How often should you train your employees on cybersecurity?

May 13, 2025
8 min read

You've just completed your annual phishing training, which teaches employees how to spot phishing emails. Five or six months later, your company suffers a costly ransomware infection after an employee clicks on a phishing link.

You may wonder why you keep training employees on the same material every year and still suffer IT security incidents. The problem is not the content: it's that you're not training your employees often enough.

People cannot change their behaviour without reinforcement. Without a refresher, they can forget what they have learned after just a few months.

So, how often should you raise your team's awareness about cybersecurity? It turns out that training every four months is ideal. At Nexxo, we have found that this frequency delivers consistent results in your IT security.

Why is cybersecurity training recommended every 4 months?

So where does this 4-month recommendation come from? A study recently presented at the USENIX SOUPS security conference measured users' ability to detect phishing emails against the time elapsed since their phishing awareness and computer security training.

Employees took phishing identification tests at several time intervals:

  • 4 months
  • 6 months
  • 8 months
  • 10 months
  • 12 months

The study found that four months after their training, employees' scores were still good: they could accurately identify phishing emails and avoid clicking on them. After six months, their scores began to worsen, and they continued to decline with each additional month after the initial training.

To keep employees well-prepared, they need both initial security awareness training and regular refresher courses. This turns them into an asset in your cybersecurity strategy rather than a weak point.

Tips on what and how to train employees to develop a cybersecurity culture  

The goal of security awareness training is to build a culture of cybersecurity, one where everyone understands the need to protect sensitive data, not just to avoid phishing scams and keep passwords secure.

This isn't the case in most organizations, according to the Sophos 2021 Threat Report. In Quebec and elsewhere, one of the biggest threats to network security is the lack of good security practices.

The report states the following:  

"A lack of attention to one or more aspects of basic security hygiene has proven to be the cause of many of the most damaging attacks we have investigated."

Well-trained employees significantly reduce the risk of a company falling victim to a wide range of cyberattacks. Being well-trained doesn't require a full day of cybersecurity training; it's better to mix learning methods.

Here are some examples of engaging ways to train employees on cybersecurity. You can include them in your training plan:  

  • Self-service videos sent by email once a month
  • Team discussion roundtables
  • A security newsletter or "Tip of the Week" message group
  • Training sessions given by an IT professional
  • Phishing simulation tests
  • Cybersecurity posters
  • Celebrating Cybersecurity Month in October

Phishing is a very important topic to cover during training, but it's not the only one. Here are some important topics to include in your cybersecurity awareness training.  

Phishing by email, SMS and social networks

Email phishing remains the most common form, but SMS phishing (smishing) and social media phishing are both on the rise. Employees need to know how to recognize each of them to avoid falling for these scams.

Login credential security

Many businesses have moved most of their data and processes to cloud-based platforms. This has led to a sharp increase in credential theft, since a stolen login is the easiest way to break into SaaS cloud tools.

Credential theft is now the leading cause of data breaches worldwide. At Nexxo, we believe this makes it an essential topic to address with your team. Discuss the need to keep passwords confidential and to use strong, unique passwords, and introduce tools that make this easier, such as a password manager.

Mobile device security

In Montreal, mobile devices now carry a large portion of the office workload. They're convenient for reading and responding to emails from anywhere, and most companies won't even consider new software these days unless it comes with a good mobile app.

Review the security requirements for employees accessing company data and applications from mobile devices. At a minimum, secure the phone with a password and keep it properly updated.

Data security

Data privacy regulations are another topic that has gained momentum over the years. Most companies must comply with more than one data regulation.

Train employees on proper data handling procedures. This reduces the risk of a data leak or breach that could result in a costly compliance penalty.

Need help training your team on cybersecurity?

Take the burden off your shoulders and have your team trained by cybersecurity professionals. At Nexxo in Montreal, we can help you with an engaging training program.

About Nexxo

Nexxo Solutions informatique is a company specializing in providing IT and technology services to Quebec businesses. Its mission is to offer Quebec companies IT services tailored to their needs. Acting as an external IT department, it handles all of a company's IT tasks, allowing it to focus on its business activities. It achieves this by collaborating closely with its clients and putting their interests at the center of its concerns.
