How Often Should You Train for Phishing?
As the human factor in cyber-attacks persists, phishing training becomes vital to an organization's cybersecurity strategy. Phishing training helps to counteract the human-centric cyber-attacks that account for 82% of data breaches, as identified in research from Verizon in their Data Breach Investigation Report (DBIR).
You may have heard of a proverb: "Tell me and I forget, teach me and I may remember, involve me and I learn." This adage sums up how important it is to involve employees in training so that the learning experience sticks. However, a question regularly asked when considering investing in phishing training is, "How often should you train employees on phishing?" A recent study from TitanHQ, "2023 Automated Phishing Simulation Success Report," offers some insights into this question and how automation can help with regular phishing training.
Why is Regular Phishing Training Essential?
Research shows that 96% of data breaches start with a phishing email. However, the tactics used to deliver malicious emails and the methods used to deceive employees constantly evolve. This change in phishing methodology makes regular phishing training for employees essential. Cybercriminals adapt to the changing technology environment to evade detection and make their phishing campaigns successful. To put these sophisticated tactics into context, in the FBI's IC3 data for 2022, 38% of complaints were related to phishing. As phishing tactics change and volumes increase, our approach to phishing must evolve with those changes; this is why regular phishing training is essential.
How Often Should Employees be Trained on Phishing?
Unfortunately, 79% of employees engage in risky security behaviors, so security awareness education must be used to counteract this behavior. Employees must be trained to understand the subtleties of phishing and how to react when confronted with a potential phishing email. Phishing training uses simulated phishing: campaigns that reflect real-world phishing threats are sent to employees to train them to identify phishing emails and texts. Other security awareness training uses techniques such as interactive videos and quizzes to teach employees about many security-related issues, such as password sharing and safe internet browsing.
How often to train is the big question: every three months, every six months, once a year? USENIX has researched how often employee phishing training should be carried out. The USENIX report "An investigation of phishing awareness and education over time: When and how to best remind users" found that the effect of employees' initial training lasted around four months; after six months, employees could no longer spot phishing emails. This baseline suggests that regular phishing training should be carried out at least every 4-6 months to optimize its effectiveness.
A related question to how often you should train employees on phishing is, "How can this repeated training be automated?"
How to Benchmark Your Phishing Training Effectiveness
The TitanHQ study, "2023 Automated Phishing Simulation Success Report," looked at how to apply metrics to test the efficacy of phishing training; these metrics can then help to optimize automated training sessions.
The TitanHQ study was based on industry scoring standards for PVP (Phish Vulnerable Percentage) and SPR (SMSish Prone Risk). These scoring standards provide insight into the effectiveness of phishing training, making sure that repeated training builds upon previous campaigns to optimize employee phishing awareness. By optimizing phishing training, updated tactics used by phishers can be woven into the regular exercise, keeping employees up to date with the latest tactics.
Understanding where your company fits in terms of the average PVP and SPR will show how your company progresses and what areas you need to focus on to improve phishing awareness. A company benchmark for PVP and SPR is mapped against industry average baselines across sectors, sizes, and geographies. An example of some of the results from the TitanHQ report shows the effectiveness of phishing training by organization size:
This chart captures the metrics of a phishing simulation training campaign using the TitanHQ SafeTitan automated phishing simulation platform. The results show the phishing susceptibility (PVP and SPR) by organization size before phishing training begins and after a year of training. Across companies of all sizes, PVP was above 29% at the start, with smaller organizations having a higher PVP at around 45%. However, after a year of regular phishing simulation campaigns, the PVP of organizations of all sizes dropped by at least 90%, with the average drop in PVP being 92%.
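To make the cadence finding and the PVP/SPR benchmarking concrete, here is an added example (not TitanHQ or SafeTitan code) that computes per-campaign PVP and SPR from constructed simulation results, the percentage drop between the first and latest campaign, and which users are past the assumed 120-day (about four-month) retraining interval. It assumes PVP and SPR are the share of delivered email or SMS lures that recipients fell for.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not platform output: one row per delivered
# simulated message as (user, campaign date, channel, fell_for).
# "email" rows feed PVP, "sms" rows feed SPR; fell_for is True when the
# recipient clicked the lure or submitted credentials.
RESULTS = [
    ("alice", "2023-01-10", "email", True),
    ("bob",   "2023-01-10", "email", False),
    ("carol", "2023-01-10", "email", True),
    ("erin",  "2023-01-10", "email", True),
    ("dave",  "2023-01-10", "sms",   True),
    ("alice", "2023-04-12", "email", False),
    ("bob",   "2023-04-12", "email", False),
    ("carol", "2023-04-12", "email", True),
    ("dave",  "2023-04-12", "sms",   False),
]

def vulnerability_rate(rows, channel):
    """Assumed PVP/SPR definition: percentage of delivered messages on one
    channel that recipients fell for (0.0 when nothing was delivered)."""
    delivered = [r for r in rows if r[2] == channel]
    if not delivered:
        return 0.0
    return 100.0 * sum(1 for r in delivered if r[3]) / len(delivered)

def campaign_rates(rows):
    """Map each campaign date (ISO string) to (PVP, SPR), in date order."""
    by_date = defaultdict(list)
    for r in rows:
        by_date[r[1]].append(r)
    return {d: (vulnerability_rate(v, "email"), vulnerability_rate(v, "sms"))
            for d, v in sorted(by_date.items())}

def percent_drop(first, last):
    """Relative reduction from the first campaign to the latest one."""
    return 0.0 if first == 0 else 100.0 * (first - last) / first

def retraining_due(rows, today, interval_days=120):
    """Users whose most recent simulation is older than the interval
    (120 days approximates the four-month retention horizon cited above)."""
    today = date.fromisoformat(today)
    last = {}
    for user, when, _, _ in rows:
        when = date.fromisoformat(when)
        if user not in last or when > last[user]:
            last[user] = when
    return sorted(u for u, d in last.items() if (today - d).days > interval_days)
```

Feeding real platform exports into RESULTS lets you track the drop in PVP campaign by campaign and schedule the next round before the four-month mark.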
Using Automation to Optimize Regular Phishing Training
To improve the PVP score, a company can use methods and strategies, such as automation, to create tailored and effective phishing simulation campaigns. Automation works alongside behavior-led phishing training. Phishing simulation platforms that offer automated phishing training generate repeated simulated phishing campaigns with no user intervention, and these campaigns can be automatically tailored using benchmark standards such as PVP results. Components such as automated scheduling calendars are part of a phishing simulation platform and are used to schedule preconfigured campaigns, delivering simulated phishing emails at regular intervals to train employees; the process saves time and money while ensuring the delivery of regular training campaigns to improve PVP scores. Advanced phishing simulation platforms, like SafeTitan, use AI to tailor the simulated phishing program using benchmark data to improve effectiveness as the regular sessions unfold. This is why SafeTitan has such a high success rate in reducing employee phishing vulnerability.
How Does SafeTitan Help to Train Employees Regularly?
SafeTitan is designed to deliver regular phishing simulation campaigns tailored to reflect the evolving phishing landscape. Using benchmark data such as PVP and SPR, these campaigns can be increasingly optimized to ensure employees become more adept at spotting phishing tricks. Using preconfigured templates representing the latest phishing tactics and campaign automation makes deploying regular simulated phishing campaigns easier but still highly effective. This significantly reduces the overheads for an MSP or in-house IT or security administrator. SafeTitan automation of simulated phishing planning and scheduling allows an MSP or organization to:
- Select the number of campaigns they wish to run each quarter.
- Select response training messages that give immediate training to the responder.
- Deliver further reactive training in video or interactive training formats.
Talk to TitanHQ experts about how to use automation to deliver effective phishing training.
Read the full TitanHQ 2023 Automated Phishing Simulation Success Report to learn how to improve your PVP and SPR.
Jennifer Marsh