When it comes to security awareness training, a "one and done" approach does not produce a program that holds up against phishing attacks.
To the contrary, comprehensive, continuous security training programs can significantly reduce the financial consequences of phishing in the workplace, according to a new research report.
The "Cost of Phishing and Value of Employee Training" report, conducted by security research firm Ponemon Institute and sponsored by Wombat Security Technologies, surveyed 377 IT security practitioners in the U.S.; 39 percent of them came from organizations with 1,000 or more employees who have access to corporate email systems.
“In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks,” said Larry Ponemon, chairman and founder of Ponemon Institute. “As the threat landscape continues to intensify and phishing attacks become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack.”
Ponemon performed an analysis of the potential cost to organizations when employees are victimized by phishing scams. Extrapolated to the average-sized organization in its sample (a headcount of 9,552 individuals with user access to corporate email systems), the total annual cost of phishing came to $3.77 million. The analysis included the cost to contain malware, the cost of malware not contained, the loss of productivity from phishing, the cost to contain credential compromises and the cost of credential compromises not contained.
In Ponemon’s cost analysis, the majority of costs come from the loss of employee productivity, with 48 percent of total organizational costs (more than $1.8 million for average-sized organizations in the sample) pertaining to employee/user productivity losses caused by successful phishing during the work day. The cost of credential compromises not contained accounted for 27 percent of costs (more than $1 million for average-sized organizations in the sample).
Ponemon found that employees waste an average of 4.16 hours annually due to phishing scams. For an average-sized organization (9,552 individuals with user access to corporate email systems), that comes to 39,736 hours a year lost to phishing. Assuming an average labor rate of $45.80 an hour for non-IT employees, that amounts to a productivity loss of $1,819,923 a year.
But employee security training can substantially affect that number. Ponemon obtained six proof-of-concept studies from six large companies, each combining mock phishing attacks with follow-up, in-depth training. The actual improvements the companies experienced ranged from 26 percent to 99 percent, with an average improvement of 64 percent.
With phishing costing an average-sized organization $3.77 million, Ponemon estimates a cost savings of $1.8 million, or $188.40 per employee/user.
“This is yet another proof point that an overall security posture is multifaceted and needs to include employee education to prevent against increasingly more sophisticated phishing attacks, which leave companies vulnerable to significant losses and business disruption,” said Joe Ferrara, president and chief executive of Wombat Security Technologies. “This research reveals the compelling value and ROI from putting in place a comprehensive security training program.”
A continuous training methodology can change employee behavior and reduce risk within an organization, the report said.