Startups

This Newark cybersecurity firm helps companies phish their own employees

Humans are the weak link in stopping cybersecurity attacks. Phishing simulations can help, says Anchor Security Team team member Josh Simmons.

AI can't stop email phishing alone. (Photo by Pexels user Torsten Dettlaff used under a Creative Commons license)

If you think you can spot a phishing email from a mile away, consider the case of Barbara Corcoran of “Shark Tank“: A scammer learned the identities of her assistant and bookkeeper, then created a real email address that was almost indistinguishable from her assistant’s email, which they used to email the bookkeeper — resulting in the (since recovered) theft of nearly $400,000.

“They’re getting so much more complex and more targeted,” said Connor Swalm, one of the founders of Anchor Security Team, a Newark cybersecurity firm that specializes in helping companies reinforce security on the front line — the employees who receive phishing emails every day.

A huge percentage of cybersecurity events start with phishing emails, said Josh Simmons, a team member for Anchor Security, citing data that is backed up in the 2018 Verizon Data Breach Investigations Report. “As the technology gets better, the human becomes the weakest point.”

When Swalm, a 2018 graduate of University of Delaware, spun off a software company he started as a student into a cybersecurity company with partners Dr. Andrew Novocin and Dr. Jamie Swalm, its primary focus wasn’t phishing. But when they, like virtually all companies, started receiving complex phishing emails, they found existing software solutions on the market to be inadequate.

“We realized very quickly through talking to large organizations that were already using products in the marketplace that the current products weren’t getting the job done,” Swalm said. “We decided at that point that there was an opportunity to build a better product that focused on training employees, preparing them for these eventual attacks, because they’re the ones that get really taken advantage of.”

Typically, educating employees on phishing involves a watching a video and checking a box — but employees “typically just mute and continue working on other stuff while they check the box that they need to get IT off their back,” said Swalm.

Anchor Security’s platform, which recently finished a pilot program and is now serving clients, allows companies to create their own custom simulated phishing emails to send out to their own employees at different times, without warning. When simulated phishing emails are typically used in cybersecurity training, the same email goes out all at the same time to all employees — but that, Swalm said, does not accurately represent a real phishing scenario and is far too easy for employees to catch, not least of all because word spreads to not click the email.

“[The Anchor platform] can customize all of the templates, the email, the reports, which individuals get which phishing emails and what information you’re going to put in those emails of that individual,” said Swalm.

When employees click on a simulated phishing email — and, in its pilot, even cybersecurity team members were fooled by some of them — a browser opens, taking them to what they call a Learning Moment. “The second an employee clicks a phishing email, they go through an automated tour of the email that they just clicked, telling them which things in the email they missed that would have showed them that it was a phishing email.”

Unlike a training video, Learning Moments are interactive demos the employee can’t ignore.

Focusing on people rather than technology isn’t the most common defense in cybersecurity, Swalm said.

“There are a lot of companies that focus on securing the software, hardware and the infrastructure with enormously expensive machine learning tools that read emails and try to predict if they’re phishing,” he said. “But at the end of the day, the only way to defend from a complex phishing attempt like [Corcoran’s] is to train your employees in a better way.”

Before you go...

Please consider supporting Technical.ly to keep our independent journalism strong. Unlike most business-focused media outlets, we don’t have a paywall. Instead, we count on your personal and organizational support.

3 ways to support our work:
  • Contribute to the Journalism Fund. Charitable giving ensures our information remains free and accessible for residents to discover workforce programs and entrepreneurship pathways. This includes philanthropic grants and individual tax-deductible donations from readers like you.
  • Use our Preferred Partners. Our directory of vetted providers offers high-quality recommendations for services our readers need, and each referral supports our journalism.
  • Use our services. If you need entrepreneurs and tech leaders to buy your services, are seeking technologists to hire or want more professionals to know about your ecosystem, Technical.ly has the biggest and most engaged audience in the mid-Atlantic. We help companies tell their stories and answer big questions to meet and serve our community.
The journalism fund Preferred partners Our services
Engagement

Join our growing Slack community

Join 5,000 tech professionals and entrepreneurs in our community Slack today!

Trending

Trump may kill the CHIPS and Science Act. Here’s what that means for your community.

This Week in Jobs: Sweeten your career with these 31 open tech roles

14 tech community events to be thankful for in November

How 4 orgs give back to their local tech community

Technically Media