Hello everyone, I submitted a previous idea which was "P2P app to sell your food leftovers" . I realized quickly that not only the idea was stupid but also dangerous in terms of food regulation. And regarding the problem I tried to solved ? Fortunately, there are already charities and entities working on this problem. So, I decided to work on an another big problem of our world : Cybersecurity attacks against companies and peoples.
Let's imagine you are in the company Y. you are doing your work as usual and suddenly, you receive what seems to be an important email. This email seems to come from a supplier. He sent you an invoice in the excel format.
You download the file, you launch it and you allow the file to launch its macro (After all, the file kindly asked you to do it) and Congratulations ! You've just been cat fished by a hacker. Now wait for several hours and the company network will be hacked by a ransomware or another nasty malware. In best case scenario, the company will deploy a backup and just suffer financial loss. Worst cases scenarios, the company will be out of business within the next months (In France, 60% of the companies hacked are filling for bankruptcy) . Remember that this chain of event can happen because of a single malicious email. But what happened if instead of launching the file, you report the email because you saw something odd in it ? My goal here is to help people to defend themselves against phishing attacks by training them.
My idea is to create an online software (SaaS) on which you can register, give some information on your companies (Such as your employees email address for example). And voilà ! the software will simulate phishing attacks against your employees. If the employee report the email, he will be redirected on a landing page which congratulates him for detecting the malicious email. If instead, he clicked on the malicious link or file, he will be redirected to another landing which will warn him that he was cat fished. He will have then, the possibility to read guides teaching him how to detect phishing attacks, what to do and more... Of course, nothing is compromised during the campaign and the information submitted by the employees aren't saved anywhere.
Before writhing this thread, I ran my idea through the [CENTS](https://www.thefastlaneforum.com/community/threads/the-cents-business-commandments-for-entrepreneurs.81090/ "CENTS") framework and asked myself common-sense questions to see if this idea is good, here's what I found :
C for Control : It will be a SaaS hosted on a personal website. Even though I will create my own software and company, I will be dependent on web hosting companies to host my software once it will be finished. To lessen this dependence, I can hire several web hosting companies to balance the load of my website and avoid any disruption of my service in case of technical failures from one of the web hosting company.
E for Entry : You need to know how to create a website (HTML, CSS, PHP, MySQL at least) to build a website... Also, you need to have experience in the cybersecurity field (What is a phishing attack, what are the different attack vectors...). So yeah, the entry barrier is high, very high for this one. This is not a problem since I have an engineering degree in cybersecurity, have no problem to learn new computer skills and last but not least, a 3 years work experience within the cybersecurity field...
N for Need : In France and from my experience, phishing is by far, the most used attack to gain a foothold within a company network in the context of a cybersecurity attack. Also, less than 1 company on 2 invest money into their cybersecurity. So, this is a very big problem which needs to be faced immediately.
T for Time : I will need a lot of time to design, develop and test the app but once the first version of the software is functional, I will just have to "convince" companies to use it. My goal will be to create a system of subscription in which, people will have the possibility to pay monthly or annually. I'm still figuring out how the subscription will work but I know for sure that it will be easy to detach the revenue generated from my time with this software.
S for Scale : Once the software will be functional, it will be very easy for people to create their own account, configure it and simulate phishing attacks on their company. The only thing I need to watch out for is the number of servers which will host the software. Despite this, there will be no problem to scale this software to a greater market. If I want to
In addition to this framework, here's is a non-exhaustive list of benefits of my idea which might be translated into value-skews (if executed upon) :
Thank you again for your time and I wish you a nice day.
Prantice
Sources (Only in French, sorry.):
1) Cybersécurité : 60% des PME attaquées déposent le bilan
2) Cybersécurité en France, 10 statistiques clés à connaître en 2022 ! - Ndnm
Let's imagine you are in the company Y. you are doing your work as usual and suddenly, you receive what seems to be an important email. This email seems to come from a supplier. He sent you an invoice in the excel format.
You download the file, you launch it and you allow the file to launch its macro (After all, the file kindly asked you to do it) and Congratulations ! You've just been cat fished by a hacker. Now wait for several hours and the company network will be hacked by a ransomware or another nasty malware. In best case scenario, the company will deploy a backup and just suffer financial loss. Worst cases scenarios, the company will be out of business within the next months (In France, 60% of the companies hacked are filling for bankruptcy) . Remember that this chain of event can happen because of a single malicious email. But what happened if instead of launching the file, you report the email because you saw something odd in it ? My goal here is to help people to defend themselves against phishing attacks by training them.
My idea is to create an online software (SaaS) on which you can register, give some information on your companies (Such as your employees email address for example). And voilà ! the software will simulate phishing attacks against your employees. If the employee report the email, he will be redirected on a landing page which congratulates him for detecting the malicious email. If instead, he clicked on the malicious link or file, he will be redirected to another landing which will warn him that he was cat fished. He will have then, the possibility to read guides teaching him how to detect phishing attacks, what to do and more... Of course, nothing is compromised during the campaign and the information submitted by the employees aren't saved anywhere.
Before writhing this thread, I ran my idea through the [CENTS](https://www.thefastlaneforum.com/community/threads/the-cents-business-commandments-for-entrepreneurs.81090/ "CENTS") framework and asked myself common-sense questions to see if this idea is good, here's what I found :
C for Control : It will be a SaaS hosted on a personal website. Even though I will create my own software and company, I will be dependent on web hosting companies to host my software once it will be finished. To lessen this dependence, I can hire several web hosting companies to balance the load of my website and avoid any disruption of my service in case of technical failures from one of the web hosting company.
E for Entry : You need to know how to create a website (HTML, CSS, PHP, MySQL at least) to build a website... Also, you need to have experience in the cybersecurity field (What is a phishing attack, what are the different attack vectors...). So yeah, the entry barrier is high, very high for this one. This is not a problem since I have an engineering degree in cybersecurity, have no problem to learn new computer skills and last but not least, a 3 years work experience within the cybersecurity field...
N for Need : In France and from my experience, phishing is by far, the most used attack to gain a foothold within a company network in the context of a cybersecurity attack. Also, less than 1 company on 2 invest money into their cybersecurity. So, this is a very big problem which needs to be faced immediately.
T for Time : I will need a lot of time to design, develop and test the app but once the first version of the software is functional, I will just have to "convince" companies to use it. My goal will be to create a system of subscription in which, people will have the possibility to pay monthly or annually. I'm still figuring out how the subscription will work but I know for sure that it will be easy to detach the revenue generated from my time with this software.
S for Scale : Once the software will be functional, it will be very easy for people to create their own account, configure it and simulate phishing attacks on their company. The only thing I need to watch out for is the number of servers which will host the software. Despite this, there will be no problem to scale this software to a greater market. If I want to
In addition to this framework, here's is a non-exhaustive list of benefits of my idea which might be translated into value-skews (if executed upon) :
- Hosted in France : Since we are speaking about a cybersecurity SaaS, the fact that the software is hosted in France may have a huge impact on the CEO of french companies. Why you may ask yourselves ? Simply because of the CLOUD act in the USA. the idea that any foreign governmental entity may have access to confidential data regarding the security of french companies (If they use a software relying on an foreign datacenter or company to keep it very simple) is eerie to us, french people. So, this might play in my favor to differentiate myself from the competitors.
- Train company employee to detect phishing attacks : By using this software, you train your employees to detect phishing attacks. Thus, you lessen your probabilities to find one day that your company was hacked because someone opened a malicious email.
- Get tailored phishing campaigns for your company : Because every company is different, my goal here is to deploy a system in which the phishing campaigns will be "smart". By smart I mean that based on the attack which worked (The employee which submit their login through a malicious page) and didn't worked, the software will detect that and train the employee on their weakness (AI, Machine learning ? I need to figure it out for this one) .
- Anonymization of the targeted employees : Training people against cybersecurity attack is a good thing. However, when the performance of the employee are measured on a real-time dashboard with their name and picture, this might be a huge problem for union workers. Hence, The CEO will not see the stat of each employee but instead, the statistics for each department (For example, 20% of the phishing emails sent to the IT department were opened whereas 80% of phishing mails sent to the HR department where opened...). Without knowing the name of employees who opened the email, the CEO will know which department needs more cybersecurity training.
- Realistic but dummy attacks : During the "fake" phishing attack, the information submitted aren't saved or sent somewhere and the "files" launched by the employees will just send a message to the SaaS that somebody opened a file and that's it. The only information saved within the software will only be for statistical purposes, to count for example the number of employees who opened the dummy file or opened the dummy link within the phishing email, SMS...
Thank you again for your time and I wish you a nice day.
Prantice
Sources (Only in French, sorry.):
1) Cybersécurité : 60% des PME attaquées déposent le bilan
2) Cybersécurité en France, 10 statistiques clés à connaître en 2022 ! - Ndnm
Dislike ads? Remove them and support the forum:
Subscribe to Fastlane Insiders.
