10 Mar Dishing On Phishing: Security Awareness Training Year In Review
KnowBe4’s KB4-CON event taught us more than we expected
– Steve Morgan, Editor-in-Chief
Sausalito, Calif. – Mar. 11, 2020
Phishtales from the world’s largest security awareness user conference. That’s how Cybercrime Magazine kicked off our editorial coverage when we returned from the KB4-CON user conference last April – one of the best events we’ve covered. And truly it was because of the stories we heard from practitioners responsible for protecting users and organizations from phishing scams, ransomware attacks, and cybercrime in general.
“During the 2019 KB4-CON, dozens of customers walked up to me and thanked me for what they called a world-class event,” said KnowBe4’s Stu Sjouwerman. “Someone said that they had previously been to Microsoft and IBM conferences, and this was as good or better. Another one rated it as A+, which made me a very happy camper. The team did an awesome job putting this together.”
If history can help predict the future, then now is a good time for us to look back on what security experts have shared with us over the past year. Time flies and here we are just a little more than a month away from the third annual KB4-CON, which is being held in Orlando on April 15-17, 2020, where we’re certain to meet some of the same people.
KB4-CON is all about community, where like-minded professionals come together for networking, knowledge exchange, and even to have fun with each other. Here’s some insight and commentary we’ve heard from the KB4-CON community this past year:
1. In a conversation with Cybercrime Magazine, KnowBe4’s CISO Brian Jack commented that providing ongoing security awareness training was akin to “patching” employees — a clever use of the term, as patching traditionally refers to the practice of updating software in order to address known threats or vulnerabilities.
2. Joseph Wityshyn, an information security specialist at Tampa Bay Water, said, “Receiving emails, clicking on executables, downloading software — we need to make sure all those avenues are secure,” and added, “The consequences (of a cyberattack) would be total catastrophe. We have some critical systems online. If those things are disrupted, you’re talking total geographical chaos.”
3. Roger Grimes, data-driven defense evangelist at KnowBe4, said that security awareness training is like teaching a little kid to look both ways before crossing a street or buckling a seatbelt. It requires nonstop effort. “You want to reinforce it enough until it becomes such a natural behavior that they aren’t even thinking about it.”
4. “When they [users] click a link and get the banner that pops up and says ‘you’ve been caught!’, it really has an impact,” said Lisa Sheldon, the CISO (chief information security officer) at IAP Worldwide Services, a leading provider of global-scale logistics and facilities management, with 2,000 employees in 25 countries around the world. Sheldon was referring to IAP’s phishing simulation program. “We found that without that, it seems to fall off their attention.”
5. “When it comes to phishing, it’s one thing to show you pictures of what a phish looks like and to talk about it,” said Perry Carpenter, chief evangelist and strategy officer for KnowBe4, at the KB4-CON 2019 event. “It’s another thing to actually put you in an environment where you’re having to react to the psychological dynamic of being phished,” he added.
“Throughout the year we run different types of phishing campaigns using KnowBe4”
6. “The biggest problem with training is if you don’t do it over and over,” said Ryan Fitterling, director of technology for the Wilson School District in Berks County, Pa., which has 1,100 to 1,200 staff members, and 6,100 students. “It’s in the forefront initially but if you don’t do it over and over again to reinforce, then it sort of falls off the radar.”
7. Javvad Malik, security advocate at KnowBe4, explained that phishing simulation is a really effective tool as part of the overall awareness and training of employees. “Most people won’t have a home alarm installed until after they’ve been burgled,” he said. It’s worth watching the video just to hear him say “burgled” with that great British accent! But how true it is. Do you really want to be hacked into getting your users trained?
8. Stephanie Pratt, a cybersecurity evangelist, change agent, speaker, trainer, and communications and education specialist for Blackbaud, a world leader in software for the social good community, such as K-12 schools, nonprofits, foundations, and faith communities, said, “If your employees don’t know what to do, then they’re not going to do the right things. It’s not that they want to do the wrong thing — but they need to know what to be aware of, what to look out for, so they can help protect their company.”
9. “We have broadband attacks that attack general practitioners like phishing, and then we have very targeted attacks on C-class executives,” said Apollo Robbins, an American sleight-of-hand artist, security consultant, self-described gentleman thief and deception specialist. “So what that means is that experts who think that they’re above that could be very vulnerable to attacks. So you have a multi-platform and multi-faceted problem.”
10. Lucas Burke, who has a master’s degree in Computer and Information Systems Security / Information Assurance from Capella University, and industry certifications including CTPRA, CISM, CISSP, GCCC, Cisco CNP, and Microsoft CNE, and is vice president, Security Compliance and Assurance for Philadelphia, Pa.-based Radian (NYSE:RDN), believes that it’s personal (computing) habits, more than anything, that need to be addressed in order to avoid employee-induced cyber intrusions and attacks. “We all know what’s a great way to be healthy — eat right and exercise — it’s a pretty simple formula. Do we all do it all the time? I know that I don’t … Just because your employees know what secured behaviors are, don’t assume that they are going to follow them.”
Cybercrime Magazine will wrap our KB4-CON 2019 coverage in our next article, and then we’ll be on to KB4-CON 2020!
Stay tuned for more dishing on phishing next month.
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.
Sponsored by KnowBe4
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We are a leader in the Gartner Magic Quadrant and the fastest-growing vendor in this space. We are proud of the fact that more than 50 percent of our team are women.