How Often Should You Do Cybersecurity Awareness Training?

Nick Bambulas

Can you remember the last time you had any cybersecurity training? Maybe it was when you were first hired. Or maybe it was sometime in the last year or two. Either way, it’s probably been a while.

Lots of us struggle to remember things that happened only a month ago, yet many organizations let months or even years go by between training sessions. If you want your employees to retain the cybersecurity tips that will help stop attacks, you need to train more often.

But how often?

The Right Training Cadence

How long can employees retain the information they’re taught in training? How often should you train so the effects don’t wear off?

We can find the answer in new research conducted by the Advanced Computing Systems Association (USENIX).

In the study, employees received security awareness training focused on phishing identification. They were then asked to identify phishing emails at various intervals, ranging from 4 to 12 months after the training.

The researchers learned that at 4 months after the initial training, employees were still easily able to spot phishing emails. After 6 months, though, employees began forgetting what they had learned.

The sweet spot for security training timing is every 4-6 months.

Although this study focused on phishing training in particular, the findings can apply to security training on a variety of topics.

The 2020 State of the Phish Report found that training frequency varies widely among organizations, with some only training yearly while others train as often as twice a month.


The key is to find the right cadence for your own employees. Use the 4- to 6-month timeframe as a starting point and test your employees regularly to see how well they recall their training. You might need to train more often at first. Then as your users perform better in testing, you can go longer between training sessions.


Regular Training Really Is Necessary

Security awareness training is a powerful tool for reducing the risk of damaging cyberattacks. Training lowers the chance of an incident like a data breach by 70%. Yet 62% of businesses don’t do enough cybersecurity awareness training.

The State of Email Security 2020 Report highlights some key reasons why security training should be a priority:

  • Ransomware causes 3 days of downtime on average
  • 51% of organizations were impacted by ransomware in the last year
  • 31% of organizations suffered data loss due to a lack of cyber resilience preparedness
  • 82% experienced downtime from a cyberattack
  • 60% were hit by an attack that spread from one infected user to others
  • 58% of companies saw phishing attacks increase

Despite all this, the same report found that more than half (55%) of organizations don’t provide awareness training on a frequent basis.

Think the cost and time spent on security training aren’t worth it at the end of the day? That couldn’t be more untrue.

The average total cost of a data breach for organizations under 500 employees is $2.64 million, according to IBM’s Cost of a Data Breach Report 2020. At that rate, you can’t afford NOT to train your employees.

Research has even revealed the actual ROI of security awareness training. On average, smaller organizations (under 1,000 employees) can enjoy an ROI of 69% from a training program. The ROI is even bigger for larger organizations (1,000+ employees) at 562%.

What Does Effective Training Look Like?

Great security training is a combination of the right information delivered in the right formats.

First, your training program needs to educate employees on a wide variety of potential threats. Security training needs to cover all the bases – not just how to recognize phishing attempts. It should also discuss topics such as:

  • Not oversharing work or personal information on social media
  • How to use public Wi-Fi safely
  • Why not to plug random USB drives into your PC
  • Proper password management
  • The importance of applying updates and patches

Second, you need to share this information in ways your employees will enjoy engaging with. Not many people are going to get excited about sitting through a pre-recorded PowerPoint lecture. Research backs this up.

A recent study tested the effectiveness of four different types of cybersecurity reminders sent to employees: a short written message, a longer written message, a video, and an interactive example. The video and interactive example were the most effective formats.

What studies are finding is that using humor and entertainment in the training process really boosts employees’ enthusiasm for learning. Nearly three in five (58%) of employees prefer training that includes a mix of serious and entertaining content. Only 33% prefer serious, matter-of-fact content.

Thankfully, security training providers have realized this and are offering lessons filled with humor, live demonstrations, and engaging storytelling. Mimecast in particular is making a name for itself with its funny video clips written by SNL writers and starring such amusing characters as Human Error and Sound Judgement.

If you’re ready to kick your employee training into gear, we can help you evaluate, select, and deploy the right training program for your organization.

More Resources

Awareness Training Program Best Practices (Mimecast)

Security Awareness Training Top 10 Best Practice Checklist (Mimecast)

The Psychology of Human Error (Tessian)
