Return on investment
ROI (return on investment) is the bedrock of most organisations. How much are we spending? How much are we earning? Where can we maximise production, cut costs, increase profits? It’s a theme that is implicit, if not explicit, in almost every meeting that takes place in an organisation.
Reducing risk and where to start.
It is widely accepted within the infosec community that over 90% of successful cyber breaches started with a phishing attack, so it makes sense both rationally and financially to start mitigating that threat as a priority.
Increasing the awareness of your colleagues and, thus, reducing their propensity to click on and open potentially malicious emails is likely to be the most cost-effective data and information security protection measure you can take.
It is almost impossible to eliminate risk; we can only reduce it. Being secure means you have an acceptable level of risk relative to the threats you are facing. This SANS “bell curve” diagram shows the optimum budget sweet spot in security awareness training.
As mentioned at the beginning, the most important statistic that organisations, and especially IT departments, need to keep in mind is that phishing attacks cause over 90% of security breaches. Prevent the breaches associated with email phishing campaigns, and you have a clear measure of value for money.
Following that principle, the most effective thing, from a cyber-security and ROI perspective, that a company can do is invest in systems that can prevent and mitigate such attacks.
As most of the malware threats in phishing messages arrive as attachments or as links to malicious, data-capturing spoof websites, it stands to reason that raising awareness and training your colleagues to spot these would be one of the best places to start.
Malware is often spread via embedded code or an email attachment that runs when the attachment is opened, and data is often leaked or stolen through malicious and spoofed websites.
Mindful of these common and effective attack approaches, the skill and awareness of your colleagues could make the difference between your organisation’s financial, commercial or personally sensitive data being stolen, your infrastructure being hacked or your systems disrupted, and none of that happening.
All those compromises come with a high price in terms of legal, reputational and financial loss. With the advent of new legislation such as the GDPR, these concerns are now even greater.
In cyber data and information security, ROI is not measured as a concrete gain, but as a reduction in risk. The ROI for Security Awareness Training (SAT) can be broken down into three main components, which you can use all together or independently depending on your current requirements: