Picnic showcased in Startup to Follow

Picnic Protects Your Company from Social Engineers

What the company does

Picnic is a cybersecurity firm that proactively protects people and companies from the biggest threat vector in cyber today: attacks by social engineers.

Picnic has built the industry’s first enterprise-wide social engineering detection and prevention platform. Picnic’s technology addresses the social engineering threat at the source by allowing companies to emulate attacker reconnaissance at scale, and to preemptively eliminate social engineering pathways to compromise. The platform automatically identifies exposed public data of organizations and their people which could be used in a social engineering attack, and streamlines the removal and/or neutralization of that data before it can be exploited.

In case you aren’t already familiar with the name, PICNIC is an old IT-security acronym that means Problem in Chair, Not in Computer, which is referring to the problems of human error. The Company feels this is a good way to talk about social engineering, which is fundamentally a human problem. So, as a nod to this saying, the Company decided to name itself Picnic and is reframing this old saying with a positive spin as Protection in the Chair, Not in the Computer.

The current landscape

Social engineering is the single largest and most challenging problem in cybersecurity that includes myriad attacks (phishing, impersonation, BEC, identity theft, etc.). These kinds of attacks have one common thread: they seek to trick targeted people into doing something by leveraging personal data about the target and their personal and professional networks. Traditional approaches have tried to solve the social engineering problem by technical means (email gateways, endpoint protection, MFA, etc) and through training. Unfortunately, technical solutions are defeated by hackers, for example by running a staged attack, and training does little to inoculate users against more than the most basic “Nigerian Prince” types of scams.

Before the person in the chair is even targeted, hackers always begin with reconnaissance of public data, known as OSINT, or Open-Source Intelligence. OSINT refers to any publicly available information a hacker can find on a target, such as data from LinkedIn & social media, data brokers, breach repositories, and elsewhere. Today, 92% of cyber-attacks are specifically crafted from users’ OSINT. It is the reconnaissance of a target’s OSINT footprint that reveals to hackers the pathways to compromise human targets via social engineering.

Because the behaviors and data revealed in the OSINT reconnaissance phase of an attack have historically existed beyond the reach of traditional cybersecurity controls, hackers have continued to be able to exploit data vulnerabilities with impunity via social engineering, which remains the #1 threat vector in cyber. More than 90% of the time, initial access is gained through social engineering and by 2025, it will cost companies an estimated $200 billion in losses.

Even though 90% of all cyberattacks start with a phishing email and 90% of attacks are caused by human error, less than 3% of cybersecurity budgets are allocated to the human factor.

Very little has been invested in addressing OSINT vulnerabilities and securing the human data layer. Organizations have historically not been able tackle OSINT because of a lack of adequate visibility, no technological means to visualize attack paths and neutralize them, employee privacy issues, and the too difficult and time-consuming task of taking proactive measures manually.

The industry has only had a handful of social engineering solutions, such as security awareness training providers KnowBe4 and Barracuda, and there has (until now) been no platform that preemptively addresses the public data (OSINT) vulnerabilities from which social engineering attacks are crafted.

Picnic’s platform is unique in that it is the first one to tackle the online digital footprint of enterprises to reduce the human attack surface and prevent social engineering attacks.

Company birth story

The world digitized faster than society imagined. For decades, the promise of big data was on the horizon as a means to make sense out of our digital chaos.

The big data wave crested and crashed: there is more data at the fingertips of any human than any time in history – all you need is a smartphone and the internet. While there are many positives associated with such rapid innovation, a dangerous current cuts through our online world: hackers also use big data tools to make cents from the digital chaos.

Until now, the cybersecurity industry has done what it knows how to do best: harden infrastructure.

By locking hackers out of systems, traditional cybersecurity vendors tried to stem the tide of attacks. We are at an inflection point: further hardening of infrastructure is a losing battle, because hackers know that they only need to trick a human to defeat the most powerful technical solutions.

The human operating system is fallible. Love, fear, curiosity, and other emotions present potential ways that we can be manipulated, and personal information about each of us tells hackers what our passions and concerns are. This fundamental situation is the reason the social engineering problem is so challenging to resolve and has remained such a threat.

Recognizing that our own data trails are being used against us, and that humans are vulnerable to exploitation, Picnic’s founders realized that the solution to the social engineering problem – the way to protect people from those who would use their information against them – is to think like a hacker, to focus on harnessing the power of information for good, and to provide people with the technological means to reduce their visibility and accessibility to social engineers by controlling their data footprint.

Having backgrounds and expertise in human intelligence and mathematics, Picnic’s founders spent years reverse-engineering threat actor OSINT reconnaissance and, with a consummate team of engineers, building a platform that allows organizations to see themselves exactly the way a hacker does and to remediate vulnerabilities preemptively to prevent and dramatically reduce social engineering attacks.

The solution

Picnic is the first company to come upstream of the social engineering problem to tackle the root cause: the growing data footprint about each person online that is used by hackers to target and compromise their work and personal identities. Picnic detects where valuable data about you and your company are so our technology can take preventive measures, often by removing it, before it can power hackers’ campaigns. Our automated, privacy-forward enterprise solution protects, proactively, against attacks that target people.

Our platform combines visibility of an organization’s public data at scale, visibility of the attack paths associated with that data, and the streamlined, technological means to eliminate those paths, all the while keeping sensitive personal information private and secure.

Command Center

For enterprise security teams, Picnic has built an enterprise-wide hacker’s lens in a single screen known as Command Center. Command Center has the power to automatically emulate hacker reconnaissance of exposed data and to surface and remediate a company’s OSINT vulnerabilities. With this powerful tool, security teams have near full visibility beyond the perimeter from 1000+ data sources. They can know instantly where social engineering risk resides, who is most likely to be targeted and how, and they can take remedial actions with built-in tools that remove and/or neutralize risky information and paths to compromise while continuously monitoring for new threats.

Command Center is designed to provide power to the security team while simultaneously protecting individual employee data. Picnic uses qualitative and quantitative risk measurement scores that enable security teams to drive remediation without needing to handle disparate pieces of sensitive information. Specific risk attributes (i.e., employee taxpayer identification numbers, etc.) are shared as flags without disclosing personal data and cleartext credentials and other sensitive items are encrypted before they are shared via a machine-to-machine Application Programming Interface (API).

Personal information can only be viewed by the individual employees, not by the company. 

CheckUp

As a complement to our Command Center, Picnic’s CheckUp is a personal security dashboard for employees that gives them unprecedented visibility and power over their exposed personal information and the social engineering risks specific to them. Through this application, employees see detailed views of their exposed personal data and can easily remove or neutralize any unwanted online data.

CheckUp includes built-in remediation tools for neutralizing vulnerabilities and reducing attack surface, provides active personalized learning that is vastly superior to traditional training, and continuously monitors for new risks. It improves protection for both employees and the enterprise by reducing an employee’s attack surface, promoting cyber hygiene, and raising security awareness in a very personalized way. CheckUp is messaged as an employee benefit that offers protection across the work/home boundary, with reciprocal benefits to the company. Employees can extend CheckUp protection with family invites.

Executive Services

Since VIPs are high-value targets for social engineers, Picnic provides additional layers of protection for Board and C-Suite via our Executive Services. In addition to VIP data being cleaned through CheckUp, our Global Intelligence Team conducts advanced info gathering to map the routes to compromise an attacker would take against VIPs so they can be proactively neutralized. Each VIP is given continuous personal exploitation protection against ransomware, malware and viruses, and impersonation, and this protection can be extended up to 10 family members and 2 support staff.

Our team provides VIPs with one-of-a-kind Executive Exposure Reports that include personalized, detailed insights about the types of risk they are exposed to based on their particular online footprint along with remediation solutions. We also conduct manual data broker takedowns that remove VIP information from data brokers and provide on-demand private access to our resources and intelligence specialists for VIPs to ask questions and receive personalized, expert assistance.

A Customer Story
Founder quote
“Without adequate visibility of exposure and attack paths, a critical blind spot for preventing social engineering attacks remains, along with an ever-increasing human attack surface that is beyond the control of traditional cybersecurity. Picnic has stepped in to remedy this situation with the first technology platform of its kind capable of addressing public data vulnerabilities preemptively, efficiently, and comprehensively at an integrated, enterprise-wide level.” – Matt Polak, Picnic CEO
Scroll to Top