Security awareness training and simulated phishing firm KnowBe4 has secured $30 million in Series B financing led by Goldman Sachs Growth Equity (GS Growth), with existing investor Elephant participating. It brings the total financing raised by KnowBe4 to $44 million.
“KnowBe4 has separated itself as a leader in the cyber-security awareness training market, with their platform becoming a ‘need to have’ for businesses across sectors and geographies in the fight against cyber-threats,” said Hans Sherman, a Vice President in Goldman Sachs’ Merchant Banking Division, who will join the KnowBe4 board of directors in connection with the investment. “Our financing will support the company’s continuing growth as they expand globally and develop new products to serve this fast-growing market.”
KnowBe4 was formed in 2010. By 2014 it still lagged behind its big competitors, PhishMe and Wombat. Since then it has grown rapidly. Chief evangelist and strategy officer, Perry Carpenter, claims that it is now the fastest growing vendor in the market.
He told SecurityWeek the rapid growth is a combination of three primary factors: being priced for SMBs while being technologically targeted for large enterprises; a growing market readiness to use staff training to counter the emergence of ransomware and business email compromise (BEC) fraud; and the need for staff training to counter the insider threat (to prevent naive actions and help detect malicious actions). KnowBe4 uses a combination of awareness training and simulated phishing on what is now a well-proven and stable platform.
“The confidence in our company demonstrated by GS Growth’s investment shows the strength of the new-school security awareness training market, and support for KnowBe4’s approach and dedication to mobilizing an organization’s last line of defense, its employees, to make smarter security decisions and reduce overall company risk,” said Stu Sjouwerman, KnowBe4 Founder and CEO.
KnowBe4’s training combines simulated phishing attacks, case studies, demonstration videos and tests with real-world scenarios to help employees understand the mechanisms of spam, phishing, spear phishing, malware and social engineering. Earlier this month, the company published its Q3 2017 list of top-clicked phishing email subjects from its enterprise training sessions. The top three are ‘official data breach notification’, ‘UPS delivery’, and ‘password expiry notification’.
“In the wild,” Carpenter told SecurityWeek, “things like coupons for free pizzas are almost always in the top ten because it’s self-interest. It’s, literally, feeding an appetite. Suspicious activity in your bank feeds fear.” Phishing usually plays on a small number of human characteristics, such as self-interest, curiosity, FUD (fear, uncertainty and doubt) and urgency. The intent is to spark an emotional knee-jerk reaction from the targets — to get them to click the link automatically and reactively.
The purpose of continuous training, said Carpenter, is to ‘train-out’ that knee-jerk reaction and give staff the emotional permission to slow down and think about things: “to mentally scan the content for suspicious phrases and links.” He likens this to creating muscle memory, like learning how to catch a ball. “It’s awkward at first, but the only way to get better at it is to subject yourself frequently. Quarterly simulated phishing isn’t really training — it’s quarterly baselining. You need to do the training almost continuously — at least every two weeks — and then you’re conditioning behavioral response.”
Carpenter sees scalability as the current trend in targeted phishing. “Social media is being scraped for data, engines are being used to analyze the data, and botnets are used to deliver targeted phishing emails.”
KnowBe4, said Carpenter, tries to replicate this in its training. “We have an AI-driven agent that takes on a personality. We have a Facebook support agent; we’re training one to be a dental receptionist, and so on. They have these personas and they try to engage people through an email: ‘Hey, this is Bob at Facebook Security and we’ve noticed some suspicious activity on your account… click on this link and we can sort it out.’ If they click on the link, they’ve been owned and we do the training there and then.”
But if they ignore it, then a few hours later the agent will send a text message: “Hi; hope you got my email. Plz check it out and take the appropriate action.” If they don’t respond to that, then the agent can move over to a voice mail. “It’s kind of chat box-based,” explained Carpenter, “where the AI has been trained in more than 50,000 question and answer pairs so that if someone responds to it, it can have a conversation. That conversation is all about trying to drive the user to take the action that the social engineer would want them to take.”
Phishing awareness training is difficult, but necessary. “Phishing attacks are responsible for more than 90 percent of successful cyber attacks and the level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats,” said Carpenter. “It is clear that humans are the weakest link in an organization’s security program. Simulated phishing helps CISOs and IT Managers reduce the human error within their organization, thus reducing their social engineering attack surface.”