This is Hoxhunt, an AI-driven cybersecurity engagement platform to train you to be better at protecting yourself and your company from cybercrime. Our public story begins with this post, but we’ve been around already for a short while. During that while, we’ve built a rocket, ignited the engines and managed to have a lift-off. We have also closed a seed-funding round, led by the coolest VC fund in Finland, Icebreaker.vc, joined by Nokia & F-Secure chairman Risto Siilasmaa’s First Fellow Partners. But as usual, dinner is the tastiest when served with an appetizer, so let’s first drill down to what we are all about.
We know who you are, and so do the criminals
Before we tell more about ourselves, let’s take a moment to think about how much we could know about you. You probably have social media accounts and a work email. By combining information from those sources, we can create a message tailored to you. If we were an attacker, we would most probably load that message with fear and urgency to get you to react to it instantly, without using your common sense. This attack tactic is called social engineering, and today’s digital criminals are extremely skillful in using it.
Social engineering attacks rely on the power of facts. The stronger the facts are, the easier it is to manipulate the target. Attackers are using the information you share about yourself against you. The ultimate goal of the attacker is not necessarily to get to your computer per se but to get to your company’s computer, because that’s where the money is.
How do social engineers get to you?
We all share a personal global address, an email account, and the attackers are knocking on your door all the time. What you’ve probably seen are the naïve, easy attacks, but the ones you should be worried about are the more sophisticated ones.
In fact, over 90% of corporate cyber incidents start through an employee. The biggest channel for delivering these attacks is, by far, email. The better attacks start with truths about your life, trick-wired with a hidden agenda. Usually, that agenda is to get you to click on a link or to open an attachment. What happens next is up to the attacker.
Why should you and your company care?
The problem is magnified when a malicious email hits the inbox of a company employee. If the employee does not recognize that she is under attack, the consequences are usually expensive. The outcomes of the incidents range from locking the company systems for ransom to stealing sensitive information and causing a major reputation crisis. On average, an attacker spends 213 days in the company’s systems without being detected.
Companies function on top of data. Thus, if an attacker is able to deny a company’s employees access to that data or steal sensitive information, the consequences could be drastic. Many companies have recognized the importance of information security as an integral part of their employees’ core competence. For those companies, the question is no longer whether they should train their employees in cybersecurity; the question is whether their 213 days have already begun.
The bad feng-shui in cybersecurity
To date, changing employee behaviour to a secure one has been incredibly hard. Organizations have tried pushing information to their employees in classrooms and in e-learning solutions. They’ve tested the results of these awareness campaigns with phishing tools and penetration tests, giving extra training only when an employee fails, which does not exactly create nice feng-shui around security. While some of these methods are great for other purposes – like e-learning is for regulatory compliance – you need to rely on engaging cybersecurity training to create actual tangible results. The traditional methods of cybersecurity training do not patch the human component of security. Only constant learning and a positive environment can result in behavior change.
That’s why we founded Hoxhunt.
Gamification is a fancy word for creating great experiences
We think that secure behavior, like any behavior, cannot be forced on an employee. We think secure behavior should originate from the employee.
So, we decided to create a solution that’s fast and easy to use, integrated into your employees’ workflow without them even noticing it. We decided to make it so engaging that the employees want to use it, voluntarily! How were we able to achieve this? That’s called gamification, folks, one of the national competencies of our dear home country, Finland. Creating experiences means creating memorable moments, and memorable moments mean behavior change. Great user experience also means that there is no more bad karma around cybersecurity.
May the force be with you
Our mission at Hoxhunt is to enable everyone to protect themselves from cybercrime. We want you to be able to protect yourself, your family, and your company. Before you can start doing that, you have to recognize when you are under attack.
That is why we created Hoxhunt AI: an AI that gathers intelligence about you just like the attacker would and simulates real-world attacks against you. Your job is to recognize and report when you are under attack. Our game engine rewards you whenever you report an attack. The best thing is that you can’t know whether the attack is a simulated or a real one – in either case, you are encouraged to report it.
One of the biggest challenges to date has been security education customization. Employees’ knowledge and initial skill levels in cybersecurity vary a lot. To change individual behavior in a large organization, the training needs to be customized employee by employee. Hoxhunt’s game AI does this automatically.
On the user experience side, the system integrates into the user’s daily workflow, so that the training is fast and effortless. Under the hood, we have powerful machine learning algorithms to leverage network effects when real threats are reported. We want to give you the force to protect yourself and your organization.
The fast forward
Our first customers have been stock-listed organizations from retail, cybersecurity, IT and financial technology. For us, selecting the most demanding first customers – from cybersecurity experts to white and blue-collar employees – has helped us to push our product forward with high intensity. We now have users in over 22 countries.
Investors also believe in our mission. We are stoked to announce that we have closed our seed round, led by Icebreaker VC and joined by Nokia & F-Secure chairman Risto Siilasmaa’s First Fellow Partners. The funding helps us to serve our customers even better and to take our product to the next level. Yes, that rhymes.
So, next time you receive a parking ticket from a private parking company in your work email and, in rage and frustration, you are about to open the attached invoice, think first about whether the parking company really should know your email address.