
Gamified Cybersecurity Training | Anagram

February 26, 2025

The Ongoing Challenge of Human-Driven Cybersecurity Breaches

Despite mandatory annual cybersecurity training for employees, security breaches stemming from human error continue to occur. The problem could worsen as social engineering campaigns powered by generative AI grow more sophisticated.

Anagram's Innovative Approach to Employee Training

Anagram, previously operating as Cipher, is introducing a novel methodology for employee cybersecurity education. The company aims to address the evolving landscape of these threats effectively.

A Platform for Hands-On Security Education

Based in New York, Anagram has developed a platform offering practical security training to businesses. The training incorporates concise video modules and customized interactive challenges. These are designed to equip employees with the skills to identify deceptive emails and communications.

Frequent and Engaging Training Modules

These training programs are structured to be more frequent and engaging than the conventional yearly, extensive training sessions.

Learning Through Simulation

Harley Sugarman, founder and CEO of Anagram, explained to TechCrunch that the training includes exercises where employees craft their own phishing emails. This helps them understand the tactics used in sophisticated attacks and recognize them when targeted.

Drawing Inspiration from Successful Platforms

“We drew very limited inspiration, in fact, almost none, from existing cybersecurity training programs,” Sugarman stated. “Our primary influence came from platforms like TikTok, Duolingo, and Khan Academy. We analyzed how these platforms successfully engage users and modify behavior outside of the security domain, and then considered how to apply those lessons to cybersecurity.”

From Capture the Flag to Employee Education

The development of gamified cybersecurity training wasn’t Sugarman’s initial objective when he first founded the company.

The Initial Focus on Cybersecurity Professionals

Sugarman’s original concept involved adapting the cybersecurity industry’s “capture the flag” training method to enhance the skills of enterprise cybersecurity professionals. This approach entails creating software with intentional vulnerabilities and challenging security researchers to identify and resolve them.

A Shift in Focus Based on CISO Feedback

The company, launched as Cipher in 2022, achieved some initial success. However, Chief Information Security Officers (CISOs) communicated to Sugarman that their organizations faced a more pressing security concern: their general employee base. CISOs identified their employees as the most vulnerable point in their cybersecurity defenses.

Recognizing an Unsolved Problem

“I was struck by the level of discouragement I encountered in their feedback,” Sugarman noted. “They viewed this as an intractable problem.”

Pivoting to Address the Core Vulnerability

Cipher underwent a strategic shift in January 2024 to concentrate on resolving this issue. Consequently, the startup rebranded as Anagram to reflect its new direction and is phasing out its original product.

Strong Growth and Notable Clients

Anagram has experienced substantial growth since its pivot, securing clients such as Thomson Reuters, MassMutual, and Disney.

Securing Funding for Expansion

Anagram recently completed a $10 million Series A funding round, led by Madrona, with participation from General Catalyst, Bloomberg Beta, and Operator Partners. The company intends to utilize these funds to expand its sales team and further refine its product.

Demonstrated Improvement in Phishing Resilience

Sugarman reported that the platform has reduced company phishing failure rates from 20% to 6%, and expressed confidence in further improvement toward zero.

The Impact of Generative AI on Cybersecurity

Sugarman emphasized that Anagram’s launch coincided with a critical juncture in the cybersecurity industry. The advancements in generative AI enable the creation of highly personalized social engineering campaigns. This makes it increasingly difficult for individuals to distinguish between legitimate and malicious communications.

Challenges for Traditional Email Security

“A consequence of this is that conventional email security platforms will likely struggle to detect these AI-generated phishing attempts,” Sugarman explained. “The capacity to generate and randomize content is exceptionally strong, and defending against it presents significant engineering challenges.”

Developing an AI-Powered Security Agent

Anagram is also developing an AI agent designed to monitor employee emails and proactively identify potential cybersecurity risks. This agent would provide alerts, such as questioning the user before they send sensitive information like credit card details.

Continuing to Refine Training Methods

In the interim, Anagram anticipates that its interactive puzzles and engaging video training will continue to yield positive results.

A Vote of Confidence in Human Capability

“Humans are capable of remarkable achievements – we’ve built skyscrapers and traveled to space,” Sugarman concluded. “We are certainly capable of learning to avoid clicking on suspicious links in emails.”
