{"id":9847,"date":"2024-04-02T06:53:50","date_gmt":"2024-04-02T10:53:50","guid":{"rendered":"https:\/\/joindeleteme.com\/?p=9847"},"modified":"2024-06-12T15:50:43","modified_gmt":"2024-06-12T19:50:43","slug":"how-often-should-security-awareness-training-be-conducted","status":"publish","type":"b2b-post","link":"https:\/\/joindeleteme.com\/business\/blog\/how-often-should-security-awareness-training-be-conducted\/","title":{"rendered":"How Often Should Security Awareness Training Be Conducted\u00a0"},"content":{"rendered":"\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#how-often-should-security-awareness-training-be-conducted\">How Often Should Security Awareness Training Be Conducted?\u00a0<\/a><\/li><li><a href=\"#can-you-have-too-much-security-training\">Can You Have Too Much Security Training?\u00a0<\/a><\/li><li><a href=\"#security-training-is-important-but-not-something-you-can-rely-on-100\">Security Training Is Important, But Not Something You Can Rely On 100%\u00a0<\/a><\/li><li><a href=\"#reducing-the-risk-of-personal-information-attacks\">Reducing the Risk of Personal Information Attacks<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<p>The simple answer to \u201cHow often should security awareness training be conducted?\u201d is: At least twice a year.&nbsp;<\/p>\n\n\n\n<p>For a more granular answer (including why yearly training is insufficient and whether there\u2019s such a thing as \u201ctoo much\u201d training), read the guide below.&nbsp;<\/p>\n\n\n\n<p>We also explain why security awareness training alone is not enough and what other steps organizations can take to prevent employees from falling for spear phishing and other attacks.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-often-should-security-awareness-training-be-conducted\">How Often Should Security Awareness Training Be Conducted?&nbsp;<\/h2>\n\n\n\n<p>As a basic guideline, security awareness training should be 
conducted at least every <a href=\"https:\/\/www.isaca.org\/resources\/isaca-journal\/issues\/2023\/volume-2\/considerations-for-developing-cybersecurity-awareness-training\" target=\"_blank\" rel=\"noreferrer noopener\">4 to 6 months<\/a>, according to ISACA, an association focused on IT governance.&nbsp;<\/p>\n\n\n\n<p>Studies have found that employees continue to retain the ability to recognize phishing attempts four months after training, but after six months, they begin to forget what they\u2019ve learned.<\/p>\n\n\n\n<p>After the 6 to 8-month window passes, employees\u2019 skills are <a href=\"https:\/\/www.usenix.org\/system\/files\/soups2020-reinheimer_0.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">no longer much better<\/a> than before the training.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"166\" src=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/pasted-image-0-53.png\" alt=\"Reddit awareness training post - awareness training is like going to the gym \" class=\"wp-image-9848\" srcset=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/pasted-image-0-53.png 770w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/pasted-image-0-53-300x65.png 300w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/pasted-image-0-53-768x166.png 768w\" sizes=\"(max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<p>Inside of the 4 to 6-month window, the exact frequency that will best suit your organization will depend on factors like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Size of your organization<\/li>\n\n\n\n<li>Complexity of your organization<\/li>\n\n\n\n<li>Compliance requirements<\/li>\n\n\n\n<li>Level of risk you face.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>In any case, yearly training is not enough. 
Security awareness training should take place at least twice a year.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"can-you-have-too-much-security-training\">Can You Have Too Much Security Training?&nbsp;<\/h2>\n\n\n\n<p>Some experts believe you can have too much security training.&nbsp;<\/p>\n\n\n\n<p>For example, employees who are overtrained in spotting spear phishing may lose productivity, according to Zinaida Benenson of the IT Security Infrastructures Lab at the University of Erlangen-Nuremberg, as per <a href=\"https:\/\/www.csoonline.com\/article\/557879\/awareness-training-how-much-is-too-much.html\" target=\"_blank\" rel=\"noreferrer noopener\">a CSOOnline article<\/a>.&nbsp;<\/p>\n\n\n\n<p>She says, \u201cPeople\u2019s work effectiveness may decrease, as they will have to be suspicious of practically every message they receive.\u201d&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"432\" height=\"171\" src=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/pasted-image-0-54.png\" alt=\"Twitter\/X post - IT email reported as phishing \" class=\"wp-image-9849\" srcset=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/pasted-image-0-54.png 432w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/pasted-image-0-54-300x119.png 300w\" sizes=\"(max-width: 432px) 100vw, 432px\" \/><\/figure>\n\n\n\n<p>Not everyone agrees, though.&nbsp;<\/p>\n\n\n\n<p>Kevin Mitnick, once the world\u2019s foremost hacker and now the head of Mitnick Security Consulting, strongly disagrees with that viewpoint.&nbsp;<\/p>\n\n\n\n<p>\u201cThat would be like saying wearing a seat belt takes away the enjoyment of driving. Or locking your car makes people drive poorly. You wouldn\u2019t blame the manufacturer if someone left his keys in the car and a thief drove off with the vehicle. 
The driver would be responsible,\u201d he says.&nbsp;<\/p>\n\n\n\n<p>The level of suspicion that you want your employees to apply during their daily work will depend on your organization and your data security needs.&nbsp;<\/p>\n\n\n\n<p>Lance Spitzner, director of SANS Securing the Human, pointed out the need for balance.&nbsp;<\/p>\n\n\n\n<p>\u201cNot enough [suspicion] and bad guys get through. Too much and definitely trust and the ability to work together breaks apart,\u201d he said.&nbsp;<\/p>\n\n\n\n<p>As a rule of thumb, stick to whatever feels appropriate for your organization when it comes to training frequency &#8211; but focus on teaching employees to be skeptical in the situations where extra scrutiny and distrust are essential, such as when someone sends them a link (even if it\u2019s someone they know) or when the company is going through a time of change or a significant financial event, like a <a href=\"https:\/\/www.zdnet.com\/article\/fbi-ransomware-groups-tying-attacks-to-significant-financial-events\/\" target=\"_blank\" rel=\"noreferrer noopener\">merger and acquisition<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"security-training-is-important-but-not-something-you-can-rely-on-100\">Security Training Is Important, But Not Something You Can Rely On 100%&nbsp;<\/h2>\n\n\n\n<p>While training is important, it should be just one of many tools in your utility belt to stop data breaches and other security incidents.&nbsp;<\/p>\n\n\n\n<p>Even after receiving security awareness training, <a href=\"https:\/\/www.keeper.io\/hubfs\/Workplace-Password-Malpractice-Report-2021.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">44% of respondents<\/a> in one survey admitted to reusing passwords across accounts and devices. 
Another survey found that only <a href=\"https:\/\/www.lastpass.com\/resources\/ebook\/psychology-of-passwords-2021\" target=\"_blank\" rel=\"noreferrer noopener\">45% of people<\/a> change their passwords after data breaches occur.<\/p>\n\n\n\n<p>People make mistakes, and they will keep making them out of habit.<\/p>\n\n\n\n<p>Cybercriminals know this, too. <a href=\"https:\/\/inquest.net\/wp-content\/uploads\/2023-data-breach-investigations-report-dbir.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">74% of all data breaches<\/a> involve humans in some capacity, illustrating how easy it is for bad actors to get login credentials and how effective targeted spear phishing attacks can be.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"reducing-the-risk-of-personal-information-attacks\">Reducing the Risk of Personal Information Attacks<\/h2>\n\n\n\n<p>To improve their chances of success, criminals are increasingly researching their targets.&nbsp;<\/p>\n\n\n\n<p>They use the information they find online to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Personalize their phishing campaigns.&nbsp;<\/li>\n\n\n\n<li>Impersonate executives and other employees in business email compromise attacks to trick victims into sharing sensitive information or clicking on malicious files.<\/li>\n\n\n\n<li>Guess passwords and security questions to corporate accounts.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>In addition to offering regular security awareness training programs, it\u2019s essential to give employees guidance on how to reduce their online footprint. 
Doing so will shrink the amount of information about them online, making it more difficult for criminals to execute the kind of personalized attacks mentioned above.&nbsp;<\/p>\n\n\n\n<p>Consider educating employees on the importance of changing social media settings from public to private, limiting the amount of information they share on websites and forums, and opting out of data brokers.<\/p>\n\n\n\n<p>Data brokers, in particular, represent a major vulnerability when it comes to employee data security. They are companies that collect public information about people and then sell this information to anyone willing to pay a small fee.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"880\" height=\"1024\" src=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/databrokerprofile-1-880x1024.png\" alt=\"Data broker profile \" class=\"wp-image-9850\" style=\"width:468px;height:auto\" srcset=\"https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/databrokerprofile-1-880x1024.png 880w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/databrokerprofile-1-258x300.png 258w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/databrokerprofile-1-768x894.png 768w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/databrokerprofile-1-1319x1536.png 1319w, https:\/\/joindeleteme.com\/wp-content\/uploads\/2024\/04\/databrokerprofile-1.png 1364w\" sizes=\"(max-width: 880px) 100vw, 880px\" \/><\/figure>\n\n\n\n<p>By obtaining data broker profiles (whether through buying them or <a href=\"https:\/\/cybernews.com\/privacy\/top-data-broker-breaches\/\" target=\"_blank\" rel=\"noreferrer noopener\">hacking data broker databases<\/a>), criminals can (<a href=\"https:\/\/www.varonis.com\/blog\/contileaks\" target=\"_blank\" rel=\"noreferrer noopener\">and do<\/a>) find a significant amount of information about employees in your organization. 
This can include data on their family (criminals now send phishing messages to <a href=\"https:\/\/blog.cloudflare.com\/2022-07-sms-phishing-attacks\" target=\"_blank\" rel=\"noreferrer noopener\">employees\u2019 family members<\/a>) and who they report to within their organization (crucial for BEC attacks).&nbsp;<\/p>\n\n\n\n<p>It is possible to opt out of data brokers, but employees will need to opt out of every data broker manually. They&#8217;ll also need to be diligent and repeat the process with the same data brokers whenever their profiles are reactivated (which occurs when new data is found online).&nbsp;<\/p>\n\n\n\n<p>A better solution is for organizations to subscribe their employees to a <a href=\"https:\/\/business.joindeleteme.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">data broker removal service such as DeleteMe<\/a>, which can handle the data broker opt-out process on employees\u2019 behalf.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The simple answer to \u201cHow often should security awareness training be conducted?\u201d is: At least twice a year.&nbsp; For a more granular answer (including why yearly training is insufficient and whether there\u2019s such a thing as \u201ctoo much\u201d training), read the guide below.&nbsp; We also explain why security awareness training alone is not enough and 
[&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":9851,"menu_order":0,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"b2b-category":[45],"class_list":["post-9847","b2b-post","type-b2b-post","status-publish","format-standard","has-post-thumbnail","hentry","b2b-category-resources"],"acf":[],"_links":{"self":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post\/9847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post"}],"about":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/types\/b2b-post"}],"author":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/users\/14"}],"version-history":[{"count":0,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post\/9847\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/media\/9851"}],"wp:attachment":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/media?parent=9847"}],"wp:term":[{"taxonomy":"b2b-category","embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-category?post=9847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}