Awareness and training for workers mean employers will pay less for cyber security incidents.
In fact, companies whose employees are trained in cyber security best practices will spend 76 percent less on security incidents than companies that provide no training, according to the 2014 U.S. State of Cybercrime Survey, a joint effort of PricewaterhouseCoopers (PwC), the Software Engineering Institute at Carnegie Mellon University, CSO magazine, and the U.S. Secret Service.
The survey drew responses from more than 500 executives from U.S. businesses, law enforcement services, and government agencies.
Companies know there is a problem:
• 77 percent of respondents detected a security event in the past 12 months
• 34 percent said the number of security incidents detected increased over the previous year
• More than 59 percent of respondents stated they were more concerned about cybersecurity threats this year than in the past
• Among those who were able to estimate the financial costs of their security incidents, the average monetary loss was $415,000
There was agreement on what needs to happen to deter criminals, including these types of policies and procedures:
• Vulnerability management (49 percent)
• Security education and awareness for new employees (42 percent)
• Use of “white hat” hackers (44 percent)
Respondents understand the issue, but understanding and delivering are two different things. The survey found:
• 46 percent of survey respondents provide security training to new employees
• 44 percent deliver periodic security education and awareness programs
• 42 percent utilize penetration testing
• 38 percent of survey respondents have a methodology to prioritize security investments based on greatest risk to the business
• 23 percent conduct cyber threat analysis
The survey found that organizations without security awareness programs, and specifically new employee training, reported average annual financial losses of $683,000. Those with training reported just $162,000 in average financial losses.