Making staff aware of security issues should not be a one-time training exercise; everybody needs to be involved, irrespective of rank. The staff within your business are the last line of defence, so your employees must be able to identify and avoid potentially malicious emails, reducing the threat to your business. Email security training needs to be an evolving process.
The most common form of cyber-attack is phishing; it is thought to be successful in as many as 20% of the attempts made. If an employee is drawn in by one phishing attempt, they are likely to fall for it a second time, and if you do not educate your staff, statistics suggest this cycle will continue. User education can be the most effective way of increasing awareness and changing repeat behaviour. Adjusting behaviour can improve security across your network: simply slowing your colleagues down, so that they evaluate the mail they receive, can help them recognise an attempt.
More and more companies are choosing to use simulated attacks as a training tool for spotting those stinky phishes. Security officers consider these simulations a valuable way to show people how they can be tricked into opening emails, with education being the key to the exercise. Checking the susceptibility of your human firewall gives you an understanding of the risks to your company and of the level of understanding amongst your staff.
If a real attack were to be successful, it could have a huge impact on your reputation and even your bottom line. The National Cyber Security Centre (NCSC) has published guidelines on how to avoid falling for an attack; simply raising awareness can reduce the risk, and running a simulated attack may reduce it even further.