When there are so many security threats demanding our attention and initiatives needing funding, it can be difficult to decide how to allocate the security budget. Security awareness training goes beyond preventing some attacks to improving an organization's overall security posture.
Over the past few months, we've seen attackers increasingly relying on phishing and other social engineering attacks which require users to click on a link, download a file, or enter information on a Web page. And human nature being what it is, these attack methods are extremely successful. In fact, in a quiz developed by McAfee Labs, 80 percent of its participants could not identify at least one of seven phishing emails. It seems logical, then, for organizations to focus on user awareness training so that employees will recognize potential attacks and avoid them.
Companies that provide security training for their employees spent 76 percent less on security incidents than companies that don't have formal training programs, according to the 2014 U.S. State of Cybercrime report jointly produced by PricewaterhouseCoopers, Carnegie Mellon University's Software Engineering Institute, the United States Secret Service, and CSO magazine.
As the report's authors noted, "untrained employees drain revenue."
Most of the respondents in the survey—more than 500 executives from businesses, law enforcement, and government agencies—did not provide security training, as only 46 percent said they provided security training to new employees and only 44 percent said they delivered periodic education and awareness programs. The figures are telling, as organizations who did not have security awareness programs reported annual financial losses of $683,000, compared to the $162,000 average financial loss reported by organizations with training programs.
Even with this kind of cost-savings, security teams struggle with prioritizing training in their budgets. One way to justify the spend is to consider the overall impact these programs have towards reducing the organization's risk, instead of on total expenses, says Joe Ferrara, president and CEO of Wombat Security Technologies, a company which specializes in security awareness training programs.
"Align security ops plans to business goals," and see areas where training can improve employee productivity, he advises.
For example, a more security-aware user base may mean fewer calls to the help desk, freeing up IT to work on other projects. The organization may experience less downtime because employees won't be waiting for IT to reimage their computers after an infection.
Security awareness training typically simulates attack scenarios such as emails resembling common phishing campaigns. If the user fails the test and clicks on the link, the program immediately provides a brief message to teach the warning signs. When combined with interactive training, these simulations can be treated as proof-of-concepts similar to penetration testing as they show where the organization is vulnerable and how training can reduce susceptibility to attack, Ferrara says. CISOs can use the results of the assessments to highlight the gaps to convince senior executives into spending on security, he says.
There are plenty of examples showing security awareness training can reduce an organization's risk. Wombat Security Technologies recently released a case study of a Northeastern college where users used to fall for five to six criminal phishing attacks a month. After deploying Wombat's training program, the college saw the number of successful phishing attacks decrease to just three over six months, the company said. Similarly, a Fortune 50 company reduced its susceptibility to attack by 68 percent within three weeks of deploying the training program, according to Wombat.
It's easy to fall in the trap of thinking that security awareness training will block all attacks. Yes, security-aware users are less likely to be tricked, but attackers need to con only one person to successfully breach the organization. And it's easy to blame the victim and say if that person had only been more vigilant, then the attack would have failed. It isn't practical to expect that users will stop doing what comes naturally—clicking on links and opening files—especially since the same actions are also part of their normal job activities, says Anup Ghosh, CEO of Invincea, a company specializing in malware threat detection. Attackers take advantage of the fact that users are inclined to trust other people and may be concerned not doing something would have negative consequences.
"The popularity of security training is predicated on the myth that we can teach users to make the Internet a safer place, if only they won’t be, well, humans," Ghosh recently wrote.
Security professionals have to remember that boosting training efforts doesn't mean the organization can ease spending on other security initiatives, Ferrara says. There isn't any one area that will be 100 percent effective at blocking attacks, so organizations have to focus on reducing risks and investing in layered security, he says. Security training just needs to be part of the larger strategy.