SECURITY AWARENESS TRAINING AND WHY YOU NEED IT!

Consider the following:

• The cost of phishing attacks has almost quadrupled over the past six years, with large U.S. companies losing an average of $14.8 million annually (or $1,500 per employee) to phishing.
• SMBs spend an average of $955,429 to restore normal business in the wake of a cyberattack.
• The average cost of a breach in 2021 was estimated at $4.2 million per incident — the highest ever recorded in the 17 years of the study.
• Seven in 10 customers would stop doing business with a company that has a data breach. 
• Security goes hand in hand with regulatory compliance, and the effects of a breach bring numerous complications. Organizations in many industries or geographic locations are re-quired to comply with data privacy statutes that require certain protections for the handling and storage of personal, financial or health-related data — and the penalties for non-compliance can be steep.
• For a HIPAA violation, a company could be looking at penalties ranging from $100 to $50,000 per violation (or per record).
• A GDPR penalty could set a company back up to 4% of its annual global revenue or 20 million euros ($22.8 million).
• A company in breach of PIPEDA requirements can be fined up to $100,000 for each violation.

Untrained employees are security hazards, not security assets. By failing to properly train employees in security and compliance best practices, companies are setting themselves up to battle that unpleasant reality in a scenario where they can never win.

• About 61% of organizations have had employees cause a compliance-related security failure.
• Around 97% of employees are unable to spot a sophisticated phishing email without training.
• Only about 30% of average internet users even know what ransomware or malware is.
• About 40% of remote workers have caused cybersecurity repercussions for their company.
• Only 16% of employees can recognize cyberthreats without security awareness training.
• Approximately 45% of respondents in a HIPAA Journal survey said that they don’t need to worry about cybersecurity safeguards because they don’t work in the IT department

While training may sound nebulous or frivolous, it’s not. Instead, the benefits of security and compliance awareness training have been scientifically proven. Researchers in a U.K. study discovered that the improvement in employee behavior that companies see when they engage in security awareness training is stark.

At the beginning of the study, as many as 40% to 60% of the employees surveyed were likely to open malicious links or attachments. After about six months of security awareness training, the percentage of employees who took the bait dropped to 20% to 25%. When the employees completed three to six months more of security awareness training, only 10% to 18% of them fell for the phishing messages.

These cold, hard facts clearly demonstrate the dangers of untrained employees facing security and compliance choices. However, many of these problems can be resolved through security and compliance awareness training.

Why should you devote a portion of your security budget to security awareness training? Because it’s a powerful defensive asset with impressive ROI that maximizes your security spend while protecting your bottom line. Security awareness training programs have a three-fold or more return on investment. This breakdown by Osterman Research helps explain how that happens.