How Security Awareness Training (SAT) Reduces SMB Risk and Expense

Some solutions are more effective than others. When it comes to cybersecurity, experts agree. Security awareness training (SAT) fulfills a vital role helping organizations protect information technology (IT) users, systems and data. In fact, the National Institute of Standards and Technology (NIST), the US Department of Commerce agency tasked with developing cost-effective security standards and guidelines among other responsibilities, states within its Building an Information Technology Security Awareness and Training Program special report that “A strong IT security program cannot be put in place without significant attention given to training agency IT users on security policy, procedures, and techniques.”

What is SAT?

Security awareness training educates users to the risks and signatures of common every day attacks. The instruction provides relevant examples and related education to assist staff in better understanding the tools, techniques and methods hackers employ to trick users, obtain credentials, gain systems access and penetrate networks.

Small and medium businesses (SMBs) benefit from implementing SAT programs in numerous ways. By training users to better recognize and resist social engineering, spear-phishing, ransomware and other malicious technology-related attacks, SMBs can reduce breaches, systems disruptions, outages and similar calamities.

In short, SAT initiatives help users recognize social engineering, phishing and business email compromise (BEC) attacks, as well as other malicious dangers. SAT programs also assist users in spotting and avoiding other risks, such as can occur with physical security and paper documents. Such instruction, conducted properly, also helps keep the topic current among staff members and reinforces the importance of following proper processes and procedures. Further, statistics commonly demonstrate SAT initiatives reduce infections and breaches, which save SMBs by reducing the likelihood and occurrence of unplanned outages and systems disruptions and having to pay corresponding expenses.

Why is SAT Necessary?

SAT is a particularly compelling option, as malicious actors are continually increasing the complexity and sophistication of their attacks. These same attacks are becoming more destructive and damaging when successful.

Ultimately, cybercrime attacks are estimated to cost companies $8 trillion a year. SAT works by leveraging a minimal investment to educate users and familiarize them with common cybersecurity risks, as well as the practices and techniques criminals use to trick them, obtain access and subsequently wreak havoc. Another advantage is SAT helps staff learn to recognize suspicious behaviors and respond properly. SMBs receive a positive return on investment, as a result. The method is particularly effective, as it’s estimated almost three-quarters of breaches involve a human failure versus a technology oversight or error and SAT initiatives target just such weaknesses.

And such weaknesses and attacks are common within SMBs. According to an eSentire report, SMBs are victims of more than half of all cyberattacks. The report recommends SMBs educate employees as to phishing and social engineering efforts, in addition to undertaking other steps (such as deploying a managed detection and response solution).

CISA notes 44 percent of small businesses reported they were victims of cyber attacks. The agency also maintains a small business presentation that emphasizes the importance of educating employees. In addition to enforcing security policies and procedures, the agency recommends employees regularly receive training regarding new cybersecurity threats.

Subsequently, SAT importance has never been greater for SMBs. It’s estimated the cost of phishing alone has tripled since 2015. The most time-consuming resulting tasks are associated with repairing and disinfecting corrupted systems and performing the corresponding forensics work. The corresponding productivity loss is among the costliest of phishing damages, accounting for an average of $3.2 million in 2021. Organizations are similarly spending more time battling credential compromises, which are increasing, while business email compromises, which typically target an organization’s funds or data, are increasing and reached an average cost just shy of $6 million. Fortunately, SAT initiatives help SMBs battle all of these common exploits.

How Does SAT Work?

SAT programs typically include a variety of components. While each SAT solution may vary, such programs commonly include web-based instructional videos and potentially interactive quizzes to test users’ comprehension. SAT solutions also frequently include phishing simulations—actual test messages sent to the organization’s employees—that gauge individual user’s real-world knowledge and compliance.

Other SAT elements SMBs should seek in a cybersecurity training program are security policies that prescribe proper behaviors for specific online situations, instruction to help users spot social engineering attempts, reminders for properly structuring and safeguarding passwords, guidance regarding the importance of physical security—such as the need to secure workstations and shred sensitive paperwork before discarding—and tips for reporting incidents that might occur.

Unfortunately, just selecting a provider and implementing a security awareness training initiative doesn’t guarantee success. SMBs should work to ensure the effort is supported throughout the organization and employees understand the importance the instruction plays in protecting them, systems and data from malicious hackers.

There are also a few potential SAT errors to avoid. For example, SMBs should ensure the SAT solution they implement is updated and hasn’t gone stale on a shelf without receiving refreshed content in the last year or so. SMBs should also make SAT a priority for new users. Providing instruction and dedicating time to security awareness education impresses upon new staff the importance the topic deserves. Good SAT programs will also occasionally test user’s knowledge and compliance, including via phishing simulations and even interactive quizzes and not skip those elements. For best results, an SMB’s SAT solution should also regularly provide users and employees with content and reminders to help cybersecurity topics remain top of mind.

Gartner notes executive support for SAT initiatives, in particular, can help such training prove effective. Among other recommendations, Gartner encourages businesses to directly connect security requirements with organization objectives, link SAT initiatives’ results to specific business goals and adopt measurable and contextualized metrics to prove a SAT programs’ effectiveness.

Can You Calculate the ROI for a SAT Program?

Just because outlets like Entrepreneur declare SAT is “essential” for small businesses doesn’t mean an SMB automatically maximizes such investments. The business magazine noted there’s no such thing as sharing too much cybersecurity information with employees, but it’s still wise to break down the math and confirm an SAT investment pays off.

KnowBe4 is but one example of a SAT provider that has published its own ROI equation. Interested SMBs can perform the actual math to determine the return they receive when investing in such outsourced employee instruction. The company’s model prescribes measuring resultant risk reduction by factoring the program’s development cost and comparing that expense to the direct loss of productivity and revenue, as well as the impact from a damaged reputation, potentially resulting from a security incident.

KnowBe4’s actual ROI example adopts the Payback approach in which gains appreciating after the payback period are not factored, while noting larger firms could employ the even more sophisticated Net Present Value (NPV) strategy to potentially factor those benefits. KnowBe4’s math concludes, using a simple and straightforward example, how the organization’s SAT offering could save an SMB $45,000 a year.

The company’s not alone. Arctic Wolf and Infosec Institute are examples of two other firms publishing similar conclusions. Various white papers and research efforts are also available—such as a 2021 Ponemon Institute study. The study’s findings regarding the costs organizations face due to phishing—the form of social engineering in which a malicious actor sends a fraudulent email message to an intended victim with the goal of tricking the victim into sharing sensitive information or inadvertently installing malicious software on behalf of the bad actor—is particularly compelling. The organization found SAT programs are effective in reducing phishing vulnerabilities and help organizations significantly reduce corresponding costs.

Of course, those organizations are SAT providers, consultants, or training institutes. It’s natural to believe there’s potential bias built into their calculations. Fortunately, you don’t need to take their word for it. Numerous other authorities recommend adopting SAT initiatives, too. In fact, it’s hard to find any respected authority, organization or industry observer that doesn’t recommend implementing security awareness training.

How Do I Get Started Implementing a SAT Program?

You don’t have to be a math major to determine that building and maintaining a SAT program from scratch in-house doesn’t typically make economic sense. Not when several providers offer cost-effective ready-made options. Leading candidates include solutions from such companies as Arctic Wolf, KnowBe4, Ninjio and Proofpoint. Those are but a few popular options.

If you need help comparing SAT offerings, selecting a program or implementing a SAT initiative within your SMB, call Louisville Geek at 502-897-7577 or email [email protected]. We can help.