By Hudney Piquant, Solutions Architect, and Charlie Waterhouse, Senior Security Analyst, Synack, Inc.

IBM recently reported that the average cost of a data breach reached an all-time high of $4.45 million. In addition to those material costs, incidents can damage an organization’s reputation with clients and investors, which means reducing the risk of a security breach should be a critical component of any business plan.

Verizon's annual Data Breach Investigations Report (DBIR) found that only 26% of breaches involved technological vulnerabilities alone. The remaining 74% involved a human element, such as the use of stolen credentials or social engineering. Closing that human gap with purely technical controls is prohibitively costly, and many businesses would be better served by investing in security training for their employees alongside the technology they procure.

Investing in security training has an outsized impact on risk reduction

Let’s consider a few potential investments in our security posture. For this exercise, we can assume that we represent a large public company with thousands of employees that is likely to attract the attention of attackers. Our task: reduce the risk of these adversaries making their way into our company’s environment.

We can buy a large, state-of-the-art firewall from a top-tier vendor. This is the conventional approach, and it does reduce technical risk. For this exercise we will optimistically assume it halves the technical share of our breach risk. It will cost us about $1.5 million all in, a reasonable approximation for a solution of this size.

We can also invest in our people. For the same company, we can propose a $250,000 training budget. That is quite high for an organization of this size, but it serves our purposes here. We can also be pessimistic about the results and assume people become only 10% better at spotting threats. The following table breaks down the findings based on the roughly $4.5 million average breach cost cited above.

The comparison is striking. Applying the assumptions above to the DBIR split, halving the 26% technical share removes about 13 percentage points of breach likelihood for $1.5 million, while a 10% improvement on the 74% human share removes about 7.4 points for $250,000, roughly three and a half times more risk reduction per dollar. Because the human factor accounts for most of the problem, small improvements there have an outsized impact on the organization. Training is also cheap compared with hardening technology, even with a "bloated" budget and poor results. If we further assume one breach per year and fixed deployment costs, the 7.4-point reduction is worth about $330,000 a year against a $250,000 spend, so the training pays for itself in the first year, whereas the firewall's roughly $580,000 of annual avoided loss takes several years to recover its $1.5 million outlay. This alone should help make the case for a human training budget.

Don’t punish employees—reward good security behavior

We need both technical solutions and security training, of course, but much of the cyber industry currently treats the human element as an afterthought. The current approach of simply offering annual training to check a box and then investing more heavily in technical safeguards doesn’t work. Here’s how we could improve it.

We could start with “drip feeds” related to security. A regular column in the company newsletter detailing best practices, highlighting specific threats and mitigation strategies would be more impactful than an annual information dump. People learn better by revisiting a topic over time than they do by “cramming” for a one-time test.

The 74% figure cited in the DBIR shows that the current system of studying for a few hours once a year is a broken model that requires people to sit through courses that are often boring, overly complicated and easy to forget the moment they’re over. Complementing them with “gotcha” emails or “phishing awareness tests” merely teaches our most vulnerable employees to feel bad for clicking on something in their inboxes.

What if we used our marketing resources to produce fun, punchy items that grab attention and are posted internally? Rotate them regularly to keep the material fresh and keep security on people's minds. Gamification can also go a long way toward keeping people engaged. Consider the extra content in your training and quizzes: solicit entries into a prize drawing for going the extra mile, for each quiz answered correctly on the first try, and for reporting phishing emails. The prize can be a large gift card, a cooler or another benefit your employees actually care about. This is why we left the training budget high in the exercise above: part of that spend can fund incentives for learning. The key is to make the program emotionally impactful and desirable across the organization.

Let your employees sound the alarm on potential threats

We also need to encourage direct communication between employees. Synack has an internal security channel where everyone can share information about potential threats, whether it is a widespread vulnerability making headlines or a phishing attempt aimed at specific employees. This kind of engagement turns personnel into "sensors" that surface threats to the organization in real time. For the sensors to be useful, the security team has to watch the channel, acknowledge reports quickly and without blame, and feed confirmed sightings back into its own detection and response process, so that one employee's reported phishing email becomes a block or a warning for everyone else.

The point isn’t to halt all spending on technical solutions to security problems. Rather, it’s to say that an attack surface we gave up on long ago (our people) is not only fixable but capable of being turned into an incredible asset. The human element can go from being one of our biggest weaknesses from a security perspective to being an additional layer of defense if we put in a bit of time, effort and thought into cybersecurity training.

When we as security professionals learn to meet people where they are, rather than continuing to rely on ineffective training strategies, we’ll be able to make significant progress towards securing our global infrastructure.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.