Awareness is everything in cybersecurity — until it wears off

New research shows that cybersecurity training wears off after just six months.
28 September 2020
  • Security and phishing awareness programs wear off over time, with employees needing to be re-trained after around six months
  • Training should therefore be cyclical, with sessions repeated every six months, ideally using interactive or video reminder measures

One in 3,231 emails received in the US is a phishing attempt. It’s even more in the UK. Cyberattacks are constant, and regardless of sophisticated firewalls, threat detection systems, and more, everything can fall down — often irreparably — with a simple human error.

In fact, human oversight was ultimately the cause of 90% of cyber data breaches in 2019, according to CybSafe.

What this should tell business leaders is that education and awareness are the most effective defense against cyberattacks and that programs to ensure the workforce is vigilant should be a focus of cybersecurity resources.

Cybersecurity awareness is about more than just strong passwords; it’s about being savvy to emerging threats and being drilled in the correct procedures for mitigating them, so that staff become the first and strongest line of defense. From how to spot a social engineering attempt to guidelines for using VPNs, a culture of cybersecurity awareness won’t simply stick after one day, or even a week, of devoted training. It has to be refreshed and revitalized constantly.

A study by German universities of more than 400 employees at the State Office for Geoinformation and State Survey (SOGSS), released at the USENIX SOUPS security conference last week, found that the effect of phishing training dissipated over time without reinforcement.

During the study, SOGSS employees were tested at regular intervals to determine whether they would lose their ability to detect phishing emails.

Following the initial training, the research team found that while the employees partaking in the survey were able to correctly identify phishing emails after four months, this was not the case after six months and beyond.

The upshot is that cybersecurity training needs to be more frequent and cyclical to ensure that phishing awareness — and broadly all security awareness training — is always at its most effective.

“People are very quick to fall into old habits, and so, constant reminders or nudges are very important,” said security awareness advocate at KnowBe4, Javvad Malik.

Following the results of the survey, the researchers went on to develop their own “reminder” measures to replenish employees’ phishing awareness and knowledge after they had taken part in the initial training.

The reminders were delivered six and 12 months after the initial training, using four different types of reminder measure: text, video, interactive examples, and a short text. Each measure was given to a different group of employees.

Researchers then compared the knowledge retention of the four reminder groups 12 months after the tutorial and found that among the four reminder measures, the video and interactive measures had performed best, with their impact lasting at least six months following their roll-out to employees.

“In many cases, it’s not that people aren’t aware of threats, it’s more a matter of ‘out of sight, out of mind’ – so having little but frequent reminders helps to keep threats at the forefront and remain more vigilant,” said Malik. “A bit like when driving, most people are aware of the speed limit on the roads and they have to be careful at intersections. However, we still have constant reminders on the road reminding what the speed limit is, or to slow down near a school, or a sharp bend.”

While training employees to detect phishing emails may help organizations fend off some attacks, the training needs to be regular and ongoing, reinforced, and updated at least every six months using interactive training approaches.

“Like any behavior, being a more secure employee requires an ongoing effort – if organizations only put employees through security awareness training once a year with a PowerPoint, they are adding little value, if any,” added Malik.

As many companies continue to battle against cyberthreats amid an uncertain pandemic-filled future, making full use of any investment in cybersecurity is paramount.

Regular training not only equips employees with know-how but strengthens what could be either the best line of defense or the most vulnerable link in the chain.