Osterman Research White Paper

The ROI of Security Awareness Training

White Paper by Osterman Research
Published August 2019
Sponsored by Mimecast

©2019 Osterman Research, Inc. 1


Executive Summary

Technology-based security solutions like firewalls, endpoint detection and response solutions, secure email gateways, desktop anti-virus, cloud-based malware and spam filtering are essential elements of a security infrastructure. However, too many decision makers neglect another important element that’s necessary to keep networks, data, applications, and financial resources safe: the human beings who interact with them. Security awareness training is designed to bolster users’ ability to recognize threats like phishing attempts, unusual requests that purport to be from their company’s CEO, malicious advertising on web pages, and a host of other threats that are designed to trick users into doing something that can wreak havoc within an organization. Users who are well trained on security issues will be more skeptical and more careful about opening emails, clicking on social media links, or visiting web pages without first checking for clues about their validity.

This white paper reviews the results of an in-depth survey of organizations conducted by Osterman Research during May and June 2019. This paper discusses the financial justification for deploying a robust security awareness training program and demonstrates the significant return-on-investment (ROI) that can result.

KEY TAKEAWAYS

• Security decision makers are concerned about a wide range of issues

Our research found that decision makers and influencers are concerned about a wide range of security issues, most notably phishing attacks, malware (including ransomware), and breaches of sensitive or confidential data. Larger organizations tend to be more concerned about these issues than smaller ones.

• Security budgets are increasing

Security budgets at the vast majority of organizations have been increasing over time. Interestingly, at many organizations a relatively small proportion of the total security budget is spent on anti-phishing technologies, despite the fact that phishing is regarded as the leading overall concern.

• But security awareness training budgets are increasing even faster

On a per employee and per email user basis, security awareness budgets are growing at a significantly faster pace than overall security budgets. The growth in these budgets coincides with a significant increase in the monthly minutes of security awareness training that users receive, from an average of 17.6 minutes in mid-2018 to 26.0 minutes expected by mid-2020.

• Decision makers still view technology-based solutions as superior

We found that for phishing and business email compromise (BEC) attacks, decision makers generally regard training as a better way to deal with these threats. However, for other types of security threats, technology-based solutions are generally viewed as superior to security awareness training.

• Most users don’t get enough training

Almost one-third of users receive training about once each year or even less often. Another 29 percent receive security awareness training only two to three times per year. Only 39 percent of users receive training quarterly or more often.

• Training dramatically improves users’ ability to recognize threats

Before security awareness training, IT and security teams had relatively little confidence in their users’ ability to recognize various types of threats. However, after users received training, the level of confidence in their knowledge and ability jumped dramatically – up to threefold in some cases.


• The ROI for security awareness training is significant

The ROI for security awareness training can vary widely based on a number of factors. However, the cost and ROI model that Osterman Research has developed – as shown later in this paper – demonstrates that, on average, smaller organizations (50 to 999 employees) can achieve an ROI of 69 percent from a security awareness training program, while larger organizations (1,000+ employees) can achieve an ROI of 562 percent.

ABOUT THE SURVEY AND WHITE PAPER

Osterman Research conducted a survey among 230 individuals in North American organizations (primarily for-profit companies) who are familiar with security and security awareness training issues in their organizations. We split the survey respondents into two groups, those with 50 to 999 employees and those with 1,000 or more employees, to understand and evaluate differences between them. This white paper was sponsored by Mimecast; information about the sponsor is provided at the end of this paper.

The Key Concerns About Security

DECISION MAKERS ARE CONCERNED ABOUT MANY ISSUES

Our research found that decision makers and influencers in the security space are concerned about a wide range of security issues. Not surprisingly, as shown in Figure 1, decision makers overall are concerned most about phishing attacks that can successfully penetrate their corporate defenses, non-ransomware malware that can infect endpoints on their network, a breach of sensitive or confidential data, and ransomware. However, we found that decision makers in larger organizations are generally more concerned about the range of security issues they might face than their counterparts in smaller organizations – the average level of concern, as shown in Figure 1, is 58 percent for larger organizations and 50 percent for smaller ones.

It’s important to note in reviewing the table that many of these concerns are the result of phishing and social engineering. For example, ransomware and other types of malware infiltration, spam and several other threats shown in the table often have their root in a phishing attack.

Figure 1
Decision Makers’ and Influencers’ Security Concerns
Percentage Indicating They are “Concerned” or “Extremely Concerned”

Security Concern                                                              Total   50 to 999 Employees   1,000+ Employees
Phishing attacks                                                               74%           74%                 75%
Malware other than ransomware                                                  68%           64%                 71%
A breach of sensitive or confidential data                                     68%           65%                 71%
Ransomware attacks                                                             67%           65%                 69%
CEO Fraud/BEC attacks                                                          63%           60%                 66%
Targeted attacks                                                               61%           50%                 71%
Zero-day exploits                                                              57%           53%                 61%
Malware infiltration through web traffic                                       57%           50%                 64%
Account takeover attacks                                                       53%           50%                 57%
Malware infections that occur through web surfing                              53%           55%                 52%
Malvertising                                                                   42%           38%                 45%
Spam                                                                           41%           35%                 46%
“Shadow IT” – employees using unauthorized cloud apps and services             40%           34%                 46%
Cryptocurrency mining malware being installed on your internal PCs or servers  37%           32%                 41%
Employees surfing websites that violate corporate policies (e.g., porn sites)  33%           28%                 38%
AVERAGE LEVEL OF CONCERN                                                       54%           50%                 58%

Source: Osterman Research, Inc.

THEY HAVE REASON TO BE CONCERNED

Decision makers and influencers have good reason to be concerned about security issues. Here are some high-level findings from various security vendors about what they’re seeing:

• Mimecast found that from early 2018 to early 2019, 67 percent of the organizations they surveyed had seen an increase in BEC attacks, and 54 percent saw an increase in phishing [i].

• CyberEdge found that in 2018, 56 percent of organizations were infected with ransomware and 78 percent of networks had been breached [ii].

• Barracuda Networks found that in just March 2019, 4,000 Office 365 accounts were compromised using account takeover attacks and were used to deliver in excess of 1.5 million spam and malicious emails [iii].

• While ransomware was more of a problem in 2016 than it was during the following two years, it seems to be making a comeback in 2019 and is focused heavily on the public sector. In just 2019, the governments of Baltimore, MD; Albany, NY; Fisher County, TX; Genesee County, MI; Cartersville, GA; Lynn, MA; Augusta, ME; Akron, OH; Sammamish, WA; Jackson County, GA; Stuart, FL; Greenville, NC and many others have been infected by ransomware [iv].

• Microsoft has discovered a technique that enables cybercriminals to use Microsoft’s own tools to download code, share it, and run it completely in memory, making it more difficult for some types of traditional anti-virus solutions to detect the threat. And, the process starts with a phishing campaign that relies on careless users to download and run a file [v].

SECURITY PROBLEMS ARE GETTING WORSE

Despite the investment of billions of dollars in security infrastructure and services each year, and even though most of these solutions are quite effective at stopping a significant proportion of malware, spam, phishing attempts, fileless malware, hacking attempts and the like, security problems are getting worse for many organizations. There are two primary reasons for this:

• Bad actors are smart and resourceful

Security vendors spend millions of dollars each year on research and development to develop more capable security solutions and are acquiring innovative security startups that have new ways of addressing threats. There are enormous investments being made in threat intelligence to understand the growing number of adversaries and their techniques. Security solutions are being deployed in new and innovative ways. However, cybercrime has become, for all intents and purposes, an industry like any other, and cybercriminals operate as though they are employees in a loosely connected corporation. There are specialists in the field of cybercrime, ranging from those who develop specific types of malware to those who can provide expertise in converting stolen credentials or data into cash. Cybercriminals collaborate with one another, they seek out recommendations from trusted associates, they can access reviews about the work quality of fellow criminals, they have adopted quasi-regulatory systems, they arbitrate disputes, and so forth. Cybercriminal organizations have access to all of the leading security solutions, and they test against them to ensure they can be bypassed. In short, legitimate organizations must defend themselves from criminal organizations that are intent on penetrating their defenses. And, given that a legitimate organization must protect every point of access while a cybercriminal need penetrate only one, the latter will always have a built-in advantage.

• Some users are not

Despite the enormous investments made in security solutions each year, users continue to be the weak link in the security chain. For example, in the 2019 Data Breach Investigations Report, Verizon demonstrated that four percent of people in the typical phishing campaign will click a link or attachment. Among those who click on a phishing email, many will do so repeatedly. Moreover, KnowBe4 found that 55 percent of people who receive a phishing email in a simulation will click on it less than an hour after the start of the campaign, and another 12 percent will do so within two hours, long before many security solutions are aware of the new phishing campaign.

Where are Security Dollars Going?

SECURITY BUDGETS CONTINUE TO INCREASE

Security budgets vary widely based on a number of factors, including the industry in which an organization participates, the number of employees it has, the geographical distribution of its employees and offices, and the risk tolerance of its senior management. We found that for 2018, the mean security budget at the organizations we surveyed was $332 per employee, increasing to $373 per employee in 2019, an increase of 12 percent. However, the per-employee budget at smaller organizations was much higher in 2018 at $455, growing to $492 in 2019. Larger organizations, owing to the economies of scale that they enjoy, had a mean security budget of $210 per employee in 2018, growing to $255 in 2019.

SECURITY AWARENESS TRAINING BUDGETS ALSO GROWING

Our research found that the overall security awareness training budget in 2018 was $137 per employee, growing to $156 per employee in 2019. For smaller organizations, the mean expenditure per employee was $193 in 2018, growing to $203 in 2019; for larger organizations, the 2018 security awareness training budget was $81 per employee, growing to $109 in 2019. The survey data on overall security budgets and security awareness training budgets is summarized in Figure 2.


Figure 2
Security and Security Awareness Training Budgets per Employee, 2018 and 2019

Source: Osterman Research, Inc.

VARIOUS APPROACHES TO TRAINING

Our research found that there is a wide range of security awareness training programs in use other than the “do-nothing” approach employed by five percent of organizations. As shown in Figure 3, the most common approach to security awareness training is to test everyone using simulated phishing attacks, the approach taken by 39 percent of organizations. Employed by one-third of organizations is the security awareness video approach, followed by selective training for some employees, and the “break-room or lunch-and-learn” approach.

Figure 3
Current Approaches to Security Awareness Training

Source: Osterman Research, Inc.


TRAINING INVESTMENTS ARE INCREASING

The increases in budgets for security awareness training discussed earlier are being translated into employees spending significantly more time in training on security issues. As shown in Figure 4, the average employee spent just under 18 minutes per month in mid-2018, but this has jumped to nearly 23 minutes in 2019 and is expected to increase to 26 minutes by mid-2020. These data show there has been an increase in the average time spent in security awareness training of 29 percent from 2018 to 2019, and there will be a 15 percent increase from 2019 to 2020. Moreover, we found that employee time spent in security awareness training is greater in larger organizations.

Figure 4
Monthly Minutes of Security Awareness Training for the Typical Employee, 2018 through 2020

Source: Osterman Research, Inc.

WHY ARE INVESTMENTS GROWING?

Why are investments in security awareness training increasing, and significantly so? We believe there are two primary reasons:

• Corporate security decision makers increasingly understand the benefits of security awareness training as a complement to technology-based security infrastructure and services. The evidence is clear, as presented in this report and elsewhere, that security awareness training can reduce the success of phishing attempts and other types of attacks and can provide a significant ROI.

• Traditional security technology vendors increasingly realize that security awareness training offers an important complement to their traditional offerings and so are acquiring these vendors or are offering various types of security awareness training. For example, in 2018, Mimecast acquired Ataata, Barracuda acquired PhishLine, and Proofpoint acquired Wombat Security Technologies; and in 2017 Webroot acquired Securecast. Plus, there are traditional, infrastructure- and solution-focused security vendors that offer some form of security awareness training, including Trend Micro (which has recently partnered with four security awareness vendors [vi]), Sophos, and Symantec. In short, it’s no longer just security awareness training companies that are pushing the importance of training users, but traditional security solution vendors, as well. And integration between the technical security controls and the awareness training systems is also showing promise.


Technology vs. Training

WHICH APPROACH DO DECISION MAKERS TRUST MORE?

One of the key queries that we made in the survey was about the perceived efficacy of technology-based security solutions versus the efficacy of security awareness training to address a range of security-related issues. We asked respondents about how well their technology-based solutions protect their organization on a scale of 1 (not well at all) to 7 (extremely well); we asked the same question on the same security issues about security awareness training.

As shown in Figure 5, security decision makers generally consider that their technology-based solutions do a better job at protecting their organization than do their security awareness training programs. However, we found an important change in this survey compared to the survey we conducted asking the same question in August 2018. In the earlier survey, technology-based solutions were regarded as providing better security than security awareness training for every threat about which we queried. However, in the current survey, we found that decision makers now regard security awareness training as providing better protection against phishing attacks and BEC attacks (highlighted in green in the table). This is an important change, and it reflects the fact that security awareness training is now viewed as a stronger complement to more traditional security solutions. This is particularly true for smaller organizations that may spend significantly more per employee on security in general and may need to rely more on training than technology to protect their organizations.

Figure 5
Perceptions About the Effectiveness of Technology-Based Security Defenses vs. Security Awareness Training
Percentage Indicating That Solution Works “Well” or “Extremely Well”

                                                         Total           50 to 999 Employees    1,000+ Employees
Security Concern                                       Tech    SAT          Tech    SAT            Tech    SAT
Phishing attacks                                        50%    58%           43%    57%             56%    60%
CEO Fraud/BEC attacks                                   48%    65%           41%    63%             55%    66%
Malware other than ransomware                           62%    50%           62%    49%             62%    51%
Employees surfing websites that violate policies        62%    51%           62%    48%             62%    55%
Ransomware attacks                                      61%    51%           58%    47%             64%    55%
Malware infections that occur through web surfing       60%    46%           56%    38%             63%    54%
Malware infiltration through web traffic                59%    44%           60%    41%             58%    47%
Spam                                                    56%    48%           55%    45%             57%    51%
Targeted attacks                                        51%    45%           48%    40%             54%    50%
A breach of sensitive or confidential data              50%    48%           41%    39%             58%    57%
Cryptocurrency mining malware                           50%    40%           43%    34%             55%    46%
Malvertising                                            50%    44%           48%    37%             53%    50%
Zero-day exploits                                       48%    39%           45%    35%             50%    43%
Account takeover attacks                                48%    42%           42%    37%             53%    47%
“Shadow IT”                                             44%    41%           41%    35%             46%    46%

Source: Osterman Research, Inc. “Tech” refers to technology-based security solutions; SAT refers to security awareness training


MOST USERS ARE NOT ADEQUATELY TRAINED

Despite the fact that users are receiving more security training over time, many users still do not receive an amount of training adequate to protect their organizations. As shown in Figure 6, nearly one-third of users receive training about once each year or less often. Another 29 percent receive security awareness training only two to three times per year. Only 39 percent of users receive training quarterly or more often.

Figure 6
Frequency of Conducting Security Awareness Training

Source: Osterman Research, Inc.

It’s important to note that users in larger organizations receive more security awareness training than their counterparts in smaller organizations. As shown in Figure 6, 28 percent of users in larger organizations receive training more than six times per year, but only 16 percent of users in smaller organizations receive this much training. Similarly, while 10 percent of users in smaller organizations receive training only once when they join the organization or not at all, only four percent of users in larger organizations receive this little training.

TRAINING MAKES USERS MUCH MORE CAPABLE

Before security awareness training is conducted, IT and security teams report relatively little confidence in their users’ ability to recognize various types of threats. As shown in Figure 7, only 23 percent of those in IT/security believe their users are “capable” or “very capable” at recognizing mass-mailed phishing emails. Expectations about the capability of untrained users are similar for targeted emails and social media and web scams. However, after users have received security awareness training, the level of confidence in them jumps dramatically – up to threefold in the case of mass-mailed phishing attempts.


Figure 7
Perceived Ability of Employees at Recognizing Various Threats Before and After Security Awareness Training
Percentage Indicating “Capable” or “Very Capable”

Source: Osterman Research, Inc.

ENTHUSIASM ABOUT SECURITY AWARENESS TRAINING

Are employees enthusiastic about going through security awareness training? It depends on who you ask: as shown in Figure 8, two-thirds of senior IT management are enthusiastic about it, and most of the rest of people in IT management are generally in favor and supportive. However, the level of enthusiasm drops off substantially with those outside of the IT department. Only 47 percent of senior business management and 23 percent of rank-and-file employees are enthusiastically supportive of security awareness training.

Figure 8
Attitudes Towards Security Awareness Training

Source: Osterman Research, Inc.


Senior IT management are generally enthusiastic about security awareness training for obvious reasons: they see the direct benefit of having fewer users click on phishing links, open suspicious attachments and otherwise introduce malicious content into the organization. Others are perhaps less enthusiastic because they see security awareness training as yet another task that takes them away from their already heavy workload. Others may not perceive the benefit because they typically don’t have to deal directly with the impact that follows a malware infection, data breach or some other security incident. One way to increase the enthusiasm level for non-IT and non-security employees may be by introducing humor or entertainment into the learning process. The survey asked about the type of security awareness training that IT and security decision makers and influencers would find most engaging for their users. We found that nearly three in five (58 percent) would prefer training “content that is presented with a mix of seriousness and entertainment”. Only 33 percent prefer “serious content presented in a very matter-of-fact way”.

The ROI of Security Awareness Training

THE COSTS WITH AND WITHOUT TRAINING

To determine the costs of not having security awareness training and the costs that are experienced after a security awareness training program has been implemented, we built a cost model based on the survey data and various assumptions:

• Annual, fully burdened salary of IT staff members: $80,000

• Annual, fully burdened salary of non-IT employees: $75,000

• Hours worked per year per employee: 2,080

• Employee productivity loss during downtime caused by malware/ransomware while the incident is being remediated: 70 percent

• Mean number of hours that employees would experience downtime during a malware/ransomware incident: 9.9 hours in smaller organizations; 18.0 hours in larger organizations (based on the research conducted for this white paper).

• There is one major malware/ransomware incident per year caused by an employee mistake. We further assume that after security awareness training, the chance of an employee-caused mistake of this type is reduced by 90 percent.

• Despite the time investment required of employees for security awareness training, much of this occurs during the normal work process and so the actual reduction in employee productivity from training is only 15 percent.

• Pricing for security awareness training is the average pricing for smaller and larger organizations published by a leading vendor in the training space.

Please note that these assumptions can vary widely based on geography and other factors. For example, the average base pay for a systems administrator in Jacksonville, Florida is $61,877, whereas the same position in San Jose, California averages $92,962 [vii], and so salaries by themselves can have a major impact on ROI. Combining these assumptions and the research conducted for this white paper, we developed the calculations shown in Figures 9 and 10.


Figure 9
Costs Before Security Awareness Training

Cost Elements                                                                                 50 to 999 Emps   1,000+ Emps
Annual IT/security person-hours spent per 1,000 users disinfecting workstations, networks          760.0          137.3
Annual cost per user                                                                              $29.23          $5.28
IT/security hours to remediate one major malware or ransomware attack per 1,000 users              195.2          730.9
Hours that 1,000 users would be down during remediation period [viii]                              9,881         18,043
Annual IT/security costs                                                                          $7,510        $28,111
Annual non-IT employee costs                                                                    $249,394       $455,406
Annual IT/security costs, per user                                                                 $7.51         $28.11
Annual costs, per user                                                                           $249.39        $455.41
TOTAL COSTS PER USER BEFORE SAT                                                                  $286.14        $488.80

Source: Osterman Research, Inc.

Figure 10
Costs After Security Awareness Training

Cost Elements                                                                                 50 to 999 Emps   1,000+ Emps
Annual IT/security person-hours spent disinfecting workstations, networks                          565.5          120.5
Cost per user                                                                                     $21.75          $4.63
IT/security hours to remediate one major malware or ransomware attack per 1,000 users              195.2          730.9
Hours that 1,000 users would be down                                                               9,881         18,043
Annual IT/security costs, per user                                                                 $7.51         $28.11
Annual email user costs, per user                                                                $249.39        $455.41
Likelihood of an attack caused by a user mistake                                                     10%            10%
Annual IT/security costs, per user                                                                 $0.75          $2.81
Annual costs, per user                                                                            $24.94         $45.54
Annual IT/security hours devoted to SAT per 1,000 users                                          1,159.9          309.4
Cost per user                                                                                     $44.61         $11.90
Cost of SAT, per user                                                                             $23.00         $17.50
Cost of employee time spent in SAT                                                                $21.11         $27.83
TOTAL COSTS PER EMPLOYEE AFTER SAT                                                               $136.17        $110.21

Source: Osterman Research, Inc.

SCENARIO 1: ONGOING, REGULAR SECURITY EVENTS

Using these calculations, we determined that the aggregate costs of dealing with disinfecting workstations and remediating malware/ransomware incidents without security awareness training are as shown in Figures 11 and 12, respectively. The research conducted for this white paper also found that when security awareness training is implemented, the costs of disinfecting workstations and remediating malware/ransomware attacks go down dramatically, resulting in a significant ROI for both small and large organizations. However, given that our research found that larger organizations spend less on security awareness training per employee and experience some costs that can be lower than for their smaller counterparts, the ROI is significantly greater for large firms, as shown in Figures 11 and 12.

Figure 11
Smaller Organizations, Annual Cost per Employee

Cost Element                        Before SAT   After SAT
Disinfecting workstations               $29.23      $21.75
Remediating malware/ransomware         $256.90      $25.69
Labor cost of SAT                           $0      $44.61
Cost of SAT                                 $0      $23.00
Employee time spent on SAT                  $0      $21.11
TOTAL                                  $286.14     $136.17
ROI                                                    69%

Source: Osterman Research, Inc.

Figure 12
Larger Organizations, Annual Cost per Employee

Cost Element                        Before SAT   After SAT
Disinfecting workstations                $5.28       $4.63
Remediating malware/ransomware         $483.52      $48.35
Labor cost of SAT                           $0      $11.90
Cost of SAT                                 $0      $17.50
Employee time spent on SAT                  $0      $27.83
TOTAL                                  $488.80     $110.21
ROI                                                   562%

Source: Osterman Research, Inc.

OTHER COSTS

It’s important to note that the costs identified in the figures above represent the direct costs that security awareness training can reduce. However, there are other costs that are more difficult to quantify, such as:

• Loss of customers and revenue

A data breach can result in loss of customers. For example, a Carnegie Mellon study of more than 500,000 bank customers found that if a customer found unauthorized charges on his or her account, they were one percent more likely to switch banks during the following six months than the average customer of the bank. The study also found that long-term customers were more likely to leave [ix]. Target experienced a 46 percent year-over-year sales decline in the fourth quarter of 2013 following disclosure of its data breach [x]. Another study found that for companies that suffer a data breach, seven in 10 customers would stop doing business [xi]; another study had similar findings [xii].

• Loss of valuation

A data breach, ransomware infection or some other major security issue can have both immediate and long-term impacts on an organization’s valuation. For example, one analysis found that the largest drop in a company’s stock price comes 14 days after public disclosure of the breach. While the stock will rebound significantly in the 12 months following disclosure of the breach, the increase in stock price is not as great as it would have been had the breach not occurred [xiii].


• Loss of reputation

An organization that suffers a ransomware attack or a data breach, for example, will certainly face a loss of reputation when the problem becomes public knowledge. While loss of reputation carries with it a number of problems, it’s a difficult one to quantify in the context of ROI calculations.

• Other costs

There are several other costs associated with data breaches and various kinds of security problems. These include fines from regulators, legal costs, the cost of credit reporting services provided to customers who have had their data stolen, and the cost of terminating employees who were responsible for the breach. Moreover, if a data breach results in the loss of intellectual property, there can be protracted legal actions, loss of patents, and the intellectual property itself. As an example of the enormous costs that can accompany a data breach, consider Equifax: the company has agreed to pay a minimum of $1.4 billion to settle various lawsuits related to its breach of 147 million consumer records [xiv].

SCENARIO 2: OCCASIONAL, “UNLIKELY” EVENTS

The scenario above describes the somewhat regular, ongoing events that impact organizations. But what about events that occur with much less regularity, but that can cause devastating consequences, and could be prevented – or the chance of them occurring reduced – with appropriate security awareness training? For example:

• Let’s assume that a 500-user organization has the potential of experiencing a data breach from a data-stealing malware attack that costs it $1 million in remediation costs, lost revenue, lost goodwill, and the like.

• Let’s also assume that a 5,000-user organization faces the potential of the same type of attack, but its cost would be $4 million because of the much larger number of records that would be lost, greater costs of remediation, and so forth.

• We will also assume conservatively that these risks are unlikely, and will occur only once every 20 years.

• Finally, we will conservatively assume that good security awareness training can reduce the likelihood of these attacks by 80 percent. Please note that this is an assumption that can vary widely.

Based on these assumptions, the costs and ROI associated with these unlikely events are shown in Figures 13 and 14.

Figure 13: 500-User Organization, Cost and ROI of Unusual Events

Cost of data breach: $1,000,000
Likelihood per year: 5%
Cost per year without SAT: $50,000
Annual security awareness training costs: $11,500
Cost per year with SAT: $10,000
ROI: 248%

Source: Osterman Research, Inc.


Figure 14: 5,000-User Organization, Cost and ROI of Unusual Events

Cost of data breach: $4,000,000
Likelihood per year: 5%
Cost per year without SAT: $200,000
Annual security awareness training costs: $87,500
Cost per year with SAT: $40,000
ROI: 83%

Source: Osterman Research, Inc.
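The annualized-loss arithmetic behind Figures 13 and 14, as an added example that is not part of the Osterman paper: it reproduces both figures from the stated assumptions (a 1-in-20-year event, 80 percent likelihood reduction) and also computes the break-even reduction, the smallest training effectiveness at which the program pays for itself, which the figures do not show. The class and field names are my own.

```python
"""Annualized-loss ROI model for security awareness training (SAT).

Added example, not from the Osterman paper: it reproduces the arithmetic
behind Figures 13 and 14 from the paper's stated assumptions and
generalizes it to other inputs. Class and field names are my own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SatScenario:
    breach_cost: float           # one-time cost of the event (USD)
    annual_likelihood: float     # probability the event occurs in a year
    risk_reduction: float        # fraction of that likelihood SAT removes
    annual_training_cost: float  # yearly SAT spend (USD)

    def expected_loss_without_sat(self) -> float:
        # Annualized loss expectancy: single-event cost x annual rate.
        return self.breach_cost * self.annual_likelihood

    def expected_loss_with_sat(self) -> float:
        return self.expected_loss_without_sat() * (1.0 - self.risk_reduction)

    def net_benefit(self) -> float:
        # Avoided expected loss minus what the program costs each year.
        avoided = self.expected_loss_without_sat() - self.expected_loss_with_sat()
        return avoided - self.annual_training_cost

    def roi_percent(self) -> int:
        # ROI as the paper reports it: net benefit relative to training spend.
        if self.annual_training_cost <= 0:
            raise ValueError("ROI is undefined when training cost is zero")
        return round(100.0 * self.net_benefit() / self.annual_training_cost)

    def breakeven_reduction(self) -> float:
        # Smallest risk reduction at which SAT pays for itself (net benefit 0).
        return self.annual_training_cost / self.expected_loss_without_sat()


# The paper's two cases: a 1-in-20-year event (5%/yr) and an 80% reduction.
FIGURE_13 = SatScenario(1_000_000, 0.05, 0.80, 11_500)  # 500-user organization
FIGURE_14 = SatScenario(4_000_000, 0.05, 0.80, 87_500)  # 5,000-user organization

if __name__ == "__main__":
    for name, s in (("Figure 13", FIGURE_13), ("Figure 14", FIGURE_14)):
        print(f"{name}: without SAT ${s.expected_loss_without_sat():,.0f}, "
              f"with SAT ${s.expected_loss_with_sat():,.0f}, ROI {s.roi_percent()}%, "
              f"break-even reduction {s.breakeven_reduction():.0%}")
```

Because the training spend is fixed while the avoided loss scales with breach cost and likelihood, the break-even figure (23 percent for Figure 13, about 44 percent for Figure 14) is the number to revisit if the 80 percent assumption is challenged.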

Some Best Practices to Consider

Osterman Research recommends that all organizations, but particularly those that have yet to begin a security awareness training program, consider the following ideas:

• Make sure the board is on-board

The success of a robust security awareness training program is at least partially dependent on its support from the board of directors and senior management within an organization. Our research over the past several years shows that boards are becoming more aware of the need to understand security more thoroughly, and they’re doing this by adding CISOs to their ranks, getting more in-depth on key security issues that affect their company, having more frequent reporting on security issues, etc. Convincing boards of directors through solid evidence that security awareness training works and returns a solid ROI will be key in moving these initiatives through in many organizations.

• Understand the ROI of security awareness training

As demonstrated in this paper, there is a solid ROI to be gained from a robust security awareness training program. Good training is not a “nice-to-have” element of a security plan, but an essential element of it. Having employees who are trained to recognize phishing and other threats, and who are taught to be more careful about everything they do online, will result in solid dollar savings from a reduced number of data breaches, less IT and security time spent remediating the results of malware infections, and the like.

• Identify key issues in your corporate culture

Not every corporate culture will be open to the idea of, nor will it support, security awareness training. Some managers, particularly in non-technical roles, will not be open to the idea of being trained and so won’t support or fund it to the degree they should. Just like boards should be focused on security, so should senior management so that security awareness training will be supported and will be given the opportunity to succeed. Gaining management approval to fund and promote security awareness training is essential to fostering not only good training programs, but also creating a corporate culture in which treating employees as a key part of the security infrastructure is given a high priority. A key element of a corporate culture that supports security awareness training is teachability. Managers and others who don’t want to be challenged and instructed about mistakes they’re making will be a detriment to any training program and will slow the results that otherwise might be achieved.

• Ensure that security awareness training is sufficiently frequent

Good security awareness training that occurs just when an employee joins the company or otherwise infrequently is not adequate. It needs to happen with adequate frequency so that employees understand new threats and the techniques of bad actors, and so that good security practices are kept top-of-mind.


• Ensure that training is appropriate for different users

A good security awareness training program should be provided for all users, but some roles may require specific types of training. Our research found that many organizations will provide additional training for different roles within the organization. For example, 72 percent of IT staffers receive additional training beyond what is provided to the general employee population because they may be at risk for targeted threats. The same is true for 57 percent of senior executives, and 37 percent of those in finance and human resources.

• Make security awareness training fun

Security awareness training should be engaging and interesting to those being taught. Not that it should be purely entertaining, but an appropriate mix of entertainment combined with solid teaching will go a long way toward helping people understand, remember and apply what they’ve been taught.

• Ensure the focus is on behavioral change

The crux of security awareness training is changing the behavior of the users who are being taught: getting people to click on links or attachments in phishing emails much less often; to look for clues in emails that are the telltale signs of a bad actor; to be more skeptical about requests for sharing data, buying gift cards or wiring funds; to share information on social media with more forethought, etc. The ultimate goal of security awareness training is about changing the behavior of employees who have the potential of creating enormous harm through carelessness and simple mistakes.

• Ensure that security awareness training covers all the bases

Security awareness training should encompass all aspects of security, not just recognizing phishing attempts, as important as that is. It should include not oversharing on social media so as to provide fodder for bad actors to craft more believable BEC attempts. It should include a protocol for how to use public Wi-Fi safely in places like coffee shops, airports and hotels. It should include training on why not to plug random USB sticks into corporate workstations or personal ones that access corporate data. In short, security awareness training should cover all of the potential threats that exist.

Summary

Security awareness training should be a key element of any organization’s security posture. Just as the right technology, such as firewalls, endpoint detection and response solutions, secure email gateways, cloud-based filtering, and other solutions, can protect an organization’s data and financial assets from theft or destruction, so can good employee training. Good security awareness training can provide a significant ROI and can pay for itself in a short time.

Sponsor of This White Paper

Developed by top leadership from the U.S. military, law enforcement and the intelligence community, Mimecast Awareness Training is a security awareness training and cyber risk management platform that helps you combat information security breaches caused by employee mistakes. Human error is involved in 95 percent of all security breaches. But humans are maddeningly careless and resistant to change. Employees’ casual mistakes lead to disaster all the time — and cost people their jobs. To change security culture effectively, employees have to know what to do, care enough to improve, and then do what’s right when it matters.

www.mimecast.com

@Mimecast

[email protected]

+1 617 393 7000


You need to drive gut-level behavior improvements at scale. That is what Mimecast Awareness Training’s cyber security training platform delivers. Mimecast Awareness Training combines effective, modern training techniques with predictive analytics to solve for your company's vulnerability to human error. From ransomware and phishing to unattended laptops and CEO fraud, the threats are many and they are real. There are plenty of bad actors ready to take advantage of your employees’ mistakes. And even when mistakes are not being engineered and leveraged by malicious outsiders, poor cyber habits can lead to difficult and costly situations for you and your team. Mimecast Awareness Training helps you mitigate cyber risk stemming from the simple mistakes your employees are making every day.


© 2019 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

REFERENCES

i Source: The State of Email Security Report 2019
ii Source: CyberEdge 2019 Cyberthreat Defense Report
iii https://www.bleepingcomputer.com/news/security/office-365-accounts-compromised-via-ato-attacks-used-in-bec-scams/
iv https://go.recordedfuture.com/hubfs/reports/cta-2019-0510.pdf
v https://www.zdnet.com/article/microsoft-warns-about-astaroth-malware-campaign/
vi http://www.enterpriseitworld.com/news/trend-micro-partners-with-market-leading-security-awareness-vendors/
vii Source: Glassdoor
viii This calculation is based on the number of hours per 1,000 email users and it applies also to organizations with fewer than 1,000 email users.
ix https://deltarisk.com/blog/the-impact-of-bank-data-breaches-on-customer-loyalty-and-retention/
x https://www.csoonline.com/article/3019283/does-a-data-breach-really-affect-your-firm-s-reputation.html
xi https://itsecuritycentral.teramind.co/2017/12/20/data-breach-cost-when-you-lose-your-customers/
xii https://www.csoonline.com/article/3019283/does-a-data-breach-really-affect-your-firm-s-reputation.html
xiii https://duo.com/decipher/data-breaches-have-long-term-impact-on-stock-price
xiv https://www.law.com/2019/07/22/equifax-reaches-1-4-billion-data-breach-settlement-in-consumer-class-action/