Poor or absent training causes 80% to 88% of all data breaches
An article on the Employee Benefits News (EBN) website noted that lack of employee training contributes to 80% of all data breaches. Stanford University researchers collaborating with a cybersecurity organization found that human error causes the vast majority of cybersecurity incidents—in this case 88% of all data breaches. Other sources offer similar statistics.
Not long ago, an employee of the national health service in Ireland opened a phishing email and clicked on a malicious attachment. That click launched ransomware into the entire network and burned through more than $100 million (USD) before the dust finally settled.
These cyber disasters occur with alarming frequency and produce alarming consequences for employers, customers, investors, and other stakeholders. And human weakness is responsible for most of them.
Three Simple Facts About Training
Research compiled in a Forbes article notes that we forget roughly half of all new information within an hour of learning it. It also reveals that we can only digest six to nine data points in a single session. These two simple facts confirm what professional trainers have long known: that training must be delivered in short sessions, offered in multiple formats to suit individual learning needs, include testing at intervals throughout, and repeated frequently.
Ironically, 60% of employees who failed a basic cybersecurity awareness test stated that they believe they are safe from cyberthreats. We don’t know what we don’t know—until we learn more about a subject. Only then do we begin to realize how little we actually know about it. This further underscores the need for employee cybersecurity awareness training and retraining. Cybersecurity protocols and best practices are neither innate nor intuitive. They must be taught.
The Business Case for Regular Training
When looking to justify your cybersecurity awareness training program, consider the soaring costs of data breaches in the U.S. The average cost of a data breach has been escalating since 2013, and in 2022 approached $9.5 million, according to Statista, which follows this and other business trends.
Specifically, that’s $9.44 million for one data breach, on average. This means some breaches cost a lot more—generally those affecting enterprises and large organizations. And some cost less, as is the case with small businesses and private practices. But the fact is, they all cost plenty. And the toll is particularly onerous for organizations unable to manage the financial consequences of a security breach.
What the Cost Includes. Data breach costs include tangible and less tangible expenses, ranging from hits to your public image and brand reputation, to letters required to be mailed to shareholders and customers, to fees paid to forensic consultants. Costs may include operational downtime, revenue losses, ransomware payments, regulatory penalties, mitigation and clean-up costs, and more. These costs can soar into the hundreds of thousands of dollars on the small end of the spectrum, and into the millions on the upper end.
Regulatory Requirements. Another factor to consider is regulatory requirements for security training. Most industries in the U.S. are regulated, and most regulations incorporate security safeguards, including security training, as part of compliance. Regulations such as HIPAA, PCI DSS, CMMC, GLBA and others all require specific security training on a regular basis.
Four Quick Tips for Your Cybersecurity Awareness Training
Chances are that the costs of training, whether your business is large or small, localized or far-flung, are modest when compared to what a data breach would cost you. As you plan your employee cybersecurity awareness training, be sure it includes the following basics, which are proven to be effective in protecting networks, systems, and data against today’s most common cyberthreats.
Train Employees to Use Strong Passwords
Train your employees to understand the value and importance of using strong passwords for all of their accounts and applications. Following are the essential parameters:
Length – Passwords should be a minimum of eight characters; longer passwords are even more difficult for both humans and machines to guess
Mix – Characters should include upper and lower case letters, numbers, and special symbols such as $ & % #
Uniqueness – A different password should be used for every different application and account, so that if one is breached the others will still be secure
Change – Passwords should be changed every 90 days in case they have been compromised without detection
Depending on the tools your information technology and security staff have at their disposal, your organization may be able to enforce these requirements automatically, which is far more effective than relying on employees to remember. But if you must rely on employees to govern their own password hygiene, training and retraining is mandatory.
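As an added example (not code from the article), here is how an organization could enforce the four parameters above automatically in Python. The symbol set, the PBKDF2 work factor, the ISO date format, and the salted password-history store used for the uniqueness check are assumptions.

```python
import hashlib
import hmac
from datetime import date

# Policy parameters as stated in the article: 8+ characters, mixed character
# classes, no reuse, and rotation at least every 90 days.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
SYMBOLS = set("$&%#!@^*()-_=+[]{};:,.?/")  # assumed set; the article names $ & % #
PBKDF2_ROUNDS = 100_000  # assumed work factor for the history store

def hash_for_history(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest kept in the history store, so it never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def is_reused(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any (salt, digest) pair in the user's history."""
    return any(hmac.compare_digest(hash_for_history(candidate, salt), digest)
               for salt, digest in history)

def policy_issues(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the names of the article's rules the candidate fails ([] means compliant)."""
    issues = []
    if len(candidate) < MIN_LENGTH:
        issues.append("length")
    classes = (any(c.isupper() for c in candidate), any(c.islower() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in SYMBOLS for c in candidate))
    if not all(classes):
        issues.append("mix")
    if is_reused(candidate, history):
        issues.append("uniqueness")
    return issues

def is_expired(last_changed_iso: str, today_iso: str) -> bool:
    """Change rule: a password last changed more than MAX_AGE_DAYS ago must be rotated."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > MAX_AGE_DAYS

if __name__ == "__main__":
    # Constructed sample: one prior password in the history store with a fixed demo salt.
    history = [(b"demo-salt-0001", hash_for_history("Winter2023$", b"demo-salt-0001"))]
    print(policy_issues("Winter2023$", history))    # reused -> ['uniqueness']
    print(policy_issues("Ab1$", history))           # too short -> ['length']
    print(policy_issues("correcthorse", history))   # one character class -> ['mix']
    print(policy_issues("R3vise-Often!", history))  # compliant -> []
    print(is_expired("2023-01-01", "2023-04-15"))   # 104 days old -> True
```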
Train Employees to Use Multifactor Authentication
Multifactor authentication adds another step in employee login procedures in order to add another layer of access security. Increasingly, large organizations are requiring multifactor authentication for all logins. Smaller businesses may not have this capacity but should at least try to implement MFA for their highest-value applications.
MFA offers three ways to verify the identity of the individual attempting to log in. These are:
Something you know – Such as a password, passphrase, or PIN.
Something you have – Such as a verification text, email, or phone call, or a tangible security token, smartcard, or software application.
Something you are – Such as a fingerprint, facial recognition, or voice recognition.
Training employees to understand why MFA is so important will help them more easily accept this as a requirement for conducting business securely.
Train Employees to Spot Phishing Schemes
Virtually any employee can be exposed to cyberthreats and risks that enter organizations through phishing, social media, and other common attack channels. We’ve already learned that the great majority of data breaches and security incidents are caused by employee actions. However, security awareness training can reduce your organization's risk by as much as 70%.
Effective training will teach employees how to recognize phishing schemes, whether via email, phone, or text. There are telltale signs, such as misspellings and odd sentences, that can alert employees that an email is suspicious. Training can be enhanced by presenting examples of phishing schemes and asking employees why they look suspicious, and what they should do when receiving these communications.
Subsets of phishing also deserve mention during training, including spear-phishing, smishing, whaling, and other forms of phishing.
Train Employees to Practice Identity Management
The second Tuesday of every April is Identity Management Day. This special day was created to raise the awareness of employees, employers, and consumers about how we put our login credentials and other personal identifiers at risk, often without realizing it. (Why? Because we haven’t been thoroughly or properly trained!)
Risky online behaviors include:
Using the same password for multiple accounts
Clicking on a suspicious link
Opening an attachment from an unknown sender
Sharing sensitive information without properly validating the requestor
Failing to use multifactor authentication when it’s available
These and other risky actions can give hackers access to company networks, systems, and data by targeting and compromising employees. According to research from the Ponemon Institute, 54% of security incidents are the result of stolen credentials. Resources are available to help you incorporate identity management practices into employee training, so that it becomes a good habit along with these other security basics.
Without focused, effective, and regular cybersecurity awareness training, your employees will remain the weakest link in your security chain and the most vulnerable target for hackers. And you will be the victim.
Poor or absent cybersecurity training for employees contributes to the great majority of data breaches, between 80% and 88% by most reports. And yet security breaches can be reduced by up to 70% when employees are trained and retrained. This is compelling data that is relevant to all organizations. When we consider the high cost of data breaches, which reached $9.44 million per breach in 2022, the relatively modest cost of employee training, and the prevalence of security training mandates in regulatory requirements, adopting a rigorous cybersecurity training program is no longer an option.
Training costs can be lowered without impacting effectiveness by using a mix of online classes, recorded webinars, and live webinars that include testing and other reinforcement tools. Costs can also be managed by outsourcing cybersecurity training to professionals who provide these services. Engaging a qualified third party is an effective way to ensure that training and retraining take place on a regular schedule, unaffected by shifting company pressures on your internal training resources.