Surveys, unfortunately, show that the vast majority of organizations do little to no security awareness training. The average organization, if it does security awareness training, does it once annually, likely as part of a compliance program.
It is not enough
We know from customer data collected over 10 years, covering many tens of millions of records, that the more frequently an organization does training and simulated phishing, the better its staff becomes at spotting phishing attacks (an example table is shown below).
Since phishing is involved in 70% to 90% of successful data breaches, until a perfect technical defense is found, security awareness training is one of the best things you can do to reduce cybersecurity risk.
How Frequently Should You Train?
The data is fairly conclusive on that answer: as much as you can. We think the sweet spot for most organizations is training once a month with weekly simulated phishing campaigns. New employees should be given longer, general cybersecurity training along with specific training on phishing attacks. Anti-phishing training should include examples of popular phishing attacks and teach participants how to recognize, mitigate, and appropriately report all phishing attacks. The longer training should be repeated at least annually. Most companies require it of every employee in December or January, but it can be done at any time.
You should run simulated phishing campaigns at least monthly; weekly is what the organizations that reduce their risk the most actually do. The simulated phishing campaigns should reflect the most common real-world attacks. The best case is to take a recent real-world phishing attack against your organization and send out a simulation that mimics it. You can easily do this with our PhishFlip™ technology. PhishFlip takes a real-world phish that a user reported, replaces the malicious links with safe ones, and sends it out to your users. You can then quickly quantify how many of your users would have been tricked by the real-world phish had it reached all of them.
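The link-swap described above, as an added example (this is not PhishFlip's code; the landing URL, the X-Simulation-Campaign header, the replacement sender and the sample message are all constructed assumptions). Every URL in the reported phish is replaced by a landing link that identifies the campaign and the individual lure, the attacker's From and Reply-To are replaced so a user who replies cannot reach the attacker, and any attachment is dropped rather than forwarded, since a reported sample may carry live malware.

```python
"""Turn a reported real-world phish into a simulation: every URL is swapped
for a benign landing link that identifies the campaign and the link, and the
attacker's sender addresses are replaced. Added example, not PhishFlip's code;
the sample message, the landing URL and the header names are constructed."""
import re
from email import policy
from email.parser import BytesParser

# http(s) URLs in plain text or inside an HTML attribute value.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample of a reported phish (the .invalid TLD never resolves).
SAMPLE_EML = b"""\
From: "IT Helpdesk" <helpdesk@example-login.invalid>
Reply-To: attacker@example-login.invalid
To: alice@example.com
Subject: Action required: password expires today
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at
https://example-login.invalid/reset?u=alice
--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today.
<a href="https://example-login.invalid/reset?u=alice">Reset now</a>
or <a href="https://cdn.example.invalid/x.png">view the notice</a></p>
--b1--
"""


def flip_phish(raw_eml, landing_base, campaign_id, sender):
    """Return (rewritten message, {original_url: landing_url}).

    Each distinct original URL gets its own landing URL, so click reports can
    tell which lure worked. Non-text parts (attachments) are replaced by a
    notice instead of being forwarded to users."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    links = {}

    def landing_for(match):
        url = match.group(0)
        if url not in links:
            # Path-style link id: no '&' to escape differently in text vs HTML.
            links[url] = f"{landing_base}/{campaign_id}/{len(links) + 1}"
        return links[url]

    for part in msg.walk():
        if part.is_multipart():
            continue
        subtype = part.get_content_subtype()
        if part.get_content_maintype() == "text" and subtype in ("plain", "html"):
            rewritten = URL_RE.sub(landing_for, part.get_content())
            part.set_content(rewritten, subtype=subtype)
        else:
            part.set_content("[attachment removed from simulation]")

    # Never let replies or bounces reach the original attacker.
    del msg["Reply-To"]
    del msg["From"]
    msg["From"] = sender
    msg["X-Simulation-Campaign"] = campaign_id  # assumed header for reporting
    return msg, links


if __name__ == "__main__":
    flipped, table = flip_phish(
        SAMPLE_EML,
        "https://training.example.com/land",
        "c42",
        "IT Helpdesk <helpdesk@example.com>",
    )
    for orig, sim in table.items():
        print(f"{orig} -> {sim}")
    print(flipped.as_string())
```

The landing endpoint (assumed to live at training.example.com) records the campaign and link ids from the path and shows the immediate "here is what you missed" feedback; the original URLs stay only in the returned table, on the simulation side, never in the mail that goes to users.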
If you are wondering, you should definitely conduct regular simulated phishing campaigns. Years ago, many companies wondered whether they needed to do simulated phishing at all, and some worried about the legal consequences. As long as you tell your users that you run simulated phishing tests, the legal consequences should not be a problem; beyond that, use due care and get senior management approval before using controversial subjects.
Almost every organization runs simulated phishing campaigns today, but there are still a few holdouts. Our data shows that the education provided by simulated phishing tests is likely to be more protective than general cybersecurity training by itself. This is especially true if your simulated phishing tests give users who fail them immediate feedback on what they missed (as exemplified below).
Nothing beats immediately seeing what you missed and should focus on next time.
Our core best practice recommendation is that longer training is done when an employee is hired, and annually thereafter, and that shorter training and simulated phishing tests are done at least monthly throughout the year. The best performing organizations do monthly training and weekly simulated phishing, and some do it even more frequently.
How Much Is Too Much?
Some organizations do weekly training and more than weekly simulated phishing tests. According to our data, their users are the best at spotting phishing messages. Still, this level of training and simulated phishing may be too much for most organizations. At some point, your users might push back and argue that the testing is cutting into their productivity.
While we think every organization should be doing at least monthly training and simulated phishing tests, how much more you do beyond that best practice recommendation is up to you. Some organizations thrive with more frequent training and testing, and others with less. Each organization will need to find its own cadence. What we can say unequivocally is that you should be doing training and testing at least once a month. Any less than that significantly undermines phishing message recognition.
If your organization is only doing annual training (or no training) and less frequent than monthly simulated phishing campaigns, try to move your security awareness training program to an at least monthly cadence. Your risk managers will love you for it.