Eyal Benishti With IRONSCALES

Intro: [00:00:04] Broadcasting live from the Business RadioX studios in Atlanta, Georgia. It’s time for Atlanta Business Radio brought to you by on pay Atlanta’s new standard in payroll. Now here’s your host.

Lee Kantor: [00:00:24] Lee Kantor here, another episode of Atlanta Business Radio. And this is going to be a good one. But before we get started, it’s important to recognize our sponsor on pay. Without them, we couldn’t be sharing these important stories today on the Atlanta Business Radio. We have Eyal Benishti with iron scales. Welcome.

Eyal Benishti: [00:00:41] Actually happy to be here.

Lee Kantor: [00:00:43] Well, I’m excited to learn what you’re up to. Tell us a little bit about iron scales. How are you serving folks?

Eyal Benishti: [00:00:48] So I was in Antiphishing in a security company while helping organizations to protect their mailboxes against the most sophisticated kind of social engineering and email scams out there. The business seemed compromised, the fake invoices and the ransomware of the world.

Lee Kantor: [00:01:08] So now email’s been with us for a minute. Has the attacks on our email become more sophisticated.

Eyal Benishti: [00:01:16] Constantly evolving and morphing at scale? The phishing that we now form five and even two years ago, very different from what we see out there these days. I think that actors are becoming much more sophisticated. The level and the sophistication level of of the IS is increasing almost daily. And obviously they’re jumping on every opportunity in order to create new scams and looking for constantly looking for new ways in order to loot people to click on links, open attachments, wire money, buy gift cards and all these great things that we can find out these days.

Lee Kantor: [00:01:57] Now, for most technology firms, it’s that balance of making the customer experience so easy and seamless that they continue to do business. But on the other hand, you need to have the security and protection so you feel safe doing these transactions. How do you help companies kind of thread that needle between speed, efficiency and safety?

Eyal Benishti: [00:02:22] It’s a good question. So like I said, our goal is to make sure that people stay highly productive but safe at the same time, especially with the kind of stuff that they can find in the inbox. The way we deploy our technology and the way we kind of others, the email phishing problem is, is in a way that we want to increase users kind of confidence with whatever is in the inbox. So we teach them and train them to how to spot phishing, and we give them with real time insights regarding what’s in the mailbox. So if we find something not necessarily malicious but suspicious, we will just place a human readable kind of panel that can kind of guide them to what we think they need to to look at in order to make sure that they’re first and foremost interacting with the with the right person or the person that they think that is sending them. The email is actually the person behind behind the humor. So authenticity and trust in the standard identity is one of the main things that we are trying to fix. The second, obviously kind of a deep inspection into whatever is inside is email form links, attachment, the language that that the sender is is using in order to try and find kind of known patterns and and schemes in the sense of like, you know, threat actors are using in the email for these days like, you know, sense of urgency, greed and other kind of common things that we can find out there. And then our machine to detect.

Lee Kantor: [00:04:04] Now is the type of phishing that you’re dealing with. Are you working only at kind of the enterprise level? So you’re only working with the largest of the companies in their corporate accounts? Or is this something that trickles down to just like an entrepreneur or a solopreneur, an individual?

Eyal Benishti: [00:04:23] We are working with companies all sizes, from small shops to large and very large kind of enterprises, including the Fortune 500 of this world and and even managed service providers. So for people that provide I.T. and security services to other companies, we have kind of an offering for them so they can leverage on our technology in order to protect smaller organizations that normally don’t have a security staff or any security knowledge whatsoever. But in today’s world, they as well may find itself as a victim to social engineering and phishing attack, because the nature of these attacks today are very, very automated from what we we see out there. So there are a lot of spam play kind of attacks and collateral damage that can be done even for this one organization is pretty severe. So we want to make sure that we can protect them or again, provide the tools, capabilities and technology for their service provider in order to protect them instead.

Lee Kantor: [00:05:31] Now, when you’re working with the larger firms, it’s important that your work does trickle down to the smaller firms, because a lot of the ways that I would imagine the bad guys penetrate the larger firms is through relationships with smaller vendors and folks that they might not have their guard up as. Hi.

Eyal Benishti: [00:05:51] Exactly. I think the main challenge here for us was how can we provide an enterprise grade technology to meet and even small organizations out there? Because like I said, threat actors are targeting everyone these days. They’re looking for the low hanging fruit and sometimes or in most cases, the low hanging fruit. So in the shape of a smaller organization that that is still conducting business with significant amount of money. So convincing someone in a 100 people shop to wire $100,000 to the wrong account can be devastating for for these organizations, even more than to the larger enterprises out there that can suffer some financial loss. But for smaller organizations, it can be fatal and can basically cause them to go under in some cases.

Lee Kantor: [00:06:43] Now, what’s your back story? How did you get involved in this kind of work?

Eyal Benishti: [00:06:48] So my background is know I before I was because I was a security researcher, malware analyst, engineer, so I was kind of studying malware and helping other security vendors to build a better technology in order to stop malware. At the gate, I realized that most of the most of the bad stuff is basically coming by via email. And I thought that the way we are testing human security or the way organizations are currently dealing with email security is lacking in many in many aspects. Are not only using filters and technical controls in order to stop bad stuff, but most of the stuff that I was researching that was, again, very sophisticated, was not necessarily known to be bad. And I saw companies that are struggling with that. And to add to that, the fact that this kind of technology was very expensive and stuff that only larger the larger organization could could afford, because it’s not just the price that you need to pay in order to license the software is to the fact that you need full time employees to be able to kind of work with the tool in order to configure and and do whatever it requires in order to achieve this kind of level of protection that they were hoping to achieve. And from this research and basically it was kind of coming the idea of, hey, let’s build something that is more powerful than what is out there, that is looking on modern fishing and animal security and in a different way, easy to deploy, easy to manage, and affordable not just to large organizations, to the larger organization, but to to the smaller ones as well. And with this mission to build the most powerfully simple email and messaging security solution, I started a company and we built something that we are very proud of.

Lee Kantor: [00:08:44] Now, is there anything actionable you could share for folks listening right now? Is there anything they could be doing for themselves on their team to make them a little safer.

Eyal Benishti: [00:08:55] Actually? And by the way, one of the things that we all felt for free these days is what we call our starter package. And the starter package is is allowing organization smaller, smaller and large organization to basically do one of the most fundamental but important things, which is train the employees, make sure that your employees is kind of equipped with the knowledge and skills to to detect phishing, but not only to, you know, be in the know regarding how what is phishing and how to to avoid falling victim to one of those, but to report back to to the organization, to the security team or to the IT team that they found something that is suspicious in the mailbox and give the company the chance to kind of deal with it quickly before people that normally are not that great in spotting phishing will fall victim to the attack. So triennial users change behavior. Make sure that people know that they are part of the solution. Make sure that they know that they can never 100% past on the technical controls or whatever kind of security solutions are currently in place. And they need to stay vigilant.

Lee Kantor: [00:10:03] And it is one of those things that if you tell everybody on your team that, hey, periodically we’re going to send you a test to see if you’re going to click on something that you shouldn’t click on. Maybe it makes them a little more aware of everything, and you create a culture that gives them permission to like, Hey, call me back. I got this email. I’m not sure really is you. Like, you have to have a culture that’s accepting of that type of skepticism so that they don’t inadvertently just click on something because, you know, the email makes it seem like it’s super urgent.

Eyal Benishti: [00:10:38] Exactly. We said that, you know, phishing and social engineering is like it’s a human and machine problem and therefore we need a human and machine solution. So the more you kind of drive this message inside the organization and make sure that they know they are part of the solution, the more you kind of do, the more people will change their behavior, feel part of the solution, contribute more to to collect intelligence and help the organization be more secure. And, you know, if you provide with immediate, immediate gratification and to use tools in order to automate that, they would actually like it. It’s becoming a little game that that we are playing every day. Like, you know, spot the fish, bowl the fish and help us stay more secure.

Lee Kantor: [00:11:23] Now, do you find that that some of this is a generational challenge, that maybe young people who don’t kind of enjoy either confrontation or face to face conversations or calling people that they’re more apt to press, you know, on an email or to click a button on an email.

Eyal Benishti: [00:11:42] I think. Generally speaking, we know based on the hundreds of thousands of phishing campaigns that we’ve launched with our solution, it’s very hard to kind of put people in a in a bucket or a box, like based on generation or what have you that you’re trying to use maybe to segment the population. It’s more about, again, sending the message, make sure the people understand the importance, and then you will be shocked to maybe to surprise to to realize that some of this generation will spot the fish that was missed by technology. And sometimes it’s even the most senior people in the organization that normally you wouldn’t expect them to kind of participate in the game, that they click on the report fish button that we put in their outlook or Gmail and help you spot something that could have caused the company a great deal of money or this goal, whatever was behind that specific scam. So, so now just sending them all as as your defense layer set expectation and provide training and tools for them to be part of the solution.

Lee Kantor: [00:12:55] So now what was kind of the impetus to move the company to Atlanta?

Eyal Benishti: [00:13:00] Oh, it’s a good question. First, Atlanta is a great place. So we started we started the US kind of operation here in Atlanta. It was the first few folks that we hired were based here. I was visiting them a few times. I took the place like I vowed to do, like Atlanta as a place. And when I was kind of contemplating, well, should I move with with the family in order to to build our headquarters in the US, Atlanta was the easy first choice for me. Great talent, great people, great weather, great hub. It’s very easy to kind of, you know, jump on an on a plane and get to almost anywhere in the US and outside of the US in in one leg. So it was very compelling.

Lee Kantor: [00:13:51] Now, did the pandemic and the work from home kind of trend that’s occurring, did that make your job harder now that a lot of folks are working out of their home and it’s kind of a less protected ecosystem than maybe a company or a business that was having servers that maybe you can control and protect a little better.

Eyal Benishti: [00:14:14] Actually, it really helped to kind of. Help us as a business to push the message that companies need to start thinking out of the box, which means there is no there is no longer the perimeter that they need to protect. The perimeter is everywhere. The perimeter is wherever your employees are and whatever they are using in order to do the day to day business or the importance of training, you are giving them the tools and understanding that work hours changed. People need to attend to other stuff because we were all caught unready with schools and some other stuff in our lives that that changed dramatically the moment the pandemic hit. The fact that actors are actually leveraging on the fact that we are not sitting in one office and cannot step to offices to the left and ask the person if he actually asked us to do this specific thing that just came by by email. So again, like I said, Dell using and leveraging every opportunity that to create new schemes and and things that will help them monetize or achieve whatever they are after. So in the pandemic, the need for solutions like our skills increase the understanding that we can no longer kind of just chase known threats because that’s all changing every day as a way to protect our organization. It’s no longer valid. It’s no longer the kind of way we can architect our security and company around. All this really contributed to the fact that companies and obviously the transition to the cloud and more and more companies were kind of, you know, changing their infrastructure and moving more services, including email to the cloud, really have to kind of drive our message out there that things have changed. And Dell for legacy the legacy solutions or the old way of thinking about security is no longer valid and we need to make a change.

Lee Kantor: [00:16:24] Now, is there any kind of unintended consequence? Maybe that is an obvious to a lay person with the conflict between Russia and Ukraine? Is that is there some impact on global cybersecurity because of that conflict?

Eyal Benishti: [00:16:40] We? So theoretically speaking, yes, because there is always the collateral damage, even when nations are kind of, you know, exchanging punches back and forth. Obviously, some sectors are more vulnerable than others were in these kinds of war situation. Obviously, fishing is. It is a way that even nations are using in order to try and achieve their goals and an agenda. I don’t see any kind of imminent or specific risk, but I’m sure that we will see companies kind of being breached as part of this kind of conflict or the cyber cold war that we are currently experiencing between the different nations that are involved in the current conflict.

Lee Kantor: [00:17:35] So you mentioned that you have a service on your website about training that you help, you know, at no charge or low cost people train their people so they can be more informed and and make educated choices when it comes to clicking on an email. Is there any other type of kind of a way to get to know your company without fully going working with your company?

Eyal Benishti: [00:18:00] So you can go on our website. It’s ion skillz dot com. We have a lot of collateral and content that you can download listen to in order to learn more about. First the problem and then our solution and how we approach it. And we think that it should be solved these days and you can always reach out to us. We have some forms and contact us if you have any questions. We are always happy to answer those questions and help you with your challenges.

Lee Kantor: [00:18:34] And the challenge is real. And the like you said, these people who are doing this, this is their job and this is they’re treating this like a real business. Right? They’re whiteboarding this this is a team effort. They’re trying to penetrate an organization. They’re working together. They’re collaborating. This isn’t a kid in the basement with Red Bull and some Cheetos. Right.

Eyal Benishti: [00:18:57] Cybercrime is about $60 billion kind of business a year. Now it’s an organized crime. No longer kids. In other words, although some of them are going on the dark web and buying phishing as a service kids for one or $2,000 installing it and, you know, and phishing companies for for profit. But the vast majority of cybercrime today is well organized. Well, well organized.

Lee Kantor: [00:19:31] And this isn’t something you can sleep on. This is something you have to be proactive and and be working on every day, especially, I’m sure, if your business is in the business of, you know, e-commerce, health care, fintech, those kind of businesses that are dealing with a lot of personal information and a lot of money.

Eyal Benishti: [00:19:52] At the end of the day, 95% of all the breach cyber, which we read about in in the news, started as an email phishing. So it should be the number one priority. Like if you don’t have anything in place currently or you’re using kind of building securities or some default out of the box stuff, I would highly recommend to kind of address this issue first and foremost, because again, it’s the number one vehicle, number one tool that the bad guys are using in order to get to us, to our organizations.

Lee Kantor: [00:20:27] Well, thank you so much for sharing your story. You’re doing important work and we appreciate you. And the website one more time is Iron Scales within ESPN.com. That’s correct. All right. This is Lee Kantor. We’ll see you all next time on Atlanta Business Radio.