Fernando Mateus, Kymatio: “traditional forms of cybersecurity training are neither engaging nor effective”
When cybersecurity training is mostly delivered through methods like presentations and reading material, it’s no wonder phishing attacks remain rampant.
Over the last couple of years, we have seen numerous instances when a company’s data ended up compromised due to the actions of untrained employees. As organizations rush to secure their operations with the latest technology, why should it be any different when it comes to employee cybersecurity training?
It is evident that traditional methods do not cut it anymore. To discuss how AI can be harnessed to personalize cybersecurity training, we sat down with Fernando Mateus, the CEO of Kymatio – a company empowering the human firewall.
Tell us more about your story. What was the idea behind Kymatio?
Before creating Kymatio, part of the team worked as cybersecurity consultants for large companies. After incorporating all kinds of solutions for the active protection of the entity, we saw how at the end of the day, it was human negligence and fraud by cybercriminals that generated the largest number of serious information security incidents.
With that in mind and knowing that traditional forms of cybersecurity training are neither engaging nor effective in increasing the alertness level and creating human firewalls, we decided to create a human-centric approach to cybersecurity. With insights from behavioral science and neuroscience, we came up with methods and chatbots to teach end-users what to look out for in a cyber attack.
Why is employee security awareness so important?
First of all, let’s look at the bigger picture: more than 90% of all security incidents involve the organization's personnel.
While there are numerous technology solutions that protect the computer systems of organizations, it is the workforce that is exposed to different kinds of attacks carried out using Social Engineering. This set of techniques is used to deceive victims and obtain confidential information or to execute actions that benefit the attacker (and consequently, do damage to the victim). Usually, this is achieved by installing a malicious program that will later steal or hijack information or infect other systems. All in all, Social Engineering, which is often called “people hacking,” can pose many different threats.
How do you manage to keep cybersecurity training educational and, at the same time, entertaining?
Our AI uses advanced neuropsychology to identify and assign archetypes that allow us to go deeper into the concept of hyperpersonalization. At the same time, we launch personalized phishing campaigns to determine which aspects the employees struggle with the most. We also provide training for users on techniques already used by attackers, like spear-phishing, adapted to each employee's cyber archetype. To sum up, we base our training around the vulnerabilities of each individual, strengthening their skills to withstand social engineering attacks.
We are also different in the way we interact. We respect the valuable time of our employees and provide training via chatbot-based hyper-personalized interaction that is mostly run by user participation (an average of > 80%).
Another interesting service we provide is Kymatio Account Breach Scanner, which periodically analyses online repositories and detects the accounts of the organization exposed in security breaches of third-party services. This way, we raise data credential protection awareness, using real examples so the employee can understand the risk immediately.
We also perform Cyber Sentiment Analysis Assessment to identify other human risk elements like burnout and reduced alertness, which are key elements that can affect cybersecurity.
At Kymatio, we are not limited to written theory. Instead, we put security awareness to practice by providing each trainee with different cases that they need to solve.
It is evident that the pandemic presented many cybersecurity challenges worldwide. What would you consider to be the main takeaways?
Since the start of the pandemic, companies have reported a 71% increase in cyber attacks.
This already serious situation is complicated by new threats and employees located in less controlled environments (working from home), sometimes even without the security systems provided by their organizations.
Although the risk of a data breach is always present, organizations need to keep their security under control so that these events do not negatively affect the company's reputation and the general attitude of employees, especially during the pandemic.
Why do you think employee cybersecurity training is often only an afterthought?
The companies that demand employee cybersecurity training usually experienced a direct incident or witnessed one in their own industry sector. That is often the trigger that makes the management team look into security awareness training more seriously. That is why we say that there are two types of companies: those that know they are vulnerable to attacks and seek to strengthen their cybersecurity posture and those that do not even know they are being targeted yet.
Considering the growing number of ransomware incidents, what can companies do to protect themselves? Does it come down to implementing stronger security measures or providing training for the employees?
The answer to that last question is both. But it is usually easier and quicker to deploy more technical measures than to develop a continuous awareness plan and maintain high alertness among all your staff. Only using technical measures is not the solution.
To take a well-documented example, in the WannaCry ransomware epidemic, the human factor played a key role in compromising companies around the world. Some studies found that just over half of businesses (52%) believe they are at risk for threats related to human error – carelessness or lack of knowledge. Staff training is essential to raise awareness among employees and motivate them to pay attention to cyber threats and to take countermeasures, even if it is not part of their specific job responsibilities.
In your opinion, what types of attacks are we going to see more of in the near future? Who is going to be the main target – individual users or large organizations?
Criminals not only threaten large technology companies or financial services but also simultaneously attack SMEs and citizens themselves. A great part of the attacks are random, and everyone is a target. So, no individual or company is safe because it is large or small: "Cyber-attacks can affect anyone."
Organizations must pay extra attention to Social Engineering and Phishing, Malware and Ransomware, threats associated with remote work, and unintentional breach incidents.
Just talking about ransomware, we see a tendency: simple, double, and triple extortion:
- Simple: initially the files are encrypted and the criminals hand over the encryption key only after receiving the ransom payment.
- Double extortion: in addition to keeping the information encrypted, they publish it online. In that case, the company has to face a fine from the regulator for not properly protecting personal data. Fines aside, not paying and having the data published on the Internet has another component: reputational crisis.
- Triple extortion: if payment is not made and if the victim has many online services, criminals proceed with DDoS (Denial of Service) attacks that can make these services inaccessible.
What can Internet users do to protect themselves online? Are there any security measures that you could recommend?
The first thing to do is to apply common sense and be less trusting. Before doing anything, we must think about whether that email is really from who they claim to be, whether that link is safe, whether that attachment is legit...
Then there are technical measures: we must activate antivirus and firewall protection, make backup copies of valuable data, update our software, use secure passwords (double factor authentication is good practice), use encryption for critical information, and learn and maintain cybersecurity awareness (best practices, phishing training, credential security, etc.).
And finally, what’s next for Kymatio?
As for the next steps for Kymatio from a cybersecurity point of view, we are currently evolving the service from neuroscientific studies that enable novel approaches such as NeuroPhishing to new gamification techniques and chatbot sessions.
As a company, we are preparing for a round of investments that will allow us to expand our presence in more geographies and ultimately bring Kymatio to serve companies and employees on a global scale. We hope to make a much more cyber-secure society with a fresh new-school Neuroscience-backed cybersecurity awareness and testing platform, which provides human risk scoring and behavior analysis. The goal is to sustainably protect the most important threat surface in cybersecurity – the human aspect.