KnowBe4 helps organizations to educate and train their employees against social engineering attacks, and carry out other required compliance training. KnowBe4 offers over 1,000 different training content modules (e.g. videos, quizzes, documents, graphics, etc.) through an easy-to-use management portal. Customers following KnowBe4’s best practice recommendations uniformly reduce their phish-prone percentage from over 30% to less than 5% in one year or less.
Note: The phish-prone percentage is the percent of your organization’s employees who will click on a URL link or file attachment in a simulated phishing email, i.e. the percentage of employees in your organization who are prone to real phishing attacks.
The KnowBe4 security awareness training method quickly works to significantly reduce cybersecurity risk in every organization. You don’t have to trust our word alone. The reduction in risk is shown in easy-to-understand reports showing your organization’s progress using its own data.
KnowBe4 also offers PhishER (https://www.knowbe4.com/products/phisher) to help organizations identify and respond to email threats faster, and KnowBe4 Compliance Manager GRC (https://www.knowbe4.com/products/kcm-grc-platform) to help organizations perform compliance audits and vendor risk management assessments.
Goal of Security Awareness Training
The main objective of security awareness training is to give your employees a healthier default skepticism toward digital (and audio) content that has the potential to negatively impact them or the organization. We want to educate users to stop and think before clicking or performing actions that can hurt themselves or the organization.
It’s like teaching a young child to look both ways before crossing a street. Early on, the parent may hold the child’s hand to prevent them from stepping out into ongoing traffic. But, with enough training, that child will automatically, and hopefully for the rest of their lives, look both ways before crossing a street as part of their instincts.
Security awareness training helps everyone in your staff develop a healthy level of skepticism and become very accurate at identifying things that could hurt them or the organization. The main goal of security awareness training is to significantly reduce risk by changing the organization’s security culture.
KnowBe4 Managed Services
The KnowBe4 Managed Services team offers programs proven to enhance your security awareness program. This team is composed of experienced KnowBe4 cybersecurity professionals who focus intensely on anti-phishing security awareness training. They know what does and doesn’t work, and how to create the most successful program for your organization. KnowBe4 Managed Services can completely run your security awareness training program based on your needs and directions, or work hand-in-hand with your staff, offering proven best-practice advice and methods during all stages of your program.
Note: KnowBe4 uses best-in-class education methods to teach security awareness training. Our content development staff is full of professional educators, digital education Ph.Ds, and students of some of the most impressive education teachers in the world.
You can read about some of those lessons learned and how they apply to security awareness training by reading Transformational Security Awareness: What Neuroscientists, Story Tellers, and Marketers Can Teach Us About Driving Security Behaviors (https://www.amazon.com/Transformational-Security-Awareness-Neuroscientists-Storytellers/dp/1119566347) written by KnowBe4 Chief Evangelist & Strategy Officer, Perry Carpenter.
Data-Driven Defense
KnowBe4 Managed Services uses an overarching concept known as a Data-Driven Computer Defense, where your organization’s own experiences and data are used to drive and customize your program and pathway.
KnowBe4 Managed Services starts by using a baseline simulated phishing campaign to gauge your organization’s current phish-prone percentage. Then, and thereafter, your organization’s data (based on who responds to simulated phishing tests and who takes what educational experience) drives future education and testing.
Note: Social engineering is responsible for 70%-90% of all malicious digital breaches in most organizations. The single best thing most organizations can do to reduce cybersecurity risk is to mitigate social engineering. You can read more about data breach risk factors here: https://blog.knowbe4.com/70-to-90-of-all-malicious-breaches-are-due-to-social-engineering-and-phishing-attacks.
KnowBe4 Learning Program Pathway
KnowBe4 uses a proven program that involves training employees and sending simulated phishing campaigns as part of that training to measure the success of previous educational experiences, and then analyzing the outcome of those simulated phishing tests to gauge future training and simulated phishing. The cycle is graphically represented below.
Education and testing are done on the following timeline:
- Initial baseline
- Ongoing (e.g. monthly, quarterly, etc.)
- Targeted education and testing based on the data
- New employee hires
- Annually
Baseline Testing
One of the first things KnowBe4 Managed Services does is send a baseline phishing campaign to all of your (selected) users and report back user response actions (as graphically represented below).
The initial baseline phishing email is fairly unsophisticated, with a low-to-medium difficulty level. The most commonly used baseline template is one that mimics a request from the company’s IT department, but with plenty of red flags hinting that it is a phishing email. Most KnowBe4 customers are shocked to learn that over 30% of their end-users still open and click on the URL link in the email or open a file attachment. The actions employees take with any simulated phish are tracked. Recorded actions include the employee having:
- Clicked on included URL
- Replied to email
- Opened file attachment
- Allowed macro/script to run
- Entered data, such as their logon credentials
Social Engineering is More Than Email
KnowBe4 starts the baseline by sending a simple, fairly unsophisticated simulated phishing attack. But social engineering can occur in many other ways. Depending on your organization’s goals and objectives, KnowBe4 Managed Services can also include simulated social engineering tests that use Short Message Service (SMS) messages (known as smishing), voice phone calls (known as vishing), and physical USB storage drives scattered around the organization, although the vast majority of phishing tests arrive via email, just as in the real world.
Every security awareness training platform needs to be more inclusive than just fighting email phishing. Additionally, many organizations use KnowBe4’s training content to push compliance education (e.g. HIPAA, GLBA, etc.), HR policies (e.g. anti-sexual discrimination, etc.), and other custom organizational content. An organization’s own content can be included in the content pushed to its employees, with completion tracked in one common report.
With email phishes, SMS phishes, and USB drives, the goal of security awareness training is to prevent a user from doing anything beyond looking at an email, message, or drive. Simply opening a simulated phishing email, viewing an SMS message, or looking at a file list on a USB drive is still tracked, but isn’t counted as a “failure”, because, with rare exceptions due to zero-days, simply doing those things does not allow malicious actions to be executed.
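To make the failure definition above and the tracked actions listed under Baseline Testing concrete, here is an added Python example (not KnowBe4 code, and not the product’s own reporting logic) that takes a set of constructed campaign events and computes the phish-prone percentage per business unit and organization-wide, plus a reporting breakdown. The action names, the unit names and the sample events are assumptions made for the example; the rule they encode is the page’s: a delivered, opened or reported email is tracked but is not a failure, while clicking, replying, opening an attachment, running a macro or entering data is.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Actions the page lists as tracked for a simulated phish. Any of these
# counts the user as having failed the test. (Names are assumed for the example.)
FAILURE_ACTIONS = {"clicked", "replied", "opened_attachment", "ran_macro", "entered_data"}
# Tracked but not counted as a failure: merely receiving or opening the email,
# or reporting it (for example with the Phish Alert Button).
NON_FAILURE_ACTIONS = {"delivered", "opened", "reported"}


@dataclass(frozen=True)
class Event:
    user: str    # employee identifier
    unit: str    # business unit, used for per-unit aggregation
    action: str  # one of FAILURE_ACTIONS or NON_FAILURE_ACTIONS


def is_failure(action: str) -> bool:
    """Classify a tracked action; reject anything outside the known vocabulary."""
    if action in FAILURE_ACTIONS:
        return True
    if action in NON_FAILURE_ACTIONS:
        return False
    raise ValueError(f"unknown tracked action: {action!r}")


# Constructed sample campaign: ten users in two units (not real KnowBe4 data).
SAMPLE_EVENTS = [
    Event("alice", "Sales", "delivered"), Event("alice", "Sales", "opened"), Event("alice", "Sales", "clicked"),
    Event("bob", "Sales", "delivered"), Event("bob", "Sales", "clicked"), Event("bob", "Sales", "entered_data"),
    Event("carol", "Sales", "delivered"), Event("carol", "Sales", "reported"),
    Event("dan", "Sales", "delivered"),
    Event("erin", "Sales", "delivered"), Event("erin", "Sales", "opened"),
    Event("frank", "Finance", "delivered"), Event("frank", "Finance", "opened_attachment"), Event("frank", "Finance", "ran_macro"),
    Event("grace", "Finance", "delivered"), Event("grace", "Finance", "reported"),
    Event("heidi", "Finance", "delivered"), Event("heidi", "Finance", "opened"), Event("heidi", "Finance", "reported"),
    Event("ivan", "Finance", "delivered"), Event("ivan", "Finance", "clicked"), Event("ivan", "Finance", "reported"),
    Event("judy", "Finance", "delivered"), Event("judy", "Finance", "replied"),
]


def failed_users(events):
    """Users who took at least one failure action. A user who clicked and
    then reported the email still counts as failed."""
    return {e.user for e in events if is_failure(e.action)}


def phish_prone_by_unit(events):
    """Phish-prone percentage per unit: failed users / users who received the test."""
    recipients = defaultdict(set)
    failed = defaultdict(set)
    for e in events:
        recipients[e.unit].add(e.user)
        if is_failure(e.action):
            failed[e.unit].add(e.user)
    return {unit: round(100.0 * len(failed[unit]) / len(users), 1)
            for unit, users in recipients.items()}


def phish_prone_percentage(events):
    """Organization-wide phish-prone percentage, counting each user once."""
    recipients = {e.user for e in events}
    return round(100.0 * len(failed_users(events)) / len(recipients), 1)


def reporting_rate(events):
    """Share of recipients who reported the email, split into clean reports
    (no failure action) and reports made after the user had already failed."""
    recipients = {e.user for e in events}
    reporters = {e.user for e in events if e.action == "reported"}
    failed = failed_users(events)
    return {
        "reported_pct": round(100.0 * len(reporters) / len(recipients), 1),
        "clean_reports": len(reporters - failed),
        "reports_after_failure": len(reporters & failed),
    }


def action_counts(events):
    """Distinct users per failure action, the breakdown a campaign report shows."""
    seen = {(e.user, e.action) for e in events if is_failure(e.action)}
    return dict(Counter(action for _, action in seen))


if __name__ == "__main__":
    print("by unit:", phish_prone_by_unit(SAMPLE_EVENTS))
    print("overall:", phish_prone_percentage(SAMPLE_EVENTS))
    print("reporting:", reporting_rate(SAMPLE_EVENTS))
    print("actions:", action_counts(SAMPLE_EVENTS))
```

Two design points worth keeping when you build reports from real campaign exports: a user is counted once per campaign no matter how many failure actions they took, and reporting after clicking does not undo the failure, although the split between clean and late reports is itself a useful awareness metric.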
KnowBe4 Phish Alert Button
It’s not good enough to simply not perform a negative action; we want employees to report all potential maliciousness to the organization’s security review personnel. This is the only way the organization can get an accurate picture of what types of social engineering and phishing are being performed against the organization. Without constant reporting, an organization may never know when it is being targeted by a crimeware group or nation-state attack.
KnowBe4 provides the Phish Alert Button (PDF) for this purpose. Its icon is shown below.
The Phish Alert Button (PAB) is a separate installable add-in that integrates with Google Gmail or Microsoft Outlook email clients, including browser and mobile versions. If a user suspects that an email is a phish, whether simulated or real, they can click the PAB; the email is removed from their inbox and a copy is sent to a predefined email address where all suspected phishes are collected and can be investigated.
Ongoing and Targeted Security Awareness Training
KnowBe4 Managed Services takes the shared results from the initial baseline simulated phishing test and works with your organization to make a plan for future training and simulated phishing tests. In general, KnowBe4 Managed Services recommends monthly (or more) ongoing training and simulated phishing campaigns.
Usually, the training content sent monthly is of shorter duration (1-5 minutes) than other types of training, and is focused on preventing popular types of social engineering. KnowBe4 keeps track of real-world phishing attacks to determine current and emerging trends and to make training and simulated phishing recommendations.
All employees should take one or more longer training sessions to communicate a broader range of cybersecurity safety issues. This should ideally occur when first hired and at least once each year thereafter. Additional targeted training is done based on the data collected from the simulated phishing campaigns and testing.
Here is an example of longer, annual training content.
Here is an example of new-hire training content.
Training Topics
KnowBe4 has well over 1,000 pieces of original content across over 40 different languages. Training is accomplished using a combination of educational materials and simulated phishing campaigns. Training content includes videos, documents, newsletters, posters, hand-outs and games. Simulated phishing campaigns start off with easier-to-spot phishing emails and are then gradually modified to include more-difficult-to-spot phishing signs. The goal is to improve everyone’s ability to spot phishing emails and to keep challenging them to improve.
Training topics include a mix of general, randomized, and targeted training issues, similar to the topics that real-world phishers will foist upon your end-users. Training is modified based on the results of previous testing and education, popular phishing trends, required custom corporate training, seasons, events and roles. For instance, around tax time, employees are more likely to get real-world phishing that is looking for their personally identifiable tax information.
So, KnowBe4 Managed Services is more likely to send a simulated phish asking employees for their tax information (e.g. SSN, W-2, etc.), or ask Human Resource employees for bulk collections of that information (just like real-world phishers do). Around big holidays, like New Year’s and Christmas, holiday-related simulated phishing tests and education are likely to be given.
When major world or news events happen, such as a pandemic, earthquake, or celebrity death, phishers are more likely to use these topics to try to trick users. So, KnowBe4 Managed Services are more likely to test using those same topics. Here are some examples of educational posters and artwork customers can use to help raise security awareness.
Your organization’s logo can be placed on many pieces of training content (as simulated below).
Simulated Phishing Templates
Phishing campaigns are started by selecting one or more phishing templates, which form the bulk of the information used in a particular phishing campaign instance. KnowBe4 has thousands of templates to choose from in over 40 different languages.
Templates include static text and images, as well as dynamic fields that change based on the intended recipient, such as the name used in a personalized greeting. KnowBe4 Managed Services also builds custom templates based on what the customer’s organization has seen in real life. Here are some example simulated phishing templates.
KnowBe4 simulated phishing templates are ranked by difficulty, from 1 star (a phish so easy to recognize that any user should spot it) to 5 stars (a sophisticated phish that uses more branding and details to potentially fool even experienced users). Difficulty ratings are switched up to test users across different levels of phishing sophistication, mimicking the different types of real-world phishing attacks your users will see (as graphically shown below).
Overall, the goal is to get all of your users to a point where they require higher levels of phishing sophistication to be fooled, moving them step-by-step to higher levels of difficulty based on their unique previous simulated phishing test results (as graphically shown below).
Landing Pages
Users who are clicking on or responding to simulated phishing campaigns (known as failures) will, by default, be sent to a selected landing page, which lets them know they failed a simulated phishing test and will most often let them know the red flags of phishing that they should have seen to alert them to the fact that it was a simulated phishing email. Below is an example landing page.
A big part of security awareness training is educating people about the red flags of social engineering, and doing that in the moment that someone fails a simulated phishing test is crucial to their learning.
Here is a copy of our Red Flags of Social Engineering PDF hand out that all KnowBe4 customers can download and use.
People who successfully handle a simulated phishing test will be sent a landing page indicating their success, reinforcing their appropriate actions to incentivize continued appropriate handling in the future. As people successfully handle simulated phishing campaigns, they can be given less training. Alternatively, people who have successive failures can be automatically targeted for more training using a KnowBe4 feature known as smart groups. KnowBe4 Managed Services can help you decide on the appropriate level and rate of learning for both types of groups.
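The step-by-step difficulty ladder described under Simulated Phishing Templates and the smart-group idea above (successive failures trigger more training, sustained success allows less) can be expressed as a small scheduling rule. The following Python is an added illustration, not KnowBe4 code and not the product’s actual smart-group or difficulty logic: the one-star-per-test ladder, the thresholds of two consecutive failures and three consecutive passes, and the user histories are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Templates are rated from 1 star (easy to spot) to 5 stars (sophisticated).
MIN_STARS, MAX_STARS = 1, 5


@dataclass(frozen=True)
class Result:
    stars: int    # difficulty of the template that was sent
    passed: bool  # True = no failure action; False = clicked, replied, etc.


def next_stars(last: Optional[Result]) -> int:
    """Difficulty for a user's next simulated phish.

    Assumed ladder (an illustration, not KnowBe4's actual policy): a new user
    starts at 1 star; a pass moves up one star, a failure moves down one star,
    always staying within 1..5.
    """
    if last is None:
        return MIN_STARS
    step = 1 if last.passed else -1
    return max(MIN_STARS, min(MAX_STARS, last.stars + step))


def trailing_run(history: List[Result], passed: bool) -> int:
    """Number of consecutive results at the end of history with the given outcome."""
    run = 0
    for r in reversed(history):
        if r.passed != passed:
            break
        run += 1
    return run


def plan_user(history: List[Result], fail_threshold: int = 2,
              pass_threshold: int = 3) -> Dict[str, object]:
    """Next difficulty plus a training level: 'extra' after fail_threshold
    consecutive failures (the smart-group case), 'reduced' after pass_threshold
    consecutive passes, otherwise 'standard'. Both thresholds are assumptions."""
    last = history[-1] if history else None
    if trailing_run(history, passed=False) >= fail_threshold:
        training = "extra"
    elif trailing_run(history, passed=True) >= pass_threshold:
        training = "reduced"
    else:
        training = "standard"
    return {"next_stars": next_stars(last), "training": training}


def smart_group(histories: Dict[str, List[Result]], fail_threshold: int = 2) -> List[str]:
    """Members of an assumed 'needs extra training' group: every user whose
    most recent fail_threshold results are all failures."""
    return sorted(u for u, h in histories.items()
                  if trailing_run(h, passed=False) >= fail_threshold)


# Constructed histories for four users (not real data).
HISTORIES = {
    "alice": [Result(1, True), Result(2, True), Result(3, True)],  # climbing the ladder
    "bob":   [Result(1, False), Result(1, False)],                 # stuck at 1 star
    "carol": [Result(1, True), Result(2, False)],                  # one slip, drop back
    "dan":   [],                                                   # new hire, no baseline yet
}


if __name__ == "__main__":
    for user, history in HISTORIES.items():
        print(user, plan_user(history))
    print("smart group:", smart_group(HISTORIES))
```

Note that the rule only ever moves one star per test, so a user cannot be pushed from an easy phish to a five-star one on the strength of a single pass, and a user who fails at one star stays there until they pass; that is the "step-by-step" behaviour the page describes, with the exact step size and thresholds being choices for the program owner.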
Learner Experience
KnowBe4 prides itself on the easiest-to-use software and services for both admins and end-users. End-users will receive email invitations to take training and quizzes. Users will be shown what required and optional training is waiting for them, and they will be allowed to evaluate all training at the end so that admins can ensure its effectiveness.
Admins can easily determine who did or didn’t take training and institute additional actions if needed. KnowBe4 Managed Services is experienced in selecting the right training and amount of training for your users. Below is an example of the friendly screens and invitations end-users will see in their experience.
Risk Ratings
The cybersecurity risk of each individual user and the aggregated cybersecurity risk of the entire organization can be calculated and tracked. A personalized risk score is generated for each user based on their simulated phishing tests’ successes and failures, training completion, job function, and custom booster score that the organization can add. All of the personal risk scores can be aggregated on a per-business-unit basis or for the entire organization. Here is an example of an organization risk rating.
Reporting
KnowBe4 systems and services have many built-in reports, and APIs that expose the same information, for any involved organization. Information can be seen on the screen, delivered via reports, or exported in multiple downloadable data formats. KnowBe4 Managed Services is also experienced in creating custom reports and advising your organization on how to get and utilize the data it desires. Here are two examples of reports:
Summary
KnowBe4 has award-winning software and services that are proven to significantly reduce cybersecurity risks and incidents in its customer environments. KnowBe4 Managed Services can run your security awareness training program or partner with you to build a best-practice, proven security awareness training program. If KnowBe4 Managed Services is used, its team of professionals will implement a proven program, which includes:
- Baseline simulated phish testing
- General and targeted educational content
- Ongoing, dynamic simulated phishing
- Implementation of the KnowBe4 Phish Alert Button
- Reports to track activities, progress, and help plan future activities
Whether or not you deploy KnowBe4’s software and services yourself, you can rest assured that we will help make your experience as easy and successful as possible.