Large Enterprises Spend Nearly $300K Per Year On Security Education, So Why Are Endpoint Attacks More Successful Than Ever?

New Bromium research examines CIO conundrum, finding user-targeted threats are at an all-time high despite increasing education investments

CUPERTINO, Calif., Sept. 14, 2017 (GLOBE NEWSWIRE) -- Bromium®, Inc., the pioneer and leader in virtualization-based enterprise security that stops advanced malware attacks, today released new research which found the cost of security education for large enterprises is at an all-time-high of $290,033* per year per organization, and that user education is rocketing up the CIO’s priority list. Yet despite those investments, the end user remains the greatest risk to the organization’s security from targeted zero-day and nation state threats to common ransomware and phishing attacks.

The research is based on a survey of 500 CIOs from large enterprises in the US (200), UK (200) and Germany (100). Key research findings include:

  • 99 percent of CIOs see users as ‘the last line of defense’ against hackers. This means the burden of securing the enterprise has shifted to user education and often stringent policies and procedures that limit teams’ ability to get work done and puts a tremendous amount of personal responsibility on the end user.
  • Based on an average of seven hours of cybersecurity training per employee, large enterprises waste $290,000 per year.
  • Skilled employees in HR, legal, IT and risk departments spend an additional 276 hours a year helping to arrange and deliver in-house training.
  • Most businesses (90 percent) have used external consultants for over three days (27 hours) a year to review and advise on security policies and procedures.
  • 94 percent of CIOs have pushed for increased investment in user education following recent headlines around phishing and ransomware.

Increased User Education Doesn’t Correlate with Reducing Attack Success

Despite growing investment of time, capital and human resources to increase security education, users remain the weakest link in security, and user-introduced threats continue to rise. According to BakerHostetler’s 2016 Data Security Incident Response Report, phishing, hacking, and malware accounted for approximately 31 percent of incidents, followed by employee actions and mistakes (24 percent). Verizon’s Data Breach Investigations Report shows that there are often repeat offenders – with 30 percent of phishing messages opened by targeted users and 12 percent of those users clicking on the malicious attachments or links multiple times.

“While end users are often the easiest target for hackers, the idea that they should be ‘the last line of defense’ for a business is simply ridiculous. The fact is, most employees are focused on getting their jobs done, and any training will go out the window if a deadline is looming,” commented Simon Crosby, CTO for Bromium.

“Insanity is doing the same thing over and over again and expecting different results, yet this is exactly what businesses are doing by piling time and money into education. It’s inevitable that the average employee will do something that goes against their training. For example, HR departments can’t avoid opening attachments from untrusted sources, but this is a favored hacker tactic for distributing malware and ransomware. The fact is our whole approach to security needs to change.”

Let Users Click with Confidence and Let the Malware Run

“The culture of making employees responsible for security simply isn’t fair. Users are being criminalized for carrying out normal day-to-day business activities, because based on their security training, they should have suspected a risk with whatever they were doing,” Crosby continued. “We need to challenge the status quo: next gen is nonsense and we need a totally new approach.”

“Instead of wasting time on user education policies, protect your users. Let them click with confidence. If they get attacked, let it happen, but do so in a contained environment. By isolating applications in self-contained hardware-enforced environments, malware is completely trapped. Users are free to download attachments, browse websites and click on links without fear of causing a breach. This is the only way to stem the tide of user-introduced threats.”

The research was conducted by researchers at Vanson Bourne. The sample of 500 CIOs was comprised of 175 enterprises with between 1,000 and 3,000 employees, 175 with 3,000 to 5,000 employees and further 150 with more than 5,000 employees.

About Bromium, Inc.

Bromium protects your brand, data and people using virtualization-based security. We convert an enterprise’s largest liability - endpoints and servers -into its best defense. By combining our patented hardware-enforced containerization to deliver application isolation and control, with a distributed Sensor Network to protect across all major threat vectors and attack types, we stop malware in its tracks. Unlike traditional security technologies, Bromium automatically isolates threats and adapts to new attacks using behavioral analysis and instantly shares threat intelligence to eliminate the impact of malware. Bromium offers defense-grade security and counts a rapidly growing set of Fortune 500 companies and government agencies as customers.

Visit Bromium:
Read the Bromium blog:
Follow Bromium on Twitter:
Follow Bromium on LinkedIn:

*$290,033 is calculated as follows: The average hourly pay of an employee is $21 based on data from the ONS in the UK, Statista in Germany, and the Department of Labor in the US. This was then multiplied by the 7 hours a year spent by individual employees on security education and training, and then multiplied by the average number of employees (2,000) in a large enterprise. The $290,033 figure doesn’t include the cost of hiring in external consultants to conduct training sessions with users, or the time spent by IT, legal and HR teams organizing internal sessions.


United Kingdom
Spark Communications
+020 7436 0420

United States 
Method Communications