According to a new report from cybersecurity company Fortinet, nearly 60% of organizational leadership thinks that just 3 hours a year of security training is enough to keep data safe. Yes, just 3 hours. In an entire year. This despite the fact that in the same survey, 84% of those same organizations experienced at least one breach in the past 12 months, with almost 30% experiencing 5 or more in the same timeframe! And within that group of victimized organizations, 81% of the attacks came from phishing, password stealing and malware, which, as we know, are overwhelmingly the result of successful social engineering (i.e., manipulation of human behavior). How can they not see the disconnect?
So what do the experts say?
If you Google the question “How often should we do cyber security training” the overall consensus seems to be 2 or 3 times a year. In other words, every 4-6 months. Many suggest even more often would be ideal. That suggestion has a lot to do with the fact that the threat landscape is constantly changing, and training needs to morph right alongside to reflect those changes. My guess is that to C-level staff, that all sounds pretty time-consuming. After all, employees ideally should be working, not having their time occupied by security training, right? Well, when it comes to the security of their organization’s private data, they’d be wise to remember that employees can be both their greatest asset and their greatest liability.
Lest we all forget
Last year I wrote about this topic and talked about the Forgetting Curve. German psychologist Hermann Ebbinghaus coined the term back in 1885 after discovering through his research that in as little as 20 minutes, 40% of what’s been learned has already been forgotten. In fact, he found humans tend to halve their memory of newly learned knowledge in just a matter of days or weeks. He also discovered – not surprisingly – that regularly spaced repetition of the same material over a period of time significantly increases the percentage of knowledge retained.
Interactive training wins the day
Another important part of Ebbinghaus’s research teaches us that how we learn something – including the method by which it is taught – plays a part in how well we remember it. This is where games and other forms of interactive, experiential cybersecurity training come into play. (No pun intended.) Studies show that the brain is 68% more engaged when you’re having fun. Multiple other studies show that the rate of retention from experiential learning lands anywhere between 75-90%.
More fun, more often
So, the secret to protecting your organization from a security breach appears to be this: train regularly and often, and make it hands-on and fun. The repetition keeps your staff on their toes, with what they learn (the very latest phishing tricks, for example) kept top of mind. And by making cybersecurity training enjoyable, staff may even look forward to it, thereby absorbing more of the material and retaining it for longer periods of time. Online games, interactive quizzes, friendly competitions and phishing simulations all take the pain out of otherwise dull training. And they might just keep those costly breaches at bay for one more day.