
Annual Cybersecurity Training vs. Year-Round Cyber Security Awareness: Which is Better?

August 21, 2023
Posted by Andre Marion

I have worked for not one, but three Fortune 500 companies, and the approach to cybersecurity training is typically as follows:

  • Get a bunch of unwilling people in a room.
  • Have them sit through an insufferable PowerPoint presentation straight out of the '90s for hours.
  • An unfortunate fellow employee, designated by management, clicks forward through the ppt, skipping many essential parts with: "Y'all already know this, right?"
  • Coffee break to catch up with friends from other departments.
  • Fill out some forms stating that you've participated in this fantastic up-to-date training and are now a cybersecurity specialist.
  • Rinse, and repeat next year.

Once the training is over, you drag yourself back to the office, and by the time you've sat down, it feels like half of all that information is GONE!

A Snapshot of Traditional Cybersecurity Training

This is how employee training is usually delivered in the corporate universe: organizations carve out a designated period once a year, during which employees are ushered through a series of presentations, workshops, or even online courses.

Annual cybersecurity training aims to educate employees about the latest cyber threats and equip them with the necessary knowledge to counter these risks.

Traditionally, the training will cover a wide array of security topics, from phishing scams and malware to more sophisticated threats like ransomware. It should also delve into various best practices for password management, secure browsing, sensitive data handling, etc.

While having its merits, this approach also has significant drawbacks, most noticeably its static nature.

Employees tend to leave these training sessions with a false sense of competence, believing they are ready to perform their tasks while diligently protecting the company. 

Well, suffice it to say that their belief is far from reality, and criminals are eager to test them.

Remember: Cyber threats evolve rapidly, and hackers always find innovative ways to exploit vulnerabilities. Training material that was up-to-date at the beginning of the year might be obsolete within months. This volatility puts not only employees but the entire organization at risk.

The Challenge with Retention

The key hurdle with traditional, annual cybersecurity training is the human brain's limited capacity to retain vast amounts of information. Cognitive psychology and neuroscience constantly remind us of this constraint.

This phenomenon is referred to as "the forgetting curve" and was demonstrated by German psychologist Hermann Ebbinghaus, who found that a significant amount of newly learned information is forgotten within just a few days unless the learner actively reviews the material.

In the context of cybersecurity, this means employees are likely to forget a good deal of their annual training long before the year is out.

In addition, different individuals absorb and retain information at varying paces, which the non-recurring nature of annual training doesn't account for. Some employees may need more time or repetitions to fully understand a concept and commit it to memory. Without the flexibility to cater to these individual learning needs, the efficacy of the training is likely compromised.

Taken together, these factors show that the annual cybersecurity training/workshop model needs to be revised: it lacks the frequency and flexibility needed to ensure effective long-term retention and application of cybersecurity knowledge.

The Case for Year-Round Cyber Security Awareness

Contrary to annual training, year-round awareness fosters consistent engagement and learning, making it a more dynamic and effective approach. Here's why:

  1. Allows for regular reinforcement of critical cybersecurity concepts, applying the "spaced repetition" principle to combat the "forgetting curve."
  2. Employs diverse learning formats such as videos, quizzes, newsletters, or bite-sized articles, catering to different learning styles.
  3. Keeps pace with the dynamic nature of cyber threats, ensuring employees have the most current knowledge at their fingertips.

In essence, a year-round approach nurtures a proactive security culture. By keeping cybersecurity top of mind, it helps employees become active participants in the organization's security framework, resulting in heightened vigilance, better threat detection, and quicker response times.

It's all about conditioning employees to respond to cyber threats and cultivating an environment where cybersecurity becomes second nature.

The Advantages of Constant Engagement

Continuous engagement in cybersecurity, through channels like the Aware Force e-newsletter, offers a wide array of advantages, especially compared to traditional one-time training sessions. Here are some of the key benefits:

  • Adaptive Learning: Year-round awareness initiatives adapt to the changing landscape of cyber threats, ensuring employees are always up to date.
  • Better Retention: Regular exposure to cybersecurity information promotes long-term retention of knowledge and best practices.
  • Engaging and Interactive: Diverse content formats, from videos to quizzes, keep the learning process engaging, promoting active participation.
  • Culture of Security: Constant engagement fosters a culture of security within the organization, turning employees into proactive defenders of corporate data.
  • Prompt Response to Threats: Regular reminders and updates enable quicker recognition of threats and rapid response, minimizing potential damage.

So, which option should you pick?

Whether to conduct an annual cybersecurity training or facilitate year-round awareness doesn't need to be a binary choice. Combining the strengths of both is likely to be the best way to equip employees with the knowledge they need to protect themselves, the organization, and their families.

Again, the yearly workshop is valuable, as it provides a structured opportunity to dive deep into key cybersecurity concepts. At the same time, year-round awareness continuously reinforces this knowledge, keeping it fresh and relevant.

We have the perfect solution if you’re considering taking cybersecurity to a whole new level within your organization.

Engage your employees in cybersecurity all year long with content branded for your company from Aware Force. Check our Cybersecurity Newsletter page to know more or connect with us, and you'll see why organizations across the US and Canada use outstanding cybersecurity content — branded for them — and delivered by Aware Force.
