The cost of security education for large enterprises at an all-time-high of $290,033 per year per organization, and user education is rocketing up the CIO’s priority list. Yet despite those investments, the end user remains the greatest risk to the organization’s security from targeted zero-day and nation state threats to common ransomware and phishing attacks, according to a survey conducted by Vanson Bourne.
The research is based on a survey of 500 CIOs from large enterprises in the US (200), UK (200) and Germany (100). Key findings include:
- 99% of CIOs see users as ‘the last line of defence’ against hackers. This means the burden of securing the enterprise has shifted to user education and often stringent policies and procedures that limit teams’ ability to get work done and puts a tremendous amount of personal responsibility on the end user.
- Based on an average of seven hours of cybersecurity training per employee, large enterprises waste $290,000 per year.
- Skilled employees in HR, Legal, IT and Risk spend an additional 276 hours a year helping to arrange and deliver in-house training.
- Most businesses (90%) have used external consultants for over 3 days (27 hours) a year to review and advise on security policies and procedures.
- 94% of CIOs have pushed for increased investment in user education following recent headlines around phishing and ransomware.
Increased user education doesn’t correlate with reducing attack success
Despite growing investment of time, capital and human resources to increase security education, users remain the weakest link in security, and user-introduced threats continue to rise.
According to BakerHostetler’s 2016 Data Security Incident Response Report, phishing, hacking, and malware accounted for approximately 31 percent of incidents, followed by employee actions and mistakes (24 percent). Verizon’s Data Breach Investigations Report shows that there are often repeat offenders too: 30% of phishing messages get opened by targeted users and 12 percent of those users click on the malicious attachment or link multiple times.
“While end users are often the easiest target for hackers, the idea that they should be ‘the last line of defence’ for a business is simply ridiculous. The fact is, most employees are focused on getting their jobs done, and any training will go out the window if a deadline is looming,” comments Simon Crosby, CTO for Bromium.
“Insanity is doing the same thing over and over again and expecting different results; yet this is exactly what businesses are doing by piling time and money into education. It’s inevitable that the average employee will do something that goes against their training. For example, a HR department can’t avoid opening attachments from untrusted sources, but this is a favoured hacker tactic for distributing malware and ransomware. The fact is our whole approach to security needs to change.”
Let users click with confidence
“The culture of making employees responsible for security simply isn’t fair. Users are being criminalised for carrying out normal day to day business activities, because based on their security training, they should have suspected a risk with whatever they were doing,” Crosby continued. “We need to challenge the status quo: next gen is a nonsense and we need a totally new approach.”
“Instead of wasting time on user education policies, protect your users. Let them click with confidence. If they get attacked, let it happen, but do so in a contained environment. By isolating applications in self-contained hardware-enforced environments, malware is completely trapped. Users are free to download attachments, browse websites and click on links without fear of causing a breach. This is the only way to stem the tide of user-introduced threats.”