  • Zack Davis

Training Employees Not to Engage in Phishing Scams


You've completed your phishing training at the beginning of your work year. It's already a refresher of previous trainings you and your staff have taken. Hopefully, these trainings will keep your company secure.


Unfortunately, six months later, someone clicks a phishing link, and now you must deal with a security breach on your server. You wonder why you seem to need to train on the same information every year, yet still suffer security incidents. The problem is that you're not training your employees often enough.


People can't change their behavior if training isn't reinforced, and they can easily forget what they've learned once several months go by. The importance of an issue is emphasized by the reminders and training refreshers employees receive.


So, how often is often enough to improve your team's cybersecurity awareness? It turns out that training every four months is the "sweet spot." That is the interval at which you see more consistent results in your IT security.


The Four-Month Training Schedule

So, where does this four-month recommendation come from? A study presented recently at the USENIX SOUPS security conference compared users' ability to detect phishing emails against how long it had been since their phishing awareness and IT security training.


Employees took phishing identification tests at several different intervals after training:

  • 4 months

  • 6 months

  • 8 months

  • 10 months

  • 12 months

The study found that four months after their training, scores were still strong: employees were still able to accurately identify and avoid clicking on phishing emails. But past the 6-month mark, their scores started to decline, and they continued to decline the more months that passed after the initial training.

To keep employees well prepared, they need regular security awareness training and refreshers. This helps them act as a positive agent in your cybersecurity strategy.


What Cybersecurity Training Should Look Like

The gold standard for cybersecurity training is to develop a cyber-secure culture, one in which everyone is aware of the need to protect sensitive data. This covers a whole range of positive behaviors, including password maintenance, the ability to spot phishing scams, and more.


According to the 2021 Sophos Threat Report, this is not the case in most organizations. One of the biggest threats to network security is a lack of good security practices.

The report includes the following:

“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we've investigated.”


Well-trained employees significantly reduce a company's risk of falling victim to any number of different online attacks. Law firms, for instance, house a large amount of sensitive information. With employees standing guard over technology practices, it is more difficult for hackers to gain access to that important data and hold it for ransom.


Here are some examples of engaging ways to train employees on cybersecurity that you can include in your training plan:

  • Self-service videos that get emailed once per month

  • Team-based roundtable discussions

  • Security “Tip of the Week” via email or newsletters

  • Training session given by an IT professional

  • Simulated phishing tests

  • Cybersecurity posters in your office space

  • Celebrate Cybersecurity Awareness Month in October

When conducting training, phishing is a big topic to cover, but it's not the only one. Here are some important topics to include in your mix of awareness training.


Phishing via Email, Text & Social Media

Email phishing is still the most prevalent form, but SMS phishing ("smishing") and phishing over social media are both growing. Employees must be able to recognize phishing on every channel so they can stand guard against it.


Credential & Password Security

Many businesses have moved most of their data and processes to cloud-based platforms. This has led to a steep increase in credential theft, because stolen credentials are the easiest way to gain access to a company's cloud.


Credential theft is now the #1 cause of data breaches globally, which makes it a critical topic to address with your team. Discuss the need to create secure passwords, change them frequently, and use multi-factor verification.


Securing Your Mobile Device

Mobile devices now carry a large part of the workload, even in the office. They're handy for reading and replying to email from anywhere, and most companies won't even consider buying new software if it can't be used on a mobile device.


Review the security requirements for employee devices that access business data and apps, such as securing the phone with a passcode and keeping it properly updated.


Data Security

Data privacy regulations have also been multiplying over the years, and most companies now have more than one data privacy regulation to comply with.


Train employees on proper data handling and security procedures. This reduces the risk that you'll fall victim to a data leak or breach that ends in a costly compliance penalty.


Need Help Teaching Your Staff about Cybersecurity?

Reach out to us with questions about building a great training program for staff in order to keep security protocols strong!
