Are Employees Forgetting Phishing Training? You May Not Be Training Often Enough

Employees are often an organization's weakest point when it comes to cybersecurity, because many have trouble recognizing phishing attacks. Phishing messages are designed to trick users into acting on false information, such as a spoofed sender or a look-alike login page. To counter this, organizations provide employees with phishing and security awareness training programs.

Phishing has become increasingly popular in recent years, with cybercriminals relying on new tactics to defraud unsuspecting companies. Employees can only recognize a phishing attempt if they have been trained to spot the tactics cybercriminals actually use.

But are you aware that there is no guarantee people will retain information once it has been given to them?

It sounds incredible, yet it is a hard reality. Ebbinghaus's Forgetting Curve describes this effect and shows it to be a normal feature of human memory, driven by several factors. When people forget newly learned information or skills, the result is costly mistakes and wasted time and resources. According to the Forgetting Curve, when no effort is made to reinforce new information, the ability to recall it diminishes very quickly, with most of the loss occurring in the first days after learning.

For this reason, cybersecurity experts recommend that employees receive timely reminders and structured training scenarios. As easy as this sounds, the results are not always encouraging, especially with less technically inclined employees.

So the question is: how often should this training be carried out? Let's look at some best practices in this area.

What is Phishing Training?

Phishing training is an activity that educates employees to recognize and report phishing attempts. It is needed to protect both the individual and the organization from cybercriminals who are eager to steal sensitive data or disrupt the organization's operations.

The type of training an employee receives depends on the culture of the organization. Training can be delivered in various forms, such as written documents, online platforms, and classroom teaching. Its purpose is to help the employee understand the risk associated with phishing and the threat it poses to the organization.

The most commonly adopted method is classroom presentation, with an instructor delivering the training sessions. The aim of this training is to minimize human error.

Phishing training must be reinforced over time, and its results monitored to identify weak areas that need improvement, for example by tracking how many employees click on a test message and how many report it. The purpose of phishing training is not to turn employees into security experts; the focus is on increasing risk awareness.

How Much Training is too Little?

Many people struggle to remember information they were given the previous week. Yet many companies drag their feet when it comes to organizing regular phishing training for employees.

Organizations often encourage phishing and security awareness training for their employees, but they do not hold it as often as they should. The threat landscape changes every day, so cybersecurity training should be a continuous activity rather than a one-off event.

In a study conducted by IBM, 95% of security breaches were found to involve human error. In cybersecurity, human error means the unintentional actions of employees that enable a breach: downloading malware, not updating their devices, poor password handling, physical mistakes, and sending messages to the wrong recipient.

Human error can be reduced, and tracked over time, through periodic training. How often training happens varies from one organization to another: some conduct phishing training once a year, while others hold sessions twice a month.

Research published through USENIX (The Advanced Computing Systems Association) suggests that cybersecurity training should be refreshed every four to six months. In that study, employees went through phishing training and were then tested at two-month intervals from four to twelve months afterwards. Employees could still spot phishing attacks after about four months, but by six months they had started to forget what they had learned.

Frequent cybersecurity training protects an organization against a larger share of attacks and keeps employees alert to phishing attempts. To protect your employees and the security of the organization, hold phishing and cybersecurity training at least every four to six months, before the retention measured in the study has decayed, rather than as a single annual session.
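One way to turn the four-to-six-month finding into an operating rule is a small cadence check over the employee roster: anyone past four months since their last training is due, anyone past six is overdue, and anyone who fell for a simulated phishing message after their last session is retrained immediately, whatever the calendar says. The following is an added example written for this page, not code from ECN IT Solutions or from the study; the roster, dates and simulation results are constructed, and the 120-day and 180-day thresholds and the "failed simulation means retrain now" rule are assumptions derived from the four-to-six-month window described above.

```python
"""
Training-cadence check based on the retention window reported above
(phishing-spotting ability held for about four months, decayed by six).
Added example; roster, dates and thresholds are constructed/assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DUE_AFTER = timedelta(days=120)      # assumption: ~4 months, retention still good
OVERDUE_AFTER = timedelta(days=180)  # assumption: ~6 months, measurably forgotten


@dataclass
class Employee:
    name: str
    last_training: date
    last_sim_failed: Optional[bool]        # None = no simulated phish run yet
    last_sim_date: Optional[date] = None   # when that simulation was sent


def status(emp: Employee, today: date) -> str:
    """Classify one employee as 'retrain', 'overdue', 'due' or 'ok'."""
    # A failed simulation sent after the last training means the training
    # did not take: retrain now, regardless of elapsed time.
    if (emp.last_sim_failed and emp.last_sim_date is not None
            and emp.last_sim_date >= emp.last_training):
        return "retrain"
    elapsed = today - emp.last_training
    if elapsed >= OVERDUE_AFTER:
        return "overdue"
    if elapsed >= DUE_AFTER:
        return "due"
    return "ok"


def next_session(emp: Employee) -> date:
    """Date by which the next session should happen (4 months after the last)."""
    return emp.last_training + DUE_AFTER


def schedule(roster: List[Employee], today: date) -> Dict[str, List[str]]:
    """Group the roster by status, most urgent bucket first."""
    buckets: Dict[str, List[str]] = {"retrain": [], "overdue": [], "due": [], "ok": []}
    for emp in roster:
        buckets[status(emp, today)].append(emp.name)
    return buckets


# Constructed roster for illustration (not real employees or data).
TODAY = date(2024, 9, 1)
ROSTER = [
    Employee("alice", date(2024, 8, 1), False, date(2024, 8, 15)),  # 31 days, passed sim
    Employee("bob",   date(2024, 4, 15), None),                      # 139 days, no sim yet
    Employee("carol", date(2024, 2, 1), False, date(2024, 3, 1)),    # 213 days
    Employee("dave",  date(2024, 7, 1), True,  date(2024, 8, 20)),   # failed sim after training
    Employee("erin",  date(2024, 7, 1), True,  date(2024, 6, 20)),   # failed sim *before* training
]

if __name__ == "__main__":
    for bucket, names in schedule(ROSTER, TODAY).items():
        print(f"{bucket:8s} {', '.join(names) or '-'}")
    for emp in ROSTER:
        print(f"{emp.name}: next session by {next_session(emp).isoformat()}")
```

The ordering of the checks matters: a failed simulation is evaluated before the calendar so that a recent session does not mask someone who has already shown the training did not stick, while a failure that predates the most recent training (erin) is treated as already addressed. Running the block prints the four buckets and a next-session date per employee; feeding it a real roster only requires building `Employee` records from your training and simulation logs.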

Get it Right with ECN IT Solutions

ECN IT Solutions is a brand protection company specializing in cyberattack prevention, phishing defense, and security awareness programs, among other services. We are structured to protect our clients' interests against phishing attacks, malware, and other security challenges. Need our services? Contact us at 520-335-7553 and let us help you get it right!