(October 27, 2022) October is cybersecurity awareness month, but organizations should focus on it year-round. Studies show that cybersecurity awareness training can help organizations improve their overall security posture, but evidence suggests the benefits are short-lived. That’s why organizations should deliver cybersecurity awareness training regularly.
Researchers tested 409 subjects at regular intervals over a one-year period to evaluate the effectiveness of phishing awareness training. Subjects were evaluated immediately before and after an in-person training course, again after four months, and then every two months thereafter.
Researchers said test subjects’ ability to correctly distinguish phishing emails from legitimate emails was “significantly improved” for up to five months after training. After six months, however, they seemed to forget much of what they had learned.
The Value of Repetition
In a report presented to the USENIX Symposium on Usable Privacy and Security, the researchers concluded that training is only effective if sessions are repeated regularly, optimally every six months. That reinforces what industry insiders have long believed — that one-off security training sessions are unlikely to produce any lasting benefit.
“For awareness training to have an impact it cannot be a singular event, it must be a long-term commitment,” Lance Spitzner, Director of Security Awareness for the SANS Institute, wrote recently. “You are not going to change behaviors in a day.”
The quality of the training is another factor. Although the vast majority of companies understand the importance of cybersecurity awareness training, their delivery mechanisms often leave much to be desired. In a study from Osterman Research and KnowBe4, almost 90 percent of employees said they believed their training was ineffective because the materials were usually dry, boring, poorly written or irrelevant.
Keep it Interesting
Leading providers such as KnowBe4 offer proven training programs that leverage a variety of approaches to keep things interesting and engaging. KnowBe4’s user-friendly platform includes interactive learning modules, videos, games, and more, backed by a content library that is continually updated with information about the latest threats and current approaches for dealing with them.
Training modules were designed with the help of Kevin Mitnick, the one-time hacker and now internationally recognized cybersecurity specialist who provides a unique insider’s view into the world of cybercrime. Gamification features allow users to compete against their peers on leaderboards and earn badges while learning how to keep their organization safe from cyberattacks.
The platform also allows administrators to launch thousands of simulated phishing, ransomware, malware and spyware attacks that help employees learn to recognize, avoid and report threats. Within 24 hours of a simulated attack, the organization will receive a report describing how well employees fared and which red flags they missed.
Organizations invest in training programs because they recognize that cybersecurity isn’t just an IT issue — it requires the attention of every person in every part of the organization. No matter how much organizations invest in security technologies and systems, employees who are ill-equipped to identify and avoid threats will create a huge vulnerability.
Effective cybersecurity awareness training helps make employees more conscious of security issues and their responsibilities for combating them — if it’s repeated regularly. An engaging program offered on a monthly basis is the best bet for delivering a recurring message that resonates with users.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region, including managed technology services, consulting, custom software development and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.