Phishing is still one of the main reasons why companies get breached today. Despite all the different awareness training, classroom hours, video materials, and quizzes, employees can still fall victim.The power of phishing training that focuses on behavior change and puts people at the center of attention is often overlooked. People-first phishing training is perhaps the most affordable way to address human risk by reinforcing safe employee behavior. It's also relatively simple to measure the phishing training's impact to your organization through KPIs such as failure rates and reporting rates.To defend your company and reduce human risk, your job is to ensure that you provide your employees with phishing training that can make them vigilant in their work. People need training that will stick with them so that they can recognize and report dangerous emails instantly.Once you make the decision that you need more practical and people-focused phishing training compared to your previous solution, how do you get leadership support? If you are thinking about asking for approval, this post is for you.Let's look at how you can build a winning business case to get the support to invest in people-first phishing training that you need to defend your organization from social engineering attacks better.
Create a business case
First, you need to justify why you want to undertake this project. Creating a business case is usually based on the cost of development and implementation compared against the risk and the anticipated benefits and savings to be gained.Leadership must understand how investing in a new phishing training is going to deliver value for the company. In a way, you are selling phishing training to them. While the objectives and benefits may seem perfectly obvious to you, you may need to explain it to others in more detail. A well-prepared business case can help your case to stand out among competing priorities.Now we will go into what elements you should include in your business case.When you present the case, it's good to have a summary first, and you can have further slides or other materials to open up the details of the case.
Why do you need to invest in people-first phishing training?
State your problem clearly when beginning the discussion. If you have security awareness training, why would you invest in people-first phishing training? Elaborate on why the existing solutions, such as periodic in-house phishing tests, are not sufficient.The next thing you want to do is to describe the threat landscape. The easiest way for attackers to access your data and assets is through your employees. Security awareness training that is not practical, up-to-date, and frequent won’t engage people in a way that teaches them to protect your assets. You need to have training in place that makes an impact on employees´ behavior. People need to learn through practical exercises that makes them think critically about the threats they encounter.
Introduce the threat and the risk
Why is phishing a threat to your business? Executives may not be aware that the easiest and fastest way to a data breach is through the employees.You should clarify the likelihood of a phishing attack resulting in a data breach by being transparent. Have you seen phishing attacks within your organization? Were you close to getting breached? How many emails get through your filters? Are there people clicking and downloading stuff?
What’s the priority level of adopting a new phishing training?
It is important to elaborate on why a new phishing training is important, and the statistics will help you with that. Show your executives that you measure high-human risk in your organization. If you have been doing phishing training or penetration tests, show them the results, and explain why you are not happy with the numbers.It’s a fact that a data breach could happen any time – and one click from an employee could be enough for an attacker to gain access to your systems. Dealing with a breach is a burden, not only from a financial perspective, but also from legal, compliance, and brand perspectives. You need a phishing training that reduces your risk because you want to do everything in your power to avoid a data breach.
What are your objectives?
Your objectives can vary, but usually, your main goal is to reduce employee-related risk in the organization and defend the company from a possible breach.
What happens if you delay the implementation?
Paint a picture to executives of what could happen if you didn’t invest. How would you deal with a breach? What resources would you need? What would it cost you financially? Would there be other damages?
Introduce how you plan to mitigate the risk
Propose a solution that could help you to mitigate the risk and achieve your objective. Typically, you want to invest in people-first phishing training that makes your team more efficient, reduces your risk, and also positively impacts your strategy. The latter could mean something different for each organization. Everybody wants to make sure that a data breach doesn’t happen so that the consumers can trust the business, but others could be also prioritizing building a culture where all employees care about security. Find out how this new solution can help you to do your job better.You want to emphasize the benefits to the entire organization of the product you propose. What can this phishing training do for your organization that your current one cannot? How is it different from the phishing tests you’ve been previously running?Are there any proven metrics? Are there KPIs you will want to achieve with this that can also impact your risk profile positively? (This is the place to mention those.) Will the solution help you to promote a security culture where everyone is responsible for safety? This could also contribute to risk reduction.
The cost and the return of investment
Communicate the cost of investment for the period of time you are looking at. Typically, all vendors provide options to sign for one, two, or three years at the start.Vendors are usually selling seats per employee, and you may start with a smaller sample size, and then gradually increase it and add more employees to the training over time.
When can you expect the ROI?
In terms of return of investment (ROI), make your calculations in advance. To calculate the return of investment for the new solution, look at the total internal direct cost of phishing remediation per year, the loss in productivity per year with the old solution or without the new solution, management cost per year, and hosting cost per year and compare it with the value of the proposed solution.
A sound investment for a more resilient organization
The most crucial point that you need to communicate to executives is that you are working on strengthening your company’s resilience, and your employees are in the center of building up better defenses. While justifying the cost of the phishing training can be difficult, once you have created a detailed business case, you’ll show that it’s a small investment to protect your organization from the potential consequences of human error.