Human-driven cybersecurity breaches are still occurring despite employers requesting employees to complete their annual cybersecurity training courses. The problem could get significantly worse as generative AI increases the scale and personalization of social engineering campaigns.
Anagram, formerly known as Cipher, is taking a new approach to employee cybersecurity training.
The New York-based company has built a platform that provides practical security training for businesses. The training includes bite-sized videos and personalized interactive puzzles that teach employees how to spot suspicious emails and communications. These trainings are designed to be more frequent and more engaging than the current standard of one long training session each year.
Anagram co-founder and CEO Harley Sugarman told TechCrunch that these activities include creating their own personalized phishing emails, to teach employees how to spot sophisticated campaigns against themselves.
“In fact, there was basically little inspiration from existing ones,” Sugarman said of existing cybersecurity training. “What we really took were lessons from TikTok and lessons from Duolingo and Khan Academy. We have been working on these things that have been very attractive and transformed users' behavior outside the security space. I saw the platform.”
Building gamified cybersecurity training wasn't what Sugarman, a former VC at Bloomberg Beta, set out to do when he first set up the company.
Sugarman's first idea was to borrow the cybersecurity industry's “capture the flag” training approach to upskill enterprise cybersecurity employees. This approach involves building software with vulnerabilities and asking security researchers to break into the software, find the bugs, and find ways to write code without falling into the same traps.
The company launched as Cipher in 2022 and gained traction. However, chief information security officers (CISOs) began to tell Sugarman that their companies actually had a bigger security issue they were trying to tackle: their non-security employees. Sugarman said the CISOs described employees as the weakest cybersecurity link.
“The only thing that surprised me was actually the amount of despair I heard in their voices,” Sugarman said. “This was an issue they couldn't solve.”
Cipher then pivoted in January 2024 and focused on solving that problem. The startup has now changed its name to Anagram to reflect its new focus and is in the process of winding down the original product. Anagram has experienced strong growth since its pivot and has landed customers including Thomson Reuters, MassMutual and Disney, among others.
Anagram recently raised a $10 million Series A round led by Madrona with participation from General Catalyst, Bloomberg Beta and Operator Partners. The company plans to use the funds to build a sales team and continue to improve its products. Sugarman said that so far they have been able to reduce the company's phishing failure rate from 20% to 6%, but he thinks they can continue to get closer to zero.
Sugarman said Anagram launched its product at a very interesting inflection point for the cybersecurity industry. Advances in generative AI could make social engineering campaigns more personalized than ever.
“I think a side effect like that is that traditional email security platforms will actually find it much more difficult to detect phish generated by these AIs,” Sugarman said. “Its ability to generate and randomize is very powerful and it's really, really difficult to protect against it from an engineering perspective.”
Anagram is also working on developing AI agents that will be trained to sit in enterprise employees' email and flag potential cybersecurity slip-ups. Sugarman said the agent would do things like pop up to ask someone whether they really want to send credit card information via email, or provide other similar safeguards.
In the meantime, Anagram hopes that its puzzles and TikTok-like training videos keep moving the needle.
“Man is not stupid. We have created a skyscraper that can travel space,” Sugarman said. “I understand how to avoid clicking suspicious links in emails.”