
How Often Should Your Team Do Cybersecurity Training?

Your practice ran phishing awareness training in January. Everyone sat through it, ticked the box, and went back to work. By July, one of your reception staff clicked a link in a convincing-looking email and your systems were locked with ransomware. The training happened. The breach happened anyway. That is not a coincidence.

The problem is almost never the quality of the training. It is the frequency. Research presented at the USENIX SOUPS security conference found that employees who were tested four months after phishing training could still accurately identify suspicious emails. By six months, their scores started to drop. By twelve months, the knowledge had largely faded. Annual training gives people a good few months of awareness, then leaves them exposed for the rest of the year.

This matters more for healthcare and allied health practices than most people realise. Your staff handle patient records, referrals, and sensitive clinical information every day. Under the NZ Privacy Act 2020, a preventable breach caused by an untrained staff member is still your responsibility. The cost is not just the remediation. It is the notification obligations, the potential regulatory scrutiny, and the damage to patient trust that is very hard to rebuild.

The goal is not to turn your team into IT experts. It is to make safe habits second nature. That happens through repetition and variety, not a single annual session. Short, regular touchpoints work far better than long annual events. A monthly two-minute video, a simulated phishing test every quarter, a security tip in your team messaging channel, and a proper training session every four months add up to a team that stays sharp without anyone losing a full day to training. Covering phishing across email, text, and social media, good password habits, mobile device security, and basic data handling keeps the topics fresh and relevant to what your staff actually encounter.

For most practices, the honest barrier is capacity. Nobody has time to build and run a training programme on top of everything else. The answer is to have it managed for you. A good healthcare IT support partner will include security awareness training as part of a managed service, so your team stays current without you having to think about it. Simulated phishing tests, training content, and reporting on who needs extra attention can all be handled without pulling you away from running the practice.

If you are not sure whether your current setup is keeping your team properly protected, ITstuffed offers a quick IT Fit Check - 15 minutes to get a clear picture of where things stand.
