Roger Grimes, KnowBe4. PHOTO: Cybercrime Magazine.

Phishing Scams And Unpatched Software Are The Biggest Cybersecurity Threats In 2020

KnowBe4 delivers an important message at RSA Conference USA 2020

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Mar. 16, 2020

Scott Schober, Cybercrime Magazine commentator at the recent RSA Conference USA 2020 in San Francisco, met up with Roger Grimes, a data-driven defense evangelist for KnowBe4, the fledgling security awareness training and phishing simulation company and newly minted unicorn.

Grimes, who Schober calls a legend and computer security geek, is one of the top media writers and authors in our field. In a short video interview, which took place in the KnowBe4 exhibition booth, he summed up his views on the greatest cybercrime threats to organizations in 2020:

  • Phishing and social engineering are responsible for 70 to 90 percent of all successful malicious data breaches.
  • The next closest threat is unpatched software, involved in around 20 to 40 percent of breaches and sometimes used together with phishing.
  • Everything else — password compromises, (unethical) hacking, SQL injections, insider threats, and many others — altogether makes up only 1 to 10 percent of the cyberattacks on organizations.
Grimes says that when it comes to combating social engineering, which is the biggest threat of all, no matter how many technical controls you might implement — content filtering, anti-spam, anti-phishing, etc. — and no matter how good those technical controls are, something will always get through to your end users.

If you agree with Grimes, which we do, then there’s nothing more important than providing your employees with ongoing security awareness training, and reinforcing it with a phishing simulation program.

Security awareness training is about building a culture of skepticism in which people know how to recognize phishing scams and report them, according to Grimes. The last thing you want is for employees to simply delete incoming phony email messages.

Grimes offers an example — a massive APT (advanced persistent threat) attack launched against your organization. If everyone is just deleting and not reporting, then the IT security team doesn’t know to get involved. “I’ve seen that — a Fortune Five company had 1,900 emails coming in from Russia attacking their company and nobody was reporting it until the nine-hundredth one that had been successful.”

“Every company will be hacked,” according to Grimes, in a story he wrote for CSO. It’s a scary statement to make, but Grimes, a 30-year tech industry road warrior who spent 11 years as a principal security architect at Microsoft, knows his stuff.

KnowBe4 generated a lot of buzz at RSA Conference, which included their chief hacking officer, Kevin Mitnick, signing copies of his latest book “The Art of Invisibility” in the KnowBe4 booth.

Grimes points out that KnowBe4 has been at RSA for many years, and now the company has more customers than anyone else in their space.

Earlier this year, Cybercrime Magazine released a documentary about KnowBe4, which chronicles their ascent from a pure startup with three people, to a company that was valued at $1 billion when they raised a whopping $300 million in venture funding.

To catch more of Grimes, you can listen to him host KnowBe4’s webinar “What Most Computer Security Defenses Are Doing Wrong and How to Fix It.” He explores the latest research on what’s wrong with current network defenses and how they got this way.

It was a treat to go one-on-one with Grimes at RSA Conference, one of just a few major tech events that went on last month despite growing concerns over the Coronavirus situation, which has since worsened and canceled practically all conferences.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.