What is DLP? Decades of digital technology transformation have given employees amazing powers. But with that power also comes the ability to send millions of dollars in just a few clicks, or share an entire customer database in a single emailed file. Today, your people are often the gatekeepers to your company’s most sensitive systems IP and data. Enter data loss prevention (DLP).  Your DLP tools and strategy are critical to the safe running of your business. At its core, DLP aims to minimize the risk of confidential or business-critical data leaving an organization.

How much business-critical data do you handle? Different people within your organization handle a variety of data types. Sales for example might have customer names and emails, whereas Finance would have staff payroll details. The product and dev team would probably have sensitive IP information, and roles like sales engineers and tech ops might handle your customers’ data. Regardless of the role though, it’s all information, it’s all valuable to you (and bad actors), and it can all be lost.    Take a moment to ask yourself if your business as a whole routinely handles any of the following: company IP credit card details medical records insurance details legal case notes sensitive financial data personally identifiable information (PII).  Chances are, if your business has customers or clients, you’re handling business-critical sensitive data.    Why email is your greatest DLP threat  Now let’s consider how data gets ‘lost’ in the first place… There are several ways, but nearly all of them come down to one thing: people make mistakes, either accidentally or on purpose.

Successful businesses are, by their very nature, porous. Information flows in and out at a near endless rate from staff, customers, prospects, suppliers, trade bodies, local authorities, and government.  While recent tools like Slack and Teams have eaten email’s dominance of internal communication, the main method for external communication remains email, and it is the primary way that most firms conduct business today.  In fact, an Adobe Email Usage Study found that employees routinely spend 40% of their work time reading, writing and sending emails.   Let’s stop pretending there are different jobs. There’s only one job and it’s emails. — Kate Helen Downey (@katehelendowney) July 13, 2021   How big is your problem? How big is your firm? According to data from Tessian’s own platform, employees send nearly 400 emails a month. If your organization has 1000 employees, that’s 400,000 emails, or around 13,000 a day. And if you’re routinely handling and emailing sensitive data, each of those is a data breach waiting to happen.. We don’t want to fearmonger (because Fear, Uncertainty, and Doubt (FUD) doesn’t fudging work…) but it’s clear email remains your number one threat vector.  The big challenge is that people make around 35,000 decisions every single day; that’s 35,000 chances to make a mistake..In the context of email, that means not always identifying phishing emails correctly, and sometimes attaching the wrong file. This is why, in 2021, an overwhelming 85% of data breaches involved human error.  

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Find more statistics at Statista  

Insider threats (and how to spot and stop them) You can secure your perimeter against external attack, but what about the ones that come from ‘inside the house’? The fact is, people break the rules way more often than IT leaders think, both intentionally and accidentally.

Insider threats are an organization’s biggest hidden security problem. With attention directed externally, internal issues are typically under-resourced and under-addressed. What’s more, unlike bad actors or state sponsored hackers, your staff have legitimate access to systems and data. That means they’re in an ideal position to exfiltrate data. You can see why for some companies, it’s a difficult conversation to have.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Yet our State of Data Loss Prevention report found that 45% of all employees download, save, send, or otherwise exfiltrate work related documents before leaving or after being dismissed from a job.  So what can be done? Well firstly, you need to recognize what data exfiltration looks like.  There are two distinct types of insider threats, malicious (those that set out to deliberately cause harm) and negligent (those that cause harm by accident).   Spotting malicious insider threats So how do you recognize if you have malicious or negligent staff within your organization? Well, there are several telltale signs. Malicious actors, for example, might display declining performance or other signs of dissatisfaction. They might start logging in at unusual hours, have multiple failed logins, or other abnormal login activity.

Spotting negligent insider threats Negligent staff meanwhile might repeatedly fall for phishing attacks, or fail to comply with basic security policies such as consistently misdirecting emails, or miss attaching files. There could be several reasons for this, from burnout, to boredom.  Remember also, that staff often have genuine reasons to send documents externally. Sending things like plane tickets, restaurant reservations, payslips, and other digital ‘pocket litter’ home isn’t going to cripple your business – but it will generate false positives in your SEG.

Stopping Insider Threats  What’s critical in stopping these events is real time oversight of when they happen. In the case of malicious intent, you need to know instantly when someone has attempted an exfiltration to prevent data loss.With negligent staff, on the other hand, it can help to have a build up of data over time to inform your actions.  Exfiltration types and methods What is Data Exfiltration? Tips for Preventing Data Exfiltration Webinar: How to Reduce Data data Exfiltration by 84% Within 30 Days How to Keep Your Data Safe in The Great Resignation Solutions Brief: Detect Insider Threats with Human Layer Security The silver lining to this cloud is it isn’t all on you – it’s as much a people issue as a technology issue. As your organization’s cybersecurity leader, you need to work with your people team and other senior leaders on addressing this. Why? Because the costs of an insider threat breach are getting bigger.

The repercussions of a breach Insider or external, a data breach can create significant fallout for your organization. First, there’s the financial cost. This isn’t a one-off fee – it can come in several forms. There’s the loss of revenue in the turbulence as customers churn or take their business elsewhere. Then, depending on your sector, there’s the increasing regulatory fines and legal actions. In the EU, GDPR has meant these costs have skyrocketed. Fines are particularly large in sectors like financial services and healthcare.    There’s also the time and resources you’ll spend dealing with a breach, not only the loss incurred by your own staff who have to now deal with this, but any external expertise you have to bring in to help repair or restore systems. But like an end-of-level boss in a video game, by far the biggest and most expensive repercussion is the reputational damage your organization suffers – this can last years.  When we asked security leaders what the biggest consequence of a breach is, here’s what they replied. See more at Why DLP Has Failed and What the Future Looks Like. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Every year, IBM publishes their Cost of a Data Breach report. You can get key findings from the 2021 version, as well as the report itself below, but the key findings regarding breach costs are: Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report  There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single year cost increase in the last seven years. The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million

The problems with legacy DLP Early DLP solutions from the ‘00s were designed to filter bulk spam. Then Internet Service Providers, Secure Email Gateways, and antivirus software added pattern and keyword recognition to identify potentially threatening emails. And today’s DLP solutions added rules and a host of other technical measures… but they’re just not up to the job anymore.

Watch now: DLP Has Failed The Enterprise. What Now?

Blocking domains: Particular domains, often ‘freemail’, are blocked. But there are plenty of legitimate reasons to send and receive emails from people with ‘freemail’ domains. Many small businesses and freelancers use Gmail, for example.  Blacklisting: Security teams create a list of non-authorized email addresses and simply block all emails sent or received. This requires constant updating and is very time/resource intensive. It’s also reactive; you only know an address is bad after they’ve been known to be associated with unauthorized communications. Keywords: This method uses words and phrases to alert administrators of suspicious email activity. For example, IT and security teams can create rules to identify keywords like “social security numbers” or “bank account details”. But anyone trying to exfiltrate data can circumvent keyword tracking tools by sending the email and the attached data in an encrypted form. Tagging Data: After classifying data, an organization may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network. The drawback here is that, again, this is time and resource intensive and relies on employees accurately identifying and tagging all sensitive data. Miss a tag, and data is misclassified or simply overlooked The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules, and human’s often subvert, side step, or break the rules, even when they know they shouldn’t.

How to bend not break the rules -51% of staff say security tools and software impede their productivity at work -54% of staff say that if security software or policies make it difficult or prevent them from doing their job, they’ll find a workaround Read: Tessian’s State of Data Loss Protection Report But workarounds aren’t the only problem with rules… Binary, rule-based DLP solutions offer blunt protection and limited visibility into complex human behavior and data movement. This leaves security leaders in the dark, trawling through logs of flagged and self-reported incidents after they’ve occurred.  There’s also the problem of false positives, and genuine, important emails are often buried in quarantine along with potentially harmful ones.  And with most risks to data security actually coming from within an organization, security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network.  The result is that legacy DLP has gotten way more expensive, complicated, and requires more and more administration and fire-fighting from InfoSec teams. 

Is it time to re-think your DLP strategy? It’s clear that traditional DLP can’t prevent all data loss.  This is where Tessian comes in.  Tessian’s Human Layer Security platform automatically detects accidental data loss, malicious exfiltration, and phishing attacks in real-time, before sensitive data leaves your environment. Crucially, it doesn’t stop your employees from doing what they do best – their actual jobs, yet still provides you with clear visibility of threats. Indeed, a recent Forrester Consulting report found that the security and risk leaders who have adopted Human Layer Security feel more prepared to face security and data loss incidents and to face a hybrid workforce than those who haven’t. They believe their email security posture is extremely effective at alerting the organization to potential attacks/threats from users’ risky behaviors or poor security decisions. Meanwhile, those who don’t take a Human Layer approach feel less control over business disruptions.”

We’re seeing more and more industry pioneers explore this option, layering a tool like Tessian on top of Microsoft 356’s native tools. We take a deep dive into this new approach in our recent webinar ‘DLP Blindspots: Next Gen DLP’.

Ultimately, you know what stage of the journey your organization is on. But if you need further resources to comprehensively compare Tessian’s Human Layer Security alongside legacy DLP, Microsoft 365 DLP capabilities, legacy file encryption, and network and Perimeter Security, we’ve covered all that in forensic detail in this white paper. In it, you’ll learn the pros and cons of different email security solutions, and how they stack up against Human Layer Security. This will help you evaluate a solution that works for you, and that best protects sensitive data in your organization. Read now: Human Layer Security vs. Legacy Email Security Solutions white paper

DLP and Microsoft 365 So what does a smart, fit-for-the-21century DLP solution look like? Well, many organizations are now retiring their SEGs in favor of a Microsoft 365 solution, with Tessian layered on top as an EDR.  Over a million businesses worldwide use Microsoft 365, with 731,000 companies in the United States alone. Of course, because it’s the most popular solution on the planet, it also makes it a target for bad actors.  Although Microsoft 365 provides foundational rule-based data loss prevention (DLP) and data classification to address compliance requirements, it falls short when protecting against data loss caused by people.  Tessian complements Microsoft 365 with a behavioral analytics layer and offers enhanced data protection by closing critical DLP use case gaps such as inadvertent or accidental data loss, sensitive data exfiltration to unauthorized or personal accounts, and insider risks.

More on Microsoft 365 !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

How Tessian helps secure your Human Layer We’ve come to the point where you’re considering how best to stop DLP in your organization. From working with our customers over the years, we’ve found that it’s best to think the following three ways  Research You’ve already started the research phase – simply be reading this page. Continue that process by auditing your estate, consulting team members, and identifying solutions. This is also the time to consult your network, join those webinars and read those whitepapers.  Rethink Any change in your DLP strategy needs to be able to face not only current threats, but future developments in those threats and their impact too. Maybe now really is the time to upgrade that legacy SEG with Microsoft 365 and Tessian. Perhaps you want to stay with a rule based DLP but are looking for something smarter? In which case Tessian Architect might be the right solution.  Part of the re-thinking phase is also re-training. With the average human makes 35,000 decisions every single day, we know that a morning of cybersecurity training every six months isn’t as effective as ‘in the moment’ training provided by Tessian. So now’s the time to rethink your training and awareness processes too. Resource  This is where the rubber hits the road, you can’t do anything of the above without the right resources – time, people and budget – but you’re not going to get those without first showing that you’ve done the previous two phases to arrive at a road map to securing your Human Layer. Introducing Tessian Architect: The Industry’s Only Intelligent Data Loss Prevention Policy Engine

The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws.  Under the GDPR, the EU’s data protection authorities can impose fines of up to up to €20 million (roughly $20,372,000), or 4 percent of worldwide turnover for the preceding financial year—whichever is higher. Since the GDPR took effect in May 2018, we’ve seen over 800 fines issued across the European Economic Area (EEA) and the U.K. GDPR fines have ramped up significantly in recent months. The sum total of GDPR fines levied in Q3 2021 hit nearly €1 billion—20 times greater than the totals for Q1 and Q2 2021 combined. Let’s take a look at the biggest GDPR fines of 2019, 2020, 2021, explore what caused them, and consider how you can avoid being fined for similar violations. Looking for information about achieving and maintaining compliance? We explore solutions for reducing email risk (the #1 threat vector according to security leaders) on this page.

The biggest GDPR fines of 2019, 2020, and 2021 (so far) 1. Amazon — €746 million ($877 million) Amazon’s gigantic GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than the previous record. The full reasons behind the fine haven’t yet been confirmed, but we know the cause has to do with cookie consent. And this isn’t the first time Amazon has been punished due to the way it collects and shares personal data via cookies. In late 2020, France fined Amazon €35 million after the tech giant allegedly failed to get cookie consent on its website. How the fine could have been avoided: It’s tempting to force users to “agree” to cookies—or make opting out of cookies difficult—to collect as much personal data as possible. But regulators have shown some serious appetite for enforcing the EU’s cookie rules recently. If Amazon had obtained “freely given”, informed, and unambiguous opt-in consent before setting cookies on its users’ devices, the company probably could have avoided this huge GDPR fine. 2. WhatsApp — €225 million ($255 million) Mere months after Amazon’s colossal GDPR fine knocked Google off the number one GDPR fine spot, WhatsApp pushed Google into third place with a penalty nearly five times as large as the search giant’s previous record. Ireland slammed WhatsApp with this €225 million GDPR penalty after claiming that the messaging service had failed to properly explain its data processing practices in its privacy notice. Ireland is not known for issuing large fines, despite being the European home of nearly every US-based big tech firm. And even this penalty arrived only after other EU data protection authorities used the “one-stop-shop” mechanism to argue that it should have been higher. So what did WhatsApp do wrong? It’s complicated, and the company is appealing the decision. But it boils down to WhatsApp’s alleged failure to explain its legal basis for certain data processing—“legitimate interests.” How the fine could have been avoided: The Irish DPA said that WhatsApp’s somewhat opaque privacy notice was at fault here—the company should have provided privacy information in an easily accessible format using language its users could understand. If you’re relying on “legitimate interests,” you must make sure you explain what those interests are in respect of each relevant processing operation. 3. Google – €50 million ($56.6 million)  Google’s fine, levied in 2019 and finalized after an unsuccessful appeal in March 2020, was the largest on record until August 2021.  The case related to how Google provided privacy notice to its users—and how the company requested their consent for personalized advertising and other types of data processing. How the fine could have been avoided: Google should have provided more information to users in consent policies and granted them more control over how their personal data is processed. 4. H&M — €35 million ($41 million) On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed at the time. H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment. How the fine could have been avoided: H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose. H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment. 5. TIM – €27.8 million ($31.5 million) On January 15, 2020, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years.  TIM’s infractions include a variety of unlawful actions, most of which stem from an overly aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.   How the fine could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities. 6. British Airways – €22 million ($26 million) In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019.   So, what happened back in 2018? British Airway’s systems were compromised. The breach affected 400,000 customers and hackers got their hands on log-in details, payment card information, and travelers’ names and addresses.   How the fine could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, it seems BA didn’t even have basics like multi-factor authentication in place at the time of the breach.  Going forward, the airline should take a security-first approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place. 7. Marriott – €20.4 million ($23.8 million) While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened?  383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. Personal data like guests’ names, addresses, passport numbers, and payment card information was exposed.  Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018. How the fine could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systemswith a stronger data loss prevention (DLP) strategy and utilized de-identification methods.  8. Wind — €17 million ($20 million) On July 13, Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities. The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe. The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.  How the fine could have been avoided: Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could  demonstrate that sending marketing materials was in its “legitimate interests.” For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date. 9. Vodafone Italia — €12.3 million ($14.5 million) Vodafone Italia’s November 2020 fine was issued in relation to a vast range of alleged GDPR violations, including provisions within Articles 5, 6, 7, 16, 21, 25, 32, and 33. So what did Vodafone do that resulted in so many GDPR violations?  The company’s data processing issues included failing to properly secure customer data, sharing personal data with third-party call centers, and processing without a legal basis—all brought to light after complaints about the company’s telemarketing campaign. How the fine could have been avoided: Vodafone’s marketing operations may have triggered the Italian DPA’s investigation, but the company’s data management and security were the fundamental issues here. Vodafone might have avoided this large fine by conducting regular audits of its data and properly documenting all relationships with third-party data processors. 10. Notebooksbilliger.de — €10.4 million ($12.5 million) German electronics retailer notebooksbilliger.de (NBB) received this significant GDPR fine on January 8, 2021. The penalty relates to how NBB used CCTV cameras to monitor its employees and customers. The CCTV system ran for two years, and NBB reportedly kept recordings for up to 60 days. NBB said it needed to record its staff and customers to prevent theft. The Lower Saxony DPA said the monitoring was an intrusion on its employees’ and customers’ privacy. How the fine could have been avoided: The NBB’s fine reflects strict attitudes towards CCTV monitoring in parts of Germany. The regulator said NBB’s CCTV program was not limited to a specific person or period. Using CCTV isn’t prohibited under the GDPR, but you must ensure it is a legitimate and proportionate response to a specific problem. The UK’s ICO has some guidance on using CCTV in a GDPR-compliant way. 11. Austrian Post — €9 million ($10.23 million) Austria’s largest GDPR fine hit in September 2021, when Austrian Post received a €9 million sanction for allegedly failing to facilitate data subject rights requests properly. If a data subject hoped to access, delete, or rectify personal data held by the Austrian Post, the company provided a variety of mediums by which to make a request, including a web form, mail, or phone number. The one means of communication that Austria Post did not recognize, however, was email—and the Austrian DPA said that the mail carrier should have allowed data subjects to submit a rights request via any medium they preferred. How the fine could have been avoided: Austrian Post (which is planning to appeal the fine) should have processed data subject rights requests however they arrived—forcing data subjects to use a particular communication method and excluding email is not an acceptable way to facilitate their rights. 12. Eni — €8.5 million ($10 million) Eni Gas e Luce (Eni) is an Italian gas and oil company that was found to have made marketing phone calls without a proper legal basis. While telemarketing is covered by the ePrivacy Directive, this is another example of how any processing of personal data without a proper legal basis can lead to a GDPR fine. How the fine could have been avoided: Eni should have ensured it had a proper legal basis for telemarketing before calling any of its customers or leads. In this case, the Italian DPA said that the proper lawful basis would have been consent. 13. Vodafone Spain — €8.15 million ($9.72 million) Vodafone’s €8.15 million fine, issued by the Spanish DPA (the AEPD) on March 11, 2021, is actually made up of four fines for violating the GDPR and other Spanish laws covering telecommunications and cookies. The Vodafone fine stands as Spain’s biggest yet—in a year that has seen the AEPD issue several substantial GDPR penalties. The fine results from 191 separate complaints regarding Vodafone’s marketing activity. Vodafone was alleged not to have taken sufficient organizational measures to ensure it was processing people’s personal data lawfully. How the fine could have been avoided: Vodafone’s complex series of legal violations all appear to have one thing in common: a lack of organization and control over personal data used for marketing purposes. Whenever you outsource any processing activity to a third party—for example, a marketing agency—you must ensure you have a clear legal basis for doing so.  Keep clear records, maintain data processing agreements with contractors, and regularly audit your processing activities to ensure they are lawful. 14. Google – €7 million ($8.3 million) From a GDPR enforcement perspective, 2020 was not a good year for Google.  Along with the company losing its appeal against French DPA in January, March saw the Swedish Data Protection Authority of Sweden (SDPA) fining Google for neglecting to remove a pair of search result listings under Europe’s GDPR “right to be forgotten” rules.  How the fine could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”  You can find more information about how to comply with requests for erasure from the ICO here.  15. Caixabank — €6 million ($7.2 million) This fine against financial services company Caixabank is the largest fine ever issued by the Spanish DPA (the AEPD).  The AEPD finalized Caixabank’s penalty on January 13, 2021, breaking Spain’s previous record GDPR fine, against BBVA — issued just one month earlier. This suggests a significant toughening of approach from the Spanish DPA. The first issue, which accounts for €4 million of the total fine, related to how Caixabank established a “legal basis” for using consumers’ personal data under Article 6. Second, Caixabank was fined €2 million for violating the GDPR’s transparency requirements at Articles 13 and 14.  How the fine could have been avoided: The AEPD said Caixabank relied on the legal basis of “legitimate interests” without proper justification. Before you rely on “legitimate interests,” you must conduct and document a “legitimate interests assessment.”  The company also failed to obtain consumers’ consent in a GDPR-compliant way. If you’re relying on “consent,” make sure it meets the GDPR’s strict “opt in” standards. The AEPD criticized Caixabank’s privacy policy as providing vague and inconsistent information about its data processing practices. Make sure you use clear language in your privacy notices and keep them consistent across websites and platforms. 16. BBVA (bank) — €5 million ($6 million) This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020.  The BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month. Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions. How the fine could have been avoided: The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages. The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and use its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy. 17. Fastweb — €4.5 million ($5.5 million) Italy’s DPA (the Garante) fined telecoms company Fastweb €4.5 million on April 2 2021 for engaging in unsolicited telephone marketing without consent. In particular, the Garanta noted that Fastweb was using “fraudulent” telephone numbers that the company had not registered with Italy’s Register of Communication Operators. How the fine could have been avoided: Fastweb’s fine derives from telemarketing rules that are set out in Italy’s implementation of the ePrivacy Directive, rather than the GDPR. However, the company still appears to have violated the GDPR by failing to obtain valid consent. It’s important to remember this interplay between the EU’s main privacy laws. The ePrivacy Directive requires you to obtain consent for certain activities, but the GDPR sets the standard of consent—and the standard is very high. 18. Eni Gas e Luce — €3 million ($3.6 million) This fine is one of two imposed on the Italian gas and oil company Eni in December 2019. This is a complicated case involving the creation of new customer accounts—but it boils down to the failure of Eni to obey the GDPR’s principle of accuracy. How the fine could have been avoided: Data protection is about more than just privacy—it also covers issues like records management. Eni should have ensured its customer records were kept accurate and up-to-date. 19. Capio St. Göran AB — €2.9 million ($3.4 million) Capio St. Goran is a Swedish healthcare provider that received a GDPR fine following an audit of one of its hospitals by the Swedish DPA. The audit revealed that the company had failed to carry out appropriate risk assessments and implement effective access controls. As a result, too many employees had access to sensitive personal data. How the fine could have been avoided: Conducting a data protection impact assessment (DPIA) is mandatory under the GDPR for controllers undertaking certain risky activities or handling large-scale sensitive data. Eni should have conducted such an assessment to determine which staff required access to medical records. Access to sensitive personal data should be restricted to those who strictly require it. 20. Iren Mercato — €2.85 million ($3.4 million) In June 2021, the Italian DPA fined energy company Iren Mercato for carrying out a telephone marketing campaign without obtaining proper consent. The phone calls were conducted by a third party marketing company acting as a data processor. How the fine could have been avoided: Many of the fines on our list relate to telemarketing and the failure to obtain GDPR-valid consent. Remember that even when using third-party services to conduct marketing campaigns, you could still be directly liable under the GDPR if you fail to establish a valid legal basis for processing personal data. 21. Foodinho — €2.6 million ($3 million) Groceries delivery service Foodinho received this substantial fine in June 2021, after the Italian DPA found the company had failed to obey the GDPR’s rules on “automated processing,” in this case the use of an algorithm to determine employees’ wages and workflow. The company was also found to have violated the GDPR’s principle of “lawfulness, fairness, and transparency” by failing to provide employees with adequate information. How the fine could have been avoided: Foodinho’s fine mainly relates to a relatively niche area of GDPR compliance—”solely automated processing with legal or similarly significant effects.”  In short, if you’re making purely AI-driven decisions about people that could impact on their finances, employment, or access to services, you must ensure you provide a human review of such decisions. 22. National Revenue Agency (Bulgaria) — €2.6 million ($3 million) This August 2019 fine against Bulgaria’s National Revenue Agency was issued after the organization suffered a data breach affecting 5 million people. The breached data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organizational measures to protect the personal data under its control. How the fine could have been avoided: The Bulgarian National Revenue should have conducted a thorough risk assessment of its processing operations and taken effective steps to safeguard personal data. While it’s not clear what caused this data breach, it’s worth noting that the FBI’s Internet Crime Control Center cites email as the number one threat vector in cybercrime.  By securing your company’s email systems, you’re cutting off one of your major vulnerabilities and significantly reducing the likelihood of a data breach.

What else can organizations be fined for under GDPR?  While the biggest fines involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.  In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But, how do you prevent an accident? By focusing on people rather than systems and networks. How does Tessian help organizations stay GDPR compliant?

Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.  Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). To learn more about how Tessian helps with GDPR compliance, you can check out this page, our customer stories or book a demo. 

Ah, the holidays. As we roll up to the end of the year, one thing’s certain as the office party and failed New Year’s resolutions – cybersecurity 2022 trend articles.    And like festive holiday merch in stores, trends pieces seem to appear earlier and earlier each year.    Well this year, we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.

And on Twitter, the feeling is similar… My prediction? The majority of 2022 cybersecurity predictions will again be “More of the same, packaged a bit differently” because that is how evolution works. It is only from an appreciable vantage point that one sees the scale of incremental change. 1/x — Rik Fërgüson (@rik_ferguson) November 1, 2021 My 2022 Cybersecurity Predictions: pic.twitter.com/7r4AC328q2 — c🎃e (@caseyjohnellis) November 2, 2021

So while someone, somewhere might fall for a high profile deepfake attack or AI generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that.    We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.   Infinity Trend One: People are (still ) gonna fall for the same ol’ sh*t Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Games, you can see why. You're only as strong as your weakest link. Human error wins every time. Awareness training is key. #InfoSec pic.twitter.com/tPD9yBEse3 — Khalil (@sehnaoui) June 21, 2017 You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.   Infinity Trend Two: You’ll (still ) have to explain why cybersecurity matters to the CEO An important "soft skill" as you move up in leadership roles is brevity, the ability to not only be succinct but also flexible when presenting; knowing how to adjust your content on the fly. This is crucial when presenting to higher level business leaders. Practice this! — Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec) October 28, 2021 Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue, to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.) Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey, revealing chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs overall — 63% of organizations — don’t get the kind of support they need from their CEO. If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here’s the only three metrics they care about.  

Infinity Trend Three: Attacks will (still ) come after lunch or at the end of the day (on a Tuesday) Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious, and slipped past secure email gateways (SEGs). Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.

Interestingly, Tuesday – not Friday – was the time employees sent and received the most emails, and that’s also the preferred time for spear phishing. One particular Friday does rank the very highest however, Black Friday. So if you’re reading this….  incoming! It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions? Infinity Trend Four: Your biggest risks will (still ) come from ‘inside the house’ The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over a 1,000 security professionals found that 61% think an employee will cause their next data breach.

  Infinity Trend Five: Hiring a diverse team will (still ) be one of your biggest priorities… and challenges Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation.    Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it-CEO), and you can see why it can be hard to foster a solid security culture.    InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.    So despite a decade passing, the problems most InfoSec, SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated – from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.    So our number one cybersecurity trend’ for 2022?    Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?   Until then, Happy Holidays!