Conquering Human Error With KnowBe4 — How the Security Awareness Training Platform Protects Businesses From Vulnerabilities

TL; DR: Instead of encouraging businesses to spend thousands on hardware and software security solutions, KnowBe4 concentrates on the most common vulnerability — human behavior. The award-winning security awareness platform combats email phishing and ransomware threats with engaging training sessions and a variety of free tests and simulators. Erich Kron, a Security Awareness Advocate, told us how KnowBe4 helps companies and their employees stay ahead of self-inflicted security weaknesses.

Even the US Department of Defense doesn’t always follow the strongest security training protocols. Erich Kron, a longtime employee, remembers watching the same programs several years in a row.

“You get to the point where you check out because it’s old content, and you’ve seen it before,” he said. “It’s a dry topic, and it doesn’t just become interesting again.”

Now a Security Awareness Advocate with KnowBe4, Erich and about 450 coworkers help businesses large and small provide vibrant training experiences about the threats lingering in their email inboxes and simple passwords. Created by an antivirus developer and a world-famous hacker-turned-security-expert, KnowBe4 offers extensive training alongside social engineering simulations.

“People don’t want to see the same thing over and over again,” Erich said. “Constantly having fresh and new content is very important, especially considering how rapidly the threats change.”

Based in Tampa Bay, Florida, KnowBe4 improves upon old-school security practices by focusing on the most underestimated risk factor — human error.

Despite sizable investments in security software and services, many companies still fall victim to attacks that bring business operations and websites to a halt. In some cases, what seems like an attack — and results in the same downtime and revenue loss — is actually the result of an employee clicking on a link in a malicious email or otherwise exposing the company’s infrastructure to danger.

For example, an employee’s execution of erroneous code caused the 2017 Amazon Web Services outage. Causing massive disruptions across the world, the event shows how a simple mistake can bring major headaches and losses — even in the absence of malicious intent.

“One of the most common misconceptions is that you can spot a phishing email just by the bad grammar and spelling,” Erich said. “People don’t realize the amount of money that’s involved in these attacks. It’s no longer kids in their basement who are doing this while drinking Mountain Dew and eating pizza.”

Stu Sjouwerman, who previously started Sunbelt Software and developed Vipre Antivirus, launched KnowBe4 in 2010.

“They used to do endpoint protection but were still finding that people were constantly getting hit with malware,” Erich said. “Thinking about it, Stu realized that it’s the people who were still the issue.”

In the early days of phishing scams, a majority of users could easily identify threats by checking the sender’s address or by spotting numerous spelling and grammatical errors. However, according to Erich, cybercriminals have since gotten smarter and more covert.

“A couple of human emotions that really drive action are outrage and anger,” Erich said. “They’ll send out emails that are political or dealing with current events that really get people’s blood boiling. If people get outraged, they tend to take action by opening the document or clicking a link in the email.”

As email phishing has evolved into numerous high-profile ransomware attacks, hacking has become a well-funded industry — complete with its own underground economy and cryptocurrency exchanges.

Security now goes beyond just scanning files or implementing new firewall rules, Erich said. As such, KnowBe4 regularly updates its curriculum to provide content that is not only engaging but current with the latest threats.

“We continually add more content to our library,” Erich said. “We have the largest security awareness library in the world, by a long shot. It makes a big difference, having that at customers’ disposal.”

Because hackers prey on the uninformed, early training and constant reinforcement are of prime importance, Erich told us.

“We try to get companies to train the person right away,” he said. “As soon as they have email access, they’re vulnerable.”

The earliest stages of awareness training involve topics such as password best practices and establishing secure network connections, along with identifying and reporting phishing attempts.

With a heavy focus on phishing, fraud, and other social engineering attacks, KnowBe4 has identified 22 red flags that indicate a possible attack. For emails, these include unrecognized senders, seemingly unrelated recipient groups, and mismatched hyperlinks and anchor text, among other signals. For example, the message may be sent to people within an organization who work in unrelated departments but share similar names. Other common threats include unusual send times and calls to action such as urging the reader to click a link or download an attachment.

In addition to KnowBe4’s extensive library of training content, businesses may access a variety of free tools to gauge their employees’ security behaviors. With phishing security tests, employers can send templated phishing attacks and gain insights into employees’ behavior. Other free resources include tests for password security, domain spoofing, and a ransomware simulator.

Even though KnowBe4 is staffed by passionate, well-connected security experts, Erich said that the company’s customers sometimes become aware of new attacks before they do. When potential targets are more informed and aware of security threats, they can identify emerging attacks and notify others.

Customers can submit feedback regarding features, security and vulnerability trends, and even real-life examples of social engineering attempts.

As the last line of defense against devastating attacks, well-informed employees are one of the most valuable assets to an organization, Erich said.

“Within our platform itself, we have a section where customers can submit email templates for the phishing simulator,” Erich said. “When they see things from the real world, they can modify them, remove the bad links, and then post them for the larger community to use and become aware of.”