Let’s face it, email security is something a lot of people would rather think less about. When you’re not deluged with a daily onslaught of phishing attacks trying to steal your passwords, you’re also expected to dodge the simulated phishing emails sent by your own company all for the sake of checking a compliance box.
One security startup wants that to change. Tiffany Ricks founded HacWare in Dallas, Texas, in 2017 to help bring better cybersecurity awareness to small businesses without getting in the way of the day job.
“We’re trying to show them what they don’t know about cybersecurity and educate them on that so they can get back to work,” Ricks told TechCrunch, ahead of the company’s participation in TechCrunch’s Startup Battlefield.
Ricks, a former Pentagon contractor, has her roots as an ethical hacker. As a penetration tester, or “red teamer,” she would test the limits of a company’s cybersecurity defenses by using a number of techniques, including social engineering attacks, which often involve tricking someone into turning over a password or access to a system.
“It was just very easy to get into organizations by social engineering employees,” said Ricks. But the existing offerings on the market, she said, weren’t up to the task of educating users at scale.
“And so we built the product in-house,” she said.
HacWare sits on a company’s email server and uses machine learning to categorize and analyze each message for risk — the same things you would look for in a phishing email, like suspicious links and attachments.
HacWare tries to identify the most at-risk users, like those working in finance and human resources, who are more vulnerable to business email compromise attacks that try to steal sensitive employee information. The system also runs automated simulated phishing attacks, drawing on what’s already in a user’s inbox to send personalized phishing emails that test the user.
Email remains the most popular way for attackers to use phishing and other social engineering attacks to try to steal sensitive information, according to Verizon’s annual data breach report. These attackers want your passwords or to try to trick you into sending sensitive documents, like employee tax and financial information.
But as the adage goes, humans are the weakest link in the security chain.
Stronger security features, like two-factor authentication, make it far more difficult for hackers to break into accounts, but they’re not a panacea. It was only in July that Twitter was hit by a devastating breach that saw hackers use social engineering techniques to trick employees into giving over access to an internal “admin” tool that the hackers abused to hijack high-profile accounts and spread a cryptocurrency scam.
HacWare’s approach to email security appears to be working. “We’ve seen a 60% reduction in reducing phishing responses,” she said. The automated phishing simulations also help to reduce IT workload, she said.
Ricks moved the bootstrapped HacWare to New York City after securing a place in Techstars’ accelerator program. HacWare is seeking to raise a $1 million seed round, said Ricks. For now, the company is “laser focused” on email security, but the company has growth in its sights.
“I see us expanding into just trying to understand human behavior and trying to figure out how we can mitigate that risk,” she said.
“We believe that cyber security is an integrated approach,” said Ricks. “But first we definitely need to start with the root cause, and the root cause is we need to really get our people the tools they need to empower them to make sound cybersecurity decisions,” she said.