Security training is essential to every effective security plan.
Employees are the largest risk factor in your cybersecurity defense. 92.4% of malware is delivered by email. If a breach occurs, detecting and identifying the breach takes an average of 191 days. 60% of small companies that are the victim of a cyberattack close down within six months.
The math is clear – investing in proper training is paramount for the health of your business. But there are a few important aspects of security training that are underemphasized.
It’s not just a one-time event
The cybersecurity landscape is constantly changing. And it’s not just hacking or phishing, so there’s a lot of ground to cover.
While there are usually one or two prominent forms of attack at any given time, the approaches are always evolving. You need to deliver updated training periodically or you’ll start to fall behind. Twice a year is the longest recommended interval for training events, and more frequent sessions are needed as you implement new company policies or experience new threats.
Furthermore, studies have shown that people tend to retain information better if they encounter it repeatedly and over a longer period of time. Use this to your advantage when emphasizing best practices and policies that you want to implement.
Follow-up and measurement
Post-training assessment is also important to gauge how well the information is sinking in. First of all, if you aren’t already, you should be tracking the number of security incidents. Check the numbers before and after training sessions. If you are seeing an improvement, the training is effective.
Secondly, you should be actively checking on your team between training sessions – whether in a team meeting or performance reviews with each team member – to see how people are doing with the information given. If there are shortcomings or gaps in the knowledge covered by the training, now is the time to find out what they are.
Open communication is the best way to find out about specific security incidents or concerns, so be sure to encourage feedback.
Tailoring your strategy
It probably goes without saying that you need to make your training more relevant to your employees than simply saying, “This will help the company.” In truth, good cybersecurity practices are applicable in their daily lives – the same behaviors that will protect your company’s data will also keep their information safe from cybercriminals who might, for instance, be trying to access their email or bank accounts. Emphasize this broader value with your team.
You should, in turn, take the feedback you receive during your follow-up meetings to make your training better for your team. Find out what they worry about or what methods might work better for conveying or referencing the information effectively.
Finally, stay focused on what’s relevant to your organization and what your employees can actually utilize. A general seminar on higher-grade concepts might be interesting and enlightening to you, but your team is more likely to engage with content that they can use day-to-day. Do your research to keep learning all you can, and deliver the relevant information to your team.
Good security isn’t just about training
It’s also about attitude. For long-term results and support, it’s up to you to foster a culture of vigilance and skepticism toward sharing and using important data, whether personal or company-related.
If you can accomplish this, then you have won half the battle. The rest is just details.