Overall, technologies can be pretty straightforward to secure. Teach software not to execute a certain command, block a port, or alert on a set of conditions, and it will abide.
Humans, on the other hand are not as easy to harden against attacks. These attacks are frequently delivered through emails, text messages, social media, or even infected USB drives left in a car park.
It’s no wonder that user behavior consistently remains a high priority for many enterprises.
Following the money
There has been much activity in the user awareness space in recent months. Money has poured in, in the form of investments and acquisitions.
Recent notable market transactions include
February 2018: PhishMe acquired by PE for $400m and rebranded as Cofense
February 2018: Proofpoint acquired Wombat Security for $225m
August 2017: Webroot acquired the assets of Securecast for an undisclosed amount.
October 2017: KnowBe4 raised $30m in a series B round, bringing total funding to date to $43.5m
A broader look at the market
Many years ago, the user awareness market was more fragmented. Each provider delivering a segment of the training. Some would focus only on phishing, others provided a learning management system, whereas others created specialist training content in the form of books, posters, or videos.
The recent trend indicates more providers want to move more towards a user awareness ‘platform’ as opposed to having a single product. It was one of the drivers behind the renaming of PhishMe to Cofense, to present and offer more than just phishing.
Alongside Cofense, ProofPoint (Wombat), Webroot (Securecast), and KnowBe4 are all examples of user awareness companies that have tried to consolidate the different aspects of user awareness to one platform.
But that’s not to say there isn’t still room for specialist providers. Twist & Shout Media has built a sizeable customer base with four seasons of its Restricted Intelligence of comedy-awareness series as well as a number of spin-offs. Similarly, Habitu8 seeks to bring a bit of Hollywood glamour to its Hashtag awareness videos.
Security awareness is a hot space as awareness (no pun intended) increases and money is entering the space faster than before.
But the biggest question that remains over user awareness is it’s ROI and means to measure its effectiveness. Although approaches are improving, the security culture framework tries to put some meaningful metrics around awareness.
The NCSC recently published a somewhat polarizing blog questioning the value of phishing.
All in, we’ll probably continue to see more consolidation in the user awareness space in the coming months, not just to create user awareness platforms, but to truly embed user awareness as a security layer within organizations.