Back in June, I posted a story titled “One Law Firm’s Experience with KnowBe4 Training.” I kept the firm and the source anonymous to protect them from cyber hackers. In the following article, I’m going to share some of their stellar results after a recent fake phishing campaign. But first… the highlights from my last article to set the stage:
Benjamin Stevenson, Director of Information Technology with Joseph & Joseph, chose KnowBe4, offered through Savvy Training & Consulting, to help with his firm’s security awareness training.
KnowBe4 is the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. The system includes a series of trainings which are randomly followed by simulated phishing emails. The phishing templates are updated every day based on trends that KnowBe4 sees occurring in the real world. Clients use these templates to phish their own firm, learning who is vulnerable to scams and who needs training.
In August 2016, Stevenson launched KnowBe4 firm-wide by taking the following steps:
>> Introductory meetings
>> Training modules
>> Phishing campaign
“The simulations opened lot of eyes,” he said. “I was pleased at the number of people who reported suspected phishing. We had a 20% fail rate and now I know how to re-focus my training efforts for the next campaign.”
Now, an update!
Stevenson kicked off a 4-week phishing campaign in July using the KnowBe4 phishing templates.
“I picked 25 to 30 templates from the platform with varying degrees of difficulty,” says Stevenson.” Each employee received a total of four phishing emails over the four weeks. The templates varied from emails that looked work-related to social media emails, news updates, etc.”
As the campaign progressed, Stevenson says that he saw steady improvement week over week. In the first week, there was an 18% fail rate, meaning 18% of the people clicked on the phishing emails. By week four, only 4% of people clicked on the scam emails.
Even better, people simultaneously started reporting suspicious emails at a higher rate. This means that the firm is much more protected from real phishing emails that could lead to ransomware attacks and other security breaches.
Stevenson also was able to determine which types of emails present the biggest threat to his firm’s security. One of the fake phishing emails looked like it was from the firm’s IT department, including the firm’s logo and a return email address that read: ITSupport@Joseph&Joseph.com
“We never send emails like that but it got the most clicks,” says Stevenson. He adds that people complained and said, “Cybercriminals would never use tactics like that,” which made Stevenson laugh.
“That is exactly what they do,” he says.
Overall, though, Stevenson says that people responded positively to the trainings and phishing campaign. Some even asked if they could share the trainings with their families, including elderly parents.
Stevenson says that the improved security is an ace that the firm can use in responding to client RFPs. Clients are increasingly asking about firm security protocols and he is happy that he can report that the firm is conducting ongoing trainings and seeing significant improvements in security awareness.
Because the fight against cybercriminals is a nonstop battle, Stevenson plans to run trainings and campaigns on a regular basis, keeping security top of mind throughout the firm.
“The KnowBe4 system is very easy to use and I’m pleased with the results.”