Victoria Company Plurilock Tackles Cyber Insecurity

Plurilock, a Victoria B.C. based digital-security company is changing the cybersecurity game for good with behavioural-biometric science.

Ian Paterson, CEO of Plurilock. Photo by Jeffrey Bosdet//Douglas

The cyber-threat landscape develops new thorns daily, with cyberattacks showing increasing sophistication. But where most security firms focus on providing solutions that mitigate risks from automated attacks, we have, until recently, lacked reliable solutions for a significant portion of the threat landscape — human-driven attacks.

Enter Plurilock, a Victoria digital-security company that is changing the cybersecurity game for good. With recent contracts with the U.S. Department of Homeland Security and Canada’s Department of National Defence and Canadian Armed Forces, Plurilock has achieved a period of record revenue growth for the company and is poised for, well, global domination.

What’s the buzz? An easier way to handle multi-factor authentication — one that doesn’t require a user to jump through hoops like signing in with a password, answering security questions or plugging in clunky hardware.

Rather, Plurilock deploys what’s known as identity-centric security, where the software monitors the way a user types on a keyboard and moves their mouse.

“What Plurilock is doing is ultimately using data to make an identity decision continuously throughout the day,” says CEO Ian Paterson, who has been with the company since it spun out from the University of Victoria.

“So rather than being asked for a password, either first thing in the morning or maybe sometime during the day … The question is, can we make the security environment so easy to use that users are not even aware that we’re there, and ultimately provide a more secure computing experience?”


Plurilock ADAPT is the company’s flagship multi-factor authentication product, used to seamlessly connect to systems or applications. An example comes from a recent pilot, Plurilock wrapped up with a prestigious New York hedge fund with more than 2,000 employees.

Two problems the company faced were ensuring the right people were pushing changes out to their trading models, and enabling those people to do it as quickly
as possible. Prior to Plurilock ADAPT, fund employees had been limited to signing in with a piece of plug-in hardware — not an ideal fit for a company culture that promotes flexibility and allows people to work remotely.

“If your hardware key was in your office, that was essentially a delay that could cost them a lot of money,” Paterson says.

Plurilock DEFEND is the company’s second product, an end point capability involving continuous authentication that can run directly on Macs or PCs,

or be embedded in iCloud applications. Every three to five seconds, DEFEND makes an identity decision based on the user’s behaviour.

Designed from the ground up to be privacy compliant, Defend doesn’t look at the
content of what the employee is doing — it looks at their behaviour or their behaviour biometrics.

“In other words, we don’t look at the words that they type,” says Paterson. “We don’t look at what websites they’re browsing. Certainly, there are other security applications that an organization may have in place that do those types of things. But for us, all we’re trying to do is decide: Is this the right person on that device — and to do it in a way that is both invisible and continuous throughout the day.”

DEFEND is suitable for organizations — banks, for example — where regulatory requirements demand specific measures to safeguard and protect data and use. DEFEND also offers a secondary benefit: a record of non-repudiation to validate which users accessed which records, and at what time.

“This becomes really important in industries like health care, where personal health information is obviously a regulated type of data,” says Paterson. “Enforcing that only the right people have access to it becomes really important, as well as being able to prove after the fact that, yes, in fact the right people had access to the right data and nobody else did.”


What makes Plurilock different than other security and tech companies, in general, is its rich base of applied research and development. Where typically data- science companies work on a pre-sale basis, convincing customers to commit to an idea and then building the idea to suit, Plurilock’s roots in pure research offered the company the freedom to evolve early on without any pressure to deliver a product to clients.

“What that has meant for us is that every single test we’ve done for the technology itself — our capabilities have always been at the top of the pack,” says Paterson. “And so it’s really provided us a competitive advantage, even as a relatively new company.”

Plurilock puts humans and human identity at the centre of the cybersecurity battle and then builds from there, says its director of Innovation Youssef Nakkabi. This enables the company to address critical gaps seen in other cybersecurity solutions.

“Our AI (Artificial Intelligence) technology combines three different basic strategies: behavioural biometrics, process analysis and network traffic behaviour analysis.

This three-pronged approach means that we’re able to recognize and prevent both human-driven and automated attacks with remarkable speed and accuracy.”


Plurilock’s DEFEND product began as the brainchild of University of Victoria (UVic) electrical and computer engineering professor Dr. Issa Traoré, who noticed gaps in cybersecurity offerings and wondered whether there might

be a way to identify individual users using a biometric signature. Research led to publications in prestigious academic journals and garnered interest in the cybersecurity market, and Traore and his PhD student, Ahmed Awad Ahmed, were off to the races.

The university filed patents on the technology, known as BioTracker in its early days. In 2008, Plurilock formed as a company, and UVic licensed the technology back to the company, posting some people to board positions and bringing in lawyers and accountants to advise.

“That was our role for the first several years up until around 2015, when they were taken over by another investor group that really helped take them to the next level, so to speak,” says Brent Sternig, UVic’s director of research partnerships and knowledge mobilization.

Growing out of UVic meant the team had access to research funding, an incredible talent pool and the university’s assistance in covering things like patent costs.

“It created a company that’s just a little bit different and unique when you compare it against other tech companies,” says Paterson. “It’s really what I attribute a lot of our success to.”

More Reading: Remote Work Tips from Plurilock

This article is from the April/May 2020 issue of Douglas.