Security Awareness Training: How Often Should Your Employees Get Retrained?

Almost every company has some sort of security training, along with several other training prompts to complete during the new hire process. But once initial training is complete, how often should you revisit it?

With the ever-changing cybersecurity landscape and new threats continually being used by hackers, users must stay updated with the latest security trends and know best practices to avoid falling subject to an attack.

A recent study presented at the USENIX SOUPS security conference last month showed that security and phishing awareness training is forgotten over time and that employees need to be retrained after six months. Those surveyed were trained and re-tested four, six, eight, ten, and 12 months later. While most were able to correctly identify phishing emails up to four months after initial training, the longer they went without training, the worse they performed.

These findings come just ahead of October and the 17th year of National Cybersecurity Awareness Month (NCSAM). This year’s theme, “Do Your Part. #BeCyberSmart,” encourages individuals and organizations to “own their role in protecting their part of cyberspace.” This stresses the importance of personal accountability and of taking proactive steps to strengthen one’s cybersecurity posture.

The goal is to put the onus on both parties: the company and the employee. Both have to work diligently to ensure that they are practicing safe cybersecurity measures. Phishing is one of the most effective social engineering attack vectors and can defeat almost all traditional security layers, such as email gateways and endpoint solutions. With the effectiveness of training fading in as little as four months, awareness training must be an ongoing exercise. Of course, you must tread carefully here, lest you start to fatigue users with too much training.

To be more proactive in their approach to achieving an excellent security posture, infosec teams should consider investing in a solution that allows for continuous visibility into user risk. While traditional vulnerability management solutions focus primarily on unpatched software and misconfigurations, Balbix calculates risk across your entire attack surface, including the human element. Leveraging AI, the system predicts which users represent the highest phishing, web, and ransomware risk, giving you an edge in determining where to target additional awareness training. And because the platform operates continuously, you’ll always know who is the biggest risk to your organization and why.

As all cyber-defenders know, any enterprise network is only as secure as its weakest link. This is why security awareness training is essential to the safety of the business and the customers you serve. Balbix helps boost those efforts by helping you figure out who represents your biggest risk and could use a little additional training.

To learn more about how Balbix can help you discover your entire attack surface, and understand your risk, sign up to start your free trial today!
