Security Experts Debate Whether Anti-phishing Training Worth the Cost
Or it might also boil down to if hackers' ability to turn a single employee's click on a phishing link into a full-blown compromise means that the defenders need to be right all the time. If a single employee clicking on the wrong link can lead to a network breach, improving the average security level of the workforce matters little, said Bruce Schneier, CTO for Resilient Systems. With security education, "it matters if I have to move the average or the end points," he said. "If I'm trying to get into your network and all it takes is one click, then moving the average does not matter." The Ponemon Institute argues that the major costs of phishing incidents are as a productivity drain. The firm's survey looked at five costs linked to successful phishing attacks. These included the costs of containing malware, of a successful infection, of lost productivity, of containing credential compromises and of a successful compromise of credentials.For the most part, phishing attacks result in compromises or leaked credentials that do not turn into a full-scale network breach. For the average company, 11 percent of malware infections are caused by phishing attacks and respondents estimated that malware attacks will cause a breach in 1.9 percent of cases over 12 months. These results align with Verizon's data, which found that 23 percent of recipients open phishing emails and 11 percent click on the attachments. While many phishing scams attempt to collect user's credentials, they are not about stealing information, but gaining access. "The user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp and continue their stealthy march inside the network," Verizon stated in its report. Reducing the number of successful phishing attacks can mean saving productivity and allowing the security team the ability to focus on incident response and detecting breaches, Wombat's Ferrara said. "This is about the ROI [return on investment]," he said. "We should treat security education like any other security investment. To me, this is getting back to a business decision, not a religious argument about stopping 100 percent" of phishing attacks. For many firms, it is a moot point, as regulations require that a company has a security awareness program. Yet skeptics such as Aitel argue that relying on humans to make the right decision is not a good security practice. Instead, companies should make sure that their security does not rely on such decisions. "Two-factor authentication would have kept us out," Aitel said of his client's test. "You can train all day, every day, and still not get the value of a simple rollout of two-factor authentication."
The largest cost, lost productivity, accounted for $1.8 million, or 48 percent of the total estimated costs of $3.8 million for a large company, according to the survey-research group.