The more you know, the less likely you are to be a victim of cybercrime

Security awareness and user education are the most effective tools for avoiding the rising costs of cybercrime

Cybercrime is more costly than most organizations realize, and those costs are continuing to rise. The cost per victim has increased 50 percent, and the total cost of cybercrime is a staggering $113 billion—with a "B." One way to avoid becoming a victim of cybercrime is to make sure users are trained to recognize potential threats.

[Enterprise defenses lag despite rising cybersecurity awareness]

A cybercrime attack impacts a company in three ways. There is the cost of the attack itself, including any money or data that is stolen, as well as the cost of eradicating the threat and cleaning up after the incident is discovered. There is the effect the attack has on the brand reputation and credibility, resulting in a decline in business in general. And, finally, there is the potential cost of lawsuits from those affected by information compromised in a data breach.

Symantec conducts an annual study of consumer online behavior, attitudes, and security habits, and their relation to online dangers and the financial cost of cybercrime. The 2013 Norton Report found that the number of cybercrime victims has declined, but that the average cost per incident, and the overall cost globally both went up. To summarize, your chances of being a victim of cybercrime have decreased slightly, but the impact of being a victim of cybercrime has gone up substantially.

When you combine that with other findings from the Norton Report, it gets a bit scarier. Symantec found that 63 percent of those surveyed have smartphones, and 30 percent have tablets—but half of them don't use basic security precautions like setting a PIN or password of some sort. On top of that, nearly half of the respondents use their personal devices–laptops, smartphones, and tablets–for business purposes at well, so those poor security practices are putting sensitive business data at risk.

There are a lot of things companies can do to defend against malware and cybercrime, but the reality is that there is no absolutely impenetrable defense. Security is a game of risk management. The goal is not to create an invulnerable network—the goal is to make a successful attack more challenging and more costly for attackers.

[Security spending continues to run a step behind the threats]

One of the most effective ways to do that is through education and security awareness. No matter how great your security tools are, the human beings using the devices, typing on the keyboard, and clicking the mouse are the weakest link. User error can torpedo even the best defense.

Stu Sjouwerman, founder of KnowBe4, believes that the most effective form of defense is a persistent user awareness program. Many organizations pay lip service to user awareness, but Siouwerman promotes a more aggressive program that includes periodic testing users by exposing them to fake threats to identify weaknesses and focus additional training to ensure users are aware of those attack vectors.

Siouwerman obviously has a biased self-interest in promoting security training since that is what KnowBe4 does. However, KnowBe4's role as a provider of security training, and its work with infamous hacker Kevin Mitnick also give Siouwerman a unique view and appreciation for the value of training users to recognize and avoid threats.

The simple fact is that cybcercrime is costly, and it is continuing to get more expensive over time. Companies need to invest in effective security tools to identify and block threats, but the users are the weak link, and there is no substitute for making sure employees are trained to understand and recognize cyber attacks.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)