Making Personnel ‘Human Firewalls’ Against Cyberattacks

By Sara Miller, NoCamels

An Israeli startup is training company workforces to protect themselves against cyberattacks by simulating incredibly realistic attempted security breaches of their computers and emails.

Cywareness’ AI-driven platform imitates emails and text messages from legitimate sources in an attempt to fool employees, CEO Ori Attar tells NoCamels. The startup can even plant USB drives in an attempt to access computers via hardware.

“We built a tool that was the first of its kind in the world – using AI to do everything for you,” he says.

The aim is to hoodwink “targets” into adding malware to their computers or providing secure information such as passwords and financial details – without actually posing a danger to either company hardware or security protocols, Attar explains.

“Our mission is to minimize the risk of cyberattacks on an organization and to increase awareness – like a human firewall,” he says.

“We’re doing that by training them, attacking them and keeping their awareness high.”

With permission from the company, Cywareness will launch a phishing attack – an attempt to obtain sensitive information through deception – using email, SMS or WhatsApp message.

According to global data and business intelligence platform Statista, 85 percent of organizations worldwide experienced one or more phishing attacks between 2021 and 2022.

Furthermore, according to US multinational tech corporation IBM, the global average cost of a data breach in 2023 was $4.45 million.

The startup will use the same tactics as actual hackers – mimicking the logo and web address of a reputable source in an attempt to persuade the victim that the message is legitimate.

What separates Cywareness from other companies offering similar services, Attar says, is its unique AI simulation builder – a platform that allows the startup to generate these challenging faux attacks within minutes, based on the requirements of the company training its staff.

“Two months ago, you needed to know HTML or SQL when building a phishing email and it would take you up to 24 hours to build it,” he explains.

“Now in less than a minute, you can build anything that you want and you can direct it to anyone in the organization that you want.”

He gives the example of a phishing email, which requires multiple factors to look authentic, including the address from which it was sent, the links that appear within the message and then the website to which the target is directed in order to provide sensitive data.

“You receive an email asking you to press something,” he says. “It will direct you to a landing page where you can submit personal data or company information [so] we need to make a fake email that will make you go this route.”

All of this is created by the Cywareness AI platform within minutes, Attar says, using images and other data such as email signatures taken from the company or another legitimate source to increase the authentic feel.

The phishing attempt comes after the employees have already received awareness training about cybersecurity and the startup views it as a test of what they have actually learned.

“We built a training machine,” says Attar, with resources such as videos that instruct staff on how to detect and avoid cyberattacks.

The Ra’anana-based company was founded in 2020 as part of the BSW Group, an Israeli organization whose cybersecurity academy trains companies all over the world.

Cywareness too has an international presence, working with several dozen partners to provide their cybersecurity tutorials to companies and organizations, among them a major American sports league and a global pharmaceutical giant.

Senior officials in both Cywareness and BSW are cyber specialists with experience in this field from their service in the Israeli military. In fact, BSW Group is chaired by former Israel Defense Forces chief of staff Gabi Ashkenazi.

The company training its staff determines how difficult to detect it wants to make the phishing attempt, on a sliding scale of 1 to 5.

The easiest attempts include obvious spelling mistakes and suspicious language that should be easy for the recipient to spot. The harder the test, the fewer clues there are that this is a malicious message.

The messages can also be sent in any language the company requests.

Once the simulation is over, the employee is told that they had been targeted as part of a training exercise, and receives feedback about any mistakes they made or clues that they missed that would have revealed that this was a cyberattack.

“We want to make sure that they understand that this was training,” Attar says. “It’s a test and we want them to learn – we don’t want to hack them!”

