wombatsecurity | December 04, 2014

Lessons Learned from Costco? Employee Training Matters

Over the last week, Costco became the latest victim of phishing. Every day another mega company joins the list. In one recent instance, beyond the more than 56 million customer credit accounts already known to be affected, it was revealed that some 53 million customer email addresses were also leaked.

Just what does this mean?

It's no surprise to discover that cybercriminals are leveraging the uptick in holiday shopping, or any occasion, to further spread their malicious campaigns. According to a recent blog post, researchers at ESET have caught on to a new phishing scam in which cybercriminals are spoofing emails claiming to be from Costco, attempting to lure victims into submitting sensitive information.

As we first discussed in the inaugural edition of Wombat’s News Watch series: how do these high-profile data breaches continue to take place, and what can you do to protect your business?

Employee training matters.

Bottom line: companies that train their employees about cyber security best practices spend 76% less on security incidents than their non-training counterparts. Analysts now agree, including industry giant Gartner, which has published a Magic Quadrant on security awareness training. A recent article (http://searchsecurity.techtarget.com/news/2240234092/Despite-skeptics-security-awareness-training-for-employees-is-booming) based on this new Magic Quadrant stated these facts:

Although enterprise security awareness training for employees has long been considered a compliance-checkbox activity, and not necessarily an effective tactic for protecting corporate assets, Gartner says it’s time for enterprise security managers to rethink their attitudes toward user awareness training.

The article states the old views have largely been driven by past mistakes from enterprises, which often utilized internal security teams to develop training programs. While input from in-house security experts is vital for quality training, the Gartner report said do-it-yourself training programs often fail to account for a key ingredient: instructional designers and other training experts.

According to the article, enterprises are also concerned by the "reputational issues" associated with suffering a breach. Retailers have been criticized in the wake of massive data breaches when leaked information showed that both had made serious security program missteps. Should a high-profile incident occur, enterprises fear facing similar criticism from customers and shareholders that employees weren't properly trained.

A recent report from the 2014 U.S. State of Cybercrime Survey, a joint effort of PricewaterhouseCoopers (PwC), the Software Engineering Institute at Carnegie Mellon University, CSO magazine, and the U.S. Secret Service, revealed some startling facts:

  • Only 46% of survey respondents provide security training to new employees
  • Just 44% deliver periodic security education and awareness programs
  • Only 42% utilize penetration testing
  • Just 38% of survey respondents have a methodology to prioritize security investments based on greatest risk to the business
  • Only 23% conduct cyber threat analysis

And how does this inaction tie to financial loss? According to the survey, organizations without security awareness programs — and, specifically, new employee training — reported average annual financial losses of $683,000. Those with training reported just $162,000 in average financial losses.

It’s time for Security Awareness Training

In the TechTarget article referenced above, Gartner concluded that training should be considered a legitimate, must-have enterprise security tool.

Basically, if you are not educating employees about the behavior that keeps your company safe, there should be no expectation that they will be knowledgeable enough to make the right decision when faced with a cyber security threat. Enterprises should consider it a basic security guideline, just like having anti-virus software on desktops.

To develop your own unique story around the latest Security Awareness Training trends, please feel free to contact Lorraine Kauffman-Hall at 704-882-0443.

About Wombat Security Technologies

Wombat Security Technologies provides information security awareness and training software to help organizations teach their employees secure behavior. Its SaaS cyber security education solution includes a platform of integrated broad assessments, as well as a library of simulated attacks and brief interactive training modules. Wombat's solutions help organizations reduce successful phishing attacks and malware infections by up to 90%. Wombat is helping Fortune 1000 and Global 500 customers in industry segments such as finance, technology, banking, higher education, retail, and consumer packaged goods to strengthen their cyber security defenses.

Lorraine Kauffman-Hall

Amy Baker
412-621-1484 x 115