The proverb “a stitch in time saves nine” would seem especially apt in the cybersecurity world. Employers can in theory save time and money by training their workers to identify suspicious links and avoid clicking on them, rather than having to deal with the potentially costly fallout from a phishing attack.
That’s the idea behind PhishLine, a Waukesha, WI-based company that develops software to help customers educate their employees through simulated exercises that cover what common types of phishing attacks look like, and the havoc they can wreak on an organization’s e-mail and IT infrastructure.
On Wednesday, Campbell, CA-based Barracuda Networks (NYSE: CUDA) said it acquired PhishLine late last month for an undisclosed amount. Barracuda, which counts large enterprises like Samsung, Oracle (NYSE: ORCL), and Boeing (NYSE: BA) as clients, provides digital tools for storing data and protecting against computer viruses and other cyber threats.
“Security awareness training is an important and quickly evolving area, particularly with increasingly targeted attacks making the human element a critical link in the security value chain,” Barracuda president and CEO BJ Jenkins said in a prepared statement. “Combining the power of the Barracuda security technologies with PhishLine’s capabilities gives us the opportunity to deliver integrated, adaptive security training aimed at preventing e-mail security threats.”
Barracuda touts the use of artificial intelligence in its products. Some believe that the proliferation of A.I. and machine learning technologies could bring down the rate of human computing errors. A 2015 study by CompTIA found that human error is the leading cause of security breaches.
PhishLine was reportedly created in 2011 by the Chapman Technology Group, which spun it out into a separate company four years later. The company had 15 employees at the time of the acquisition, all of whom will be “transitioning to the Barracuda team,” PhishLine chief operating officer Dennis Dillman said through a spokesperson.
PhishLine’s tools not only teach people how to spot a possible phishing attack, but also track which users engage in risky behavior, Dillman said.
“We equip the security and/or training teams [with information] about which employees are behaving in ways that might merit extra training [or] a change in privileges,” he said. Data collected by PhishLine’s software has led to discipline for workers who have accumulated multiple violations, Dillman said.
The purchase of PhishLine by Barracuda, which has recently been in expansion mode, comes amid a deluge of headlines about security breaches, data theft, and other adverse cybersecurity events.
The Equifax (NYSE: EFX) data breach and the WannaCry ransomware attack were perhaps the two biggest cybersecurity stories of 2017. Neither fits into the category of phishing or “spear phishing,” the practice of sending an e-mail so that it appears to be from a trusted sender, when in reality it’s from a stranger hoping to get the recipient to divulge passwords and other confidential information. However, according to an article by the cybersecurity news website Security Boulevard, ransomware is “growing in concert with phishing,” a trend that could accelerate in 2018 and future years.
(Another industry term PhishLine uses frequently in its company materials is “social engineering.” In information security parlance, this refers to psychological manipulation and exploitation of users’ default behaviors to get them to perform specific actions, such as revealing personal information.)
American and British officials have said they believe North Korea was behind the WannaCry attack, according to a New York Times report. Separately, a hacking group from North Korea known as The Lazarus Group has reportedly been conducting a spear phishing campaign that targets leaders of companies developing cryptocurrency