In the past, employee security training hasn't seemed all that important to most of my clients. For the most part, incidents have been few and far between. The rise of cryptoviruses and ransomware, though, is changing the game, making the cost of an incident much higher. For this reason alone, I would highly suggest that all employers provide security training for their employees. It will likely save money in the long run...unless your company is one of the lucky ones that gets away with it. In 2016, 1 out of 3 small companies experienced some form of data breach. As the companies get larger, that percentage grows quickly.
A basic data breach could just be a malware program that monitors Internet usage or redirects browsers. Those are fairly easy and inexpensive to remove. It could also be a virus that captures keystrokes and uploads data from workstations or servers so the information can be mined for criminal purposes. While these are not usually harder to clean, the damage done by them may not be easily translated to dollars. One HIPAA violation could cost hundreds of thousands of dollars, depending on what was stolen and what security failures allowed the breach to occur.
Cryptoviruses and ransomware are in a completely different league. They can be installed by a script kiddie and encrypt entire servers of data, which then have to be restored from backup. This could take a network down for a day or more, depending on how much data was encrypted and what processes are in place to get it all back. It could cost tens of thousands of dollars in support costs and possibly even more in lost productivity.
All of these are good reasons to train employees to follow security guidelines, treating the Internet and the world abroad as a dangerous, devious place. I am going to suggest another reason, though, that is not often discussed in technology committee meetings. Training the employee helps protect the employee as well.
Most of my clients allow employees to use their business workstations to do some form of personal browsing. They may pay bills online or check on their children at school. They may also frequent their social sites during break hours or at lunch time. It is often this type of browsing that opens a door for the malware or virus to make its way onto a business computer. Once there, it can monitor the Internet usage of the employee until it has been discovered and removed. Employee personal data can just as easily be stolen as client/employer data.
As employers, we have the ability to provide a wealth of information to employees. We pass on information about health savings plans, retirement, healthy living choices, best restaurants in town, etc. We should start looking at computer security training as one of those benefits we provide. The training is useful for everyone outside of the office. If you have ever had to recover your stolen identity, you know how much of a headache it can be. What if you could reduce the chances that this might happen to one of your employees?
Put together a security training class that focuses on the employees' personal security. Once they understand how it can protect them, they will also understand how it can protect the company. If you present it properly, they will realize that you are providing them with real tools to help themselves. That's a benefit that you can list in your employee handbook and recruiting material.