KnowBe4, the cybersecurity platform that comprehensively addresses human risk management, today released a new white paper that provides data-driven evidence on the effectiveness of security awareness training (SAT) in reducing data breaches. Over 17,500 data breaches from the Privacy Rights Clearinghouse database were analysed along with KnowBe4’s extensive customer data to quantify the impact of SAT […] The post KnowBe4 Research Confirms Effective Security Awareness Training Significantly Reduces Data Breaches appeared first on IT Security Guru.

  • ExtremeDullard@lemmy.sdf.org
    7 upvotes · 22 days ago

    Oh well what a surprise… KnowBe4 confirms that the bullshit corporate “training” KnowBe4 sells is effective. Color me surprised…

    If you don’t know KnowBe4, here’s a perspective from yours truly who works in a company that inflicts it on its employees:

    Basically, once every few weeks, you’re supposed to hit KnowBe4’s website and follow a “training” module. It can be anything from data security, how not to get phished, workplace security…

    So you go to that website and you’re forced to watch video after video of really dumb, really obvious shit on the subject at hand, created by marketdroids who really cranked up the corporate-speak volume to 11. It’s maddeningly stupid and you really want to skip through it because it’s so damn obvious and infuriating, but you can’t! If you do, you fail the module. But you can fast-forward it and put it in the background at least.

    Then it pops a multiple choice question about the really obvious video you just (didn’t) watch. Again, with really stupid obvious answers. You’re supposed to select the right answers to show you’ve learned whatever the video talked about. If the video was in the background because you were doing actual, useful stuff instead of wasting your time watching this tripe, remember to answer the questionnaire in time or you fail the module.

    Do this a few times, and after 10 to 15 minutes, voila! You have now been trained.

    Of course, since you don’t have time for this nonsense and there’s real work to do, you can put off doing it. But after a few months, you’re 10, 12, 15 “trainings” behind and HR starts breathing down your neck. So at some point you relent and spend half a day clearing the backlog of unskippable KnowBe4 training sessions designed for 5-year-olds with a learning disability.

    It’s a complete time-waster. It’s long. It teaches you almost nothing of value. It immerses you in a terrible world of bland corporate imagery, fake inclusivity and maddening AI-generated voice-over. It wastes countless man-hours across the entire company that could have been used productively.

    But my employer isn’t one for BS. So I got curious at some point and asked my boss why we use KnowBe4, and he finally gave me the key to that particular company’s scam.

    He told me: “Well, it’s not really of any value, but it’s the only online training package that’s quick enough and cheap enough to satisfy legal and insurance requirements. So for example, if the insurance company lowers rates if the staff is fire-hazard-aware or threatens to withhold payouts in case of a fire if they were not, we buy a training package from KnowBe4 on the risks of fire and have everybody go through it. It’s cheaper to waste everybody’s time for a while than risk trouble with the insurance company and it’s cheaper than bringing in actual professionals to do an actual training session.”

    That’s it. That’s KnowBe4’s entire business model: fake training for compliance.

    My advice is this: if you work in a company that doesn’t use KnowBe4, go have a drink to celebrate because you’re one of the lucky ones.

    • originalucifer@moist.catsweat.com
      4 upvotes · 22 days ago

      I have a slightly different take…

      it’s great at showing absolute laymen how to spot potentially malicious emails, and then regularly test them on that via actually faked emails (not the multiple choice thing).

      even if all it does is get the ignorant to be slightly more careful/suspicious of their email so they don’t have to retake the class, it’s totally worth it. sounds like you are not the actual target audience.

      it also generates a list of idiots who work for you when they consistently fail. also worth it.

      • ExtremeDullard@lemmy.sdf.org
        4 upvotes · 22 days ago

        > sounds like you are not the actual target audience.

        Neither is our entire company then. We’re a small outfit producing high-tech optoelectronic products, and even the least qualified worker in the assembly line works with computers in clean rooms all day long and has a 2-year degree. There is literally nobody in our company who’s the target audience for KnowBe4’s particular brand of training for the mentally feeble: the company buys KnowBe4 training solely for compliance.

        > it also generates a list of idiots who work for you when they consistently fail. also worth it.

        I didn’t consider the use of KnowBe4 from that angle 🙂 Interesting.

        • baconman1945@lemmy.world
          3 upvotes · 22 days ago

          Some of our users are not technical at all. The initial training was reported as beneficial by all of those users. The ones that wanted to enjoy the games spent an hour or two on it, and the ones that didn’t cruised through the entry module in less than a half hour. The intermittent test emails are nice to keep those users’ spidey senses alert, and one of them actually clicked a link in a test email and got rickrolled on KnowBe4’s website.

          I can definitely see how it’d be annoying because your team is comprised of experts.

          • ExtremeDullard@lemmy.sdf.org
            1 upvote · 22 days ago

            > I can definitely see how it’d be annoying because your team is comprised of experts.

            Yeah but… Define expert.

            My grandchildren know more than what those KnowBe4 slides teach. The cleaning ladies who come twice a week are probably more astute when they receive phishing emails. The only people I can think of who might benefit are employees who are very close to retirement, who don’t normally work with computers and who are very uncomfortable with technology, and that raises the question: if they made it so far without computers, why would you teach them about computers now?

            I’m not against online training. I can see the potential. But the training sessions we’ve had to suffer through for the past 3 years wouldn’t be out of place in a mental institution for children. They are seriously, seriously dumb.

            I have to believe there are levels of expertise that KnowBe4 can provide, because all their material can’t be that dumb, and that somehow we’ve only been exposed to the bottom of the barrel. But then I totally fail to see why our management would have chosen those courses over something more useful for us specifically.

            • wizardbeard@lemmy.dbzer0.com
              3 upvotes · 22 days ago

              I have experience in an internal IT helpdesk position. All I can say is that you are greatly overestimating the computer competency of the average person.

              Your workplace also sounds like an exception in terms of competency.

              Also, maybe you should ask the powers that be if they have to assign so damn many. I work in the finance/banking industry. We only have to do an average of two per quarter where I work. Enough that it’s somehow possible to be 10 or more behind sounds absolutely soul destroying.

    • mwguy@infosec.pub
      1 upvote · 21 days ago

      Small tip, you can generally use the accessibility features to look at the transcript and skip ahead using that.