Knowledge Feb 28, 2024 Cyber Security for 2024

This month’s issue introduces Security Awareness and Training (SA&T) as one of the measures to be considered for the fiscal year 2024, taking into account the recent trends in cybersecurity incidents that were discussed in the previous blog. 

Due to the pandemic of the COVID-19, employees have found themselves spending unprecedented amounts of time online. Along with this shift, there has been a significant increase in email-based attacks such as phishing and targeted attacks, using recipients as the focal point. As employees continue to work remotely from home, it is crucial for awareness of security to extend beyond the boundaries of the office to encompass both the office and home environments. Currently, it is essential to promote a culture of "security anywhere" to address these challenges. 

Security measures for IT systems such as network equipment and servers have traditionally been a routine expenditure for many companies. However, with the increasing cyber attack tactics like phishing, which specifically target the vulnerable aspect of "human" behavior, it is crucial for companies to recognize the need for additional security measures. Unlike conventional security focused on hardware and software, these attacks exploit human vulnerabilities. Therefore, it is imperative for companies to reassess their awareness and training programs to address and counteract these evolving threats effectively. 

As a measure against attacks targeting individuals, there is something called "Security Awareness." This aims to foster awareness in individuals to recognize IT security issues and respond appropriately. However, since it is primarily intended to raise "awareness," it is insufficient as a standalone measure. Therefore, to actually enable individuals to take action, "training" becomes necessary as a set. 

Up until now, there has been training for employees that involves mandatory viewing of videos on security risks. However, with the increasingly sophisticated tactics employed by hackers, the effectiveness of such traditional styles of security education has reached its limits. 

In this article, we would like to introduce the program from KnowBe4, which received the highest ratings in recent years in the Security Awareness & Training Solution Report by FORRESTER Research. 

KnowBe4 is an integrated web platform that combines security awareness training with phishing simulation, analysis, and reporting. 

KnowBe4 takes below steps to increase security awareness and implement trainings effectively: 

1. Base Line Testing
   Through free simulated phishing attack tests, the platform assesses the susceptibility of each employee to potential attacks, using the Phishing-Prone Percentage (PPP) as a benchmark to evaluate the baseline situation before training.
   
   
2. Training
   The awareness training includes interactive modules with various materials, such as videos, games, posters, newsletters, etc. As an option, gamification features allow employees to engage in training tasks with a game-like experience, compete with colleagues using a scorecard, earn badges upon clearing certain levels, and enjoy the whole training process. Additionally, the platform enables adaptive learning based on each participant's behavior and attributes. 
   
   
3. Phising Test
   The platform conducts automated simulated phishing attacks with a vast array of templates, enabling various types of tests. The content of phishing attacks can be customized based on individual participant information, allowing for targeted attack scenarios. Additionally, the platform supports the inclusion of disguised attachments in various formats (Word, Excel, PowerPoint, and zip files). 
   Furthermore, when an employee mistakenly responds to a simulated phishing email, the platform provides appropriate advice and guidance.
    
4. Test Result Analysis
   The platform generates reports using statistical and graphical analysis that correlate training progress with phishing test results. This allows for the visualization of Return on Investment (ROI).  

Continuously conducting phishing tests leads to a steady increase in employees' response levels. In a report published by KnowBe4, initial assessments revealed that 33.2% of employees fell for phishing emails. However, after undergoing training and participating in monthly phishing tests, the results showed a significant improvement. After 12 months, the susceptibility rate was reduced to 5.4%. This demonstrates the effectiveness of ongoing training in enhancing employees' ability to recognize and resist phishing attempts over time. 

Thank you for reading this month’s issue from KDDI America!
We strive to protect our customers from various cyber attacks!