You might have read about our D&I learning journey, the start of our journey to create a better Tessian and a better world. After such an illuminating learning series, it was tempting to dive straight into initiatives and solutions. But if we want to tackle such significant and impactful challenges, we can’t work on everything all at once. We need focus.  So we made an active decision to approach D&I with the rigor we bring to all aspects of work at Tessian…and that means data. We gathered data we knew could inform our broader D&I strategy and help us to narrow down focus areas where we could have sustainable impact.  Gathering the data The aim of our internal research was to understand: What our representation at Tessian looks like; and Whether the experience of Tessians varies according to personal attributes and protected characteristics On a voluntary basis, we asked all our Tessians to submit information about themselves using our engagement platform Peakon. We had great uptake, with 80-90% of Tessians providing information about their personal attributes. This allowed us to understand representation at Tessian, across different aspects of diversity, including gender, sexual orientation, religion, ethnicity, and age. From this we were able to: Segment anonymous employee experience feedback scores to identify groups (based on personal characteristics) who are having a different experience and; Conduct a pay gap and employee retention analysis Determining focus areas You might be thinking…how statistically significant is data when you’re a small company (for reference, we’re currently about 150 people)? We asked ourselves this question A LOT. With so few data points, we were reluctant to draw certain conclusions from our findings. Instead, we have treated our findings as indicators of places we need to go and do further research. The data isn’t the be all and end all of our understanding, but it does provide the signposts.  We paired these data insights with what we hear from the company anecdotally, and what we know to be the case in the tech industry. This gave us a good picture of where Tessian is with D&I today. But we still needed focus. So, we asked ourselves: Where are our biggest concerns? Where can we make a significant impact? These two simple questions helped us to identify the key focus areas of our D&I efforts this year. So…where did we land? Ensure every Tessian continues to feel like they’re supported, valued and belong at Tessian Improve ethnicity and gender representation across all levels of seniority at Tessian We believe by focusing in these areas we can create a long-lasting positive impact on diversity and inclusion, in Tessian and in our industry. Building our strategy Once we had our focus areas, we worked closely with our exec team to build the strategy and tactics we would commit to this year. These discussions with our exec team centred not only on how to make change for a better Tessian, but also initiatives that would help create a more diverse industry.  As the exec team were bouncing ideas on tactics, we were careful to keep in mind every point of the employee life cycle. When thinking about D&I, it’s easy to focus on top of funnel diversity in hiring. Improving representation through hiring is important, but on its own it’s not enough. It matters what Tessians experience once they’re through the door too.

Once we had committed to the steps we’re taking this year, we kicked off by presenting our research and our strategy to the whole of Tessian. Our employees don’t just want to know what we’ve found, they want to know what we’re doing about it and when. So as part of this presentation, we shared this 2021 D&I roadmap.

As we work our way through the roadmap, we will be communicating progress, wins and learnings every two weeks in our employee newsletter. We want every Tessian to stay super engaged in this work, and to have the opportunity to bring ideas and feedback to the table. How our work this year will create long-term solutions It’s no secret that today, the tech industry isn’t that diverse. If we want representation of  diverse people at Tessian, it’s not enough to draw from the existent talent pool, where so many groups are so underrepresented. By this we mean that it’s not enough for us to think about short term wins for Tessian’s stats. We need to be committed to making positive, sustainable change in the long term. And that means changing the whole industry, as well as Tessian.  We want to create opportunities for a range of people to move into tech, and make sure they want to stay! If we don’t, our CFO, Sabrina Castiglione, will tell you how no-one wins in this zero-sum game.  Our long term strategy is about growing and expanding the entry-level talent pool by creating junior jobs for people entering the tech industry, whether that’s in Sales or Engineering. But remember, we don’t just want to bring them in, we want them to stay, learn and grow! Only then will we get representation of diverse voices in senior positions.  To achieve this, we’re prioritizing the development of future leaders through well-defined growth frameworks across the company. Every Tessian creates a detailed growth plan, and by the end of the year, we’ll have a tailored growth framework for every single department at Tessian.  These tactics won’t move the needle on senior representation this year. Probably not next year either. But through them, we can change the game when it comes to diversity in tech. We want to see senior representation, and that means bringing in and building up fresh talent.  How to act today As well as the longer-term goals, we’re taking action on some short-term wins to ensure our business is an equitable and inclusive place for everyone today. Even before that representation has changed.  D&I needs to be baked into the culture of a business. And that doesn’t just mean D&I training alone.  It means we need to interrogate every single one of our People processes and ask “Is there opportunity for bias here?”.  It means we need to inspect our company communications and ask “Who has a voice here?” It means we need to listen to employee feedback and ask “Do people have an equitable experience here?” There’s nothing stopping us asking these questions today. And the good news is — we have the power to have a huge impact on the answers straight away. Want to keep up with our D&I journey? Subscribe to our weekly blog digest to be the first to hear about updates. Or, if you’d rather explore open opportunities at Tessian, click here. 

Developer experience is one of most important things for a Head of Engineering to care about. Is development safe and fast? Are developers proud of their work? Are our processes enabling great collaboration and getting the best out of the team?  But sometimes, developer experience doesn’t get the attention it deserves. It is never the most urgent problem to solve, there are lots of different opinions about how to make improvements, and it seems very hard to measure.  At Tessian the team grows and evolves very quickly; we’ve gone from 20 developers to over 60 in just 3 years.  When the team was smaller, it was straightforward to keep a finger on the pulse of developer experience. With such a large and rapidly growing team, it’s all too easy for developer experience to be overshadowed by other priorities. At the end of 2020, it became clear that we needed a way to get a department-wide view of the perception of our developer experience that we could use to inform decisions and see whether those decisions had an impact. We decided one thing that would really help is a regular survey.  This would help us spot patterns quickly and it would give us a way to know if we were improving or getting worse. Most importantly it gives everyone in the team a chance to have their say and to understand what others are thinking.  Borrowing some ideas from Spotify, we sent the survey out in January to the whole Engineering team to get their honest, anonymized feedback. We’ll be repeating this quarterly.  Here are some of the high-level topics we covered in the survey. Speed and ease To better understand if our developers feel they can work quickly and securely, we asked the following questions: How simple, safe and painless is it to release your work? Do you feel that the speed of development is high? !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

You can see we got a big spread of answers, with quite a few detractors. We looked into this more deeply and identified that the primary driver for this is that some changes cannot be released independently by developers; some changes have a dependency on other teams and this can slow down development.  We’d heard similar feedback before running the survey which had led us to start migrating from Amazon ECS to Kubernetes. This would allow our Engineering teams to make more changes themselves. It was great to validate this strategy with results from the survey. More feedback called out a lack of test automation in an important component of our system.  We weren’t taking risks here, but we were using up Engineering time unnecessarily. This led to us deciding to commit to a project that would bring automation here. This has already led to us finding issues 15x quicker than before:

Autonomy and satisfaction We identified two areas of strength revealed by asking the following questions: How proud are you of the work you produce and the impact it has for customers? How much do you feel your team has a say in what they build and how they build it? !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

These are two areas that we’ve always worked very hard on because they are so important to us at Tessian. In fact, customer impact and having a say in what is built are the top two reasons that engineers decide to join Tessian.  We’ve recently introduced a Slack channel called #securingthehumanlayer, where our Sales and Customer Success teams share quotes and stories from customers and prospects who have been wowed by their Tessian experience or who have avoided major data breaches (or embarrassing ‘Oh sh*t’ moments!).  We’ve also introduced changes to how OKRs are set, which gives the team much more autonomy over their OKRs and more time to collaborate with other teams when defining OKRs. Recently we launched a new product feature, Misattached File Prevention. Within one hour of enabling this product for our customers, we were able to share an anonymised story of an awesome flag that we’d caught.

What’s next? We’re running the next survey again soon and are excited to see what we learn and how we can make the developer experience at Tessian as great as possible.

Our list of 21 cybersecurity events to attend in 2021 features premier cybersecurity summits, like the International Cybersecurity Forum in France and National Cyber Summit in the US, alongside intimate and industry-specific events (and webinars) you won’t want to miss. Many of these events are hosted online, but a lot of organizers are planning to host their conferences face-to-face. Watch out for last-minute changes as the COVID-19 situation continues to evolve. Last updated April 16, 2021 Webinar: Account Takeover is an Issue, Your SEG Isn’t Enough Date: April 28, 2021 Location: Online External account takeover (ATO) attacks are a critical issue that hit many organizations today, and it happens more often than you think. They are considered one of the security industry’s most successful attack types. In fact, here at Tessian, we are seeing more attempts at these attacks than ever before, and they’re slipping right past Secure Email Gateways (SEGs) and other legacy email security tools. In this webinar: See real-world examples of external ATO attacks from our threat intelligence team at Tessian How ATOs bypass SEGs and why users fall for them Learn what tools can help you detect and avoid ATO breaches Cost to attend: Free 11th ACM Conference on Data and Application Security and Privacy (CODASPY) Date: April 26-28, 2021 Location: Online (Possible in-person enrolment available in the US, exact location TBC) This conference, organized by the Association for Computing Machinery (ACM) Special Interest Group on Security, Audit, and Control (SIGSAC), brings together academics and industry leaders to discuss security and privacy in software development. Applications, including mobile apps, are a key vulnerability of many systems. Read our article on zero-day vulnerabilities to learn about how hackers exploit software weaknesses. Software developers attending CODASPY will learn about cutting-edge research in the cybersecurity of software applications. Cost to attend: Free IAPP Global Privacy Summit Date: April 27-28, 2021 Location: Washington DC The International Association of Privacy Professionals (IAPP) is a globally-respected coalition of lawyers, developers, consultants, and other experts. The IAPP Global Privacy Summit features over 4000 attendees, at least 125 exhibitors, and more than 250 expert speakers. Privacy and cybersecurity are intertwined, and your business neglects on to the detriment of the other. Applying privacy-focused principles means collecting less personal information, deleting it when necessary, and — of course — storing it securely. The IAPP summit will feature sessions on data breach response, compliance with data protection laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), and privacy engineering. Cost: TBC FS-ISAC: Americas Spring Summit Date: April 27-29, 2021 Location: Online A lot changed with the shift to remote-working, and many of these changes are here to stay. But, these changes can be difficult to navigate. This three-day virtual summit – with speakers, panelists, and keynotes from Bank of America, Liberty Mutual, ADP and more – will help you stay at the forefront of these new technology trends and emerging paradigms. For a full program schedule, click here. Cost to Attend: Free for members CyberUK 2021 Date: May 11-12, 2021 Location: International Convention Centre Wales, Newport, Wales CyberUK is hosted by the UK’s National Cyber Security Centre (NCSC), a government unit that advises on cybersecurity. It’s one of the UK’s most important cybersecurity events and is a “must-attend” for industry leaders. The program for 2021 has not yet been set, but expect a full and varied range of talks, demos, and workshops. The last CyberUK agenda included sessions on identifying supply chain risks, building the cybersecurity profession, and using machine learning to boost defences. Cost to attend: Free for public sector employees. Private sector employees — Early bird: £849 + tax. Standard rate: £999 + tax CyberCon London 2021 Date: May 12-13, 2021 Location: Online CyberCon London features high-profile speakers bringing CTOs, CISOs, and IT directors up-to-date knowledge and practical advice on dealing with cyberthreats. Agenda items include panel sessions on fraud, remote working, and the costs of cybercrime —  plus lectures from world-renowned cybersecurity exxperts. Cost to attend: Standard: £95 + tax. RSA Conference San Francisco Date: May 17-20, 2021 Location: Online The theme for this year’s fully virtual RSAC? Resilience.  While a full list of speakers hasn’t been released, you can see what Linda Gray Martin, VP of RSA Conference, has to say about what you should expect in this video. “See” you there! Did you know 2021 marks the 30th anniversary of this event? International Privacy + Security Forum Date: May 24-26, 2021 Location: Online The International Privacy + Security Forum is organized by academics Daniel Solove and Paul Schwartz, both well-known figures in the world of privacy. The conference is open to privacy and security professionals from all walks of life. The event provides several sessions focusing on legal compliance with EU and California privacy law, plus workshops on data security law, health privacy, and data de-identification. Cost to attend: 2-day pass — $499 (general), or $299 (academic/NGO/government), 10% early bird discount before March 31. Infosecurity Europe 2021 Date: June 8-10, 2021 Location: Olympia London, Hammersmith, London. Infosecurity Europe features an eclectic range of exhibitors and networking opportunities for cybersecurity leaders across all industries. Many key players in cybersecurity are exhibiting in 2021, including Avast, Bitdefender, and SolarWinds. Public bodies, including the UK Department for Digital, Culture, Media and Sport (DCMS) and Nation Cyber Security Centre (NCSC), are also represented. Cost to attend: TBC National Cyber Summit 2021 Date: June 8-10, 2021 Location: Huntsville, Alabama The National Cyber Summit focuses on education, collaboration, and innovation, bringing together experts from government, academia, and industry to deliver an innovative, diverse, and accessible event. Speakers will include Robert Powell, Senior Advisor for Cybersecurity at NASA, Katie Arrington, Chief of Information Security Acquisition and the US Department of Defense, and Merritt Baer, Principal Security Architect at Amazon Web Services. Cost to attend: Full Access: Standard — $570, Onsite — $610. Student, Teacher/Faculty: Standard — $175,  Onsite — $200. Government: Free. Virtual Silicon Valley Cyber Security Summit 2021 Date: June 9, 2021 Location: Online The fourth annual Virtual Silicon Valley Cyber Security Summit features sessions from Verizon, IBM, and Chrome Enterprise. Attendees can attend sessions on: Identifying and avoiding insider threats, hosted by Sean Atkinson from the Center for Internet Security Combating ransomware, with Kristin Judge from the Cybercrime Support Network  The state of passwordless security, with HYPR’s George Avetisov. The event focuses on interactive discussion, so expect plenty of opportunities to network with colleagues and cybersecurity leaders. Cost to attend: $95 Regulatory Compliance Conference Date: June 13-16, 2021 Location: Hyatt Regency, San Diego, California With nations worldwide passing ever-stricter privacy and security laws, your business should take every opportunity to learn how best to remain compliant. Join “the nation’s top risk-based thinkers” to discuss the most pressing issues in regulatory compliance. This conference from the American Bankers Association features over 50 sessions to help banking and fintech organizations comply with consumer protection and data security regulations. Want to know more about balancing your security and compliance obligations? Read Security vs. Compliance: What’s The Difference? Cost to attend: TBC CogX Festival Date:  June 14-16, 2021 Location: London and Online With over 100,000 expected visitors (both in-person and online), ths hybrid festival features 1,000+ speakers covering 20 topics. The theme? “How do we get the next 10 years right?” For a list of topics, click here. For a list of speakers, click here.  Cost to Attend: £4-5,000 CISO Visions Virtual Cybersecurity Summit  Date: June 21-25, 2021 Location: Online CISO VISIONS is invitation-only for security executives.  Why is it exclusive? According to the event coordinators, it lets them cater to security leaders specific challenges and keep attendees in the company of the leaders driving progress in your field. At the event, you’ll be able to meet one-on-one with solution providers and learn from 30+ speakers driving innovation. Cost to Attend: Free (but you must apply!) PrivSec Global Date: June 22-24, 2021 Location: Online PrivSec Global returns on 22nd-24th June 2021 with over 200+ subject matter experts addressing prominent issues and challenges across 64 sessions, panel discussions, debates and fireside chats on data protection, privacy, security and beyond. Cost to Attend: Free British Legal Technology Forum 2021 Date: July 6, 2021 Location: Billinghurst, London The British Legal Technology Forum is Europe’s biggest legal technology conference and exhibition, featuring 2,500 square meters of exhibition space. BLTF 2021 is a crucial event for legal professionals, featuring talks from Prof. Richard Susskind, President of the Society for Computers & Law, and Bruna Pellicci, CTO at Linklaters.  Bonus: Tessian is the headline sponsor!  Want to learn more about how Tessian helps lock down email and prevent breaches for some of the world’s top law firms? Read our customer stories.  Cost to attend: Free International Conference on Cyber Security (ICCS) 2021 Date: July 19-22, 2021 Location: Fordham University, New York The International Conference of Cyber Security (ICCS), a collaboration between the FBI and Fordham University, is among the world’s premier cybersecurity events. Esteemed speakers from around the world will discuss how to address cyber threats in the private, government, academic, and law enforcement sectors. The 2021 agenda remains a work-in-progress, but previous ICCS events have featured presentations from the Director of National Intelligence (DNI), FBI, CIA, and NSA. Registration is limited to just 300 attendees. Cost to attend: $995. Cyber Security Tutorial (CST) and Law Enforcement Workshop (LEW): an extra $75 per session. WSTA: Smart, Fast, Effective: Cybersecurity in the Age of Analytics and Automation Date: July 21, 2021 Location: Online This seminar and panel session provides an overview of the threat universe facing financial cybersecurity firms.  You can expect to review operational security best practices, and dig deep into critical technology areas. Check out the agenda here. Cost to Attend: Members Only Black Hat USA 2021 Date: July 31-August 5, 2021 Location: Las Vegas and Online In its 24th year, this hybrid in-person and virtual event features virtual training sessions, briefings, and a Business Hall. More info coming soon! Cost to Attend: TBC Gartner Security and Risk Management Summit Date: September 20-22, 2021 Location: Orlando, FL Over four days, security, identity and access management, and risk management executives will come together to share valuable insights on establishing an effective, risk-based cybersecurity program.  Attendees will learn how to prepare for the new normal, with the tools they need to create agile security and IT risk management plans. For more information about speakers, click here. For more information about the agenda, click here. Cost to Attend: $3, 825 Cybersecurity Digital Summit for EMEA 2021 Date: October 19-20, 2021 Location: Online  This Cybersecurity Digital Summit, hosted by Cyber Security Hub, is a two-day event focusing on the main threats affecting the Europe, Middle-East, and Africa (EMEA) region. The summit follows on from Cyber Security Hub’s events focusing on the Americas and Asia Pacific (APAC) regions. According to Cyber Security Hub’s publicity, the EMEA region “seems to set the course for the regulatory framework that APAC (Asia Pacific) and the Americas are adopting.” Whether you’re a cybersecurity professional working in the EMEA region — or you’re based elsewhere and hoping to understand the threats emerging from EMEA — this event is for you. Cost to attend: Free

At the start of this year, Tessian started a podcast. Why? Because since we launched the Human Layer Security category in 2013, the human factor has become one of the biggest considerations in cybersecurity today. Every day, we are speaking to CISOs, CIOs, business leaders and security professionals about how to secure the human layer. And I’m not just talking about conversations related to how to stop the ever-rising number of phishing attacks. We’re talking about insider threats and security incidents caused by simple human error, too. We’re discussing ways in which CISOs can better understand their employees’ behaviors and ways of working, in order to build security strategies that protect them and empower them to do great work. And we’re talking about how to get buy-in from boards. Rather than keeping the conversations to ourselves, we wanted the podcast to provide a platform for inspiring IT leaders, thought-provoking academics, and ethical hackers to discuss why it’s so important for businesses to protect their people – not just machines and data – and share their learnings so that how other security teams can do it too.

It’s been a lot of fun and I’ve spoken to some incredible people. So here are my highlights and my top learnings as we close out Season 1 of the RE:Human Layer Security podcast: 1. CISOs are doing an amazing job in their relentless roles. As Simon Hodgkinson, former CISO at bp said, the job of the CISO is truly 24/7. And it’s becoming “more and more challenging as the threats become more advanced and regulatory landscapes become even more complicated”. Hearing the work that CISOs like Jerry Perullo at ICE, Ray Espinoza at Cobalt, Tim Fitzgerald at ARM and Anne Benigsen at Bankers’ Bank of West are doing to not only navigate these landscapes and keep their companies safe, but also to help make their people into security champions and make security as seamless as possible is really inspiring. 2. … and they want to do more. It was clear from the leaders I spoke that they have a “duty of care to continue raising awareness” and “invest in making sure people are able to do the right thing.” Some believe, however, there are more engaging ways to do it, while others think there is more work to be done to get employees to buy-in to the security cultures. It was great to understand how they plan to do this.

3. Security can learn so much from psychology. In one of my favourite episodes, academics Dr Karen Renaud and Dr Marc Dupuis question why businesses continually use fear – a short term emotion – to try and engender long-term behavioral change in cybersecurity. They also explain why the role of employee self-efficacy is so important to encourage safer security practices. Their insight into what factors make people more or less likely to adopt safe cybersecurity behaviors makes me question whether FUD in security has had its day? 4. If you don’t get to know your people well, the bad guys certainly will. Ethical hackers and social engineering experts like Craig Hays and Jenny Radcliffe explained how cybercriminals select their targets and methods of attack, emphasizing the need for companies – at manager level – to know their people really well. As Jenny said, “the answer to becoming a more secure organization […] is to know your humans better than the bad guys.”

5. Employees aren’t the weakest link. The age-old saying that people are the weakest link in security is something our guests don’t believe in. To Dan Raywood, people are neither the strongest or weakest link, but rather “an essential part of your business”. Tim Fitzgerald agreed, stating that, as security leaders, “we try to take a look in the mirror and say, are we providing these people with the tools they need to help them avoid these types of threats or scenarios?” It’s been a privilege to speak with all of our guests on the RE:Human Security Layer podcast and, if you haven’t already, I encourage you to listen to their interviews and subscribe to the show.  We’re now planning Season 2 so stay tuned for that – and if you’d like to get involved or hear more about what we’re doing, please contact me on LinkedIn or Twitter.  

While the title “Chief Information Security Officer” (CISO) is highly sought after, the job is tough.  On top of preventing threats and avoiding breaches, CISOs are also tasked with communicating risk, aligning with key stakeholders across the business, and – of course – managing a team of IT professionals. So, how do you keep your head above water and excel in your role?  We can’t offer a prescriptive answer to that question (sorry!), but we can tell you that staying connected with your peers – regardless of industry or company size – can help. After all, they’re right there in the trenches with you. Here’s a list of 12 CISOs you should connect with on both LinkedIn and Twitter for tips, advice, anecdotes, industry news, open tech roles, and even the occasional joke.  “The more you know”, right?  P.S. If you’re looking for tips on how to build better relationships and influence change within your organization, check out this article: Relationship 15: A Framework For Security Leaders.  Name: Bob Lord  Bio: CSO The Democrats, former CISO Yahoo, Rapid7 CISO in Residence, Twitter alum. Handle: LinkedIn | @BobLord Follow him for: Bob Lord is the Chief Security Officer at the Democratic Nationalist Committee and has held senior executive infosec positions at Twitter and Yahoo (he was actually Twitter’s first-ever security hire). He’s particularly active on Twitter and shares personal security hacks, debunks cybersecurity myths for his followers, and shares great advice for security leaders. Name: Window Snyder Bio: A security industry veteran and former Chief Security Officer at Square, Fastly, and Mozilla. Handle: LinkedIn | @window Follow her for: Window Snyder has more than 20 years of experience in cybersecurity and has held positions at some of the world’s biggest brands. She worked with Apple leading security and privacy features for OS X and iOS. Follow Window for posts about her experiences as a CISO (and a parent!) and details of her favorite cybersecurity events. Name: Michael Coates  Bio: Co-founder & CEO @Altitude Past: CISO @Twitter, Head of Security @Mozilla, @OWASP Chairman, Top 30 Security Startup. Handle: LinkedIn | @_mwc Follow him for: Michael Coates is the former CISO of Twitter and is the co-founder and CEO of a cloud data protection company. He’s made TV appearances and has been a speaker at the RSA Conference to share his experiences of being a leading CISO. Follow Michael for tips for CISOs and advice on how to work with security vendors.  Name: Azeem Bashir  Bio: Award-winning Global CISO | CDO |Cyber Security & Cyber Risk Leader | NED | Advisor | Speaker Handle: LinkedIn  Follow him for: Azeem Bashi held a number of CISO and CIO positions at confidential companies. Although his previous companies are a mystery, he must be pretty good given the endless awards he’s won and certifications he’s achieved. He’s also a board advisor, CISO mentor, speaker, and government advisor. Follow Azeem for the latest cybersecurity news about data breaches, attacks and, industry research.  Name: Kevin Fielder  Bio: Dad, CISO, Health and resilience coach, Podcaster. Lover of life and learning.  Passionate about helping people and building high-performing (security) teams. Handle: LinkedIn | @kevin_fielder Follow him for: Kevin has a huge range of CISO experience at companies ranging from Just Eat to WorldPay and FNZ Group. He’s also an active cybersecurity speaker, podcaster and is particularly active in the LinkedIn cybersecurity community. Follow Kevin for honest posts about life as a CISO (as well as honest posts about life as a Dad) and for his perspective on security attacks or breaches.  Name: Troels Ortering  Bio: Chairman, NED, award-winning CSO, passionate cybersecurity leader with a long track record in cybersecurity and privacy. Handle: LinkedIn  Follow him for: Troels has over 20 years of cybersecurity experience, including intelligence roles within the Danish Police, Group Chief Security Officer at Barclays, cybersecurity lecturing roles and, multiple board positions. Follow Troels for his perspective on the latest cybersecurity attacks and threat actors – as well as his views on best practices and how to stay protected.  Name: Lynwen Connick Bio: Chief Information Security Officer at Australia and New Zealand banking group(ANZ) Loves Travelling, Skiing, Mountain Biking & Orienteering. Handle: LinkedIn | @LynwenConnick  Follow her for: With 25 years of cybersecurity experience ranging from working in Australia’s Department of the Prime Minister and Cabinet to the CISO of one of the biggest banks in Australia – Lynwen is a great addition to your social timelines. Lynwen is highly active in the women in cybersecurity community, and shares cybersecurity events and groups that other women can get involved in. Follow Lynwen to hear about the work she’s done with the Australian Government, and for cybersecurity advice for the financial services and banking industry. Name: Dinis Cruz  Bio: CTO and CISO of @GlasswallCDR, Transformation agent, project leader of OWASP SBot and O2 Platform projects. Handle: LinkedIn | @DinisCruz  Follow him for: Dinis Cruz has over 20 years of experience in cybersecurity and software development, he’s also been nominated for CISO of the year and is currently writing a book. On social media, Dinis is all about knowledge sharing and contributing to the cybersecurity community. Follow Dinis for cybersecurity and general tech hacks, advice on how to apply for security roles, and details of cybersecurity events (plus you might even come across his TikTok account).  Name: Moty Jacob Bio: Moty is a long-time CISSP, holds Security Clearance, and has several Industry certifications including checkpoint’s CCSE, PCI-DSS AUDITOR, CCNA, Certified Ethical Hacker, and many others. Handle: LinkedIn Follow him for: Moty Jacob has a huge list of experiences in security from start-ups to Fortune 500 companies and national governments. As well as being a top leader in cybersecurity, Moty is also a leader in Diversity and Inclusion, with almost half of his security team being made up of women. Follow Moty for his hilarious and relatable cybersecurity memes and for honest posts about his experiences as the CISO at Dunnhumby.  Name: Christopher Porter  Bio: CISO, student of infosec, manager of risk, Dad, exerciser, and @UVA alum. Former @vzdbir author, @verisframework creator.  Handle: LinkedIn | @cdporter00 Follow him for: Christopher Porter is the CISO at Fannie Mae, he previously worked with Verizon to author Verizon’s Data Breach Investigations Report series and co-created the VERIS framework (Vocabulary for Event Recording and Incident Sharing). On social media, Christopher is committed to sharing cybersecurity research and posts about how to help close the diversity gap in the industry. Follow Christopher for the latest phishing intel, information about how the pandemic is affecting cybersecurity, and the occasional cybersecurity joke!  Name: Becky Pinkard Bio: Cyber security exec, published author & professional speaker. I do security because I love it.  Handle: LinkedIn | @BeckyPinkard Follow her for: Becky Pinkard has worked in the cybersecurity industry at some of the world’s leading brands since 1996 – from Blackberry and Vodafone to Aldemore and Barclays. She’s also a published author, a regular commentator on infosec events, and won CISO of the Year at the 2020 SC Awards, Europe. Becky is an active advocate for diversity and inclusion in cybersecurity on social media. Follow Becky for posts about open cybersecurity roles, her honest advice to other security leaders, and her incredible sense of humor.  Name: Bobby Ford Bio: Senior Vice President/Chief Security Officer at Hewlett Packard Enterprise Handle: LinkedIn Follow him for: Bobby Ford has held the position of CISO at world-leading organizations from Unilever and Abbott Labs to his current company – Hewlett Packard Enterprise. Bobby has also been an information security analyst for the Pentagon’s incident response team and spent much of his career in the Aerospace and Defence industry. Bobby is an active member of the cybersecurity community on social media – follow him for posts about improving diversity in cybersecurity, open tech roles, and the occasional throwback picture of his days in the army.  Have we missed anyone? Let us know! Email [email protected]  And, if you want to be the first to get your hands on blogs like this and others written just for security leaders like you, subscribe to our newsletter below.

The global COVID-19 pandemic has wreaked havoc on job markets. In the US, the unemployment rate stands at 6.2 percent and in the UK, it’s estimated that around 2.2 million people, or 6.5% of all workers, could be unemployed at the end of the year.  Cybercriminals are taking note.  When Tessian researchers analyzed suspicious emails relating to ‘unemployment’ and terms associated with unemployment that were flagged by our inbound solution Tessian Defender, they saw a notable spike in suspicious emails related to unemployment and COVID-19 in the week of 24th February – the week in which President Biden announced the third round of stimulus checks, which would send billions of dollars to people without jobs. Our researchers also noted a spike in suspicious activity during the week of 8th March which is when COVID-19 the stimulus checks started being received. They found that: In the week of 24th February, the number of suspicious unemployment and COVID-19 related emails was 40% higher than the weekly average of such emails detected since the start of 2021. The number of unemployment themed emails alone was 16% higher than the weekly average. In the week of 24th February, the number of unemployment and COVID-19 related emails was 50% higher than previous week.  In the week of 8th March, the number of suspicious unemployment and COVID-19 related emails was 51% higher than weekly average recorded since the start of 2021. The number of unemployment and COVID-19 related emails detected during this week was 69% higher than the previous week.  Over the last 12 months, cybercriminals have capitalized on the fear, uncertainty and doubt created by the global pandemic to make their scams as believable and convincing as possible. At the start of 2021, for example, Tessian reported a surge in newly registered domains related to the vaccine roll-out and confirmed that a number of these websites were malicious and designed to harvest people’s financial information and account credentials. Now, cybercriminals are launching scams to prey on people who are vulnerable, out of work and urgently looking for relief. They are well aware that these individuals may be applying a little less scrutiny to the messages they receive – especially if the emails appear to have come from a legitimate and trusted sender. How do unemployment scams work?  Here’s how a typical unemployment related scam works: A fake job posting is listed on legitimate job sites. Often, scammers will target small businesses to spoof or impersonate as it is less likely for these companies to monitor their job listings.  An applicant will respond to that ad and will be sent a generic email asking them to perform a task for the interview process. These phishing emails could contain malicious attachments that applicants are asked to download or links to fake websites that ask applicants to input sensitive or personal information. This information could, then, be used to commit identity fraud.  Scammers will also ask applicants to click on a link that refers them to a fake credit check website. Here, they will ask the applicant to share financial information or wire money. Cybercriminals can also identify targets via social media sites like LinkedIn. A recent report from Tessian found that 93% of people share job updates online, and while it’s common for people to let their networks know that they’ve been laid off and are looking for jobs, they are also unknowingly giving cybercriminals the information they need to craft convincing social engineering attacks that are designed to steal personal information.  The FBI has released warnings of unemployment scams, disclosing that many U.S. citizens have been victimized by bad actors “impersonating the victims and using the victims’ stolen identities to submit fraudulent unemployment insurance claims online.” In fact, figures from a watchdog for the U.S. Department of Labor reveal that Americans have lost a shocking $63 billion of unemployment funds during the pandemic to improper payments and fraud, while the Illinois Department of Employment Security reports having stopped around 1.1 million claims involving identity theft in the past year. In many cases, victims don’t even realize they’ve been targeted until they later try to file for unemployment insurance benefits, receive a notification from the state unemployment insurance agency or even get notified by their employer that a claim has been filed while the victim is still employed.

What can you do to avoid falling victim to the scams? It’s always worth remembering that an official government agency or state workforce agency (SWA) will not contact you out of the blue, asking you to apply for UI benefits via an email or a text. So if you do receive a message like this, then do not click on the links or comply with the actions. We also recommend that you: Inspect emails carefully. Look for the .gov URL in the sender’s email address and check that the sender’s email domain matches the sender’s name. Don’t click on anything unless it’s from a legitimate source. Verify the legitimacy of the sender by calling the organization or agency directly. Adopt two-factor authentication and try to not use the same password across different sites. Password generators like 1Password create unique passwords and protect them with encryption software. Monitor your bank accounts on a regular basis to check for any fraudulent activity.

Today, comprehensive visibility into employee risk is one of the biggest challenges security and risk management leaders face.  Why? Because most security solutions offer a limited view of risk and don’t offer any insights into the likelihood of an employee falling for a phishing attack or exfiltrating data.  Worse still, when it is available, risk information is siloed and hard to interpret.  Insights around security awareness training exist in seperate systems from insights related to threats that have been detected and prevented. There’s no integration which means security leaders can’t get a full view of their risk profile. Without integration and visibility, it’s impossible to take a tailored, proactive approach to preventing threats. It’s an uphill battle. You may not even know where to start… But, we have a solution.  With Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture with granular visibility into employee risk and insights into individual user risk levels and drivers.

This is the only solution that offers protection, training, and risk analytics all in one platform, giving you a clear picture of your organization’s risk and the tools needed to reduce that risk.  How does Tessian Human Layer Risk Hub work? With Tessian Human Layer Risk Hub, security leaders can quantify risk, take targeted actions, and offer the right training to continuously lower the risks posed by employees’ poor security decisions.  Let’s look at an example.  1. An employee in the Finance department is flagged as a high-risk user based on their access to sensitive information, their low level of security awareness training, and how frequently they’re targeted by spear phishing attacks.  Tessian looks at five risk drivers – accidental data loss, data exfiltration, social engineering, sensitive data handling, and security awareness – to generate individual risk scores. Each employee’s risk score is dynamically updated, decreasing when an employee makes the correct security decision, and increasing when they do something risky, such as clicking on a phishing email or sending company data to personal email accounts. 

2. Based on these insights, Tessian intelligently and automatically identifies actions teams can take within the platform (for example, custom protections for certain user groups) to reinforce policies, improve security awareness, and change behavior to help drive down risk.  Security teams can also implement additional processes and controls outside of Tessian to exercise better control over specific risks. 

3. With custom protections enabled, Tessian’s in-the-moment warnings help nudge employees towards safer behavior. For example, you could quickly and easily configure a trigger that always warns and educates users when they receive an email from a new domain, mentioning a wire transfer. But, even without custom protections,  Tessian Defender can detect spear phishing attacks with incredible accuracy. And, because the warnings are written in clear, easy-to-understand language, employees are continusouly learning and leveling up their security awareness. If targeted by a spear phishing attack, employees would receive a warning that looks something like this. 

4. With continuous protection and in-the-moment training, security leaders will see employees move from high-risk users to low-risk users over time. Risk scores and drivers are aggregated at employee, department, and company-level and are benchmarked against peers. This makes tracking and reporting on progress simple and effective. 

Benefits of Tessian Human Layer Risk Hub Tessian Human Layer Risk Hub enables security leaders to reduce risk and improve their organization’s security posture with unique insights you can’t get anywhere else. Targeted remediation at scale. With a bird’s eye view of your most risky and at-risk user groups, security leaders can make better decisions about how to distribute budget and resources, what mitigation measures to prioritize, and when to intervene. This goes beyond email. If you can see who has access to sensitive information – and how they’re handling that sensitive information – you’ll be able to create and update policies that really work.  More effective training. Every year, businesses spend nearly $300,000 and 276 hours on security awareness training. But, training is only effective when the messages are tailored and the employee is engaged. Tessian Human Layer Risk Hub gives security, risk management, and compliance leaders the insights they need to create tailored training programs that cut through. And, Tessian in-the-moment warnings help nudge employees towards safer behavior in real-time.  Clear ROI. Many solutions simply report risk; they don’t actually reduce risk. Tessian is different. Security leaders can easily measure and demonstrate how risk has changed over time, how the platform has proactively helped improve the organization’s security posture, and can even apply learnings from the platform to inform future decisions. The benefit? You’ll become a trusted partner across your organization.   Defensible audit. Tessian’s detailed reports and audit logs provide defensible proof against data breaches. If a risk is identified, you’ll be able to formally document all associated events, and track exposure, owner, mitigation decisions, and actions.  The bottom line: Tessian Human Layer Risk Hub gives security teams a unified view and a shared language to communicate risk to business, demonstrate progress towards lowering risk, and effectively secure their human layer.  Learn more about Tessian Interested in learning more about Tessian Human Layer Risk Hub? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about the new Human Layer Risk Hub, explore our customer stories, or book a demo now. And, to be the first to hear about new product updates, sign-up for our newsletter below.

Email remains the number one tool of business communication. The email network is open to practically anyone—and its flexibility, reliability, and convenience mean it’s not going away any time soon. But for all its benefits, email can also be a vector for serious cyberattacks. Social engineering attacks like phishing can lead to data breaches, malware attacks, and billions of dollars in losses for businesses worldwide. This article will explain the major types of email attacks, provide some data on how common they are, and consider the devastating impact that email attacks can have on your business. Types of email attacks First, we’ll walk you through some of the most common types of email attacks. Phishing Phishing can mean one of two things: An “umbrella term” meaning any social engineering attack that takes place via email. A type of email attack where the attacker sends a lot of malicious emails in an untargeted way. When we use “phishing” as an umbrella term, it refers to the most common type of email attack. Any malicious email that tries to trick you into clicking a link, opening a file, or taking any other action that causes harm, can be part of a phishing attack.  All of the other types of email attacks we’ll look at below are forms of phishing, if we use the term in this broad way. When we use “phishing” as a specific term, it means a “bulk” or “spray and pray” email attack, where the malicious email is sent to many unnamed recipients. Here’s an example:

What makes this a phishing email? There’s no addressee: It says “Hello,” not “Hello Rob.” The “update account now” button leads to a credential phishing page. Most importantly — Netflix didn’t send it! Want to know more about phishing? See our article What is Phishing? Spear phishing Spear phishing is an email attack targeting a specific individual. So, whereas bulk phishing uses a net — sending emails to as many potential victims as possible — spear phishing uses a spear to target one specific victim. Again, spear phishing is can also be an umbrella term, in that there are lots of different types of phishing attacks. Some of the examples below, including Business Email Compromise (BEC) and CEO fraud, are almost always spear phishing attacks. Why? Because whenever a phishing attack targets a specific individual, it’s a spear phishing attack. Here’s an example:

What makes this a spear phishing email? It targets a specific person. The “click here” link leads to a credential phishing website. Most importantly — you guessed it — DHL didn’t send it! For more information, see our article What is Spear Phishing? Business Email Compromise (BEC) Business Email Compromise (BEC) is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address. In the sense that the attacker is impersonating a business, the Netflix and DHL examples above are both BEC attacks. But we normally use “BEC” to refer to a more sophisticated form of email attack. For example, one of the biggest cyberattacks of all time is an example of BEC. Between 2013 and 2015, a Latvian cybercrime gang headed by Evaldas Rimasauskas scammed Facebook and Google out of around $121 million by impersonating their suppliers and sending fake invoices via email. Want to know more about BEC? See our article What is Business Email Compromise (BEC)? CEO fraud In a CEO fraud attack, the attacker impersonates a company executive and targets a less senior employee. Here’s an example:

What makes this a CEO fraud attack? The sender’s email address impersonates a real company executive (note the method here is email impersonation — ”microsott.com” — but other methods such as email spoofing are also common). The sender (“Leon”) puts a lot of pressure on the recipient (Tess). Stressed people make poor decisions. The attack involves wire transfer fraud. While not all CEO fraud attacks involve wire transfer fraud, this is a very common tactic. Want to know more about CEO fraud? See our article What is CEO Fraud? How common are email attacks? Email attacks are on the rise, and are now extremely common. According to the FBI’s Internet Crime Complaint Center (IC3), phishing incidents more than doubled from 2019 to 2020, costing victims over $54 million in direct losses. Verizon says 22% of breaches in 2019 involved phishing. Around 75% of organizations around the world experienced some kind of phishing attack in 2020. Want more data on phishing and other email attacks? See our article Phishing Statistics (Updated 2021). Consequences of email attacks What are the main consequences of email attacks on businesses and their customers? Data breaches: Attackers use techniques such as credential phishing to exfiltrate your customers’ personal information. Data breaches can attract investigations, regulatory fines, and class-action lawsuits. IBM estimates that the average data breach costs a business $3.86 million Malware: Some email attacks aim to deposit a malicious payload on the recipient’s device. This payload is normally some form of malware, for example: A virus, which can infect other devices on your network Spyware, which can log your keystrokes and online activity  Ransomware, which encrypts your valuable data and demands you pay a ransom to get it back. Wire transfer fraud: Spear phishing attacks—particularly if they involve BEC or CEO fraud—often attempt to persuade the target into transferring funds into a bank account controlled by the attacker. And it really works—that’s why the FBI calls BEC “the $26 billion scam” How to prevent email attacks Now you know about the most common types of email attacks. Want to learn how to protect your business from these types of cybercrime? Take a look at the resources below: How to Avoid Falling For a Phishing Attack | 6 Useful Tips Prevent Business Email Compromise | BEC CEO Fraud Prevention: 3 Effective Solutions

Building on our existing ISO 27001 security certification, Tessian is excited to announce that we have achieved Service Organization Control 2 Type 2 (SOC 2) compliance in the key domains of Security, Confidentiality and Availability with zero exceptions on our very first attempt. Achieving full SOC 2 Type 2 compliance within 6 months is simply sensational and is a huge achievement for our company. It reinforces our message to customers and prospects that Information Security and protecting customer data is at the very core of everything Tessian does.

The Journey We began the preparations for SOC 2 in September 2020 and initiated the formal process in October. Having previously experienced the pain and trauma of doing SOC 2 manually, we knew that to move quickly, we needed tooling to assist with the evidence gathering and reporting.  Fortunately we were introduced to VANTA, which automates the majority of the information gathering tasks, allowing the Tessian team to concentrate on identifying and closing any gaps we had. VANTA is a great platform, and we would recommend it to any other company undertaking SOC 2 or ISO 27001 certification. For the external audit part of the process, we were especially fortunate to team up with Barr Advisory who proactively helped us navigate the maze of the Trust Service Criteria requirements. They provided skilled, objective advice and guidance along the way, and we would particularly like to thank Cody Hewell and Kyle Helles for their insights, enthusiasm and support. Tessian chose an accelerated three month observation period, which in turn, put a lot of pressure on internal resources to respond to information requests and deliver process changes as required. The Tessian team knew how important SOC 2 was to us strategically and rallied to the challenge. Despite some extremely short timeframes, we were able to deliver the evidence that the auditors needed.  A huge team effort and a great reflection of Tessian’s Craft At Speed value. What Next? Achieving SOC 2 Type 2 is a crucial step for Tessian as we expand further into the large enterprise space. It’s also the basis on which we will further develop our compliance and risk management initiatives, leading to specialized government security accreditation in the US and Europe over the next year or two.