Sat | Aug 1, 2015 | 6:21 AM PDT

Companies that train their employees about cybersecurity best practices spend 76% less on security incidents than their non-training counterparts. That's a prime takeaway from the 2014 U.S. State of Cybercrime Survey, a joint effort of PricewaterhouseCoopers (PwC), the Software Engineering Institute at Carnegie Mellon University, CSO magazine, and the U.S. Secret Service.

This survey of more than 500 executives from U.S. businesses, law enforcement services, and government agencies yielded a treasure trove of data and analysis. And there was a good bit of consensus about the things that can be done to deter criminals, including the following types of policies and procedures, which were identified by the noted percentage of survey respondents:

  • Vulnerability management (49%)
  • Security education and awareness for new employees (42%)
  • Use of "white hat" hackers (44%)

But how does this understanding relate to action? The statistics are telling:

  • Only 46% of survey respondents provide security training to new employees
  • Just 44% deliver periodic security education and awareness programs
  • Only 42% utilize penetration testing

And how does failed action tie to financial loss? As the PwC survey said, "Untrained employees drain revenue." According to the results, organizations without security awareness programs (and, specifically, new employee training) reported average annual financial losses of $683,000. Those with cybersecurity training totaled just $162,000 in average financial losses.

Continuous Training Is the Gold Standard for Reducing Risks Related to Employees' Poor Cyber Hygiene

Here's the caveat to implementing a security awareness and training program: depending on your approach, results may vary. The cornerstone of the risk reduction model proven out in Aberdeen Group's November 2014 study, The Last Mile in IT Security: Changing User Behavior, is Wombat Security's Continuous Training Methodology, which helps organizations make cybersecurity best practices a consistent part of their employees' day-to-day routines.

Using Monte Carlo analysis, the study shows that Wombat's 360-degree approach to security education can change how employees respond to cyber threats such as social engineering, phishing, and other popular attack vectors, which in turn reduces security-related risk by about 60%.

Cybersecurity is destined to be a hot topic for years to come. Top retailers have become known more for their breaches than their brands, and residents of Wall Street and Main Street alike are feeling the stresses and pressures that are being applied by hackers, scammers, and social engineers. And if self-preservation isn't enough of a driver, increasing regulations and looming legislation are sure to force organizations to put the pedal to the metal with regard to security awareness and training efforts.

But before you go full speed ahead, just remember this: not all programs deliver equal results. If you choose to let an expert provide your training program, be sure to ask about the results their customers have seen from their programs. You'll find most vendors can't provide demonstrable results. Be selective.
