Doubters Question Validity of Security Training—KnowBe4 Warns: Don’t Take the Bait—Phishing Attacks on the Rise


As phishing attempts increase, Internet security awareness training firm KnowBe4 warns businesses and individuals against believing the naysayers—security training is not only effective, but is a requisite in today’s technologically advanced world.


KnowBe4's Osterman Research Survey


Cybercriminals have become the perpetual thorn in America’s side—cybercrime is now estimated to cost the U.S. economy $140 billion and half a million jobs each year (1). As IT professionals scramble to stop these criminals, some are dissing the idea of security awareness training where individuals are taught to recognize and avoid cyberattacks. But Internet security awareness training firm KnowBe4 not only deems security training to be a necessity, but also has the results to prove its effectiveness.

Many Americans tend to overestimate their ability to identify phishing attacks—a recent survey that tested individuals’ ability to distinguish malicious emails from legitimate ones demonstrated the alarming truth:

- Before taking the test, 89% of the group had said they were “confident” in their ability to tell the difference between an authentic email and one sent by a scammer;
  - But just 7.5% of the participants were able to spot all the fake emails; and
  - More than half of the group missed half of the fake emails and deleted at least one authentic email.
- People who were overconfident before the test, females, and people described as introverted, were more likely to struggle with distinguishing the emails. (1)

The question of whether employee training is an effective strategy for stemming cybercrime has revived a decades-old debate among information technology (IT) professionals: Opponents of employee training say it is not only overrated, but also doesn’t help employees stand a chance against modern attackers who customize their phishing attacks against individuals. (2) But proponents of employee training—such as Stu Sjouwerman, founder of KnowBe4—say that security awareness training educates employees, giving them the knowledge and skills to spot social engineering red flags and to avoid clicking on suspicious links or opening infected attachments.

“While anti-phishing software is helpful in protecting an organization, no technology-based solution can overcome the problems caused by users who mistakenly or carelessly click on suspect links and thereby introduce malware into the corporate network,” says Sjouwerman. “The only solution is to bolster the first level of a layered defense system in protecting an organization by providing employees with the appropriate security awareness training in order to recognize phishing characteristics, what to do when confronted with them, and keep security top of mind.”

Osterman Research, which specializes in conducting market research for IT and technology-based companies, classifies five basic types of security awareness training that organizations can implement to educate employees about phishing and other illegal cyber acts:

1. The Do-Nothing Approach: The organization conducts no security awareness training.
2. The Breakroom Approach: Employees are gathered during lunches or meetings and are told what to look out for in emails, web surfing, etc.
3. The Monthly Security Video Approach: Employees are shown short videos that explain how to keep the organization safe and secure.
4. The Phishing Test Approach: Certain employees are pre-selected and sent simulated phishing attacks, IT determines whether they fell prey to the attack, and those employees get remedial training.
5. The Human Firewall Approach: Everyone in the organization is tested, the percentage of employees who are prone to phishing attacks is determined, and then everyone is trained on major attack vectors. Simulated phishing attacks are sent to all employees on a regular basis.

Sjouwerman recently commissioned a research survey with Osterman Research to glean data on KnowBe4 customers’ opinions regarding security awareness training. After using KnowBe4’s security awareness training program—categorized as a “Human Firewall Approach”—a vast majority of organizations were found to have increased confidence in employee capability in distinguishing phishing attempts and malware.

Further results of the survey found KnowBe4 customers to be nearly three times more likely than non-customers to find that their phishing problem has lessened over the past year.

“The results speak for themselves—security training does work, and it has become an essential piece of a company’s defense against cyberattacks,” commented Sjouwerman. “Training never fails to show a dramatic reduction in what we have called an organization’s ‘Phish-prone’ percentage—security awareness training is no longer an option, but a must.”

KnowBe4 provides an extensive collection of free cybercrime education resources so that executives and system administrators can arm themselves and their staff against cyber-attacks. The company also offers a free phishing security test to help business owners and managers determine what percentage of employees are phish-prone™—or susceptible to phishing attacks.

For more information, visit KnowBe4 online at

About Stu Sjouwerman and KnowBe4:

Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. He and his colleagues work with companies in many different industries, including highly regulated fields such as healthcare, finance and insurance. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

1. Dave, Paresh. “Cybercrime Costs U.S. Economy up to $140 Billion Annually, Report Says.” Los Angeles Times, 22 July 2013. Web. 14 Aug. 2013.,0,308705.story.

2. Dave, Paresh. “Who’s Susceptible to Email Phishing Attacks? Study Says Everyone.” Los Angeles Times, 26 July 2013. Web. 13 Aug. 2013.,0,6813984.story.

3. “Debate: Security Training Is Effective in Preventing Workers from Clicking on Malicious Links and Attachments.” SC Magazine, 01 Aug. 2013. Web. 13 Aug. 2013.


Contact Author

Karla Jo Helms
888-202-4614 802