Which phishing messages have a near 100% click rate? [source: helpnetsecurity]

Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organization wants to see click rates decrease.

For one thing, employees come and go (and change roles) with regularity. Secondly, threats change over time. Thirdly, knowledge and practices that aren’t regularly reinforced will be lost. And, finally, awareness isn’t the same as knowledge.

“Just knowing a threat exists isn’t the same as knowing how to recognize and respond to a threat when it presents itself. In-depth education about phishing prevention is needed to create lasting behavior change,” Wombat Security researchers point out.

The statistics included in the company’s latest annual State of the Phish report show the difference made by both the tools used to train end users to recognize and avoid phishing attacks and how often they are used.

In the US, most organizations use computer-based online security awareness training and simulated phishing attacks to train employees, while UK organizations generally opt for more passive training methods over hands-on practice:

Also, 46 percent of US organizations use those tools biweekly or monthly, while UK organizations do that in just 21 percent of cases.

As a result, 61 percent of US organizations see quantifiable results from these efforts, compared to 28 percent of UK orgs.

You also might find yourself tempted by a “set it and forget it” security awareness training program, the researchers noted, but that’s not ideal. “When you plan and schedule your phishing tests months (or even years) in advance, you lose the ability to be responsive to emerging threats and to tailor activities based on your results.”

For more, click here.