Brief Summary. European telematics company, ABAX has been using CLTRe (pronounced “culture”) by KnowBe4 to establish a baseline for its security culture—periodically measuring employees’ cybersecurity behaviours and identifying areas for improvement that can be easily relayed back to the company’s Board. Business and Technical Challenges. With ABAX swiftly growing from a start-up of five people to over 400 staff after just ten years, Espen Otterstad head of IT and acting CISO at ABAX realised that “people were probably one of the largest vulnerabilities” when it came to the security of the business. Furthermore, as the company was expanding with new owners taking over, ABAX was receiving a lot of media attention, appearing in a number of new articles. With the extra attention, Otterstad noticed that phishing attempts were on the rise and “employees were opening emails they perhaps shouldn’t be opening.” In addition, while information security was paramount, Otterstad also recognised that wading through long reports was not going to have the desired impact when it came to translating the security culture to the Board and management team. Therefore, he also needed clear and precise metrics to share with the Board and be able to demonstrate improvements or conversely, areas for improvements. The Solution. In order to fulfil the requirements of measuring the security culture baseline for ABAX—while being able to deliver a concise KPI measurement for the Board and management team—Otterstad initiated conversation with Kai Roer, CEO of CLTRe, now a KnowBe4 company. CLTRe helps companies manage and gauge security culture with a comprehensive toolkit and Security Culture Framework that uses a scientific approach to scope security across seven dimensions, resulting in a detailed insight into how different teams and business units compare. Results and Benefits. With many cybersecurity implementations, the theoretical cost savings were huge for ABAX, particularly before and after the advent of GDPR, Otterstad explained. “Using CLTRe was not only absolutely necessary, but also a good investment,” he said.

With the goal of folding security awareness into the Alliance’s organizational culture and a high Phish-Prone Percentage, Mueller and Lukaszewski (the Alliance’s director of IT and systems administrator and supervisor) to work training the staff and enriching their security posture with a highly-trained human firewall. Now that the Alliance has had its one-year anniversary with KnowBe4, the organization has increased the complexity of its simulated phishing tests and incorporated immediate trainings for users who mistakenly fall for a spoof. “KnowBe4 has allowed us to mature our program and build up that human firewall we wanted with security skills that really work. The Phish Alert Button tunes us in to actual threats in the wild and helps us create custom phishing templates that are very realistic. Our goal this year is to make our tests harder because we know that hackers don’t just send attachments or bad links. They start conversations and social engineer people; we are working with KnowBe4 to train our users to not respond to emails, to avoid smishing and vishing threats and more,” says Lukaszewski. Increasing awareness about security practices and protocols were the main goals of the Alliances’ SAT program with KnowBe4. Lukaszewski and Mueller, however, had a broader vision that KnowBe4 has proven very helpful in achieving. “We understand that part of the role of our IT department is to help keep our organization secure. For us to really embrace a culture of security, we have to drive communication between our users and our IT department. KnowBe4 has proven to be very effective in helping us drive rapport and trust between these two groups and foster a stronger security culture internally,” said Mueller. To achieve this goal, Mueller and Lukaszewski asked their users to phone IT directly if they failed a simulated phishing test. Mueller stated, “KnowBe4’s platform already alerts IT if a test is failed, but we want to promote good behaviors and get our users to understand that if something goes wrong in the real world, they must call IT right away. IT is not going to yell at them if they make a mistake; IT is going to help them solve the problem and protect the organization.” This approach also creates an environment that encourages users to not cover it up if they do mistakenly click a bad link or respond to a phishing email. With their users regularly being sent phishing tests and receiving both automatic remedial and scheduled trainings, Mueller and Lukaszewski can appreciate the usability of the KnowBe4 platform. According to Mueller, “KnowBe4 makes it simple to do really important and complex trainings that build up an organization’s security posture. The usability of the platform is very strong; we are able to create custom templates very easily and challenge our users even more. And we love the fact that KnowBe4 consistently adds new content so we can keep our trainings and our simulated tests fresh. KnowBe4 has been a wonderful partner and one that we expect to continue working with for a long time.”

The Challenge. In the case of K-12 Education School District with operations serving 5 counties in Illinois, technology adoption is often a bit behind the curve as compared to the public sector. While there are professional consortiums raising awareness of technology and security, unfortunately educational tech departments are often not aggressively staffed nor have the appropriate budget and resources. Don Ringelestein, CETL, Director of Technology at District 129, knew he needed to put more emphasis on security and phishing. This became even more of a priority in 2016 when District 129 fell victim to a DDoS attack that included weekly attacks and lasted nearly two months. With so much of the District relying on the internet, this was highly problematic for them to operate efficiently and showcased the dire need for improving its cybersecurity hygiene. At the same time, phishing attacks were increasingly plastered all over the news—including a nearby school district that fell victim to a phishing attack and divulged all social security numbers of its staff. Ringelestein recognized that he needed to ramp up security and phishing, particularly in terms of end-user training. However, like many IT pros, he didn’t know exactly where to start in terms of creating a customized security awareness program that would be effective for District 129. The Results. As a result of working with KnowBe4, District 129 saw very dramatic and favorable results in only a short time. In a five-month period, monthly phishing rates dropped from 27% to .03 percent. “These results are stunning—we were thrilled to see how quickly the training yielded results,” said Ringelestein. Not only is the staff far more cautious, but teachers have responded very favorably and are open to the opportunity to educate themselves on phishing—tools that they can use even beyond the workplace. Successful Outcomes

• Phish-prone percentage dropped from 27% to .03% in 5 months
• More security-aware culture among staff
• Positive teacher engagement with training content
• Phishing and training campaigns reinforced cautious vetting of emails

The Problem. We were aware of some of the cyber thefts occurring at medium-size businesses. However, the awareness of phishing and spear-phishing had been localized to the IT Dept and our Risk Management team. On a management level we knew what could go wrong, but we did not have a company wide awareness and we were not sure what we needed. We had basic security training in place as part of new employee onboarding and a yearly mandatory test. Employees could do a refresher course if needed, but we were limited to that. Some of our clients are now starting to require Security Awareness Training for their vendors as part of their audit process. These requirements do not specify the granularity needed, so we were still faced with a lack of clarity on what we needed and which method would be most effective and fulfill audit requirements. When we found KnowBe4, it was a perfect fit. We knew we had to have something that allowed us to do phishing tests on the staff, record training and results and be able to report on the results. KnowBe4 was able to do all this in an easy to use fashion, saving IT from having to do a lot of extra work. Our prior efforts would take a couple of weeks to do as a project and were nowhere near as fine tuned as KnowBe4 allowed us to get. Getting Started. Getting started was an easy process. We did a couple of calls and were walked through the process of importing addresses and setting up the way we wanted it, learning the reporting features and so forth. Once we were set up, we decided to do a baseline Phishing Security Test to see how many of our staff were phish-prone. Our results showed phishing was a far bigger situation than I had envisioned. We ran the test and got a staggering 39% phish-prone percent. Training. Due to the high percentage of clicks off our initial testing, we made Kevin Mitnick Security Awareness Training mandatory for staff and included it as part of any new employee training. The managers are required to do the 40 minute version and staff are given the option of doing the 15 minute version or the 40 minute version. We also have a group we put through the training in a classroom setting with the documentation as some computers do not have sound options. We are able to easily track who does the training and who completes it for compliance reporting. Ongoing Phishing Tests. Once we did the training, subsequent phishing tests dropped to zero as staff were darn sure they were not going to fall for a phishing test. We then started to explore some of the templates and customizable options and decided to use these to be a bit more “crafty” in our attempts. We got a few to respond and click but the general trend of clicks is continuing down with staff much more focused and able to avoid phishing attacks.

Business and Technical Challenges. With all growing organisations, the importance of security awareness is something that is built up over time. Arriving at the organisation nearly five years ago, Jonathan Flack, senior systems administrator, noticed that the culture of security awareness at ICBF and Sheep Ireland was not progressing as it should. On the contrary, it was almost non-existent. “There was no security awareness within the company when I started,” Jonathan said. Passwords weren’t being changed regularly, and “everybody knew everybody else’s password.” He also noticed the click-through rate on phishing links was particularly high, as people would frequently log into their colleagues’ email and open a phishing link out of curiosity. However, despite their best efforts, they never won that free iPad that was promised. The Resolution. At the beginning of 2018, frustrated by employee apathy and limited by the constraints of a tedious training package, Jonathan was determined to find a training option that fit ICBF and Sheep Ireland’s needs without exceeding the current budget laid out by the organisation. Resolute to reduce the time spent chasing up workers across ten different departments, Jonathan aimed to provide security awareness to the entire organisation without the added hassle. For Jonathan, research for a new security training service began with the Gartner Magic Quadrant and KnowBe4 immediately stood out at the forefront of security awareness providers in both leadership and vision. There were several other contenders, but he recalled that it was “a hassle” trying to get into contact with a local reseller, as most of them had offices overseas, making it difficult to conduct business across different time zones. He found that being able to do business with a company on the same schedule was a luxury often taken for granted, particularly in the realm of IT security. Result and Benefits. The results for ICBF and Sheep Ireland were simple, while it can be difficult to provide concrete metrics of success, the organisation noticed a “reduction of overall IT security threats”. The KnowBe4 training at ICBF and Sheep Ireland “has equipped staff with the tools needed to acknowledge IT security threats inside and outside the organisation.” While it can be difficult to provide a definitive metric for successful security awareness, one simple way of proving success is by measuring staff engagement with the training. Since implementing KnowBe4, Jonathan noticed that IT security had become a topic amongst colleagues as their attitude towards cybersecurity evolved. “Staff were having light-bulb moments when they see or hear of security threats. They feel enabled to analyse threats and empowered to make informed decisions when faced with a threat.”

Business and Technical Challenges. With sensitive information stored and passed through the systems at the Mayflower Theatre, getting security right is a top priority for all; and despite having a robust and resilient infrastructure in place, Paul Thompson, IT Manager at Mayflower Theatre, knew that more needed to be done. He said, “we wanted to train and educate users about the various aspects of cybersecurity, from how to structure passwords, to spotting phishing emails.” Many are still unaware of the different cyberattacks that are currently out in the world, so Paul and his team wanted to take a proactive approach to mitigating these threats by raising awareness about common risks like phishing emails and scams involving fraudulent websites. The Resolution. The prime objective for Paul was to build the general cybersecurity awareness of the employees at Mayflower Theatre. While some IT managers may want to review and test various security platforms before deciding on the right fit, Paul took a more direct approach when he came across the KnowBe4 platform, saying, “for the offering and the price, it was sufficiently unique to anything else I had seen in the market.” Results and Benefits. It’s a matter of when, not if, when an organisation will suffer a cyberattack and Paul is more than aware of this fact. However, it’s more about the reduction of risk for him. Whether employees come across real phishing emails or ones manufactured to test their skills, Paul explained how the staff were excited when they did come across one before flagging to the IT department. It’s this sort of reaction KnowBe4 was designed for, to get users motivated about security and for Paul, this is where the ROI has been most evident. Having KnowBe4 is an insurance policy in his eyes, saying, “I can absolutely say that we have received generic as well as targeted phishing emails aimed at people in the organisation and, because of the training, we have avoided an incident to date. Having a wide range of cybersecurity training deployed to the number of users that we have to cover a number of issues has been largely beneficial and very cost efficient.” Future Plans. Currently, Mayflower Theatre has 110 members using the KnowBe4 platform, but the expectation for Paul is to upgrade to the platinum subscription to give all staff members access due to the positive results he’s seen since 2017.

Challenge. The struggle that Softcat faced in containing issue boils down to two primary factors. Firstly, until three years ago, its security awareness programme was conducted on an ad hoc basis. Any training was typically implemented during the induction period, when new employees first joined the business. On top of being infrequent, training would often be missed due to a lack of time or getting lost in the long to-do lists that accompany starting a new job. Secondly, the field in which Softcat operates requires that employees work with a vast number of third parties. Indeed, at present, the company has upwards of 12,300 long-standing customers and at least a thousand partners. It also receives as many as 50,000 inbound emails a day. In other words, a quarter of a million inbound emails per working week! Solely considering the sheer number of clients and partners, as well as the immense influx of emails, the risks of a phishing attack are heightened multi-fold. One of the principal problems that Softcat has observed in the market is the compromise of business emails. On numerous occasions, a third-party suffers a phishing attack and the account becomes compromised. The account then sends out malicious emails to its contacts, including Softcat. At this stage, the risk is very high as the email appears to originate from a legitimate, known contact. Implementation. The implementation of KnowBe4’s training programme could easily be described as seamless as well. Under the sole supervision of an apprentice, Softcat was able to have the programme up and running in less than two months. Whenever a roadblock was hit, the customer relationship manager at KnowBe4 was quick to provide support. Indeed, Mark praised KnowBe4’s customer service as “second-to-none”, giving more time to the senior IT personnel to focus on other, more pressing jobs. Results. KnowBe4’s training content range as well as customisation options are among the most advantageous aspects of the service to Softcat. That, plus the frequent reminders and ease of use, allows Softcat’s employees to be efficiently made aware of the risks of operating online in the modern day. The fact that the programme runs without a huge administrative overhead is especially appreciated by Mark and his team of four, who have a heavy workload as it is. In the near future, Mark plans to build a phishing campaign that closely mimics the business email compromises that he sees occurring from within the supply chain. The great selection of email templates available through the KnowBe4 platform, as well as the option to customise templates will be beneficial in this process. The main goal for Mark going forward is to significantly reduce the baseline of 12%. “The more that employees are able to identify a phishing email, the more effectively and swiftly the IT team can spin off a workflow to neutralise the threat and safeguard the company’s cybersecurity.” – Mark Overton Head of IT Security, Softcat

Telkom South Africa (SA), a leading telecommunications service provider, invested in ongoing employee training and development to ensure cybersecurity awareness and compliance. In an evolving cybersecurity landscape that places employees and organisations at risk of fraud, theft and infiltration, this level of training is critical to ensure corporate compliance to privacy/data protection laws and individual security. Challenge. For Telkom, it was critical that the training offering not only meet budget requirements, but that it be as extensive and engaging as possible. It had to change the culture of thinking within the company and provide employees with the tools they needed to remain aware outside of the organisation as well. Three key elements comprised the cybersecurity training process: the learning platform, the baseline phishing assessment (phishing simulator), and the Phish Alert Button (PAB). The learning content was developed for the South African audience and included focused and relevant information that didn’t bombard the users. The training had to be short, smart and targeted so that employees could take the training sessions in under 10 minutes. “We wanted our employees to think twice with every click. The first test saw a number of people fail and we plan on running a second test later in the process.” Results. The KnowBe4 engagement was a complete success for Telkom SA, introducing relevant and targeted training materials to a wide-ranging and diverse employee pool and achieving impressive engagement targets. KnowBe4 worked closely with Telkom to customise the offering and create a training platform that worked within their specific requirements and goals.

Challenge. Targeted social engineering attacks are the most fruitful for cyber criminals, which is why the frequency and sophistication of these types of attacks are guaranteed to increase. Guido Angelo Ingenito, Group IT Manager, TXT e-solutions is very well aware of the problems that organizations can face with social engineering attacks, which is why educating employees about the dangers is so important. Implementation. Having a security awareness training provider that delivers a wide variety of content is far less expensive than what they thought. Also, the efforts required to manage the platform are much less than what they expected. The value of having employees trained on security topics far exceeds the minimal cost of purchasing the KnowBe4 platform. TXT e-solutions even made KnowBe4’s security awareness training a requirement for all employees. And the IT has received feedback from a few of the employees within the company on the effectiveness of the simulated phishing campaigns. Now, employees come up to the IT Support Team to double check suspicious looking emails before clicking on them, which helps to more effectively block real spam sources. Results. TXT e-solutions saw a significant drop in their Phish-Prone Percentage from 17.4% to 0.7% over a period of five months. “In order to fight an ongoing threat of phishing, we have adopted the KnowBe4 security awareness platform to educate our users about phishing and anti-phishing techniques, use security protection and report suspicious activities. By doing so, we have reduced exposure to fraud and identity theft. The most effective fix to phishing is training and KnowBe4 is the right tool for it. Phishing and training campaigns have proven to be effective; we have fewer users clicking on phishing emails since the beginning. You can easily change the difficulty levels of the email campaigns for your more experienced users. KnowBe4 helps us to raise awareness of social engineering attacks. Great company; good pricing; solid training. Highly recommended.” – Azamat Uzhangaliyev Successful Outcomes

• A drop in Phish-Prone Percentage from 17.4% to 0.7% in five months
• KnowBe4's offerings were far less expensive than what they thought
• Employees now come to the IT Support Team to double check suspicious looking emails before clicking on them