Shlomi Gian, CybeReady, on Teaching Everyone to Avoid Phishing Attacks
Cyber attacks happen constantly and whether or not they're going to hit you or your employee is a matter of chance and time. One thing that's super important, however, is to know how to do your part in avoiding such attacks, which is where education comes in.
Shlomi Gian is the CEO of CybeReady, a company that offers autonomous cybersecurity training platforms for enterprises, hoping to teach everyone how to avoid, at the very least, phishing attacks. In an interview with TechNadu, Shlomi Gian talks about the best tactics to stay safe and spreading the cyber education to everyone around us.
TechNadu: Let's get things going with you telling us about how you became the CybeReady CEO and the path you've had so far through your career.
Shlomi Gian: I spent the early part of my career in multiple engineering management roles. A few years later, I got more involved in the business side. From the early days, I was intrigued by problem-solving, first as an engineer and later as a leader. I took part in the mobile revolution starting when these small connected devices granted us access to the Internet “on the go”. I have no doubt that pretty soon we’ll be able to think digitally and share our ideas without even typing or speaking. These rapid advancements require a change in the way we operate as they also leave us exposed to new risks. This is the main reason I got interested in CybeReady, soon after PacketZoom - the previous startup I was running - was acquired by Roblox in 2018. Email as the main vehicle for modern communication has exposed our society to new risks and an entire generation must change its behavior to better protect itself from electronic predators. Unlike anything else, CybeReady found a way to change behavior on a large scale, with minimal effort. That’s where the future of cybersecurity education is.
TechNadu: One of the major issues we see nowadays is the lack of education in security issues, which is something that CybeReady is trying to cover to some extent. What are some of the most common online scams that people fall for, in your company's experience?
Shlomi Gian: The biggest threat to organizations comes from phishing emails, which account for more than 90% of all data breaches. Therefore, employee security awareness training is definitely key to winning that battle. The irony is that companies today invest more than ever in awareness training programs, but with all legacy solutions expecting the customer to manage the program, the results are mediocre and employee behavior towards phishing attacks doesn’t change.
When it comes to phishing emails, the most common attacks people fall for are often the simplest ones. A two-sentence email from a “credible source” (such as Amazon or LinkedIn) prompting an employee to update their password is a common one. Another common attack comes from a familiar sender - a colleague, our manager, etc., information hackers would typically obtain from social channels. An example would be an email from the company’s HR with a link the “the company event photos”. That email, typically sent during the holiday season, always triggers high click rates among all organization departments.
TechNadu: What are some behaviors your training try to correct most often among the employees of your clients?
Shlomi Gian: Some employees are simply less careful and often open email from unknown sources, click on suspicious links and download unknown files with little hesitation. This group of employees - often called Serial Clickers - is the one that puts the organization at most risk. We change this impulse to click, and train to look for suspicious signs such as the sender details, the URL, look for fonts, writing style, and other red flags. The most effective way to teach that is by utilizing Just-in-Time training - meaning that employees get trained immediately after they failed a simulation using a short and memorable lesson that explains what they failed to detect. That way, the learning is relevant, engaging and effective and with time, it becomes second nature for employees to check each email they receive with critical eyes.
TechNadu: While CybeReady focuses on the employees of various corporations, what can be done to raise awareness about the various cyber scams that target regular people? How can we raise education levels for everyone?
Shlomi Gian: Each employee we train is also a “regular person” who uses his devices and received emails to their private accounts as well. They may be someone’s parent and are someone’s child, and have their own friends and social/professional networks. Therefore, when we train employees, they take those learnings and insights with them to their extended communities and educate their parents, friends, and children to embrace a more secure cyber lifestyle as well. I absolutely believe that on top of training employees in the workplace, everyone should be trained at schools, colleges and community centers, to raise awareness and mitigate the growing risks of cyber-attacks.
TechNadu: Let's take some steps towards educating everyone. What are some steps people should take to avoid phishing attacks?
Shlomi Gian: We try to educate everyone to watch every single email that lands in their inbox with a critical eye - look for alarming signals, such as unknown senders, uncommon URLs, awkward language and even context and timing of email. Also, when it comes to emails announcing the award and FREE stuff, the rule of thumb is that if it sounds too good to be true, then it probably is. The beauty of security awareness training is that just like with any other life skills training - if done consciously and methodologically - it becomes second nature. We see how within three to six months, any size enterprise transforms and employee resilience score rises dramatically. However, hackers are becoming more sophisticated by the day and utilize social engineering to find new techniques to trick employees, so training should be an ongoing effort and should replicate “real-life attacks” as much as possible. As part of our training platform, we also provide our customers with “PhishCage” - a reporting button that allows employees to report any suspicious email, hence empowers employees to play an active role in keeping their company phish-free.
TechNadu: Your company has clients from a wide range of industries. Did you notice any particular industry as being more commonly targeted by phishing attacks?
Shlomi Gian: Phishing attacks have become extremely prevalent and target every industry. While in the past some industries - such as Financial, Insurance, Medical - were considered more vulnerable due to the sensitive customer/patient data in their systems, hackers today do not “discriminate” one industry from another. Some of the biggest attacks we learned about this past year included leading Retail companies, such as Target and Amazon, hotel group Marriott and multiple government agencies.
TechNadu: You're in the cyber security business, you know the risks - what are some of the things you personally do to avoid online scams and other types of cyber attacks?
Shlomi Gian: In today’s electronic world, attackers are everywhere. For that reason, I personally avoid opening emails from unknown sources or answer messages from unknown contacts. As a parent, I share best practices with family and friends that are less aware or not as “techie”. Similarly to protecting an enterprise, the logic here is that hackers will keep looking for the weakest link such as the new employee or unaware individual and eventually find a way in.
We can't wait to hear what you think about what Shlomi Gian had to say, so drop us a note in the comments section below the article. Share the interview with friends and family to keep them safe too. Follow TechNadu on Facebook and Twitter for more tech news, guides, reviews, and interviews.