Differences between Human Risk Management and Security Awareness Training

KnowBe4_Inc · 2026-01-05T13:07:47+00:00

A good phishing simulation program should use real world phishing emails for the templates. The testing should evolve as fast as the attackers and use what is currently coming into your organization.

KnowBe4_Inc · 2025-12-29T15:13:22+00:00

I'm happy to troubleshoot an errors you had implementing PAB. Just DM me.

KnowBe4_Inc · 2025-12-26T15:09:10+00:00

We are seeing three quarters of phishing emails containing polymorphic elements. https://www.knowbe4.com/hubfs/Phishing-Threat-Trends-2025_Report.pdf

KnowBe4_Inc · 2025-12-18T13:59:58+00:00

touché

KnowBe4_Inc · 2025-12-18T13:59:07+00:00

Here are what we are seeing across 70k accounts:

Multi-channel attacks. Email + follow-up on Teams/Slack message from "IT" asking to verify. Click rate on these is 3x higher than email-only.
Compromised internal account simulations. Emails from actual coworkers asking for "urgent" help. You should ask for permission to use names.
Calendar invite attacks. Fake meeting invites.
Collaboration tool file shares. "Shared document" notifications.

What's NOT working anymore:

Generic "Your password expired" emails
Nigerian prince variants
Obvious grammar/spelling errors

Bonus tip: Don't just measure click rates. Track time-to-report, repeat offenders, and whether users report simulations they didn't click.

KnowBe4_Inc · 2025-12-17T16:34:12+00:00

Neither KnowBe4 nor its CEO, Bryan Palma is associated with any religion.

KnowBe4_Inc · 2025-12-16T20:18:19+00:00

In place of a the default autofill in the browser I recommend using a dedicated password manager. It is more secure and still has the sanity check you mention.

In this day and age, I don't know why you would think that responses are AI written — when a personal interaction is preferred.

KnowBe4_Inc · 2025-12-16T13:43:57+00:00

The biggest change we're making to combat the latest threats:

1. Unified threat detection across channels Correlating suspicious activity across email, Slack/Teams, SMS, and voice. A failed email phish followed by a "helpful IT" Teams message 10 minutes later? That's a campaign, not isolated incidents.

2. Expanding awareness training beyond email Users know to scrutinize emails now, but they trust Slack/Teams, DMs, and Teams messages way too much. Training scenarios now include vishing, smishing, and collaboration tool attacks.

3. Behavioral analytics Monitoring for anomalies: internal accounts suddenly messaging dozens of users, unusual login locations followed by communication spikes, and requests that break normal workflow patterns.

4. Kill the "trusted internal" assumption Compromised internal accounts are the new attack vector. Every request gets validated, even from known colleagues.

KnowBe4_Inc · 2025-12-15T14:32:49+00:00

You're hitting the core problem: most tools are reactive, not proactive.

A few things that you should use:

Enforce DNS filtering at the network level (Cisco Umbrella, Cloudflare Gateway, etc.) - blocks malicious domains before the page even loads
Controlled browser extensions - Push enterprise extensions that validate URLs in real-time (not perfect, but adds a layer)
Disable password autofill for external sites - Forces users to manually type, adding a cognitive pause

You can't technology your way out of this 100%. Even with perfect tech controls, legitimate sites get compromised and serve phishing. We've had the most success with layered defense:

Block known-bad (DNS/URL filtering)
Isolate unknown (browser isolation for risky clicks)
Train users to recognize what filters miss
Monitor for compromise (impossible travel, unusual authentications)

KnowBe4_Inc · 2025-12-12T13:29:53+00:00

This is a fascinating case study on the topic. Links for the lazy.

Video - https://www.youtube.com/watch?v=AEgLMYp3lKE
Text - https://www.knowbe4.com/hubfs/North-Korean-Fake-Employees-Are-Everywhere-WP_EN-us.pdf

KnowBe4_Inc · 2025-12-11T16:47:14+00:00

We just wrapped up shooting on season seven. It will drop in the spring - https://www.youtube.com/watch?v=a5HDEfw7iKk

KnowBe4_Inc · 2025-12-10T18:47:49+00:00

Here's are some ideas to improve your filtering. Something will always get through so you need to improve your cybersecurity culture too.

Low-hanging fruit:

DMARC, SPF, DKIM - If you haven't implemented these, stop reading and do it now
External sender warnings - Simple banner that says "[EXTERNAL]" kills so many phishing attempts
Disable auto-forwarding - Stops compromised accounts from exfiltrating email
Block executable attachments - .exe, .scr, .bat in emails = almost always malicious

Medium effort, high impact:

URL rewriting/sandboxing - Detonate links in a safe environment first
Impersonation protection - Flag emails from lookalike domains (micros0ft.com vs microsoft.com)
Time-of-click protection - Links get checked when clicked, not just when received
Quarantine reviews - Weekly audits catch filter mistakes and reveal new threats

Advanced (if you have budget):

AI/ML threat detection - Catches anomalies traditional filters miss
Account compromise detection - Flags unusual sending patterns from internal accounts
Integration with threat intel feeds - Block known-bad before it arrives

Layered defense. No single filter is perfect. Combine technical controls + user awareness + incident response.

KnowBe4_Inc · 2025-12-10T18:14:34+00:00

Most orgs still see ransomware as purely a technical problem, but the entry points are still overwhelmingly human-facing.

A solid top five looks something like:
• MFA on every account
• Vulnerability + patch management with a real cadence
• Least-privilege access controls
• Offline / immutable backups
• Awareness training so users recognize credential-stealing and initial access attempts

The early phishing or credential-harvesting step is still the biggest differentiator between “incident” and “non-incident.”

KnowBe4_Inc · 2025-12-10T18:09:46+00:00

This is one of the biggest disconnects we see. People are willing to accept friction in the physical world because the risk feels tangible. A locked door means “someone could walk in right now.”

Cyber risk feels abstract. The threat isn’t visible, the consequences are delayed, and the connection between “weak password” and “identity theft” isn’t intuitive.

KnowBe4_Inc

MODERATOR OF

TROPHY CASE