On the face of it, there’s really only one reason to invest in security awareness training: To avoid breaches, and save money. In reality there’s a bit more to it than that, but let’s stick with this assumption for now.
Are breaches a realistic risk for your organization? And if they are, how much could it really cost you?
After all, investing in powerful security awareness training costs money, and you need to know it’s going to be money well spent.
So before you make a decision, let’s cover some of the main concerns.
The Dangers of Underestimation
First of all, we need to recognize a simple truth. People always underestimate the likelihood and impact of dangers they don’t properly understand. If you, or your executive board, don’t have a good handle on the subject, there’s a good chance you’re underestimating the potential risk of cyber attack.
If you’ve been following our blog recently, you already know that it’s pretty simple to calculate ROI for security awareness training. But to avoid scepticism, we’ll take a deeper look at some of the risks.
Heard enough? Our 2016 Buyer's Guide includes everything you need to choose, implement, and monitor a security awareness training program that turns your employees into security MVPs.
Am I Really at Risk?
The short answer is yes, you are. Everybody is, and that risk is getting worse every year.
A comprehensive study conducted by LogRhythm, which covered 1,000 IT security decision makers across 10 countries, five continents, and 19 industries found that 76 percent of organizations were breached during 2015. That’s over three quarters of all organizations worldwide. And believe it or not, that figure is even higher in industries such as healthcare.
Now you might be thinking ‘Well, we haven’t been breached so far, so maybe we’re not a target.”
But here’s the thing. Breaches often take months to detect, and many are never discovered. So while it’s possible that your organization has never been breached, it’s statistically much more likely that you just don’t know about it.
And if your organization is small or medium sized, we’ve got some bad news for you. 90 percent of all reported breaches target SMEs, not large corporations, so the ‘not being a target’ argument really doesn’t hold up.
OK… But Does it Really Cost THAT Much?
You’ve probably seen headlines that estimate the cost of data breaches at around $4 million. But that’s an average figure, and most small or medium sized organizations shrug it off as implausible.
Now, we could suggest you use our handy calculator to estimate your annual breach costs. But here’s a different statistic that might make you sit up and take notice:
An estimated 60 percent of breached SMEs go out of business within six months.
Doesn’t get much worse than that, does it? In the end, the specific costs don’t matter if the business ends up going under.
But let’s assume your organization can withstand the impact of a data breach. Even if that’s the case, the cost of a breach can be astronomical, and with the advent of new regulations such as the GDPR they’re about to get even higher.
Consider the case of TalkTalk, who have recently endured many of the anticipated ramifications of a large-scale breach. As a result of the breach they were fined a record £400,000, or $417,700, but for a company as large as TalkTalk you could argue that wasn’t as significant as it might have been. If the same breach had happened in a couple of years, after the advent of the GDPR, a similar company could be fined up to 4 percent of global turnover or €20 million (whichever is higher).
But even that doesn’t tell the whole story. Despite their relatively meager fine, TalkTalk’s actual costs are predicted to reach something in the region of £60 million, or $62.6 million.
Why? Because fines and remediation costs are just the tip of the iceberg.
On Breaches and Reputation
The impact of breaches on reputation has been the subject of much debate. While surveys typically find that customers lose faith in organizations following a breach, the idea that breaches necessarily cause long-term brand damage has been questioned.
For instance, Sean Mason, director of threat management at Cisco security services, points out that although stock prices take a hit immediately following a breach, this amounts to little more than a blip over the long haul.
But stock prices aren’t everything. The fact remains that in the wake of their high profile breach, TalkTalk lost up to 250,000 customers, or around 7.5 percent of their total customer-base. Even worse, those losses went straight to TalkTalk’s main competitors BT and Sky.
And don’t forget we’re talking about subscribers, not single sale customers, each of whom could easily be worth hundreds or even thousands over the period of their contract.
If that’s not a measurable long-term impact, we don’t know what is.
Fine, But Why Security Awareness Training?
According to BakerHostetler’s 2016 Data Security Incident Response Report, 31 percent of breaches are a direct result of phishing and malware, and a further 24 percent are caused by employee actions. That’s 55 percent of breaches that can be directly attributable to employee error.
A separate study conducted by SANS Institute found that an incredible 95 percent of all attacks on enterprise networks started with a spear phishing attack.
So if data breaches are a stark reality, and employees are the weakest link in most corporate networks, the path forward should be clear: investment in security awareness training.
And not just any security awareness training. You need a program that delivers genuine improvements in employee security behaviors, and which enables you to track those improvements.
Of course technical controls are important. Advanced spam filters, consistent patch management, and penetration testing all help to minimize the security burden on your employees. But in the real world it’s impossible to completely shield your employees from attacks, and ultimately that means your organization’s security is at least partially dependent on their security behaviors.
And do you really want to take that risk?
Ready to get started? Our Employee Defense Training service helps users identify and report phishing attacks, instead of falling for them. If you want to see measurable improvements fast, request a demonstration today.