How is everybody going with security awareness training?
Posted by nman112@reddit | sysadmin | 43 comments
How's everyone going adding it to the growing list of tasks? There are so many vendors to choose from these days! They keep popping up; it must be difficult to determine which is the best product.
If someone created a service to bundle the good ones for your picking and streamline the process, would that be helpful?
monkeymagic2525@reddit
I use Culture AI. It's a Human Risk platform. I don't touch it for admin except to do my own training and review results.
All training is a tick-and-go exercise with 12-15 per year, and Just in Time training after a clicked phish simulation.
Staff love it and training is informative and bite sized. We have a leader board and reward success with it.
Simulations are randomised as well as localised (we have another non-English office).
We had KnowBe4 and honestly I hated the admin. Hated the awful interface too.
SomeWhereInSC@reddit
What's the price per user on Culture AI?
Advanced_Ball5132@reddit
Check out "Bob's Business" if you're looking into Culture AI. A cheaper alternative, and their service is fantastic. We have been using them for over 3 years now.
monkeymagic2525@reddit
Always open to looking into other products to keep it fresh. Thanks
monkeymagic2525@reddit
It was 3.5k compared to over 5k for KnowBe4 so quite a big saving. I'd have gone for it even if there wasn't a saving. The onboarding from them was also first rate and continues to be.
Advanced_Ball5132@reddit
Check out "Bob's Business". They're smaller than KnowBe4, but that's what we've found sets them apart. Their dedicated account management is great, and they do a lot of the heavy lifting for us. They also offer fully bespoke campaigns & simulations.
_510Dan@reddit
Currently with KnowBe4. Looking at switching over to HoxHunt.
SomeWhereInSC@reddit
Be kind and post your per-user pricing on Hox...
Crafty_Individual_47@reddit
Hoxhunt. Tested a few from Microsoft, KnowBe4, Sophos... and it is just on another level.
SomeWhereInSC@reddit
Price per user on Hox?
Brufar_308@reddit
KnowBe4 for phishing testing.
Our state has rolled out more comprehensive training for state and local government that is free to us. It includes more technical training for IT personnel as well as risk management training for decision makers. And it has a second phase for getting all those other aspects in place: formal response plan, business continuity, etc.
Tax dollars actually being used wisely in this day and age with all the targeted attacks on govt entities.
Loud_Mycologist5130@reddit
Our org uses KnowBe4. The team that sends them out has no complaints with it. I've had users complain that we don't warn them of pending tests, but otherwise zero issues on my end. We have it set up so if they fail one they get another training, then down the road another test. Had one user fail over and over again despite training and my advising them that it's easier to just delete and move on with your day vs clicking, realizing you made a mistake, then asking us to "undo it".
kuldan5853@reddit
The answer is always KnowBe4, and be done with it.
nman112@reddit (OP)
Do you ever consider changing or just stick with them?
kuldan5853@reddit
Eh, it works pretty well for us if you set it up right. Pricing is also alright at the moment.
Haven't seen a need to re-evaluate the market again since we introduced this (5ish years ago).
nman112@reddit (OP)
Wow, that's pretty consistent usage. When it's set up right, do you need to interfere with it much? Also, what do you mean by "set it up right"?
kuldan5853@reddit
There are some defaults, like pushing phishing tests out to everyone at the same time, that are pretty bad in my opinion, and also some of the phishing tests are more or less quite simplistic, so to make them more realistic you will want to customize them to your org.
But once it's set up, the main interaction you'll have is to decide which user groups get which kinds of training, and to keep them up to date with the times; we also built some custom trainings ourselves.
nman112@reddit (OP)
Sounds pretty comprehensive. Do they get involved with the setup much?
RuggedTracker@reddit
We use "Pistachio". Easiest solution I've ever seen. I had two meetings with them, one as a demo and one when we went live. All I had to do was accept that they could read info from our Intune tenant and roll out a new phishing button to Outlook. Took maybe 5 minutes in total.
They stagger phishing, tailor it to our users (e.g. people in Sales get sales-related phishing), send out training emails with a little quiz, and generate pretty reports that the auditors and management like.
Personally I'm in the "phishing training is a waste of time" camp, but we implemented this because the auditors demanded it (same people who wanted us to do forced password changes as well... at least that one I managed to shoot down). Their product does everything on its own and our users haven't complained much, so I'm happy.
I am guessing they don't provide any other services, because I have not gotten a single upselling attempt either. Amazing.
siedenburg2@reddit
We implemented it about 2 months ago, and there is a personal contact person who also does the basics with you.
kuldan5853@reddit
I wasn't on the team that did this initially, but as far as I remember I at least didn't hear people complain about the process, so it seems it was pretty smooth.
CaterpillarFun3811@reddit
You can usually get a kb4 rep to assist if you need it.
nman112@reddit (OP)
No complaining is always good. Thanks for sharing mate.
Shujolnyc@reddit
It works fine; just be sure to configure it correctly.
Don't send the same email to everyone.
Use the role groups.
Select the entire pool of emails and let it rotate across all employees on a periodic basis; it makes the groundhog effect very unlikely.
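The configuration advice in this comment (stagger sends, use role groups, rotate the whole email pool) and kuldan5853's point above about the bad default of pushing one test to everyone at once, as an added scheduling example. This is constructed illustration code written for this page, not code from any vendor or commenter; the users, role groups and template names are made up.

```python
import random
from collections import defaultdict

# Constructed sample data: users with a role group, and a lure-template pool
# tagged with the role groups each template fits ("all" = everyone).
USERS = [("alice", "sales"), ("bob", "sales"), ("carol", "finance"),
         ("dave", "it"), ("erin", "it"), ("frank", "hr")]
TEMPLATES = {"quote_request": {"sales"}, "invoice_overdue": {"finance"},
             "vpn_cert_expiry": {"it"}, "benefits_update": {"hr"},
             "shared_doc": {"all"}, "password_reset": {"all"}}

def pool_for(role):
    """Every template that fits the given role group."""
    return [t for t, tags in TEMPLATES.items() if role in tags or "all" in tags]

def unseen_for(role, seen):
    """Templates this user has not received yet. Once the whole pool has been
    used, the user's history is reset so the pool rotates instead of running dry."""
    unseen = [t for t in pool_for(role) if t not in seen]
    if not unseen:
        seen.clear()
        unseen = pool_for(role)
    return unseen

def plan_campaign(users, history, days, rng):
    """Give each user one template and a send day. Members of a role group are
    spread over different days, and on any one day a group is not sent the same
    lure twice where the pool allows, so the office never sees one email at once."""
    plan, by_role = {}, defaultdict(list)
    for user, role in users:
        by_role[role].append(user)
    for role, members in by_role.items():
        rng.shuffle(members)
        used_on_day = defaultdict(set)      # day -> templates already sent to this group
        for i, user in enumerate(members):
            day = i % days                  # stagger sends across the campaign window
            choices = unseen_for(role, history[user])
            fresh = [t for t in choices if t not in used_on_day[day]] or choices
            choice = rng.choice(fresh)
            history[user].add(choice)
            used_on_day[day].add(choice)
            plan[user] = (choice, day)
    return plan

def run_campaigns(users, rounds, days=5, seed=1):
    """Run several periodic campaigns, carrying each user's template history forward."""
    rng, history = random.Random(seed), defaultdict(set)
    return [plan_campaign(users, history, days, rng) for _ in range(rounds)]

if __name__ == "__main__":
    for n, plan in enumerate(run_campaigns(USERS, rounds=3), 1):
        print(f"campaign {n}:", plan)
```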
tarkinlarson@reddit
Unfortunately they've not been very responsive with bugs or flaws recently and their platform doesn't seem that innovative.
What they could do with is improving...
Don't get me wrong, I think they're currently the best, but I feel they've become complacent... Someone will challenge them, and it'll not be from a security space; it'll be like an HR platform or other L&D system.
Sushi-And-The-Beast@reddit
Stop asking these questions. These are questions for management and the CTO.
Focus on keeping that Server 2008 off the internet.
Craptcha@reddit
Made a free one if you want to take a look: cyber101.com
fubes2000@reddit
Ark161@reddit
Wanted to add to this that you need to have more frequent and advanced tests for IT staff. You would be surprised how many of us get super cocky and let our hubris get the best of us.
outofspaceandtime@reddit
Should have a think about it again tbh. Management rejected the expense for this year, a discussion which led to my being granted more ownership of the budget.
I think SoSafe would be a better fit than KnowBe4 for my org, but price-wise KnowBe4 has a good package deal.
bad_brown@reddit
To answer your last question, no. I just sign up for services myself, assign them to myself, and test for myself.
It's really not that hard of a lift.
Extension_Guitar_819@reddit
PII Protect. The videos are funny sometimes and are quick, usually less than 2 or 3 minutes, with 4 questions for each.
I don't have any hard numbers, but the number of "I clicked an email and my computer BSOD'ed (or crashed)" certainly went down a lot. Conversely, we now get way more calls and tickets from users asking if an email or attachment is safe, which makes for a lot fewer late nights cleaning up messes than before we started using it.
post4u@reddit
Mimecast. We use them for mail security already and they are great. Is their awareness fantastic? Meh. But it's not worth going with another vendor. It satisfies compliance.
Megafiend@reddit
KnowBe4.
I think the content is over-Americanised, corporate-sounding, poorly acted piss, but it does the job and management are happy with it.
981flacht6@reddit
Using Fortinet Security Awareness Training right now.
Because of my industry they are giving it for free.
tucrahman@reddit
Ninjio here. Our users like their content.
Sushi-And-The-Beast@reddit
KnowBe4, because never mind their breach. Just need to check a box!
secret_configuration@reddit
KnowBe4. Training on a semi-annual basis, monthly phish test. Those who fail get enrolled in additional remedial training.
nman112@reddit (OP)
Very nice, do they enjoy the additional training?
wpbguy69@reddit
KnowBe4 here as well. I have an account rep who even calls every couple of months, and we set up the ongoing training and tweaking of the account.
ToddSpengo@reddit
We use KnowBe4. Have their full suite. It's nice and convenient.
nman112@reddit (OP)
Thanks for the comment, I'll check it out!