Security Experts Debate Whether Anti-phishing Training Is Worth the Cost

The debate over whether it's pointless to train employees to recognize social engineering got louder after a Ponemon Institute survey suggested that anti-phishing training saves money.

Many network compromises start with phishing—a social engineering attack that arrives via email to dupe corporate workers into divulging passwords or other network application details—and employees continue to be vulnerable to these scams.

In its latest annual Data Breach Investigations Report, for example, Verizon found that more than two-thirds of espionage-related breaches started with a phishing email.

Anti-spam products and services do not catch every phishing attack, so many companies have turned to user education in an attempt to make workers less likely to click on dodgy email messages. If the impact of phishing consists of constant nuisance attacks, rather than a serious breach, such training can pay significant dividends, according to a survey released on Aug. 26 by the Ponemon Institute.

The survey research firm polled 377 information-security and technology practitioners and found that the average company can save nearly $190 per employee, according to the analysis, which was funded by Wombat Security, a security-training firm.

"Every single phishing email that a person falls for ends up being a cost to the organization to go out and clean up the machine," said Joe Ferrara, CEO of Wombat Security. The cost involves downtime for the employees whose machine is affected as well as additional work for the help desk, Ferrara notes.

On its face, employee security training seems like an obviously good idea. By teaching workers to recognize and avoid potential threats, companies can reduce the number of incidents with which they have to deal and free up security teams to focus on incident response and further hardening of the network. By training workers to recognize attacks, security teams gain the benefits of additional eyes among the workforce.

Yet other security experts have taken a dim view of security training. Whether the chance of a given employee clicking on a link in a phishing email is 10 percent or 1 percent, an attacker can easily, and inexpensively, crank up their attack tactics until they are successful, David Aitel, CEO of security-services firm Immunity, told eWEEK.

Immunity, which conducts penetration tests among other services, is often tasked with using a phishing attack to test the security of a client and to gain a beachhead in its network. In one case, the client had trained its workforce well and the employees showed strong awareness of phishing scams, but it was not enough, Aitel said.

"These guys are all super-aware, and we had a pretty low hit rate of people giving us their passwords, and they shut us down in an hour," Aitel said. "Still, it didn't matter. We only needed the three passwords that we got."
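Aitel's point can be put in numbers. The example below is added here and is not part of the article or Immunity's work: it models each recipient of one mailing as an independent trial with a per-employee click rate (the 10 percent and 1 percent figures above) and computes the chance that at least k credentials come back, which is the quantity a defender should track when judging what training buys. The headcount of 300 is an assumption; the article does not give the client's size. The "three passwords" threshold comes from the quote above.

```python
from math import comb


def p_at_least_k(n: int, p: float, k: int) -> float:
    """Probability that at least k of n recipients fall for a single campaign.

    Each recipient is modelled as an independent Bernoulli trial with
    success probability p (the per-employee click / credential-entry rate).
    """
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    # Sum the binomial mass below k and take the complement (the upper tail).
    below = sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k))
    return 1.0 - below


def recipients_for_target(p: float, k: int, target: float, limit: int = 100_000) -> int:
    """Smallest number of recipients that gives at least `target` probability
    of yielding k or more credentials from one mailing.

    This is the lever Aitel describes: when the per-user rate drops, the
    attacker compensates by widening the mailing, not by giving up.
    """
    n = k
    while n <= limit:
        if p_at_least_k(n, p, k) >= target:
            return n
        n += 1
    raise ValueError("target not reachable within limit")


def summary(n: int, k: int, rates=(0.10, 0.01)) -> dict:
    """Tail probability at each click rate, for n recipients and k needed passwords."""
    return {rate: p_at_least_k(n, rate, k) for rate in rates}


if __name__ == "__main__":
    N_EMPLOYEES = 300   # assumption: the article does not give the client's headcount
    NEEDED = 3          # from the quote: "We only needed the three passwords that we got."
    for rate, prob in summary(N_EMPLOYEES, NEEDED).items():
        print(f"click rate {rate:.0%}: P(>= {NEEDED} credentials from one mailing) = {prob:.3f}")
    for rate in (0.10, 0.01):
        needed = recipients_for_target(rate, NEEDED, 0.90)
        print(f"click rate {rate:.0%}: recipients for a 90% chance of {NEEDED} credentials = {needed}")
```

With 300 recipients, cutting the click rate from 10 percent to 1 percent moves the chance of handing over three passwords from near-certainty to roughly 58 percent, and a mailing of about 530 people restores a 90 percent chance at the lower rate. That is the shape of both sides' argument: training shrinks the per-message yield (and so the cleanup cost Ferrara describes), while an attacker who can send more mail still gets the beachhead, which is why detection and response, not awareness alone, decide the outcome.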

Essentially, the issue boils down to whether improving a company's overall security posture can save money and reduce risk.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...