Sometimes I'm asked why an organization should continue its awareness training year after year. After all, once people are trained, isn't that good enough? Unfortunately no, in so many ways. Think about it: if you locked down and secured your computers for just one year, could you stop securing them after that? Absolutely not; their security would quickly degrade. The HumanOS is no different, and here is why.
1. UPDATED TRAINING: Your training should be aggressively updated at least once a year (we update our training twice a year at SANS). You would be amazed at how fast technology, attackers and the latest risks change. Over 60% of our training content changes every year, including new examples, key learning points or even new topics. Long story short, a good part of what your folks learned last year will most likely no longer apply this year.
2. CHANGING BEHAVIOR: The key to changing behaviors is reinforcement. By taking training every year, employees, contractors and staff are more likely to learn and understand key learning points and change their behavior. For maximum impact, you should go beyond once a year and reinforce key learning points every month, not only with videos or onsite training but also through additional methods such as newsletters, posters, webcasts, or an internal blog. One suggestion is the free, monthly security awareness newsletter OUCH!
3. REMAINING COMPLIANT: Most standards that require a security awareness program require it to be taught at least once a year, every year (some standards, such as FISMA or PCI DSS, require even more). In addition, standards are constantly evolving and changing. What you taught last year may be out of date or no longer applicable this year. By providing new training every year, you keep your organization current with the latest compliance requirements.
4. CHANGING PEOPLE / ROLES: You need a long-term, continuous program because people are always changing: new employees are hired, contractors are brought on for temporary positions, and existing employees change roles in ways that may require additional or different security training. Your organization is always changing, and a long-term awareness program ensures people stay secure amid all that change.