Roy Urrico | August 26, 2015

Security Training Fights Phishing: Ponemon

Costs incurred by organizations as a result of successful phishing attacks are mostly related to employee productivity loss and uncontained credential compromises, which together cost an average sized company $3.77 million per year.

That’s one of the key findings of a new report, “The Cost of Phishing and Value of Employee Training,” published by the Pittsburgh-based Wombat Security Technologies and Traverse City, Mich.-based Ponemon Institute.

In the report, Ponemon Institute also found that phishing email click rates went down by an average of 64% after employees completed Wombat’s security training program. This demonstrates that following a security training program, employees are more likely to recognize phishing in their workplaces and will behave differently, Ponemon said.

As a result of effective training, Ponemon estimated organizations will see a cost savings of $1.8 million or $188.4 per employee or user. If a company paid Wombat’s standard fee of $3.69 per user for up to 10,000 users, it would see a very substantial net benefit of $184.7 per user.

Other key findings of the report include the following:

  • The average total cost for an average company to contain malware is $1.9 million per year.
  • Uncontained malware costs for an average sized company are as high as $105.9 million annually.
  • The cost of business disruption due to phishing is $66.9 million per year.
  • Employees waste an average of 4.16 hours annually due to phishing scams.
  • The average annual cost to contain a credential compromise that originated from a successful phishing attack is $381,920. Uncontained credential compromises could cost a company as much as $105.9 million per year.

“In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks,” Dr. Larry Ponemon, chairman and founder for the Ponemon Institute, said. “This research proves that security officers should expect more from employee education and seek providers like Wombat Security who can provide results like these. As the threat landscape continues to intensify and phishing tactics become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack.”

Joe Ferrara, president/CEO of Wombat Security Technologies, said, “This is yet another proof point that an overall security posture is multifaceted and needs to include employee education to prevent against increasingly more sophisticated phishing attacks, which leave companies vulnerable to significant losses and business disruption. This research reveals the compelling value and ROI from putting in place a comprehensive security training program. Our methods have shown that a continuous training methodology does change employee behavior and reduce risk within an organization.”

Read the Article on Credit Union Times