Search results by: "remote working"
Data Exfiltration DLP Human Layer Security Spear Phishing
7 Concerns IT Leaders Have About Permanent Remote Working
By Laura Brooks
14 October 2020
According to Tessian research, 75% of IT leaders and 89% of employees believe the future of work will be “remote” or “hybrid” – a combination of working in the office and remotely.  This will have a significant impact on companies’ IT departments, who will be under pressure to deliver a seamless experience and create strategies that empower employees to work remotely and securely. In fact, 85% of IT leaders think they and their team will be under more pressure if their organization were to adopt a permanent remote working structure.  In this blog, we look at their top 7 concerns and explain how to overcome them.  1. Employee wellbeing Half of IT leaders’ are worried about staff’s wellbeing when they work remotely – making it the top concern among IT professionals.  Remote work can be incredibly stressful for employees. A survey by online employment platform Monster reported that over two-thirds of U.S. workers have experienced burnout symptoms while working from home. Why? Because people are more distracted, they’re taking less time off work, and they’re working longer hours. 61% of employees in another Tessian report said a culture of presenteeism in their organization makes them work longer hours than they need to.  The problem is that when people are stressed, tired and distracted, they make more mistakes that could compromise cybersecurity. In fact, 46% of employees say make more mistakes when they feel burned out.  IT professionals must recognize the correlation between employee wellbeing, their productivity, and security if they want to keep data and systems safe in a remote work world. Lead with empathy and find ways to prevent stressed and distracted employees from making costly cybersecurity mistakes.  2.Unsafe data practices 46% of IT leaders are also worried about employees practicing unsafe cybersecurity behaviors.  Their concerns are valid. A report published by Tessian in May 2020 revealed that 48% of employees feel they can get away with riskier cybersecurity behaviors when working from home, namely because they are working from unfamiliar devices and because they aren’t being watched by IT teams. A further 54% said they’ll find a workaround if security software or policies prevent them from doing their job. Educating employees on safe cybersecurity practices is a necessary first step. However, only 57% of companies implemented additional training at the start of the remote working period in March 2020. This isn’t trivial; businesses must continually educate staff on safe data practices because cybersecurity is rarely at the front of mind for every employee.  Businesses should also ensure that security solutions or policies do not stand in the way of people getting their jobs done. Workers will find the easiest or most convenient path, and this can often involve skirting around security rules. Security should, therefore, be as flexible as people’s working practices in order to mitigate unsafe behaviors online.
3. More data breaches Half of organizations we surveyed said they experienced a data breach or security incident between March and July 2020 – the period in which mandatory remote work arrangements were enforced. Consequently, 40% of IT leaders are worried their company will experience more data breaches if people continue to work remotely.  The causes of these data breaches included phishing attacks (49%), malware (45%) and malicious insider attacks (43%). In addition, 78% of IT leaders said they think their organization is at greater risk of insider threats when staff work from home.  To prevent data breaches caused by insider threats – and other threats caused by human error – IT teams need greater visibility into their riskiest and most at-risk employees. Only by understanding employees’ behaviors, can businesses tailor policies and training to prevent people’s actions from compromising company security and breaching sensitive data.  4. More phishing attacks Half of the security incidents reported between March-July 2020 were caused by successful phishing attacks – making phishing the top attack vector during this period of remote working.  Of the 78% of remote workers that received phishing emails while working on their personal devices, an overwhelming 68% clicked a link or downloaded an attachment from the malicious messages they received. It’s not surprising, then, that 82% of IT leaders think their organization is at greater risk of phishing attacks when people work remotely.  But why is phishing a greater risk for remote workers?  Because it is not uncommon for an employee to receive information about a new software update for a video conferencing app, or an email from a healthcare organization providing tips on how to stay safe, or a request from a supplier asking them to update payment details.  In fact, 43% of IT professionals said their staff had received phishing emails with hackers impersonating software brands, while 34% said they’d received emails from cybercriminals pretending to be an external supplier.  If the sender’s email domain looks legitimate and if hackers have used the correct logos in the body of the email, there’s very little reason why an employee would suspect they were the target of a scam. And, when working remotely, employees can’t easily verify the email with a colleague. They may, then, click the link to “join the meeting”, download the “new update” or share account credentials. To learn more about how to spot a spear phishing email, read our blog here.
5. The IT team’s bandwidth With organizations facing the threat of more data breaches and security incidents caused by unsafe cybersecurity behaviors, over a third (34%) of IT leaders worry that their teams will be stretched too far in terms of time and resource.  Security solutions powered by machine learning can help alleviate the strain. Solutions like Tessian use machine learning algorithms to understand human behaviors in order to automatically detect and prevent threats caused by human error – such as accidental data loss, data exfiltration or phishing attacks. When a potential threat is detected, the individual is alerted in real-time and a record of the incident is logged in a simple and accessible dashboard. IT professionals no longer have to spend hours manually looking back through logs to find incidents – the proverbial ‘needle in a haystack’.  When you consider that 55% of IT teams spend more time navigating manual processes than responding to vulnerabilities, finding ways to take away the manual, labor-intensive tasks will be critical in freeing up IT professionals’ time.  6. An increase to IT leaders’ workload In addition to concerns over their teams’ workloads increasing, IT leaders also fear they’ll face even longer to-do lists in a hybrid or remote working world. Why? To name a few: The majority of IT leaders will be implementing new BYOD policies, additional training programs, upgrades to endpoint protection as well as new VPNs in order to address employees’ expectations and safety.  They have to overcome challenges like data loss prevention (DLP), something 84% of IT leaders say is more difficult in distributed workforces.  They have to address and mitigate more security risks such as employees bringing infected devices or documents into the office, potentially compromising the company’s entire network.  According to Nominet’s 2020 report – The CISO Stress Report: Life Inside the Perimeter: One Year On – 88% of CISOs are moderately or tremendously stressed. What’s more, 95% work more than their contracted hours amounting to an extra 10 hours per week, on average.  As the pressure increases, businesses must find ways to alleviate stress and empower IT leaders to work effectively and efficiently in order to protect their company and employees.
7. Non-compliance with data protection regulations Nearly a third of IT leaders said that remote working could compromise compliance with data protection regulations.  In the last year, misdirected emails have been the number one cause of data breach incidents reported to the Information Commissioner’s Office. A previous Tessian report found that 58% of employees have sent an email to the wrong person during their career and, of these misdirected emails, nearly a fifth (17%) were sent to the wrong external party.  Their reasons? Nearly half said it was because they were tired and 41% said the error was made because they were distracted. Given that studies have shown people are feeling more fatigued and more distracted while working remotely, there is cause for concern that data breaches, caused by human error, will only increase.  Instead of expecting people to do the right thing 100% of the time while working away from the office, invest in security solutions that preempt these errors by detecting and preventing them from happening in the first place. That way, IT leaders can proactively stop sensitive information from leaving their environment, company IP stays secure, compliance standards are met, and customer trust is maintained. To find out more, read the full report – Securing the Future of Hybrid Work – here.
Data Exfiltration Human Layer Security Spear Phishing
How Hybrid-Remote Working Will Affect Cybersecurity
By Laura Brooks
29 September 2020
When the world went into lockdown, ways of working changed forever.  Mandatory remote work arrangements meant people had to find ways to get their jobs done in their homes and most of us quickly settled into a new rhythm of work. Now, after months of being away from the office, the so-called “new normal” is starting to feel, well, just normal. Employees don’t want to give up the level of flexibility and autonomy they’ve come to experience.   In fact, according to our latest report, Securing the Future of Hybrid Working, just 11% of UK and US employees said they’d want to work exclusively in the office post-pandemic, with the average employee wanting to work from home at least two days a week. And, over a third of people said they wouldn’t even consider working for a company if it didn’t offer remote working in the future. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Keep reading to find out: How IT leaders think remote and hybrid working will affect cybersecurity What these new set-ups will do to IT teams’ workloads How business’ can balance flexibility and security Remote, office-based, or a bit of both?  Businesses have some big decisions to make. Do they encourage employees to come back to the office post-pandemic, or opt for a fully remote workforce?  For many, a hybrid model – where employees can split their time between working in the office and anywhere else they’d like – appears to be the best option for the long-term future of their company. Google, for example, has already announced that this is the approach it’ll take.  This way of working requires companies to completely transform the way their companies have previously run – and it may come at the IT department’s expense. The majority of IT leaders surveyed believe permanent remote work will put more pressure on their teams, while over a third (34%) are worried about their workers becoming stretched too far in terms of time and resource. This is because, while it is great for employees, a hybrid way of working actually offers the worst of both worlds for IT teams who have to simultaneously manage and mitigate security risks that occur in and out of the office, while providing a seamless experience that enables employees to work-from-anywhere. Why would permanent remote working arrangements increase IT teams’ workload?  One of IT teams’ biggest concerns is the risk of phishing attacks, with 82% of IT leaders believing employees are at greater risk of phishing attacks when working remotely. Their concerns are valid; over three-quarters of employees said they received a phishing email while working on their personal device between March and July 2020, and 68% admitted to clicking a link or downloading an attachment within that email. In fact, our report shows that nearly half of companies experienced a data breach or security incident between March and July 2020 – the remote working period enforced by the global pandemic – and half of these incidents (49%) were caused by phishing attacks.  This made phishing the leading cause of security incidents during this time.
Insider threats are another concern. Over three-quarters of IT leaders (78%) think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure. Such risks include employees bringing infected devices or documents into the office after working remotely and sharing sensitive information with their personal accounts.  It’s also worrying that 43% of the security incidents reported between March – July 2020 were caused by malicious insiders. For more information about the different “types” of insiders and real-world examples of each, visit our blog. The problem is that insider threats are much more difficult to detect and mitigate when workforces are distributed. Why? A lack of visibility.  A previous Tessian report revealed that nearly half of employees feel like they can get away with unsafe cybersecurity practices when working away from the office because they aren’t being watched by their IT team.   Then, there are the security risks associated with Bring Your Own Device (BYOD) practices.  Half of employees we surveyed have been working on their personal devices since the world went into lockdown in March 2020. The top BYOD security risks cited by IT professionals included: The downloading of unsafe apps Malware infections Software updates.  It’s not surprising, then, that 1 in 3 IT leaders are worried about their teams being too stretched in terms of time and resource in a permanent remote working structure. 
How can businesses balance flexibility and security without draining IT teams’ resources?  Securing distributed workforces isn’t going to be easy. Why? Because businesses must transform and reinvent ways of working but IT teams are under-resourced and budgets are getting smaller and smaller. Failure to transform and deliver a seamless hybrid experience, though, could threaten companies’ security posture and see businesses losing out on talent.  Education on the threats people can be exposed to and the threats they pose to company security when working away from the office is, therefore, an important first step. So, it is encouraging to see that 58% of IT leaders are planning to introduce more security training should their company adopt a permanent remote working structure.  But approaches to training may need a rethink so that it resonates with employees and isn’t seen as “just another thing” on people’s to-do list. According to our report, despite 57% of IT departments implementing more education and security training for their employees during the pandemic, nearly 1 in 5 workers said they didn’t even take part. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); This brings us to our second recommendation – security solutions shouldn’t hinder people’s productivity.  It’s clear people want to be able to work flexibly, so tools need to be flexible, too. Solutions like Tessian are invisible to employees until threats are detected, which means we cause minimal disruption to people’s workflow. Our warnings are helpful and educational, not annoying. We give people the information they need to make safer cybersecurity decisions and improve their behaviors over time.  Lastly, IT teams need greater visibility into their riskiest and most at-risk employees – regardless of where they’re working – in order to tailor training and policies and improve cybersecurity behaviors over time. Getting this level of visibility shouldn’t be a burden to the IT team, though. IT teams have enough going on, so solutions that leverage machine learning can take away labor-intensive tasks and help free up IT professionals’ time.  The way people work is quickly changing. But one thing will stay the same; you need to protect your organization’s most important asset – your people.  Businesses that protect their people from security threats and empower them to do great work, without security getting in their way, will set themselves for long-term success.  Read the full report – Securing The Future of Hybrid Working – today.
Compliance Data Exfiltration DLP Human Layer Security Spear Phishing
13 Cybersecurity Sins When Working Remotely
By Maddie Rosenthal
27 May 2020
Over the last eight weeks, security vendors, thought leaders, and even mainstream media have been offering employees advice on how to stay secure and productive while working from home. And, why wouldn’t they? The transition from office-to-home has been both sudden and challenging and the risks associated with data loss haven’t disappeared just because the perimeter has. At Tessian, we’ve created (and have been consistently updating) our own remote-working content hub filled with actionable advice for security, IT, and compliance professionals as well as employees. While you can find the individual articles below, we thought we’d combine all of the tips we’ve shared over the last two months into one easy-to-read article. Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Ultimate Guide to Staying Secure While Working Remotely  Remote Worker’s Guide to: Preventing Data Loss Remote Worker’s Guide to: BYOD Policies  11 Tools to Help You Stay Secure and Productive While Working Remotely  Here are 13 things you shouldn’t do when working remotely from a cybersecurity perspective.  1. Don’t send company data to your personal email accounts. As many organizations have had to adopt new tools and systems like VPNs and Cloud Storage on the fly, some employees may have had to resort to sending company data to their personal email accounts in order to continue doing their job.  We understand that doing so may have been viewed at the “only option”, but it’s important to note that this is not wise from a security perspective. While we’ve written about this in detail on our blog The Dark Side of Sending Work Emails “Home”, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts. Why? Read point #5 to find out.  2. Don’t share Zoom links or Meeting IDs.  Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But, as we highlighted in our Ultimate Guide to Staying Secure While Working Remotely, there are precautions you must take in order to prevent attackers from infiltrating your calls. While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.  Importantly, this Meeting ID appears at the top of your conference window, which means if you share a screenshot of your call, anyone who sees the screenshot can access this meeting. If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join. 3. Don’t ignore warnings from IT and security teams or other authoritative sources.  Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them. But – importantly – these warnings are useless unless employees heed the advice.  Whether it’s an email outlining how to spot a phishing email or an announcement from your line manager about updating your iOS, employees should take warnings seriously and take action immediately.  4. Don’t work off of personal devices.  While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices. Note: Some organizations have adopted more flexible BYOD policies. You can learn how to combat the security risks associated with these policies on our blog. 5. Don’t action email requests without double-checking their legitimacy.  Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.  For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentialsor other personal information, get in touch with them via phone or a separate email thread before responding.  6. Don’t use weak passwords.  Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data.  If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins.  If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. 7. Don’t lose touch with your IT or security teams.  Communication – especially during periods of transition and disruption- is key.  If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected.  8. Don’t use public Wi-Fi or mobile hotspots.  Given the digital transformation, most of us rely on internet access to do our jobs. Unfortunately, we can’t connect to just any network.  The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. With that said, you should only use networks you’re absolutely confident are secure.  9. Don’t download new tools or software without approval.  IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion. Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”.  10. Don’t leave work devices or documents in plain sight.  Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too.  Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or client information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft.  Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously. 11. Don’t give hackers the information they need to execute social engineering attacks.  When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Don’t make it easier for them by sharing personal information on OOO messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.  12. Don’t be afraid to ask questions about security policies and procedures.  When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place. IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request.   13. Don’t forget the basics of security best practice.  While we’ve offered plenty of advice that’s specific to remote-working, following general security best practices will help prevent security incidents, too.  Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn’t, below are some of the basics. Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization.  If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key! What’s next? While most organizations and individuals have started to adjust to “the new normal”, it’s important to remember that, eventually, some of us will move back to our office environments. The above tips are relevant wherever you’re working, whether that’s at home, from a cafe, on public transport, or at your desk in the office. Looking for more insights on what\s next in this new world of work? We’re hosting our first virtual Human Layer Security Summit on June 18. Find out more – including the agenda for the day – here. 
Compliance Data Exfiltration DLP Spear Phishing
Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges
15 April 2020
As a part of our ongoing efforts to help security professionals around the world manage their new remote workforces, we’ve been holding virtual panel discussions and roundtables with ethical hackers and security and compliance leaders from some of the world’s leading institutions to discuss cybersecurity best practice while working from home. Our panelists and speakers have included David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, Jenna Franklin, Managing Counsel, Privacy & Data at Santander, Stacey Champagne, Head of Insider Threat at Blackstone, Ben Sadeghipour, Head of Hacker Education at HackerOne, Chris Turek, CIO at Evercore, Jon Washburn, CISO at Stoel Rives, Peter Keenan, CISO at Lazard, Gil Danieli, Director of Information security at Stroock, and Justin Daniels, General Counsel at Baker Donelson We’ve compiled some of the key takeaways to help IT, privacy, and security professionals and employees stay secure wherever they’re working. 
How to defend against spear phishing (inbound threats) Communicate new threats. Cybercriminals are carrying out opportunistic phishing attacks around COVID-19 and the mass transition from office-to-home. Keep employees in the loop by showing them examples of these threats. But, it’s important to not over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. Create policies and procedures around authenticating requests. Communicating new threats isn’t enough to stop them. To protect your employees and your data, you should also set up a system for verifying and authorizing requests via a known communication channel. For example, if an employee receives an email requesting an invoice be paid, they should contact the relevant department or individual via phone before making any payments. Enable multi-factor authentication. This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.   Encourage reporting. Creating and maintaining a positive security culture is one of the best ways to help defend against phishing and spear phishing attacks. If employees make a habit of reporting new threats, security and IT teams have a better chance of remediating them and preventing future threats.  Update security awareness training. Remote-working brings with it a host of new security challenges. From the do’s and don’t of using personal devices to identifying new threat vectors for phishing, employees need to refresh their security know-how now more than ever.
How to defend against data exfiltration (outbound threats) Exercise strict control over your VPN. Whether it’s disabling split tunneling on your  VPN or limiting local admin access, it’s absolutely vital that you minimize lateral movements within your network. This will not only help prevent insider threats from stealing data, but it will also prevent hackers from moving quickly from one device to another.  Block downloads of software and applications. This is one of the easiest ways to minimize the attack vectors within your network. By preventing downloads by individual users, you’ll be able to exercise more control over the software and applications your employees use. This way, only vetted tools and solutions will be available for use.  Secure your cloud services. As workforces around the world are suddenly remote, cloud services are more important than ever. But, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Create a system for onboarding and offboarding employees. Both negligent and malicious incidents of data exfiltration are on the rise. To prevent new starters or bad leavers from mishandling your data, make sure you create and communicate new policies for onboarding and offboarding employees. In order to be truly effective, this will need to be a joint effort between HR, IT and security teams. Update security awareness training. Again, remote-working brings with it a host of new security challenges. Give your employees the best chance of preventing data loss by updating your security awareness training. Bonus: Check your cybersecurity insurance. Organizations are now especially vulnerable to cyber attacks. While preventative measures like the above should be in place, if you have cybersecurity insurance, now is the time to review your policy to ensure you’re covered across both new and pre-existing threat vectors.  Our panelist cited two key points to review: If you are allowing employees to use personal devices for anything work-related, check whether personal devices are included in your insurance policy. Verify whether or not your policy places a cap on scams and social engineering attacks and scrutinize the language around both terms. In some instances, there may be different caps placed on these different types of attacks which means your policy may not be as comprehensive as you might have thought. For example, under your policy, what would a phishing attack fall under? 
How to stay compliant Share updated policies and detailed guides with employees. While employees may know and understand security policies in the context of an office environment, they may not understand how to apply them in the context of their homes. In order to prevent data loss (and fines), ensure your employees know exactly how to handle sensitive information. This could mean wearing a headset while on calls with clients or customers, avoiding any handwritten notes, and – in general – storing information electronically. Update security awareness training. As we’ve mentioned, organizations around the world have seen a spike in inbound attacks like phishing. And, when you consider that 91% of data breaches start with a phishing attack, you can begin to understand why it’s absolutely essential that employees in every department know how to catch a phish and are especially cautious and vigilant when responding to emails. Conduct a Data Protection Impact Assessment (DPIA). As employees have moved out of offices and into their homes, businesses need to ensure personal data about employees and customers is protected while the employees are accessing it and while it’s in transit, wherever that may be. That means compliance teams need to consider localized regulations and compliance standards and IT and security teams have to take necessary steps to secure devices with software, restricted access, and physical security. Note: personal devices will also have to be safeguarded if employees are using those devices to access work.  Remember that health data requires special care. In light of COVID-19, a lot of organizations are monitoring employee health. But, it’s important to remember that health data is a special category under GDPR and requires special care both in terms of obtaining consent and how it’s processed and stored.  This is the case unless one of the exceptions apply. For example, processing is necessary for health and safety obligations under employment law. Likewise, processing is necessary for reasons of public interest in the area of public health. An important step here is to update employee privacy notices so that they know what information you’re collecting and how you’re using it, which meets the transparency requirement under GDPR.   Revise your Business Continuity Plan (BCP). For many organizations, recent events will have been the ultimate stress test for BCPs. With that said, though, these plans should continually be reviewed. For the best outcome, IT, security, legal, and compliance teams should work cross-functionally. Beyond that, you should stay in touch with suppliers to ensure service can be maintained, consistently review the risk profile of those suppliers, and scrutinize your own plans, bearing in mind redundancies and furloughs.  Stay up-to-date with regulatory authorities. Some regulators responsible for upholding data privacy have been releasing guidance around their attitude and approach to organizations meeting their regulatory obligations during this public health emergency.  In some cases, fines may be reduced, there may be fewer investigations, they may stand down new audits, and – while they cannot alter statutory deadlines – there is an acknowledgment that there may be some delays in fulfilling certain requests such as Data Subject Access Requests (DSARs). The UK privacy regulator, the ICO, has said they will continue acting proportionately, taking into account the challenges organizations face at this time. But, regulators won’t accept excuses and they will take strong action against those who take advantage of the pandemic; this crisis should not be used as an artificial reason for not investing in security.  
Looking for more advice around remote-working and the new world of work? We’ve created a hub with curated content around remote working security which we’ll be updating regularly with more helpful guides and tips.
Compliance Data Exfiltration DLP Human Layer Security Spear Phishing
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
27 March 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home” It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.  Personal email accounts can be compromised, especially as they are often configured with weak passwords Email is not a default encrypted medium. If an attacker were in a position to intercept your email, they would be able to read them, and any attachments if not encrypted Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.  Public Wi-Fi vs. using a personal device as a hotspot While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.  As an employee, here’s what you can do to be safe: When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and let alert your IT team of the oversight.  Ensure you keeping VPN software on work devices up-to-date Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.  From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.  This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.  Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password. But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider: How the data is backed up Risks associated with denial of service (DOS) attacks  Legal complications that may arise from certain types of data being stored overseas Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important. Conferencing and collaboration tools Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.  We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.  For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.   
How to physically protect your devices Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.  This has the added benefit of showing clients or other professional contacts that the business takes security seriously. About that OOO message… “Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…” It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker. Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away. Top tips for businesses setting up remote-working policies…. Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight. When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them. Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake. Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout. Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions. Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments. Top tips for employees working from home… Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to. Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you. Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring. During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.  FTC online security tips for working from home NCSC issues guidance as home working increases in response to COVID-19 We’ll also continue sharing best practice tips both on our blog and on LinkedIn. 
DLP
11 Tools to Help You Stay Secure and Productive While Working Remotely
23 March 2020
With the outbreak of COVID-19, organizations are relying on tools and software to enable their employees to work remotely. While this transition from office-to-home may be relatively seamless for some, it can be quite a challenge for those who didn’t already have these virtual systems set-up and deployed. As a tech start-up, Tessian has had remote-working processes and security policies in place since the beginning and, as a part of that, we have a long list of fully vetted productivity tools and software that we’ve made available to our employees.  So, to help IT, security, operations, and HR teams around the world balance productivity and security, while also attempting to conduct “business as usual”, we’re sharing applications we use to ensure our people are always protected while working, whether that’s from the office or from home.
What should you consider before onboarding an application? There are a lot of collaboration and productivity tools out there. But, it’s crucial organizations only use those that have the highest standards and protocols around safeguarding data.  At Tessian, we scrutinize and vet all applications to ensure they comply with our own strict data and privacy protection criteria. While the below assessment isn’t exhaustive or applicable to all tools, software, or applications that might be useful while employees are working remotely, it should help you identify products that are sound from an information security and data protection perspective.  Does the application process personal data? If so, why and in what volume? Where is the data processed?  Does the application take back-ups of data? If so, how often? Who has access to the data in the platform? Is access conditional upon Multi-Factor Authentication (2FA, for example)?  Does the application have a policy in place that addresses Incident Response to patching and other security issues? Does the application protect data in transit between services using encryption?  Does the application protect internal data in transit? If so, how? Is the application certified with any regional or international data security standards? Not sure where to find all of this information? You should be able to find vendor’s privacy and data policies on their website. You can also contact them directly. For example, we always ask that a vendor assessment form be completed and, when solutions process a large amount of data, we’ll schedule a follow-up call.
Collaboration and productivity tools we use at Tessian Zoom Used across every department at Tessian, Zoom is a video conferencing platform that helps keep us connected with each other and our customers across continents. Now, we’re even using it for our weekly all-company meetings, which means almost 200 people are joining at once. It’s made collaboration – especially in isolation – much easier.  You can record the sessions, break larger groups into smaller teams via Breakout Rooms, and there’s an add-in for calendar systems which makes scheduling virtual meetings as easy as in-person meetings. While they’ve always offered solutions for educators, healthcare providers, and virtually every other industry, Zoom has developed even more solutions and resources in light of the pandemic. Use this resource to find out how Zoom can support businesses moving to a remote-working model. Clubhouse While we use other project management platforms like Trello, Clubhouse is a favorite amongst our product and engineering teams because it’s made specifically for developers and is deeply integrated with GitHub. It makes creating and tracking workflows for features, bugs, sprints, or long-term projects easy. GitHub For most engineers, this is an obvious one, but worth mentioning nonetheless. GitHub was built for developers and allows users to host and review code, manage projects, and build software, all in one place.  Importantly from a security and admin perspective, you can deploy it to your environment or to the cloud.  OpenVPN In any remote-working environment, secure access to network resources is the top priority. If employees can’t access their work, they can’t do their jobs. And, to prevent employees from sending work emails to personal accounts or exfiltrating data, organizations have to implement a solution that extends to different sites, devices, and users.  We use OpenVPN. In addition to extending centralized unified threat management to remote networks, encryption ensures privacy on different Wi-Fi networks.  Google Drive We also use Google’s cloud storage system, Google Drive, to enable file sharing in and out of the office. Again, the name of the game is collaboration and with integrations into other applications like Google Docs, Slides, and Sheets all available on desktop and mobile, it’s easy for different individuals and entire teams to work together.  But, it’s important that you implement security processes to ensure everything you store in your Drive stays safe. To start, you should secure access to the Drive by enabling 2FA for all Google Accounts and set-up strict policies around sharing documents externally. You should also limit access internally to different Drives. For example, each department can have its own, limited-access Drive in addition to an all-company Drive. Peakon Knowing how your employees are feeling is essential for business growth and personal development. Of course, gauging employee engagement and experience is easier said than done and is especially difficult when your entire organization is working remotely. Peakon does the heavy lifting for you via bi-weekly online surveys and enables HR, People, and Executive teams to make changes to their organization that make an actual impact. How? By gathering feedback from every employee anonymously and comparing results to industry benchmarks.  IronClad IronClad is a digital contract platform that makes workflows for legal, finance, sales, and recruitment teams seamless.  The difference between this application and other services that let people “sign” digital agreements (DocuSign, Adobe Sign, etc.) is that IronClad extracts and catalogs metadata from contracts and integrates with other systems and platforms to make information accessible and actionable.  Slack According to the brand’s tagline, Slack is “where work happens” and, while many organizations use it in an office environment on top of email, it’s especially helpful for remote-working teams.  You can create different channels for different projects or conversations, update your “status” to let your co-workers know you’re ill, in transit, or away from your computer, and even loop in contacts from outside of your organization.  The company has seen a surge in usage since the outbreak and is rolling out new features to make the app (on both mobile and desktop) easier to use. Better still, there are three different plans available depending on your needs, including a free version.  Confluence Confluence – an Atlassian product – is a knowledge management tool. We use it as an ever-evolving source of truth for our organization: our wiki. Every team inputs and updates key information – from processes to KPIs – so that internally, anyone, at any time, anywhere, can quickly and easily find answers to questions related to onboarding, our products, or internal policies.  Figma Used by our product, design, and marketing teams, Figma is a web-based all-in-one design tool that makes collaboration and iteration fast and easy. You can share projects internally or externally with a URL, which means you don’t have to continually upload, save, or sync projects.  This is huge and means you can move from design-to-code more seamlessly. Beyond that, there are built-in commenting features that can integrate with Slack so that different people can track progress and flag issues in real-time.  Astute eLearning The need for training, whether around compliance, security, or something department-specific, doesn’t go away simply because an organization has moved from an office to a virtual environment. And, unfortunately, engaging with employees for training can be hard in-person, which means it’s an even bigger challenge while they’re out-of-office. At Tessian, we’ve used Astute eLearning, a web-based learning experience platform that lets your employees complete online training. Using the platform’s bank of certified videos and skills-assessments, you can monitor your employees’ progress through courses and, from that, identify and close any skills gaps.  Top tip: To ensure your employees are enabled to sign-in to all of these different apps securely and quickly, we also recommend using a password manager and Single Sign-On tool.  Want more information? As we all try our best to adapt to the “new normal” during these uncertain and challenging times, we’ll continue sharing best practice tips to keep our employees, customers, and the general community secure while working remotely.  Check back on our blog for the latest updates.
Spear Phishing
CISA Warns of New Attacks Targeting Remote Workers
14 January 2021
tl;dr: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a string of successful phishing attacks exploiting weak cyber hygiene in remote work environments to access companies’ cloud services via employees’ corporate laptops and personal devices.*  According to the report, “the cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. … A variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” 
Once the hackers had access an employee’s account, they were able to: Send other phishing emails to contacts in the employee’s network.  Modify existing forwarding rules so that emails that would normally automatically be forwarded to personal accounts were instead forwarded directly to the hacker’s inbox.  Create new mailbox rules to have emails containing specific keywords (i.e. finance-related terms) forwarded to the hacker’s account. This type of malicious activity targeting remote workers isn’t new. Henry Trevelyan Thomas, Tessian’s VP of Customer Success has seen many instances this year. “The shift to remote work has resulted in people needing more flexibility, and personal accounts provide that—for example, access to home printers or working from a partner’s computer. Personal accounts are easier to compromise as they almost always have less security controls, are outside organizations’ secure environments, and your guard is down when logging on to your personal account. Attackers have realized this and are seeing it as a soft underbelly and entry point into a full corporate account takeover.” Learn more about Account Takeover (ATO), and take a look at some real-life examples of phishing attacks we spotted last year.  CISA recommends the following steps for organizations to strengthen their cloud security practices: Establish a baseline for normal network activity within your environment Implement MFA for all users, without exception Routinely review user-created email forwarding rules and alerts, or restrict forwarding Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution. Consider restricting users from forwarding emails to accounts outside of your domain Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities. Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently. For more practical advice on how to avoid falling for a phishing scam, download Tessian’s guide to Remote Work and Cybersecurity. What Tessian’s Experts Say
Free resources to help keep your employees and organization secure.
*Note: the activity and information in this Analysis Report is not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.
Tessian Culture
Introducing Tessian’s New Hybrid Remote Model: Choice First
By Paige Rinke
04 December 2020
We certainly won’t be the first to have made this claim in the last nine months but…the world has changed. Yes – we’ll say it – these are unprecedented times.  That’s why companies around the world are reinventing their approach to engaging with and supporting their people. How has Tessian adapted so far this year? So, what have we done at Tessian? A lot.  We’ve reimagined how we socialize and connect with Tessians all over the world (yes, there’s been bingo!). We’ve set up fully remote onboarding for the first time ever. We’ve even ever-so-briefly re-opened our London office, with super safe protocol and measures put in place to protect those of us who wished to return. We’ve done it all. But undoubtedly the biggest challenge we’ve had to grapple with – and therefore the question we’ve had to answer – is this: What should the new world of work look like for Tessians when things start to return to “normal”?  We know for sure that our office of the future will be very different from our office of the past, but what exactly does it look like? And, more importantly, how do we support  Tessians while the future is still so unclear? It’s been a journey, but we’re excited to finally share Tessian’s plans for the future. It’s looking bright – and full of choice. What does the new world of work look like at Tessian? Some companies pride themselves on being entirely remote. And there are no doubt benefits to this simplified approach. No office politics. And, decisions don’t get made “where the action is” (in the office) because, well, there isn’t one! Others are still trying to retain an office that puts culture first. They want to create a space that fosters collaboration and offers the social benefits that are synonymous with a bustling office.  But we believe that both of these approaches – while possibly easier and with fewer risks to manage – miss out on one of the most important determinants of happiness and wellbeing in our lives: Choice. So, at Tessian, we’re excited to announce our new approach to the future of work: Choice First What is Choice First? Choice First enables Tessians and future Tessians to do their best work, in whatever way is best for them. Put simply, we will be giving our team three options to choose from, with as few caveats as possible:
Why have we landed here (and not remote first, or office first)? We have done extensive internal and external research, and there are three core reasons we believe this is the way forward.  1. Attract (and keep!) world-class talent  We know that the best companies in the world will be adopting remote options for employees while keeping hubs for those employees who prefer being able to work and socialize in the office. It’s about getting the best of both.  We want to be amongst these companies. That way, we can continue to attract and retain the best people.  Internally, having heard from our people (our Culture Council has done some great work here), some Tessians can’t wait to get back to the office.  We want to ensure that we still have this option in the future. In fact, some have even said they wouldn’t want to work for a company that didn’t have this as an option! But some Tessians have experienced an enormously positive change in their lives since skipping the commute to the office every day. We need to ensure that we offer both. Just look at the results of our most recent research report, Securing the Future of Hybrid Working. You can see employees really do want to be able to work from anywhere. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 2. Diversity catalyst  This will open doors to new pools of diverse talent and will make room for every potential Tessian. We believe this will support us in creating a more diverse “place” to work by:  Opening up talent pools in different locations around the country (and world!) Allowing those who need to work from home for health reasons, or due to caring or other responsibilities, will be able to join the Tessian experience Enabling those who do want to enjoy the social elements of an office to do so Learn more about why diversity is important at Tessian…from Tessians. Watch the video now. 3. Take care of Tessians and support wellbeing Choice First allows people to be in control of their own working lives.  Which is a good thing. Why? Because what works for one person may not work for another.  Studies have shown that when employees are given the freedom to make the right choices for their career and their life outside of work, their holistic wellbeing will be greater.  Surprisingly, given how difficult this period of working from home has been, our own engagement data is backing up how not being in the office can increase wellbeing. We’ve had a significant (over 10%!) uplift in our company engagement scores against the “health” driver (which measures things like mental and physical wellbeing) since leaving the office back in March.  So, for people to do their best work, and have good holistic wellbeing, we need to enable choice around work locations and preferences. What about the risks?  We all know that introducing a hybrid culture is not without its challenges. So we’re dedicating significant time and resources over the coming months to counteract these. Just some of the key things we’re thinking about are below.  Culture Inclusivity – How do we make sure people aren’t left out because they do or don’t work in the office? Communication – How do we make sure people feel connected to what’s happening at Tessian? Fun – How do we keep things interesting in a hybrid environment? Fairness – How do we make sure no one is positively or negatively impacted due to their choice? Ways of working Communication – When do we use synchronous vs asynchronous communication? How we work – Are hybrid working patterns different from office-based patterns? Security – How can we continue leveraging technology, policies, and training to keep our people safe, wherever and however they work?  Amplifying performance – How can we provide in-the-moment feedback and help Tessians do their best work, even when we’re not all together? Effectiveness – Does hybrid make it harder to get stuff done? Do we have the right tools in place to support everyone? What’s next? There is still a lot of work to be done. We will be mobilizing our internal teams to make sure our current employees and future Tessians have clarity about their options. Of course, decisions don’t need to be made just yet. Watch this space for more insights about our journey – we can’t wait to share it with you.
Customer Stories Human Layer Security
Recap: Tessian Webinar, How to Build a Security Culture in Today’s Working World
By Monica Nio
04 November 2020
In our most recent research report, Securing the Future of Hybrid Working, we revealed that 75% of IT decisions makers believe the future of work will be “remote” or hybrid” – where employees could work wherever and however they’d like. So, we wanted to find out: How that might affect an organization’s security culture Why a positive security culture is even more important when employees are remote  How automation can help ease the burden on thinly-stretched IT teams while empowering employees to make smarter security decisions We explored these topics with Rachel Beard, Principal Security Technical Architect at Salesforce, and Ray Chery, SVP and Co-Head of Security Softwares at Jefferies. The discussion was led by Trevor Luker, Tessian’s VP of Information Technology.  Want to watch the full video? You can view it on-demand here. Otherwise, read our notes below for key takeaways and quotes from the panelists.  Want to learn more about our guest speakers and their companies? Skip down to the bottom of the page. And, if you want to be the first to know about future virtual events, subscribe to our newsletter.  5 key takeaways from the Tessian webinar We have to re-learn how to communicate in a hybrid work structure. Gone are the days of just walking up to our colleagues and asking if they sent that suspicious email or tapping someone in IT on the shoulder to clarify a new security policy.  That means security and business leaders need to arm their teams with tools to collaborate and frequently check-in to make sure each and every employee feels comfortable with their new remote set-up. The key to a positive security culture is making employees feel like they play an active role in protecting the organization’s systems and data. But how? Instill the value of privacy and security from the outset with training and other programs and initiatives. Watch the full webinar for more insights into exactly what Rachel and Ray do at Salesforce and Jefferies.   There are benefits and drawbacks to hybrid work. According to Rachel and Ray, productivity is on the rise, which is great news. Teams are aligning on shared goals and initiatives, despite being physically distant. But people are missing the “human” interaction and camaraderie of an in-person office and many are finding it difficult to separate their personal and professional lives. It’s essential you tackle this problem head on and prioritize employee wellbeing.  Automated tools can make security accessible for everyone. This also contributes to a positive security culture by reducing IT teams’ workload. More on this in the summarized Q&A below. Jefferies uses Tessian to prevent misdirected emails. Ray’s team loves Tessian for its “noise-to-value ratio”. So, what makes Tessian so easy to use? Our technology is powered by machine learning, which means our solutions automatically detect and prevent threats like data exfiltration, misdirected emails, and spear phishing with accuracy and ease.  To find out more about how Rachel and Ray think about security culture, Trevor asked them both several questions about their perspective on automation and how to make employees a part of the solution.  We summarized their answers below. Remember, you can watch the full interview here. Q. Prior to COVID, Jefferies went from 5% to 99% of their employees working remote. Will this change be permanent? Ray: “We’re all more comfortable with getting things done from home; we’ve had to grow accustomed to it over the course of the last couple months. [However], our IT team is planning on going back to being in the office 2 or 3 of the 5 days every week. And part of that is driven by the fact that the interaction with the team is different virtually. Teams that really do interact more collaboratively feel the need to still be in the office. I definitely think hybrid work is here to stay.”  Q. Would you say that increased employee workload makes your organization more vulnerable? Ray: “We’re all doing a million things at once. When you’re stretched that thin all the time, folks tend to make mistakes, are more likely to click on an email that they’re not supposed to, or may not be reading things as thoroughly as they need to. The risks are definitely enhanced given that everyone is working from home now.”  Looking for more insights into why people make mistakes and how businesses can prevent errors before they turn into breaches? Check out our research, The Psychology of Human Error. Q. How can automation save your IT team’s time? Rachel: “At Salesforce, we’ve always had a lot of self-service mechanisms. We have Concierge as our service where you can go searching for the information that you need and open a ticket only if you need advanced help. But now, we’re looking at other ways that our customers can do the same. That way, IT can be more available for the highly specialized activities, and some of the more routine ones can be addressed by the employees themselves.”  Ray: “Ultimately, there’s no patch for human error. Humans are going to make mistakes. I think as much automation as we can incorporate into our security stack is really for the better. It removes repetitive errors, streamlines incident management, and reduces the boring stuff that our security analysts need to do. Instead of formally writing tickets and reaching out to me as an employee every time I violate an email rule, we can set it up as such so there’s a pop-up instead.” 
Q. Can tools add to an organization’s security culture in a positive way? Rachel: “Yes, when you have the guidelines and boundaries in a really transparent way. It makes everything more safe for everybody. You just have to think about how to implement that so that you allow your users to be able to do their work effectively and not get in their way too much or become an obstacle while protecting your sensitive data.”  Q. How has Tessian’s Guardian helped with Jefferies’ security culture in today’s working world? Ray: “We’re doing so many things now at home. And at home, we’re more exposed and more likely to make mistakes. We love Tessian because it’s very low-impact [on obstructing employees’ work]. It is a product that delivers with accuracy. Our IT team likes the noise-to-value ratio. When I think about the misaddressed email capabilities alone – we’re all sending a million emails a day – it’s very easy for us to send an email to the wrong person. The way that Tessian handles it in a seamless way is really great.”  Learn how Guardian can help your organization prevent accidental data loss. View Guardian’s page now. For more insights and personal anecdotes, watch the full video now.  About Rachel Rachel Beard is the Principal Security Technical Architect at Salesforce. Rachel joined Salesforce in 2014 and is a Principal Security Technical Architect.  Rachel’s areas of expertise are Salesforce security, data privacy, and compliance. She has over 14 years experience at Salesforce, spanning everything from System Administrator to Developer and even Product Marketing. Rachel is also the volunteer coordinator for Wet Nose Rescue, a leader of a Pride ERG at Salesforce, and a chair on the Diversity & Inclusion Committee at her local public school.  About Ray Ray Chery is the SVP and Co-Head of Security Software at Jefferies. Ray Chery is Senior Vice President and Co-Head of Security Software in Jefferies’ Technology Investment Banking Division. Based in San Francisco, Ray focuses primarily on enterprise security software. He has advised on more than $50B in transaction value over his 14-year career as a technology banker and has worked with and advised companies such as Bomgar, Carbonite, CrowdStrike, DigiCert, Forcepoint, Gigamon, Imperva, Plexxi, Sailpoint and Tufin.  He has also served on the Young Professional Advisory Council (YPAC) and continues to volunteer with Make-A-Wish Greater Bay Area. About Jefferies Jefferies, the global investment banking firm, has served companies and investors for over 55 years. Headquartered in New York, with offices in over 30 cities around the world, the firm provides clients with capital markets and financial advisory services, institutional brokerage and securities research, as well as asset and wealth management. About Salesforce Salesforce is a customer relationship management solution that brings companies and customers together. It’s one integrated CRM platform that gives all your departments — including marketing, sales, commerce, and service — a single, shared view of every customer.
DLP
Remote Worker’s Guide To: BYOD Policies
16 April 2020
With the outbreak of COVID-19, workforces around the world have transitioned from secure office environments to their homes.  While some companies already had the infrastructure and policies in place to support a remote workforce, other smaller organizations and even some large enterprises are facing a number of challenges in getting their teams set up, starting with access to secure devices like laptops and phones. One way to empower your employees to work safely wherever they are is to implement BYOD (Bring Your Own Device) policies. What is a BYOD Policy?
While BYOD policies are something of a necessity now – especially with delays and even cancellations in global supply chains for the devices virtual workers rely on – they were formerly an answer to IT consumerization.  Consumerization of IT refers to the cycle of technology first being built for personal, consumer use and then later being adopted by businesses and other organizations at an enterprise level. It’s often the result of employees using popular consumer apps or devices at work, because they are better than the legacy tech used by the organization. What are the benefits of a BYOD policy? There’s a reason why the BYOD market was booming pre-COVID-19. In fact, the market is expected to be valued at more than $366.95 by 2020, a big jump from its valuation of $30 billion in 2014. Note: This forecast was made three years ago, which means the sudden and global transition to remote-working will likely drive more growth. So, what are some of the benefits for businesses? You’ll Enable a Productive Remote Workforce  This is no doubt the most important reason to adopt BYOD policies, especially now. If your employees have historically worked on desktops and you’re struggling to set each person up with a laptop, BYOD policies will enable your people to keep working, despite hardware shortages and other challenges. Beyond that, though, you’ll also enable your people to work freely from wherever they need to, whether that be in transit, at home, or in the office. You’ll Reduce Burden on IT Teams Employees tend to be more comfortable and confident using their own personal devices and their native interfaces. For example, someone who has worked on a Windows computer for 15 years may struggle to suddenly start working on a Mac. That means there will be less dependence on IT teams to train or otherwise set-up employees on new devices. But, it’s important to consider the security risks along with the benefits so that your employees and data stay safe while working from personal devices.  What are the security risks involved in using personal devices? Physical security Loss or theft of a personal device is one of the biggest concerns around BYOD policies, especially when you consider that people tend to carry their mobile phones and even laptops with them at all times. If a device fell into the wrong hands and adequate security measures weren’t in place, sensitive data could be at risk.  Network security If a cybercriminal was able to gain access to a personal device, they could maneuver from one device to another and move through an organization’s network quickly. Once inside, they could install malware, steal sensitive information, or simply maintain a foothold to control systems later. Information security Data is currency and personal devices hold a lot of information not just about an organization and its clients, vendors, and suppliers, but also about the individual. If you imagine all the sensitive data contained in Outlook or Gmail accounts, you can begin to see the magnitude of the risks if this data were exposed. Physical and network security risks are threats to information security, which proves how important securing devices really is. Tips for employers To minimize the risk associated with BYOD policies, we recommend that you: Enforce strict password policies. Mobile phones should be locked down with 6-digit PINs or complex swipe codes, and laptops should be secured with strong passwords that utilize numbers, letters, and characters. Your best bet is to enforce MFA or SSO and provide your employees with a password manager to keep track of their details securely. Equip devices with reliable security solutions. From encryption to antivirus software, personal devices need to have the same security solutions installed as work devices. Ideally, solutions will operate on both desktop and mobile ensuring protection across the board. For example, Tessian defends against both inbound and outbound email threats on desktop and mobile. Read more about our solutions here.  Restrict data access. Whether your organization uses a VPN or cloud services, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access through stringent access controls whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Limit or block downloads of software and applications. IT and security teams can use either blacklisting or whitelisting to ensure employees are only downloading and using vetted software and applications. Alternatively, IT and security teams could exercise even more control by preventing downloads altogether. Educate your employees. Awareness training is an essential part of any security strategy. But, it’s important that the training is relevant to your organization. If you do implement a BYOD policy, ensure every employee is educated about the rules and risks.  Tips for employees  To minimize the risk associated with BYOD policies, we recommend that you: Password-protect your personal devices. Adhere to internal security policies around password-protection or, alternatively, use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops. If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. Avoid public Wi-Fi and hotspotting. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Put training into practice. While security training is notoriously boring, it’s incredibly important and effective if put into practice. Always pay attention during training sessions and action the advice you’re given. Report loss or theft. In the event your device is lost or stolen, file a report internally immediately. If you’re unfamiliar with procedures around reporting, check with your line manager or IT team ASAP. They’ll be able to better mitigate risks around data loss the sooner they’re notified.  Communicate with IT and security teams. If you’re unsure about how to use your personal device securely or if you think your device has been compromised in some way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have, the better equipped they are to keep you and your device protected.  BYOD policies offer organizations and employees much-needed flexibility. But, in order to be effective as opposed to detrimental, strict security policies must be in place. It’s not just up to security teams. Employees must do their part to make smart security decisions in order to protect their devices, personal data and sensitive business information. Looking for more tips on staying secure while working remotely? We’re here to help! Check out these blogs: Ultimate Guide to Staying Secure While Working Remotely Remote Worker’s Guide To: Preventing Data Loss 11 Tools to Help You Stay Secure and Productive While Working Remotely 
Data Exfiltration DLP Human Layer Security
Remote Worker’s Guide To: Preventing Data Loss
09 April 2020
Over the last several weeks, workforces across the world have transitioned from office to home. While security teams may have struggled initially to get their teams set up to work securely outside of their normal environments, by now most organizations have introduced new software, policies, and procedures to accommodate their new distributed teams.  We spoke with former CISO of KPMG Carolann Shields along with Tess Frieswick of Kivu Consulting and Hayley Bly of Nielsen about what the shift means for cybersecurity in a webinar on March 26. Carolann summed it up nicely when she said “Remote-working introduces complexities that you just don’t have when you can have everyone sitting in an office behind a firewall. It’s a difficult task trying to keep everyone secure and behavioral change and educating folks will be really important. If those things weren’t already a part of your cybersecurity program, they’re going to need to become a part of your cybersecurity program.”  While IT departments no doubt bear the burden of protecting sensitive data, data loss prevention (DLP) is the responsibility of the entire organization. And, while this sudden move to remote-working brings a host of new challenges – from effectively collaborating to co-working with partners, roommates, and children – data security should still be top of mind for both security leaders and individual employees, too.
So, what can you do to help prevent data loss within your organization? We have some tips. 1. Don’t work from your personal devices While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you’re more protected when working on company-sanctioned devices. Beyond that, though, the process to get work-related documents onto personal devices is risky on its own. We’ve written about this extensively in our blog The Dark Side of Sending Work Emails “Home”. In short, personal email accounts are more likely to be compromised than work email accounts. It may be because your personal email account is configured with a weak password or, the worst case, your personal email account may have already been infiltrated by an attacker who could easily intercept whatever sensitive data you’ve emailed to yourself.  Note: IT teams should ensure employees have a secure way to connect their authorized work devices to their personal printers in the event they need to print any documents. This will help them avoid them having to send sensitive documents to their personal accounts in order to print. 2. Be cautious whenever sending sensitive information via email Tessian has seen a 20% increase in email use with the shift to remote working. That means more sensitive data is in motion than ever.  More email traffic, unfortunately, means employees have more opportunities to make mistakes. One of the biggest mistakes an employee can make is sending an email to the wrong person and, as most of us know, it’s easy to do. So, to avoid making this costly mistake, always double-check the recipient(s) of your emails. Ensure you haven’t made any spelling mistakes, and, if you’re using autocomplete, make sure the correct email address has been added. Beyond that, you should always be vigilant when using Cc vs. Bcc and Reply vs Reply All and take time to check that you’ve attached the right documents.  3. Stay up-to-date on the latest phishing and spear phishing trends Cybercriminals use increasingly advanced technology and tactics to carry out effective phishing and spear phishing campaigns. They also tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. While you should always be on the lookout for the red flags that signal phishing attacks, you should also stay up-to-date on the latest trends. We’ve written about several on our blog, including phishing attacks around COVID-19, Tax Day, and the 2020 Census. For more information on how to catch a phish, click here. 4. Use password protection, especially for conferencing and collaboration tools Zoom has made headlines over the last several weeks for the security vulnerabilities found in the platform. While the online conference tool is working on their backend, individuals must do their part, too. To start, ensure you’re using strong passwords. For an application like Zoom, this also means always password-protecting your meetings, never sharing meeting links with people you don’t know or trust, and never sharing screenshots of your meeting which include the Zoom Meeting ID.  Managing so many passwords can be difficult, though. That’s why we recommend using a Password Manager. Click here for more information about the Password Manager we use at Tessian along with other tools that help us work securely while working remotely.  Note: If you’re an employee, you shouldn’t download new software or tools without consulting your IT team.  5. Avoid public Wi-Fi and hotspots Currently most of the world is working from home, but “working remotely” can extend to a number of places. You could be staying with a friend, traveling for work, catching up on emails during your commute, or getting your head down at a café.  Of course, to do work, you’ll likely rely on internet access. Public Wi-Fi or hotspotting from your mobile device may seem like an easy (and harmless) workaround when you don’t have other access, but it’s not wise. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. 6. Follow existing processes and policies When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. Whether it’s rules around locking your devices (see below) or procedures for sharing documents, they’re just as important – if not more important – while you’re working remotely.  This applies to training too. If your organization offers security training, do your best to keep those tips and best practices top of mind. If you’re unclear on the do’s and don’t of cybersecurity, consult your IT, security, or HR team. 7. Always lock your devices  Working outside of the office, even in a home environment, carries additional risks. That means you should always lock your devices with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes. 
8. Report near-misses or mistakes  Whether you’ve sent a misdirected email, fallen for a phishing scam, or had your device stolen, it’s absolutely vital that you report the incident to your IT or security team as soon as possible. The more lead time and information they have, the better the outcome of remediation.   By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue occurring again. It’s a two-way street, though. Organizations must build positive security cultures in order to empower employees to be open and honest. For more tips on how to stay safe while working remotely, read this Ultimate Guide. We’ll also be publishing more helpful tips weekly on both our blog and LinkedIn.
Human Layer Security
21 Virtual Cybersecurity Events To Attend in 2021
08 January 2021
Our list of 21 cybersecurity events to attend in 2021 features premier cybersecurity summits, like the International Cybersecurity Forum in France and National Cyber Summit in the US, alongside intimate and industry-specific events (and webinars) you won’t want to miss. Many of these events are hosted online, but a lot of organizers are planning to host their conferences face-to-face. Watch out for last-minute changes as the COVID-19 situation continues to evolve. FloCon 2021 Date: January 12-14, 2021 Location: Online FloCon focuses on using big data to fight cybersecurity threats. FloCon demonstrates the latest research on how data analytics can be applied to any large dataset to improve networked system security. This event is perfect for operational analysts, tool developers, researchers, security professionals, and anyone interested in leveraging the power of big data to enhance cybersecurity. Cost to attend: Standard: $500. Government: $100. Academic: $125. Student: $50 10 Incredible Ways You Can Be Hacked Through Email, and How to Stop the Bad Guys Date: January 14, 2021 Location: Online Email remains the threat vector cybersecurity leaders are most concerned about. 2020 has seen a huge spike in email-based phishing and other cyberattacks. 2021 should be the year you lock down your company’s email system against intruders. Join Roger Grimes and Kevin Mitnick of KnowBe4 at this Secureworld webinar, as they talk participants through 10 ways cybercriminals can use email to trick users, launch malware, or hijack communications. Want to know more about protecting your business from email-based cyberattacks? Read our article on Email Security Best Practice. Cost to attend: Free. How to Hack a Human Date: January 26, 2021, 1:00pm EST Location: Online In this webinar, Tessian’s VP of Information Security, Trevor Luke, is joined by Katie Paxton-Fear, PhD Student and Ethical Hacker and Anne Benigsen, CISO at Banker’s Bank of West. They’ll discuss how our growing digital footprints make us more vulnerable than ever to social engineering attacks and BEC.  You’ll learn: What personal and work-related information many of us unwittingly share online How hackers use this information to socially engineer a personalized attack What you can do to reduce your company’s hackability Based in EMEA? You can register for this event instead, starting at 12:00pm GMT on January 27. Cost to attend: Free. RSA Conference 2021 Date: January 27, 2021 Location: Online The RSA Conference (RSAC) brings together expert speakers from across the global cybersecurity community, including Adam Hickey, Deputy Assistant Attorney General at the US Department of Justice, Target’s Product Security Director Jennifer Czaplewski, and Cybereason CTO Israel Barak. 2021 sees the RSAC operating 100% online for the second year running, with sessions on analytics, ransomware response, and machine learning security solutions. You can read our take on last year’s conference in this first-hand account, all about last year’s theme: The Human Element.  Cost: Early Bird: $79. Standard: $99. Showcase: Free. RegTech Live: an FStech Conference Date: March 3, 2021 Location: Online   RegTech Live is back for its third year, where – once again – industry leaders will be discussing the latest developments in tech, the biggest trends for 2021, and the emerging technologies those in the financial sector and insurance need to keep their eyes on.  While you can view a full list of speakers here, you can expect to hear from experts from BNY Mellon, UCL, NAtWest, the Financial Conduct Authority, and Tessian. Spoiler Alert: We’ll be speaking about How to Hack a Human.  Cost: Free for those in the financial sector and insurance, £395 + VAT for technology providers  Human Layer Security Summit Date: March 3, 2021 Location: Online   On March 3, Tessian will be hosting its first Human Layer Security (HLS) Summit of 2021. Want to be the first to receive an invitation and hear about the agenda and speakers? Sign up to our newsletter! First-timer? Check out our HLS On-Demand page for a collection of last year’s best panel discussions, interviews, and presentations.  Cost to attend: Free. CyberCon London 2021 Date: March 9, 2021 Location: Kimpton Fitzroy, London  CyberCon London features high-profile speakers bringing CTOs, CISOs, and IT directors up-to-date knowledge and practical advice on dealing with cyberthreats. Agenda items include panel sessions on fraud, remote working, and the costs of cybercrime —  plus lectures from world-renowned cybersecurity tsar Dr Jacqui Taylor and blockchain expert Aviya Arika. Cost to attend: Standard: £895 + tax. Super Early Bird: £595 + tax. Early Bird: £695 + tax. Fifth International Workshop on Security, Privacy and Trust in the Internet of Things (SPT-IoT) Date: March 22-26, 2021 Location: Online  The SPT-IoT workshop is part of the International Conference on Pervasive Computing and Communications (PerCom 2021), a conference organized by the IEEE Computer Society. The workshop brings together academics, researchers, and industry leaders to share ideas and advice on security within Internet of Things (IoT) devices.  IoT is a booming industry — but the security risks mean that manufacturers and developers are incurring an increasingly significant regulatory burden. Security leaders in the IoT sector should take every opportunity to learn about implementing better cybersecurity. Cost to attend: Free International Cybersecurity Forum (FIC) 2021 Date: April 6-8, 2021 Location: Grand Palais, Lille, France The International Cybersecurity Forum (Forum International Cybersecurite, or FIC) is one of the largest cybersecurity events in Europe, featuring over 450 speakers, 33 round tables, and 24 conferences, plus plenaries, demonstrations, and cybersecurity masterclasses. The 2021 program features sessions on information mapping, secure home working, and the emerging “cyberwar” between state powers. Speakers include privacy advocate Max Schrems, Jolicloud CEO Tariq Krem, and European Commission Vice President Margaritis Schinás. It’s hoped that FIC 2021 will go ahead as a face-to-face event, but remote participation is also available. Cost to attend: TBC Cybersecurity Digital Summit for Healthcare and Life Sciences 2021 Date: April 13-14, 2021 Location: Online 2020 saw some high-profile data breaches among healthcare companies, including the December cyberattack on the UK’s National Health Service and the devastating November attack on Blackbaud, which acted as a vendor to dozens of healthcare providers. Cybersecurity is absolutely crucial in this most tightly-regulated of industries, and healthcare professionals should learn as much as they can about emerging cyber threats. Cyber Security Hub’s Summit for Healthcare and Life Sciences Summit is a two-day event where industry leaders will advise healthcare professionals on how to keep patient data safe throughout 2021. Cost to attend: Free Third-Party & Supply Chain Cyber Security Summit Date: April 14-15, 2021 Location: Online Securing your own company’s end-points, devices, and networks is just part of the cybersecurity battle. You also need to ensure that your suppliers, vendors, and other third parties are secure and can take good care of your company’s data. In our article on What is Account Takeover (ATO)?, we look at the devastating attacks that can emerge from your supply chain. This two-day event from the Growth Innovation Agility (GIA) Global Group features speakers from Yandex, ENISA, GlaxoSmithKline, and Huawei. You’ll learn how much of your company’s data is really under its control, and how to manage risk when working with third parties. Cost to attend: Free 11th ACM Conference on Data and Application Security and Privacy (CODASPY) Date: April 26-28, 2021 Location: Online (Possible in-person enrolment available in the US, exact location TBC) This conference, organized by the Association for Computing Machinery (ACM) Special Interest Group on Security, Audit, and Control (SIGSAC), brings together academics and industry leaders to discuss security and privacy in software development. Applications, including mobile apps, are a key vulnerability of many systems. Read our article on zero-day vulnerabilities to learn about how hackers exploit software weaknesses. Software developers attending CODASPY will learn about cutting-edge research in the cybersecurity of software applications. Cost to attend: Free IAPP Global Privacy Summit Date: April 27-28, 2021 Location: Washington DC The International Association of Privacy Professionals (IAPP) is a globally-respected coalition of lawyers, developers, consultants, and other experts. The IAPP Global Privacy Summit features over 4000 attendees, at least 125 exhibitors, and more than 250 expert speakers. Privacy and cybersecurity are intertwined, and your business neglects on to the detriment of the other. Applying privacy-focused principles means collecting less personal information, deleting it when necessary, and — of course — storing it securely. The IAPP summit will feature sessions on data breach response, compliance with data protection laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), and privacy engineering. Cost: TBC CyberUK 2021 Date: 11-12 May, 2021 Location: International Convention Centre Wales, Newport, Wales CyberUK is hosted by the UK’s National Cyber Security Centre (NCSC), a government unit that advises on cybersecurity. It’s one of the UK’s most important cybersecurity events and is a “must-attend” for industry leaders. The program for 2021 has not yet been set, but expect a full and varied range of talks, demos, and workshops. The last CyberUK agenda included sessions on identifying supply chain risks, building the cybersecurity profession, and using machine learning to boost defences. Cost to attend: Free for public sector employees. Private sector employees — Early bird: £849 + tax. Standard rate: £999 + tax RSA Conference San Francisco The theme for this year’s fully virtual RSAC? Resilience.  While a full list of speakers hasn’t been released, you can see what Linda Gray Martin, VP of RSA Conference, has to say about what you should expect in this video. “See” you there! Did you know 2021 marks the 30th anniversary of this event? Infosecurity Europe 2021 Date: June 8-10, 2021 Location: Olympia London, Hammersmith, London. Infosecurity Europe features an eclectic range of exhibitors and networking opportunities for cybersecurity leaders across all industries. Many key players in cybersecurity are exhibiting in 2021, including Avast, Bitdefender, and SolarWinds. Public bodies, including the UK Department for Digital, Culture, Media and Sport (DCMS) and Nation Cyber Security Centre (NCSC), are also represented. Cost to attend: TBC National Cyber Summit 2021 Date: June 8-10, 2021 Location: Huntsville, Alabama The National Cyber Summit focuses on education, collaboration, and innovation, bringing together experts from government, academia, and industry to deliver an innovative, diverse, and accessible event. Speakers will include Robert Powell, Senior Advisor for Cybersecurity at NASA, Katie Arrington, Chief of Information Security Acquisition and the US Department of Defense, and Merritt Baer, Principal Security Architect at Amazon Web Services. Cost to attend: Full Access: Standard — $570, Onsite — $610. Student, Teacher/Faculty: Standard — $175,  Onsite — $200. Government: Free. Regulatory Compliance Conference Date: June 13-16 Location: Hyatt Regency, San Diego, California With nations worldwide passing ever-stricter privacy and security laws, your business should take every opportunity to learn how best to remain compliant. Join “the nation’s top risk-based thinkers” to discuss the most pressing issues in regulatory compliance. This conference from the American Bankers Association features over 50 sessions to help banking and fintech organizations comply with consumer protection and data security regulations. Want to know more about balancing your security and compliance obligations? Read Security vs. Compliance: What’s The Difference? Cost to attend: TBC British Legal Technology Forum 2021 Date: July 6, 2021 Location: Billinghurst, London The British Legal Technology Forum is Europe’s biggest legal technology conference and exhibition, featuring 2,500 square meters of exhibition space. BLTF 2021 is a crucial event for legal professionals, featuring talks from Prof. Richard Susskind, President of the Society for Computers & Law, and Bruna Pellicci, CTO at Linklaters.  Bonus: Tessian is the headline sponsor!  Want to learn more about how Tessian helps lock down email and prevent breaches for some of the world’s top law firms? Read our customer stories.  Cost to attend: Free International Conference on Cyber Security (ICCS) 2021 Date: July 19-22, 2021 Location: Fordham University, New York The International Conference of Cyber Security (ICCS), a collaboration between the FBI and Fordham University, is among the world’s premier cybersecurity events. Esteemed speakers from around the world will discuss how to address cyber threats in the private, government, academic, and law enforcement sectors. The 2021 agenda remains a work-in-progress, but previous ICCS events have featured presentations from the Director of National Intelligence (DNI), FBI, CIA, and NSA. Registration is limited to just 300 attendees. Cost to attend: $995. Cyber Security Tutorial (CST) and Law Enforcement Workshop (LEW): an extra $75 per session. Cybersecurity Digital Summit for EMEA 2021 Date: October 19-20, 2021 Location: Online  This Cybersecurity Digital Summit, hosted by Cyber Security Hub, is a two-day event focusing on the main threats affecting the Europe, Middle-East, and Africa (EMEA) region. The summit follows on from Cyber Security Hub’s events focusing on the Americas and Asia Pacific (APAC) regions. According to Cyber Security Hub’s publicity, the EMEA region “seems to set the course for the regulatory framework that APAC (Asia Pacific) and the Americas are adopting.” Whether you’re a cybersecurity professional working in the EMEA region — or you’re based elsewhere and hoping to understand the threats emerging from EMEA — this event is for you. Cost to attend: Free We’ll be updating this throughout 2021. For the latest updates – including industry insights, new research, and company news – subscribe to our newsletter.
Page