New research from Wombat Security Technologies and the Aberdeen Group suggests that changing employee behavior when responding to cyber threats via social media, phishing and other popular attack vectors can reduce an organization's risk by as much as 70 percent.
The report finds that, despite controls and protection being in place, many -- if not most -- reported security incidents result from the actions of company employees. The new research clearly demonstrates that investments in security awareness training can help businesses close the security gap.
"It's important for security teams to communicate clearly about the risks that organizations are accepting when their employees' response to cyber threats is not addressed," says Derek Brink, VP and Research Fellow for Aberdeen Group, a Harte Hanks Company. "While the public disclosures of the past several months have provided some startling examples about what can happen when security awareness and training is ignored, Aberdeen and Wombat have developed this model to address the most basic and logical question that security teams so often struggle to address: How does an investment in changing end user behavior through innovative security education solutions actually reduce the organization's risk?"
The findings show that an investment in user awareness and training is effective in changing behavior and measurably reduces security-related risks by between 45 and 70 percent. The report also estimates that, for an organization with $200 million in annual revenue, there is an 80 percent likelihood that infections from employee behavior will result in total costs of $2.5 million, with a 20 percent chance of exceeding $8 million.
The full report, The Last Mile in IT Security: Changing User Behavior, is available to download from the Wombat Security site.