Q1. You have written about familiarity breeding a false sense of security at many organizations. How is that impacting enterprise responses to mitigating phishing risks? What should security leaders be doing to ensure that familiarity doesn't lead to complacency when it comes to dealing with security threats?
Security leaders need to recognize some of the basic tendencies of human nature. When it comes to something like familiarity breeding a false sense of security, there are several ways that happens. First, if you are an organization that does phishing simulations and you always send the same template or tend to train on the same types of phishing tests, then you are really just teaching your people how to spot those specific types of phishing emails. And so, if you look at your phishing metrics and are celebrating your current phish-prone percentage, then you’ll have a false sense of security because attackers certainly aren’t limited to the single attack type that you’ve trained on.
There’s another type of familiarity that causes problems – and that’s where you provide the same video content, posters, or other material over and over and over. The first couple times people see the information, it’s new and they will pay attention. After that, they become numb to it. If it’s a poster that’s been up for several months, many people will not even notice that it is there anymore… it’s effectively invisible to them.
The way to ensure that familiarity doesn’t become a problem for you is to inject diversity and variety in your training. You need to do simulations using a wide variety of phishing templates and even consider taking some of the actual phishing emails that have bypassed your secure email gateway and create simulated versions of those. Your goal isn’t just to get your people good at spotting simulated phishing attacks, it’s to get them good at spotting and reporting all types of phishing.
Similarly, with content like videos, posters, and newsletters, you need to keep things fresh. And, more importantly, ensure that your content is relevant. That combination of elements will naturally encourage greater interest and engagement.
Q2. KnowBe4 recently introduced a new Security Culture Maturity Model for helping organizations measure the maturity of their current security-related practices. What exactly does it help an organization measure and how will they benefit from it?
Over the past few years, the phrase “security culture” has gotten pretty popular. Security awareness leaders, CISOs, and other executives instinctively know that it is important. But there was a problem – despite the fact that everyone believed it was important, there was very little understanding of what security culture actually is. There was no industry definition for the concept, and that meant that lots of people agreed that “it” is a good thing, but they had no way of measuring how well they were doing at achieving “it.”
Our first step at helping address this problem was setting forth an industry definition of security culture. Security culture is defined as the ideas, customs, and social behaviors of a group that influence its security. Then we took it a step further by demonstrating that security culture could be broken up and measured across seven different dimensions: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities.
But there was still one more step needed. And that was a high-level, data-driven and evidence-backed instrument to measure an organization’s journey to create a security culture. And that’s what we set out to do when creating the Security Culture Maturity Model (SCMM). This new model can measure an individual, group, department, organization, or region’s security culture using something that looks very much like a capability maturity model… but actually hides a lot of complexity.
We are able to measure several data points – what we refer to as Culture Maturity Indicators (CMIs). Each one of these CMIs is interesting on its own, but the power comes in the aggregation of several CMIs. That aggregation is what helps to stabilize the data and provide the most accurate picture possible of an organization’s true security maturity.
Q3. What does KnowBe4 plan on highlighting at Black Hat Asia 2022? What do you want customers to take away from your organization's participation in the event?
We’ve got a ton planned for this year. At the KnowBe4 booth, we will be discussing our KMSAT platform, showing people how they can easily get up and running with a fully mature security awareness program. We’ll also be demonstrating PhishER and some really cool features like PhishRIP and PhishFlip that can truly make an organization’s employees part of an active defensive security layer.
We also have an on-demand zone session, featuring a presentation from our Chief Product Officer, Greg Kras. Greg will be highlighting the power of our platform and showing off some of our most exciting features like our new Security Culture Benchmarking Feature, which allows an organization to compare their security culture against that of similar organizations. He’ll also show how the platform provides AI-driven training recommendations for end users in their own UI, our “Brandable Content” capabilities that give organizations the option to add branded custom content to select training modules, and a ton of other cool stuff. Please be sure to stop by.