CyberheistNews Vol 14 #23 [SPECIAL] The Hard Evidence That Phishing Training and Testing Really Works Great

Cyberheist News

CyberheistNews Vol 14 #23  |   June 4th, 2024

[SPECIAL] The Hard Evidence That Phishing Training and Testing Really Works Great
Stu Sjouwerman, SACP

We are publishing a special edition this week.

Now and then someone in the press asks whether security awareness training, including phishing training and testing, is really necessary. We decided to answer that question once and for all, so that the answer is available as budget ammo year-round.

Security awareness training (SAT) and simulated phishing significantly reduce cybersecurity risk. We have the data, customer testimonials and government recommendations to prove it.

Social engineering, especially via email, text messages, the web and phone calls, is involved in the vast majority of cyberattacks. No other initial access method comes close.

Cybersecurity experts state that social engineering is involved in 60% to over 90% of all successful data breaches.

For example, Barracuda Networks reported that spear phishing accounted for 66% of all successful compromises. Seventy-nine percent of all successful credential thefts came through phishing. Avast recently stated that 90% of all cyber attacks involve social engineering. Reports may differ over the exact percentage, but they all agree that social engineering is the number one threat.

And if you do not aggressively try to mitigate social engineering using your best defense-in-depth combination of policies, technical defenses and education, you or your organization are more likely to become a part of those statistics.

It is important to note that social engineering is the number one threat only after it has already gotten past every existing policy and technical defense. Some estimates state that as many as one in every seven malicious emails makes it past content filters.

Until the unlikely day when proven technical defenses can prevent all social engineering, we will need continuous education to help users spot and report social engineering attacks. Note this U.S. Government FedRAMP recommendation: "Users are the last line of defense and should be tested."

We recommend frequent training (at least monthly) and frequent simulated phishing campaigns (weekly if possible, because you can gamify it and get great results that way).

Security Awareness Training Analysis Whitepaper

KnowBe4 has the data from over 60,000 customer organizations worldwide that use our platform as recommended. They were able to significantly reduce the likelihood that a user will click on a phishing attack, and the more frequently training and simulated phishing occur, the better the result.

The numbers tell the story

We analyzed over 10 years of records from those 60k+ customers, comprising 32,604,108 separate individual users, who took a total of 493,871,295 Phishing Security Tests (PSTs) and participated in awareness training at least once a year. We believe this is the largest analysis, in terms of both customers and test numbers, of any study of this kind.

We found these five main points:

  • Groups that did frequent PSTs performed better in detecting simulated phishing campaigns than groups that did not.
  • The more frequently groups did PSTs, the better their users performed on simulated phishing tests.
  • Groups that did weekly PSTs were 2.74 times more effective in reducing risk than groups that did PSTs less than quarterly.
  • The longer a group trained, the better they did on simulated phishing tests.
  • Groups that did both training and simulated phishing tests did the best.

Customer Testimonials

This is not just us saying training works. Our customers see the improvement in their own environments and confirm the effectiveness of SAT.

    • "I can spend any amount of money on firewalls, on filters, on anything like that…and none of that does me any good if my end users are clicking on phishing emails. So, I need to train them and help them to detect and not fall victim to phishing scams. I would give KnowBe4 a 10 out of 10 rating."

    • "One of the first things I did when starting at my current company was to have a penetration test performed on the entire network. The results were pathetic. MFA was not being used; users had no idea of what a phishing message really is, how to spot one or what to do. The pen test revealed that our users were clicking on any and everything with no regard for safety. KnowBe4 changed that in 6 months."

    • "I've had the privilege of using the KnowBe4 Security Awareness Training platform for some time now, and I must say it's been a game-changer in the realm of cybersecurity education. As cyber threats continue to evolve and become more sophisticated, having an effective training solution like KnowBe4 has become imperative for individuals and organizations alike."

    • "One of the best features of KnowBe4 is that its relevance in people's personal lives as well as the business environment is outstanding. The variety of topics including multifactor authentication and social media have received high praise from those who have gone through it, to the point where they can pass on the knowledge to their families and friends."

    • "The Phish Alert Button, and PhishER, are also amazing tools that help us keep on top of cybersecurity. Our employees actively use the PAB and not just on their training emails. We are able to keep a better eye on potential threats, and keep our employees diligent when dealing with these threats."

    • "Updated content ensures that the campaigns I create remain relevant to the uprising of different security threats."

Creating Your Security Awareness Training Policy

Doing cybersecurity training once a year to meet a compliance requirement does not work. We recommend a longer SAT session when employees are hired (say 15-30 minutes), and a similar longer session once a year thereafter. Beyond that, SAT should happen at least monthly, in shorter sessions (say three to five minutes).

Simulated phishing campaigns should be conducted at least once a month. However, we found that organizations that conduct phishing tests weekly drove their social engineering risk score down the furthest. Recipients who "fail" a simulated phishing test should be given additional training.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisory recommends "continuous training." The recent introduction of an integrated Phish Alert Button in Microsoft Outlook makes reporting easier and leads to better threat detection and prevention.

Fantastic ROI

And it goes without saying that deploying KnowBe4 has fantastic ROI. Combining SAT with PhishER Plus and Compliance Training on the same platform yields incredible returns. Forrester showed a three-year ROI of 276% with payback in less than three months. Get your copy of the study here.

You should not, of course, run SAT and simulated phishing in a way that upsets your co-workers. If you are creating unhappy campers with SAT and simulated phishing tests, you are doing it wrong. Use your SAT program to reduce cybersecurity risk and to create a culture of healthy skepticism when your users receive a suspicious-looking message.

If you are interested in creating a professional corporate SAT policy, we have a guide for that. It discusses the sections a corporate SAT program policy document should contain, followed by an example corporate SAT program policy.

To reiterate, security awareness training works! We have the data, the customer testimonials, and government cybersecurity organizations on our side. Let's create a stronger security culture and keep our networks safe!

Blog post with a TON of links:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, June 5, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how 65,000+ organizations have mobilized their end users as their human firewall.

Date/Time: TOMORROW, Wednesday, June 5, @ 2:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.


PS: Your KnowBe4 Fresh Content Updates from May 2024:

PPS: KnowBe4's Original "2024 Social Engineering Red Flags" Training Series Wins Silver Telly Award:

Quotes of the Week  
"It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories instead of theories to suit facts."
- Arthur Conan Doyle: Author of Sherlock Holmes (1859 - 1930)

"Only the strongest people have the pluck to change their minds and say so if they see they have been wrong in their ideas."
- Enid Blyton, Author (1897 - 1968)


The 10 Interesting News Items This Week
  1. Potent youth cybercrime ring made up of 1,000 people, FBI official says:

  2. Russia's GRU targets European defense and transportation organizations:

  3. Russian indicted for selling access to U.S. corporate networks:

  4. U.S. govt sanctions cybercrime gang behind massive 911 S5 botnet:

  5. New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI:

  6. BBC Suffers data breach impacting current, former employees:

  7. The Cyber Arms Race Gives Way to AI Weaponization:

  8. In a first, OpenAI removes influence operations tied to Russia, China and Israel:

  9. Cyberattacks targeting U.S. and allies having 'strategically consequential effects':

  10. Warren Buffett is worried about potential for 'huge losses' in cyber-insurance market:

