Categories: News, Security awareness

Nimblr expanding into French and Spanish speaking markets

We are thrilled to announce that Nimblr is now entering the French- and Spanish-speaking markets!

As a leading Swedish cyber security awareness company, we know how important it is to deliver training in the users' own language and to adapt it to local circumstances, since the goal is to change user behavior. We are very excited to bring our automated security awareness training to these new markets.

Leading the charge in these new markets will be our talented account managers Virginia Ribó Villà and Hélène Kasriel. With their expertise and passion for the industry, they will be instrumental in helping us successfully engage with customers and partners in these new local markets.

We are already well established in these markets and are confident that our solutions will significantly benefit companies in the French- and Spanish-speaking world. We look forward to a successful and exciting future in these territories.

More details on nimblr.es & nimblr.fr

Categories: News, Phishing, Security awareness

Artificial intelligence with real consequences

Artificial Intelligence (AI) has revolutionized many industries, but it has also created new avenues for cybercriminals to carry out phishing and email scams. AI-powered scams are becoming increasingly sophisticated and harder to detect, posing a threat to individuals and businesses alike.

Artificial fishing
Phishing is a type of cyber attack that involves tricking victims into revealing sensitive information such as passwords, credit card details, or social security numbers. AI can be used to automate the phishing process, making it more efficient and scalable for criminals. For example, AI algorithms can be used to generate personalized phishing emails that are designed to appear legitimate and target specific individuals or organizations. One of the most common forms of AI-powered phishing is called “spear phishing.” This type of phishing involves using AI algorithms to analyze public data and personal information to craft highly targeted phishing emails. The AI algorithms can generate realistic-looking emails that are addressed specifically to the intended target and contain information that is tailored to their interests or job role.

Who is who?
Another way AI is being used for phishing is through the creation of deepfake videos. Deepfake videos are synthetic videos that use AI algorithms to superimpose one person’s face on another person’s body in a realistic manner. Criminals can use deepfake videos to impersonate trusted individuals or organizations in phishing scams. For example, a criminal might create a deepfake video of a CEO asking employees to transfer money to a new bank account, or a video of a government official asking for sensitive information.

A larger phishing net
AI is also being used to automate email scams, making it easier for criminals to reach a large number of targets in a short amount of time. For example, AI algorithms can be used to generate fake job offers, investment opportunities, or lottery winnings in the form of emails. The AI algorithms can analyze public data and personal information to craft realistic-looking emails that are designed to trick the victim into sending money or revealing sensitive information.

In conclusion…
AI has opened up new avenues for cybercriminals to carry out phishing and email scams. As AI technology continues to advance, it is becoming increasingly difficult for individuals and organizations to detect and defend against these types of attacks. To protect themselves from AI-powered scams, individuals should be cautious of unsolicited emails and never reveal sensitive information or send money to unfamiliar individuals or organizations. Businesses should invest in advanced security solutions that can detect and prevent AI-powered phishing and email scams.

Better “the devil” you know
Thought-provoking reading, isn’t it? But wait, there’s more… We tried, as an experiment, to AI-generate a body of text on the theme of “AI-generated fraud” and the result of the experiment is the text you have in front of you, minus this concluding paragraph. So the future is already here and may seem both unreliable and threatening. However, it is important not to be paralyzed by what may appear to be a fundamental paradigm shift, a so-called game changer. From another perspective, what we are seeing now is just a continuation of the arms race between cybercrime and cybersecurity that has been going on for decades. We at Nimblr are monitoring developments in this area, and are convinced that educational and awareness-raising cybersecurity training – together with technological solutions – is the best way to address both current and future security risks. AI, like ordinary intelligence, is a tool that can be used for both good and evil, and the same technology that is used for fraudulent purposes can also be used to protect us from fraud.

Categories: News, Security awareness

A Retrospective and New Nimblr Times

2023: a new year, and a new number to get used to in place of the old one. Four digits that evoke expectations, hopes, and fears. What is, and what may be? The start of a new year is usually a time for closure and new objectives, with reflections on things that will change and things we hope will remain: prospects, and insights. Nimblr welcomes 2023 with a look back at the year that was.

Awareness of security awareness
An increasing number of people are becoming aware of the importance of security awareness. In the digital world, threats are not merely technical errors and human mistakes, but also deliberate and malicious acts. Russia's invasion of Ukraine has made it clear that cybercrime is not only committed by teenagers fuelled with energy drinks in dark basement rooms but also by state-sponsored actors, with more than money at stake. In an increasingly digitalized world, the secure handling, storage, and transmission of data is a paramount concern, not only for individuals and organizations but also for nations and federations of nations. This increased focus has been seen in many ways, and at many levels, over the past year, well exemplified by the strengthening of the EU's NIS Directive through NIS2.

More customers, more markets.
As security awareness becomes an international concern, the need for security services with customized and up-to-date content increases. During 2022, Nimblr has seen an increase in customers and end users of 202 and 288 percent respectively. Our revenue has tripled, and our security solutions are now available in 23 languages. During the year, we also opened an office in Lisbon and established ourselves in the Portuguese, French and Spanish markets. However, the weight of these figures is secondary to the quality of the services delivered. Nimblr recognizes and believes that an increased focus on security awareness should lead to increased scrutiny of the services and training tools available. We welcome such a development and look forward to further refining our security solutions in collaboration with our clients and in line with current and future evidence-based research findings.

Cultural open-mindedness
Security awareness is a global concern, so solutions to enhance it need to work across cultures. As Nimblr's user community has grown and become more nationally diverse, the need to mirror this development internally has increased. Nimblr's workforce has more than doubled in 2022, and we are currently a group of Swedes, Danes, French, Portuguese, Brazilians, Ukrainians, and Argentinians. Like any major change, in the short term this growth has led to new misunderstandings and areas of conflict, but in the longer term it has led to new insights and development, both personally and organizationally. As a global actor, in a modern world, and in the face of a global security threat, we believe that a pluralistic and inclusive organizational culture is a vital, if not indispensable, asset. In 2023, we are setting our sights on continuing to evolve in this direction, learning from each other and becoming even better. Together.

Andreas Berglund, CEO, Nimblr

Categories: News, Security awareness

Vanity Awards – a threat to both wallet and dignity

In recent years, pitches for paid honors, so-called Vanity Awards, have become increasingly common. Nimblr describes the phenomenon and its typical course, and looks at the security risks associated with these "borrowed feathers". Finally, a less loaded terminological alternative is proposed: Pyrrhic Awards.

A prize, but at what price?

Many and deep are the pitfalls we risk falling into when our quest for attention and recognition isn't governed by better judgment. A good example is Vanity Awards, where companies are tempted to accept vaguely described nominations, or to nominate themselves for "prestigious awards", only to find that the prizes come at a price, i.e., are available for a fee. The companies behind these charlatan operations are usually careful to stay on the right side of the law, and prosper from the delusions of their unsuspecting victims. Nimblr often receives this type of offer and can therefore describe the typical Vanity Award process.

The usual course of events

During November and December 2022, Nimblr received more than half a dozen emails from a company, let's call it Corporate Foresight, whose stated agenda is "to acknowledge and celebrate businesses all over the world who strive – every day- to be better than they were". The introductory message is well crafted and may, at first glance, seem trustworthy and reputable. We are informed that "Nimblr Ab has been identified as a potential nominee within the Security Awards 2023" and are, via two links, given the option to either accept or decline this potential nomination. Furthermore, we are told that "There is no mandatory cost involved if you choose to accept this nomination, or if you go on to be successful. If a company is successful, we do offer packages to make the most of the achievement, but these are completely optional, and we always offer a complimentary package to our awardees." So far so good, right? The company is registered and has an address, a phone number, and a well-designed website. The email also includes a photograph of the staff, five smiling women who on the surface, much like the Spice Girls, exemplify five different archetypes or styles. We even get to know their first names or nicknames: short, easy-to-pronounce, "ordinary" names.

Upon closer inspection…

In the Security Awareness field, you learn early on that what is left unsaid is often more informative than what is said. We are not told on what grounds this potential nomination rests: what have we achieved? Nor is anything said about who nominated us. Moreover, a closer reading of the message reveals some classic con elements:

  1. We are chosen/special/outstanding
  2. A (possible) reward awaits, in the short and long term
  3. We need to act swiftly

In addition to these warning signs, the message, photograph included, appears a little too rigged: a pluralistic catch-all whose differentiated meshes are meant to entangle a wide spectrum of would-be prey. At Nimblr, we know that the best way to reject a suspicious online offer is to ignore it: this avoids the risk of interacting with unsafe links, avoids confirming to the sender that the address is read, and lets us observe the counterparty's behavior in the absence of a response. We thus let the message from Corporate Foresight go unanswered. Immediately, intense spamming began, with the urgency message coming more and more to the fore, while Nimblr went from "potentially nominated" to "nominated" without comment. Needless to say, we did not reply to any of these messages either.

Then what happens?

However, there are companies that, by mistake or out of curiosity, have accepted this type of nomination. From their experience, we learn that nominations always lead to wins, and that a win sometimes means some form of free exposure, for example a short interview in the awarding company's own online magazine. In addition, there are offers of so-called prize packages, with plaques, trophies, and the like, at a cost ranging from 150 to over 5000 €. The free interviews seem to bring minimal positive returns at best. A more likely consequence of a Vanity Award is a continued and intensified spam bombardment with similar offers.

More than money at stake

It's easy to view Vanity Awards as a nuisance rather than a real threat, since interaction with their spam messages, links, and offers is voluntary, with no explicit purchase requirement. It is therefore neither phishing nor outright fraud. The operations and practices are not illegal but can justifiably be classified as dishonest, and in this context there is more than money at stake. As already mentioned, participation often opens the floodgates to a torrent of similar "offers", which in itself increases exposure to malicious mail. In addition, these spam messages contain a variety of links whose legitimacy can and should be questioned; even an innocent-looking "accept" or "decline" link confirms to the sender that the address is live and attended. For a Security Awareness company like Nimblr, the negative exposure that a Vanity Award brings can be devastating, as active participation demonstrates a lack of both security and awareness.

“If we are victorious once more, we shall be utterly ruined”

However, it is understandable that companies allow themselves to be duped in this way. The global business world is a jungle, and neither maps nor compasses offer protection from the predators that lurk in the dark. It is essential to be able to discuss Vanity Awards and other types of scams in a clear and non-judgmental way, without ridiculing those who have been scammed. This helps spread information about the phenomenon and makes companies more vigilant and resilient. In this spirit, Nimblr would like to propose a terminological shift, replacing the stigmatizing term Vanity Awards with the more neutral term Pyrrhic Awards, named after King Pyrrhus who, following a costly victory over the Romans at the Battle of Asculum in 279 BC, is said to have uttered the phrase "If we are victorious in one more battle with the Romans, we shall be utterly ruined". Unlike King Pyrrhus, you as an entrepreneur are thankfully not fighting a resourceful Roman Empire; in this case, the battle is between reason and vanity. If you represent or have built a brand and a business idea that you believe in and are proud of, it's better to focus on well-deserved and genuine awards, and if you can't wait for those, you can always invest in a "world's best boss" mug for yourself. That is both cheaper and more useful than a Pyrrhic award.

Categories: Legal, News, Security awareness

NIS2 and Security Awareness

Now it has happened! The EU Parliament's gavel has swung and met the table with a resolute tap. The Network and Information Security Directive, NIS, is being replaced by NIS2, and Member States have 21 months from its entry into force to transpose the new directive into national law. What does this mean, and who is concerned? Does the directive say anything specific about security awareness and training? Nimblr provides clarification.

The NIS Directive, which aims to achieve a high common level of security of network and information systems within the EU, was adopted in 2016 and transposed into Swedish law in 2018 through the Information Security Act. Since its introduction, the Directive has been criticized for being incomplete, unspecific, and ineffective, and for underestimating the growing threats and rapid developments in the field. The need for increased cooperation and coordination between EU Member States in this area has also been highlighted. The European Parliament voted for NIS2 on 10 November 2022 and the Council gave its final approval on 28 November 2022. The update broadens and sharpens the original directive, with new obligations for far more actors than before.

An all-hazards perspective with increased supervision

The NIS2 Directive establishes safeguards for both the storage and transmission of data that are considered essential for the maintenance of public services. It advocates an all-hazards approach, with increased preparedness for natural hazards and technical failures as well as for human error and cybercrime. The NIS2 Directive also emphasizes the importance of securing supply chains, which implies higher security requirements for far more companies, authorities, and organizations than before. Furthermore, national supervisory authorities will have more means to issue warnings and sanctions for breaches of the requirements.

More concerned parties

The original NIS Directive applied to operators of essential services in the following sectors, as well as to certain digital service providers:

  • Energy
  • Transport
  • Banking and financial market infrastructures
  • Healthcare
  • Supply and distribution of freshwater
  • Digital infrastructure

NIS2 continues to cover these sectors and adds, among others, the following:

  • Providers of public electronic communications networks or services
  • Wastewater and waste management
  • Space activities
  • Manufacturing industry
  • Postal and courier services
  • Food

In addition to the directly affected parties, the number of indirectly affected entities will increase, as they form part of critical supply chains. The NIS2 Directive also covers entities established outside the EU that provide services within it.

Cybersecurity training and awareness raising 

Another new feature of the updated NIS Directive is the increased requirement for security awareness among management bodies. It will no longer be sufficient to leave security issues solely to the IT department, as the Directive states that: "Member States shall ensure that members of the management body follow specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity." As part of this, the need for measurability is highlighted: business policies should demonstrate that cybersecurity is prioritized, for example through relevant training programs and awareness-raising actions for all employees. The Directive thus advocates not only an increased focus on cybersecurity but also a broadening of the concept, covering not only technical and reactive protective measures but also educational and proactive ones.

Nimblr and NIS2

At Nimblr, we welcome the EU's push for an increased focus on cybersecurity, as our society becomes ever more dependent on secure systems for storing and transmitting data. At the same time, we understand that the transition to NIS2 may be costly in terms of time and resources. Change also brings uncertainty, with questions such as "What is an adequate level of security?" and "How do we know whether the measures we have taken are having an effect?". Regarding training and education, Nimblr's automated solution is a good way for your business to meet the training requirements of the NIS2 Directive. Nimblr Security Awareness Training supports your NIS2 transition with relevant and up-to-date information, interactive simulations, and business-oriented training sessions.

Categories: Security awareness

What do your users know about GDPR?

What should you do if you suspect that personal data has fallen into the wrong hands? What counts as personal data? What are the consequences of violating the GDPR? Nimblr introduces a new course, in microtraining format, that gives your users a basic understanding of the GDPR and personal data.

In today's information society, it is difficult not to handle personal data in one way or another. Nimblr's new course is aimed at all employees; it raises the baseline and helps employees understand and apply the GDPR in their day-to-day work.

The course is part of Nimblr’s automated Security Awareness program. The content is developed in collaboration with IT security experts, lawyers and psychologists to be relevant and easy to absorb.

Nimblr's Micro Training can be completed directly on a mobile phone or in the computer's browser. No login details are required; instead, each user is identified through the unique link in the email invitation. Because that link stands in for a login, it has to be treated as a credential: unguessable, time-limited, and not something to forward. The system also sends reminders to users who have not completed courses within a given time frame and continuously reports the completion rate to the administrator.
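The identification-by-link scheme described above is sketched below in Python as an added illustration; it is not Nimblr's own code. It assumes a hypothetical base URL, a server-side HMAC key and an in-memory revocation set (a real deployment would keep the key in a secrets store and the revocation list in a database). What it shows is what makes such a link safe to use in place of a login: the token is signed, so it cannot be forged or re-addressed to another user; it carries an expiry; and an individual link can be revoked if the invitation is forwarded.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Hypothetical values: a real system keeps the key in a secrets store and the
# revocation list in a database. A fresh random key is generated here so the
# example runs offline.
SERVER_KEY = secrets.token_bytes(32)
BASE_URL = "https://training.example/start"
_revoked: set = set()


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, so the token survives inside a query string.
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_invite_link(user_id: str, course_id: str, ttl_seconds: int,
                     now: Optional[float] = None) -> str:
    """Build a per-user invitation link of the form BASE_URL?t=<payload>.<signature>."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    nonce = secrets.token_hex(8)  # makes every issued link distinct, so one can be revoked alone
    # Fields are '|'-separated; user and course identifiers must not contain '|'.
    payload = f"{user_id}|{course_id}|{expires}|{nonce}".encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{BASE_URL}?t={_b64(payload)}.{_b64(sig)}"


def _token_of(link: str) -> str:
    return link.split("?t=", 1)[1]


def revoke_invite_link(link: str) -> None:
    """Invalidate one issued link, e.g. when the invitation e-mail was reported as forwarded."""
    _revoked.add(_token_of(link))


def verify_invite_link(link: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (user_id, course_id) for a genuine, unexpired, unrevoked link, else None."""
    try:
        token = _token_of(link)
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (IndexError, ValueError):  # malformed link; binascii.Error is a ValueError
        return None
    # Check the signature before trusting anything in the payload; constant-time compare.
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    user_id, course_id, expires, _nonce = payload.decode().split("|", 3)
    current = time.time() if now is None else now
    if current > int(expires):
        return None  # expired: the invitation has to be re-issued
    if token in _revoked:
        return None
    return user_id, course_id
```

The nonce is what lets the system distinguish a re-sent reminder from the original invitation and revoke one without the other; the `now` parameter exists only so that expiry can be exercised deterministically.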