Today, social engineering prevention and detection platform Picnic announced it had raised $14 million as part of a Series A funding round led by Crosslink Capital and Rally Ventures with participation from Energy Impact Partners. 

The startup aims to address the challenge of social engineering threats that have successfully evaded traditional cybersecurity controls by continuously monitoring an organization’s online digital footprints and public data from over 1,000 data sources, and analyzing whether an attacker could use that information to create a scam. 

Picnic offers a preventative solution to social engineering attacks which allows them to see what data an attacker could gather on their employees from social media, data brokers, breach repositories, and the dark web. 

The Era of social engineering 

The announcement comes as social engineering attacks run rampant, with the average organization targeted by over 700 social engineering attacks each year, with over 12 million spear phishing and social engineering attacks taking place between May 2020 and June 2021. 

These attacks are prevalent because there’s no silver bullet antivirus or anti-malware platform that can prevent an attacker from gathering information about a company or individual online, and coordinating targeted outreach to trick them into handing over sensitive information. 

“Social engineering is the single largest and most challenging problem in cybersecurity that includes myriad attacks (phishing, impersonation, BEC, identity theft, etc). These kinds of attacks have one common thread: they seek to trick targeted people into doing something by leveraging personal data about the target and their personal and professional networks,” said Matt Polak, founder of Picnic. 

“Traditional approaches have tried to solve this problem by technical means (email gateways, endpoint protection, MFA, etc) and through training. Unfortunately, technical solutions are defeated by hackers, for example, by running a staged attack, and training does little to inoculate users against more than the most basic ‘Nigerian Prince’ types of scams,” he said. 

Instead, Picnic addresses social engineering threats by identifying publicly available information, or open-source intelligence (OSINT), in print, about individuals or organizations, so that organizations can remove it and deny potential attackers of reconnaissance data. 

The idea is to prevent attackers from putting together public information to target employees with social engineering scams. 

A new preventative approach to social engineering 

Picnic is part of the global cybersecurity market, valued at $153 billion in 2020 and anticipated to reach $366 billion by 2028, which only has a handful of social engineering solutions, including security awareness training providers. 

One such provider is KnowBe4, which provides security awareness training to teach employees how to detect social engineering attempts, which has over 40,000 customers, and announced $262.2 million in annual recurring revenue last year. 

Another is Barracuda, which offers security awareness training based on real-world threat templates of malicious emails, and analyzes how effectively employees can spot phishing attacks, which is on target to reach $1 billion in sales between 2023 and 2024. 

These preventative approaches aim to mitigate social engineering threats by teaching employees how to spot manipulation attempts in the form of phishing emails that aim to mislead them into clicking through to phishing websites. 

However, while there are other cybersecurity vendors tackling the issue of social engineering threats, Picnic’s approach is unique in that it tackles the online digital footprint of enterprises. 

“Picnic has created the first technology platform of its kind capable of addressing public data vulnerabilities preemptively, efficiently, and comprehensively at an integrated, enterprise-wide level,” said Polak.