How Frequently Should You Train Staff on Cybersecurity Awareness?


Let’s say you complete a yearly phishing training with your company. This involves educating staff on how to spot phishing emails and scams. You feel good about doing this annually, up until 5-6 months later, when your company suffers a pricey ransomware attack that started with a phishing link. Then you might be asking yourself: how frequently should you train your staff on cybersecurity awareness?

To put it simply, you may not be training your employees enough, especially if you train them on the same material yearly and are still suffering security incidents.

Employees will never change their behavior if the training you do isn’t reinforced. It can be easy for them to forget what they’ve learned several months before.

So how often is often enough? If you want your team to be confident in their knowledge of cybersecurity, we find it’s best to train every four months. Doing so will start to show more consistent results in your IT security.

Why We Recommend Cybersecurity Awareness Training Every 4 Months

You might be asking where this 4-month recommendation comes from. It is based on a study presented at the most recent USENIX SOUPS security conference, which compared a user’s ability to recognize a phishing email against the time elapsed since training. The point was to examine how phishing awareness training affects IT security.

Employees were given phishing identification tests after different time increments including:

  • 4 months
  • 6 months
  • 8 months
  • 10 months
  • 12 months

The study found that identification scores were still high four months after training. At that point employees were still accurately identifying phishing emails and avoiding clicking on them. After 6 months, however, these scores began to decline, and the longer the time since the initial training, the lower the scores.

The only way to keep your employees prepared for these threats is to consistently train and refresh their knowledge. They will better contribute to your cybersecurity strategy as a result.

Advice on What to Teach Employees to Create a Cyber-secure Culture

The ultimate goal of security awareness training is to foster a culture that is cyber-secure: one where everyone is aware of the need to safeguard sensitive data, keep passwords secure, and avoid phishing schemes.

Most companies are not concerned with creating this culture. Unfortunately for them, one of the biggest threats to network security is a lack of good security practices.

The most damaging attacks are rooted in a lack of attention to basic security hygiene.

The more employees receive proper training, the more a company’s risk decreases, because trained employees lessen the likelihood of falling for many cyber attacks. Good training does not have to take a whole day, either, and it’s better to mix up the techniques and delivery methods.

Here are some engaging cybersecurity training methods you can include in your training program:

  • Video modules that are sent via email once a month
  • Team round table conversations
  • Security “Tip of the Week” in an email newsletter or messaging service
  • Training sessions led by an IT expert
  • Phishing simulation tests
  • Best Practice Cybersecurity posters
  • Celebrate Cybersecurity Awareness month every October

Phishing is a significant issue to address during training, but it’s not the only one. You should incorporate the following key subjects into your mix of awareness training.

Phishing by Form of Text, Email and Social Media

The most common type of phishing is still through email. However, both SMS phishing (also known as “smishing”) and phishing on social media are becoming more popular. Employees must be aware of them in order to protect themselves against these malevolent schemes.

Password Security

The majority of business processes and data are now on cloud-based systems, which has led to an extreme increase in credential theft.

Credential theft is the top cause of data breaches across the globe. This is a critical topic to discuss with your team. They should know the importance of using strong passwords and keeping these passwords secure. Help them learn to use tools such as a business password manager.

Mobile Device Security

Today, a sizable portion of the work done in a normal office is done on mobile devices. They are extremely helpful for checking and responding to emails from any location. These days, most businesses won’t even consider utilizing software if it doesn’t have a decent mobile app.

Examine the security requirements for staff devices that access business apps and data. Make sure these phones are secured with a passcode and kept updated regularly.

Data Security Procedures

Regulations pertaining to data privacy have recently been on the rise. The majority of businesses have more than one data privacy regulation that requires compliance.

Employees should get training on secure data handling practices. This lessens the possibility that you’ll be the victim of a data breach or leak that might result in a pricey compliance fine.

We hope this blog helps you determine how frequently you should train staff on cybersecurity awareness.

Need Assistance Training Your Team On Cybersecurity Awareness?

Take the task of training your team off your plate by passing it off to a cybersecurity professional. We can help you create an engaging training course. One that helps your team improve their cyber hygiene.



If you’d like to find out more about what’s new in the tech world, make sure to follow our blog!

Click here to schedule a free 15-minute meeting with Stan Kats, our Founder and Chief Technologist.

STG IT Consulting Group proudly provides IT Service in Greater Los Angeles and the surrounding areas for all of your IT needs.
