All it takes to invite a cyber attack is for one unsuspecting employee to accidentally click on a phishing email — endangering your data and your customers. According to the IBM Cyber Security Intelligence Index, 95 percent of cybersecurity incidents occur because of human error and 9 out of 10 U.S. businesses fall victim to hacking incidents each year with costs upward of $4M per breach.
Many enterprises have workshops once or twice a year for employees to learn the latest in cybersecurity threats, but many of those employees don’t pay attention as the PowerPoint slides go by. Curricula wants to engage your employees more often and in a fun way via educational videos to make sure the point actually gets across.
“Multi-billion dollar organizations spend tens of millions of dollars on hardware applications to protect them from bad guys, but when it came down to actually teaching their employees about it, it’s just a few slides slapped together by their lawyers or their HR people,” says CEO Nick Santora.
Curricula helps train your employees via short illustrated videos that show real-life situations to keep them engaged throughout. Episodes cover ransomware, phishing, removable media, and current cybersecurity trends, with an option to create customized episodes based on your company’s specific procedures. The startup also delivers data based on knowledge retention so leadership can understand employees’ learned behaviors.
Here, Santora shares more about what triggered his startup idea, why they turned down venture funds in favor of bootstrapping, and how Curricula can help your business prevent cybersecurity issues.
How did you get the idea for this?
I used to work at the North American Electric Reliability Corporation — it’s kind of like the IRS, but we would regulate how the electric works in the country. I used to oversee auditing, advisory, and cybersecurity issues to protect us from hackers on our electric grid. One of the regulations is to teach employees about cybersecurity regulations.
Everyone sat through boring presentations and quit as fast as they could. I had this hunch in the back of my mind saying if we could just make this a little more fun and engaging for people, maybe they’ll actually start to pay attention.
You met with venture capitalists shortly after to get your startup off the ground. Why did you decide to bootstrap instead?
Early on we met with VCs and pitched the idea. We showed them what the strategy was and our direction, but we quickly realized that one, they were going to take a massive chunk of the company from day one, which we didn’t want to do. And two, they weren’t going to provide any support or expertise in the field because that’s kind of where I was coming from. We bootstrapped the whole thing — I pulled all of my money out of my 401K and I gathered a team together and then we just launched it on our own in March 2015.
What problem are you solving with Curricula?
You have employees that use computers every day. Those employees are one of the biggest risks to your organization because a lot of them have the keys to the kingdom as far as bank accounts, financial records, and proprietary information. As an organization, it’s difficult to articulate some of these cybersecurity defenses to their employees and make them pay attention to it. The easiest way to do that is to relate to the employee personally first.
Think of things that affect them in their personal lives — their own bank accounts, their mortgages and rent payments — and show them how easily that can disappear with a swift click or phishing email. Once you do that, then all the other stuff starts to kind of fall into place.
We use story-based learning, where your employees can watch our characters go on adventures and hack each other and see a story unfold of what an actual cyber attack would look like.
How often should companies do cybersecurity training with their employees? Does Curricula advise them on timing?
We’re also a full-blown security awareness company, so we’re here to help every step of the way. You’ll not only have these episodes, but you also have access to downloads and email notifications. We’re also currently building a tool to “mock phish” your own employees. You would be able to go into our tool and send out a fake phishing campaign against your own employees and see who actually falls victim to those emails.
One of the most important things about security awareness, similar to healthcare awareness, is if you want to become healthy you’re not going to eat well and exercise once a year. The problem most organizations make is they only do the training once a year. We recommend a consistent monthly or quarterly approach so you’re constantly putting cybersecurity training in front of your employees and making them aware of different subjects.
Are you looking for funding at the moment?
We are still bootstrapped. Currently we have four partners with three contractors on staff. We’re self-sustained. We’re interested in reaching out for funding opportunities in 2018 to expand. We know we can do a lot more damage if we had more resources in our hands.
What’s your revenue model?
The model is based off employee size at the organization with an annual fee. Our target customer has about 500 employees with our smallest client right now being an organization with 12 employees.
What’s next for Curricula?
We’re opening up the training beta for the mock phishing program — it’ll probably launch in Q1 2018. The bigger one is just networking more with the Atlanta community, since most of our customers are from outside of the Atlanta area. We’re looking forward to talking with more Atlanta companies that we can help out, so the more the merrier. We’re here to kind of lift our heads up and say hello to everyone.