New KnowBe4 Statistics Reveal Security Awareness Training Reduces Phishing Susceptibility by 75%
Companies Participating in KnowBe4 Internet Security Awareness Training (ISAT) Achieved Dramatically Lower Phish-Prone™ Percentage After Four-Week Campaign
CLEARWATER, Fla., July 11, 2011 – New statistics published by Internet Security Awareness Training (ISAT) firm KnowBe4 indicate that formal training can substantially reduce an organization’s vulnerability to cybercrime. The findings, which are based on a case study of three KnowBe4 clients, revealed that between 26% and 45% of employees at those companies were Phish-prone™, or susceptible to phishing emails. Implementation of ISAT immediately reduced that percentage by 75%, and subsequent phishing testing over four weeks resulted in a close to zero phishing response rate across all three companies.
“As cyberheists continue to make headlines, it’s become clear that small and medium enterprises underestimate the prevalence of cybercrime and the ability of cybercriminals to hack into their networks and bank accounts,” said Stu Sjouwerman, founder and CEO of KnowBe4. “Many executives erroneously assume that their IT departments and antivirus software will identify and block any cyberheist attempts. The fact of the matter is, though, that all it takes is one employee clicking on a phishing email to give the bad guys a backdoor to your network. Cybercriminals use that weak link – your employees – to bypass your antivirus software and gain full access to your systems. Our research has proven that Internet Security Awareness Training can close that hole, but organizations need to take the initiative to implement a formal, company-wide program.”
KnowBe4’s recent client case study showed that between a quarter and a half of employees were Phish-prone before receiving Internet security training. If a cybercriminal had targeted any of those companies prior to their implementation of ISAT, there could have been serious implications. The initial test involved sending a simulated phishing email to employees before the first ISAT session to see how many would fall for a phishing attempt. The results were alarming: KnowBe4’s phishing statistics revealed an average 36.67% click rate among the three companies:
- Company A (28 users): 45%
- Company B (95 users): 39%
- Company C (76 users): 26%
Following the preliminary free phishing security test, KnowBe4 conducted company-wide training. After that 30-minute online training, a series of five different simulated phishing emails was sent to users. The emails and the order in which they were sent varied by company, and the simulated phishing attacks covered a number of different topics, ranging from bank account unauthorized access alerts, to Twitter notifications, to requests that appeared to be sent from the companies’ own IT departments. After the first email in the post-training test campaign, Company A’s Phish-prone percentage dropped to 28%, while Company B and Company C had a 0% click rate, resulting in an average of 9.33% across the three organizations. That represents an immediate overall 74.55% reduction in phishing susceptibility after the first training session.
Supplemental training decreased the phishing response rates even further. The second email in the campaign netted only a 7.10% response rate from Company A, while Company B and Company C held steady at 0%. Following the third email in the series, Company A had joined Company B at 0% phishing susceptibility, while Company C had a 1% response rate. The fourth email in the campaign – a message that appeared to have been sent from the companies’ own IT departments – fooled some employees at Company A (3.5%) and Company B (10%), while Company C had no clicks. By the fifth email in the test campaign, all three companies had achieved a 0% Phish-prone rate, representing a full 100% reduction in susceptibility to phishing tactics.
Sjouwerman noted that the initial pre-testing phishing response rates are indicative of phishing susceptibility among small and medium enterprises (SMEs) as a whole, making these businesses especially vulnerable to cybercrime. “The media often tend to focus on high-profile cases, like the recent hacking incidents at Sony and Lockheed Martin. Cybercriminals target smaller companies and non-profits all the time; it’s just that those cases don’t always make national news. As a result, many SMEs have a false sense of security, thinking that nobody is going to bother going after them with so many larger, more successful targets out there. The reality is that cybercriminals know SMEs are less likely to have effective security measures in place – and they’ll go anywhere they can find an easy way in. We recently published a case study about an attempted $150,000 cyberheist at a Boston branch of the United Way. If someone at the charitable organization hadn’t been especially vigilant, those funds would be in the hands of overseas criminals instead of helping local citizens in need. My point is that cybercrime can – and does – happen everywhere. That’s why Internet security awareness training is so important.”
KnowBe4 offers a free phishing security test to help business owners determine phishing susceptibility among their own employees. Companies that choose to implement KnowBe4’s First2Know™ Internet Security Awareness Training will receive high-quality, web-based instruction that educates employees on spam, phishing, spear phishing and social engineering. At the end, employees will complete a multiple-choice test that is updated daily to reflect current threats on the Internet. KnowBe4 also provides templates for simulated phishing email attacks so companies can continue to test phishing susceptibility over time. Employees who fail the test can repeat the training at no additional cost. Subscription to the service also includes optional email updates with phishing security hints and tips.
To further educate business owners and individuals, Sjouwerman recently published Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. Cyberheist explores the business of cybercrime, examines cyberheist tactics through a series of case studies and equips readers with effective tips and tools for countering cyber attacks.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. For more information on Sjouwerman and KnowBe4, visit http://www.knowbe4.com.
Karla Jo Helms
CEO and PR Strategist
JoTo Extreme PR