With a multitude of awards, ranging from CRN’s ‘Public Sector Reseller of the Year’ to Great Places to Work and Best Managed IT Provider, Softcat is one of the largest and most reputable resellers of technology solutions and services in the United Kingdom. Its team of over 1,300 employees, in offices across Britain and Ireland, helps clients to find the right software for their needs, provides expert advice and supports organisations through full infrastructure transformations. Formerly known as Software Catalogue, Softcat went public on the London Stock Exchange in 2015 and has since been promoted to the FTSE 250 Index.
50,000 Emails a Day and Combating Business Email Compromise
For the most part, the team at Softcat can be described as tech savvy. As such, employees are, on the whole, more equipped to recognise suspicious activity. Yet, as it found upon completion of a baseline phishing campaign run with KnowBe4, 12% of the company is susceptible to falling victim to phishing emails. While this may appear to be a low figure to some, it is worth remembering that it only takes one mis-click for a data breach to ensue.
The struggle that Softcat faced in containing this issue boils down to two primary factors.
Firstly, until three years ago, its security awareness programme was conducted on an ad hoc basis. Any training was typically implemented during the induction period, when new employees first joined the business. On top of being infrequent, trainings would often be missed due to a lack of time or getting lost in the long to-do lists that accompany starting a new job.
Secondly, the field in which Softcat operates requires that employees work with a vast number of third parties. Indeed, at present, the company has upwards of 12,300 long-standing customers and at least a thousand partners. It also receives as many as 50,000 inbound emails a day. In other words, a quarter of a million inbound emails per working week! Solely considering the sheer number of clients and partners, as well as the immense influx of emails, the risks of a phishing attack are heightened multi-fold. One of the principal problems that Softcat has observed in the market is the compromise of business emails. On numerous occasions, a third party suffers a phishing attack and the account becomes compromised. The account then sends out malicious emails to its contacts, including Softcat. At this stage, the risk is very high as the email appears to originate from a legitimate, known contact.
The importance of diverse security awareness training content
Fortunately for Mark Overton, Head of IT Security at Softcat, the company’s board recognised the importance not only of implementing security awareness training, but of ensuring it was well executed. Because Softcat had successfully sold KnowBe4’s services and seen first-hand their popularity among its clients, KnowBe4 stood out as an obvious provider for Softcat’s own security awareness needs.
Mark was especially impressed with the richness of KnowBe4’s content. While the former provider had security awareness as part of its portfolio, KnowBe4 specialised in it. In this way, it could offer a variety of content to accommodate different employees. On the one hand, Softcat has employees such as those in sales, who largely work within a restricted environment and possess limited administrative access. For these users, Mark wanted to be sure that they were not overburdened with irrelevant and exhaustive training. The short and entertaining videos offered by KnowBe4, which helped to drive home the key messages, were useful in this context. On the other hand, other departments such as finance and IT, which had high levels of privilege and faced greater risk, required more detailed and extensive training that KnowBe4 could also provide.
In addition to this, KnowBe4 automatically sends notifications to its users to regularly remind them of any incomplete training, while also providing unique links to it. This allows employees to easily access the training without having to go via the IT department with complaints regarding accessibility. In Mark’s words, KnowBe4 makes the process “seamless”.
The implementation of KnowBe4’s training programme could easily be described as seamless as well. Under the sole supervision of an apprentice, Softcat was able to have the programme up and running in less than two months. Whenever a roadblock was hit, the customer relationship manager at KnowBe4 was quick to provide support. Indeed, Mark praised KnowBe4’s customer service as “second-to-none”, as it gave the senior IT personnel more time to focus on other, more pressing jobs.
The Gift that Keeps on Giving
KnowBe4’s content range as well as customisation facilities are among the most advantageous aspects of the service to Softcat. That, plus the frequent reminders and ease of use, allows Softcat’s employees to be efficiently made aware of the risks of operating online in the modern day. The fact that the programme runs without a huge administrative overhead is especially appreciated by Mark and his team of four, who have a heavy workload as it is.
In the near future, Mark plans to build a phishing campaign that closely mimics the business email compromises that he sees occurring from within the supply chain. The great selection of email templates available through the KnowBe4 platform, as well as the option to customise templates, will be beneficial in this process. The main goal for Mark going forward is to significantly reduce the baseline of 12%.
“The more that employees are able to identify a phishing email, the more effectively and swiftly the IT team can spin off a workflow to neutralise the threat and safeguard the company’s cybersecurity,” he explained.
The value of KnowBe4’s services has not stayed a secret within the company either. Rather, because the content can be easily personalised as necessary, other departments are demonstrating interest in using the programme for their own security awareness needs. For example, the legal team and departments responsible for their ISO standards are considering the application of KnowBe4’s services to confirm that all employees have read and acknowledged policies or have undergone anti-corruption and bribery training.
All in all, Mark said that KnowBe4 “really makes life easy”.