Exploring the Craft of Risk Avoidance with Roger Grimes
In this insightful episode of The Art of Security, Jackie McGuire, principal analyst from theCUBE Research and SiliconANGLE, engages with Roger Grimes, data-driven defense evangelist at KnowBe4. The discussion revolves around the crucial aspects of cybersecurity training highlighted during The Art of Security Summit.
Grimes brings their extensive expertise to the table, focusing on the importance of employee education in risk avoidance. They underscore the alarming statistics indicating that a significant portion of data breaches occur due to phishing and social engineering attacks. McGuire and theCUBE Research illuminate the conversation with adept hosting and analysis, diving deep into the behavioral and cultural shifts needed to fortify cybersecurity measures.
The discussion emphasizes key takeaways such as the necessity of fostering a security-conscious culture within organizations, according to Grimes. They assert that when employees are empowered and educated, they transform from potential weak points in cybersecurity defenses into robust lines of defense. The video also touches on actionable strategies for improving training effectiveness and reducing risk, as highlighted by industry insights and statistics shared during the session.
Roger Grimes, KnowBe4
Jackie McGuire
>> Hello, everybody. Welcome back to The ART of Security Summit. I'm Jackie McGuire, practice lead and principal analyst for security at theCUBE and SiliconANGLE. Today we're back to talk about avoiding risk. And I'm really happy. I have Roger Grimes with me today. So he's the data-driven defense analyst from KnowBe4. And we're going to talk about what I would consider probably the most important piece of avoiding risk, which is educating people about where risk comes from, how to spot it, and how to avoid it. Welcome, Roger. Thank you for being here.
Roger Grimes
>> So glad to be here.
- Awesome.
Jackie McGuire
>> So let's start with a fun fact. Last week we were going favorite Bay Area rappers because I was talking to somebody from the Bay Area, but who is your favorite band in general, Roger?
Roger Grimes
>> Oh, actually, a Gainesville, Florida band called Sister Hazel. Been big fans of them for going on three decades.
Jackie McGuire
>> All right. I remember Sister Hazel from the 90s. That's pretty awesome. That's a great throwback. Fantastic. All right. The first step in the art process that we're talking about today is avoiding risk. And so sometimes that means doing nothing at all, right? You say, "This project is just too risky, let's just avoid the risk by not doing anything." But in this case, we're going to avoid it through better training. And I often see employees, and I think you guys say this as well, is they're both the largest attack surface, but they're also your last line of defense. And just depending on which study you read, somewhere between 70 and 90% of compromises happen at the endpoint, which is generally involving someone either clicking on something silly, not noticing something. So employees really need training on both sides, both as kind of the attack surface as well as lines of defense. So can you talk to me a little bit about how you think about cybersecurity training in the modern enterprise and how KnowBe4 approaches that last line of defense?
Roger Grimes
>> Yeah, sure. I mean, let me say, for sure I think most people know that phishing and social engineering is a big part of how attackers attack companies and people and networks, but I don't think most people realize that it's literally the largest portion by far, like you said 70 to 90%. It's a lot of risk and if you don't address training, it really can be successful in most organizations. I mean, I like to say this, that social engineering and phishing is involved in 70 to 90% of successful data breaches after it's bypassed every defense you've thrown in its way. It's gotten past the firewalls and intrusion detection and antivirus and all that sort of stuff. So I'm like... Every once in a while someone would say, "Well, why should I train them?" Like, "How could you not?" I mean, it's literally, most of these attacks you're getting past everything else technically and policy-wise that you've thrown in its way. You have to train people to help decrease risk because your end users for sure are going to have to make some cybersecurity decisions and you want to try to help them make the right decisions.
Jackie McGuire
>> Yeah. And I always think of it as even as security evolves and we automate things or make them more intelligent, humans are always still going to be the people on the front lines of doing the bad things. So you probably also still need the best trained humans on the line trying to prevent the bad things regardless of how good our tools and detections and automations get. So one of the things I've talked about as well, and I think this is a great, to your point about having when everything else fails, I also like to think about security more as not really a program or a team or an objective as much as a culture. And I've experienced this myself. And I also liken it to compliance. So I come from financial services originally. That's where I spent the first several years of my career. And compliance was the same way, in that it was either something that you kind of eat, sleep and breathe, and it was safe to ask questions and safe to say something looked wrong, or it wasn't. And I saw the effect at the financial institutions I was at. And now coming into security, it's actually the same exact thing with security. It's either a culture where security is there to help you, they're there to be your backstop, or it's a culture where security's kind of the department of no and slows things down. So I always feel like one of the best ways to create a security culture is to create a culture where people feel safe to ask questions and learn rather than get in trouble. And you guys are in a great place because you are the people that help people learn. Would you agree with that, and assuming you agree with me, how do you feel like having better cybersecurity helps contribute to that culture, or better training? Sorry.
Roger Grimes
>> Yeah, I mean, for sure all of that. Culture's a big deal. I mean, we have the saying that your users may be aware of something but not care. And the idea about a culture is hoping to impact people's behavior so that they're really making the right security decisions. And I think that a lot of times when I walk into an organization, I can pretty quickly see whether or not the organization takes cybersecurity kind of seriously. I mean, even a little thing like if you see a bunch of laptops on people's desks and they're away, they're at lunch, they're visiting somebody in a meeting, are they locked? Right? And some places I go, you see all these screens open and no one's locked. And in other places, if someone's almost accidentally left their screen unlocked, they'll come back and lock it, right? You've created a culture of people trying to keep themselves and the organization safe. You certainly want to make them feel safe in reporting things. I mean, I've heard of some people, especially in the financial services where they're like, "If you fall for a simulated phishing test, a real phishing attack or something, you're fired first offense." And that's going to make people try to hide things. What you want to do is create this safe environment because no one's trying to hurt themselves or the organization. You want to make them feel safe in trying to report something that they may suspect like, "Hey, I opened this email and I clicked on this link, and it's possibly that this was malicious."
And I have a great example. Years ago, I was at one of the world's largest companies, Fortune 10, Fortune 50 company, and one of the smartest people there had been on the Super Bowl day had accidentally opened up a spear phishing attack email. It appeared to come from someone that had knowledge of an internal project and said, "Hey, here's this document that kind of relates to our project." And when he opened the PDF, he's like, "This doesn't have anything to do with our project." And he closed it. But an hour or two later he's like, "Man, maybe that was a spear phishing attack. Maybe I should report it." And so he did. And when he did it, they found out that indeed his workstation had been compromised by a zero day. They had placed a Trojan, but they had stopped the attack before it was able to move beyond his endpoint. And so I love that example for two reasons. First of all, super smart guy, nobody knew more about the environment than he did, and he still fell for this attack. And number two that he started saying, "Hey, maybe I was attacked," and he felt safe in reporting it, not going to be fired. And that helped better protect the organization. Even maybe another thing, people will say, "Well, can I do simulated phishing attacks where we're claiming they got a bonus or they got a raise or maybe we're taking away a raise or something like that." I'm like, "If you're making your coworkers angry by the way that you're trying to train them, you're not really training as effectively as you can. You want to train in such a way that people feel empowered, they feel safe, and that they will see and try to put down risk and report risks that maybe they missed at first."
Jackie McGuire
>> Absolutely. I always wonder why companies don't do some type of... When they're doing the phishing attacks, it would always be better to have positive reinforcements. So every time you spot a phishing email successfully, you go into some drawing for some electronic or something like that. Because I agree with you. I think when you make things punitive and you make it just more a culture of check the box, I did the training compliance, people will always be more hesitant to share information. And it also becomes kind of a... I think when you don't fully integrate security training into a company company-wide, there still creates that kind of gap between the security people or the technical people and everybody else. And you really need kind of open lines of communication where technical people are treating everybody else as if they are intelligent enough to understand the things we're dealing with because they are. And I think that in turn enables the whole organization to look at security not as the hoodie people who sit in the security team, but as your partners, people who are just trying to help you more efficiently do your job without putting the company at risk. And I think one of the surprising things for me was the percentage of successful compromises that happen at the VP level or above, how often those compromises come from not your average everyday customer service rep. These are a lot of times it's people with higher-level access because of spear phishing, because they're very busy and on the go all the time. And I think that's also something that we maybe don't acknowledge all the time that we should.
Roger Grimes
>> Yeah. And I do know many organizations that actually don't test those C-levels. And I always say no one gets promoted because they successfully phish their boss. But to exclude them means that the only time they're going to be tested is when a real phishing attack comes. And that's not necessarily the best way to reduce risk either. So you want to, again, create a healthy culture. You're trying to build in, coach in certain behaviors where they make the right decisions and they feel safe that if they fail during a simulated phishing test, that they'll get some education so if the real thing comes along they're making the right decision. And you really don't want to exclude anybody. Anytime you exclude somebody, you're just increasing risk to the organization. And like you said, a lot of these attacks happened to IT, to the C-level. And Barracuda Networks back in 2023, it might've been '24, they had a really great stat that I live by. They said that less than 0.1% of all email attacks are spear phishing attacks. So a phishing attack meant at a particular person or group of people, like C-level employees or IT or something, but they're responsible for 66% of successful data breaches. So I mean, that to me is a big, big deal, meaning that you need to train people and certainly your most high-risk people, that means accounting, that means HR, that means IT, that means C-levels, anybody with access to money and financials and things like that.
Jackie McGuire
>> We're going to talk about identity and access management in a little bit, but I could also see that being because those are also the people who... Because they don't want to have to put a ticket in to access something over the weekend, those people also tend to have too many privileges and elevated access. So even worse. In the data statistics, I'm a data scientist, so I love statistics, you guys have a really strong presence across the space. So I'm wondering if you could share data that you've learned along the way about the impact of stronger cybersecurity training, so what your customers look like when you get there, and then what the impact of actually implementing a robust training program is.
Roger Grimes
>> Yeah, sure. I tell you, I think KnowBe4, we've been doing this 11, 12 years. We're the leader in the industry. We have more customers than anybody else. So we've actually looked at a massive amount of data in real life, over 60,000, 70,000 customers, tens of millions of security awareness training sessions and simulated phishing assessments. And I can tell you this for sure. We have the data to show that the more often you train and simulate phish an employee, the less likely they are to click on a simulated phishing email or a real phishing email. Matter of fact, our latest data, and we've published this in a white paper, shows that customers who train, our customers, are at least eight times less likely to get breached than our non-customers. The average company throughout the world gets breached each year between 20 to 40%. And at first I was like, "Man, that's way too high." 20 to 40% of organizations will be breached each year. A lot of times through ransomware. And now 90, 95% of ransomware now exfiltrates data, creating this data breach. Well, our customers are only 2.37. Only 2.37% of our customers have ever been breached. Most of those, something like 66% of them were before they were our customers. And once they're our customers, they're far less likely to get breached and get breached less times.
Jackie McGuire
>> I think that's compelling in and of itself.
Roger Grimes
>> Over 10 years to show that training does work. And really, why wouldn't it? It's not like we let people drive a car without training them first. Right?
>> Yeah.
- Every single area in our lives training helps. But every once in a while you get somebody who goes, "I don't think it helps in cybersecurity." I'm like, "How could it not by educating somebody, how could it not help?"
Jackie McGuire
>> Yeah. And you guys have a phishing security test that really kind of helps assess and address that market. And I think you're right. We all go on autopilot so much. We all have so many things to remember to do. And when I open my laptop, there's always 900 things, squirrel, that need to be done. And accidentally clicking on something, accidentally opening something, when you're in autopilot, and that's like a secondary function, you're just trying to clear your inbox out, it happens a lot more frequently than if it's something top of mind because you're frequently being reminded that actually specifically in your email, in your text messages, you need to be a little bit more intentional about how you go through them and what you're looking for. So I guess last question around your phishing security test. So can you explain, just kind of TLDR in a few seconds how that works and then how you work with companies after the test to try to help address some of those things?
Roger Grimes
>> Yeah. We're certainly big believers in training more than once a year. We think that every time someone gets hired, they should be given longer training, whatever that means, 15, 30 minutes, 45 minutes, and each year thereafter get this longer training where you're trying to create all kinds of different behaviors. After that, they should receive monthly training, but shorter, maybe 1, 2, 3 minutes and get at least simulated monthly, simulated phishing tests. And if someone fails a simulated phishing test, that they get immediate education. You don't want them to fail a phishing test, and then they get an education about why they possibly failed that test 30 days later. You want it to be immediate. They have more ability to maintain it, or to retain it, that's the better word. And I would also say what you just pointed out, where you're really busy. We know for sure that even a well-trained person that has been trained in security awareness training and phishing and stuff, like myself, I have been successfully phished, at least through simulated phishing tests. And I would say that I'm among the top 1% of the world about how to fight phishing and social engineering. But yeah, I was busy, I was multitasking and I opened it and clicked or whatever. So we do try to create this sense of it's more than just training, it's more than just awareness. It's about trying to tell people that if you see an unexpected message that's asking you to do something you've never done before, that you need to slow down and research it outside that message's contact information before performing. And let's say we all, all of us get these unexpected messages from our boss going, "Hey, what about this? What about that?" That's normal. But what we want to communicate to employees is that if you get an unexpected message no matter how it arrives and it's asking you to do something you've never done before, at least for that sender, that's a high-risk message. You need to slow down. You need to be mindful. You need to possibly hover over the link. You possibly need to go to call that person or call that company in a known good phone number or go to a website. And if you can really teach that resilience across your workforce, you are going to significantly decrease cybersecurity risk.
Jackie McGuire
>> Absolutely. I think that's a great place to wrap it up. I couldn't thank you more. So the last thing I want to cover is we have RSA coming up very shortly, so I'm sure you'll be there in full force. Is there any particular events or things that you're doing, that KnowBe4 is doing at RSA that we should come find you for?
Roger Grimes
>> Well, we certainly have a booth there and we'll have a big presence. Everyone always looks forward to the RSA parties, but I guess I really like going to the educational sessions and learning different things. I'll be presenting on the different ways to hack MFA, which I've been doing for years and years and years. But for sure I'm going to have some new ways, new ways that MFA could be bypassed. And so I'm a very big believer in actually going to the sessions. It's not just about networking, it's not just about RSA parties, but it's about actually learning about what's changing in the cybersecurity space, like what's going on with AI, when will agentic AI malware be upon us, and when do we have to start teaching that?
Jackie McGuire
>> Absolutely, yeah. Visit the villages if you get a chance. That's always a really good way to get in close with the really technical people, whether it's lock picking or identity or any of those things. All right, well thank you so much, Roger, for being here today. Again, really emphasizing that avoiding a lot of security risk really comes down to understanding where that risk comes from and trusting your employees with the information to be able to handle it. For The ART of Security Summit, I'm Jackie McGuire. We will be right back with more information about avoiding, reducing, and transferring risk.
>> Hello, everybody. Welcome back to The
ART of Security Summit. I'm Jackie McGuire, practice lead and principal analyst
for security at theCUBE and SiliconANGLE. Today we're back to talk
about avoiding risk. And I'm really happy. I have
Roger Grimes with me today. So he's the data-driven
defense analyst from KnowBe4. And we're going to talk about
what I would consider probably the most important piece of avoiding risk, which is educating people about
where risk comes from, how to spot it, and how to avoid it. Welcome, Roger. Thank you for being here.
Roger Grimes
>> So glad to be here.
- Awesome.
Jackie McGuire
>> So let's start with a fun fact. Last week we were going
favorite Bay Area rappers because I was talking to
somebody from the Bay Area, but who is your favorite
band in general, Roger?
Roger Grimes
>> Oh, actually, a Gainesville, Florida band called Sister Hazel. Been big fans of them for
going on three decades.
Jackie McGuire
>> All right. I remember
Sister Hazel from the 90s. That's pretty awesome.
That's a great throwback. Fantastic. All right. The first step in the art process that we're talking about
today is avoiding risk. And so sometimes that means
doing nothing at all, right? You say, "This project is just too risky, let's just avoid the risk
by not doing anything. " But in this case,
we're going to avoid it through better training. And I often see employees, and I think you guys say this as well, is they're both the
largest attack surface, but they're also your
last line of defense. And just depending on which
study you read, somewhere between 70 and 90% of compromises
happen at the end point, which is generally involving
someone either clicking on something silly, not noticing something. So employees really need
training on both sides, both as kind of the attack surface
as well as lines of defense. So can you talk to me a little
bit about how you think about cybersecurity training
in the modern enterprise and how KnowBe4 approaches
that last line of defense?
Roger Grimes
>> Yeah, sure. I mean, let me say, for sure I think most
people know that phishing and social engineering is a big part of how attackers attack companies
and people and networks, but I don't think most people realize that it's literally the
largest portion by far, like you said 70 to 90%. It's a lot of risk and if you don't address training, it really can be successful
in most organizations. I mean, I like to say this,
that social engineering and phishing is involved in 70 to 90% of successful data breaches after it's bypassed every
defense you've thrown in its way. It's gotten past the firewalls
and intrusion detection and antivirus and all that sort of stuff. So I'm like... Every once in
a while someone would say, "Well, why should I train them? " Like, "How could you not? " I mean, it's literally, most of these attacks you're
getting past everything else technically and policy-wise
that you've thrown in its way. You have to train people
to help decrease risk because your end users
for sure are going to have to make some cybersecurity decisions and you want to try to help
them make the right decisions.
Jackie McGuire
>> Yeah. And I always think of
it as even as security evolves and we automate things or make them more intelligent,
humans are always still going to be the people on the front
lines of doing the bad things. So you probably also still
need the best trained humans on the line trying to prevent
the bad things regardless of how good our tools and
detections and automations get. So one of the things I've
talked about as well, and I think this is a great,
to your point about having when everything else fails, I also like to think about security
more as not really a program or a team or an objective
as much as a culture. And I've experienced this myself. And I also liken it to compliance. So I come from financial
services originally. That's where I spent the first
several years of my career. And compliance was the same way, and that it was either something
that you kind of eat, sleep and breathe, and it was
safe to ask questions and safe to say something
looked wrong or it wasn't. And I saw the effect at the
financial institutions I was at. And now coming into security, it's actually the same
exact thing with security. It's either a culture where
security is there to help you, they're there to be your backstop, or it's a culture where
security's kind of the department of no and slows things down. So I always feel like one of the best ways to create a security culture
is to create a culture where people feel safe to ask questions and learn rather to get in trouble. And you guys are in a great place because you are the people
that help people learn. Would you agree with that, and assuming you agree with
me, how do you feel like having better cybersecurity
helps contribute to that culture, or better training? Sorry.
Roger Grimes
>> Yeah, I mean, for sure all
of that. Culture's a big deal. I mean, we have the saying
that your users may be aware of something but not care. And the idea about a culture is hoping to impact people's behavior so that they're really making
the right security decisions. And I think that a lot of times when I walk into an organization, I can pretty quickly see whether or not the organization
takes cybersecurity kind of seriously. I mean, even a little thing
like if you see a bunch of laptops on people's desks and they're away, they're at lunch, they're visiting somebody in
a meeting, are they locked? Right? And some places I go, you see all these screens
open and no one's locked. And in other places, if someone's
almost accidentally left their screen unlocked, they'll
come back and lock it, right? You've created a culture of
people trying to keep themselves and the organization safe. You certainly want to
make them feel safe in reporting things. I mean, I've heard of some
people, especially in the financial services where
they're like, "If you fall for a simulated phishing test,
a real phishing attack or something, you're fired first offense. " And that's going to make
people try to hide things. What you want to do is
create this safe environment because no one's trying to hurt themselves or the organization. You want to make them feel safe in trying to report something that
they may suspect like, "Hey, I opened this email and
I clicked on this link, and it's possibly that this was malicious. "
And I have a great example. Years ago, I was at one of
the world's largest companies, Fortune 10, Fortune 50 company, and one of the smartest people
there had been on the Super Bowl day had accidentally
opened up a spear phishing attack email. It appeared to come from
someone that had knowledge of an internal project and said, "Hey, here's
this document that kind of relates to our project. " And when he opened the PDF, he's like, "This doesn't have anything
to do with our project. " And he closed it. But an hour or two later he's like, "Man, maybe that was a spear phishing attack. Maybe I should report it." And so he did. And when he did it, they found out that indeed his workstation had been compromised by a zero day. They had placed a Trojan, but
they had stopped the attack before it was able to
move beyond his endpoint. And so I love that
example for two reasons. First of all, super smart guy, nobody knew more about the
environment than he did, and he still fell for this attack. And number two that he
started saying, "Hey, maybe I was attacked," and he felt safe in reporting
it, not going to be fired. And that helped better
protect the organization. Even maybe another thing,
people will say, "Well, can I do simulated phishing attacks where we're claiming they got
a bonus or they got a raise or maybe we're taking away a
raise or something like that. " I'm like, "If you're
making your coworkers angry by the way that you're
trying to train them, you're not really training
as effectively as you can. You want to train in such a
way that people feel empowered, they feel safe, and that they will see and try to put down risk and report risks that maybe
they missed at first."
Jackie McGuire
>> Absolutely. I always wonder why companies
don't do some type of... When they're doing the phishing attacks, it would always be better to
have positive reinforcements. So every time you spot a
phishing email successfully, you go into some drawing for some electronic or something like that. Because I agree with you. I
think when you make things punitive and you make
it just more a culture of check-the-box, I did
the training compliance, people will always be more
hesitant to share information. And it also becomes kind of a... I think when you don't fully
integrate security training into a company, company-wide,
there still creates that kind of gap between the security
people or the technical people and everybody else. And you really need kind of
open lines of communication where technical people are
treating everybody else as if they are intelligent enough to understand the things we're dealing with because they are. And I think that in turn
enables the whole organization to look at security not
as the hoodie people who sit in the security team, but as your partners,
people who are just trying to help you more efficiently
do your job without putting the company at risk. And I think one of the surprising things for me was the percentage
of successful compromises that happen at the VP level or above, how often those
compromises come from not your average everyday
customer service rep. A lot of times
it's people with higher-level access because of spear phishing, because they're very busy
and on the go all the time. And I think that's also something that we maybe don't acknowledge
all the time that we should.
Roger Grimes
>> Yeah. And I do know many organizations that actually don't test those C-levels. And I always say no one gets promoted because they successfully
phish their boss. But to exclude them means that
the only time they're going to be tested is when a
real phishing attack comes. And that's not necessarily the best way to reduce risk either. So you want to, again,
create a healthy culture. You're trying to build in,
coach in certain behaviors where they make the right decisions and they feel safe that if they fail during a simulated phishing test, that they'll get some education so if the real thing comes along they're making the right decision. And you really don't
want to exclude anybody. Anytime you exclude somebody, you're just increasing
risk to the organization. And like you said, a lot
of these attacks happened to IT, to the C-level. And Barracuda Networks back
in 2023, it might've been '24, they had a really great
stat that I live by. They said that less than 0.1% of all email attacks are
spear phishing attacks. So a phishing attack meant
at a particular person or group of people, like
C-level employees or IT or something, but they're
responsible for 66% of successful data breaches. So I mean, that to me is
a big, big deal, meaning that you need to train people and certainly your most high-risk people, that means accounting, that
means HR, that means IT, that means C-levels,
anybody with access to money and financials and things like that.
Jackie McGuire
>> We're going to talk about identity and access management in a little bit, but I could also see that being because those are also the people who... Because they don't want
to have to put a ticket in to access something over the
weekend, those people also tend to have too many privileges
and elevated access. So even worse. In the data statistics,
I'm a data scientist, so I love statistics, you guys have a really strong
presence across the space. So I'm wondering if you could share data that you've learned along
the way about the impact of stronger cybersecurity training, so what your customers look
like when you get there, and then what the impact of actually implementing a
robust training program is.
Roger Grimes
>> Yeah, sure. I tell you,
I think KnowBe4, we've been doing this 11, 12 years. We're the leader in the industry. We have more customers than anybody else. So we've actually looked at a massive amount of data in real life, over
60,000, 70,000 customers, tens of millions of security
awareness training sessions and simulated phishing assessments. And I can tell you this for sure. We have the data to show
that the more often you train and simulated-phish an employee,
the less likely they are to click on a simulated phishing email or a real phishing email. Matter of fact, our latest data, and we've published this
in a white paper, shows that customers who
train, our customers, are at least eight times less likely to get breached than our non-customers. The average company throughout
the world gets breached each year between 20 to 40%. And at first I was like,
"Man, that's way too high." 20 to 40% of organizations
will be breached each year. A lot of times through ransomware. And now 90, 95% of ransomware
now exfiltrates data, creating this data breach. Well, our customers are only 2.37%. Only 2.37% of our customers
have ever been breached. Most of those, something
like 66% of them were before they were our customers. And once they're our customers,
they're far less likely to get breached and get
breached less times.
Jackie McGuire
>> I think that's compelling
in and of itself. >> Over 10 years to show
that training does work.
Roger Grimes
>> And really, why wouldn't it? It's not like we let people drive a car without training them first. Right? >> Yeah. - Every single area
in our lives training helps.
But every once in a while
you get somebody who goes,
"I don't think it helps in cybersecurity." I'm like, "How could it
not by educating somebody, how could it not help?"
Jackie McGuire
>> Yeah. And you guys have a phishing
security test that really kind of helps assess and address that market. And I think you're right. We
all go on autopilot so much. We all have so many
things to remember to do. And when I open my laptop,
there's always 900 things, squirrel, that need to be done. And accidentally clicking on something, accidentally opening something,
when you're in autopilot, and that's like a secondary
function, you're just trying to clear your inbox out, it happens a lot more frequently
than if it's something top of mind because you're
frequently being reminded that actually specifically in your email, in your text messages, you need to be a little bit more
intentional about how you go through them and what you're looking for. So I guess last question around
your phishing security test. So can you explain, just kind
of TLDR in a few seconds how that works and then how
you work with companies after the test to try to help
address some of those things?
Roger Grimes
>> Yeah. We're certainly big
believers in training more than once a year. We think that every
time someone gets hired, they should be given longer
training, whatever that means, 15, 30 minutes, 45 minutes, and each year thereafter
get this longer training where you're trying to create all kinds of different behaviors. After that, they should
receive monthly training, but shorter, maybe 1, 2, 3 minutes, and get at least monthly simulated phishing tests. And if someone fails a
simulated phishing test, that they get immediate education. You don't want them to
fail a phishing test, and then they get an education
about why they possibly failed that test 30 days later. You want it to be immediate. They have more ability to maintain it, or to retain it, that's the better word. And I would also say what
you just pointed out, where you're really busy. We know for sure that
even a well-trained person that has been trained in
security awareness training and phishing and stuff, like myself, I have been successfully phished, at least through simulated phishing tests. And I would say that I'm among
the top 1% of the world about how to fight phishing
and social engineering. But yeah, I was busy, I was
multitasking and I opened it and clicked or whatever. So we do try to create this sense of it's more than just training, it's more than just awareness. It's about trying to tell people that if you see an unexpected
message that's asking you to do something you've never done before, that you need to slow down and research it outside that message's contact
information before performing. And let's say we all, all of us get these unexpected
messages from our boss going, "Hey, what about this? What about that?" That's normal. But what we want to
communicate to employees is that if you get an
unexpected message no matter how it arrives and it's asking you to do something you've never done before, at least for that sender, that's a high-risk message. You need to slow down.
You need to be mindful. You need to possibly hover over the link. You possibly need to
go to call that person or call that company in
a known-good phone number or go to a website. And if you can really teach that resilience across your
workforce, you are going to significantly decrease
cybersecurity risk.
Jackie McGuire
>> Absolutely. I think that's
a great place to wrap it up. I couldn't thank you more. So the last thing I want to cover is we have RSA
coming up very shortly, so I'm sure you'll be there in full force. Are there any particular events or things that you're doing,
that KnowBe4 is doing at RSA that we should come find you for?
Roger Grimes
>> Well, we certainly have a booth there and we'll have a big presence. Everyone always looks
forward to the RSA parties, but I guess I really like going to the educational sessions
and learning different things. I'll be presenting on the
different ways to hack MFA, which I've been doing for
years and years and years. But for sure I'm going to
have some new ways, new ways that MFA could be bypassed. And so I'm a very big believer in actually going to the sessions. It's not just about networking, it's not just about RSA parties, but it's about actually learning
about what's changing in the cybersecurity space,
like what's going on with AI, when will agentic AI malware be upon us, and when do we have to
start teaching that?
Jackie McGuire
>> Absolutely, yeah. Visit the
villages if you get a chance. That's always a really
good way to get in close with the really technical
people, whether it's lock picking or identity or any of those things. All right, well thank you so much, Roger, for being here today. Again, really emphasizing
that avoiding a lot of security risk really comes
down to understanding where that risk comes from and trusting your employees
with the information to be able to handle it. For The ART of Security
Summit, I'm Jackie McGuire. We will be right back with more
information about avoiding, reducing, and transferring risk.