The SoSafe founders have developed a learning suite to prevent phishing attacks from occurring in companies. For this purpose, they have put together a curriculum that combines 10 e-learning online courses with simulated phishing attacks. The templates for the phishing attacks can be customized to the needs of the company and industry to also simulate so-called “spearphishing attacks”. In this approach, hackers first profile employees on social media and then send targeted phishing emails that are customized to the victim and therefore hard to recognize as phishing. The curriculum and phishing templates are cloud-based, which means that they can be accessed and deployed from outside the company’s IT system. The system complies with the new data protection directive, so access and results are anonymized.
To go one step further, SoSafe is currently negotiating with different insurance providers to integrate their offering into a bundled cyber risk policy offering.
For quite a while, insurers have been looking to extend their product propositions into prevention so as to act before a claim occurs. The relatively new field of cyber risk coverage is therefore a good place to put this approach into action. Offering cyber risk policies together with SoSafe’s suite of e-learning and simulated phishing attacks seems to be a natural fit. Learning about the risks and then actually practising the learned content repeatedly can reduce the risk arising from a cyber breach and thus reduce claims costs.
The approach is a clever way to combine insurance and prevention with an element of gamification. As modern learning psychology has proven, we tend to keep only 20% of what we hear but actually memorize 90% of what we do ourselves. In addition, repeating the exercise helps commit the acquired behaviour to memory.
Also, the offer comes at the right time, as phishing attacks are on the rise. A joint study by Google and the University of Berkeley in November 2017 (https://ai.google/research/pubs/pub46437) showed phishing as the second highest cause, after large-scale data leaks, for a user to fall prey to a hacking attack. Interestingly enough, so-called phishing kits, software programs that automate the attack and, for example, emulate a Google or PayPal login page, have hardly evolved technology-wise since the 2000s but continue to be just as effective.
So, combining a phishing prevention approach with a cybersecurity policy seems an effective value proposition for clients by going one step further in reducing the risk.