In this interview with Toolbox, Jelle Wieringa, Security Awareness Advocate at KnowBe4, dives deep into the capabilities of AI-enabled phishing security software, explains how organizations can leverage the fruits of machine learning to offer relevant and employee-centric cybersecurity awareness training, and what steps organizations can take to inculcate a culture of defense-in-depth in the battle for survival amidst the modern cyber threat landscape.
Phishing attacks have truly become a scourge for organizations worldwide. From garage stores to the largest enterprises, email-based, phone-based or SMS-based phishing attacks and social engineering attempts have spared no one. In fact, 85% of U.S. organizations suffered phishing attacks in 2020, with only 3% of workers reporting such attacks to the management. Moreover, the frequency of phishing attacks becomes even more of a concern if we consider that 97% of targeted recipients are unable to recognize sophisticated phishing emails as fake.
Phishing and social engineering attacks target the human element at all organizations, appealing to people’s curiosities and needs and exploiting their trust to lure them into sharing sensitive data, credentials, or even money. Cybersecurity experts across the board agree that the most potent defense against such attacks lies in training employees to spot phishing lures, practice cyber hygiene, and report attacks to the management. However, this is easier said than done.
Toolbox spoke to Jelle Wieringa, security awareness advocate at KnowBe4, a firm specializing in offering cybersecurity awareness training to organizations worldwide, to understand why phishing attacks are so successful, what the essential components of a defense-in-depth approach against such attacks are, and whether AI and machine learning can be leveraged effectively by organizations to improve the scale and effectiveness of security awareness training offered to employees.
Here are some of the highlights from this interview:
KnowBe4 recently launched an AI-Driven Phishing Feature, claiming that the tool can help organizations curate security awareness training programs to suit the specific needs of individual employees. How does this tool help in reducing the effectiveness of phishing attacks?
The frequency of phishing attacks has almost doubled this year compared to 2020, and this has imposed a huge strain on organizations. It is not just the number of attacks but also the complexity of attacks that organizations had to deal with in the recent past. Therefore, there is a pressing need to train all users to recognize various forms of phishing attacks and practice cyber hygiene to reduce their exposure to phishing attacks. That is where security awareness training comes in.
While security experts and IT security teams are now increasingly relying on technology, such as automation tools, to defend against various forms of cyber threats, there is also a pressing need to focus on the human element as this is what social engineering attacks are aimed at.
Organizations are willing to train their employees to detect phishing attacks but are struggling to do so. Most organizations offer generic training to employees from different departments by bundling them together in groups instead of offering curated anti-phishing training to individual employees. However, the ideal way is to focus on the individual needs of every user and provide specific training to address such needs. That’s where AI comes in.
KnowBe4 has developed an Artificial Intelligence-enabled tool that collects all the data related to an individual and leverages machine learning to create specific training programs for different users. The tool takes things into account like maturity levels, what individuals already know, what they have been trained in, things they did well, and things they don’t do well. Then, the tool combines all of that data with the data KnowBe4 has compiled about millions of users across organizations worldwide and recommends the best training program for each user.
How effective has the tool been in helping individual users improve their ability to detect phishing threats?
The AI-based phishing security tool was launched recently by KnowBe4 after it was tested extensively and after it proved its efficacy in enabling individual users to improve their ability to detect phishing messages. Unfortunately, organizations don’t have the luxury of time, which is a scarce resource, nor do they have enough IT administrators or security practitioners to impart round-the-clock security awareness training to everyone working across all facilities. By automating the process of imparting security awareness training, AI helps cover the lack of time and resources, thereby enhancing the output of security awareness training programs significantly.
The AI-enabled security awareness training also enables organizations to schedule remedial security training for employees who fail phishing tests or are found to be unable to spot fake or malicious emails. This ensures that employees get the opportunity to understand their weaknesses and learn quickly to optimize their security awareness. As a result, no one gets left behind in the process.
Artificial Intelligence holds the promise to change the way security awareness training will be imparted in the future. It is already serving as an excellent tool for organizations that do not have the time or resources to provide training to employees in a granular manner.
Hackers are now abusing well-known brand names, such as Google, Microsoft, and LinkedIn to lure targets into downloading malware into their systems or to hand over their credentials. What kind of phishing training is required to enable users to differentiate between fake emails and genuine emails sent out by these big brands?
It’s very ingenious of hackers to use these tricks and techniques to fool recipients. Unfortunately, most of these emails are very intricate and hard to spot as fake, and some of these techniques are so advanced that the average user will never identify them as phishing emails.
Aside from checking emails for sender details and other minute details that may contain tell-tale signs of a fake email, individuals should also ask themselves why they are receiving such emails from big-name brands and whether the timing and the email’s subject are normal. ‘Think before you click’ is the best form of defense against phishing attacks. In addition, continuous anti-phishing training is the best way to enable employees to detect threats that they may not detect in normal circumstances.
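The "sender details" and "tell-tale signs" mentioned above can be turned into a simple, explainable check that a security team can run over incoming mail or use as a teaching aid in awareness sessions. The script below is an added illustration written for this article; it is not KnowBe4's tool or any part of its platform. The two email messages, the brand-to-domain table and the urgency phrases are all constructed for the example; a real deployment would maintain its own list of brands and legitimate sending domains.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the display name claims a well-known brand, but the
# sending, reply and bounce addresses all point at unrelated lookalike domains.
SAMPLE_PHISH = """\
From: "Microsoft Account Team" <security@micros0ft-support.example>
Reply-To: <billing@mail-verify.example>
Return-Path: <bounce@mail-verify.example>
To: employee@corp.example
Subject: Action required: verify your account within 24 hours
Content-Type: text/plain

Your account will be suspended unless you confirm your password today.
"""

# Constructed sample of an ordinary internal notice with consistent headers.
SAMPLE_LEGIT = """\
From: "Corp IT Helpdesk" <helpdesk@corp.example>
Return-Path: <helpdesk@corp.example>
To: employee@corp.example
Subject: Scheduled maintenance window on Saturday
Content-Type: text/plain

The VPN gateway will be unavailable from 02:00 to 04:00 UTC.
"""

# Illustrative brand table: brand keyword -> domains it legitimately sends from.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "linkedin": {"linkedin.com"},
}

# Phrases that pressure the reader into acting before thinking.
URGENCY_CUES = ("action required", "verify your account", "suspended", "within 24 hours")


def domain_of(address):
    """Return the lower-cased domain of an RFC 5322 address, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw_message):
    """Return a list of finding codes for the message; an empty list means no cue fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. The display name invokes a brand, but the From domain is not one the brand uses.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append("brand_lookalike")
            break

    # 2. A reply would go to a different domain than the one the reader sees.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")

    # 3. Bounces would go to a different domain than the visible sender.
    return_path_domain = domain_of(msg.get("Return-Path"))
    if return_path_domain and return_path_domain != from_domain:
        findings.append("return_path_mismatch")

    # 4. The subject line applies time pressure.
    subject = (msg.get("Subject") or "").lower()
    if any(cue in subject for cue in URGENCY_CUES):
        findings.append("urgency_cue")

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_headers(raw))
```

Each finding is a cue rather than a verdict: legitimate bulk mail often carries a Return-Path on a mailing provider's domain, and real account notices can sound urgent, so the value of the check is in making the reader pause and look at exactly the details the interview points to (who the sender really is, where a reply would go, and whether the urgency is warranted).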
Aside from tackling the human element that is primarily targeted by phishers, what kind of technical steps should organizations take to prevent phishing emails from landing in employees’ inboxes?
Defense in depth is always essential for organizations. Solving the technical challenges is as important as tackling the human element that is the primary target of phishing and social engineering attacks. My advice to organizations is to first create their risk profile based on their industry and the work they do. Secondly, organizations should use anti-malware and anti-spam tools and software to the maximum to take full advantage of these solutions.
Organizations should also handle security from the perspective of the user. Security should be conducted so that it does not hinder an employee’s productivity or performance. Patching of systems, using the most effective firewall solutions, using password managers, and practicing good cyber hygiene will also go a long way in keeping networks secure from cyber attacks.
Bottom line
Cybersecurity firms such as KnowBe4 will continue to offer practical solutions such as AI-Driven Phishing Security to enable organizations to improve the effectiveness of security awareness programs offered to employees. However, as our recent interview with Mathieu Gorge, the CEO of VigiTrust, revealed, an organization can effectively defeat cybersecurity threats only if those at the top demonstrate cyber accountability.
Unfortunately, that is not the case. As per new data from HelpNetSecurity, even cybersecurity leaders are failing at demonstrating sound cyber hygiene. A study by the firm revealed that one in four cybersecurity leaders use the same password for both work and personal accounts, 45% connect to public Wi-Fi without using a VPN, 48% log in to social networks using their work computers, and 77% accept connection requests from unknown individuals.
Unless CXOs at every organization give utmost importance to cybersecurity matters, accept personal accountability for the security of networks and systems, and lead by example in terms of cyber hygiene, it is futile to expect other employees to feel responsible for the security of enterprise data and systems.
About Jelle Wieringa:
Jelle is a security awareness advocate at KnowBe4 where he works to highlight the criticality of the human factor in cybersecurity and advocates how to strengthen it. Prior to joining KnowBe4, he served as Business and Innovation Strategist at QSight IT where he was responsible for growing the cybersecurity business by developing and executing vision and strategy based on market developments and trends.
About KnowBe4:
KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps organizations manage the ongoing problem of social engineering. Forrester Research named KnowBe4 a Leader in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2020. The latest G2 Grid Report, based on over 500 G2 customer reviews, ranked KnowBe4 as the top security awareness training platform, with 99% of users rating it 4 or 5 stars and the largest market presence among all vendors.