According to experts, the best measure against phishing attacks is to increase your employees’ cybersecurity awareness. The best method to achieve this is cybersecurity awareness training, which usually consists of phishing simulations and regular briefings for employees. However, the effect of this training depends on the employee’s willingness to learn. Recent research suggests that companies should provide their employees with cybersecurity training at least every six months. But how can the impact of phishing training on employees be measured?
How To Measure The Impact of Phishing Training on Employees?
In a study conducted on approximately 400 employees last year, significant results were obtained regarding the impact of phishing training on employees. Earlier studies have shown that employees’ awareness generally increases after training but decreases over time; they did not reveal how long the impact of phishing training on employees lasts. The new study discussed here shows clearly how long the effects of the training last.
The study ran for a year. During this period, the experts periodically asked employees to examine various e-mails and decide whether each one was a phishing e-mail. According to the results, employees could successfully detect attacks in the 4 months following the training, but after 6 months their success rate drops.
Details Of The Study:
In summary, at the beginning of the process the experts describe the threats the company faces, the attack rates, and the forms of attack seen in recent years. Employees get the chance to examine example e-mails with fake sites and malicious attachments. IT experts provide information about the ransomware and phishing attempts that have hit the company in the past. Afterward, the experts cover measures such as the use of strong passwords. At the end of the training, employees take a test on creating strong passwords for themselves.
The training covers the attack methods that usually concern the company. Most of the training is about malicious e-mails, although SMS (smishing) and phone (vishing) attacks are briefly mentioned. The study results exclude a few employees who had a very high failure rate or did not take the training seriously.
The results of the research do not seem to surprise experts. Although training is the best method against phishing, its effect is expected to decrease over time, because human habits are not easily changed. For a behavior to become permanent, it must be repeated frequently, and employees must act on the newly learned behavior.
How To Make The Impact of Phishing Training on Employees Last Longer?
According to the results of the study, interactive phishing training containing training videos is more effective.
It is also crucial to reuse the material presented in the training in these videos or interactive examples. Repeated use of information reinforces learning. However, when the examples contain new information or an unknown term, the training’s effect decreases. For this purpose, companies can send their employees videos that repeat the information taught in the training and run phishing tests as interactive exercises. The information covered in phishing awareness training should also be refreshed at least every 4 months.
So, Which Methods Increase The Impact of Phishing Training on Employees?
- Preparing training material beforehand and organizing regular training sessions.
- Testing employees with unannounced phishing simulations.
But the content of the messages and the timing of the simulation are critical. Many companies have been criticized in past years for conducting unethical phishing simulations, and research companies deem the results of such tests invalid.
In addition to the methods mentioned above, it is essential to build a shared phishing awareness across your company and to strengthen solidarity when fighting phishing attacks. You can use our threat intelligence tool for this. With it, you can quickly inform your employees of a possible risk and have them take precautions.
“This post is originally published at www.phishing.org.uk”