Request Threat Report Book Demo
Request Threat Report Book Demo
Human Layer Security
Tessian Named a Gartner Cool Vendor
Tuesday, May 12th, 2020
We are thrilled to be recognized as a Cool Vendor in the recently published Gartner Cool Vendors in Cloud Office Security report. To us, being named a Gartner Cool Vendor is an honor. Vendors recognized in the report are interesting, new, and innovative. In the report Gartner explains, “as cloud office suite adoption becomes nearly universal, security and risk management leaders must explore ways to protect sensitive information from risks and threats.” Gartner adds that “security and risk management leaders should recognize that cloud office security technology is evolving and converging in sometimes unpredictable ways” and that “the gaps in cloud office technology convergence often result in incomplete data protection and multiple perspectives to data visibility.” The report further states, “the vendors included in this Cool Vendors report focus specifically upon securing applications, communication and data that occur within cloud office environments.”
Tessian recognized as a Cool Vendor in May 2020 Cool Vendors in Cloud Office Security report Tessian is the world’s first Human Layer Security platform that protects organizations from human layer security threats on email.  By turning your email data into your biggest defense, Tessian prevents inbound and outbound email threats caused by human error. Tessian defends against accidental data loss, data exfiltration and insider threats, in addition to defending against advanced inbound threats like business email compromise, spear phishing and other targeted impersonation attacks. Tessian’s machine learning technology turns your email data into intelligence, transforming your most vulnerable endpoint – your employees – into a trusted security asset by taking human error out of the equation.  Tessian Human Layer Security Prevents Human Error on Email Employees control business’ most sensitive systems and data. Whether it is someone in your finance department who oversees billing and banking platforms, or someone in your HR department who controls employee social security numbers and compensation plans — they are the first and last line of defense; the gatekeepers of digital systems and data. This is what we call the Human Layer. And people’s propensity to make mistakes, break the rules, or be hacked are Human Layer Vulnerabilities. These vulnerabilities can cause big problems. In fact, they’re the number one cause of data breaches: 88% of data breaches reported to the UK’s Information Commissioner’s Office (ICO) are due to human error. To prevent today’s Human Layer Security threats on email, your security controls must understand human behavior. Through a combination of machine intelligence, deep content inspection of email and stateful mapping of email relationships, Tessian turns your email data into your biggest defense against email security threats.  We call it Human Layer Security. What does this mean for security leaders? Our stateful machine learning allows Tessian to understand changing human behavior over time with high accuracy. This means employees experience fewer notification rates and false negatives. Tessian can be deployed in minutes, integrates with O365, Exchange and G-Suite environments and it automatically starts preventing threats within 24 hours of deployment.  Tessian is trusted by world-leading businesses like Arm, Man Group, Evercore and Schroders to protect their people on email. Gartner subscribers can view the Cool Vendors in Cloud Office Security Link.
Data Loss Prevention
How to Communicate Cybersecurity ROI to Your CEO
Monday, April 20th, 2020
CIOs, CISOs, and other IT leaders have a long list of internal and external factors to consider when putting together a cybersecurity strategy. If the ever-evolving threat landscape wasn’t challenging enough to keep up with on its own, there’s also a growing number of privacy regulations and compliance standards to satisfy and a market that’s more saturated with products than ever before. There’s also the issue of budgets. Oftentimes, it’s difficult to measure and communicate cybersecurity ROI which means justifying security investment can be challenging, especially when most organizations are facing significant budget cuts in light of COVID-19. Cybersecurity is, however, a business-critical function. It’s not a nice-to-have, but a must-have.  We’ve put together 3 tips to help you demonstrate the business value of cybersecurity solutions and get buy-in from your CEO.
Reframe cybersecurity solutions as business enablers While cybersecurity has historically been a siloed department, it’s becoming more and more integrated with overall business functions.  To see how far-reaching the implications of a cybersecurity strategy are, let’s consider the consequences of a data breach:  Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation These consequences directly affect a business’s bottom line.  But, cybersecurity solutions don’t have to be limited to prevention or remediation. In fact, cybersecurity can actually enable businesses and become a unique selling point in and of itself.  With regulations like HIPAA, CCPA, and GDPR dictating how organizations handle sensitive data, your cybersecurity framework can actually support growth by being a strong competitive differentiator. By investing in cybersecurity tools and personnel and being transparent about how your organization protects data, you’ll actually bolster credibility and trust amongst prospects and existing customers and clients.
Lead with facts and figures specific to your organization A critical aspect of communicating ROI is evidence. It’s important you come armed with the right evidence and, whenever possible, quantify the threats and the risk.  For example, you could start with the more general statistics that 90% of data breaches start on email and that misdirected emails were the number one incident reported under GDPR. Then you could use Tessian’s Breach Calculator to determine your organization’s potential exposure. According to our data, on average, 707 misdirected emails are sent every year in businesses with 1,000 people. Referencing this specific number will make the risk more tangible and the need for a solution more urgent.  Likewise, if you’re pitching for new inbound email security solutions, a phishing simulation could help demonstrate the likelihood of a successful attack. Or, if you need to make a case for network vulnerabilities, hiring a penetration tester could help prove that there are, in fact, chinks in your armor.  Curious how many misdirected or unauthorized emails are sent in your organization? Book a demo to find out. 
Engage with the larger organization Communicating the value (and necessity) of cybersecurity measures to your larger organization isn’t easy. Not only are technical risks hard to translate across departments, but policies and procedures can often be seen as a hindrance to employee productivity.  But, if you can engage with the larger organization and create a positive security culture, you’ll have a better chance of getting buy-in from C-level executives. How? More and more, CISOs are relying on gamification, positive reinforcement, and interactive content like videos and podcasts to promote their strategies. Whatever the method or medium, the most important thing is that risks and responsibilities – which the entire organization bears the burden of – are communicated so that everyone, regardless of department or level of seniority, can understand.  The benefits of this are two-fold. Not only will you demonstrate the value of cybersecurity via in-house evangelists, but you’ll also empower security-aware employees to become your biggest cybersecurity asset. (You can read more about the importance of empowering your people and protecting the Human Layer here.) This, in turn, helps your overall objective to prevent data loss and data exfiltration. Get more advice from security leaders for security leaders Ultimately, communicating security ROI relies on translating cyber risk to business risk, and making security a guiding principle for your larger organization. This is more important today than ever with new risks and challenges related to remote-working.  Looking for more advice? We constantly update our blog with new tips and best practices around security. We also found this article: The 5-Step Framework for CISOs Starting in a New Company very helpful, especially when it comes to negotiating budgets and delegating risk owners.
Data Loss Prevention
Remote Worker’s Guide To: Preventing Data Loss
Thursday, April 9th, 2020
Over the last several weeks, workforces across the world have transitioned from office to home. While security teams may have struggled initially to get their teams set up to work securely outside of their normal environments, by now most organizations have introduced new software, policies, and procedures to accommodate their new distributed teams.  We spoke with former CISO of KPMG Carolann Shields along with Tess Frieswick of Kivu Consulting and Hayley Bly of Nielsen about what the shift means for cybersecurity in a webinar on March 26. Carolann summed it up nicely when she said “Remote-working introduces complexities that you just don’t have when you can have everyone sitting in an office behind a firewall. It’s a difficult task trying to keep everyone secure and behavioral change and educating folks will be really important. If those things weren’t already a part of your cybersecurity program, they’re going to need to become a part of your cybersecurity program.”  While IT departments no doubt bear the burden of protecting sensitive data, data loss prevention (DLP) is the responsibility of the entire organization. And, while this sudden move to remote-working brings a host of new challenges – from effectively collaborating to co-working with partners, roommates, and children – data security should still be top of mind for both security leaders and individual employees, too.
So, what can you do to help prevent data loss within your organization? We have some tips. 1. Don’t work from your personal devices While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you’re more protected when working on company-sanctioned devices. Beyond that, though, the process to get work-related documents onto personal devices is risky on its own. We’ve written about this extensively in our blog The Dark Side of Sending Work Emails “Home”. In short, personal email accounts are more likely to be compromised than work email accounts. It may be because your personal email account is configured with a weak password or, the worst case, your personal email account may have already been infiltrated by an attacker who could easily intercept whatever sensitive data you’ve emailed to yourself.  Note: IT teams should ensure employees have a secure way to connect their authorized work devices to their personal printers in the event they need to print any documents. This will help them avoid them having to send sensitive documents to their personal accounts in order to print. 2. Be cautious whenever sending sensitive information via email Tessian has seen a 20% increase in email use with the shift to remote working. That means more sensitive data is in motion than ever.  More email traffic, unfortunately, means employees have more opportunities to make mistakes. One of the biggest mistakes an employee can make is sending an email to the wrong person and, as most of us know, it’s easy to do. So, to avoid making this costly mistake, always double-check the recipient(s) of your emails. Ensure you haven’t made any spelling mistakes, and, if you’re using autocomplete, make sure the correct email address has been added. Beyond that, you should always be vigilant when using Cc vs. Bcc and Reply vs Reply All and take time to check that you’ve attached the right documents.  3. Stay up-to-date on the latest phishing and spear phishing trends Cybercriminals use increasingly advanced technology and tactics to carry out effective phishing and spear phishing campaigns. They also tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. While you should always be on the lookout for the red flags that signal phishing attacks, you should also stay up-to-date on the latest trends. We’ve written about several on our blog, including phishing attacks around COVID-19, Tax Day, and the 2020 Census. For more information on how to catch a phish, click here. 4. Use password protection, especially for conferencing and collaboration tools Zoom has made headlines over the last several weeks for the security vulnerabilities found in the platform. While the online conference tool is working on their backend, individuals must do their part, too. To start, ensure you’re using strong passwords. For an application like Zoom, this also means always password-protecting your meetings, never sharing meeting links with people you don’t know or trust, and never sharing screenshots of your meeting which include the Zoom Meeting ID.  Managing so many passwords can be difficult, though. That’s why we recommend using a Password Manager. Click here for more information about the Password Manager we use at Tessian along with other tools that help us work securely while working remotely.  Note: If you’re an employee, you shouldn’t download new software or tools without consulting your IT team.  5. Avoid public Wi-Fi and hotspots Currently most of the world is working from home, but “working remotely” can extend to a number of places. You could be staying with a friend, traveling for work, catching up on emails during your commute, or getting your head down at a café.  Of course, to do work, you’ll likely rely on internet access. Public Wi-Fi or hotspotting from your mobile device may seem like an easy (and harmless) workaround when you don’t have other access, but it’s not wise. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. 6. Follow existing processes and policies When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. Whether it’s rules around locking your devices (see below) or procedures for sharing documents, they’re just as important – if not more important – while you’re working remotely.  This applies to training too. If your organization offers security training, do your best to keep those tips and best practices top of mind. If you’re unclear on the do’s and don’t of cybersecurity, consult your IT, security, or HR team. 7. Always lock your devices  Working outside of the office, even in a home environment, carries additional risks. That means you should always lock your devices with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes. 
8. Report near-misses or mistakes  Whether you’ve sent a misdirected email, fallen for a phishing scam, or had your device stolen, it’s absolutely vital that you report the incident to your IT or security team as soon as possible. The more lead time and information they have, the better the outcome of remediation.   By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue occurring again. It’s a two-way street, though. Organizations must build positive security cultures in order to empower employees to be open and honest. For more tips on how to stay safe while working remotely, read this Ultimate Guide. We’ll also be publishing more helpful tips weekly on both our blog and LinkedIn.
Data Loss Prevention, Human Layer Security
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
Friday, March 27th, 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home” It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.  Personal email accounts can be compromised, especially as they are often configured with weak passwords Email is not a default encrypted medium. If an attacker were in a position to intercept your email, they would be able to read them, and any attachments if not encrypted Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.  Public Wi-Fi vs. using a personal device as a hotspot While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.  As an employee, here’s what you can do to be safe: When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and let alert your IT team of the oversight.  Ensure you keeping VPN software on work devices up-to-date Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.  From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.  This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.  Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password. But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider: How the data is backed up Risks associated with denial of service (DOS) attacks  Legal complications that may arise from certain types of data being stored overseas Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important. Conferencing and collaboration tools Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.  We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.  For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.   
How to physically protect your devices Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.  This has the added benefit of showing clients or other professional contacts that the business takes security seriously. About that OOO message… “Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…” It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker. Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away. Top tips for businesses setting up remote-working policies…. Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight. When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them. Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake. Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout. Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions. Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments. Top tips for employees working from home… Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to. Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you. Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring. During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.  FTC online security tips for working from home NCSC issues guidance as home working increases in response to COVID-19 We’ll also continue sharing best practice tips both on our blog and on LinkedIn. 
Human Layer Security
The Ultimate Guide to Human Layer Security
By Tim Sadler
Friday, January 24th, 2020
There’s a big problem in cybersecurity. Despite over 3,000 products in the market, data breaches are at an all-time high. Businesses are at risk of insider and outsider threats, with a reported 67% increase in the volume of security breaches over the past five years. Worse still, this increase in security breaches is happening despite organizations spending more than ever to protect their systems and data, up from $1.4 million to $13 million. Why is this happening? Businesses haven’t been protecting their most important asset: their employees. Historically, email security solutions have layered defenses first on top of networks, then devices, and finally cloud applications. The majority of these solutions provide blunt protection, or rely on retroactive threat detection and remediation, which leaves obvious (and unfortunate) gaps in a business’ armor. So, when you can get a firewall to protect your network, and EDR to protect your devices, what do you get to protect your people?
What is Human Layer Security?
Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. We created this category over a year ago, and it was the thesis for our Series B fundraise.  Since then, we’ve seamlessly deployed Tessian solutions to customers across industries from SMBs to multi-national enterprises, and are now detecting and preventing millions of inbound and outbound threats on email.
Why do we need Human Layer Security? Your employees now control both your systems and your data and, the fact is, people make mistakes, people break the rules, and people can be hacked. It’s no wonder that 88% of data breaches are caused by human error, with AIG reporting “human errors and behavior continue to be a significant driver of cyber claims.” After all, employees can transfer millions of dollars to a bank account in a few clicks and can share thousands of patient records in an Excel file via a single email. Instead of expecting people to do the right thing 100% of the time, we think it’s better to preempt these errors by detecting and preventing them from happening in the first place. Each of our solutions – Tessian Enforcer, Tessian Guardian, and Tessian Defender – is uniquely positioned to do just that, and these solutions can be explored by the specific type of human error they protect against. People break the rules Whether done maliciously or accidentally, people in every organization can and do break the rules. Those rules can be related to anything, from a password policy to how sensitive information is stored. But, what about rules related to data exfiltration? Oftentimes, employees are blissfully unaware of policies related to – and the risk associated with – sending emails containing work-related information to domains outside of their own organization. Take, for example, an employee who sends a file to their personal email account so that they can work from home over a long weekend. Sometimes, though, work-related information is extracted with more nefarious intent and, unfortunately, this can happen in even the most secure environments. Case in point: In late-2019, an employee at a cybersecurity and defense company sold 68,000 customer records to scammers. This isn’t an isolated incident, either; more than half of UK employees admitted to stealing corporate data. A quarter of those would be willing to do so for less than £1,000.
People make mistakes To err is human and, entrusted with both systems and data, employees put themselves in decidedly vulnerable positions as they maneuver dozens of human-digital interactions each day. From a simple typo to a misconfigured firewall, mistakes are inevitable in the workplace. Unfortunately, though, the consequences of these mistakes are far-reaching. If an employee accidentally fires off an email containing sensitive customer data to the wrong person – otherwise known as a misdirected email – penalties and fines could be incurred, customer trust could plummet, and reputational damage could be long-lasting. And those are just the consequences to the larger organization. Individuals will likely suffer, too, with misdirected emails no doubt causing employees and supervisors tremendous anxiety and even putting them at risk of being terminated.
People can be hacked Businesses of all sizes work with a web of suppliers, contractors and customers spanning different time zones and regulatory environments. As a result, we’ve seen a rise in targeted spear phishing attacks where cybercriminals are convincingly impersonating internal and external contacts. Worse still, the odds are against businesses and their employees. While a hacker only has to get it right once, we are expected to get it right every time. So, what happens if one employee is successfully tricked one time by a spear phishing email and wires money, shares credentials, or otherwise acts as an entry point for a bad actor to gain access to your network? With the average cost of a data breach in the United States climbing to $8.19 million in 2019, the company will likely take a hard hit, especially with the sharp increase in GDPR fines.
Why focus on email? To be truly effective, Human Layer Security must protect all human-digital interactions within the enterprise. This is a massive remit. So, Tessian started with email, because it’s the most popular (we spend 40% of our time on it) and riskiest (most breaches happen here) communication channel.
But why is email currently so poorly protected and how does Tessian fit into larger security frameworks to keep your people and your data safe? Rule-Based Technology Traditional email security solutions are static, disruptive and admin-intensive. Some demand that employees manually classify every email based on sensitivity or tag all emails being sent to external contacts; this is time consuming and not reliable. (Alert fatigue is real.) Others may require that employees encrypt emails, which adds friction and slows the pace of business. These older technologies can’t be configured to adequately defend against all the ways people make mistakes or cut corners on email. Training Aware of these tech shortcomings, most companies layer in security training. The hope is that through a combination of training and policies, employees will adopt secure behaviors. Unfortunately, though, two thirds of employees are not regularly trained about cyber threats on email, which is the #1 threat vector in an organisation. What’s more, a significant percentage of those who are trained don’t retain what they’re taught. Training is incomplete, irregular and doesn’t stick. Hence the need for HLS. Human Layer Security In addition to policies, training, and other security solutions, organizations need an extra layer of security. Human Layer Security works by understanding and adapting to human behavior without compromising productivity. This is only made possible by machine learning (ML), and Tessian built our HLS platform out of the gate using stateful ML. We built our outbound email protection first, and leveraged the email data from hundreds of customers (with their consent, of course) to build our inbound threat stack. Our stateful ML models analyze historical email data in order to understand human relationships and communication patterns. Once we know what normal and abnormal look like, Tessian can automatically predict and prevent security breaches.
How is Tessian using machine learning to secure the human layer on email? We get it—ML/AI are used often and interchangeably in the cybersecurity space. But, the simple truth is that a solution built on ML enables better email protection because ML models get smarter and better over time as more data is ingested. Tessian’s Human Layer Security platform consists of intelligent and fully customizable email filters. For every inbound and outbound email, our filters analyze a vast array of data points in real time to create a comprehensive assessment of the correspondence. In the simplest terms, to determine whether an email is safe or unsafe to send/receive, we examine: Relationship History: Analyzing past and real-time email data, Tessian has a historical view on all email communications and relationships. For example, we can determine in real time: if the wrong recipient has been included on an outbound email; if a sensitive attachment is being sent to a personal, non-business email account; if an inbound email with a legitimate-looking domain is a spoof by detecting an unusual IP address.on Content & context: Using natural language processing to analyze historical email data, Tessian understands how people normally communicate on email and what topics they normally discuss. As a result, our filters automatically detect anomalies in subject matter (i.e. project names) or sentiment (i.e. urgency), which might indicate a threat. Tessian understands and adapts to how people work, so it can prevent threats before they happen. It gets out of the way so people can proceed confidently with business as usual without being slowed down, or having to add threat detection to their to-do list. First, you protected our networks. Then, you protected our devices. Now, you can protect your people with Tessian’s Human Layer Security.
Human Layer Security
Tessian Named a Gartner Cool Vendor
Tuesday, May 12th, 2020
We are thrilled to be recognized as a Cool Vendor in the recently published Gartner Cool Vendors in Cloud Office Security report. To us, being named a Gartner Cool Vendor is an honor. Vendors recognized in the report are interesting, new, and innovative. In the report Gartner explains, “as cloud office suite adoption becomes nearly universal, security and risk management leaders must explore ways to protect sensitive information from risks and threats.” Gartner adds that “security and risk management leaders should recognize that cloud office security technology is evolving and converging in sometimes unpredictable ways” and that “the gaps in cloud office technology convergence often result in incomplete data protection and multiple perspectives to data visibility.” The report further states, “the vendors included in this Cool Vendors report focus specifically upon securing applications, communication and data that occur within cloud office environments.”
Tessian recognized as a Cool Vendor in May 2020 Cool Vendors in Cloud Office Security report Tessian is the world’s first Human Layer Security platform that protects organizations from human layer security threats on email.  By turning your email data into your biggest defense, Tessian prevents inbound and outbound email threats caused by human error. Tessian defends against accidental data loss, data exfiltration and insider threats, in addition to defending against advanced inbound threats like business email compromise, spear phishing and other targeted impersonation attacks. Tessian’s machine learning technology turns your email data into intelligence, transforming your most vulnerable endpoint – your employees – into a trusted security asset by taking human error out of the equation.  Tessian Human Layer Security Prevents Human Error on Email Employees control business’ most sensitive systems and data. Whether it is someone in your finance department who oversees billing and banking platforms, or someone in your HR department who controls employee social security numbers and compensation plans — they are the first and last line of defense; the gatekeepers of digital systems and data. This is what we call the Human Layer. And people’s propensity to make mistakes, break the rules, or be hacked are Human Layer Vulnerabilities. These vulnerabilities can cause big problems. In fact, they’re the number one cause of data breaches: 88% of data breaches reported to the UK’s Information Commissioner’s Office (ICO) are due to human error. To prevent today’s Human Layer Security threats on email, your security controls must understand human behavior. Through a combination of machine intelligence, deep content inspection of email and stateful mapping of email relationships, Tessian turns your email data into your biggest defense against email security threats.  We call it Human Layer Security. What does this mean for security leaders? Our stateful machine learning allows Tessian to understand changing human behavior over time with high accuracy. This means employees experience fewer notification rates and false negatives. Tessian can be deployed in minutes, integrates with O365, Exchange and G-Suite environments and it automatically starts preventing threats within 24 hours of deployment.  Tessian is trusted by world-leading businesses like Arm, Man Group, Evercore and Schroders to protect their people on email. Gartner subscribers can view the Cool Vendors in Cloud Office Security Link.
Data Loss Prevention
How to Communicate Cybersecurity ROI to Your CEO
Monday, April 20th, 2020
CIOs, CISOs, and other IT leaders have a long list of internal and external factors to consider when putting together a cybersecurity strategy. If the ever-evolving threat landscape wasn’t challenging enough to keep up with on its own, there’s also a growing number of privacy regulations and compliance standards to satisfy and a market that’s more saturated with products than ever before. There’s also the issue of budgets. Oftentimes, it’s difficult to measure and communicate cybersecurity ROI which means justifying security investment can be challenging, especially when most organizations are facing significant budget cuts in light of COVID-19. Cybersecurity is, however, a business-critical function. It’s not a nice-to-have, but a must-have.  We’ve put together 3 tips to help you demonstrate the business value of cybersecurity solutions and get buy-in from your CEO.
Reframe cybersecurity solutions as business enablers While cybersecurity has historically been a siloed department, it’s becoming more and more integrated with overall business functions.  To see how far-reaching the implications of a cybersecurity strategy are, let’s consider the consequences of a data breach:  Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation These consequences directly affect a business’s bottom line.  But, cybersecurity solutions don’t have to be limited to prevention or remediation. In fact, cybersecurity can actually enable businesses and become a unique selling point in and of itself.  With regulations like HIPAA, CCPA, and GDPR dictating how organizations handle sensitive data, your cybersecurity framework can actually support growth by being a strong competitive differentiator. By investing in cybersecurity tools and personnel and being transparent about how your organization protects data, you’ll actually bolster credibility and trust amongst prospects and existing customers and clients.
Lead with facts and figures specific to your organization A critical aspect of communicating ROI is evidence. It’s important you come armed with the right evidence and, whenever possible, quantify the threats and the risk.  For example, you could start with the more general statistics that 90% of data breaches start on email and that misdirected emails were the number one incident reported under GDPR. Then you could use Tessian’s Breach Calculator to determine your organization’s potential exposure. According to our data, on average, 707 misdirected emails are sent every year in businesses with 1,000 people. Referencing this specific number will make the risk more tangible and the need for a solution more urgent.  Likewise, if you’re pitching for new inbound email security solutions, a phishing simulation could help demonstrate the likelihood of a successful attack. Or, if you need to make a case for network vulnerabilities, hiring a penetration tester could help prove that there are, in fact, chinks in your armor.  Curious how many misdirected or unauthorized emails are sent in your organization? Book a demo to find out. 
Engage with the larger organization Communicating the value (and necessity) of cybersecurity measures to your larger organization isn’t easy. Not only are technical risks hard to translate across departments, but policies and procedures can often be seen as a hindrance to employee productivity.  But, if you can engage with the larger organization and create a positive security culture, you’ll have a better chance of getting buy-in from C-level executives. How? More and more, CISOs are relying on gamification, positive reinforcement, and interactive content like videos and podcasts to promote their strategies. Whatever the method or medium, the most important thing is that risks and responsibilities – which the entire organization bears the burden of – are communicated so that everyone, regardless of department or level of seniority, can understand.  The benefits of this are two-fold. Not only will you demonstrate the value of cybersecurity via in-house evangelists, but you’ll also empower security-aware employees to become your biggest cybersecurity asset. (You can read more about the importance of empowering your people and protecting the Human Layer here.) This, in turn, helps your overall objective to prevent data loss and data exfiltration. Get more advice from security leaders for security leaders Ultimately, communicating security ROI relies on translating cyber risk to business risk, and making security a guiding principle for your larger organization. This is more important today than ever with new risks and challenges related to remote-working.  Looking for more advice? We constantly update our blog with new tips and best practices around security. We also found this article: The 5-Step Framework for CISOs Starting in a New Company very helpful, especially when it comes to negotiating budgets and delegating risk owners.
Data Loss Prevention
Remote Worker’s Guide To: Preventing Data Loss
Thursday, April 9th, 2020
Over the last several weeks, workforces across the world have transitioned from office to home. While security teams may have struggled initially to get their teams set up to work securely outside of their normal environments, by now most organizations have introduced new software, policies, and procedures to accommodate their new distributed teams.  We spoke with former CISO of KPMG Carolann Shields along with Tess Frieswick of Kivu Consulting and Hayley Bly of Nielsen about what the shift means for cybersecurity in a webinar on March 26. Carolann summed it up nicely when she said “Remote-working introduces complexities that you just don’t have when you can have everyone sitting in an office behind a firewall. It’s a difficult task trying to keep everyone secure and behavioral change and educating folks will be really important. If those things weren’t already a part of your cybersecurity program, they’re going to need to become a part of your cybersecurity program.”  While IT departments no doubt bear the burden of protecting sensitive data, data loss prevention (DLP) is the responsibility of the entire organization. And, while this sudden move to remote-working brings a host of new challenges – from effectively collaborating to co-working with partners, roommates, and children – data security should still be top of mind for both security leaders and individual employees, too.
So, what can you do to help prevent data loss within your organization? We have some tips. 1. Don’t work from your personal devices While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you’re more protected when working on company-sanctioned devices. Beyond that, though, the process to get work-related documents onto personal devices is risky on its own. We’ve written about this extensively in our blog The Dark Side of Sending Work Emails “Home”. In short, personal email accounts are more likely to be compromised than work email accounts. It may be because your personal email account is configured with a weak password or, the worst case, your personal email account may have already been infiltrated by an attacker who could easily intercept whatever sensitive data you’ve emailed to yourself.  Note: IT teams should ensure employees have a secure way to connect their authorized work devices to their personal printers in the event they need to print any documents. This will help them avoid them having to send sensitive documents to their personal accounts in order to print. 2. Be cautious whenever sending sensitive information via email Tessian has seen a 20% increase in email use with the shift to remote working. That means more sensitive data is in motion than ever.  More email traffic, unfortunately, means employees have more opportunities to make mistakes. One of the biggest mistakes an employee can make is sending an email to the wrong person and, as most of us know, it’s easy to do. So, to avoid making this costly mistake, always double-check the recipient(s) of your emails. Ensure you haven’t made any spelling mistakes, and, if you’re using autocomplete, make sure the correct email address has been added. Beyond that, you should always be vigilant when using Cc vs. Bcc and Reply vs Reply All and take time to check that you’ve attached the right documents.  3. Stay up-to-date on the latest phishing and spear phishing trends Cybercriminals use increasingly advanced technology and tactics to carry out effective phishing and spear phishing campaigns. They also tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. While you should always be on the lookout for the red flags that signal phishing attacks, you should also stay up-to-date on the latest trends. We’ve written about several on our blog, including phishing attacks around COVID-19, Tax Day, and the 2020 Census. For more information on how to catch a phish, click here. 4. Use password protection, especially for conferencing and collaboration tools Zoom has made headlines over the last several weeks for the security vulnerabilities found in the platform. While the online conference tool is working on their backend, individuals must do their part, too. To start, ensure you’re using strong passwords. For an application like Zoom, this also means always password-protecting your meetings, never sharing meeting links with people you don’t know or trust, and never sharing screenshots of your meeting which include the Zoom Meeting ID.  Managing so many passwords can be difficult, though. That’s why we recommend using a Password Manager. Click here for more information about the Password Manager we use at Tessian along with other tools that help us work securely while working remotely.  Note: If you’re an employee, you shouldn’t download new software or tools without consulting your IT team.  5. Avoid public Wi-Fi and hotspots Currently most of the world is working from home, but “working remotely” can extend to a number of places. You could be staying with a friend, traveling for work, catching up on emails during your commute, or getting your head down at a café.  Of course, to do work, you’ll likely rely on internet access. Public Wi-Fi or hotspotting from your mobile device may seem like an easy (and harmless) workaround when you don’t have other access, but it’s not wise. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. 6. Follow existing processes and policies When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. Whether it’s rules around locking your devices (see below) or procedures for sharing documents, they’re just as important – if not more important – while you’re working remotely.  This applies to training too. If your organization offers security training, do your best to keep those tips and best practices top of mind. If you’re unclear on the do’s and don’t of cybersecurity, consult your IT, security, or HR team. 7. Always lock your devices  Working outside of the office, even in a home environment, carries additional risks. That means you should always lock your devices with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes. 
8. Report near-misses or mistakes  Whether you’ve sent a misdirected email, fallen for a phishing scam, or had your device stolen, it’s absolutely vital that you report the incident to your IT or security team as soon as possible. The more lead time and information they have, the better the outcome of remediation.   By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue occurring again. It’s a two-way street, though. Organizations must build positive security cultures in order to empower employees to be open and honest. For more tips on how to stay safe while working remotely, read this Ultimate Guide. We’ll also be publishing more helpful tips weekly on both our blog and LinkedIn.
Data Loss Prevention, Human Layer Security
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
Friday, March 27th, 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home” It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.  Personal email accounts can be compromised, especially as they are often configured with weak passwords Email is not a default encrypted medium. If an attacker were in a position to intercept your email, they would be able to read them, and any attachments if not encrypted Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.  Public Wi-Fi vs. using a personal device as a hotspot While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.  As an employee, here’s what you can do to be safe: When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and let alert your IT team of the oversight.  Ensure you keeping VPN software on work devices up-to-date Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.  From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.  This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.  Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password. But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider: How the data is backed up Risks associated with denial of service (DOS) attacks  Legal complications that may arise from certain types of data being stored overseas Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important. Conferencing and collaboration tools Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.  We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.  For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.   
How to physically protect your devices Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.  This has the added benefit of showing clients or other professional contacts that the business takes security seriously. About that OOO message… “Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…” It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker. Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away. Top tips for businesses setting up remote-working policies…. Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight. When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them. Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake. Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout. Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions. Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments. Top tips for employees working from home… Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to. Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you. Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring. During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.  FTC online security tips for working from home NCSC issues guidance as home working increases in response to COVID-19 We’ll also continue sharing best practice tips both on our blog and on LinkedIn. 
Human Layer Security
The Ultimate Guide to Human Layer Security
By Tim Sadler
Friday, January 24th, 2020
There’s a big problem in cybersecurity. Despite over 3,000 products in the market, data breaches are at an all-time high. Businesses are at risk of insider and outsider threats, with a reported 67% increase in the volume of security breaches over the past five years. Worse still, this increase in security breaches is happening despite organizations spending more than ever to protect their systems and data, up from $1.4 million to $13 million. Why is this happening? Businesses haven’t been protecting their most important asset: their employees. Historically, email security solutions have layered defenses first on top of networks, then devices, and finally cloud applications. The majority of these solutions provide blunt protection, or rely on retroactive threat detection and remediation, which leaves obvious (and unfortunate) gaps in a business’ armor. So, when you can get a firewall to protect your network, and EDR to protect your devices, what do you get to protect your people?
What is Human Layer Security?
Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. We created this category over a year ago, and it was the thesis for our Series B fundraise.  Since then, we’ve seamlessly deployed Tessian solutions to customers across industries from SMBs to multi-national enterprises, and are now detecting and preventing millions of inbound and outbound threats on email.
Why do we need Human Layer Security? Your employees now control both your systems and your data and, the fact is, people make mistakes, people break the rules, and people can be hacked. It’s no wonder that 88% of data breaches are caused by human error, with AIG reporting “human errors and behavior continue to be a significant driver of cyber claims.” After all, employees can transfer millions of dollars to a bank account in a few clicks and can share thousands of patient records in an Excel file via a single email. Instead of expecting people to do the right thing 100% of the time, we think it’s better to preempt these errors by detecting and preventing them from happening in the first place. Each of our solutions – Tessian Enforcer, Tessian Guardian, and Tessian Defender – is uniquely positioned to do just that, and these solutions can be explored by the specific type of human error they protect against. People break the rules Whether done maliciously or accidentally, people in every organization can and do break the rules. Those rules can be related to anything, from a password policy to how sensitive information is stored. But, what about rules related to data exfiltration? Oftentimes, employees are blissfully unaware of policies related to – and the risk associated with – sending emails containing work-related information to domains outside of their own organization. Take, for example, an employee who sends a file to their personal email account so that they can work from home over a long weekend. Sometimes, though, work-related information is extracted with more nefarious intent and, unfortunately, this can happen in even the most secure environments. Case in point: In late-2019, an employee at a cybersecurity and defense company sold 68,000 customer records to scammers. This isn’t an isolated incident, either; more than half of UK employees admitted to stealing corporate data. A quarter of those would be willing to do so for less than £1,000.
People make mistakes To err is human and, entrusted with both systems and data, employees put themselves in decidedly vulnerable positions as they maneuver dozens of human-digital interactions each day. From a simple typo to a misconfigured firewall, mistakes are inevitable in the workplace. Unfortunately, though, the consequences of these mistakes are far-reaching. If an employee accidentally fires off an email containing sensitive customer data to the wrong person – otherwise known as a misdirected email – penalties and fines could be incurred, customer trust could plummet, and reputational damage could be long-lasting. And those are just the consequences to the larger organization. Individuals will likely suffer, too, with misdirected emails no doubt causing employees and supervisors tremendous anxiety and even putting them at risk of being terminated.
People can be hacked Businesses of all sizes work with a web of suppliers, contractors and customers spanning different time zones and regulatory environments. As a result, we’ve seen a rise in targeted spear phishing attacks where cybercriminals are convincingly impersonating internal and external contacts. Worse still, the odds are against businesses and their employees. While a hacker only has to get it right once, we are expected to get it right every time. So, what happens if one employee is successfully tricked one time by a spear phishing email and wires money, shares credentials, or otherwise acts as an entry point for a bad actor to gain access to your network? With the average cost of a data breach in the United States climbing to $8.19 million in 2019, the company will likely take a hard hit, especially with the sharp increase in GDPR fines.
Why focus on email? To be truly effective, Human Layer Security must protect all human-digital interactions within the enterprise. This is a massive remit. So, Tessian started with email, because it’s the most popular (we spend 40% of our time on it) and riskiest (most breaches happen here) communication channel.
But why is email currently so poorly protected and how does Tessian fit into larger security frameworks to keep your people and your data safe? Rule-Based Technology Traditional email security solutions are static, disruptive and admin-intensive. Some demand that employees manually classify every email based on sensitivity or tag all emails being sent to external contacts; this is time consuming and not reliable. (Alert fatigue is real.) Others may require that employees encrypt emails, which adds friction and slows the pace of business. These older technologies can’t be configured to adequately defend against all the ways people make mistakes or cut corners on email. Training Aware of these tech shortcomings, most companies layer in security training. The hope is that through a combination of training and policies, employees will adopt secure behaviors. Unfortunately, though, two thirds of employees are not regularly trained about cyber threats on email, which is the #1 threat vector in an organisation. What’s more, a significant percentage of those who are trained don’t retain what they’re taught. Training is incomplete, irregular and doesn’t stick. Hence the need for HLS. Human Layer Security In addition to policies, training, and other security solutions, organizations need an extra layer of security. Human Layer Security works by understanding and adapting to human behavior without compromising productivity. This is only made possible by machine learning (ML), and Tessian built our HLS platform out of the gate using stateful ML. We built our outbound email protection first, and leveraged the email data from hundreds of customers (with their consent, of course) to build our inbound threat stack. Our stateful ML models analyze historical email data in order to understand human relationships and communication patterns. Once we know what normal and abnormal look like, Tessian can automatically predict and prevent security breaches.
How is Tessian using machine learning to secure the human layer on email? We get it—ML/AI are used often and interchangeably in the cybersecurity space. But, the simple truth is that a solution built on ML enables better email protection because ML models get smarter and better over time as more data is ingested. Tessian’s Human Layer Security platform consists of intelligent and fully customizable email filters. For every inbound and outbound email, our filters analyze a vast array of data points in real time to create a comprehensive assessment of the correspondence. In the simplest terms, to determine whether an email is safe or unsafe to send/receive, we examine: Relationship History: Analyzing past and real-time email data, Tessian has a historical view on all email communications and relationships. For example, we can determine in real time: if the wrong recipient has been included on an outbound email; if a sensitive attachment is being sent to a personal, non-business email account; if an inbound email with a legitimate-looking domain is a spoof by detecting an unusual IP address.on Content & context: Using natural language processing to analyze historical email data, Tessian understands how people normally communicate on email and what topics they normally discuss. As a result, our filters automatically detect anomalies in subject matter (i.e. project names) or sentiment (i.e. urgency), which might indicate a threat. Tessian understands and adapts to how people work, so it can prevent threats before they happen. It gets out of the way so people can proceed confidently with business as usual without being slowed down, or having to add threat detection to their to-do list. First, you protected our networks. Then, you protected our devices. Now, you can protect your people with Tessian’s Human Layer Security.
Data Loss Prevention, Human Layer Security
Guide: How to Stop Data Loss Across 1 Million New Offices
By Maddie Rosenthal
Thursday, May 28th, 2020
Now more than ever, security, IT, and compliance leaders are leaning on each other for support in navigating new challenges around remote-working. And, why wouldn’t they? While some organizations have operated virtually for months and even years before the outbreak of COVID-19, others had never operated a remote workforce. That means they’ve had to – very quickly – equip their teams with new devices and tools, implement new policies and procedures, and update security stacks. Of course, they’re doing all of this while trying to maintain “business as usual” which means trying to monitor and prevent data loss company-wide. That’s exactly why we’ve been hosting virtual events: to pool the wisdom of experienced security and IT leaders and share back with the broader community While you can access our library of webinars here (and register for our next virtual event here), we’ve compiled key takeaways below from our most recent webinar: How to Stop Data Loss Across 1 Million New Offices.  Here’s the actionable advice from Mark Settle, the former CIO of Okta and Karl Knowles, the Global Head of Cyber at HFW.
1. Prioritize email Even with collaboration tools like Slack, email is still King. Or, as Mark put it “email is the central nervous system of almost every company. You really can’t escape it”. Over 124 billion emails are sent and received everyday and employees spend 40% of their time on email. And, when you consider what’s being sent back and forth in emails (spreadsheets, invoices, client information, and other structured and unstructured data) it’s no wonder IT and security leaders consider it the number one threat vector for data loss. Whether it’s a disgruntled employee purposely exfiltrating data or a negligent employee who accidentally sends sensitive information to the wrong person, email is a leaky pipe.  Interested in learning more about how data is lost on email? Read this blog: A Complete Overview of DLP on Email. 2. Clearly communicate what constitutes “data loss” It’s employees who have to take on the role of protecting a company’s most important asset: data. But, unfortunately, many are blissfully unaware of what’s actually considered a data loss incident. It’s not their fault. It’s up to IT leaders – especially now as employees are adjusting to their new work environments – to really communicate what data is sensitive and how that data must be handled.  While those working in Healthcare or Financial Services may be well-versed in what data can and can’t be stored and shared, because of industry-specific compliance standards, the “average” professional may not be. For example: if you don’t tell employees that sending company data to their personal email accounts is considered unauthorized and could lead to a data breach, they’ll never know that they shouldn’t do it. Likewise, many employees don’t realize that sending an email to the wrong person could be classified as a data loss incident.  3. Don’t blame employees, empower them As we’ve said, employees are the gatekeepers of a company’s most sensitive systems and data. But, many aren’t familiar with security best practices or the implications of a breach. And, beyond that, many simply don’t have the necessary tools to work securely. It’s up to IT and security leaders to empower them to do so. How? According to Karl, it comes down to training and technology.
4. Re-think security awareness training Earlier this year at the world’s first Human Layer Security Summit, Mark Logsdon, Head of Cyber Assurance & Oversight at Prudential, explained there are three fundamental problems with training: It’s boring It’s often irrelevant It’s expensive Karl Knowles and Mark Settle shared many of these sentiments. The bottom line is: In order for training to be effective, it has to really resonate. And, for it to really resonate, employees have to understand the who, what, and why behind security policies and procedures. They recommend using different methods and mediums to communicate risks and preventative strategies and – perhaps most importantly – ensure you aren’t overloading them. That means breaking complex subjects down into more manageable pieces and translating technical jargon and concepts into language that’s easier to understand. Top Tip from Karl: Nominate Cyber Champions as a way to gamify training and encourage a positive security culture.  5. Know the limitations of rule-based DLP solutions and invest in technology that proactively adapts DLP isn’t just a challenge now that workforces are remote. It’s been a consistent pain point for IT and security teams for a long time and for several reasons. One of the biggest problems around DLP is that rule-based solutions aren’t adaptive. Not only are they admin-intensive to set-up, but they’re virtually impossible to maintain. You can read more about The Drawbacks of Traditional DLP on Email on our blog.  Learn more about Why DLP is Failing in Tessian’s latest report: The State of Data Loss Prevention 2020. That’s why Karl and Mark recommend investing in technology that’s fast and evolving. The technology is machine learning. Tessian’s DLP solutions (Tessian Enforcer and Tessian Guardian) are powered by machine learning which is why Karl – a customer – considered Tessian an extension of his cyber team.
Interested in learning more about how Tessian can help you detect and prevent data loss wherever your employees are working? Book a demo. And, for more advice, keep up with our blog, LinkedIn, and Twitter for guides, industry news, and events. 
Data Loss Prevention, Human Layer Security
The State of Data Loss Prevention 2020: What You Need to Know
Thursday, May 28th, 2020
Today, Tessian released The State of Data Loss Prevention 2020, a comprehensive report that explores new and perennial challenges around data loss prevention.
Our findings reveal that data loss on email is a bigger problem than most realize, that remote-working brings new challenges around DLP, and that the solutions currently deemed most effective may actually be the least. Why does this report matter? IT, security, and compliance readers have a lot to gain by reading this report. To really understand why, we have to look at the current landscape. Insider threats are a growing problem While email threats from external bad actors (like spear phishing and business email compromise) dominate headlines, email threats from insiders are steadily rising. In fact, there’s been a 47% increase in incidents over the last two years. This includes accidental data loss and deliberate data exfiltration. According to Verizon’s 2020 Data Breach Investigations Report “It is a bit disturbing when you realize that your employees’ mistakes account for roughly the same number of breaches as external parties who are actively attacking you.” The DLP market is booming and is on track for significant growth. Why? Because it’s one of the top spending priorities for IT leaders with 21% planning to acquire DLP tools within the next year.  Remote-working makes DLP even more challenging Over the last eight weeks, workforces around the world have transitioned from office-to-home. That means the perimeter has disappeared and past strategies have become obsolete. COVID-19 has been deemed a “field day for Insider Threats”. There are more opportunities than ever for employees to exploit privileged access to data, working from home can reduce the vigilance of employees handling confidential data, and there’s been a marked increase in COVID-19 phishing attacks. While some organizations will encourage their employees to migrate back to offices, many (including Facebook) have already opted to maintain remote-working set-ups.  Interested in learning more about the methods and motives of Insider Threats? Read our blog: What is an Insider Threat? Insider Threat Definitions, Examples, and Solutions. The implications of a data breach are far-reaching  The consequences of a data breach aren’t limited to lost data and revenue loss. Organizations also experience a 2-7% churn rate after a breach. Data privacy regulations add insult to injury. In the first quarter of 2020 alone, GDPR fines totaled nearly €50 million. But, we had to look beyond third-party research and conduct our own.  What will I learn? We analyzed Tessian platform data and commissioned OnePoll to survey 2,000 professionals (1,000 in the US and 1,000 in the UK) and 250 Information Technology (IT) leaders. We also interviewed IT, security, and compliance leaders about their own experiences with DLP. Here’s what we found out: !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
Data loss incidents are happening as much as 38x more often than IT leaders currently estimate. 800 misdirected emails are sent every year in organizations with 1,000 employees. 27,500 emails containing company data are sent to personal accounts every year in organizations with 1,000 employees. 84% of IT leaders say DLP is more challenging when their workforce is working remotely. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
While 91% of IT leaders say they trust their employees to follow security policies while working from home, almost half (48%) of employees say they’re less likely to follow safe data practices when working from home. Email is the threat vector IT leaders are most concerned about. 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job and 51% say security tools and software impede their productivity.  While IT leaders believe security awareness training is the most effective way to prevent data loss, machine learning is the better option.  Dozens more insights in the full report, including segmented data around industry, company size, age, and region.  How can I access The State of Data Loss Prevention 2020? IT leaders must have visibility over how their employees are handing and mishandling data on email in order to implement effective DLP strategies.  Our report shines a light on the problems and best solutions.  You can access the full report via our microsite. And, if you’re interested in learning more, save your spot at Tessian Human Layer Security Summit on June 18.
Data Loss Prevention, Human Layer Security
13 Cybersecurity Sins When Working Remotely
By Maddie Rosenthal
Wednesday, May 27th, 2020
Over the last eight weeks, security vendors, thought leaders, and even mainstream media have been offering employees advice on how to stay secure and productive while working from home. And, why wouldn’t they? The transition from office-to-home has been both sudden and challenging and the risks associated with data loss haven’t disappeared just because the perimeter has. At Tessian, we’ve created (and have been consistently updating) our own remote-working content hub filled with actionable advice for security, IT, and compliance professionals as well as employees. While you can find the individual articles below, we thought we’d combine all of the tips we’ve shared over the last two months into one easy-to-read article. Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Ultimate Guide to Staying Secure While Working Remotely  Remote Worker’s Guide to: Preventing Data Loss Remote Worker’s Guide to: BYOD Policies  11 Tools to Help You Stay Secure and Productive While Working Remotely  Here are 13 things you shouldn’t do when working remotely from a cybersecurity perspective.  1. Don’t send company data to your personal email accounts. As many organizations have had to adopt new tools and systems like VPNs and Cloud Storage on the fly, some employees may have had to resort to sending company data to their personal email accounts in order to continue doing their job.  We understand that doing so may have been viewed at the “only option”, but it’s important to note that this is not wise from a security perspective. While we’ve written about this in detail on our blog The Dark Side of Sending Work Emails “Home”, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts. Why? Read point #5 to find out.  2. Don’t share Zoom links or Meeting IDs.  Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But, as we highlighted in our Ultimate Guide to Staying Secure While Working Remotely, there are precautions you must take in order to prevent attackers from infiltrating your calls. While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.  Importantly, this Meeting ID appears at the top of your conference window, which means if you share a screenshot of your call, anyone who sees the screenshot can access this meeting. If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join. 3. Don’t ignore warnings from IT and security teams or other authoritative sources.  Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them. But – importantly – these warnings are useless unless employees heed the advice.  Whether it’s an email outlining how to spot a phishing email or an announcement from your line manager about updating your iOS, employees should take warnings seriously and take action immediately.  4. Don’t work off of personal devices.  While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices. Note: Some organizations have adopted more flexible BYOD policies. You can learn how to combat the security risks associated with these policies on our blog. 5. Don’t action email requests without double-checking their legitimacy.  Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.  For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentialsor other personal information, get in touch with them via phone or a separate email thread before responding.  6. Don’t use weak passwords.  Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data.  If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins.  If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. 7. Don’t lose touch with your IT or security teams.  Communication – especially during periods of transition and disruption- is key.  If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected.  8. Don’t use public Wi-Fi or mobile hotspots.  Given the digital transformation, most of us rely on internet access to do our jobs. Unfortunately, we can’t connect to just any network.  The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. With that said, you should only use networks you’re absolutely confident are secure.  9. Don’t download new tools or software without approval.  IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion. Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”.  10. Don’t leave work devices or documents in plain sight.  Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too.  Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or client information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft.  Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously. 11. Don’t give hackers the information they need to execute social engineering attacks.  When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Don’t make it easier for them by sharing personal information on OOO messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.  12. Don’t be afraid to ask questions about security policies and procedures.  When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place. IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request.   13. Don’t forget the basics of security best practice.  While we’ve offered plenty of advice that’s specific to remote-working, following general security best practices will help prevent security incidents, too.  Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn’t, below are some of the basics. Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization.  If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key! What’s next? While most organizations and individuals have started to adjust to “the new normal”, it’s important to remember that, eventually, some of us will move back to our office environments. The above tips are relevant wherever you’re working, whether that’s at home, from a cafe, on public transport, or at your desk in the office. Looking for more insights on what\s next in this new world of work? We’re hosting our first virtual Human Layer Security Summit on June 18. Find out more – including the agenda for the day – here. 
Human Layer Security
7 Reasons to Attend Tessian Virtual Human Layer Security Summit
Tuesday, May 26th, 2020
On June 18, we’re hosting Tessian Human Layer Security Summit and you’re invited.  The theme? The new world of work. While businesses have flexed fast to adapt to remote-working, there are still plenty of challenges security, compliance, and IT leaders have to overcome.  That’s why we’re bringing thousands of people together from around the world – including over a dozen speakers and partners – to discuss what’s happened and (more importantly) what’s next. We know what you’re thinking: How is this virtual event different from others you’ve been invited to or attended? We’ll tell you.
1. You’ll hear from thought leaders from world-renowned institutions We believe that diverse perspectives lead to better solutions, which is why we’ve brought together such a wide range of voices from the world’s top businesses and institutions.  We’ll be welcoming security and business leaders from Amazon Web Services, The FBI, Unilever, Investec, and more and each speaker will cover a topic that demonstrates their expertise and unique point of view. So, what will they be covering? The evolving risk landscape, how new compliance standards affect business and cybersecurity strategies, challenges in preventing data loss, and how to build and maintain a happy and productive remote workforce.  2. You’ll have a chance to ask your most pressing questions around cybersecurity, remote-working, and business continuity While the agenda is jam-packed with fireside chats, presentations, and panel discussions, we’ve left plenty of time for you to voice your thoughts, too. After all, the name of the game is diverse perspectives. We’ll be opening the floor to all attendees to ask their most pressing questions and our speakers will answer them live. You can even submit your questions ahead of time by emailing [email protected] This way, you can leave the event with actionable advice related specifically to you and your organization. 
3. You’ll learn more about human-centric security strategies  The Human Element has been a buzzword throughout 2020. But, do you know how to create and implement security strategies that are human-centric? You will after this event. You’ll hear why solving the problem of human error on email is more important now than ever, how security and privacy risks have evolved as the perimeter has disappeared, and how Tessian’s Human Layer Security platform has helped Tessian customers prevent data loss incidents on email.  Want a sneak peek at what you might learn? Check out these insights from the world’s first Human Layer Security Summit.  4. You’ll be the first to know about exciting company and industry news  While we don’t want to spoil all the surprises, you should know that we’ll be announcing some very exciting news that will bring greater visibility into threats specific to your organization.  Not only will we be unveiling new technology that gives security, IT, and compliance leaders a birds’ eye view into data loss trends, but we’ll be sharing key findings from our groundbreaking research into the State of Data Loss Prevention 2020. 
5. You’ll be in good company  We hosted our first-ever Human Layer Security Summit in March where hundreds of attendees (both in-person and online) joined the conversation. This event will be even bigger. Thousands of leading C-suite executives, business leaders, and security professionals from across continents will be under the same (virtual) roof which means this event is the perfect opportunity to network and connect with the larger cybersecurity community.  Whether you’re looking for advice, allies, or future opportunities, this is your chance. 6. You don’t have to change out of your pajamas While most of us are all too familiar with challenges around remote-working, we can’t ignore that there are some benefits, too. For example: Being able to ask the former CEO of Upwork a question while sitting in your pajamas.  This is especially relevant for those tuning in from California, as the event kicks off at 7:00 AM PST. Of course, feel free to join in whatever you’re comfortable in.  7. …It’s free! Attendees have a lot to gain by joining us on June 18 and nothing to lose; the event is 100% free.  All you have to do is register now to save your spot and tune in on the day.  Can’t make it on June 18? Don’t worry! By registering, you’ll have on-demand access to watch the full series of keynotes, panel discussions, and more after the live session.
Data Loss Prevention, Human Layer Security
What is an Insider Threat? Insider Threat Definition, Examples, and Solutions
By Maddie Rosenthal
Friday, May 15th, 2020
While cybersecurity policies, procedures, and solutions are often focused on cybercriminals outside of the organization, more and more often, it’s people inside the organization who are responsible for data breaches. In fact, there’s been a 47% increase in incidents over the last two years; this includes accidental data loss and deliberate data exfiltration by negligent or disgruntled employees or contractors. This is a big problem, especially considering the global average cost of an insider threat is a whopping $11.45 million.  So, what is an insider threat and how can organizations protect themselves from their own people?
Importantly, there are two distinct types of insider threats, and understanding different motives and methods of exfiltration is key for detection and prevention. Types of Insider Threats The Malicious Insider
Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor using valuable information (like Intellectual Property, Personally Identifiable Information (PII), or financial information) for personal gain. What’s in it for the insider? It depends. Financial Incentives Data is valuable currency. Case in point: data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web. Whether it’s a list of customer email addresses or trade secrets, bad-intentioned employees with privileged access to systems and networks can cause serious damage to an organization’s bottom line and reputation. Competitive Edge It’s not uncommon for employees to download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed. While this isn’t always malicious (they could simply be adding a project to their portfolio), it certainly can be. For example, an exiting employee could take customer lists or trading algorithms to a new employer.  The prevalence of these incidents varies greatly by industry. Unsurprisingly, highly competitive industries like Finance Services, Government, and Entertainment have the highest percentage of occurrences.  The Negligent (or Unaware) Insider 
Negligent or unaware insiders are just your “average” employees doing their jobs. Unfortunately, to err is human, which means people can – and do – make mistakes. While there are a number of ways employees can mishandle data, the common thread here is that data leaks are unintentional.  Sending a misdirected email Data emailed to the incorrect recipient is the second most reported cause of data breaches. And, while it’s unintentional, the implications can be far-reaching, especially for those organizations that are bound to compliance standards or data privacy regulations. Think about it: emails contain structured and unstructured data in either the body copy, as attachments, or both. In certain industries – like healthcare and financial services – the likelihood of email communications containing sensitive information is even greater.  Falling victim to a phishing or spear phishing attack Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. If the attack is successful – meaning the target (an employee) falls for the scam – there could be serious consequences.  If you want more information, read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies. Losing your work device(s)   Whether it’s a mobile phone, laptop, or tablet, losing a work device could lead to a data breach, especially if the device is left unlocked.  How can I protect against Insider Threats? While organizations are certainly aware of the risks around insider threats, preventing breaches caused by malicious or careless employees is a challenge. Why? Because to detect and prevent threats, IT, security, and compliance teams have to maintain full visibility over data – both digital and physical – including who has access to it. This is no easy task. You must consider all the different perimeters (networks, endpoints, and email), take stock of the massive amount of data that your organization handles, and identify all of the employees, contractors, and other third-parties who have access to that data.  From there, it comes down to training, monitoring (both digital and physical), and the implementation of security policies, procedures, and tools.  Training Education is one of the first steps in prevention, which means malicious and accidental insider threat awareness should be incorporated into periodic security training for all employees. While training won’t prevent those with nefarious intent from exfiltrating data, it will help build a positive security culture in which employees outside of IT and security teams will know how to identify an insider threat.  Beyond that, making employees aware of the dire consequences of mistakes on email will help encourage safe and secure data handling. Monitoring Today, most sensitive data is stored on networks, devices, and the cloud, which means controlled access is absolutely essential. But, if an individual has legitimate access to a system or network, how can IT or security teams know if and when they’re exfiltrating data? Monitoring.  Telltale signs of an insider threat include: Large data or file transfers Multiple failed logins (or other unusual login activity) Incorrect software access requests Machine’s take over Abuse by Service Accounts   Of course, insider threats can still steal physical data like sensitive documents. This is one reason why controlled access to buildings and even certain offices is just as important as network security.  Security Policies, Procedures, and Tools Many organizations look to Data Loss Prevention (DLP) strategies to help mitigate risk around insider threats.  Solutions include: Firewalls Endpoint scanning Rule-based systems Anti-phishing software Machine learning technology  Unsure what exactly DLP is? Read this article: A Complete Overview of DLP. What is the best Insider Threat Solution? While there are a number of ways in which malicious or careless employees can exfiltrate (or otherwise lose) data, email is no doubt the number one threat vector.  Billions of email messages are sent every day to and from organizations and many of these emails contain highly sensitive information including personal details, medical records, intellectual property, and financial projections. That means that in order to have a chance at detecting and preventing insider threats, organizations must look at securing email communications. But, traditional DLP solutions for email fall short and today, machine learning technology is the only way to prevent data loss and data exfiltration.  In fact, Tessian was recently recognized as a Cool Vendor in Gartner’s Cool Vendors in Cloud Office Security report. Why? Because, through a combination of machine intelligence, deep content inspection of email, and stateful mapping of human relationships, Tessian’s Human Layer Security Platform prevents misdirected emails and intentional (and malicious) attempts at data exfiltration.  How does Tessian detect and prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and misdirected emails.  Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.  Tessian Enforcer detects and prevents data exfiltration attempts by: Analyzing historical email data to understand normal content, context, and communication patterns Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs  Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like data exfiltration. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior Alerting users when data exfiltration attempts are detected with clear, concise, contextual warnings that reinforce security awareness training Tessian Guardian detects and prevents misdirected emails by: Analyzing historical email data to understand normal content, context, and communication patterns Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs  Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like it’s being sent to the wrong person. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior Alerting users when a misdirected email is detected with clear, concise, contextual warnings that allow employees to correct the recipients before the email is sent
Compliance, Human Layer Security
Two Years Later: 3 Ways GDPR Has Affected Cybersecurity
By Maddie Rosenthal
Thursday, May 14th, 2020
This month we celebrate the two year anniversary of the General Data Protection Regulation (GDPR). While the road to compliance hasn’t been easy for organizations in Europe and beyond, it’s clear this benchmark legislation has been a step in the right direction for data rights, privacy, and protection.  It’s also had a big impact on cybersecurity. Not only is cybersecurity now considered business-critical – which is big news for an industry that has historically struggled to communicate its value and ROI – but we’ve seen incredible innovation in security solutions, too. Read on to learn more about how GDPR has affected cybersecurity or, for more context around GDPR and its implications, read GDPR: 13 Most Asked Questions + Answers.  1. Cybersecurity is now a business enabler  While cybersecurity has historically been a siloed department, data privacy regulations and compliance standards like GDPR have helped prove the business value of a strong cybersecurity strategy.  To start, cybersecurity solutions help organizations stay compliant by preventing data breaches. This isn’t trivial. While the fines under these new compliance standards are hefty (GDPR fines totaled nearly €50 million in the first quarter of 2020 alone), the implications of a breach extend far beyond regulatory penalties to include: Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation It’s no surprise, then, that the UK’s cybersecurity sector has grown by 44% since GDPR was rolled out. But, cybersecurity solutions don’t have to be limited to prevention or remediation. In fact, cybersecurity can actually enable businesses and become a unique selling point in and of itself. Now that data protection is top of mind, those organizations that are transparent about their policies and procedures will have a competitive advantage over those that aren’t and will gain credibility and trust from prospects and existing customers or clients. 
2. IT leaders are engaging with (and depending on) employees more often While cybersecurity teams are responsible for creating and implementing effective policies, procedures, and tech solutions, data protection is the responsibility of the entire organization. Why? Because data loss is a human problem with 88% of breaches being caused by human error, not cyberattacks. The fact is, employees control business’ most sensitive systems and data, and one mistake – whether it’s a misdirected email or a misconfigured firewall – could have tremendous consequences. That means accountability is required company-wide in order to truly keep data secure and stay compliant.  But, education is the first step in prevention which is why there’s express advice contained within the GDPR to train employees. Importantly, though, training has to actually cut through and stick, which means IT leaders are working hard to effectively communicate risks and responsibilities. Of course, anyone in a cybersecurity leadership position knows this is no easy task.  The key is to ensure training is aligned to the individual business, starting with the people in it and their attitudes towards security. Not sure where to start? Watch Mark Lodgson, Head of Cyber Assurance and Oversight at Prudential, talk about how he measures cyber culture within his organization. 3. The DLP market is booming  Post-GDPR, organizations are spending more than ever to protect their systems and data, and, unsurprisingly, one of the top spending priorities for IT leaders is data loss prevention (DLP). While the DLP market is keeping up with demand (DLP market revenues are projected to double from $1.24 billion in 2019 to $2.28 by the end of 2023), data loss prevention remains a pain point for most senior executives because, well, most DLP solutions don’t work. According to a new report from 451 Research “DLP technology has developed a reputation as much for inaccuracy, false positives, and poor performance as it has for protecting data.” The shortcomings of DLP solutions are reflected in the number of incidents of data loss and data exfiltration being reported, too, up 47% over the last two years. The problem is that most DLP solutions rely on rules to detect and prevent incidents and most rules cannot effectively be managed by people. It’s too time consuming and complex to update them in tandem with evolving human relationships and compliance standards. But, there’s a better way: machine learning. In fact, Tessian was recently recognized as a Cool Vendor in Gartner’s Cool Vendors in Cloud Office Security report. Why? Because, through a combination of machine intelligence, deep content inspection of email, and stateful mapping of human relationships, Tessian’s Human Layer Security Platform turns your email data into your biggest defense against email security threats.  To learn more about how Tessian uses machine learning to prevent data loss on email, click here.  What’s next? GDPR is just the beginning and the CCPA enforcement date is looming. Are you prepared? Find out on our blog: 5 Things Every CISO Should Know About CCPA’s Impact on Their InfoSec Programs.
Human Layer Security
Tessian Named a Gartner Cool Vendor
Tuesday, May 12th, 2020
We are thrilled to be recognized as a Cool Vendor in the recently published Gartner Cool Vendors in Cloud Office Security report. To us, being named a Gartner Cool Vendor is an honor. Vendors recognized in the report are interesting, new, and innovative. In the report Gartner explains, “as cloud office suite adoption becomes nearly universal, security and risk management leaders must explore ways to protect sensitive information from risks and threats.” Gartner adds that “security and risk management leaders should recognize that cloud office security technology is evolving and converging in sometimes unpredictable ways” and that “the gaps in cloud office technology convergence often result in incomplete data protection and multiple perspectives to data visibility.” The report further states, “the vendors included in this Cool Vendors report focus specifically upon securing applications, communication and data that occur within cloud office environments.”
Tessian recognized as a Cool Vendor in May 2020 Cool Vendors in Cloud Office Security report Tessian is the world’s first Human Layer Security platform that protects organizations from human layer security threats on email.  By turning your email data into your biggest defense, Tessian prevents inbound and outbound email threats caused by human error. Tessian defends against accidental data loss, data exfiltration and insider threats, in addition to defending against advanced inbound threats like business email compromise, spear phishing and other targeted impersonation attacks. Tessian’s machine learning technology turns your email data into intelligence, transforming your most vulnerable endpoint – your employees – into a trusted security asset by taking human error out of the equation.  Tessian Human Layer Security Prevents Human Error on Email Employees control business’ most sensitive systems and data. Whether it is someone in your finance department who oversees billing and banking platforms, or someone in your HR department who controls employee social security numbers and compensation plans — they are the first and last line of defense; the gatekeepers of digital systems and data. This is what we call the Human Layer. And people’s propensity to make mistakes, break the rules, or be hacked are Human Layer Vulnerabilities. These vulnerabilities can cause big problems. In fact, they’re the number one cause of data breaches: 88% of data breaches reported to the UK’s Information Commissioner’s Office (ICO) are due to human error. To prevent today’s Human Layer Security threats on email, your security controls must understand human behavior. Through a combination of machine intelligence, deep content inspection of email and stateful mapping of email relationships, Tessian turns your email data into your biggest defense against email security threats.  We call it Human Layer Security. What does this mean for security leaders? Our stateful machine learning allows Tessian to understand changing human behavior over time with high accuracy. This means employees experience fewer notification rates and false negatives. Tessian can be deployed in minutes, integrates with O365, Exchange and G-Suite environments and it automatically starts preventing threats within 24 hours of deployment.  Tessian is trusted by world-leading businesses like Arm, Man Group, Evercore and Schroders to protect their people on email. Gartner subscribers can view the Cool Vendors in Cloud Office Security Link.
Data Loss Prevention, Human Layer Security
451 Research: Tessian Uses Machine Learning for Better DLP
Monday, May 11th, 2020
According to a new report from 451 Research, “the DLP market is ripe for change” and Tessian could be the next-generation solution organizations need to detect and prevent both inbound email attacks and outbound email threats.  Key findings from the report include: DLP is ranked at the top of a list of over 20 security categories that are expected to see a “significant” increase in spending in the next 12 months Tessian uses stateful machine learning across four different products to prevent human error on email with use cases for both inbound and outbound email threats including anti-phishing and advanced impersonation attacks, accidental data loss, and malicious data exfiltration Tessian is both complementary and competitive to traditional DLP offerings 
DLP: An Unsolvable Problem While the DLP market is saturated with products – from traditional DLP vendors like Broadcom, McAfee, Forcepoint, and Digital Guardian to newer entrants like ArmorBlox, Altitude Networks, and Code42, the consensus is that DLP is, in many ways, failing. According to the report, “DLP technology has developed a reputation as much for inaccuracy, false positives, and poor performance as it has for protecting data.” That may be why DLP remains one of the top spending priorities for IT leaders, with 13% of those surveyed by 451 Research saying they expect to see a “significant increase” in spending over the next 12 months and a further 11% saying they expect to see a “slight increase.” It’s clear organizations need a better way to prevent data loss.  Tessian believes it’s because DLP efforts aren’t addressing the real problem, which is that 88% of data breaches are caused by human error.   Tessian’s Approach to Data Loss Prevention Instead of focusing on the machine layer, Tessian focuses on the human layer and, in doing so, has developed the world’s first Human Layer Security platform.
Our Human Layer Security platform consists of four main products: Tessian Defender, which prevents advanced inbound attacks like spear phishing, Tessian Guardian, which prevents accidental data loss caused by misdirected emails, Tessian Enforcer, which prevents data exfiltration attempts on email. Organizations that implement any of these solutions also get Tessian Constructor, which allows admins to create blacklists, whitelists, and custom filters to ensure email usage remains compliant.  Each of these products applies stateful machine learning techniques to historical email messages (headers, body, and attachments) to understand relationships and establish normal behavior profiles that can be used to distinguish between safe and unsafe emails.  No rules required. According to 451 Research, Tessian succeeds in preventing data loss where others fall short.  “While [most existing DLP tools] are good at finding personally identifiable information (PII), finding and blocking actions such as employees sending files to a personal email account are surprisingly challenging and are quickly out-of-date, so predefined rules are not that effective.” You can read the full report here. Book a Demo By leveraging new capabilities in AI and machine learning, Tessian, according to 451 Research,“delivers more effective DLP” by preventing human error on email.  To learn more about how we prevent inbound and outbound email threats and why world-leading businesses like Arm, Man Group, Evercore, and Schroders trust Tessian to protect their people on email, book a demo.
Our Journey To Revamp The Tessian Values
By Tim Sadler
Monday, May 11th, 2020
As a founder, I knew from Day 1 how important our values were going to be in order to build the company we dreamed of creating. So when I began to hear murmurs late last year that not everyone at Tessian was understanding what our values meant for them, I knew it was time to investigate how our people were feeling and what we might need to do to revamp our values. To me this listening exercise was vital because our values guide everything. They aren’t aspirational words hanging on a wall that no one understands; they’re the backbone of a company. With this in mind, we went on a month-long journey of listening to our employees, and created values which are a true reflection of Tessian today. They’re actionable, intuitive and central to everything we do, from our recruitment process through to performance and development.  You can check them out in more detail below. But before I get to our revamped values, I want to tell you more about the journey we went on to make sure they truly reflected what Tessians care about. Why do company values matter in the first place? Values aren’t just a corporate thing; values are crucial for both our personal and professional lives. They’re a code we live by, they define what’s important to us, and they help us make decisions day to day. Sometimes our values are so deeply ingrained, we don’t realize we’re using them every day to make choices.  At Tessian, we’ve seen our values as a North star from the beginning. They steer our decision making, serving as a code to help us make choices, especially when it’s not obvious what we should do. They help us hire the right people, individuals who care about the things we care about and can take Tessian in the right direction.  Our values also inform our performance reviews, development conversations, and how we reward, recognize and promote our people. Our values underpin our culture.  Why did we decide to revamp our values at Tessian? We use Peakon, a tool that helps companies build and maintain engaged teams and great company cultures. It does this through employee surveys, which provide insights into how our employees feel about different things. Late last year, our Peakon data revealed a theme: our values weren’t understood by all our people.  We saw that:  People were being rewarded for different behaviors underlying our values (and these were in conflict with each other); and  Behaviors that were really important to us weren’t reflected in our values. In other words, we had a gap in our values. I wanted to do something to fix this. We ask Tessians to show up every day, living and breathing these values. If there’s confusion over what they look like in practice, we’ll all be rowing in different directions. Equally, as people join the team, if there are things that are important to us that aren’t explicitly reflected in our values, we run the risk of losing or diluting those things over time.
How did we revamp our values? We knew we needed to re-work our values. The question was: how?  The most important thing was to get input from as many people as possible from all across the business: different genders, backgrounds, functions, tenures, and levels of seniority. That was the only way we’d get the values that accurately reflect Tessian.  We started by sending out a questionnaire to the whole company to understand from a high level what was most important to us. It included questions like:  What do you think of our current values (what values do and don’t resonate)? If you could add a value, what would it be? What do you value in yourself and your colleagues?  We received a high response rate, but we wanted to dig deeper. Next, we set up 1-1s with about half of the respondents to delve deeper into their answers. We then aggregated all of this information into a pre-read to run a workshop with our Values Focus Group (this consisted of 15 people who had signed up to be our “Values advocates”). We followed this up with additional 1-1s with each of our Values Focus Group members. All of this work meant that the whole of Tessian went on this journey together; our values were crafted from the top-down and bottom-up, so had a great chance of being “sticky”.  Having gathered so much input from across the business, we then started to reformulate our values with a clear view of what was truly important to our people. Here’s an illustration of the words that came up the most during our journey that guided us in our reformulation.  
Our new values A lot of interesting things came out of the listening tour. First and foremost was the fact that there was a “gap” in our values—this became a new value called “Human First”.  This value was the most prominent finding in all of our work; time and again people said how important treating each other with kindness, respect and inclusion is at Tessian. It was so clearly part of the fabric of Tessian. It also seemed like a huge miss to not have this as we are a Human Layer Security company which believes people are the most important part of every organization. With all this in mind, we knew we had to codify it as its own value. Here are some tips we found worked for us when writing our new values: Focus on the actual words your employees are using during the discovery process, and not words that are “hot” right now in your industry or the public generally. Staying true to your employees’ language when writing your new values will help them better resonate in the end. Observe how the value is being embodied around you because so much understanding comes from the values in action; and Don’t be limited by what you think your values are, or what you think they should be. Go in with an open mind and candidly narrate the values you uncover. Without further ado, here’s the entire set of revamped values. They make me proud to be a Tessian, because I know that they reflect the real values and aspirations of all of our people. 
Human first. We approach everything with empathy and we look out for each other alongside our own wellbeing. Respect, kindness and inclusion are at the core of our company because our people are what make us Tessian. 
Customer centricity. We fixate on our customers’ success. They’re the lifeblood of our business and guide our daily decision-making. Whether we’re launching a feature, or pursuing a partnership, we always ask “How does this help our current and future customers?” 
Positive mindset. Solution oriented. We lead with a curious, positive mindset, and go above and beyond to find solutions when problems arise. When our solutions fail, they fail fast — we embrace the failure and keep learning, iterating, and improving.
Grit and perseverance. We have sustained passion for achieving long-term goals. We see setbacks as opportunities to adapt and grow. We’re committed to building resilience and have the motivation to tackle big challenges that others might give up on.
We do the right thing. We’re always honest and guided by integrity in every decision we make; with one another, with our customers, with everyone. We do what we believe is right, even when it means making difficult decisions.
Craft at speed. We work with great care and skill, sometimes at an uncomfortably fast pace. Rather than aim for perfection in one at the expense of the other, we balance attention to detail with speed of delivery.
Spear Phishing
Phishing in Retail: Cybercriminals Follow The Money
Thursday, May 7th, 2020
Retailers have always been a lucrative target for cybercriminals and their phishing scams — even more so during peak shopping times. The thing is, cybercriminals always follow the money and opportunistic hackers will find ways to cash in on spikes in consumers’ spending.  During the coronavirus lockdown, for example, global payments systems provider ACI Worldwide found that online sales for retailers dramatically increased. It reported a 74% growth in average transaction volumes in March 2020, compared to the same period the year before. However, while they saw an increase in online sales, they also saw a spike in fraudulent activity and Covid-19 phishing scams.  We see a similar trend around retailers’ busiest shopping period of the year – Black Friday.  A golden opportunity for fraudsters US shoppers spent a record $7.4bn on Black Friday in 2019, and a further $9.2bn on Cyber Monday. In the UK, Barclaycard reported that transaction value was up 16.5% in 2019, compared to Black Friday in 2018. A golden opportunity for fraudsters. When we surveyed IT decision makers at UK and US retailers, the majority told us the number of number of phishing attacks their company receives during the Black Friday weekend spikes. In fact, respondents said they receive more phishing attacks in the last three months of the year – in the lead up to the holidays – compared to the rest of the year. Consequently, one in five IT decision makers told us that phishing poses the greatest threat to their retail organization during peak shopping times. They identified phishing as a bigger threat to their business than ransomware or Point of Sale (PoS) attacks. Their reasons? They aren’t confident that their staff will be able to identify the scams that land in their inbox during these busier periods, namely because people are receiving more emails at this time and are more distracted. A third of IT decision makers in retail also told us that phishing emails are, simply, becoming harder to spot. The high price of a phishing attack The devastating consequences of falling for a phishing attack are troubling the IT leaders we surveyed. Over a third said financial damage would have the greatest impact to their business following a successful phishing attack. It’s not surprising. Today, the average cost of a phishing attack on a mid-size company is $1.6 million. For small businesses, the cost of a cyber attack stands at just over $53,000 – a devastating blow for any small retailer and one that could put them out of business. More sales, more mistakes The people-heavy nature of the retail industry is something cybercriminals prey on. Using sophisticated social engineering techniques and clever impersonation tactics, they’re counting on people making a mistake and falling for their scams.  Sadly, during busy shopping periods, mistakes are likely to happen. When faced with hundreds of orders, thousands of customers to respond to, and overwhelming sales targets, cybersecurity is rarely front of mind as people just focus on getting their jobs done. In these situations, you can’t expect people to accurately spot a phishing scam every time. New solutions needed Retailers, therefore, need to consider how they can protect their people from the growing number of phishing scams plaguing the industry — beyond training and awareness. In our report – Cashing In: How Hackers Target Retailers with Phishing Attacks – we look into the biggest threats IT leaders in the retail sector face, reveal the gaps in security that need addressing, and explain how to best protect people on email. 
Spear Phishing
How to Avoid the PPP Scams Targeting Small Businesses
By Maddie Rosenthal
Friday, May 1st, 2020
On April 27, the U.S government’s coronavirus relief fund for small businesses – the Payroll Protection Program – resumed lending, after an additional $320 billion in funding was authorized to help small businesses keep employees on the payroll. The program will provide much needed relief for small businesses, but it could also provide cybercriminals with another prime opportunity to cash in on Covid-19 related schemes. Over the last month, Tessian has identified ways in which criminals have taken advantage of the global pandemic to make their scams more effective – from impersonating remote working and collaboration tools to tricking people into clicking onto fake stimulus check domains.  We are now warning small businesses of the PPP and CARES Act scams that they could face.  Tessian’s latest research reveals that 645 domains related to the PPP were registered between March 30 and April 20, with the majority of the domains being registered in the week following the US government’s announcement on March 31.  While 85% of the domains are offline, it’s unclear how long they will remain offline for. Of the newly registered domains that are currently live: 35% were registered as multiple domains that lead users to the same website. The 31 of the grouped domains only lead people to eight websites. 28% were from different loan providers that have a separate PPP presence through an online form. Although these may not all be spammy, it’s important for people to be wary of what they’re signing up for, what information they’re sharing and any associated costs. 24% were law firms and consultants offering their services. Around 10% were “advisory,” giving businesses information about PPP in a blog style without any notable Call To Action or service. Worryingly, a recent survey by IBM X-Force found that only 14% of small business owners say they are very knowledgeable about how to access the SBA’s loan relief program. Cybercriminals will use this to their advantage, targeting those individuals seeking more information or guidance on the PPP. And although not every newly registered PPP domain may be malicious, it’s possible that these websites could be set up to trick people into sharing money, credentials or personal information.  Small businesses have been prime targets throughout the global pandemic. We’ve seen a number of spam campaigns whereby hackers impersonate the Small Business Administration (SBA) or well-respected banks to entice people into opening malicious attachments or sharing sensitive information. At this time, we urge small business owners and staff to think twice about what they share online and question the legitimacy of the emails they receive.  Our advice to avoiding the PPP scams: Be cautious about sharing personal information online. If it doesn’t look right, it probably isn’t. Understand the Call To Action on these PPP-related sites and emails you receive from them asking for urgent action or to click links.  Make sure any sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly. Never share direct deposit details or your Social Security number on an unfamiliar website. Always use different passwords when setting up new accounts on websites. And enable two-factor authentication on all the services that you use.
Data Loss Prevention
6 Examples of Data Exfiltration
By Maddie Rosenthal
Thursday, April 30th, 2020
Over the past two years, 90% of the world’s data has been generated. And, as the sheer volume of data continues to grow, organizations are becoming more and more susceptible to data exfiltration.  But, why would someone want to exfiltrate data? Data is valuable currency. From an e-commerce business to a manufacturing company, organizations across industries hold sensitive information about the business, its employees, customers, and clients. What is data exfiltration? Simply put, data exfiltration indicates the movement of sensitive data from inside the organization to outside without authorization. This can either be done accidentally or deliberately. The consequences of data exfiltration aren’t just around lost data. A breach means reputational damage, lost customer trust, and fines. The best way to illustrate the different types of data exfiltration and the impact these incidents have on businesses is with examples. Examples of data exfiltration  When it comes to data exfiltration, there are countless motives and methods. But, you can broadly group attempts into two categories: data exfiltration by someone within the organization, for example, a disgruntled or negligent employee, and data exfiltration by someone outside the organization; for example, a competitor.  Data exfiltration by insiders Data exfiltration by an insider indicates that company data has been shared by a member of the company to people (or organizations) outside of the company.   While most organizations have security software and policies in place to prevent insider threats from moving data outside of the office environment and outside of company control, insiders have easy access to company data, may know workarounds, and may have the technical know-how to infiltrate “secure” systems.  Here are three examples of data exfiltration by insiders:  Over the course of 9 months, an employee at Anthem Health Insurance forwarded 18,500 members records’ to a third-party vendor. These records included Personally Identifiable Information (PII) like social security numbers, last names, and dates of birth. After exfiltrating nearly 100 GB of data from an unnamed financial company that offered loan services to Ukraine citizens, an employee’s computer equipment was seized. Police later found out the suspect was planning on selling the data to a representative of one of his former employer’s competitors for $4,000.  Not all examples of data exfiltration are malicious, though. Some breaches happen inadvertently, like when an employee leaving the Federal Deposit Insurance Corporation (FDIC) accidentally downloaded data for 44,000 FDIC customers onto a personal storage device and took it out of the agency.  Exfiltration by outsiders Unlike exfiltration by insiders, exfiltration by outsiders indicates that someone from outside an organization has stolen valuable company data.  Here are three examples of data exfiltration by outsiders:  In 2014, eBay suffered a breach that impacted 145 million users. In this case, cybercriminals gained unauthorized access to eBay’s corporate network through a handful of compromised employee log-in credentials. At the time, it was the second-biggest breach of a U.S. company based on the number of records accessed by hackers.  Stealing login credentials isn’t the only way bad actors can gain access to a network. In 2019, malware was discovered on Wawa payment processing servers. This malware harvested the credit card data of over 30 million customers, including card number, expiration date, and cardholder name.  91% of data breaches start with a phishing email. While many phishing emails direct targets to wire money, pay an invoice, or provide bank account details, some request sensitive employee or client information, for example, W-2 forms. You can read more about Tax Day scams on our blog.  Looking for more information about data exfiltration or data loss prevention? Follow these links: What is Data Exfiltration? Tips for Preventing Data Exfiltration Attacks What is Data Loss Prevention (DLP)? A Complete Overview of DLP on Email
Page
Follow Tessian
Copyright © 2020 Tessian Limited. All Rights Reserved.
Company registered number 08358482.