Security education in phishing can save companies millions

A new research report by Ponemon Institute finds that a comprehensive security training program with a continuous training methodology can reduce the phishing email click rate by an average of 64 percent.

Comprehensive security training programs with a continuous training methodology can significantly reduce the financial consequences of phishing in the workplace, according to a research report published Wednesday.

Security research firm Ponemon Institute recently surveyed 377 IT security practitioners in the U.S. — 39 percent of them from organizations with 1,000 or more employees who have access to corporate email systems — for the Cost of Phishing and Value of Employee Training report, sponsored by Wombat Security Technologies.

"In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks," Larry Ponemon, chairman and founder of Ponemon Institute, said in a statement today. "This research proves that security officers should expect more from employee education and seek providers like Wombat Security who can provide results like these. As the threat landscape continues to intensify and phishing attacks become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack."

Phishing costs businesses big-time

Ponemon performed an analysis of the potential cost to organizations when employees are victimized by phishing scams, extrapolating that the total annual cost of phishing for the average-sized organization in its sample (headcount of 9,552 individuals with user access to corporate email systems) came to $3.77 million. The analysis included the cost to contain malware, the cost of malware not contained, loss of productivity from phishing, the cost to contain credential compromises and the cost of credential compromises not contained.


In Ponemon's cost analysis, the majority of costs are caused by loss of employee productivity, with 48 percent of total organizational costs (more than $1.8 million for average-sized organizations in the sample) pertaining to employee/user productivity losses caused by successful phishing during the work day. The cost of credential compromises not contained accounted for 27 percent of costs (more than $1 million for average-sized organizations in the sample).

Ponemon found that employees lose an average of 4.16 hours annually to phishing scams. For an average-sized organization (9,552 individuals with user access to corporate email systems), that comes to 39,736 hours lost to phishing. Assuming an average labor rate of $45.80 per hour for non-IT employees, that comes to a productivity loss of $1,819,923 a year.

Training does matter

But employee security training can substantially affect that number. Ponemon obtained proof-of-concept studies from six large companies that used Wombat's phishing training, which combines mock attacks with follow-up in-depth training. The actual improvements experienced by the companies ranged from 26 percent to 99 percent, with an average improvement of 64 percent.


Based on an average retention rate of about 75 percent (Ponemon attributes this to The Learning Pyramid from National Training Laboratories in Bethel, Maine, though its accuracy has been called into question), Ponemon estimates a net long-term improvement in fighting phishing scams of 47.75 percent.

With phishing costing an average-sized organization $3.77 million, Ponemon estimates a cost savings of $1.80 million, or $188.40 per employee/user. Wombat's fee comes in at $3.69 per employee, so a little quick math leads to a net benefit of $184.71 per user — a one-year rate of return of 50X.
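The productivity-loss and return-on-training figures above are the output of a short chain of arithmetic, and a practitioner who wants to re-run it with their own headcount, labor rate and training fee needs the chain, not the single result. The following Python is an added worked example written for this page; it is not code from Ponemon Institute or Wombat Security. It reconstructs the model from the numbers the article states (hours lost per user, headcount, labor rate, total annual cost, observed improvement, retention rate, per-user fee); the function and field names are this example's own. Using the rounded inputs given in the article reproduces the article's figures to within rounding (64 percent times 75 percent gives 48 percent rather than the report's 47.75 percent, and the per-user savings land a few cents from $188.40), which is why the ROI function takes the net improvement rate as an explicit input rather than recomputing it.

```python
"""Cost-of-phishing and training-ROI model reconstructed from the figures in
the article.  Example code added for this page; not Ponemon's or Wombat's own
calculator.  All field and function names are this example's own."""

from dataclasses import dataclass


@dataclass(frozen=True)
class PhishingCostInputs:
    headcount: int                 # users with access to corporate email
    hours_lost_per_user: float     # annual hours lost to phishing per user
    labor_rate: float              # hourly labor rate for non-IT staff, USD
    total_annual_cost: float       # total annual cost of phishing, USD
    training_fee_per_user: float   # training vendor's fee per user, USD


# Inputs as stated in the article for the "average-sized organization".
PONEMON_SAMPLE = PhishingCostInputs(
    headcount=9552,
    hours_lost_per_user=4.16,
    labor_rate=45.80,
    total_annual_cost=3_770_000,
    training_fee_per_user=3.69,
)


def productivity_loss(inputs: PhishingCostInputs) -> tuple[float, float]:
    """Return (hours lost per year, dollar value of those hours).

    hours  = headcount * hours lost per user
    dollars = hours * hourly labor rate
    """
    hours = inputs.headcount * inputs.hours_lost_per_user
    return hours, hours * inputs.labor_rate


def net_improvement(observed_improvement: float, retention_rate: float) -> float:
    """Discount the observed click-rate improvement by how much of the
    training employees are assumed to retain over the long term."""
    return observed_improvement * retention_rate


def training_roi(inputs: PhishingCostInputs, net_improvement_rate: float) -> dict:
    """Savings, per-user savings, net benefit after the training fee, and the
    one-year return multiple, following the article's 'quick math'."""
    savings = inputs.total_annual_cost * net_improvement_rate
    per_user_savings = savings / inputs.headcount
    net_benefit_per_user = per_user_savings - inputs.training_fee_per_user
    return {
        "annual_savings": savings,
        "per_user_savings": per_user_savings,
        "net_benefit_per_user": net_benefit_per_user,
        # "50X" in the article: net benefit relative to what was spent per user
        "return_multiple": net_benefit_per_user / inputs.training_fee_per_user,
    }


if __name__ == "__main__":
    hours, dollars = productivity_loss(PONEMON_SAMPLE)
    print(f"hours lost per year: {hours:,.0f}  value: ${dollars:,.0f}")
    print(f"net long-term improvement (64% x 75%): {net_improvement(0.64, 0.75):.2%}")
    # Use the report's own 47.75% net improvement to reproduce its savings line.
    for key, value in training_roi(PONEMON_SAMPLE, 0.4775).items():
        print(f"{key}: {value:,.2f}")
```

Swapping `PONEMON_SAMPLE` for your own inputs gives the same model at your organization's scale; the improvement and retention figures are the two assumptions most worth replacing with measured numbers from your own mock-phishing campaigns.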

"This is yet another proof point that an overall security posture is multifaceted and needs to include employee education to prevent against increasingly more sophisticated phishing attacks, which leave companies vulnerable to significant losses and business disruption," Joe Ferrara, president and CEO of Wombat Security Technologies, said in a statement today. "This research reveals the compelling value and ROI from putting in place a comprehensive security training program. Our methods have shown that a continuous training methodology does change employee behavior and reduce risk within an organization."


Stories by Thor Olavsrud