The most unpredictable and vulnerable component of any security system is the human factor. Forrester reports that “90% of data breaches will include a human element”[1]. Despite this, security teams and investors have been focused on standalone technological defences – firewalls, antivirus software and intrusion detection systems. There is continuing evidence that these reactive tools are not working effectively.
We’ve invested in CultureAI because we believe the Human Risk Management sector is still a massively untapped market with room for an outright champion to lead the charge.
Ineffective remedies
Security awareness has evolved significantly since the early 2000s. Yet companies have been limited in their methods to combat the human risk, with the go-to solution being security awareness and training (SA&T). Unfortunately, this has become a compliance-driven box-ticking tool rather than a method to reduce cyber risk.
Security teams complain about misaligned metrics, with effectiveness measured by course completion rates. The ‘learn and dump’ model of training sees employees undergo annual ‘refresher’ courses, where they fail to retain most of the knowledge and come away unable to practically apply any gained skills.
Forrester predicts that “despite wide-spread usage of ‘training-for-all’, it doesn’t change employee behaviour.”
Another tool in the security team’s arsenal is phishing simulations. For a period, this was an effective training method, however hackers quickly became more advanced. Methods such as targeted spear-phishing attacks (highly customised and convincing malicious emails) and ransomware (malicious software encrypting data, demanding payment for decryption) are more widely deployed. Instances of fraud stemming from employees being deceived has continued to rise.
What’s becoming apparent is that the “real potency of a robust security posture doesn’t just reside in the deployment of cutting-edge technologies or stringent policies, but significantly in the collective consciousness and behaviour of every individual within an organisation.”
It’s clear a step-change in approach to managing human risk was necessary. As a sign of the times, Forrester dropped the “Security Awareness and Training” moniker in favour of a new category title: “Human Risk Management”.
This is where CultureAI comes in
Off the back of selling his last start-up, Phished, in 2018, James Moore had a vision for building a new category defining cyber solution. One where employees can go about their day-to-day without causing cyber risk. A tool that empowers security teams to instantly identify workforce cyber security risks, coach employees in the moment and automatically apply fixes.
CultureAI seamlessly integrates with the modern tech stack, providing real-time visibility into an organisation’s riskiest employee behaviours and security vulnerabilities. It can check if you’re using weak or compromised passwords, unauthorised software, falling for phishing emails or oversharing sensitive data on business applications.
This hits our thesis: by using CultureAI, security teams can allocate resources more proactively to address security concerns and enhance overall risk management. James and his team have effectively built 9 standalone products, all captured in one platform. This aligns with the current market trend of consolidating product functionalities into fewer vendors.
We were also impressed with how James and his team have already established multiple distribution channels and are making early success of US sales without a physical presence. Combining this with the resilience of cyber spend and their track record of displacing incumbents, we’re excited about what CultureAI will go on to achieve.
We are delighted to have co-led CultureAI’s £8m Series-A alongside Smedvig Ventures, and to have the continuing support of Senovo and Passon Capital. You can read more about the investment here.
Learn more about Mercia Ventures
[1] Forrester Predictions Report 2024: Cybersecurity, risk and privacy