
How Often Should My Employees Complete Security Awareness Training?

When it comes to training employees on security awareness, most companies ask themselves one question: how often should training occur? The fact of the matter is that there is no single answer. Each company needs to decide how often to train based on a number of factors, not least its industry, the threats it faces and the size of its workforce.

In some industries where the threat level is low, training may be delivered only once a year, or even less frequently than that. In industries that face heightened threats, such as healthcare, training needs to occur more regularly, perhaps twice a year at a minimum. The same may be true for companies in highly regulated industries such as financial services and banking, where training may need to occur more often to satisfy regulatory expectations.

For very small businesses with only a handful of employees, training can typically be delivered once a year or even less frequently. In these cases, security awareness training is usually combined with training on other security controls, such as patching software and applying the latest updates from vendors.

In larger businesses, however, it is advisable to deliver training at least twice a year (typically separated by the summer and winter holidays) to all employees, regardless of their role in the business or how long they have been employed there. The reasoning behind this approach is that after an initial training course, an employee's knowledge starts to degrade over time unless it is reinforced throughout the rest of the year. This training should include refresher material as well as coverage of new threats and vulnerabilities that have emerged since the initial training was delivered.

Temporary employees need to be trained at least once every six months. If a person is going to be working for the business for a shorter period, such as on a contract or as a consultant, the company should consider the length of that engagement and adjust the security awareness training schedule accordingly. Where training occurs only once every six months, the organization also needs to keep records showing when each person completed it.

Such records not only demonstrate due diligence but can also help companies build stronger relationships with third-party security consultants by showing how seriously they take training. In fact, training should be viewed as a fundamental part of any relationship with a third-party security consultant or other external individual or company that you rely on for services such as penetration testing.

In these cases training needs to occur at least twice a year: once before the person starts work and once before he or she leaves. Training people in this way helps ensure that they understand not only what they need to do but also why they need to perform the tasks required by their role within the company's information security program. This type of training not only helps keep your business safe from internal and external threats, but it also limits your exposure to risk if regulators later discover that training was not completed in a timely manner.

If your training program is in need of a serious refresh, or if training has not been a focus for your company, then talk to the experts at ThrottleNet today. They can help you design training courses that match your business's needs and objectives, and deliver those courses both onsite and online.
