A new research report by Ponemon Institute finds that a comprehensive security training program with a continuous training methodology can improve the phishing email click rate by an average of 64 percent.

Comprehensive security training programs with a continuous training methodology can significantly reduce the financial consequences of phishing in the workplace, according to a research report published Wednesday.

Security research firm Ponemon Institute recently surveyed 377 IT security practitioners in the U.S., 39 percent of them from organizations with 1,000 or more employees who have access to corporate email systems, for the Cost of Phishing and Value of Employee Training report, sponsored by Wombat Security Technologies.

“In talking with security officers, we know that many do not expect much benefit from employee training as part of their defense against phishing attacks,” Larry Ponemon, chairman and founder of Ponemon Institute, said in a statement today. “This research proves that security officers should expect more from employee education and seek providers like Wombat Security who can provide results like these. As the threat landscape continues to intensify and phishing attacks become more sophisticated, this research shows that employees who have undergone security training are far less likely to fall victim to a phishing attack.”

Phishing costs businesses big-time

Ponemon analyzed the potential cost to organizations when employees are victimized by phishing scams, extrapolating that the total annual cost of phishing for the average-sized organization in its sample (a headcount of 9,552 individuals with user access to corporate email systems) came to $3.77 million. The analysis included the cost to contain malware, the cost of malware not contained, the loss of productivity from phishing, the cost to contain credential compromises and the cost of credential compromises not contained.
In Ponemon’s cost analysis, the majority of costs stem from lost employee productivity: 48 percent of total organizational costs (more than $1.8 million for average-sized organizations in the sample) are employee/user productivity losses caused by successful phishing during the work day. The cost of credential compromises not contained accounted for 27 percent of costs (more than $1 million for average-sized organizations in the sample).

Ponemon found that employees waste an average of 4.16 hours annually due to phishing scams. For an average-sized organization (9,552 individuals with user access to corporate email systems), that comes to 39,736 hours wasted due to phishing. Assuming an average labor rate of $45.80 for non-IT employees, that comes to a productivity loss of $1,819,923 a year.

Training does matter

But employee security training can substantially affect that number. Ponemon obtained six proof-of-concept studies from six large companies that used Wombat’s training on phishing, including mock attacks followed by in-depth training. The actual improvements experienced by the companies ranged from 26 percent to 99 percent, with an average improvement of 64 percent.

Based on an average retention rate of about 75 percent (Ponemon attributes this figure to The Learning Pyramid from National Training Laboratories in Bethel, Maine, though the pyramid’s accuracy has been called into question), Ponemon estimates a net long-term improvement in fighting phishing scams of 47.75 percent. With phishing costing an average-sized organization $3.77 million, Ponemon estimates a cost savings of $1.80 million, or $188.40 per employee/user. Wombat’s fee comes in at $3.69 per employee, so a little quick math leads to a net benefit of $184.71 per user, a one-year rate of return of 50X.
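To make the report's arithmetic reusable with an organization's own headcount, labor rate and vendor fee, here is an added Python model (not from the article, Ponemon or Wombat) that chains the steps quoted above: hours lost into a productivity figure, the training improvement discounted by retention, and the resulting savings set against the per-user fee. The 63.67 percent average improvement it feeds in is an assumption: it is the unrounded value implied by the report's 47.75 percent net figure divided by 75 percent retention, since the article rounds the average to 64 percent.

```python
"""Phishing cost and training ROI model in the style of the Ponemon report.

Added example, not the article's or the report's own code: it re-runs the
arithmetic the article quotes so a security team can substitute its own
figures when building a business case for awareness training.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishingCostInputs:
    headcount: int              # users with corporate email access
    hours_lost_per_user: float  # hours per year wasted on phishing
    labor_rate: float           # $/hour for non-IT employees
    total_annual_cost: float    # $/year across all phishing cost categories
    avg_improvement: float      # click-rate improvement from training (0..1)
    retention: float            # share of that improvement retained long term
    fee_per_user: float         # training vendor fee, $/user/year


def phishing_cost_model(p: PhishingCostInputs) -> dict:
    """Return the intermediate and final figures of the cost model."""
    hours_lost = p.headcount * p.hours_lost_per_user
    productivity_loss = hours_lost * p.labor_rate
    # Long-term improvement after the Learning Pyramid retention discount.
    net_improvement = p.avg_improvement * p.retention
    savings = p.total_annual_cost * net_improvement
    savings_per_user = savings / p.headcount
    net_benefit_per_user = savings_per_user - p.fee_per_user
    return {
        "hours_lost": hours_lost,
        "productivity_loss": productivity_loss,
        "net_improvement": net_improvement,
        "savings": savings,
        "savings_per_user": savings_per_user,
        "net_benefit_per_user": net_benefit_per_user,
        # One-year return on the training spend, as a multiple of the fee.
        "roi_multiple": net_benefit_per_user / p.fee_per_user,
    }


# Figures the article attributes to the report. avg_improvement is an
# assumption: 0.4775 / 0.75, the unrounded value behind the quoted 64 percent.
ARTICLE_FIGURES = PhishingCostInputs(
    headcount=9_552, hours_lost_per_user=4.16, labor_rate=45.80,
    total_annual_cost=3_770_000, avg_improvement=0.6367, retention=0.75,
    fee_per_user=3.69,
)

if __name__ == "__main__":
    for name, value in phishing_cost_model(ARTICLE_FIGURES).items():
        print(f"{name:>22}: {value:,.2f}")
```

Swapping in a real labor rate and the quoted fee from a specific vendor gives a defensible savings estimate; the small gaps between the model's outputs and the article's $188.40 and $184.71 come from the report rounding its $3.77 million total.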
“This is yet another proof point that an overall security posture is multifaceted and needs to include employee education to prevent against increasingly more sophisticated phishing attacks, which leave companies vulnerable to significant losses and business disruption,” Joe Ferrara, president and CEO of Wombat Security Technologies, said in a statement today. “This research reveals the compelling value and ROI from putting in place a comprehensive security training program. Our methods have shown that a continuous training methodology does change employee behavior and reduce risk within an organization.”