CybeReady Reviews

NatWest is one of the major retail banks in the UK. NatWest operates across the globe in different locations, but most of its efforts are within the UK. Once a month, we use their BLAST tool to deploy phishing simulations to our entire workforce, which is about 74,000 people.

So we use the tool to provide us with continual training on phishing as its and ever present threat.

Interestingly, the way that the bank used to do it before was an email every quarter. However, by moving to this more continuous learning where they have an email every month, we have had a number of people recognize that it has happened because we have been quite transparent about the change within the bank. Because of the way that the emails are written, the way that it is done, and we have been quite transparent about it, we feel that this has been quite helpful for them. They are getting something from it as well as learning from it. Instead of it being this one-off four times a year, we are having this done on a more regular basis. So, they feel more practiced with increased recognition. Externally, we have had a number of positive pieces of feedback because of it as well.

Realistically, it's keeping the phishing in mind. It moves away from a slightly more draconian, negative feel of being told off. This is because of the way that CybeReady does it. Their way is more beneficial and about that positive engagement. It isn't about telling people off or determining their behavior to be wrong. It's about allowing them to build capabilities and learn coping mechanisms. They go on to additional training, if they do click, but that additional training is actually positive, engaging, and quite open in its language. This allows people to engage differently. 

Overall, it broadens the way people engage with security across the board because they are used to being told off and that they are not doing the right sort of things. Whereas, CybeReady really helped move that conversation forward into a positive lens, allowing people to see how they can take part and their role within security. Also, that it's okay, because this is training, a learning point, how you can continue, how you can cope, and how you move forward. This really helps build people's confidence in recognizing phishing, understanding what it is, and how to cope with it, all of which are important.

Getting people to move from the idea that they only need to do phishing training every quarter to that continuous learning is quite a shift because they were doing that for about five years. It was very much something that they were used to. Therefore, moving to this different way did take some conversations with CybeReady about the best way to approach it. We did not want to have a "throw the baby out with the bathwater" sort of approach of just making it really difficult, hard, or that everyone would obviously click. It was being a bit more pragmatic about having a range of emails, which CybeReady does really well. Some of them do seem straightforward to people, but others are definitely not. All of them will still get kicked on through, because ease is really hard to determine for other people. The fact that CybeReady takes that into consideration when sending out their emails allows people not to feel blamed. It is something now that is part and parcel of everything they do. When we give the feedback back, then they hear about these things because we speak about it more openly. Because of the way that it's presented, it allows us to present the data in a way that doesn't terrify people because people are clicking, because we will never get away from the fact that people click on emails.

People have to click on emails. It's how you make the Internet work. What we can do is normalize the fact that this is a common threat sector, teaching people how to cope through it instead of just demeaning and undermining the fact that they do it and these things can happen. The way that they do it does help with that because of their variation of emails. They also can do it in different languages. Because we have people in different countries, it's more in a tone or language that they recognize, which helps as well.

Click rates always happen, but you can see that variation in the type of things they click on as well as the understanding of that for the organization. It is not just the employee, but also for the organization to understand the type of things that are being clicked on. CybeReady allows us to see this for the organization, but also for the employee who may just happen to be in a particular area where these things are more likely. For example, if you happen to get an email about finance, and you are in finance, then you may be able to see that this solution may create more of a click rate there, but it allows us to have a better conversation and build more resilience to allow people to see where phishing can happen across the board. Attackers use these everyday known things about organizations, such as everybody has a finance department. When it's these sorts of things, CybeReady does help. 

CyberReady is positively engaged with the way that it writes its training and messaging, which is really helpful. Therefore, people don't feel "got at", which is really important. 

Not only across the bank, but within my own team, they can see the effects of what simulated phishing can do. It moves people away from seeing click rate as the be-all or end-all to start having deeper conversations about what they are clicking on and what areas need clicking, and what can we do about that? For example, it may not have anything to do with training and instead it may be to fix some type of technology problem. This has allowed us to have a wider conversation about the effects on people. It is not just my team or other employees, but also the seniors who get the data from it. This has allowed them to have more open, reasoned conversations about what the data is really showing us and what we can do better to support people.

By using CybeReady, we have identified some issues in the bank, which we have corrected because of having CybeReady. 

The general phishing training, which is BLAST in its normal setting, on a monthly, continuous basis has actually proved to be quite good and useful in showing trends. 

I find the dashboard on the back-end for collecting data and the MI particularly helpful in the way that it is broken down, e.g., you can search and pull out any particular sort of anomalies or things that are interesting. It allows you to kind of find it for yourself because it allows for flexibility of particular areas and breaking them down, not just by location, but also by different management levels to different team areas. The fact that we can cut and slice the data in different ways allows us to be able to navigate, then present it back to people within those areas a bit better. So, it is a bit more of a nuanced view with a bit more context specific for them, which is always helpful. 

They have a business review download that is a generic presentation, which we do use and then add it ourselves to give to our seniors. We don't always need to create the look and feel, as they provide a standard for that, which is quite helpful. Then, any additional information that people request or need for their area, we are able to dig in a bit deeper to give them a bit more content-specific stuff. 

Even though the phishing emails are useful, I like the back-end and richness of the data that those actually provide.

We don't just use the BLAST tool. We also have the Continuous Awareness Bites (CAB) tool that we are trialing in the organization. That tool uses positive, open language to try and get people to engage a bit differently, and CybeReady understands how to do that well. I get people who say to me, "It should be more like this or that." What they mean is harder, less obvious. and more scary, but I don't believe in that way personally. So, it is really helpful for me to have the backing of CybeReady who is more like a partner to my way of thinking in helping change the mindset across the wider bank of what to do with phishing framing. So, it isn't just seen as a stick to beat people with.

We have just BLAST and CAB at the moment. We have also turned on the additional features, like welcome messages, messages to high risk people, and reinforcing messages that people are doing well. While I would not classify them as training, they are useful positive reinforcements for people and to give something back.

It can categorize people into high risk groups, meaning that:

• We can turn on the reinforcing message to people in those groups. 
• On a team basis with the tool, we are able to look at the data, focus on those groups, and start to give more specific support and outreach to find out who these people are, why they may be clicking more, and so forth. 

These breakdowns are useful in multiple different ways, not just through the tool, but for us personally as a team and our reporting.

The feedback that we get from CAB is that employees like it because it's straightforward and simple to read. It's not difficult, which is the main thing, and one of the most important things. They can just engage with it, if they want to and take it on board without being technical.

It is not difficult to do the customization. While you can customize the email, we would like there to be just a bit more upfront conversation about the types of emails that month. Because if there is one thing I get asked about in the bank, it is about the types of emails. I don't know if that's particularly needed, but it's something that I get asked about.

We have the generic reporting that comes out so we can download that at any time or at the end of the three month campaign. So, we have two generic reports. If we could section up the data in multiple, different ways, then we could create a report from that instead of just those two options. That would be helpful.

January 2020, CybeReady was brought into the bank. Then, it went into a testing phase, etc. We have been running simulations since June 2020, though I wasn't the person doing that.

I am currently the head of security awareness for NatWest, but I wasn't the person that brought in CybeReady. That was the person who was in the role before, and her name is Leslie. She met with CybeReady and decided to change suppliers to them. This was during the back end of 2019 when the actual decision to move to CyberReady was made. Then, I took over that job since Leslie left starting from September 2020.

The stability is really good. We have never had an issue with them. They are really responsive. In fact, I don't think we have ever had anything happen that would make me question that.

We have about 74,000 members of staff, and CybeReady deals with them easily. We have leavers and joiners all the time as well. Therefore, we upload new data on every campaign about every three months. That just gets uploaded, sorted, and then all that works together. We don't have any issues with things like duplicate names. All of that is dealt with on CybeReady's side. We have never had an issue. So, it all works well, no matter the size or how many people are joining. 

We actually had a thing where some of the email addresses were changing. The members of staff were still the same members of staff, but they would have different email addresses. CybeReady was able to deal with that in stride. They had no issue at all. In this case, about 50,000 people suddenly needed to have their email addresses changed.

CybeReady's technical support is really responsive. I have always been able to get through to them quickly. They come back and investigate if there are any issues, just to double check. They are very clear. Probably one of the best things is the level of support that they give.

Because we have a good relationship with CyberReady, if people have any questions or things that they need, then we are able to reach out to CyberReady and ask more specifically if certain things can get added into reporting. Or if there is an issue, then can they double check it? Having that relationship has definitely helped reduce workloads. It has definitely lessened the burden because it's more of a partnership and collaboration between us to balance the effort into the phishing direction, which could, for a lot of people, take all of their time. However, it doesn't take all of our time since CybeReady manages the majority of the work for us.

When we have had some issues, we have asked for some double checking and they were able to provide that. Even though it is our infrastructure that may be causing the problem, CybeReady is able to cope with that, give us some feedback, help direct us to what might be the issue, and what they are seeing. This allows us to pull in the right people from our end.

From what I know about the previous supplier and what the team used to have to go through to collect all of the MI for that, CybeReady has definitely reduced workloads. It is now a much more streamlined process on what we can offer or how we can offer it. 

Believe in the approach, where the emails don't need to be overly hard or difficult and in fact, it's the every day looking type emails that get people to click. Its the regular activity that is often the route in. Even though CybeReady's emails can look 'basic' sometimes, that is because that is like the emails you get every day in a workplace and the scammers know that. So it's not always about high gloss look and feel. CybeReady does that balance of the different sorts of emails well and the balance, to allow us to show people that it is often every day activity type emails that are just as risky.

I would rate CybeReady as nine out of 10.

Here at Central Bottling Company, we have many different sites. We are spread all over the country and we have several companies overseas. I cannot manage security awareness in the traditional way through, for example, presentations or LMS (learning management systems). I wanted a quick way to get to anyone, anywhere, whether by mobile or via the computer that someone works on in the office, to teach awareness.

We have a varied group of employees. We have people who work with computers while others are working in the factory. The factory workers are not working with computers but they have mobile phones. CybeReady can send them "phishing" emails. That way I can make sure they see them and react to them.

In my previous company, we had CybeReady in place for over two years and we could see the trends. We could see where we were at the beginning in terms of the number "clickers"—people who would click on more than one phishing email. The percentage started off very high but by the end of my role there, it was down to something like 0.1 or 0.2 percent of employees who were still clicking. That was a very beautiful result. Don't forget that it's a dynamic environment because employees are leaving and onboarding into the company. That is why I never stopped the campaign. It's a routine that should be done continuously.

It provides security awareness. What does that look like? People send me articles or news that they have read about a cyber breach. And sometimes they send me a message saying, "Wow. I recognized it. This was a phishing attempt from the CybeReady campaign training, right?" They want to show me that they didn't fail the test.

And when colleagues meet me in a meeting, they mention that they like the program. They tell me they can recognize that something is a phishing attempt, and they are very satisfied with themselves that they didn't fail.

It creates a lot of buzz. People talk about it. Sometimes people laugh about the scenarios that CybeReady tests them through because the scenarios are not obvious. For example, they sent an email with a link to pictures from a company party we had that quarter, a party where we did take some pictures. Because people knew how to recognize a phishing email, they didn't click on it, even though they knew that there was a party and maybe there were some photos of them. It's not only in the office. People will say to their friends, "You know what happened to me today? I got a voucher in my email to a coffee shop, but at the last minute I saw that the logo didn't match the name. I avoided falling for the phishing attempt." I feel very satisfied because I know that I have done my job and that the solution is working.

The CybeReady solution is the face of our information security efforts, day-to-day, in our company. In general, people don't appreciate our efforts and our work to maintain security and to keep data safe. But with this solution, they understand what it means to secure an organization from breaches, from hackers, from malicious code, et cetera. That is the impact. They understand what it means if they are not careful enough and click on a link or open an attachment that they don't recognize. They understand that this could harm the organization. This is what I have heard from people who have experienced this solution.

CybeReady's "phishing" emails manipulate you to open an email. If you do open the email, you are forwarded to a tip that explains how you should behave and how to recognize a phishing email. This is one of the main features of the training provided.

They have another model for creating awareness called CAB (Continuous Awareness Bytes). In this model, they send an email tip to the employees according to the frequency that I choose, such as once a month or once every two weeks. The employee gets a postcard with a tip, such as, "Don't forget to change your password. Make sure your password is unique. Don't pass it on to anyone else." The content of CAB can be tailored to the issues that you want to train people on. They can also cover security issues to do with physical items, such as keeping workstations clean and clear of sensitive documents. They can cover all the security issues that people encounter in their daily work.

CybeReady also generates graphical PowerPoint reports that show you the main issues and help you present the progress made to company executives. If I want to show them what the campaign results have been in the last six months—where we were in the beginning and where we are now, in terms of training and awareness—these reports are very helpful. Otherwise, I would need to put them together myself. CybeReady does that for me and I just download the reports and present them in executive meetings.

One area that might be improved is making their emails more visually attractive to make them more convincing. It might depend on the email relay in the organization. Maybe it's cutting out some of the features that come with the email. I don't know if it's their problem or our problem, but sometimes the emails don't look convincing enough. If you are very skilled, you can recognize the domain and see that it is a phishing email. But sometimes the look of the email is very poor.

I was already familiar with CybeReady because I worked for a vendor that sells their solutions to other companies. Then, in 2018, I became CISO in an investment house in Israel and I brought in the solution because I knew it. It was easier for me to bring it to management and harness their cooperation to give me a budget for the solution. I got there in the middle of the year so there was no budget for security awareness. But that was the first risk that I recognized needed to be handled, in my new role.

In March of 2021, I started working at the Central Bottling Company, which is known in Israel as Coca-Cola. I decided to implement this solution here as well. It was very easy because I knew the procedure and what to do for onboarding.

I haven't noticed any outages or bugs.

I'm the CISO for our operations here in Israel, but I am an advising CISO for companies that we hold in Europe. I hope that they will also buy this solution. I would like to spread the solution to other countries.

I have not used their technical support yet. I'm experienced with this solution because this is the third place that I have implemented it.

CybeReady is cloud-based. I needed to do some configuration in the mail relay so that it would not reject their domains, because they might be unknown and security controls might see them as suspicious. I allowed the domains they use for the phishing emails, uploaded the list of our company's employees—and there are a lot of employees because there are several companies that are part of Central Bottling Company. I reviewed the campaign scripts, the scenarios, and approved them. And that was it. Since then, it's been running.

The ROI is 100 percent. I am satisfied with every shekel that I pay for it. It works well. 

The unfortunate thing about security is that you only really know how much money you're spending; you don't know how much it saves you. Security controls cost a lot of money. But in the long run, CybeReady helps, as does any solution like it.

The pricing is fair. They don't charge too much and, if I remember correctly, the cost is the same as another solution I compared it to.

In Israel there are several competing solutions. One of them is IRONSCALES, but I haven't used it.

Another one that I have used is Dcoya. It's more of the same. I needed to implement it in a place where they had already bought it before I got there. It's similar, but CybeReady seems to be very quick. The onboarding with CybeReady is really tremendous. You don't need to do anything. Nothing. Just give them the employees' emails, do some configuration in Exchange and the email relay, and that's it. It runs.

It's a must-have solution. It's very helpful. It doesn't require any special effort. Managers like to see numbers and CybeReady gives them statistics about employees who clicked at the beginning of the campaign versus the end of the campaign.

In my previous company, we gave gifts to employees who never failed during the campaign. For employees who failed, we sent them a message saying, "Be more careful. We want you to understand what's wrong, and the significance of not opening suspicious email." Sometimes employees said they were not careful and that is why they behaved as they did. At the end of the day, it gives you peace of mind that the area of awareness is covered.

I think it would be a good idea, from time to time, to send out a short email about the results of the campaign. For example, we sent 3,000 emails and there were 300 clicks on it. This is important so that people understand that someone is watching them. Of course, the solution is working, and it gives them a "smiley" if they succeed or the opposite if they fail. But I want them to know that it's not a game. At my level, I can see the results and can draw conclusions about employee behavior and figure out what else I can do. But I want the users to know that they should be more careful. It's not enough to have this ongoing routine. I want something to shake up employees. They must understand that opening a suspicious email could harm the company. While I send them a postcard or a tip with a reminder, from time to time, to teach them how to behave, I need something else to keep them on their toes.

We have several vectors of attack, and one of them is, of course, the employee. We need to put our best efforts into recognizing phishing and malicious code and emails that have attachments with a virus. This is because sometimes, all the automated controls we have in place fail to recognize a threat and it gets through to users. Those people are the last fail-safe, so I need them to be aware not to open it and not to put all their trust in the controls that are in place between them and the internet. Users need to be aware of what they're doing during the workday, such as not opening an email that is not recognized. I emphasize this in the presentations I do for employees, that I need them to be aware and to recognize threats, including not giving their details in a phishing form, which is the most common phishing attack.

There are several factors involved in a successful attack, such as mis-configurations and problems in the security support chain. But the human resource, the end-user, is a major factor because email and web browsers are very good attack vectors. Users must understand how to behave regarding both. CybeReady trains them to recognize all the bad things that they can encounter.

CybeReady has not reduced our security team's workload. It has increased it, but in a good way because each time users get an email they don't recognize—while most of them are spam and are not malicious—it's good because it means that they are more careful now. That has increased the work of our operations team in checking every mail that they're asked to check to see whether it's malicious or not. But I prefer to work this way as opposed to having people who are ignorant and not reacting to the malicious email that they get.

I know the founders of CybeReady. They have a lot of skill in training and awareness. Omer was my trainer when I studied for my chief information security officer certificate. He has a lot of training and teaching capabilities. It's not only about creating phishing emails and sending them. I can do that myself. They provide the statistics through which we can see the improvement of the organization, where it was at the beginning of the first campaign and where it is now, after the 12th campaign. It shows that the system is working. It has an impact. And CybeReady is also thinking about new ideas for campaign scenarios. Sometimes they surprise me with the crazy ideas in the emails. The most familiar are things like "Please reset your password," or "the hard disk is getting full," or "take a look at the picture." But sometimes they have very crazy emails. I don't know where they get the ideas from, but it works.

Overall, I'm very satisfied with it.

We use it for simulation of phishing campaigns against our employees and for  the built-in micro-training, based on user response. We also use it for telemetry collection to figure out which employees, or teams, or locations are more risky than others. That way we can deliver some additional human training for those employees or teams, and potentially deploy some mitigating controls in addition to what we normally do.

In about the last two and a half years since we started using CybeReady, the click rate, or the frequency with which employees click on phishing links, across our organization dropped from the normal industry average, which is about 15 or 16 percent, to below 7 percent. That's a significant improvement. It has lowered the number of high-risk users, the people who click on everything, by 300 percent.

CybeReady also has a metric for resiliency, or how many attacks it takes before a user clicks on a phishing-campaign message, on average, and our resiliency has grown from under two campaigns, to something above six or seven of them. We've improved in triple-digit percentages across the board.

The program has definitely changed employee behavior towards cyberattacks. It is one of the tools in the overall picture for us, but it's on the edge, where the most attack vectors exist, among all our employees. By any measurement, they've drastically improved our cyber resiliency and improved user awareness of the attacks that are out there.

Sometimes there have been complaints to HR by employees, and from HR to us, about how the phishing attacks are just too close to home, including virus and COVID-related, bonus-related, tax-related, or even HR-notification-related. But after discussion, in every one of those cases, HR or whoever reported the issue, agreed that it was actually a good idea that controlled and really safe mechanisms like these are used and discussed, and that people become aware as a result of them. It makes us a lot more resilient across the board.

Part of the problem for InfoSec teams is that people are not thinking about InfoSec all the time. Getting people to think about risk, and become more risk-aware more of the time, is really a target. All the tools involved are there to try to decrease that gap. The more people who are aware, and the more time they are aware, the safer the company is. CybeReady has been very effective in increasing the number of people who think about information security and, for those people, the amount of time they think about it. We haven't had a single phishing-based incident in the past two and a half years. That's a testament to something that we're doing right in that area.

In terms of security culture within our organization, the more people talk and the more people think about these things, the more opportunities there are to discuss what should happen, how it should happen, as well as to laugh together at the alerts that people sometimes click on. It increases conversation and makes it easier, which in turn, improves our overall cyber resiliency.

CybeReady has this uncanny ability to fit its simulations to reality. The simulations that CybeReady prepares are refreshed on a monthly basis. We have full campaigns and every month they create about 20 different simulations, based on what they see in real-world attacks. That means that these simulated attacks are spot-on for what's happening in the world. They could be news-related, for example, related to COVID, or elections. They might be related to the time of the year, such as taxes or bonus payments and the like. They could be seasonal, like at Christmas when a lot of deliveries are happening, and a simulation might be, "You have a package coming." They could be based on threat intelligence. For example, if there are well-known campaigns from bad guys, such as the impersonation of members of the executive team, the simulated attacks are adjusted to start using real names of our executives to attempt to pretend to be them. Their campaigns evolve, and they closely match what we do see from real bad guys out there. It might be a bad comparison, but it's like a virus. It's evolving to what it's seeing out there, but in a good way.

The micro training is very useful for exactly what it's for. It's spot-training at the right time without too much. It jumps out, covers the immediate needs, and doesn't overload the user.

The area where we could probably use more attention is the involvement of CybeReady with us. It would help if a technical account manager were more actively reaching out and making sure that we are using the tool to its full potential. On the one hand, it would probably take a little bit more of our time. But on the other hand, if it were very targeted and controlled by a technical account manager, it could be very useful and take very little time.

The kind of scenario I'm thinking about is where a CybeReady account manager would call and say, "Hey, I looked through your settings and, based on the numbers I'm seeing, maybe you guys can turn this on and turn this off, or adjust it this way or that way."

I go in there and pull the information and I use its presentations, and that's useful. And they do periodically send out reports to summarize things. But in the world of automation, I still think you need a little bit of human touch. That's the part that's missing, just a little bit.

I've been using CybeReady for more than two years.

We've had no concerns about the availability. It's up there in the cloud, and it's not really mission-critical, even if it goes down—which, to my knowledge, it hasn't. If it were to go down for a couple of hours, things would just recommence when it came back online. But we haven't been aware of any issues.

We're not controlling how the solution is put under stress. We're getting something like 30,000 simulated attacks a year, at least, and there has been no impact on the solution one way or the other. We don't have any concerns or complaints in terms of scalability. It's not an issue.

Customer support has been good. If we reach out to them, it's fine. When we were doing the email configuration, because we needed to configure our filters to allow it, that's when we contacted them. But that's just regular setup work. I don't think we've had issues with its operation where we needed technical support.

Positive

We didn't have a previous solution.

Setting up the solution was very quick. It took several hours to configure AD integration for user-pull, but now we just check it once a quarter. There isn't much to strategize. You just pull in the users and they start sending things out. Get it going and adjust things slightly in the first couple of months.

You can set it up to send emails in multiple languages, but the feedback from users was that when they get an email in their native language, meaning if it's not in English, it is actually an indication for them that it's a phishing attempt, much more than if it were in English. We started out doing this in 20 languages, but we switched back to pretty much just English.

It took a couple of months to collect a full data set, before the numbers were meaningful.

The four hours a quarter we spend on it reporting from it, et cetera, works out to 1 percent of an FTE. That's negligible.

We have seen ROI since week one. It was almost immediate.

It has increased employees' security resilience with little effort on the part of my team to make that happen. My team dedicates maybe four hours a quarter to maintaining this. The rest of it is done by the tool, we call it "automagically." There is very little effort on our part, but with a lot of results. All we do at the end, really, is just collect the numbers. 

That's huge. It's all about ROI. If we don't have to spend any time, or very little time, tracking a solution that gives us this kind of a drop, that's a huge improvement. If we didn't have this kind of automation and had to do these by hand, it would involve several weeks of prep as well as continuous tracking, everything the tool does on its own.

In terms of workload for our IT and security teams, we don't have anything to correlate with before. We weren't doing anything before we started to use CybeReady. But I know others who are doing phishing simulations internally, not using a tool, and it requires at least a quarter to half an FTE to run things. Using CybeReady results in empirically drastic time savings.

The pricing is very competitive.

We looked at KnowBe4 and one other. But the automation, the fact that it was autonomous, was one of the bigger keys and has proved to be very impactful.

My advice would be, whether you use this solution or not, do something. This one will take so little time and effort that you'd be hard-pressed to find alternatives within the same cost constraints.

We are using the CybeReady Blast module, which is an automated phishing simulation. It sends a simulated phish email to each of our staff members every month. The goal is to train our staff to spot phishing emails.

CybeReady has absolutely helped change employee behavior toward cyber attacks. We have staff in what we call the high-risk category, which is those who are considered likely to click. That has reduced by 70% over time.

It is difficult to judge whether CybeReady has helped to get employees to care more about reducing organizational risks but certainly, it's helped to drive an increase in reporting of suspicious emails. Anecdotally, some people have not liked it, whereas other people have.

In general, it has helped to build a positive security culture for us. People are much more aware of phishing emails now and how to spot them.

There are several features in this solution that are valuable to us.

The first one is that there are some very good management statistics. I'm able to use those management statistics as I present to senior management, to give them a very clear idea of how well we're doing and what progress we're making. That's the first thing.

The second thing is that CybeReady produces all of the phishing simulation emails for us and we get to approve which ones we use. We choose them, but they do the work producing the content.

The third thing is it's all automated. So, literally, I check the emails that I want to use and then press go, and everything from that point on is automated. It automatically decides which email to send to which employee and it does so and it tracks their response. This means that very little of my time is required to run the simulations. 

The product automatically adapts to users and how adept they are at spotting phishing emails. If somebody is doing very well and is not clicking on the phishing simulation emails, then it will send them emails that are harder to spot. But, if somebody is doing badly, it will send the ones that are easier to spot.

CybeReady is still getting used to working with really big companies, which is the category that we are in. They have to make a lot of adjustments but they're learning and adapting.

We have been using CybeReady for approximately 14 months.

With respect to performance and availability, it seems to work pretty well. I don't have any problems logging into the management portal. It was a bit slow with large numbers until recently, but it seems to have speeded up a bit.

There have been one or two technical issues. There was one where some emails weren't being sent out, but they identified the problem and worked to fix it very quickly. That was the only issue that was significant.

Overall, stability-wise, it's pretty good.

We are a large company with several tens of thousands of employees and it works for us. It delivers emails to our staff, there are no issues there. The only thing worth noting is that in the old version of the management portal, perhaps because it was dealing with so much data for us, it was sometimes a little bit slow. Ultimately, this wasn't a big issue.

The technical support is very responsive when we have a problem. These things happen in IT and when we contact the vendor, they get onto things and resolve them very quickly.

We have made a range of special requests to support for information about, for example, getting certain things fixed, or about technical problems, and whether they can help us resolve delivery issues. Each time, they have been responsive and I would rate the support a nine or ten out of ten.

We did not do anything like this before implementing CybeReady.

As we did not run a phishing simulation or similar program prior to this, we do not have a benchmark and I can't say for sure whether this saves our IT department time.

The initial setup is pretty straightforward, as far as dealing with CyberReady goes. We just had to supply certain data to them, choose the emails, and then activate it. Overall, it was fine. There was rather more work involved on our side to ensure that our IT networks let the emails get through okay.

It took us about four months to deploy, although the delay had nothing to do with CybeReady. They were ready to go much quicker than that.

We have absolutely seen ROI. The management information really helps, but I can absolutely see the improvement in staff's ability to spot phishing emails. It's very clearly demonstrated and that is a very significant return on our investment.

Their licensing model is fine.

You pay a yearly fee and they're a fairly good value.

The annual payment model is fine, although they could consider a monthly one. At the same time, you want to be committed and have predictability, so the annual model works well.

We looked at several solutions that were on the market. We settled on CybeReady because they had a solution that involved not using very much of our staff time, and also because it was adaptive and automated. Basically, it was easy and intelligent.

We have not implemented any supplementary training but we are looking to do so. The vendor has another offering called Continuous Awareness Bites (CAB), which is a continuous stream of email tips that come into your inbox every couple of weeks. We're working on implementing that now.

Both the Blast and the CAB products look to be very good. I think they're still working on the management statistics and I've fed back a little bit of how I think they could be improved, but it's not really a major deal. 

My advice for anybody who is looking into this solution is that it's a very good service and they're very willing to help. Getting things set up with them is straightforward. But as a prospective customer, you need to do some work to make sure that the phishing simulation gets through your various email filters effectively. You must also make sure that your staff knows about it and that it's a positive learning experience. It's not there as a test or a punishment. It's meant to be a positive learning experience. We did that and it landed pretty well.

The only other thing is that if your staff isn't used to reporting suspicious emails, then you need to tell them how to do it, because certainly during the early days, I think lots of our staff didn't quite know what to do with it all. We told them, but just managing to get that word out there as to how to report took a little time. Make sure there is plenty of communication with your staff before you turn on the phishing simulation so that they know it's coming, know why it's coming, and know what to do with it.

In our case, we wrote to every single user and said, "This is coming. This is designed to help you to learn to spot phishing emails at work and at home. We hope you will find it useful." We explained that it wasn't a test for them and we promoted it via our internal social media, really trying to make sure everybody knew about it.

Overall, this is a really good product but there is always room for improvement.

I would rate this solution a nine out of ten.

We are using CybeReady because training on and awareness about security are among our main areas of focus for existing and, of course, for new employees. It's very important that we maintain our employees' awareness in this area as much as possible. That is the most important part. If our employees are really attentive to and aware of all the different types of possible threats from phishing emails, we believe we can avoid 50 percent of the potential attacks that we can suffer as a company.

In addition, due to external factors like the pandemic, we are much more vulnerable. People are working remotely and that exposes us more and more to different kinds of cybersecurity threats.

CybeReady helps us understand what the maturity level of our employees is in these matters. We are very close to finishing our first year with CybeReady. We are taking the information from the program, the KPIs provided, and we are gaining an understanding about the behavior of our users. We have seen a positive trend beginning to appear over the last three to four months. We started in January and, by the end of the summer, we started to notice that the resilience to phishing campaigns was growing more and more. That is one objective we really wanted to achieve. We want to maintain it and improve further.

All of CybeReady's features are valuable. They work together and complement each other.

The campaigns, and the training behind the specific campaigns, are the starting point. But the Continuous Awareness Bites program is also very important. They share what the correct behavior should have been for our users who clicked on a link or downloaded an attachment during a phishing campaign.

In addition, we have the ability to configure the platform to message an employee who successfully ignores or refuses to click on campaign emails. We can tell them that they are resilient because they have refused our campaign emails and didn't click on them. Or if an employee alerts us that they received a phishing campaign from CybeReady, we can confirm that they are correct. But we also tell them to continue to be attentive. It's important to keep the people who are more prepared, and who have a greater level of knowledge and of awareness in this area, watchful and engaged and make them part of the program.

One point that CybeReady could improve on is the reporting. I don't mean the KPIs or the reports on the dashboard. What I'm referring to are the people assigned to each client to help the client correctly interpret the KPIs. In our case, we were not so happy with the person that was assigned to us. She didn't provide much more for us than we saw ourselves.

We were expecting a different kind of exercise. We asked them to really help us understand the KPIs. But more than that, to help us create an exercise to focus on the areas or the actions that we should put in place to mitigate the risks identified, based on the results. I'm not saying that CybeReady doesn't have people who are very well prepared. Maybe it was just that the person who was assigned to us was not well prepared. Maybe she had only started to work with CybeReady some months before she started meeting with us. But it's a point that I would like to share.

We have been using CybeReady since January of 2021, so about 10 months.

The stability has been very good. 

We have had to make some small adjustments to the PowerPoint presentations that were prepared automatically to help the CISO share results with management. There was a small wrong interpretation of departments on the title of a slide. But everything that works automatically has to be adjusted from time to time. That's normal.

We are an enterprise business with more than 1,200 employees, and I haven't noticed any issues with scalability.

Because CybeReady is a service, they did everything for us, apart from the initial configuration for integrating our Azure Active Directory with their platform to provide them with information dynamically. Everything else was done automatically, and we didn't have to do anything, other than follow the program, look at the results and the trends, and analyze them. It's a very good solution. 

From that point of view, it didn't cause any workload for our IT team or security teams. 

In the future, with the new strategy and approach that we are implementing to continue the area of training for phishing awareness inside our company, I will have the opportunity to compare the return on investment, looking at the improvement that CybeReady helped us to achieve during 2021 versus what we achieve by the end of 2022. 

For this calculation, we will have to take into consideration the time spent by us in the preparation of this new approach.

We quickly evaluated other options but we didn't do a complete investigation into them because CybeReady was recommended to us by a colleague at another company here in Portugal. Also, it was not so easy to find a solution on the market that offers all that CybeReady offered to us, in one platform. I was happy with the first meeting that we had with CybeReady and saw all of its potential.

Unfortunately, we are not going to continue with CybeReady, but that doesn't mean that in the future we will not come back and do another year with CybeReady. The only reason we are stopping has to do with our strategy, not because we are unhappy with the product. We plan to stop using them for 2022 and continue with a different approach for training and awareness. Based on the results that we obtain from this change in approach during 2022, we will review where we stand and see if we can continue with that approach or if it makes sense to come back to CybeReady.

We actually started a training and awareness problem inside our organization at the same moment that we contracted with CybeReady. So I can't say, "Before our contract with CybeReady we spent, for example, a lot of time preparing the company for training and awareness, whereas with CybeReady we didn't have to do that and we had time for other tasks." But I am aware that we need a lot of time to prepare this kind of activity. That's one of the reasons we contracted with CybeReady. We didn't have enough people on our team to internally support a program like CybeReady.

In terms of the functionality and features, CybeReady has everything that we need and I believe that is true for most companies.