
114 points BenjaminN | 1 comments

Ahoy Hacker News! I'm Ben, founder of Riot (https://tryriot.com), a tool that sends phishing emails to your team to get them ready for real attacks. It's like a fire drill, but for cybersecurity.

Prior to Riot, I was the co-founder and CTO of a fintech company operating hundreds of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.

So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.

For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.

Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!

cones688 No.22677015
> "I was pissed"

How do you balance/deal with "security shaming", which is proven to put you further at risk as an organization?

There is some interesting research from the UK Government in this space - https://www.ncsc.gov.uk/blog-post/trouble-phishing#section_3

The relevant bit:

"If just one user reports a phish, you can get a head start on defending your company against that phishing campaign and every spotted email is one less opportunity for attackers...but phishing your own users isn't your only option.

Try being more creative; some companies have had a lot of success with training that gets the participants to craft their own phishing email, giving them a much richer view of the influence techniques used. Others are experimenting with gamification, making a friendly competition between peers, rather than an 'us vs them' situation with security."

bubblethink No.22683480
>How do you balance/deal with "security shaming", which is proven to put you further at risk as an organization?

I've had this happen to me, not for phishing, but for the Kensington lock thing. Probably not that common any more, at least not in the west, but some workplaces have aggressive laptop locking policies. Workplace tried this stunt of confiscating laptops that were not locked, and everyone had to meet some manager type person. It was completely asinine. This is a typical badge access controlled workplace with additional security personnel. The laptop locks were a total overkill.