←back to thread

Launch HN: Riot (YC W20) – Phishing training for your team

114 points BenjaminN | 2 comments | 24 Mar 20 17:25 UTC | HN request time: 0s | source

Ahoy Hacker News! I'm Ben, founder of Riot (https://tryriot.com), a tool that sends phishing emails to your team to get them ready for real attacks. It's like a fire drill, but for cybersecurity.

Prior to Riot, I was the co-founder and CTO of a fintech company operating hundred of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.

So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.

For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.

Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!

1. bt3 ◴[24 Mar 20 18:32 UTC] No.22677403[source]▶

>>22676574 (OP) #

I work at a large professional services firm (think Big 4), so the risk of any single breach in our network is taken pretty seriously. Our IT department added an Outlook plugin years ago that you can use to immediately reporting phishing attempts to them. As a bonus, they'll sometimes send these "tests" and if you select to "Report Phishing", you'll get a atta-boy type notification. I would assume at a macro level, they have stats on everyone and know who the "riskier" employees are. I have no idea if this is done inhouse at other large companies.

Sidenote/ question for you: some of the "test" attacks my company sends are very specific to the work we're doing and can sometimes sound very convincing. Do you have a catalogue of "attacks" based on industry or department (procurement might fall for something completely different than sales or marketing)? I'm sure with enough tests, you could measure the effectiveness of attacks (or maybe the difficulty of detection)... then you can start rating organizations not just based on what percentage of folks fell for it, but what specifically they fell for, or what was more likely to get them to bite. Almost like targeted training?

Cool idea overall and wish you guys the best.

replies(1): >>22677825 #

2. BenjaminN ◴[24 Mar 20 19:07 UTC] No.22677825[source]▶

>>22677403 (TP) #

1. I've talked with a lot of companies (Stripe for example) who do that internally and it takes a tremendous amount of time to set up.

2. For now attacks are very generic, but will soon be sector-based and department-based.

3. Yes for sure it's probably worth adapting the pace of the attacks depending on the level of the employees.

Thanks for the kind words!