“How often should we conduct security awareness training?”

I was asked the question this week from a director at a Fortune 500 company. There are several answers to the question, and while every organization approaches training a little differently, I was happy to provide my thoughts regarding the subject.

The innovative way to approach security awareness training is to make it a part of the organizational culture.  Incorporate security awareness as an ongoing plan for continuous improvement.

For simplicity, consider starting with a basic course that every employee must take.  For a more complex and dynamic approach, have executives, managers and IT staff complete a role specific course before rolling out the basic course to the rest of the employee base.  No matter the direction you take:  be sure to establish a target end date to keep the project on schedule.

Unfortunately, I more commonly see organizations use a one-time-per year approach.  This is usually the result of an internal audit that highlighted the need.  Security awareness trainingbecomes an afterthought and the annual due date for completion looms until year-end when management needs a quick-fix answer to meet its deadline.  Consequently, there isn’t any time, energy, personnel or resources invested into the project .

Often the IT department is tasked with the overall management and execution.  In the end, what is accomplished is a band-aid that will almost definitely need replacing again next year.

There isn’t a right or wrong answer to the question above. The goal should be to provide continuous training and reinforcement of basic security awareness principles.  This will help minimize company risk and exposure to breaches.  A company’s greatest risk of potential data loss is, after all, human error.  And the best way to protect your organization and your employees from human error is to provide proper comprehensive training.

Once you’ve found the proper security awareness plan…… what’s next?