KnowBe4 for financial institution
Categories
Description
The Problem. We were aware of some of the cyber thefts occurring at medium-size businesses. However, the awareness of phishing and spear-phishing had been localized to the IT Dept and our Risk Management team. On a management level we knew what could go wrong, but we did not have a company wide awareness and we were not sure what we needed. We had basic security training in place as part of new employee onboarding and a yearly mandatory test. Employees could do a refresher course if needed, but we were limited to that.
Some of our clients are now starting to require Security Awareness Training for their vendors as part of their audit process. These requirements do not specify the granularity needed, so we were still faced with a lack of clarity on what we needed and which method would be most effective and fulfill audit requirements.
When we found KnowBe4, it was a perfect fit. We knew we had to have something that allowed us to do phishing tests on the staff, record training and results and be able to report on the results. KnowBe4 was able to do all this in an easy to use fashion, saving IT from having to do a lot of extra work. Our prior efforts would take a couple of weeks to do as a project and were nowhere near as fine tuned as KnowBe4 allowed us to get.
Getting Started. Getting started was an easy process. We did a couple of calls and were walked through the process of importing addresses and setting up the way we wanted it, learning the reporting features and so forth. Once we were set up, we decided to do a baseline Phishing Security Test to see how many of our staff were phish-prone. Our results showed phishing was a far bigger situation than I had envisioned. We ran the test and got a staggering 39% phish-prone percent.
Training. Due to the high percentage of clicks off our initial testing, we made Kevin Mitnick Security Awareness Training mandatory for staff and included it as part of any new employee training. The managers are required to do the 40 minute version and staff are given the option of doing the 15 minute version or the 40 minute version. We also have a group we put through the training in a classroom setting with the documentation as some computers do not have sound options. We are able to easily track who does the training and who completes it for compliance reporting.
Ongoing Phishing Tests. Once we did the training, subsequent phishing tests dropped to zero as staff were darn sure they were not going to fall for a phishing test. We then started to explore some of the templates and customizable options and decided to use these to be a bit more “crafty” in our attempts. We got a few to respond and click but the general trend of clicks is continuing down with staff much more focused and able to avoid phishing attacks.
Details
Business tasks
Enhance Staff Productivity
Ensure Security and Business Continuity
Problems
Risk of attacks by hackers
Risk of data loss or damage
Shortage of inhouse IT resources