Want to Spend 76% Less on Security Incidents? Train Your Employees.
Companies that train their employees about cyber security best practices spend 76% less on security incidents than their non-training counterparts. That’s a prime takeaway from the 2014 U.S. State of Cybercrime Survey, a joint effort of PricewaterhouseCoopers (PwC), the Software Engineering Institute at Carnegie Mellon University, CSO magazine, and the U.S. Secret Service.
This survey of more than 500 executives from U.S. businesses, law enforcement services, and government agencies yielded a treasure trove of data and analysis. But, as with other studies we’ve discussed, there seems to be a disconnect between understanding and action.
Clearly, companies know there is a problem:
77% of respondents detected a security event in the 12 months prior to the survey
34% said the number of security incidents detected increased over the previous year
More than 59% of respondents stated they were more concerned about cybersecurity threats this year than in the past
Among those who were able to estimate the financial costs of their security incidents, the average monetary loss was approximately $415,000
Additionally, there is a good bit of consensus about the things that can be done to deter criminals, including these types of policies and procedures:
Vulnerability management (49%)
Security education and awareness for new employees (42%)
Use of “white hat” hackers (44%)
But how does this understanding relate to action? The statistics are telling:
Only 46% of survey respondents provide security training to new employees
Just 44% deliver periodic security education and awareness programs
Only 42% utilize penetration testing
Just 38% of survey respondents have a methodology to prioritize security investments based on greatest risk to the business
Only 23% conduct cyber threat analysis
And how does failed action tie to financial loss? According to the survey, organizations without security awareness and training programs — and, specifically, new employee training — reported average annual financial losses of $683,000. Those with cyber security training totaled just $162,000 in average financial losses.
It’s Time to Cut Your Losses
If you’ve been kicking the security training can down the road, it’s time to pick it up, read the writing on the label, and get cooking. Because, as the survey said, “Untrained employees drain revenue.” PwC and the survey’s cosponsors offer some blunt advice:
So if history — and responses to this survey — are a guide, more organizations will fall victim to more costly cybercrime in the coming year. Don’t be one of them. Organizations that take a strategic approach to cybersecurity spending can build a more effective cybersecurity practice, one that advances the ability to detect and quickly respond to incidents that are all but inevitable.