This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Global spending on IT security just keeps going up and up. According to Gartner, worldwide spending increased 7.9 percent in 2014 over 2013, and 2015 has seen another 8.2 percent increase over 2014. And yet, companies make significant investments in security technologies that are diluted by a lack of investment in their people.
A little security awareness training that results in workers changing their behaviors can reduce a company's security-related risks by about 60 percent. This is according to a recent report by Derek Brink with Aberdeen Group, "The Last Mile in IT Security: Changing User Behaviors." (Get a free copy of the full report here.)
Brink writes that companies know that a traditional prevention strategy can't be successful 100 percent of the time, so they turn to expensive, sophisticated technologies to detect, respond to and recover from security incidents. But the less expensive prevention strategy can be bolstered by modifying risky user behavior that is often the root cause for many security incidents.
The research study "A Clinical Study of Risk Factors Related to Malware Infections," conducted by various Canadian universities, asserts that malware infections now occur largely because users are enticed to take an action that leads to their computers being infected. The action could be something as simple as opening an email attachment embedded with malware, visiting a malicious Web site, or even willingly installing a piece of software with a hidden malicious intent.
+ ALSO ON NETWORK WORLD 9 tips, tricks and must-haves for security awareness programs +
Brink writes that the proportion of infections that result from user behaviors is estimated at between 70 and 95 percent. Thus it stands to reason that if user behavior could be modified to avoid risky actions, then malware infections will go down. Indeed, empirical before-and-after training click rates analyzed by Wombat Security Technologies proves that malware infections can be reduced by 45 to 70 percent through user awareness and training.
Another Aberdeen research study shows that user awareness and training provides another benefit to companies: there is a strong and consistent correlation between investment in this type of training and the achievement of top business performance. In short, companies perform better when their workers receive IT security training. These research results can be found in the Aberdeen report "Successful IT Security Projects Invest Not Only in Technologies, But Also in People."
Wombat Security Technologies calls itself a "behavior change" company. Wombat provides SaaS cybersecurity education solutions that are scientifically designed to get workers to change their risky computing behaviors. Wombat uses a continuous training methodology to assess where people are with their security awareness; educate them on the risks of specific behaviors, such as clicking on a web link without analyzing its origins; reinforce lessons that have been learned; and measure the progress of behavior modification.
Companies that use Wombat's behavior change portfolio can conduct a broad assessment to see where their employees are in terms of security awareness and knowledge of how to avoid risky behaviors. The next phase is often to send simulated attacks to employees to test their reactions. Will people click on that dubious link or not? The simulated attacks yield a range of metrics and intelligence about actual user behavior.
One thing that Wombat is noted for is contextual training. During the simulated attacks, workers get immediate feedback about their behavior and short bursts of training that reinforce desired behavior.
The training is bite-sized so that it doesn't become a burden that people try to avoid. It presents concepts and procedures together. For example, a lesson on mobile computing security teaches the risk of Bluetooth hacking—that a phone with a "discoverable" Bluetooth setting can allow a hacker to steal information from the phone. A risk-reducing procedure would be to turn off the "discoverable" mode on the user's smartphone.
The training often presents scenarios and asks the worker to judge whether the situation is high risk or low risk. The person gets immediate feedback to his response and reinforcement of the lesson. All the while in the background, Wombat is collecting data on the responses so that the company can see who has learned the lessons well and who needs additional training pertaining to various situations.
Wombat has proven that over time, the training has taught people to act in less risky ways. For example, a northeastern college that had a real problem with successful malicious phishing attacks used the Wombat education solution to modify workers' behaviors. The college achieved a 90 percent reduction in successful phishing attacks, resulting in less spyware and fewer infections on workers' computers.
In another case, a manufacturing company that utilized the Wombat portfolio reduced its malware infections by 46 percent and achieved a 700 percent ROI based on the cost to remediate infections.
The bottom line is that successful user behavior training, coupled with effective prevention technologies, is a winning combination to reduce IT security-related risks.