Interviews With CISOs, Podcast
Q&A with Ben Aung, Chief Risk Officer at SAGE
By Andrew Webb
Monday, November 29th, 2021
Ben Aung, Chief Risk Officer at SAGE and formerly a Deputy Government Chief Security Officer in the UK government, is a Tessian customer. He discussed insider threats, fear, uncertainty and doubt (FUD), and the Great Resignation with Tessian CEO and Co-Founder, Tim Sadler, on the RE: Human Layer Security podcast. Listen here, or read the Q&A below.

Tessian: How has this year been for you and your team at SAGE?

Ben: I’m surprised how much we’ve managed to achieve under challenging circumstances. We’ve managed to get to a “business-as-usual” state much faster than I would have expected, and many of the kind of “doomsday” threats that we might have been anticipating as a result of COVID haven’t really materialized for me.

Tessian: What are your thoughts on insider threats? Could you share a bit about how you’ve been focused on insider threats throughout your career?

Ben: Most of my career in government has been in information security, computer security, or cybersecurity—depending on which term was de rigueur at the time—but when I joined the Cabinet Office in 2012, my first gig I got there was as the Senior Policy Adviser in the National Security Secretariat for insider threats.

Soon after I joined, we were dealing with the aftermath of the Edward Snowden disclosures, which—as many people will remember—were a seismic event in the insider threat world, and caused a great deal of reflection and introspection around how much confidence we could have in some of the very long-standing controls that we’d had around mitigating the most severe insider incidents, particularly in the national security context.

That was a real “baptism by fire” for me in the insider world. I was working across the Five Eyes countries and trying to join up what we all thought was a fairly consistent understanding of how to fight insider threats, but I found out we were all doing things in slightly different ways.

My experience of working with the intelligence community in that very high threat, high impact context was that—in amongst all of the complexity, and “smoke and mirrors,” and spookery—many of the issues were just fundamental people issues or control issues that I expect nearly every organization to face, in one way or another.

Tessian: According to stats, insider threats have risen almost about 50% in the past two years. Why do you think it’s such a challenging problem to solve?

Ben: I think we overcomplicate it, would be my headline. We don’t think holistically about the interventions we can make in the lifecycle of an individual or an insider incident that might reduce both the opportunity and the impact.

We often put too much emphasis on hard technical controls. We lock systems down, so they become unusable, and people just find ways to circumvent them. We put too many eggs in one basket, and we don’t think about all the little things we can do that cumulatively, or in aggregate, can support us.

The other thing I’d say is—cybersecurity, as an area of risk, is too populated with anecdotes and an absence of data. And it’s too driven by the worst-case scenarios, rather than the everyday, which I think are too often the starting point for the more severe events that happen later down the line.

Tessian: How do we take steps towards that more data-driven approach, and what’s your advice to people who may agree that they find themselves swayed by headlines and the “fear factor”?

Ben: As security professionals, we sometimes have quite thankless roles in an organization. And actually bringing a bit of excitement and interest—it’s an interesting part of the job, and sometimes adds a bit of “mythology.”

The point is that the most effective interventions are some of the most boring and the most mundane. By that, I mean—if you look across all of the most severe insider incidents of the last “x” years, effective line management would have been one of the key mitigations. Effective line management, good pastoral care, good understanding of employee wellbeing, good performance management processes, basic controls around access, audit, and monitoring.

I think because these things have existed for such a long time, and we don’t associate them with insider risks, then they’re either overlooked, they’ve degraded, they’re boring—they don’t attract investment in the same way that other things do.

The goal is to bank all of that stuff, get that foundation in place, and then supplement with some of the specialist tools that are available on the market—like Tessian—where you can say, “I’ve got confidence in some of these fundamentals, now I want to take that step and really understand my enterprise and what’s happening in and out of it in a much more sophisticated way.”

Tessian: There have been a number of incidents reported in the news where disgruntled employees are being targeted by cybercriminals to assist in malicious activities. Is this something that concerns you?

Ben: I used to think about this a lot in government, where the notion of a “blended attack”—particularly in the nation-state context—is very relevant.

There’s often a misconception that a hostile state actor says, “I’m going to launch a cyberattack on the UK,” or “I’m going to compromise ‘x’ system”—they have an objective, and often cyber or remote attacks are the cheapest way to achieve that objective. But in some cases, they won’t be. And a blended attack, where you use some kind of close-access technology that’s deployed by a compromised individual as a precursor to a remote attack, is a threat model that governments have to deal with.

And some of the techniques that governments can deploy against one another are absolutely crazy… the level of creativity and imagination at play… That is a very real risk in that context, and I think it’s inevitable that elements of it are going to find their way out into the commercial world.

The key consideration is: what is the cost/benefit equation that the actor is going to be relying on? And as soon as you start including vulnerable individuals, you do increase operational risks as an attacker. The ransomware groups wouldn’t care too much about that, but it’s about whether they get the pay-off they need for the level of effort they put in. And I guess, in many cases, they would.

If you just look, in more of a social context, about how teenagers and children can be blackmailed by people on the other side of the world, then there’s no reason why someone seeking monetary gain—through a ransomware attack or otherwise—wouldn’t do the same.

I haven’t seen any real evidence that it’s happening at any sort of scale, but I think having people in your organization—like we try and achieve at SAGE—who will report early… there’s a sort of “no consequence” reporting rule in SAGE and in many organizations, where we just want to know. I think that’s one of the most effective mitigations.

This Q&A was adapted from our RE: Human Layer Security podcast. You can hear the full interview here.
Human Layer Security
Legacy Secure Email Gateways Are No Match for the Cyber Threats of Tomorrow
By John Filitz
Thursday, November 25th, 2021
Email represents the greatest threat vector, responsible for 96% of cybersecurity breaches. And legacy email security solutions that rely on Secure Email Gateways (SEGs) and rule-based controls are simply not up to the task of mitigating increasingly advanced and evolving cyber threats.

In fact, between July 2020 and July 2021, Tessian detected 2 million malicious emails that bypassed SEGs. This declining security effectiveness is the principal reason why security leaders are starting to question whether standalone SEGs have a place in today’s cybersecurity stack.

Combined with growing alert fatigue, and an increasing level of redundancy as organizations adopt SaaS offerings like Microsoft 365 with SEG capabilities natively included, the calls for ripping and replacing SEGs are growing louder. Echoing this shift in the email security landscape, Gartner predicts that by 2023, 40% of organizations will be using a cloud email security solution like Tessian in place of a SEG.
Static vs. dynamic protection

The vast majority of organizations still rely on SEGs as the main method of filtering out malicious email-based attacks. SEGs were developed in 2004 and designed for the era of on-premises email servers; one of their several shortcomings is the reliance on an overly manual, rule-based approach driven by threat intelligence.

By using threat intelligence-derived deny lists, creating allow lists, or using signatures for message authentication, SEG-based email security controls are reactively geared to protect your company’s email and data — but only from known threats. The SEG-based approach offers no protection against zero-day attacks, which are a significant and growing threat vector — with zero-day discoveries up by 100% in 2021. SEG solutions also fall short against attackers that have invested resources and effort into advanced social engineering campaigns, which are able to circumvent static, rule-based controls. The attack types that SEGs most often fail to prevent include Business Email Compromise (BEC), Account Takeover (ATO) and advanced spear phishing attacks.
Email threats are on the rise

All it takes is one malicious email to bypass your existing security controls. And as Tessian research has demonstrated, malicious email bypassing SEGs and native tools is extremely common today. This is why Business Email Compromise (BEC) is seen as one of the leading threat vectors to organizations, resulting in $1.8 billion in losses in 2020.

Cybercrime is also steadily becoming more organized, with cybercriminals offering professionalized “Cybercrime-as-a-Service” offerings. Threat actors are able to bypass SEGs by leveraging intricate social engineering exploit kits procured on the dark web. They’ll even go so far as to recruit unsuspecting cybersecurity professionals to carry out attacks. Spear phishing and ATO are common methods for perpetrating cyber fraud, data exfiltration, or, even more worryingly, deploying ransomware.

The growing prominence of zero-day attacks and ransomware is of particular concern. International law enforcement agencies note remote workers are being targeted with phishing emails carrying malicious payloads, including ransomware. With the frequency of attacks doubling in the past year, ransomware attacks are now seen as the foremost threat faced by organizations.
Why organizations are ripping and replacing their SEGs

Only by shifting the focus from securing machines to securing the human layer will email-based threats be significantly mitigated. This is where best-in-breed email security solutions like Tessian come into play.

Relying on machine learning and behavioral intelligence, Tessian is able to detect and prevent anomalous and malicious inbound and outbound email traffic, including preventing data loss. Unlike SEGs, Tessian also offers protection across numerous collaboration platform entry points like Microsoft SharePoint, OneDrive and ShareFile.

Over 70% of enterprises are now hosted in one or more public clouds and use SaaS productivity suites such as Microsoft 365 or Google Suite, which include native SEG capabilities such as sender reputation and authentication, spam filtering and custom routing rules. This is yet another reason why standalone SEG solutions are redundant. If you combine these native capabilities with an intelligent inbound and outbound solution like Tessian, robust email security protection is guaranteed.

Some of the standout features offered by Tessian include advanced Attachment and URL Protection (behavioral analysis and threat intelligence), as well as a range of Impersonation Attack Defense capabilities, such as:

- Internal Impersonation & CEO Fraud
- Advanced Spoof Detection
- Counterparty & Vendor Impersonation
- Brand Impersonation
- External Account Takeover
- Invoice Fraud
- Credential Theft

Tessian also offers protection against data loss, whether malicious (enabled through a successful social engineering campaign) or accidental (for example, an employee sending sensitive company data to a personal email address). Other unique features include in-the-moment security awareness training for suspected phishing emails, as well as in-the-moment DLP pop-ups.
Tessian’s ability to address increasingly sophisticated inbound email security threats across expanding entry points is sufficient to place Tessian in the best-of-breed email security solution category. But when combined with its advanced DLP capability, it becomes undeniable that it’s time to rip and replace your SEG for the next generation of email security. And this is why Tessian was recognized as a representative vendor for Integrated Cloud Email Security in the 2021 Gartner Market Guide to Email Security.
Want to learn more about how and why security leaders are replacing their SEGs with Tessian? Check out our customer stories or book a demo.
Spear Phishing
How to Spot a Delivery Impersonation Attack
By Andrew Webb
Thursday, November 25th, 2021
Amazon, UPS, DHL, FedEx, USPS, Royal Mail – logistics delivery is a huge part of our lives. Amazon is said to ship 1.6m parcels a day and DHL delivers over 1.5 billion parcels per year. Of course, all these parcels make this sector a prime theatre for bad actors to operate in. Why? Think about the process for ordering a package. You enter card details, your email address, and other Personally Identifiable Information (PII) like your home address. And, as we all know, pretty much all of us use logistics delivery services at some point.

In fact, according to Tessian research, nearly half (47%) of people say they shopped online more in the last year than the year prior. It’s no wonder delivery impersonation attacks are among the most common types of cyberattacks targeting people today.

What’s more, delivery impersonation scammers are using increasingly complex and hard-to-spot tactics to carry out their attacks. This article will explain what a delivery impersonation attack is and provide helpful guidance on how you can help yourself and your organization avoid falling victim to this type of scam.
What is a delivery impersonation attack?

First things first: what is a delivery impersonation attack? A delivery impersonation attack is a type of phishing where the attacker impersonates a delivery company. The scam involves sending a fraudulent SMS or email to a consumer, telling them that they have missed a delivery. The message contains a link that, when followed, leads to a website operated by the scammers. When the target visits the fraudulent website, they are duped into revealing personal information, such as their login credentials, contact details, or payment information.
How common are delivery impersonation attacks?

It’s no exaggeration to say that delivery impersonation attacks are an endemic and widespread security threat. Delivery impersonation attacks occur year-round, but spike around the same periods each year, typically when consumers are making a lot of online orders—most notably around Black Friday.

In Q3 2020, Tessian detected a significant spike in fraudulent email activity in the run-up to Black Friday, as cybercriminals attempted to exploit the increase in online deliveries. More recent Tessian research reveals that around 20% of US consumers and 33% of UK consumers have received a delivery impersonation email or SMS so far in 2021.

This increase in delivery impersonation is part of a general surge in phishing that has occurred since the start of the pandemic. In October 2021, research from Ofcom revealed that 82% of UK adults received a suspicious text or email in the preceding three months. The situation has gotten so bad that the UK Government announced it was relaunching its Joint Fraud Taskforce in response.
Telltale signs of a delivery impersonation attack

Now we’ve explained what a delivery impersonation attack is, let’s consider what such an attack looks like.

As explained, a delivery impersonation message will always contain a link. The aim of the attack is to get you to click or tap the link and give up your personal information. Therefore, it’s crucial that you carefully inspect any link contained in a text or email to determine whether it is malicious.

Here’s an example:

The phishing link contained in this delivery impersonation message points to a site that is operated by scammers, rather than the delivery company Hermes. But how can you tell whether a URL is malicious?

Well, it’s not always obvious. While some URLs are blatantly fraudulent, fraudsters have come up with ingenious ways of creating links that really look right. Here are some examples of different URL impersonation techniques.
Root domain impersonation

The “root domain” is the part of the URL that appears before the “top-level domain”. So, in “www.amazon.com”, the root domain is “amazon”, and the top-level domain is “.com”. Amazon owns the root domain “amazon”, so fraudsters can’t simply set up their own phishing sites under that domain. But they can create domains that look like “amazon.com” to fool people into clicking their phishing links.

One common root domain impersonation tactic is to use numbers instead of letters. So, swap the “o” in “amazon” with a zero, and you have “amaz0n.com”. At first glance, an undiscerning target might mistake this for Amazon’s actual website. However, root domain impersonation is increasingly uncommon as this trick is relatively easy to spot. Also, major brands tend to buy up similar-looking domains to prevent cybercriminals from acquiring them.

Tessian research reveals that only 20% of top couriers have configured their website’s DMARC policies to the strictest settings. This means fraudsters can use tactics like email spoofing to convincingly imitate these sites via fraudulent emails.
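The DMARC point above is something you can check yourself for any sender you rely on. The following is an added example (not Tessian’s code, and not Tessian’s research data): it parses a DMARC TXT record of the kind published at `_dmarc.<domain>` and rates how strictly it tells receivers to treat spoofed mail. The four domains and their records are constructed samples; the tag names `v`, `p`, `sp` and `pct` are the standard DMARC tags.

```python
"""Rate how strictly a DMARC record protects a domain against spoofing.

Added example, not Tessian's code. The records below are constructed samples;
a real record is the TXT record published at _dmarc.<domain>.
"""

SAMPLE_RECORDS = {  # constructed sample domains and records
    "courier-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@courier-a.example",
    "courier-b.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "courier-c.example": "v=DMARC1; p=none; rua=mailto:reports@courier-c.example",
    "courier-d.example": "",  # nothing published at _dmarc.courier-d.example
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; return {} unless it is a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(record):
    """Return (rating, notes).

    'strict'        p=reject applied to all failing mail, subdomains included
    'partial'       a blocking policy exists but is weakened (quarantine, pct<100, sp=none)
    'monitor-only'  p=none: receivers only report, nothing is blocked
    'missing'       no usable record at all
    """
    tags = parse_dmarc(record)
    if not tags:
        return "missing", ["no DMARC1 record: receivers get no instruction to reject spoofed mail"]
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption: treat an unparsable pct as the default of 100
    if policy == "none":
        return "monitor-only", ["p=none: failures are only reported, never quarantined or rejected"]
    notes = []
    if policy != "reject":
        notes.append(f"p={policy}: failing mail is quarantined rather than rejected")
    if sub_policy != "reject":
        notes.append(f"sp={sub_policy}: subdomains (e.g. tracking.<domain>) get a weaker policy")
    if pct < 100:
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return ("strict", []) if not notes else ("partial", notes)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        rating, notes = assess_dmarc(record)
        print(f"{domain}: {rating}" + "".join(f"\n  - {n}" for n in notes))
```

Only `courier-a.example` comes out as strict; `courier-b.example` has a blocking policy on paper but three separate weakenings, which is the kind of configuration the statistic above is counting against.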
Subdomain impersonation

One highly persuasive impersonation technique is to include the impersonated company’s name in the subdomain of a URL operated by the cybercriminals. The subdomain is the part of a URL that appears before the root domain of a website. Here’s an example of a delivery impersonation attack message impersonating delivery company DPD:
The first part of this link is “dpd”, and so it may appear to lead to DPD’s website. However, the root domain—the website operated by the fraudsters—comes after “dpd”. It’s “track7k4”. So, if you receive a delivery message that looks real at first glance, take special care to check whether the root domain is as authentic-looking as the subdomain.

Top-level domain impersonation

Attackers can also impersonate the top-level domain of a URL to make it appear authentic. The top-level domain appears last in a URL. Common examples include “.com”, “.net”, and “.co.uk”. Here’s an example:
In this delivery impersonation message, the link points to a URL that might seem authentic at first glance. Visiting “postoffice.co.uk” would take you to the Post Office website. But this URL doesn’t actually lead to “postoffice.co.uk”—the top-level domain is “co.uk-tracking.info”, not “.co.uk”. Note that the words “uk” and “tracking.info” are separated by a hyphen rather than a forward-slash, meaning that both words are part of the top-level domain.

Protecting employees from delivery impersonation attacks

As noted, delivery impersonation attacks mainly target consumers. But they can be a problem for businesses too—particularly in the age of “bring-your-own-device” and remote working. So how can you protect your organization from delivery impersonation attacks?

Unfortunately, there is little you can do to stop employees from receiving delivery impersonation attacks via SMS. Android and iOS have some basic filtering and notification functions, but these often fall short and allow delivery impersonation attacks to reach people’s mobiles. Therefore, incorporating information about delivery impersonation attacks into your company’s security training program is essential.

When it comes to preventing delivery impersonation attacks via email, there is a viable solution. Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most subtle signs of email impersonation and phishing.

Here’s how it works: Tessian’s machine learning algorithms analyze your company’s email data, learning each employee’s usual communication patterns and mapping their trusted email relationships inside and outside of your organization. Tessian inspects both the content and metadata of inbound emails for signals suggesting email impersonation or other phishing attacks. Such signals might include suspicious payloads, geophysical locations, IP addresses, email clients, or sending patterns.
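The three URL tricks described above (look-alike root domain, brand name in a subdomain, and a hyphen gluing a real-looking top-level domain to the attacker’s domain) all come down to one question: which registrable domain will the browser actually visit? The following added example (not Tessian’s code, and not how Tessian Defender is implemented) answers that question for a link and names the trick it finds. `PUBLIC_SUFFIXES` is a tiny stand-in for the Public Suffix List, `KNOWN_BRANDS` is a constructed table of courier names and the domains assumed to be theirs, and the sample hosts `track7k4.example` and `co.uk-tracking.info` are built from the page’s examples.

```python
"""Classify a delivery-notification link by the domain the browser would really visit.

Added example, not Tessian's code. PUBLIC_SUFFIXES and KNOWN_BRANDS are small
constructed tables; a real checker would use the Public Suffix List and each
brand's verified domains.
"""
from urllib.parse import urlparse

# Stand-in for the Public Suffix List (assumption: only these suffixes exist).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk", "example"}

# Brand name -> the registrable domain assumed to belong to that brand (constructed).
KNOWN_BRANDS = {
    "amazon": "amazon.com",
    "dpd": "dpd.co.uk",
    "postoffice": "postoffice.co.uk",
}

# Digit-for-letter swaps seen in look-alike root domains ("amaz0n").
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def split_host(host):
    """Return (subdomain_labels, root_label, public_suffix) for a hostname."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):  # try the longer suffix first ("co.uk" before "uk")
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[:-n - 1], labels[-n - 1], ".".join(labels[-n:])
    return labels[:-1], labels[-1], ""


def classify_link(url):
    """Return (verdict, reason) for a URL found in a delivery message."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    sub, root, suffix = split_host(host)
    registrable = f"{root}.{suffix}" if suffix else root

    for brand, real_domain in KNOWN_BRANDS.items():
        if registrable == real_domain:
            return "legitimate", f"link really goes to {real_domain}"
        # Top-level domain impersonation: "postoffice.co.uk-tracking.info" glues the
        # genuine domain to the attacker's with a hyphen instead of a slash.
        if (real_domain + "-") in host:
            return "tld-impersonation", f"'{real_domain}' is only a prefix; registrable domain is {registrable}"
        # Subdomain impersonation: the brand name sits left of the attacker's root domain.
        if any(brand in label for label in sub):
            return "subdomain-impersonation", f"'{brand}' is a subdomain of {registrable}"
        # Root domain look-alike: digits standing in for letters in the root label.
        if root != brand and root.translate(DIGIT_SWAPS) == brand:
            return "lookalike-root", f"'{root}' mimics '{brand}' with digit substitution"
    return "unknown", f"registrable domain {registrable} matches no known courier"


if __name__ == "__main__":
    for link in ("https://www.amazon.com/orders", "http://amaz0n.com/login",
                 "http://dpd.track7k4.example/parcel", "http://postoffice.co.uk-tracking.info/",
                 "https://track.dpd.co.uk/", "https://newsletter.example/"):
        print(link, "->", classify_link(link))
```

The order of the checks matters: a link is only called legitimate when its registrable domain is exactly the brand’s, and the hyphen check runs before the subdomain check, because in `postoffice.co.uk-tracking.info` the word “postoffice” is technically a subdomain label as well.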
Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.   Click here to learn more about how Tessian Defender protects your team from email impersonation and other cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like phishing.  
DLP
The Ultimate Guide to Data Loss Prevention
By Andrew Webb
Wednesday, November 24th, 2021
What is DLP?

Decades of digital technology transformation have given employees amazing powers. But with that power also comes the ability to send millions of dollars in just a few clicks, or share an entire customer database in a single emailed file. Today, your people are often the gatekeepers to your company’s most sensitive systems, IP and data. Enter data loss prevention (DLP). Your DLP tools and strategy are critical to the safe running of your business. At its core, DLP aims to minimize the risk of confidential or business-critical data leaving an organization.
How much business-critical data do you handle?

Different people within your organization handle a variety of data types. Sales, for example, might have customer names and emails, whereas Finance would have staff payroll details. The product and dev team would probably have sensitive IP information, and roles like sales engineers and tech ops might handle your customers’ data. Regardless of the role though, it’s all information, it’s all valuable to you (and bad actors), and it can all be lost.

Take a moment to ask yourself if your business as a whole routinely handles any of the following:

- company IP
- credit card details
- medical records
- insurance details
- legal case notes
- sensitive financial data
- personally identifiable information (PII)

Chances are, if your business has customers or clients, you’re handling business-critical sensitive data.

Why email is your greatest DLP threat

Now let’s consider how data gets ‘lost’ in the first place… There are several ways, but nearly all of them come down to one thing: people make mistakes, either accidentally or on purpose.
Successful businesses are, by their very nature, porous. Information flows in and out at a near endless rate from staff, customers, prospects, suppliers, trade bodies, local authorities, and government. While recent tools like Slack and Teams have eaten into email’s dominance of internal communication, the main method for external communication remains email, and it is the primary way that most firms conduct business today. In fact, an Adobe Email Usage Study found that employees routinely spend 40% of their work time reading, writing and sending emails.

“Let’s stop pretending there are different jobs. There’s only one job and it’s emails.” — Kate Helen Downey (@katehelendowney) July 13, 2021

How big is your problem? How big is your firm? According to data from Tessian’s own platform, employees send nearly 400 emails a month. If your organization has 1000 employees, that’s 400,000 emails, or around 13,000 a day. And if you’re routinely handling and emailing sensitive data, each of those is a data breach waiting to happen. We don’t want to fearmonger (because Fear, Uncertainty, and Doubt (FUD) doesn’t fudging work…) but it’s clear email remains your number one threat vector.

The big challenge is that people make around 35,000 decisions every single day; that’s 35,000 chances to make a mistake. In the context of email, that means not always identifying phishing emails correctly, and sometimes attaching the wrong file. This is why, in 2021, an overwhelming 85% of data breaches involved human error.
Insider threats (and how to spot and stop them)

You can secure your perimeter against external attack, but what about the ones that come from ‘inside the house’? The fact is, people break the rules way more often than IT leaders think, both intentionally and accidentally.
Insider threats are an organization’s biggest hidden security problem. With attention directed externally, internal issues are typically under-resourced and under-addressed. What’s more, unlike bad actors or state sponsored hackers, your staff have legitimate access to systems and data. That means they’re in an ideal position to exfiltrate data. You can see why for some companies, it’s a difficult conversation to have.
Yet our State of Data Loss Prevention report found that 45% of all employees download, save, send, or otherwise exfiltrate work related documents before leaving or after being dismissed from a job.

So what can be done? Well firstly, you need to recognize what data exfiltration looks like. There are two distinct types of insider threats: malicious (those that set out to deliberately cause harm) and negligent (those that cause harm by accident).

Spotting malicious insider threats

So how do you recognize if you have malicious or negligent staff within your organization? Well, there are several telltale signs. Malicious actors, for example, might display declining performance or other signs of dissatisfaction. They might start logging in at unusual hours, have multiple failed logins, or other abnormal login activity.
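Two of the telltale signs above (logins at unusual hours and runs of failed logins) are easy to pull out of an authentication log once you decide what “unusual” means. The following added example (not Tessian’s code) does exactly that over constructed log lines of the form `<ISO timestamp> <user> <success|failure>`; the working-hours window, the failure threshold and the usernames are all assumptions for the demonstration.

```python
"""Flag two insider-threat signals in an authentication log: off-hours logins and
bursts of failed logins. Added example, not Tessian's code; the log lines are
constructed, in the form "<ISO timestamp> <user> <success|failure>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-11-01T09:02:11 alice success
2021-11-01T09:15:40 bob success
2021-11-02T08:58:03 alice success
2021-11-02T09:20:12 bob success
2021-11-03T09:05:50 alice success
2021-11-03T23:40:27 bob success
2021-11-04T02:41:09 alice success
2021-11-04T09:00:31 bob failure
2021-11-04T09:01:02 bob failure
2021-11-04T09:01:40 bob failure
2021-11-04T09:02:15 bob failure
2021-11-04T09:03:00 bob success
"""


def parse_log(text):
    """Turn the raw lines into (timestamp, user, result) tuples in time order, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)


def find_anomalies(events, work_start=7, work_end=20, max_failures=3, window=timedelta(minutes=10)):
    """Return a list of (user, signal, timestamp) findings.

    off-hours-login:    a successful login outside the [work_start, work_end) hour range (assumed 07:00-20:00)
    failed-login-burst: max_failures or more failures by one user inside `window`
    """
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures still inside the window
    for ts, user, result in events:
        if result == "success" and not (work_start <= ts.hour < work_end):
            findings.append((user, "off-hours-login", ts))
        if result == "failure":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures that have aged out of the window
                q.popleft()
            if len(q) >= max_failures:
                findings.append((user, "failed-login-burst", ts))
                q.clear()  # report the burst once, then start counting again
    return findings


def summarize(findings):
    """Count findings per user and signal, so a reviewer sees who to talk to rather than a raw log."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, signal, _ in findings:
        counts[user][signal] += 1
    return {user: dict(signals) for user, signals in counts.items()}


if __name__ == "__main__":
    for user, signal, ts in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {user:<6} {signal}")
    print(summarize(find_anomalies(parse_log(SAMPLE_LOG))))
```

A fixed working-hours window is the crude version of this check; the per-user baseline the article alludes to (learning when each person normally logs in) is the natural next step, and the same sliding-window structure works for it.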
Spotting negligent insider threats

Negligent staff, meanwhile, might repeatedly fall for phishing attacks, or fail to comply with basic security policies, such as by consistently misdirecting emails or forgetting to attach files. There could be several reasons for this, from burnout to boredom. Remember also that staff often have genuine reasons to send documents externally. Sending things like plane tickets, restaurant reservations, payslips, and other digital ‘pocket litter’ home isn’t going to cripple your business – but it will generate false positives in your SEG.
Stopping Insider Threats

What’s critical in stopping these events is real time oversight of when they happen. In the case of malicious intent, you need to know instantly when someone has attempted an exfiltration to prevent data loss. With negligent staff, on the other hand, it can help to have a build up of data over time to inform your actions.

The silver lining to this cloud is it isn’t all on you – it’s as much a people issue as a technology issue. As your organization’s cybersecurity leader, you need to work with your people team and other senior leaders on addressing this. Why? Because the costs of an insider threat breach are getting bigger.
The repercussions of a breach

Insider or external, a data breach can create significant fallout for your organization. First, there’s the financial cost. This isn’t a one-off fee – it can come in several forms. There’s the loss of revenue in the turbulence as customers churn or take their business elsewhere. Then, depending on your sector, there are the increasing regulatory fines and legal actions. In the EU, GDPR has meant these costs have skyrocketed. Fines are particularly large in sectors like financial services and healthcare.

There’s also the time and resources you’ll spend dealing with a breach, not only the loss incurred by your own staff who now have to deal with this, but any external expertise you have to bring in to help repair or restore systems. But like an end-of-level boss in a video game, by far the biggest and most expensive repercussion is the reputational damage your organization suffers – this can last years. When we asked security leaders what the biggest consequence of a breach is, here’s what they replied. See more at Why DLP Has Failed and What the Future Looks Like.

Every year, IBM publishes their Cost of a Data Breach report. You can get key findings from the 2021 version, as well as the report itself, below, but the key findings regarding breach costs are:

- Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report.
- There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single-year cost increase in the last seven years.
- The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million.
The problems with legacy DLP

Early DLP solutions from the ‘00s were designed to filter bulk spam. Then Internet Service Providers, Secure Email Gateways, and antivirus software added pattern and keyword recognition to identify potentially threatening emails. And today’s DLP solutions added rules and a host of other technical measures… but they’re just not up to the job anymore.
Watch now: DLP Has Failed The Enterprise. What Now?
- Blocking domains: Particular domains, often ‘freemail’, are blocked. But there are plenty of legitimate reasons to send and receive emails from people with ‘freemail’ domains. Many small businesses and freelancers use Gmail, for example.
- Blacklisting: Security teams create a list of non-authorized email addresses and simply block all emails sent or received. This requires constant updating and is very time/resource intensive. It’s also reactive; you only know an address is bad after it has been associated with unauthorized communications.
- Keywords: This method uses words and phrases to alert administrators to suspicious email activity. For example, IT and security teams can create rules to identify keywords like “social security numbers” or “bank account details”. But anyone trying to exfiltrate data can circumvent keyword tracking tools by sending the email and the attached data in an encrypted form.
- Tagging data: After classifying data, an organization may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network. The drawback here is that, again, this is time and resource intensive and relies on employees accurately identifying and tagging all sensitive data. Miss a tag, and data is misclassified or simply overlooked.

The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules, and humans often subvert, side step, or break the rules, even when they know they shouldn’t.
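To make the limits of those four rule types concrete, here is an added example (not Tessian’s code, and not a description of any real DLP product) that implements them as a minimal outbound scanner and runs it over four constructed messages. Every address, domain, tag and attachment is made up for the demonstration; a password-protected archive is modelled as an attachment whose text the scanner cannot read.

```python
"""A deliberately simple rule-based outbound email scanner of the kind the section
describes (freemail blocking, an address denylist, keyword rules, data tags), run
over constructed messages to show where each rule gives a false positive or a miss.
Added example, not Tessian's code; every address, domain and message is made up.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
DENYLIST = {"rival-corp.example"}
KEYWORD_RULES = [re.compile(p, re.IGNORECASE) for p in (
    r"social security number", r"bank account", r"\b\d{3}-\d{2}-\d{4}\b",
)]
SENSITIVE_TAGS = {"confidential", "pii"}


@dataclass
class Attachment:
    name: str
    text: Optional[str]  # None when the scanner cannot read it (e.g. password-protected archive)


@dataclass
class Message:
    sender: str
    recipients: List[str]
    body: str
    tags: Set[str] = field(default_factory=set)
    attachments: List[Attachment] = field(default_factory=list)


def scan(msg):
    """Return the names of the rules that fire; an empty list means the mail goes out untouched."""
    hits = []
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in msg.recipients}
    if domains & FREEMAIL_DOMAINS:
        hits.append("freemail-domain")
    if domains & DENYLIST:
        hits.append("denylisted-domain")
    # Keyword rules only see text the scanner can actually read.
    readable = [msg.body] + [a.text for a in msg.attachments if a.text is not None]
    if any(rule.search(text) for text in readable for rule in KEYWORD_RULES):
        hits.append("keyword")
    if msg.tags & SENSITIVE_TAGS:
        hits.append("sensitive-tag")
    return hits


# Constructed messages, one per failure mode of the rules above.
LEGIT_FREELANCER = Message(  # legitimate work with a freelancer on Gmail: false positive
    sender="marketing@acme.example", recipients=["designer.jo@gmail.com"],
    body="Hi Jo, logo v3 looks great, see comments attached.",
    attachments=[Attachment("logo-feedback.pdf", "Make the blue a little darker.")],
)
ENCRYPTED_EXFIL = Message(  # customer PII inside a password-protected zip: keyword rule is blind
    sender="analyst@acme.example", recipients=["me@some-private-mail.example"],
    body="backup for later",
    attachments=[Attachment("export.zip", None)],
)
UNTAGGED_PII = Message(  # staff data nobody tagged and no keyword matches: overlooked
    sender="hr@acme.example", recipients=["payroll@vendor.example"],
    body="Updated staff list attached.",
    attachments=[Attachment("staff.csv", "name,dob,home address\nA. Smith,1980-02-03,1 High St")],
)
BLATANT = Message(  # the easy case every rule was written for
    sender="sales@acme.example", recipients=["contact@rival-corp.example"],
    body="Here are the client bank account details you asked for.",
    tags={"confidential"},
)


if __name__ == "__main__":
    for name, msg in (("LEGIT_FREELANCER", LEGIT_FREELANCER), ("ENCRYPTED_EXFIL", ENCRYPTED_EXFIL),
                      ("UNTAGGED_PII", UNTAGGED_PII), ("BLATANT", BLATANT)):
        print(f"{name:<17} -> {scan(msg) or 'no rule fired'}")
```

The freelancer’s mail is quarantined while the encrypted export and the untagged staff list sail through: the rules only catch the one sender who used the exact words the administrator thought of and addressed a domain already on the list.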
How to bend, not break, the rules
- 51% of staff say security tools and software impede their productivity at work
- 54% of staff say that if security software or policies make it difficult or prevent them from doing their job, they’ll find a workaround
Read: Tessian’s State of Data Loss Protection Report
But workarounds aren’t the only problem with rules… Binary, rule-based DLP solutions offer blunt protection and limited visibility into complex human behavior and data movement. This leaves security leaders in the dark, trawling through logs of flagged and self-reported incidents after they’ve occurred. There’s also the problem of false positives: genuine, important emails are often buried in quarantine along with potentially harmful ones. And with most risks to data security actually coming from within an organization, security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network. The result is that legacy DLP has become far more expensive and complicated, and requires more and more administration and fire-fighting from InfoSec teams.
Is it time to re-think your DLP strategy?
It’s clear that traditional DLP can’t prevent all data loss. This is where Tessian comes in. Tessian’s Human Layer Security platform automatically detects accidental data loss, malicious exfiltration, and phishing attacks in real-time, before sensitive data leaves your environment. Crucially, it doesn’t stop your employees from doing what they do best – their actual jobs – yet still provides you with clear visibility of threats. Indeed, a recent Forrester Consulting report found that the security and risk leaders who have adopted Human Layer Security feel more prepared to face security and data loss incidents and to support a hybrid workforce than those who haven’t. They believe their email security posture is extremely effective at alerting the organization to potential attacks/threats from users’ risky behaviors or poor security decisions. Meanwhile, those who don’t take a Human Layer approach feel less control over business disruptions.
We’re seeing more and more industry pioneers explore this option, layering a tool like Tessian on top of Microsoft 365’s native tools. We take a deep dive into this new approach in our recent webinar ‘DLP Blindspots: Next Gen DLP’.
Ultimately, you know what stage of the journey your organization is on. But if you need further resources to comprehensively compare Tessian’s Human Layer Security alongside legacy DLP, Microsoft 365 DLP capabilities, legacy file encryption, and network and perimeter security, we’ve covered all that in forensic detail in this white paper. In it, you’ll learn the pros and cons of different email security solutions, and how they stack up against Human Layer Security. This will help you evaluate a solution that works for you, and that best protects sensitive data in your organization.
Read now: Human Layer Security vs. Legacy Email Security Solutions white paper
DLP and Microsoft 365
So what does a smart, fit-for-the-21st-century DLP solution look like? Well, many organizations are now retiring their SEGs in favor of a Microsoft 365 solution, with Tessian layered on top as an EDR. Over a million businesses worldwide use Microsoft 365, with 731,000 companies in the United States alone. Of course, being the most popular solution on the planet also makes it a target for bad actors. Although Microsoft 365 provides foundational rule-based data loss prevention (DLP) and data classification to address compliance requirements, it falls short when protecting against data loss caused by people. Tessian complements Microsoft 365 with a behavioral analytics layer and offers enhanced data protection by closing critical DLP use case gaps such as inadvertent or accidental data loss, sensitive data exfiltration to unauthorized or personal accounts, and insider risks.
More on Microsoft 365
How Tessian helps secure your Human Layer
We’ve come to the point where you’re considering how best to stop data loss in your organization. From working with our customers over the years, we’ve found that it’s best to think about it in the following three phases.
Research: You’ve already started the research phase simply by reading this page. Continue that process by auditing your estate, consulting team members, and identifying solutions. This is also the time to consult your network, join those webinars and read those whitepapers.
Rethink: Any change in your DLP strategy needs to be able to face not only current threats, but future developments in those threats and their impact too. Maybe now really is the time to upgrade that legacy SEG with Microsoft 365 and Tessian. Perhaps you want to stay with a rule-based DLP but are looking for something smarter? In which case Tessian Architect might be the right solution. Part of the re-thinking phase is also re-training. With the average human making 35,000 decisions every single day, we know that a morning of cybersecurity training every six months isn’t as effective as ‘in the moment’ training provided by Tessian. So now’s the time to rethink your training and awareness processes too.
Resource: This is where the rubber hits the road. You can’t do any of the above without the right resources – time, people and budget – but you’re not going to get those without first showing that you’ve done the previous two phases to arrive at a road map to securing your Human Layer.
Introducing Tessian Architect: The Industry’s Only Intelligent Data Loss Prevention Policy Engine
Read Blog Post
Interviews With CISOs
Q&A with Jerry Perullo, CISO at ICE
By Andrew Webb
Monday, November 22nd, 2021
Jerry Perullo has served as the CISO of Intercontinental Exchange, Inc. (NYSE: ICE) since 2001 and in that time has seen how security has moved from the ‘blame game’ to securing the human layer. In this interview, he explains how InfoSec teams can work together with employees, for a stronger security culture.   You’ve been the CISO at Intercontinental Exchange for over 20 years. How has the narrative changed on the “human factor” over that time?   Jerry: I’ve always worked closely with customers and peers, so I’ve gotten a lot of insight into the financial services landscape. It wasn’t top-of-mind in the early days—mainly because it was such a small company. It was a bit later that phishing became the number one threat vector. Because of that, the human element really came up.   Unfortunately though—as technology professionals are wont to do—the initial reaction was full-on victim-shaming. In traditional IT, there’s a lot of: “I can’t believe this person didn’t know how to plug their keyboard in,” or whatever it’s going to be. And in security, it was immediately: “I can’t believe this person clicked that…” or “…plugged in this USB,” or whatever it may have been.   And then a bit later, I think that a lot of people came around to realizing that the people they were shaming were generating their revenues and paychecks, at the end of the day, and so it wasn’t a good idea to just mock them.   So things really did start to pivot to more of an era of collaboration, and that was great. And we see some evidence of that in a lot of the training material now, which came to be more entertaining—the gamification, trying to get people involved.   And then lately I’ve seen some questioning of where that line needs to be. 
Some people saying, “If anything goes wrong, it’s never the person’s fault,” so to speak—it’s always on information security, and we should know that people are humans and that they should be permitted to click things if they are available to them, and it should be on cyber to get in the way of problems.    
Do you think security teams are taking the attitude of: “It’s not because users are stupid, it’s because they’re human, and humans are going to make mistakes”?   Jerry: Yes. I do see a lot of that. And in different environments—some environments don’t have the ability to impose many controls at all. So in those cases, they’re playing “clean up” all the time.   And there’s other organizations that do have the ability to impose some pretty heavy controls. And there, it is a little bit different. There, you do have individuals who have a little more time so they can work with individuals and hold them to a higher standard.  
Everything you do as a security team is having some impact on the employee. How do you consider the trade-off of better security versus impacting the productivity of the employee that you’re trying to secure?   Jerry: There has historically been this notion of an inverse relationship between security and user experience.    I think that controls that have that attribute—when you impose it, people’s lives get a little bit less fun, and the more that you do the less fun it is—are generally bad controls. They’re really the “control of last resort.”   There are other things that can actually be quite helpful, and enhance productivity, visibility and awareness.    To that end, any tools that really empower the user and give them the means to protect themselves—so for example, enriching emails and giving them the idea of the threat of it, rather than just blocking it, and giving them advice, informing them and allowing them to make those calls, or phish report buttons that a lot of products have been delivering, so they can make their own claims about what they think is good or bad.   And then giving a feedback loop on that, so they know whether they’re right or wrong, just for their education. But also, where they can gamify it a bit, and really be incentivized to spot security issues—I think that’s been really effective overall.   How has the shift to remote work impacted organizations’ security strategies and the way they’re thinking about protecting their people in 2021?   Jerry: Having a unified security strategy—I’ll be the first to admit that that’s not a given, and it’s not universally agreed what that even means. I’m fortunate that we have gone through the process of doing that, and putting pen to paper.    
For us, the strategy has really been about paying attention to the threat landscape, learning from our peers or others who may have had cybersecurity issues in the world, internalizing and seeing if those same issues could manifest, and—when we identify that they could—identifying the new controls that we need to adjust, making those adjustments, then repeating the whole cycle again.   That’s certainly not changed. So we’re going to look at what’s manifesting externally, and if that happens to lever the remote-work environment more, in the threat intelligence, then that would utilize the exact same strategy, but the operationalization of it would be a little bit different.   So strategy is unchanged—but the manifestation of it may.
I know you’ve done a lot of thinking about this concept of adversarial risk management. Could you please outline your thoughts on that? Jerry: Your controls that are good enough today will not be tomorrow. Because you have an adaptation of the problem. As computing professionals, we want to have an algorithmic solution to something like phishing. And in many ways, we have. We have a lot of platforms that are, for example, looking through attachments that are in email. And the ones that are either short-sighted or in a really unforgiving environment are trying to disassemble and sandbox attachments in real time—that sort of thing. The ones that are more effective are just blocking all attachments of certain natures. But as that technology has evolved, the adversarial side has turned to what I call “narrative phish.” So, instead of a link or an attachment, it’s: “Hey Bob, do you have a minute?” And there’s not an algorithmic solution to that one. I think you guys at Tessian are really fast on it. Because it’s great that the advances in machine learning have really matched that. Because that’s what you need it for, isn’t it? Real-time, behavioral, statistical monitoring. To figure out that no-one calls you “Bob,” that this customer doesn’t really care how you’re doing. That’s how deep you’re going to have to get to really be able to have an adversarial management approach. Listen to the full interview on our podcast, and follow us on Spotify and Apple Music.
Read Blog Post
Spear Phishing
What is Email Spoofing? How Does Email Spoofing Work?
Monday, November 22nd, 2021
Let’s start with a definition of email spoofing.
While email spoofing can have serious consequences, it’s not particularly difficult for a hacker to do. And, despite the fact that email filters and apps are getting better at detecting spoofed emails… they can still slip through. Keep reading to find out:
- What motivates someone to spoof an email address
- How email spoofing works
- How common email spoofing is
If you’re here to learn how to prevent email spoofing, check out this article instead: How to Prevent Email Spoofing.
Why do people spoof emails?
You might be wondering why someone would want to spoof another person’s or company’s email address in the first place. It’s simple: they want the recipient to believe that the email came from a trusted person. Most commonly it is used for activities such as:
- Spear phishing: A type of “social engineering” attack where the attacker impersonates a trusted person and targets a specific individual.
- Business Email Compromise (BEC): A phishing attack involving a spoofed, impersonated, or hacked corporate email address.
- CEO fraud: A BEC attack where the attacker impersonates a high-level company executive and targets an employee.
- Vendor Email Compromise (VEC): A BEC attack where the attacker impersonates a vendor or another business in a company’s supply chain.
- Spamming: Sending unsolicited commercial email to large numbers of people.
Now let’s look at the technical process behind email spoofing.
How email spoofing works
First, we need to distinguish between “email spoofing” and “domain impersonation.” Sometimes these two techniques get conflated. Here’s the difference:
- In an email spoofing attack, the sender’s email address looks identical to the genuine email address (jeff.bezos@amazon.com).
- In a domain impersonation attack, the fraudster uses an email address that is very similar to another email address (jeff.bezos@amaz0n.co).
When you receive an email, your email client (e.g. Outlook or Gmail) tells you who the email is supposedly from.
When you click “reply,” your client automatically fills in the “to” field in your return email. It’s all done automatically and behind the scenes. But this information is not as reliable as you might think. An email consists of several parts:
- Envelope: Tells the receiving server who sent the email and who will receive it. When you get an email, you don’t normally see the envelope.
- Header: Contains metadata about the email, including the sender’s name and email address, send date, subject, and “reply-to” address. You can see this part.
- Body: The content of the email itself.
Spoofing is so common because it’s surprisingly easy to forge the “from” elements of an email’s envelope and header, to make it seem like someone else has sent it. Obviously, we’re not going to provide instructions on how to spoof an email. But we can break down a spoofed email to help you understand how the process works. Let’s take a look at the email header:
First, look at the “Received From” header, highlighted in blue, which shows that the email came from the domain “cybercrime.org.” Now look at the parts highlighted in yellow — the “Return-Path,” “From,” and “Reply-To” headers — which all point to “Mickey Mouse,” or “m.mouse@disney.com”. These headers dictate what the recipient sees in their inbox, and they’ve all been forged. The standard email protocol (SMTP) has no default way of authenticating an email. There are authentication checks, but they depend on the domain owner protecting its domain. In this case, the spoofed email failed two important authentication processes (also highlighted in blue, above):
- SPF, short for Sender Policy Framework: Checks whether the sending server’s IP address is authorized for the domain specified in the envelope.
- DMARC, short for Domain-based Message Authentication, Reporting, and Conformance: Checks that the domain in the visible “From” header matches the domain that SPF or DKIM authenticated, and tells the receiving server what to do with mail that fails.
- DKIM, short for DomainKeys Identified Mail: Designed to make sure messages aren’t altered in transit between the sending and receiving servers.
As you can see, the DMARC, SPF, and DKIM results are all “none”. That means our spoofed email slipped right through. Here’s how the email looks in the recipient’s inbox:
The email above appears to have been sent by Mickey Mouse, using the email address m.mouse@disney.com. But we know from the header that it actually came from cybercrime.org. This demonstrates the importance of setting up DMARC policies. You can learn more about how to do that here. Note: Disney does have DMARC enabled. This is a hypothetical example! Want to find out which companies don’t have DMARC set up? Check out this website.
How common is spoofing?
Measuring the precise number of spoofed emails sent and received every day is impossible. But we can look at how many cybercrime incidents involving spoofing get reported each year. A good place to start is the U.S. Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3) annual report. In its latest report, the IC3 reported that throughout 2020:
- The IC3 received 28,218 complaints about spoofing (up from 25,789 in 2019).
- The losses associated with spoofing complaints totaled over $216.5 million.
Note that the IC3’s definition of “spoofing” includes incidents involving spoofed phone numbers. But we already know that 96% of phishing attacks start with email. There are many examples of harmful email spoofing campaigns, and the COVID-19 pandemic has made it easier than ever for cybercriminals to trick people into falling for these scams. For example, in October 2021, a threat actor was found to have spoofed email domains belonging to the Philippine government, targeting shipping, manufacturing, and energy companies with fraudulent emails about COVID-19. And in March 2021, a widespread email spoofing campaign targeting C-suite executives was uncovered. The attackers created spoofed spear phishing emails that evaded “Office 365’s native defenses and other email security defenses.” Now that you understand what email spoofing is and how serious a threat it can be, it’s time to read our article on how to prevent email spoofing.
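The header walk-through above can be turned into a check a mail team runs on incoming messages. The Python script below is an added example (not code from the original article or from Tessian): it parses the headers the article names (Received, Return-Path, From, Reply-To and the receiving server's Authentication-Results, per RFC 5322 and RFC 8601) and flags the two signals the article points at, a sending host outside the From domain and SPF/DKIM/DMARC verdicts that are not "pass". The two sample messages, their hosts and addresses are constructed for this example, modelled on the article's Mickey Mouse case.

```python
"""Spoofing-indicator check over a raw email (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the article's Mickey Mouse example: the
# visible sender is m.mouse@disney.com, but the message arrived from a
# cybercrime.org host and all three checks returned "none".
SPOOFED_RAW = """\
Return-Path: <m.mouse@disney.com>
Received: from mail.cybercrime.org (mail.cybercrime.org [203.0.113.10])
    by mx.example.net with ESMTP; Mon, 22 Nov 2021 10:00:00 +0000
Authentication-Results: mx.example.net; spf=none smtp.mailfrom=disney.com;
    dkim=none; dmarc=none header.from=disney.com
From: Mickey Mouse <m.mouse@disney.com>
Reply-To: Mickey Mouse <m.mouse@disney.com>

Hey Bob, do you have a minute?
"""

# Constructed contrast case: same visible sender, relayed by a host in the
# sender's own domain and authenticated by all three checks.
GENUINE_RAW = """\
Return-Path: <m.mouse@disney.com>
Received: from mail.disney.com (mail.disney.com [198.51.100.7])
    by mx.example.net with ESMTP; Mon, 22 Nov 2021 10:00:00 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=disney.com;
    dkim=pass header.d=disney.com; dmarc=pass header.from=disney.com
From: Mickey Mouse <m.mouse@disney.com>

Hey Bob, do you have a minute?
"""

AUTH_METHODS = ("spf", "dkim", "dmarc")


def address_domain(header_value):
    """Lower-cased domain of an address header such as From, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def same_org(domain, base):
    """True when domain equals base or is a subdomain of it."""
    if domain is None or base is None:
        return False
    return domain == base or domain.endswith("." + base)


def earliest_hop_domain(msg):
    """Host in the 'from' clause of the earliest Received hop we can see.

    Each relay prepends its own Received header, so the last one in the
    list is the hop nearest the sender.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", received[-1])
    return match.group(1).lower() if match else None


def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from Authentication-Results."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results") or []:
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def analyze(raw):
    """Return parsed fields plus a list of (code, detail) findings."""
    msg = message_from_string(raw)
    from_dom = address_domain(msg.get("From"))
    hop = earliest_hop_domain(msg)
    verdicts = auth_results(msg)
    findings = []
    # The relay host should belong to the domain the From header claims.
    if hop and not same_org(hop, from_dom):
        findings.append(("hop_mismatch", f"received from {hop}, From claims {from_dom}"))
    # Reply-To or Return-Path pointing elsewhere is a classic redirection sign.
    for hdr in ("Reply-To", "Return-Path"):
        dom = address_domain(msg.get(hdr))
        if dom and not same_org(dom, from_dom):
            findings.append(("header_mismatch", f"{hdr} domain {dom} != {from_dom}"))
    # "none" (no record / no signature / no policy) and "fail" both mean the
    # receiving server could not vouch for the From domain.
    for method in AUTH_METHODS:
        verdict = verdicts.get(method, "missing")
        if verdict != "pass":
            findings.append(("auth_" + method, verdict))
    return {"from_domain": from_dom, "hop_domain": hop, "verdicts": verdicts,
            "findings": findings, "suspicious": bool(findings)}
```

Running `analyze(SPOOFED_RAW)` reports the cybercrime.org hop plus three non-pass verdicts, while `analyze(GENUINE_RAW)` reports nothing; in production the Authentication-Results header must be the one written by your own mail gateway, since a forged copy can arrive with the message.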
Read Blog Post
DLP, Compliance
22 Biggest GDPR Fines of 2019, 2020, and 2021 (So Far)
Friday, November 19th, 2021
The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws. Under the GDPR, the EU’s data protection authorities can impose fines of up to €20 million (roughly $20,372,000), or 4 percent of worldwide turnover for the preceding financial year—whichever is higher. Since the GDPR took effect in May 2018, we’ve seen over 800 fines issued across the European Economic Area (EEA) and the U.K. GDPR fines have ramped up significantly in recent months. The sum total of GDPR fines levied in Q3 2021 hit nearly €1 billion—20 times greater than the totals for Q1 and Q2 2021 combined. Let’s take a look at the biggest GDPR fines of 2019, 2020, and 2021, explore what caused them, and consider how you can avoid being fined for similar violations. Looking for information about achieving and maintaining compliance? We explore solutions for reducing email risk (the #1 threat vector according to security leaders) on this page.
The biggest GDPR fines of 2019, 2020, and 2021 (so far)
1. Amazon — €746 million ($877 million)
Amazon’s gigantic GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than the previous record. The full reasons behind the fine haven’t yet been confirmed, but we know the cause has to do with cookie consent. And this isn’t the first time Amazon has been punished due to the way it collects and shares personal data via cookies. In late 2020, France fined Amazon €35 million after the tech giant allegedly failed to get cookie consent on its website.
How the fine could have been avoided: It’s tempting to force users to “agree” to cookies—or make opting out of cookies difficult—to collect as much personal data as possible. But regulators have shown some serious appetite for enforcing the EU’s cookie rules recently. If Amazon had obtained “freely given”, informed, and unambiguous opt-in consent before setting cookies on its users’ devices, the company probably could have avoided this huge GDPR fine.
2. WhatsApp — €225 million ($255 million)
Mere months after Amazon’s colossal GDPR fine knocked Google off the number one GDPR fine spot, WhatsApp pushed Google into third place with a penalty nearly five times as large as the search giant’s previous record. Ireland slammed WhatsApp with this €225 million GDPR penalty after claiming that the messaging service had failed to properly explain its data processing practices in its privacy notice. Ireland is not known for issuing large fines, despite being the European home of nearly every US-based big tech firm. And even this penalty arrived only after other EU data protection authorities used the “one-stop-shop” mechanism to argue that it should have been higher. So what did WhatsApp do wrong? It’s complicated, and the company is appealing the decision. But it boils down to WhatsApp’s alleged failure to explain its legal basis for certain data processing—“legitimate interests.”
How the fine could have been avoided: The Irish DPA said that WhatsApp’s somewhat opaque privacy notice was at fault here—the company should have provided privacy information in an easily accessible format using language its users could understand. If you’re relying on “legitimate interests,” you must make sure you explain what those interests are in respect of each relevant processing operation.
3. Google – €50 million ($56.6 million)
Google’s fine, levied in 2019 and finalized after an unsuccessful appeal in March 2020, was the largest on record until August 2021. The case related to how Google provided privacy notice to its users—and how the company requested their consent for personalized advertising and other types of data processing.
How the fine could have been avoided: Google should have provided more information to users in consent policies and granted them more control over how their personal data is processed.
4. H&M — €35 million ($41 million)
On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed at the time. H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. Senior H&M staff gained “a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment.
How the fine could have been avoided: H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose. H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment.
5. TIM – €27.8 million ($31.5 million)
On January 15, 2020, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that had accumulated over the last several years. TIM’s infractions include a variety of unlawful actions, most of which stem from an overly aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.
How the fine could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.
6. British Airways – €22 million ($26 million)
In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019. So, what happened back in 2018? British Airways’ systems were compromised. The breach affected 400,000 customers and hackers got their hands on log-in details, payment card information, and travelers’ names and addresses.
How the fine could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, it seems BA didn’t even have basics like multi-factor authentication in place at the time of the breach. Going forward, the airline should take a security-first approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.
7. Marriott – €20.4 million ($23.8 million)
While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened? 383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. Personal data like guests’ names, addresses, passport numbers, and payment card information was exposed. Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.
How the fine could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systems with a stronger data loss prevention (DLP) strategy and utilized de-identification methods.
8. Wind — €17 million ($20 million)
On July 13, the Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities. The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe. The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.
How the fine could have been avoided: Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could demonstrate that sending marketing materials was in its “legitimate interests.” For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date.
9. Vodafone Italia — €12.3 million ($14.5 million)
Vodafone Italia’s November 2020 fine was issued in relation to a vast range of alleged GDPR violations, including provisions within Articles 5, 6, 7, 16, 21, 25, 32, and 33. So what did Vodafone do that resulted in so many GDPR violations? The company’s data processing issues included failing to properly secure customer data, sharing personal data with third-party call centers, and processing without a legal basis—all brought to light after complaints about the company’s telemarketing campaign.
How the fine could have been avoided: Vodafone’s marketing operations may have triggered the Italian DPA’s investigation, but the company’s data management and security were the fundamental issues here. Vodafone might have avoided this large fine by conducting regular audits of its data and properly documenting all relationships with third-party data processors.
10. Notebooksbilliger.de — €10.4 million ($12.5 million)
German electronics retailer notebooksbilliger.de (NBB) received this significant GDPR fine on January 8, 2021. The penalty relates to how NBB used CCTV cameras to monitor its employees and customers. The CCTV system ran for two years, and NBB reportedly kept recordings for up to 60 days. NBB said it needed to record its staff and customers to prevent theft. The Lower Saxony DPA said the monitoring was an intrusion on its employees’ and customers’ privacy.
How the fine could have been avoided: NBB’s fine reflects strict attitudes towards CCTV monitoring in parts of Germany. The regulator said NBB’s CCTV program was not limited to a specific person or period. Using CCTV isn’t prohibited under the GDPR, but you must ensure it is a legitimate and proportionate response to a specific problem. The UK’s ICO has some guidance on using CCTV in a GDPR-compliant way.
11. Austrian Post — €9 million ($10.23 million)
Austria’s largest GDPR fine hit in September 2021, when Austrian Post received a €9 million sanction for allegedly failing to facilitate data subject rights requests properly. If a data subject hoped to access, delete, or rectify personal data held by Austrian Post, the company provided a variety of mediums by which to make a request, including a web form, mail, or phone number. The one means of communication that Austrian Post did not recognize, however, was email—and the Austrian DPA said that the mail carrier should have allowed data subjects to submit a rights request via any medium they preferred.
How the fine could have been avoided: Austrian Post (which is planning to appeal the fine) should have processed data subject rights requests however they arrived—forcing data subjects to use a particular communication method and excluding email is not an acceptable way to facilitate their rights.
12. Eni — €8.5 million ($10 million)
Eni Gas e Luce (Eni) is an Italian gas and oil company that was found to have made marketing phone calls without a proper legal basis. While telemarketing is covered by the ePrivacy Directive, this is another example of how any processing of personal data without a proper legal basis can lead to a GDPR fine.
How the fine could have been avoided: Eni should have ensured it had a proper legal basis for telemarketing before calling any of its customers or leads. In this case, the Italian DPA said that the proper lawful basis would have been consent.
13. Vodafone Spain — €8.15 million ($9.72 million)
Vodafone’s €8.15 million fine, issued by the Spanish DPA (the AEPD) on March 11, 2021, is actually made up of four fines for violating the GDPR and other Spanish laws covering telecommunications and cookies. The Vodafone fine stands as Spain’s biggest yet—in a year that has seen the AEPD issue several substantial GDPR penalties. The fine results from 191 separate complaints regarding Vodafone’s marketing activity. Vodafone was alleged not to have taken sufficient organizational measures to ensure it was processing people’s personal data lawfully.
How the fine could have been avoided: Vodafone’s complex series of legal violations all appear to have one thing in common: a lack of organization and control over personal data used for marketing purposes. Whenever you outsource any processing activity to a third party—for example, a marketing agency—you must ensure you have a clear legal basis for doing so. Keep clear records, maintain data processing agreements with contractors, and regularly audit your processing activities to ensure they are lawful.
14. Google – €7 million ($8.3 million)
From a GDPR enforcement perspective, 2020 was not a good year for Google. Along with the company losing its appeal against the French DPA in January, March saw the Swedish Data Protection Authority (SDPA) fine Google for neglecting to remove a pair of search result listings under Europe’s GDPR “right to be forgotten” rules.
How the fine could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.” You can find more information about how to comply with requests for erasure from the ICO here.
15. Caixabank — €6 million ($7.2 million)
This fine against financial services company Caixabank is the largest fine ever issued by the Spanish DPA (the AEPD). The AEPD finalized Caixabank’s penalty on January 13, 2021, breaking Spain’s previous record GDPR fine, against BBVA — issued just one month earlier. This suggests a significant toughening of approach from the Spanish DPA. The first issue, which accounts for €4 million of the total fine, related to how Caixabank established a “legal basis” for using consumers’ personal data under Article 6. Second, Caixabank was fined €2 million for violating the GDPR’s transparency requirements at Articles 13 and 14.
How the fine could have been avoided: The AEPD said Caixabank relied on the legal basis of “legitimate interests” without proper justification. Before you rely on “legitimate interests,” you must conduct and document a “legitimate interests assessment.” The company also failed to obtain consumers’ consent in a GDPR-compliant way. If you’re relying on “consent,” make sure it meets the GDPR’s strict “opt in” standards. The AEPD criticized Caixabank’s privacy policy as providing vague and inconsistent information about its data processing practices. Make sure you use clear language in your privacy notices and keep them consistent across websites and platforms.
16. BBVA (bank) — €5 million ($6 million)
This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020. BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month. Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions.
How the fine could have been avoided: The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages. The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and used its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy.
17. Fastweb — €4.5 million ($5.5 million)
Italy’s DPA (the Garante) fined telecoms company Fastweb €4.5 million on April 2, 2021 for engaging in unsolicited telephone marketing without consent. In particular, the Garante noted that Fastweb was using “fraudulent” telephone numbers that the company had not registered with Italy’s Register of Communication Operators.
How the fine could have been avoided: Fastweb’s fine derives from telemarketing rules that are set out in Italy’s implementation of the ePrivacy Directive, rather than the GDPR. However, the company still appears to have violated the GDPR by failing to obtain valid consent. It’s important to remember this interplay between the EU’s main privacy laws. The ePrivacy Directive requires you to obtain consent for certain activities, but the GDPR sets the standard of consent—and the standard is very high.
18. Eni Gas e Luce — €3 million ($3.6 million)
This fine is one of two imposed on the Italian gas and oil company Eni in December 2019. This is a complicated case involving the creation of new customer accounts—but it boils down to the failure of Eni to obey the GDPR’s principle of accuracy.
How the fine could have been avoided: Data protection is about more than just privacy—it also covers issues like records management. Eni should have ensured its customer records were kept accurate and up-to-date.
19. Capio St. Göran AB — €2.9 million ($3.4 million)
Capio St. Göran is a Swedish healthcare provider that received a GDPR fine following an audit of one of its hospitals by the Swedish DPA.
The audit revealed that the company had failed to carry out appropriate risk assessments and implement effective access controls. As a result, too many employees had access to sensitive personal data. How the fine could have been avoided: Conducting a data protection impact assessment (DPIA) is mandatory under the GDPR for controllers undertaking certain risky activities or handling large-scale sensitive data. Eni should have conducted such an assessment to determine which staff required access to medical records. Access to sensitive personal data should be restricted to those who strictly require it. 20. Iren Mercato — €2.85 million ($3.4 million) In June 2021, the Italian DPA fined energy company Iren Mercato for carrying out a telephone marketing campaign without obtaining proper consent. The phone calls were conducted by a third party marketing company acting as a data processor. How the fine could have been avoided: Many of the fines on our list relate to telemarketing and the failure to obtain GDPR-valid consent. Remember that even when using third-party services to conduct marketing campaigns, you could still be directly liable under the GDPR if you fail to establish a valid legal basis for processing personal data. 21. Foodinho — €2.6 million ($3 million) Groceries delivery service Foodinho received this substantial fine in June 2021, after the Italian DPA found the company had failed to obey the GDPR’s rules on “automated processing,” in this case the use of an algorithm to determine employees’ wages and workflow. The company was also found to have violated the GDPR’s principle of “lawfulness, fairness, and transparency” by failing to provide employees with adequate information. 
How the fine could have been avoided: Foodinho’s fine mainly relates to a relatively niche area of GDPR compliance—”solely automated processing with legal or similarly significant effects.”  In short, if you’re making purely AI-driven decisions about people that could impact on their finances, employment, or access to services, you must ensure you provide a human review of such decisions. 22. National Revenue Agency (Bulgaria) — €2.6 million ($3 million) This August 2019 fine against Bulgaria’s National Revenue Agency was issued after the organization suffered a data breach affecting 5 million people. The breached data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organizational measures to protect the personal data under its control. How the fine could have been avoided: The Bulgarian National Revenue should have conducted a thorough risk assessment of its processing operations and taken effective steps to safeguard personal data. While it’s not clear what caused this data breach, it’s worth noting that the FBI’s Internet Crime Control Center cites email as the number one threat vector in cybercrime.  By securing your company’s email systems, you’re cutting off one of your major vulnerabilities and significantly reducing the likelihood of a data breach.
What else can organizations be fined for under GDPR?

While the biggest fines involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur. In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But how do you prevent an accident? By focusing on people rather than systems and networks.

How does Tessian help organizations stay GDPR compliant?

Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email. Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). To learn more about how Tessian helps with GDPR compliance, you can check out this page, our customer stories or book a demo.
Spear Phishing
Ultimate Guide to Surviving Black Friday Phishing Attacks
By Andrew Webb
Thursday, November 18th, 2021
Ahh, Black Friday, ‘o-phish-ally’ the phishiest day of the year according to our 12-month analysis of over 4 billion emails. You can read more on our research below, and see why bad actors specifically use this day to launch the highest number of attacks of the year. We also have articles explaining why attackers impersonate delivery firms, how to spot retail scams, and seven tips to help you survive Black Friday.

With over 165 million people heading to stores or shopping online during the frenzy that follows Thanksgiving, retailers will be busier and more distracted than ever. And this makes them a prime target for cybercriminals. It’s no wonder 42% of CISOs miss Turkey Day… Read more below.

A recent survey also revealed that one in five (20%) U.S. consumers and 33% of U.K. consumers have already received a phishing scam from a hacker posing as a delivery service this year. With consumers spending billions online during the upcoming Black Friday and Cyber Monday, it’s highly likely that delivery-related phishing scams will surge – especially against the backdrop of the supply chain issues retailers are currently facing, which are causing delays and product shortages. Read more below.

With staff working hard to fulfill customers’ orders, they’re highly likely to be distracted, which is when bad actors like to strike. Read more on why they’re not only targeting consumers, but retail businesses themselves, in our ‘Tis the Season to be Phished report.

Cybercriminals follow the money, and at this time of year there’s LOTS of it flowing about. Read more on phishing in retail in this blog post.

New research shows that 30% of U.S. consumers received a phishing message around Black Friday 2020 by text or email. Do you know how to spot a scam? If your organization needs a reminder, download this infographic and circulate it to the team. It explains what a phishing email looks like, which organizations and retailers are most likely to be impersonated, and what to do if they’re targeted.

Find out how Tessian can help secure your Human Layer against threats not just on Black Friday, but every other day of the year too.
Tessian Culture
Tessian Named One of ‘Next Big Things in AI and Data’ by Fast Company
By Laura Brooks
Thursday, November 18th, 2021
We’ve been recognized in Fast Company’s inaugural Next Big Things in AI and Data list. The list honors technology breakthroughs that promise to shape the future of their industries, and includes global giants, intrepid startups, and research that is fresh from the labs. In all, our approach to Human Layer Security joins 64 other technologies, products, and services that will have a positive impact for consumers, businesses, and society at large in the next five years.

If you’ve read this blog or any of our reports, you’ll know our approach to cybersecurity is designed to protect people, not just machines and data. Why? Because 95% of today’s data breaches are caused by human error. Using machine learning to understand people’s communication patterns and behaviors online, Tessian automatically stops data breaches caused by employees on email and continuously drives people towards safer email behavior, thanks to in-the-moment training.

“It just takes one mistake, one carefully crafted phishing email, or one moment when an employee lets their guard down for company security to be compromised,” says Tim Sadler, CEO and co-founder of Tessian. “Those ‘Oh Sh*t!’ security moments cost people their jobs and businesses their reputations – but they can be stopped. Our technology empowers employees to make safe cybersecurity decisions in-the-moment and prevents mistakes before they turn into breaches. In today’s threat landscape, this people-first approach to security has never been more important and I’m so proud to be recognized by Fast Company for our work.”

“Fast Company is thrilled to highlight cutting-edge technologies that are solving real-world problems in unexpected ways. From climate change and public health crises to machine learning and security, these technologies will certainly have a profound impact on the future, and we’re honored to bring attention to them today,” says Stephanie Mehta, editor-in-chief of Fast Company.
You can see the full list here
Interviews With CISOs
Almost Half of Chief Information Security Officers (CISOs) Have Missed Thanksgiving Because of Work
By Andrew Webb
Thursday, November 18th, 2021
Being a CISO or Security Leader in today’s InfoSec world is not for the faint hearted. CISOs are some of the hardest working people in any company, regularly working extra hours and overtime to keep the company secure from threats. But this constant vigilance for threats can mean that CISOs miss out on everything from time with the family to getting enough down time to recharge.

We recently undertook research to see just how much time CISOs “lose” investigating potential breaches and threats, and the headline is: security leaders don’t work hard, play hard. They work hard…then work harder. In fact, 42% say they’ve missed out on a federal or national holiday like Thanksgiving or Christmas because of work. You can see the full details here. But here are some highlights.

CISOs’ hard work isn’t going unnoticed

While no one wants to miss out on family time, it’s not all bad news. 89% of CISOs we surveyed believe the work they do is appreciated by employees outside their team. Furthermore, 66% of employees say they understand the role of the CISO. That’s a ringing endorsement of how valuable and visible the relatively new role of CISO has become in just a few short years.

However, just because the rest of the organization knows who you are and what you do, doesn’t mean it’s plain sailing. As a result of their demanding roles, CISOs are struggling to keep up with developments that further strengthen the business like training, hiring talent, and staying on top of the latest threat intel. They’re also missing out on important personal and social things outside of work, like public holidays and family vacations. Most concerning is the fact that some CISOs are even putting their health at risk by skipping workouts or missing doctor’s appointments.

What are CISOs busy doing?

So where is all the time going? What is it that’s causing CISOs to lose, on average, 11 hours a week in overtime? According to Forrester’s research, organizations spend up to 600 hours per month resolving employee-related email security incidents. And a quarter of CISOs say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day investigating and remediating each threat caused by human error.

On top of this, 38% believe they’re spending too much time in meetings and reporting to the board, and 33% also feel as though they’re being drained of time because of other administrative tasks. Looking for more detail on the things that are taking up CISOs’ time? We’ve got you covered here, but it’s clear that investigating breaches and dealing with the fallout from them is a major drain on time, resources, and mental health.

What would you do if your schedule was cleared?

We asked CISOs what they would do if they were able to claw back those Lost Hours, and it turns out their three primary objectives are:

Spending time with family/friends
Further strengthening the business
Resting

Did you know that organizations with over 1,000 employees could save as many as 26,357 hours a year by automating security with Tessian? While Tessian’s Human Layer Security platform can help you automate your security, which would help you strengthen your email security defenses and save you time, we’d rather use this opportunity to share some mindfulness and productivity tips to help you switch off.

Share the load: While – yes – CISOs are the Head Honcho within IT and security teams, that doesn’t mean you have to do everything. Remember that delegation is validation, it’s okay to ask for help, and your best bet is to prioritize, then divide and conquer.

Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Likewise, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge.

Unplug (like, actually…): This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.

Ready to learn more?

Want to find out how your security teams and employees can reclaim their Lost Hours? Get in touch with the Tessian team today to learn how Human Layer Security can help stop “Oh Sh*t!” moments from clogging up your schedule.
DLP
Why Email Encryption Isn’t Enough: The Need for Intelligent Email Security
By Merlin Kafka
Tuesday, November 16th, 2021
Encryption of data, whether in transit or at rest, is seen as a cornerstone of data loss prevention best practice. But when it comes to the encryption of data sent via email, the efficacy of legacy approaches to email encryption is increasingly being called into question. This is largely due to the rigid and binary nature of legacy email encryption solutions.

Increasingly, email security solutions that rely on encryption to prevent data loss are unable to meet the demands for frictionless and time-sensitive communication. An even greater challenge, however, is the declining effectiveness of this approach to preventing data loss, especially in the face of increasingly sophisticated cyber adversaries and the growing prominence of insider threats.

The fundamental challenge of legacy email encryption solutions hinges on their inability to address the root cause of email-related breaches and data loss: human error. In this article, we’ll explore the pros and cons of encryption, and more effective alternatives.

What is encryption?

Encryption is a method of data protection that encodes data so that it can’t be accessed by unauthorized parties. File encryption solutions, in particular, often use AES-256 encryption to secure unstructured data, usually with a long list of policies and access rights that the end user must choose before sending an attachment through email. This has a negative impact on real-time communication and collaboration between organizations and their legitimate business partners.

Is encryption useful in specific cases?

The short answer? Yes.

When the first order of business is simply to secure a particular asset, like an email or the attachment in that email, encryption can provide immediate protection of that sensitive information. Depending on the solution, it can work at rest or in transit. It’s also a long-standing technology that’s widely used, especially when fulfilling particular compliance mandates. Finally, it tends to be inexpensive compared to other solutions, simply because it’s providing a very targeted and specific technology, as opposed to a more comprehensive data loss prevention solution.

However, we’ve learned from our customers, and from where the market is headed in terms of preventing sensitive data exfiltration, that more and more organizations are shifting away from encryption for a variety of reasons (more on this below). Industry experts also see the severe limitations of encryption in email security.

As Gartner® states in the 2021 Email Security Market Guide, “Although email encryption has been available for many years, the workflow is often very poor, meaning open rates of encrypted emails are historically low. Authenticating the recipient has always been the challenge, requiring users to create new accounts on messaging portals and leading to very poor open rates. With the widespread adoption of cloud email, authenticating users that are on the same platform (e.g. Microsoft 365) has simplified the process, but as soon as recipients are on different platforms, the issue remains.

A number of vendors focused on email data protection are looking to address this with simplified workflows and second-factor authentication. Secure messaging portals that store sensitive information separate from email is one solution, but that raises questions over data residency and where the keys are stored.”

Looking at Encryption? Consider these issues first…

Encryption can give a false sense of security

Back in 2011, Lockheed Martin’s servers were hacked. It was reported extensively in the press and was characterized as “significant and tenacious”. The press reported that hackers gained access using stolen SecurID tokens from the security company RSA. In other words, hackers simply gained access to the private keys so they could access Lockheed Martin’s servers. Encryption is only as strong as the solution used to secure the credentials to those encrypted assets.

Encryption does NOT solve for accidental data loss

Encryption itself doesn’t prevent sharing emails with the wrong parties or sending the wrong attachments. It also doesn’t solve the root cause of many data loss incidents — sending information to unauthorized or unintended recipients. The recipients of encrypted emails, including incorrect recipients, are free to decrypt encrypted emails by requesting a one-time password to view the information.

Encryption requires end users to set policies and access rights, which can be error-prone and disruptive

File encryption requires that the end user define the policies and access rights for every file they attach to their emails. This is often a huge list of options, including view only, block printing, block sending, time bombs, and many other policies. Naturally, users find this process cumbersome, as it hinders their ability to collaborate and communicate through email effectively.

Encryption doesn’t work for insider threats

Just as we saw in the Lockheed Martin example, the viability of encryption is often dependent on the security of the credentials used to access the encrypted assets. This is exactly what Edward Snowden did: he simply compromised the credentials of the admins who had access to the encrypted assets.

The bottom line

While security leaders have to consider the loopholes above, perhaps the most important aspect to consider with legacy encryption is its inability to engage the end user in any meaningful way. In other words, the context of the data and attachments in emails is never thoroughly examined, so it’s not addressing the root cause of data loss.

Instead, cumbersome solutions like encryption are used, which don’t account for unknown anomalies, or consider the friction and latency they produce when implemented. To prevent today’s email security incidents, your security controls must address the root cause of data loss — human behavior. This is why Gartner recommends adopting cloud native email security solutions that address data loss by leveraging context-aware machine learning (ML), able to detect threats and anomalies while at the same time educating the end user on email security best practice.

Tessian was included in the report as a Representative vendor. Here’s why:

Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite.
Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness.
Reduced admin overhead: Tessian removes the burden on SOC teams and admins by automating repetitive tasks such as triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements.
Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI.

Want to learn more about how Tessian compares to legacy solutions? This whitepaper provides an extensive comparison covering a variety of legacy security solutions, including encryption, Secure Email Gateways (SEGs), legacy Data Loss Prevention, Network and Perimeter Security, DMARC, and many others.
Human Layer Security, Spear Phishing, Interviews With CISOs
All Cybersecurity 2022 Trend Articles Are BS, Here’s Why
By Josh Yavor
Tuesday, November 16th, 2021
Ah, the holidays. As we roll up to the end of the year, one thing’s as certain as the office party and failed New Year’s resolutions – cybersecurity 2022 trend articles. And like festive holiday merch in stores, trends pieces seem to appear earlier and earlier each year.

Well, this year we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.

And on Twitter, the feeling is similar…

My prediction? The majority of 2022 cybersecurity predictions will again be “More of the same, packaged a bit differently” because that is how evolution works. It is only from an appreciable vantage point that one sees the scale of incremental change. 1/x
— Rik Fërgüson (@rik_ferguson) November 1, 2021

My 2022 Cybersecurity Predictions: pic.twitter.com/7r4AC328q2
— c🎃e (@caseyjohnellis) November 2, 2021

So while someone, somewhere might fall for a high profile deepfake attack or AI generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that. We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.

Infinity Trend One: People are (still) gonna fall for the same ol’ sh*t

Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Games, you can see why.

You're only as strong as your weakest link. Human error wins every time. Awareness training is key. #InfoSec pic.twitter.com/tPD9yBEse3
— Khalil (@sehnaoui) June 21, 2017

You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.

Infinity Trend Two: You’ll (still) have to explain why cybersecurity matters to the CEO

An important "soft skill" as you move up in leadership roles is brevity, the ability to not only be succinct but also flexible when presenting; knowing how to adjust your content on the fly. This is crucial when presenting to higher level business leaders. Practice this!
— Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec) October 28, 2021

Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.) Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey revealing that chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs overall — 63% of organizations — don’t get the kind of support they need from their CEO. If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here are the only three metrics they care about.

Infinity Trend Three: Attacks will (still) come after lunch or at the end of the day (on a Tuesday)

Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious, and slipped past secure email gateways (SEGs). Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.

Interestingly, Tuesday – not Friday – was the day employees sent and received the most emails, and that’s also the preferred time for spear phishing. One particular Friday does rank the highest of all, however: Black Friday. So if you’re reading this… incoming! It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions?

Infinity Trend Four: Your biggest risks will (still) come from ‘inside the house’

The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over 1,000 security professionals found that 61% think an employee will cause their next data breach.

Infinity Trend Five: Hiring a diverse team will (still) be one of your biggest priorities… and challenges

Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation. Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it CEO), and you can see why it can be hard to foster a solid security culture. InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.

So despite a decade passing, the problems most InfoSec and SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated – from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.

So our number one cybersecurity ‘trend’ for 2022? Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?

Until then, Happy Holidays!