training, the larger the share of employees who clicked a malicious link. Hence the recommendation to train at least every four months; twice a year is the minimum, and anything less leaves a long window in which the lessons have faded.
A cybersecure culture is the gold standard for security awareness: a culture in which everyone is conscious of the need to protect the company’s sensitive data. That includes avoiding phishing and scams, keeping passwords secure, and so on.
This is not the case for most organizations. According to the Sophos Threat Report 2021, one of the biggest threats to network security is a lack of, or negligence in, basic security practices.
The report states:
“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”
Well-trained employees significantly reduce a company’s risk of falling victim to online attacks. Getting your team well trained doesn’t require a day-long cybersecurity boot camp. It’s better to mix up delivery methods and deliver information in small, digestible pieces over time.
Here are some examples of engaging ways we train our employees on cybersecurity. You can include any of these in your plan.
When conducting cybersecurity training, companies often focus too heavily on phishing while neglecting other areas. Phishing is a big and important topic, but it’s not the only one. Consider the following topics and include them in your awareness training.
Email phishing is still the most prevalent form, but social media and SMS phishing (“smishing”) are both growing rapidly. Employees must know what smishing looks like and how to avoid falling for social media scams.
Every year more businesses move their data and processes to cloud platforms, and credential theft attempts have risen with them, because the easiest way to breach a business’s SaaS tools is simply to log in with stolen credentials.
According to IBM, compromised credentials are now the #1 initial cause of data breaches worldwide, which makes this a critical topic to address with your employees. Cover what makes a password strong (length and uniqueness matter far more than special-character rules), why a password must never be reused across services, and why a password should be changed when it is suspected of being compromised rather than on a fixed schedule (forced periodic rotation leads to predictable variants like “Summer2021!” and is no longer recommended by NIST SP 800-63B). A business password manager is a great tool to introduce here: it generates and stores a unique password for every service, which simplifies password management for your team and adds an extra layer of defense. Pair it with multi-factor authentication on cloud logins so that a stolen password alone is not enough to get in.
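As an added example (not code from the original post or from EB Solution), the check below shows what “stronger passwords” can mean in enforcement terms: a minimum length plus a breached-password blocklist, and no forced rotation, in line with NIST SP 800-63B. The breach corpus and its counts are constructed sample data, and the lookup_range function is a local stand-in for a k-anonymity range query such as the Pwned Passwords API, which is what a real deployment would call; it also shows why that query leaks only the first five hex characters of the SHA-1 hash.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> number of times seen
# in breaches. In production you would not hold this locally; you would query
# a k-anonymity range API (e.g. Pwned Passwords) with the 5-char SHA-1 prefix.
KNOWN_BREACHED = {
    "password123": 126927,   # counts are constructed sample values
    "Summer2021!": 1543,
    "letmein": 3000000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the identifier format used by range-query breach APIs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Group breached hashes by their 5-character prefix -> {35-char suffix: count}.

    This is the shape of a k-anonymity range response: the server returns every
    known suffix for a prefix, and the client does the final match locally.
    """
    index: dict = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(KNOWN_BREACHED)


def lookup_range(prefix: str) -> dict:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Only the 5-character prefix leaves the client, so the service never learns
    the full hash, let alone the password.
    """
    if len(prefix) != 5:
        raise ValueError("only the 5-character hash prefix is ever sent")
    return RANGE_INDEX.get(prefix, {})


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 if not found)."""
    digest = sha1_hex(password)
    return lookup_range(digest[:5]).get(digest[5:], 0)


def evaluate_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected (empty list = accept).

    Follows NIST SP 800-63B: enforce a minimum length and a breached/common
    password blocklist; do not impose composition rules or forced rotation.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = breach_count(password)
    if hits:
        problems.append(f"seen {hits} times in breach data, choose a different one")
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "Summer2021!", "correct horse battery staple"):
        verdict = evaluate_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Run it as-is to see the three verdicts; to use it for real, replace lookup_range with an HTTPS call that sends only the prefix and parses the SUFFIX:COUNT lines the API returns, and keep the local suffix matching exactly as shown.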
Like it or not, mobile devices are now an integral part of typical office work. Many routine tasks, such as reading and replying to email, checking work chat, and even attending virtual meetings, can be done from a phone anywhere, anytime. Mobile is such a big factor that most companies today won’t even consider software that lacks a good mobile app.
Regularly review the security requirements for every employee device that has access to business data, and train employees on them.
With the rise of cybercrime has come a rise in data privacy regulations, and most companies must comply with two or more at the same time. Failing to comply with a regulation isn’t as scary as falling victim to a cybercriminal (regulators won’t steal your data and use it against you), but it’s still not a good look when the public finds out you were fined for failing to protect your clients’ sensitive data.
So train your employees on proper data handling and security procedures. This simultaneously reduces the risk of a security breach and the risk of a costly compliance penalty.
We can help you build and implement an engaging training program. Here at EB Solution we have 11 years of experience building networks, securing them, and training clients on all aspects of cybersecurity. We have worked with businesses of all sizes across many industries, so schedule a quick 10-15 minute call with us and get your questions about cybersecurity training answered.