Dishing On Phishing: Are Your Employees Black Belt Cyber Defenders?

A security expert explains the difference between awareness and training

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Sep. 10, 2019

One of your employees clicked when they shouldn’t have, and something really bad happened. So you’ve trained everyone on how to detect and react to phishing scams. But all too often your people still take the bait.

That was the sentiment of hundreds of IT managers, cybersecurity professionals, and HR chiefs at KB4-CON, the world’s largest security awareness user conference, produced by KnowBe4 earlier this year.

Some companies are faring much better than others when it comes to building a human firewall as the first line of defense against cyber intrusions.

“When it comes to phishing, it’s one thing to show you pictures of what a phish looks like and to talk about it,” said Perry Carpenter, chief evangelist and strategy officer for KnowBe4, at the KB4-CON event. “It’s another thing to actually put you in an environment where you’re having to react to the psychological dynamic of being phished,” he added.

Carpenter’s point is that you don’t just show people videos and expect them to suddenly become “cyber aware.” If it were that easy, then busy executives wouldn’t be traveling from halfway across the globe to watch the panel of experts at KB4-CON.

Despite a huge movement towards providing employees with security awareness training, people are still getting hooked by cybercriminals.

“Training is different than awareness,” says Carpenter, a highly respected speaker and author, and former Gartner research director covering security and risk management. “Awareness is raising an issue and giving you information about it. Training is actually building muscle, building memory, and building a habit around something.”

If this sounds like martial arts training, then it may as well be, the way Carpenter explains it. “When it gets to training, if you do that over and over and over again, you can start to build (good) habits and hygiene. That’s where training gets to be really important as you’re building muscle memory over time.”

Apparently there’s a lot of awareness going on in enterprises, but not nearly enough ongoing training.

If you listen carefully, Carpenter’s message is that cyber safety boils down to people protecting themselves and not expecting technology to do it for them. “You can spend all the money you want on all the layers of technology, but there’s still that ability to exploit the human.”

KnowBe4’s mantra is that old-school security awareness training doesn’t hack it anymore. Instead, users first need to be assessed in order to determine how phish-prone they are. Then an ongoing and automated training regimen ensues. Along the way, simulated phishing emails are sent to users — to see if they’re progressing. Managers track the results through reports with easy-to-read stats and graphs.
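The assess-then-measure loop described above, as an added illustration that is not part of this article and not KnowBe4’s own code: a small Python script that scores constructed simulated-phishing results per campaign (phish-prone percentage and report rate) and lists the users who clicked in more than one campaign, which is the kind of trend a manager would look at to decide who needs more training. The record layout and field names are assumptions made for this example.

```python
"""Scoring simulated-phishing campaign results (added illustration).

The rows below are constructed sample data, not output of any real
platform; the (campaign, user, clicked, reported) layout is an assumption.
"""
from collections import defaultdict

# Constructed sample: one row per user per simulated-phishing campaign.
# "clicked" = the user followed the lure link; "reported" = the user
# flagged the message to security instead.
CAMPAIGNS = [
    # campaign,  user,    clicked, reported
    ("2019-Q1", "alice", True,  False),
    ("2019-Q1", "bob",   True,  False),
    ("2019-Q1", "carol", False, True),
    ("2019-Q1", "dave",  True,  False),
    ("2019-Q2", "alice", False, True),
    ("2019-Q2", "bob",   True,  False),
    ("2019-Q2", "carol", False, True),
    ("2019-Q2", "dave",  False, False),
    ("2019-Q3", "alice", False, True),
    ("2019-Q3", "bob",   True,  False),
    ("2019-Q3", "carol", False, True),
    ("2019-Q3", "dave",  False, True),
]


def _rows_for(rows, campaign):
    """Rows belonging to one campaign; error out on an unknown campaign."""
    sent = [r for r in rows if r[0] == campaign]
    if not sent:
        raise ValueError(f"no results for campaign {campaign!r}")
    return sent


def phish_prone_percentage(rows, campaign):
    """Share of users in a campaign who clicked the simulated lure (0-100)."""
    sent = _rows_for(rows, campaign)
    clicked = sum(1 for r in sent if r[2])
    return round(100.0 * clicked / len(sent), 1)


def report_rate(rows, campaign):
    """Share of users who reported the lure, the behaviour training aims for (0-100)."""
    sent = _rows_for(rows, campaign)
    reported = sum(1 for r in sent if r[3])
    return round(100.0 * reported / len(sent), 1)


def trend(rows):
    """Phish-prone percentage per campaign, in the order campaigns first appear."""
    order = []
    for r in rows:
        if r[0] not in order:
            order.append(r[0])
    return [(c, phish_prone_percentage(rows, c)) for c in order]


def repeat_clickers(rows, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for extra training."""
    clicks = defaultdict(int)
    for _campaign, user, clicked, _reported in rows:
        if clicked:
            clicks[user] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    for campaign, ppp in trend(CAMPAIGNS):
        rr = report_rate(CAMPAIGNS, campaign)
        print(f"{campaign}: phish-prone {ppp}%, report rate {rr}%")
    print("repeat clickers:", repeat_clickers(CAMPAIGNS))
```

In the constructed data the phish-prone percentage falls from 75% to 25% across the three campaigns while the report rate rises, which is the shape of the progression the article describes; the one user who clicks in every campaign is the one a manager would single out for further training rather than another awareness video.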

Think of it this way. Right now most of your employees, if they’ve had some basic level of awareness training, are white belts. Chances are, they’re still phish-prone. Listen to Carpenter, and plan to turn your people into black belts.

A new and sophisticated phishing scam is no different from a roundhouse kick to the head. If your users don’t see it coming and they don’t know how to defend against it, then the harm can be devastating.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Sponsored by KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We are a leader in the Gartner Magic Quadrant and the fastest-growing vendor in this space. We are proud of the fact that more than 50 percent of our team are women.