Talk to any cybersecurity specialist and they will tell you that the threat level has never been higher. And it doesn’t matter if you’re a small enterprise or the US Government – the bad guys are out there, and if they can find a way into your network, they will. What many casual observers are not aware of, though, is just how much human error or misjudgment is responsible for security breaches. In the age of social media, we have become conditioned to sharing information, and this is a weakness hackers have learned to prey on. All it takes for your enterprise to be hacked is one employee clicking on the wrong PDF attachment – perhaps a ‘request for proposal’ that seems legitimate – and the hackers can be in your network.

Luckily for enterprise IT pros, startup KnowBe4 was created to help IT specialists bring security awareness training to the far reaches of their organizations. Based on the experience of legendary hacker turned white hat Kevin Mitnick, KnowBe4’s unique security awareness training modules help IT to take the human error out of security breaches. Here to share some thoughts with us is KnowBe4’s founder and CEO Stu Sjouwerman.

IT Specialist: Thank you for joining us today Stu. Can you provide some brief background on KnowBe4, such as what year you were started and the background of the founders?

Stu: KnowBe4 was started in 2010, five days after I sold my last company, Sunbelt Software. I’m a serial entrepreneur. I co-founded my 4th company, Sunbelt Software, in 1996. Sunbelt grew into an international success with VIPRE antivirus and several other security products, and I sold it in 2010 to GFI, a portfolio company of Insight Venture Partners of NY and Boston. The KnowBe4 team has built, deployed and supported e-learning applications and we have deep roots in IT security. Having worked within and for IT for 34 years, we have a good idea what problems IT administrators face.
We build our products "for admins, by admins".

IT Specialist: What was the inspiration behind your founding?

Stu: While building a brand new anti-malware platform from the ground up between 2006 and 2010, we discovered that every time a workstation was infected, the reason was that the human had been social engineered to click on a link or open an attachment they had not asked for. The conclusion was that existing security awareness training was not up to snuff, and needed to be dramatically improved to be truly effective. The market was under-served and pioneering a new category of IT security company was a fun challenge to go after!

IT Specialist: What do you see as the current status of cybersecurity in the enterprise? What are some of the leading threats organizations are facing today and how are they coping – if you had to pick one threat that is most prevalent out there, which one would you highlight?

Stu: Ransomware! Since September 2013, ransomware has gotten vicious and has been by far the most worrisome threat out there. Having all the files on a workstation encrypted is one thing, but all the files on the file server is a whole other type of problem. The issue at hand is that backups fail far more often than people think, and the loss of weeks or months of files is sometimes disastrous. Preventing a ransomware attack with effective security awareness training is a must these days. Admins are coping with a renewed focus on making sure backups can be restored and with a renewed focus on user education.

IT Specialist: Turning now to your products, could you highlight what you are offering to assist enterprises? I noticed you offer a Phishing Security Test; an E-mail Exposure Check; Vulnerability Scanning; a Domain Spoof Test? Could you explain 1) what each of these cybersecurity threats are, and 2) a bit more about how each of your products works?

Stu: Did you know that 91% of successful data breaches started with a spear-phishing attack?
Any IT manager can do a Free Phishing Security Test (PST), using our website. No need to talk to anyone. It allows them to find out what percentage of users are Phish-prone. The number is usually much higher than you expect. We provide this free simulated test that will show who is prone to click a phishing link.

An email exposure check (EEC) will help you discover which addresses are exposed on the internet and are a target for phishing attacks. We scan the Internet and find any email addresses that belong to your domain. If we can find them, the bad guys can too, and this list of email addresses is your immediate Phishing Attack Surface.

Regarding the Domain Spoof Test, one of the first things hackers try is to see if they can spoof the email address of someone in your own domain. If they are able to, penetrating your network is like taking candy from a baby. Now they can launch a spear-phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained. An example is an email from HR@yourdomain.com to all employees about their new health insurance plan they need to "accept".

IT Specialist: Turning now to your training offerings, what would you say makes your training product unique from others that are available? I noticed you actually call it the Kevin Mitnick Security Awareness Training – can you provide any background as to who Mitnick is, and was he involved in advising on or designing your training program?

Stu: KnowBe4 training is based on decades of real world hacking and social engineering experience from one of the very best. Who better to learn from than arguably the most successful hacker turned white hat? Kevin never hacked for profit though; he was just pushing the envelope and admits he went too far.
Kevin Mitnick is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecom devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. I sat down with him and took his 30+ years of hacking experience and distilled this into a series of training modules that we deliver. Today, Mitnick is renowned as an information security consultant and speaker, and has authored three books, including his recent New York Times best seller "Ghost in the Wires". Kevin functions as the Chief Hacking Officer of KnowBe4, LLC.

Our program consists of three steps:
1) An initial (free) baseline phishing test that shows the phish-prone percentage of the organization.
2) On-demand, interactive, web-based training that clearly communicates the dangers and risks of being online and clicking on anything.
3) Regular simulated Phishing Security Tests, year-round, that keep employees on their toes with security top of mind. These PSTs are done using our library of templates and set-it-and-forget-it.

IT Specialist: How easy is it for an IT specialist in charge of cybersecurity to implement your solutions within their organization? How easy is it for IT to manage KnowBe4 solutions once they are installed?

Stu: Our security awareness training program is extremely easy to use. After the purchase, we also have a customer success rep who will get you up & running with your testing and training very quickly. The console is a truly user-friendly GUI that lets the IT manager import his names (by groups if he likes) and he can then send a link for self-service enrollment to users to do at their own pace. The training works on a variety of devices and the IT manager can track who has successfully completed the training (for compliance reasons), and who has not.

IT Specialist: What has been the response in the market to KnowBe4, and are there any customers or case studies you might want to highlight?

Stu: We have experienced explosive growth with a 437% year-over-year growth for 2013 over 2014 and several hundred percent the year prior. This year is on track to be another banner year. Industry experts and IT pros alike recognize that security awareness training is the most effective way to combat a potential security breach as the bulk of them are initially caused by human error. We did a study over 12 months of 291,000 end points (over 350 customers) which showed a reduction of risky behavior by over 12X. With an initial baseline of 16%, we reduced the phish-prone percent over a year to just over 1%. A large portion of our customers (35%) are financial institutions who typically are more aware and employ tighter restrictions yet still saw enormous improvement.

Compared to a study done by Dartmouth/Vanderbilt and MITRE on “point-of-failure” training methods, our 3-step program actually works where others don’t. Security Awareness Programs need constant repetition and reminders, otherwise people forget. "Use it or lose it" is definitely applicable here! Like the Ben Franklin quote: “Tell me and I forget. Teach me and I remember. Involve me and I learn.”

IT Specialist: Turning now to the corporate level, can you tell us as a start-up, how do you measure your success and growth?

Stu: Expansion and customer growth is our corporate measure. But we judge ourselves on our customers' success. In fact, we are so confident our program is effective, we offer our customers a "crypto-ransom warranty" that if they train their users and do monthly phishing tests - if they get hit with ransomware, we’ll pay their ransom.

IT Specialist: Finally, for people who may be interested in testing KnowBe4’s solutions or beginning a dialogue with you, what is the best way for them to start working with you?

Stu: Creating an account and doing the free Phishing Security Test is a great way to immediately see how phish-prone your employees are. Do that at:
https://www.knowbe4.com/free-phish-alert-its

If that is not possible for any reason, the next best thing is to request a free Email Exposure Check and find out what your phishing attack surface is. Do that at:
https://www.knowbe4.com/email-exposure-check/its

IT Specialist: Thank you for your time Stu, and keep up the good fight.