Cost of User Security Training Tops $290K Per Year

The cost of security education for large enterprises at an all-time-high, coming in at $290,033 per year—a clear indication that user education is rocketing up CIOs’ priority list.

That’s according to Bromium, which found that, on average, each employee spends seven hours a year in training, learning best practices, processes and procedures to help keep the business secure. Skilled employees in human resources, legal, IT and risk departments spend an additional 276 hours a year helping to arrange and deliver in-house training.

The report, conducted by researchers at Vanson Bourne and based on responses from 500 companies with between 1,000 and 5,000 employees, also found that about 94% of CIOs surveyed have pushed for increased investment in user education following recent headlines around phishing and ransomware. Almost all of them (99%) see users as the last line of defense against hackers, meaning user education, policies and procedures are essential to ensuring that employees understand their role.

Additionally, the survey uncovered increasing interest in consulting—most businesses (90%) have used external consultants for more than three days (27 hours) a year to review and advise on security policies and procedures.

While employee education is undoubtedly a key piece of any security strategy, the quality of the training clearly varies given that user-introduced threats continue to rise. According to BakerHostetler’s 2016 Data Security Incident Response Report, phishing, hacking and malware accounted for approximately 31% of incidents, followed by employee actions and mistakes (24%). Verizon’s Data Breach Investigations Report meanwhile showed that there are often repeat offenders too: 30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.

Bromium, which provides a platform that aims to allow companies to place less focus on user practices, notes that company culture has much to do with training effectiveness.

“The fact is, most employees are focused on getting their jobs done, and any training will go out the window if a deadline is looming,” said Simon Crosby, CTO for Bromium.

He also argues—in favor of the Bromium platform—that making users responsible at all is a poor security policy.

“Insanity is doing the same thing over and over again and expecting different results; yet this is exactly what businesses are doing by piling time and money into education,” Crosby said. “It’s inevitable that the average employee will do something that goes against their training. For example, how can an HR department avoid opening attachments from untrusted sources? The fact is our whole approach to security needs to change.”

He added, “Let them click with confidence. If they get attacked, let it happen, but do so in a contained environment. By isolating applications in a contained hardware-enforced environment, malware is completely trapped, users can download attachments, browse websites and click on links without fear of causing a breach. This is the only way to stem the tide of user-introduced threats.”

Others argue that enterprises can in fact turn their weakest link—their employees—into their last line of defense, with new approaches to user education to effect real behavioral change.

“Technology filters are undeniably important in the fight against cybercrime, but IT and security bosses should be in no doubt: the decisions that employees make every day on your network could make or break your organizational cybersecurity,” said Coin McTrust, director of EMEA for Wombat Security, in a blog. “A third of organizations that we polled in 2016 claimed they’re still not measuring their susceptibility to phishing. Measurement is a vital first step to any education program, helping to set goals and baselines.”

Companies should ensure that whatever simulation tools you use to test employee awareness are highly customizable and are regularly updated to cover a wide range of current attack scenarios, for instance.

“Remember: continuous training is the key to success,” he said. “Keep lessons short and sweet so they’re easy-to-digest and pepper them multiple times throughout the year, via brief, focused computer-based training modules which focus on specific topics and provide immediate feedback. These Learning Science Principles have been proven to offer the best chance of engaging learners and changing their long-term behavior.”

What’s Hot on Infosecurity Magazine?