Whether you’re in the stage of crafting a brand new security awareness program or looking to spruce up your current training approach, there’s one question that always crops up along the way — “how often should our employees receive security awareness training?”.
Once-per-year? Each quarter? Every month?
Finding the sweet spot of how often you should train your employees is a key factor for making sure that a) security awareness is being maintained and b) your training isn’t going into overkill.
In this post, we’ll guide you through:
- How often should security awareness training be conducted?
- Why is regular training the best approach?
- What's the best way to deliver regular training?
- How to get started
How often should security awareness training be conducted?
Many businesses have gone down the traditional route of once-per-year security awareness training sessions, often delivered by an instructor in a classroom-based presentation format.
But with over 90% of data breaches still originating from human error, is this frequency of training really enough for employees to retain and act on the information they've learned?
This question was answered in a study by USENIX, where employees initially received security awareness training that was focused on identifying phishing attacks, and then were asked to identify phishing emails at various stages over a 4-12 month period.
The researchers learned that most employees were able to spot phishing emails four months after the training, but then started to forget what they had learned after six months — meaning that employee training was needed at a minimum of every 4-6 months in order to combat phishing.
But what about educating employees on other core security topics, like password hygiene, removable media, malware, working remotely and physical security?
Although phishing is one of the major threats out there, only training employees on this topic leaves a huge window open for human error and targeted attacks, especially in an environment where remote working has caused more security concerns amongst IT pros.
With that in mind, more and more businesses are finding that monthly security awareness training is the most effective approach for educating all staff on new threats whilst maximising their knowledge retention.
As the 2020 State of the Phish Report points out above, only 6% of companies are now conducting yearly training, compared to 61% of companies who train staff either once or twice per month.
Why is monthly security awareness training the most effective?
There are a number of benefits for launching monthly security awareness training, including:
It helps make training stick
More frequent training helps to reinforce security best practices and refreshes any points that might be starting to slip the employees' minds.
In a recent study, consistent security awareness training was proven to reduce employee phishing susceptibility from 60% all the way down to 10% within the first 12 months.
It allows staff to proactively learn new threats
Cybercriminals don't waste any time in crafting new attacks techniques to trick unsuspecting victims, as pointed out in the huge 220% rise in phishing attacks during the height of the global pandemic.
Monthly security awareness training allows your business to proactively educate staff on the newest cyber threats that they could come across, rather than delaying their training until the next yearly workshop.
It ensures that all staff are trained, including new starters
One huge downside to annual security awareness training is the need to have all staff present at the same time which, due to meetings, holidays and sick days, can be a logistical nightmare.
Rolling out monthly security awareness training ensures that staff are more likely to receive training and that any new starters don't miss out on important information.
What's the best way to deliver regular security awareness training?
At first glance, delivering regular training can seem like an incredibly daunting, expensive and time-consuming job. Having to create, deliver and report back on sessions every single month? Nope. No chance.
These types of pains are exactly what usecure, the automated Human Risk Management (HRM) platform, was designed to eliminate.
Automate regular user training with usecure
With usecure's security awareness training platform, uLearn, you're able to deliver bite-sized monthly training that is crafted, managed and measured through admin-lite automation — eliminating the time and money spent on preparing training material and endlessly chasing staff to complete their courses.
The best part is, each employee training program is personalised to address their own unique risk areas, with a wide library of essential security and compliance topics being covered through engaging video and interactive content.
Here's a quick 2-minute demo of how uLearn works:
Get started today
Grab a free 14-day trial and explore usecure's automated security awareness training platform, huge course library and phishing simulation tool, or access your free guide on how to launch effective training below ⬇️