Phishing Awareness Training Effective Only for a Few Months

In the majority of cyber breaches, phishing attacks are the root cause. Phishing awareness training sensitizes a company’s employees to possible phishing attacks. Businesses that fail to invest in phishing protection will sooner or later fall victim to this crime. What is even more disconcerting is that 90% of phishing emails contain ransomware.

Today, a typical phishing attack costs over $1 million. Through anti-phishing behavioral conditioning, companies can significantly reduce their risk of becoming victims of a phishing attack.

That said, phishing awareness training remains sufficiently effective for only a few months. To find out how the effect of phishing training wears off over time, researchers surveyed 490 employees at the State Office for Geoinformation and State Survey (SOGSS) in Germany. They ran periodic tests to determine at what point the anti-phishing training had worn off enough for SOGSS employees to fail at detecting phishing emails.

Research Results

The research team split the 490 SOGSS employees into five groups, each tested after a predetermined interval: four, six, eight, ten, and twelve months. The results showed that participants still correctly detected phishing emails four months after training, but that changed six months after the initial training.

A recent Osterman Research survey shows that only 17% of employees are confident in identifying social engineering attacks. Therefore, today’s phishing awareness best practices must include regular security awareness training.

Anti-phishing Training Is Effective

According to the 2019 Verizon Data Breach Investigations Report (DBIR), the phishing click rate dropped from 25% in 2012 to 3% in 2018. The companies that have benefited from this drop are those that conduct multiple security training events. Consistent phishing training heightens a sense of caution in users’ minds, a change that often stops malware from finding its way into an organization’s systems.
The secret to sufficient phishing awareness is conducting random phishing awareness tests and phishing awareness training every six months. While such training incurs considerable cost, avoiding a data breach could save the company an enormous amount of money; cleaning up after a data breach is no easy feat.