1. Focusing on Features Over Functionality
How can you be expected to know exactly what suits your team’s Security Awareness Training program needs? You’re already juggling every other IT project and application. The attractive solution is to simply buy the platform that offers the most bells and whistles. You’ll figure out what’s critical later, right?
The trap of shiny features can be very tricky to avoid. In the end, you can get lots of mediocre tools and tchotchkes instead of a focused set of excellent, tailored solutions for your team. Next, you’re left with lots of decisions on which of the thousands of Training courses are right for your team. Then, you’re building dozens of Phishing templates, hoping they’re accurate and relevant for your organization.
When you demo platforms, be sure to ask how your organization’s needs are best served by that vendor’s product. It’s a simple question, right? And there should be a clear and understandable answer to that question. Hey, you’re the one buying the thing anyway!
There are lots of factors to consider in your purchase, but it doesn’t have to be overwhelming. See our post here for a deeper dive on this.
2. Adding Hidden Time Commitments
Most platforms market their ease of use or flexibility. These claims, while appealing, can look quite different once you are actually using the platform. Remember, there can be lots of items required to keep your Security Awareness Training program fully active, accurate and complete.
Training Curriculum Design
When you’re presented with dozens or even thousands of training courses, you’re left with the job of choosing from a library of courses on each topic that is relevant for your team. This is mentally taxing, and then you still don’t know if you picked the right one. Some vendors assist you in this process, so you’ll want to determine how much of the work you want to do on your own versus leaving to a fully automated platform.
Nagging Users to Take Training
No one wants to be the nag. It takes time and costs mental exhaustion. Just imagine how much your co-workers will love you when you’re the one constantly reminding them to take Training Courses. It’s not a fun job! You’ll want to consider platforms that offer automated reminders for your users to take Training Courses.
Building Phishing Templates
This job seems really fun at first - kind of like IKEA furniture! And just like a bookshelf from IKEA, what once seemed so easy is now the bane of your existence. OK, maybe that’s an overstatement born of bad experiences, but this part of the job will require considerable time - estimate 1 hour per template and a minimum of 10 templates per month (at 250 users). You’ll want to consider the manual versus automated functionality of any platform.
Tracking Phishing Clickers
Once you’ve sent relevant Phishing tests to your employees, you’ll need to track and re-target your Phishing “clickers.” Without the follow-up, the test can simply fall on deaf ears. This re-targeting should take the form of additional instruction AND additional Phishing tests. This becomes time-intensive for most organizations, unless your platform provides automated re-targeting for vulnerable users.
Assuming a 250-person team, it’s safe to assume you’ll spend 15+ hours per month ensuring your program is fully active, accurate and complete.
Regardless of the perks of any platform, too many ongoing manual tasks will put your program at risk of falling behind.
3. Heavy User Onboarding and Maintenance Requirements
For any Security Awareness Training program to be fully active, you’ll need to be sure all users are included. This seems easy on Day 1. The problems start as soon as hiring and departures begin, or interns with corporate email are added into the mix.
For instance, every new hire needs to be promptly enrolled in the program to avoid the “weakest link” problem. This means you need to consider the time commitment required for user additions and edits. Similarly, you want to remove anyone no longer with the organization. This ensures your reports remain accurate and you’re not paying for more licenses than necessary.
One important feature to look for is an Active Directory sync. This ensures your user list is regularly updated in your Security Awareness Training platform.
The next important consideration is the process of starting each new user with Training and Phishing. This may be manual or automated, and you’ll want to consider any time required to ensure new hires are promptly engaging with Security Training and Phishing Testing.
Your program can only be as strong as its weakest link. This means your active user management is ongoing, either manual or automated.
4. Signing a Long-Term Contract Right Away
Discounts on multi-year licenses are often attractive. If you’re like everyone else, you already have a limited budget. This often leads us toward flashy discounts that lock us into multi-year agreements before experiencing a platform. Rather than simply reducing your license cost, it’s critical to consider your Total Cost of Ownership (TCO) for every tool in your environment. You’ll see that your time cost is often more expensive than the tool itself.
Unfortunately, the painful part often comes immediately after contract signing. That salesperson gets a commission and is well on the way to the next. Meanwhile, you’re stuck for 3 years, figuring out how this thing works. You’ll always want to fully understand the platform ahead of time - from onboarding lift to ongoing weekly/monthly management to reporting.
To properly calculate your TCO, you’ll have to estimate the number of hours required to keep your Security Awareness program fully active. Depending on your platform, this can be a heavy burden. Many tools give you “pre-made” Phishing templates, but that still leaves you spending hours a week or month creating a dozen templates to send to your team. It’s fair to estimate 1 hour per month per Phishing template. At a minimum, a 250-person team needs 10 new templates per month. That’s a 10-hour-per-month minimum. Remember, variation in your team’s Phishing tests is paramount!
In addition to the hours spent on sending your Phishing templates, you’ll need to allocate time to manage and follow up on Training courses. This typically equates to another 1 hour per every 50 employees.
So with 250 users, you’ll easily spend 15 hours per month maintaining the minimum expectations of an active program. At a conservative assumption of $40 per hour, you’re adding another $7,200 per year for your 250-user program (i.e. $28.80 per user in labor cost on top of your license cost).
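A small calculator for the labor-cost model above, added here as an example (it is not from the original post). The defaults are the post’s figures; the annual license price per user is a constructed placeholder, since the post gives no license cost.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TcoAssumptions:
    """Labor inputs for a manually run awareness program.

    Defaults are the post's figures: 1 hour per phishing template,
    10 templates per month, 1 hour of training follow-up per 50
    employees, and a conservative $40 per labor hour."""
    hours_per_template: float = 1.0
    templates_per_month: int = 10
    employees_per_training_hour: int = 50
    hourly_rate: float = 40.0


def monthly_hours(users: int, a: Optional[TcoAssumptions] = None) -> dict:
    """Monthly staff hours: template building plus training follow-up."""
    a = a or TcoAssumptions()
    template_hours = a.hours_per_template * a.templates_per_month
    training_hours = users / a.employees_per_training_hour
    return {
        "template_hours": template_hours,
        "training_hours": training_hours,
        "total_hours": template_hours + training_hours,
    }


def annual_labor_cost(users: int, a: Optional[TcoAssumptions] = None) -> dict:
    """Annual labor cost of the program and its per-user share."""
    a = a or TcoAssumptions()
    annual = monthly_hours(users, a)["total_hours"] * 12 * a.hourly_rate
    return {"annual_labor_cost": annual, "labor_cost_per_user": annual / users}


def total_cost_of_ownership(users: int, annual_license_per_user: float,
                            a: Optional[TcoAssumptions] = None) -> dict:
    """License spend plus labor, and the share of TCO that is labor.

    annual_license_per_user is a placeholder input; the post quotes no price."""
    labor = annual_labor_cost(users, a)["annual_labor_cost"]
    license_total = users * annual_license_per_user
    tco = labor + license_total
    return {"license": license_total, "labor": labor,
            "tco": tco, "labor_share": labor / tco}
```

Running `total_cost_of_ownership(250, 20.0)` with a constructed $20 per-user license shows labor at $7,200 against $5,000 of license spend, which is the post’s point that time cost can exceed the tool itself.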
Often a multi-year contract locks you into a multi-year time commitment to keep it running.
Be sure to understand any platform in-depth prior to a long-term commitment.
5. Not Getting Executive Buy-In
Your program is critical to securing your organization. Executives must understand the importance of your program to support your efforts. The facts are easy to grasp - 90% of attacks start with Phishing. The process of fixing that is less clear to Executives. You’ll want a way of showing them the End User Experience.
To ensure strong Training Course completions, it often takes Executives leading by example. They need to be aware of the value of the program and the ease/difficulty of completion for their employees.
Also, you’ll want to ensure your manager is on board with any new time commitments. Many platforms will take 15+ hours per month (assuming 250 users) to manage. This can easily become a point of conflict with other priorities if expectations are not set upfront.
Any Security Awareness Program can fail without Executive buy-in. Be sure to show them the employee experience for Training and Phishing simulations beforehand.