
Beyond ROI: measuring the value of training

Cybersecurity training is expensive and time-consuming and often considered a grudge purchase, so how to justify it?
By Tamsin Mackay
Johannesburg, 03 Apr 2025
Plaxcidiah Muzembe, Debtsource

Security training is essential for the business because 95% of security incidents are the result of human error. This, says the World Economic Forum’s ‘Global Risks Report 2024’, comes from people clicking on phishing emails, using 12345 as their password, or accidentally sharing sensitive information. A single undetected scam or mistaken click can compromise the entire enterprise’s expensive and complicated security framework.

This compromise comes at a cost. Cybercrime, says Cybersecurity Ventures, is anticipated to cost $10.5tn in 2025, with the UK government citing a cost of £10 830 per breach for larger organisations.

This makes it important to put people through rigorous training that reminds them, as often as possible, that they are the weakest link. But does this training deliver on its promise? It’s expensive – KnowBe4 costs £3.25 per seat for its Diamond level service, Ninjio Aware starts from $50 per user, and PhishingBox starts at $16.50 per seat.

Does this expense deliver returns? “We’ve been trying to work out how to actually see true ROI and there have been two ways we’ve felt this,” says Gary Fouché, co-owner and director: Sales and Marketing, at Gravit8. “Externally, in the training we provide to clients, this is felt in how customers respond to the training and an increase in customer retention based on results. Internally, training is part of our KPIs because we believe we need to set an example so clients can see what they’re buying into. We expect an internal pass rate of 99% and our training is compulsory.”

The challenge, says Fouché, is to quantify the value beyond ensuring that training equips users to make sound decisions, which then reduces the risk of downtime and the financial costs that come with it, as well as the cost of ransomware. “There are quite a few things you don’t see the true value of, which makes selling cybersecurity training challenging. You can’t say someone is definitely going to save R20 000 a month.”

Breach-related costs

It’s a sentiment shared by Danie Theron, head of GRC, Office of Information Security, NTT DATA. “It’s difficult to measure, but we do see an initial spike in events that come after people have done the training and start applying what they’ve learned. We are also seeing improvements in how often we identify operational or process non-conformities. Finding the right metrics, however, is something we’re still determining.”

Theron says the programme may not have metrics that deliver precise insights around its ROI, but there are other factors that play into its value. “I’m rolling out training across 147 000 people, which adds up – that’s 147 000 hours of training. I need to consider the time spent by people within the business, including contractors, and the monetary controls when investing in a solution.”

For Robinson Shai, chief of Operations, Metatrusted Services, quantifying the value of training comes down to measuring click-through rates. A client in the financial services industry was struggling with phishing attacks with a click-through rate on phishing simulations of 25%. After training, the number dropped to 5% within a year, delivering an estimated saving of $500 000 in avoided breach-related costs.

“Training only delivers ROI if it’s done properly,” says Shai. “I’ve seen companies waste thousands on generic, check-box-style training programmes that employees forget as soon as they complete them. The key is to make training relevant and actionable.” Brandon Muller, technical expert: MEA, Kaspersky, says that while measurement is challenging, training is ultimately saving the business the exorbitant cost of a hack. The numbers paint the picture. The average large enterprise has a median cybersecurity budget of approximately $5.7mn and, according to statistics, sees around 12 incidents per year, or one per month. Without the right training and security in place, each incident could potentially cost that company $6.2mn, which, says Muller, is 1.1 times the IT security budget itself.

“When we start talking about the larger proportion of businesses in South Africa, which is small to medium enterprises (SMEs), their median cybersecurity budget, if they’re lucky, is about $200 000, but their incident number per year increases significantly,” he adds. “There are more incidents for SMEs and their recovery costs are around $300 000, which is 1.5 times higher.”

Robust training

Then, there’s the fact that South African companies report an average of 19 incidents a year, and suddenly, the measurements and metrics around security training become less about the expenditure and more about the results. Certainly, this is felt by Plaxcidiah Muzembe, head of Department: Compliance, Debtsource, who implemented the cybersecurity training solution from Galix. “We started with a 33% phishing average, which has now dropped to 1.9%. This is due to numerous factors, but definitely comes down to the platform itself being user-friendly and versatile. We needed a solution that was accessible and customisable so we could get buy-in from all users.”


The Galix solution fit Debtsource’s needs because it allowed the firm to remain compliant and adhere to regulatory requirements while still fitting in with the needs of the users and the business. NTT DATA has adopted a similar approach, using security solutions that emphasise accessibility and training.

“Our staff has a huge number of materials to choose from across full training courses, Harvard-related training courses, LinkedIn training and other platforms and tools,” says Theron. “We needed solutions that could be delivered across all five companies being integrated into the NTT Data ecosystem as efficiently as possible. We also use training from Microsoft, Cisco, Check Point and other security vendors, which allows staff to become certified or specialised in specific areas.”

At both NTT DATA and Debtsource, competition has driven uptake. “We’ve had competitions spring up across departments, with claims of 0% phishing averages and other metrics,” says Muzembe. NTT DATA, on the other hand, has a badging system developed by the IT team that has people competing against one another for certifications and credentials.

Competitive metrics and engagement tools that create value within the training are one criterion for choosing a training platform that fits the business, but other factors should also play a role. The solution has to fit the business and its culture. It has to offer customisation options and allow the business to fine-tune its training approaches and directions.

Training approaches

“If your business sees a lot of phishing emails coming in, then you want to focus your training on that,” says Gravit8’s Fouché. “Any solution must be capable of pivoting towards the risks. For example, what if the company is focusing on ransomware or phishing when the threat is originating at dumpster diving? Knowing the business means creating a solution that addresses the problems.”

Dumpster diving may uncover sensitive paperwork that hasn’t been shredded, and that can be used to socially engineer staff members. But with training, people can learn to pay more attention to security beyond just their inbox.

Cybersecurity training isn’t easily measured. The metrics are vague and difficult to pin down – probably more accurately assessed on a business-by-business basis than with standardised tools – and the cost will probably always fall into the grudge column. But it will always be essential because, without it, the door is wide open. As the Kaspersky Business Digitisation survey highlighted, only 28% of companies in South Africa organise training for their employees, while 16% have none. This isn’t fabulous optics for their customers, or for their bank balances.

SOUTH AFRICAN TRAINING BY THE NUMBERS:

1. 16% of South African companies have no training in place at all, says Kaspersky Business Digitisation survey.

2. 35% of employees want training, says Kaspersky Business Digitisation survey.

3. 40% reduction in employee-related security incidents after implementing a Metatrusted Services training programme.

4. From 33% phishing average to 1.9%, Debtsource changed the shape of security with training.

5. 14 languages – NTT DATA’s training programmes make it easy to pick the right language.

6. 45% of employees worldwide report no security training at all, says Kaspersky.

* Article first published on brainstorm.itweb.co.za
