Effective Security Awareness Training Really Does Reduce Data Breaches



Social engineering and phishing are involved in 70% - 90% of data breaches. No other root cause of malicious hacking (unpatched software and firmware, eavesdropping, cryptographic attacks, physical theft, and so on) comes close.

In fact, if you add up all other causes for successful cyberattacks together, they do not come close to equaling the damage done by social engineering and phishing alone.

We have previously shown, in a white paper entitled Data Confirms Value of Security Awareness Training and Simulated Phishing, that an effective security awareness training (SAT) program that includes simulated phishing reduces the percentage of people who respond inappropriately to a simulated phishing exercise (what we call the Phish-prone Percentage™, or PPP), and that the more often SAT and simulated phishing are performed within an organization, the lower the PPP.

We also have data, shown below, indicating that organizations with a good SAT program (including frequent simulated phishing campaigns) significantly reduce real human risk and suffer fewer real-world compromises. And the more often you train and run simulated phishing campaigns, the lower the real human risk.

Note: KnowBe4 considers a good SAT program to include at least quarterly training and simulated phishing tests, although even more frequent training and simulated phishing are demonstrated to provide even more risk reduction. We consider an effective SAT program to be one where training is done at least monthly with simulated phishing campaigns done at least monthly as well, if not more frequently.  If you are interested in more details of what KnowBe4 recommends for an effective SAT program, read this.  

The Effective Security Awareness Training Really Does Reduce Breaches paper can be downloaded here.

Ultimately, there is only one question to ask regarding the effectiveness of SAT programs.

Does an effective security awareness training program with simulated phishing campaigns reduce an organization’s risk of being compromised by a real-world attack?

No other measure gets at the actual goal of an effective SAT program. If effective SAT programs really do reduce human risk, we should see evidence of fewer real-world compromises at organizations that have them.

The best way to objectively answer that question would be to collect global large-scale data on which organizations have or have not suffered a data breach in a given time period and compare those findings with whether they had used or did not use a good SAT program prior to the attack to reduce human risk. 

If good SAT did indeed help organizations avoid being breached (and correlation and causation were both established), you would expect organizations with good SAT programs to be breached less often than organizations with weak or no SAT programs prior to the incident(s).

The Challenge
Unfortunately, a large global dataset showing who has or has not been breached AND whether or not they had a good SAT program in place ahead of the breach does not exist. 

It is challenging to answer the ultimate question either way using our own large global customer dataset. Although we have internal data showing how much our customers do or do not use SAT and simulated phishing, our customers usually do not tell us whether they have suffered a data breach, or whether that breach was related to social engineering and phishing.

Further, we certainly do not have the data on non-customers and whether they did or did not suffer a data breach in a given time period and whether or not they had a good SAT program and simulated phishing campaigns. 

However, we came up with the best representation of that sort of dataset that we could construct with available data. 

Note: We realize that even what we did to find the best representation of data to answer the ultimate question will not 100% satisfy everyone. But we think we did our best to find the worthiest, largest dataset to answer the question as well as it could be answered. 

What We Did
First, we purchased the largest publicly-known list of compromised organizations from the Privacy Rights Clearinghouse. The Privacy Rights Clearinghouse (PRC) breach database contains records for over 17,500 data breaches since 2005 publicly announced by U.S. organizations. Anyone can purchase it for $450.

As a global company with customers around the world, we would rather have used a global database that includes non-U.S. organizations and breaches, but this U.S.-only collection is the single largest public breach database available. Nothing else comes close in the number of compromises recorded over the years it covers (2005 onward). At the time we purchased it, it contained over 35,000 separate public breach notifications covering the 17,500 unique breach events: many organizations issued multiple notifications for the same breach and/or suffered multiple publicly announced breaches.

Note: It is very common for a single organization in the PRC database to have suffered multiple public breaches from different cybersecurity events, and a noteworthy percentage of breached companies suffered multiple breaches. It is not difficult to imagine that a company breached because of weak security controls or practices is breached again while it is still trying to improve its security posture.

We then downloaded our much larger customer list and compared it to the PRC records. 

Analysis and Results

The vast majority of our current U.S. customers (97.6%) have not suffered a public data breach (at least since 2005). 
This compares favorably with the figures that industry surveys have reported for years, which, depending on the year and source, put the share of organizations experiencing a data breach of some type (ransomware included) at roughly 20% - 69% in a single year.

Some supporting statements from other cybersecurity firms as examples:

Taking the lowest of those figures, 20% of organizations compromised in a single year, our current U.S. customers (2.4% of whom appear on the public breach list) are 8.3 times less likely to be on the public data breach list in any given year.

Breached Organization Analysis
To help get a better sense of correlation with the services that KnowBe4 provides, we decided to look at organizations that suffered one or more data breaches before becoming a KnowBe4 customer and compare it to the number of breaches suffered by the same customers after becoming a KnowBe4 customer. If a current KnowBe4 customer suffered fewer breaches while they were an existing customer than before they were our customer, that result would support the idea that a good SAT program reduces human risk.

Now that we had the list of 1,189 current U.S. customers who were also breached, we needed to determine if they were breached before they became customers or while they were customers. 

Here is what we found:

Total current U.S. customers with a confirmed data breach date: 1,189

                                     Customers    % of 1,189
Breached before KnowBe4 contract           866        72.83%
Breached while a KnowBe4 customer          390        32.80%

Note: The two percentages sum to more than 100% because some breached customers suffered one or more breaches before becoming our customers and also one or more breaches after becoming our customers, and so are counted in both rows.

Most of the breaches involving our current U.S. customers occurred before they became our customers. Keep in mind that most of our current U.S. customers (97.6%) report no breaches at all; among those that have been breached, 73% were breached before they became our customers.

Among breached current U.S. customers, the share breached while a customer (32.80%) is 0.45 of the share breached before the contract (72.83%), so they appear roughly 55% less likely to suffer one or more breaches while they are our customers.
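As an added illustration (not KnowBe4's own analysis code), the following Python reproduces the join-and-classify procedure described in this post on a small constructed dataset: it collapses duplicate notifications of one breach into a single event, matches organizations from the breach list to a customer list using a normalized name key, and flags each breached customer as breached before and/or on-or-after their contract start date, so that the two percentages can sum to more than 100% exactly as the note under the table describes. Every organization name, date, and record field below is invented for the example, and the example assumes each breach record carries a single breach date.

```python
"""Added illustration of the before/after-contract breach comparison.
Not KnowBe4's analysis code: organisation names, breach dates, contract
dates and record fields are constructed for this example."""
import re
from collections import defaultdict
from datetime import date

# Constructed stand-in for PRC-style breach notifications.  Several rows can
# describe one breach event (the real set had ~35,000 notifications for
# ~17,500 events), so events are keyed by (normalised organisation, date).
BREACH_NOTIFICATIONS = [
    {"org": "Acme Health, Inc.",       "breach_date": date(2016, 3, 2),   "source": "HHS"},
    {"org": "ACME HEALTH INC",         "breach_date": date(2016, 3, 2),   "source": "CA AG"},  # second notice, same event
    {"org": "Acme Health, Inc.",       "breach_date": date(2021, 9, 14),  "source": "HHS"},
    {"org": "Blue Ridge Credit Union", "breach_date": date(2019, 1, 20),  "source": "VT AG"},
    {"org": "Cobalt Logistics LLC",    "breach_date": date(2014, 7, 1),   "source": "CA AG"},
    {"org": "Cobalt Logistics LLC",    "breach_date": date(2015, 2, 9),   "source": "MD AG"},
    {"org": "Delta Dental Partners",   "breach_date": date(2019, 5, 5),   "source": "HHS"},
    {"org": "Unrelated Corp",          "breach_date": date(2018, 11, 11), "source": "WA AG"},  # not a customer
]

# Constructed customer list: organisation -> SAT contract start date.
CUSTOMERS = {
    "Acme Health, Inc.":       date(2018, 1, 1),
    "Blue Ridge Credit Union": date(2017, 6, 1),
    "Cobalt Logistics LLC":    date(2016, 1, 1),
    "Delta Dental Partners":   date(2020, 3, 1),
    "Echo Manufacturing":      date(2019, 1, 1),   # never breached
    "Foxtrot Schools":         date(2021, 1, 1),   # never breached
}

_LEGAL_SUFFIXES = {"inc", "llc", "corp", "co", "ltd"}


def normalize_org(name):
    """Crude matching key so 'ACME HEALTH INC' and 'Acme Health, Inc.' join."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _LEGAL_SUFFIXES)


def unique_breach_events(notifications):
    """Collapse repeated notifications of the same breach into one event."""
    events = defaultdict(set)
    for n in notifications:
        events[normalize_org(n["org"])].add(n["breach_date"])
    return dict(events)  # normalised org -> set of distinct breach dates


def classify_customers(customers, notifications):
    """Per-customer flags: any breach before contract start, any on/after it.
    A customer can be counted in both rows, so the two percentages may sum
    to more than 100%."""
    events = unique_breach_events(notifications)
    breached = before = during = 0
    for org, start in customers.items():
        dates = events.get(normalize_org(org), set())
        if not dates:
            continue
        breached += 1
        if any(d < start for d in dates):
            before += 1
        if any(d >= start for d in dates):
            during += 1
    total = len(customers)
    return {
        "customers": total,
        "never_breached_pct": round(100 * (total - breached) / total, 1),
        "breached": breached,
        "breached_before": before,
        "breached_before_pct": round(100 * before / breached, 2) if breached else 0.0,
        "breached_during": during,
        "breached_during_pct": round(100 * during / breached, 2) if breached else 0.0,
        # Relative reduction: 1 - (share breached while a customer / share breached before).
        "relative_reduction": round(1 - during / before, 2) if before else None,
    }


if __name__ == "__main__":
    for key, value in classify_customers(CUSTOMERS, BREACH_NOTIFICATIONS).items():
        print(f"{key:>22}: {value}")
```

Name normalization is the weak point of any such join; in practice the organization key should be reviewed by hand, and a customer's contract start must be compared against the date the breach occurred rather than the date it was announced.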

Summary
The vast majority (97.6%) of our customers have not suffered a public data breach. Even our customers who have suffered a breach appear roughly 55% less likely to suffer one or more breaches while they are our customers than they were before. Based on the data analyzed for this report and other supporting analyses, it is likely that an effective SAT program significantly reduces human risk and the chances of a real-world compromise.

You can see more data and details in the whitepaper, Effective Security Awareness Training Really Does Reduce Breaches, which can be downloaded here.

