KnowBe4 CEO: Prevent Insider Threats With More User Training
Submitted by Sarah Kuranda on
Insider threats are one of the biggest issues facing the security industry today. While some of the threats are from malicious insiders, many of the recent breaches and security threats have been due to targeted phishing attacks that could have been prevented with more user education. Longtime security expert Stu Sjouwerman, CEO of KnowBe4, sat down with ITbestofbreed.com to chat about this threat, and what his startup is doing to fight back against it.
What exactly is KnowBe4?
During the last year or so, being a software develop of antivirus platforms, we saw that still many infections were caused, and once we tracked down the reason for those malware infections were, it always turned out to be an end user that was social engineered and clicked on a link or opened up an attachment. After selling Sunbelt, I said there is an underserved segment in the market that needs to be addressed because software only doesn't cut it. That's when I started KnowBe4 in 2010...and teamed up with Kevin Mitnick to tap into his 30 years of first hand hacking experience and more or less distill that into a 30 minute course for employees – interactive, at their place of work, in the environment that would be social engineered – but also created the platform that would allow frequent simulated phishing attacks so that you really get these users on their toes with security top of mind and you keep them there. That's now four years ago and today I am happy to say that we are the world's most popular platform for integrated security awareness training and simulated phishing. There are other people that do this too, but we just have way more enterprise customers.
Can you talk about the problem you're solving a little more and how that's tied to the mega breaches we're seeing?
We position ourselves as this is a great way to manage the problem, manage the ongoing problem of social engineering. This is not a problem that's going to go away. The bad guys have gone pro. They've become very, very good at this. They're hiring the smartest people that they can get their hands on and there's many of them in Eastern Europe that want to make five times as much money doing this than anything else. So, helping IT pros and, to a large degree the systems administrators and network administrators and director of IT, helping them to manage the problem of end users, because end users are their number on headache to begin with. Until recently, in IT there was a little bit of a group agreement that you "cannot patch stupid." That is actually not true. If you do it right, you can get end users trained to a point where they will catch 99 percent of red flags and be what you call a "human firewall" that you have as an additional layer on top of all of your existing security layers. This is the missing piece of the puzzle. The reason why people were thinking "you can't patch stupid" is because they didn't quite do it right. They didn't estimate the correct amount of effort needed...We basically are turning a worst practice into a best practice...We decided to automate all of that work, first to provide a bunch of modules that they can provide to the user and second to make the simulated phishing attacks.
What do you see as the status quo for most companies when it comes to effort around combating insider threats?
We've done a bunch of surveys. A good 20 percent or so is doing nothing and is relying on their existing filters, which is risky. There's another 30 percent who are doing essentially compliance security awareness training, what we call check box awareness training...You do need to have a program in place, which is creating a best practice and phish your own users before the bad guys do.
KnowBe4 is expanding its programs – talk about what's new.
What's new is that the training campaigns that we have launched are making the life of the administrator even easier. It's now as simple as uploading a bunch of users, having a pull down menu, deciding which module you want them to step through, and what the deadline is for them to finish it. Then, automatically an email is sent to the users...It is exceedingly simple...That was the number one request from our users.
What sort of changes have you already seen with the companies that you've worked with?
I send an email to every customer after they have rolled out the solution...I ask them, are you a happy camper? I get tons of emails that say it's great, we've seen our phish-prone percentage go down dramatically...There's customer after customer sends us positive feedback.