Considering the fact that 91 percent of cyber attacks start with a phishing email, enterprises spend billions every year to train their employees on preventing phishing attacks. However, despite this training, data breaches continue to occur — current predictions put cybercrime costs at $2 trillion by 2019.
While working at Bank of America, Quincy Acklen spent his time setting up what-if financial scenarios, but constant safety filters on his computer would prevent him from investigating new sites and slow down his research.
After one of his colleagues fell for a phishing link that put both the company and his career in jeopardy, Acklen realized that the training and blocking were not doing enough to prevent these attacks. Along with his co-founder Andrew Faraca, Acklen created machine learning phishing prevention software, Gyomo. Upon clicking on a site, the software automatically rates it, quickly alerting the employee of any danger.
“Security specialists have been battling their employees with traditional models, always trying to look out for the next dangerous action of their employees,” says Acklen. “But with Gyomo we transform this unpatchable vulnerability into active and effective participants in defense of the network.”
The team just finished up a startup bootcamp in Amsterdam and raised $65,000 in outside funding. They’ll soon launch a crowdfunding campaign to scale the product and meet customer demand.
Here, Acklen shares more about how his career at Bank of America helped him find this issue, how Gyomo trains employees more effectively than blocking, and the main phishing mistakes to avoid.
What problem are you solving?
The vast majority of data breaches start with social engineering — when people, not computers, are compromised. The two biggest ways organizations currently try to solve this massive problem — training and blocking — are just not very good. Gyomo combines both approaches to teach people to stop clicking on phishing links and block bad websites if they click anyway.
How’d you get the idea?
Having spent years at Bank of America with the internet locked down tight, I used to get pretty frustrated when I was trying to do research for my job and couldn’t because security had so many sites blocked. It took one to three days to get access to new websites, and that really hurt my productivity.
My friends (and now advisors) at the bank actually had the experience of both analyzing requests for access to new websites and sending simulated phishes to test the security awareness of the employees. We knew the pain from all sides, and hoped there would be a better solution. After leaving the Bank, we saw someone we knew and respected fall victim to a phish and endanger his company and career. What was originally an annoyance to us now became a personal goal to ensure no one has to go through that pain. So our mission became clear: patch the human and secure the network.
What are some of the main mistakes you see in phishing attacks?
One of the most obvious mistakes is that people just don’t look at the URLs. If you clicked on a link to the Apple store and arrived at a website that looked exactly like the Apple store webpage you logged into yesterday, but the address in your browser says something else — would you still log in? People either don’t understand the different parts of a web address or they aren’t vigilant in checking every link they click on.
Also, many people think that ‘https’ means that a site is safe — when that’s just not true. They don’t understand the distinction between secure data transmission and secure, safe sites. Bad guys are smart enough to securely transmit data if that helps lure more people.
How does Gyomo combine machine learning and gamification to train users?
When a user clicks on a suspicious link, Gyomo jumps into action. We gather information about the website and send it to our machine learning algorithm, which scores the page and, most of the time, decides to block or allow access. We present users with training, quizzes, and games — all of which guide them on various aspects of detecting phish. With this knowledge, not only does the crowd learn and get better at detecting phish, but their feedback and interactions help train the software.
What’s your expected revenue model?
We will go to market with our cloud-based, SaaS product with subscription pricing in line with existing training products already on the market. We will sell directly to our customers and through channel partners where we will share revenue.
Who are your competitors and how do you stand out?
There are many competitors on the training side — PhishMe, Wombat, KnowBe4, etc. — but none of those utilize real phish, and frankly they’re quite ineffective. Gyomo provides more relevant, timely, and effective training, with the added benefit of filtering/blocking as well. On the filtering/blocking side of the competition, we see companies like Symantec that provide solid blocking solutions, but at the expense of productivity, and they still struggle to stop zero-day attacks or targeted spear phish.
What we’ve seen from the filtering/blocking “competitors” is that they are actually interested in working with Gyomo to provide more comprehensive solutions to their customers.
What are some lessons you’ve learned as a startup founder that may help others?
Honestly, we’re still very much learning and growing, so I’m not sure I can speak with much authority. But there are two big things that really stand out to me. First, truly understanding the product market fit and customer needs is key. During our Amsterdam Startupbootcamp, we learned that much of the European market has different pain points than what we saw in the U.S. market, so that has allowed us to hone in on the most valuable aspects to our customers.
Second, I cannot understate the value of working with the right people, programs, etc. Having direct and candid access to potential customers and mentors is tremendous.
How does your location in Atlanta weave into your startup story?
Although I spent many years in Charlotte with Bank of America, much of my career has been in the Atlanta area. Atlanta has an excellent market for technical talent, numerous potential customers, and the investor scene is quite active.
What’s next for Gyomo in the next 6-12 months?
The next few months look exceptionally busy. In the very short term we’re fundraising, hiring, continuing to build out the solution, and have pilots in queue. Beyond that we look forward to growing and providing our solution to additional companies that we’re already in discussions with, and pursuing channel partnerships.