Let’s Train Machines, Not Humans, to Catch Cyber Scams

It’s no secret that the most significant cause of data breaches and privacy violations is simple human error: an employee clicking on a nefarious link, or falling for a phishing or spear-phishing scam. According to HelpNet Security, employee error caused over half of the reported data breach incidents in 2018. This was almost double the number from the year before.

The response of the cybersecurity community has been more emphasis on employee training, relying on the idea that people will catch more of the attacks if they are given sufficient knowledge to spot them. But for whatever reason, as the HelpNet numbers show, this strategy has not been tremendously successful.

This may be because most people are busy, and taking time out for training is hard to find.

Plus, the ever-growing shorter attention spans and the fact that many employees just go through the training motions contributes to the failure. Since scams that make it through corporate firewalls don’t happen every day, the training is often used and forgotten. The scams grow ever more sophisticated, making education a moving target. Finally, in the haste to get work done and respond to the deluge of emails and other demands, the training is soon forgotten no matter how good it is.

In reality, much of the training leaves a lot to be desired. It’s boring. It lacks user interaction and involvement. There’s no measurement of how good it is. Scare tactics versus teaching techniques are often used. The truth is education and training is not usually a security team’s core competency. Let’s face it—most training is done as much to check a box than to catch criminal mischief.

But what if we are approaching this all wrong? What if instead of thinking how to prevent what appears to be inevitable—the employee who unlocks the proverbial door despite all the training—we instead should start thinking about better locks.

Alex Babin, founder and CEO of Zero, a mobile-based email service platform primarily designed for the legal community, is one of those people who spends time thinking about better locks. Rather than focusing on time-consuming and marginally successful training, he and his company are looking for ways to use algorithms to catch scams and opportunistic links. The algorithms and programs can discover when employees are about to make a mistake and then immediately prevent them from doing so or at least ask whether they really want to take that step.

According to Babin, machines, once they are programmed correctly, are really, really good at catching problematic links, incorrect addresses and wrong attachments. “Machines are really good at doing this kind of dirty work…so why not spend our time and money training them instead of humans,” he said. In other words, tricking people is almost always easier than tricking computers.

Zero is now working on programs that will see such things as an out of place auto-filled name on an email address line, or when someone is about to send a document to someone else that perhaps should not get it. And where these things happen, the program could quiz the email’s author whether that was a correct step. Babin hopes to develop more sophisticated programs that can catch nefarious links as well and even analyze employee behavior to note when the employee is about to do something out of the ordinary. Babin and Zero are also working hard at trying to get the Zero mobile software housed on the mobile device to do more and more of the cybersecurity “dirty work” and reduce the latency periods associated with machine-based security.

Babin got to into this approach because his company markets products designed to enable lawyers to work better and improve email communications on mobile devices, the place where we more and more live and work. Babin notes that working on a mobile screen differs significantly from working on a larger computer or laptop screen. It is frankly harder to see email addresses and links to pick up suspicious ones. This, plus the fact that using a mobile device emphasizes immediacy much more than other computing devices, makes the chances for human error even greater no matter how much training has taken place. These mobile characteristics thus create greater cybersecurity challenges.

Babin thinks, “People shouldn’t have to do more to get more. They should do less and get more.” And his cybersecurity approaches will do just that.

This piece was originally published on the Advisen blog. To read the original, click here.


Stephen Embry, TechLaw Crossroads

Stephen Embry is a frequent speaker, blogger and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law and the practice of law. He is co-chair of the Legal Technology Resource Center of the ABA’s Law Practice Division and on the Board of Editors of the Law Practice Today webzine. He is also a member of the Leadership Council of the ABA Law Practice Division. Stephen serves as Chair of the Kentucky Bar Association’s Law Practice Task Force and Webinar Chair and Steering Committee member of Defense Research Institute’s Law Practice Management section. Stephen is a national litigator and advisor primarily in the mass tort, business and consumer class action, and privacy and data breach arenas.