How Often Should You Enroll Your Users in New Courses?

It's important that you space the training out over time, because this is a big part of keeping awareness continuous. We recommend that users take 1-2 courses every month or every other month.

A simple way to work with our recommended frequency is sending out one course every month. 

Why is 1-2 courses every 1-2 months the ideal frequency?

Think of awareness training like fitness training. To see the best results, you need to train on a regular basis. If you train intensely for two weeks but sit on the couch the rest of the year, that training won’t have a significant impact.

Assigning courses at a moderate interval will help keep your employees’ cyber security and GDPR muscles strong and capable of maintaining good habits. 

Our courses are meant to be taken continuously

Our courses are designed to take about as long as it takes you to drink a cup of coffee (5-7 minutes). They are short and concise because we want the training to feel like a small, educational break in the workday.

Because the courses don't take long to complete, your colleagues should be able to take 1 or 2 courses in one sitting. Taking them regularly over the year helps the information stay fresh in everyone's minds while being a manageable task to complete. 

Why we don't recommend sending out many courses at the same time

Even though it might be tempting to send out all the courses at once and be done for a while, we do not recommend users take all (or many) courses at once. Doing this negates the point of continuous awareness training, which is what makes a difference in your security.

Our courses are designed to build awareness over time, so they use spaced repetition. Spaced repetition helps learning stick: it's much easier to remember something if you hear it again a few times. Because of this, the courses repeat key points, and taking them all at once can feel redundant.

Taking all the courses at the same time, once each year, might make an employee aware for a few days or weeks after the training (if they paid attention during the full day of training). But it's much more valuable for your employees and your organisation's security to spread them out over time.  

Some concrete recommendations for sending out 1-2 courses every 1-2 months

You can always follow our recommended course plan. But in case you want to customize it, here's some advice to help you make a good plan:

  • Wait at least 2 weeks between courses to avoid redundancy.
  • Do not let 3 months go by without sending out a course. This is too spread out.
  • Send no more than 3 courses at once. More than that can be overwhelming.
  • Pay attention to the topics and try to spread them out throughout the year.
    • E.g., instead of sending all our phishing courses at once, then all our personal data courses, send a phishing course and a personal data course together. This allows you to build and maintain awareness around the same topics all year.

Pros and cons of training on an ongoing basis

Pros 

  • Allows the training to have a larger impact on forming good habits
  • Will help to keep cyber security and GDPR issues on your colleagues' minds
  • The content will be retained much better because it's consistently refreshed
  • Keeps the training as a manageable task for employees to complete during their busy workdays, which will foster positive attitudes about the training and security in general
 

Cons

Pros and cons of training on a more intense but less frequent basis

Pros 

  • Does not require continuous administration of the awareness training.
    • Those who choose the “one and done” method can save a bit of time on assigning courses, and will have a slightly easier time keeping track of everyone who has not taken the training.
 

Cons

  • The phrase “out of sight, out of mind” applies here. The good habits that are conveyed in awareness training are only useful if they're actually remembered and used.
    • The thing about cybersecurity, and especially the GDPR, is that these topics and processes are so new to organisations. Many employees do not actively think about how they use their IT devices and how their actions online can have major implications for themselves, the people whose data they handle, and their organisation. 
  • If you send out too many courses at once, you risk losing your employees' attention and willingness to do the training.  
  • Assigning all the courses at once might make it seem like an employee's time isn't valued, because the courses have a good amount of repetition.  
  • If you only do training once or a few times per year, you risk that the learning goals don't stick the way you want them to, since the reminders are too spread out.
  • It's likely that a few weeks after the training, many employees will have already forgotten some of what they learned.

Your customer success manager is here to help 

If you need help figuring out what course frequency will work best for your organisation, talk to your customer success manager. He or she has experience with many different organisations and with how awareness training can fit into different schedules and structures.

 

Got a question?

Contact us at support@cyberpilot.io