Bromium, Inc. has today released new research which found the productivity cost of security education for large enterprises is at an all-time-high of $290,033 per year per organisation, and that user education is rocketing up the CIO’s priority list. Yet despite those investments, the end user remains the greatest risk to the organisation’s security from targeted zero-day and nation state threats to common ransomware and phishing attacks.
The research is based on a survey of 500 CIOs from large enterprises in the US (200), UK (200) and Germany (100).
It found that 99% of CIOs see users as ‘the last line of defence’ against hackers. This means the burden of securing the enterprise has shifted to user education and often stringent policies and procedures that limit teams’ ability to get work done and puts a tremendous amount of personal responsibility on the end user.
Based on an average of seven hours of cyber security training per employee, large enterprises waste $290,000 per year through productivity loss.
Skilled employees in HR, Legal, IT and Risk spend an additional 276 hours a year helping to arrange and deliver in-house training, while most businesses (90%) have used external consultants for over 3 days (27 hours) a year to review and advise on security policies and procedures.
94% of CIOs have pushed for increased investment in user education following recent headlines around phishing and ransomware.
Increased user education doesn’t correlate with reducing attack success
Despite growing investment of time, capital and human resources to increase security education, users remain the weakest link in security, and user-introduced threats continue to rise.
According to BakerHostetler’s 2016 Data Security Incident Response Report, phishing, hacking, and malware accounted for approximately 31% of incidents, followed by employee actions and mistakes (24%).
Verizon’s Data Breach Investigations Report shows that there are often repeat offenders too: 30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link multiple times.
“While end users are often the easiest target for hackers, the idea that they should be ‘the last line of defence’ for a business is simply ridiculous. The fact is, most employees are focused on getting their jobs done, and any training will go out the window if a deadline is looming,” comments Simon Crosby, CTO for Bromium.
“Insanity is doing the same thing over and over again and expecting different results; yet this is exactly what businesses are doing by piling time and money into education. It’s inevitable that the average employee will do something that goes against their training. For example, a HR department can’t avoid opening attachments from untrusted sources, but this is a favoured hacker tactic for distributing malware and ransomware. The fact is our whole approach to security needs to change.”
Let users click with confidence and let the malware run
“The culture of making employees responsible for security simply isn’t fair. Users are being criminalised for carrying out normal day to day business activities, because based on their security training, they should have suspected a risk with whatever they were doing,” Crosby continued. “We need to challenge the status quo: next gen is a nonsense and we need a totally new approach.”
>See also: Addressing the cyber security skills gap
“Instead of wasting time on user education policies, protect your users. Let them click with confidence. If they get attacked, let it happen, but do so in a contained environment. By isolating applications in self-contained hardware-enforced environments, malware is completely trapped.”
“Users are free to download attachments, browse websites and click on links without fear of causing a breach. This is the only way to stem the tide of user-introduced threats.”
*$290,033 is calculated as follows: The average hourly pay of an employee is $21 based on data from the ONS in the UK, Statista in Germany, and the Department of Labor in the US. This was then multiplied by the 7 hours a year spent by individual employees on security education and training, and then multiplied by the average number of employees (2,000) in a large enterprise. The $290,033 figure doesn’t include the cost of hiring in external consultants to conduct training sessions with users, or the time spent by IT, legal and HR teams organising internal sessions.