Social engineering attacks are on the rise. These low-tech but high-impact attacks — where hackers give employees access to companies’ services and information — have nearly tripled in the past year, and so far this year they’ve claimed victims from Twilio and Melchimp to several high-profile victims. Revolut, and more recently Uber. As these big names show, these types of attacks can be difficult for even the most well-resourced organizations to defend against.
Now, cybersecurity startup Nudge Security is coming out of hiding to help organizations address what they think is their biggest cybersecurity weakness.
A completely remote company — with outposts in Austin, Texas and Jackson, Wyoming — in Founded in 2021 by ex-AlienVault software engineers Russell Spitler and Jaime Blasko, they believe the only way to solve the “people problem” is to involve employees. The solution. As the name suggests, the product taps employees into better security behavior, such as turning on multi-factor authentication (MFA) or changing their passwords if involved in a breach.
The company’s security offering seamlessly exposes legacy and new software-as-a-service assets across an enterprise, including SaaS supply chains and OAuth capabilities, without relying on network infrastructure, endpoint agents, browser extensions or API integrations. When there’s a new “security-critical” event, such as creating a new account or installing a new app, Nudge engages with the employee to make sure they’re making good security choices. For example, if an employee downloads Dropbox but the organization uses Google Drive, Nudge starts a conversation to understand why the decision was made.
“We act as a sidecar so employees can connect with the security team and the centralized team still has visibility into what’s going on, setting policies and allowing employees to be a non-disruptive part of their work,” Nudge Spitler told TechCrunch. We believe he has the ability to walk, it’s not always easy or simple to do that.”
To ensure employees engage with these incentives, Nudge worked with Aaron Kay, a professor of psychology at Duke University, who showed the startup how to use basic research in psychology to create connections between our product and end users. “We’re trying to get employees involved, and make sure we don’t get in the way of slapping your hands or waving a big red warning banner,” Spitler added.
He’s not saying Nudge could have prevented the Uber hack or the Revolut breach — as Spitler told TechCrunch, “we’ve been in the industry long enough to do bold cases like this” — but the company believes it can help inform organizations’ risk exposure. Not only in terms of who has access, but also in terms of who has access to what and why.
“One of the things that’s been going down over the last few months, like with Uber, is the complexity of these organizations,” Spitler said. “Social engineering and complexity means that even if one user is harmed, the organization will suddenly begin to collapse.”
“We provide supply chain information,” added Blasko, Nudge’s co-founder and chief technology officer. “Let’s say your organization is using Slack, and they’re using Twilio, we can tell you if Twilio is a reference.”
Nudge launches six months after securing a $7 million seed investment from Ballistic Ventures, a new VC outfit dedicated to mentoring and funding early-stage cybersecurity startups. Since this investment, Nudge has landed 10 customers, with another dozen in the large enterprise pilot phase.
“Our product offering this week is now our focus, and we will be ramping up our marketing and sales efforts,” Spitler said. “As we begin to expand on that front, we’ll probably want to raise another round.”
