Rohyt Belani, CEO at PhishMe, set up the Virginia-based phishing training company in 2008. Since then, PhishMe has grown its workforce to 35 people across London and New York, training more than 4.5 million individuals in about 160 countries.
With recent research by anti-virus company Kaspersky showing that the UK is hit with over 3,000 phishing attacks a day, Internet security ought to be a top concern for executives.
Belani, who also co-founded the Intrepidus Group, tells CBR why companies are at risk and outlines steps they can take to prevent security breaches.
What are the differences between the approach of a hacker and an employer?
Organisations spend their time setting up the firewalls, protecting internet facing web servers and things of that sort. Whereas, hackers realise that sending emails and attaching malware in the form of an attached file or excel spread sheet can bypass all these firewalls and security controls. This is what they did with the Associated Press, where their Twitter Feed said the White House has been attacked.
So my co-founder Aaron Higbee, who is also my chief technology officer, and I said: "The industry is missing out, how do we fortify this human element of security?"
What we found was that most organisations put posters up in the hallway with things like 'change your password frequently, don't fall for phishing scams,' but that stuff doesn't work. No one does that.
How does PhishMe protect organisations from hacker attacks?
PhishMe is based on a bunch of learning principles because we believe that if you immerse people in an experience they learn.
For example, fighter pilots in the Royal Air Force learn best when they're in the simulator doing things. The instructor says: "These are the mistakes you made and this is how you can learn from them."
So we said, if we can simulate these phishing attacks against organisations, in an authorised manner of course and frequent basis, employees will learn from their mistakes.
More importantly, we'll also have very detailed metrics on the backend telling the security guys which employees are most susceptible and how often are they falling.
Last year, we attacked 4.5 million individuals across 160 different countries. We took this data and found 58% will be susceptible the first time we touch them and in about 12 to 18 months it's down to 8%. Given large organisations have three or four per cent of the employees turning over every year, you can eventually bring it down to a very small residual number.
What kinds of phishing attacks have you come across?
One is where they try to get you to click on a link pointing to a malicious website. Then there's the attack where they try to get you to open a file and the third part, which I think is actually the scariest for from a cyber security stand point, is a data entry attack, which has no malware involved. There'll be a link in the email, but when you click the link, it doesn't take you to a website hosting any virus. Instead, it looks like a website belonging to an organisation and people think it's really innocuous not realising that when they're entering their user name and password, it's not there company's website. It's particularly dangerous because there is no malicious software, so any anti-virus software will not detect any activity because there is no infectious software getting downloaded on your system. It's simply a user being tricked into giving up their username and password.
What other steps can organisations take to minimise risk?
It's important that employees have a right amount of scepticism. You should ask questions like was I expecting this email or do I know this person. If you're unsure, pick up the phone and ask them did you just send me this document. If there's a link in an email, don't click, browse to the website instead. It's these little things that we continually train people on.
Looking after so many companies, it can be quite difficult to detect the overall level of phishing attacks.
Exactly. The folks that are trained by our software are allowed to call the security guys saying 'I'm seeing some suspicious email now. What do you want me to do this?' But multiply that by 700 and it gets chaotic. So we launched a little button in the outlook email client, which says 'report suspicious email'. What you can do is highlight any email you believe is suspicious and click the button. The button will do a bit of lightweight analysis and sends it in the appropriate format to the security guys in your organisation. Overtime, we're also building the reputation of users, helping security know who the good informants are. Phish reporter is what we call this functionality.
Have you experienced any challenges when it comes to implementing your software into organisations?
In the early days, I think we learned some hard lessons. Emotions are involved and I didn't know that. Don't test people without telling them and make sure that the tone isn't 'hey you're stupid. Why did you fall for this?' It's more like 'it's all right...I'm here to help you.'
Again, another lesson we've been learning is the cultural differences between the US and UK. What is deemed as funny in the US may not be funny in the UK. For example, one of our educational modules had this joke about swinging a dead cat. In the US, it's a very commonly used phrase and people find it funny. But when we came to the UK, they said 'what dead cats are these? What are you talking about?'
And in the Middle East, we've learnt to take all jokes out!
Would you ever think of providing software solutions like other vendors such as Symantec, Trendmicro and IBM?
No, because none of the big vendors have any solution that competes with ours. They all have complimentary offerings in fact. Some of the names you just mentioned were actually in talks to partner with us and the one I can talk about is a company called FireEye. It's interesting to see a company like this acknowledging their software is not going to be perfect at stopping every attack and that they're interested in Phish Me to fortify the human element.
You sold off the Intredpidis Group, the company you co-founded, to NCC group last year. Would you ever sell off PhishMe?
The way I look at starting and building companies is not with 'hey I have this end goal of selling it.' I think a lot of founders can fall in that trap and you make decisions that are not sound for the business when you're just focused on how to do I window dress it and how do I make it look good, whereas focusing on the core business. For me, I really just stay focused on execution and say look if a bigger player comes a long the way and say we're interested in acquiring you, we'll treat like any other business decision. We go with the flow.
What else is in store for PhishMe?
We're looking to increase our workforce from 35 to 60 by the end of next year and building over in the Middle East, Dubai probably, if we get an office because there's a lot of demand out in Abu Dabi, Qatar and Saudi Arabia. If demand continues to grow, we'll probably buy an office.