Security Awareness Blog

Why Just One Year Just Isn't Enough

Sometimes I'm asked why an organization should continue to pursue awareness training year after year. After all, once people are trained, isn't that good enough? Unfortunately no, in so many ways. Think about it: if you kept your computers locked down and secure for just one year, could you stop securing them after that? Absolutely not; their security would quickly degrade. The HumanOS is no different, and here is why.

Your training should be aggressively updated at least once a year (we update our training twice a year at SANS). You would be amazed at how fast technology, attackers and the latest risks change. Over 60% of our training content changes every year, including new examples, key learning points or even new topics. Long story short, a good part of what your folks learned last year will most likely no longer apply this year.

The key to changing behaviors is reinforcement. By taking training every year, employees, contractors and staff are more likely to learn and understand key learning points and change behavior. For maximum impact, you should not only go beyond once a year but reinforce key learning points every month, and not only with videos or onsite training but with additional methods such as newsletters, posters, webcasts, or an internal blog. One suggestion is the free, monthly security awareness newsletter OUCH!

Most standards that require a security awareness program require it to be taught at least once a year, every year (some standards, such as FISMA or PCI DSS, require even more). In addition, standards are constantly evolving and changing. What you taught last year may be out of date or not applicable this year. By providing new training every year you can keep your organization current with the latest compliance requirements.

You need to have a long-term, continuous program, as people are always changing: new employees being hired, contractors brought on for temporary positions, or existing employees changing roles, which may require additional or different security training. Your organization is always changing, and a long-term awareness program ensures people stay secure amid all that change.