According to a new study, the cost of cybersecurity education for large enterprises at an all-time-high of $290,033 per year per organization, and user education is rocketing up the CIO’s priority list.

Research from Bromium has found that

  • 99% of CIOs see users as ‘the last line of defense’ against hackers. This means the burden of securing the enterprise has shifted to user education and often stringent policies and procedures that limit teams’ ability to get work done and puts a tremendous amount of personal responsibility on the end user.
  • Based on an average of seven hours of cybersecurity training per employee, large enterprises waste $290,000 per year.
  • Skilled employees in HR, Legal, IT and Risk spend an additional 276 hours a year helping to arrange and deliver in-house training.
  • Most businesses (90%) have used external consultants for over 3 days (27 hours) a year to review and advise on security policies and procedures.
  • 94% of CIOs have pushed for increased investment in user education following recent headlines around phishing and ransomware.

Increased User Education Doesn’t Correlate with Reducing Attack Success

Despite growing investment of time, capital and human resources to increase security education, users remain the weakest link in security, and user-introduced threats continue to rise. According to BakerHostetler’s 2016 Data Security Incident Response Report, phishing, hacking, and malware accounted for approximately 31 percent of incidents, followed by employee actions and mistakes (24 percent). Verizon’s Data Breach Investigations Report shows that there are often repeat offenders too: 30% of phishing messages get opened by targeted users and 12 percent of those users click on the malicious attachment or link multiple times.

“While end users are often the easiest target for hackers, the idea that they should be ‘the last line of defence’ for a business is simply ridiculous. The fact is, most employees are focused on getting their jobs done, and any training will go out the window if a deadline is looming,” saud Simon Crosby, CTO for Bromium.

“Insanity is doing the same thing over and over again and expecting different results; yet this is exactly what businesses are doing by piling time and money into education. It’s inevitable that the average employee will do something that goes against their training. For example, a HR department can’t avoid opening attachments from untrusted sources, but this is a favoured hacker tactic for distributing malware and ransomware. The fact is our whole approach to security needs to change.”

Let Users Click with Confidence and Let the Malware Run

“Instead of wasting time on user education policies, protect your users. Let them click with confidence. If they get attacked, let it happen, but do so in a contained environment. By isolating applications in self-contained hardware-enforced environments, malware is completely trapped. Users are free to download attachments, browse websites and click on links without fear of causing a breach. This is the only way to stem the tide of user-introduced threats.”

The research was conducted by researchers at Vanson Bourne. The sample of 500 was made of 175 enterprises with between 1,000 and 3,000 employees, 175 with 3,000 to 5,000 employees and further 150 with more than 5,000 employees.