Security Awareness Training

The Importance Of Security Awareness Training In The Fight Against Phishing

Expert Insights met with Erich Kron from KnowBe4 to discuss the increasing sophistication of social engineering attacks, and why organizations can’t rely on technical solutions alone for protection.


Security awareness training is an important way for organizations to protect themselves from targeted business email compromise and phishing attacks. One of the market-leading security awareness vendors is KnowBe4, a Tampa-based company that provides hundreds of security awareness training materials. Founded in 2010, KnowBe4 was valued at $1 billion in June last year, cementing its dominance in the security awareness training industry.

Unsurprisingly, KnowBe4 had a big presence at RSA 2020, the world’s biggest cybersecurity conference. They set up a cinema on the show floor, complete with free popcorn and sweets, for the world premiere of season two of their security awareness TV show: “The Inside Man.” It’s been made with the production values of the latest Netflix drama, a big jump from what you would typically expect from corporate security awareness training content.

At the show, Expert Insights caught up with Erich Kron, a Technical Evangelist for KnowBe4, to talk about KnowBe4’s success and why organizations need to be proactive with security awareness training.

Why Are Organizations Investing More in Security Awareness Training?

Security awareness training, the process of training and testing employees on cybersecurity issues and best practices, isn’t a new concept. Many companies have conducted security awareness training internally for many years, although often on a small scale. However, recently, computer-based security awareness training has exploded, with a number of vendors targeting SMBs and mid-sized organizations with security awareness and simulated phishing platforms.

Kron argues the growth has been driven by the huge increase in social engineering attacks against organizations. Attackers are increasingly targeting the human layer within organizations (the employees) with attacks such as phishing and business email compromise. These attacks exploit human error and limited awareness of security issues.

“Phishing is the cause of most data breaches,” Kron says. “Whether it’s malicious links or credential theft, or business email compromise. Now organizations realize there are ways they can train users on these issues, that just weren’t there outside the large enterprise a few years ago.”

Kron tells me that KnowBe4’s key differentiators in the industry are their innovation and their sole focus on security awareness training, rather than looking to become part of a larger technical platform, which is the approach competitors such as PhishMe have taken since becoming part of Cofense.

“Being innovative in how we do security awareness training is what sets us apart from other vendors,” Kron says. He uses the example of the ‘Inside Man’ show that they have created, a 12-part series designed to lift their training materials to the quality of a Netflix show. Their aim is to create training materials that people will actually want to watch, rather than just something they are told to watch by their boss. “There are also other things that I can’t talk about, of course, but we’re looking at a lot of avenues and technologies, while keeping our focus on security awareness training,” Kron says.

Cyber-Criminal Groups Are More Sophisticated Than Ever Before

Cyber-attacks against the enterprise are not only targeting the human layer, but those attacks are becoming far more sophisticated. Threats such as business email compromise are designed to slip through the gaps in email security technologies. This leaves employees as the organization’s last line of defense.

“Business email compromise is almost entirely an emotional attack,” Kron says. “The premise is getting people fearful, scared, concerned that they’re going to lose their job, or get in trouble if they don’t make a payment. Technology can’t stop that emotional response.”

Attackers have honed these kinds of social engineering attacks “down to a science,” he says. The days of attackers sitting in their bedrooms are gone; what we’re now seeing are organized criminal enterprises.

“Cybercrime is a business now,” Kron tells me. “Organized cybercrime groups are basically companies. Attackers come in, they park their car in their assigned parking spot, and they go to work, they have their cubicle, they phish a few people and they get a drink at the water cooler! These organizations are actually businesses now, a drastic change over the last ten years. Just as we improve our policies, they have improved their attacks and their processes.”

Why Organizations Need to Engage with Security Awareness Training for Success

Criticism of security awareness training often portrays it as a check-box activity. It’s often seen as something that organizations implement for compliance reasons, and not something employees really engage with. From a security standpoint, this can put businesses at risk, as they may be more confident in their employees’ abilities to spot phishing attacks than they should be.

Kron says that there is no doubt this happens in some organizations, but it’s a situation that KnowBe4 tries hard to avoid. “If you buy and implement our product but don’t start using it, we’ll actually call you and nag you! We really do. Our customer success managers will call and check that they are actually using it.”

“We don’t want to see people just buy it to check the box. Security awareness training should be about actually trying to fix the problem.”

Thinking of Implementing Security Awareness Training?

Kron’s advice to organizations considering implementing security awareness training is to make sure it’s part of a wider organizational strategy to deal with phishing attacks.

“My advice is don’t forget that security awareness training is not a silver bullet. We never say that it is,” Kron says. “But what it is, is a great way to manage the ongoing problem of phishing attacks.”

“Just don’t put all your eggs in one basket, whatever that basket is: email security, anti-virus. Make sure you have a comprehensive program in place to stop these attacks.”
