Study: Employee Training Reduces the Cost of a Data Breach

On: June 17, 2015
The Ponemon Institute found that employee awareness training is the top factor impacting the cost of a data breach!

As you may have already heard, the Ponemon Institute’s 2015 Global Cost of Data Breach Study has been released, and it confirmed what we all sensed: the average cost of a data breach has increased, significantly, again. According to the study, the average cost of a breach has reached $3.79 million, a 23% increase in the past two years. The average cost per lost or stolen record has also increased, this time up 12% to $154 per record.

If you’re curious as to how that $3.79 million breaks out, we were as well. Thankfully, we were all treated to a great visual during a recent webinar on the study’s findings led by Dr. Larry Ponemon himself.

[Figure: breakdown of the $3.79 million average cost of a data breach]

Of course, those are just the averages. Your true cost of being hit by a breach largely depends on your industry and your location. Healthcare and education sectors incur the highest breach costs of all industries, and Germany- and U.S.-based organizations are hit more than anywhere else in the world.

Why are these numbers rising at such a rapid rate? Dr. Ponemon shared three main reasons:

  1. Cyberattacks are increasing both in frequency and in the cost required to resolve these security incidents.
  2. The financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost (it’s that whole true cost of a data breach thing).
  3. More companies are incurring higher costs in their forensic and investigative activities, assessments, and crisis team management.

It sounds dire, but the news isn’t all bad.

The bright spot in all these increased numbers is that there are things you can do to not only lessen the likelihood you’ll experience a breach, but to also lessen the cost on your organization should the worst happen.

Much of it starts with employee awareness training.

Take a look at the slide below, which breaks out the cause of data breaches. Malicious or criminal attacks are currently leading the way, but human error (good people doing stupid things) is close behind at 29%.

[Figure: causes of data breaches; malicious or criminal attacks lead, human error at 29%]

Don’t discount that 29%—it’s something your organization can actively fight against simply by adopting a security-aware culture and educating your employees to not do dumb things.

The study found employee training to be the top factor impacting the per capita cost of a data breach, creating the third highest per capita cost savings (giving you back $8 per record, which is not exactly chump change when we’re talking about thousands of records).

Dr. Ponemon also called out employee awareness training as being “extremely important,” encouraging organizations to look into options that tailor security training to specific needs or vulnerabilities identified within the organization. For example, if you survey employees and find they’re likely to click on phishing emails, then you’ll want to invest in training in this specific area. This kind of training is incredibly effective.

Having an incident response team and using encryption extensively were also found to reduce the cost of a data breach.

So where should organizations focus their efforts—on better technology or better training?

Dr. Ponemon noted that the solution to better security is not better technology alone. Sure, that’s part of the equation, but you also need other things. He shared some “common sensical” steps all organizations should take:

  1. Prioritize your business objectives and set your risk tolerance: Sometimes organizations go overboard catering to certain features of security and end up ignoring other factors that may actually be more important to the organization’s overall security. Don’t do this. Look at your objectives and be deliberate.
  2. Protect your organization with a proactive security plan: Take the time to assess the different things that could go wrong (understanding that this list will never be exhaustive…) and be proactive about how you’ll defend against them.
  3. Prepare your response to the inevitable sophisticated attack: Have a response ready to roll for those identified risks. Understand your response to the attack.
  4. Promote and support a culture of security awareness: People are rushing around, using all sorts of insecure devices for business communication. Work on changing that culture to one that is more security aware. Continuous training and education can help change that mindset and get people to take security seriously.

We want to thank Ponemon and IBM for once again pairing up to do this research and sharing these insights. If you are the security expert within your organization, we encourage you to use this data internally to help build out budget justification for new solutions and new security training programs that protect your organization.
