- Unicorn cybersecurity startup KnowBe4 is reportedly preparing for an IPO.
- The company sells cybersecurity training and tries to trick its customers' employees into clicking on fake emails and phony social media notifications.
- This kind of training is more important than ever as remote work has left employees particularly susceptible to social engineering attacks, as evidenced by a hack on Twitter and other attacks.
Cybersecurity training startup KnowBe4 is anything but dull: It has a rumored initial public offering on the horizon, a legendary, convicted-felon hacker helping to lead the company, and routinely catfishes its paying customers.
Its eccentric tactics come in handy, because training employees on safe cybersecurity practices has never been more important than it is now with millions of people working remotely, far from the oversight of IT staff.
There are lots of interesting things about KnowBe4, beginning with its possible public offering. A mammoth $309 million private equity funding round in June 2019 gave KnowBe4 a billion-dollar valuation, and the 1,000-employee Florida firm is readying itself for an IPO, Reuters reported earlier this month.
KnowBe4 CEO Stu Sjouwerman is firmly tight-lipped about the rumored IPO – which sources told Reuters could come later this year or early 2021 – as is lead investor Kohlberg Kravis Roberts. But that is virtually the only topic that the colorful company is reticent about.
KnowBe4 tries to trick its customers with social engineering ploys – enticing employees to click on malicious links or provide access to company data and systems – then follows that deception with interactive training in a dizzying variety of formats. "Some people like animation, some people like to walk through slideshows, some people like live-action. We've got all that," says Sjouwerman. All of its trainings seek to avoid jargon and pique interest with challenges and games.
The one-two punch of trickery and engagement is a stark contrast from the typical, plodding security training, KnowBe4's chief says.
"Security awareness training in the past was essentially: Herd everyone into the break room, keep them awake with coffee and donuts, and then it's death by PowerPoint," says Sjouwerman. "They tend to use all kinds of technical terms where your average employee immediately shuts down and falls asleep."
The cybersecurity industry routinely discusses terms like "homomorphic encryption standardization" (rules for working with computer code that is not visible for security reasons), and multi-vector attack surface (places where companies are vulnerable to hackers). Sjouwerman says that's more than just a turn-off to average workers: it endangers them.
"The amount that this industry throws around acronyms and jargon is one of the issues that causes people to not understand their own risks," he says.
Perhaps the least-boring thing KnowBe4 has done – which is saying a lot considering it often opens presentations with card tricks – is hiring a legendary hacker and convicted felon as a top executive.
Kevin Mitnick, once considered the world's most famous hacker, spent five years in prison for fraud. He claims the sentence was as long as it was because the US was afraid he could launch a nuclear war by "whistling into a payphone" to hack servers triggered by sounds.
Now a tech evangelist and security expert, Mitnick has the role of "chief hacking officer" at KnowBe4. And at KnowBe4, having a convicted fraudster as a leader when you're apparently gearing up for an IPO makes perfect sense.
"It gives us instant credibility. You have a thought-leader who used to be a digital delinquent himself, went to jail, turned his life around," says Sjouwerman. "Kevin is my business partner. I gave him half the company. I had the choice between owning 100% of a muffin or owning 50% of a really large pie. I chose the pie."
KnowBe4 has a big piece of the cybersecurity training pie, with other smaller startups including Elevate Security, RangeForce, and Curricula.
"We are the 800-pound gorilla in this space," Sjouwerman says.
The social engineering aspect – actually testing employees to see if they click bad links or give outsiders access – is a differentiator, he believes. During the COVID-19 remote work period, Twitter and other companies have been hit by significant attacks that tricked employees.
KnowBe4 helps its customers test employees by leaving thumb drives with enticing names at their workstations, or by sending them what seem to be social media notifications but are actually phishing lures of the kind criminals use to capture employees' data.
"Bad guys can hack hardware, and that's like three months worth of work. They can hack software, which is maybe three weeks. Or they can hack humans, which takes three minutes."
Sjouwerman walks the walk when it comes to social engineering. After an interview with Business Insider, he craftily sent an email that "spoofed" the reporter's email address, so it looked like the reporter sent it.
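The spoofed-sender trick described above works because the visible From: header is just text the sender chooses; what a receiving mail server can actually verify is the envelope sender and the SPF/DKIM/DMARC results it records in the Authentication-Results header. The following is an added example of a defender-side check, not code from KnowBe4 or from the article: it parses a message and reports reasons the From: address should not be trusted. Both sample messages, the example.com/example.net domains and the header values are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed sample: From: shows the recipient's own domain, but the
# envelope sender is a different domain and the receiving server
# recorded a DMARC failure for the From: domain.
SPOOFED_SAMPLE = """\
Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Reporter Name" <reporter@example.com>
To: reporter@example.com
Subject: Re: our interview

Did you see this?
"""

# Constructed sample: envelope sender and From: agree, DKIM and DMARC pass.
LEGIT_SAMPLE = """\
Return-Path: <reporter@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Reporter Name" <reporter@example.com>
To: colleague@example.com
Subject: notes

Attached.
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return reasons the From: header of raw_message should not be trusted.

    An empty list only means none of these checks fired; a look-alike
    domain the attacker legitimately controls would pass all of them.
    """
    msg = message_from_string(raw_message)
    reasons: List[str] = []

    # Check 1: the From: domain should match the envelope sender domain
    # (Return-Path is written by the receiving server from the SMTP envelope).
    from_domain = _domain(msg.get("From", ""))
    return_path_domain = _domain(msg.get("Return-Path", ""))
    if from_domain and return_path_domain and from_domain != return_path_domain:
        reasons.append(
            f"From domain {from_domain} differs from envelope sender domain {return_path_domain}"
        )

    # Check 2: the receiving server's DMARC verdict for the From: domain.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dmarc=fail" in auth:
        reasons.append("DMARC evaluation failed for the From domain")
    elif "dmarc=" not in auth:
        reasons.append("no DMARC result recorded by the receiving server")

    return reasons


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, spoofing_indicators(sample) or ["no indicators"])
```

The check only trusts the Authentication-Results header written by your own mail server (mx.example.com in the sample); a sender can forge that header too, so production filters strip or ignore any copy that arrives from outside. It is also why a domain with a DMARC policy of reject is much harder to impersonate this way than one with none.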