Search results by: "remote working"
Data Loss Prevention Human Layer Security
13 Cybersecurity Sins When Working Remotely
By Maddie Rosenthal
27 May 2020
Over the last eight weeks, security vendors, thought leaders, and even mainstream media have been offering employees advice on how to stay secure and productive while working from home. And, why wouldn’t they? The transition from office-to-home has been both sudden and challenging and the risks associated with data loss haven’t disappeared just because the perimeter has. At Tessian, we’ve created (and have been consistently updating) our own remote-working content hub filled with actionable advice for security, IT, and compliance professionals as well as employees. While you can find the individual articles below, we thought we’d combine all of the tips we’ve shared over the last two months into one easy-to-read article. Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Ultimate Guide to Staying Secure While Working Remotely  Remote Worker’s Guide to: Preventing Data Loss Remote Worker’s Guide to: BYOD Policies  11 Tools to Help You Stay Secure and Productive While Working Remotely  Here are 13 things you shouldn’t do when working remotely from a cybersecurity perspective.  1. Don’t send company data to your personal email accounts. As many organizations have had to adopt new tools and systems like VPNs and Cloud Storage on the fly, some employees may have had to resort to sending company data to their personal email accounts in order to continue doing their job.  We understand that doing so may have been viewed at the “only option”, but it’s important to note that this is not wise from a security perspective. While we’ve written about this in detail on our blog The Dark Side of Sending Work Emails “Home”, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts. Why? Read point #5 to find out.  2. Don’t share Zoom links or Meeting IDs.  Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But, as we highlighted in our Ultimate Guide to Staying Secure While Working Remotely, there are precautions you must take in order to prevent attackers from infiltrating your calls. While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.  Importantly, this Meeting ID appears at the top of your conference window, which means if you share a screenshot of your call, anyone who sees the screenshot can access this meeting. If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join. 3. Don’t ignore warnings from IT and security teams or other authoritative sources.  Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them. But – importantly – these warnings are useless unless employees heed the advice.  Whether it’s an email outlining how to spot a phishing email or an announcement from your line manager about updating your iOS, employees should take warnings seriously and take action immediately.  4. Don’t work off of personal devices.  While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices. Note: Some organizations have adopted more flexible BYOD policies. You can learn how to combat the security risks associated with these policies on our blog. 5. Don’t action email requests without double-checking their legitimacy.  Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.  For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentialsor other personal information, get in touch with them via phone or a separate email thread before responding.  6. Don’t use weak passwords.  Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data.  If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins.  If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. 7. Don’t lose touch with your IT or security teams.  Communication – especially during periods of transition and disruption- is key.  If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected.  8. Don’t use public Wi-Fi or mobile hotspots.  Given the digital transformation, most of us rely on internet access to do our jobs. Unfortunately, we can’t connect to just any network.  The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. With that said, you should only use networks you’re absolutely confident are secure.  9. Don’t download new tools or software without approval.  IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion. Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”.  10. Don’t leave work devices or documents in plain sight.  Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too.  Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or client information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft.  Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously. 11. Don’t give hackers the information they need to execute social engineering attacks.  When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Don’t make it easier for them by sharing personal information on OOO messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.  12. Don’t be afraid to ask questions about security policies and procedures.  When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place. IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request.   13. Don’t forget the basics of security best practice.  While we’ve offered plenty of advice that’s specific to remote-working, following general security best practices will help prevent security incidents, too.  Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn’t, below are some of the basics. Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization.  If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key! What’s next? While most organizations and individuals have started to adjust to “the new normal”, it’s important to remember that, eventually, some of us will move back to our office environments. The above tips are relevant wherever you’re working, whether that’s at home, from a cafe, on public transport, or at your desk in the office. Looking for more insights on what\s next in this new world of work? We’re hosting our first virtual Human Layer Security Summit on June 18. Find out more – including the agenda for the day – here. 
Compliance Data Loss Prevention Spear Phishing
Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges
15 April 2020
As a part of our ongoing efforts to help security professionals around the world manage their new remote workforces, we’ve been holding virtual panel discussions and roundtables with ethical hackers and security and compliance leaders from some of the world’s leading institutions to discuss cybersecurity best practice while working from home. Our panelists and speakers have included David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, Jenna Franklin, Managing Counsel, Privacy & Data at Santander, Stacey Champagne, Head of Insider Threat at Blackstone, Ben Sadeghipour, Head of Hacker Education at HackerOne, Chris Turek, CIO at Evercore, Jon Washburn, CISO at Stoel Rives, Peter Keenan, CISO at Lazard, Gil Danieli, Director of Information security at Stroock, and Justin Daniels, General Counsel at Baker Donelson We’ve compiled some of the key takeaways to help IT, privacy, and security professionals and employees stay secure wherever they’re working.  Interested in joining a future roundtable? You can register here.
How to defend against spear phishing (inbound threats) Communicate new threats. Cybercriminals are carrying out opportunistic phishing attacks around COVID-19 and the mass transition from office-to-home. Keep employees in the loop by showing them examples of these threats. But, it’s important to not over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. Create policies and procedures around authenticating requests. Communicating new threats isn’t enough to stop them. To protect your employees and your data, you should also set up a system for verifying and authorizing requests via a known communication channel. For example, if an employee receives an email requesting an invoice be paid, they should contact the relevant department or individual via phone before making any payments. Enable multi-factor authentication. This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.   Encourage reporting. Creating and maintaining a positive security culture is one of the best ways to help defend against phishing and spear phishing attacks. If employees make a habit of reporting new threats, security and IT teams have a better chance of remediating them and preventing future threats.  Update security awareness training. Remote-working brings with it a host of new security challenges. From the do’s and don’t of using personal devices to identifying new threat vectors for phishing, employees need to refresh their security know-how now more than ever.
How to defend against data exfiltration (outbounds threats) Exercise strict control over your VPN. Whether it’s disabling split tunneling on your  VPN or limiting local admin access, it’s absolutely vital that you minimize lateral movements within your network. This will not only help prevent insider threats from stealing data, but it will also prevent hackers from moving quickly from one device to another.  Block downloads of software and applications. This is one of the easiest ways to minimize the attack vectors within your network. By preventing downloads by individual users, you’ll be able to exercise more control over the software and applications your employees use. This way, only vetted tools and solutions will be available for use.  Secure your cloud services. As workforces around the world are suddenly remote, cloud services are more important than ever. But, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Create a system for onboarding and offboarding employees. Both negligent and malicious incidents of data exfiltration are on the rise. To prevent new starters or bad leavers from mishandling your data, make sure you create and communicate new policies for onboarding and offboarding employees. In order to be truly effective, this will need to be a joint effort between HR, IT and security teams. Update security awareness training. Again, remote-working brings with it a host of new security challenges. Give your employees the best chance of preventing data loss by updating your security awareness training. Bonus: Check your cybersecurity insurance. Organizations are now especially vulnerable to cyber attacks. While preventative measures like the above should be in place, if you have cybersecurity insurance, now is the time to review your policy to ensure you’re covered across both new and pre-existing threat vectors.  Our panelist cited two key points to review: If you are allowing employees to use personal devices for anything work-related, check whether personal devices are included in your insurance policy. Verify whether or not your policy places a cap on scams and social engineering attacks and scrutinize the language around both terms. In some instances, there may be different caps placed on these different types of attacks which means your policy may not be as comprehensive as you might have thought. For example, under your policy, what would a phishing attack fall under? 
How to stay compliant Share updated policies and detailed guides with employees. While employees may know and understand security policies in the context of an office environment, they may not understand how to apply them in the context of their homes. In order to prevent data loss (and fines), ensure your employees know exactly how to handle sensitive information. This could mean wearing a headset while on calls with clients or customers, avoiding any handwritten notes, and – in general – storing information electronically. Update security awareness training. As we’ve mentioned, organizations around the world have seen a spike in inbound attacks like phishing. And, when you consider that 91% of data breaches start with a phishing attack, you can begin to understand why it’s absolutely essential that employees in every department know how to catch a phish and are especially cautious and vigilant when responding to emails. Conduct a Data Protection Impact Assessment (DPIA). As employees have moved out of offices and into their homes, businesses need to ensure personal data about employees and customers is protected while the employees are accessing it and while it’s in transit, wherever that may be. That means compliance teams need to consider localized regulations and compliance standards and IT and security teams have to take necessary steps to secure devices with software, restricted access, and physical security. Note: personal devices will also have to be safeguarded if employees are using those devices to access work.  Remember that health data requires special care. In light of COVID-19, a lot of organizations are monitoring employee health. But, it’s important to remember that health data is a special category under GDPR and requires special care both in terms of obtaining consent and how it’s processed and stored.  This is the case unless one of the exceptions apply. For example, processing is necessary for health and safety obligations under employment law. Likewise, processing is necessary for reasons of public interest in the area of public health. An important step here is to update employee privacy notices so that they know what information you’re collecting and how you’re using it, which meets the transparency requirement under GDPR.   Revise your Business Continuity Plan (BCP). For many organizations, recent events will have been the ultimate stress test for BCPs. With that said, though, these plans should continually be reviewed. For the best outcome, IT, security, legal, and compliance teams should work cross-functionally. Beyond that, you should stay in touch with suppliers to ensure service can be maintained, consistently review the risk profile of those suppliers, and scrutinize your own plans, bearing in mind redundancies and furloughs.  Stay up-to-date with regulatory authorities. Some regulators responsible for upholding data privacy have been releasing guidance around their attitude and approach to organizations meeting their regulatory obligations during this public health emergency.  In some cases, fines may be reduced, there may be fewer investigations, they may stand down new audits, and – while they cannot alter statutory deadlines – there is an acknowledgment that there may be some delays in fulfilling certain requests such as Data Subject Access Requests (DSARs). The UK privacy regulator, the ICO, has said they will continue acting proportionately, taking into account the challenges organizations face at this time. But, regulators won’t accept excuses and they will take strong action against those who take advantage of the pandemic; this crisis should not be used as an artificial reason for not investing in security.  
Looking for more advice around remote-working and the new world of work? For more practical advice from security leaders for security leaders and privacy professionals, join us for our next virtual panel discussion on April 30. We’ve also created a hub with curated content around remote working security which we’ll be updating regularly with more helpful guides and tips.
Data Loss Prevention Human Layer Security
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
27 March 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home” It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.  Personal email accounts can be compromised, especially as they are often configured with weak passwords Email is not a default encrypted medium. If an attacker were in a position to intercept your email, they would be able to read them, and any attachments if not encrypted Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.  Public Wi-Fi vs. using a personal device as a hotspot While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.  As an employee, here’s what you can do to be safe: When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and let alert your IT team of the oversight.  Ensure you keeping VPN software on work devices up-to-date Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.  From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.  This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.  Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password. But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider: How the data is backed up Risks associated with denial of service (DOS) attacks  Legal complications that may arise from certain types of data being stored overseas Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important. Conferencing and collaboration tools Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.  We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.  For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.   
How to physically protect your devices Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.  This has the added benefit of showing clients or other professional contacts that the business takes security seriously. About that OOO message… “Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…” It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker. Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away. Top tips for businesses setting up remote-working policies…. Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight. When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them. Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake. Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout. Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions. Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments. Top tips for employees working from home… Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to. Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you. Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring. During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.  FTC online security tips for working from home NCSC issues guidance as home working increases in response to COVID-19 We’ll also continue sharing best practice tips both on our blog and on LinkedIn. 
Data Loss Prevention
11 Tools to Help You Stay Secure and Productive While Working Remotely
23 March 2020
With the outbreak of COVID-19, organizations are relying on tools and software to enable their employees to work remotely. While this transition from office-to-home may be relatively seamless for some, it can be quite a challenge for those who didn’t already have these virtual systems set-up and deployed. As a tech start-up, Tessian has had remote-working processes and security policies in place since the beginning and, as a part of that, we have a long list of fully vetted productivity tools and software that we’ve made available to our employees.  So, to help IT, security, operations, and HR teams around the world balance productivity and security, while also attempting to conduct “business as usual”, we’re sharing applications we use to ensure our people are always protected while working, whether that’s from the office or from home.
What should you consider before onboarding an application? There are a lot of collaboration and productivity tools out there. But, it’s crucial organizations only use those that have the highest standards and protocols around safeguarding data.  At Tessian, we scrutinize and vet all applications to ensure they comply with our own strict data and privacy protection criteria. While the below assessment isn’t exhaustive or applicable to all tools, software, or applications that might be useful while employees are working remotely, it should help you identify products that are sound from an information security and data protection perspective.  Does the application process personal data? If so, why and in what volume? Where is the data processed?  Does the application take back-ups of data? If so, how often? Who has access to the data in the platform? Is access conditional upon Multi-Factor Authentication (2FA, for example)?  Does the application have a policy in place that addresses Incident Response to patching and other security issues? Does the application protect data in transit between services using encryption?  Does the application protect internal data in transit? If so, how? Is the application certified with any regional or international data security standards? Not sure where to find all of this information? You should be able to find vendor’s privacy and data policies on their website. You can also contact them directly. For example, we always ask that a vendor assessment form be completed and, when solutions process a large amount of data, we’ll schedule a follow-up call.
Collaboration and productivity tools we use at Tessian Zoom Used across every department at Tessian, Zoom is a video conferencing platform that helps keep us connected with each other and our customers across continents. Now, we’re even using it for our weekly all-company meetings, which means almost 200 people are joining at once. It’s made collaboration – especially in isolation – much easier.  You can record the sessions, break larger groups into smaller teams via Breakout Rooms, and there’s an add-in for calendar systems which makes scheduling virtual meetings as easy as in-person meetings. While they’ve always offered solutions for educators, healthcare providers, and virtually every other industry, Zoom has developed even more solutions and resources in light of the pandemic. Use this resource to find out how Zoom can support businesses moving to a remote-working model. Clubhouse While we use other project management platforms like Trello, Clubhouse is a favorite amongst our product and engineering teams because it’s made specifically for developers and is deeply integrated with GitHub. It makes creating and tracking workflows for features, bugs, sprints, or long-term projects easy. GitHub For most engineers, this is an obvious one, but worth mentioning nonetheless. GitHub was built for developers and allows users to host and review code, manage projects, and build software, all in one place.  Importantly from a security and admin perspective, you can deploy it to your environment or to the cloud.  OpenVPN In any remote-working environment, secure access to network resources is the top priority. If employees can’t access their work, they can’t do their jobs. And, to prevent employees from sending work emails to personal accounts or exfiltrating data, organizations have to implement a solution that extends to different sites, devices, and users.  We use OpenVPN. In addition to extending centralized unified threat management to remote networks, encryption ensures privacy on different Wi-Fi networks.  Google Drive We also use Google’s cloud storage system, Google Drive, to enable file sharing in and out of the office. Again, the name of the game is collaboration and with integrations into other applications like Google Docs, Slides, and Sheets all available on desktop and mobile, it’s easy for different individuals and entire teams to work together.  But, it’s important that you implement security processes to ensure everything you store in your Drive stays safe. To start, you should secure access to the Drive by enabling 2FA for all Google Accounts and set-up strict policies around sharing documents externally. You should also limit access internally to different Drives. For example, each department can have its own, limited-access Drive in addition to an all-company Drive. Peakon Knowing how your employees are feeling is essential for business growth and personal development. Of course, gauging employee engagement and experience is easier said than done and is especially difficult when your entire organization is working remotely. Peakon does the heavy lifting for you via bi-weekly online surveys and enables HR, People, and Executive teams to make changes to their organization that make an actual impact. How? By gathering feedback from every employee anonymously and comparing results to industry benchmarks.  IronClad IronClad is a digital contract platform that makes workflows for legal, finance, sales, and recruitment teams seamless.  The difference between this application and other services that let people “sign” digital agreements (DocuSign, Adobe Sign, etc.) is that IronClad extracts and catalogs metadata from contracts and integrates with other systems and platforms to make information accessible and actionable.  Slack According to the brand’s tagline, Slack is “where work happens” and, while many organizations use it in an office environment on top of email, it’s especially helpful for remote-working teams.  You can create different channels for different projects or conversations, update your “status” to let your co-workers know you’re ill, in transit, or away from your computer, and even loop in contacts from outside of your organization.  The company has seen a surge in usage since the outbreak and is rolling out new features to make the app (on both mobile and desktop) easier to use. Better still, there are three different plans available depending on your needs, including a free version.  Confluence Confluence – an Atlassian product – is a knowledge management tool. We use it as an ever-evolving source of truth for our organization: our wiki. Every team inputs and updates key information – from processes to KPIs – so that internally, anyone, at any time, anywhere, can quickly and easily find answers to questions related to onboarding, our products, or internal policies.  Figma Used by our product, design, and marketing teams, Figma is a web-based all-in-one design tool that makes collaboration and iteration fast and easy. You can share projects internally or externally with a URL, which means you don’t have to continually upload, save, or sync projects.  This is huge and means you can move from design-to-code more seamlessly. Beyond that, there are built-in commenting features that can integrate with Slack so that different people can track progress and flag issues in real-time.  Astute eLearning The need for training, whether around compliance, security, or something department-specific, doesn’t go away simply because an organization has moved from an office to a virtual environment. And, unfortunately, engaging with employees for training can be hard in-person, which means it’s an even bigger challenge while they’re out-of-office. At Tessian, we’ve used Astute eLearning, a web-based learning experience platform that lets your employees complete online training. Using the platform’s bank of certified videos and skills-assessments, you can monitor your employees’ progress through courses and, from that, identify and close any skills gaps.  Top tip: To ensure your employees are enabled to sign-in to all of these different apps securely and quickly, we also recommend using a password manager and Single Sign-On tool.  Want more information? As we all try our best to adapt to the “new normal” during these uncertain and challenging times, we’ll continue sharing best practice tips to keep our employees, customers, and the general community secure while working remotely.  Check back on our blog for the latest updates.
Data Loss Prevention
Remote Worker’s Guide To: BYOD Policies
16 April 2020
With the outbreak of COVID-19, workforces around the world have transitioned from secure office environments to their homes.  While some companies already had the infrastructure and policies in place to support a remote workforce, other smaller organizations and even some large enterprises are facing a number of challenges in getting their teams set up, starting with access to secure devices like laptops and phones. One way to empower your employees to work safely wherever they are is to implement BYOD (Bring Your Own Device) policies. What is a BYOD Policy?
While BYOD policies are something of a necessity now – especially with delays and even cancellations in global supply chains for the devices virtual workers rely on – they were formerly an answer to IT consumerization.  Consumerization of IT refers to the cycle of technology first being built for personal, consumer use and then later being adopted by businesses and other organizations at an enterprise level. It’s often the result of employees using popular consumer apps or devices at work, because they are better than the legacy tech used by the organization. What are the benefits of a BYOD policy? There’s a reason why the BYOD market was booming pre-COVID-19. In fact, the market is expected to be valued at more than $366.95 by 2020, a big jump from its valuation of $30 billion in 2014. Note: This forecast was made three years ago, which means the sudden and global transition to remote-working will likely drive more growth. So, what are some of the benefits for businesses? You’ll Enable a Productive Remote Workforce  This is no doubt the most important reason to adopt BYOD policies, especially now. If your employees have historically worked on desktops and you’re struggling to set each person up with a laptop, BYOD policies will enable your people to keep working, despite hardware shortages and other challenges. Beyond that, though, you’ll also enable your people to work freely from wherever they need to, whether that be in transit, at home, or in the office. You’ll Reduce Burden on IT Teams Employees tend to be more comfortable and confident using their own personal devices and their native interfaces. For example, someone who has worked on a Windows computer for 15 years may struggle to suddenly start working on a Mac. That means there will be less dependence on IT teams to train or otherwise set-up employees on new devices. But, it’s important to consider the security risks along with the benefits so that your employees and data stay safe while working from personal devices.  What are the security risks involved in using personal devices? Physical security Loss or theft of a personal device is one of the biggest concerns around BYOD policies, especially when you consider that people tend to carry their mobile phones and even laptops with them at all times. If a device fell into the wrong hands and adequate security measures weren’t in place, sensitive data could be at risk.  Network security If a cybercriminal was able to gain access to a personal device, they could maneuver from one device to another and move through an organization’s network quickly. Once inside, they could install malware, steal sensitive information, or simply maintain a foothold to control systems later. Information security Data is currency and personal devices hold a lot of information not just about an organization and its clients, vendors, and suppliers, but also about the individual. If you imagine all the sensitive data contained in Outlook or Gmail accounts, you can begin to see the magnitude of the risks if this data were exposed. Physical and network security risks are threats to information security, which proves how important securing devices really is. Tips for employers To minimize the risk associated with BYOD policies, we recommend that you: Enforce strict password policies. Mobile phones should be locked down with 6-digit PINs or complex swipe codes, and laptops should be secured with strong passwords that utilize numbers, letters, and characters. Your best bet is to enforce MFA or SSO and provide your employees with a password manager to keep track of their details securely. Equip devices with reliable security solutions. From encryption to antivirus software, personal devices need to have the same security solutions installed as work devices. Ideally, solutions will operate on both desktop and mobile ensuring protection across the board. For example, Tessian defends against both inbound and outbound email threats on desktop and mobile. Read more about our solutions here.  Restrict data access. Whether your organization uses a VPN or cloud services, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access through stringent access controls whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Limit or block downloads of software and applications. IT and security teams can use either blacklisting or whitelisting to ensure employees are only downloading and using vetted software and applications. Alternatively, IT and security teams could exercise even more control by preventing downloads altogether. Educate your employees. Awareness training is an essential part of any security strategy. But, it’s important that the training is relevant to your organization. If you do implement a BYOD policy, ensure every employee is educated about the rules and risks.  Tips for employees  To minimize the risk associated with BYOD policies, we recommend that you: Password-protect your personal devices. Adhere to internal security policies around password-protection or, alternatively, use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops. If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. Avoid public Wi-Fi and hotspotting. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Put training into practice. While security training is notoriously boring, it’s incredibly important and effective if put into practice. Always pay attention during training sessions and action the advice you’re given. Report loss or theft. In the event your device is lost or stolen, file a report internally immediately. If you’re unfamiliar with procedures around reporting, check with your line manager or IT team ASAP. They’ll be able to better mitigate risks around data loss the sooner they’re notified.  Communicate with IT and security teams. If you’re unsure about how to use your personal device securely or if you think your device has been compromised in some way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have, the better equipped they are to keep you and your device protected.  BYOD policies offer organizations and employees much-needed flexibility. But, in order to be effective as opposed to detrimental, strict security policies must be in place. It’s not just up to security teams. Employees must do their part to make smart security decisions in order to protect their devices, personal data and sensitive business information. Looking for more tips on staying secure while working remotely? We’re here to help! Check out these blogs: Ultimate Guide to Staying Secure While Working Remotely Remote Worker’s Guide To: Preventing Data Loss 11 Tools to Help You Stay Secure and Productive While Working Remotely 
Data Loss Prevention
Remote Worker’s Guide To: Preventing Data Loss
09 April 2020
Over the last several weeks, workforces across the world have transitioned from office to home. While security teams may have struggled initially to get their teams set up to work securely outside of their normal environments, by now most organizations have introduced new software, policies, and procedures to accommodate their new distributed teams.  We spoke with former CISO of KPMG Carolann Shields along with Tess Frieswick of Kivu Consulting and Hayley Bly of Nielsen about what the shift means for cybersecurity in a webinar on March 26. Carolann summed it up nicely when she said “Remote-working introduces complexities that you just don’t have when you can have everyone sitting in an office behind a firewall. It’s a difficult task trying to keep everyone secure and behavioral change and educating folks will be really important. If those things weren’t already a part of your cybersecurity program, they’re going to need to become a part of your cybersecurity program.”  While IT departments no doubt bear the burden of protecting sensitive data, data loss prevention (DLP) is the responsibility of the entire organization. And, while this sudden move to remote-working brings a host of new challenges – from effectively collaborating to co-working with partners, roommates, and children – data security should still be top of mind for both security leaders and individual employees, too.
So, what can you do to help prevent data loss within your organization? We have some tips. 1. Don’t work from your personal devices While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you’re more protected when working on company-sanctioned devices. Beyond that, though, the process to get work-related documents onto personal devices is risky on its own. We’ve written about this extensively in our blog The Dark Side of Sending Work Emails “Home”. In short, personal email accounts are more likely to be compromised than work email accounts. It may be because your personal email account is configured with a weak password or, the worst case, your personal email account may have already been infiltrated by an attacker who could easily intercept whatever sensitive data you’ve emailed to yourself.  Note: IT teams should ensure employees have a secure way to connect their authorized work devices to their personal printers in the event they need to print any documents. This will help them avoid them having to send sensitive documents to their personal accounts in order to print. 2. Be cautious whenever sending sensitive information via email Tessian has seen a 20% increase in email use with the shift to remote working. That means more sensitive data is in motion than ever.  More email traffic, unfortunately, means employees have more opportunities to make mistakes. One of the biggest mistakes an employee can make is sending an email to the wrong person and, as most of us know, it’s easy to do. So, to avoid making this costly mistake, always double-check the recipient(s) of your emails. Ensure you haven’t made any spelling mistakes, and, if you’re using autocomplete, make sure the correct email address has been added. Beyond that, you should always be vigilant when using Cc vs. Bcc and Reply vs Reply All and take time to check that you’ve attached the right documents.  3. Stay up-to-date on the latest phishing and spear phishing trends Cybercriminals use increasingly advanced technology and tactics to carry out effective phishing and spear phishing campaigns. They also tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. While you should always be on the lookout for the red flags that signal phishing attacks, you should also stay up-to-date on the latest trends. We’ve written about several on our blog, including phishing attacks around COVID-19, Tax Day, and the 2020 Census. For more information on how to catch a phish, click here. 4. Use password protection, especially for conferencing and collaboration tools Zoom has made headlines over the last several weeks for the security vulnerabilities found in the platform. While the online conference tool is working on their backend, individuals must do their part, too. To start, ensure you’re using strong passwords. For an application like Zoom, this also means always password-protecting your meetings, never sharing meeting links with people you don’t know or trust, and never sharing screenshots of your meeting which include the Zoom Meeting ID.  Managing so many passwords can be difficult, though. That’s why we recommend using a Password Manager. Click here for more information about the Password Manager we use at Tessian along with other tools that help us work securely while working remotely.  Note: If you’re an employee, you shouldn’t download new software or tools without consulting your IT team.  5. Avoid public Wi-Fi and hotspots Currently most of the world is working from home, but “working remotely” can extend to a number of places. You could be staying with a friend, traveling for work, catching up on emails during your commute, or getting your head down at a café.  Of course, to do work, you’ll likely rely on internet access. Public Wi-Fi or hotspotting from your mobile device may seem like an easy (and harmless) workaround when you don’t have other access, but it’s not wise. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. 6. Follow existing processes and policies When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. Whether it’s rules around locking your devices (see below) or procedures for sharing documents, they’re just as important – if not more important – while you’re working remotely.  This applies to training too. If your organization offers security training, do your best to keep those tips and best practices top of mind. If you’re unclear on the do’s and don’t of cybersecurity, consult your IT, security, or HR team. 7. Always lock your devices  Working outside of the office, even in a home environment, carries additional risks. That means you should always lock your devices with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes. 
8. Report near-misses or mistakes  Whether you’ve sent a misdirected email, fallen for a phishing scam, or had your device stolen, it’s absolutely vital that you report the incident to your IT or security team as soon as possible. The more lead time and information they have, the better the outcome of remediation.   By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue occurring again. It’s a two-way street, though. Organizations must build positive security cultures in order to empower employees to be open and honest. For more tips on how to stay safe while working remotely, read this Ultimate Guide. We’ll also be publishing more helpful tips weekly on both our blog and LinkedIn.
Data Loss Prevention
Insider Threats: Types And Real-World Examples
By Maddie Rosenthal
05 June 2020
Insider threats are a big problem for organizations across industries, especially now with mass layoffs and new remote-working arrangements. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data, unlike the external bad actors many security policies and tools help defend against. It could be anyone, from a careless employee to a rogue business partner. That’s why we’ve put together this list of Insider Threat types and examples. By exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to spot Insider Threats before a data breach happens. Types of Insider Threats First things first, let’s define what exactly an Insider Threats is. Insider threats are people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information. The key here is that there are two distinct types of Insider Threats:  The Malicious Insider  The Negligent Insider The Malicious Insider Malicious Insiders knowingly and intentionally steal data.  For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some kind of financial incentive, a competitive edge, or simply because they’re holding a grudge for being let go or furloughed.  Financial Incentives According to Verizon’s 2020 Data Breach Investigations Report, 86% of breaches are financially motivated. Whether it’s a list of customer email addresses or trade secrets, the Dark Web has helped monetize data and now, it’s easier than ever to sell information.  Click here to jump to the real-world example. Competitive Edge According to Tessian research, 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed. While they could simply be adding a project to their portfolio, they could also be hoping to impress or bribe a new or potential employer with trade secrets or customer information.  Click here to jump to the real-world example. A Grudge  Emotions can run high when it comes to someone’s livelihood. That’s one reason why some Insider Threats act out of revenge. In fact, according to one report, almost 10% of Insiders are motivated by a grudge. Click here to jump to the real-world example. The Negligent Insiders  Negligent insiders are just your average employees who have made a mistake.  For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear phishing attack, or lose their work device.  Sending an email to the wrong person Data emailed to the incorrect recipient is the second most reported cause of data breaches. At Tessian, we call this is a misdirected email and it’s happening almost twice as much as IT leaders currently estimate.  While it’s unintentional, the consequences can be tremendous, especially for those organizations that are bound to compliance standards or data privacy regulations. Think about it: emails contain structured and unstructured data in either the body copy, as attachments, or both. In certain industries – like Healthcare and Financial Services – the likelihood of email communications containing sensitive information is even greater.  Click here to jump to the real-world example. Sending work emails “home” According to Tessian platform data, 27,500 emails are sent to personal accounts every year in organizations with 1,000 people. We call these unauthorized emails. While – yes – this could be done maliciously to exfiltrate data, the majority of employees are just trying to do their jobs. Nonetheless, sending company data to personal email accounts is often against security policies. You can read more about why that is on this blog: The Dark Side of Sending Work Emails “Home”. Click here to jump to the real-world example. Falling victim to a phishing or spear phishing attack Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. If the attack is successful – meaning the target (an employee) falls for the scam – there could be serious consequences.  Click here to jump to the real-world example. Losing your work device(s)   Whether it’s a mobile phone, laptop, or tablet, losing a work device could lead to a data breach, especially if the device is left unlocked.  Misconfiguration It’s important to remember that employees aren’t just responsible for data, they’re also responsible for the architecture that supports that data. Whether it’s configuring a firewall or setting up access settings for Cloud Storage, one simple mistake could lead to a breach.  Worryingly, these incidents are on the rise. From 2018-2019, incidents involving misconfiguration have more than doubled. Click here to jump to the real-world example.
7 Examples of Insider Threats  Example #1: The employee who exfiltrated data after being fired or furloughed Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed.  This has caused widespread distress. When you combine this distress with the reduced visibility of IT and security teams while their teams work from home, you’re bound to see more incidents of Malicious Insiders.  One such case involves a former employee of a medical device packaging company who was let go in early March 2020  By the end of March – and after he was given his final paycheck – Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records.  This caused significant delays in the delivery of medical equipment to healthcare providers.
Example #2: The employee who sold company data for financial gain href=”https://www.telegraph.co.uk/technology/2018/09/28/bupa-fined-175000-employee-stole-500000-customer-records-tried/”>an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web.  The breach affected 547,000 customers and in 2018 after an investigation by the ICO, Bupa was fined £175,000.
Example #3: The employee who fell for a phishing attack While we’ve seen a spike in phishing and spear phishing attacks since the outbreak of COVID-19, these aren’t new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 Megabytes of data were stolen. This data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records.
Example #4: The employee who took company data to a new employer for a competitive edge This incident involves two of the biggest tech players: Google and Uber. In 2015, a lead engineer at Waymo, Google’s self-driving car project, left the company to start his own self-driving truck venture, Otto. But, before departing, he exfiltrated several trade secrets including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.  How? By downloading 14,000 files onto his laptop directly from Google servers. Otto was acquired by Uber after a few months, at which point Google executives discovered the breach. In the end, Waymo was awarded $245 million worth of Uber shares and, in March, the employee pleaded guilty.
Example #5: The employee who accidentally sent an email to the wrong person Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But, what are the implications? It depends on what data has been exposed.  In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included: Mental health information Surgery information While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. This isn’t the only incident involving the NHS. (See below.)
Example #6: The employee who accidentally misconfigured access privileges Just last month, NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS.  These documents – marked “SENSITIVE” and “OFFICIAL” contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic.
Example #7: The employee who sent company data to a personal email account We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend.  But, in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. The result? The personal information of 36,000 employees were exposed, including employee ID data, places of birth, and accounting department codes.
How common are Insider Threats? Incidents involving Insider Threats are on the rise, with a marked 47% increase over the last two years. This isn’t trivial, especially considering the global average cost of an Insider Threat is $11.45 million. This is up from $8.76 in 2018. Who’s more culpable, Negligent Insiders or Malicious Insiders?  Negligent Insiders (like those who send emails to the wrong person) are responsible for 62% of all incidents Negligent Insiders who have their credentials stolen (via a phishing attack or physical theft) are responsible for 25% of all incidents Malicious Insiders are responsible for 14% of all incidents It’s worth noting, though, that credential theft is the most detrimental to an organization’s bottom line, costing an average of $2.79 million.  Which industries suffer the most? The “what, who, and why” behind incidents involving Insider Threats vary greatly by industry.  For example, customer data is most likely to be compromised by an Insider in the Healthcare industry, while money is the most common target in the Finance and Insurance sector. But, who exfiltrated the data is just as important as what data was exfiltrated. The sectors most likely to experience incidents perpetrated by trusted business partners are: Finance and Insurance Federal Government Entertainment Information Technology Healthcare State and Local Government Overall, though, when it comes to employees misusing their access privileges, the Healthcare and Manufacturing industries experience the most incidents. On the other hand, the Public Sector suffers the most from lost or stolen assets and also ranks in the top three for miscellaneous errors (for example misdirected emails) alongside Healthcare and Finance. The bottom line: Insider Threats are a growling problem. We have a solution.
How does Tessian prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.  Curious how frequently these incidents are happening in your organization? Click here for a free threat report.
Data Loss Prevention Human Layer Security
Guide: How to Stop Data Loss Across 1 Million New Offices
By Maddie Rosenthal
28 May 2020
Now more than ever, security, IT, and compliance leaders are leaning on each other for support in navigating new challenges around remote-working. And, why wouldn’t they? While some organizations have operated virtually for months and even years before the outbreak of COVID-19, others had never operated a remote workforce. That means they’ve had to – very quickly – equip their teams with new devices and tools, implement new policies and procedures, and update security stacks. Of course, they’re doing all of this while trying to maintain “business as usual” which means trying to monitor and prevent data loss company-wide. That’s exactly why we’ve been hosting virtual events: to pool the wisdom of experienced security and IT leaders and share back with the broader community While you can access our library of webinars here (and register for our next virtual event here), we’ve compiled key takeaways below from our most recent webinar: How to Stop Data Loss Across 1 Million New Offices.  Here’s the actionable advice from Mark Settle, the former CIO of Okta and Karl Knowles, the Global Head of Cyber at HFW.
1. Prioritize email Even with collaboration tools like Slack, email is still King. Or, as Mark put it “email is the central nervous system of almost every company. You really can’t escape it”. Over 124 billion emails are sent and received everyday and employees spend 40% of their time on email. And, when you consider what’s being sent back and forth in emails (spreadsheets, invoices, client information, and other structured and unstructured data) it’s no wonder IT and security leaders consider it the number one threat vector for data loss. Whether it’s a disgruntled employee purposely exfiltrating data or a negligent employee who accidentally sends sensitive information to the wrong person, email is a leaky pipe.  Interested in learning more about how data is lost on email? Read this blog: A Complete Overview of DLP on Email. 2. Clearly communicate what constitutes “data loss” It’s employees who have to take on the role of protecting a company’s most important asset: data. But, unfortunately, many are blissfully unaware of what’s actually considered a data loss incident. It’s not their fault. It’s up to IT leaders – especially now as employees are adjusting to their new work environments – to really communicate what data is sensitive and how that data must be handled.  While those working in Healthcare or Financial Services may be well-versed in what data can and can’t be stored and shared, because of industry-specific compliance standards, the “average” professional may not be. For example: if you don’t tell employees that sending company data to their personal email accounts is considered unauthorized and could lead to a data breach, they’ll never know that they shouldn’t do it. Likewise, many employees don’t realize that sending an email to the wrong person could be classified as a data loss incident.  3. Don’t blame employees, empower them As we’ve said, employees are the gatekeepers of a company’s most sensitive systems and data. But, many aren’t familiar with security best practices or the implications of a breach. And, beyond that, many simply don’t have the necessary tools to work securely. It’s up to IT and security leaders to empower them to do so. How? According to Karl, it comes down to training and technology.
4. Re-think security awareness training Earlier this year at the world’s first Human Layer Security Summit, Mark Logsdon, Head of Cyber Assurance & Oversight at Prudential, explained there are three fundamental problems with training: It’s boring It’s often irrelevant It’s expensive Karl Knowles and Mark Settle shared many of these sentiments. The bottom line is: In order for training to be effective, it has to really resonate. And, for it to really resonate, employees have to understand the who, what, and why behind security policies and procedures. They recommend using different methods and mediums to communicate risks and preventative strategies and – perhaps most importantly – ensure you aren’t overloading them. That means breaking complex subjects down into more manageable pieces and translating technical jargon and concepts into language that’s easier to understand. Top Tip from Karl: Nominate Cyber Champions as a way to gamify training and encourage a positive security culture.  5. Know the limitations of rule-based DLP solutions and invest in technology that proactively adapts DLP isn’t just a challenge now that workforces are remote. It’s been a consistent pain point for IT and security teams for a long time and for several reasons. One of the biggest problems around DLP is that rule-based solutions aren’t adaptive. Not only are they admin-intensive to set-up, but they’re virtually impossible to maintain. You can read more about The Drawbacks of Traditional DLP on Email on our blog.  Learn more about Why DLP is Failing in Tessian’s latest report: The State of Data Loss Prevention 2020. That’s why Karl and Mark recommend investing in technology that’s fast and evolving. The technology is machine learning. Tessian’s DLP solutions (Tessian Enforcer and Tessian Guardian) are powered by machine learning which is why Karl – a customer – considered Tessian an extension of his cyber team.
Interested in learning more about how Tessian can help you detect and prevent data loss wherever your employees are working? Book a demo. And, for more advice, keep up with our blog, LinkedIn, and Twitter for guides, industry news, and events. 
Data Loss Prevention Human Layer Security
The State of Data Loss Prevention 2020: What You Need to Know
28 May 2020
Today, Tessian released The State of Data Loss Prevention 2020, a comprehensive report that explores new and perennial challenges around data loss prevention.
Our findings reveal that data loss on email is a bigger problem than most realize, that remote-working brings new challenges around DLP, and that the solutions currently deemed most effective may actually be the least. Why does this report matter? IT, security, and compliance readers have a lot to gain by reading this report. To really understand why, we have to look at the current landscape. Insider threats are a growing problem While email threats from external bad actors (like spear phishing and business email compromise) dominate headlines, email threats from insiders are steadily rising. In fact, there’s been a 47% increase in incidents over the last two years. This includes accidental data loss and deliberate data exfiltration. According to Verizon’s 2020 Data Breach Investigations Report “It is a bit disturbing when you realize that your employees’ mistakes account for roughly the same number of breaches as external parties who are actively attacking you.” The DLP market is booming and is on track for significant growth. Why? Because it’s one of the top spending priorities for IT leaders with 21% planning to acquire DLP tools within the next year.  Remote-working makes DLP even more challenging Over the last eight weeks, workforces around the world have transitioned from office-to-home. That means the perimeter has disappeared and past strategies have become obsolete. COVID-19 has been deemed a “field day for Insider Threats”. There are more opportunities than ever for employees to exploit privileged access to data, working from home can reduce the vigilance of employees handling confidential data, and there’s been a marked increase in COVID-19 phishing attacks. While some organizations will encourage their employees to migrate back to offices, many (including Facebook) have already opted to maintain remote-working set-ups.  Interested in learning more about the methods and motives of Insider Threats? Read our blog: What is an Insider Threat? Insider Threat Definitions, Examples, and Solutions. The implications of a data breach are far-reaching  The consequences of a data breach aren’t limited to lost data and revenue loss. Organizations also experience a 2-7% churn rate after a breach. Data privacy regulations add insult to injury. In the first quarter of 2020 alone, GDPR fines totaled nearly €50 million. But, we had to look beyond third-party research and conduct our own.  What will I learn? We analyzed Tessian platform data and commissioned OnePoll to survey 2,000 professionals (1,000 in the US and 1,000 in the UK) and 250 Information Technology (IT) leaders. We also interviewed IT, security, and compliance leaders about their own experiences with DLP. Here’s what we found out: !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
Data loss incidents are happening as much as 38x more often than IT leaders currently estimate. 800 misdirected emails are sent every year in organizations with 1,000 employees. 27,500 emails containing company data are sent to personal accounts every year in organizations with 1,000 employees. 84% of IT leaders say DLP is more challenging when their workforce is working remotely. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
While 91% of IT leaders say they trust their employees to follow security policies while working from home, almost half (48%) of employees say they’re less likely to follow safe data practices when working from home. Email is the threat vector IT leaders are most concerned about. 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job and 51% say security tools and software impede their productivity.  While IT leaders believe security awareness training is the most effective way to prevent data loss, machine learning is the better option.  Dozens more insights in the full report, including segmented data around industry, company size, age, and region.  How can I access The State of Data Loss Prevention 2020? IT leaders must have visibility over how their employees are handing and mishandling data on email in order to implement effective DLP strategies.  Our report shines a light on the problems and best solutions.  You can access the full report via our microsite. And, if you’re interested in learning more, save your spot at Tessian Human Layer Security Summit on June 18.
Human Layer Security
7 Reasons to Attend Tessian Virtual Human Layer Security Summit
26 May 2020
On June 18, we’re hosting Tessian Human Layer Security Summit and you’re invited.  The theme? The new world of work. While businesses have flexed fast to adapt to remote-working, there are still plenty of challenges security, compliance, and IT leaders have to overcome.  That’s why we’re bringing thousands of people together from around the world – including over a dozen speakers and partners – to discuss what’s happened and (more importantly) what’s next. We know what you’re thinking: How is this virtual event different from others you’ve been invited to or attended? We’ll tell you.
1. You’ll hear from thought leaders from world-renowned institutions We believe that diverse perspectives lead to better solutions, which is why we’ve brought together such a wide range of voices from the world’s top businesses and institutions.  We’ll be welcoming security and business leaders from Amazon Web Services, The FBI, Unilever, Investec, and more and each speaker will cover a topic that demonstrates their expertise and unique point of view. So, what will they be covering? The evolving risk landscape, how new compliance standards affect business and cybersecurity strategies, challenges in preventing data loss, and how to build and maintain a happy and productive remote workforce.  2. You’ll have a chance to ask your most pressing questions around cybersecurity, remote-working, and business continuity While the agenda is jam-packed with fireside chats, presentations, and panel discussions, we’ve left plenty of time for you to voice your thoughts, too. After all, the name of the game is diverse perspectives. We’ll be opening the floor to all attendees to ask their most pressing questions and our speakers will answer them live. You can even submit your questions ahead of time by emailing [email protected] This way, you can leave the event with actionable advice related specifically to you and your organization. 
3. You’ll learn more about human-centric security strategies  The Human Element has been a buzzword throughout 2020. But, do you know how to create and implement security strategies that are human-centric? You will after this event. You’ll hear why solving the problem of human error on email is more important now than ever, how security and privacy risks have evolved as the perimeter has disappeared, and how Tessian’s Human Layer Security platform has helped Tessian customers prevent data loss incidents on email.  Want a sneak peek at what you might learn? Check out these insights from the world’s first Human Layer Security Summit.  4. You’ll be the first to know about exciting company and industry news  While we don’t want to spoil all the surprises, you should know that we’ll be announcing some very exciting news that will bring greater visibility into threats specific to your organization.  Not only will we be unveiling new technology that gives security, IT, and compliance leaders a birds’ eye view into data loss trends, but we’ll be sharing key findings from our groundbreaking research into the State of Data Loss Prevention 2020. 
5. You’ll be in good company  We hosted our first-ever Human Layer Security Summit in March where hundreds of attendees (both in-person and online) joined the conversation. This event will be even bigger. Thousands of leading C-suite executives, business leaders, and security professionals from across continents will be under the same (virtual) roof which means this event is the perfect opportunity to network and connect with the larger cybersecurity community.  Whether you’re looking for advice, allies, or future opportunities, this is your chance, especially considering all of our incredible partners for the event: HackerOne, Noord, The SASIG, Women in Security and Privacy, and Security Current. 6. You don’t have to change out of your pajamas While most of us are all too familiar with challenges around remote-working, we can’t ignore that there are some benefits, too. For example: Being able to ask the former CEO of Upwork a question while sitting in your pajamas.  This is especially relevant for those tuning in from California, as the event kicks off at 7:00 AM PST. Of course, feel free to join in whatever you’re comfortable in.  7. …It’s free! Attendees have a lot to gain by joining us on June 18 and nothing to lose; the event is 100% free.  All you have to do is register now to save your spot and tune in on the day.  Can’t make it on June 18? Don’t worry! By registering, you’ll have on-demand access to watch the full series of keynotes, panel discussions, and more after the live session.
Spear Phishing
How to Avoid the PPP Scams Targeting Small Businesses
By Maddie Rosenthal
01 May 2020
On April 27, the U.S government’s coronavirus relief fund for small businesses – the Payroll Protection Program – resumed lending, after an additional $320 billion in funding was authorized to help small businesses keep employees on the payroll. The program will provide much needed relief for small businesses, but it could also provide cybercriminals with another prime opportunity to cash in on Covid-19 related schemes. Over the last month, Tessian has identified ways in which criminals have taken advantage of the global pandemic to make their scams more effective – from impersonating remote working and collaboration tools to tricking people into clicking onto fake stimulus check domains.  We are now warning small businesses of the PPP and CARES Act scams that they could face.  Tessian’s latest research reveals that 645 domains related to the PPP were registered between March 30 and April 20, with the majority of the domains being registered in the week following the US government’s announcement on March 31.  While 85% of the domains are offline, it’s unclear how long they will remain offline for. Of the newly registered domains that are currently live: 35% were registered as multiple domains that lead users to the same website. The 31 of the grouped domains only lead people to eight websites. 28% were from different loan providers that have a separate PPP presence through an online form. Although these may not all be spammy, it’s important for people to be wary of what they’re signing up for, what information they’re sharing and any associated costs. 24% were law firms and consultants offering their services. Around 10% were “advisory,” giving businesses information about PPP in a blog style without any notable Call To Action or service. Worryingly, a recent survey by IBM X-Force found that only 14% of small business owners say they are very knowledgeable about how to access the SBA’s loan relief program. Cybercriminals will use this to their advantage, targeting those individuals seeking more information or guidance on the PPP. And although not every newly registered PPP domain may be malicious, it’s possible that these websites could be set up to trick people into sharing money, credentials or personal information.  Small businesses have been prime targets throughout the global pandemic. We’ve seen a number of spam campaigns whereby hackers impersonate the Small Business Administration (SBA) or well-respected banks to entice people into opening malicious attachments or sharing sensitive information. At this time, we urge small business owners and staff to think twice about what they share online and question the legitimacy of the emails they receive.  Our advice to avoiding the PPP scams: Be cautious about sharing personal information online. If it doesn’t look right, it probably isn’t. Understand the Call To Action on these PPP-related sites and emails you receive from them asking for urgent action or to click links.  Make sure any sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly. Never share direct deposit details or your Social Security number on an unfamiliar website. Always use different passwords when setting up new accounts on websites. And enable two-factor authentication on all the services that you use.
3 Reasons Hackers Could Help Bridge the Cybersecurity Skills Gap
By Maddie Rosenthal
28 April 2020
There are currently over 4 million unfilled positions in cybersecurity. The question is: Why? To find out, Tessian released the Opportunity in Cybersecurity Report 2020. Based on interviews with over a dozen practitioners from some of the world’s biggest and most innovative organizations (including Google, KPMG, and IBM), survey results from hundreds of female cybersecurity professionals, and quantitative research from the Centre for Economics and Business Research, we revealed that: There’d be a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK if the number of women working in cybersecurity rose to equal that of men A lack of awareness/knowledge about the industry is the biggest challenge female cybersecurity professionals face at the start of their career The industry has a major image problem. Women working in cybersecurity believe a more accurate perception of the industry in the media would be the biggest driver of new entrants  A different perspective of the same problem While we examined the growing skills gap in cybersecurity through the lens of the disproportionately low percentage of women currently working in the field, we were recently introduced to a different perspective. Hackers’.  HackerOne released The 2020 Hacker Report earlier this year and, on April 21, Tessian welcomed Ben Sadeghipour, the platform’s Head of Hacker Education, to present the key findings from the report during one of our Human Layer Security Virtual Roundtables. The message was simple: Hackers can (and do) help bridge the cybersecurity skills gap.  Now, by combining highlights from The 2020 Hacker Report with our own Opportunity in Cybersecurity Report 2020, we’ve identified 3 key reasons why hackers have the potential to make a positive impact on the industry. 
1. Hackers have the skills the cybersecurity industry needs When asked why there’s a skills gap in the industry, 47% of those women surveyed said it’s because there’s a lack of qualified talent. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Likewise, 33% of women currently working in cybersecurity say that a lack of requisite skills was the biggest challenge they faced at the start of their career. This came behind a lack of clear career development paths (43%) and a lack of awareness/knowledge of the industry (43%). !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); While a greater emphasis on STEM subjects in primary/high school, more apprenticeship programs, and cybersecurity-specific curriculums at universities would certainly help, we need to look beyond formal education. According to HackerOne’s report, “Most [43%] hackers consider themselves self-taught… since formalized cybersecurity engineering educations have yet to become common, bug bounty programs and public VDPs give promising hackers the ability to quickly learn, grow, and contribute to everyone’s increased security.” What’s more, hackers are putting these self-taught skills to use, with 78% of hackers saying they’ve used or plan to use their hacking experience to help them land a job. On top of that, the majority of hackers (59%) say they hack as a hobby or in their free time and 27% describe themselves as students.  That means a large percentage of hackers could, in theory, transition into cybersecurity. It’s important to note, too, that different cybersecurity roles attract different types of talent. We asked our survey respondents to identify the skills needed to thrive in different roles, and the results demonstrate how diverse the opportunities are. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");  
2. All hackers aren’t “bad” While a lack of requisite skills is perpetuating the skills gap, 51% of the women surveyed in Tessian’s Opportunity in Cybersecurity Report 2020 said that a more accurate perception of the industry in the media would encourage more women into cybersecurity roles. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Hillary Benson, Director, Product at StackRox and one of the contributors to our report summed it up nicely when she said, “People hear ‘cybersecurity’ and think of hackers in hoodies. That’s a bit of a caricature, maybe with some legitimacy to it—and that was even part of my own experience—but that’s not all there is.” Unfortunately, this “caricature” of hackers tends to be negative as pop culture and headlines about nation-state hacking groups have conditioned us to associate hackers with criminal or solitary activity. HackerOne even commissioned a survey of over 2,000 US adults to gauge their perception of hackers.  The survey found that 82% of Americans believe hackers can help expose system weaknesses to improve security in future versions. However, a nearly identical share said they believe hacking to be an illegal activity.  But, hackers feel confident this perception is changing for the better, with:  55% saying they see a more positive perception from friends and family 47% saying they see a more positive perception from the general public 38% saying they see a more positive perception from businesses 35% saying they see a more positive perception from the media
3. Hackers already have a strong community 23% of Tessian’s respondents said that a lack of role models was a challenge they faced at the start of their career, and a further 26% said that more diverse role models would encourage more women to enter cybersecurity roles. The impact of role models is even more important for the younger generations. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Hackers already have a strong community. Katie (@Insider_PHD) was quoted in HackerOne’s report saying “The community is super encouraging. The community is super willing to help out. It’s, as far as I’m concerned, my home.”  Likewise, Corben (@CDL) was quoted as saying “Being part of the hacker community means the world to me. I’ve met a ton of people. I’ve made a ton of friends through it. It’s really become a big part of my identity. Everyone who is a part of the community is bringing something important.” Beyond that, 15% of those surveyed got interested in ethical hacking because of online forums or chatrooms.  The bottom line is: Mentorship is important. Role models are important. Community is important. Unlike cybersecurity professionals – specifically female cybersecurity professionals – hackers have these things in abundance. Cybersecurity is more important now than ever Data has become valuable currency and ransomware attacks, phishing scams, and network breaches are costing businesses and governments billions every year. And now, with new security challenges around remote-working and a marked spike in COVID-19-related phishing attacks, cybersecurity is more business-critical than ever before. While we should continue encouraging gender diversity in cybersecurity, we should also encourage other types of diversity as well. The field is wide open for a range of educational and professional backgrounds…including hackers.  Challenge perceptions, make an impact.  Learn how cybersecurity professionals kick-started their career   So, what is cybersecurity actually like? It depends on your role within the field. And contrary to popular belief, the opportunities available are incredibly diverse.  To learn more about how the 12 women we interviewed broke into the industry, read their profiles. #TheFutureIsCyber
Page