Humans are the weak point in any security system. If your network is secured with passwords, biometrics and an internal firewall, none of that matters if someone who holds all the clearances gets tricked into giving a malicious user access. Hollywood has done us a disservice in portraying hackers as code wizards who type out some sort of digital magic spell to get into a secure network. The scenes from heist movies where thieves pretend to be plumbers are really more accurate: hackers often simply fool authorized people into handing over valid credentials.
One way to trick people is with phishing attacks, where an official-looking email invites a person with credentials to log in on a fake site that is actually recording their password; for example, the email falsely tells users their service has been suspended and that they need to log in to restore it. PhishMe is a company that makes it fun for employees to learn not to fall for phishing attacks. How does it do it? It phishes them.
The key to teaching people to behave online in a more conscientious fashion and to keep a company’s data secure is to make learning a fun, positive experience for them, Rohyt Belani, the Virginia-based company’s CEO, told the Observer during an interview at the 2015 New York City Cyber Security Summit on Friday.
“We make employees think they are informants in the company’s security system,” Mr. Belani said. When a company adds PhishMe to its security architecture, employees get a button in their email client for reporting suspicious messages. The system tracks and reports back to employees how effectively and quickly they spot attacks. “We’re giving them a pat on the back when they report something malicious,” Mr. Belani said.
In fact, Mr. Belani thinks human knowledge deserves more credit in security architecture. During a panel on corporate espionage, he pointed out that it wasn’t technology or professionals that spotted an attempted bombing of Times Square in 2010, but two T-shirt vendors that spotted something contextually out of whack. He thinks security pros can find smart ways to recruit regular people to help them spot new threats to computer networks, and his company is building some of those tools.
The system also phishes employees to teach them to spot malicious messages. It sends staff a wide array of phony phishing emails at different times. If an employee reports one, that goes in their stats. If they fall for it, they get a video, infographic or text that explains what they fell for and how to spot it, and throws in some humor so the mistake isn’t so painful.
“We’re still giving people a positive punch in a fun way when they are gullible,” he said.
If the employee clicks the report button on one of PhishMe’s fake emails, they get points on their score. If the message is not from PhishMe, it goes to the security team to check whether it is a real attack. So the system really does empower staff to keep an eye out for threats.
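The report-button workflow described above, as an added illustration: this is not PhishMe’s code, and the header that marks a simulated email, the point values and the training notes are all assumed for the example.

```python
# Added example modelling the report-button workflow described in the article.
# Not PhishMe's code; the header name, point values and lure catalogue are assumed.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SIM_HEADER = "X-Sim-Lure"  # assumed: present only on simulated phishing emails

# Lure type -> short teaching note shown to an employee who fell for it (constructed)
TRAINING = {
    "account-suspended": "Urgency is the hook: check the real sender and URL first.",
    "invoice-attached": "Unexpected attachments: confirm with the sender out of band.",
}

@dataclass
class Outcome:
    employee: str
    verdict: str                      # simulated-reported | simulated-clicked | escalated
    points: int = 0
    seconds_to_report: Optional[float] = None
    training: Optional[str] = None

class AwarenessProgram:
    def __init__(self) -> None:
        self.scores: dict = {}        # employee -> accumulated points
        self.soc_queue: list = []     # reports that were not simulations

    def report(self, employee: str, msg: dict, when: datetime) -> Outcome:
        """Employee pressed the report button on msg."""
        if SIM_HEADER in msg["headers"]:
            delay = (when - msg["sent_at"]).total_seconds()
            points = 10 if delay <= 3600 else 5   # reward quick reporting
            self.scores[employee] = self.scores.get(employee, 0) + points
            return Outcome(employee, "simulated-reported", points, delay)
        # Real or unknown message: hand it to the security team to verify
        self.soc_queue.append({"reporter": employee, "subject": msg["subject"]})
        return Outcome(employee, "escalated")

    def clicked(self, employee: str, msg: dict) -> Outcome:
        """Employee followed the link in a simulated phish: deliver training, no points."""
        lure = msg["headers"][SIM_HEADER]
        return Outcome(employee, "simulated-clicked", 0, training=TRAINING[lure])

# Constructed sample messages and report times
T0 = datetime(2015, 6, 5, 9, 0)
REPORTED_QUICK = datetime(2015, 6, 5, 9, 20)   # 20 minutes after delivery
REPORTED_LATE = datetime(2015, 6, 5, 11, 0)    # two hours after delivery
SIM_MSG = {"subject": "Your account has been suspended", "sent_at": T0,
           "headers": {SIM_HEADER: "account-suspended"}}
REAL_MSG = {"subject": "Wire transfer request", "sent_at": T0, "headers": {}}
```

Run with a quick report, a click and a real-message report to see the three paths: points for the reporter, a training note for the clicker, and a ticket in the security team’s queue for the unknown message.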
In short, the company is gamifying security education. Employees don’t have to sit through a boring workshop to learn how to spot phishing emails. Instead, the lesson arrives in the moment they need it, inside their inbox. During a panel that Mr. Belani appeared on, he said the company is crafting its educational pieces to fit within people’s attention spans.
Mr. Belani said that the company has also gamified phish fighting for security teams. “When they find something bad,” Mr. Belani said, “they want to share that with their peers. Even their competitors.” The PhishMe system promotes sharing information about cyber adversaries, and it gives attribution to the security professionals who spot new attacks first.
Gamification has been a startup buzzword, but not many companies have made it work well in practice. “There isn’t one size fits all in gamification,” Mr. Belani said, adding that it needs to fit a company’s culture.
How well does the PhishMe team know phishing? Last week, a fraudster tried to phish the company. Its staff phished the attacker back and secured enough information about their whereabouts to report the hacker to law enforcement.