There isn’t a Technology:Security category, so this one seemed like the next best option. I’ve been impressed with the offering that KnowBe4 offers our users: essentially, they have some training videos for our staff to better understand the inherent risks with email phishing, how to spot it, and what actions to take if they see it. Then, we can do random audits at any time so they’re somewhat regularly practicing. Cost is about $15/user/yr.
Why is this something you would or wouldn’t pay for? Thanks for your input!
They’re a pretty well-known enterprise company that is one of the top phishing-testing companies. I’d probably be pretty comfortable using them if you find $15/year of justification in value per user, especially if this includes the phishing testing where you can send fake phishing emails and see how your staff responds. I know someone at a rather large company who has used the phishing testing to justify additional security budget, and he really likes the ability to have users who fall for it be directed to training immediately.
Their Outlook plugin for reporting phishing attempts looks slick as well, just started considering playing with that in the last few days when I get the chance.
We’ve tested the platform and really like it but haven’t had any customers interested in paying the costs for it.
If you wanted to gauge your impact or need, duo security now offers a free phishing test platform to see how vulnerable your users are. We haven’t tested it yet but I fully intend to.
UPDATE: I just found out we DO have a client that signed up for services and they used the free KnowBe4 phishing test to justify the costs. Their HR department has helped drive this (and yes…it’s a church client).
I didn’t realize KnowBe4 also offered a one-time free test just like Duo does.
That’s good to know about duo security, they get generally glowing reviews. I agree we find it hard to find companies who both are interested in security and are willing to put their money where their mouth is, especially on the smaller end. If you’re not large enough to have an in-house security staff and actually do so, it is generally difficult for business owners to see an ROI on much of a security investment beyond the very basics (much less have whatever it is implemented properly).
Unfortunately once you’re large enough for your own security staff you also likely have a mountain that can never be fully climbed because the rest of your environment is so large as well…
I think the stat I heard most recently quoted on the Startup Security Weekly Podcast Shownotes Wiki podcast is that most small and medium businesses spend an average of 0.4% of their budget on security right now? That’s not going to go very far most places, and remember, the average means half spend less…
Yep, we got the free test. 4 ppl (10%) failed the test, by clicking the link… And this wasn’t even a tricky one. So it made me think that in addition to tightening up our inbound email restrictions (thanks guys for helping with that yesterday), maybe they’d appreciate some extra coaching that we could provide them.
I agree, getting them to buy into the time will be the trickiest thing.
We are using it. I’d have to look but I know our cost was under $15 per user. Pretty sure we got a NFP discount from them. My first phishing test got a 28% click rate so we feel it’s worth the money if it helps prevent a social engineering hack.
Their support is great and the program is easy to use. Lots of phishing templates to choose from including new current event ones being released all the time. They’ve just added AD integration plus a new ransomware simulator to test how effective your existing security is.
I haven’t launched any of the training modules yet but will be doing that soon. I’m a fan and highly recommend it as more and more it seems our weakest hacking link is our people.
We use Phishing Frenzy to send test phishing emails to our staff. The application is free. We run it on a $5/month server at digitalocean. It does take a little effort to set up, but has worked very well. It comes with a few templates, and we create our own based on actual emails that we receive – either actual phishing attempts or real emails that people are likely to receive (package delivery, password reset, news alerts).
The phishing tests have greatly increased awareness among our staff, but it also reveals that there will always be some people (and not necessarily the same ones each time) that will click on a link or enter their credentials into a form.
It’s been a real eye-opener. I think having an anti-phishing training program is essential.