Addressing the biggest cybersecurity gap: Human risk

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

In the ever-evolving landscape of cybersecurity, the human element remains both a vulnerability and a promising frontier for innovation. Meet Zepo, a pioneering cybersecurity company that merges education with technology to address the human risks that underpin digital threats.

In this interview, alumnus Antonio Muñoz, based in Madrid, sheds light on the imperative need for their unique approach, the evolving challenges posed by technological advancement in social engineering, and the transformative impact of their participation in Google's prestigious Global AI for Cybersecurity Program.

Zepo addresses the cybersecurity gap of human risk. Can you tell us what your approach is for doing this, and why it's needed?

We are a cybersecurity company, but we sit at the intersection of cybersecurity and education because ultimately our goal is to educate employees about security risks.

Our lives are becoming more and more digitized. Parallel to that, cybercriminals have long known that humans are the weakest link in the security chain. The more time spent with connected devices, the more opportunity for cybercriminals to take advantage. To address that, we believe in the 'learning by doing' approach.

So it's not just about telling employees what cyber attacks, phishing, and ransomware are, but rather exposing them to real scenarios in a controlled setup. We built a tool to allow companies to create those scenarios very easily and expose their employees to those situations. We can then train employees, taking into account their response to those scenarios. This approach is more effective than traditional lessons. The idea is to transform workforces into successful human firewalls.

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

In a world that is so connected, if my company is working with yours, we're going to end up connecting our systems. So if you're not secure, my company's not secure either. The only way to prove that you are secure is by referring to some external certification that proves that you're taking cybersecurity seriously. Therefore, cyber awareness now goes beyond the traditional bottom-line perspective and is also critical for your top-line.

But there is more. "Cyber wellness" is becoming a major concern for HR teams, and Zepo is playing a pivotal role in leading this category globally. Companies are speaking a lot about wellness in the workplace nowadays, but they struggle to understand the impact of cybersecurity on the health of their employees. And believe me, employees can be exposed to very stressful situations online.

The pace of change in technology has been accelerating, and a whole new set of cybersecurity risks are emerging. What are we facing today? What's new? How are things different than they were even just a few years ago?

We see gen AI enhancing the sophistication of social engineering attacks. For example, phishing, one of the most common social engineering techniques, is seeing increasing linguistic complexity of emails, making them harder to spot, and the speed of email creation has increased by 40%, which is crazy.

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Cybercriminals are exploiting speech-to-text, ChatGPT, and text-to-speech APIs to become smarter in their social engineering attempts.

Habits in the workplace are also changing, and some increase risk exposure. Remote setups increase connectivity, and home devices become powerful weapons for cybercriminals.

Automation and AI are some of the ingredients we use in our secret sauce to empower organizations with the knowledge and resources to make informed decisions before threats become disasters.

What was your inspiration for starting Zepo?

There were really three things that inspired me: one personal and two professional.

First, I was bullied when I was very young. I am now the father of three beautiful kids, and I’m very sensitive to those scenarios. That made me think about leveraging technology to fight digital harassment as a general concept. I focused on building a B2B business, realizing that digital harassment can take place in the workplace.

Secondly, I worked in the cyber industry. I started my career working at Allianz, where I was part of the team that was building cyber products to protect organizations against cyber attacks. However, cyber insurance is a young, immature sector facing critical challenges, including limited data around cyber events and historical loss due to the comparative recency of the field as well as the rapidly evolving threat landscape. These make it difficult to quantify risks and effectively price insurance to protect against them. As a result, businesses continue to opt against cyber insurance because the risk prices do not accurately reflect the risk being insured against.

Last but not least, I was inspired by my time at McKinsey. I was very intrigued by how McKinsey trained us to prevent reputational damage and data hacking. I started to think more broadly about human risk as a whole new category in the industry.

These three things set the foundation for Zepo.

Zepo is one of just 17 startups worldwide picked by Google for Startups to join the Global AI for Cybersecurity Program. How do you envision leveraging the mentorship from experts to enhance what you're doing at Zepo?

It's been amazing, to be honest. I've been part of powerful accelerator programs in the past, at Wharton, Harvard, and Y Combinator. This program at Google is different in the sense that all the participants are cybersecurity companies that are going through similar challenges. We do not compete against each other, and we find synergies that make the environment unique.

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

We can benefit from the program on three different levels.

The first is access to Google experts. As an example, Munich organizes one of the biggest cybersecurity and security conferences worldwide. This is where the Google program kicked off. That week, the city was flooded with prominent and renowned personalities from all over the world, such as Sundar Pichai, CEO of Google, and Volodymyr Zelenskyy, President of Ukraine. We had the chance to sit together with some of the best Google experts from all over the world and discuss how they are approaching social engineering, and how we are doing on our end. These folks are years ahead of where we are, so it gives us a unique opportunity to identify shortcuts and areas of focus that are going to be relevant.

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Second is the networking, not only with other companies in the industry, but also with partners, companies and global investors.

And third, we will have mentorships in specific areas, such as AI, technology, sales, product, finance, and marketing.

In the end, it is all about getting access to knowledge and relevant people to skyrocket your business. And something I personally like a lot is that throughout this process you become not only a taker, but a significant giver. Our experience is also very helpful to others.