Michael Moliterno | November 17, 2014

Wombat Security Software Teaches Cyber Defense

A little-known fact about wombats is they become fiercely protective when they’re provoked. For this reason, three faculty members at Carnegie Mellon University decided to name their jointly developed software Wombat Security Technologies.

Based on the findings of the largest national research project of its kind, the developers of the software seek to dissuade those who would inadvertently facilitate cyber attacks through education and training.

“[Cyber attackers] are trying to get people, based on either guilt or greed or trust,” Joe Ferrara says of the phishing his company looks to thwart. Phishing relies on unsuspecting users to perform an action, such as clicking a link or downloading a file, for the virus to succeed.

As the president and CEO of Pittsburgh-based Wombat Technologies, Ferrara sees an increasing number of new phishing scams. Some of the most common assume the identity of a seemingly legitimate source via email, sending text messages with links to malicious software or by planting a USB device on a company’s property.

“I could put a file on a USB device that says ‘executive salaries,’ and the chance of somebody clicking on that is pretty high if you dropped it into the parking lot,” he says.

In these instances human error – even well-intentioned human error – can completely circumvent a company’s security infrastructure.

“So much of this is people don’t understand all the risks and how to protect themselves,” says Amy Baker, vice president of marketing for Wombat.

“A lot of it is just uninformed decision making,” adds Ferrara.

Wombat trains employees to identify and avoid threats by giving their employers the tools to attack them. “So I send you a fake phishing email, no malicious payload or malware,” says Ferrara. “The second you click on that link, that is the exact moment you get training.”

Wombat software tests employees by presenting simulations of common scams. A mysterious email might appear, asking a worker to click a link or download a file. If the employee bites, the program gives instant feedback, telling him what he did wrong and what the consequences could have been.

Wombat also uses instructional games to train workers. One module asks employees to sort through emails and decide which are safe to open. “Is there a sense of urgency? Is it asking you to respond quickly?” All are red flags to Baker.

Another cause for suspicion is an anonymous Web address or URL. Baker shows how to identify a URL by hovering over it with her mouse. “It says account/update.com. You don’t know where this location is,” she points out.

Three years ago in Nashville, Tenn., Pinnacle Financial Partners was discussing ways to take an active approach to security. “We do a lot of research on what’s going on in the industry and [Wombat] definitely surfaced as a tool that we felt was a very good fit,” says Randy Withrow, chief information officer for the company.

Pinnacle, with more than $5 billion in assets, is the second-largest bank holding company headquartered in Tennessee. It implements Wombat software with three administrative users who run the program to train nearly 1,000 employees. “It afforded us a look into where we needed to develop additional training and education so we could strengthen that internally,” Withrow says.

Pinnacle requires all new employees to use the software and also gives periodic training. “We have seen a significant decrease in potential issues. Probably a good 20%,” Withrow says.

Recent studies suggest companies would be wise to follow Pinnacle’s lead. A global survey by PricewaterhouseCoopers found the average financial loss attributed to cyber security incidents increased 34% this year. Data from the IBM Security Services 2014 Cyber Security Intelligence Index found that 95% of incidents involve some form of human error.

And still, 46% of businesses don’t train their employees on how to recognize and avoid cyber attacks. “The average breach is around almost a half a million dollars in cost,” says Baker, citing a survey of 500 executives. “That’s the average, so a lot of them are much, much higher than that.”

The same survey found companies reduced their expense for cyber security 76% simply by training their employees. “So there’s great return on investment in this kind of solution but it’s taking companies a long time to come to that kind of thinking,” she explains.

For these reasons, Ferrara says, assessing and training employees quickly is vital. “It’s essentially a half hour to an hour set up call,” he says. “They could literally be up and running within days or hours, really.”

Just as it’s important to be fast, it’s also important to be precise. “Who are the people that are most at risk and who might present the biggest threat to the organization? Let me make sure I educate them first,” Baker says.

Wombat’s software produces reports that identify at-risk employees and show their weaknesses. The more it’s used, the clearer the picture of how safe a company is. “What we’re doing as an organization is getting to the point where we can literally customize and treat each person individually,” Ferrara says.

And it’s proving to be a good business model. In early 2011, Wombat had one full-time employee. Today it employs 50. “So we’re really growing fast right now,” Ferrara says.

As he speaks, loud crashes come from the ceiling as workers prepare new office space for the company. With the renovation, Wombat will double its space, giving it room for the “significant growth” Ferrara says it’s planning.

The new employees will likely have their work cut out for them as Baker and Ferrara say the creativity and resolve of cyber criminals isn’t waning. They point to a virus called Ransomware, which is becoming more common. Ransomware encrypts a hard drive so the user can’t access it. “They’ll actually say to you, ‘We’re not giving you access to your hard drive until you pay us,’ ” Ferrara says.

Another trend Ferrara and Baker see is the high demand for health-care information. Ferrara says the going rate on the black market for an individual’s credit card information is $20, while health-care information is going for $1,000 a record. “People are still trying to figure out exactly what they’re doing. It’s unclear to me,” Ferrara says.

Perhaps the scariest thing, Baker says, is how so many of these programs go undetected for so long. Most companies go “18 months or a year before they realize they’ve been breached,” she relates.

After a slight pause in the conversation, Baker jokes, “Usually at this point in the discussion, the reporter says, ‘I’m turning off all my online banking. I’m turning off my phone.’ ”

Pictured: Joe Ferrara, president and CEO of Wombat Technologies.

Read More on The Business Journal