Andrew Walls, research vice president for security, risk and privacy at analyst firm Gartner, estimated the security awareness training market at more than $1 billion in late 2014.
Another Gartner analyst, Perry Carpenter, covers an important slice of that market - security awareness CBT (computer-based training) - which he estimated at $240 million for 2016. That figure only accounts for the vendors Gartner covers in its Magic Quadrant, so the full market is larger.
A new report from Cybersecurity Ventures states that training employees to recognize and defend against cyber attacks is the most underspent sector of the cybersecurity industry - a sector that could be worth $10 billion by 2027. (Disclaimer: Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.)
Security awareness training done right can provide an excellent ROI for large enterprises. "Training employees on security will immediately bolster the cyber defenses at most companies," says Lawrence Pingree, a research director at Gartner, because most data breaches are based on "exploiting common user knowledge gaps to social engineer them to install malware or give away their credentials."
Pingree's assertion rings true at one banking giant. “Building a strong cyber culture requires an investment of time and resources," says Rich Baich, CISO at Wells Fargo. "Periodic updates and enhancements to existing cyber hygiene practices can drive more awareness resulting in a more educated workforce dedicated to healthy cyber practices."
"Through the use of various security awareness techniques we've seen a decrease in susceptibility of phishing throughout the workforce by over 40 percent," adds Baich. "Those organizations that embrace the commitment to build a strong security awareness program will be positioned to reap the benefits of a cyber culture that will positively differentiate their organization in the industry."
"Unfortunately, employees tend to be the weakest link in an organization," says Robert Herjavec, founder and CEO at Herjavec Group, who agrees with Pingree and Baich. "Human error is inevitable. But it's each company's responsibility to train their team - all of their teams, and not just security personnel - to know what to look for. How do you identify a phishing scheme? What do you need to consider before you open an attachment? Why should you never email your passwords or give them to someone who is cold calling you saying they are from Internal IT? It seems simple, but these basic errors can be catastrophic for an enterprise."
Training the world's employees on how to detect and respond to spear phishing and other hacks aimed at users will cost billions of dollars. But it may be the world's best ROI in the war against cybercrime - which is predicted to cost organizations $6 trillion annually by 2021.