    Math Exercise User Training vs Cost of Good Security and BDR Plan

    • DustinB3403

      Now, as others have said on another topic.

      There are things like the cost of the breach, customer trust, and stock values that are likely to be affected. (Maybe not stock in an SMB but it's there because it could be, private board etc)

      These items are much more difficult to calculate as each breach that does occur can easily affect different quantities of systems. Maybe only a single laptop or desktop gets cryptolocked.

      Maybe the entire organization from every laptop, desktop and server. So how would you evaluate the cost.

      Wiping a desktop and starting over for an end user is a pretty minimal impact to what could easily have been far worse. Many companies would likely say, well Nuke it and start over.

      If your domain controllers, network shares, and every user system were cryptolocked this is a completely different case. A business would likely have to pay the ransom. Possibly for each system that was locked, assuming a new decryption key is made for each and every system.

      You might still nuke the user devices, but your shares and servers are the valuable item here.

      Then add in the cost to rebuild everything that gets nuked. The time to decrypt your servers, security audits you might be forced to perform because of a breach. The cost just goes up and up.

      Training may assist in reducing this, but in my opinion, reminder emails, best practice emails are more effective to implement and provide monthly or even annually.

      Building a proper backup solution and testing it, improving it, keeping it current. This in my opinion is the only way to effectively dwindle down the risk of this threat.

      By having a proper and well documented BDR Plan you already have a plan to address these cases, should they occur. No one is running around "like a chicken with its head cut off" during disaster time.

      Plans are implemented.

      And as I love using the "KISS" method, and eliminating as much attack field as possible from your users' perspective is the best option. By locking down your infrastructure, building a robust backup and recovery solution, by having a plan.

      That is what makes the most financial sense, and likely should to any business who's considering Training VS Security and Backup Systems.

      • Dashrender

        @Breffni-Potter is right. In class learning is nearly useless at this scale. At best I would think a company would do that once. After that they would move solely to KnowBe4 model. It's more regular, puts them into the situation on purpose regularly (this was a stated flaw stated in @DustinB3403's classroom training) and tracks the user's behavior.

        Additionally the classroom training as you mention takes the users out of the work zone, normally requiring significant amounts of the staff to be unavailable at the same time lowering production value of your company during that time.

        I'm also not sure your growth curve is a good one, with a startup it might be, but my office has turnover of 10 or so people a year, but no or little growth.

        Ultimately even if you have the best training in the world, it still doesn't matter. All it takes is one person being absent minded for it all to be meaningless. This isn't to say the training isn't worthwhile, but has a very low real value.

        Also, the company should definitely have a BDR plan regardless. This is not an either or type situation. Granted you could approach this from the perspective that you have a basic DR plan (let's assume you have two VM hosts and Veeam backing up to a NAS) and consider the cost of that training to implementing a lower RTO solution, which given the above example for DR.

        In the above given example, I suppose you could lower the RTO by taking more frequent backup snapshots (but that's really a RPO fix) and installing faster/fatter network pipes and drives to allow for a quicker restore.

        So after all that, I'm thinking the best value to the company is a good BDR plan.

        With regards to the SMB, Scott basically said the same thing yesterday with regards to installing a layer 7 filtering firewall vs something like an ERL. The cost of the layer 7 vs using the recovery plan often don't justify the purchase of the layer 7.
        OK I've kinda gone all over the place, but I don't want to just delete this.

        • scottalanmiller @Deleted74295

          @Breffni-Potter said:

          Neither are the right answer but both are helpful.

          The right answer is hiring people who are motivated to learn the right way of doing things, who want to improve at their work, who want to use the most efficient tools for the task at hand.

          You have 2 types of hire, those who don't want to grow and those who do want to grow.

          No amount of training will help those who just don't want to grow. They will always click on the spam emails, click on the malware links and ignore you.

          When faced with management pressure they will either grow to change their behaviour or dig their heels in.

          Although lots of companies need "fodder" workers. You need to account for those. The average worker can't be a good worker.

          • scottalanmiller @Deleted74295

            @Breffni-Potter said:

            It's really expensive to hire a bad person for your organisation. Even more expensive to attempt to train them.

            Just don't let them in the door to begin with.

            That's the "good employee" theory. Only works for the top X percentage of companies. Most companies, especially large ones, can't hire great workers, they just hope to avoid the worst ones.

            • scottalanmiller @DustinB3403

              @DustinB3403 said:

              So I actually work at a training company not IT Training, but it could certainly be something that we would do, if we had the initiative. The ballpark price per training session is ~$1500 for a half day class up to 20 participants (this number is conservative as I don't have the exact numbers).

              I've worked at companies that were crazy into security and what they did was make this training part of their normal training initiatives and did it all internally. Which was still expensive, but it just fit into what they were already doing.

              • Jason Banned @scottalanmiller

                @scottalanmiller said:

                @DustinB3403 said:

                So I actually work at a training company not IT Training, but it could certainly be something that we would do, if we had the initiative. The ballpark price per training session is ~$1500 for a half day class up to 20 participants (this number is conservative as I don't have the exact numbers).

                I've worked at companies that were crazy into security and what they did was make this training part of their normal training initiatives and did it all internally. Which was still expensive, but it just fit into what they were already doing.

                Our company requires quarterly training for everyone anyway so it fits in very easily... IT staff have to take a mandatory week off paid (not using vacation) to take a class or training session somewhere.

                • scottalanmiller

                  We had to do like 20 minutes per day, every day. You could save it up for a week and do it all at once or whatever, but there was a constant stream of it.

                  • Dashrender @scottalanmiller

                    @scottalanmiller said:

                    @Breffni-Potter said:

                    Neither are the right answer but both are helpful.

                    The right answer is hiring people who are motivated to learn the right way of doing things, who want to improve at their work, who want to use the most efficient tools for the task at hand.

                    You have 2 types of hire, those who don't want to grow and those who do want to grow.

                    No amount of training will help those who just don't want to grow. They will always click on the spam emails, click on the malware links and ignore you.

                    When faced with management pressure they will either grow to change their behaviour or dig their heels in.

                    Although lots of companies need "fodder" workers. You need to account for those. The average worker can't be a good worker.

                    I was thinking the same thing. Also, when hiring minimum wage or barely over ($22-25K/yr) you can't expect to get the best people, and those that you do get will probably leave you looking for better pay, etc.

                    • Deleted74295 Banned @Dashrender

                      @Dashrender said:

                      I was thinking the same thing. Also, when hiring minimum wage or barely over ($22-25K/yr) you can't expect to get the best people, and those that you do get will probably leave you looking for better pay, etc.

                      But that is surely the right candidate, you want some ambition and a desire to improve and if you can't offer it inside your structure, whilst they are in your organisation would they not be far better than an "Average effort" but will stay for 5 years?

                      • scottalanmiller @Deleted74295

                        @Breffni-Potter said:

                        @Dashrender said:

                        I was thinking the same thing. Also, when hiring minimum wage or barely over ($22-25K/yr) you can't expect to get the best people, and those that you do get will probably leave you looking for better pay, etc.

                        But that is surely the right candidate, you want some ambition and a desire to improve and if you can't offer it inside your structure, whilst they are in your organisation would they not be far better than an "Average effort" but will stay for 5 years?

                        Why? Why is someone that wants to grow better than someone who is better suited for the job at hand?

                        • scottalanmiller

                          I've worked in low end jobs, and pretty universally the people who wanted to learn and grow did, and left, but were never the best people, just the most ambitious. The best people typically were the ones that liked what they did, were comfortable, cared about the job, were vested in it and were at their level of competence but not higher. They had the seniority, experience and reliability far above the other people who came and went.

                          In most cases, people looking to move to "another job" are not the ones I would want to hire. I want to hire the right people, not good enough wrong people using this job as a path not a goal.

                          • Dashrender @Deleted74295

                            @Breffni-Potter said:

                            @Dashrender said:

                            I was thinking the same thing. Also, when hiring minimum wage or barely over ($22-25K/yr) you can't expect to get the best people, and those that you do get will probably leave you looking for better pay, etc.

                            But that is surely the right candidate, you want some ambition and a desire to improve and if you can't offer it inside your structure, whilst they are in your organisation would they not be far better than an "Average effort" but will stay for 5 years?

                            Perhaps they are, but the reality is the job needs to be filled now, today. I really can't afford to wait months and months for the right candidate, it's not that kind of position.

                            • scottalanmiller @Deleted74295

                              @Breffni-Potter said:

                              But that is surely the right candidate, you want some ambition and a desire to improve and if you can't offer it inside your structure, whilst they are in your organisation would they not be far better than an "Average effort" but will stay for 5 years?

                              I'm going to say no, this is an "IT-ism" I feel. I hear this from IT all of the time, ambition for something greater is more important than being good at the job they are in. It's a weird thing that causes us to look down on jobs that we feel are beneath us and see the world as stepping stones rather than potential destinations. It's an article I have been meaning to write. I think it is an unhealthy thing in IT that we feel that everyone should be "passing through" rather than finding where they are good and what makes them happy.

                              • Dashrender

                                hmm... I'm guessing most people probably stop "passing through" once they find something that makes them happy.

                                I've known tons of people who have worked on a help desk, but only a rare few who actually like it and wanted to continue doing it.

                                • scottalanmiller @Dashrender

                                  @Dashrender said:

                                  hmm... I'm guessing most people probably stop "passing through" once they find something that makes them happy.

                                  I've known tons of people who have worked on a help desk, but only a rare few who actually like it and wanted to continue doing it.

                                  But the ones that DO want to stop there are happy and generally the best people to have, from what I've found. The unhappy people passing through generally are terrible at it. They often are not that good at it and rarely are happy doing it. Their ability or ambition to do something else has effectively no positive impact on working on the helpdesk.

                                  • Deleted74295 Banned @scottalanmiller

                                    @scottalanmiller said:

                                    I think it is an unhealthy thing in IT that we feel that everyone should be "passing through" rather than finding where they are good and what makes them happy.

                                    But once your skills/knowledge outgrows the environment you are in and it is impossible for you to get that extra needed challenge which you crave, surely that pushes you to move on then?

                                    • Deleted74295 Banned

                                      http://mangolassi.it/topic/6514/what-is-your-educational-goal/31

                                      Does the fact you had 40 jobs in 7 years make you a worse candidate than someone at the same job for 3-5 years? Albeit a consultant job there are definite benefits to someone pushing rather than someone who is stagnant/stuck.

                                      • scottalanmiller @Deleted74295

                                        @Breffni-Potter said:

                                        @scottalanmiller said:

                                        I think it is an unhealthy thing in IT that we feel that everyone should be "passing through" rather than finding where they are good and what makes them happy.

                                        But once your skills/knowledge outgrows the environment you are in and it is impossible for you to get that extra needed challenge which you crave, surely that pushes you to move on then?

                                        No, that's not what studies in business have shown after decades of research. Quite the opposite. Once you hit your level of competence, going beyond that results in failure and frustration.

                                        • Deleted74295 Banned @scottalanmiller

                                          @scottalanmiller said:

                                          No, that's not what studies in business have shown after decades of research. Quite the opposite. Once you hit your level of competence, going beyond that results in failure and frustration.

                                          But what I'm trying to say is if you could have someone who was at say...level 8 for competence out of 10, or level 5 out of 10 but they'll stay for quite a few years because they have reached their limit, will 5 outperform 8 in a single year?

                                          • scottalanmiller @Deleted74295

                                            @Breffni-Potter said:

                                            http://mangolassi.it/topic/6514/what-is-your-educational-goal/31

                                            Does the fact you had 40 jobs in 7 years make you a worse candidate than someone at the same job for 3-5 years? Albeit a consultant job there are definite benefits to someone pushing rather than someone who is stagnant/stuck.

                                            No, the fact that I was a consultant does not imply that. That someone has changed jobs is totally different from hiring someone passing through versus someone looking to do this job. Completely different concepts.
