In March 2019, a breach exposed private data from more than 100 million Capital One customers across the U.S. and Canada. The breach wasn’t detected by the bank until early July.
“Most security products even today are geared specifically around static-based vulnerabilities — things that are fixed,” says Jason A. Hollander, a cybersecurity technologist for over 20 years. “There’s firewall ports that are open, and that’s what happened during the Capital One breach.”
A lot of a company’s security relies on other individuals’ practices, says Hollander. His customers would ask for feedback on how to protect their brand with visitors constantly coming onto their web property and accessing information.
The common denominator in these breaches is humans.
“We see this a lot with the Facebook, LabCorp, and Quest Diagnostics breaches,” says Hollander. “Those breaches weren’t necessarily breaches from their own security, it was from a third party.”
“All of these products in the market tackle static vulnerabilities, but 90 percent of all breaches are derived from humans.”
“We’re able to identify humans and understand their security ‘hygiene,’ almost like you understand your health hygiene. You go to the doctor once a year to get a physical to understand how healthy you are,” says Hollander.
They’ve found that most employees have poor security hygiene — all of their passwords are too similar, for example. To date, 30 percent of breaches come from password credentials.
“We can look at that holistically and then understand what the breach result is and what the risk is to an organization’s cyberhealth,” says Hollander. “We help provide visibility and protection to organizations by understanding user behavior and user security hygiene.”
When faced with a breach, companies often instruct every employee to change their password, without knowing which user’s vulnerability caused the problem in the first place. With Cymatic, each user in the company has a cyberhealth score to show who is at risk.
“Everything we do is anonymous, only capturing characteristics. The machine learning and AI component is able to understand risk and compensate for that [as the employee browses],” says Hollander.
The technology can even be applied to unmanaged devices from third-party contractors that log in to the company’s network. When any new device enters the network, Cymatic performs a quick vulnerability scan.
The enterprise client can see every employee’s security hygiene and the direct impact it has on their overall cyberhealth. The platform also reviews current security products in the system to make sure they’re up to date.
“These security hygiene reports are extremely valuable to companies to understand gaps in devices, gaps in user management,” says Hollander.
Cymatic’s main customers are enterprises in highly regulated industries like financial services, healthcare, and government. They will soon be expanding into legal, education, and e-commerce.
The Raleigh, North Carolina-based SaaS startup raised $4.5 million in seed funding from angel investors last month. The company was bootstrapped prior to that and will leverage the new funds for marketing and product development.
“Our product is very human-centric, and as a company we are as well. We’re now in a growth acceleration rate and have tripled our team in the last six months,” says Hollander. “We want to continue to be on the bleeding edge.”