How to Best Prepare for Cyberattacks? KnowBe4 Knows

A security expert in front of multiple computer screens in a network operations centre near a server room. Cybersecurity, Cyber awareness training.

Organizations that conduct security and awareness training and simulated phishing attacks perform better in detecting mock phishing campaigns than those refraining from such training, KnowBe4 said in a new study.

The security and awareness training and phishing campaign platform provider’s white paper, “Data Confirms Value of Security Awareness Training and Simulated Phishing," is based on an analysis of some 32 million individual end users, who took over 493 million Phishing Security Tests (PSTs) and participated in awareness training at least once a year.

Insight from 493 Million Phishing Security Tests

Survey results are gleaned from input from more than 60,000 individual KnowBe4 customer organizations worldwide, the company said.

Highlights from the study include:

  • Groups that did frequent PSTs performed better in detecting simulated phishing campaigns than groups that did not.
  • The more frequently that groups did PSTs, the better the users performed on simulated phishing tests. The more PSTs, the better.
  • Groups that did weekly PSTs were 2.74 times more effective in reducing risk than groups that only did less than quarterly PSTs.
  • The longer a group trained, the better they did on simulated phishing tests.
  • Groups that did both training and simulated phishing tests did the best.

“Based on the massive amount of data that we analyzed from around the world, everyone should be conducting frequent simulated phishing tests as part of their security awareness training program to get the highest level of impact and most effective cybersecurity risk reduction,” said Roger Grimes, KnowBe4 data-driven defense evangelist.

He added “Phishing and social engineering account for 70-90% of all malicious data breaches, so focusing on ways to mitigate it are critical to your organization’s overarching cyber defense strategy. We are thrilled to finally have the concrete data to confirm the true value of security awareness training and simulated phishing.”

Email Phishing Top Attack Vector

Two weeks ago, KnowBe4 released the results of its Q3 2023 global phishing report and found that HR-related email subjects continue to be used as a phishing strategy and make up more than 50% of top email subjects. The results include the top email subjects clicked on in phishing tests and reflect the use of HR business-related messages as well as popular seasonal messages that pique interest from employees and may affect their work day.

According to KnowBe4’s data, nearly one in three users are likely to click on a suspicious link or comply with a fraudulent request. This results in cybercriminals changing phishing email subjects to be more believable while preying on emotions by inflicting urgency, confusion and distress in order to get employees to click on a malicious phishing link or download an attachment.

This steady trend from the last two quarters of cybercriminals using email subjects coming from HR include messages related to dress code changes, training notifications, vacation updates and more. These are effective because they may cause a person to react before thinking logically about the legitimacy of the email and have the potential to impact an employee's personal life and professional workday.

Emphasis on Workforce Security Training

KnowBe4 CEO Stu Sjouwerman explained that the continued trend of disguising emails as coming from an internal department such as HR is especially dangerous to organizations because they appear to be coming from a trusted, reliable source.

“These malicious emails take advantage of employee trust and create vulnerabilities within an organization that could potentially result in its downfall," he said. "KnowBe4’s phishing test reports emphasize the importance of new-school security awareness training that educates end users on the latest and most common cyber attacks and threats. An educated workforce is essential to fostering a strong security culture and is an organization’s best defense to stay safe online.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.