January marks the one-year anniversary of Barracuda’s acquisition of PhishLine, so to mark the occasion we sat down with Dennis Dillman, VP of Product Management for PhishLine at Barracuda, to discuss security awareness training, what sets PhishLine apart, and how the solution has evolved.
What do you feel sets Barracuda PhishLine apart?
There are a few things that I believe set our solution apart from what our competitors have to offer. The first is the deep collection of data that we make available to our customers via an industry-standard REST API. Next is our emphasis on helping customers build a comprehensive security awareness program, not just standalone security awareness campaigns. And, of course, there’s our team of dedicated security professionals who are available to design, run, and provide reporting on your security awareness program as part of PhishLine’s Concierge service.
What types of data does Barracuda PhishLine provide that competitors don’t?
We provide data on not only what the user did, but also what they did it with. Things like the browser information, the plug-ins that they have, the operating system. We also provide information about the vulnerabilities present in those pieces of software. Because guess what? People who engage in risky behavior in one part of their life tend to engage in risky behavior in all parts of their life. So, the user that’s clicking on bad links is probably also the user that’s running an old browser version or has old plug-ins. We can provide information that helps you make that assessment and get a much clearer picture of the average risk profile of your users.
We also collect information about the IP address that the employee is located on. This is usually very banal and uninformative, but it can be a huge outlier if you get information about employees who are engaging in this kind of behavior at a Starbucks. Maybe they’re working at Starbucks, and they have access to confidential data. Or maybe they’re supposed to be working on a VPN and they’re never supposed to be exposed to a local hotspot because they’re supposed to connect to the VPN to do their work because maybe that’s a corporate policy.
All this information — what are they doing, what are they doing it with, and where are they doing it — is essential to helping organizations build a profile for the riskier population in their company and take appropriate steps to start dealing with it. Whether that means more training, in-person training, coaching sessions, or maybe a technology investment to make sure their laptops are up to date.
Security awareness cuts both ways. The user needs to be aware of the security threats that they face as an individual, but the administrators of the security awareness program need to become aware of the threats that the organization faces from its users.
How do you differentiate between a security awareness program and a security awareness campaign?
Let me tell you what the typical situation for a customer might be. You have to run a campaign every other month because that’s what the auditors say you need to do. Fifty-five days go by, and you’re worried about other things in your job, and suddenly you have to run a security campaign or you’re in violation of your audit controls. So, you quickly throw together a campaign and launch it, and it’s completely disconnected from the campaign you ran two months ago. It’s either redundant or entirely unrelated, but you got it done and technically met the requirements of the audit.
But the spirit of the audit requirements is that you run a campaign because you’re building toward something. You want a comprehensive security awareness program for your users. You want to make sure you talk about the six most important security topics that your organization has to deal with, so that’s what we talk about with our customers. We talk about laying out a plan that deals with all four, six, eight, 12, 24, 36 campaigns that you feel you need to run in a year. We map them all out. We make sure they build on each other, that they’re not redundant, or if they are redundant it’s because you’re retesting with a purpose. You want to see if people forgot what they were supposed to have learned six months ago. That’s the difference between building a true security awareness training program and simply running singular campaigns.
What makes Barracuda PhishLine’s team of professionals stand out?
In part, it’s our concierge service, something not all of our competitors offer. With PhishLine Concierge, customers outsource a huge part, if not all, of their security awareness program to us, and we run it for them. That’s in addition to the advice and guidance we give to our SaaS customers. Plus, everyone on the PhishLine team is a full-time Barracuda employee. So, your data does not leave Barracuda.
How has Barracuda PhishLine evolved?
One of the huge changes we made is we refreshed our entire training library, and we’ve been steadily adding one new bundled piece of content every month for the past 14 to 15 months now. So, our library is now twice as big as it was before. In addition to that, we’ve made a very aggressive, standardized approach to translations, so we have all the standard languages in EMEA and APJ available, not only in our training videos but also our email templates and landing pages. That’s important because it’s all well and good to have a training video in your native language, but you also want to be able to run a campaign in that language without having to go through a translation hassle every single time. Professional translators have created a library with hundreds, probably now thousands, of translated templates and landing pages available for our multi-national customers. Plus, as part of the Barracuda family, we offer Barracuda’s award-winning 24×7 global support, and Barracuda PhishLine is available as part of the Total Email Protection bundle with Barracuda’s other email-protection products.
What is the team’s vision for the solution?
We want to make the entire ongoing security awareness process as easy as possible with program automation, allowing customers to select an entire program from a library and have it run automatically. For example, a customer wants an introductory year-one program with six campaigns in it. We want that customer to be able to pick that entire program from the library with one click. PhishLine will automatically schedule every campaign with our recommended content: announcements, surveys, simulations, and training — each campaign building on the next. The customer can always customize it if they want to, but the goal would be once they download it the whole year is scheduled. It will even pop out an approval report the customer can take to their oversight committee to enable them to sign off on the whole program. And then it just runs. At the scheduled time, it begins sending all of the emails over the course of a few weeks, and then cuts off the campaign after the specified interval. Then it automatically emails you with a link to your report.
Everybody is pressed for time, so why make collecting the data difficult? The goal is to get our customers to the point where they can run professional, well-thought-out annual programs very easily. Then they can spend their time dealing with risky behaviors and solving underlying security issues, not gathering the data.
We also want to make the most of the integration opportunities with Barracuda products. Barracuda is already offering a Total Email Protection bundle, which combines PhishLine with its Sentinel and Essentials products. We have some exciting ideas in development that will leverage the value of those products. More to come on that!
What kind of feedback do you hear from customers? What do they appreciate most about working with the Barracuda PhishLine team?
Some customers love us because we provide that concierge service, and they feel like we’re a partner bringing a level of experience and knowledge that’s hard for them to maintain on staff. Plus, we’re responsive, and we deliver what we promise. We’ve got a bunch of raving fans as a result. Just look at Gartner Peer Insights for proof of that.
Other customers really appreciate the level of analytics they can do with PhishLine with the data we can provide them. They also like that we can provide the data pretty much however they want. We support the REST API and numerous other methods of integration. The foundation of our platform is an ECL and workflow tool, so we can connect to our customers easily and quickly.
Lastly, our customers also genuinely appreciate that when they give us feedback, they frequently see the results of that feedback manifest in the product. This means the product is evolving the way customers want it to evolve. This didn’t stop when PhishLine was acquired — it accelerated. Barracuda is committed to the PhishLine product, and it shows in the increased level of investment in the PhishLine product over and above what it was when PhishLine was a standalone company.