Archive for KnowBe4

Guest Post – Bringing the Human Back into Cybersecurity: What Values-Based Education Teaches Us About Digital Mindfulness

Posted in Commentary with tags on September 2, 2025 by itnerd

By Anna Collard, SVP of Content Strategy and Evangelist at KnowBe4

Inda Sahota, Group Cybersecurity Office (GCSO) Cyber Culture & Training – Fresenius

Recently, I had the pleasure of speaking with Inda Sahota, the dynamic and deeply empathetic force behind cybersecurity awareness at Fresenius Group. What struck me most wasn’t just her deep understanding of human-centric security, it was how naturally she bridges the gap between personal values and professional practice.

Inda brings her whole self into her work: her empathy, intuition, and a grounding in values passed down from her parents, progressive thinkers and first-generation Punjabi Indian immigrants to the UK. They instilled in her and her sisters a quiet but powerful sense of agency. When cultural voices around them suggested that girls were somehow less capable than boys, her father would respond with a deceptively simple challenge: “But you can eat, can’t you?”

His way of creating initial confusion sparked critical thinking and gently dismantled limiting beliefs that, if left unchecked, could have developed into lifelong insecurities.

Our conversation got us thinking about the intersection of critical thinking, values-based education, self-efficacy, and digital mindfulness, especially in a world where we are exposed to online manipulation on a daily basis. 

From Awareness to Agency

In security awareness design, we often focus on rules: don’t click this, don’t trust that, don’t reuse your password. But what if we focused instead on values? On presence. And on the cultivation of agency and critical thinking, the kind that Inda’s father nurtured in her from a young age? Psychologist Albert Bandura’s concept of self-efficacy, the belief in one’s capacity to act in the face of challenges, is central here (Bandura, xx). Research shows that self-efficacy is a strong predictor of behaviour change, and it has been linked to improved cybersecurity awareness attitudes, knowledge and behaviour (Arachchilage & Love, 2014; Zainal et al., 2021).

As Inda put it: “Resilience is like water. You need to be able to flow.”

In other words, we need to prepare, not just protect, our people. Whether we’re speaking to employees, children, or our broader communities, we need to teach them how to adapt fluidly, not just obey. How to stay present, not just paranoid. “This is about more than cybersecurity,” Inda notes. “It’s about helping people reclaim their agency in a world designed to exploit their attention and emotions.” This fluid resilience allows individuals to:

  • Recognise when they’re being emotionally manipulated
  • Pause before responding to urgent digital demands
  • Stay centred when algorithms try to steal their attention
  • Respond with intention, rather than react impulsively

Presence vs. Performance: The Cost of Multitasking

One of the biggest threats to cybersecurity, by the way, isn’t malware. It’s human error, often linked to distraction, overwhelm and media multitasking. Attention is one of our most compromised assets. Studies show that frequent multitasking reduces cognitive control, impairs memory, and increases difficulty in impulse control (Ophir, 2009; Baumgartner, 2014). People who engage in high media multitasking also engage in riskier cybersecurity behaviours than low multitaskers do (Hadlington & Murphy, 2018).

This fragmentation of attention doesn’t just make us less productive, it makes us more vulnerable. Scammers, phishers, and social engineers exploit us best when we’re rushed, distracted, over-stimulated or overwhelmed, often without our realising it. As a result, mindfulness becomes a cybersecurity imperative, not just a wellness buzzword.

Habits that Shape the Mind

Digital hygiene, like brushing your teeth, only becomes effective when it’s habitual. But forming habits, particularly in high-distraction environments, requires deliberate design. If we want people to pause before clicking a link or to question a seemingly friendly DM, we need to design cues and rewards that reinforce critical thinking. This is where digital mindfulness practices can play a critical role in training the brain.

What Inda’s father modeled for her was a form of cognitive scaffolding. He didn’t control her environment or scare her into obedience. Instead, he provided intuitive frameworks for situational self-awareness, such as: “Have eyes at the back of your head.”

This is a powerful metaphor for living with conscious awareness and for being both vigilant and empowered. And those are precisely the qualities we need to foster in our digital citizens. So how can we apply this to our digital spaces?

Here are five practical ways to build digital resilience starting today.

1. Question, Don’t Lecture

Instead of explaining all the dangers of the internet, ask questions that help people think critically:

  • “What do you notice about how you feel after scrolling for an hour?”
  • “What is the intent behind this narrative, article or social media post?”
  • “What emotions are triggered by the narrative?”

2. Build Self-Efficacy Through Practice

Research by Dr. BJ Fogg at Stanford’s Behavior Design Lab shows that lasting behavioral change happens through tiny habits that feel easy to do. In the digital realm, this might mean:

  • Pausing for three seconds before clicking on links
  • Creating simple rituals around device usage, e.g. no screens at meals or in the bedroom
  • Playing critical thinking games, illusions and logic riddles
  • Running phishing tests and “spot the phish” or “spot the deepfake” games

The key is making these practices feel natural rather than imposed. Creating safe opportunities for people to practise digital decision-making and to learn from mistakes also helps build self-efficacy.

3. Model Mindful Technology Use

We learn more from what we observe than what we’re told. You can model mindful technology use by:

  • Putting devices away during conversations
  • Thinking out loud when you encounter suspicious emails
  • Demonstrating how you fact-check information before sharing
  • Trying the 5-minute rule. Tell yourself: “If I still need to check this in 5 minutes, I will.” This pattern interrupt helps break unhealthy autopilot impulses.

4. Develop Emotional Regulation Skills

Social media platforms and cybercriminals alike exploit our emotional responses to drive behaviour. They create artificial urgency, leverage fear of missing out, and use variable reward schedules that mirror addictive behaviours. Training should show how to recognise when one is being emotionally manipulated by technology. Simple practices like taking three deep breaths before responding can activate the prefrontal cortex and reduce reactive behaviour.

5. Create an Emotionally Safe Environment

People need to feel psychologically safe to slow down. Create environments where questioning is welcomed, where “Let me verify this first” is praised, not criticised. When it’s okay to ask “Does this seem right to you?” without fear of looking incompetent, people actually become more vigilant, not less.

Bringing the Being into the Human

One of Inda’s most poetic expressions stayed with me:
“We need to bring the human back into the being, and the being into the human.”

What if we saw our intuition and self-awareness as cybersecurity superpowers? What if we cultivated presence alongside password hygiene? We might just build a digital culture where security isn’t only about understanding the risks, but about knowing ourselves.

KnowBe4 Releases Cybersecurity Awareness Month Resource Kit at No Cost

Posted in Commentary with tags on August 28, 2025 by itnerd

KnowBe4 today released a comprehensive resource kit in support of Cybersecurity Awareness Month 2025. The toolkit aligns with this year’s theme “Secure Our World” and supports the global movement to emphasize the importance of securing our digital lives. Cybersecurity Awareness Month, established in 2004 through a joint effort by the U.S. Department of Homeland Security and the National Cyber Security Alliance, provides organizations worldwide an opportunity to strengthen their security culture through education and awareness. This year’s focus is on simple, effective practices like using strong passwords, enabling non-phishable multifactor authentication (MFA), recognizing and reporting phishing attempts, and keeping software up to date. 

KnowBe4’s free arcade-themed Cybersecurity Awareness Month kit includes:

  • Four “Arcade Villain” character cards that turn common threats into fun eight-bit enemies
  • Training modules like “Insights From a Hacker” and “AI, Phishing, and Cybersafety” (available in up to 36 languages)
  • Ready-to-use posters and digital signage for an office or virtual workspace
  • A comprehensive Weekly Planner to structure October activities

To download the free Cybersecurity Awareness Month resource kit, click here.

KnowBe4 Hires New Chief Information Officer Joel Kemmerer

Posted in Commentary with tags on August 25, 2025 by itnerd

KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management (HRM), today announced it has hired experienced IT executive Joel Kemmerer as the new chief information officer (CIO) to help lead critical digital transformation initiatives.  

Kemmerer is a veteran IT executive and CIO, with over 30 years of experience in various IT leadership positions for technology companies such as N-able Inc., SolarWinds, Advanced Micro Devices (AMD) and others. Kemmerer earned his bachelor of business administration from the McCombs School of Business at the University of Texas and his master of business administration from the Edwin L. Cox School of Business at Southern Methodist University. Previously, his organization was the recipient of a 2022 American Business Awards Gold Stevie for Information Technology Department of the Year. 

For more information on KnowBe4 careers, visit https://www.knowbe4.com/careers

KnowBe4 Report Reveals Global Financial Sector Faces Unprecedented Cyber Threat Surge

Posted in Commentary with tags on August 21, 2025 by itnerd

KnowBe4 has released its latest research paper “Financial Sector Threats Report,” uncovering critical insights into the escalating cybersecurity crisis facing the global financial sector. The report shows that financial institutions face a perfect storm of AI-enhanced attacks, credential theft and supply chain vulnerabilities that pose systemic risks to the global financial industry.

The research reveals almost all (97%) of major U.S. banks experienced third-party breaches in 2024, while targeted intrusions against financial institutions increased by 109% year-over-year. Most concerning, tests in large financial institutions found that nearly 45% of employees were likely to click on a malicious link or download an infected file, creating entry points for threat actors. The report highlights how threat actors are leveraging AI tools like FraudGPT and ElevenLabs to create more convincing phishing campaigns, while simultaneously moving away from traditional ransomware encryption toward data exfiltration and multi-stage extortion schemes. This evolution allows attackers to use legitimate credentials, making detection significantly more challenging. According to Federal Reserve Bank of New York Staff Reports, even a single day’s disruption in payments by major banks could affect 38% of network banks globally.

Key findings from the report:

  • Financial service firms globally experience up to 300 times more cyberattacks annually than other industries, with a 25% year-on-year increase in intrusion events for 2024.
  • 97% of the largest U.S. banks suffered third-party breaches in 2024, while 100% of Europe’s top financial firms suffered supplier breaches, highlighting vulnerabilities in vendor ecosystems.
  • Analysis of over three million dark web posts shows stolen credentials far outpace credit card theft; infostealer infection attempts increased 58% in 2024, and 68% of attacks originated from email.
  • The U.S. accounts for 60% of all ransomware attacks against financial institutions, and the U.S. and U.K. together represent over 70% of attacks, while activity targeting emerging markets in South Asia and Latin America is increasing.
  • Large financial institutions show 44.7% Phish-prone™ Percentage (PPP) rates initially, but comprehensive security awareness training reduces phishing susceptibility to below 5%.

Download the full KnowBe4 report “Financial Sector Threats: The Shifting Landscape” here.

KnowBe4 Unveils Brand Refresh to Celebrate 15 Years of Delivering Human Risk Management 

Posted in Commentary with tags on August 12, 2025 by itnerd

KnowBe4 today unveiled a bold new brand with an innovative new vision for the future of the company. The refreshed identity reflects KnowBe4’s leadership in human risk management, with a reputation for excellence in cybersecurity and groundbreaking AI advancements.    

Armed with a new company tagline “Rise Above Risk”, KnowBe4 is boldly pushing the boundaries of its brand identity to new heights to reflect a focus on human risk management while helping IT and cybersecurity professionals elevate their protection efforts regarding company risk. It goes beyond phishing, training and boundaries to transform the unpredictable into the unstoppable to rise above risk. 

KnowBe4’s evolution reaffirms its leadership position in the human risk management space and bolsters its dedication to helping IT and cybersecurity workers to fight against today’s top threats, including social engineering, email threats, ransomware and more. 

To explore KnowBe4’s new visual identity, visit our website www.knowbe4.com

KnowBe4 Deploys Additional Agentic Capabilities to Bolster Customers’ AI Defenses

Posted in Commentary with tags on August 6, 2025 by itnerd

KnowBe4 is proud to highlight the success of its customers in achieving remarkable transformations in their HRM programs. By leveraging KnowBe4’s HRM+ platform and advanced AI-driven products including AIDA (Artificial Intelligence Defense Agents), customers like First Community Credit Union have reduced their Phish-prone Percentage (PPP) to a near-perfect one percent.

AIDA combines human expertise with advanced AI to give organizations a clear view of their human risk and the tools to reduce it. Powered by the SmartRisk Agent, it utilizes 316 indicators influencing 37 factors across seven knowledge areas. It automates targeted actions based on each organization’s unique threat landscape, helping security teams work faster, train smarter, and strengthen defenses. KnowBe4’s agentic AI capabilities are rooted in having the industry’s largest data set of simulated phishing and people-centric cybersecurity defense measures, collected from over 13 million global users over 15 years.

Bryan Perkola, senior vice president of information security at First Community Credit Union in Houston, shared in a video how KnowBe4 has been instrumental in reshaping their approach to security awareness.

In addition to AIDA, PhishML Insights is now available as part of PhishER+. This AI capability enables InfoSec teams to better understand emerging attack patterns by setting customized confidence thresholds for email threat classification while receiving detailed explanations of why each message was tagged as clean, spam, or a threat.

To hear more customer success stories, visit the KnowBe4 testimonials website or visit KnowBe4 at booth number 1661 at Black Hat USA August 6-7, 2025.

Guest Post – Turning Social Engineering Crises into Cybersecurity Lessons: Effective Crisis Management Strategies

Posted in Commentary with tags on August 6, 2025 by itnerd

By Erich Kron, Security Awareness Advocate at KnowBe4

Social Engineering Day brings the perfect opportunity to discuss why organizations must prioritize awareness and preparedness in the face of the growing threat of social engineering. Social engineering is the use of emotional manipulation to execute a cyberattack. Threat actors will often prey on the emotions of their victims, especially fear, making this tactic highly effective. 

For example, KnowBe4’s March 2025 Phishing Threat Trends report revealed that phishing emails increased 17.3% over a six-month period, highlighting the critical need for awareness and preparation.  The increase shows this tactic remains a preferred method for cybercriminals, especially as they continually improve their tactics. For this reason, organizations must proactively prepare for possible social engineering crises.  

Understanding Social Engineering

Social engineering attackers are skilled at exploiting human vulnerabilities, such as trust and urgency, to gain unauthorized access to organizational systems. Often, threat actors will impersonate internal departments like HR or IT. According to the same report, nearly 49% of top-clicked phishing links originate from email addresses pretending to be these departments.  

Likewise, ransomware phishing attacks, such as the notorious LockBit ransomware delivered via phishing, increased 22.6% within just a six-month period. Meanwhile, high-profile attacks using AI-driven polymorphic phishing techniques now represent 92% of all attacks, highlighting the increased sophistication of social engineering hackers.  

The North Korean Fake Employee Problem

Social engineering attackers have become so sophisticated that a new phenomenon has crept into the U.S. hiring market. North Koreans have started to pose as U.S. job candidates to infiltrate companies for financial gain, espionage and other nefarious activities. They use fake resumes, AI-manipulated headshots and stolen Social Security numbers to get hired as part of their scheme. In fact, many have been hired by companies across the U.S., going undetected for an extended period of time.

Social engineering comes in many forms, and this is one recent example of how manipulation can be utilized in unique ways for cybercrime activities. These are the types of situations that we can learn from and use as an opportunity to educate others about the risks of social engineering.  

Proactive Measures and a Crisis Response Framework

All organizations are at risk of social engineering attacks. To effectively prepare, they must develop a detailed crisis response framework outlining an action plan for how they will react in the case of attempted and successful social engineering attacks.  

Essential proactive measures include:  

  1. Pre-employment screenings that detect potential insider threats early on.  
  2. Continuous security awareness training (SAT) and simulations. SAT reduces employee susceptibility to phishing by 89.5% after 12 months, reducing the Phish-prone™ rate from 37.1% to about 3.9%.
  3. Adopting a “no-blame” reporting culture within the organization. By not punishing employees who click on a bad link, the workforce will be more likely to report and identify threats.  

In the event of a successful social engineering attack, it is just as important for organizations to have a reactive plan. Essential crisis response measures include:  

  1. Maintaining real-time updates for situational awareness, both internally and externally.   
  2. Being transparent to build trust among employees, stakeholders and the public.  
  3. Utilizing AI and advanced monitoring tools for early detection and rapid response.  

Lessons for Organizations

In the case of successful social engineering attacks, leadership visibility and proactive communication are crucial for maintaining organizational credibility. By implementing continuous employee education on how to recognize and respond to social engineering attacks, organizations significantly decrease the likelihood of actually being hit by one of these attacks.  

Likewise, public education builds broader trust and reinforces organizational resilience. If the majority of people become knowledgeable about the risk of social engineering, hackers employing this method will face greater challenges when taking advantage of these human vulnerabilities.  

National Social Engineering Day may be here, but it is essential for organizations to prioritize social engineering awareness and crisis management strategies throughout the entire year. Social engineering may not disappear anytime soon, but through proactive and reactive preparedness, organizations and individuals can become well-equipped to handle any potential crisis.  

KnowBe4 Hires Keith Bird as Executive Vice President of International Growth

Posted in Commentary with tags on August 1, 2025 by itnerd

KnowBe4 has announced it has hired experienced executive Keith Bird to lead KnowBe4’s global revenue efforts as executive vice president responsible for their international business in Europe, Middle East, Africa, Asia-Pacific, Japan and Latin America. 

Bird is a 40-year technology veteran and business leader with over 20 years of experience in the cybersecurity industry. He held senior leadership and executive roles at global companies including Proofpoint, F5, Symantec, Check Point, SonicWALL, Extreme Networks and EDS. Bird also founded and sold two technology companies. Prior to joining KnowBe4, Bird was an Operating Partner at Banyan, where he led their European operations and investment portfolio of software company acquisitions, serving as a director on a number of their boards.

For more information on KnowBe4 careers, visit https://www.knowbe4.com/careers

KnowBe4 Collaborates With Microsoft To Tackle Risky Online Behaviors

Posted in Commentary with tags on July 29, 2025 by itnerd

KnowBe4 today announced a new collaboration with Microsoft to integrate KnowBe4 SecurityCoach with the Microsoft Edge for Business browser.

Browser security threats are increasing and global cybersecurity professionals should consider taking measures to reduce risk. A report by Menlo Security revealed a 140% increase in browser-based phishing attacks. 

The SecurityCoach and Microsoft Edge for Business integration leverages browser activity through native security signals to deliver valuable learning opportunities within seconds of detecting risky online behaviors. These risky activities include password reuse, visits to blocked sites or attempts to bypass security warnings. As one of the only human risk management platforms with a built-in reporting connector in Microsoft Edge for Business, this integration helps organizations within the Microsoft ecosystem maximize their KnowBe4 investments while building a stronger, security-focused company.

Resources:

Read the blog post on this new collaboration, and here’s more information from June’s KnowBe4 Defend and Microsoft Defender for Office365 announcement.

KnowBe4 Research Reveals That Fake Internal Emails Dominate Phishing Simulation Clicks

Posted in Commentary with tags on July 17, 2025 by itnerd

KnowBe4 today released its Q2 2025 Simulated Phishing Roundup report. The roundup highlights a continued trend of employee susceptibility to social engineering techniques that exploit familiarity and trust, as seen in dominant interactions with internal communications and well-known brands, making up 98% of top email subject lines. All data for this roundup was taken from the KnowBe4 HRM+ platform between April 1, 2025, and June 30, 2025. 

Key Findings from the Roundup Report: 

  • Consistency with Previous Quarter
    • Phishing simulation trends remained largely consistent with Q1 2025 (January 1 – March 31, 2025).
  • Internal Topics Dominate
    • Internal-themed topics made up 98.4% of the top 10 most-clicked email templates.
    • Among these, HR was cited in 42.5% of phishing failures and IT in 21.5%.
  • Branded Landing Pages
    • 71.9% of malicious landing page interactions involved branded content.
    • Microsoft was the most common, accounting for 26.7%, followed by LinkedIn, X, Okta, and Amazon.
  • Top Clicked Hyperlinks
    • 80.6% of the top 20 clicked links came from internally-themed simulations.
    • 68.2% of these used domain spoofing techniques.
  • Attachment Interactions
    • PDF attachment clicks rose by 8.1% compared to Q1.
    • PDFs comprised 61.1% of the top 20 attachments, followed by HTML files (20.9%) and Word documents (18.0%).

Download a copy of the Q2 2025 KnowBe4 Simulated Phishing Roundup report here.