June 08, 2022

Persistent Training vs Overkill

Security awareness training is emerging as a must-have on every HR department’s training schedule. However, some organisations are having trouble deciding how to approach this type of training, both in terms of its nature and its frequency. And as the threat of phishing attacks continues to increase, the buzzword in security awareness training circles is ‘Persistent Training’.

How persistent does persistent training have to be?

First, let’s define the term: Persistent training does not merely refer to regular training and repetition of the subject matter. Rather, it refers to an ongoing process of learning, testing, and then further learning. It also implies that training is not reserved for specific and dedicated training slots, but is integrated into the everyday work routine. Indeed, online training modules allow users to work at their own pace (within the overall timeframe), while automated simulated attacks are scheduled randomly, to train users to expect them at any time.

At CYBERAWARE SECURITY, our persistent training model is based on a clear cycle that has four phases:

  1. Education through training modules for all levels
  2. Reinforcement by practising the learned material through simulated attacks
  3. Recording of test results collected from both training module quizzes and simulated attacks
  4. Reporting to determine which direction the next training modules should take

A well-developed persistent training programme will be broken down into bite-sized learning material, making it easier to fit into the average work schedule, rather than interrupting it for a whole day dedicated to passive presentations delivered at long intervals. Ideally, the programme will involve graduated learning material, which becomes deeper and more detailed as users advance.

Too much training?

Yes, it is possible to take training to the extreme, in which case it becomes counterproductive. Like any form of training, the key to success is to ensure that users perceive it as helpful, necessary, beneficial to them personally as well as to the company, and – wherever possible – fun. What you are after here is baby steps, regular baby steps that form new habits in a natural way. What you do NOT want is to add more pressure on the employees, whether by underlining any failures or disrupting their workflow.

Within this context it is crucial to create an environment that is not judgemental. On the contrary, training must be carried out in a spirit of cooperation and appreciation. Participants should understand that their mistakes and ‘failures’ will actually be helpful in planning the next training cycle as well as in developing the company’s security policies and best practices. 

The value of teamwork in any organisation is undisputed, and collective effort is just as crucial when it comes to data security. It is widely recognised that users are the weakest link in the chain of data security. But that also means that raising their level of security awareness is your greatest weapon against a potential breach. By getting the quality, intensity and frequency of your security awareness programme right, you can ensure compliance with data security regulations while minimising the risk of a damaging attack.