
Study Suggests That to Be Effective, Cybersecurity Training Needs to Occur at Regular Intervals

Monday, October 5, 2020

Cybersecurity training is critical to preventing costly data breaches, but far too many organizations treat this training as a one-and-done exercise. A recent study revealed the folly of such thinking—the results of phishing training tend to last only a few months before employees go back to their old habits. In the study, conducted by the USENIX Association in collaboration with several German universities, the behaviors of 409 employees were examined before and after cybersecurity training. The researchers found that initially, after training, awareness of the warning signs of malicious emails was relatively high. After six months, though, employees were forgetting what they’d learned. “People are very quick to fall into old habits, and so constant reminders or nudges are very important. A parallel can be drawn to exercise, a person that walks for an hour every day will be more healthy than someone who walks for 18 hours in a day once a year,” said Javvad Malik, security awareness advocate for KnowBe4. “In many cases, it’s not that people aren’t aware of threats, it’s more a matter of ‘out of sight, out of mind’—so having little but frequent reminders helps to keep threats at the forefront and remain more vigilant.”
