Security Awareness Campaigns Deliver Major, Ongoing ROI


CONTENTS: Introduction; The Challenge; Immediate Value; Evaluating Effectiveness; Ongoing Value; Conclusion

INTRODUCTION

By this point, it is fair to say that there is not a single CEO, CFO or other executive in America who is unaware of the importance of IT security. These business leaders have heard a lot about data breaches and cybersecurity incidents, and they understand that these can be truly devastating events, to be avoided at all costs. But understanding this in the abstract does not always translate into an accurate appreciation of the value that IT security awareness and training programs deliver. Part of the problem is that it is difficult to discern the true return on investment that these initiatives offer. Yet this does not mean the ROI isn't there. It simply means that a more subtle, comprehensive appreciation of the nature of IT security, and of security awareness training, is needed.

THE CHALLENGE

The most obvious challenge in any security awareness ROI calculation is that there is no perfect means of determining how likely a data breach would have been without the training, nor precisely how costly such an incident would have been. It is exceedingly difficult to gauge the ramifications of what did not happen, rather than what did. For IT leaders, the challenge goes further. These professionals typically understand the value that security awareness campaigns offer, even if they do not have an exact figure to point to. For them, the real predicament is conveying this understanding to members of the C-suite. Understandably, executives give far more credence to solid, quantifiable proposals. Unfortunately, this means that the difficulty of calculating an accurate security awareness program ROI causes numerous company leaders to underappreciate such initiatives, and therefore fail to make them a priority. This puts organizations at serious risk of a breach or other incident.

IMMEDIATE VALUE

That being the case, IT leaders and C-level executives alike can and should take a closer look at several key factors in order to determine what security awareness training is worth to their own organizations. First and foremost, it is important to look at the cost of data breaches. In its 2014 Cost of Data Breach Study: Global Analysis, the Ponemon Institute determined that the average total cost of a data breach was $3.5 million, a 15 percent increase over the previous year's study. The average cost per compromised record reached $145, up from $136 in the 2013 study, a 9 percent increase. In the United States, the cost per stolen or lost record was even higher, at $201. These costs come in many forms. An IBM study of cyberattacks in the U.S. in 2013 found that data breach costs fall into six categories: reputation and brand damage, lost productivity, lost revenue, forensics expenses, technical support and compliance-related costs.

[Chart: share of total breach cost by category. Shares shown: 29%, 21%, 19%, 12%, 10% and 8%; the source chart pairs each share with one of the six categories above.]

This data alone demonstrates the value of any cybersecurity effort that reduces the risk of a data breach. The ROI of security awareness training can be further appreciated in the context of how these breaches occur. While external cyberattacks remain the most common cause of these incidents, internal mishaps are also a major driver. Verizon's 2014 Data Breach Investigations Report found that internal actions, including employee negligence and misuse, were responsible for nearly 11,700 of the 63,437 security incidents reported for 2013. Critically, this figure accounts only for incidents actually caused by company insiders. It does not include the incidents in which employee mistakes created openings that external attackers subsequently exploited. This is an exceedingly common scenario, as many cybercriminals look for exploitable weaknesses wherever they can be found rather than targeting specific companies. Employee mistakes such as opening suspicious email attachments or clicking untrustworthy links create openings for malware, leading directly to successful cyberattacks.

EVALUATING EFFECTIVENESS

All of this illustrates how security awareness training helps companies in a broad, general way, and should act as a powerful argument for investing in it. To calculate the ROI these programs actually deliver for a specific organization, though, further steps are required. Importantly, companies must adopt security-related metrics before the awareness campaign is launched. These measurements provide a baseline against which the campaign's effect on employee behavior, and on the company at large, can be quantified. Because headcount and attack volume change over time, each metric should be recorded as a rate (for example, events per 100 employees per month) rather than a raw count, so that the before and after figures are comparable. Here are several metrics to consider:

HELP DESK CALLS FOR HELP: Once employees receive security awareness training, they should be less likely to inadvertently install malware or fall victim to phishing attacks. As a result, they will need help desk assistance for security incidents less often.

HELP DESK WARNINGS: At the same time, awareness campaigns improve employees' ability to recognize suspicious emails, events and other cybersecurity-related incidents. Personnel will be more proactive in alerting the help desk to threats before they cause significant damage, so this number should rise.

DEVICE THEFTS: Employees who receive training become more aware of how to protect their mobile phones, tablets and laptops from theft and loss.

POLICY VIOLATIONS: Companies can track the number of security-related policy violations before and after employees participate in awareness campaigns. For example, personnel should be less likely to leave sensitive printed materials unattended.
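The following is an added worked example, not part of the original white paper, showing how the baseline metrics above, together with the trained-versus-untrained comparison recommended in the next paragraph, can be reduced to one number per metric. It assumes a simple export of security-relevant help desk and incident records (one line per event: date, employee id, metric name) and a roster mapping each employee to a cohort; the records, roster, metric names and dates below are constructed for illustration. Each metric is expressed as a rate per 100 employee-months, and the training effect is estimated as a difference-in-differences: the change in the trained group minus the change in the untrained group, which cancels out drift that affects everyone, such as a new phishing wave arriving in the "after" period.

```python
"""Before/after and trained-versus-untrained awareness metrics (added example)."""
from collections import defaultdict
from datetime import date

# The four measures the white paper suggests, with the sign of a desirable
# change: -1 means the rate should fall, +1 means it should rise.
METRICS = {
    "helpdesk_incident": -1,   # user needed help after malware or phishing
    "user_report": +1,         # user proactively warned the help desk
    "device_theft": -1,        # lost or stolen phone, tablet or laptop
    "policy_violation": -1,    # e.g. sensitive printouts left unattended
}

# Constructed roster (assumption): employee id -> cohort. "trained" completed the
# campaign that started on TRAINING_DATE; "untrained" is the control group.
COHORT = {"e01": "trained", "e02": "trained", "e03": "untrained", "e04": "untrained"}
TRAINING_DATE = date(2015, 4, 1)
BEFORE = (date(2015, 2, 1), TRAINING_DATE, 2)   # (start, end exclusive, months)
AFTER = (TRAINING_DATE, date(2015, 6, 1), 2)

# Constructed event export (assumption): "date employee metric", one per line.
# The first row falls outside both windows and e99 is not on the roster; both
# are ignored, as stray rows in a real ticket export must be.
EVENT_EXPORT = """
2015-01-15 e01 helpdesk_incident
2015-04-10 e99 helpdesk_incident
2015-02-03 e01 helpdesk_incident
2015-02-17 e01 helpdesk_incident
2015-03-02 e01 policy_violation
2015-03-20 e01 device_theft
2015-02-10 e02 helpdesk_incident
2015-03-11 e02 helpdesk_incident
2015-03-25 e02 policy_violation
2015-04-14 e01 user_report
2015-04-22 e02 helpdesk_incident
2015-05-06 e02 user_report
2015-02-05 e03 helpdesk_incident
2015-02-24 e03 helpdesk_incident
2015-03-09 e03 policy_violation
2015-02-12 e04 helpdesk_incident
2015-03-16 e04 helpdesk_incident
2015-03-30 e04 policy_violation
2015-04-08 e03 helpdesk_incident
2015-04-27 e03 policy_violation
2015-05-19 e03 device_theft
2015-05-04 e04 helpdesk_incident
2015-05-21 e04 policy_violation
"""


def parse_events(text):
    """Parse the export into (date, employee, metric) tuples."""
    events = []
    for line in text.strip().splitlines():
        day, emp, metric = line.split()
        events.append((date.fromisoformat(day), emp, metric))
    return events


def rate_table(events, cohort, before, after):
    """Return {cohort: {"before"/"after": {metric: events per 100 employee-months}}}."""
    headcount = defaultdict(int)
    for group in cohort.values():
        headcount[group] += 1
    counts = defaultdict(int)
    for day, emp, metric in events:
        if emp not in cohort or metric not in METRICS:
            continue                      # stray row: unknown employee or metric
        for name, (start, end, _) in (("before", before), ("after", after)):
            if start <= day < end:
                counts[(cohort[emp], name, metric)] += 1
    table = {}
    for group, n in headcount.items():
        table[group] = {}
        for name, (_, _, months) in (("before", before), ("after", after)):
            table[group][name] = {m: 100.0 * counts[(group, name, m)] / (n * months)
                                  for m in METRICS}
    return table


def diff_in_diff(table, metric):
    """Change in the trained group minus change in the untrained group; the
    control group's change absorbs drift that hits everyone."""
    t, u = table["trained"], table["untrained"]
    return ((t["after"][metric] - t["before"][metric])
            - (u["after"][metric] - u["before"][metric]))


def summarise(events=None, cohort=COHORT, before=BEFORE, after=AFTER):
    """Per metric: the difference-in-differences estimate and whether it moved
    in the desirable direction."""
    events = parse_events(EVENT_EXPORT) if events is None else events
    table = rate_table(events, cohort, before, after)
    result = {}
    for metric, good_sign in METRICS.items():
        did = diff_in_diff(table, metric)
        result[metric] = {"did": did, "improved": did * good_sign > 0}
    return result


if __name__ == "__main__":
    for metric, r in summarise().items():
        print(f"{metric:18s} {r['did']:+7.1f} per 100 employee-months  improved={r['improved']}")
```

With the constructed data, help desk incidents fall by 75 per 100 employee-months in the trained group but also by 50 in the control group, so only 25 of that drop is credited to the training; user reports rise by 50 and are credited in full because the control group did not change. Multiplying each credited change by the organization's own cost per incident (help desk time, cleanup effort, replacement devices) turns the table into the financial baseline the paper calls for.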

In all of these examples, businesses should also compare results between employees who completed the training and those who did not participate or did not finish it. The difference between the two groups separates the training's effect from changes that affect everyone, such as a new wave of phishing, and further demonstrates the tangible ROI that security awareness campaigns deliver. By ascertaining the financial impact of these activities and how behavior changes in the wake of training, company leaders can clearly see the positive ROI these efforts deliver.

ONGOING VALUE

It is important to note that the true value of security awareness training and campaigns is best harnessed through an ongoing commitment. One-time efforts have a noticeable but limited impact, whereas recurring training helps to permanently alter employees' behavior for the better. Just as significantly, ongoing security awareness training is essential in the context of change management. Over time, employee behavior evolves in response to new challenges and personal preferences. This tendency eventually poses a growing cybersecurity threat as employees gradually shrug off the best practices they previously followed. A continuous security awareness campaign counters this trend, helping to ensure that employee behavior remains sound for the duration of the individual's career at a given company.

Additionally, company leaders must recognize that the overall cybersecurity landscape is becoming more dangerous over time. The number of cybercriminals around the world is growing, and their tactics and skills are evolving and maturing. Ongoing security awareness programs are a critical tool for staying one step ahead of these threats.

CONCLUSION

There is no denying that it is difficult to accurately determine the financial return that a company will experience from its security awareness and training investments. Yet as this white paper has shown, there is a great deal of evidence of how costly and common data breaches are, and of the major role that employee behavior plays in these incidents. Furthermore, businesses can and should adopt measurement programs that show, in substantial and quantifiable terms, how employee behavior improves following security awareness training and the positive effect this has on the corporate bottom line. This, along with the tendency of employee behavior to drift over time and the growing worldwide cybersecurity threat, should make it clear to both IT leaders and C-level executives that an investment in security awareness campaigns will easily justify its cost, delivering a positive ROI in both the short and the long term.

terranovacorporation.com 1-514-489-5806

SOURCES:
http://www.verizonenterprise.com/dbir/2014/
http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=wh&infotype=sa&appname=GTSE_SE_SE_USEN&htmlfid=SEL03027USEN&attachment=SEL03027USEN.PDF#loaded