No Time to Be Stodgy If You’re in the Security Game

“Covid is a cybersecurity criminal’s Christmas,” said Joanna Huisman. “Right out of the gate we saw all their efforts to ensnare the unaware.”

Huisman is a senior vice president for strategic insights and research at KnowBe4, the security awareness training and simulated phishing platform. She was talking about all the emails hackers have sent out to lure the unwary to click on links to what were supposed to be free testing kits or financial aid packages.

Criminals like the ones who devised these scams, Huisman said, “are innovative.” Companies that need to elude their phishing attacks, on the other hand, are too often “doing the same old things,” she said. “They think they’re doing the right things—or enough—when in essence they’re not.”

Huisman and Perry Carpenter, KnowBe4’s chief evangelist and strategy officer, gave a briefing for TAG Cyber analysts during which it was clear that their company is not one of those stodgy ones doing the same old things.

Founded in 2010 and headquartered in Clearwater, Florida, with offices in England, the Netherlands, Germany, Brazil, Australia, Japan, South Africa and Singapore, KnowBe4 has always sought to make a splash. In 2011, for example, cofounder Stu Sjouwerman brought in Kevin Mitnick as chief hacking officer and part owner.

Enter the Hacker

Mitnick has long been a larger-than-life presence on the cybersecurity scene, turning the notoriety of landing on the FBI’s Most Wanted List into a different kind of recognition as the author of four books and now a highly sought-after public speaker. His Kevin Mitnick Security Awareness Training (KMSAT) helped spur the company’s early breakneck growth.

More recently, KnowBe4 boosted its profile by introducing a “ransomware guarantee.” The deal is this: If you’re a current customer, you’ve deployed the training following the company’s recommendations, and you get hit with a ransomware attack, KnowBe4 will cover up to $1,000. Call it KnowBe4’s “putting our money where our mouth is” pledge.

How has it worked out? During the five years since KnowBe4 slapped down the guarantee, the company has paid out only once, Carpenter said. It’s been good for the company, he observed. It was good marketing and PR. “The ransomware guarantee is a tangible way of demonstrating the company’s faith in the product and methodology,” Carpenter said.

The company offers over 1,000 pieces of training content, and it prides itself on high quality and innovative tools across a variety of formats. Featured prominently are two seasons of videos that teach viewers about phishing, social engineering and a host of other end-user security topics—while entertaining them with the zest of an action TV drama. It’s called “The Inside Man,” and it won a silver medal at Cannes last year in the category of best corporate media and TV awards. It may be the first “binge-worthy security awareness series,” said Carpenter, who was the executive producer. “We wanted to answer the question, ‘What would security awareness look like if it were a Netflix series?’” We smiled when he said that, but later when we watched an episode, we realized that he wasn’t kidding.

More Than TV

But it’s not all fun and games. And it’s not just a matter of watching a little TV. Huisman pointed out that law firms with 250 or fewer employees don’t do well on phishing tests. A recent report found that they have a 34 percent failure rate, she said. And failure in the real world can lead to a ransomware attack, or a costly data breach. “Just about every breach is attributable to human error,” added Carpenter, who published a well-received book on this subject himself last year called “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behavior.”

Their own statistics found that without training, the failure rate for clients is about 37 percent, Huisman noted. With frequent training over three months, they can bring that down to 17 percent. With more training, they can bring it down to 4 percent.

It’s not only about phishing, either. Their KCM GRC platform allows clients to manage and automate governance, risk, compliance and audits. And at a substantial discount in time and cost from competitors’ products, Carpenter said. Their offering provides about 80 percent of the functionality of RSA Archer, for example, and it’s got 10 percent of the complexity, according to Carpenter. The tools clients want are there, and they can be up and running in a couple of days, he said, rather than a week or weeks.

What’s the takeaway? You don’t have to be a criminal to be innovative. Companies leading the fight against the hackers can be just as creative. Especially if they have a little hacking experience themselves. It’s OK to inject some fun into the work—and KnowBe4 seems to be very good at that. But good companies know that they had better bring substance and metrics to back it up.