A decade or so ago, phishing criminals discovered a simple way to beat email filtering, the main technology organisations were using to defend themselves from attacks. Instead of bombarding inboxes with ever greater volumes of spam, they started tailoring phishing emails to specific organisations and the people who worked for them in a technique security firms dubbed ‘spear phishing’.
An attack theme that intelligence services had been using since the dawn of email itself in the 1970s was suddenly mainstream and easy to pull off. If a phishing email looks odd, make it look familiar. People will eventually click on attachments and links, because opening them is part of what makes anyone's inbox worth using. Countless big data breaches and malware attacks can be traced back to these simple but devastating realisations.
It took years for organisations to grasp that filters were never going to cut it but more recently a new approach has been tried in the form of software that can test and fine-tune employee awareness of sophisticated social engineering. The principle of this type of anti-phishing is simple - turn employees into the filter by teaching them what spear phishing looks like.
It's not clear how many organisations have tried this technology and in truth there aren't many well-known names beyond US market leader PhishMe in what remains an under-served sector.
It is into this intriguing but immature market that a tiny British venture Hook has launched itself from within the bosom of the UK’s only cybersecurity accelerator, Cyber London (CyLon). This situation is interesting on a number of scores. It seems incredible that in 2016 two fresh British entrepreneurs can still spot what on the face of it should be a major cybersecurity market. Phishing has become a central cybersecurity issue thanks to an epidemic of targeted campaigns so why aren’t more innovators addressing it?
It’s likely that without CyLon, Hook would not have got this far, or anywhere at all. CyLon has only been around for 18 months which makes one wonder how many other good ideas have gone begging in the UK in the last decade for want of some encouragement.
In the founding story below co-founder Oliver Rees reminds us of one of the critical startup hurdles: building things people ultimately don't want or need. Some would say the key to good marketing is convincing them anyway. But in the case of anti-phishing training, it is pretty clear that organisations do need this type of service. Surely the cybercrime and phishing statistics tell us that much.
Oliver Rees, co-founder on starting Hook:
According to the SANS Institute, a staggering 95 percent of all enterprise attacks last year started as a result of spear phishing, or had it as a component part. We’ve all received them or have seen them lurking in our inboxes; messages from fraudsters designed to steal valuable or personal details that, at first glance, appear legitimate. Malicious attachments or website links may also be included, ready to set off malware infection for monetary gain.
Criminals know that the humans receiving these emails are the real weakness which is why companies try to educate employees to recognise malicious emails. IT departments might send out fake phishing emails to see whether recipients click on them, later showing employees who fail the test their mistake.
Unfortunately, there are problems with this approach, mainly that while this system is very good at telling you there’s a problem, it doesn’t help address it. It also creates a sense of ‘us versus them’, irritating members of staff who feel it gets in the way when they’re only trying to do their job. Worst of all, it only protects against generic phishing attacks rather than those that have been personalised.
Phishing attacks: the idea behind Hook
Before starting our business, my co-founder Alex Walker and I worked for an organisation that would go into businesses and run workshops, teaching staff how to code and analyse data, as well as leading sessions on innovation and cybersecurity.
We left our jobs to create a company that would focus on bridging the gap between cyber security and psychology, to achieve change at scale within companies. We came up with the idea of incentivising employees to understand spear phishing attacks in a fun, social way that encourages engagement, and Hook came into existence. Our system allows ordinary employees to see through the eyes of a hacker, so they, in turn, become better defenders.
Through our platform, individuals are guided through the same steps that a cybercriminal would take to craft an email, giving them an understanding of what spear phishing is and how personalised attacks can be extremely effective and convincing.
Alex had a background in cybersecurity and had worked with BAE Systems in a technical role, whereas I had studied psychology before going into advertising. Together, we had a good mix of skills allowing us to understand both the technological and psychological factors behind cybercrime. We were awarded a place at Cyber London (CyLon), a cybersecurity-specific start-up accelerator programme, which gave us access to funding and expertise to help us grow our business further.
Bringing in the catch
The biggest risk to any startup is building something nobody wants. Working with CyLon has been helpful because we work with experts on a daily basis and can get instant feedback on our progress.
Luckily there are more and more resources available to support people in their entrepreneurial journey. One example is HutZero, a free cybersecurity focused bootcamp, which helps individuals turn their ideas into businesses. Being able to test your idea on people who have the right experience of the industry is invaluable and certainly would have helped us at that early stage.
We’re in talks with various investors and CyLon is supporting us in this process. We have initial proof-of-concept customers that we're using to act as case studies to show the true value of what we offer.
Cybersecurity isn’t simply about putting a lock on a door; you need to understand what a hacker is thinking, and what their motivations and goals are in order to build adequate defences. Your workforce, as the frontline of your business, needs to understand this too.