By Bree Fowler, contributor
Artificial intelligence is dramatically changing the digital threat landscape and how security professionals fight back against the cybercriminals who use these new and more powerful tools.
That was one of the biggest topics of conversation among the attendees of KnowBe4’s annual KB4-CON last week in Orlando, Florida.
On the last day of the event, KnowBe4 President and CEO Bryan Palma sat down to talk about how AI has affected how his company protects its customers, as well as how KnowBe4 has grown and changed over the past several years.
The following responses have been edited for clarity and length.
Q: KnowBe4 started off as a security awareness training company, but it’s obviously grown and evolved into a lot more than that. How has AI played a role?
Palma: First of all, Stu Sjouwerman, our founder, and his team did an amazing job. I mean, we were the global leader in, as you said, security awareness training by a country mile. We made some acquisitions and have had over 100 million users. Our platform is proven and now we’re thinking about AI. We have patents in AI back to 2016. We launched our AI Defense Agents (AIDA) beta in 2016, our first agent in 2024 and most recently our Content Generation Agent. That brings a total of 12 into the AIDA suite. So we've been at this for almost a decade, and that's what's given us the advantage. It's been a great journey.
Q: How does AI play into the company’s business?
Palma: You think about our business with three pillars. We have attack simulation and training, which is a big part of what we do. We have collaboration security, which is email, inbound, outbound, also message security, Teams, Slack, etc., and then we have the agent risk management, which we launched 60 days ago. We have almost 1,000 customers in our trial. So that's the future of the company.
We're the company that helps you protect your workforce and it's more than that. Your workforce is a vulnerability, they're going to do things that you don't want them to do. They're going to click on stuff, they're going to download stuff, they're going to not know. And now our whole focus is to create a workforce that's an asset, meaning it helps you defensively from attacks. And that means humans, it means agents, it means machine IDs. It means your whole workforce.
Q: AI is changing the game for everyone in cybersecurity. How do you even begin to secure it? Are there best practices for this yet?
Palma: I think, right now, we're really at the early stages. Think about it in three kinds of segments. Segment A is what's out there, like, what agents are in the company that you run, or your organization, for example. At KnowBe4, we have 400 agents right now working at our company. The first thing is to give our customers visibility. So think of shadow AI like, what are the agents in your environment, and which of those agents are approved or sanctioned by the company, and which ones are not approved by the company? The second phase is then to take those agents and determine what those agents have access to. We map that for the customer. And then the final part is to figure out what you want them to do. For example, I'm using an agent to manage my email inbox. Well, right now, we don't allow it to send email for me, meaning it can't exfiltrate my email. But in the future, I might like the AI to send my email. But the question is: What protection will be put in place so that a hacker doesn't get to it and say, "Send me all Bryan's email," right? So that's the last portion, which is going to be the guardrails and the policy around the agents.
Q: How do you even set guardrails? We think about threats like prompt injection. How do you write rules and plug all those holes when you don't even know if they exist?
Palma: So it comes down to, what are the services, right? What are the data sets that you really want to protect? And then you just have to then say, "How am I going to lock that down?" You can make it so the agent can't send email, you can make it so that you, or whoever is working with the agent, in order to access certain data, has got to be on a VPN. So there're different criteria that you can put on as policy and it will be enforced.
Q: How big of a threat is shadow AI?
Palma: Oh, it’s huge. What you have to be able to do is see it. If you can see it, you can manage it better. And then the other part is, which we're obviously keen on, you've got to be able to make people aware. I mean, most people want to do the right thing for the organization. But a lot of them don't know that if they open up ChatGPT and go put company information in, that could be a problem, right? Once you educate them, they’re not a vulnerability. You turn them into an asset.
Q: Deepfakes are very splashy and grab headlines. But realistically speaking, what is the threat to organizations?
Palma: I think they’re going to get better and better. We have deepfake training. The volume of that's not going to be what you see with phishing, or what you see with smishing, or anything like that, but it is a real attack vector and we want to make sure our customers have the ability to train on it and also stop it and prevent it.
Q: That takes us full circle back to security awareness training. I think most people know not to converse with the Nigerian prince or click on links. How do you incorporate AI safety into those long-held security practices?
Palma: Right now, across our platform, we have 100 different training sets, tests, quizzes, videos on AI and what to do with it. So that's integrated. Obviously, we have our deepfake simulator. If you’re a KnowBe4 user, you've been educated on this for over a year and we typically put out 30 to 40 pieces of new content every month. So we're targeting the latest attacks, the latest things that are happening.
