The High Cost of Switching Security Awareness Programs
Security awareness programs are now an essential component of doing – and staying in – business for nearly every company of any size. But starting one company-wide awareness program and then switching to another mid-program is a big mistake that will cost you time, money and morale. That’s why it’s so important to choose the correct security awareness program the first time!
What Is a Security Awareness Program?
A security awareness program is usually defined as a set of materials, courses and policies designed to educate as well as update employees about issues related to keeping networks, information, finances and other assets protected from thieves.
In other words, it’s like placing a digital padlock on all aspects of your business: You’re making sure everyone knows the rules and that only authorized people have access. This is security awareness in a nutshell. Since much of what is being protected is data, it’s sometimes referred to as information security awareness.
Security, and security awareness, work best if there is a clear chain of command. In larger corporations, the CISO and CTO are usually at the top and working in tandem to make secure security protocols are established as well as implemented. They will allocate the budgets and manpower available to make this happen.
With smaller companies, you may just have a senior IT person or an outside security staff. Whatever their title, the person or persons in charge will have to make sure the program is implemented correctly, completed by everyone and its lessons and messages understood. To spread the word, many companies create the role of security champion, who help put a human face on the problem.
Last but not least, the entire workforce within the different departments that must take time out of their day to be educated.
Elements of an Effective Security Awareness Program
That said, not all security awareness programs are equal. There are dozens, if not hundreds of different companies offering different brands and methods of security awareness training.
Each claims they will help employees become aware of dangers and help them stay more vigilant. Yet it’s often difficult to assess their effectiveness from just a website or online review.
What is clear is that the structure and contents of a security awareness program are critical to engagement. Long videos or boring PowerPoint programs do more to turn off an employee than empower or enlighten them. Those that are clever or work-averse may merely run the video in the background without watching in order to get credit.
Awareness programs that offer little in the way of feedback or encouragement are also ineffective, as employees end up tuning out. There should be an interactive component which requires them to demonstrate they understand the materials presented. Gamification has been shown to make training fun — and make it stick.
Versatility is also key. A good information security awareness program will not only contain quality, current materials but make it easy for a company to adapt and/or create modules specific to them.
Most importantly, however, security awareness programs should encourage a cultural behavioral change that respects the role of security in everyday work scenarios and helps people make better decisions when confronted with a potential situation. When they know what to look out for and aren’t afraid to ask questions or report incidents to their supervisors, there is a better morale and a greatly reduced chance of error.
Because threats to a company most often involve email messages that contain malicious links or attachments (commonly referred to as “phishing”), special plugins are often included with security awareness training. These are usually in the form of email filters that can block images or html from appearing in learners’ inboxes, preventing them from accidentally clicking links while they are still learning. This type of plugin can be required of new hires as well as implemented on a case-by-case basis.
Another often-overlooked element of a robust cybersecurity awareness program is a way to test its effectiveness surreptitiously in a real-world setting. One of the most effective methods is to use a phishing simulation program.
This type of program lets administrators create and send phony phishing emails to employees and monitor whether anyone responds to or clicks on them. These phishing emails should be designed to look as convincing as possible and sent in batches over a period of time, usually a few weeks.
Some examples are sending a phony password reset or low bank balance alert, two of the most common scams (but far from the only ones). If anyone in the company thinks they are real and does click on a link or fill out an online form, both the employee and administrator are alerted. The employee could then be required to take further training.
The Cost of Setting Up and Then Switching
As you can see, there are many different important elements to a strong information security awareness program – educational material, videos and exercises, a phishing simulator and related plugins – that must come together in order for it to be as effective as possible.
This, however, is a fixed cost which can be easily calculated, as many software programs are billed monthly or annually, and the cost sometimes depends on a company’s size.
But the devil is in the details. The real cost is in the time lost during the use of the old system and in the transition to the new platform.
According to a report from Bromium, security awareness training for an average large enterprise is at an all-time high of $290,033. Add to this the cost of your highest-level security executives, CISO and CTO, who, according to PayScale average $155,401 and $154,329, respectively.
While the average employee spends just 7 hours per year learning, support staff such as human resources, legal, IT and risk departments spend an additional 276 hours preparing, monitoring and distributing the required training.
Those that are midway through their courses may be upset they have to start over again. Those that were already reluctant to take security awareness training courses will be even less engaged if they feel like their time has been wasted.
Security awareness program switching is also difficult for the administrator, who will need to learn the new ways of working and handling the new program.
Let’s say a company spends two months preparing training and three months using one security awareness training program. Then, however, they discover through feedback that the program is not effective, and employees aren’t engaged. They may decide to conduct a review of the current system and shop for an alternative; this could take about a month.
Next, the support staff will likely need another two months to prepare, as well as getting used to the new system. Total time spent in this scenario? Approximately eight months.
How to Make the Right Choice
In order to set the correct course, it will be important to test different providers’ offerings. Many of them offer free trials that will give you access to their materials. This can give you a general overview of how they operate as well as what information they contain.
After reviewing their contents, you may want to select your top two or three and do pilot enrollments of a select group of learners (perhaps your security champions) who can give you their evaluation of the materials. Only then should it be it full steam ahead.
As you can see, it’s deceptive to think of a security awareness program in terms of a monthly or annual subscription fee. Instead, think of the entire security ecosystem that will need a sea change of adjustment. Therefore, choose wisely before adopting.
Cost of User Security Training Tops $290K Per Year, Infosecurity Magazine
Matthew Jensen, Alexandra Durcikova, Ryan Wright, “Combating Phishing Attacks: A Knowledge Management Approach”