The 2015 Websense threat report is abundantly clear about it. "Websense detected 28 percent of malicious email messages before an antivirus signature became available, presenting AV users with an average window of exposure of 17.5 hours." Here is an excerpt from page 14 of the report:
ACCIDENTAL INSIDER
Employees can be tricked through social engineering into opening malicious emails or browsing to a compromised website. Inadvertent data loss can also occur while attempting to be innovative and productive on the job, such as using an un-approved cloud service (so-called shadow-IT).
SUPPORTING EVIDENCE
The poster child for 2014’s accidental harm comes from the news headlines. Data breach investigations reveal that most began with a malicious email or other social engineering tactic. Risky employee behavior has also been a key factor in the explosion of ransomware incidents.
GUIDANCE
Employee education can reduce their susceptibility to social engineering. Information sharing can raise awareness and tools can be deployed to test their knowledge of best practices for identifying phishing emails and other suspicious content.
IT can monitor improved behavior resulting from educational efforts as well as identify users whose behaviors simply don’t change. Advanced tools can even proactively identify the high risk user behavior of a disgruntled or other dangerously motivated employee.
Page 17 also has some good quotes about the recycling of earlier methods and "blended threats". Here is the full report: http://www.websense.com/assets/reports/report-2015-threat-report-en.pdf
Want to be pleasantly surprised by the cost of set-it-and-forget-it security awareness training combined with simulated phishing attacks?