Investing in Security Awareness with KnowBe4 Stock
“Think of how stupid the average person is, and realize half of them are stupider than that,” said the American philosopher George Carlin. If your job involves cybersecurity, it’s not just the stupid ones you need to watch out for. Even the most intelligent individuals in your organization can fall prey to the cunning attacks levied by cybercriminals. Every organization’s greatest asset is also its greatest security risk – its people.
The term “security awareness” describes the attitude of an entire organization towards cybercrime. Attacks at the human layer are now responsible for a majority of events leading to breaches. And it’s only been getting worse lately. Since the onset of The Rona, VMware reports that 88% of businesses have seen an increase in social engineering attacks. If you’re selling a security awareness platform, now might be a good time to raise capital. That seems to be the thought process behind a recent initial public offering (IPO) from a security awareness firm aptly called KnowBe4. Thankfully, they did their long-term investors a favor by not going the SPAC route. That means we have a delicious S-1 filing to peruse.
Social engineering, attacks on the human layer of an organization, can take the form of phishing, spear phishing, pretexting, business email compromise, smishing (SMS-based phishing) and vishing (voice-based phishing).Credit: KnowBe4
About KnowBe4 Stock
Founded in 2010, Florida company KnowBe4 (KNBE) took in just over $393 million in funding from investors that included Goldman Sachs and KKR. That money has been used to build a security awareness platform that’s seeing tremendous growth, both organically and through acquisitions – seven in the past four years. We first came across the company in our 2017 piece titled “7 Startups Working to Secure Communications,” where we noted they “treat employees as threats to be trained.” And the best way to deal with threats is some security awareness.
The Security Awareness Journey
Everyone who has served hard time in America’s most notorious corporations knows how completely useless any HR-led training session is in getting people to learn anything. In order to make sure your employees are being properly taught whatever subject you want them to learn, start with a benchmark. That’s the first step in the KnowBe4 “security awareness journey.”
The process of adopting KnowBe4’s security awareness solution starts with establishing a baseline.
Door-to-door vacuum cleaner salesmen know this trick all too well. Use the vacuum on the customer’s floor, and show them how much dirt the vacuum filter has picked up. Rub their face in the fact their carpets are dirty. Your vacuum is clearly better than whatever rubbish they’re currently using. They’re not a bad person (they most certainly are), they just don’t have the right tools. When a company lets KnowBe4 establish a baseline, they’re admitting their carpets are dirty – and pretty much asking to be sold a security awareness solution. Just think about how many of Rumsfeld’s “unknown unknowns” exist in this world, and how easy they are to point out when you’ve already done so for tens of thousands of others.
Train Your Users
Anyone with a decent amount of cybercrime street cred knows the name Kevin Mitnick, a hacker whose path to fame was paved in social engineering. After a stint in the pen, he founded Mitnick Security, a cybersecurity firm that claims they can penetrate any organization on demand using only social engineering – with a 100% success rate. Even if your firm is “security aware,” your vendors may not be. There’s always a way in, and Mr. Mitnick and team can find it. Fortunately, they decided to partner with KnowBe4 and help design the ultimate way to get your employees up to speed – Kevin Mitnick Security Awareness Training.
Once there is a baseline to measure against, KnowBe4 can now start training the employees not to make the same mistake twice. Since KnowBe4 is providing the training, they have loads of previous experience that allows them to improve the process going forward. There’s probably a lot of useful big data that can be gleaned from that as well. Speaking of which, it goes without saying that KnowBe4 uses artificial intelligence. Then again, it’s hard to find a security firm that doesn’t say they’re using AI in some way.
Whatever KnowBe4 is selling, people are lining up to buy. The company has more than 37,000 customers, a number that’s been growing incredibly fast.
While we can’t expect that growth to continue at the same pace, what we can expect is that they’ll be able to increase the spend from their large customer base by expanding the breadth of their service.
Phish Your Users
Here comes the fun part. KnowBe4’s platform contains thousands of templates for fake phishing attacks. All you need to do is define the parameters to continually test your employees. The best part is that you don’t even need to tell them when they’ve cocked up. Just keep track of who is consistently dropping the ball. Stage an intervention and get out the performance-improvement-plan – the dreaded PIP. Once news gets out of that happening, people will start paying a whole lot more attention to security awareness training. It sure beats getting on the front page of the WSJ because someone gave important credentials to the wrong person. The average data breach now costs companies $3.6 million on average.
Don’t be afraid to have some fun with it. Give the victim a reward so they don’t feel so bad about the whole thing. Gweneth in human resources won a $100 Amazon gift card because she gave John-in-Mumbai some personnel information she shouldn’t have. Everyone has a good laugh, and suddenly everyone is paying a lot closer attention to their interactions with others.
See the Results
KnowBe4 has shown their system can find security awareness deficits, train them out of existence, and then continuously verify that no bad apples get thrown into the mix. This is when the customer becomes “recurring revenue,” and that means you can start squeezing more money out of them by offering new products and features. Knowbe4 provides this metric in their S-1 filing as “customers using more than one product,” and it’s trending in the right direction.
- 2018: 1.2%
- 2019: 7.7%
- 2020: 13.7%
For KnowBe4, customer growth maps directly to revenue growth, with both growth rates expectedly slowing as the company scales.
Not to worry, there’s plenty of work left to be done. KnowBe4 estimates their total addressable market (TAM) at around $15 billion, which means they’ve captured about 1.33% of that so far. There’s also a strong focus on selling outside their backyard. The KnowBe4 platform is currently accessible in over 30 languages, with nearly 12% of the company’s revenues coming from outside the United States.
To Buy or Not to Buy
We’re admittedly behind when it comes to researching how to invest in cybersecurity. There’s a sense of urgency here, because retail investors can’t resist a story that involves a bit of danger. A recent survey from Gallop showed that most Americans believe cybersecurity is the biggest threat faced by the nation.
Given everyone is so aware of cybersecurity, we’d expect there to be strong interest in cybersecurity stocks.
Whenever we want to invest in a tech theme like cybersecurity, we start by looking at any ETFs that might be available. The maturity of an investment theme is usually reflected in the number of ETFs available. Right now we’re counting at least 8 cybersecurity ETFs out there, several of which have assets under management measured in billions. Given the large number of cybersecurity stocks available, it makes sense to invest in an ETF instead of trying to cherry-pick a winner.
Our over-worked research team has been given the mandate to write a piece about which cybersecurity ETF might be “the best” for investors, so stay tuned for that.
There’s a lot to like about investing in cybersecurity stocks, and KnowBe4 is one that’s easy to understand with clear metrics for investors to monitor. Their solution sells itself, the business model is Software-as-a–Service (SaaS) and therefore commands a premium in the market, and they can continuously offer additional services as the cybersecurity space changes over time. There’s a lot to like about KnowBe4, but we’re not going to start stock picking unless we’ve vetted the available cybersecurity ETFs first.
Are we going to finally open a position in the Global X Cybersecurity ETF? Or did we go all hero-or-zero on CrowdStrike? Become a Nanalyze Premium subscriber and find out.