    Math Exercise User Training vs Cost of Good Security and BDR Plan

    IT Discussion
    6
    44
    4.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
DustinB3403

So, as there are other topics around the ML forums as well as some others, it's been a hot topic, and it's generally assumed that companies are better off paying the ransom.

With this report, many IT professionals have taken up arms to defend what they assume is the best solution: train the employees not to click on this, or not to use USBs from unknown sources, etc.

Others have said a great backup and recovery plan is the way to go, and I tend to agree.

Training users is a repetitive task that companies must do continually, for every new hire or even annually; as viruses and ransomware become more advanced, the training must be kept up. This is generally a huge undertaking, scheduling time away from their money-producing jobs to be educated enough not to be "stupid".

As an alternative to this, companies and IT departments could easily take the approach of building a really good backup and recovery plan. Now, this doesn't exclude the occasional reminder email (or whatever you have) to your employees, but it certainly isn't "classroom business security training".

Anyway, I wanted to do some math on this and see what would generally be more expensive to implement and maintain.

Who's got input?

Deleted74295

Neither are the right answer, but both are helpful.

The right answer is hiring people who are motivated to learn the right way of doing things, who want to improve at their work, who want to use the most efficient tools for the task at hand.

You have two types of hire: those who don't want to grow and those who do want to grow.

No amount of training will help those who just don't want to grow. They will always click on the spam emails, click on the malware links and ignore you.

When faced with management pressure, they will either grow to change their behaviour or dig their heels in.

Deleted74295

It's really expensive to hire a bad person for your organisation. Even more expensive to attempt to train them.

Just don't let them in the door to begin with.

DustinB3403

So I actually work at a training company (not IT training), but it could certainly be something we would do, if we had the initiative. The ballpark price per training session is ~$1500 for a half-day class of up to 20 participants (this number is conservative, as I don't have the exact numbers).

But for simple math, that's $75 per participant, every time, with a live (in-person) or virtual training session. So a company with just 100 employees would immediately spend $7500 on training only. No additional hardware at all to protect the company.

That's not cheap. As with anything, what's taught has to be used or it's forgotten; this is a matter of human nature. So training will recur year over year, as end users are not going to be actively using what's in the training. It'll be sporadic, when they get something suspicious that warrants critical thinking.

In addition to the recurring training, the company is expected to hire and fire, but for simplicity I won't go down that rabbit hole too far. Let's just say over 3 years the company adds 25 new-hire employees. For those 25 new-hire employees, that's an additional $1875 in training.

In a single year, that's $9375 on training alone, to keep employees current with what would be considered a "passing grade".

Now, assuming the company keeps this employee growth going over 3 years, the added cost total for just the new-hire employees is $5625, plus the original 25 new hires, plus the original $7500 for the first 100 employees. In total, the company is looking at spending $15000 on annual training.

Deleted74295

Yes, but your classroom training would be the wrong expense because of the lack of memory retention.

So then you have the KnowBe4 model, which offers a price per user per year.

I think it was around $50 per user per year. You get regular phishing tests and video classroom-style courses all year round.

So your $75 per participant for a one-off session just cannot compete price-wise.

DustinB3403

Now, the above math doesn't include the time the training takes the employee away from their actual duties. But a half-day training is up to 4 hours.

So let's use that as our ballpark number: 200 employees away from their proper jobs for 4 hours annually. And for simplicity I'm going to say everyone at this company makes $25/hour.

That's a round $20,000 paid to employees to attend mandatory training annually: just the 4-hour class, times their pay rate, for 200 employees.

Now obviously the company will spend more than this, because they are literally burning daylight and energy on things such as electricity, HVAC, etc. So the cost just goes up from here. @JaredBusch might be able to put more math to this for the percentage cost. But let's say 3%. So $20600 annually towards training is now paid out.

Then you have to calculate the cost of non-productive hours (or sellable work) for those 4 hours. Obviously this is far more difficult to calculate per industry, so everyone will have to do some of their own math here.

Deleted74295

Actually the cost is much, much lower than $50 per person.

Someone from their team literally just called me asking if I was interested, and the pricing was incredibly cheap compared with the numbers we are talking about.

DustinB3403 @Deleted74295

@Breffni-Potter We're using the example I have in my day to day. Volume pricing might apply. We can dig into your pricing provider in a bit and see the nitty-gritty.

Deleted74295

$400 per year for 20 users as a rough ballpark.

Deleted74295 @DustinB3403

@DustinB3403 said:

@Breffni-Potter We're using the example I have in my day to day. Volume pricing might apply. We can dig into your pricing provider in a bit and see the nitty-gritty.

But your pricing is 2000% higher on training than what anyone is currently doing to resource user training. So it skews the math horribly on one side of the scale.

DustinB3403

So annually, assuming training costs $75/employee for a 4-hour class, a company can spend $35600.

That is not by any stretch of the imagination a small sum of money, and it could very easily go towards improving your systems' security and infrastructure. It doesn't include things like the cost of inflation.

The cost of this training, instead taken and applied annually to a proper backup and restore / security policy, could very easily provide a very robust backup solution for many SMBs.

Including incrementals, fulls, offsite storage, AV and AM software. All of this while still providing a quarterly reminder email to your entire staff of best security tips and tricks, which takes moments to draft and send in comparison.

I look forward to seeing how your IT departments would spend the above monies towards improving your backup and recovery plans and infrastructure.

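As an added worked example (not code from any post in this thread), here is a small Python model of the arithmetic the thread runs by hand: classroom sessions bought in whole blocks of up to 20 seats at ~$1500 per half-day, wages for the 4 hours away from work at $25/hour plus the 3% overhead, and a per-user-per-year subscription service at $50/user. Those figures are the thread's; the one hour per user per year spent on subscription modules and phishing tests, and the choice to onboard new hires in their own sessions rather than fold them into the annual refresher, are my assumptions. The model reproduces the $35600 figure for 200 employees and shows where the flat $75-per-head shorthand breaks: 25 new hires need two sessions, so they cost $3000, not $1875.

```python
"""Cost model for the classroom-vs-subscription comparison discussed above.

Added example; not code from the thread. Inputs marked "thread" come from the
posts above; everything marked "assumption" is mine.
"""
import math

SEATS_PER_SESSION = 20        # thread: one class covers up to 20 participants
PRICE_PER_SESSION = 1500.0    # thread: ~$1500 per half-day class
HOURS_PER_SESSION = 4.0       # thread: a half-day class is up to 4 hours
HOURLY_WAGE = 25.0            # thread: everyone earns $25/hour for simplicity
OVERHEAD = 0.03               # thread: 3% on top of wages for lights, HVAC, etc.
SUBSCRIPTION_HOURS_PER_USER = 1.0  # assumption: yearly time on modules/phish tests


def sessions_needed(attendees: int, seats: int = SEATS_PER_SESSION) -> int:
    """Classes are bought whole: 101 attendees need 6 sessions, not 5.05."""
    if attendees <= 0:
        return 0
    return math.ceil(attendees / seats)


def effective_price_per_head(attendees: int) -> float:
    """What one seat really costs once a partly filled session is paid in full."""
    if attendees <= 0:
        return 0.0
    return sessions_needed(attendees) * PRICE_PER_SESSION / attendees


def classroom_year_cost(headcount: int, new_hires: int = 0,
                        hourly_wage: float = HOURLY_WAGE,
                        overhead: float = OVERHEAD) -> dict:
    """One annual refresher for existing staff plus separate onboarding
    sessions for the year's new hires (assumption: new hires are not folded
    into the refresher). Wages cover the hours in class, uplifted by overhead."""
    sessions = sessions_needed(headcount) + sessions_needed(new_hires)
    vendor = sessions * PRICE_PER_SESSION
    wages = (headcount + new_hires) * HOURS_PER_SESSION * hourly_wage * (1 + overhead)
    return {"sessions": sessions, "vendor": vendor, "wages": wages,
            "total": vendor + wages}


def subscription_year_cost(headcount: int, new_hires: int = 0,
                           price_per_user: float = 50.0,
                           hourly_wage: float = HOURLY_WAGE,
                           overhead: float = OVERHEAD,
                           hours_per_user: float = SUBSCRIPTION_HOURS_PER_USER) -> dict:
    """Per-user-per-year platform (thread: ~$50/user/year, later quoted as low
    as $400 per 20 users). Every user including new hires is licensed, and the
    time spent on modules is charged at wage plus overhead."""
    users = headcount + new_hires
    licence = users * price_per_user
    wages = users * hours_per_user * hourly_wage * (1 + overhead)
    return {"licence": licence, "wages": wages, "total": licence + wages}


def project(years: int, headcount: int, new_hires_per_year: int,
            price_per_user: float = 50.0) -> dict:
    """Multi-year totals with headcount growing by new_hires_per_year, matching
    the thread's '25 new hires a year for 3 years' scenario."""
    classroom = subscription = 0.0
    for _ in range(years):
        classroom += classroom_year_cost(headcount, new_hires_per_year)["total"]
        subscription += subscription_year_cost(headcount, new_hires_per_year,
                                               price_per_user)["total"]
        headcount += new_hires_per_year
    return {"classroom": classroom, "subscription": subscription,
            "difference": classroom - subscription}


if __name__ == "__main__":
    print("200 staff, one classroom refresher:", classroom_year_cost(200))
    print("effective price per head for 25 new hires:", effective_price_per_head(25))
    print("3-year projection, 100 staff + 25/year:", project(3, 100, 25))
```

Change `price_per_user` to 20.0 to use the $400-per-20-users quote from later in the thread; the gap only widens. The model deliberately leaves out the lost sellable hours, since, as the post above says, that figure is industry-specific.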
dafyre

You also have to take into account that many small businesses simply won't know about or care to provide these kinds of trainings. Those that do know about them are likely unable to afford them at the prices you are speaking of.

An option like KnowBe4 provides a good alternative to having to fork out large amounts of money for year-over-year stuff, and you still get the benefits of having things tested semi-regularly. Even if KnowBe4 costs $1,000 per 20 users, at $5k a year you are still coming out far, far ahead of the game for 100 users compared to the on-site training at $17k...

Jason @dafyre

@dafyre said:

An option like KnowBe4 provides a good alternative to having to fork out large amounts of money for year-over-year stuff, and you still get the benefits of having things tested semi-regularly. Even if KnowBe4 costs $1,000 per 20 users, at $5k a year you are still coming out far, far ahead of the game for 100 users compared to the on-site training at $17k...

We use KnowBe4 as well as our internal people. It's a great service.

scottalanmiller

I've used KnowBe4 as well; it is very good.

DustinB3403

Now, as others have said on another topic.

There are things like the cost of the breach, customer trust, and stock values that are likely to be affected. (Maybe not stock in an SMB, but it's there because it could be, private board, etc.)

These items are much more difficult to calculate, as each breach that does occur can easily affect different quantities of systems. Maybe only a single laptop or desktop gets cryptolocked.

Maybe the entire organization: every laptop, desktop and server. So how would you evaluate the cost?

Wiping a desktop and starting over for an end user is a pretty minimal impact compared to what could easily have been far worse. Many companies would likely say, well, nuke it and start over.

If your domain controllers, network shares, and every user system were cryptolocked, this is a completely different case. A business would likely have to pay the ransom, possibly for each system that was locked, assuming a new decryption key is made for each and every system.

You might still nuke the user devices, but your shares and servers are the valuable items here.

Then add in the cost to rebuild everything that gets nuked, the time to decrypt your servers, and the security audits you might be forced to perform because of a breach. The cost just goes up and up.

Training may assist in reducing this, but in my opinion reminder emails and best-practice emails are more effective to implement and provide monthly or even annually.

Building a proper backup solution and testing it, improving it, keeping it current: this, in my opinion, is the only way to effectively dwindle down the risk of this threat.

By having a proper and well-documented BDR plan you already have a plan to address these cases, should they occur. No one is running around "like a chicken with its head cut off" during disaster time.

Plans are implemented.

And as I love using the "KISS" method, eliminating as much attack surface as possible from your users' perspective is the best option: by locking down your infrastructure, building a robust backup and recovery solution, and having a plan.

That is what makes the most financial sense, and likely should to any business that's considering training vs. security and backup systems.

Dashrender

@Breffni-Potter is right. In-class learning is nearly useless at this scale. At best, I would think a company would do that once. After that they would move solely to the KnowBe4 model. It's more regular, puts them into the situation on purpose regularly (this was a flaw stated in @DustinB3403's classroom training) and tracks the user's behavior.

Additionally, the classroom training, as you mention, takes the users out of the work zone, normally requiring significant amounts of the staff to be unavailable at the same time, lowering the production value of your company during that time.

I'm also not sure your growth curve is a good one. With a start-up it might be, but my office has turnover of 10 or so people a year, but no or little growth.

Ultimately, even if you have the best training in the world, it still doesn't matter. All it takes is one person being absent-minded for it all to be meaningless. This isn't to say the training isn't worthwhile, but it has a very low real value.

Also, the company should definitely have a BDR plan regardless. This is not an either/or type of situation. Granted, you could approach this from the perspective that you have a basic DR plan (let's assume you have two VM hosts and Veeam backing up to a NAS) and compare the cost of that training to implementing a lower-RTO solution, given the above example for DR.

In the above given example, I suppose you could lower the RTO by taking more frequent backup snapshots (but that's really an RPO fix) and installing faster/fatter network pipes and drives to allow for a quicker restore.

So after all that, I'm thinking the best value to the company is a good BDR plan.

With regards to the SMB, Scott basically said the same thing yesterday with regards to installing a layer 7 filtering firewall vs something like an ERL. The cost of the layer 7 vs using the recovery plan often doesn't justify the purchase of the layer 7.

OK, I've kinda gone all over the place, but I don't want to just delete this.

scottalanmiller @Deleted74295

@Breffni-Potter said:

Neither are the right answer, but both are helpful.

The right answer is hiring people who are motivated to learn the right way of doing things, who want to improve at their work, who want to use the most efficient tools for the task at hand.

You have two types of hire: those who don't want to grow and those who do want to grow.

No amount of training will help those who just don't want to grow. They will always click on the spam emails, click on the malware links and ignore you.

When faced with management pressure, they will either grow to change their behaviour or dig their heels in.

Although lots of companies need "fodder" workers. You need to account for those. The average worker can't be a good worker.

scottalanmiller @Deleted74295

@Breffni-Potter said:

It's really expensive to hire a bad person for your organisation. Even more expensive to attempt to train them.

Just don't let them in the door to begin with.

That's the "good employee" theory. It only works for the top X percentage of companies. Most companies, especially large ones, can't hire great workers; they just hope to avoid the worst ones.

scottalanmiller @DustinB3403

@DustinB3403 said:

So I actually work at a training company (not IT training), but it could certainly be something we would do, if we had the initiative. The ballpark price per training session is ~$1500 for a half-day class of up to 20 participants (this number is conservative, as I don't have the exact numbers).

I've worked at companies that were crazy into security, and what they did was make this training part of their normal training initiatives and do it all internally. Which was still expensive, but it just fit into what they were already doing.

Jason @scottalanmiller

@scottalanmiller said:

@DustinB3403 said:

So I actually work at a training company (not IT training), but it could certainly be something we would do, if we had the initiative. The ballpark price per training session is ~$1500 for a half-day class of up to 20 participants (this number is conservative, as I don't have the exact numbers).

I've worked at companies that were crazy into security, and what they did was make this training part of their normal training initiatives and do it all internally. Which was still expensive, but it just fit into what they were already doing.

Our company requires quarterly training for everyone anyway, so it fits in very easily... IT staff have to take a mandatory paid week off (not using vacation) to take a class or training session somewhere.
