As a System- or Network Admin or IT Security Manager you know that Security Awareness Training is a crucial part of ‘Defense-in-depth’ to keep your organization secure. Microsoft recently reported that a whopping 45% of malware infections are caused by social engineering. But that same awareness has often not yet filtered up into top management, who simply do not know the urgent IT security problems of social engineering, spear phishing and ransomware attacks yet.

So it can be a challenge to get the approval and receive the budget to run a security awareness program. Here are five helpful hints and tips to get that OK!

1) Your Organization’s Compliance Requirements

You’d be surprised to know there are over 8,500 different Local, State and Federal standards and requirements that your organization might need to comply with, many of these requiring security awareness training. Check out this “Security Awareness Compliance Requirements” page, with a list of the most important standards and legislation that require your organization to do regular security awareness training. Providing evidence that training is required by law is often an effective strategy to get budget.

2) Employee Questionnaire

Ask your employees how much they know about security in your organization. Chances are they simply do not know about your policies, your security team, and what the bad guys are up to. Here is a sample security awareness questionnaire at Surveymonkey with 11 short questions you can use for your own survey. Making it much longer is going to cause problems getting it filled out by employees. Providing the results to upper management might open their eyes about the often sorry state of security awareness and is good ammo to get the OK.

3) Data Loss and Ransomware Threat

In the last few years a wave of new legislation has been rolled out that requires organizations to protect various types of data. Some examples are: Personally Identifiable Information (PII), Payment Card Industry (PCI), etc. The OSF Dataloss website has a database with a continuously updated list of data breaches you can search. Showing examples to management of breaches in your own industry often makes it more real that this happens all the time. The last thing your CEO wants to see is tomorrow morning’s front page with news that all your customer records have been stolen and are for sale on the Internet.

4) Let Their Own ‘Thought Leaders’ Tell Them

It often helps to convince management if the data comes from an independent source they trust. If the Wall Street Journal or INC Magazine tell them this is a real problem that needs to be addressed, their ears might perk up and suddenly they are interested in this problem. Lucky for us, both publications are on the ball, and they have regularly published articles about the threats of social engineering, spear phishing and ransomware attacks. Find a recent one and send them a link.

5) Show The Payback Is Just Two Months (or less)

We have a special ROI page on our website that gives you three ways to present the Return On Investment on training:

  • Development Cost,
  • Direct loss of productivity and revenue, and
  • Loss Of Reputation

Once management comes to the conclusion that they cannot afford to not train staff since the risk is just too high if they don’t, there is always a way to find budget, especially since KnowBe4’s security awareness training program is really effective and very affordable!


Get the latest about social engineering

Subscribe to CyberheistNews