Item: KnowBe4 Security Awareness Training
Rating: 7
Author: Verified User

Use Cases and Deployment Scope

KnowBe4 is used across our entire organization to help provide cybersecurity awareness training. It allows us to measure how employees are responding to phishing. There is training material that provides generalized guidance and there are options to customize training as well. It also helps in that cyber insurance companies require some kind of training to provide insurance.

Pros and Cons

The content is varied and easy to integrate.
The phishing emails are very convincing.
Employee tracking of performance and participation is straightforward.

Metrics could offer more detail into the results of tests specifically which questions were answered incorrectly.
Some questions asked after the training material is presented are not covered in the material itself.
There should be an option to retake the tests.

Return on Investment

Results are mixed, phishing campaign results suggest improvement and then deterioration.
We can apply for cyber insurance.
We can make a more credible argument that we are investing in cybersecurity and demonstrating it is a priority, showing rather than telling.

Alternatives Considered

Proofpoint Security Awareness Training (formerly Wombat Security) and Mimecast Awareness Training

Proofpoint compares very favorably to KnowBe4. I think the customization in Proofpoint is better. The integration with their email security is a double edge sword and we had some concerns the training might suffer without their email integration. We had a similar concern with Mimecast, that the email tool and training would be less effective divorced.

Key Insights

Do you think KnowBe4 Security Awareness Training delivers good value for the price?

Not sure

Are you happy with KnowBe4 Security Awareness Training's feature set?

Yes

Did KnowBe4 Security Awareness Training live up to sales and marketing promises?

Yes

Did implementation of KnowBe4 Security Awareness Training go as expected?

Yes

Would you buy KnowBe4 Security Awareness Training again?

Yes

KnowBe4 Training Content

We didn't really have a program before using KnowBe4. We had training but it was not uniform nor regular. This tool allows up to provide more kinds of content and get a sense of whether it is being ingested. Now we have an actual program in place that we can collectively contribute to for all of our offices.

KnowBe4 User Management

Users are provisioned through Active Directory in an automated fashion. These accounts are subdivided similarly and each account is overseen by the local IT group. The local IT group is responsible for tracking these users and providing reports to management for the aggregate group. Offboarding has also been automated for convenience.

KnowBe4 Reporting

The reports that describe who clicks on phishing emails during a campaign are helpful. It is also important to us to know that training has been completed in the required time. Knowing that training has not started allows us to target those laggards and motivate them to get going looking at the material.

Other Software Used

Webroot Endpoint Protection, Huntress, Microsoft Advanced Threat Analytics (discontinued)

Likelihood to Recommend

The training is basic which is good for a general audience. For more advanced users, there is less material of interest which makes it less engaging. The gamification module we used did a poor job of explaining the game mechanics so for experienced gamers this is not a problem, but for people who are not familiar or accustomed to computer games, it left room for confusion.

Training Content

The material is very general, so we are looking at it as a base for customizing.

Value of Centralized Services

We don't have compliance requirements that require training.

Cost

There is some value to delivering compliance training this way. I don't know the actual pricing, so I can't comment, but if I extrapolate from other pricing I've seen, it is not very attractive. This kind of training is typically not ongoing and needing regular revision.

The value depends on the need. We have some state mandated compliance training that we are doing through our payroll system. It is specific to the locations that are affected. There is some benefit to having this training tied to a system that is an employee requirement. While security training is important, we have not decided to make it mandatory to the degree that we will terminate an employee if they do not complete the training. Compliance is a requirement not a resource. KnowBe4 does not has this kind of visibility in our firm.

Cost Comparison

It does not stand out.

User Provisioning

These work well and have made provisioning easier. There is a slight loss in usability though since completing the training cannot be done as a separate task accessed only with credentials. It would have some value to be able to access training materials on the go on non-work equipment or downloaded locally to a physical drive.

AI-Driven Phishing & Training

We haven't taken advantage of this and wasn't aware of it's availability. We did have a situation where a credit card phish actually used the last numbers of an actual credit card curently active, which turned out to be just a coincidence, but sent up many alarms. This led to a debate as to whether too much personalization was actually presenting phish emails that are not in line with the content of actual attacks and more like entrapment than training.

Usability

The usability of KnowBe4 Security Awareness Training module is straightforward. It is easy to navigate and implement. What it does it does well, but it doesn't really do more. Once a training module is done, there is no way to offer it as a refresher or to go through it in tandem with someone who wants further clarification on specific content.

Security Awareness Training with PhishER

We haven't turned on PhishER because it seems to conflict with some native Microsoft security tools.

KnowBe4 is 4 general audiences

Overall Satisfaction with KnowBe4 Security Awareness Training