Tessian Culture
How We Created a D&I Strategy to Maximize Impact
By Amina Godfrey
Monday, April 19th, 2021
You might have read about our D&I learning journey, the start of our journey to create a better Tessian and a better world. After such an illuminating learning series, it was tempting to dive straight into initiatives and solutions. But if we want to tackle such significant and impactful challenges, we can’t work on everything all at once. We need focus. So we made an active decision to approach D&I with the rigor we bring to all aspects of work at Tessian…and that means data. We gathered data we knew could inform our broader D&I strategy and help us to narrow down focus areas where we could have sustainable impact.
Gathering the data
The aim of our internal research was to understand:
What our representation at Tessian looks like; and
Whether the experience of Tessians varies according to personal attributes and protected characteristics
On a voluntary basis, we asked all our Tessians to submit information about themselves using our engagement platform Peakon. We had great uptake, with 80-90% of Tessians providing information about their personal attributes. This allowed us to understand representation at Tessian, across different aspects of diversity, including gender, sexual orientation, religion, ethnicity, and age. From this we were able to:
Segment anonymous employee experience feedback scores to identify groups (based on personal characteristics) who are having a different experience; and
Conduct a pay gap and employee retention analysis
Determining focus areas
You might be thinking…how statistically significant is data when you’re a small company (for reference, we’re currently about 150 people)? We asked ourselves this question A LOT. With so few data points, we were reluctant to draw certain conclusions from our findings. Instead, we have treated our findings as indicators of places we need to go and do further research. The data isn’t the be all and end all of our understanding, but it does provide the signposts.
We paired these data insights with what we hear from the company anecdotally, and what we know to be the case in the tech industry. This gave us a good picture of where Tessian is with D&I today. But we still needed focus. So, we asked ourselves: Where are our biggest concerns? Where can we make a significant impact? These two simple questions helped us to identify the key focus areas of our D&I efforts this year. So…where did we land?
Ensure every Tessian continues to feel like they’re supported, valued and belong at Tessian
Improve ethnicity and gender representation across all levels of seniority at Tessian
We believe by focusing on these areas we can create a long-lasting positive impact on diversity and inclusion, in Tessian and in our industry.
Building our strategy
Once we had our focus areas, we worked closely with our exec team to build the strategy and tactics we would commit to this year. These discussions with our exec team centred not only on how to make change for a better Tessian, but also on initiatives that would help create a more diverse industry. As the exec team were bouncing ideas on tactics, we were careful to keep in mind every point of the employee life cycle. When thinking about D&I, it’s easy to focus on top-of-funnel diversity in hiring. Improving representation through hiring is important, but on its own it’s not enough. It matters what Tessians experience once they’re through the door too.
Once we had committed to the steps we’re taking this year, we kicked off by presenting our research and our strategy to the whole of Tessian. Our employees don’t just want to know what we’ve found, they want to know what we’re doing about it and when. So as part of this presentation, we shared this 2021 D&I roadmap.
As we work our way through the roadmap, we will be communicating progress, wins and learnings every two weeks in our employee newsletter. We want every Tessian to stay super engaged in this work, and to have the opportunity to bring ideas and feedback to the table.
How our work this year will create long-term solutions
It’s no secret that today, the tech industry isn’t that diverse. If we want representation of diverse people at Tessian, it’s not enough to draw from the existing talent pool, where so many groups are so underrepresented. By this we mean that it’s not enough for us to think about short-term wins for Tessian’s stats. We need to be committed to making positive, sustainable change in the long term. And that means changing the whole industry, as well as Tessian. We want to create opportunities for a range of people to move into tech, and make sure they want to stay! If we don’t, our CFO, Sabrina Castiglione, will tell you how no-one wins in this zero-sum game. Our long-term strategy is about growing and expanding the entry-level talent pool by creating junior jobs for people entering the tech industry, whether that’s in Sales or Engineering. But remember, we don’t just want to bring them in, we want them to stay, learn and grow! Only then will we get representation of diverse voices in senior positions. To achieve this, we’re prioritizing the development of future leaders through well-defined growth frameworks across the company. Every Tessian creates a detailed growth plan, and by the end of the year, we’ll have a tailored growth framework for every single department at Tessian. These tactics won’t move the needle on senior representation this year. Probably not next year either. But through them, we can change the game when it comes to diversity in tech. We want to see senior representation, and that means bringing in and building up fresh talent.
How to act today
As well as the longer-term goals, we’re taking action on some short-term wins to ensure our business is an equitable and inclusive place for everyone today, even before that representation has changed. D&I needs to be baked into the culture of a business. And that doesn’t just mean D&I training alone.
It means we need to interrogate every single one of our People processes and ask “Is there opportunity for bias here?”
It means we need to inspect our company communications and ask “Who has a voice here?”
It means we need to listen to employee feedback and ask “Do people have an equitable experience here?”
There’s nothing stopping us asking these questions today. And the good news is — we have the power to have a huge impact on the answers straight away.
Tessian Culture
How We Improved Developer Experience in a Rapidly Growing Engineering Team
By Andy Smith
Friday, April 16th, 2021
Developer experience is one of the most important things for a Head of Engineering to care about. Is development safe and fast? Are developers proud of their work? Are our processes enabling great collaboration and getting the best out of the team? But sometimes, developer experience doesn’t get the attention it deserves. It is never the most urgent problem to solve, there are lots of different opinions about how to make improvements, and it seems very hard to measure. At Tessian the team grows and evolves very quickly; we’ve gone from 20 developers to over 60 in just 3 years. When the team was smaller, it was straightforward to keep a finger on the pulse of developer experience. With such a large and rapidly growing team, it’s all too easy for developer experience to be overshadowed by other priorities. At the end of 2020, it became clear that we needed a way to get a department-wide view of the perception of our developer experience that we could use to inform decisions and see whether those decisions had an impact. We decided one thing that would really help is a regular survey. This would help us spot patterns quickly and it would give us a way to know if we were improving or getting worse. Most importantly, it gives everyone in the team a chance to have their say and to understand what others are thinking. Borrowing some ideas from Spotify, we sent the survey out in January to the whole Engineering team to get their honest, anonymized feedback. We’ll be repeating this quarterly. Here are some of the high-level topics we covered in the survey.
Speed and ease
To better understand if our developers feel they can work quickly and securely, we asked the following questions:
How simple, safe and painless is it to release your work?
Do you feel that the speed of development is high?
You can see we got a big spread of answers, with quite a few detractors. We looked into this more deeply and identified that the primary driver for this is that some changes cannot be released independently by developers; some changes have a dependency on other teams and this can slow down development. We’d heard similar feedback before running the survey, which had led us to start migrating from Amazon ECS to Kubernetes. This would allow our Engineering teams to make more changes themselves. It was great to validate this strategy with results from the survey. More feedback called out a lack of test automation in an important component of our system. We weren’t taking risks here, but we were using up Engineering time unnecessarily. This led to us deciding to commit to a project that would bring automation here. This has already led to us finding issues 15x quicker than before.
Autonomy and satisfaction
We identified two areas of strength revealed by asking the following questions:
How proud are you of the work you produce and the impact it has for customers?
How much do you feel your team has a say in what they build and how they build it?
These are two areas that we’ve always worked very hard on because they are so important to us at Tessian. In fact, customer impact and having a say in what is built are the top two reasons that engineers decide to join Tessian.  We’ve recently introduced a Slack channel called #securingthehumanlayer, where our Sales and Customer Success teams share quotes and stories from customers and prospects who have been wowed by their Tessian experience or who have avoided major data breaches (or embarrassing ‘Oh sh*t’ moments!).  We’ve also introduced changes to how OKRs are set, which gives the team much more autonomy over their OKRs and more time to collaborate with other teams when defining OKRs. Recently we launched a new product feature, Misattached File Prevention. Within one hour of enabling this product for our customers, we were able to share an anonymised story of an awesome flag that we’d caught.
What’s next?
We’re running the next survey again soon and are excited to see what we learn and how we can make the developer experience at Tessian as great as possible.
Human Layer Security
21 Virtual Cybersecurity Events To Attend in 2021
Friday, April 16th, 2021
Our list of 21 cybersecurity events to attend in 2021 features premier cybersecurity summits, like the International Cybersecurity Forum in France and National Cyber Summit in the US, alongside intimate and industry-specific events (and webinars) you won’t want to miss. Many of these events are hosted online, but a lot of organizers are planning to host their conferences face-to-face. Watch out for last-minute changes as the COVID-19 situation continues to evolve. Last updated April 16, 2021.
Webinar: Account Takeover is an Issue, Your SEG Isn’t Enough
Date: April 28, 2021
Location: Online
External account takeover (ATO) attacks are a critical issue that hit many organizations today, and it happens more often than you think. They are considered one of the security industry’s most successful attack types. In fact, here at Tessian, we are seeing more attempts at these attacks than ever before, and they’re slipping right past Secure Email Gateways (SEGs) and other legacy email security tools. In this webinar:
See real-world examples of external ATO attacks from our threat intelligence team at Tessian
How ATOs bypass SEGs and why users fall for them
Learn what tools can help you detect and avoid ATO breaches
Cost to attend: Free
11th ACM Conference on Data and Application Security and Privacy (CODASPY)
Date: April 26-28, 2021
Location: Online (Possible in-person enrolment available in the US, exact location TBC)
This conference, organized by the Association for Computing Machinery (ACM) Special Interest Group on Security, Audit, and Control (SIGSAC), brings together academics and industry leaders to discuss security and privacy in software development. Applications, including mobile apps, are a key vulnerability of many systems. Read our article on zero-day vulnerabilities to learn about how hackers exploit software weaknesses. Software developers attending CODASPY will learn about cutting-edge research in the cybersecurity of software applications.
Cost to attend: Free
IAPP Global Privacy Summit
Date: April 27-28, 2021
Location: Washington DC
The International Association of Privacy Professionals (IAPP) is a globally-respected coalition of lawyers, developers, consultants, and other experts. The IAPP Global Privacy Summit features over 4000 attendees, at least 125 exhibitors, and more than 250 expert speakers. Privacy and cybersecurity are intertwined, and your business neglects one to the detriment of the other. Applying privacy-focused principles means collecting less personal information, deleting it when necessary, and — of course — storing it securely. The IAPP summit will feature sessions on data breach response, compliance with data protection laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), and privacy engineering.
Cost: TBC
FS-ISAC: Americas Spring Summit
Date: April 27-29, 2021
Location: Online
A lot changed with the shift to remote working, and many of these changes are here to stay. But these changes can be difficult to navigate. This three-day virtual summit – with speakers, panelists, and keynotes from Bank of America, Liberty Mutual, ADP and more – will help you stay at the forefront of these new technology trends and emerging paradigms. For a full program schedule, click here.
Cost to attend: Free for members
CyberUK 2021
Date: May 11-12, 2021
Location: International Convention Centre Wales, Newport, Wales
CyberUK is hosted by the UK’s National Cyber Security Centre (NCSC), a government unit that advises on cybersecurity. It’s one of the UK’s most important cybersecurity events and is a “must-attend” for industry leaders. The program for 2021 has not yet been set, but expect a full and varied range of talks, demos, and workshops. The last CyberUK agenda included sessions on identifying supply chain risks, building the cybersecurity profession, and using machine learning to boost defences.
Cost to attend: Free for public sector employees. Private sector employees — Early bird: £849 + tax. Standard rate: £999 + tax
CyberCon London 2021
Date: May 12-13, 2021
Location: Online
CyberCon London features high-profile speakers bringing CTOs, CISOs, and IT directors up-to-date knowledge and practical advice on dealing with cyberthreats. Agenda items include panel sessions on fraud, remote working, and the costs of cybercrime — plus lectures from world-renowned cybersecurity experts.
Cost to attend: Standard: £95 + tax.
RSA Conference San Francisco
Date: May 17-20, 2021
Location: Online
The theme for this year’s fully virtual RSAC? Resilience. While a full list of speakers hasn’t been released, you can see what Linda Gray Martin, VP of RSA Conference, has to say about what you should expect in this video. “See” you there! Did you know 2021 marks the 30th anniversary of this event?
International Privacy + Security Forum
Date: May 24-26, 2021
Location: Online
The International Privacy + Security Forum is organized by academics Daniel Solove and Paul Schwartz, both well-known figures in the world of privacy. The conference is open to privacy and security professionals from all walks of life. The event provides several sessions focusing on legal compliance with EU and California privacy law, plus workshops on data security law, health privacy, and data de-identification.
Cost to attend: 2-day pass — $499 (general), or $299 (academic/NGO/government), 10% early bird discount before March 31.
Infosecurity Europe 2021
Date: June 8-10, 2021
Location: Olympia London, Hammersmith, London
Infosecurity Europe features an eclectic range of exhibitors and networking opportunities for cybersecurity leaders across all industries. Many key players in cybersecurity are exhibiting in 2021, including Avast, Bitdefender, and SolarWinds. Public bodies, including the UK Department for Digital, Culture, Media and Sport (DCMS) and National Cyber Security Centre (NCSC), are also represented.
Cost to attend: TBC
National Cyber Summit 2021
Date: June 8-10, 2021
Location: Huntsville, Alabama
The National Cyber Summit focuses on education, collaboration, and innovation, bringing together experts from government, academia, and industry to deliver an innovative, diverse, and accessible event. Speakers will include Robert Powell, Senior Advisor for Cybersecurity at NASA, Katie Arrington, Chief of Information Security Acquisition at the US Department of Defense, and Merritt Baer, Principal Security Architect at Amazon Web Services.
Cost to attend: Full Access: Standard — $570, Onsite — $610. Student, Teacher/Faculty: Standard — $175, Onsite — $200. Government: Free.
Virtual Silicon Valley Cyber Security Summit 2021
Date: June 9, 2021
Location: Online
The fourth annual Virtual Silicon Valley Cyber Security Summit features sessions from Verizon, IBM, and Chrome Enterprise. Attendees can attend sessions on:
Identifying and avoiding insider threats, hosted by Sean Atkinson from the Center for Internet Security
Combating ransomware, with Kristin Judge from the Cybercrime Support Network
The state of passwordless security, with HYPR’s George Avetisov
The event focuses on interactive discussion, so expect plenty of opportunities to network with colleagues and cybersecurity leaders.
Cost to attend: $95
Regulatory Compliance Conference
Date: June 13-16, 2021
Location: Hyatt Regency, San Diego, California
With nations worldwide passing ever-stricter privacy and security laws, your business should take every opportunity to learn how best to remain compliant. Join “the nation’s top risk-based thinkers” to discuss the most pressing issues in regulatory compliance. This conference from the American Bankers Association features over 50 sessions to help banking and fintech organizations comply with consumer protection and data security regulations. Want to know more about balancing your security and compliance obligations? Read Security vs. Compliance: What’s The Difference?
Cost to attend: TBC
CogX Festival
Date: June 14-16, 2021
Location: London and Online
With over 100,000 expected visitors (both in-person and online), this hybrid festival features 1,000+ speakers covering 20 topics. The theme? “How do we get the next 10 years right?” For a list of topics, click here. For a list of speakers, click here.
Cost to Attend: £4-5,000
CISO Visions Virtual Cybersecurity Summit
Date: June 21-25, 2021
Location: Online
CISO VISIONS is invitation-only for security executives. Why is it exclusive? According to the event coordinators, it lets them cater to security leaders’ specific challenges and keep attendees in the company of the leaders driving progress in your field. At the event, you’ll be able to meet one-on-one with solution providers and learn from 30+ speakers driving innovation.
Cost to Attend: Free (but you must apply!)
PrivSec Global
Date: June 22-24, 2021
Location: Online
PrivSec Global returns on 22nd-24th June 2021 with over 200 subject matter experts addressing prominent issues and challenges across 64 sessions, panel discussions, debates and fireside chats on data protection, privacy, security and beyond.
Cost to Attend: Free
British Legal Technology Forum 2021
Date: July 6, 2021
Location: Billinghurst, London
The British Legal Technology Forum is Europe’s biggest legal technology conference and exhibition, featuring 2,500 square meters of exhibition space. BLTF 2021 is a crucial event for legal professionals, featuring talks from Prof. Richard Susskind, President of the Society for Computers & Law, and Bruna Pellicci, CTO at Linklaters. Bonus: Tessian is the headline sponsor! Want to learn more about how Tessian helps lock down email and prevent breaches for some of the world’s top law firms? Read our customer stories.
Cost to attend: Free
International Conference on Cyber Security (ICCS) 2021
Date: July 19-22, 2021
Location: Fordham University, New York
The International Conference on Cyber Security (ICCS), a collaboration between the FBI and Fordham University, is among the world’s premier cybersecurity events. Esteemed speakers from around the world will discuss how to address cyber threats in the private, government, academic, and law enforcement sectors. The 2021 agenda remains a work-in-progress, but previous ICCS events have featured presentations from the Director of National Intelligence (DNI), FBI, CIA, and NSA. Registration is limited to just 300 attendees.
Cost to attend: $995. Cyber Security Tutorial (CST) and Law Enforcement Workshop (LEW): an extra $75 per session.
WSTA: Smart, Fast, Effective: Cybersecurity in the Age of Analytics and Automation
Date: July 21, 2021
Location: Online
This seminar and panel session provides an overview of the threat universe facing financial cybersecurity firms. You can expect to review operational security best practices, and dig deep into critical technology areas. Check out the agenda here.
Cost to Attend: Members Only
Black Hat USA 2021
Date: July 31-August 5, 2021
Location: Las Vegas and Online
In its 24th year, this hybrid in-person and virtual event features virtual training sessions, briefings, and a Business Hall. More info coming soon!
Cost to Attend: TBC
Gartner Security and Risk Management Summit
Date: September 20-22, 2021
Location: Orlando, FL
Over four days, security, identity and access management, and risk management executives will come together to share valuable insights on establishing an effective, risk-based cybersecurity program. Attendees will learn how to prepare for the new normal, with the tools they need to create agile security and IT risk management plans. For more information about speakers, click here. For more information about the agenda, click here.
Cost to Attend: $3,825
Cybersecurity Digital Summit for EMEA 2021
Date: October 19-20, 2021
Location: Online
This Cybersecurity Digital Summit, hosted by Cyber Security Hub, is a two-day event focusing on the main threats affecting the Europe, Middle-East, and Africa (EMEA) region. The summit follows on from Cyber Security Hub’s events focusing on the Americas and Asia Pacific (APAC) regions. According to Cyber Security Hub’s publicity, the EMEA region “seems to set the course for the regulatory framework that APAC (Asia Pacific) and the Americas are adopting.” Whether you’re a cybersecurity professional working in the EMEA region — or you’re based elsewhere and hoping to understand the threats emerging from EMEA — this event is for you.
Cost to attend: Free
Human Layer Security, DLP
What is Email DLP? Overview of DLP on Email
Thursday, April 15th, 2021
Data loss prevention (DLP) and insider threat management are both top priorities for security leaders to protect data and meet compliance requirements.  And, while there are literally thousands of threat vectors – from devices to file sharing applications to physical security – email is the threat vector security leaders are most concerned about protecting. It makes sense, especially with remote or hybrid working environments. According to Tessian platform data, employees send nearly 400 emails a month. When you think about the total for an organization with 1,000+ employees, that’s 400,000 emails, many of which contain sensitive data. That’s 400,000 opportunities for a data breach.  The solution? Email data loss prevention.
This article will explain how email DLP works, consider the different types of email DLP, and help you decide whether you need to consider it as a part of your overall data protection strategy. Looking for information about DLP more broadly? Check out this article instead: A Complete Overview of Data Loss Prevention.
➡ What is email data loss prevention?
Essentially, email DLP tools monitor a company’s email communications to determine whether data is at risk of loss or theft. There are several methods of email DLP, which we’ll look at below. But they all attempt to:
Monitor data sent and received via email
Detect suspicious email activity
Flag or block email activity that leads to data loss
➡ Do I need email data loss prevention?
Unless you’re working with a limitless security budget (lucky you!), it’s important to prioritize your company’s resources and target areas that represent key security vulnerabilities. Implementing security controls is mandatory under data protection laws and cybersecurity frameworks, like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). And there’s a good reason to prioritize preventing data loss on email. As we’ve said, email is the threat vector security leaders are most concerned about. We’ll explain why.
📩 Inbound email security threats
How can malicious external actors use email to steal data? There are many methods.
Phishing—social engineering attacks designed to trick your employees into handing over sensitive data. According to the FBI, phishing is the leading cause of internet crime, and the number of phishing incidents doubled in 2020.
Spear phishing—like phishing, but targeted at a specific individual. Spear phishing attacks are more sophisticated than the “bulk” phishing attacks many employees are used to.
Malware—phishing emails can contain a “malicious payload”, such as a trojan, that installs itself on a user’s device and exfiltrates or corrupts data.
Email DLP can help prevent criminals from exfiltrating your company’s data.
🏢 Internal email security threats
While it’s crucial to guard against external security threats, security teams are increasingly concerned with protecting company data from internal actors. There are two types of internal security threats: accidental and malicious.
🙈 Accidental data loss
Accidents happen. Don’t believe us? Human error is the leading cause of data breaches. Tessian platform data shows that in organizations with 1,000 or more employees, people send an average of 800 misdirected emails (emails sent to the wrong recipient) every year. That’s two every day. How can a misdirected email cause data loss? Misspelling the recipient’s address, attaching the wrong file, accidental “reply-all”—any of these common issues can lead to sensitive company data being emailed to the wrong person. And remember—if the email contains information about an individual (personal data), this might be a data breach. Misdirected emails are the top cause of information security incidents according to the UK’s data regulator. We can’t forget that misattached files are also a big problem. In fact, nearly half (48%) of employees say they’ve attached the wrong file to an email. Worse still, according to survey data:
42% of documents sent in error contained company research and data
39% contained security information like passwords and passcodes
38% contained financial information and client information
36% contained employee data
But not all data loss incidents are an accident.
🕵 Insider threats
Employees or contractors can steal company data from the inside. While less common than accidental data loss, employees that steal data—or simply overstep the mark—are more common than you might think.
Some employees steal company data to gain a competitive advantage in a new venture—or for the benefit of a third party. We covered some of these incidents in our article, 11 Real Insider Threats. But more commonly, employees are breaking the rules for less nefarious reasons. For example, employees send company data to a personal email address for convenience, such as to work on a project at home or on another device. Sending unauthorized emails is a security risk, though. Tessian platform data shows that it occurs over 27,500 times per year in companies with 1,000 employees or more. And, while – yes – it’s often not done maliciously, the consequences are no less dire, especially in highly regulated industries. So, how do you prevent these things from happening?
➡ Email DLP solutions to consider
Research shows that the majority of security leaders say that security awareness training and the implementation of policies and procedures are the best ways to prevent data loss. And both are very important. But – as well-intentioned as most employees are – mistakes still happen despite frequent training and despite stringent policies. That means a more holistic approach to email DLP – including technology – is your best bet. Broadly, there are two “types” of DLP technology: rule-based DLP and machine learning DLP.
📏 Rule-based email DLP
Using rule-based DLP, IT administrators can tag sensitive domains, activities, or types of data. When the DLP software detects blacklisted data or behavior, it can flag it or block it.
Like training and policies, rule-based DLP certainly has its place in security strategies. But there are limitations of rule-based DLP. This “data-centric” model does not fully account for the range of behavior that is appropriate in different situations. For example, say an IT administrator asks email DLP software to block all correspondence arriving from “freemail” domains (such as gmail.com), which are often used to launch cyberattacks. What happens when you need to communicate with a contractor or customer using a freemail address? What’s more, rule-based DLP is very admin-intensive. Creating and managing rules and analyzing events takes a lot of time, which isn’t ideal for thinly-stretched security teams. Want to learn more? We explore situations where rule-based DLP falls short in The Drawbacks of Traditional DLP on Email.
🤖 Machine learning email DLP
Machine learning email DLP is a “human-centric” approach. By learning how every member of your company communicates, machine learning DLP understands the context behind every human interaction with data. How does machine learning email DLP work? This DLP model processes large amounts of data and learns your employees’ communications patterns. The software understands when a communication is anomalous or suspicious by constantly reclassifying data according to the relationship between a business and customers, suppliers, and other third parties. No rules required. This type of DLP solution enables employees to work unimpeded until something goes wrong, and makes preventing data loss effortless for security teams.
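The two approaches contrasted above, as a small added Python illustration (not Tessian’s code or model): a rule-based check with the freemail block and the hand-maintained exception it forces, beside a simplified per-sender baseline that flags an outbound recipient domain the sender has never used, including a near-miss lookalike of one they do use. All addresses, domains and the mail history are constructed sample data, and the baseline is a deliberately simple stand-in for the learned model the article describes.

```python
import difflib
import re
from collections import defaultdict
from dataclasses import dataclass

# Rule-based configuration an administrator maintains by hand.
# (Assumed values for this illustration; a real deployment has its own lists.)
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
ALLOWED_FREEMAIL = {"contractor.jane@gmail.com"}   # manual exception for a known contractor
SENSITIVE_PATTERNS = {
    "password": re.compile(r"\bpassword\s*[:=]", re.IGNORECASE),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
LOOKALIKE_THRESHOLD = 0.85   # similarity above which a never-seen domain counts as a lookalike


@dataclass
class Email:
    direction: str        # "inbound" or "outbound"
    sender: str
    recipients: list
    body: str

    def counterparties(self) -> list:
        """External parties: the sender for inbound mail, the recipients for outbound mail."""
        return [self.sender] if self.direction == "inbound" else list(self.recipients)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def rule_based_check(email: Email) -> list:
    """Static rules: block freemail counterparties unless explicitly allowed, and flag
    outbound bodies that match sensitive-data patterns. Returns (rule, detail) pairs."""
    findings = []
    for party in email.counterparties():
        if domain_of(party) in FREEMAIL_DOMAINS and party.lower() not in ALLOWED_FREEMAIL:
            findings.append(("block_freemail", party))
    if email.direction == "outbound":
        for name, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(email.body):
                findings.append(("sensitive_content", name))
    return findings


class RelationshipBaseline:
    """Counts how often each sender has mailed each recipient domain. An outbound
    recipient domain the sender has never used is flagged, and additionally marked
    as a lookalike if it closely resembles a domain the sender does use."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))

    def learn(self, sender: str, recipient: str) -> None:
        self.counts[sender.lower()][domain_of(recipient)] += 1

    def anomalies(self, email: Email) -> list:
        if email.direction != "outbound":
            return []
        known = dict(self.counts.get(email.sender.lower(), {}))   # plain dict: no accidental inserts
        findings = []
        for rcpt in email.recipients:
            dom = domain_of(rcpt)
            if known.get(dom, 0) > 0:
                continue                       # established relationship, nothing to flag
            findings.append(("new_domain_for_sender", rcpt))
            for seen in known:
                if difflib.SequenceMatcher(None, dom, seen).ratio() >= LOOKALIKE_THRESHOLD:
                    findings.append(("lookalike_domain", dom, seen))
        return findings


def build_sample_baseline() -> RelationshipBaseline:
    """Constructed history: alice regularly mails partner.co and her own company."""
    baseline = RelationshipBaseline()
    for _ in range(12):
        baseline.learn("alice@example.com", "bob@partner.co")
    for _ in range(40):
        baseline.learn("alice@example.com", "team@example.com")
    return baseline


def evaluate(email: Email, baseline: RelationshipBaseline) -> dict:
    """Run both approaches side by side so their verdicts can be compared."""
    return {"rules": rule_based_check(email), "behaviour": baseline.anomalies(email)}


if __name__ == "__main__":
    baseline = build_sample_baseline()
    samples = [
        # A legitimate contractor on freemail: the rule blocks her unless an admin adds an exception.
        Email("inbound", "contractor.jane@gmail.com", ["alice@example.com"], "Draft attached"),
        # A one-letter typo in the partner's domain: no rule fires, but the baseline flags a lookalike.
        Email("outbound", "alice@example.com", ["bob@partnerr.co"], "Q3 pricing sheet attached"),
    ]
    for email in samples:
        print(email.direction, email.counterparties(), evaluate(email, baseline))
```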
💡 Learn more about Tessian's email DLP solutions

Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our contextual machine learning models have been trained on more than two billion emails, rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real time if particular emails look like they're about to be sent to the wrong person or if an employee has attached the wrong file. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization's email network. And, finally, Tessian Defender prevents inbound threats, like spear phishing, business email compromise, and CEO fraud. To learn more about data exfiltration and how Tessian uses machine learning to keep data safe, check out our customer stories or talk to one of our experts today. You can also subscribe to our monthly newsletter below to get more updates about DLP, compliance, spear phishing, industry trends, and more.
Read Blog Post
Human Layer Security, Podcast
Five Things I Learned From Launching A Podcast
By Tim Sadler
Wednesday, April 14th, 2021
At the start of this year, Tessian started a podcast. Why? Because since we launched the Human Layer Security category in 2013, the human factor has become one of the biggest considerations in cybersecurity today. Every day, we are speaking to CISOs, CIOs, business leaders and security professionals about how to secure the human layer. And I'm not just talking about conversations related to how to stop the ever-rising number of phishing attacks. We're talking about insider threats and security incidents caused by simple human error, too. We're discussing ways in which CISOs can better understand their employees' behaviors and ways of working, in order to build security strategies that protect them and empower them to do great work. And we're talking about how to get buy-in from boards. Rather than keeping the conversations to ourselves, we wanted the podcast to provide a platform for inspiring IT leaders, thought-provoking academics, and ethical hackers to discuss why it's so important for businesses to protect their people, not just machines and data, and to share their learnings so that other security teams can do it too.
It's been a lot of fun and I've spoken to some incredible people. So here are my highlights and my top learnings as we close out Season 1 of the RE:Human Layer Security podcast: 1. CISOs are doing an amazing job in their relentless roles. As Simon Hodgkinson, former CISO at bp, said, the job of the CISO is truly 24/7. And it's becoming "more and more challenging as the threats become more advanced and regulatory landscapes become even more complicated". Hearing the work that CISOs like Jerry Perullo at ICE, Ray Espinoza at Cobalt, Tim Fitzgerald at ARM and Anne Benigsen at Bankers' Bank of the West are doing to not only navigate these landscapes and keep their companies safe, but also to turn their people into security champions and make security as seamless as possible, is really inspiring. 2. … and they want to do more. It was clear from the leaders I spoke to that they have a "duty of care to continue raising awareness" and "invest in making sure people are able to do the right thing." Some believe, however, that there are more engaging ways to do it, while others think there is more work to be done to get employees to buy in to their security cultures. It was great to understand how they plan to do this.
3. Security can learn so much from psychology. In one of my favourite episodes, academics Dr Karen Renaud and Dr Marc Dupuis question why businesses continually use fear, a short-term emotion, to try to engender long-term behavioral change in cybersecurity. They also explain why employee self-efficacy is so important in encouraging safer security practices. Their insight into what makes people more or less likely to adopt safe cybersecurity behaviors makes me question whether FUD in security has had its day. 4. If you don't get to know your people well, the bad guys certainly will. Ethical hackers and social engineering experts like Craig Hays and Jenny Radcliffe explained how cybercriminals select their targets and methods of attack, emphasizing the need for companies, at manager level, to know their people really well. As Jenny said, "the answer to becoming a more secure organization […] is to know your humans better than the bad guys."
5. Employees aren't the weakest link. The age-old saying that people are the weakest link in security is something our guests don't believe in. To Dan Raywood, people are neither the strongest nor the weakest link, but rather "an essential part of your business". Tim Fitzgerald agreed, stating that, as security leaders, "we try to take a look in the mirror and say, are we providing these people with the tools they need to help them avoid these types of threats or scenarios?" It's been a privilege to speak with all of our guests on the RE:Human Layer Security podcast and, if you haven't already, I encourage you to listen to their interviews and subscribe to the show. We're now planning Season 2, so stay tuned for that, and if you'd like to get involved or hear more about what we're doing, please contact me on LinkedIn or Twitter.
Read Blog Post
12 CISOs to Connect With On LinkedIn and Twitter
By Bethan Hope-Bell
Friday, April 9th, 2021
While the title "Chief Information Security Officer" (CISO) is highly sought after, the job is tough. On top of preventing threats and avoiding breaches, CISOs are also tasked with communicating risk, aligning with key stakeholders across the business, and, of course, managing a team of IT professionals. So, how do you keep your head above water and excel in your role? We can't offer a prescriptive answer to that question (sorry!), but we can tell you that staying connected with your peers, regardless of industry or company size, can help. After all, they're right there in the trenches with you. Here's a list of 12 CISOs you should connect with on both LinkedIn and Twitter for tips, advice, anecdotes, industry news, open tech roles, and even the occasional joke. "The more you know", right? P.S. If you're looking for tips on how to build better relationships and influence change within your organization, check out this article: Relationship 15: A Framework For Security Leaders. Name: Bob Lord Bio: CSO The Democrats, former CISO Yahoo, Rapid7 CISO in Residence, Twitter alum. Handle: LinkedIn | @BobLord Follow him for: Bob Lord is the Chief Security Officer at the Democratic National Committee and has held senior executive infosec positions at Twitter and Yahoo (he was actually Twitter's first-ever security hire). He's particularly active on Twitter and shares personal security hacks, debunks cybersecurity myths for his followers, and shares great advice for security leaders. Name: Window Snyder Bio: A security industry veteran and former Chief Security Officer at Square, Fastly, and Mozilla. Handle: LinkedIn | @window Follow her for: Window Snyder has more than 20 years of experience in cybersecurity and has held positions at some of the world's biggest brands. She worked with Apple leading security and privacy features for OS X and iOS. Follow Window for posts about her experiences as a CISO (and a parent!)
and details of her favorite cybersecurity events. Name: Michael Coates Bio: Co-founder & CEO @Altitude Past: CISO @Twitter, Head of Security @Mozilla, @OWASP Chairman, Top 30 Security Startup. Handle: LinkedIn | @_mwc Follow him for: Michael Coates is the former CISO of Twitter and is the co-founder and CEO of a cloud data protection company. He's made TV appearances and has been a speaker at the RSA Conference to share his experiences of being a leading CISO. Follow Michael for tips for CISOs and advice on how to work with security vendors. Name: Azeem Bashir Bio: Award-winning Global CISO | CDO | Cyber Security & Cyber Risk Leader | NED | Advisor | Speaker Handle: LinkedIn Follow him for: Azeem Bashir has held a number of CISO and CIO positions at undisclosed companies. Although his previous companies are a mystery, he must be pretty good given the endless awards he's won and certifications he's achieved. He's also a board advisor, CISO mentor, speaker, and government advisor. Follow Azeem for the latest cybersecurity news about data breaches, attacks, and industry research. Name: Kevin Fielder Bio: Dad, CISO, Health and resilience coach, Podcaster. Lover of life and learning. Passionate about helping people and building high-performing (security) teams. Handle: LinkedIn | @kevin_fielder Follow him for: Kevin has a huge range of CISO experience at companies ranging from Just Eat to WorldPay and FNZ Group. He's also an active cybersecurity speaker and podcaster and is particularly active in the LinkedIn cybersecurity community. Follow Kevin for honest posts about life as a CISO (as well as honest posts about life as a Dad) and for his perspective on security attacks or breaches. Name: Troels Ortering Bio: Chairman, NED, award-winning CSO, passionate cybersecurity leader with a long track record in cybersecurity and privacy.
Handle: LinkedIn Follow him for: Troels has over 20 years of cybersecurity experience, including intelligence roles within the Danish Police, Group Chief Security Officer at Barclays, cybersecurity lecturing roles, and multiple board positions. Follow Troels for his perspective on the latest cybersecurity attacks and threat actors, as well as his views on best practices and how to stay protected. Name: Lynwen Connick Bio: Chief Information Security Officer at Australia and New Zealand Banking Group (ANZ). Loves Travelling, Skiing, Mountain Biking & Orienteering. Handle: LinkedIn | @LynwenConnick Follow her for: With 25 years of cybersecurity experience ranging from Australia's Department of the Prime Minister and Cabinet to CISO of one of the biggest banks in Australia, Lynwen is a great addition to your social timelines. Lynwen is highly active in the women in cybersecurity community, and shares cybersecurity events and groups that other women can get involved in. Follow Lynwen to hear about the work she's done with the Australian Government, and for cybersecurity advice for the financial services and banking industry. Name: Dinis Cruz Bio: CTO and CISO of @GlasswallCDR, Transformation agent, project leader of OWASP SBot and O2 Platform projects. Handle: LinkedIn | @DinisCruz Follow him for: Dinis Cruz has over 20 years of experience in cybersecurity and software development. He's also been nominated for CISO of the year and is currently writing a book. On social media, Dinis is all about knowledge sharing and contributing to the cybersecurity community. Follow Dinis for cybersecurity and general tech hacks, advice on how to apply for security roles, and details of cybersecurity events (plus you might even come across his TikTok account).
Name: Moty Jacob Bio: Moty is a long-time CISSP, holds Security Clearance, and has several Industry certifications including Check Point's CCSE, PCI-DSS AUDITOR, CCNA, Certified Ethical Hacker, and many others. Handle: LinkedIn Follow him for: Moty Jacob has a huge range of security experience, from start-ups to Fortune 500 companies and national governments. As well as being a top leader in cybersecurity, Moty is also a leader in Diversity and Inclusion, with almost half of his security team made up of women. Follow Moty for his hilarious and relatable cybersecurity memes and for honest posts about his experiences as the CISO at Dunnhumby. Name: Christopher Porter Bio: CISO, student of infosec, manager of risk, Dad, exerciser, and @UVA alum. Former @vzdbir author, @verisframework creator. Handle: LinkedIn | @cdporter00 Follow him for: Christopher Porter is the CISO at Fannie Mae. He previously worked with Verizon to author Verizon's Data Breach Investigations Report series and co-created the VERIS framework (Vocabulary for Event Recording and Incident Sharing). On social media, Christopher is committed to sharing cybersecurity research and posts about how to help close the diversity gap in the industry. Follow Christopher for the latest phishing intel, information about how the pandemic is affecting cybersecurity, and the occasional cybersecurity joke! Name: Becky Pinkard Bio: Cyber security exec, published author & professional speaker. I do security because I love it. Handle: LinkedIn | @BeckyPinkard Follow her for: Becky Pinkard has worked in the cybersecurity industry at some of the world's leading brands since 1996, from Blackberry and Vodafone to Aldemore and Barclays. She's also a published author, a regular commentator on infosec events, and won CISO of the Year at the 2020 SC Awards, Europe. Becky is an active advocate for diversity and inclusion in cybersecurity on social media.
Follow Becky for posts about open cybersecurity roles, her honest advice to other security leaders, and her incredible sense of humor.  Name: Bobby Ford Bio: Senior Vice President/Chief Security Officer at Hewlett Packard Enterprise Handle: LinkedIn Follow him for: Bobby Ford has held the position of CISO at world-leading organizations from Unilever and Abbott Labs to his current company – Hewlett Packard Enterprise. Bobby has also been an information security analyst for the Pentagon’s incident response team and spent much of his career in the Aerospace and Defence industry. Bobby is an active member of the cybersecurity community on social media – follow him for posts about improving diversity in cybersecurity, open tech roles, and the occasional throwback picture of his days in the army.  Have we missed anyone? Let us know! Email [email protected]  And, if you want to be the first to get your hands on blogs like this and others written just for security leaders like you, subscribe to our newsletter below.
Read Blog Post
Human Layer Security
Machine vs. Machine: Setting the Record Straight on Offensive AI
By Trevor Luker
Thursday, April 8th, 2021
In recent years, we’ve heard the term “Offensive AI” being used more frequently to describe a new type of cyber threat – one that sees cybercriminals using artificial intelligence (AI) to supercharge their cyber attacks, advance impersonation scams, and avoid detection. In response, organizations are being advised to “fight fire with fire” and invest in defensive AI solutions in order to stay ahead of the bad guys, a sort of modern day “spy on spy” warfare tactic. Sure, cybercriminals are using more sophisticated technologies to advance their attack campaigns, but let’s start by getting one thing straight: where we are at the moment is not “AI”. For a system to be considered intelligent, it needs to exhibit autonomous behavior and goal seeking. What we are seeing, though, is an emerging use of Machine Learning (ML) and adaptive algorithms, combined with large datasets, that are proving effective for cybercriminals in mounting attacks against their targets.  Semantics, I know. But it’s important that we manage the hype. Even the washing machine I just purchased says it includes “AI” functionality. It doesn’t.  Organizations do, though, need to be aware of attackers’ use of offensive ML, and every company needs to understand how to defend itself against it. I can help. 
So, what is offensive ML? At this stage, offensive ML is often the use of ML and large data lakes to automate the first stages of cyber attacks. In particular, the reconnaissance, weaponization, and delivery stages of the Cyber Kill Chain lend themselves to automation. It allows attacks to be carried out on a much larger scale and faster than ever previously seen. It also helps attackers overcome their human-resource problem. Yes, even cybercriminals have this problem; skilled cyber staff are hard to find. Automation frees up the human's time, keeping them involved for the later stages of an attack once a weakness that can be exploited has been found. To a large degree, many cyber attacks have become a data science issue, as opposed to requiring stereotypical "elite hackers". A good offensive ML system will also have a feedback mechanism to tune the underlying models of an attack, for example based on the success of a lure in front of a potential victim in a phishing attack. The models will start to favor successful approaches and, over time, increase in efficiency and effectiveness. How is offensive ML being used today? One example of offensive ML I've observed is large-scale scanning of perimeter systems for fingerprinting purposes. Fingerprinting the perimeter of organizations, that is, associating IP addresses with organizations, public data (DNS, MX lookups) and industry sectors, is a simple data-management issue. However, if this is combined with Common Vulnerabilities and Exposures (CVE) updates, and possibly dark web zero-day exploits, it provides attackers with a constantly updated list of vulnerable systems. You can learn more about zero-day vulnerabilities here: What is a Zero-Day Vulnerability? 3 Real-World Examples. Organizations defending themselves against cybercrime frequently have to go through a time-consuming testing process before deploying a patch and, in some cases, the systems are just not patched at all.
This gives an attacker a window of opportunity to deploy automated scripts against any targets that have been selected by the ML as meeting the attack criteria. No humans need be involved except to set the parameters of the attack campaign: it's fully automated. An attacker could, for example, have the ML algorithms send emails to known invalid email addresses at the target organization to see what information or responses they get. Do the bounce headers give clues about internal systems and defenses? Do any of the systems indicate unpatched vulnerabilities? They can use ML to understand more about the employees they will target too, crawling through social media platforms like LinkedIn and Twitter to identify employees who recently joined an organization, any workers that have moved roles, or people that are dissatisfied with their company. Why? Because these people are prime targets to attempt to phish. Combining this information is step one. Attackers then just need to understand how to get past defenses so that the phishing emails land in a target employee's inbox. MX records (a mail exchanger record specifies the mail server responsible for accepting email messages on behalf of a domain name) are public information and would tell the ML what Secure Email Gateway (SEG) a company is using, so that an attacker could tailor the lure to have the best chance of getting through an organization's defenses. Another area in which offensive ML proves problematic for organizations is facial recognition. Attackers can deploy ML technology or facial recognition to match company photos with photos from across the Internet, and then build up a graph of relationships between people and their target. An exercise in understanding "who knows who?". With this information, bad actors could deploy social media bots under ML control to build trust with the target and their associates.
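As an added illustration of the MX-record fingerprinting described above (example code, not from the article and not any attacker's tooling): the function below takes a domain's MX records, picks the primary (lowest preference value) host, and maps its hostname to the hosted mail-security or mail-provider service that publishes that name. The vendor hostname patterns are the publicly documented MX names of those services and are an illustrative subset; the sample MX data is constructed so the example runs offline, where a real run would feed it the answer to `dig MX <domain>`.

```python
"""Map a domain's MX records to the hosted email gateway in front of it (illustrative)."""
from collections import Counter

# Illustrative subset of public MX hostname suffixes and the service they belong to.
SEG_SIGNATURES = {
    "pphosted.com": "Proofpoint",
    "mimecast.com": "Mimecast",
    "mail.protection.outlook.com": "Microsoft 365 / Exchange Online Protection",
    "aspmx.l.google.com": "Google Workspace",
    "barracudanetworks.com": "Barracuda",
    "iphmx.com": "Cisco Email Security",
}


def classify_mx(records):
    """records: iterable of (preference, hostname) as returned by an MX lookup.
    The lowest preference value is the primary exchanger, so that host decides.
    Returns the matched service name, or 'unknown/self-hosted'."""
    records = list(records)
    if not records:
        return "no MX records"
    _, host = min(records, key=lambda r: r[0])
    host = host.rstrip(".").lower()          # drop the trailing dot from DNS output
    for suffix, service in SEG_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return "unknown/self-hosted"


def fingerprint(mx_by_domain):
    """Classify many domains at once. Returns (per-domain labels, count per service),
    the shape an attacker would use to pick targets by gateway, and a defender would
    use to see what is visible about their own estate."""
    labels = {domain: classify_mx(recs) for domain, recs in mx_by_domain.items()}
    return labels, Counter(labels.values())


# Constructed sample data in the (preference, hostname) form DNS returns.
SAMPLE_MX = {
    "alpha.example":   [(10, "mxa-0012abcd.gslb.pphosted.com."),
                        (10, "mxb-0012abcd.gslb.pphosted.com.")],
    "beta.example":    [(0, "beta-example.mail.protection.outlook.com.")],
    "gamma.example":   [(1, "aspmx.l.google.com."), (5, "alt1.aspmx.l.google.com.")],
    "delta.example":   [(10, "mail.delta.example.")],
    "epsilon.example": [(20, "us-smtp-inbound-2.mimecast.com."),
                        (10, "us-smtp-inbound-1.mimecast.com.")],
}

if __name__ == "__main__":
    labels, summary = fingerprint(SAMPLE_MX)
    for domain, service in labels.items():
        print(f"{domain:18} {service}")
    print(dict(summary))
```

For a defender the same lookup is a reminder that the gateway in front of your mail is public information: an attacker tailoring a lure to a specific SEG is working from data you cannot hide, so the gateway should be assumed known and the controls behind it (and the people) should not depend on it being a secret.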
From public sources, an attacker knows their target's interests, who they work with, who they live with; all this is gold dust when it comes to the "phishing stage", as an attacker can make the scam more believable by referring to associates, shared interests, hobbies and so on. Using offensive ML in ransomware attacks There are other reasons to be concerned about the impact offensive ML can have on your organization's security. Attackers can use it to advance their ransomware attacks. Ransomware attacks, and any exploits used to deliver the ransomware, have a short shelf life because defenses are constantly evolving too. Therefore, a successful ROI for the attacker depends on choosing targets carefully. Good reconnaissance will ensure resources are used more efficiently and effectively than a simpler scatter-gun approach. For any cybercriminal involved in "ransomware for hire", offensive ML proves invaluable to earning a higher salary. They can use the data gathered above to set the pricing model for their customers. The better defended, or the more valuable, the target, the higher the price. All this could be, and likely is, automated. So, how can organizations protect themselves from an offensive AI/ML attack? It's the classic "spy vs spy" scenario; attacks evolve and so do defenses. With traditional, rule-based defensive systems, though, the defender is always at a disadvantage. Until an attack is observed, a rule can't be written to counteract it. However, if an organization uses ML, the defensive systems don't need to wait for new rules; they can react to anomalous changes in behavior autonomously and adjust defensive thresholds accordingly. In addition, defensive ML systems can more accurately adjust thresholds based on the observed riskiness of behavior within a defender's organization; there is no longer a need to have a one-size-fits-all defense.
A good ML-based system will adapt to each company, even each employee or department, and set corresponding defense levels. Traditional, rule-based systems can’t do this. In my opinion, the future of defensive security is a data-issue; the days of the traditional human-heavy Security Operations Center are numbered. What questions should organizations ask to ensure they have the right defenses in place? First and foremost, ask your IT service provider why they think their system is actually AI. Because it almost certainly isn’t. If the vendor maintains that they have a real AI solution, be very skeptical about them as a reliable vendor. Ask vendors how their system would react to a zero-day exploit: How long would their system need to deal with a novel attack? Would the user need to wait for a vendor update? Ask vendors about data and threat sharing. All companies are under reconnaissance and attack, and the more data that is shared about this, the better the defenses. So ask, does the vendor share attack data, even with their competitors?
Read Blog Post
Threat Intel, Spear Phishing
Cybercriminals Take Advantage of Mass Unemployment in Phishing Scams
By Charles Brook
Wednesday, April 7th, 2021
The global COVID-19 pandemic has wreaked havoc on job markets. In the US, the unemployment rate stands at 6.2 percent, and in the UK it's estimated that around 2.2 million people, or 6.5% of all workers, could be unemployed at the end of the year. Cybercriminals are taking note. When Tessian researchers analyzed suspicious emails relating to "unemployment" and associated terms that were flagged by our inbound solution, Tessian Defender, they saw a notable spike in suspicious emails related to unemployment and COVID-19 in the week of 24th February, the week in which President Biden announced the third round of stimulus checks, which would send billions of dollars to people without jobs. Our researchers also noted a spike in suspicious activity during the week of 8th March, which is when the COVID-19 stimulus checks started to arrive. They found that: In the week of 24th February, the number of suspicious unemployment and COVID-19 related emails was 40% higher than the weekly average of such emails detected since the start of 2021. The number of unemployment-themed emails alone was 16% higher than the weekly average. In the week of 24th February, the number of unemployment and COVID-19 related emails was 50% higher than the previous week. In the week of 8th March, the number of suspicious unemployment and COVID-19 related emails was 51% higher than the weekly average recorded since the start of 2021. The number of unemployment and COVID-19 related emails detected during this week was 69% higher than the previous week. Over the last 12 months, cybercriminals have capitalized on the fear, uncertainty and doubt created by the global pandemic to make their scams as believable and convincing as possible.
At the start of 2021, for example, Tessian reported a surge in newly registered domains related to the vaccine roll-out and confirmed that a number of these websites were malicious and designed to harvest people’s financial information and account credentials. Now, cybercriminals are launching scams to prey on people who are vulnerable, out of work and urgently looking for relief. They are well aware that these individuals may be applying a little less scrutiny to the messages they receive – especially if the emails appear to have come from a legitimate and trusted sender. How do unemployment scams work?  Here’s how a typical unemployment related scam works: A fake job posting is listed on legitimate job sites. Often, scammers will target small businesses to spoof or impersonate as it is less likely for these companies to monitor their job listings.  An applicant will respond to that ad and will be sent a generic email asking them to perform a task for the interview process. These phishing emails could contain malicious attachments that applicants are asked to download or links to fake websites that ask applicants to input sensitive or personal information. This information could, then, be used to commit identity fraud.  Scammers will also ask applicants to click on a link that refers them to a fake credit check website. Here, they will ask the applicant to share financial information or wire money. Cybercriminals can also identify targets via social media sites like LinkedIn. A recent report from Tessian found that 93% of people share job updates online, and while it’s common for people to let their networks know that they’ve been laid off and are looking for jobs, they are also unknowingly giving cybercriminals the information they need to craft convincing social engineering attacks that are designed to steal personal information.  The FBI has released warnings of unemployment scams, disclosing that many U.S. 
citizens have been victimized by bad actors “impersonating the victims and using the victims’ stolen identities to submit fraudulent unemployment insurance claims online.” In fact, figures from a watchdog for the U.S. Department of Labor reveal that Americans have lost a shocking $63 billion of unemployment funds during the pandemic to improper payments and fraud, while the Illinois Department of Employment Security reports having stopped around 1.1 million claims involving identity theft in the past year. In many cases, victims don’t even realize they’ve been targeted until they later try to file for unemployment insurance benefits, receive a notification from the state unemployment insurance agency or even get notified by their employer that a claim has been filed while the victim is still employed.
What can you do to avoid falling victim to the scams? It's always worth remembering that an official government agency or state workforce agency (SWA) will not contact you out of the blue asking you to apply for UI benefits via an email or a text. So if you do receive a message like this, do not click on the links or comply with the requested actions. We also recommend that you: Inspect emails carefully. Look for a .gov domain in the sender's email address, and check that the sender's email domain matches the name the sender claims. Don't click on anything unless it's from a legitimate source. Verify the legitimacy of the sender by calling the organization or agency directly. Adopt two-factor authentication and avoid reusing the same password across different sites. Password managers like 1Password generate unique passwords and store them encrypted. Monitor your bank accounts on a regular basis to check for any fraudulent activity.
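Two of the checks above, the .gov test and the comparison of the sender's claimed name against the real address domain, as an added Python example (not from the article): it parses a From header and returns a list of findings, where an empty list means the header passed. The agency keyword list and the sample headers are constructed for the example; "IDES" and "UIA" are used as illustrative state-agency abbreviations.

```python
"""Sender checks for unemployment-themed phishing: a .gov test that resists lookalike
domains, and a display-name versus address-domain comparison (illustrative example)."""
import re
from email.utils import parseaddr

# Constructed list of words an unemployment or stimulus lure tends to put in the
# display name or local part. Matched on word boundaries to avoid hits inside
# unrelated words ("irs" inside "first").
AGENCY_HINTS = ("unemployment", "department of labor", "workforce",
                "employment security", "stimulus", "irs", "ides", "uia")

# A domain-looking token inside the display name, e.g. "... ides.illinois.gov".
DOMAIN_TOKEN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def split_sender(from_header):
    """Return (display_name, address, domain); domain is '' if the address is malformed."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr, domain


def is_gov_domain(domain):
    """True only when 'gov' is the top-level label. 'ides-illinois-gov.com' and
    'dol.gov.claims-portal.net' both fail, which is the point: a '.gov' anywhere
    other than the end proves nothing."""
    labels = domain.lower().split(".")
    return len(labels) >= 2 and labels[-1] == "gov"


def check_sender(from_header):
    """Return a list of findings for one From header; empty list means it passed."""
    name, addr, domain = split_sender(from_header)
    if not domain:
        return ["malformed or missing sender address"]

    findings = []
    haystack = f"{name} {addr}".lower()
    claims_agency = any(re.search(r"\b" + re.escape(h) + r"\b", haystack)
                        for h in AGENCY_HINTS)
    if claims_agency and not is_gov_domain(domain):
        findings.append(f"agency wording but non-.gov sender domain {domain}")

    # If the display name itself names a domain, it must be the real address domain
    # (or a parent of it, so "Unemployment Insurance dol.gov" <ui@mail.dol.gov> passes).
    for token in DOMAIN_TOKEN.findall(name):
        named = token.lower()
        if named != domain and not domain.endswith("." + named):
            findings.append(f"display name references {named} but mail comes from {domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three lures, one malformed.
    samples = [
        "Illinois Department of Employment Security <no-reply@ides.illinois.gov>",
        "Department of Labor Benefits <claims@dol-gov-benefits.com>",
        '"Illinois Department of Employment Security ides.illinois.gov" <claims@ides-mail-portal.net>',
        "IRS Stimulus Team <irs.stimulus2021@gmail.com>",
        "",
    ]
    for header in samples:
        print(repr(header), "->", check_sender(header) or "OK")
```

The check deliberately keys on the registered top-level label rather than searching for the string "gov", because the lookalikes in the page ("-gov.com", "gov." as a subdomain) are exactly what a substring test would wave through. It says nothing about whether the mail actually came from that domain; that is what SPF, DKIM and DMARC results on the receiving side are for.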
Read Blog Post
Human Layer Security
Risk Management Made Easy: Introducing Tessian Human Layer Risk Hub
By Ed Bishop
Tuesday, April 6th, 2021
Today, comprehensive visibility into employee risk is one of the biggest challenges security and risk management leaders face. Why? Because most security solutions offer a limited view of risk and don't offer any insights into the likelihood of an employee falling for a phishing attack or exfiltrating data. Worse still, when it is available, risk information is siloed and hard to interpret. Insights around security awareness training exist in separate systems from insights related to threats that have been detected and prevented. There's no integration, which means security leaders can't get a full view of their risk profile. Without integration and visibility, it's impossible to take a tailored, proactive approach to preventing threats. It's an uphill battle. You may not even know where to start… But, we have a solution. With Tessian Human Layer Risk Hub, our customers can now deeply understand their organization's security posture with granular visibility into employee risk and insights into individual user risk levels and drivers.
This is the only solution that offers protection, training, and risk analytics all in one platform, giving you a clear picture of your organization’s risk and the tools needed to reduce that risk.  How does Tessian Human Layer Risk Hub work? With Tessian Human Layer Risk Hub, security leaders can quantify risk, take targeted actions, and offer the right training to continuously lower the risks posed by employees’ poor security decisions.  Let’s look at an example.  1. An employee in the Finance department is flagged as a high-risk user based on their access to sensitive information, their low level of security awareness training, and how frequently they’re targeted by spear phishing attacks.  Tessian looks at five risk drivers – accidental data loss, data exfiltration, social engineering, sensitive data handling, and security awareness – to generate individual risk scores. Each employee’s risk score is dynamically updated, decreasing when an employee makes the correct security decision, and increasing when they do something risky, such as clicking on a phishing email or sending company data to personal email accounts. 
2. Based on these insights, Tessian intelligently and automatically identifies actions teams can take within the platform (for example, custom protections for certain user groups) to reinforce policies, improve security awareness, and change behavior to help drive down risk.  Security teams can also implement additional processes and controls outside of Tessian to exercise better control over specific risks. 
3. With custom protections enabled, Tessian's in-the-moment warnings help nudge employees towards safer behavior. For example, you could quickly and easily configure a trigger that always warns and educates users when they receive an email from a new domain that mentions a wire transfer. But, even without custom protections, Tessian Defender can detect spear phishing attacks with incredible accuracy. And, because the warnings are written in clear, easy-to-understand language, employees are continuously learning and leveling up their security awareness. If targeted by a spear phishing attack, employees would receive a warning that looks something like this.
4. With continuous protection and in-the-moment training, security leaders will see employees move from high-risk users to low-risk users over time. Risk scores and drivers are aggregated at employee, department, and company-level and are benchmarked against peers. This makes tracking and reporting on progress simple and effective. 
Benefits of Tessian Human Layer Risk Hub Tessian Human Layer Risk Hub enables security leaders to reduce risk and improve their organization’s security posture with unique insights you can’t get anywhere else. Targeted remediation at scale. With a bird’s eye view of your most risky and at-risk user groups, security leaders can make better decisions about how to distribute budget and resources, what mitigation measures to prioritize, and when to intervene. This goes beyond email. If you can see who has access to sensitive information – and how they’re handling that sensitive information – you’ll be able to create and update policies that really work.  More effective training. Every year, businesses spend nearly $300,000 and 276 hours on security awareness training. But, training is only effective when the messages are tailored and the employee is engaged. Tessian Human Layer Risk Hub gives security, risk management, and compliance leaders the insights they need to create tailored training programs that cut through. And, Tessian in-the-moment warnings help nudge employees towards safer behavior in real-time.  Clear ROI. Many solutions simply report risk; they don’t actually reduce risk. Tessian is different. Security leaders can easily measure and demonstrate how risk has changed over time, how the platform has proactively helped improve the organization’s security posture, and can even apply learnings from the platform to inform future decisions. The benefit? You’ll become a trusted partner across your organization.   Defensible audit. Tessian’s detailed reports and audit logs provide defensible proof against data breaches. If a risk is identified, you’ll be able to formally document all associated events, and track exposure, owner, mitigation decisions, and actions.  
The bottom line: Tessian Human Layer Risk Hub gives security teams a unified view and a shared language to communicate risk to the business, demonstrate progress towards lowering risk, and effectively secure their human layer.
Learn more about Tessian
Interested in learning more about Tessian Human Layer Risk Hub? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about the new Human Layer Risk Hub, explore our customer stories, or book a demo now. And, to be the first to hear about new product updates, sign up for our newsletter below.
Human Layer Security, Spear Phishing
Types of Email Attacks Every Business Should Prepare For
Thursday, April 1st, 2021
Email remains the number one tool of business communication. The email network is open to practically anyone—and its flexibility, reliability, and convenience mean it’s not going away any time soon. But for all its benefits, email can also be a vector for serious cyberattacks. Social engineering attacks like phishing can lead to data breaches, malware attacks, and billions of dollars in losses for businesses worldwide. This article will explain the major types of email attacks, provide some data on how common they are, and consider the devastating impact that email attacks can have on your business.
Types of email attacks
First, we’ll walk you through some of the most common types of email attacks.
Phishing
Phishing can mean one of two things:
1. An “umbrella term” meaning any social engineering attack that takes place via email.
2. A type of email attack where the attacker sends a lot of malicious emails in an untargeted way.
When we use “phishing” as an umbrella term, it refers to the most common type of email attack. Any malicious email that tries to trick you into clicking a link, opening a file, or taking any other action that causes harm, can be part of a phishing attack. All of the other types of email attacks we’ll look at below are forms of phishing, if we use the term in this broad way. When we use “phishing” as a specific term, it means a “bulk” or “spray and pray” email attack, where the malicious email is sent to many unnamed recipients. Here’s an example:
What makes this a phishing email?
- There’s no addressee: it says “Hello,” not “Hello Rob.”
- The “update account now” button leads to a credential phishing page.
- Most importantly — Netflix didn’t send it!
Want to know more about phishing? See our article What is Phishing?
Spear phishing
Spear phishing is an email attack targeting a specific individual. So, whereas bulk phishing uses a net — sending emails to as many potential victims as possible — spear phishing uses a spear to target one specific victim. Again, spear phishing can also be an umbrella term, in that there are lots of different types of phishing attacks. Some of the examples below, including Business Email Compromise (BEC) and CEO fraud, are almost always spear phishing attacks. Why? Because whenever a phishing attack targets a specific individual, it’s a spear phishing attack. Here’s an example:
What makes this a spear phishing email?
- It targets a specific person.
- The “click here” link leads to a credential phishing website.
- Most importantly — you guessed it — DHL didn’t send it!
For more information, see our article What is Spear Phishing?
Business Email Compromise (BEC)
Business Email Compromise (BEC) is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address. In the sense that the attacker is impersonating a business, the Netflix and DHL examples above are both BEC attacks. But we normally use “BEC” to refer to a more sophisticated form of email attack. For example, one of the biggest cyberattacks of all time is an example of BEC. Between 2013 and 2015, a Latvian cybercrime gang headed by Evaldas Rimasauskas scammed Facebook and Google out of around $121 million by impersonating their suppliers and sending fake invoices via email. Want to know more about BEC? See our article What is Business Email Compromise (BEC)?
CEO fraud
In a CEO fraud attack, the attacker impersonates a company executive and targets a less senior employee. Here’s an example:
What makes this a CEO fraud attack?
- The sender’s email address impersonates a real company executive (note the method here is email impersonation — “microsott.com” — but other methods such as email spoofing are also common).
- The sender (“Leon”) puts a lot of pressure on the recipient (Tess). Stressed people make poor decisions.
- The attack involves wire transfer fraud. While not all CEO fraud attacks involve wire transfer fraud, this is a very common tactic.
Want to know more about CEO fraud? See our article What is CEO Fraud?
How common are email attacks?
Email attacks are on the rise, and are now extremely common. According to the FBI’s Internet Crime Complaint Center (IC3), phishing incidents more than doubled from 2019 to 2020, costing victims over $54 million in direct losses. Verizon says 22% of breaches in 2019 involved phishing. Around 75% of organizations around the world experienced some kind of phishing attack in 2020. Want more data on phishing and other email attacks? See our article Phishing Statistics (Updated 2021).
Consequences of email attacks
What are the main consequences of email attacks on businesses and their customers?
- Data breaches: Attackers use techniques such as credential phishing to exfiltrate your customers’ personal information. Data breaches can attract investigations, regulatory fines, and class-action lawsuits. IBM estimates that the average data breach costs a business $3.86 million.
- Malware: Some email attacks aim to deposit a malicious payload on the recipient’s device. This payload is normally some form of malware, for example: a virus, which can infect other devices on your network; spyware, which can log your keystrokes and online activity; or ransomware, which encrypts your valuable data and demands you pay a ransom to get it back.
- Wire transfer fraud: Spear phishing attacks—particularly if they involve BEC or CEO fraud—often attempt to persuade the target into transferring funds into a bank account controlled by the attacker. And it really works—that’s why the FBI calls BEC “the $26 billion scam”.
How to prevent email attacks
Now you know about the most common types of email attacks. Want to learn how to protect your business from these types of cybercrime? Take a look at the resources below:
- How to Avoid Falling For a Phishing Attack | 6 Useful Tips
- Prevent Business Email Compromise | BEC
- CEO Fraud Prevention: 3 Effective Solutions
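To make the indicators from the examples above concrete, here is an added Python example (not Tessian’s code) that scores an inbound message against them on the defender’s side: a lookalike sender domain such as “microsott.com”, a greeting with no addressee, pressure language, a payment or wire-transfer request, and links to hosts outside an allowlist. The allowlist, keyword lists, weights and the similarity cutoff are constructed assumptions for this example, not values from the article.

```python
import difflib
import re

# Constructed allowlist of domains the organisation treats as legitimate senders.
KNOWN_DOMAINS = {"microsoft.com", "netflix.com", "dhl.com", "example-corp.com"}

GENERIC_GREETING = re.compile(r"(hello|hi|hey|dear (customer|user|member))[,!]?", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|asap|within 24 hours)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|bank account|invoice|payment details)\b", re.I)
LINK_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def lookalike_domain(domain, known=KNOWN_DOMAINS, cutoff=0.85):
    """Return the allowlisted domain that `domain` visually imitates, or None.
    An exact allowlist hit is legitimate; a near miss such as "microsott.com"
    is the email-impersonation technique the article describes."""
    domain = domain.lower()
    if domain in known:
        return None
    close = difflib.get_close_matches(domain, known, n=1, cutoff=cutoff)
    return close[0] if close else None


def in_allowlist(host, known=KNOWN_DOMAINS):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in known)


def score_email(sender, subject, body):
    """Score one message against the article's indicators; returns (score, reasons)."""
    score, reasons = 0, []
    domain = sender.rsplit("@", 1)[-1]
    target = lookalike_domain(domain)
    if target:
        score += 3
        reasons.append(f"sender domain {domain!r} imitates {target!r}")
    # A greeting with no addressee ("Hello," rather than "Hello Rob,") suggests bulk phishing.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if GENERIC_GREETING.fullmatch(first_line):
        score += 1
        reasons.append("generic greeting, no named addressee")
    text = subject + "\n" + body
    if URGENCY.search(text):
        score += 1
        reasons.append("pressure or urgency language")
    if PAYMENT.search(text):
        score += 2
        reasons.append("payment or wire-transfer request")
    for host in LINK_HOST.findall(body):
        if not in_allowlist(host):
            score += 1
            reasons.append(f"link to non-allowlisted host {host!r}")
    return score, reasons
```

Run over a constructed CEO-fraud message ("leon@microsott.com", subject "Urgent wire transfer"), the lookalike domain, urgency and payment rules fire together; a normal internal note from an allowlisted domain with a named addressee scores zero.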
Compliance, Tessian Culture
Securing SOC 2 Certification
By Trevor Luker
Tuesday, March 30th, 2021
Building on our existing ISO 27001 security certification, Tessian is excited to announce that we have achieved Service Organization Control 2 Type 2 (SOC 2) compliance in the key domains of Security, Confidentiality and Availability with zero exceptions on our very first attempt. Achieving full SOC 2 Type 2 compliance within 6 months is simply sensational and is a huge achievement for our company. It reinforces our message to customers and prospects that Information Security and protecting customer data is at the very core of everything Tessian does.
The Journey
We began the preparations for SOC 2 in September 2020 and initiated the formal process in October. Having previously experienced the pain and trauma of doing SOC 2 manually, we knew that to move quickly, we needed tooling to assist with the evidence gathering and reporting. Fortunately we were introduced to VANTA, which automates the majority of the information gathering tasks, allowing the Tessian team to concentrate on identifying and closing any gaps we had. VANTA is a great platform, and we would recommend it to any other company undertaking SOC 2 or ISO 27001 certification. For the external audit part of the process, we were especially fortunate to team up with Barr Advisory who proactively helped us navigate the maze of the Trust Service Criteria requirements. They provided skilled, objective advice and guidance along the way, and we would particularly like to thank Cody Hewell and Kyle Helles for their insights, enthusiasm and support. Tessian chose an accelerated three month observation period, which, in turn, put a lot of pressure on internal resources to respond to information requests and deliver process changes as required. The Tessian team knew how important SOC 2 was to us strategically and rallied to the challenge. Despite some extremely short timeframes, we were able to deliver the evidence that the auditors needed. A huge team effort and a great reflection of Tessian’s Craft At Speed value.
What Next?
Achieving SOC 2 Type 2 is a crucial step for Tessian as we expand further into the large enterprise space. It’s also the basis on which we will further develop our compliance and risk management initiatives, leading to specialized government security accreditation in the US and Europe over the next year or two.
Tessian Culture
Mind Over Matter: Why We Prioritize a Growth Mindset at Tessian
By Samantha Holt
Tuesday, March 30th, 2021
“I can’t ….” “I’m an anxious person.” “I’m bad with numbers.” “I don’t understand the technical stuff; it’s just not for me!” Sound familiar? These are the limiting beliefs of someone stuck in what Dr. Carol Dweck, Stanford University psychologist and author of Mindsets: The New Psychology of Success, termed “fixed mindset.”
The problem with a fixed mindset
If you’re in the “fixed mindset” camp, you most likely avoid challenges, don’t like failure (flag! can be prone to sandbag), ignore feedback, and believe you’re stuck with what you’ve got: your intelligence, talents, and abilities. You’re simply what you are. People in this camp often rely on talent alone and will spend time looking for praise and recognition vs building on past successes, seeing the silver lining in failures, and getting better. If you say out loud that you’ll never understand the technical stuff … your team will believe it and more importantly, YOU will believe it. The opportunity to learn will end there. The very language we use to describe our limitations makes those limitations a reality. This can be especially limiting when it comes to doing things out of your comfort zone.
Why mindset matters when you’re out of your comfort zone
The mindset you have will likely determine how you react when you’re out of your comfort zone. To keep it simple, there are likely only three directions you’ll gravitate towards when you’re out of your comfort zone:
- Flight: You’ll freak out and run the other way, seeking shelter and safety
- Fight: You’ll get angry, irritated, or annoyed by the situation
- Freeze: You’ll freeze in your tracks, not able to move the conversation forward, hoping no one notices
This is where a “growth mindset” comes in.
The learning zone: A growth mindset
You want to find space between the trigger and your response (i.e. fleeing, fighting or freezing) where you can plant your feet firmly on the ground, step into the chaos, and try to learn from the difficult situation. If you’re in the “growth mindset” camp, you believe your intelligence, talents, and abilities can grow through Grit & Perseverance (a Tessian value!). What you’re born with is just the foundation, which cultivates an insatiable desire in you to continue learning and improving.
How is Tessian championing a growth mindset?
In the last year, we created a Global Leadership Team (GLT) to help our people work on personal and leadership growth.
We focused on growth mindset because an essential part of scaling a hyper-growth start-up is building a culture where your people are unafraid to set moonshot goals. But to set these ambitious moonshot goals, we also need to be comfortable with failing fast, iterating, and continuing to build. As Simon Sinek says, “What good is an idea if it remains an idea? Try. Experiment. Iterate. Fail. Try again. Change the world.” At Tessian we want to change the world of cybersecurity. During our GLT sessions on growth mindset, our biggest takeaway was that we need to change how we view our failures. This change of mindset takes time, but we’ve already begun relishing challenges, because mistakes and setbacks aren’t a reflection on us — just on our preparation and current ability, which are adaptable. We can grow!
Tips to help you adopt a growth mindset
We’re creating a culture where our leaders are open to feedback, accountable for their own growth, and resilient to take on new challenges — we are seeing the impact of this with increased creativity, innovation, and bottom-line growth. So, how can you adopt a growth mindset? Here are three of the core “growth mindset” tenets we implemented:
1. Openly recognize and reward the value of learning from failure with your team. Failure is inevitable when it comes to running a team. So when you’re running a retrospective, it’s a good idea to openly speak about your own failures and those of the team, plus the lessons you learned. This will help create a culture where failure is recognized as a learning tool. Result? Your team will be encouraged to grow and take innovative risks.
2. Embed a company or leadership value that focuses on perseverance. A great organization doesn’t grow overnight. The fruits of growth require time, which means perseverance is key. We found having a company value around “Grit & Perseverance” helped to better embed this concept throughout our teams. We speak about it at our Town Halls, Weekly All Hands, and Performance Reviews. The company is clear on how important it is to push through failure, treat obstacles as challenges, and persist in spite of difficult situations to produce more impactful results.
3. Pay close attention to the language you use in 1:1s with your direct reports and team meetings. Top tip: Remove the “you can’t” mindset and adopt a “how can you” mindset with your team. Also, think about moving from “this was a failure” to “we failed, this is what we learned, now let’s go make this even better”. Everyone has desires, and most of us can channel our efforts toward diligent work. But the ability to overcome constant failure has proven to be the distinguishing factor between ‘good’ and ‘great’. Language will help motivate your teams to keep coming back from failures; they will feel it’s safe for them to fail. (Hint! This is all about psychological safety.)
If you want to learn more about growth mindset, here are some of our favorite resources:
- Everything written by Dr. Dweck is great! But if you’re going to read or listen to anything, we’d recommend you watch this TED Talk or read this HBR article.
- We found it helpful to check out how other start-ups were using “Growth Mindset” to develop their leaders, and found this article on Microsoft helpful.
- We love everything from Farnam Street, and found ourselves coming back to this article, Creating a Growth Mindset in the Workplace, again and again.
- Farnam Street has done a great summary of the two different mindsets here.
Inspired by this article? Share it with your network on LinkedIn and Twitter! Or, if you’re looking for more insights into how we work at Tessian, subscribe to our newsletter below.