LUCY Security: Enabling companies to improve their IT security awareness
CIO Bulletin
February 2019
Cyber threats have multiplied at a fast rate. Today, no sector is left behind when it comes to threats and attacks, especially the financial sector. When an organization is under threat, it involves both outside actors as well as internal employees. Take a look at LUCY Security: it is a company with almost 20 years of experience in supporting companies in the field of IT security. With such vast experience, LUCY slowly evolved to understand that a technical solution alone cannot solve the security problems and that employees are an important part of the company-wide security policy.
Let’s hear more about the company’s journey in a tete-a-tete with Oliver Münchow, the Founder of LUCY Security:
Brief us about LUCY and how it all started.
The Swiss financial industry has been virtually attacked by cybercriminals since the beginning of the Internet. For this reason, we started offering penetration tests as early as 1998 to evaluate the IT infrastructure of the industry and recommend potential improvements. LUCY is basically software that allows you to test your security and help it evolve against cyber threats, on both the people’s side and the system’s side simultaneously. The software offers the ability to run phishing simulations, awareness training, technology assessments, malware simulations, or simulated ransomware attacks. Our customers include energy companies, financial services, government agencies, healthcare and manufacturing industries, as well as other global organizations.
A cybersecurity company has two big responsibilities, one – to secure itself from being attacked and two –securing other companies against attacks. How do you manage both?
Most security companies focus on only a niche area and do not have the expertise in protecting themselves in all other areas. RSA is the best example: I remember when their website actually was breached in the early 2000s and some hacker made fun about the “most trusted name on the internet.” 10 years later RSA got hacked again on a large scale. So, the answer is: security is challenging and very difficult.
It starts with the appropriate communication strategy. I personally know that being a security company, challenges and attracts hackers. Unless you are sure your security is really tight, I would also be very careful in my communication strategy and avoid sentences like “most trusted name”, “most secure solution.” In our case, it probably doesn’t hurt, that our team did penetration tests and ethical hacking attacks for more than 20 years. If you are working as an ethical hacker, you also get a better understanding of protection.
Tell us about your products and services.
LUCY software allows companies to take on the role of an attacker to discover and eliminate existing weaknesses in both the technical infrastructure and the staff. We have 4 main modules: Test Employees, Educate Employees, Engage Employees, and Technical Tests.
Test Employees includes spear phishing simulations, SMS & portable media attacks, file attacks (PDF, Java, Macro, etc.), and website cloner etc. Educating Employees includes activities like interactive online & offline training content, customizable e-learning movies, role and reputation-based training, and integrated LMS with SCORM export/import. We Engage Employees with mail plugin (Outlook, Gmail, O365, etc.), e-mail incident analysis, and e-mail threat mitigation. Lastly, Technical Tests are exposure to malware attacks, detection of browser vulnerabilities, spoofing & ransomware simulation, mail and web filter tests, and darknet exposure (leaks, Tornet, P2P etc.).
How do you manage to serve the needs of the highly volatile IT industry?
The question indicates that the IT industry is volatile. When it comes to investments & valuation, I agree. But when I look at cybersecurity: I see mainly volatility in how we label certain technologies, giving the users the feeling there are a lot of changes. When I look at our specific sector, the employee behind the computer is an entry point for attacks – hardly anything has changed in the last 20 years.
For example, in 1997 the Chaos Computer Club showed how they can steal money from users through phishing by tricking them to click a link by asking: “you want to become a millionaire in 5 minutes?” In 2019, we see the exact same type of attack floating around. Not using ActiveX anymore, but still aiming at humans who continuously seem to show some resistance to the awareness.
Do you think robotics and AI might be able to help defend against incoming cyber-attacks?
We see already great support from AI-driven software to detect and combat attacks. But we really have to be careful when we use the word “AI”. This is more of a populist term, as there isn’t such a thing as a real AI. We are at a very early stage where machine learning algorithms act as supporting tools to deal with a lot of input data. In the end, what is labeled AI is not much more than some smart statistical analysis. So, if companies claim to provide “AI-driven” solutions in combating cyber-attacks, in reality, they’re leveraging machine learning techniques at best. But in the future, we will see improvements in this area.
Do you have the skills required to cope with the fast paced change of technology in security?
As mentioned before: I do not see such a change when it comes to technologies used for attacking. The terms and terminology have changed, but not the underlying technology. I’ll give you an example: In 2017 and 2018 I read articles that talk about new attacks like Smishing, referring to a new security threat that targets smartphones by texting. The underlying protocol (SMS) was developed in 1996 and has basically not changed! I remember sending spoofed messages to my colleagues in the same office: my colleague Sven suddenly got an SMS from his buddy Sean, sitting next to him “YOU STINK- TAKE A SHOWER!” I watched them argue about the SMS with tears in my eyes! I learned many years later, that this technology is nothing but Smishing.
What do you feel are the reasons behind your service popularity?
Our service is free for companies up to 500 users. It is better than anything that exists out there. We have created our service with passion about the topic, which boosts our popularity.
What do you think is the next big thing in the security marketplace?
Affordable and better security awareness training. As a security awareness provider, I might be slightly biased in my rating!
Meet the Security Guru
Oliver Münchow, Founder
Oliver created LUCY software with a project at a Swiss bank, which had a requirement of an on-premise solution to test and educate employees, where passwords never leave the perimeter. At that point in time in 2015, such a solution didn’t exist and Oliver was instrumental in finding it. Before LUCY Security, he was involved in penetration testing for a very long time. He then started other companies, but not all were in the field of IT. For instance, his art gallery is still present somewhere in the heart of Zürich!
“Up to today, we’ve educated more than 7 million users with more than 8,000 LUCY installations worldwide.”
“With LUCY, we developed a unique tool that allows you to test your security and help it evolve against cyber threats on both the people side and the system side simultaneously.”
