According to a pair of organizations behind a newly released study, cybersecurity awareness and education are important not just for IT professionals but for all employees of every organization, from management to the general rank-and-file of the workforce. However, it can be difficult for security officers to effectively communicate this importance to senior management.
Wombat Security Technologies Inc. and the Aberdeen Group hope to change that with new research released this week, which suggests that security awareness and changing employee behavior can reduce the risk of a breach by up to 70%.
While companies tend to spend a lot on security technologies, Wombat and Aberdeen found these controls are not 100% effective and may not account for one of the biggest threats to security: the errant behavior of end users.
Investing in awareness and training to teach employees how to effectively deal with common threats from social media or phishing can quantifiably reduce security-related risk by 45% to 70%, according to the companies, when accounting for both the likelihood and business impacts of security infections due to employee behavior.
The research, assembled in Q4 2014, also details how education could significantly reduce the costs associated with potential malware infections.
Wombat and Aberdeen sought to estimate the cost of infections resulting from employee behavior, and found that for an organization with $200 million in annual revenue, there is an 80% chance of these infections costing $2.5M per year and a 20% chance of the damages exceeding $8M.
In a statement, Joe Ferrara, president and CEO of Pittsburgh-based Wombat, acknowledged many organizations struggle to justify the cost of security awareness training. The study, he said, is intended to support the risk analysis security officers need to build a compelling business case.