UPDATED 11:56 EST / JANUARY 15 2025

KnowBe4's Roger Grimes talks with theCUBE about social engineering at the Cyber Resiliency Summit.

How training and awareness are reshaping cyber defense strategies

Social engineering isn’t just a cyber risk — it’s the cyber risk.

Despite advancements in security technologies, attackers continue to exploit human vulnerabilities with remarkable success, bypassing technical defenses through clever deception, according to Roger Grimes (pictured), data-driven defense evangelist at KnowBe4 Inc.

“Since the beginning of computers, social engineering has been the number one way, by far, that devices, networks and environments are compromised — social engineering, and, in particular, email phishing,” he said. “If an organization gets compromised by hackers, malware, ransomware or something like that … it usually involves social engineering. Then, everything else besides social engineering and patching … doesn’t even account for 10% of the risk. If you’ve got one cause like social engineering … and you’re not trying to effectively mitigate it, the rest doesn’t matter.”

Grimes spoke with theCUBE Research’s Christophe Bertrand at the Cyber Resiliency Summit, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the persistent threat of social engineering, the growing role of AI in cyberattacks and how organizations can mitigate risks through security awareness training. (* Disclosure below.)

Social engineering is the top cyber threat

Social engineering is responsible for 70–90% of successful data breaches, making it the most significant cyber risk organizations face today, according to Grimes. Unlike technical vulnerabilities, these attacks exploit human behavior, relying on tactics like email phishing to deceive users.

“I think one of the reasons why social engineering is so targeted is that it’s [been] so successful for so long,” Grimes said. “If I trick you … send you an email pretending to be somebody that you might [know], and I ask you for your login name and password, and you’re tricked into inputting that, well, that works whether you are using Windows, Mac, Linux or Chrome [operating system].”

AI-enabled tools have amplified the threat, allowing attackers to craft more convincing messages and mimic industry-specific terminology. Phishing attempts have become increasingly sophisticated, with fewer telltale signs such as typos or odd phrasing, Grimes explained.

“I think a lot of us, for probably two or three decades, when we got some sort of a spam or social engineering, it would a lot of times have typos in it,” he noted. “The language would be weird … because many times attackers are coming from countries where our language is not their first language.”

Reducing risk with education

Despite social engineering being the root cause of most breaches, less than 5% of IT security budgets are allocated to combat it, according to Grimes. Comprehensive security awareness training at all organizational levels helps bridge this gap.

“When I’ve been in board rooms, I think the average board [member] thinks that the number one problem is unpatched software,” Grimes said. “That is a big problem, but it’s number two, and it’s only 33% of the problem.”

Effective training programs go beyond the basics, equipping employees with the knowledge to recognize, report and respond to social engineering attempts. Regularly scheduled phishing tests and immediate corrective feedback are key components of successful strategies, according to Grimes.

“We consider an effective security awareness training program to be one where the end user’s getting training [of] some sort, even if it’s only a few minutes, at least once a month,” Grimes said. “You’re giving them tools to easily report suspicious social engineering attacks.”

Organizations with strong training programs see dramatic results, Grimes added. Fewer than 3% of KnowBe4’s customers have been compromised, compared to a global average of closer to 40%.

“Only 2.37% … of our customers have ever been compromised and are far less likely to be breached or compromised once they are our customers,” he explained. “It really shows you the value of having an effective awareness training program and reducing human risk.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE Research’s coverage of the Cyber Resiliency Summit:

(* Disclosure: KnowBe4 Inc. sponsored this segment of theCUBE. Neither KnowBe4 nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
