KnowBe4 Alternative

KnowBe4 is a multi-award winning security and awareness training platform; but, due to its technical complexity, pricing structure, and poor risk quantification features, it is not suitable for many HIPAA Covered Entities and Business Associates, who may find compliance with the HIPAA Security Rule easier with a KnowBe4 alternative.

All organizations subject to HIPAA are required by the Administrative Safeguards of the HIPAA Security Rule to implement a security and awareness training program for all members of the workforce (see 45 CFR § 164.308). The content of the security and awareness training program should be determined by a risk analysis that identifies threats to the confidentiality, integrity, and availability of ePHI and what measures can best mitigate the threats.

Although Covered Entities and Business Associates may identify many different threats in their risk analyses, all analyses should include the most common causes of data breaches – phishing, malware, and ransomware. Many threats from phishing, malware, and ransomware can be mitigated by implementing technology solutions such as email filters and web filters; but, as attacks on the healthcare industry become more sophisticated, some threats may still avoid detection.

When this happens, members of the workforce are the last line of defense. They need to know what constitutes a threat and resist being susceptible to the emotional triggers most commonly used by cybercriminals (fear, greed, curiosity, desire to help, etc.). To strengthen the last line of defense, many organizations implement security awareness training platforms such as KnowBe4 that claim to reduce user susceptibility through videos, training exercises, and simulation tests.

Is KnowBe4 a Good Platform?

KnowBe4 appears to be a very good security awareness training platform. It has won numerous cybersecurity awards and is rated a “leader” in the market by both Forrester and Gartner – two widely respected analyst firms. However, KnowBe4 isn't suitable for every type of organization. Reviewers have commented that, due to its technical complexity, it is not easy to understand, it can be difficult to select and assign activities, and consequently some phishing emails are too easy to spot – potentially giving users and HIPAA Security Officers a false sense of security.

For busy HIPAA Security Teams tasked with complying with the many different implementation specifications of the HIPAA Security Rule, triaging potential security threats, and training staff on the technology solutions implemented to mitigate threats, administering a complex security awareness training platform can be a step too far. However, any failure to master the complexity of KnowBe4 can result in knowledge gaps that weaken, rather than strengthen, the last line of defense.

It is also the case that, to access the full range of content required to deliver a comprehensive program, Covered Entities and Business Associates must subscribe to the most expensive KnowBe4 subscription plan and the customizable “Compliance Plus” add-on. Even for a small healthcare organization, the cost of subscribing to the only plan that will fulfil the organization's compliance obligations can be substantial – especially as a lot of the content is irrelevant to the healthcare industry.

A final issue with the KnowBe4 platform is its poor risk quantification features. These – along with average metric, measurement, and reporting capabilities – were identified in the “Forrester Wave for Security Awareness and Training Solutions”, and they can prevent Covered Entities and Business Associates from determining whether the workforce is becoming more or less susceptible to online threats and whether the cost of deploying KnowBe4 can be justified.

What Makes a Good KnowBe4 Alternative?

If you are part of a busy HIPAA compliance team, the last thing you need is a platform that has a steep learning curve, that has known shortcomings, and that contains a lot of content you have paid for but will never use – notwithstanding that, even when you have mastered the complexity of KnowBe4, you still have to select and assign the right content for the right people to ensure your last line of defense against online threats is actually getting stronger.

Ideally, a good KnowBe4 alternative should be quick to deploy, easy to customize, and able to report on the security behaviors of each member of the workforce so that targeted training can be provided when necessary. The KnowBe4 alternative should also have a straightforward pricing structure, enterprise-level risk quantification, and benchmarking and measuring capabilities so you can get a 360° view of the entire organization's “culture of compliance” and clearly see the return on investment.

However, there are dozens of KnowBe4 alternatives, and evaluating every one is impractical. To reduce the options, it is recommended to find a review site in which the reviews are written by verifiable users rather than technical experts, and create a shortlist based on top-rated vendors that offer a demo of their platform in action. The demos will allow you to see how easy the platforms are to use, how customizable they are, and how effective they are at identifying individual weaknesses.

Price shouldn't be a leading consideration in determining which platform is the best KnowBe4 alternative, because it is more important that all members of the workforce become less susceptible to online threats. Nonetheless, the pricing structure needs to be fairer than the KnowBe4 pricing structure to ensure Covered Entities and Business Associates are not paying for content they will never be able to use – which would make it harder to justify the cost of deployment.