Any strong, reliable company cybersecurity strategy includes several layers of protection: device protections, network security, cloud-based security, and one that is just as important as all the others, employee security awareness.
Employees are on the front line because phishing is the way most malware and data breach attacks are introduced. Staff are also responsible for things like proper handling of sensitive data (such as customer payment card numbers) and their own password and login security.
Adequate training is necessary to ensure that your team understands how to use best practices for cybersecurity, which reduces the risk that your company will get hit with a costly cyberattack.
You can’t expect to be properly protected if you rely only on technical controls (firewalls, anti-virus, etc.) and don’t also incorporate employee security awareness training.
A study of the effectiveness of employee training on cybersecurity found that when employees were well trained and had the knowledge needed to change their behaviors, cybersecurity-related risk for their organizations was reduced by between 45% and 70%.
Thus, it pays off to invest the time and money needed to ensure employees are well trained on things like phishing detection, password security, sensitive data handling, and similar security-related topics.
So… what does “good” employee training look like? How often should you train your employees on security awareness?
There was a study conducted on this by several academics at German universities. We’ll tell you the results below.
Training Employees Quarterly is Recommended
The study conducted by German researchers found that the knowledge employees gain from security awareness training begins to fade after just a few months.
There were 409 employees of the State Office of Geoinformation and State Survey (SOGSS) trained on cybersecurity awareness, including phishing detection.
Those employees were then tested at intervals of 4, 6, 8, 10, and 12 months to see how well the information had been retained. After four months, employees still performed well on a phishing identification test, but at six months, their skills had dropped significantly and continued to get worse at each subsequent test.
What this tells us is that the best interval for keeping your employees’ cybersecurity awareness skills sharp is about every quarter, and in any case before they reach the 6-month mark since their last training. Note that the study measured phishing identification specifically; that is the skill shown to decay on this timeline.
What Types of Training Work Best?
Including a mix of different training messages is important. You don’t need to run every training as a 2-hour lecture on IT security, and that isn’t the most effective method for retention anyway.
The German study looked at four different reminder/training refresher methods to see which ones improved performance the most.
They provided additional training to replenish awareness and knowledge using these methods:
- Text: Giving the information in a text-only format
- Video: Providing cybersecurity training videos
- Interactive examples: Where employees could interact with the refresher information
- Short text: Shorter text-based messages with security tips
The two measures that extended employee information retention to the 6-month mark were video and interactive examples.
Video is a more engaging format than text-only and can often help people remember details of the training because they associate them with the images they saw in the video.
Videos can also incorporate music, which is another aid for retaining what one is taught. Figures such as “viewers retain 95% of a message on video versus 10% in text” are widely quoted in marketing material, but they do not come from the German study and have no clear source, so treat them as a rule of thumb rather than a measured result.
Short videos are perfect for introducing different concepts, such as a different cybersecurity focus each month (password security, smishing, shadow IT, etc.). This keeps training from getting stale and delivers it in bite-sized pieces that aren’t overwhelming.
Incorporating Interactive Examples
Telling someone what to do and giving them a chance to do it are two very different things. People learn better by doing, which is why everyone from sports teams to new manufacturing employees is given a chance to practice and build their skills.
Phishing training delivered as interactive examples allows employees to be taught a concept and then immediately put it into action, for example by judging a sample email and getting immediate feedback on whether it was a phish and why. The participation and the ability to practice what they just learned make the training more engaging, improve retention, and help employees build up their security skills.
Tips for Impactful Employee Security Awareness Training
Here are some tips to help you create a successful training program to improve employee cybersecurity habits:
- Use a mix of different training delivery channels (meetings, videos, short tips, etc.)
- Use the power of video to reinforce the message
- Train at regular intervals, at least quarterly is recommended
- Invite security awareness to the table for other discussions (e.g., “We are rolling out this new payment system; how do we ensure that customer data is protected?”)
- Celebrate Cybersecurity Awareness Month (this can be fun for your team & help you build a culture of cybersecurity awareness)
Get Help from Connect2Geek to Keep Your Employees’ Security Skills Sharp
You don’t have to do all the heavy lifting on security awareness training yourself. Connect2Geek can help your Treasure Valley area business with employee training methods that optimize their skills and reduce your cybersecurity risk.
Schedule your free consultation to learn more today! Call 208-468-4323 or reach out online.