Following four years of self-funded fine-tuning in Europe, start-up security awareness firm CybeReady has expanded into the U.S. market with an initial funding round of $5 million led by Baseline Ventures.
CybeReady was founded by Mike Polatsek and Omer Taran in Tel Aviv, Israel in 2015, following the well-established route of commercializing skills learned while serving in or for the Israeli Defense Force (IDF). The skills here comprised a methodology for training users how to recognize phishing attacks to defend the Israeli critical infrastructure. CybeReady has added machine learning and automation to that methodology to provide an autonomous phish-training capability that is unique to each employee, at scale.
Where CybeReady differs from the normal IDF-to-market route is that it didn’t immediately raise the money and move to America. Instead, it self-funded product development within the European market. This was successful. It has 130 customers in Europe ranging from automotive manufacturers to banks and pharmaceuticals, and has doubled its revenue every year. On June 3, 2019, Frost and Sullivan recognized CybeReady with its 2019 European Entrepreneurial Company of the Year Award.
“Its data science driven approach to cyber awareness training,” announced Frost and Sullivan, “improves employees’ resilience by an average of 5x, and decreases the ratio of serial clickers by an average of 10x. Its anti-phishing platform leverages an autonomous process to enable security teams to quickly deploy campaigns, personalized to individual employees.”
CybeReady has already been deployed in 66 countries and is available in 35 languages. However, the U.S. is the primary market as the world’s largest target for phishing attacks. An April 2019 report from PhishLabs states that 84% of all phishing attacks target the U.S. CybeReady’s funding is designed to expand the company’s presence in the area (it already has offices in California and has been building its team in preparation).
The basis of the CybeReady approach is well-understood. Awareness training by 6-monthly lectures doesn’t work — the message doesn’t stick. ‘Training by doing’ is far more effective. This is delivered by simulated phishing attacks where the user’s response is noted and measured. Where the CybeReady approach differs from other products in the market is in its continuous, individually tailored and fully automated process. The security team, usually already too small and overstretched, does not need to take time out of firefighting to develop, run and manage phish-training programs.
“CybeReady is the only solution,” says CEO Shlomi Gian, “that guarantees behavioral change by leveraging data science and machine learning to train the entire workforce on a monthly basis throughout the year. After serving hundreds of customers in highly regulated markets, we are ready to take US cybersecurity training to the next level.”
It is called ‘autonomous’, he told SecurityWeek, “because it’s an end-to-end solution, from accepting the employees, onboarding them and training them almost individually through to recording and reporting — it is all done automatically as a managed service. The IT department doesn’t have to do anything. In our first two years we were only semi-autonomous, but we completed the product development by the end of last year. Now we’re ready for the U.S. market.”
He calls it ‘phish and teach’. “The moment any employee fails a test,” he explained, “he or she gets a lesson on the mistakes made. Machine learning is used with the employee’s performance risk score and the templates, organized by ‘difficulty’ level, held by the platform in order to pair each employee with the right challenge. By automating the entire process, we’ve reduced IT and security team involvement to just two hours per month — which is just to review the results.” The result is that every employee receives adaptive training at least once per month.
The basic process with a new customer is to start with a few genuine phishing mails that have been used against the customer’s industry vertical. Every few minutes, one of these emails is sent to one of the employees, and the results gathered. As soon as statistically relevant details are recovered, the staff are separated into virtual classes based on a risk score, and the machine learning kicks in. Over the course of a month, everybody receives a phishing email geared to their current proficiency in recognizing and not responding to phishing. Multi-national companies are catered for, so that each employee gets trained in his or her own language.
Every time an employee clicks a link or opens an attachment during one of the tests, on-the-spot training is invoked. It is short, focused on the error made and provides advice on how to recognize the phish.
One of the inherent advantages of simulated phish training is the ability to monitor results and prepare statistics for presentation to senior management. The automated and continuous nature of the CybeReady platform lends itself to continuous result collation, and a dashboard provides a real-time view of the organization’s learning progress, along with weekly, monthly and quarterly management reports.
The announcement of CybeReady’s $5 million funding comes the same day as competitor KnowBe4 announced a $300 million investment from private equity giant KKR in a deal that valued the company at $1 billion.