Security Awareness Training ROI: Part 3 of 3
- Roy Zur, CEO of ThriveDX for Enterprise
In the previous two installments of our Security Awareness Training ROI series, we provided an overview of why security awareness training should be a priority, taking into account the monetary benefits (Part 1), along with ways to positively impact and change employee security awareness within your own company (Part 2).
At ThriveDX, we’ve spent the past year aligning our mission and solutions to the changing cybersecurity landscape, where human risk remains the number one threat to enterprises worldwide. To this end, we’ve made human factor security a priority, going beyond awareness to provide training that truly makes an impact on employee behavior. As Gartner pointed out in its 2022 Top Trends report, the fact that data breaches continue to plague organizations proves that traditional security awareness training is broken.
Overview
In Part 3 of our Security Awareness Training ROI series, I’d like to both explore where traditional security awareness programs have fallen short and propose a plan for how we can right the ship to truly effect change, creating more secure enterprises and ultimately a more secure digital world for us all. As you’ll read, a few small changes can result in big impacts.
The Big Picture: ROI In The Evolving Cyberculture
Security awareness training has evolved dramatically since the early 2000s. At that time, most companies didn’t rely solely on digital data and computer systems to run their businesses. Computer viruses that could replicate and spread to other computers were the main concern, so the focus was on technology that could keep important data secure. Largely missed was the contribution humans make in cybersecurity.
Fast forward a decade to find companies breaking their dependencies on desktop computers and paper-based processes and embracing laptops, smartphones, and other mobile technologies. The “simple” hacking schemes of the mid-2000s and early 2010s began giving way to the monetization of information and data, as cyber criminals learned they could profit from stealing and selling personal information online. As a result, attacks on organizations in critical infrastructure sectors rose from less than ten in 2013 to almost 400 in 2020, a 3900% increase (Gartner).
Due to these increases, cybersecurity is now becoming a board issue. In the 2022 Gartner Board of Directors Survey, 88% of board members classified cybersecurity as a business risk, while just 12% called it a technology risk. Security leaders, including CIOs and CISOs, are now held accountable for cybersecurity, and any resulting breaches, at a minimum of 85% of organizations (Gartner 2021 survey).
Today, cyberattacks that prey on the human factor are prevalent and increasingly sophisticated, demonstrating the vital need for security awareness. In fact, 93 to 97% of cyberattacks happen through human negligence at an average cost of $4.35 million per breach (IBM) — compared to $3.66 million just four years ago (2022 Cost of Insider Threats Global Report). With two-thirds of companies reporting between 21 and 40 incidents per year, the financial losses to a business can quickly mount.
The Cost-Benefit Analysis At A Glance
An honest cost-benefit analysis of security awareness training might look something like this: When you subtract the expense of a security awareness training course at an average of $50K, you save $4.3 million because the average cost of a data breach is $4.35 million (IBM).
Osterman Research breaks down the direct costs before and after security awareness training for a 1000+ employee company as $488.80 before and $110.21 after. Their research also found that the overall security awareness training budget in 2018 was $137 per employee, growing to $156 per employee in 2019, with the average employee spending under 18 minutes on training per month in mid-2018. This number jumped to nearly 23 minutes in 2019 and 26 minutes by mid-2020.
The savings side of the equation includes lower costs for incident remediation. Less quantifiable are the potentially devastating costs of lost customers, harm to the company’s stock market valuation and reputation, regulatory fines, and more.
What Are The Odds Of An Attack?
The odds that risky employee behavior could initiate a security breach at your company have only increased in recent years, according to the ROI research published in Mimecast’s latest State of Email Security survey. Phishing attacks alone have surged 63% since the COVID-19 pandemic began and employees are clicking on three times more malicious emails than before, often letting their guard down while working from home.
Why Cybersecurity Efforts Fail
Security awareness training is not just about avoiding security threats and breaches, but about avoiding the significant losses that can result in the absence of proper training. In deciding where, when, and how to invest in security readiness, making sure your employees have the information and knowledge to better defend against attacks is critical.
Unfortunately, only 25% of organizations allocate two or more hours to formal phishing training annually and only 20% conduct more than seven simulations per year (ThriveDX Global Cybersecurity Awareness Study 2022).
Traditional approaches to security awareness training have proven to be a drain on resources, time, and money. That’s why it’s so important to invest in the right security awareness training — across all levels of the organization. At ThriveDX, with our End-to-End Cybersecurity Solutions for the Human Factor, we go beyond awareness with our training to include a holistic approach. As noted earlier in this series, and underscored in the ThriveDX study, addressing the human factor is what delivers a higher ROI on an organization’s cybersecurity spend.
ThriveDX’s security awareness training is human factor training that offers relevant and realistic, fully customizable solutions, multiple types of attack simulations, real-time reporting, and complete data privacy. It’s what makes the ThriveDX continuous adaptive training model an award-winning solution.
Small Changes Can Deliver Big Rewards
Every department within your organization is at risk of cyberattacks due to inadequate cybersecurity training, poor cybersecurity culture, and vulnerabilities related to former employees. Your security education must, therefore, focus on promoting behavior change at every level.
In the C-Suite alone, 76% of CEOs admit to bypassing security protocols to get things done faster, sacrificing security for speed. Here’s how even small behavior changes in just one area may reduce cyber risks and better protect your business.
It currently takes an average of 277 days to identify and contain a data breach. Better security awareness training within IT and Security that promotes incident identification and mitigation measures can help contain a breach within 200 days or less to save an average of $1.12M.
Putting in place an Incident Response team to regularly test your company’s IR can provide an average breach cost savings of $2.66M.
Stolen or compromised credentials are not only the most common cause of a data breach, but at 327 days, take the longest time to identify. With continuous, adaptive training for HR employees, your business has the potential to save $150,000 should a breach occur.
Figures are courtesy of IBM.
The Bottom Line
Security is everyone’s responsibility. It only takes one employee clicking on a malicious link, viewing an infected attachment, or sharing sensitive information for your entire company to be put in jeopardy.
The good news is 58% of organizations surveyed by ThriveDX say they now have awareness regulations embedded in their IT strategies and 65% want to expand their awareness programs further in the future. Cybersecurity is headed in the right direction.
According to a new market research report published by Global Market Estimates, the global cybersecurity awareness training market is projected to grow from $1,854.9 million in 2022 to $12,140.0 million by 2027 and is expected to grow at a CAGR of 45.6% from 2022 to 2027. The report cites the rising trend of internet penetration in developing and underdeveloped countries; increasing adoption of wearable gadgets, smartphones, and removable devices; the rise in COVID-19-related scams; recent wars; fake emails; and malicious attacks on SMEs and start-up firms as some of the factors driving the growth of the market.
In Summary
Simply put, sustainable security awareness training can provide a significant ROI and pay for itself in a short period of time. For a relatively small investment, you help ensure that your human firewall is prepared to recognize and respond to the latest threats. For more information on ThriveDX enterprise security training programs, please visit us here.
Roy Zur, a serial entrepreneur, is Founder & CEO of ThriveDX’s Enterprise Division, the global education company committed to transforming lives through digital skills training and solutions. In August of 2021, ThriveDX acquired Cybint Solutions, where he had also served as CEO since founding the company in 2014. Roy is a 15-year veteran of the vaunted Unit 8200 of the Israeli Defense Force, where he served as a Major, which instilled in him early a passion for addressing the “human factor” of cybersecurity training – currently the #1 vulnerability across the threat landscape.
In addition to steering the vision of ThriveDX’s Enterprise Division, Roy serves as adjunct professor of risk management in cybersecurity at IDC Herzliya in Israel. He is also Founder and Chairman of the non-profit Israeli Institute for Policy and Legislation, and a member of the Forbes Business Council.