Security awareness training is an important way for organizations to protect themselves
from targeted business email compromise and phishing attacks. One of the market-leading
security awareness vendors is KnowBe4, a Tampa-based organization, which provides
hundreds of security awareness training materials. Founded in 2010, KnowBe4 was
valued at $1 billion in June last year, cementing their dominance in the
security awareness training industry.
KnowBe4 had a big presence at RSA 2020, the world’s biggest cybersecurity conference.
They set up a cinema on the show floor, complete with free popcorn and sweets, for
the world premiere of season two of their security awareness TV show: “The
Inside Man.” It’s been made with the production values of the latest Netflix
drama, a big jump from what you would typically expect from corporate security
awareness training content.
At the show, Expert Insights caught up with Erich Kron, a Technical Evangelist for
KnowBe4, to talk about KnowBe4’s success and why organizations need to be
proactive with security awareness training.
Why Are Organizations Investing More in Security Awareness Training?
Security awareness training, the process of training and testing employees on
cybersecurity issues and best practices, isn’t a new concept. Many companies
have conducted security awareness training internally for many years, although often
on a small scale. However, recently, computer-based security awareness training
has exploded, with a number of vendors targeting SMBs and mid-sized
organizations with security awareness and simulated phishing platforms.
The growth has been driven by the huge increase in social engineering attacks
against organizations. Attackers are increasingly targeting the human layer
within organizations, the employees, with attacks such as phishing and
business email compromise. These attacks exploit human error and limited
awareness of security issues.
is the cause of most data breaches,” Kron says. “Whether it’s malicious links
or credential theft, or business email compromise. Now organizations realize
there are ways they can train users on these issues, that just weren’t there
outside the large enterprise a few years ago.”
Kron tells me that KnowBe4’s key differentiators in the industry are their innovation and their
sole focus on security awareness training, rather than looking to become part
of a larger technical platform, which is the approach competitors such as PhishMe
have taken since becoming part of Cofense.
innovative in how we do security awareness training is what sets us apart from
other vendors,” Kron says. He uses the example of the ‘Inside Man’ show that
they have created, a 12-part series designed to lift their training materials
to the quality of a Netflix show. Their aim is to create training materials that
people will actually want to watch, rather than just something they are told to
watch by their boss. “There’s also other things that I can’t talk about of
course, but we’re looking at a lot of avenues and technologies, while keeping
our focus on security awareness training,” Kron says.
Cyber-Criminal Groups Are More Sophisticated Than Ever Before
Attacks against the enterprise are not only targeting the human layer, but those
attacks are becoming far more sophisticated. Threats such as business email
compromise are designed to slip through the gaps in email security technologies.
This leaves employees as the organization’s last line of defense.
“Business email compromise is almost entirely an emotional attack,” Kron says. “The
premise is getting people fearful, scared, concerned that they’re going to lose
their job, or get in trouble if they don’t make a payment. Technology can’t
stop that emotional response.”
Cybercriminals have honed these kinds of social engineering attacks “down to a science,” he
says. The days of attackers sitting in their bedrooms are gone; what we’re now
seeing are organized criminal enterprises.
is a business now,” Kron tells me. “Organized cybercrime groups are basically
companies. Attackers come in, they park their car in their assigned parking spot,
and they go to work, they have their cubicle, they phish a few people and they
get a drink at the water cooler! These organizations are actually businesses
now, a drastic change over the last ten years. Just as we improve our policies,
they have improved their attacks and their processes.”
Why Organizations Need to Engage with Security Awareness Training for Success
Criticism of security awareness training often portrays it as a check-box activity.
It’s seen as something that organizations implement for compliance reasons, and not
something employees really engage with. From a security standpoint, this can put businesses
at risk, as they may be more confident in their employees’ abilities to spot
phishing attacks than they should be.
Kron acknowledges that there is no doubt this happens in some organizations, but it’s a situation
that KnowBe4 tries hard to avoid. “If you buy and implement our product but
don’t start using it, we’ll actually call you and nag you! We really do. Our
customer success managers will call and check that they are actually using it.”
“We don’t want to see people just buy it to check the box. Security awareness training should
be about actually trying to fix the problem.”
Thinking of Implementing Security Awareness Training?
Kron’s advice to organizations considering implementing security awareness training is
to make sure it’s part of a wider organizational strategy to deal with phishing.
is don’t forget that security awareness training is not a silver bullet. We
never say that it is,” Kron says. “But what it is, is a great way to manage the
ongoing problem of phishing attacks.”
“Just don’t put all your eggs in one basket, whatever that basket is, email security, anti-virus. Make sure you have a comprehensive program in place to stop these attacks.”
Find out more about KnowBe4: https://www.knowbe4.com/