Tessian Blog

New research from the Ponemon Institute reveals that nearly 60% of organizations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months. Email was revealed as the riskiest channel for data loss in organizations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).    Key findings The Ponemon Institute surveyed 614 IT security practitioners across the globe to also reveal that:  Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)  Over a quarter (27%) of data loss incidents are caused by malicious insiders  It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email  Almost one in four (23%) organizations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient)

The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.    The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organization’s reputation (52%). One of our previous studies found that almost one-third (29%) of businesses lost a client or customer because of an employee sending an email to the wrong person. 

Lack of visibility creates data loss challenges    Organizations cannot protect what they can’t see. A lack of visibility of sensitive data that employees transferred from the network to personal email was cited as the most common barrier (54%) to preventing data loss. Further, over half of respondents (52%) report being unable to identify legitimate data loss incidents and standard employee data handling behaviors.     As a result, it takes security teams 72 hours, on average, to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email, and almost 48 hours to detect and remediate an incident caused by a negligent employee.   Greater education required for employees    The majority of organizations (73%) are concerned that employees do not understand the sensitivity or confidentiality of data they share through email. In addition, marketing and public relations departments are most likely to put data at risk when using email (61%), closely followed by production/manufacturing (58%) and operations (57%).    Despite these risks, organizations do not have adequate training in place. While 61% have security awareness training, only about half of IT security leaders say their programs properly address the sensitivity and confidentiality of the data that employees can access on email.    “This study showcases the severity of data loss on email and the implications it has for modern enterprises,” said Larry Ponemon, chairman and founder of Ponemon Institute. “Our findings prove the lack of visibility organizations have into sensitive data, how risky employee behavior can be on email and why enterprises should view data loss prevention as a top business priority.”

Tessian’s Chief Information Security Officer, Josh Yavor, said, “Most security awareness training programs focus on inbound threats, yet fail to adequately address the handling of sensitive data internally. But data loss – whether accidental or intentional – is a major threat and should be treated as a top priority.    “To create awareness and mitigate data loss incidents, organizations need to be proactive in delivering effective data loss prevention training while also gaining greater visibility into how employees handle company data. Security awareness training that directly addresses common types of data loss – including what’s okay to share with personal accounts and what’s not okay to take with you when you leave a company – and a culture that builds trust and confidence among employees will improve security behaviors and limit the amount of data that flows out of the organization.”  

Between 2018 and 2020, there was a 47% increase in the frequency of incidents involving Insider Threats. This includes malicious data exfiltration and accidental data loss. The latest research, from the Verizon 2021 Data Breach Investigations Report, suggests that Insiders are responsible for around 22% of security incidents. Why does this matter? Because these incidents cost organizations millions, are leading to breaches that expose sensitive customer, client, and company data, and are notoriously hard to prevent. In this article, we’ll explore: How often these incident are happening What motivates Insider Threats to act The financial  impact Insider Threats have on larger organizations The effectiveness of different preventive measures You can also download this infographic with the key statistics from this article. If you know what an Insider Threat is, click here to jump down the page. If not, you can check out some of these articles for a bit more background. What is an Insider Threat? Insider Threat Definition, Examples, and Solutions Insider Threat Indicators: 11 Ways to Recognize an Insider Threat Insider Threats: Types and Real-World Examples

How frequently are Insider Threat incidents happening? As we’ve said, incidents involving Insider Threats have increased by 47% between 2018 and 2020. A 2021 report from Cybersecurity Insiders also suggests that 57% of organizations feel insider incidents have become more frequent over the past 12 months. But the frequency of incidents varies industry by industry. The Verizon 2021 Breach Investigations Report offers a comprehensive overview of different incidents in different industries, with a focus on patterns, actions, and assets. Verizon found that: The Healthcare and Finance industries experience the most incidents involving employees misusing their access privileges The Healthcare and Finance industries also suffer the most from lost or stolen assets The Finance and Public Administration sectors experience the most “miscellaneous errors” (including misdirected emails)—with Healthcare in a close third place !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

There are also several different types of Insider Threats and the “who and why” behind these incidents can vary. According to one study: Negligent Insiders are the most common and account for 62% of all incidents. Negligent Insiders who have their credentials stolen account for 25% of all incidents Malicious Insiders are responsible for 14% of all incidents. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Looking at Tessian’s own platform data, Negligent Insiders may be responsible for even more incidents than most expected. On average, 800 emails are sent to the wrong person every year in companies with 1,000 employees. This is 1.6x more than IT leaders estimate. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Malicious Insiders are likely responsible for more incidents than expected, too. Between March and July 2020, 43% of security incidents reported were caused by malicious insiders. We should expect this number to increase. Around 98% of organizations say they feel some degree of vulnerability to Insider Threats. Over three-quarters of IT leaders (78%) think their organization is at greater risk of Insider Threats if their company adopts a permanent hybrid working structure. Which, by the way, the majority of employees would prefer. What motivates Insider Threats to act? When it comes to the “why”, Insiders – specifically Malicious Insiders – are often motivated by money, a competitive edge, or revenge. But, according to one report, there is a range of reasons malicious Insiders act. Some just do it for fun. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, we don’t always know exactly “why”. For example, Tessian’s own survey data shows that 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed.  While we may be able to infer that they’re taking spreadsheets, contracts, or other documents to impress a future or potential employer, we can’t know for certain. Note: Incidents like this happen the most frequently in competitive industries like Financial Services and Business, Consulting, & Management. This supports our theory. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); How much do incidents involving Insider Threats cost? The cost of Insider Threat incidents varies based on the type of incident, with incidents involving stolen credentials causing the most financial damage. But, across the board, the cost has been steadily rising. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Likewise, there are regional differences in the cost of Insider Threats, with incidents in North America costing the most and almost twice as much as those in Asia-Pacific. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, overall, the average global cost has increased 31% over the last 2 years, from $8.76 million in 2018 to $11.45 in 2020 and the largest chunk goes towards containment, remediation, incident response, and investigation. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, what about prevention? How effective are preventative measures? As the frequency of Insider Threat incidents continues to increase, so does investment in cybersecurity. But, what solutions are available and which solutions do security, IT, and compliance leaders trust to detect and prevent data loss within their organizations? A 2021 report from Cybersecurity Insiders suggests that a shortfall in security monitoring might be contributing to the prevalence of Insider Threat incidents. Asked whether they monitor user behavior to detect anomalous activity: Just 28% of firms responded that they used automation to monitor user behavior 14% of firms don’t monitor user behavior at all 28% of firms said they only monitor access logs 17% of firms only monitor specific user activity under specific circumstances 10% of firms only monitor user behavior after an incident has occurred And, according to Tessian’s research report, The State of Data Loss Prevention, most rely on security awareness training, followed by following company policies/procedures, and machine learning/intelligent automation. But, incidents actually happen more frequently in organizations that offer training the most often and, while the majority of employees say they understand company policies and procedures, comprehension doesn’t help prevent malicious behavior. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); That’s why many organizations rely on rule-based solutions. But, those often fall short. Not only are they admin-intensive for security teams, but they’re blunt instruments and often prevent employees from doing their jobs while also failing to prevent data loss from Insiders. So, how can you detect incidents involving Insiders in order to prevent data loss and eliminate the cost of remediation? Machine learning. How does Tessian detect and prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. It understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way. Interested in learning more about how Tessian can help prevent Insider Threats in your organization? You can read some of our customer stories here or book a demo.

Today we announce the appointment of our new Chief Financial Officer, Daniel Kim. Daniel has joined us to supercharge our fast-paced growth and unlock more opportunities in the North America market. Previously Daniel was at integrated security firm Lookout, where he oversaw and led all financial aspects, from business reporting and accounting to treasury and revenue operations. Before Lookout, he led the finance and sales operations functions at BigPanda.    We caught up with Daniel to hear why he decided to join the team. Here’s what he had to say. “Tessian’s compelling mission, seasoned leadership team, and their best-in-class intelligent cloud email security product, present a significant opportunity to modernize the enterprise, and I can’t wait to get started.”    

Our co-founder and CEO Tim Sadler is delighted with the appointment, saying “not only does Daniel share our mission of empowering people to do their best work, by intelligently protecting them on the channels they use most at work, but he also knows what it takes to lead a company through rapid growth. We are at a critical and exciting phase in our company growth and trajectory, and with Daniel’s track record, he is best-equipped to help Tessian continue to scale.”  

Over the last decade, phishing – a type of social engineering attack – has transformed from something more like spam to the threat most likely to cause a breach. During that same period, the number of adults on social media platforms like Facebook increased by almost 1,300%.   Every photo we post, status we update, person we tag, and place we check into reveals valuable information about our personal and professional lives. And hackers use this information to craft targeted – and effective – attacks at scale.

How big are our digital footprints?    Our digital footprints are bigger than ever. There are over: 2,701,000,000 users on Facebook 1,158,000,000 users on Instagram 722,000,000 users on LinkedIn 353,000,000 users on Twitter And it shouldn’t surprise you that, according to research, 90% of people post information related to their personal and professional lives online. This number is even higher among 18-34 year olds. And, across LinkedIn, Instagram, and Facebook, 55% of people have publicly visible accounts.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

When an account is public, anyone can see the information you post online, whether it’s a photo of your boarding pass, or a birthday shout-out to a colleague. Harmless, right? Unfortunately not.   This information is gold dust to hackers and makes reconnaissance impossibly easy.    Take the former Australian Prime Minister, Tony Abbott. He posted a picture of his boarding pass on Instagram. From the booking reference, hackers found his passport number and phone number – information that could have helped them gain access to other accounts, including sensitive personal and government information.   It didn’t take much work. According to an ethical hacker we spoke to, “Anyone who saw that Instagram post could also have [his passport number and phone number].”   Mr. Abbott isn’t the only person who posts this kind of information online…

32% of employees post business travel photos and updates. Nearly 72% mention birthday celebrations. 36% share information about their jobs. And don’t forget about all the information we share about our pets, partners, and children.     Hackers use all of it. Yep, even that photo of your pup.    How do bad actors use this information?   To understand exactly how hackers leverage all of this information, we have to look at a social engineering attack from start to finish.   First, a hacker identifies a target organization.    Depending on their motivations, they could choose an asset management firm with hopes of initiating a wire transfer or a pharmaceutical company with hopes of getting their hands on R&D. From there, they’ll research supply chains and vendors, study company org. charts, map employee relationships, and monitor individual behavior. And, by running scripts, they can do this automatically and at scale.     Why do all this reconnaissance? To pinpoint potential entry points, identify viable third-parties to impersonate, and to collect information (however subtle) that’ll help them nudge their targets towards unconscious (and conscious) confirmation and – eventually – trust and compliance. 

While behavior varies by region, most of us eagerly announce when we start a new job. In the US, almost everyone does – with 93% of employees in the US saying they update their job status on social media.   We share press releases about new clients and mergers and acquisitions. We post photos of our employee IDs and screenshots of Zoom calls. We tag our colleagues and customers in our updates and comment on theirs. We share all of this information regularly.    Almost half (43%) of us post every day, giving hackers up-to-date intelligence about where we’re working, who we’re working with, and what we’re working on.   Passwords play a role, too   When it comes to Business Email Compromise, information related to your professional life is important. But your personal information can be just as valuable.   Hackers can use information about your pets, partner, children, and even your interests to crack passwords and answer security questions, giving them full access to personal and work accounts, including password managers and even your email.    Don’t believe us? 21% of people use information like their favorite football team, their pet’s name, or birthdays when creating passwords and some of the most common security questions include: What is your mother’s maiden name? What was your first car? What elementary school did you attend? What year were you married?    This is all readily available online. 34% of people share the names of their pets, 34% mention their children/partner, and 40% share information about their interests.     People may even unwittingly share this information via gimmicks or memes that make their rounds on social media. For example, “name generators” that ask you to combine your pet’s name with your childhood street address. Sound familiar?

An example of a social engineering attack leveraging social media In this example of a social engineering attack, hackers use an OOO message and other publicly available information to initiate a wire transfer.   Type of Attack: CEO/CXO Fraud Industry: Financial Services Hacker Motivation: (Quick) Financial Gain

The hacker group monitors news wires for up-to-date information about banks in the United States to find their target, an asset management firm called SoBank.  They see that the company’s CFO – Andrew Neal – is OOO at a conference. Thanks to his OOO message, they’re able to identify their target, Tristan Porter. They also learn that Andrew goes by “Andy” at work. The hacker group sends a fabricated email chain that appears to be between Andy and Gregory Ellwood, Senior Partner at Dorling Clayton – SoBank’s advising firm – urging Tristan to make a wire transfer.

Cybersecurity best practice   Want to better manage your digital footprint and avoid being targeted by (and falling for) a social engineering attack?   Here’s a list of do’s and don’ts.

The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws. Under the GDPR, the EU’s data protection authorities can impose fines of up to up to €20 million (roughly $20,372,000), or 4% of worldwide turnover for the preceding financial year – whichever is higher.   Since the GDPR took effect in May 2018, we’ve seen over 900 fines issued across the European Economic Area (EEA) and the U.K. GDPR fines have ramped up significantly.   Let’s take a look at the biggest GDPR fines, explore what caused them, and consider how you can avoid being fined for similar violations. Last updated May 2022.

The biggest GDPR fines of 2020, 2021, and 2022 (so far)   1. Amazon — €746 million ($877 million) Amazon’s gigantic GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than the previous record. The full reasons behind the fine haven’t yet been confirmed, but we know the cause has to do with cookie consent.   And this isn’t the first time Amazon has been punished due to the way it collects and shares personal data via cookies. In late 2020, France fined Amazon €35 million after the tech giant allegedly failed to get cookie consent on its website.   How the fine could have been avoided: It’s tempting to force users to “agree” to cookies—or make opting out of cookies difficult—to collect as much personal data as possible. But regulators have shown some serious appetite for enforcing the EU’s cookie rules recently. If Amazon had obtained “freely given”, informed, and unambiguous opt-in consent before setting cookies on its users’ devices, the company probably could have avoided this huge GDPR fine.     2. WhatsApp — €225 million ($255 million) Mere months after Amazon’s colossal GDPR fine knocked Google off the number one GDPR fine spot, WhatsApp pushed Google into third place with a penalty nearly five times as large as the search giant’s previous record. Ireland slammed WhatsApp with A €225 million GDPR penalty after claiming that the messaging service had failed to properly explain its data processing practices in its privacy notice. Ireland is not known for issuing large fines, despite being the European home of nearly every US-based big tech firm. And even this penalty arrived only after other EU data protection authorities used the “one-stop-shop” mechanism to argue that it should have been higher. So what did WhatsApp do wrong? It’s complicated, and the company is appealing the decision. But it boils down to WhatsApp’s alleged failure to explain its legal basis for certain data processing—“legitimate interests.”   How the fine could have been avoided: The Irish DPA said that WhatsApp’s somewhat opaque privacy notice was at fault here—the company should have provided privacy information in an easily accessible format using language its users could understand. If you’re relying on “legitimate interests,” you must make sure you explain what those interests are in respect of each relevant processing operation.     3. Google Ireland — €90 million ($102 million) The French data protection authority (the CNIL) hit Google Ireland with this substantial fine on Jan 6 2022. The fine relates to the way Google’s European arm implements cookie consent procedures on YouTube. The Google Ireland fine was one of two fines issued as part of the same decision, with the other being levied against California-based Google LLC (which operates Google Search).   So what’s the issue? In a nutshell, the CNIL said that Google should have made it easier for YouTube users to refuse cookies. YouTube sets cookies on our devices to track our online activity for marketing purposes. It’s easy to accept cookies on YouTube, but harder to refuse them. The CNIL noted that refusing cookies required a user to make several clicks, whereas accepting cookies required just one click.   The CNIL justified the relatively high fine by pointing to the large number of people using YouTube and the huge profits that Google derives from the service. But wait a minute—doesn’t Google run its EU operations out of Ireland? How come the Irish regulator didn’t deliver this fine?   The reason, the CNIL contended, is that cookie regulation primarily falls under the ePrivacy Directive, not the GDPR, so regulators can take direct action against website operators in their jurisdiction rather than referring everything back to the organization’s “main establishment.” But the decision still qualifies as a “GDPR fine” because it’s the GDPR that determines how website operators obtain consent.   How the fine could have been avoided: Under the GDPR, consent must be “freely given”: equally easy to accept or refuse: if you can accept with one click, you should also be able to refuse with one click.     4. Facebook — €60 million ($68 million) Facebook’s second-largest GDPR fine (including its WhatsApp fine, above) came from the French data protection authority, the CNIL, on Jan 6, 2022. The social media giant earned this €60 million penalty owing to—you guessed it—failing to obtain proper cookie consent from its users.   The issue here mainly related to the unclear way in which Facebook provided a cookie opt-out. Like with Google (see above and below), accepting cookies on Facebook is a piece of cake—just click “accept.” Refusing them is a little more complicated.   How the fine could have been avoided: The CNIL drew attention to how Facebook’s cookie consent interface seemed to offer no option except “Accept Cookies”—even when it appeared that users were actually refusing them. The CNIL reflected that this language” necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it. Don’t confuse your users. Keep language simple and straightforward whenever you’re providing privacy information.     5. Google LLC — €60 million ($68 million) This Jan 6 fine against Google’s California headquarters came alongside the CNIL’s €90 million penalty against the search giant’s European establishment (see fine number 3, above). That larger sanction was levied against Google’s non-compliant setting of cookies on the YouTube platform.   Google LLC was hit with this €60 million blow on the same day for precisely the same reason—but in relation to its search website rather than its video-sharing platform.   How the fine could have been avoided: The takeaway in both Google cases is clear: make sure it’s as easy for your users to accept cookie consent as it is for them to refuse it.

6. Google – €50 million ($56.6 million)  Google’s fine, levied in 2019 and finalized after an unsuccessful appeal in March 2020, was the largest on record until August 2021.    The case related to how Google provided privacy notice to its users—and how the company requested their consent for personalized advertising and other types of data processing.   How the fine could have been avoided: Google should have provided more information to users in consent policies and granted them more control over how their personal data is processed.     7. H&M — €35 million ($41 million) On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed at the time.   H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers.   Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment.   How the fine could have been avoided: H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.   H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment.     8. TIM – €27.8 million ($31.5 million) On January 15, 2020, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years.    TIM’s infractions include a variety of unlawful actions, most of which stem from an overly aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.     How the fine could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.   9. Enel Energia — €26.5 million ($29.3 million) On January 19th, 2022 the Italian data protection authority (‘Garante’) publicized its decision to fine the multinational electric and gas supplier Enel Energia €26.5 million for a range of GDPR violations including failing to get user consent or inform customers before using their personal data for telemarketing calls.   The complex investigation was triggered after Garante had received numerous complaints concerning the receipt of unwanted promotional calls among other problems. The investigation covered Enel Energia’s business partners and included four separate requests for cumulative information, from December 2018 to July 2020, concerning a total of 135 files. Garante also reported that Enel Energia had not sufficiently cooperated with the investigation by failing to respond adequately (if at all) to a number of requests.   How the fine could have been avoided: Enel Energia should have provided more information to users in consent policies and granted them more control over how their personal data is processed. Once caught out, Enel Energia could have also lessened the consequences had they responded to requests by investigators.   10. British Airways – €22 million ($26 million) In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019.    So, what happened back in 2018? British Airway’s systems were compromised. The breach affected 400,000 customers and hackers got their hands on log-in details, payment card information, and travelers’ names and addresses.     How the fine could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, it seems BA didn’t even have basics like multi-factor authentication in place at the time of the breach.    Going forward, the airline should take a security-first approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.     11. Marriott – €20.4 million ($23.8 million)   While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened?    383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. Personal data like guests’ names, addresses, passport numbers, and payment card information was exposed.    Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.   How the fine could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systems with a stronger data loss prevention (DLP) strategy and utilized de-identification methods. 

12. Clearview AI — €20 Million ($20.5 Million)   In what is shaping up to be a busy year for the Italian data protection authority, Clearview AI has been issued a fine of €20 Million by Garante. The fine came on 10 February 2022, after several issues in connection with Clearview’s facial recognition products.  A number of infringements were found including the unlawful processing of personal biometric and geolocation data, and the breaching of several fundamental principles of the GDPR, such as transparency, purpose limitation, and storage limitation. Like Enel Energia, the company also failed to respond to requests in a complete and timely manner.   How the fine could have been avoided: Less is more – Clearview should have only collected and held on to data with a clear purpose, and been transparent about this decision-making with their customers. Better co-operation in the investigation would have also decreased the fine. 13. Meta (Facebook) Ireland — €17 Million ($18.2 Million) On March 15th, 2022 the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland €17 Million for issues which meant it could not readily demonstrate the security measures that it implemented to protect EU users’ data. This failure was spotted in 2018 after twelve personal data breaches were reported to the DPC. How the fine could have been avoided: In this case, these shortcomings were spotted before a more widespread breach occurred. To prepare for future threats, Meta should take a security-first approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.   14. Wind — €17 million ($18.2 million) On July 13, Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities.   The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe.   The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.    How the fine could have been avoided: Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could  demonstrate that sending marketing materials was in its “legitimate interests.”   For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date.     15. Vodafone Italia — €12.3 million ($14.5 million) Vodafone Italia’s November 2020 fine was issued in relation to a vast range of alleged GDPR violations, including provisions within Articles 5, 6, 7, 16, 21, 25, 32, and 33.   So what did Vodafone do that resulted in so many GDPR violations?    The company’s data processing issues included failing to properly secure customer data, sharing personal data with third-party call centers, and processing without a legal basis—all brought to light after complaints about the company’s telemarketing campaign.   How the fine could have been avoided: Vodafone’s marketing operations may have triggered the Italian DPA’s investigation, but the company’s data management and security were the fundamental issues here.   Vodafone might have avoided this large fine by conducting regular audits of its data and properly documenting all relationships with third-party data processors.     16. Notebooksbilliger.de — €10.4 million ($12.5 million) German electronics retailer notebooksbilliger.de (NBB) received this significant GDPR fine on January 8, 2021. The penalty relates to how NBB used CCTV cameras to monitor its employees and customers.   The CCTV system ran for two years, and NBB reportedly kept recordings for up to 60 days. NBB said it needed to record its staff and customers to prevent theft. The Lower Saxony DPA said the monitoring was an intrusion on its employees’ and customers’ privacy.   How the fine could have been avoided: The NBB’s fine reflects strict attitudes towards CCTV monitoring in parts of Germany. The regulator said NBB’s CCTV program was not limited to a specific person or period.   Using CCTV isn’t prohibited under the GDPR, but you must ensure it is a legitimate and proportionate response to a specific problem. The UK’s ICO has some guidance on using CCTV in a GDPR-compliant way.   17. Austrian Post — €9 million ($10.23 million) Austria’s largest GDPR fine hit in September 2021, when Austrian Post received a €9 million sanction for allegedly failing to facilitate data subject rights requests properly.   If a data subject hoped to access, delete, or rectify personal data held by the Austrian Post, the company provided a variety of mediums by which to make a request, including a web form, mail, or phone number.   The one means of communication that Austria Post did not recognize, however, was email—and the Austrian DPA said that the mail carrier should have allowed data subjects to submit a rights request via any medium they preferred.   How the fine could have been avoided: Austrian Post (which is planning to appeal the fine) should have processed data subject rights requests however they arrived—forcing data subjects to use a particular communication method and excluding email is not an acceptable way to facilitate their rights.   18. Eni — €8.5 million ($10 million) Eni Gas e Luce (Eni) is an Italian gas and oil company that was found to have made marketing phone calls without a proper legal basis.   While telemarketing is covered by the ePrivacy Directive, this is another example of how any processing of personal data without a proper legal basis can lead to a GDPR fine.   How the fine could have been avoided: Eni should have ensured it had a proper legal basis for telemarketing before calling any of its customers or leads. In this case, the Italian DPA said that the proper lawful basis would have been consent.

19. Vodafone Spain — €8.15 million ($9.72 million) Vodafone’s €8.15 million fine, issued by the Spanish DPA (the AEPD) on March 11, 2021, is actually made up of four fines for violating the GDPR and other Spanish laws covering telecommunications and cookies. The Vodafone fine stands as Spain’s biggest yet—in a year that has seen the AEPD issue several substantial GDPR penalties. The fine results from 191 separate complaints regarding Vodafone’s marketing activity. Vodafone was alleged not to have taken sufficient organizational measures to ensure it was processing people’s personal data lawfully.   How the fine could have been avoided: Vodafone’s complex series of legal violations all appear to have one thing in common: a lack of organization and control over personal data used for marketing purposes.   Whenever you outsource any processing activity to a third party—for example, a marketing agency—you must ensure you have a clear legal basis for doing so. Keep clear records, maintain data processing agreements with contractors, and regularly audit your processing activities to ensure they are lawful.   19. REWE International — €8 Million ($8.8 Million)   The Austrian Data Protection Authority (DPA) has fined Austrian food retailer REWE International €8 million after the mismanaging of the data of users involved in its loyalty program, jö Bonus Club. The subsidiary had been collecting users’ data without their consent and using it for marketing purposes.   However, REWE is set to appeal the decision, arguing that jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club. This comes hot off the heels of a 2021 fine after jö Bonus Club unlawfully collected millions of members’ data and sold it to third parties. The offense saw jö Bonus Club pay €2 Million. How the fine could have been avoided: There are a few things that could be done to stop these recurring fines – seeking consent from customers and applying the fundamental GDPR principles of transparency, purpose limitation, and storage limitation are good places to start. 20. Google – €7 million ($8.3 million) From a GDPR enforcement perspective, 2020 was not a good year for Google.    Along with the company losing its appeal against French DPA in January, March saw the Swedish Data Protection Authority of Sweden (SDPA) fining Google for neglecting to remove a pair of search result listings under Europe’s GDPR “right to be forgotten” rules.    How the fine could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”    You can find more information about how to comply with requests for erasure from the ICO here.  21. Caixabank — €6 million ($7.2 million) This fine against financial services company Caixabank is the largest fine ever issued by the Spanish DPA (the AEPD).    The AEPD finalized Caixabank’s penalty on January 13, 2021, breaking Spain’s previous record GDPR fine, against BBVA — issued just one month earlier. This suggests a significant toughening of approach from the Spanish DPA.   The first issue, which accounts for €4 million of the total fine, related to how Caixabank established a “legal basis” for using consumers’ personal data under Article 6. Second, Caixabank was fined €2 million for violating the GDPR’s transparency requirements at Articles 13 and 14.    How the fine could have been avoided: The AEPD said Caixabank relied on the legal basis of “legitimate interests” without proper justification. Before you rely on “legitimate interests,” you must conduct and document a “legitimate interests assessment.”    The company also failed to obtain consumers’ consent in a GDPR-compliant way. If you’re relying on “consent,” make sure it meets the GDPR’s strict “opt in” standards.   The AEPD criticized Caixabank’s privacy policy as providing vague and inconsistent information about its data processing practices. Make sure you use clear language in your privacy notices and keep them consistent across websites and platforms.   22. Cosmote Mobile Telecommunications — €6 Million ($6.6 Million)   In February 2022 the Greek data protection authority, the Hellenic Data Protection Authority (HDPA) fined Cosmote Mobile Telecommunications €6 Million.    The fine was issued after a hack in September 2020 led to customers’ private information being exposed, but the buck didn’t stop there. It was revealed that the company was illegally processing customer data – an activity that exacerbated the issues caused by the hack. To make matters worse, the private data was not fully pseudonymized, making it easier for hackers to identify individuals from the data.   Cosmote’s parent company, OTE group was then given an additional fine of €3.25 million after the Cosmote investigation determined that OTE should have been included in the process from the beginning but had not been.   How the fine could have been avoided: Unfortunately, this domino effect is not an uncommon occurrence that only highlights the importance of abiding by GDPR rules and principles. For a start, Cosmote should be only processing data legally, with purpose, and with proper encryption to ensure best customer security.    Secondly, this example demonstrates how devastating a hack can be. It has been reported that the hack that caused this breach was a phone hack – meaning secure internet connections, improved physical security and investing in security solutions are all good ways to prevent this from happening.   23. BBVA (bank) — €5 million ($6 million) This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020.    The BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month. Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions.   How the fine could have been avoided: The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages.   The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and use its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy.

24. Fastweb — €4.5 million ($5.5 million) Italy’s DPA (the Garante) fined telecoms company Fastweb €4.5 million on April 2 2021 for engaging in unsolicited telephone marketing without consent. In particular, the Garanta noted that Fastweb was using “fraudulent” telephone numbers that the company had not registered with Italy’s Register of Communication Operators.   How the fine could have been avoided: Fastweb’s fine derives from telemarketing rules that are set out in Italy’s implementation of the ePrivacy Directive, rather than the GDPR. However, the company still appears to have violated the GDPR by failing to obtain valid consent.   It’s important to remember this interplay between the EU’s main privacy laws. The ePrivacy Directive requires you to obtain consent for certain activities, but the GDPR sets the standard of consent—and the standard is very high.   25. Dutch Tax and Customs Administration — €3.7 Million ($4 Million)   In April 2022, The Dutch Tax and Customs Administration was fined €3.7 Million after the illegal processing of personal data in the Fraud Signaling Facility (FSV) – a blacklist on which the Tax and Customs Administration kept records of fraud. For more than six years, the Tax and Customs Administration had been wrongly putting people on the FSV – around 270,000 people in total – with major consequences for those on the list. The investigation revealed a number of GDPR violations including widespread discrimination, with employees instructed to base the risk of fraud in part on people’s appearance and nationality.   “People were often wrongly labeled as fraudsters, with dire consequences,” Dutch Data Protection Authority Chairman Aleid Wolfsen said in a statement. “The tax authorities have turned lives upside down with FSV.”   This is the highest fine that the Dutch Data Protection Authority (AP) has ever imposed, and reflects the seriousness of the violations as well as the number of people affected and the timespan over which the violations occurred. How the fine could have been avoided: In this extraordinary case, the issues spread beyond data security, with intent and impact both being malicious. It looks like The Dutch Tax and Customs Administration could do with brushing up on not just GDPR rules, but discrimination and equality laws as well.   26. Eni Gas e Luce — €3 million ($3.6 million) This fine is one of two imposed on the Italian gas and oil company Eni in December 2019. This is a complicated case involving the creation of new customer accounts—but it boils down to the failure of Eni to obey the GDPR’s principle of accuracy.   How the fine could have been avoided: Data protection is about more than just privacy—it also covers issues like records management. Eni should have ensured its customer records were kept accurate and up-to-date.     27. Capio St. Göran AB — €2.9 million ($3.4 million) Capio St. Goran is a Swedish healthcare provider that received a GDPR fine following an audit of one of its hospitals by the Swedish DPA. The audit revealed that the company had failed to carry out appropriate risk assessments and implement effective access controls. As a result, too many employees had access to sensitive personal data.   How the fine could have been avoided: Conducting a data protection impact assessment (DPIA) is mandatory under the GDPR for controllers undertaking certain risky activities or handling large-scale sensitive data.   Eni should have conducted such an assessment to determine which staff required access to medical records. Access to sensitive personal data should be restricted to those who strictly require it.     28. Iren Mercato — €2.85 million ($3.4 million) In June 2021, the Italian DPA fined energy company Iren Mercato for carrying out a telephone marketing campaign without obtaining proper consent. The phone calls were conducted by a third party marketing company acting as a data processor.   How the fine could have been avoided: Many of the fines on our list relate to telemarketing and the failure to obtain GDPR-valid consent.   Remember that even when using third-party services to conduct marketing campaigns, you could still be directly liable under the GDPR if you fail to establish a valid legal basis for processing personal data.   29. Foodinho — €2.6 million ($3 million) Groceries delivery service Foodinho received this substantial fine in June 2021, after the Italian DPA found the company had failed to obey the GDPR’s rules on “automated processing,” in this case the use of an algorithm to determine employees’ wages and workflow.   The company was also found to have violated the GDPR’s principle of “lawfulness, fairness, and transparency” by failing to provide employees with adequate information.   How the fine could have been avoided: Foodinho’s fine mainly relates to a relatively niche area of GDPR compliance—”solely automated processing with legal or similarly significant effects.”    In short, if you’re making purely AI-driven decisions about people that could impact on their finances, employment, or access to services, you must ensure you provide a human review of such decisions.   30. National Revenue Agency (Bulgaria) — €2.6 million ($3 million) This August 2019 fine against Bulgaria’s National Revenue Agency was issued after the organization suffered a data breach affecting 5 million people. The breached data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organizational measures to protect the personal data under its control.   How the fine could have been avoided: The Bulgarian National Revenue should have conducted a thorough risk assessment of its processing operations and taken effective steps to safeguard personal data.   While it’s not clear what caused this data breach, it’s worth noting that the FBI’s Internet Crime Control Center cites email as the number one threat vector in cybercrime. By securing your company’s email systems, you’re cutting off one of your major vulnerabilities and significantly reducing the likelihood of a data breach.

What else can organizations be fined for under GDPR?    While the biggest fines involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.    In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But, how do you prevent an accident? By focusing on people rather than systems and networks.   How does Tessian help organizations stay GDPR compliant?

Powered by machine learning, Tessian understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.    Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).   To learn more about how Tessian helps with GDPR compliance, you can check out this page, our customer stories or book a demo. 

Tessian Threat Intel introduces our key threat intelligence themes and topics we have been tracking for the month of April 2022.  The key theme this month focussed on Ukraine-related cyber threat campaigns. We expect nation-state related attacks to escalate in the wake of the Russia invasion. Recommendations for staying include following best practice as outlined by CISA  and NIST. Be sure to sign-up for our Threat Intel update to get this monthly update straight to your inbox.

Phishing campaigns escalated in the wake of the Ukraine invasion Ukrainian themed QR code crypto currency donation fraud featured prominently in phishing campaigns in the wake of the invasion Ramp-up of cyber retaliation by Russia against western countries and targets is expected in the coming weeks The Ukraine invasion is among the first inter- nation-state conventional conflicts to feature a cyber-war (hybrid war) component In order to disrupt nation-state campaigns in Ukraine, public-private partnerships as demonstrated by Microsoft will be key in addressing this threat vector The cyber insurance industry, already in choppy waters before the Ukraine invasion, is set for further turmoil concerning coverage limitations and premiums LinkedIn is now the most popular brand for impersonation in phishing attacks

Tessian Threat Intel have noted a significant escalation of phishing threats in the wake of the Ukraine invasion We take the view along with our colleagues that Russian affiliated APT groups are expected to escalate their attacks on countries allied with Ukraine, with the US, the UK, and the EU key targets in this regard Nation-state cyber attacks are expected to feature more prominently in conventional nation-state conflict based on recent outcomes from the Ukraine invasion  Cyber insurance premiums have doubled over the past 12 months, while coverage has dramatically been reduced A number of leading cyber insurance providers have recently amended their policy coverage to reflect this changing geopolitical risk landscape to specifically exclude acts of war

Threat actors take advantage of key events including conflict and natural disaster events as we witnessed during the recent pandemic Having dedicated executive support and resourcing for cybersecurity programs in the enterprise as outlined by CISA  is essential Defense in depth is key to reducing the likelihood of a successful breach Leveraging Threat Intel insights from your peers and from the cybersecurity vendor community is an important component to keeping aware of the rapidly evolving threatscape Cyber insurance is quickly becoming unaffordable to most small and medium sized companies. This may result in tough trade-offs for firms. Bottom line: Making strategic investments in cybersecurity programs is more important than ever.

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video, download our platform architecture whitepaper, or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Tessian, an intelligent cloud email security solution for the enterprise, prevents advanced email threats and protects against data loss. With email responsible for up to 90% of all breaches, rule based security solutions like Secure Email Gateways (SEGs) no longer cut it. This explains why 58% of cybersecurity leaders are actively looking to displace SEGs for the next generation of email security.   Next gen solutions like Tessian ensure significantly improved threat detection and prevention capabilities thanks to machine learning and behavioral user intelligence, and offer a simplified approach to solution integration and management.

Removing the pain from security management   Tessian’s API integration into both Microsoft 365 and Google Workspace cloud email environments enables deployment in seconds, and provides unparalleled protection within hours. No manual updates, complex mail rerouting, or MX record re-configuration is needed.   And, when customers integrate Tessian’s security event feed with other solutions, they’re able to streamline processes and workflows and get a more contextualized and complete risk profile of their environment, down to the employee level.   To help you better understand the value of Tessian with products like Splunk, Okta, and KnowBe4, let’s explore real use cases from our customers. 

Tessian + Splunk Customer: Financial Services Employees: 7,000 Tessian Products Deployed:  Enforcer and Guardian    Use case:  For one of our financial services customers, the integration of Tessian with Splunk has been essential in addressing insider threats and preventing data loss. The client ingests, triages and remediates Tessian’s alerts in its SOC which runs on Splunk.   By sending data to Splunk, the SOC is empowered to create dashboards for the key security events that they care about, for example users with the most flags, or top recipients of flagged emails. This data can be combined with metrics from other cybersecurity tools in the environment to form a more comprehensive risk profile. For example, correlating the data from Tessian with endpoint security alerts enabled the client to get a deeper level of risk understanding viewed from a single pane of glass.   From here the client is able to create workflows through ServiceNow, which allows streamlining of Tessian’s security feeds into existing security workflows.   Some of the key benefits of Tessian and Splunk integration include:   Setting up custom alerts Triaging security events Identifying risky users Easy reporting of risk to the risk committee

Tessian + Sumo Logic Customer: Financial Services Employees: 3,100 Tessian Products Deployed:  Defender, Enforcer, and Guardian   Use Case: Sumo Logic is a central source for log analysis and is often a starting point for remediation workflows. Tessian has a native app built to Sumo Logic’s Modern Enterprise Security Architecture (MESA). With this native app, Sumo Logic users can ingest Tessian alerts and correlate them with other events.    One of our financial services clients uses Sumo Logic for log correlation and analysis. By feeding logs and alerts into Sumo Logic, enables the client to quickly identify spikes in anomalous email activity, for example:  misdirected email (Guardian), unauthorized email (Enforcer) and phishing emails (Defender).    Once a verdict has been delivered on an email, the SecOps team is in a position to take mitigating actions. 

Tessian + Okta  Customer: Financial Services Employees: 1, 200 Tessian Products Deployed: Defender, Enforcer, and Guardian    Use case:  The Tessian integration with Okta enables clients to use Okta’s Universal Directory to set specific email security policies for user groups based on risk. For example, one client in financial services leverages the integration to enforce more stringent email security rules for the finance department – responsible for sending and receiving sensitive financial data.    Tessian is leveraged to target these specific user groups with email security policies that ensure safe email behavior and prevents email related data loss.    The integration with Okta enables greater security flexibility for user groups, rather than a standard one-size fits all approach to security policy orchestration.

Tessian + CrowdStrike + Netskope Customer: Healthcare Employees: 16,500 Tessian Products Deployed: Defender, Enforcer, and Guardian    Use case: A growing number of Tessian clients, such as one in healthcare, is using Tessian as an integral security pillar to keep their enterprise safe from external and insider threats, particularly concerning data loss.   Tessian is seen as one of core security pillars keeping employees and the email ecosystem safe. Other key security pillars and best-in-breed solutions include CrowdStrike for endpoint and Netskope for cloud security – deployed alongside Tessian.    By leveraging Tessian in combination with these tools enables a defense in depth approach, giving security practitioners peace of mind that they have the best tools in place to keep their employees and their data safe.

Tessian + KnowBe4 Customer: Pharmaceuticals Employees: 650 Tessian Products Deployed: Defender   Use case: The Tessian integration with Knowbe4 gives organizations more visibility into phishing risk by identifying the employees who are most likely to fall for phishing attacks. Tessian ingests KnowBe4’s Phish Prone Score and combines it with our own Risk Score, presenting a more comprehensive risk profile for each employee.   This way, security teams can customize security policies and training programs for more targeted and engaging security awareness for specific employees rather than a blanketed approach – that often lacks context.    After deploying Tessian to bolster KnowBe4, one pharmaceutical company saw click through rate drop significantly from 20% to below the industry benchmark of 3%. Another Tessian client in the financial services sector summed up the value of the Tessian and KnowBe4 integration:

Click here to book a demo of our market leading cloud email security and DLP platform.

Many organizations spend significant time and effort on counter-phishing programs and training. The emphasis of these mitigation is always preventing the click; how to see it, how to stop it, and how to report it in a timely manner.   Rarely though, does anyone ask why the end user clicks on a malicious email. There’s a variety of psychological triggers that prompt a bad outcome of clicking on malspam, but an interesting one is that you might have trained them to do it.

And if you think email is dead, think again. A 2019 study by Adobe Analytics found US-based workers spend an average of 3 hours a day managing work email. Practically speaking, no one can directly engage with that much email using 100% of their critical thinking capacity.     As a result, users tend to rely on heuristics to manage the cognitive load, such as rules sorting content into different folders, only reading subject lines, or sometimes ignoring some types of messages altogether.   In somewhat of an escalating arms race for attention, corporate comms teams can often add things like “ACTION REQUIRED”, “URGENT”, highlight portions of text, or load up the email with HTML and various trackers. Many people view those sorts of messages as just petty annoyances, but let’s take a look at some actual phishes to see why they might actually be dangerous.

As we can see, two scammers attempting to impersonate Tessian executives rely very heavily on a sense of urgency to short circuit critical thinking skills that would easily catch out these phishes.     While on their own they’re not very sophisticated at all, when sent to an organization that bombards their users with urgent action required emails, the environment has already trained the users to look out for and at least open such messages.  As a result, false urgency is very frequently found in almost any malicious email. Let’s look at how formatting can abuse user trust as well.

This looks pretty good for the average phish, but we can mark it as malicious due to poor language skills alone. However, IT teams will commonly use formatting very similar to this to announce server upgrades and request user action.     Organizations will hide links behind buttons to be “friendly’, use red text to highlight a tl;dr, or use bolding liberally to draw the eye. While a deep read will reveal the above phish as fraudulent fairly easily, a user inundated with email is not going to deep read anything – especially if their IT team uses similar formatting on a regular basis.

A positive counterexample   Microsoft, once renowned for the most inscrutable error messages of all time in earlier versions of Windows (see above), has been putting increasing thought into how to communicate in effective ways with the end user. Let’s see how they communicate that a user’s operating system is at end of life for support.    

This can serve as a reasonable guide to how to communicate facts to the end user and request an action be taken. The negative outcome is centered, at the top, and large enough to be read first, but without any highlights or red text to suggest undue urgency.     Consequences of this outcome are listed clearly in idiomatically correct and simple English.  Lastly, the recommended action (clicking to be guided to an upgrade page) is gently highlighted but not required, and other options are presented to the user to avoid any pressure for a particular action.    Going against the grain of most corporate communications that tend to be quite directive, Microsoft is presenting simple facts in a clean, unhurried way, and providing options for action at the end user’s preferred pace.     Taking design cues from this error message can prompt a harried employee relying on heuristics rather than close reading to slow down and only take action when they have the resources to do so in a considered manner.  

Lessons learned   Sending messages to your employees that share design cues with phishes is not a great security outcome.  So how do we do better?  Comprehensive phishing solutions can catch a lot of nastiness on the front end and keep it out of the inbox.  But empowering users to spot and flag malicious content on their own can be a great adjunct strategy to catch threats that never make it to security staff.  We can help them do that by taking a deep look at what sort of information handling environment the user lives in and designing communication that makes full use of critical thinking easier rather than harder.  The above attacks were all caught via Tessian’s Defender module, with end user warnings like the one here.  Breaking up the user’s typical email experience and providing clear, simple information necessary to make a good judgment on the emails’ authenticity.    In these instances, augmenting technical controls by giving the user timely guidance helped us enable good outcomes for the attacks.  As with most email attacks, focusing on human factors has been a very effective force multiplier in keeping the organization safe.

Cybercrime is big business. But just how big? Well, big. A recent report from Cybercrime Magazine predicted cybercrime would cost the world $10.5 trillion annually by 2025. Bear in mind that estimates in 2020 were just over half that, at $6 trillion, and up from $2.9 trillion in 2015. So ,why is there a cybercriminal gold rush? And why are attacks getting increasingly more sophisticated, more numerous, and more successful?

Legacy solutions are no match for today’s attacks   As we noted in our recent Spear Phishing Threat Landscape Report, attacks are getting more sophisticated and are bypassing traditional defense systems like rule-based Secure Email Gateways (SEGs). We know this because we examined platform data and found that between July 2020 and July 2021, Tessian scanned nearly 4 billion emails and flagged nearly 2 million as malicious. These emails sailed right past our customers’ Secure Email Gateways (SEGs) and native tools and would have left employees as the last line of defense if it wasn’t for Tessian. Not only that, attacks are getting more frequent. Cybersecurity Magazine estimated a new ransomware attack hits every 11 seconds.    Oftentimes, big problems (like paying out millions for a ransom) can be traced back to small oversights. Like not using Multi-Factor Authentication (MFA). This is particularly common in mid-market SMEs, despite the fact that Microsoft Research found that MFA blocks 99.9% of all automated attacks. As Dave Kennedy, Founder of TrustedSec said at our Spring 2022 Human Layer Security Summit, just 22% of O365 users have MFA enabled. And so attackers can target these firms much more easily. SMEs also have smaller budgets and headcount allocated to cyber compared to the enterprise. The result: 60% of SMEs file for bankruptcy within six months of a breach. 

https://www.tessian.com/wp-content/uploads/2022/04/MFA-quote-Dave-Kennedy-Trusted-Sec.m4v

Email is inherently flawed   If someone broke into your office, chances are you’d know about it quickly and do something about it. Unfortunately, the same doesn’t apply to many organizations’ networks and inboxes. From a simple way of sending asynchronous ASCII messages between user accounts on an academic network in the 1970s, email has grown into a world-devouring beast that is the very backbone of commerce and information exchange. Over 7 billion users globally send and receive 333.2 billion emails a day. Such a vast user base means email is the number one threat vector. 

After all, for many, moving data via email IS their job. What’s more, email is on all our devices: desktops, tablets, and phones. But as Will Patterson, Enterprise Customer Success Lead, notes in this webinar, email has some inherent problems when it comes to security. Firstly, it’s open (in that you can email anyone) and secondly, email attacks are cheap to deploy; they’re effective and can be launched from anywhere. A big audience and low entry bar make it the ideal medium in which to conduct attacks.   It’s no wonder 90% of phishing occurs via email.

Cybercrime pays out – big time   Cybercriminals continue to attack because those attacks continue to be successful, netting potentially hundreds of thousands of dollars from companies for little effort and risk (compared with other types of crime).    The international nature of cybercrime adds another layer of complexity and helps shield attackers from law enforcement. According to the FBI, in 2021, BEC scammers made over $2.4 billion – far more than via any other type of cybercrime. Of course, the cost to the company isn’t just these initial losses, it’s the further costs of containing, reporting, and remediating the breach. IBM currently puts the cost to businesses at $4.24 million per breach. 

It’s faster, easier, and cheaper than ever to execute attacks   With such a big potential target group, attackers are using automation and off-the-shelf tools to not only launch attacks but process the data they exfiltrate in the process. And as James McQuiggan, Security Awareness Advocate at KnowBe4, said at our Fall Human Layer Security Summit, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. So if criminals are automating many of their repetitive processes, you should too.   Not only that, but it’s also easier and cheaper than ever to execute attacks, and technical skills are no longer required. There are numerous tools, platforms, and services that make executing attacks as easy as building a webpage. The following open-source intelligence (OSINT) apps and tools can be used to gather precise information about a person’s social media details, location, and their work email address, making it impossibly easy to identify and manipulate a target.  

Security teams are burned out   Against this cybercrime tsunami stands the CISO and the company’s security team, and the daily battle to keep employees and the organization safe. That’s taking its toll on security teams, who are often stressed and burned out. Our Lost Hours Report found CISOs regularly working extra hours and overtime to keep the company secure from threats.    The CISOs we surveyed worked, on average, 11 hours more than they’re contracted to each week. Nearly 1 in 10 work 20-24 hours more a week. What’s eating up that time is dealing with potential breaches. A quarter of respondents say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day.    A global study by The Ponemon Institute found that the average amount of time required to identify a data breach is 197 days. that’s over six months. It then takes another 69 days on average to contain and deal with the fallout of that breach. Better alerts and warning systems, as well as swift procedures in place to respond to them, are a must. Over six months is more than enough time to wreak havoc in a network. In medicine, there’s the concept of ‘the golden hour’, security needs to aim for a golden 24 hours because the faster an organization can respond the better and faster its recovery will be. 

Employees are busy, stressed, and distracted   The modern workplace is a fuzzy blend of devices (laptop/phone) and locations (home/office/coffee shop etc) with people constantly switching between them trying to juggle, on average, around 100 emails a day. You can see why our Psychology of Human Error report found that 26% of people fell for a phishing email at work in the last 12 months alone. People are maxed out trying to do their jobs, and it’s exactly this pressure that attackers are looking to exploit and manipulate, which underscores the important of building a positive security culture alongside HR.   So, as cybercrime is becoming more and more profitable, here’s what you need to do to strengthen your security stack and keep your people and organization safe:   Layer up your security stack with Integrated Cloud Email Security (ICES) to augment your SEG Implement better email monitoring Automate repetitive security tasks Improve your response time and processes Work with the people team on fostering a positive security culture and engaging security awareness training programs And don’t forget to switch on MFA ASAP!