Phishing is becoming an ever-increasing problem. Our recent report, Fighting Phishing: The IT Leader's View, revealed that 84% of the organizations we surveyed last year were phishing victims. That represents a 15% increase from our 2021 survey: The real (and rising) risk of phishing.
Phishing is a widespread issue because it can be tough to spot – even the experts fall for phishing tricks. Training is an important tactic for protecting organizations from phishing breaches. It allows IT leaders to assess the organization's maturity regarding security awareness, and it teaches employees to detect and avoid phishing attacks within a safe environment.
However, training also has its limitations: it is time-consuming, disrupts productivity, and is easily forgotten.
To make anti-phishing training more effective and increase the chances of long-term success, we need to augment it with intelligent technology that engages users in real time.
How frequently is anti-phishing training carried out?
According to our recent report, 98% of companies surveyed conducted some form of cybersecurity training over the past 12 months. 55% of IT leaders indicate they carry out training a few times a year, while 38% train monthly. Although it is far from perfect, there are several benefits of this training: it helps to educate employees, meet compliance requirements, and keep customers' trust.
Our research also shows that 45% of our surveyed organizations changed their training supplier yearly. That suggests that many IT leaders are dissatisfied with their ability to prevent employees from falling for phishing attacks.
There are several potential reasons behind this dissatisfaction. On the one hand, the cybersecurity industry changes rapidly, suggesting that leaders must continuously look for a training supplier with newer, more relevant content. On the other, it could mean that many IT leaders don't believe that the training is working. Or, it could even mean that leaders are simply going with whichever option is cheaper at the time.
Regarding which type of training employees prefer, research by Lorman Education Services reveals that 80% of workers believe regular and frequent training is more important than formal workplace training. In addition, 91% want their training to be personalized and relevant.
Due to the way we remember information, regular, frequent training tends to be significantly more effective than longer, more formal training sessions.
We forget information at an exponential rate
Have you ever spent hours delivering a training session to your employees, only to watch them do the complete opposite of everything you've taught them a week later when it's time to put the lessons into practice?
It can be a hard pill to swallow after you've spent so much money on training, but the truth is that they've probably already forgotten most of what they've been told.
Hermann Ebbinghaus's 'Forgetting Curve' is a helpful visualization demonstrating how quickly we forget information.
His research revealed that the sharpest memory decline occurs in the first twenty minutes and that the decay remains significant through the first hour. The curve levels off after about one day.
There's a reason we're good at forgetting – it's strongly connected to the survival instinct humans developed long ago. The biological goal of our brain is not to preserve information but to help us make sound decisions.
In a 2017 research paper, The Persistence and Transience of Memory, Richards and Frankland observed that "simple memories that store the gist of our experiences and avoid complicated details will be better for generalizing to future events."
Unfortunately, while this may be a great survival instinct, it's not great for remembering information-dense training sessions that are not directly related to our survival.
The solution? Augment training with regular, light-touch moments
Instead of delivering irregular, information-dense sessions that people forget quickly, leaders should focus on offering regular, light-touch moments that ensure important information is always at the forefront of employees' minds. These are known as 'real-time teachable moments.'
These moments tend to be unplanned, and it is often up to management to sense when they should be delivered. The people the training is aimed at tend to be inherently more interested in the topic at hand because they can see its immediate application to the world around them. As a result, these moments are often significantly more successful.
Egress Defend offers these moments by catching phishing attacks, then educating people in real time through banners and coaching on why the email was flagged as dangerous. This information educates people in real time when it is most appropriate and makes them feel as if they are being supported instead of policed.
Given that these teachable moments can be delivered quickly and often, it's also much more likely that your employees will remember them.
Interested in augmenting your training efforts? Learn more about Egress Defend here.