We spoke to James McQuiggan, security awareness advocate at KnowBe4, a new-school security awareness training and simulated phishing platform. James introduced the company’s products – including one carrying the stamp of approval of the FBI’s most wanted hacker of the 90s – and the challenges that a cybersecurity professional has to face in 2020.
Please tell us a bit about the history of KnowBe4.
KnowBe4 is a security awareness and training company that provides what we like to call ‘new school security awareness training’ and phishing assessments, and we have a variety of products to help fight phishing attacks in organizations.
We’re having our 10-year anniversary. Over the last 4 years, the hypergrowth of our organization has been crazy; it has just taken off, and I think a lot of this is due to more organizations realizing that they need security awareness training. There’s an extremely quick return on investment for them.
For instance, they can reduce their ‘Phish-Prone™ Percentage’, which is the likelihood of them clicking on a link. In the research that we’ve done, when they don’t have training, 39% of your employees are going to click on a malicious link. When you put them through training, after about a year, that number goes down to about 4%.
What are the services and products that KnowBe4 offers?
We have the Kevin Mitnick security awareness training – Kevin is our Chief Hacking Officer, also known as the world’s most famous hacker. There are hundreds of modules of this training aimed at specific needs.
With the phishing assessment tool, there are thousands of templates available to send to your employees. Once you do the phishing assessment, you can go through additional training to emphasize the point that’s been made with the phishing.
One of my favorite tools is the red flags of social engineering: there are about 22 of them and they all focus on phishing emails. These are 22 different things you want to look for to make sure you’re not getting phished. We even have phishing templates for COVID because a lot of organizations want to make sure that their employees aren’t falling for any COVID scams.
There are two newer tools called PhishER and PhishRIP. Those two applications deal with assessing and reviewing any type of phishing emails that come into your organization – real ones. If there’s a phishing email coming into your organization, your IT team can use PhishRIP to go to everyone’s mailbox and, if they’ve got that phishing email, the IT team can remove it from everyone’s mailbox.
We also have a GRC tool – Governance, Risk and Compliance. We found, going into organizations and having conversations with them, that they didn’t really have a good program that they were using to track their governance and compliance requirements, including the policies. The tool has been around as long as the company has been established. It was created early on and has been developed over the years. It’s very easy to use and intuitive, and we are slowly getting more and more people to use that application as well.
We have already observed a spike in cyberattacks during the pandemic. Did you notice any difference between cybersecurity before and after COVID?
It’s a challenge for any organization. Some of them are finding their employees are a lot more productive working from home. Others want to get people back into the buildings because we’ve been seeing a lot more phishing and social engineering attacks against employees that are at home.
When you are inside the confines of the building and something weird comes in, you can turn to your colleague or send it to IT, but when you’re working from home, you are more comfortable and relaxed. We’ve been seeing a lot more phishing attacks going on.
The recent Twitter hack was all done because of social engineering: targeting people who were at home. The cybercriminals were able to gain access there; they knew that companies like Google and Twitter are letting their employees work from home – these were easy targets.
A lot of organizations have also ramped up their security awareness training as well. You can’t just rely on annual training; you need to be able to continually reinforce security awareness, so that you can strengthen it to become a security culture. I think if organizations can have that habit, whether it’s a daily meeting or weekly staff meetings where you talk about passwords, tailgating and phishing attacks, just to keep it in the mindset of the employees, it further drives the culture.
What are the main challenges for a cybersecurity professional to face in 2020?
A lot of it comes down to being able to protect the perimeter, the data and the employees. From the perimeter standpoint, that is slowly going away: organizations are putting more and more stuff into the cloud. Then, you have to start relying on additional identity and access management controls, machine identification, making sure the right people have the right access to those systems.
The different challenges that cybersecurity professionals face are all the different tools that are out there, all the different systems, services and applications within their organizations’ environment doing different things. A lot of the time, people in these organizations need to take a step back and look at a data-driven defense versus what is the latest tool out there.
They need to look at what the organization needs to protect first, as a whole, and build up from there. Because, in the event you do get breached, it’ll be a lot harder for those cybercriminals to gain access. For years, a saying I had was: ‘you are either a company that’s been hacked or you’re a company that has been hacked but doesn’t know it yet’.
It’s important for organizations to have the mentality that a firewall is no longer keeping out the bad guys. You have to think the bad guys are in your organization, and think about what to do to make sure that, if they do get in, you can contain them so they can’t get to the crown jewels.
You focus on the employee factor and how they can be unprotected. What tips do you have for employees in an organization to protect their data, even if the organization doesn’t have a system in place?
Employees are your greatest asset. But if they’re not made aware of the dangers out there and how to protect themselves, it’ll work essentially like a home: you may have bars on the windows, an alarm system and a ‘beware of the dog’ sign in the front window. But if they come up and ring the doorbell and your teenage son or daughter decides to open up the front door and allow them to come in, you are in a losing battle right there.
Educate the people around you. Look for open-source software to encrypt or isolate folders, or make backups of data and disconnect them. A lot of times, when ransomware hits, cybercriminals have been in the system long enough to delete your backup.
Also, with KnowBe4, you can have a free phishing assessment done for up to 100 people in your organization. The IT team of the organization can analyze it and start working down the path to communicate to upper management to take the necessary actions.
A lot of times, you can’t go into one of these conversations and be all technical. Rather, you need to speak their language: to talk about the reputation of the organization, loss of data, intellectual property, loss of revenue and damage to business, to perk up the ears of upper management.
Those are some big keywords, right?
Yes. When you start talking about loss of reputation, loss of business, loss of revenue and have the data that shows other organizations that have been through the same situation, you’ll be able to put the programs in place to protect the organization or the employees.
If you can speak the language of the CEO, it will make your life a lot easier as a security professional.