
Cybersecurity awareness can reduce infection risk up to 70%

A new study from Wombat Security and Aberdeen Group shows that boosting cybersecurity awareness and education among employees can reduce enterprise security risks and cost.

According to the pair of organizations behind a newly released study, cybersecurity awareness and education are important not just for IT professionals but for all employees of every organization, from management to the general rank-and-file of the workforce. However, it can be difficult for security officers to effectively communicate this importance to senior management.

Wombat Security Technologies Inc. and the Aberdeen Group hope to change that with new research released this week, which suggests that security awareness and changing employee behavior can reduce the risk of a breach by up to 70%.

While companies tend to spend a lot on security technologies, Wombat and Aberdeen found these controls are not 100% effective and may not account for one of the biggest threats to security: the errant behavior of end users.

Investing in awareness and training to teach employees how to effectively deal with common threats from social media or phishing can quantifiably reduce security-related risk by 45% to 70%, according to the companies, when accounting for both the likelihood and business impacts of security infections due to employee behavior.

Security education may lower malware costs

The research, assembled in Q4 2014, also details how education could significantly reduce the costs associated with potential malware infections.

Wombat and Aberdeen sought to estimate the cost of infections resulting from employee behavior, and found that for an organization with $200 million in annual revenue, there is an 80% chance of these infections costing $2.5M per year and a 20% chance of the damages exceeding $8M.
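As an added example (not code from the article, Wombat or Aberdeen), here is one way a security officer could turn two percentile figures like the ones above into an expected annual loss and then show the effect of a stated 45% to 70% risk reduction. It assumes the $2.5M and $8M figures are the 20th and 80th percentiles of a lognormal annual-loss distribution; that interpretation and the lognormal fit are assumptions for illustration, not something the study states.

```python
import math
from statistics import NormalDist

# Figures quoted in the article for a $200M-revenue organization.
# Treating them as the 20th and 80th percentiles of annual loss is an
# assumption made for this example, not a statement from the study.
P20_LOSS_USD = 2.5e6
P80_LOSS_USD = 8.0e6


def fit_lognormal(p_low, x_low, p_high, x_high):
    """Return (mu, sigma) of the lognormal whose CDF passes through
    (x_low, p_low) and (x_high, p_high). ln(X) ~ N(mu, sigma)."""
    z_low = NormalDist().inv_cdf(p_low)
    z_high = NormalDist().inv_cdf(p_high)
    sigma = (math.log(x_high) - math.log(x_low)) / (z_high - z_low)
    mu = math.log(x_low) - sigma * z_low
    return mu, sigma


def expected_annual_loss(mu, sigma):
    """Mean of a lognormal: exp(mu + sigma^2 / 2)."""
    return math.exp(mu + sigma ** 2 / 2)


def prob_loss_exceeds(mu, sigma, threshold):
    """P(annual loss > threshold) under the fitted distribution."""
    return 1.0 - NormalDist(mu, sigma).cdf(math.log(threshold))


def business_case(risk_reduction):
    """Expected annual loss before and after a training programme that
    reduces risk by `risk_reduction` (a fraction such as 0.45 or 0.70)."""
    mu, sigma = fit_lognormal(0.20, P20_LOSS_USD, 0.80, P80_LOSS_USD)
    before = expected_annual_loss(mu, sigma)
    return {
        "median_loss": math.exp(mu),
        "expected_loss_before": before,
        "expected_loss_after": before * (1.0 - risk_reduction),
        "p_exceed_8m_before": prob_loss_exceeds(mu, sigma, 8.0e6),
    }


if __name__ == "__main__":
    for reduction in (0.45, 0.70):
        case = business_case(reduction)
        print(f"{reduction:.0%} reduction: expected loss "
              f"${case['expected_loss_before']:,.0f} -> "
              f"${case['expected_loss_after']:,.0f} per year")
```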

In a statement, Joe Ferrara, president and CEO of Pittsburgh-based Wombat, acknowledged many organizations struggle to justify the cost of security awareness training. The study, he said, is intended to support the risk analysis security officers need to build a compelling business case.

Does your organization have a security awareness training budget? How did you justify it internally?
Our organization considers security awareness an important issue. Although I agree the organization is not investing enough in this area, the budget was approved. Security awareness was allocated 2% of the total IT budget. The justification for the allocation was the high cost of security breaches caused by the lack of awareness. It is important to note that security awareness is most valuable in specific areas such as security management and security policy.
There is definitely an emphasis on security and security awareness. We have a weekly update and practices we are encouraged to read about and implement for ourselves and others. How much of our budget I cannot actually say.
This is the ultimate in a common-sense statement. By saying that, I'm not belittling it, but only emphasizing the point that many professionals don't use enough common sense when locking down their enterprise or business. Like walking down the sidewalk in a seedy neighborhood, being aware of your surroundings is immeasurably valuable in reducing your level of danger. The same is true in cybersecurity. Good piece.
Like the saying goes: common sense is anything but common. Besides training employees, another area in which I see great potential for improving security awareness is in training short-term contract resources that come into the company to work on a project for four to six months. These resources often have access to the same information as regular employees, yet often use their own machines and, at least with us, do not receive the corporate communications regarding potential phishing threats and risks.
I wholeheartedly agree. I have firsthand experience with how awareness and education can reduce security risks. When I first started at my current position, I saw quite a few instances of various infections. On tracking them down, I found that many of them came from poisoned search results. Staff were typing URLs into search engines instead of the address bar. A quick lunch-n-learn solved the problem and now these things are rare.
I don't doubt that, absent the 70% figure, this makes sense; however, the study it links to does not seem to explain in any manner that I understand what methodology they used to arrive at those conclusions. Well, there is a link which points to a form that requires contact information about your employer. That sounds rather convenient, given that such an important bit of statistical research should be freely shared. Something about that smells fishy to me.
An interesting corollary here is watching how my kids and my spouse use their systems, and what they typically do when looking for information or doing what they enjoy doing with their systems. I've had to do some "cleaning up" after malware has polluted machines to the point of being unusable, and there are definite patterns of use. The most common is installing software based on wanting to see something or interact with something. I have a very high cynicism threshold to overcome, but my kids haven't quite gotten there yet. As such, things that look fun often end up costing in needed cleanups later. Common sense is developed after you've made bad decisions and learned from them. For many, their experiences are not common enough, nor is their involvement and awareness enough to reach the point where this "common sense" comes into play.