Cybersecurity isn’t just an IT issue — it requires the attention of every person in every part of the organization. That’s why companies not only invest in IT security technologies but also in training and education programs designed to make employees more conscious of security issues. Ninety-six percent of companies responding to a recent global study agreed that security awareness training improves their overall security posture.
However, new evidence suggests the benefits are short-lived. Researchers from several German universities say their analysis indicates that employees forget much of what they’ve learned after just a few months unless training is repeated regularly.
The researchers tested 409 subjects at regular intervals over a one-year period to evaluate the effectiveness of phishing awareness training. Subjects were evaluated immediately before and after an in-person training course, again after four months, and then every two months thereafter. Researchers said test subjects’ ability to correctly distinguish phishing emails from legitimate emails was “significantly improved” for up to five months after training. After six months, however, they seemed to forget much of what they had learned.
The Value of Repetition
In a report presented to the USENIX Symposium on Usable Privacy and Security, the researchers concluded that training is only effective if sessions are repeated regularly, optimally every six months. That reinforces what industry insiders have long believed — that one-off security training sessions are unlikely to produce any lasting benefit.
“For awareness training to have an impact it cannot be a singular event, it must be a long-term commitment,” Lance Spitzner, Director of Security Awareness for the SANS Institute, wrote recently. “You are not going to change behaviors in a day.”
Although the vast majority of companies understand the importance of awareness training, their delivery mechanisms often leave much to be desired. In a study from Osterman Research and KnowBe4, almost 90 percent of employees said they believed their awareness training was ineffective because the training materials were usually dry, boring, poorly written or irrelevant.
Keep it Interesting
Through our partnership with KnowBe4, RMM Solutions offers proven training programs that leverage a variety of approaches to keep things interesting and engaging. The user-friendly platform includes interactive learning modules, videos, games and more, backed by a content library that is continually updated with information about the latest threats and current best-practice approaches for dealing with them.
Training modules were designed with the help of Kevin Mitnick, the one-time hacker and now internationally recognized cybersecurity specialist who provides a unique insider’s view into the world of cybercrime. Gamification features allow users to compete against their peers on leaderboards and earn badges while learning how to keep the organization safe from cyberattacks.
The platform also allows administrators to launch thousands of different simulated phishing, ransomware, malware and spyware attacks that help employees learn to recognize, avoid and report threats. Within 24 hours of a simulated attack, your organization will receive a report describing how well your employees fared and which red flags they missed.
No matter how much you invest in security technologies and systems, employees who are ill-equipped to identify and avoid threats will create a huge vulnerability for your organization. An engaging awareness program offered at six-month intervals is your best bet for delivering a recurring message that resonates with your users. Give us a call to learn more.