One of the roadblocks that IT managers often encounter when trying to implement IT security awareness training initiatives is justifying expenses associated with the program. Businesses live and die by return on investment (ROI) and rightfully so. Executives insist upon proof that any outlay of resources will have a positive impact on the bottom line. Unlike a product that is purchased and resold, an online advertising campaign where clicks may be tracked, or the addition of a new sales rep with a corresponding increase in sales, it is a little more difficult to pinpoint the exact economic benefit of IT security awareness training, but certainly doable.

IT security programs cannot be proposed as a product to be resold, but they can be presented as an overhead expense critical to an organization. Insurance, utilities, office furniture, dress codes, and many other expenses and policies are difficult to quantify precisely as to how they impact the bottom line. However, it is accepted that, without these items, a firm would not be able to conduct its business properly or project the reputation it seeks in the marketplace.

Something to Brag About

A company engaged in best IT security practices, which include awareness training, should incorporate this information in its marketing collateral. Prospects who are considering doing business with an organization want to know that their assets will be secure and that all reasonable measures are being taken to ensure that the firm can deliver its products or services without the interruptions posed by a security breach.

Customers who know and appreciate that a business is taking every practical step to protect their information may also transfer that knowledge and gratitude into other services provided by the firm. Believing that an organization is safeguarding their data may also lead them to believe or at least give the benefit of the doubt that orders, billing, customer service, and quality are also being handled with the utmost care. It builds general goodwill, which when shared through word of mouth can lead to additional sales.

The general public is well aware of the threats a firm faces with respect to IT security, as major breaches are routinely in the news. Deloitte University reported the findings of a consumer survey in a paper that demonstrates that the public is attuned to the IT security threats facing a firm and has certain expectations as to what is acceptable for both the frequency of incidents and the response to them. 59% of consumers surveyed reported that a single breach would negatively impact the likelihood of their doing business with a company; 51% of the respondents indicated that they would be forgiving of a firm after a breach if the incident was handled promptly and with minimal disruption.

Results of that survey clearly show that a firm that suffers an IT security breach will likely find it more difficult to attract new customers, which is crucial to any business. The findings also indicate that an organization responding promptly to an incident will fare better, in terms of reputation, than an operation that does not tackle an event in a manner consistent with customers’ expectations. The exact cost and benefit are difficult to calculate precisely, as those numbers are predicated on the chances of a breach, the size of the breach, and other unknowns. However, with roughly half of respondents indicating that they would penalize a business for inadequate defenses and responses to security threats, it is evident that a very substantial loss of business is at stake.

The Cost of Inaction

IBM’s Cost of Data Breach Study for 2016 found that the average cost of a breach had grown from $3.8M in 2015 to $4M in 2016. The same study found that the cost associated with each record that contains sensitive information rose from $154 each to $158 apiece. Given that, in 2016, 78% of all firms experienced a data breach, per findings by the CyberEdge Group, it is unfortunately a fairly safe bet that a firm will be hit. It is even more likely, and a near certainty, that an organization that has not taken sufficient preventative measures will suffer a breach.

Target’s well-publicized data breach in 2013 cost the company an estimated $148M. That is serious money and enough to gain the attention of any senior executive. Target reported, a year after the breach, that the company was still suffering losses from the event, which demonstrates how long a firm might suffer after a breach occurs and corrective actions are completed.

“Time is money” is a well-worn maxim that applies fittingly to IT security awareness. An online merchant may lose money for every second it is unable to process transactions. Most companies will have a longer grace period than the online merchant example, but few can go several minutes, much less hours or days, with operations compromised before the costs begin to add up significantly. It is fairly easy to calculate a business’s losses per minute, hour, or day: dividing income by the respective time period gives an average loss rate, which can be used to justify the costs associated with implementing and maintaining a robust IT security awareness training program.

After a significant event, many firms will hire public relations firms to craft messages for both the press and the public. Internal customer service groups can expect to be dealing with customer complaints for months or even years in the wake of a breach, as it sometimes takes that long for data stolen to be used or for damages to be uncovered.

Failure to adhere to regulations and laws governing IT security can leave an organization exposed to some very serious fines and penalties. One of the many examples of this is the FTC’s ability not only to fine a firm for failing to protect personal information in a manner consistent with the law, but also to subject the firm to audits for up to 20 years following a security incident. Not only are those audits costly, as the organization is required to produce records and reports, but they can also easily lead to additional fines and penalties, as the audits are often performed with a fine-toothed comb.

Lawsuits are another adverse outcome which may result from poor security practices. Courts can not only award monetary damages, but they may also order a business to abandon certain practices or markets, which could cripple a business. It is safe to assume that damages awarded and penalties assessed will be, in part, based on an organization’s history of security breaches and current precautions taken. A business that has a lackadaisical approach to IT security will likely be sanctioned to a greater extent, in any lawsuit, than those that can demonstrate that their best effort has always been put forth to alleviate the possibility of an event.

After a security incident, a business that holds a cyber insurance policy can expect a significant increase in premiums. Policies may also be canceled after an attack. If a company does not have insurance but decides after an event that it is needed, the cost of a policy will be greater than if the event had not occurred.

A firm could very well lose its IT security staff, should it fail to adequately invest in preventive measures. CSO lists failure to invest in IT security issues as one of the top five reasons why systems personnel should consider quitting their jobs. The job market for IT security personnel is red hot, with over a million job openings in the U.S., per the article, so it is easy for these folks to find another job.

Few want to be tied to an organization that endures a headline-grabbing security event, as that does not look great on a resume. Loss of personnel will likely make an organization more vulnerable while it searches for replacements, and, given the demand for IT security personnel, that search could be lengthy and costly.

As if those potential monetary losses were not bad enough, C-level executives can be personally prosecuted and find themselves behind bars for not complying with certain laws meant to protect information. If none of the other potential losses get the attention of upper management, then the possible loss of their personal freedom might.

Benefits to Be Discovered

Almost any initiative, be it IT security awareness training or something else, forces a company to examine its procedures, policies, and personnel. Inefficiencies and opportunities often surface as a result of these examinations, which may have nothing to do with security, but can still benefit a firm.

An IT security awareness program can act as a team-building and collaboration exercise. Because the nature of the goal is generally not to solve a problem where finger-pointing is common, it lends itself to improving relations among employees. A common enemy (IT security threats) often unites a group.

It All Adds Up

Most of the impact IT security awareness has on the bottom line comes through risk reduction. The stakes for any firm are far too great to overlook. One way to appreciate the benefits of a robust awareness program is to think of it as a health insurance policy. A health insurance policy is costly and few are happy about paying for it, but it is understood that without one, an individual could be wrecked financially on top of the illness itself, adding salt to the wound.

Be Safe
