A single cyber attack - be it a data breach, malware, ransomware, or DDoS attack - cost companies in the U.S. a median of $18 000 in 2022, up from $10 000 in 2021, with 47% of all U.S. businesses suffering a cyber attack in some way, according to the Hiscox Cyber Readiness Report 2022.
And according to Verizon's 2022 Data Breach Investigations Report,
“The human element is the most common threat vector; it is the root cause of 82% of data breaches”.
Regardless of whether you think using language like “human vulnerability” or “weakest link” is unfair and hurtful towards ‘Sensitive Sid’ from billing, social engineering remains the number one go-to strategy for cyber criminals. These facts alone should be enough to convince people that building a Security Awareness Training (SAT) programme for employees is a necessary part of any company's security strategy.
And yet people still need convincing and education - taking steps to reduce our human risk is a critical part of the ‘defence in-depth’ plan.
Whether you’re a managed security service provider pitching your SAT solution to one of your clients, an insurer convincing their policyholders to reduce their cyber risk by training their employees, or a CISO pitching the need for an SAT programme to their company bean counters to secure budget – it all comes down to your ability to sell.
To help increase your success in selling SAT, to whatever audience you’re pitching it to, we’ve got a few tips and approaches below to help you get the job done.
1. Understand the company's needs
Before you start selling, it's essential to understand their specific needs, challenges, and history. Take a deep dive to understand how the business operates, how many employees they have, where they're located, and the technology they're using to function daily. You could ask yourself some of these questions:
How mature are they at managing cyber risk in general, and how big is the team responsible for implementing information security and potentially rolling out training?
Have they suffered an attack in the past, how did that impact them, and what did they do about it afterward?
Have they implemented SAT before? If so, how successful was it, what did they love or hate and what challenges did they face?
Is their industry heavily regulated where awareness training may be a huge compliance requirement?
Understand the “need behind the need”. Keep peeling back the onion until you get to its core. The first few things customers share are always surface-level. Forget pitching your product, services, or programme during this phase; just listen. In this day and age risk managers, security professionals and business leaders know full well the importance of addressing the human element of cyber risk, but there are countless reasons, barriers, and blockers preventing investment and implementation. Really trying to pinpoint and understand these challenges will help you tailor your pitch and show the company how your training solution can address their ‘personal’ concerns.
2. WHO matters a lot
The ‘WHO’ matters more than anything in sales, especially SAT. If you're not talking to the right person, then the perfect sales pitch and world-class product demo are a complete waste of everyone’s time. Pinning down the right individual within a company can prove challenging at times. Some companies position SAT as a security control to be managed by the CISO and their security or IT teams, while others will place it under the training budget to be implemented by the HR or L&D department, and sometimes even the CFO wants in on the action.
During discovery conversations, establish which budget SAT will fall under and which team will implement the programme - then ensure you have those people on your demos and sales calls. Shape your demo and conversation to solve their particular pains and meet their business objectives.
3. Sell on ‘loss aversion’, not benefits
Fun fact: people are twice as motivated to avoid a loss as they are to achieve a gain (a well-documented finding). Selling is far more about pain points than benefits. Money follows pain points everywhere it goes, whereas money only follows positive benefits every once in a while, especially during economic downturns. Tweak your language and sales messages accordingly (without fear-mongering) to paint a realistic picture.
Data breaches cost UK organisations an average of £6.4 million. Investing in security awareness training reduces the risk of phishing attacks by about 50%.
Ransomware is only going to get worse. The downtime, opportunity cost, and recovery expenses caused by ransomware can be massive. The number one delivery method for ransomware remains email.
More and more regulators are demanding specific industries implement SAT. Across the US and Europe, there are thousands of standards that may require businesses to implement a security awareness program. Some notable ones include GDPR, HIPAA, PCI DSS, ISO/IEC 27001 & 27002, and NERC CIP.
Legally, businesses are required to act “reasonably” and take “necessary” measures to cope with a threat. If they don't, they are in breach of compliance laws, regulations, or recent case law. The resulting reputational damage, fines, or even imprisonment can be devastating for an organisation.
Board members' number one focus today is cyber security. Some very pointed questions will be asked of the CEO and CFO regarding their investment in security following a breach. They wouldn’t be the first company executives to lose their jobs as a result.
Building a business case is more powerful when you measure and emphasise the cost of the status quo than when you measure the positive ROI of a solution. Cyber crime can affect a business for years after the initial attack occurs. The costs associated with cyber attacks (lawsuits, insurance rate hikes, criminal investigations, and bad press) can put a company out of business quickly.
4. Emphasise the benefits
When a business has a limited budget for security, and highlighting all the ways SAT can help them avoid pain and loss is still not getting them across the line, try to focus on the benefits it will provide; this demonstrates the “return on investment” to the suits. Many budget controllers cannot see the benefits of security awareness training outside of cyber risk management; they see it as “an unnecessary expense for an IT problem”.
Here are a few real benefits SAT can bring:
Strong tech defences require human input
Without security training, those technical defences won't be as effective against cyber attacks that target people as well as technology.
Enhancing cyber security earns customer trust and loyalty
Security awareness training helps meet compliance requirements
Cyber insurance requires evidence of security maturity
Security awareness training is socially responsible, as a weak network can put others at risk
Security awareness training improves employee well-being
5. Get them to use the product ASAP
A great way to encourage a company to invest in training is to offer a trial period. This allows them to try out the training, see the benefits for themselves and get feedback from their team (or a portion of their organisation) before making a long-term commitment. A free trial could also allow the company to run a baseline phishing simulation across their organisation, with the results showing their exposure to social engineering and making the case for further employee training. Being able to include training campaign results and phishing simulation reports as part of a business case is a surefire way to help win over budget.
6. Offer ongoing support and training
SAT is not a one-time event – it requires ongoing training, simulations, assessments, and communications to keep employees up-to-date on the latest threats and best practices. A continuous awareness programme over the year is the only way to build a secure culture and change employee behaviours. When selling cyber security awareness training, offer ongoing support and training to the customer team to ensure they have the knowledge, assets, and ideas to run an effective programme effortlessly.
7. Provide references and case studies
Social proof is powerful. Potential clients may be more convinced by seeing the successes of other companies that have undergone your cyber security awareness training. Provide references and case studies from satisfied customers to show the effectiveness of your training.
Despite the marketing material, cyber security technology cannot provide a silver bullet for a cyber security programme. People are an organisation's greatest asset and largest vulnerability, with 82% of security issues being accidental or unintentional human error.
By educating a workforce and making a security-first mindset part of the company culture, businesses will be able to greatly reduce their cyber risk and avert loss. Help them find the budget for education and guide them in implementing the most effective and effortless programme possible.
GoldPhish educates end-users on the cyber threat and helps build more secure organisations with awareness training and simulated phishing.
Get in touch for more information: info@goldphish.com