Meet Riot, a company participating in Y Combinator’s current batch that wants to help you fight phishing attempts. Riot runs fake phishing campaigns on your employees. For instance, your team members could receive an email saying that their Google account has been deactivated to see if they can spot real email notifications from fake ones.
It has never been easier to secure your products and internal tools thanks to two-factor authentication, single sign-on and access policies. And yet, humans remain the most important vulnerability. Many data breaches start with a compromised account from one of your employees.
In other words, your company’s security is as strong as your least careful employee. That’s why educating your employees about security risks will be key in the coming years.
Riot is currently divided into three different modules. First, you can set up fake phishing campaigns on your employees. You can select a periodicity so that your employees receive a fake phishing attempt at least once every 45 days, for instance. You then select between a template library. Right now, Riot can send you fake notifications about a suspended account on Microsoft, Google, Dropbox or Slack, a new shared document on Google or Dropbox and an unbranded voicemail notification.
“With the new voicemail-received notification, the person should have noticed that the email came from the noreply.link domain name,” Riot founder and CEO Benjamin Netter told me.
Second, admins get a nice dashboard to check the level of their employees. You can see if they weren’t fooled, if some of them clicked on a link and (worse) if some of them entered a login and a password. This way, you can check progress over time or run frequent campaigns on some employees.
Third, if you failed a test as an employee, your company can assign you a quick security training. It looks like a chat interface with a few questions. It works on desktop and mobile and shouldn’t take more than a few minutes. Short, effortless trainings instead of boring webinars should be more efficient when it comes to getting the message across.
“The next step is CEO fraud training. It’s something I’ve noticed more and more. I’ve talked with a ton of people who said that assistants often receive emails from their managers asking them to buy 10 Amazon gift cards,” Netter said.
But CEO fraud could be even worse than that. Some attackers send invoices to the accounting department asking for a large bank transfer.
Eventually, Riot could offer more modules beyond education. For example, the startup could partner with an insurance company to negotiate better terms for a cybersecurity insurance product based on your Riot data.
Riot’s founder Benjamin Netter was previously the co-founder and CTO of October (formerly known as Lendix), one of the leading crowd-lending platforms in Europe. He has experience when it comes to assessing risk.
The company is just getting started, and has signed a handful of clients. Plans start at $ 200 per month for companies with up to 50 employees.