Comprehensive security training programs with a continuous training methodology can significantly reduce the financial consequences of phishing in the workplace, according to a research report published Wednesday.
Security research firm Ponemon Institute recently surveyed 377 IT security practitioners in the U.S. — 39 percent of them from organizations with 1,000 or more employees who have access to corporate email systems — for the Cost of Phishing and Value of Employee Training report, sponsored by Wombat Security Technologies.
"In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks," Larry Ponemon, chairman and founder of Ponemon Institute, said in a statement today. "This research proves that security officers should expect more from employee education and seek providers like Wombat Security who can provide results like these. As the threat landscape continues to intensify and phishing attacks become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack."
Phishing costs businesses big-timePonemon performed a cost analysis of the potential cost to organizations when employees are victimized by phishing scams, extrapolating that the total annual cost of phishing for the average-sized organization in its sample (headcount of 9,552 individuals with user access to corporate email systems) came to $3.77 million. The analysis included costs to contain malware, the cost of malware not contained, loss of productivity from phishing, the cost to contain credential compromises and the cost of credential compromises not contained.
[Related: The worst of the worst phishing scams ]
In Ponemon's cost analysis, the majority of costs are caused by loss of employee productivity, with 48 percent of total organizational costs (more than $1.8 million for average-sized organizations in the sample) pertaining to employee/user productivity losses caused by successful phishing during the work day. The cost of credential compromises not contained accounted for 27 percent of costs (more than $1 million for average-sized organizations in the sample).
Ponemon found that employees waste an average of 4.16 hours annually due to phishing scams. For an average-sized organization (9,552 individuals with user access to corporate email systems), that comes to 39,736 hours wasted due to phishing. Assuming an average labor rate of $45.8 for non-IT employees that comes to a productivity loss of $1,819,923 a year.
Training does matterBut employee security training can substantially affect that number. Ponemon obtained six proof of concept studies for six large companies that used Wombat's training on phishing, including mock attacks and follow-up with in-depth training. The actual improvements experienced by the companies ranged from 26 percent to 99 percent, with an average of 64 percent improvement.
Based on an average retention rate of about 75 percent (Ponemon attributes this to The Learning Pyramid from National Training Laboratories in Bethel, Maine, though its accuracy has been called into question), Ponemon estimates a net long-term improvement in fighting phishing scams of 47.75 percent.
With phishing costing an average-sized organization $3.77 million, Ponemon estimates a cost savings of $1.80 million, or $188.40 per employee/user. Wombat's fee comes in at $3.69 per employee, so a little quick math leads to a net benefit of $184.71 per user — a one-year rate of return of 50X.
"This is yet another proof point that an overall security posture is multifaceted and needs to include employee education to prevent against increasingly more sophisticated phishing attacks, which leave companies vulnerable to significant losses and business disruption," Joe Ferrara, president and CEO of Wombat Security Technologies, said in a statement today. "This research reveals the compelling value and ROI from putting in place a comprehensive security training program. Our methods have shown that a continuous training methodology does change employee behavior and reduce risk within an organization."