Wombat Security Technologies - Better Security Through Training

Recently I had a discussion with a cool vendor out of Pittsburgh, PA named Wombat Security Technologies. Wombat Security Technologies provides cyber security training, end-user assessment, and filtering solutions for clients. Their goal is to assist organizations in combating the very serious cyber security attacks that have gained notoriety in the last few years by providing employees with consistent and relevant training around targeted attacks. The current modules focus on helping users to identify and avoid phishing attacks.

Wombat’s training methods are primarily focused on providing simulated cyber attacks on users and following that with interactive training. In the current modules, cyber attacks consist of phishing emails that are intended to deceive users into erroneously disclosing sensitive information using masqueraded websites, online payment processes or other means of phishing techniques. Once the simulated phishing attack phase is completed, the company uses assessment tools and targeted training programs to evaluate and provide prevention tutorials to specific users or groups that need this training. Administrative graphical tools offer a holistic view for managers as to the business’ readiness and posture in the prevention of phishing attacks.

Wombat’s Interactive Training Software consists of seven different types of training modules which provide education on: email security, password management, smartphones, phishing and social engineering, social networking, URL Training, and Mobility and Travel. The training module consists of 10 minute interactive ‘teachable moments’ which are highly engaging and visually illustrative to the users being educated. This approach, according to Wombat, fosters increased motivation and higher retention of training information.

Although their training tools provide the right direction in the prevention of these types of attacks, I believe that some organizations may be hesitant to deploy the Wombat solution in its current form for a couple of reasons. The current product was developed in an educational environment and still maintains some aspects that are cartoonish and look like a video game. Some organizations are likely to interpret this as “childish” or “non-professional” and may feel that a more serious tone should be deployed across all training sessions. Wombat indicated that a more “professional” option for the training modules is coming.

I can also see end users thinking that the tool could be used to track them and their susceptibility to clicking on bad links as part of disciplinary action. A variety of security technologies tend to illicit this response from users initially, and management should clearly indicate how the data will be used.

I would also like to see Wombat include additional training geared specifically to management on ensuring that their IT staff implements the technical controls such as antivirus programs and browser anti-phishing controls in case a phishing attack does succeed. I feel this kind of training would help bridge the gap between management and IT and give an additional source of support for the IT department.

I think Wombat’s business model around email phishing prevention has a good future ahead of them. Content filtering tools are getting better, but so are the criminals and Frost & Sullivan research consistently indicates that the end user will always be the weakest link in a corporate security strategy. I look forward to an expanded selection of training modules in the future on a wide variety of topics and will be following Wombat more closely moving forward.