How Often Should Employees Go Through Security Awareness Training?

If you’re waiting until that magic moment after you’ve handed over a couple million dollars to a cybercriminal peddling ransomware to actually launch security awareness training, we’re not sure we can be friends.

Okay, we’ll consider investing in the BFF necklaces, but only if you’re prepared to be proactive and on the offensive by building a culture of security awareness. This means delivering training on best practices more than once every few years or when someone “accidentally” clicks a “totally legit” link—and you’ve got to make it part of your new-hire onboarding, too.

But if you’re asking yourself how often you should run a phishing simulation or send out videos with security tips, the truth is that no two security professionals can agree on the best type of content or style of security training, let alone frequency.

Although there’s no silver bullet on best practices, here’s what we think.

Deliver training just in time

Most organizations commit to one yearly security awareness training program at the very least, but many are shifting to the overkill of monthly training. If your training is too frequent, it’s hard to be effective because employees are inevitably going to feel like it’s too much too often.

Learn the steps to build an amazing security awareness program in the guide >>

And then there are companies that are doing “just in time” training. This usually happens when something major shows up in the news—Mega Corporation Pays Millions in Ransomware Attack!—and everyone starts wondering, “Are we next?” The problem with “just in time” training is that it’s really difficult to strategize, plan, and execute effectively.

Whatever your strategy, start by lining up solid annual training that covers major employee security pain points, including phishing, public Wi-Fi, passwords, and so on. Then, set up an ambassador program to keep the training alive and present across departments. A healthy crop of active ambassadors will free you up to focus on future training and strategizing how to keep the culture of security alive and well throughout the year and well into the future.

After you’ve got the basics in place, you can strategize how frequently to hold regular training and what exactly that looks like, whether you opt for hilarious, yet on-point, educational videos sent via email once a month or prefer to hold quarterly security sessions to talk about new threats and reinforce healthy habits.

Focus on your repeat responders

After your initial all-singing and all-dancing security awareness training, turn your sights toward more targeted training, such as a phishing simulation. Then, you can focus on specific populations, like repeat responders, and coaching them toward better habits.

Who are repeat responders? Repeat responders are people who respond to three or more phishing simulations within a six- to 12-month rolling window. Don’t think of these responders as “offenders”—they’re not offending anyone; they’re just responding to training, which is exactly what they’re supposed to be doing.

The beauty of repeat responders is that you don’t need to do anything with them. All you have to do is accept that there’s a learning curve and craft a strategy for helping repeat responders embrace better, more secure habits.

A note on healthcare workers

Did you know that HIPAA requires regular security awareness training, including for management? According to 45 C.F.R. § 164.308(a)(5)(i), a covered entity must “implement a security awareness and training program for all members of its workforce (including management).” And then there’s the requirement for “periodic security updates” in 45 C.F.R. § 164.308(a)(5)(ii)(A).

HIPAA doesn’t say how often these updates should occur, but monthly security updates seem to work well for most healthcare organizations, with additional security awareness training programs provided biannually.

Also, according to the Department of Health and Human Services’s Office for Civil Rights (OCR), documentation of training has to be provided—including any newsletters sent or updates issued—or the training doesn’t meet HIPAA requirements covered in 45 C.F.R. §§ 164.316(b) and 164.530(j).

If you’re working in the healthcare field with electronic private health information (ePHI), make sure you’ve spent plenty of time creating a strategy and created processes not only for regular training but also for keeping close tabs on your training.

Do what’s best for your organization

Security awareness training shouldn't feel like training—it should be embedded into your company’s culture. After you’ve launched a security awareness training program, it’s ultimately up to you to decide how frequently your employees should go through regular training.

It’s important to issue regular updates on how the training is impacting the company, repeat responders, and individual teams, but full-blown phishing simulations and training shouldn’t happen too regularly, or they’ll become inefficient.

Also, think about your company onboarding new employees and ask yourself:

Because hiring cycles vary and employees are constantly coming into the company, you’ve got to have comprehensive security training as part of onboarding, but also throughout the year and when new threats arise.

Not sure where to start? Download our Complete Security Awareness Program Plan & Strategy Guide to get started.

Put your awareness program on track with steps to build and manage an amazing security awareness program in this guide