If you asked your employees to identify the main areas of an email to check for phishing, how would they score? Do they know the tenants of good password security?
Employee security awareness training is a vital piece of your IT security strategy. Just as important as your firewall or anti-malware software. Employees are on the front line when it comes to incoming phishing emails or credential theft, and what they don’t know can hurt your company.
Effective security awareness training can reduce a company’s risk of becoming a cyberattack victim by 45% – 70%.
Is your training preparing your employees? Or is it quickly forgotten until the next year rolls around?
Make sure you’re not making one of these common business mistakes when it comes to employee security awareness training. Not properly preparing your staff for potential scams can leave you at a much higher risk for a breach.
Not Training Often Enough
If you’re only training your employees once per year on cybersecurity awareness, then you’re not going to get much traction from your training program. In a few weeks, the priority on IT security will have faded and employees will quickly forget what they’ve learned.
How often should you train your employees on IT security? About three times per year at a minimum.
A recent study on IT security awareness training tested employees on knowledge retention 4, 6, 8, 10, and 12 months after receiving training on phishing and other cybersecurity topics. It found that most of them could correctly identify phishing emails after four months, but beyond that, their detection skills quickly faded.
To ensure employees can continue sharpening their skills for phishing detection, password security, and other areas, training every four months at a minimum is recommended.
Not Varying the Training Topics
Do you train from the same materials every time and feel like you’re just going over stuff employees already learned? This is a problem if you’re not varying your training topics.
While phishing detection using things like the SLAM method is an important topic for employee training, there are other topics that you need to incorporate as well.
For example, credential theft has become the number one cause of data breaches, according to IBM Security’s latest Cost of a Data Breach Report. Password security is a major topic that you want to address as well, but there are more.
Some of the topics you want to incorporate into various training approaches throughout the year include:
- Phishing detection
- Password security
- Dangers of Shadow IT
- Data privacy compliance
- Ransomware prevention
- Device security best practices
- How to spot a malware infection
- Social engineering over SMS and social media
- Browser security
Giving Too Much Information at Once and In Just One Way
If you overload employees with all the IT security topics you have in just one long training, it’s going to be difficult for them to process it all. It’s better to dole the training out in bite-sized pieces that they see throughout the week/month/year.
There are several ways you can train employees on cybersecurity and it’s better to use multiple ways because people learn and retain information differently.
Try to incorporate some of these training approaches into your strategy:
- Self-service short security awareness videos
- Tip of the week promoted in your newsletter or team messaging feed
- Small group training sessions
- Large company events on security (like celebrating Cybersecurity Awareness Month)
- Scheduled “drop-in” webinar sessions
- Cybersecurity posters
Not Evolving Training with Current Trending Threats
While some threats stay around forever, like phishing, others begin growing and are fairly new, such as firmware attacks and phishing via text message.
Make sure you don’t allow your training material to get stale. Otherwise, it may no longer be addressing some of the biggest threats that employees will face when they’re online or checking emails.
Keep up to date on the latest IT security threat trends, including new versions of phishing scams making the rounds that employees need to be aware of (e.g., the new scams taking advantage of the Ukraine war).
Not Testing Employees on Retention
How do you know if your employees can detect phishing emails better now than they could last year? It’s important to run phishing simulation drills and test employees from time to time on security information retention.
This ensures your organization hasn’t become complacent about security training, which leaves you at higher risk of a breach, and is on the right track to maintaining a culture of cybersecurity.
Let GEEK911’s Expert Team Help You with Employee Security Training
GEEK911 can help your Silicon Valley area business ensure your employees are well trained on cybersecurity using a variety of engaging methods. Don’t leave your team unprepared!
Schedule a consultation by calling 1-866-433-5411 or reach us online.