Concept Brief: Phishing Education Suite

Context

From a security perspective, people are the weakest link within an organization: they are prone to social engineering, phishing attacks, distractions, and mistakes. Automated systems such as Abnormal try to provide a robust defense against these types of attacks, but email security is an ongoing game of cat and mouse between attackers and security systems and there is never a guarantee of 100% coverage.
Because of the adversarial nature of security, it is inevitable that some novel attacks will bypass Abnormal’s algorithms and appear in employee inboxes. However, most employees have no idea they are susceptible to these kinds of attacks and have little to no formal training in identifying, reporting, or mitigating these types of attacks.[0]

The Problem

85% of business cybersecurity breaches last year went through a human, often through social engineering or impersonation.[1] This isn’t particularly surprising considering that only 20% of organizations administer any form of phishing training.[2] The average data breach costs an organization upwards of $4MM.[2]
Lack of basic email security training for employees presents an enormous liability for companies of all sizes: if the people responsible for sensitive information and finances are not actively looking out for threats, they become an ineffective last line of defense. This is a critical issue because in the long run there will always be threats that bypass algorithmic security solutions and prey on human nature.

Objective

There are 2 objectives with this product:
1. Abnormal clients have a goal of improving the security posture of their organizations and employees. The goal of the Phishing Education Suite is to train employees to effectively identify and avoid email threats. We want to build employee confidence when it comes to email security, encourage communication with SO teams, and establish habits that mitigate phishing attacks.
2. Abnormal’s goal through the Phishing Education Suite is to drive additional value for existing customers to increase net dollar retention by increasing upsells and decreasing churn.

Opportunity

Abnormal can educate employees about identifying email security threats via the Phishing Education (PE) Suite to create an effective last line of defense against email attacks.
Educating employees about threats further positions Abnormal as an end-to-end security product (able to algorithmically secure inboxes as a first line of defense, and able to educate employees to identify threats as a last line of defense). By moving Abnormal from behind the scenes to across the entire email security chain, Abnormal can further solidify its position within a company’s SOC and become a deeply ingrained product.
The business opportunity presented is large: existing players in the phishing education space charge up to $30 per user per year and there are several multibillion-dollar companies with a core product offering of educating employees about phishing threats.[3]
Educating employees is an ongoing task without a concrete finish: new employees are constantly joining and new threats are always emerging. The Phishing Education Suite positions itself as a long-term, continuous offering which can be upsold to existing customers. This will drive additional revenue, lower churn, and ultimately increase net dollar retention for Abnormal.

Proposed Solution

The proposed solution is a comprehensive educational suite covering phishing and email security threats, which can be automatically deployed, monitored, and reported on. The end goal is to educate Abnormal’s clients’ employees on email security so that they are less of a vulnerability to the organization.
The suite equips the SO team with an Email Security Score (ESS) for each individual, team, and department. A high ESS signals great email security practices; a low ESS signals vulnerabilities and areas of improvement, providing execs with actionable goals to make their organization more secure.

Rationale

For context, net dollar retention for a given year is calculated by this equation:
(Initial_ARR + Upgrades - Downgrades - Churn) / (Initial_ARR)
Thus, net dollar retention is a metric indicating revenue fluctuations within a set cohort of customers over time. With the business goal of increasing net dollar retention for Abnormal, our product must do at least one of the following:
1. Increase upgrades
2. Decrease downgrades
3. Decrease churn

The Phishing Education Suite will accomplish #1 and #3. It is designed to be a product which is sold in addition to Abnormal’s core offering, which by definition would increase spend on upgrades. Additionally, the offering operates on a long time horizon because new employees are constantly joining and new threats are always emerging, so clients are less likely to churn sooner.

Assumptions

Employees and management won’t mind being tested and having faux phishing emails appear in their inbox.
SO Teams want to educate their employees to be a better last line of defense, and will pay money to mitigate these vulnerabilities.

References


