Search results by: "remote working"
Data Loss Prevention Human Layer Security
13 Cybersecurity Sins When Working Remotely
By Maddie Rosenthal
27 May 2020
Over the last eight weeks, security vendors, thought leaders, and even mainstream media have been offering employees advice on how to stay secure and productive while working from home. And, why wouldn’t they? The transition from office-to-home has been both sudden and challenging and the risks associated with data loss haven’t disappeared just because the perimeter has. At Tessian, we’ve created (and have been consistently updating) our own remote-working content hub filled with actionable advice for security, IT, and compliance professionals as well as employees. While you can find the individual articles below, we thought we’d combine all of the tips we’ve shared over the last two months into one easy-to-read article. Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Ultimate Guide to Staying Secure While Working Remotely  Remote Worker’s Guide to: Preventing Data Loss Remote Worker’s Guide to: BYOD Policies  11 Tools to Help You Stay Secure and Productive While Working Remotely  Here are 13 things you shouldn’t do when working remotely from a cybersecurity perspective.  1. Don’t send company data to your personal email accounts. As many organizations have had to adopt new tools and systems like VPNs and Cloud Storage on the fly, some employees may have had to resort to sending company data to their personal email accounts in order to continue doing their job.  We understand that doing so may have been viewed at the “only option”, but it’s important to note that this is not wise from a security perspective. While we’ve written about this in detail on our blog The Dark Side of Sending Work Emails “Home”, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts. Why? Read point #5 to find out.  2. Don’t share Zoom links or Meeting IDs.  Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But, as we highlighted in our Ultimate Guide to Staying Secure While Working Remotely, there are precautions you must take in order to prevent attackers from infiltrating your calls. While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.  Importantly, this Meeting ID appears at the top of your conference window, which means if you share a screenshot of your call, anyone who sees the screenshot can access this meeting. If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join. 3. Don’t ignore warnings from IT and security teams or other authoritative sources.  Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them. But – importantly – these warnings are useless unless employees heed the advice.  Whether it’s an email outlining how to spot a phishing email or an announcement from your line manager about updating your iOS, employees should take warnings seriously and take action immediately.  4. Don’t work off of personal devices.  While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices. Note: Some organizations have adopted more flexible BYOD policies. You can learn how to combat the security risks associated with these policies on our blog. 5. Don’t action email requests without double-checking their legitimacy.  Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.  For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentialsor other personal information, get in touch with them via phone or a separate email thread before responding.  6. Don’t use weak passwords.  Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data.  If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins.  If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. 7. Don’t lose touch with your IT or security teams.  Communication – especially during periods of transition and disruption- is key.  If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected.  8. Don’t use public Wi-Fi or mobile hotspots.  Given the digital transformation, most of us rely on internet access to do our jobs. Unfortunately, we can’t connect to just any network.  The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. With that said, you should only use networks you’re absolutely confident are secure.  9. Don’t download new tools or software without approval.  IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion. Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”.  10. Don’t leave work devices or documents in plain sight.  Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too.  Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or client information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft.  Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously. 11. Don’t give hackers the information they need to execute social engineering attacks.  When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Don’t make it easier for them by sharing personal information on OOO messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.  12. Don’t be afraid to ask questions about security policies and procedures.  When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place. IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request.   13. Don’t forget the basics of security best practice.  While we’ve offered plenty of advice that’s specific to remote-working, following general security best practices will help prevent security incidents, too.  Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn’t, below are some of the basics. Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization.  If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key! What’s next? While most organizations and individuals have started to adjust to “the new normal”, it’s important to remember that, eventually, some of us will move back to our office environments. The above tips are relevant wherever you’re working, whether that’s at home, from a cafe, on public transport, or at your desk in the office. Looking for more insights on what\s next in this new world of work? We’re hosting our first virtual Human Layer Security Summit on June 18. Find out more – including the agenda for the day – here. 
Compliance Data Loss Prevention Spear Phishing
Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges
15 April 2020
As a part of our ongoing efforts to help security professionals around the world manage their new remote workforces, we’ve been holding virtual panel discussions and roundtables with ethical hackers and security and compliance leaders from some of the world’s leading institutions to discuss cybersecurity best practice while working from home. Our panelists and speakers have included David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, Jenna Franklin, Managing Counsel, Privacy & Data at Santander, Stacey Champagne, Head of Insider Threat at Blackstone, Ben Sadeghipour, Head of Hacker Education at HackerOne, Chris Turek, CIO at Evercore, Jon Washburn, CISO at Stoel Rives, Peter Keenan, CISO at Lazard, Gil Danieli, Director of Information security at Stroock, and Justin Daniels, General Counsel at Baker Donelson We’ve compiled some of the key takeaways to help IT, privacy, and security professionals and employees stay secure wherever they’re working. 
How to defend against spear phishing (inbound threats) Communicate new threats. Cybercriminals are carrying out opportunistic phishing attacks around COVID-19 and the mass transition from office-to-home. Keep employees in the loop by showing them examples of these threats. But, it’s important to not over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. Create policies and procedures around authenticating requests. Communicating new threats isn’t enough to stop them. To protect your employees and your data, you should also set up a system for verifying and authorizing requests via a known communication channel. For example, if an employee receives an email requesting an invoice be paid, they should contact the relevant department or individual via phone before making any payments. Enable multi-factor authentication. This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.   Encourage reporting. Creating and maintaining a positive security culture is one of the best ways to help defend against phishing and spear phishing attacks. If employees make a habit of reporting new threats, security and IT teams have a better chance of remediating them and preventing future threats.  Update security awareness training. Remote-working brings with it a host of new security challenges. From the do’s and don’t of using personal devices to identifying new threat vectors for phishing, employees need to refresh their security know-how now more than ever.
How to defend against data exfiltration (outbound threats) Exercise strict control over your VPN. Whether it’s disabling split tunneling on your  VPN or limiting local admin access, it’s absolutely vital that you minimize lateral movements within your network. This will not only help prevent insider threats from stealing data, but it will also prevent hackers from moving quickly from one device to another.  Block downloads of software and applications. This is one of the easiest ways to minimize the attack vectors within your network. By preventing downloads by individual users, you’ll be able to exercise more control over the software and applications your employees use. This way, only vetted tools and solutions will be available for use.  Secure your cloud services. As workforces around the world are suddenly remote, cloud services are more important than ever. But, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Create a system for onboarding and offboarding employees. Both negligent and malicious incidents of data exfiltration are on the rise. To prevent new starters or bad leavers from mishandling your data, make sure you create and communicate new policies for onboarding and offboarding employees. In order to be truly effective, this will need to be a joint effort between HR, IT and security teams. Update security awareness training. Again, remote-working brings with it a host of new security challenges. Give your employees the best chance of preventing data loss by updating your security awareness training. Bonus: Check your cybersecurity insurance. Organizations are now especially vulnerable to cyber attacks. While preventative measures like the above should be in place, if you have cybersecurity insurance, now is the time to review your policy to ensure you’re covered across both new and pre-existing threat vectors.  Our panelist cited two key points to review: If you are allowing employees to use personal devices for anything work-related, check whether personal devices are included in your insurance policy. Verify whether or not your policy places a cap on scams and social engineering attacks and scrutinize the language around both terms. In some instances, there may be different caps placed on these different types of attacks which means your policy may not be as comprehensive as you might have thought. For example, under your policy, what would a phishing attack fall under? 
How to stay compliant Share updated policies and detailed guides with employees. While employees may know and understand security policies in the context of an office environment, they may not understand how to apply them in the context of their homes. In order to prevent data loss (and fines), ensure your employees know exactly how to handle sensitive information. This could mean wearing a headset while on calls with clients or customers, avoiding any handwritten notes, and – in general – storing information electronically. Update security awareness training. As we’ve mentioned, organizations around the world have seen a spike in inbound attacks like phishing. And, when you consider that 91% of data breaches start with a phishing attack, you can begin to understand why it’s absolutely essential that employees in every department know how to catch a phish and are especially cautious and vigilant when responding to emails. Conduct a Data Protection Impact Assessment (DPIA). As employees have moved out of offices and into their homes, businesses need to ensure personal data about employees and customers is protected while the employees are accessing it and while it’s in transit, wherever that may be. That means compliance teams need to consider localized regulations and compliance standards and IT and security teams have to take necessary steps to secure devices with software, restricted access, and physical security. Note: personal devices will also have to be safeguarded if employees are using those devices to access work.  Remember that health data requires special care. In light of COVID-19, a lot of organizations are monitoring employee health. But, it’s important to remember that health data is a special category under GDPR and requires special care both in terms of obtaining consent and how it’s processed and stored.  This is the case unless one of the exceptions apply. For example, processing is necessary for health and safety obligations under employment law. Likewise, processing is necessary for reasons of public interest in the area of public health. An important step here is to update employee privacy notices so that they know what information you’re collecting and how you’re using it, which meets the transparency requirement under GDPR.   Revise your Business Continuity Plan (BCP). For many organizations, recent events will have been the ultimate stress test for BCPs. With that said, though, these plans should continually be reviewed. For the best outcome, IT, security, legal, and compliance teams should work cross-functionally. Beyond that, you should stay in touch with suppliers to ensure service can be maintained, consistently review the risk profile of those suppliers, and scrutinize your own plans, bearing in mind redundancies and furloughs.  Stay up-to-date with regulatory authorities. Some regulators responsible for upholding data privacy have been releasing guidance around their attitude and approach to organizations meeting their regulatory obligations during this public health emergency.  In some cases, fines may be reduced, there may be fewer investigations, they may stand down new audits, and – while they cannot alter statutory deadlines – there is an acknowledgment that there may be some delays in fulfilling certain requests such as Data Subject Access Requests (DSARs). The UK privacy regulator, the ICO, has said they will continue acting proportionately, taking into account the challenges organizations face at this time. But, regulators won’t accept excuses and they will take strong action against those who take advantage of the pandemic; this crisis should not be used as an artificial reason for not investing in security.  
Looking for more advice around remote-working and the new world of work? We’ve created a hub with curated content around remote working security which we’ll be updating regularly with more helpful guides and tips.
Data Loss Prevention Human Layer Security
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
27 March 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home” It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.  Personal email accounts can be compromised, especially as they are often configured with weak passwords Email is not a default encrypted medium. If an attacker were in a position to intercept your email, they would be able to read them, and any attachments if not encrypted Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.  Public Wi-Fi vs. using a personal device as a hotspot While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.  As an employee, here’s what you can do to be safe: When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and let alert your IT team of the oversight.  Ensure you keeping VPN software on work devices up-to-date Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.  From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.  This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.  Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password. But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider: How the data is backed up Risks associated with denial of service (DOS) attacks  Legal complications that may arise from certain types of data being stored overseas Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important. Conferencing and collaboration tools Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.  We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.  For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.   
How to physically protect your devices Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.  This has the added benefit of showing clients or other professional contacts that the business takes security seriously. About that OOO message… “Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…” It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker. Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away. Top tips for businesses setting up remote-working policies…. Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight. When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them. Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake. Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout. Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions. Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments. Top tips for employees working from home… Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to. Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you. Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring. During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.  FTC online security tips for working from home NCSC issues guidance as home working increases in response to COVID-19 We’ll also continue sharing best practice tips both on our blog and on LinkedIn. 
Data Loss Prevention
11 Tools to Help You Stay Secure and Productive While Working Remotely
23 March 2020
With the outbreak of COVID-19, organizations are relying on tools and software to enable their employees to work remotely. While this transition from office-to-home may be relatively seamless for some, it can be quite a challenge for those who didn’t already have these virtual systems set-up and deployed. As a tech start-up, Tessian has had remote-working processes and security policies in place since the beginning and, as a part of that, we have a long list of fully vetted productivity tools and software that we’ve made available to our employees.  So, to help IT, security, operations, and HR teams around the world balance productivity and security, while also attempting to conduct “business as usual”, we’re sharing applications we use to ensure our people are always protected while working, whether that’s from the office or from home.
What should you consider before onboarding an application? There are a lot of collaboration and productivity tools out there. But, it’s crucial organizations only use those that have the highest standards and protocols around safeguarding data.  At Tessian, we scrutinize and vet all applications to ensure they comply with our own strict data and privacy protection criteria. While the below assessment isn’t exhaustive or applicable to all tools, software, or applications that might be useful while employees are working remotely, it should help you identify products that are sound from an information security and data protection perspective.  Does the application process personal data? If so, why and in what volume? Where is the data processed?  Does the application take back-ups of data? If so, how often? Who has access to the data in the platform? Is access conditional upon Multi-Factor Authentication (2FA, for example)?  Does the application have a policy in place that addresses Incident Response to patching and other security issues? Does the application protect data in transit between services using encryption?  Does the application protect internal data in transit? If so, how? Is the application certified with any regional or international data security standards? Not sure where to find all of this information? You should be able to find vendor’s privacy and data policies on their website. You can also contact them directly. For example, we always ask that a vendor assessment form be completed and, when solutions process a large amount of data, we’ll schedule a follow-up call.
Collaboration and productivity tools we use at Tessian Zoom Used across every department at Tessian, Zoom is a video conferencing platform that helps keep us connected with each other and our customers across continents. Now, we’re even using it for our weekly all-company meetings, which means almost 200 people are joining at once. It’s made collaboration – especially in isolation – much easier.  You can record the sessions, break larger groups into smaller teams via Breakout Rooms, and there’s an add-in for calendar systems which makes scheduling virtual meetings as easy as in-person meetings. While they’ve always offered solutions for educators, healthcare providers, and virtually every other industry, Zoom has developed even more solutions and resources in light of the pandemic. Use this resource to find out how Zoom can support businesses moving to a remote-working model. Clubhouse While we use other project management platforms like Trello, Clubhouse is a favorite amongst our product and engineering teams because it’s made specifically for developers and is deeply integrated with GitHub. It makes creating and tracking workflows for features, bugs, sprints, or long-term projects easy. GitHub For most engineers, this is an obvious one, but worth mentioning nonetheless. GitHub was built for developers and allows users to host and review code, manage projects, and build software, all in one place.  Importantly from a security and admin perspective, you can deploy it to your environment or to the cloud.  OpenVPN In any remote-working environment, secure access to network resources is the top priority. If employees can’t access their work, they can’t do their jobs. And, to prevent employees from sending work emails to personal accounts or exfiltrating data, organizations have to implement a solution that extends to different sites, devices, and users.  We use OpenVPN. In addition to extending centralized unified threat management to remote networks, encryption ensures privacy on different Wi-Fi networks.  Google Drive We also use Google’s cloud storage system, Google Drive, to enable file sharing in and out of the office. Again, the name of the game is collaboration and with integrations into other applications like Google Docs, Slides, and Sheets all available on desktop and mobile, it’s easy for different individuals and entire teams to work together.  But, it’s important that you implement security processes to ensure everything you store in your Drive stays safe. To start, you should secure access to the Drive by enabling 2FA for all Google Accounts and set-up strict policies around sharing documents externally. You should also limit access internally to different Drives. For example, each department can have its own, limited-access Drive in addition to an all-company Drive. Peakon Knowing how your employees are feeling is essential for business growth and personal development. Of course, gauging employee engagement and experience is easier said than done and is especially difficult when your entire organization is working remotely. Peakon does the heavy lifting for you via bi-weekly online surveys and enables HR, People, and Executive teams to make changes to their organization that make an actual impact. How? By gathering feedback from every employee anonymously and comparing results to industry benchmarks.  IronClad IronClad is a digital contract platform that makes workflows for legal, finance, sales, and recruitment teams seamless.  The difference between this application and other services that let people “sign” digital agreements (DocuSign, Adobe Sign, etc.) is that IronClad extracts and catalogs metadata from contracts and integrates with other systems and platforms to make information accessible and actionable.  Slack According to the brand’s tagline, Slack is “where work happens” and, while many organizations use it in an office environment on top of email, it’s especially helpful for remote-working teams.  You can create different channels for different projects or conversations, update your “status” to let your co-workers know you’re ill, in transit, or away from your computer, and even loop in contacts from outside of your organization.  The company has seen a surge in usage since the outbreak and is rolling out new features to make the app (on both mobile and desktop) easier to use. Better still, there are three different plans available depending on your needs, including a free version.  Confluence Confluence – an Atlassian product – is a knowledge management tool. We use it as an ever-evolving source of truth for our organization: our wiki. Every team inputs and updates key information – from processes to KPIs – so that internally, anyone, at any time, anywhere, can quickly and easily find answers to questions related to onboarding, our products, or internal policies.  Figma Used by our product, design, and marketing teams, Figma is a web-based all-in-one design tool that makes collaboration and iteration fast and easy. You can share projects internally or externally with a URL, which means you don’t have to continually upload, save, or sync projects.  This is huge and means you can move from design-to-code more seamlessly. Beyond that, there are built-in commenting features that can integrate with Slack so that different people can track progress and flag issues in real-time.  Astute eLearning The need for training, whether around compliance, security, or something department-specific, doesn’t go away simply because an organization has moved from an office to a virtual environment. And, unfortunately, engaging with employees for training can be hard in-person, which means it’s an even bigger challenge while they’re out-of-office. At Tessian, we’ve used Astute eLearning, a web-based learning experience platform that lets your employees complete online training. Using the platform’s bank of certified videos and skills-assessments, you can monitor your employees’ progress through courses and, from that, identify and close any skills gaps.  Top tip: To ensure your employees are enabled to sign-in to all of these different apps securely and quickly, we also recommend using a password manager and Single Sign-On tool.  Want more information? As we all try our best to adapt to the “new normal” during these uncertain and challenging times, we’ll continue sharing best practice tips to keep our employees, customers, and the general community secure while working remotely.  Check back on our blog for the latest updates.
Data Loss Prevention
Remote Worker’s Guide To: BYOD Policies
16 April 2020
With the outbreak of COVID-19, workforces around the world have transitioned from secure office environments to their homes.  While some companies already had the infrastructure and policies in place to support a remote workforce, other smaller organizations and even some large enterprises are facing a number of challenges in getting their teams set up, starting with access to secure devices like laptops and phones. One way to empower your employees to work safely wherever they are is to implement BYOD (Bring Your Own Device) policies. What is a BYOD Policy?
While BYOD policies are something of a necessity now – especially with delays and even cancellations in global supply chains for the devices virtual workers rely on – they were formerly an answer to IT consumerization.  Consumerization of IT refers to the cycle of technology first being built for personal, consumer use and then later being adopted by businesses and other organizations at an enterprise level. It’s often the result of employees using popular consumer apps or devices at work, because they are better than the legacy tech used by the organization. What are the benefits of a BYOD policy? There’s a reason why the BYOD market was booming pre-COVID-19. In fact, the market is expected to be valued at more than $366.95 by 2020, a big jump from its valuation of $30 billion in 2014. Note: This forecast was made three years ago, which means the sudden and global transition to remote-working will likely drive more growth. So, what are some of the benefits for businesses? You’ll Enable a Productive Remote Workforce  This is no doubt the most important reason to adopt BYOD policies, especially now. If your employees have historically worked on desktops and you’re struggling to set each person up with a laptop, BYOD policies will enable your people to keep working, despite hardware shortages and other challenges. Beyond that, though, you’ll also enable your people to work freely from wherever they need to, whether that be in transit, at home, or in the office. You’ll Reduce Burden on IT Teams Employees tend to be more comfortable and confident using their own personal devices and their native interfaces. For example, someone who has worked on a Windows computer for 15 years may struggle to suddenly start working on a Mac. That means there will be less dependence on IT teams to train or otherwise set-up employees on new devices. But, it’s important to consider the security risks along with the benefits so that your employees and data stay safe while working from personal devices.  What are the security risks involved in using personal devices? Physical security Loss or theft of a personal device is one of the biggest concerns around BYOD policies, especially when you consider that people tend to carry their mobile phones and even laptops with them at all times. If a device fell into the wrong hands and adequate security measures weren’t in place, sensitive data could be at risk.  Network security If a cybercriminal was able to gain access to a personal device, they could maneuver from one device to another and move through an organization’s network quickly. Once inside, they could install malware, steal sensitive information, or simply maintain a foothold to control systems later. Information security Data is currency and personal devices hold a lot of information not just about an organization and its clients, vendors, and suppliers, but also about the individual. If you imagine all the sensitive data contained in Outlook or Gmail accounts, you can begin to see the magnitude of the risks if this data were exposed. Physical and network security risks are threats to information security, which proves how important securing devices really is. Tips for employers To minimize the risk associated with BYOD policies, we recommend that you: Enforce strict password policies. Mobile phones should be locked down with 6-digit PINs or complex swipe codes, and laptops should be secured with strong passwords that utilize numbers, letters, and characters. Your best bet is to enforce MFA or SSO and provide your employees with a password manager to keep track of their details securely. Equip devices with reliable security solutions. From encryption to antivirus software, personal devices need to have the same security solutions installed as work devices. Ideally, solutions will operate on both desktop and mobile ensuring protection across the board. For example, Tessian defends against both inbound and outbound email threats on desktop and mobile. Read more about our solutions here.  Restrict data access. Whether your organization uses a VPN or cloud services, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access through stringent access controls whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Limit or block downloads of software and applications. IT and security teams can use either blacklisting or whitelisting to ensure employees are only downloading and using vetted software and applications. Alternatively, IT and security teams could exercise even more control by preventing downloads altogether. Educate your employees. Awareness training is an essential part of any security strategy. But, it’s important that the training is relevant to your organization. If you do implement a BYOD policy, ensure every employee is educated about the rules and risks.  Tips for employees  To minimize the risk associated with BYOD policies, we recommend that you: Password-protect your personal devices. Adhere to internal security policies around password-protection or, alternatively, use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops. If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. Avoid public Wi-Fi and hotspotting. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Put training into practice. While security training is notoriously boring, it’s incredibly important and effective if put into practice. Always pay attention during training sessions and action the advice you’re given. Report loss or theft. In the event your device is lost or stolen, file a report internally immediately. If you’re unfamiliar with procedures around reporting, check with your line manager or IT team ASAP. They’ll be able to better mitigate risks around data loss the sooner they’re notified.  Communicate with IT and security teams. If you’re unsure about how to use your personal device securely or if you think your device has been compromised in some way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have, the better equipped they are to keep you and your device protected.  BYOD policies offer organizations and employees much-needed flexibility. But, in order to be effective as opposed to detrimental, strict security policies must be in place. It’s not just up to security teams. Employees must do their part to make smart security decisions in order to protect their devices, personal data and sensitive business information. Looking for more tips on staying secure while working remotely? We’re here to help! Check out these blogs: Ultimate Guide to Staying Secure While Working Remotely Remote Worker’s Guide To: Preventing Data Loss 11 Tools to Help You Stay Secure and Productive While Working Remotely 
Data Loss Prevention
Remote Worker’s Guide To: Preventing Data Loss
09 April 2020
Over the last several weeks, workforces across the world have transitioned from office to home. While security teams may have struggled initially to get their teams set up to work securely outside of their normal environments, by now most organizations have introduced new software, policies, and procedures to accommodate their new distributed teams.  We spoke with former CISO of KPMG Carolann Shields along with Tess Frieswick of Kivu Consulting and Hayley Bly of Nielsen about what the shift means for cybersecurity in a webinar on March 26. Carolann summed it up nicely when she said “Remote-working introduces complexities that you just don’t have when you can have everyone sitting in an office behind a firewall. It’s a difficult task trying to keep everyone secure and behavioral change and educating folks will be really important. If those things weren’t already a part of your cybersecurity program, they’re going to need to become a part of your cybersecurity program.”  While IT departments no doubt bear the burden of protecting sensitive data, data loss prevention (DLP) is the responsibility of the entire organization. And, while this sudden move to remote-working brings a host of new challenges – from effectively collaborating to co-working with partners, roommates, and children – data security should still be top of mind for both security leaders and individual employees, too.
So, what can you do to help prevent data loss within your organization? We have some tips. 1. Don’t work from your personal devices While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you’re more protected when working on company-sanctioned devices. Beyond that, though, the process to get work-related documents onto personal devices is risky on its own. We’ve written about this extensively in our blog The Dark Side of Sending Work Emails “Home”. In short, personal email accounts are more likely to be compromised than work email accounts. It may be because your personal email account is configured with a weak password or, the worst case, your personal email account may have already been infiltrated by an attacker who could easily intercept whatever sensitive data you’ve emailed to yourself.  Note: IT teams should ensure employees have a secure way to connect their authorized work devices to their personal printers in the event they need to print any documents. This will help them avoid them having to send sensitive documents to their personal accounts in order to print. 2. Be cautious whenever sending sensitive information via email Tessian has seen a 20% increase in email use with the shift to remote working. That means more sensitive data is in motion than ever.  More email traffic, unfortunately, means employees have more opportunities to make mistakes. One of the biggest mistakes an employee can make is sending an email to the wrong person and, as most of us know, it’s easy to do. So, to avoid making this costly mistake, always double-check the recipient(s) of your emails. Ensure you haven’t made any spelling mistakes, and, if you’re using autocomplete, make sure the correct email address has been added. Beyond that, you should always be vigilant when using Cc vs. Bcc and Reply vs Reply All and take time to check that you’ve attached the right documents.  3. Stay up-to-date on the latest phishing and spear phishing trends Cybercriminals use increasingly advanced technology and tactics to carry out effective phishing and spear phishing campaigns. They also tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. While you should always be on the lookout for the red flags that signal phishing attacks, you should also stay up-to-date on the latest trends. We’ve written about several on our blog, including phishing attacks around COVID-19, Tax Day, and the 2020 Census. For more information on how to catch a phish, click here. 4. Use password protection, especially for conferencing and collaboration tools Zoom has made headlines over the last several weeks for the security vulnerabilities found in the platform. While the online conference tool is working on their backend, individuals must do their part, too. To start, ensure you’re using strong passwords. For an application like Zoom, this also means always password-protecting your meetings, never sharing meeting links with people you don’t know or trust, and never sharing screenshots of your meeting which include the Zoom Meeting ID.  Managing so many passwords can be difficult, though. That’s why we recommend using a Password Manager. Click here for more information about the Password Manager we use at Tessian along with other tools that help us work securely while working remotely.  Note: If you’re an employee, you shouldn’t download new software or tools without consulting your IT team.  5. Avoid public Wi-Fi and hotspots Currently most of the world is working from home, but “working remotely” can extend to a number of places. You could be staying with a friend, traveling for work, catching up on emails during your commute, or getting your head down at a café.  Of course, to do work, you’ll likely rely on internet access. Public Wi-Fi or hotspotting from your mobile device may seem like an easy (and harmless) workaround when you don’t have other access, but it’s not wise. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. 6. Follow existing processes and policies When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. Whether it’s rules around locking your devices (see below) or procedures for sharing documents, they’re just as important – if not more important – while you’re working remotely.  This applies to training too. If your organization offers security training, do your best to keep those tips and best practices top of mind. If you’re unclear on the do’s and don’t of cybersecurity, consult your IT, security, or HR team. 7. Always lock your devices  Working outside of the office, even in a home environment, carries additional risks. That means you should always lock your devices with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes. 
8. Report near-misses or mistakes  Whether you’ve sent a misdirected email, fallen for a phishing scam, or had your device stolen, it’s absolutely vital that you report the incident to your IT or security team as soon as possible. The more lead time and information they have, the better the outcome of remediation.   By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue occurring again. It’s a two-way street, though. Organizations must build positive security cultures in order to empower employees to be open and honest. For more tips on how to stay safe while working remotely, read this Ultimate Guide. We’ll also be publishing more helpful tips weekly on both our blog and LinkedIn.
Customer Stories Data Loss Prevention Human Layer Security
Data Leakage and Exfiltration: 7 Problems Tessian Helps Solve
03 August 2020
On Wednesday, July 29, Tessian hosted a webinar with two customers: Euromoney Institutional Investor and ERT. The topic? Data exfiltration and reduced visibility while workforces are remote. Martyn Booth, Chief Information Security Officer (CISO) at Euromoney Institutional Investor and Ted Crawford, Chief Information Officer (CIO) at ERT both offered incredible insights about how things have changed from a security perspective over the last four months and how Tessian has helped them lock down email, even before their employees started working from home. And, because Martyn and Ted are two security leaders in different industries (Financial Services and Tech/Healthcare respectively) and are based in different regions (England and The United States), they were able to share diverse opinions and experiences. Keep reading to learn more about how Tessian has helped them solve some of their biggest pain points.  7 Problems Tessian Helps Solve 1. Tessian prevents accidental data loss on email When you hear “data exfiltration”, what do you think of?  Many of you probably thought immediately about Insider Threats and other malicious activity. But, as our customers pointed out, most incidents involving data loss are accidental. Or, as Martyn put it, are the result of “naive email usage”. It could be an employee sending an email to the wrong person (we call this a misdirected email), it could be someone hitting “reply all”, or it could be someone emailing a spreadsheet to their personal email account to work on over the weekend.  Harmless, right? Not exactly. If these “accidents” involve sensitive information related to employees, customers, clients, or the company itself, it’s considered a breach.  Organizations can prevent all of the above with Tessian Guardian.  This is especially important now that employees are working remotely. Why? Because the lines between peoples’ personal and professional lives are blurred. Beyond that, people are distracted, stressed, and tired which, as we’ve shown in our latest research report The Psychology of Human Error, increases the likelihood that a mistake will happen. 2. Tessian prevents malicious data exfiltration on email While, yes, many data loss incidents are accidental, some employees do intentionally exfiltrate data. There are a number of reasons why, but financial gain and a competitive edge are the most likely motivators.  Unfortunately, with so many people being laid off, made redundant, or furloughed, many organizations have seen a spike in this type of malicious activity. But, with Tessian Enforcer, organizations’ most sensitive data is kept safe.  Employees attempting to email sensitive information to themselves or a suspicious third-party will receive a warning message, explaining why the email has been flagged and asking if they’re sure they want to proceed. At the same time, security teams will get a notification.
Note: Instead of warning the employee and asking if they’d like to send the email anyway, security teams can easily configure Tessian to automatically quarantine emails that look like data exfiltration. Book a demo to see Tessian in action.  3. Tessian makes it easy to report security risks and communicate ROI  Communicating cybersecurity ROI has historically been a real challenge for security leaders. Not with Tessian. Martyn explained how Tessian enables him to share key results with executives and demonstrate the effectiveness of not just the solution, but his overall strategy. “One of the pillars of our infrastructure strategy was to build transparency across the organization. This comes from sharing metrics. With Tessian, we can show how many alerts were picked up and, each month, we can show the risk committee that we’re reducing the number of alerts. Now, are they actually interested in our preventative controls? I don’t think so. But the whole point of the metrics program is to show how well (or badly) our strategy is performing.  Before, they would make their decision based on cost or how much risk they thought we were going to be mitigating. It was quite subjective. We’ve moved that now into something more data-based. We can actually say “Well, actually, we pay x per year and, as a result of that, we’re going in the right direction in terms of our risk mitigations.” 4. Tessian helps organizations stay compliant  Both Healthcare and Financial Services are highly regulated industries that are bound to several compliance standards beyond GDPR.  That’s why, for Ted, protecting sensitive clinical data and ensuring “privacy and security by design” are both paramount. “There’s a lot of data that we need to protect and prevent from getting outside of the four walls of ERT,” he said. “As an offshoot of GDPR in 2018, we had to classify all of the data, determine from a privacy perspective how to treat it from a sensitivity perspective, and then decide how to treat it from a security perspective. Because it’s very easy to pull sensitive data and incur data loss on email, we needed a solution that would help us ensure data isn’t distributed where it shouldn’t go. That’s why we approached Tessian.” For more information about compliance in Financial Services, check out this article: Ultimate Guide to Data Protection and Compliance in Financial Services.
5. Tessian saves security teams time  While essential for compliance, classifying (and re-classifying) data, monitoring movement, investigating incidents, and generating reports all take a lot of time. That’s why 85% of IT leaders say rule-based DLP is admin-intensive.  With Tessian, security teams don’t have to do any of the above manually. This is a big selling point for Martyn, who said, “That’s where we really see the value with Tessian. It takes the burden off of people in my security team”. Tessian is powered by machine learning algorithms that have been trained on billions of data points. That means our solutions automatically understand what is and isn’t normal behavior for individual employees and can, therefore, detect and prevent threats before they turn into incidents or breaches. No rules required.  You can read more about our technology here.  6. Tessian gives security teams clear visibility of risks We’ve talked a lot about how Tessian detects and prevents risks. But for a solution to be really successful, it has to give security teams clear visibility of the risks in their organization. Tessian’s Human Layer Security platform does both.  With Tessian Human Layer Security Intelligence, our customers can easily and automatically get detailed insights into employee’s actions.  For example, imagine that in a single week, Tessian detects 12 different employees attempting to send sensitive information to their personal email accounts. When warned that sending the email is against company policy, nine of the employees opted to not send the email. The other three went ahead. Knowing this, security leaders can focus their efforts on the three that went ahead and offer additional, targeted training or, if necessary, they can escalate the incident to a line manager to issue a more formal warning.  This also helps predict future behavior. For example, if Tessian flags that an employee has sent upwards of 20 attachments – including Intellectual Property that would be valuable to a competitor – to a recipient he or she has no previous email history with soon after being denied a raise or promotion, security teams could infer that the employee is resigning and taking company data with them.  And, to prevent any further data exfiltration attempts, they can create custom filters specifically for that user, including customized warning messages or a filter that automatically blocks future exfiltration attempts. Before Tessian, this wasn’t possible for Martyn.  “Even if we suspected that an employee was going to go to a competitor and take data, we couldn’t check. We couldn’t see anything that was going up to the Cloud. It was all encrypted. The only way we would be able to see what people were emailing would be to actually go through individual emails to find ones that were problematic. We didn’t have time for that,” he said 
7. Tessian helps reinforce training and improve employee’s security reflexes with in-the-moment warnings In the example above, three employees opted to send an email after being warned that doing so is against company policy. But, what about the other nine? The warning message changed their behavior! It actually incentivized them to accurately mark emails as confidential or malicious if they were, in fact, confidential or malicious. This is really important. “You can’t take a “big bang” approach to data privacy awareness training. To really see employees empowered, you have to constantly reinforce training,” Ted said.  The bottom line: For training to be effective long-term, employees need to apply what they learn to real-world situations and be reminded of policies in-the-moment. Over time, this will help improve their security reflexes and help build a more positive security culture.  Henry Trevelyan Thomas, the host of the webinar and Tessian’s Head of Customer Success, summarized the benefits of this for both employees and security leaders, “This is a really productive way to help employees take accountability for how they handle data. It democratizes security and takes some of the weight off of the Chief Information Security Officer’s shoulders.” Tessian can help prevent data exfiltration in your organization, too Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way.  Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.
Human Layer Security Spear Phishing
Pros and Cons of Phishing Awareness Training
By Maddie Rosenthal
03 August 2020
Over the last several weeks, phishing, spear phishing, and social engineering attacks have dominated headlines. But, phishing isn’t a new problem. These scams have been circulating since the mid-’90s.  So, what can security leaders do to prevent being targeted? Unfortunately, not much. Hackers play the odds and fire off thousands of phishing emails at a time, hoping that at least a few will be successful. The key, then, is to train employees to spot these scams. That’s why phishing awareness training is such an essential part of any cybersecurity strategy. But is phishing awareness training alone enough? Keep reading to find out the pros and cons of phishing awareness training as well as the steps security leaders need to take to level up their inbound threat protection. Still wondering how big of a problem phishing really is? Check out the latest phishing statistics for 2020.
To make this article easy-to-navigate, we’ll start with a simple list of the pros and cons of phishing awareness training. For more information about each point, you can click the text to jump down on the page. 
Pros of phishing awareness training Phishing awareness training introduces employees to threats they might not be familiar with While people working in security, IT, or compliance are all-too-familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms. That means phishing awareness training is an essential first step. To successfully spot a phish, they have to know they exist. By showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack.   Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why the email is suspicious.  Phishing awareness training can teach employees more about existing policies and procedures Again, showing employees what phishing attacks look like is step one. But ensuring they know what to do if and when they receive one is an essential next step and is your chance to remind employees of existing policies and procedures. For example, who to report attacks to within the security or IT team. Importantly, though, phishing awareness training should also reinforce the importance of other policies, specifically around creating strong passwords, storing them safely, and updating them frequently. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.  Phishing awareness training can help security leaders identify particularly risky and at-risk employees By getting teams across departments together for training sessions and phishing simulations, security leaders will get a birds’ eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new-starters struggling to pass post-training assessments?  These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and could help pinpoint gaps in the overall security framework.
Phishing awareness training can help satisfy compliance standards While you can read more about various compliance standards – including GDPR, CCPA, HIPAA, and GLBA – on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices. What are “proper data security practices?” This criterion has – for the most part – not been formally defined. But, phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.   Phishing awareness training can help foster a strong security culture In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But, it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective.  That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement. You can read more about creating a positive security culture on our blog. Phishing awareness training can enable employees to spot scams in their personal lives, too The point of phishing awareness training is to prevent successful attacks in the workplace. But, it’s important to remember that phishing attacks are targeted at consumers, too. That’s why the most frequently impersonated brands are household names like Netflix and Facebook. Why does this matter? Because phishing attacks have serious consequences, and not just for larger organizations. If an employee was scammed in a consumer attack, they could lose thousands of dollars or even have their identity stolen. It’s hard to imagine a world in which this wouldn’t affect their work. The bottom line: prevention is better than cure and knowledge is power. Phishing awareness training won’t just protect your organization’s data and assets, it’ll empower your people to protect themselves outside of the office, too. 
Cons of phishing awareness training Phishing awareness training can’t prevent human error While phishing awareness training will help employees spot phishing scams and make them think twice before clicking a link or downloading an attachment, it’s not a silver bullet.  Even the most security-conscious and tech-savvy employees can – and do – fall for phishing attacks. Case in point: Employees working in the tech industry are the most likely to click on links in phishing emails, with nearly half (47%)  admitting to having done it. This is 22% higher than the average across all industries. As the saying goes, to “err is human”. Phishing awareness training can’t evolve as quickly as threats do Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months may not be today. We only have to look at the spike in COVID-19 themed phishing attacks starting in March for proof. Prior to the outbreak of the pandemic, very few phishing awareness programs would have trained employees to look for impersonations of the World Health Organization, for example. Likewise, impersonations of collaboration tools like Zoom took off as soon as workforces shifted to remote-working. (Click here for more real-life examples of COVID-19 phishing emails.) What could be next?  Phishing awareness training has hidden costs According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost. Needless to say, the cost of training and simulation software varies vendor-by-vendor. But, the solution itself is far from the only cost to consider. What about lost productivity? Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.  While – yes – a successful attack would cost more, we can’t forget that phishing awareness training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)
Phishing awareness training isn’t targeted (or engaging) enough Going back to what Mark Logsdon said: Training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization – whether it’s 20 people or 20,0000 – and expect it to stick. It has to be targeted based on age, department, and tech-literacy. Age is especially important.  According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged between 18-40 years old. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help. “A one-size-fits-all approach won’t work. Different generations have grown up with tech in different ways, and security training needs to reflect this. That’s not to say that we should think that people over 50 are tech-illiterate, though. Businesses need to consider what motivates each age group and tailor training accordingly.”  “Being respected at work is incredibly important to an older generation, so telling them that they don’t understand something isn’t an effective way to educate them on the threats. Instead, businesses should engage them in a conversation, helping them to identify how their strengths and weaknesses could be used against them in an attack.”  “Many younger employees, on the other hand, have never known a time without the internet and they don’t want to be told how to use it. This generation has a thirst for knowledge, so teach them the techniques that hackers will use to target them. That way, when they see a scam, they’ll be able to unpick it and recognize the tactics being used on them.”   Phishing awareness training can’t force employees to care about cybersecurity Unfortunately, the average employee is less focused on cybersecurity and more focused on getting their jobs done. That’s why one-third (33%) rarely or never think about security and work and over half (54%) of employees say they’ll find a workaround if security software or policies prevent them from doing their job.  While – yes – security leaders can certainly reinforce the importance of software and policies, training alone won’t help control employee’s behavior or inspire every single person to become champions of cybersecurity. Phishing awareness can’t change quick-to-click company cultures It’s widely accepted that time pressure negatively impacts decision accuracy. But did you know that individuals who are expected to respond to emails quickly are also the most likely to click on phishing emails?  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); It makes sense. If you’re rushing to read and fire off emails – especially when you’re working off of laptops, phones, and even watches – you’re more likely to make mistakes.
Should I create a phishing awareness training program? The short answer: Absolutely. Phishing awareness training programs can help teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack. But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. How does Tessian detect and prevent targeted phishing attacks? Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t.  By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise. Once detected, real-time warnings are triggered and explain exactly why the email was flagged, including specific information from the email. (See below.) This is an important function. Why? Because, according to Jeff, “People learn best when they get fast feedback and when that feedback is in context,” 
These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time.  To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.
July Cybersecurity News Roundup
By Maddie Rosenthal
24 July 2020
If you keep up with cybersecurity news, you’ll know it’s been a busy month. We’ve seen headlines around social engineering attacks, the CCPA, coronavirus vaccine data, critical patches, and banned social media applications.  We’ve rounded up some of the top stories from July, including must-know information and links to various supporting resources.  Coronavirus: Russian Spies Target COVID-19 Vaccine Research After pharmaceutical companies and research centers in Great Britain were hacked, four agencies in the US, UK and Canada issued a joint warning, saying that Cozy Bear – a group that “almost certainly operate as a part of Russian intelligence services” – was responsible and that they were targeting organizations trying to develop a coronavirus vaccine. While the UK’s National Cyber Security Centre (NCSC) hasn’t revealed which organizations were targeted or whether any information had been stolen, they have made it clear that vaccine research wasn’t compromised.  In their warning, the US, UK, and Canadian agencies said that hackers not only exploited software flaws to gain access to computer systems, but they also used malware, and tricked employees into handing over login credentials with phishing and spear phishing attacks. Check out our guide: Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks. Twitter Accounts Hacked in Bitcoin Scam On July 15, the official accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates and other celebrities and politicians were hacked in an apparent Bitcoin scam. 
According to Twitter, it was a coordinated social engineering attack involving an Insider that targeted employees who had access to internal systems and tools. This access was then used to take control of various accounts. And, in an update from the social media giant on Wednesday, July 22, it was announced that cybercriminals didn’t just tweet from hacked accounts, they also accessed the direct messages of around 36 people, including a Dutch politician.  The Federal Bureau of Investigation (FBI) is now involved and other lawmakers (on both sides of the political spectrum) are asking Twitter for transparency into what happened and how it can be prevented in the future. Emotet Spam Trojan Surges Back to Life After 5 Months of Silence After going dark five months ago, 2019’s most active malware – Emotet botnet – is back. The latest campaign (the first attack was spotted on July 17) is firing off spam emails, trying to infect users in the US and the UK with its malware. According to one researcher, the campaign is “ongoing” and reached 250,000 messages in just one day.  Here’s how it works: malicious Word attachments or URLs are contained within emails and, if clicked by targets, Emotet will be downloaded and installed. This initial foothold is then used to deploy other malware. What do you do if you’re infected? Isolate the infected system and take the entire network offline.  15 Billion Usernames and Passwords are For Sale on The Dark Web We often say that data is valuable currency but, after a report was released in early July, we can see just how much our personal information is worth. The report, From Exposure to Takeover, found that 100,000 data breaches over a two-year period have yielded a 300% increase in stolen credentials. That means that, today, there are fifteen billion usernames and passwords for sale on the dark web. These compromised credentials are being sold for an average price of $15.43. But, hackers can “rent” an identity for as little as $10. So, how are hackers getting their hands on this data? Phishing, credential-stealing malware, and credit-card skimmers are three of the most popular ways. Research Shows How to Prevent Mistakes Before They Become Breaches  The Psychology of Human Error, the latest report from Tessian, examines not only the mistakes people make at work, but why they make those mistakes. These are important questions to answer, especially when the research shows that nearly half (43%) of employees say they’ve made a mistake at work that had security repercussions for themselves or their company. The findings reveal that younger employees are more likely to make mistakes, that men are more likely than women to fall for phishing scams, and that fast-paced company cultures are driving employees to make more mistakes. The research also outlines that those employees who are distracted (which many people are when working from home) or tired are more likely to fall for phishing scams.  Read the full report to learn more, including what security leaders can do to combat the problem. In a rush? You can read an overview of the key findings here. Microsoft Patches Critical 17-year-old DNS Bug in Windows Server As a part of Microsoft’s monthly security update – called Patch Tuesday – 123 security flaws across 13 products were fixed. The most severe? The flaw is known as CVE-2020-1350 Windows DNS Server Remote Code Execution Vulnerability, and points to a problem with Microsoft’s implementation of DNS that can result in a server improperly handling domain name resolutions requests.  Researchers say hackers can exploit this vulnerability and weaponize it to create wormable malware that would allow them to gain Domain Administrator rights and take control of an entire network. Patches are available for several versions of Windows Server, going back as far as 2003 and Microsoft has advised that organizations install the patch as soon as possible. Note: The vulnerability is limited to Microsoft’s Windows DNS Server implementation, so Windows DNS clients are not affected.   Biden Ups the Cybersecurity Game Ahead of Elections The 2016 election made it clear how important cybersecurity is in politics.  As a preventive measure, some (although very few) candidates’ in this year’s election have brought on Chief Information Security Officers (CISOs). The latest announcement came from Joe Biden who announced Chris DeRush – former CISO for the State of Michigan who has also served as a cybersecurity advisor in the White House and Department of Homeland Security – would fill the position for his presidential campaign.  Learn more about why political campaigns need CISOs on our blog.  India Has Banned TikTok. US May be Next TikTok – the popular social media application – has generated a lot of buzz throughout July. Why? According to a press release from India’s Ministry of Electronics & IT, it’s because the app (and 58 other Chinese-owned apps) are “hostile to national security” and “pose a threat to sovereignty”.  These concerns arose after a military stand-off between China and India in mid-June. Other countries are following suit. Both US and Australian authorities banned the use of the app for military personnel as more and more questions are being asked about the security of data and potential breaches of privacy.     Most recently, The House of Representatives voted 336-71 in favor of the National Defense Authorization Act, which includes an amendment banning TikTok from all federal devices. Meanwhile, TikTok  – who has recently hired an American CEO – has maintained that it doesn’t share data from its app with the Chinese government.  Walmart Accused of Mishandling Data in CCPA Lawsuit July 1 was the official enforcement data of the CCPA and, less than two weeks later, Walmart was sued in a class-action lawsuit. Why? A San Francisco man claims that his personal information – including his credit card – was sold on the dark web after the superstore was hacked.  Under the CCPA, companies can be fined up to $750 “per consumer per incident” and, because the man alleges that hundreds more customers were affected, Walmart could be hit with a big fine. For now, Walmart says it wasn’t hacked, maintaining that “Protecting our customers’ data is a top priority and something we take very seriously. We dispute the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information (PII)”. That’s all for this month! Did we miss anything? Email [email protected] You can also keep up with us on social media and check our blog for more updates. 
Human Layer Security Spear Phishing
Research Shows How To Prevent Mistakes Before They Become Breaches
By Maddie Rosenthal
22 July 2020
We all make mistakes. But with over two-fifths of employees saying they’ve made mistakes at work that have had security repercussions, businesses need to find a way to stop mistakes from happening before they compromise cybersecurity.  That’s why we developed our report The Psychology of Human Error, with the help of Jeff Hancock, a professor at Stanford University and expert in social dynamics online.  We wanted to understand why these mistakes are happening, rather than simply dismissing incidents of human error as people acting carelessly or labeling people the ‘weakest link’ when it comes to security. By doing so, we hope businesses can better understand how to protect their people, and the data they control.  Key findings: 43% of employees have made mistakes that have compromised cybersecurity A third of workers (33%) rarely or never think about cybersecurity when at work 52% of employees make more mistakes when they’re stressed, while 43% are more error-prone when tired 58% have sent an email to the wrong person at work and 1 in 5 companies lost customers after an employee sent a misdirected email  Read on to learn why this matters. What mistakes are people making?  The majority of our survey respondents said they had sent an email to the wrong person, with nearly one-fifth of these misdirected emails ending up in the wrong external person’s inbox.  Far from just red-faced embarrassment, this simple mistake has devastating consequences. Not only do companies face the wrath of data protection regulators for flouting the rules of regulations like GDPR, our research reveals that one in five companies lost customers as a result of a misdirected email, because the trust they once had with their clients was broken. What’s more, one in 10 workers said they lost their job.  !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); Another mistake was clicking on links in phishing emails, something a quarter of respondents (25%) said they had done at work. This figure was significantly higher in the Technology industry however, with 47% of workers in this sector saying they’d fallen for phishing scams. It goes to show that even the most cybersecurity savvy people can make mistakes.  Interestingly, men were twice as likely as women to fall for phishing scams. While researchers aren’t 100% sure as to why gender differences play a factor in phishing susceptibility, our report does show that demographics play a role in people’s cybersecurity behaviors at work.  What’s causing these mistakes to happen?  1. Younger employees are 5x more likely to make mistakes 50% aged 18-30 years olds said they had made such mistakes with security repercussions for themselves or their organization. Just 10% of workers over 51 said the same.  This disparity, our report suggests, is not because younger workers are more careless. Rather, it may be because younger workers are actually more aware that they have made a mistake and are also more willing to admit their errors. For older generations, Professor Hancock explains, self-presentation and respect in the workplace are hugely important. They may be more reluctant to admit they’ve made a mistake because they feel ashamed due to preconceived notions about their generations and technology. Businesses, therefore, need to not only acknowledge how age affects cybersecurity behaviors but also find ways to deshame the reporting of mistakes in their organization. 2. 93% of employees are stressed and tired Employees told us they make more mistakes at work when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%).  This is concerning when you consider that an overwhelming 93% of employees surveyed said they were either tired or stressed at some point during the working week. This isn’t helped by the fact that nearly two-thirds of employees feel chained to their desks, with 61% saying there is a culture of presenteeism in their organization that makes them work longer hours than they need to.  The Covid-19 pandemic has put people under huge amounts of stress and change. In light of the events of 2020, our findings call for businesses to empathize with people’s positions and understand the impact stress and working cultures have on cybersecurity.
3. 57% of employees are being driven to distraction 47% of employees surveyed cited distraction as a top reason for falling for a phishing scam, while two-fifths said they sent an email to the wrong person because they were distracted.  With over half of workers (57%) admitting they’re more distracted when working from home, the sudden shift to remote-working could open businesses up to even more risks caused by human error. It’s hardly surprising. We suddenly had to set-up offices in the homes we share with our young children, pets and our housemates. There’s a lot going on, and mistakes are likely to happen. 
4. 41% thought phishing emails were from someone they trusted Over two-fifths of people (43%) mistakenly clicked on phishing emails because they thought the request was legitimate, while 41% said the email appeared to have come from either a senior executive or a well-known brand.  Over the past few months, we’ve seen hackers impersonating well-known brands and trusted authorities in their phishing scams, taking advantage of people’s desire to seek guidance and information on the pandemic. Impersonating someone in a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns. Why? Because they know how difficult or unlikely it is to ignore a request from someone you like, respect or report into.  Businesses need to protect their people from these phishing scams. Educate staff on the ways hackers could take advantage of their circumstances and invest in solutions that can detect the impersonations, when your distracted and overworked employees can’t. !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); But how can businesses prevent these mistakes from happening in the first place?  To successfully prevent mistakes from turning into serious security incidents, businesses have to take a more human approach.  It’s all too easy to place the blame of data breaches on people’s mistakes. But businesses have to remember that not every employee is an expert in cybersecurity. In fact, a third of our survey respondents (33%) said they rarely or never think about cybersecurity when at work. They are focused on getting the jobs they were hired to do, done. !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); Training and policies help. However, combining this with machine intelligent security solutions – like Tessian – that automatically alert individuals of potential threats in real-time is a much more powerful tool in preventing mistakes before they turn into breaches.  Alerting employees to the threat in-the-moment helps override impulsive and dangerous decision-making that could compromise cybersecurity. By using explainable machine learning, we arm employees with the information they need to apply conscious reasoning to their actions over email, making them think twice before doing something they might regret. 
And with greater visibility into the behaviors of your riskiest and most at-risk employees, your teams can tailor security training and policies to influence and improve staff’s cybersecurity behaviors. Only by protecting people and preventing their mistakes can you ensure data and systems remain secure, and help your people do their best work. Read the full Psychology of Human Error report here.
Compliance Data Loss Prevention Human Layer Security
At a Glance: Data Loss Prevention in Healthcare
By Maddie Rosenthal
30 June 2020
Data Loss Prevention (DLP) is a priority for organizations across all sectors, but especially for those in Healthcare. Why? To start, they process and hold incredible amounts of personal and medical data and they must comply with strict data privacy laws like HIPAA and HITECH.  Healthcare also has the highest costs associated with data breaches – 65% higher than the average across all industries – and has for nine years running.  But, in order to remain compliant and, more importantly, to prevent data loss incidents and breaches, security leaders must have visibility over data movement. The question is: Do they? According to our latest research report, The State of Data Loss Prevention 2020, not yet. How frequently are data loss incidents happening in Healthcare? Data loss incidents are happening up to 38x more frequently than IT leaders currently estimate.  Tessian platform data shows that in organizations with 1,000 employees, 800 emails are sent to the wrong person every year. Likewise, in organizations of the same size, 27,500 emails containing company data are sent to personal accounts. These numbers are significantly higher than IT leaders expected.
But, what about in Healthcare specifically? We found that: Over half (51%) of employees working in Healthcare admit to sending company data to personal email accounts 41% of employees working in Healthcare say they’ve sent an email to the wrong person 35% employees working in Healthcare have downloaded, saved, or sent work-related documents to personal accounts before leaving or after being dismissed from a job Download the data sheet for more stats, including graphs. This only covers outbound email security. Hospitals are also frequently targeted by ransomware and phishing attacks and Healthcare is the industry most likely to experience an incident involving employee misuse of access privileges.  Worse still, new remote-working structures are only making DLP more challenging.
Healthcare professionals feel less secure outside of the office  While over the last several months workforces around the world have suddenly transitioned from office-to-home, this isn’t a fleeting change. In fact, bolstered by digital solutions and streamlined virtual services, we can expect to see the global healthcare market grow exponentially over the next several years.  While this is great news in terms of general welfare, we can’t ignore the impact this might have on information security.   Half of employees working in Healthcare feel less secure outside of their normal office environment and 42% say they’re less likely to follow safe data practices when working remotely.   Why? Most employees surveyed said it was because IT isn’t watching, they’re distracted, and they’re not working on their normal devices. But, we can’t blame employees. After all, they’re just trying to do their jobs and cybersecurity isn’t top-of-mind, especially during a global pandemic. Perhaps that’s why over half (57%) say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job.  That’s why it’s so important that security leaders make the most secure path the path of least resistance. How can security leaders in Healthcare help protect employees and data? There are thousands of products on the market designed to detect and prevent data incidents and breaches and organizations are spending more than ever (up from $1.4 million to $13 million) to protect their systems and data.  But something’s wrong.  We’ve seen a 67% increase in the volume of breaches over the last five years and, as we’ve explored already, security leaders still don’t have visibility over risky and at-risk employees. So, what solutions are security, IT, and compliance leaders relying on? According to our research, most are relying on security training. And, it makes sense. Security awareness training confronts the crux of data loss by educating employees on best practice, company policies, and industry regulation. But, how effective is training, and can it influence and actually change human behavior for the long-term? Not on its own. Despite having training more frequently than most industries, Healthcare remains among the most likely to suffer a breach. The fact is, people break the rules and make mistakes. To err is human! That’s why security leaders have to bolster training and reinforce policies with tech that understands human behavior. How does Tessian prevent data loss on email? Tessian uses machine learning to address the problem of accidental or deliberate data loss. How? By analyzing email data to understand how people work and communicate.  This enables Tessian Guardian to look at email communications and determine in real-time if a particular email looks like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. 
Interested in learning more about how Tessian can help prevent data loss in your organization? You can read some of our customer stories here or book a demo. You can also download this data sheet to share key statistics with others.
Data Loss Prevention Human Layer Security Spear Phishing
Research Shows Employees Are Less Likely To Follow Safe Data Practices At Home
26 June 2020
While organizations may have struggled initially to get their employees set-up to work securely outside of their normal office environment, by now, most have introduced new software, policies, and procedures to accommodate their new distributed teams.  Problem solved, right? Not quite. While 91% of IT leaders trust their employees to follow security best practice while out of the office, almost half (48%) of employees say they’re less likely to follow safe data practices when working remotely and a further 52% say they feel as though they can get away with riskier behavior when working from home.   In our latest research report, The State of Data Loss Prevention 2020, we explore the reasons why.  Key findings include: 50% of employees say they’re less likely to follow safe data practices when working from home because they’re not working on their usual devices. 48% of employees say they’re less likely to follow safe data practices when working from home because they feel as though they’re not being watched by their IT teams. 47% of employees say they’re less likely to follow safe data practices when working from home because they’re distracted. Read on to learn why this matters and what you can do to promote safer security practices in your organization.
Why is data loss prevention (DLP) harder when workforces are remote? 84% of IT leaders say that DLP is more challenging when employees are working remotely. It makes sense. One or two offices have become thousands of virtual offices which means maintaining visibility over data flow is more difficult than ever.  People are relying more heavily on email and other communication tools and are therefore sending data more frequently. Security and IT teams have limited control over how employees handle physical data (for example how they print, store, and dispose of documents). And there’s been a spike in inbound attacks like phishing since the outbreak of COVID-19.  This is to say that organizations are more vulnerable across email security, physical security, and network security. While there are tools to detect and prevent incidents, data loss prevention ultimately relies on people. After all, it’s people who control our systems and data. They’re the gatekeepers of an organization’s most sensitive information. But, despite IT leaders’ confidence and optimism (91% say they trust their employees to follow security best practice while out of the office), nearly half (48%) of employees say they’re less likely to.   !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); The question is: Why?
1. 50% of employees say they’re less likely to follow safe data practices when working from home because they’re not working on their usual devices. Most of us have dedicated workstations in the office and have grown accustomed to certain equipment. Whether it’s multiple monitors, a desktop, a keyboard, a printer, or a trackpad, we’re comfortable working on our usual devices.  At home, not all of us are so lucky. And, while security and IT teams around the world have worked hard to get their teams set-up at home, there have been delays and even cancellations in global supply chains providing laptops, cell phones, and other technology.  What to do about it: If you’re unable to get your employees the equipment they need, you should consider BYOD policies. We’ve covered the benefits, potential security risks, and tips for employers and employees in this blog: Remote Worker’s Guide To: BYOD Policies.  You can also implement training sessions for new devices to ensure your employees feel comfortable using them. (Be sure to also train your employees on any new applications or software!) 2. 48% of employees say they’re less likely to follow safe data practices when working from home because they feel as though they’re not being watched by their IT teams. While we can say with confidence that the average employee wants to do the right thing when it comes to security, it’s important to remember that first and foremost, they want to get their jobs done. And, if security policies, procedures, or software makes that difficult or prevents them from doing it all together, they’ll find a workaround.  In fact, 54% of employees say exactly that. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); In an office environment, it’s easier for IT and security teams to maintain visibility of employee behavior. They can see if someone isn’t locking their laptop. They can see if someone is using a USB stick when they shouldn’t. They can see if someone has skipped security training. But, IT and security teams aren’t just there to enforce rules. They’re also there to educate employees and build a strong security culture. That’s harder with distributed workforces.
What to do about it: Communicate, communicate, communicate. Whether it’s sharing information about new threats, reminding employees of security do’s and don’ts, or offering an individual or team kudos for secure behavior, you need to consistently remind your team not only that you’re there, but that you’re there to help. But, you shouldn’t over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. 3. 47% of employees say they’re less likely to follow safe data practices when working from home because they’re distracted. We’re not just working from home. We’re working from home during a crisis. It’s essential that security and business leaders keep this in mind. While most of us are trying to conduct “business as usual”, most of us are also dealing with a range of challenges. Parents have suddenly taken on the roles of teachers. Living rooms have been turned into makeshift coworking spaces for partners and roommates. Employees are navigating mass lay-offs and furlough schemes. Current social and political unrest is triggering emotional stress and anxiety. The bottom line: There’s a lot going on.  That means people are more likely to make mistakes. They may send an email to the wrong person. They may misconfigure a firewall. They may make sensitive documents public instead of private on a Google Drive. While these are “small” mishaps, they can have big consequences. In fact, each of the above incidents has caused a data breach.   What to do about it: Start by being empathetic and compassionate. Take the mental wellbeing of your employees seriously and give them the tools, resources, and support they need to thrive. We’ve put together some tips in this blog: 3 Practical Ways to Support Mental Wellbeing in the Workplace. Beyond that, though, you have to implement solutions that prevent human error. Why? Because it’s simply not fair (or realistic) to rely on people to do the right thing 100% of the time.  Tessian does this across three solutions: Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Curious how frequently these incidents are happening in your organization? Click here for a free threat report. How does Tessian support employees and security leaders working remotely? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands evolvong human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. 
Best of all: It works silently in the background across devices. That means employees can do their job without security getting in the way and they’re protected, wherever they work. Tessian bolsters training, reinforces policies and procedures, and enables employees to do their best work.  And, with Human Layer Security Intelligence, security, IT, and compliance leaders get clear visibility into employee behavior with visualized insights and automated threat intelligence. That means detecting and preventing human error is easier than ever and organizations can continuously lower the risks of misdirected emails, data exfiltration, and impersonation attacks.
To learn more about Tessian’s solutions, book a demo. And, for more insights around data loss on email (including the most and least effective solutions) read the report: The State of Data Loss Prevention 2020.
Page