Security Awareness Training Report
A SPECIAL REPORT FROM THE EDITORS AT CYBERSECURITY VENTURES
The Security Awareness Training Report — sponsored by KnowBe4 — provides security awareness training trends, statistics, best practices, and resources for chief information security officers (CISOs) and IT security teams.
Global spending on security awareness training for employees predicted to reach $10 billion by 2027
Training employees to recognize and defend against cyber attacks is the most underspent sector of the cybersecurity industry.
Menlo Park, Calif. – Feb. 6, 2017
Organizations of every size are starting to realize that when it comes to information security, inside threats are as significant as outside threats — and they’re starting to do something about it.
That something is increased spending on security awareness computer-based training (CBT), a market that Gartner's latest forecast describes as growing "big time" and for which it pegs overall global growth at 13 percent. In late 2014, Andrew Walls, Research Vice President for Security, Risk and Privacy at Gartner, estimated the overall security awareness training market (including CBT) at $1 billion. That same figure is still regularly quoted in the media and by vendors.
Growth for the leaders in the CBT market is even higher. From 2014 to 2015, their market growth was 55 percent, Research Director Perry Carpenter writes in his analysis of Gartner's 2016 "Magic Quadrant" report for security awareness CBT. That pace is expected to continue in 2017.
Of the 18 training companies in the report, Carpenter went on to write, 15 had year-over-year revenue growth exceeding 25 percent and four had growth of 100 percent.
"Security awareness training for employees is the most underspent sector of the cybersecurity industry," says Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures.
He predicts security awareness training will become a multi-billion dollar industry in 2017, and it will become fundamental to cyber-defense strategies at Fortune 500 and Global 2000 corporations by 2021, with small businesses following shortly after that.
“Right now the market is difficult to accurately size because so many organizations are reacting to hacks and breaches with informal patchwork training programs,” he explains.
He adds, “There’s also debate on exactly what constitutes a security awareness training program as it relates to the IT analysts and researchers who calculate or forecast spending in this category. We believe that informal and unreported programs (CBT and otherwise) far exceed the programs being tracked. The security awareness training market is probably growing at a 20-plus percent clip when all of the spending is factored in.”
Nevertheless, as the number of online users increases (one estimate says there will be four billion people online by 2020) and the need to train those people in security awareness grows with it, Morgan sees the possibility of the overall market reaching $10 billion by 2027.
While necessity is the prime driver behind the growth of awareness training, other factors contribute to growth too, such as improvements in the training itself. "Security awareness training used to be stagnant for years, limited to once a year herding everyone in the break room, keeping them awake with coffee and donuts and exposing them to death by PowerPoint," says Stu Sjouwerman, CEO of KnowBe4, a security awareness training company.
“However,” he continues, “in the last five years something called new-school awareness training has taken off, which combines interactive training in the browser with frequent simulated phishing attacks straight into the user’s email inbox. This has proven to be very effective in creating a human firewall which is the last line of defense.”
In addition to being more effective than death-by-PowerPoint training, new-school training has a benefit that appeals to the C-suite. "I would say that new-school awareness training has by far the best ROI of any security layer," Sjouwerman maintains.
“You see Phish-prone percentages go from an average of 15 to 20 percent down to one to two percent after a year,” he adds.
Awareness training growth is also being driven by customer satisfaction. In the Gartner report, training firms received high marks from their customers. "This is in stark contrast to many other markets — just take a look around to see," Gartner's Carpenter writes.
Why are customers so satisfied? Carpenter maintains it is because training is content-driven, which makes it easier to evaluate prior to purchase than, say, the latest Security Information and Event Management (SIEM) system. What's more, training systems are relatively easy to deploy compared with other types of security solutions.
“The result is that customers really know what they are getting when they sign the contract,” Carpenter writes.
Hardening Human Frailty
While the annals of hacking are studded with tales of clever coders finding flaws in systems to achieve malevolent ends, the fact is that most cyber attacks begin with a simple email. Both Trend Micro and PhishMe have found that more than 90 percent of successful hacks and data breaches stem from phishing: emails crafted to lure their recipients into clicking a link, opening a document or forwarding information to someone they shouldn't.
“Cybercriminals commonly deliver malware through fraudulent, misleading emails purporting to contain family photos, important documents or retail offers that are too good to be true,” Anuj Goel, co-founder of Cyware Labs, maker of a cybersecurity awareness and intelligence-sharing platform, explains in an article at SecurityIntelligence, an IBM website.
“Many organizations deploy phishing filters, advanced firewalls, network access controls and endpoint scanning tools to mitigate this threat,” he says, “but no technology can account for human error entirely.”
Kevin Mitnick, a once-notorious hacker who is now a security consultant and Chief Hacking Officer at KnowBe4, adds, "You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation."
That is because attackers need only find one gap in a system's defenses, while defenders need to find and defend every attack point in their systems.
“A company that includes 1,000 employees with poor online hygiene has 1,000 insecure endpoints,” writes Goel.
Designing a malicious email campaign to deliver malware to each of those flesh-and-blood endpoints is child's play for a criminal who knows that a single careless employee is enough to make the campaign a success. Meanwhile, IT teams need to protect each of those endpoints, plus any other weaknesses in the system.
“If humans are the primary targets of cybercriminals, they ought to be prepared, informed and weaponized as the first line of defense,” Goel writes.
An Effective Weapon
Awareness training plays an important part in that weaponization. "Training employees on security will immediately bolster the cyber defenses at most companies," says Lawrence Pingree, a research director at Gartner, because most data breaches are based on "exploiting common user knowledge gaps to social engineer them to install malware or give away their credentials."
Phishing identification training definitely bolstered Wells Fargo's cyber defenses, notes Chief Information Security Officer Rich Baich. Through the use of various security awareness techniques, he says, workforce susceptibility to phishing declined by more than 40 percent.
“Building a strong cyber culture requires an investment of time and resources,” Baich notes. “Periodic updates and enhancements to existing cyber hygiene practices can drive more awareness resulting in a more educated work force dedicated to healthy cyber practices.”
Anyone seeking to reap the benefits of awareness training, though, needs to know that it is a continuous process. "Whatever training they may have done, any and all employees need to be sent simulated phishing attacks twice a month, or at the very least once a month, to be effective," KnowBe4's Sjouwerman says.
At the City of San Diego, for instance, security incidents related to phishing dropped 15 to 20 percent during the first year of its security awareness program, but then they began to rise again. “I have been told this is the norm,” says CISO Gary Hayslip, “which is why we are requiring our training to be an annual requirement for personnel and we are looking at adding a separate phishing training component since it is one of our biggest issues.” Hayslip is also author of the book CISO Desk Reference Guide: A Practical Guide for CISOs — which covers the security awareness training topic given its importance to his peers.
Even when awareness training is frequently reinforced, though, employees still make mistakes, which is why other security measures will always be necessary. “While the policies and training are crucial, we need to get better at ‘idiot-proofing’ our technology so that even if people do the wrong thing, the malware doesn’t run or doesn’t achieve its goals,” Jim Kent, global head of security and intelligence at Nuix, a maker of a platform for indexing, searching, analyzing and extracting knowledge from unstructured data, wrote in Security InfoWatch.
Whether or not progress is made in idiot-proofing defenses, users are going to be a crucial part of any organization's information security, and training those users to recognize the overtures of malicious actors will be critical to hardening the "people layer" against cyber attacks.
– John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.