KnowBe4, a provider of integrated platforms for security awareness training and simulated phishing testing, told Homeland Security Today the company “has seen explosive growth for eight consecutive quarters,” noting that “data breaches in the first half of 2015 such as Anthem and the Office of Personnel Management, affecting millions, have left CEOs and CISOs alike scrambling for a way to manage the problem of social engineering.”
“Even the FBI is getting in on the act, prompting an alert on June 23, 2015,” the company said. “As a result, security awareness training has gone from lunchroom-to-boardroom in priority, exceeding a billion in worldwide annual revenue.”
KnowBe4’s Chief Hacking Officer Kevin Mitnick said, “People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics.”
And, “With the average cost of a data breach skyrocketing and costs of ransomware infections running over $18,000 per victim, relegating security awareness training to an annual lunchtime ‘death by PowerPoint’ is no longer a viable option,” said KnowBe4 CEO Stu Sjouwerman, who wrote the March 2014 Homeland Security Today report, Corporate Cybersecurity Issues Aren’t Impossible to Solve.
“Furthermore,” Sjouwerman said, “many companies were caught by surprise when they found their backups failed after a ransomware infection, underlining a need for more proactive action. Since we are the only company to offer a crypto-ransom guarantee (we cover the ransom in Bitcoin if our customer gets hit with ransomware after training their users), we moved up on the priority list.”
Sjouwerman and Mitnick said risk managers know it is far cheaper to train users than to pay the fines and heavy costs associated with data breaches, which Juniper Research estimates will reach $2.1 trillion by 2019.
They pointed to the April Osterman Research report, Best Practices for Dealing with Phishing and Next-Generation Malware, that revealed 5 out of 6 of the most serious concerns of security-focused decision makers are directly related to phishing or its aftermath.
The study said, “Employees should receive thorough training about phishing and other security risks in order to understand how to detect phishing attempts and to become more skeptical about suspicious emails and content. It is important to invest sufficiently in employee training so that the human ‘firewall’ can provide the best possible initial line of defense against increasingly sophisticated phishing and other social engineering attacks."
The study also stated that, “Malware infiltration is generally getting worse over time. In 2015, however, we discovered that email has once again become the most serious incursion point for malware. Interestingly, while the Web was the primary threat vector for malware for several years, email reclaimed its place as the leading entry point for malware in 2015. The growing use of phishing as an attack vector leads us to believe that email will remain the most important entry point for malware for the next several years.”
KnowBe4 said it’s “seen explosive triple digit growth for the past 4 years,” and that during the 2nd quarter of this year it “was more than 350 percent over Q2 2014, with over 1,500 enterprise accounts using it to manage the problem of phishing and social engineering.”
The largest growth, the company said, “has been in the financial sector, an area targeted four times as often as other industries. The financial sector has taken the initiative to move away from the compliance-focused annual ‘breakroom’ approach to a more effective behavioral-based approach, using Kevin Mitnick Security Awareness Training, teaching users how to recognize threats with a combination of on-line, on-demand training and simulated phishing attacks that arrive in their inbox at work.”