TL;DR: KnowBe4 helps companies manage ongoing cybersecurity problems through its simulated phishing platform and security awareness training programs. The company helps IT teams train end users to recognize and delete phishing emails and stay mindful of possible breaches. Many companies have had their operations disrupted recently due to cyberattacks, but KnowBe4 tools allow SMBs to remain proactive and protected. Investing in cybersecurity is no longer a luxury for businesses, and KnowBe4 offers a practical approach and targets one of the biggest culprits: user error.
SPC Mechanical, a commercial HVAC company based out of North Carolina, was the target of a ransomware attack that shut down its operations. The company estimated that it would need $2 million in new contracts to offset the losses it suffered.
SPC analyzed its cybersecurity practices following the attack and found that seven of its employees had clicked on a phishing link, allowing the ransomware into the system. Its hardware and software weren’t to blame; it was user error.
Malware, ransomware, and phishing scams are on the rise as economic volatility has increased. And cybercriminals are also looking for the biggest return on investment.
“Root cause analysis led us to the conclusion that social engineering was to blame. Bad guys are hacking humans. It takes three months to hack a hardware piece, three weeks to hack some software layer, and three minutes to hack a human. Time is money, so they focus on people,” said Stu Sjouwerman, CEO of KnowBe4, a company that offers security awareness training to employers.
Phishing scams and ransomware attacks have been rising recently, forcing some companies to shut down operations and lay off their entire staff because they lacked the funds to pay the ransom.
KnowBe4 helps companies avoid those outcomes by flipping the script on compliance training. What used to be stale PowerPoint presentations has become engaging, interactive, and on-demand training. Today, the only defense against employees clicking on phishing links is reframing how they approach everyday online interactions.
Companies, including SPC Mechanical, leverage KnowBe4 tools and resources to assess where staff members are and keep them continually engaged in the fight against malware, ransomware, and phishing attacks. In an environment where companies can’t risk network security, KnowBe4 helps patch holes through a holistic approach to eliminate human error.
Organization-Wide Education on Cybersecurity
Cybersecurity often focuses on software and hardware improvements. But if employees aren’t practicing discretion while using company networks, it doesn’t matter how good the infrastructure is. And even if the IT staff is on board with the security training and implementation, it doesn’t mean employees in all departments are on the same page.
That is why KnowBe4 focuses on educating the entire organization — from executives to freelancers. Whoever has access to a company’s database can compromise its defense, which is why it’s important to empower employees to make smarter security decisions every day.
Many companies have given up on compliance training and shifted their focus from educating employees to checking off boxes. But behaviors aren’t changed because real learning isn’t taking place.
“Employees are herded into a room and kept awake with coffee. It’s death by PowerPoint,” Stu said.
But even though companies are realizing that the human element is their weakest link, they often have difficulty shifting employee perception. Rethinking the security process and making it a team effort instead of the IT staff’s job needs to be the central component of a successful cybersecurity strategy.
KnowBe4 revolutionizes that process by communicating to employees what’s really at stake and continuing to keep them on their toes with monthly or weekly simulated phishing attacks.
“If you have to do compliance training anyway, you might as well do it right,” Stu said.
Education is about how employers deliver it, and when employees realize what’s at stake when they open a malware or ransomware link, behaviors start to shift.
Faster Time to ROI Through Holistic Training
ESI ThoughtLab, an innovative thought leadership firm, generated a report on trends in the cybersecurity field, which found that one in three attacks over the last year were successful. It also found that the average price tag for a breach is around $330,000, but for firms in the top 10%, it cost more than $1.8 million.
“KnowBe4 pays for itself the first month,” Stu said.
The average ROI on all cybersecurity investments is 179%. But when companies focus on people, it’s almost 100% more than that. And few companies can afford to respond to a $1.8 million ransomware attack.
ESI ThoughtLab also found that “credential theft and attacks via phishing and business email caused more than 67% of breaches in 2019.” That is why having a strategy that incorporates the human element is necessary for every business — from enterprises to SMBs. And KnowBe4 has led the field in teaching employees to think about security every time they open an email or create a password.
Many companies offer software or hardware solutions in the cybersecurity field, but KnowBe4 focuses on retraining end users.
In an article on the state of cybersecurity, Perry Carpenter, Chief Evangelist at KnowBe4, said, “The biggest cybersecurity issue most organizations face is not a technology issue, but rather one of mindset. Many organizations simply don’t know where to start or what to tackle next.”
With KnowBe4, a company knows exactly where its money is going. It isn’t just chasing the most recent headline; it’s shifting the way that employees think about security, and that type of rethinking has an ROI of 271%.
ESI ThoughtLab researched cybersecurity leaders, as well. What it found was that leaders in the field spend, on average, 25% more on cybersecurity technology and resources per employee. They also do more backup restoration drills (5.6 times a year vs. 4.3 for non-leaders) and phishing tests (5.1 vs. 4.4). They are also more likely to surpass rather than meet NIST or ISO standards and purchase cybersecurity insurance.
Covering Concerns About Employees Who Work from Home
According to Stu, KnowBe4 trains employees to be secure and aware in the office environment, but that training may not match a newly emerging work environment: working from home during the pandemic.
“They are often using their own home computer, which can be full of malware. It’s not a good scene,” Stu said.
In addition to that change in work environment is a new landscape in which cyberattacks are on the rise. Cloudflare calculated that during the first four weeks of COVID-19 closures, cyberattacks rose by 37%.
In the office environment, employees may have been more mindful of their activity online. But now that networks have become much less centralized, user action has become even more critical. Not only are people working on less secure hardware, but they’re also often less immediately accountable, which is why every employee — not just IT — needs to be educated on the risks.
A successful cybersecurity strategy can’t simply depend on IT. It needs to focus on every employee, especially those who have moved out of the office. Today, the front line of defense isn’t company leadership or IT, but every employee on the network.
KnowBe4 doesn’t just train leadership or IT, and it doesn’t see training as a single event that ends after class. It teaches everyone who signs onto the network, and continually reinforces lessons through regular testing.
And while many employees feel more isolated today than ever, their actions can still have the same disastrous effects on businesses. Education is at the center of transforming that dynamic and empowering everyone to have a security mindset.
KnowBe4: Staying Ahead of Future Digital Threats
When IT professionals believe that a piece of software can fix their security problem, they may become complacent. But the onus of maintaining network security remains on the end user, which is why KnowBe4 recommends that its products be run at least once a month, and ideally more often.
“KnowBe4 is not a solution. The end user is an IT pro, and the IT pro needs to own the problem,” Stu said.
And KnowBe4 continues to create software and hardware products to stay ahead of digital threats, especially through machine learning and AI.
One upcoming addition to its product suite is a tool that recommends employee training. It will track an employee’s performance using machine learning technology and offer recommendations based on their strengths and weaknesses.
KnowBe4 understands that a successful cybersecurity strategy requires a holistic approach. Not only is training necessary, but so is staying up-to-date on software and hardware developments. That’s why the company stays on top of trends on end-user behavior, because educating an employee often takes minutes, but can save a company millions.