Security Awareness Training Answers the Call by Cutting Phishing Costs in Half
Many of today’s most expensive and devastating cybercrimes arrive on a company’s doorstep as the cargo of a phishing email. Attacks like business email compromise or ransomware can bring a company to its knees through expenses related to response, investigation, mitigation, loss of data and productivity, payroll overages and more, especially if intensive repairs are required to restore the company’s environment or recover their data. That’s one reason why 60% of companies that suffer a cyberattack go out of business. But the data shows that when companies are looking to improve security affordably, security awareness training answers the call, cutting phishing costs in half while improving overall security.
Wondering How to Cut Phishing Risk? Security Awareness Training Answers That Question
Security awareness training can help businesses avoid an expensive data breach. As we reported last week, data breach rates are steadily climbing, and phishing is at the root of many of those breaches. In a recent report, researchers discovered that just under 75% of organizations in the United States were hit by a successful phishing attack that resulted in a data breach in the last 12 months. The US is the leader in phishing-related data breaches for 2021 so far, with rates 30% higher than the global average, and 14% higher than the same period in 2020. The UK isn’t lagging far behind – 73% of the UK organizations surveyed suffered at least one data breach caused by phishing attacks in the last year.
The relationship between phishing and a data breach puts many businesses that have neglected security awareness training at risk for a disaster. The newly released 2021 Ponemon Cost of Phishing Study helps shed light on some of the massive hits that companies can take to their revenue in the event of a successful phishing attack. The biggest takeaway from this report is the colossal increase in the cost of a phishing attack for businesses. Researchers say that the cost of phishing attacks has almost quadrupled over the past six years, with large US companies losing an average of $14.8 million annually (or $1,500 per employee) to phishing.
How can companies reduce the cost associated with phishing? Security awareness training answers that need. It’s the one bright spot in this tale of increased expense, and it’s an easy thing for businesses to do that pays dividends in other areas of cybercrime protection. Security awareness training reduces the cost of phishing by more than 50%. That’s a significant reduction. Companies are constantly looking for easy ways to lower risk across the board without spending a fortune, and security awareness training answers that question by reducing a company’s chance of experiencing a data breach by up to 70%. It’s easy to see the dollars and cents of exactly what makes it so valuable. It’s a small investment in a business that offers an excellent ROI.
What is the Real Cost of Phishing?
While this report detailed several areas of concern for IT professionals when it comes to containing burgeoning phishing costs, two stand out as major cost centers when calculating the cost of phishing and the impact of a phishing-related data breach: business email compromise (BEC) and credential compromise. But security awareness training answers the need to cut costs in these dangerous areas of phishing-related cybercrime too.
Ransomware may hog the cybersecurity spotlight, but business email compromise is the biggest phishing villain and the costliest menace that businesses face every day. The US Federal Bureau of Investigation (FBI) IC3 Internet Crime Report. Security awareness training is a bargain when it comes to BEC. BEC is extremely expensive from discovery through investigation and recovery. This report reveals that companies shelled out almost $6 million per year on business email compromise recovery, which includes about $1.17 million in illicit payments made to attackers annually. Organizations transferred an average of $1.17 million to BEC attackers in the past 12 months.
BEC risk is rising steadily. As we reported in The State of Email Security, this type of flexible and devastating attack rose 14% in 2020, with a whopping 65% of organizations facing down a BEC threat. Security awareness training can reduce that threat by making employees more aware of the usual point of entry for BEC, a phishing email. It’s a popular tactic because it is very profitable for cybercrime gangs. Bad actors enjoyed payouts in 2020 that were 30% larger than the previous year. Gartner estimates BEC attacks will double each year, reaching an impact of $5 billion by 2023.
Security awareness training answers the call to help businesses reduce the risk for another danger that can spawn from a successful phishing attack: credential compromise. Researchers disclosed that the average company experiences 5.3 credential compromises that originate from phishing every year, a frightening proposition when you think about the havoc that cybercriminals can wreak with just one stolen credential. The LinkedIn credential compromise incident is a good look at how businesses can get tangled up in credential compromise disasters that aren’t even on them as dark web data piles up.
Even when they’re quickly contained, credential compromises caused by phishing are an expensive proposition and like everything else, that’s only rising. The cost to contain phishing-related credential compromises increased from $381,920 in 2015 to $692,531 in 2021. So how expensive is a compromised credential that is not quickly contained? The financial hit to businesses that do not contain a credential compromise quickly has also more than doubled for a total cost of $2.1 million. In any scenario, comparing the tiny cost of security awareness training to those big bills makes it easy to see why it’s an economical choice to reduce this risk.
The growth in expense for credential compromise attacks tracks with data from other sources. In the Verizon Data Breach Investigations Report 2021, researchers note that 61% of data breaches are caused by credential compromise. One of the most common ways that cybercriminals accomplish credential compromise is through phishing, which is often powered by the huge quantities of records that are readily available in dark web data markets and dumps, including 22 billion added in 2020 alone. A 100GB text file dubbed RockYou2021 was leaked by an anonymous user on a popular hacker forum in early summer 2021, adding a new cache of data estimated to contain 8.4 billion passwords. Security awareness training definitively takes a bite out of phishing risk related to credential compromise, especially when combined with the powerhouse protection of multifactor authentication, a tool that stops 99% of phishing-related cybercrime.
How Security Awareness Training Answers the Call to Cut the Cost of Phishing by Over 50%
When a company is wondering what they can do to quickly improve their security, adding or restarting security awareness training answers that inquiry. Unfortunately, far too many organizations neglected security in the hubbub of 2020 – especially training. Almost 50% of companies have done no training for employees around security awareness topics like remote workforce risks.
That training needs to be refreshed regularly and given at the right cadence, 11 times per year on average, but if those conditions are met security awareness training is extremely effective. Researchers in a UK phishing simulation study discovered that the improvement is stark. At the beginning of the study, 40 – 60% of the employees surveyed were likely to open malicious links or attachments. But after about 6 months of security awareness training, the percentage of employees who took the bait in every industry dropped 20% to 25% – and after 3 to 6 months of more security awareness training, the percentage of employees who opened phishing messages plummeted to only 10% to 18%.
An estimated 34% of business IT leaders in an employee behavior survey admitted that a simple lack of employee understanding of today’s sophisticated phishing threats was their biggest problem. We can help by making sure that improving your security culture isn’t just something on your to-do list with an affordable, effective security awareness training answer. BullPhish ID provides security awareness training with options to fit every budget.
- Companies can choose from plug-and-play phishing campaign kits or customize the content to reflect the unique threats that employees face every day in their industry.
- An array of video lessons is available covering a range of topics like compliance, password security, ransomware, nation-state cybercrime and more.
- Lessons are presented in bite-sized pieces without jargon, making the subjects easy for employees to grasp no matter how tech-savvy they are.
- Content is available in 7 languages and new kits are added monthly.
If your company is looking for ways to cut phishing costs, security awareness training answers that question. Contact an ID Agent solutions expert today to get started with BullPhish ID and see how the ID Agent digital risk protection platform can benefit you.