What organizations need to KnowBe4 investing and consolidating cybersecurity

Companies should be focused on changing behavior when it comes to security awareness training, explains Caroline Soo, Vice President Customer Success, Asia Pacific and Japan KnowBe4.

As businesses move towards a more proactive approach in cybersecurity, many are looking to consolidate the many cybersecurity solutions they have invested in so that they can have better capabilities in cybersecurity management.

While AI in cybersecurity is promising to enable improved cybersecurity management by automating some processes and proving a single pane of glass view, KnowBe4 believes there is still a lot more that can be done, especially when the employee side of the organization.

According to a KnowBe4 report based on a survey of more than 100 security professionals during the Infosecurity Europe 2025 conference, distraction (43%) and lack of security awareness training (41%) are identified as primary reasons employees fall victim to cyberattacks, rather than attack sophistication.

The Navigating Cyber Threats: Infosecurity Europe 2025 Findings report also revealed that phishing is the leading threat (74%), with impersonation of executives or trusted colleagues being the most common tactic. While AI-generated threats are not yet dominant, fears about their rise are growing with 60% of organizations fear the rise of AI-generated threats.

Meanwhile, KnowBe4’s Financial Sector Threats Report, which was also recently published revealed financial service firms globally experience up to 300 times more cyberattacks annually than other industries, with a 25% year-on-year increase in intrusion events for 2024.

The report stated that 97% of the largest U.S. banks suffered third-party breaches in 2024, while 100% of Europe's top financial firms suffered supplier breaches, highlighting vulnerabilities in vendor ecosystems. At the same time, the U.S. accounts for 60% of all ransomware attacks against financial institutions, with the U.S. and U.K. together representing over 70% of attacks, with increasing activity targeting emerging markets in South Asia and Latin America.

The need for stronger cybersecurity awareness

In a conversation with CRN Asia, Caroline Soo, Vice President Customer Success, Asia Pacific and Japan KnowBe4, explained that companies should be focused on changing behavior when it comes to security awareness training.

“When we talk about cyber safety, you have to understand what the users are thinking, doing, and how they're behaving. So, we expanded capabilities to not just focus on the security awareness training, but also to connect with other technology stack in the organizations. So, we acquired a company called Security Advisor a couple of years ago, and that expanded into Security Coach, where it integrates with the security stack of the end users’ organizations, like CrowdStrike and Microsoft Defender and so forth,” Soo said.

“So, all these user events, when it's triggered, it starts to send it into Security Coach, and we look at it and know these are the user events that's been triggered. Let's send a safety tip through their team's internal messaging platform to say, hold on a second, you've forgotten your YubiKey. Do you want to raise a ticket to your IT department and so forth? So, it's like nudging them on a real-time coaching aspect,” she explained.

According to Soo, one of the biggest challenges when it comes to cybersecurity training today is localization, especially in a region like Asia, whereby there are numerous languages spoken in organizations. Given that most of the cybersecurity solutions are in English, KnowBe4 has localized the content to 35 different languages and works with local MSPs in delivering them.

“A lot of our content has 35 languages available, which is great for MNCs. And there's still more demand to be more refined to actually address all those market's needs. That's why localization is right now quite a huge focus. And we've even started a Japan Coursera team where the content is created from scratch, because that is a unique culture itself as well. We do have MSPs who create their own content and actually offer it to the customers and upload it to their consoles as well. So, our console is also a learning management system. So that's where you can actually upload your own content,” she added.

Breaking down the silos

For Soo, there's a disconnect between the IT professionals who's actually holding on to the technology platform versus the people who are leading the change management in the culture perspective. And this is clearly indicated in the research conducted by KnowBe4, with distraction and lack of cybersecurity training a major concern.

With companies facing problems like the increasing use of Shadow AI, Soo pointed out that the challenge is similar to the social norms, ideals and behaviors that you have in an organization towards security.

“So just like workplace safety, decades ago when it first started, there were a lot of fatalities, deaths, incidents at workplace. And then it's throughout that constant, what could we nudge further? So, one of our clients shared at one of our events when she was doing an audit for one of the clients in logistics, where every day there's a workplace safety briefing. The workers come from different countries, and they speak different languages. But then, that workplace safety briefing was done only in English. So she asked them afterwards, "Do you actually understand the briefing? And they're like, not really, no. It was more of a check-the-box exercise. But for companies that really take it seriously, it's about, well, we need to make sure that it's actually communicated in every single language that our workers are, that they are skilled in, they are native in.”

“So, we need to make sure that it's communicated, that they understand it. If you look at the evolution of where cybersecurity comes to place, it starts from check the box. Right now, we need to ensure that the message gets across exactly what we're trying to do here. So that's the part in which, if we look at, I'll say the differences in security culture and how it's been evolving, it's a mystery for quite a few companies to get a handle of,” she said.

Soo explained that this is the very first step is to expand KnowBe4’s capabilities to become a human risk management platform.

“With the robust data, the different capabilities of security, gateway, security coach as well, and also our training platform, we start to develop a smart risk agent that deciphers what does this mean, the user events mean. And then we have agentic AI. So agentic AI would be doing modular efforts to orchestrate how does it translates into a really relevant, personalized, tailored messaging, be it a phishing simulation, a training campaign, or a safety nudge to the end users. It becomes more refined, and the vision is really in the next four to five years, where we want it to be as automated as possible,” Soo said.

At the same time, Soo also acknowledges that one of the challenges with AI is what fits in. For example, the more data it is given, the more relevant inputs are received.

“At these early stages, it's about fine tuning it. And I would imagine that all vendors in this space, they are rushing for it and trying to fine tune the agentic AI that they have,” Soo added.

Going forward, Soo believes the maturity part of understanding cybersecurity would be very similar to workplace safety, but it would be faster in terms of evolution. Workplace safety took a few decades to get to where organizations are today, with the evolution of technology and understanding and top leadership.

“I see it being reduced. In one generation or so, we should have common knowledge to look at validating. It will be the habit to practice and to actually just adopt in our daily life. Right now, AI comes in to make life easier by sending relevant messaging because everyone would probably have a different behavior that they need to slightly tweak or change. That's where when you break down all the data silos and really look at the users’ behavioral patterns. That's where AI can help us because of the amount of touch points that one individual has. And with agentic AI that's where we'll be able to identify a real targeted behavioral or messaging for that person,” Soo concluded.