Want to Spend 76% Less on Security Incidents? Train Your Employees.

Companies that train their employees about cyber security best practices spend 76% less on security incidents than their non-training counterparts. That’s a prime takeaway from the 2014 U.S. State of Cybercrime Survey, a joint effort of PricewaterhouseCoopers (PwC), the Software Engineering Institute at Carnegie Mellon University, CSO magazine, and the U.S. Secret Service.

This survey of more than 500 executives from U.S. businesses, law enforcement services, and government agencies yielded a treasure trove of data and analysis. But, as with other studies we’ve discussed, there seems to be a disconnect between understanding and action.

Clearly, companies know there is a problem:

• 77% of respondents detected a security event in the 12 months prior to the survey
• 34% said the number of security incidents detected increased over the previous year
• More than 59% of respondents stated they were more concerned about cybersecurity threats this year than in the past
• Among those who were able to estimate the financial costs of their security incidents, the average monetary loss was approximately $415,000

Additionally, there is a good bit of consensus about the things that can be done to deter criminals, including these types of policies and procedures:

• Vulnerability management (49%)
• Security education and awareness for new employees (42%)
• Use of “white hat” hackers (44%)

But how does this understanding relate to action? The statistics are telling:

• Only 46% of survey respondents provide security training to new employees
• Just 44% deliver periodic security education and awareness programs
• Only 42% utilize penetration testing
• Just 38% of survey respondents have a methodology to prioritize security investments based on greatest risk to the business
• Only 23% conduct cyber threat analysis

And how does failed action tie to financial loss? According to the survey, organizations without security awareness and training programs — and, specifically, new employee training — reported average annual financial losses of $683,000. Those with cyber security training totaled just $162,000 in average financial losses.

It’s Time to Cut Your Losses

If you’ve been kicking the security training can down the road, it’s time to pick it up, read the writing on the label, and get cooking. Because, as the survey said, “Untrained employees drain revenue.” PwC and the survey’s cosponsors offer some blunt advice:

So if history — and responses to this survey — are a guide, more organizations will fall victim to more costly cybercrime in the coming year. Don’t be one of them. Organizations that take a strategic approach to cybersecurity spending can build a more effective cybersecurity practice, one that advances the ability to detect and quickly respond to incidents that are all but inevitable.

Find out how Wombat’s Continuous Training Methodology helps organizations change employee behaviors and reduce risk.