Security Compliance: It Pays to Educate Employees

Security Compliance: It Pays to Educate Employees

Educating employees on the dangers of phishing plays a critical role in ensuring security compliance.

When was the last time your business earned a return of 50 times the initial investment? According to a study conducted by the Ponemon Institute, that's the type of returns firms generate when they invest in security compliance training.

To arrive at that lofty return on investment, the study's authors analyzed six case studies that involved simulating phishing attacks and captured the email click rate on phishing emails sent before and after an employee took the class. Reductions in the number of emails opened and clicked ranged from 26 to 99 percent, with an average of 64 percent of employees choosing not to click on phishing emails after training.

The study pegs the cost of delivering cybersecurity training at $3.69 per employee and the savings at $188.40, which includes the costs businesses avoid when employees don't trigger a breach by clicking on a phishing email, to arrive at a net benefit of $184.71 per employee trained.

Training That Pays for Itself

While the Ponemon report assumes that a company includes 10,000 employees, the concept readily applies to businesses of all sizes: train employees to spot a suspicious scheme and dramatically reduce the costs borne by the organization related to phishing.

But why pay so much to phishing? A recent report from NTT Security noted that in the second quarter of 2017, cyberattacks increased by 24 percent, with phishing playing a role in 67 percent of malware attacks.

Truth be told, in an age when an average employee receives hundreds of emails a day, phishing emails provide cybercriminals with a remarkably simple, yet highly cost-effective, means of breaching an organization's defenses. Mitigating the threat posed by phishing, and cyberattacks in general, requires that senior executives and board members understand the threat, the firm's current approach to cybersecurity, and by extension, where gaps exist that may require investment.

More Than Just an IT initiative

An effective cybersecurity relies on more than the IT department deploying technology-based tools to combat the threat. In its 2016 Data Security Incident Response Report, BakerHostetler, a US-based law firm identified human error as the leading cause of data breaches. This reaffirms why it's important that employees and executives alike must possess the ability to identify the hallmarks of an attack, in particular, phishing emails.

Provide Real-World Examples of Cyberattacks

Breaches happen with alarming regularity. In fact, there's no shortage of news articles on the topic. Make the threat real by compiling examples of recent data breaches, ideally from within your industry, to discuss with the board and senior executives. Summarize the facts of each case and the lessons learned. By doing so, you might identify critical gaps within your organization's defenses.

Detail the Types of Losses Cybercrime Inflicts

A board member's common sense tells them that cyberattacks generate losses, but they may not understand the depth and breadth of those losses. Fortune reported that according to IBM, the average breach costs $3.79 million, or $158 per record lost. Provide the board with a breakdown of those costs, including the expenses organizations incur to investigate the source of the attack as well as improve their defenses to prevent a similar attack in the future.

As long as phishing emails grant cybercriminals access to corporate data, they will continue to land in your employees' inboxes. While board members control a firm's purse strings, they often don't have an appreciation of the costs that accompany a breach. Using the talking points noted previously, finance leaders have an opportunity to reframe the discussion to secure funding for cybersecurity-related expenses, including an effective employee security training program.