Assessment and Evaluation, Internet Security Awareness Training

Put a Stop to the Company Phishing Trip

A one-minute video about Internet Security Awareness Training explains how your organization can get:

  • A free security audit to measure how Phish-prone™ your organization is
  • First2Know™ Internet Security Awareness Training to make your employees less susceptible to phishing attacks (25-minute, high-quality training that is updated to keep pace with industry changes)
  • Clear reporting and measures of the training’s effectiveness through training reports and scheduled phishing security tests
  • ThreatApp™ daily smartphone updates with relevant threat intelligence
If you didn’t leave my site to begin using this service (I’d forgive you), I would like to share information about the CEO’s design concept and my involvement in the project, which was to help deliver the Dynamic Content Updates (DCU)™ technology and to select a solution that can run on client LMS systems or through a KnowBe4 portal customized for each client.

Cybercrime is a behavioral issue

You’ve probably heard, a lot, about all the hacks that have occurred, from Epsilon (and the long list of impacted companies) to Sony and the CIA... even the bombing and shootings in Norway had cybercriminals using the incidents to phish for profit within 24 hours.

Cybercrime is a big problem: half a billion dollars in 2010 and growing. The amazing thing is that the weakest link in defending against cybercrime is end users. Cybercrime thrives because of behavioral issues. Yes, there are inherent weaknesses in antivirus software, which only protects against a portion of threats (yes, only a portion, and perhaps not as high a portion as you expect!). However, finding weaknesses in computer code, hardware, or antivirus software is difficult. It is much simpler for hackers to use social engineering to trick users into inviting them right into the system.

The cost of a single breach can be crippling to a business. And it may only take one successful hack of the right account for an internet thief to hit the jackpot: just one. These criminals are flooding the internet with attempts to produce results. In fact, if the internet pipeline were a faucet in your home, 80% of it would be clogged with this garbage. Of all the tools in a hacker’s arsenal, phishing is the tool of choice. It is the optimal pathway for them to gain a backstage pass to your company’s network. The strategy depends on fooling a user into some action. It could be as simple as clicking a link.
The user actions are the keys to success for cybercrime to thrive. This is why Internet Security Awareness Training is truly the best defense against cybercrime. But I didn’t know any of this. I learned it all because I met Stu.

Stu Sjouwerman, founder of KnowBe4 and an amazing training designer

There are many ways to describe Stu Sjouwerman, founder of KnowBe4: Serial Entrepreneur, Author, IT Security Expert, Marketeer, and truly one of the nicest people I have had the pleasure of working for. All of these are accurate descriptions. Many wouldn’t think to describe Stu as a training designer, but he was the IT Security Expert who recognized that cybercrime is primarily a behavioral issue that can be improved through training, and he designed a great solution to address it. I wish I could take credit for the design, but Stu had it all worked out; my involvement was to help deliver on it. Stu’s vision for developing Internet Security Awareness Training illustrates key principles of good training design:
  • Clearly understand your problem: Stakeholders value training when they clearly understand the problem it will solve for their business. The free security audit measures how Phish-prone™ employees are. This is an actual test of your company’s employees, not an abstracted, generalized conclusion of risk exposure based on industry averages. The tests are real-world examples using the same tactics as cybercriminals. There is no risk for stakeholders to gain a clear and accurate measure of the true risk exposure for their organization.
  • Design a system, not a course: Too often, information security training is designed like a marketing campaign. A lot of information is blasted at users as one course to complete. Get the check in the box to “mark compliance”, and be on your way. This won’t produce meaningful or lasting behavioral change. Many courses don’t provide any type of experience in how to react to threats, opting instead to test recall of facts about cybercrime. Even courses with skills-application testing have a critical design flaw: users know that they are in training and that their actions are being measured. This heightened awareness that their behavior is monitored in the training environment can influence users to act differently than they normally would in the work environment. In contrast, KnowBe4 uses the security audit to measure the actual on-the-job results to establish a baseline. The provided training presents scenarios to educate you on how to react to potential threats, and what to do if you suspect your system is compromised. The training measures capture what you learned. What is more important is what transfers to the workplace, when you are not in training, where cybercrime is top-of-mind as the core subject matter. Are learned skills being applied? Ongoing scheduled phishing security tests enable stakeholders to see how skills transfer to work, and enable the organization to take corrective action when necessary. Support tools such as ThreatApp™ complement the training. To make cybercrime prevention in a business effective, a course alone simply won’t do. It requires skills application in the real-world workflow, not a separated test experience as part of a learning event where learners realize they are being monitored as part of training.
  • Repetition, reinforcement = results: The results are transparent and undeniable. The security audit illustrates the starting point, the training reports clearly indicate what skills are developed, and the ongoing phishing tests measure how these skills are translating to applied results in the workplace. Dr. John Medina stated that most of learning is controlled forgetting and reminds us about the importance of reinforcement. These principles are applied by this training design. Let’s talk about results: Clients in a test campaign realized an immediate overall 74.55% reduction in phishing susceptibility after the first training session. But continued phishing tests and supplemental training reduced the Phish-prone™ rate to 0% for all these clients by the 5th cycle.
  • It needs to be real: The scheduled phish tests are as real as a true attack. The mechanics of performing a fake phish are complex and were designed by white-hat hackers to exactly replicate all the components of a real cyberattack (just without the malware part). This is critical. A poorly designed fake phish might be easily identified by users (e.g. if everyone in the organization got the same phish attempt email at the same time). Also, fake phishing has to bypass all the safeguards put in by an IT team so that it reaches users rather than being blacklisted and blocked by network safeguards before it can measure their behavior. By essentially replicating every move cybercriminals use to get to employees in the organization, stakeholders can trust that the results reported from phish tests are valid, reliable, and most importantly, specific to their organization’s security weaknesses.
  • It needs to be relevant: Relevance is a critical challenge to address in security training. Cybercriminals constantly change tactics and attack vectors at a blinding pace. The training must keep in lockstep with these changes to be relevant. This is no small task. It required the development of a proprietary Dynamic Content Updates (DCU)™ technology to enable the training to update with industry changes without disrupting user registration or completion data.
  • It needs to work... and that means work on many levels. It works to drive behavioral change. As for a training design that works, Stu envisioned something quick and focused despite the complexity of the topic (only 25 minutes to produce the behavioral change needed), high-quality and interesting (let’s be honest, there is a lot of tech training that could be sold as a sleep agent, and we needed to avoid that), and easy to navigate (we didn’t want to build a mini-course within the course to explain how to use the course... erm, that sentence was as painful to type as it is to experience one of these designs). Finally, we had to determine how this would work for deployment. Looking at potential clients, we realized that some would have LMS systems and others would not. We needed a solution to allow clients with an LMS to use their system, while also providing access, tracking and reporting services to clients without an LMS. All of this needed to be done so KnowBe4 had centralized control to perform the content updates and manage access for the subscription-based service while keeping costs and administrative overhead for clients extremely low.
Strategies to deliver on the design

This is the design vision Stu shared with me when I walked into his office during our first meeting. My task was to find opportunities to deliver on this vision.

Challenge 1: Deployment with SCORM Cloud

The first key challenge was to determine how to deploy the content to the client base. Some had LMS systems; others did not. KnowBe4 needed central control over the content for the critical and frequent updates and to administer access controls. For our clients without LMS systems, we needed to provide a customized portal for access, tracking, and reporting. After a review of over 50 potential solutions (LMS/LCMS/CMS vendors, assessment systems, portal tools, and other cloud-based services), SCORM Cloud was chosen as our solution. SCORM Cloud allows KnowBe4 to centrally perform the content updates and administer access permissions. This was preferable to providing SCORM packages to clients to upload into their systems, which would require immense levels of effort to coordinate. It was also a far superior alternative to purchasing an LMS system and working to coordinate access with client LMS systems (because when either vendor updates, it often requires reconfigurations to maintain the ties between the systems). The SCORM Cloud pricing model proved much more cost-effective than LMS systems. Another key element of SCORM Cloud is the ability to use its API to create custom portals for access, tracking, and reporting and to tie SCORM Cloud to other critical business services. The KnowBe4 site is a mashup using SCORM Cloud’s APIs, customized parts of the site coded by the development team, and other backend services like Salesforce™ to provide customers an integrated, seamless experience.

Challenge 2: Creating a Dynamic Content Updates (DCU)™ Engine to Keep Pace with Industry

Stu provided a development script to the team at Prometheus Training. They produced a great piece of engaging, easy-to-navigate content in Articulate Studio. Now, we had to figure out a way that we could expose pieces of the SCORM-packaged content so that we could update the content frequently while ensuring we wouldn’t have to upload updated packages that risk impacting user registration, progress, or completion data. For those of you who have worked with SCORM, you know this is quite a trick. Without giving up any secrets of our DCU™ “secret sauce”, I can share that this required a mashup between elements of Articulate Studio 9 and elements of prior versions of Articulate. It was one of the white hat hacker security pros, Brian, who had the vision of building a utility to expose content for updating “from the side” without really breaking open the core SCORM assets. I was very lucky to have Brian really look at how the different versions of Articulate package content to expose a pathway for this to be possible. Who else to expose the opportunity but a professional hacker (note: Brian uses his powers for good; this is hacking for a good purpose)? After looking at a few options, we finally found a mashup of tool versions with an option that would work. Brian built a proprietary tool to feed the updates from the DCU™ into the course without cracking open SCORM and risking user data. We did hit some challenges in pulling off the trick. By substituting portions of different versions of Studio that weren’t designed to go together, we experienced some unexpected side effects. Some of the interactions in other parts of the training (parts we left in the original Studio 9 engine) stopped working as expected.

Support matters most: Kudos for the Articulate Team

I have said often in LinkedIn and ASTD chatrooms that support is the key differentiator for any vendor. I have yet to use a system that I haven’t experienced a problem with. Therefore, it’s your partner’s response to the problem that matters most.
High praise must go to the support team at Articulate for two reasons:
  • First, they went to the archive for prior versions of Articulate no longer sold for us to perform the experiment. It was a very strange request and they had every right to refuse. We were essentially asking permission to explore “retired” versions of the product to crack open and mashup into a new solution for a very unique business purpose. They graciously honored the request.
  • Second, and more amazing, was when we put the pieces together to get the DCU™ component operating, but then saw unexpected consequences in another part of the asset, they provided support. Again, they had every right to refuse. Not only was this on a retired product, but a mashup between components from their organization that weren’t designed to be put together. But, they stuck by our side and guided us to the results we needed to build something truly unique.
The superb customer support and technical insights from the team at Articulate guided me to the options to fix the issues. So, the DCU™ was successfully created, all content was back to operating as designed, and we had a way to update content successfully without uploading new SCORM packages that could risk critical user data. I am immensely proud of being involved in the project and grateful for the support of all involved. I truly believe in the product. KnowBe4 is an extremely valuable service with a great design that delivers real results. Each individual of your organization can be trained to eliminate the risk exposure to cybercrime for less than I paid for my last two cups of coffee. That’s not a marketing claim; that’s a fact you can measure in your business.