Whilst companies employ an array of sophisticated technology to combat security risks, often the weakest link remains the person sitting in front of the screen.
New research from Wombat Security Technologies and the Aberdeen Group suggests that changing employee behaviour when responding to cyber threats via social media, phishing and other popular attack vectors can reduce an organisation's risk by as much as 70 per cent.
The report finds that despite controls and protection being in place many - if not most - reported security incidents result from the actions of company employees. The new research clearly demonstrates that investments in security awareness training can help businesses close the security gap.
"It's important for security teams to communicate clearly about the risks that organisations are accepting when their employees' response to cyber threats is not addressed," says Derek Brink, VP and Research Fellow for Aberdeen Group, at Harte Hanks Company.
"While the public disclosures of the past several months have provided some startling examples about what can happen when security awareness and training is ignored, Aberdeen and Wombat have developed this model to address the most basic and logical question that security teams so often struggle to address: How does an investment in changing end user behaviour through innovative security education solutions actually reduce the organisation's risk?"
The findings show that an investment in user awareness and training is effective in changing behaviour and measurably reduces security-related risks by between 45 and 70 per cent.
The report also estimates that for an organisation with $200 million (£130 million) in annual revenue there is an 80 per cent likelihood that infections from employee behaviour will result in total costs of $2.5 million (£1.6 million), with a 20 per cent chance of exceeding $8 million (£5.2 million).
The full report, The Last Mile in IT Security: Changing User Behaviour, is available to download from the Wombat Security site.