
    Math Exercise User Training vs Cost of Good Security and BDR Plan

      Deleted74295 Banned

      $400 per year for 20 users as a rough ball park.

        Deleted74295 Banned @DustinB3403

        @DustinB3403 said:

        @Breffni-Potter We're using the example I have in my day to day. Volume pricing might apply. We can dig into your pricing provider in a bit and see the nitty-gritty.

        But your pricing is 2000% higher on training than what anyone is currently doing to resource user training. So it skews the math horribly on one side of the scale.

          DustinB3403

          So annually, assuming training costs $75/employee for a 4-hour class, a company can spend $35600.

          That is not by any stretch of the imagination a small sum of money that could very easily go towards improving your systems security, and infrastructure improvements. It doesn't include things like the cost of inflation.

          The cost of this training, instead taken and applied to a proper backup and restore / security policy annually, could very easily provide a very robust backup solution for many SMBs.

          Including incrementals, fulls, offsite storage, AV and AM software. All of this while still providing a quarterly reminder email to your entire staff of best Security Tips and Tricks. Which takes moments to draft and send in comparison.

          I look forward to seeing how your IT departments would spend above monies towards improving your backup and recovery plans and infrastructure.

            dafyre

            You also have to take into account that many small businesses simply won't know about or care to provide these kinds of trainings. Those that do know about them are likely unable to afford them at the prices you are speaking of.

            An option like KnowBe4 provides a good alternative to having to fork out large amounts of money for year-over-year stuff, and you still get the benefits of having things tested semi-regularly. Even if KnowBe4 costs $1,000 per 20 users at $5k a year, you are still coming out far, far ahead of the game for 100 users than the on-site training at $17k...

              Jason Banned @dafyre

              @dafyre said:

              An option like KnowBe4 provides a good alternative to having to fork out large amounts of money for year-over-year stuff, and you still get the benefits of having things tested semi-regularly. Even if KnowBe4 costs $1,000 per 20 users at $5k a year, you are still coming out far, far ahead of the game for 100 users than the on-site training at $17k...

              We use KnowBe4 as well as our internal people. It's a great service.

                scottalanmiller

                I've used KnowBe4 as well, it is very good.

                  DustinB3403

                  Now, as others have said on another topic.

                  There are things like the cost of the breach, customer trust, and stock values that are likely to be affected. (Maybe not stock in an SMB but it's there because it could be, private board etc)

                  These items are much more difficult to calculate as each breach that does occur can easily affect different quantities of systems. Maybe only a single laptop or desktop gets cryptolocked.

                  Maybe the entire organization from every laptop, desktop and server. So how would you evaluate the cost?

                  Wiping a desktop and starting over for an end user is a pretty minimal impact to what could easily have been far worse. Many companies would likely say, well Nuke it and start over.

                  If your domain controllers, network shares, and every user system were cryptolocked, this is a completely different case. A business would likely have to pay the ransom. Possibly for each system that was locked, assuming a new decryption key is made for each and every system.

                  You might still nuke the user devices, but your shares and servers are the valuable item here.

                  Then add in the cost to rebuild everything that gets nuked. The time to decrypt your servers, security audits you might be forced to perform because of a breach. The cost just goes up and up.

                  Training may assist in reducing this, but in my opinion, reminder emails, best practice emails are more effective to implement and provide monthly or even annually.

                  Building a proper backup solution and testing it, improving it, keeping it current. This in my opinion is the only way to effectively dwindle down the risk of this threat.

                  By having a proper and well documented BDR Plan you already have a plan to address these cases, should they occur. No one is running around "like a chicken with its head cut off" during disaster time.

                  Plans are implemented.

                  And as I love using the "KISS" method, and eliminating as much attack field as possible from your users' perspective is the best option. By locking down your infrastructure, building a robust backup and recovery solution, by having a plan.

                  That is what makes the most financial sense, and likely should to any business who's considering Training VS Security and Backup Systems.

                    Dashrender

                    @Breffni-Potter is right. In class learning is nearly useless at this scale. At best I would think a company would do that once. After that they would move solely to KnowBe4 model. It's more regular, puts them into the situation on purpose regularly (this was a stated flaw stated in @DustinB3403's classroom training) and tracks the user's behavior.

                    Additionally, the classroom training, as you mention, takes the users out of the work zone, normally requiring significant amounts of the staff to be unavailable at the same time, lowering production value of your company during that time.

                    I'm also not sure your growth curve is a good one, with a startup it might be, but my office has turnover of 10 or so people a year, but no or little growth.

                    Ultimately even if you have the best training in the world, it still doesn't matter. All it takes is one person being absent minded for it all to be meaningless. This isn't to say the training isn't worthwhile, but has a very low real value.

                    Also, the company should definitely have a BDR plan regardless. This is not an either or type situation. Granted you could approach this from the perspective that you have a basic DR plan (let's assume you have two VM hosts and Veeam backing up to a NAS) and consider the cost of that training to implementing a lower RTO solution, which given the above example for DR.

                    In the above given example, I suppose you could lower the RTO by taking more frequent backup snapshots (but that's really an RPO fix) and installing faster/fatter network pipes and drives to allow for a quicker restore.

                    So after all that, I'm thinking the best value to the company is a good BDR plan.

                    With regards to the SMB, Scott basically said the same thing yesterday with regards to installing a layer 7 filtering firewall vs something like an ERL. The cost of the layer 7 vs using the recovery plan often don't justify the purchase of the layer 7.
                    OK I've kinda gone all over the place, but I don't want to just delete this.

                      scottalanmiller @Deleted74295

                      @Breffni-Potter said:

                      Neither are the right answer but both are helpful.

                      The right answer is hiring people who are motivated to learn the right way of doing things, who want to improve at their work, who want to use the most efficient tools for the task at hand.

                      You have 2 types of hire, those who don't want to grow and those who do want to grow.

                      No amount of training will help those who just don't want to grow. They will always click on the spam emails, click on the malware links and ignore you.

                      When faced with management pressure they will either grow to change their behaviour or dig their heels in.

                      Although lots of companies need "fodder" workers. You need to account for those. The average worker can't be a good worker.

                        scottalanmiller @Deleted74295

                        @Breffni-Potter said:

                        It's really expensive to hire a bad person for your organisation. Even more expensive to attempt to train them.

                        Just don't let them in the door to begin with.

                        That's the "good employee" theory. Only works for the top X percentage of companies. Most companies, especially large ones, can't hire great workers, they just hope to avoid the worst ones.

                          scottalanmiller @DustinB3403

                          @DustinB3403 said:

                          So I actually work at a training company not IT Training, but it could certainly be something that we would do, if we had the initiative. The ballpark price per training session is ~$1500 for a half day class up to 20 participants (this number is conservative as I don't have the exact numbers).

                          I've worked at companies that were crazy into security and what they did was make this training part of their normal training initiatives and did it all internally. Which was still expensive, but it just fit into what they were already doing.

                            Jason Banned @scottalanmiller

                            @scottalanmiller said:

                            @DustinB3403 said:

                            So I actually work at a training company not IT Training, but it could certainly be something that we would do, if we had the initiative. The ballpark price per training session is ~$1500 for a half day class up to 20 participants (this number is conservative as I don't have the exact numbers).

                            I've worked at companies that were crazy into security and what they did was make this training part of their normal training initiatives and did it all internally. Which was still expensive, but it just fit into what they were already doing.

                            Our company requires quarterly training for everyone anyway so it fits in very easily... IT staff have to take a mandatory week off paid (not using vacation) to take a class or training session somewhere.

                              scottalanmiller

                              We had to do like 20 minutes per day, every day. You could save it up for a week and do it all at once or whatever, but there was a constant stream of it.

                                Dashrender @scottalanmiller

                                @scottalanmiller said:

                                @Breffni-Potter said:

                                Neither are the right answer but both are helpful.

                                The right answer is hiring people who are motivated to learn the right way of doing things, who want to improve at their work, who want to use the most efficient tools for the task at hand.

                                You have 2 types of hire, those who don't want to grow and those who do want to grow.

                                No amount of training will help those who just don't want to grow. They will always click on the spam emails, click on the malware links and ignore you.

                                When faced with management pressure they will either grow to change their behaviour or dig their heels in.

                                Although lots of companies need "fodder" workers. You need to account for those. The average worker can't be a good worker.

                                I was thinking the same thing. Also, when hiring minimum wage or barely over ($22-25K/yr) you can't expect to get the best people, and those that you do get will probably leave you looking for better pay, etc.

                                  Deleted74295 Banned @Dashrender

                                  @Dashrender said:

                                  I was thinking the same thing. Also, when hiring minimum wage or barely over ($22-25K/yr) you can't expect to get the best people, and those that you do get will probably leave you looking for better pay, etc.

                                  But that is surely the right candidate, you want some ambition and a desire to improve and if you can't offer it inside your structure, whilst they are in your organisation would they not be far better than an "Average effort" but will stay for 5 years?

                                    scottalanmiller @Deleted74295

                                    @Breffni-Potter said:

                                    @Dashrender said:

                                    I was thinking the same thing. Also, when hiring minimum wage or barely over ($22-25K/yr) you can't expect to get the best people, and those that you do get will probably leave you looking for better pay, etc.

                                    But that is surely the right candidate, you want some ambition and a desire to improve and if you can't offer it inside your structure, whilst they are in your organisation would they not be far better than an "Average effort" but will stay for 5 years?

                                    Why? Why is someone that wants to grow better than someone who is better suited for the job at hand?

                                      scottalanmiller

                                      I've worked in low end jobs, and pretty universally the people who wanted to learn and grow did, and left, but were never the best people, just the most ambitious. The best people typically were the ones that liked what they did, were comfortable, cared about the job, were vested in it and were at their level of competence but not higher. They had the seniority, experience and reliability far above the other people who came and went.

                                      In most cases, people looking to move to "another job" are not the ones I would want to hire. I want to hire the right people, not good enough wrong people using this job as a path not a goal.

                                        Dashrender @Deleted74295

                                        @Breffni-Potter said:

                                        @Dashrender said:

                                        I was thinking the same thing. Also, when hiring minimum wage or barely over ($22-25K/yr) you can't expect to get the best people, and those that you do get will probably leave you looking for better pay, etc.

                                        But that is surely the right candidate, you want some ambition and a desire to improve and if you can't offer it inside your structure, whilst they are in your organisation would they not be far better than an "Average effort" but will stay for 5 years?

                                        Perhaps they are, but the reality is the job needs to be filled now, today. I really can't afford to wait months and months for the right candidate, it's not that kind of position.

                                          scottalanmiller @Deleted74295

                                          @Breffni-Potter said:

                                          But that is surely the right candidate, you want some ambition and a desire to improve and if you can't offer it inside your structure, whilst they are in your organisation would they not be far better than an "Average effort" but will stay for 5 years?

                                          I'm going to say no, this is an "IT-ism" I feel. I hear this from IT all of the time, ambition for something greater is more important than being good at the job they are in. It's a weird thing that causes us to look down on jobs that we feel are beneath us and see the world as stepping stones rather than potential destinations. It's an article I have been meaning to write. I think it is an unhealthy thing in IT that we feel that everyone should be "passing through" rather than finding where they are good and what makes them happy.

                                            Dashrender

                                            hmm... I'm guessing most people probably stop "passing through" once they find something that makes them happy.

                                            I've known tons of people who have worked on a help desk, but only a rare few who actually like it and wanted to continue doing it.
