https://www.engineeringnews.co.za

Staff training one of the ways to reduce companies’ cyberattack risk

ANNA COLLARD
Enterprises should include training to reduce the cybersecurity risks from attacks on employees


13th December 2019

By: Schalk Burger

Creamer Media Senior Deputy Editor

     


People remain one of the key weak links in cybersecurity defence, but training them and testing their propensity to fall for phishing attacks delivered by email, social media messages or WhatsApp can significantly reduce the risks of cyberattacks against companies, says cybersecurity training firm KnowBe4 MD Anna Collard.

Phishing is one of the most frequently used attack vectors leading to cybersecurity breaches. More than 32% of breaches are linked to successful phishing attacks, followed by credential theft, according to telecommunications multinational Verizon’s ‘Data Breach Report 2019’.

Measuring the cybersecurity awareness and propensity of personnel to fall victim to cyberattacks enables a company to quantify its risks and take steps to lower them, explains Collard.

KnowBe4 provides cybersecurity training from basic to executive level. It captures all the information from training participation and phishing simulation testing to identify the propensity of employees to fall victim to phishing and scam emails, and thereby manage the risks.

“Given the amount of resources companies are allocating to cybersecurity, proportional resources should also be allocated to secure the most vulnerable elements of your network, which are your people. However, there should also be a quantifiable baseline and improvement to determine the efficacy of the training.”

The company uses gamified and story-based training content and exercises to equip personnel with knowledge about cyberrisks and common attack strategies, as well as best practices to follow in the event of a possible attack, such as delaying a process and seeking confirmation of the veracity of an instruction, says Collard.

Simulation exercises and mock phishing attacks are used to determine the susceptibility of personnel to phishing and fraudulent emails and communications, a measure called the ‘phish-prone’ rate.

“KnowBe4 has the statistics from more than nine-million people we have trained, and has demonstrated that awareness and training can reduce the average propensity of personnel to fall victim to such attacks from about 30% to below 5%.”

Stealing credentials is one of the easiest ways for cybercriminals to break into cloud systems and services, and requires only an attack on employees, not on well-protected information technology (IT) systems. Cybersecurity training, together with phishing and attack simulations and tests, helps to reduce credential theft, not only by making users more aware of the threat through training but also by exposing them to mock versions of these kinds of attacks.

The KnowBe4 training also includes the client’s IT and security teams, which helps to spread awareness of the roles of IT in cybersecurity and establishes channels for employees to report suspicious emails or attachments to the IT department or to check whether a link is malicious.

“We also add a reporting button to the client’s email platform, which enables employees to check or report a suspicious email easily.”

Further, the company’s training is based on rigorous psychological foundations and adheres to training and change management best practices, including establishing a baseline among a client’s employees and monitoring training progress and effectiveness.

After training, KnowBe4, which works closely with its clients’ human resources departments, also provides material, tests and simulations that are used for further training and testing.

KnowBe4’s reporting provides visibility of the efficacy of training. It has been able to reduce an average phish-prone rate from about 30% to 15% within 90 days and to below 5% within 12 months.

“Our role is to address the human in cybersecurity, which makes cybersecurity measures more effective, and makes companies’ cybersecurity policies known and effective. Training also establishes cybersecurity best practice, including awareness and reporting phishing to IT security.”

Edited by Martin Zhuwakinyu
Creamer Media Senior Deputy Editor
