Cyber security is essential - but how useful is security awareness?

Tags: Cyber Security, Information Security, Security Awareness

Cyber threats are everywhere, and humans remain one of the biggest vulnerabilities. But how effective is security awareness? This blog shows why targeted training is essential, how it protects companies, and what advantages it offers in the long term.

There is no question that cyber threats are everywhere. But how effective is security awareness? And is it worth investing in employee training and education? The answer is a resounding yes! Relying on technical security measures alone means ignoring a crucial factor - people.

Table of contents

  • The underestimated danger
  • The ROI of cyber security awareness: an investment that pays off
  • Regional relevance: the threat situation in the DACH region
  • Concrete implications: when ignorance becomes expensive

The underestimated danger

Every day we read about new cyber-attacks that cripple businesses or cause immense damage. Attackers are becoming more sophisticated and are not only exploiting technical vulnerabilities, but are increasingly targeting the 'human factor'. Phishing emails that look deceptively genuine or manipulative social engineering attacks are methods used by criminals to penetrate internal systems. According to the German Federal Office for Information Security (BSI), human characteristics such as helpfulness and trust are deliberately exploited to manipulate people.

According to the IBM Security Services 2014 Cyber Security Intelligence Index Report (1), human error was a contributing factor in more than 95% of the security incidents IBM investigated. The resulting incidents include data theft, sabotage and industrial espionage, which cause billions in damage to the German economy every year.

Insufficient training and careless user behavior open the door to cybercriminals. According to a study by the digital association Bitkom (2), 15% of companies do not provide any IT security training at all. The study also shows that only around one in four companies (24%) offers training at least once a year. These figures underscore the need for regular and comprehensive IT security training for all employees in order to minimize human error as a gateway for cyber attacks.

It is therefore vital to move away from seeing the 'human factor' as a weakness and to strengthen it as a key defence against cyber threats. Well-informed and vigilant employees are an important line of defence against cyber attacks.

The ROI of cyber security awareness: an investment that pays off

Investment in cyber security awareness pays off. Targeted training enables employees to recognise potential threats early and respond appropriately. This not only reduces the risk of successful attacks, but also saves significant costs that could result from security incidents.

A 2019 study by Osterman Research (3) shows that smaller organizations (50 to 999 employees) can achieve a 69% return on investment (ROI) from security awareness training, while larger organizations (over 1,000 employees) can achieve a 355% ROI. However, when extraordinary scenarios such as total loss and IT rebuild are taken into account - including lost revenue, ransom demands, customer churn, loss of reputation, and reduced company valuation - the ROI can exceed 1,500%.

Basis for calculating ROI:

  • Assumption: company with 1,000 employees (figures based on Osterman Research, The ROI of Security Awareness Training, 2019)
  • Security employee hourly wage: $38.46/hr; time invested in preventive measures: 730.9 hours per year
  • General employee hourly wage: $36.06/hr; time lost due to incidents: 12.6 hours per employee per year
  • Assumption: 90% reduction in incidents through security awareness training
  • Training time per employee per year: 5.6 hours (of which 30% is integrated into existing workflows and therefore does not displace other work)

For smaller organizations, the ROI is lower, but still significant: for the 50 to 999 employee bracket it is 69%.
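To make the calculation basis above reproducible for your own headcount and wage figures, the calculator below is an added example; it is not code from TreeSolution or from the Osterman report, and it is a simplified model, not the report's own. Programme cost is the paid share of training time plus the security team's preventive hours; benefit is the employee time no longer lost to incidents. The `other_avoided_cost` parameter is an assumption for losses the listed inputs do not itemise (recovery, ransom, customer churn); with it set to zero, the listed inputs give roughly 141% under this simplified model, below the report's figure, which rests on cost components not reproduced on this page. The break-even function answers a question the paragraph does not: the smallest incident reduction (about 37% here) at which the programme still pays for itself.

```python
"""Simplified security-awareness ROI model.

Added example, not Osterman Research's own model. Default inputs mirror the
assumptions listed on the page for a 1,000-employee company; the report's full
cost/benefit structure is not itemised here, so results differ from its figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AwarenessProgramInputs:
    employees: int = 1_000
    security_staff_rate: float = 38.46          # USD/hour, security employee
    security_staff_hours: float = 730.9         # hours/year spent on preventive measures
    employee_rate: float = 36.06                # USD/hour, general employee
    training_hours_per_employee: float = 5.6    # hours/year per employee
    share_integrated_in_workflow: float = 0.30  # portion of training that displaces no paid work
    incident_hours_lost_per_employee: float = 12.6  # hours/year lost to incidents, untrained
    incident_reduction: float = 0.90            # assumed reduction in incidents from training
    other_avoided_cost: float = 0.0             # assumption: extra avoided losses per year (USD)


def program_cost(p: AwarenessProgramInputs) -> float:
    """Annual cost: paid share of employee training time plus security staff time."""
    billable_training_hours = p.training_hours_per_employee * (1 - p.share_integrated_in_workflow)
    employee_cost = p.employees * billable_training_hours * p.employee_rate
    staff_cost = p.security_staff_hours * p.security_staff_rate
    return employee_cost + staff_cost


def baseline_incident_loss(p: AwarenessProgramInputs) -> float:
    """Annual employee time lost to incidents with no training, in USD."""
    return p.employees * p.incident_hours_lost_per_employee * p.employee_rate


def avoided_loss(p: AwarenessProgramInputs) -> float:
    """Annual benefit: the share of baseline loss the training removes, plus other avoided costs."""
    return baseline_incident_loss(p) * p.incident_reduction + p.other_avoided_cost


def roi(p: AwarenessProgramInputs) -> float:
    """Return on investment as a fraction (1.0 == 100%)."""
    cost = program_cost(p)
    return (avoided_loss(p) - cost) / cost


def breakeven_reduction(p: AwarenessProgramInputs) -> float:
    """Smallest incident reduction at which the programme pays for itself.

    Ignores other_avoided_cost so the answer depends only on the itemised inputs.
    """
    return program_cost(p) / baseline_incident_loss(p)


if __name__ == "__main__":
    base = AwarenessProgramInputs()
    print(f"programme cost   {program_cost(base):>12,.0f} USD/year")
    print(f"avoided loss     {avoided_loss(base):>12,.0f} USD/year")
    print(f"ROI              {roi(base):>12.0%}")
    print(f"break-even       {breakeven_reduction(base):>12.0%} incident reduction")
    # Sensitivity check: a far more cautious 45% reduction instead of the assumed 90%.
    cautious = AwarenessProgramInputs(incident_reduction=0.45)
    print(f"ROI at 45% cut   {roi(cautious):>12.0%}")
```

Halving the assumed incident reduction to 45% still leaves the programme positive (about 21%) under these inputs, which is the kind of sensitivity check worth running before presenting an ROI figure to management: the headline number is driven almost entirely by the reduction assumption.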

TreeSolution offers customised training that not only imparts knowledge, but also raises awareness of security risks. One example is the TreeSolution Awareness Academy, which contains everything you need to successfully embed secure behaviour into your corporate culture. Our user-friendly learning platform gives you and your employees quick and easy access to the latest security knowledge.

TreeSolution also offers phishing training services to educate your employees on the dangers of email fraud and how to recognise and avoid phishing attempts.

With this hands-on training, your employees become active security ambassadors who play a key role in reducing security incidents.

Regional relevance: the threat situation in the DACH region

In German-speaking countries, companies are increasingly the target of cyber attacks. Small and medium-sized enterprises (SMEs) in particular often underestimate the danger and invest too little in training their employees. Yet they cannot afford to fall victim to cybercrime.

While digitalisation is opening up new opportunities, it is also creating more opportunities for cybercriminals to attack. Attackers often find SMEs attractive targets because they have not always implemented comprehensive security measures. A successful cyber-attack can threaten the very existence of these companies, as they do not usually have the resources to absorb the damage.

In addition, SMEs are often part of larger supply chains, which means that an attack on them can also affect partners and customers. It is therefore vital that these businesses are proactive and invest in their cyber security. A key aspect of this is employee awareness and training to minimise human error as a gateway to attack.

Regular training and increased awareness of cyber threats can help SMEs become more resilient to attacks, protecting their own livelihoods as well as those of their partners and customers.

Concrete implications: When ignorance becomes expensive

Imagine that an untrained employee opens a phishing email at your company, Sample Ltd. The consequences could be devastating:

  • Financial loss: Clicking on a malicious link activates ransomware that encrypts important company data. Recovering the data requires expensive IT services and causes significant business disruption.
  • Reputational damage: Customer data is compromised and falls into the wrong hands. Customer trust is lost, leading to contract cancellations and a decline in new customer acquisition.
  • Legal consequences: Failure to comply with data protection regulations can result in heavy fines. There is also the threat of lengthy legal proceedings and additional costs.

This disaster could have been prevented with targeted security awareness training. With practical phishing tests and interactive training, employees would have recognized suspicious emails more quickly and reacted appropriately.

As you have read, there is a significant gap between the actual threat situation and how companies perceive it. To minimize the risk of successful cyber attacks, security awareness with regular training is a must. Targeted training and the right strategy are crucial to arming companies against cyber threats.

The TreeSolution Awareness Academy supports companies in establishing sustainable security awareness and integrating it into their corporate culture. Through interactive training, phishing tests and practical scenarios, employees are prepared for real cyber threats; TreeSolution phishing training adds practical simulations that teach employees to recognize attacks at an early stage and react correctly. This significantly reduces the risk of security incidents and strengthens the security culture within the company in the long term.

Sources: 

  1. IBM Security Services 2014 Cyber Security Intelligence Index Report: https://duo.com/blog/human-error-accounts-for-over-95-percent-of-security-incidents-reports-ibm
  2. Bitkom (12.09.2023): Presseinformation - IT-Sicherheit: 8 von 10 Unternehmen schulen Beschäftigte: https://www.bitkom.org/Presse/Presseinformation/IT-Sicherheit-8-von-10-Unternehmen-schulen-Beschaeftigte
  3. Osterman Research - The ROI of Security Awareness Training (2019): https://ostermanresearch.com/wp-content/uploads/2021/01/ORWP_0313-The-ROI-of-Security-Awareness-Training-August-2019.pdf
