Cybersecurity issues are becoming a daily struggle for companies. Trends indicate a significant increase in hacked and breached data from very common workplace sources such as mobile devices and the Internet of Things (IoT). The average expenditure on cybercrime is increasing drastically, and the associated costs can cripple a company. While research indicates that security awareness training is the number one way for companies to protect themselves, it can be a tough sell to leadership. After all, training requires both time and money, and explaining the return on investment to leaders can be a frustrating and difficult task.

Effective security awareness training should do more than satisfy compliance requirements; it should make your company's data safer. What does security cost? How do you show that the benefits of security awareness training outweigh the costs? The truth is that it is very difficult to show ROI on something you prevented from happening in the first place, and on something as intangible as security awareness training. Still, leadership will expect to know whether or not this will save the company money. The good news is that there are many ways to illustrate the ROI of investing in a security awareness training platform, and the numbers will vary with the size of your company. The simplest way to calculate it is to use this formula:
ROI% = ((Savings / Cost) - 1) X 100%
In other words, let's say your company would save $150,000 (the average cost of an attack on a US SMB in 2017).
Cost equals program cost plus time allocation.
To determine the cost of the security awareness program, use (users X price per license). For this example we will say 50 users at $20.00 per license, which comes to $1,000.
Time allocation = (hours per year X salary per hour X number of users). To illustrate, let's say 4 hours per year X $25 per hour X 50 users, which comes to $5,000. The total cost is therefore $6,000.
ROI% = ((150,000 / 6,000) - 1) X 100%
In this scenario, the direct ROI% is 2,400%.
Other Factors to Consider
However, it's not as easy to calculate the loss of revenue and the damage to brand reputation if a security incident occurs. Consider the impact on your business when your investors, clients, partners and third-party vendors learn that you suffered a breach. Will they continue to do business with you? How will this affect your prospects when the big one hits and word gets out?
Another way to look at the direct benefits of a security awareness training program is to calculate susceptibility. One way to discover your susceptibility is to divide your total security failures by the total number of tests performed. For instance, if you used a phishing simulator to test your employees' susceptibility to clicking on a malicious email, you might send out 50 phishing emails. If 15 of the 50 employees who received one clicked through, the susceptibility rate would be 30%. One of the wisest things you can do is try a free phishing demo to gather baseline data that gauges the susceptibility of your employees. This baseline calculation may be enough of a determining factor in your decision to purchase a phishing simulator/security awareness training package. Once you have a baseline, you can follow up with additional campaigns to measure the direct improvement. Sign up below to assess your employees' security behaviors.
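The two calculations above, the direct ROI% and the phishing susceptibility rate, are small enough to put in one script so that the figures can be re-run for your own head count, license price and wage. This is an added example, not code from the original post or from TechGuard; the input values are the constructed figures used in the article (50 users, $20 per license, 4 hours per year, $25 per hour, a $150,000 avoided loss, 15 clicks out of 50 emails), and the follow-up campaign result of 10 clicks is an assumed number used only to show how improvement between campaigns is reported.

```python
from dataclasses import dataclass


@dataclass
class AwarenessProgram:
    """Cost model from the article: license cost plus employee time."""
    users: int
    price_per_license: float      # dollars per user per year
    training_hours_per_year: float
    hourly_wage: float            # average wage of participating employees

    def license_cost(self) -> float:
        # program cost = users X price per license
        return self.users * self.price_per_license

    def time_cost(self) -> float:
        # time allocation = hours per year X salary per hour X number of users
        return self.training_hours_per_year * self.hourly_wage * self.users

    def total_cost(self) -> float:
        return self.license_cost() + self.time_cost()


def roi_percent(savings: float, cost: float) -> float:
    """ROI% = ((Savings / Cost) - 1) X 100%, as given in the article."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return ((savings / cost) - 1) * 100


def susceptibility_rate(failures: int, tests: int) -> float:
    """Percentage of tests (e.g. simulated phishing emails) that failed."""
    if tests <= 0:
        raise ValueError("tests must be positive")
    if not 0 <= failures <= tests:
        raise ValueError("failures must be between 0 and tests")
    # multiply before dividing so 15/50 yields exactly 30.0
    return failures * 100 / tests


def improvement_points(baseline_rate: float, followup_rate: float) -> float:
    """Drop in susceptibility between a baseline campaign and a follow-up,
    in percentage points; positive means fewer employees clicked."""
    return baseline_rate - followup_rate


if __name__ == "__main__":
    # Constructed inputs matching the article's worked example.
    program = AwarenessProgram(users=50, price_per_license=20.0,
                               training_hours_per_year=4, hourly_wage=25.0)
    avoided_loss = 150_000.0
    print(f"program cost:  ${program.license_cost():,.0f}")
    print(f"time cost:     ${program.time_cost():,.0f}")
    print(f"total cost:    ${program.total_cost():,.0f}")
    print(f"direct ROI:    {roi_percent(avoided_loss, program.total_cost()):,.0f}%")

    baseline = susceptibility_rate(failures=15, tests=50)
    # Assumed follow-up result (not from the article): 10 clicks out of 50.
    followup = susceptibility_rate(failures=10, tests=50)
    print(f"baseline susceptibility:  {baseline:.1f}%")
    print(f"follow-up susceptibility: {followup:.1f}%")
    print(f"improvement: {improvement_points(baseline, followup):.1f} points")
```

Note that `roi_percent` treats the avoided loss as a certain saving, which is the simplification the article makes; the boardroom version of the argument should say so, and should pair the number with the susceptibility trend, since a falling click rate is the measurable evidence that the spend is changing behavior.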
Before you ever enter the boardroom have all your ducks in a row. Do your research and present how many users you are suggesting adding so that you can calculate a specific ROI. How much time will the training take? If you have ever experienced a security incident, how much did it cost the company? How much will you be paying per user license? What is the cost per hour of the employees who will be participating? In order to calculate the direct ROI%, you will need to know the answers to these questions.
Manage the resistance to change. Support from leadership is paramount; without it, employees may feel that participating in the security awareness training and adopting new behavior is optional. Choose a program with excellent analytics so you can show real progress and results. These metrics will also show who is participating. Don't forget that reinforcement is key. Choose a program that will engage employees throughout the year with educational blogs, newsletters and supplemental materials that can be displayed throughout the organization. Psychologists estimate that on average it takes 66 to 300 days to form a new habit.
Teach leadership that cybersecurity is everyone's responsibility, not just the responsibility of IT. Hackers will target the weakest link, and that is most likely your employees. Share these compelling stats to make a stronger call to action.
- 91% of advanced cyberattacks begin with an email.
- 97% of people around the world cannot detect a sophisticated phishing email.
- 61% of SMBs have experienced a cyberattack in the last 12 months.
- 95% of cyberattacks target small and midsized businesses.
- 60% of businesses shut down within 6 months of a cyberattack.
Time is Not an Issue
Ease their minds about time requirements. Many think that their employees will lose several hours of productivity to time spent on training. The truth is that a good program only requires 1-2 hours per quarter, and many platforms offer 5-minute training modules. Who doesn't have 5 minutes for a training? You may also find resistance because the security knowledge of current employees seems so far below what leaders imagine highly trained security experts hold. It doesn't matter. You'll find the most ROI if you focus on finding the sweet spot for your company. Teach your employees to be "good enough". They don't need to be experts in security; they just need to know the basic best practices to make security-minded decisions.
Last, to shape your argument, compare the benefit against other options. For example, if you discovered that investing in a security awareness training program costs about the same as multi-factor authentication, which would provide more bang for your buck? Multi-factor authentication would most likely offer a higher level of protection for your passwords than security awareness training on passwords alone, but consider all the additional training on other topics that employees would receive beyond password security. Investing in security awareness training can be viewed in a similar way to purchasing insurance: it gives us peace of mind about protecting our assets. With proper training, your employees will be empowered to protect your company. Don't wait until your company is the victim of an attack.
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries, including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill set, and her relationship-building skills strengthen her ability to understand the role of the human element in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company's story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.