sat-slider-1

The Ultimate Guide to
Security Awareness Training

Old-school awareness training never really hacked it. Our new-school approach educates employees on the importance of security awareness training.


What Is Security Awareness Training?

Security awareness training is a form of education that seeks to equip employees of an organization with the information they need to protect themselves and their organization's assets from loss or harm. For the purposes of any security awareness training discussion, members of an organization include employees, temps, contractors, and anybody else who performs authorized functions online for an organization.

Organizations that must comply with industry regulations or frameworks such as PCI (Payment Card Initiative), HIPAA (Health Insurance Portability and Accountability Act of 1996), the Sarbanes-Oxley reporting requirements, NIST or ISO usually deliver security awareness training to all employees once or perhaps twice a year.

And even though it may not be required by Small and Medium Enterprises for compliance reasons, they can also benefit from training their employees to avoid cyberheists through phishing attacks, account takeovers, or other well-known means that cybercriminals use to misappropriate company funds.

Why Security Awareness Training?

To be aware, you need to be able to confront (face things as they are). KnowBe4 helps employees confront the fact that cybercriminals are trying to trick them. Once they confront that, they become aware and able to detect these scam emails and can take appropriate action like deleting the email or not clicking a link. 

Cybercrime is moving at light speed. A few years ago, cybercriminals used to specialize in identity theft, but now they take over your organization’s network, hack into your bank accounts, and steal tens or hundreds of thousands of dollars. Organizations of every size and type are at risk. Are you the next cyber-heist victim? You really need a strong human firewall as your last line of defense.


World's largest library of security awareness training content is now just a click away!

In your fight against phishing and ransomware you can now deploy the best-in-class phishing platform combined with the world's largest library of security awareness training content; including 1000+ interactive modules, videos, games, posters and newsletters.

ModStore01.png

You can get access to our ModStore Preview Portal to see our full library of security awareness content; you can browse, search by title, category, language or content topics.

Preview the ModStore Now!

I want to see the ModStore

Forrester_logo_new

The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022

KnowBe4 has been named a Leader in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022. Using a 30-criteria evaluation, the Forrester Wave report ranks 11 vendors in the security awareness and training market based on their current offering, strategy and market presence. KnowBe4 received the highest scores possible in 16 of the 30 evaluation criteria, including breadth of content coverage, security culture measurement, and customer support and success.

Download Your Complimentary Copy of the Report 

How To Run A Successful Program In For Your Employee

Critical Components of a Cyber Security Awareness Program

  1. Content - Content is king! As humans we all prefer different types and styles of content. Don’t approach content in your program as one size fits all. Match different content types to different roles in your organization.
  2. Executive Support & Planning - Materials that will help you continue to prove the value of the program to your executive team, and also to show auditors/regulators that you are doing the right thing.
  3. Campaign Support Materials - A successful program shouldn’t be ‘one and done’, treat it as a marketing endeavor. Once-a-year, ‘check the box’ training will not work toward changing user behavior. Continuously presenting the information in different ways, when it coincides with the context of their life, is what will influence their decisions and make it EASIER for users to make smarter choices.
  4. Testing - People need to be put in a situation where they will have to make a decision that will determine if the organization gets breached or not. Phishing simulations prompt employees to either click a link, report the phish, or do nothing. You want to give them an opportunity to report phishing attempts and help the organization increase resilience. If they do fall for the phish, you want the ability to do training then and there to create a learning moment. Doing nothing isn't ideal as it leaves the potential threat out there and there's an opportunity for others in the organization to click.
  5. Metrics & Reporting - You need to be able to show you are closing security gaps. Reporting is also useful for optimizing campaigns based on past results. You want to be able to see what is working well and what can be improved upon.
  6. Surveys/Assessments - These types of tools can help you understand the attitudes of your organization and how well your program is resonating with your people so you can adapt. Think of it as a pulse check of subtle nuances that are different than metrics/reporting such as opinions, frame of mind, etc.

Here's a sobering truth: Your cyber awareness program and content are the visible ‘face’ of your department to the rest of the organization. Especially if you are in a larger organization, a good portion of your coworkers don't know you, they only know what your department produces. For that reason, it HAS to be as good or better than anything else the organization is doing. Otherwise, security is seen as 'other', unimportant, an afterthought.

Program Development 

Learning doesn't just happen at one point in time, we need to think about the entire context of user experience. Consider this 70:20:10 model for learning and development:

702010

  • 10% Formal - Structured learning, LMS courses, training days, etc. This is about the maximum amount of time you can allot per user for formal training. You need to be thinking about ways to address the other 90% of someone's experience in the organization.
  • 20% Informal - This would include asking others, collaborating, webinars, watching videos, reading, etc. Think about how to build an informal community for users to know where to go to get the information they need when they are actually seeking it out.
  • 70% Experiencial - On-the-job, social, in the workflow, corporate and departmental culture. From a security aspect, if we are ignoring that 70% social/cultural component, we're putting ourselves at a disadvantage. Think about ways to address that entire 100%. Vendor support systems can help.

The Five Moments of Need

  1. For the first time
  2. Wanting to learn more
  3. Trying to apply knowledge and/or remember
  4. When something goes wrong
  5. When something changes

Think About Learner Profiles/Segments Where Possible

The types of information and cultures of different departments vary. You need powerful ways to split your user population into groups. This allows you to measure them and train them in ways that best resonate with their individual needs and learning styles.

"3 truths about human nature. We’re lazy, social,  and creatures of habit. Design products for this reality." - BJ Fogg, Behavioral Researcher

The Four Stages of Competence

  1. Lack of Awareness - Unconscious Incompetence or "I don't know that I don't know something." They are blissfully unaware and their behavior will reflect that.
  2. Awareness - Conscious Incompetence or "I know that I don't know something." They now realize they don't have all the knowledge and tools they need. We can hope that will move them to the next stage.
  3. Step-by-step - Conscious Competence or "I know something, but I have to think about it as I do it." They either need to access stored information or really intentionally weigh all the options then come to the right conclusion.
  4. Skilled Stage - Unconscious Competence or "I know something so well that I don't have to think about it." This is where most of us are with pattern-based behaviors like driving, brushing our teeth, etc. At some point these things were difficult, and we can actually build up to this stage.

Four Stages of Competence

The problem is that traditional programs fail by leaving employee to linger in stages 1 and 2. Design your program to push them all the way through to stage 4. Getting users to stage 4 with constant training and simulation is ideal and cultivates the kind of behavior that can protect you from a breach.

Plan like a Marketer. Test like an Attacker.

Multi channel campaign - different types of content at different times targeting different audiences going through different channels so you have a constant barrage of information and working within the context that those different people are in. You need to be constantly building reflexes and building muscle memory for your people, which is where the testing component comes in. No matter which tool you use, even if you are using a homegrown program, you need to send a social engineering test like a phishing test to users at least every 30 days. By doing both training and testing, you are running a hearts and minds campaigns like a marketer would. Over a period of time through different channels/mediums you can start building influence in the mind. Supplementing that with frequent phishing attacks you are building the muscle memory on top of that so users naturally react in the right way. That's the key to building resilience.

SATMarketing


Building-an-Effective-and-Comprehensive-Security-Awareness-Program--Fanned

Whitepaper: Building an Effective and Comprehensive Security Awareness Program

This whitepaper will help break down the critical components of a successful security awareness program and connect them together into something comprehensive, continuous and engaging.

Get the Whitepaper


Security-Awareness-Training-Example-Policy-Guide-Fanned

Whitepaper: Example Security Awareness Training Policy Guide

Like any cyber risk mitigation strategy, security awareness training works best when procedures are written down to ensure your team walks through the necessary steps as efficiently as possible. Download this free guide to learn why a dedicated security awareness training policy is important and how to craft one that works for your organization.

Get the Guide


Variety of Content

More than just formal training

When you think of cyber security awareness training content, the first thing that comes to mind is probably traditional courses in an LMS. It's so much more than that! Other examples include videos, games, blog, webinars, posters, messaging on swag, self-produced content, newsletters, email content, etc. Anything you can deliver that conveys your message and elicits some kind of thinking, engagement or reaction is considered content.

Make your content interesting and relevant to your uses

This is important when it comes to training because if content isn’t appealing to the audience it’s in front of, it doesn’t feel relevant to them and won’t stick with them. Relevance is key. The human mind learns through storytelling, security awareness training is no different. A story contains contextual information that a boring, written policy simply cannot. People learn in many different ways and naturally gravitate toward different types of content, so it makes sense that if you use a one-dimensional approach in training, you are going to lose a huge part of your audience. You want to come to the learner with content suited for them rather than try to make them learn in one certain way.

And don’t just add more content for the sake of having more content. A diverse portfolio of different types of content will get the message to resonate. Repetition is key for knowledge to stick, and you need to have variety to go along with a repetitive message. Showing the same exact course over and over isn’t going to make much of a difference. If you're not sure where to begin, you're not alone. Many vendors can provide recommendations and best practices. Start there and adjust over time according to what works for your environment.


Inside-Man-S5-Announcement-Blog-Featured-Image

The Inside Man - Security Awareness Video Series

The Inside Man is KnowBe4’s first custom network-quality video series that delivers an entertaining movie-like experience for your users and makes learning how to make smarter security decisions fun and engaging. From social engineering and passwords, to social media and travel, The Inside Man reveals how easy it can be for an outsider to penetrate your organization’s security controls and network.

Want access to all five seasons and check out all our great security awareness training content?

It’s easy! You can now get access to our ModStore Preview Portal to see the world's largest library of security awareness content; including 1000+ interactive modules, videos, games, posters, and newsletters. You can easily browse, search by title, category, language or content topics. See how entertaining security awareness training can be!

Get Access Now! >>


Four Layers of Security, Starting With The Human Firewall

 Okta, one of the largest Identity Management players, provides single sign-on and a host of other services. They "see" what everyone is using in the sense of which apps users are logging on to. Okta used data from 7,400 customers and more than 6,500 cloud, mobile and web app integrations to compile a new report. The average company deploys more than 150-security focused tools, and based on findings of the past four years, there is a new modern security stack consisting of four layers of security. Those are designated as: 

4-security-layers-human-firewall

  1. People - Not only focusing on accounts and credentials, but physical security solutions
  2. Devices - Includes tools for security analytics, endpoint management and security and certificate management.
  3. Network - Secure web gateway tools, VPNs and firewalls, and proxies
  4. Infrastructure - Content delivery network providers, server access, and infrastructure monitoring tools

With cybercriminals knowing your untrained users are the weakest link into your network, it is more important than ever to add cyber security awareness training and strengthen that people layer. Today’s email filters have an average 7-10 percent failure rate; and about 30 percent of data breaches are caused by repeat offenders from within the organization.  You need a strong human firewall as your last line of defense.

Avoid Potential Pitfalls in Phishing Your Users

Five Principles to build positive anti-phishing behavior management programs

Building positive anti-phishing behavior with cyber security awareness training

Shifting organizational behavior requires a recognition that simply exposing employees to security-related information will never be enough. Instead, it is imperative to train secure reflexes through intentional and methodical simulated testing so that employees are continually exposed to the situations in which you hope they will exhibit secure behavior.

Some security and organizational leaders might be hesitant to phish their users, fearing that end-users or managers could react negatively to the experience. In fact, some organizations may even have horror stories of phishing simulations that have backfired, resulting in more harm than good. Yet, security leaders, auditors, and adult-learning experts agree that the best way to train secure reflexes is through simulation (not information).

It is possible to work through concerns related to simulated phishing and, in fact, make the experience positive for end-users and management alike. Use the following five principles to build a positive anti-phishing behavior management program:

  1. Frame the program with a positive tone: the way that employees react to simulated phishing events is directly related to the way that you message the program. If employees feel that your main goal is to trick them and make them fail, then they will view you as an adversary. It is much better to position your program as something that you are doing for the good of the organization and the employees within it. In short, your message is that you are running these campaigns for the same reasons that you conduct events like fire-drills. For people’s ultimate safety and preservation.
  2. Be intentional about your ‘post click’ landing pages: The time immediately following a phishing test failure is your most critical messaging moment. Employees will naturally feel the most vulnerable and sensitive when they’ve fallen for a simulated attack. If you are directing them to a landing page that lets them know they’ve failed, it is important that you account for their heightened emotional state. Use the learning moment – but be extra careful not to heap shame on the employee. Instead, be friendly and to the point. Additionally, your messaging for any follow-up training should not be framed in shame or condemnation; it should remind them of the program, why tests like these are important, and how we all struggle to retrain human nature.
  3. Empower them with new behaviors: Give your employees the power to build new behavioral patterns by offering them replacement behaviors. Humans struggle with simply removing a behavioral pattern. It can actually be easier to replace one behavior with another. For phishing simulation tests, we consider it best practice to have your employees report the simulated phish by clicking on our free Phish Alert Button (PAB). This not only gives them a replacement behavior, but can also give them a positive reinforcement by displaying congratulatory message for reporting the simulated phish. For organizations that have not deployed the PAB, train them to think, “when in doubt, throw it out,” so that their replacement behavior is simply deleting emails that are worrisome.
  4. Measure and train at their individual competency – and train for improvement: In all organizations, there are different levels of employee sophistication in detecting simulated phish. You will have some employees who almost never fall victim to phishing tests, and some who fall victim much more often. Because your employees have different levels of maturity in detecting phish, it can be extremely useful to train employee groups at their current level of competence, so they can improve. For the same reason that we don’t expect grade school students to do college-level math, we shouldn’t expect employees to immediately become expert phish detectors. Consider a tiered system of phishing training for your users to train them according to their current level of competence and allowing them to grow over time.
  5. Phish frequently: A pattern of frequent simulated phishing tests let employees know simulated phishing is a part of your security culture -- that this is standard practice because frequent training provides the best chance at developing proper reflexive behaviors. Organizations that only conduct yearly or quarterly simulated phishing are actually only performing baselining measurements – not training secure reflexes. Monthly – or, better yet – bi-weekly simulated phishing training will let employees know that they should always be on the lookout for the next phish to land in their inbox, and that they can always show improvement because the next test is not far away.

Creating your anti-phishing behavior management program according to these five principles will ensure that your program is seen as something that builds-up employees rather than tearing them down. These principles are aimed at recognizing that humans can become an effective last line of defense for your organization when given proper training, motivation, and support.

Avoid these top 10 security awareness training program fails

 

We want you and your employees to enjoy the benefits of a great security awareness training program without experiencing the pain and setbacks associated with missteps. Set your organization up for success by avoiding these common cyber security awareness program fails:
  1. Avoid singling out users that click on a phishing link and making a public example of them. Do not punish employees that make mistakes early on.
  2. Avoid sending phishing campaigns only every 90 days. Quarterly phishing tests really just take a baseline, whereas phishing users at least once a month is an effective method to groove in making smart security decisions.
  3. Avoid sending the same phishing template instead of randomizing the templates to each user, and running campaigns on predictable times like every Monday afternoon.
  4. Avoid starting out with 5-star phishing templates that are too difficult to identify.
  5. Avoid sending only phishing attacks and overlooking stepping users through interactive training.
  6. Avoid forgetting to emphasize that this program will also help your users to keep their family safe online.
  7. Avoid forcing the program through your users throats, and bypassing getting C-level air cover for the program. You want as much buy-in from the get-go as possible.
  8. Avoid neglecting to inform key stakeholders, department managers and tech support before you send the initial baseline test.
  9. Avoid not reporting the positive results to the stakeholders with graphics that show improvement over time.
  10. Avoid not having a good procedure / process that allows users to report phishing emails that they found in their inbox, and not having a Social Engineering Incident Response program.

Follow these guidelines to ensure the success of your program. Need help getting started? KnowBe4's Automated Security Awareness Program takes away all the guesswork. Answer 15-25 questions about your goals and organization and get your customized program in just 10 minutes!

* This list is also available as an infographic


pst30_V2

How many of your users would click on a phishing link?

Find out what percentage of your users are Phish-prone™ with your free Phishing Security Test. Why? If you don't do it yourself, cybercriminals will. Plus, see how you stack up against your peers with phishing Industry Benchmarks. Start phishing your users now. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Go Phishing Now!


When To Go Pro

The difference between knowing you can do it on your own, and getting to the point of feeling stretched and needing to bring someone in

Ask yourself, do you have the capacity and capability and talent within the organization to be able to put out a product that will actually drive quality training and the behavior change you’re looking for? Even organizations that have dedicated internal training teams can struggle with this.

Usually, taking that next step in looking for an outside vendor means you are looking for help with frequency, providing the right kind of content, and the ability to couple that with the correct activities that should be happening like simulated phishing. It can be appealing to do it on your own because you have complete control. However, everything is manual and it’s really hard to be good at (let alone have time for) creating a really robust security awareness program with a good variety of content.

Something to look at as you’re evaluating the market is that potential vendors have content available in a variety of flavors, lengths, languages, role-specific, etc. to fit the needs of different users across your organization. Having ways to repeat the same messaging without using the exact same training is important. Maybe you have a handful of topics you need to reinforce throughout the year. Without having a library of different types of content, the messaging falls flat over the course of a year. A good example of the most effective way to accomplish that would be: have a definitive piece of content that you deliver annually, that is what you use to check the box on compliance requirements. Then you have supplemental content that reinforces the annual training. As you’re looking at vendors, evaluate if they would only be fulfilling the annual training and in that case, necessitate a secondary or tertiary vendor to build up that content library you will need.

5 Ways Vendors Can Help To Improve Your Program:

  • Continuous production of quality materials - updating content monthly is undoable for most organizations
  • Being able to put out content that aligns your key topics with current news
  • Expertise on topic, production, writing, filming, animation, plus technical aspects around things like phishing and social engineering
  • Also - be honest with yourself about ROI. Think about the time you are spending on your program. Most of the time you will find that a program through a vendor is actually a fraction of the cost
  • Vendors can provide a level of engagement, service and consistency that would be hard to do on your own

Reporting

Investing in a program and not having any insight to prove its value is a huge problem. Easy access to reporting data is an absolute necessity. It’s easy to get lost in a ton of metrics, but best to focus on a few areas that show changes in behavior and can consistently be validated through easily accessible tools.

Three key areas to make sure you are covering include: an understanding what is most valuable to measure, having the tools that allow you to easily grab the data you need when you need it, and having a narrative that goes along with the reporting. Most of the time, executives are just seeing high-level numbers with no context. Having a meaningful story is much more effective at illustrating a narrative that shows movement of the behavioral change of an organization.


 

LeveragingSATVendor-SOCIAL-1

Watch the Webinar: Why It's Time for Your Organization to Start Leveraging a Security Awareness Vendor

In this webinar KnowBe4’s Perry Carpenter and Joanna Huisman discuss the benefits of partnering with an experienced provider and what to look for as you evaluate Security Awareness Training vendors.

Watch Now


How to Gain and Maintain Executive Support for Your Security Awareness Program

How to work through "push back" when seeking to implement security awareness and training programs

Conference

With so many regulations and audit standards requiring organizations to provide critical security-related information and training programs for their employees, it can be shocking that security leaders often encounter high-level "push back" when seeking to implement cyber security awareness and training programs.

To overcome this situation, propose your program in a way that addresses executive concerns, links to corporate objectives, and tells a story. This is accomplished in three steps:

  1. Seek first to understand

    Habit five of Stephen Covey's "Seven Habits of Highly Effective People" states, "Seek first to understand, then to be understood." Dr. Covey writes,

    "If you're like most people, you probably seek first to be understood; you want to get your point across. And in doing so, you may ignore the other person completely, pretend that you're listening, selectively hear only certain parts of the conversation or attentively focus on only the words being said, but miss the meaning entirely. So why does this happen? Because most people listen with the intent to reply, not to understand. You listen to yourself as you prepare in your mind what you are going to say, the questions you are going to ask, etc. You filter everything you hear through your life experiences, your frame of reference. You check what you hear against your autobiography and see how it measures up. And consequently, you decide prematurely what the other person means before he/she finishes communicating."

    It is vital to recognize that most business leaders (and end users) simply will not care about security in the same way that a security professional does. People don't care about security for the sake of security alone. What they care about is the result that a sound security strategy can provide and the impacts/risks associated with the lack of a sound security strategy. Use this understanding to inform the methods that you use to engage the organization and business leaders.

  2. Take Genuine Interest and See the Motivation Behind Any Concerns
    So, what motivates a business leader? The answer is: business risks and business outcomes. Therefore, it is helpful to position your security awareness and training program in this context. To do this, consider highlighting the following:
     
      • Issues associated with behavior-related risks. It's important to speak to the traditional factors related to the possibility of data breach and negative PR. But don't stop there — behavior-related risk is broader and gets into areas related to system stability, continuity of operations, employee morale and productivity, proper handling of intellectual property, and more.
      • Regulatory and audit requirements. Here is where you get to highlight the slew of regulations and audit requirements that mandate awareness and training programs.
      • Industry best practice and competitor benchmarking. Decision makers are very interested in understanding where their organization stands relative to peer organizations. A few data points that decision makers may find interesting include: what are the standard topics that organizations like us train on? What is the average phish-prone percentage for organizations like ours, and how do we compare? What are the greatest behavior-related risks for organizations like us? How much do other organizations spend on security awareness and training programs?
      • A sense of respect for everyone's time. Time is your employee's most valuable resource. It's important that your security awareness and training program respect this fact by not exposing employees to information that is irrelevant or unnecessary. Where possible, provide data points to demonstrate that your awareness and training efforts will have a positive payback for the organization.
      • Evidence that you have an informed plan. Give your executive team confidence in your program by eliminating as much uncertainty as possible. Often, security leaders embark on awareness and training programs that are amorphous and without a clear sense of direction. Eliminate uncertainty and/or smooth-out any potential future conflicts by sharing a well-formed plan that removes the guesswork.

  3. Connect Your Security Awareness Program to Organizational Outcomes
    Where possible, you need to speak the language of "the business" and report in a way that shows relevance to organizational outcomes. Notice that this is directly related to the other points mentioned in this article. In order to report in a relevant way, you first need to understand your organization's targets and the agreed-upon risks.

    When reporting your security awareness successes, continue to remind the executive team why the program is important, and how the activities and metrics connect with the motivations outlined in points 1 and 2, above. In the end, many of the metrics can be the same as you would normally report (for example, course completion rates, phishing test outcomes, and so on), but the difference here is that you are able to put these numbers into context. This context is used to tell the story of how your security awareness and training program is strengthening the overall security culture of the organization, thereby reducing risk, potentially increasing productivity, and having a positive impact on the organization's ability to execute.

"Culture eats strategy for breakfast." - Peter Drucker, Management Consultant, Educator and Author

Maintaining Executive Support for Your Program

Communication Strategy is Key

Any time you are presenting data numbers, don’t leave the interpretation up for chance. The ‘what’ is the data, with every ‘what’ comes a so what? meaning what does that data actually mean? and a now what?, or what do we do in light of that information? Any time you have a what, you need to answer the so what and the now what, otherwise you’re leaving one or both of those things up for interpretation and that’s a chance you cannot afford to take. Your communication strategy throughout the whole process is key. You want to tell a memorable story, the moral being you need cyber security awareness training. Use statistics and charts and graphs to support that story.

Capturing Executive Attention

What’s in it for them - Answer the "so what" question. Answer specifically for each member of the executive team what is going to matter most for them with the output of a security awareness training program. This can be talked about positively - increased resiliency that leads to stabilization of environment, higher employee productivity or negatively - pain that can be avoided when this is done right (data doesn’t get exposed, users don’t get compromised, etc.).

Outline clear connections - Showing connection between the action of training and things that are important for that executive. Could be a specific system, business outcome, specific project, a regulation they are accountable for.

Measurement and stories - Talk about what is going to be measured, how it will be presented, and use that to get into the morality (this is what goes wrong without a security awareness program, here is what can go right, etc.)

Be on the Lookout for Ways To:

  • Align your program to the organization’s strategy, mission, and initiatives. This can get heads around the table nodding.
  • Tie your program to compliance requirements. For most major security best practices, audit requirements and regulatory requirements, security awareness training IS a requirement.
  • Use current events and stories about organizations that are similar to yours in terms of industry, size, or other demographic characteristics. Note: Be careful not to do this in a way that will be perceived as alarmist or as fear mongering. The closer to home it feels, the more real it becomes in their minds.
  • Map your program to established industry best practices (such as the NIST Cybersecurity Framework, the National Association of Corporate Directors guidance on cybersecurity, and so on).

Use SMARTER Goals

Show that you are being very intentional about starting your program and you will more likely get the support, budget and resources you need to get it started. Use a SMARTER goal-setting framework, goals should be Specific, Measurable, Actionable, Risky, Time-keyed, Exciting and Relevant.

Goals like "The goal is to reduce our phish-prone percentage" or "To be able to engage employees so they are more aware of the risks and threats around them" are not specific or measurable and are certainly not exciting. An example of a SMARTER goal would be: We are going to reduce our phish-prone percentage from an initial baseline of 30% down to 15% within the next 45 days. You will know for sure whether you’ve hit the goal or not once that 45 days is up. With this framework in mind, it is much easier to build out your training plan and reporting schedule around these types of goals.

Brainstorming Worksheet for Gaining Support

We recommend filling something like the below sheet out for each executive you need to get buy-in from. This isn’t to share with anyone, it’s a tool for you to help before you start meeting with your executive team. Find ways to amplify their value proposition and address or minimize their concerns early on. Try to have one-on-one conversations before you officially ask for support so there are no major surprises when that time comes.

Support Worksheet

It's a Marathon, not a Sprint

It's very important that you present this as an ongoing program from the very beginning - not a one and done. Think about the difference between an event and an ongoing effort… and the difference between a sprint and a marathon. Time and consistency make a BIG impact in changing behavior for the better.


ExecutiveSupport-SOCIAL

Watch the full webinar: How To Gain and Maintain Executive Support for Security Awareness Training

In this webinar, Perry Carpenter, Chief Evangelist and Strategy Office at KnowBe4, helps you detangle the complicated web of politics around securing executive support for security awareness training.

Watch Now

Awareness Posters

Awareness posters are great to display in the office as a reminder for the whole organization to keep security top of mind. Posters should be changed frequently enough so the message doesn't get stale. These high-res JPGs are suitable for printing:

See All Security Awareness Posters >>

Case Studies

AllianceCS

Nonprofit Security Awareness Training Case Study

The Alliance for Strong Families and Communities aimed to train their staff and enrich their security posture. See how KnowBe4's integrated security awareness training and simulated phishing platform helped them to reduce their Phish-Prone Percentage from 36% to 2.2% within 12 months.

“By employing that automated, immediate remediation training, we know that it’s only a matter of time before our PPP is back down to 2%. It’s our job to make sure our people are cognizant and skeptical of threats so they can stay secure, and KnowBe4 is helping us do just that,”

  - G.M., Systems Administrator and Supervisor

See the Case Study 


EduCS

Education Security Awareness Training Case Study

After an Illinois school district fell victim to a DDoS attack, security and phishing became a higher priority. They needed a better way to protect sensitive data and ensure adherence to The Family Educational Rights and Privacy Act. See how they were able to reinforce cautious vetting of emails amongst staff members with phishing and training campaigns.

“My staff is excellent at teaching, but aren’t as experienced with technology, and they don’t have time in their busy days to gain a better understanding of technology and information security. The KnowBe4 Security Awareness Training model was a way to get their attention and their interest. ‘You just got had with a phishing email’ stands out and would grab anyone’s attention!”

 - D.R., CETL, Director of Technology

See the Case Study 


txtCS

Software Provider Security Awareness Training Case Study

TXT e-solutions was well aware of of the problems that organizations face with social engineering attacks, which is why they believe that educating employees about the dangers is so important. Given the ISO 27001 compliance requirement, their desire to strengthen the company's security culture and their need to satisfy GDPR compliance requirements, they found KnowBe4 to be the best fit to meet their needs.

“In order to fight an ongoing threat of phishing, we have adopted the KnowBe4 security awareness platform to educate our users about phishing and anti-phishing techniques, use security protection and report suspicious activities. By doing so, we have reduced exposure to fraud and identity theft. The most effective fix to phishing is training and KnowBe4 is the right tool for it. Phishing and training campaigns have proven to be effective; we have fewer users clicking on phishing emails since the beginning. You can easily change the difficulty levels of the email campaigns for your more experienced users. KnowBe4 helps us to raise awareness of social engineering attacks. Great company; good pricing; solid training. Highly recommended.”

 - A.U., Group IT Network Engineer

See the Case Study 


Free Tools

ModStore01-1

ModStore Training Preview

The world's largest library of security awareness training content is now just a click away!

In your fight against phishing and ransomware you can now deploy the best-in-class phishing platform combined with the world's largest library of security awareness training content; including 1000+ interactive modules, videos, games, posters and newsletters. Get access to the full library now!

Start Your Preview

asap-monitor-1

Automated Security Awareness Program

Get Your Free Automated Security Awareness Program (ASAP)!

Many IT pros don’t exactly know where to start when it comes to creating a security awareness program that will work for their organization. ASAP allows you to build a customized Security Awareness Program for your organization that will help you to implement all the steps needed to create a fully mature training program in just a few minutes.

Get Started Now

KnowBe4 Security Awareness Training

Employees phishing awareness improvement over timeOld-school awareness training never really hacked it. Herding your employees in the break-room, keeping them awake with coffee and donuts and subjecting them to death-by-PowerPoint gave traditional awareness training a bad rap.

KnowBe4 is your platform for new-school security awareness training. We help you keep your employees on their toes with security top of mind. With this new-school integrated platform you can train and phish your users, see their Phish-prone percentage™ and their Risk Score improve over time and get measurable results.

Your KnowBe4 subscription gives you access to the world’s largest security awareness training library with always-fresh content, via the unique ModStore.

You can choose from dozens of categories with more than 5,000 real-world, known-to-work phishing templates in 34 core languages (as well as 9 more with limited support) that give you the most realistic phishing test environment available on the market.

Whether you're a small business, enterprise, or are looking to partner with KnowBe4, we will suggest best practices for your size/type of organization!

 

What Makes KnowBe4 Unique?

  • Flexible and adaptive: Greater context-awareness and real-time intervention
  • Focus on time savings: Micro-learning, behavioral baselining, test-outs, fine-grained roles/rules
  • Smarter: Broader use of AI and machine learning
  • Plug-able: More integrations with 'traditional' security tools
  • Sneakier: Better automated social engineering use cases
  • Sensitive: Learner sensitive and aware
  • More flavorful: more variety of content, styles, tones, formats, etc.
  • Assistive: Will naturally encourage greater program maturity

We have the largest content library in the world. We are the largest security awareness training provider in the world. With over 50,000 customers (and counting), nearly 1,000 employees, and offices in 9 countries, KnowBe4 is the world's most-popular and most proven security awareness vendor.

Testimonials and Reviews

 

Keep Users Vigilant About Cybersecurity

Melody was referred to KnowBe4 and immediately began phishing campaigns for her staff, telling only one other partner. Based on initial results, they identified the need for staff training and got buy-in from the rest of their partners. She trains staff to be vigilant about phishing and ransomware attacks and KnowBe4 makes her job easier because of the available resources on the platform.

 

Why You Need To Invest In Your Human Firewall

Jesse got his CISO involved with KnowBe4 from the beginning and had top-down buy-in. When they started phishing their users they had a 23% click rate. Based on reported results from training and phishing campaigns, they are getting more buy-in from across the organization. He recommends KnowBe4 and thinks not enough organizations invest in the human element of cybersecurity.

 

How KnowBe4 Helps IT Sleep Better at Night

Nelson is the IT Director for a nonprofit that was hit with a ransomware attack a few years ago. While the attack was caught immediately and they were able to restore their files, they realized they needed help. He phishes users weekly and went from a 33% Phish-prone rate to less than 1%. Since starting KnowBe4, he sleeps better at night and users are constantly aware of cyberattacks.

What People Are Saying About KnowBe4

KB4EmailHeader-DEMO-ALT2

Request A Demo

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Get a product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform. In this live one-on-one demo we will show you how easy it is to train and phish your users.

Request A Demo

products-KB4SAT6-2-1

Get A Quote

Today, your employees are frequently exposed to advanced phishing and ransomware attacks. You need New-school Security Awareness Training.

KnowBe4 is the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. 

Your users are your last line of defense. Find out how affordable creating a "Human Firewall" is. Get a quote for your organization now and be pleasantly surprised.

Get Your Best Price

Security Awareness Training In The News


New Research: BEC Attacks Rose 246% in 2023

Business email compromise (BEC) attacks surged by 246% last year, according to researchers at ReliaQuest.The researchers believe the increase is due to widely available phishing kits that facilitate BEC.

The European Union's Unified Approach to Cybersecurity: The Cyber Solidarity Act

The construction of a more cyber resilient European Union (EU) took a remarkable step forward this past week as negotiators from the European Parliament and the European Council reached a provisional agreement on the proposed Cyber Solidarity Act.

FBI's 2023 Internet Crime Report Highlights Alarming Trends on Ransomware

The specter of cybercrime continues to grow, with losses soaring to $12.5 billion in 2023, according to the recently released Internet Crime Report by the FBI's Internet Crime Complaint Center (IC3).


Get the latest about social engineering

Subscribe to CyberheistNews