HOW OFTEN SHOULD BUSINESSES RUN CYBERSECURITY AWARENESS TRAINING?

by Matt Solomon

Make Sure You’re Running Cybersecurity Awareness Training at the Right Cadence


Phishing risk has never been higher. 2020 was a record-breaking year for cybercrime and phishing led the way with a more than 600% increase. This was facilitated in part by an unprecedented increase in email volume. A sudden transition to remote operations combined with extended lockdowns and new hybrid work policies translated into businesses sending more internal and external email than ever before. An estimated 306.4 billion emails were sent and received each day in 2020, triple the average increase of past years. That figure is expected to continue to grow steadily as companies adopt a more flexible work approach going forward, and it’s estimated to reach over 376.4 billion daily messages by 2025 – which makes effective cybersecurity awareness training a must.

More Email Means More Danger


Within the rising tide of email there are plenty of sharks. An estimated 6 billion fake emails were sent to businesses daily in 2020. This flood of dangerous messages ran the gamut from generic phishing attempts to skilled impersonation schemes. However, nothing matched the danger and frequency of ransomware. IBM reports that one in four attacks that IBM Security X-Force Incident Response remediated in 2020 were caused by ransomware. Overall, an estimated 1 in 99 emails a business receives are phishing. 

These attacks use social engineering to persuade the targets into taking an action, and some techniques are very successful. Topping the list of the most opened phishing emails were bogus social media requests. A little over 85% of organizations were targeted or hit with social media phishing scams in 2020. Spoofing and corporate impersonation plagued businesses, as a steady stream of false system messages and fake internal corporate email clogged employee inboxes.

What does this mean for your business? It means that a huge amount of phishing email is headed your way every day. Phishing risks are not slowing down, especially when it comes to ransomware. Ransomware attacks in 2021 are up more than 300% over the same period in 2020, and that was a record-setting year. Plus, an estimated 22 billion new records landed in dark web data markets and dumps in 2020, giving cybercriminals plenty of fuel to mount spear phishing attacks.

Training Cadence Matters for ROI


Every industry is at risk for a cybersecurity disaster caused by mishandled email. An estimated 97% of employees in a wide array of industries are unable to recognize a sophisticated phishing email. To mitigate that risk, companies must increase their commitment to cybersecurity awareness training that includes phishing resistance, a proven winner in the fight against cybercrime – and unfortunately, 62% of businesses don’t do enough cybersecurity awareness training. 

In a UK study on companies running phishing simulations, researchers discovered that 40% to 60% of their employees are likely to open malicious links or attachments. However, the study also showed that consistent cybersecurity awareness training made a huge difference in how those employees handled email. In follow-up testing, after about 6 months of training, the percentage of employees who took the bait dropped to 20% to 25%. Further training produced a steeper drop. After 3 to 6 months more training, the percentage of employees who opened phishing messages dropped to only 10% to 18%.

But just running a few training courses for your staffers isn’t enough to foster strong cybersecurity awareness. Running training courses regularly is vital to gaining and keeping awareness. In a report from consulting giant Accenture detailing the characteristics of a cyber resilient organization, researchers place the ideal number of training courses for employees each year at 11, or just a little under one per month. This prevents courses from becoming rote but still keeps the topic fresh in employees’ minds. 

Cybersecurity Awareness Training Needs Regular Refreshment


Why so frequently? Usenix found that the knowledge and savvy that employees gain from security and phishing awareness training is forgotten over time. In a study of cybersecurity awareness training retention, test subjects went through a single training course. Researchers then tested their retention four, six, eight, ten and 12 months later. The findings showed that the longer the test subjects went from the original training date, the worse their memory was of what they had learned. The sweet spot for retention was at four months. Once the test subjects passed that mark, their retention dropped dramatically, until their performance at ten months was the same as it was when they started the study.

Don’t wait to protect your business and your clients from phishing. Implement a security awareness training program that’s both effective and cost-effective now.

The training tools that you need to reduce the risk of phishing damaging your business are available now. Contact our solutions experts today to get started.