Tessian Blog

October is Cyber Awareness Month, and this year’s theme is “See Yourself in Cyber.”   Fun fact: Cyber Awareness Month started back in 2004, the same year a former AOL software engineer stole 92 million screen names and email addresses and sold them to spammers. Sadly, that’s peanuts compared to more recent breaches. Incidents involving insider threats are at an all-time high, phishing incidents are doubling and even tripling in frequency year-on-year, and the cost of a breach is now over $4 million. This is all to say that cybersecurity is more important than ever. And at Tessian, we live by the motto that cybersecurity is a team sport. So, to help you educate and empower your employees, we’ve put together a toolkit with over a dozen resources, including:

You can download them all for free, no email address or other information required. But, that’s far from the only content we have to share… CEO’s Guide to Data Protection and Compliance By 2024, CEOs will be personally responsible for data breaches. So it’s essential they (and other execs) understand the importance of privacy, data protection and cybersecurity best practices. To help you out, we’ve published an eBook which breaks down: How different regulations have changed how businesses operate  How cybersecurity and compliance can be leveraged as a business enabler The financial and operational costs of data breaches OOO Templates OOO emails can contain everything a hacker needs to know to craft a targeted spear phishing attack… Where you are How long you’ll be gone Who to get in touch with while you’re away Your personal phone number Use these templates as a guide to make sure you don’t give too much away👇🏼

Human Layer Security Knowledge Hub Cyber Awareness Month is all about raising awareness and sharing best practices, and we know the #1 source of trusted information and advice for CISOs are…other CISOs….  That’s why we’ve created a hub filled with dozens of fireside chats and panel discussions about enterprise security, spear phishing, data loss prevention, leadership, and the human element. Sign-up for free and hear from some of the biggest names in the industry.   You Sent an Email to the Wrong Person. Now What? Did you know at least 800 emails are sent to the wrong person in organizations with 1,000 employees every year. While it’s easy to shrug something like this off as a simple mistake, the consequences can be far-reaching and long-term. Learn more, including how to prevent mistakes like this.   6 Best Cybersecurity Podcasts While we’re partial to our own podcast – RE: Human Layer Security – we’ve learned from the best in the business.  To get our fix of cybersecurity breaking news, threat intel, and inspiring interviews, we regularly tune into these podcasts: The CyberWire Daily The Many Hats Club WIRED Security Get the full breakdown here.   How to Get Buy-In For Security Solutions As a security or IT leader, researching and vetting security solutions is step one. Step two involves convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.  This is easier said than done… So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs.  Here’s a summary of their tips.    Ultimate Guide to Staying Secure While Working Remotely While most of us have been working remotely or in a hybrid environment for well over a year, we know that more than half of IT leaders believe employees have picked up bad cybersecurity behaviors since working remotely. This eBook offers plenty of helpful reminders, including: The risk involved in sending work emails “home” Why using public Wi-Fi and/or your personal device as a hotspot aren’t good ideas Best practice around using cloud storage to share documents How to physically protect your devices Top tips for businesses setting up remote-working policies What Does a Spear Phishing Email Look Like? We know you’re working hard to train employees to spot advanced impersonation attacks…but every email looks different. A hacker could be impersonating your CEO or a client. They could be asking for a wire transfer or a spreadsheet. And malware can be distributed via a link or an attachment. But it’s not all bad news. While – yes – each email is different, there are four commonalities in virtually all spear phishing emails.  Download the infographic now to help your employees spot the phish.   The Risks of Sending Data to Your Personal Email Accounts  Whether it’s done to work from home (or outside of the office), to print something, or to get a second opinion from a friend or partner, most of us have sent “work stuff” to our personal email accounts.  And, while we might think it’s harmless…it’s not. In this article, we explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem.  Looking for more helpful content? Sign-up to our weekly newsletter, or follow us on LinkedIn and Twitter (or do all three!).

A growing incidence of multi factor authentication (MFA) compromises is dominating the threatscape.    The recent breaches at Cisco and Twilio were part of a large phishing campaign that resulted in close to 10,000 credentials at 130 organizations being compromised. Another noteworthy MFA attack was the recent adversary-in-the-middle (AiTM) compromise at Microsoft, impacting over 10,000 organizations. We’re also tracking the persistent and growing challenges posed by ransomware and nation-state campaigns.   Sign-up for our Threat Intel update to get this monthly update straight to your inbox.    

  The use of MFA is an essential security control but has been over-hyped as providing fail-safe protection.   Social engineering using phishing for credential theft is central to recent MFA compromises.   Phishing attacks are escalating month over month to record highs.   MFA bypass attacks targeting organizations that use Microsoft 365 are on the rise.   ATO attacks are increasing and disproportionately targeting the financial sector.   Ransomware attacks are increasing and are targeting the industrial sector.   The threat posed by nation-state cyber campaigns is expected to persist and increase as geopolitical tensions escalate.

  The cost of a data breach is now $4.35m per incident. For healthcare that figure rises to $10.1m.   Phishing attacks are the costliest form of a breach coming in at $4.91m.   ATO attacks have increased by 307% in the last 2 years, with ATO related losses increasing by 90% in 2021 alone.   Phishing attacks escalated to over 1 million attacks in Q1 2022 – a new record.   Credential theft campaigns that resulted in the Cisco and Twilio breaches are part of a  phishing campaign that made use of what has been dubbed the “oktapus phishing kit.” This phishing campaign netted the Okta login credentials of almost 10k users at 130 organizations – mostly located in the US. Victims were targeted with a SMS phishing campaign linked to a malicious site that captured Okta login credentials and 2FA codes. The credentials were then used to gain access to the corporate networks of the affected companies via VPNs and remote devices.   The recent Microsoft 365 MFA related compromises were, according to Microsoft, attributed to the theft of a significant amount of login-in credentials through a large-scale phishing campaign. Using the compromised credentials, threat actors were able to hijack users’ already authenticated sign-in sessions. The threat actors were then able to access victims’ mailboxes and carry-out business email compromise campaigns against other targets.    According to Mitiga, the vulnerability inherent in Microsoft’s MFA authentication protocol is at the heart of the compromise. In particular, the lack of regular re-authentication prompts for a user’s session, even when a user is provisioning applications of a sensitive security nature, such as registering a second authenticator application in their Microsoft profile, played a big role in enabling escalation of the compromise.    This weakness is further demonstrated in the Privilege Identity Management feature of Microsoft’s MFA, enabling admin users to request admin privileges through the PIM  feature only when needed. However Microsoft does not prompt users to reauthenticate for this privilege escalation on the basis that their existing session has already been authenticated. Compounding these vulnerabilities is the fact that there is no-way for customers of Microsoft 365 to override the MFA native features and request additional reauthentication prompts.   According to NCC Group, ransomware attacks are up 47% compared to a month earlier, with the top 3 targeted industry verticals industrials (32%), consumers cyclicals (17%), and technology (14%).    Lockbit 3.0 and Hiveleaks and BlackBasta are the top 3 trending ransomware groups, with Lazarus Group activity also increasing.   The threat of nation-state cyber campaigns is growing according to CSIS, with 86% of organizations indicating that they have been recently targeted on behalf of a nation-state.

  The recent MFA compromise breaches indicate the limitations of this singular security control. This is resulting in an increasing number of successful ATO attacks.    As threat actors become more sophisticated, adopting a defense-in-depth strategy is essential. One key attribute of hardening your information system against ATO attacks is leveraging machine learning powered behavioral-based cybersecurity like Tessian that is able to detect anomalous behavior as it arises. This includes once an attacker has effectively bypassed security controls such as MFA.

To see how Tessian prevents ATO attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Our research report into security culture reveals a startling disconnect between security leaders’ views and those of employees when it comes to cybersecurity. Our survey of 2,000 employees in the UK and US revealed that just 39% say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, over two-fifths (42%) of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it – a sentiment that should set alarm bells ringing for security leaders.    What’s more, for some staff, this attitude is bleeding into their home life. 20% of employees say they don’t care about cybersecurity at work – over 1 in 10 say they don’t care about it in their personal lives!   It’s clear then, that a significant percentage of employees are simply not engaged with the organization’s cybersecurity procedures and how they play their part in keeping their company secure.

Turning to IT and security leaders, virtually all of the 500 leaders we surveyed (99%) agreed that a strong security culture is important in maintaining a strong security posture. And yet despite rating their organization’s security 8 out 10, on average, three-quarters of organizations experienced a security incident in the last 12 months.    There’s clearly a disconnect here between the views of the SOC team, and those in other teams around the business, and one reason for that could be the reliance on traditional training programs.   48% of security leaders say training is one the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. 1 in 5 employees don’t even show up for SAT sessions.    As indicated above, the report also reveals a disconnect when it comes to actually reporting security risks and incidents. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.

Boomers v Gen Z: The Generational Divide    The report also revealed stark generational differences when it comes to cybersecurity culture perceptions. The youngest generation (18- 24 year olds) is almost three times as likely to say they’ve had a negative experience with phishing simulations when compared to the oldest generation (55+). In contrast, older employees are four times more likely to have a clear understanding of their company’s cybersecurity policies compared to their younger colleagues, and are five times more likely to follow those policies.    When it comes to risky cybersecurity practices such as reusing passwords, exfiltrating company data and opening attachments from unknown sources, younger employees are the least likely to see anything wrong with these practices. 

A commissioned study conducted by Forrester Consulting on behalf of Tessian in July 2022 reveals that a composite enterprise of 10,000 protected inboxes saw 268% Return On Investment (ROI) over three years after deploying Tessian. This amounts to over 29,600 labor hours saved.   In addition to the significant time savings, the benefit of having Tessian deployed focused on reducing email security risk against advanced email threats, as well as preventing email data loss. Additional key benefits included quantifiable improvements to the security culture of customer organizations, leading to lower click-through-rates and a greater awareness of the cyber risks posed on email. 

Tessian commissioned Forrester Consulting to conduct a Total Economic Impact™ study to examine the ROI that a composite enterprise realized by deploying Tessian over a 3 year period. The value of having Tessian deployed was distributed accordingly:   • Savings of  $3.1 million due to inbound email threat prevention, including against advanced malicious emails that upstream solutions failed to detect.   • Savings of $2.6 million from preventing email data loss incidents thanks to Tessian’s advanced email data loss protection capability.   • $2.9 million in savings from preventing accidental email from being sent – this includes preventing misdirected and miss-attached emails from being sent.   For modeling purposes Forrester Consulting used full Tessian Platform implementation for a 10,000 end-user enterprise. The study found total benefits of $8.6m, a net present value (NPV) of $6.2m, and an ROI of 268%.

Risk Reduction   Email remains the preferred delivery mechanism for devastating malware attacks, including ransomware. The FBI notes in its latest IC3 report that Business Email Compromise (BEC) has led to losses of $43 billion in the past 5 years, with 65% of these losses occurring in the period 2019 to 2021.   According to the study, this is supported by Forrester’s own research, finding that email-based phishing attacks are playing an increasingly prominent role in security breaches, rising from 23% in 2020 to 31% in 2021. This represents a 35% year-over-year increase. Of concern are the increasing sophistication of BEC, account takeover attacks (ATO), and the devastating impact that insider threats pose, particularly from a data breach perspective.   An information gap that Forrester Consulting identified in the study is the lack of research available and awareness surrounding email data loss. This was mirrored both in published research and in the enterprise. Only after deploying Tessian, did customers realize the magnitude of the data loss risk they faced.

Challenges before Tessian   Some of the key email security challenges prior to interviewed organizations choosing Tessian, included:   • A lack of detection and prevention capability of existing email security tools against advanced threats. Interviewees noted that advanced email threats are becoming more prevalent and more targeted at senior executives.   • Previous email security tools had limited or no email data loss capabilities. Due to the sensitive nature of data processed by the interviewees’ organizations, they could no longer take the risk of not addressing email data loss risk arising from either exfiltration and misdirected emails. • Existing email security solutions that relied on rule-based policies resulted in excessive and disruptive banner warnings without context and didn’t offer protection. In this noisy environment every email had to be treated as a threat, the organizations had no trust in the security efficacy of their existing email security solutions.

Solution Requirements   Prior to choosing Tessian, the features interviewees wanted in an advanced email security solution included:   • Definitive and demonstrable AI and ML capabilities. • High-quality and actionable alerts. • Advanced protection capabilities for inbound as well as outbound email. • API-based integrations into the existing security stack and email environments.  • Fast deployment and low management overhead. • Ability to scale as well as providing a flexible and strategic partnership.

Impact of Tessian   The enterprise organizations that Forrester evaluated found Tessian delivered the following:    • Halving the phishing rate for a large healthcare enterprise, while also reducing the time to diagnose and respond to phishing campaigns from 8.5 hours down to 5 hours.   • Blocking 143 malicious emails in 1 month for a financial services company, and significantly reducing the click-through-rate while improving the security awareness of employees to better identify malicious emails.   • Detecting and preventing 901 malicious emails in one month at another financial services company that had gone undetected by other upstream email security tools.

For data exfiltration, Tessian had the following impact:   • Detected and enabled fast and effective protection and response against data exfiltration attempts for a healthcare enterprise.   • Enabled a culture shift in the professional services company, reducing data exfiltration over email due to the proactive warnings provided by Tessian.      

For misdirected emails Tessian had the following impact:   • 270 instances of accidental data loss in 90 days were prevented for a professional services firm. • 243 misdirected emails and 9 incorrect attachments were detected in one month at a financial services firm.   • Significant reduction in misdirected emails at a healthcare company with the director of information security citing an overall improvement of security awareness among end-users, evidenced by fewer accidental data loss instances every month.

Additional benefits   Better security decision-making: The Forrester study also found there was better end-user security decision-making due to contextual prompts end-users receive in real time on likely malicious emails. Security administrators also leveraged the improved risk analytics to better understand how email security risk is trending in their environment.   Greater investigation efficiency and ability to demonstrate ROI to leadership: Another key benefit realized was significantly faster investigations of email security incidents, as well as a low effort in communicating the ROI of Tessian and how it is reducing email risk to the executive leadership.    Enhanced end-user experience: The user experience and positive feedback from end-users of Tessian were among the notable findings. The positive feedback was tied to the fact that Tessian makes end-users feel more secure and confident on email. This was in large part due to the context driven alerts on likely malicious emails, as well Tessian’s ability to prevent email mistakes from happening.  Improved security culture: The impact Tessian was having on improving the security culture across the organizations interviewed was significant, with one of the interviewees sharing that thanks to Tessian, their latest phishing-prone score was 10% lower than the industry benchmark.

Tessian for advanced email ecosystem protection    Although there are numerous cloud email security solutions on the market today, only Tessian  offers the most comprehensive cloud email security protection available. Thanks to our machine learning powered behavioral detection and cloud email security platform approach, Tessian offers protection against advanced email threats as well as prevents email data loss.    Combined with in-the-moment security awareness coaching, the easy ability to demonstrate ROI, and the strategic and flexible nature of our customer partnerships, leads Tessian to be among the most liked security tools by security leaders and end-users alike.   Want more information on how Tessian can protect your organization? Book a call with one of the team below or try our free email threat assessment.

To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

The Tessian Threat Intel team continues its focus on business email compromise (BEC) campaigns. We issued a Threat Advisory for a PayPal themed campaign we have been tracking since January.   The threat actors in this campaign are seeking to illicit payment fraud and potentially compromise credentials. Other key threats that we are focussing on include increasingly advanced methods for Account Takeover (ATO) and the persistent threat of email-delivered ransomware, including a spike of wiper-malware. Sign-up for our Threat Intel update to get this monthly update straight to your inbox.

  Tessian Threat Intelligence has recently tracked and observed scammers, on numerous occasions sending emails with fake invoice payment requests from payment service providers such as PayPal. From early evidence we are seeing, online fraud campaigns are on the rise, with the potential to evolve to ATO based attacks. Although the primary targets are private consumers, we are likely to see similar attacks targeting vendors and suppliers in the enterprise. The increasing sophistication and targeted nature of attacks observed across the cybercrime landscape represent the maturation of cyber crime, with threat actors targeting specific entities rather than random targets. A number of these phishing attacks are leveraging open source information, as well as relying on information gathered from previous data breaches to identify high yield targets.

  Tessian Threat Intel continues to track BEC and payment fraud campaigns with executive impersonation observed as a consistent theme.  Cryptocurrency payment fraud has already resulted in over $1billion in losses according to the FTC and is up 60x in 2021 compared to 2018. Ransomware-as-a-Service gang activity emanating from Russia is on the rise once again, with REvil re-emerging after an initial law enforcement crackdown. Wiper-malware is surging in 2022, first seen in Russian cyber attacks against Ukraine. Russian APT groups have been observed exploiting the Follina vulnerability.  Microsoft released a patch for Follina in June but we may see a spike in attachment-themed phishing abusing the vulnerability before the fix is widely implemented. Chinese APT groups have been using ransomware as a decoy to carry out espionage campaigns. Other attack campaigns that have captured our attention include the increasing phenomenon of voicemail themed phishing campaigns observed by Zscaler. We expect email delivered ransomware, including the growing prominence of wiper-malware to remain leading threats in 2022. A recently launched carding site ‘BidenCash’ gave away a list of stolen card details for free across darkweb forums to promote their store.

  Having intelligent and layered cybersecurity defenses in place, particularly securing email and the endpoint, are critical for staying safe. Leveraging behavioral cybersecurity solutions that can detect sophisticated social engineering attempts is essential, as threat actors continually develop intelligent methods to bypass rule-based security controls. Practicing good cybersecurity hygiene and regularly testing your security controls, including business continuity and disaster resilience capabilities, are of fundamental importance to cyber resilience. Conducting in-the-moment and contextual cybersecurity awareness training on advanced email threats for your employees should be prioritized  – end-users are your first line of defense.

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

The subject of prioritizing cybersecurity spending often arises in periods of economic uncertainty. As most security professionals will admit, the challenge of security budget justification is challenging in many organizations, regardless of the economic cycle. But in a recession, the challenge of cybersecurity budget allocation and spending can be compounded because, too often, cybersecurity is viewed as an auxiliary and non-critical IT program.   This blog sets out some core tenets essential for building a recession proof cybersecurity program. Spoiler: Building a resilient cybersecurity program starts with a mind shift

Cultivating a positive organizational cybersecurity culture   Many security leaders struggle to make the case for cybersecurity spending allocation, regardless of the economic environment. This is due to an out of touch mindset, with certain leaders failing to understand the importance of cybersecurity to their company’s overall business operations and objectives.     This poorly informed view was evidenced in a recent survey conducted by Tessian, with only 58% of employees thinking that senior executives at their company value cybersecurity. This explains why 1 in 3 employees don’t understand the value of cybersecurity, and why 30% of employees believe they play no role in cybersecurity threat prevention.   The mixed attitude towards cybersecurity could also explain why security leaders often find it challenging to justify cybersecurity program spend, which can become even more challenging in an economic downturn. The tide is slowly starting to turn, due in a large part to increasing cybersecurity risk and the catastrophic fallout associated with breaches, which can result in business failure.    Beyond an organization’s self-interest to keep their information systems and data secure, investors are starting to exert pressure on their portfolio companies to maintain an industry baseline of cybersecurity protection. Evidence of this shift in attitudes is reflected in the fact that environmental, social and governance (ESG) reporting now includes an assessment of an organization’s cybersecurity program and defenses.   It needn’t break the bank. Developing a positive cybersecurity culture in an organization is something that can be achieved on a relatively low cost basis. The key elements to achieve this include clear communication from the executive leadership on the importance of maintaining good cybersecurity hygiene. Creating a positive employee experience in relation to cybersecurity is essential. This entails developing engaging and context-based security awareness training programs that drive cybersecurity awareness – empowering employees to become part of the cyber defense.   

Using open source resources and frameworks to build cybersecurity resilience   While there is no singular approach to building out a cybersecurity program, there are a trove of freely available resources and best practice guides to assist with building information governance systems and cybersecurity programs. View cybersecurity program development as a work in progress. Many unique factors and characterics will come into play in shaping your cybersecurity program development.   By establishing a dedicated team to tackle enterprise security architecture and using well established enterprise architecture frameworks such as COBIT and TOGAF,  in conjunction with cybersecurity frameworks such as NIST Cybersecurity Framework, ISO 27001/02 and the CIS Critical Controls, organizations can start putting the building blocks in place for developing well-integrated and robust information governance systems.    Enterprise architecture frameworks such as COBIT are useful to build an information governance system that proactively identifies areas of risk or IT capabilities that need improvement to ensure that business objectives are achieved.

Ensuring compliance with industry and geo-specific regulations   Cyber risk is increasing year-over-year. In the latest FBI IC3 report, Business Email Compromise (BEC) fraud related losses increased by 65% globally in the period 2019 to December 2021. In the latest Verizon DBIR, ransomware attacks increased by 13% year-over-year, representing the largest increase in over 5 years.   Prioritize your cybersecurity technology budget from the assumption that there is a very strong likelihood that you will at some point suffer a breach. On this basis, focus on the fundamental threat vectors relative to your accepted risk threshold.    In US states such as California and many jurisdictions around the world, regulatory authorities are establishing minimum levels of cybersecurity preparedness that need to be met to ensure compliance.    The California Attorney General under the California Consumer Privacy Act (CCPA), has for instance established the requirement that businesses over a certain revenue threshold have to have a reasonable level of security in place. Reasonable security according to the CCPA is defined as having the CIS Controls implemented.   In the EU’s General Data Protection Regulation (GDPR), key stipulations include having data privacy and data security safeguards in place to ensure the confidentiality, integrity and availability of information processing systems and services. Other security controls include having the ability to restore availability and access to personal data, as well as having a process in place to regularly test, assess and evaluate the effectiveness of technical and organizational measures that ensure the security of data.  

Going beyond the minimum   Threat actors are continuously advancing their abilities. This is why cybersecurity and business leaders cannot afford to rest. Continuously testing your cybersecurity defenses through regular audits and penetration testing will help you identify areas for improvement. This includes practicing incident response and business continuity preparedness.   Cybersecurity is not a tick box compliance exercise.   Cybersecurity is everyone’s responsibility. Many of the core components that encompass a cybersecurity program do not require significant budget, but rather effective leadership, time and effort. Most importantly it requires adopting a mindset that recognizes the importance of being cyber resilient as essential to the organization’s overall success.

To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Tessian Threat Intel focussed on crypto and payment fraud campaigns for the month of May, particularly PayPal related scams which have become increasingly sophisticated over the last several months. Most recently we have identified scams relating to fraudulent email invoices requesting payment via PayPal, with some of these scams requesting payment in Bitcoin.    Keep reading for recommendations for staying safe, and sign-up for our Threat Intel update to get this monthly update straight to your inbox. 

Social engineering remains a persistent global threat that continues to evolve to evade law enforcement and cybersecurity detection and prevention efforts.   Email-delivered crypto Business Email Compromise (BEC) campaigns are increasing in volume and sophistication.   Threat actors are targeting payment providers such as PayPal and fraudulently creating email invoices to perpetrate payment fraud.   Bitcoin is the preferred payment method due to its ability to transverse geographic borders.   In their latest annual IC3 report, the FBI notes over $43 billion has been lost globally due to BEC compromises in the past 5 years. The true figure is likely significantly higher due to unreported incidents.   The FBI notes phishing is increasing and remains the most reported cyber crime incident.   To stay safe: Never click on links from suspicious emails and be on the lookout for increasingly sophisticated BEC attempts to perpetrate invoice payment/wire fraud.

Tessian Threat Intel have noted an uptick in BEC efforts, with invoice/payment fraud the primary objective of threat actors.   We have been tracking payment provider related fraud since January 2022.   Also noteworthy is the increasing sophistication of campaigns targeting victims using a range of themes including the COVID-19 pandemic and, more recently, the conflict in Ukraine.    Over the past 30 days we are still seeing an average of 45 new Ukraine themed domains registered every day. (See April’s round up on Ukraine).   Key themes of the attacks still include crypto donation scams as well as ecommerce spam, romance scams, and loans for refugees.    The donation scams are increasing in volume and expanding in variety with themes for humanitarian aid and support for children or refugees.   As the digital payment market grows, so too will the range of attacks.   Bitcoin remains the preferred medium of payment for the BEC campaigns we have been tracking.   FBI notes a 65% increase in BEC fraud related losses globally in the period 2019 to December 2021.

Be suspicious of any invoice related request, even from a trusted party.   Always verify the authenticity of the invoice by contacting the party via an independent method, for example via telephone – and never use a telephone number provided in the suspicious email.   Report suspicious emails to your security administrator.   Use an advanced email protection solution that relies on behavioral intelligence modeling vs. a static, rule based approach to threat detection.   Report all BEC related losses to your relevant law enforcement agency – only by having an accurate picture on the extent of the crime threat, can we as a community harness the required resources to effectively deal with this challenge.

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

New research from the Ponemon Institute reveals that nearly 60% of organizations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months. Email was revealed as the riskiest channel for data loss in organizations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).    Key findings The Ponemon Institute surveyed 614 IT security practitioners across the globe to also reveal that:  Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)  Over a quarter (27%) of data loss incidents are caused by malicious insiders  It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email  Almost one in four (23%) organizations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient)

The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.    The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organization’s reputation (52%). One of our previous studies found that almost one-third (29%) of businesses lost a client or customer because of an employee sending an email to the wrong person. 

Lack of visibility creates data loss challenges    Organizations cannot protect what they can’t see. A lack of visibility of sensitive data that employees transferred from the network to personal email was cited as the most common barrier (54%) to preventing data loss. Further, over half of respondents (52%) report being unable to identify legitimate data loss incidents and standard employee data handling behaviors.     As a result, it takes security teams 72 hours, on average, to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email, and almost 48 hours to detect and remediate an incident caused by a negligent employee.   Greater education required for employees    The majority of organizations (73%) are concerned that employees do not understand the sensitivity or confidentiality of data they share through email. In addition, marketing and public relations departments are most likely to put data at risk when using email (61%), closely followed by production/manufacturing (58%) and operations (57%).    Despite these risks, organizations do not have adequate training in place. While 61% have security awareness training, only about half of IT security leaders say their programs properly address the sensitivity and confidentiality of the data that employees can access on email.    “This study showcases the severity of data loss on email and the implications it has for modern enterprises,” said Larry Ponemon, chairman and founder of Ponemon Institute. “Our findings prove the lack of visibility organizations have into sensitive data, how risky employee behavior can be on email and why enterprises should view data loss prevention as a top business priority.”

Tessian’s Chief Information Security Officer, Josh Yavor, said, “Most security awareness training programs focus on inbound threats, yet fail to adequately address the handling of sensitive data internally. But data loss – whether accidental or intentional – is a major threat and should be treated as a top priority.    “To create awareness and mitigate data loss incidents, organizations need to be proactive in delivering effective data loss prevention training while also gaining greater visibility into how employees handle company data. Security awareness training that directly addresses common types of data loss – including what’s okay to share with personal accounts and what’s not okay to take with you when you leave a company – and a culture that builds trust and confidence among employees will improve security behaviors and limit the amount of data that flows out of the organization.”  

Over the last decade, phishing – a type of social engineering attack – has transformed from something more like spam to the threat most likely to cause a breach. During that same period, the number of adults on social media platforms like Facebook increased by almost 1,300%.   Every photo we post, status we update, person we tag, and place we check into reveals valuable information about our personal and professional lives. And hackers use this information to craft targeted – and effective – attacks at scale.

How big are our digital footprints?    Our digital footprints are bigger than ever. There are over: 2,701,000,000 users on Facebook 1,158,000,000 users on Instagram 722,000,000 users on LinkedIn 353,000,000 users on Twitter And it shouldn’t surprise you that, according to research, 90% of people post information related to their personal and professional lives online. This number is even higher among 18-34 year olds. And, across LinkedIn, Instagram, and Facebook, 55% of people have publicly visible accounts.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

When an account is public, anyone can see the information you post online, whether it’s a photo of your boarding pass, or a birthday shout-out to a colleague. Harmless, right? Unfortunately not.   This information is gold dust to hackers and makes reconnaissance impossibly easy.    Take the former Australian Prime Minister, Tony Abbott. He posted a picture of his boarding pass on Instagram. From the booking reference, hackers found his passport number and phone number – information that could have helped them gain access to other accounts, including sensitive personal and government information.   It didn’t take much work. According to an ethical hacker we spoke to, “Anyone who saw that Instagram post could also have [his passport number and phone number].”   Mr. Abbott isn’t the only person who posts this kind of information online…

32% of employees post business travel photos and updates. Nearly 72% mention birthday celebrations. 36% share information about their jobs. And don’t forget about all the information we share about our pets, partners, and children.     Hackers use all of it. Yep, even that photo of your pup.    How do bad actors use this information?   To understand exactly how hackers leverage all of this information, we have to look at a social engineering attack from start to finish.   First, a hacker identifies a target organization.    Depending on their motivations, they could choose an asset management firm with hopes of initiating a wire transfer or a pharmaceutical company with hopes of getting their hands on R&D. From there, they’ll research supply chains and vendors, study company org. charts, map employee relationships, and monitor individual behavior. And, by running scripts, they can do this automatically and at scale.     Why do all this reconnaissance? To pinpoint potential entry points, identify viable third-parties to impersonate, and to collect information (however subtle) that’ll help them nudge their targets towards unconscious (and conscious) confirmation and – eventually – trust and compliance. 

While behavior varies by region, most of us eagerly announce when we start a new job. In the US, almost everyone does – with 93% of employees in the US saying they update their job status on social media.   We share press releases about new clients and mergers and acquisitions. We post photos of our employee IDs and screenshots of Zoom calls. We tag our colleagues and customers in our updates and comment on theirs. We share all of this information regularly.    Almost half (43%) of us post every day, giving hackers up-to-date intelligence about where we’re working, who we’re working with, and what we’re working on.   Passwords play a role, too   When it comes to Business Email Compromise, information related to your professional life is important. But your personal information can be just as valuable.   Hackers can use information about your pets, partner, children, and even your interests to crack passwords and answer security questions, giving them full access to personal and work accounts, including password managers and even your email.    Don’t believe us? 21% of people use information like their favorite football team, their pet’s name, or birthdays when creating passwords and some of the most common security questions include: What is your mother’s maiden name? What was your first car? What elementary school did you attend? What year were you married?    This is all readily available online. 34% of people share the names of their pets, 34% mention their children/partner, and 40% share information about their interests.     People may even unwittingly share this information via gimmicks or memes that make their rounds on social media. For example, “name generators” that ask you to combine your pet’s name with your childhood street address. Sound familiar?

An example of a social engineering attack leveraging social media In this example of a social engineering attack, hackers use an OOO message and other publicly available information to initiate a wire transfer.   Type of Attack: CEO/CXO Fraud Industry: Financial Services Hacker Motivation: (Quick) Financial Gain

The hacker group monitors news wires for up-to-date information about banks in the United States to find their target, an asset management firm called SoBank.  They see that the company’s CFO – Andrew Neal – is OOO at a conference. Thanks to his OOO message, they’re able to identify their target, Tristan Porter. They also learn that Andrew goes by “Andy” at work. The hacker group sends a fabricated email chain that appears to be between Andy and Gregory Ellwood, Senior Partner at Dorling Clayton – SoBank’s advising firm – urging Tristan to make a wire transfer.

Cybersecurity best practice   Want to better manage your digital footprint and avoid being targeted by (and falling for) a social engineering attack?   Here’s a list of do’s and don’ts.

Cybercrime is big business. But just how big? Well, big. A recent report from Cybercrime Magazine predicted cybercrime would cost the world $10.5 trillion annually by 2025. Bear in mind that estimates in 2020 were just over half that, at $6 trillion, and up from $2.9 trillion in 2015. So ,why is there a cybercriminal gold rush? And why are attacks getting increasingly more sophisticated, more numerous, and more successful?

Legacy solutions are no match for today’s attacks   As we noted in our recent Spear Phishing Threat Landscape Report, attacks are getting more sophisticated and are bypassing traditional defense systems like rule-based Secure Email Gateways (SEGs). We know this because we examined platform data and found that between July 2020 and July 2021, Tessian scanned nearly 4 billion emails and flagged nearly 2 million as malicious. These emails sailed right past our customers’ Secure Email Gateways (SEGs) and native tools and would have left employees as the last line of defense if it wasn’t for Tessian. Not only that, attacks are getting more frequent. Cybersecurity Magazine estimated a new ransomware attack hits every 11 seconds.    Oftentimes, big problems (like paying out millions for a ransom) can be traced back to small oversights. Like not using Multi-Factor Authentication (MFA). This is particularly common in mid-market SMEs, despite the fact that Microsoft Research found that MFA blocks 99.9% of all automated attacks. As Dave Kennedy, Founder of TrustedSec said at our Spring 2022 Human Layer Security Summit, just 22% of O365 users have MFA enabled. And so attackers can target these firms much more easily. SMEs also have smaller budgets and headcount allocated to cyber compared to the enterprise. The result: 60% of SMEs file for bankruptcy within six months of a breach. 

https://www.tessian.com/wp-content/uploads/2022/04/MFA-quote-Dave-Kennedy-Trusted-Sec.m4v

Email is inherently flawed   If someone broke into your office, chances are you’d know about it quickly and do something about it. Unfortunately, the same doesn’t apply to many organizations’ networks and inboxes. From a simple way of sending asynchronous ASCII messages between user accounts on an academic network in the 1970s, email has grown into a world-devouring beast that is the very backbone of commerce and information exchange. Over 7 billion users globally send and receive 333.2 billion emails a day. Such a vast user base means email is the number one threat vector. 

After all, for many, moving data via email IS their job. What’s more, email is on all our devices: desktops, tablets, and phones. But as Will Patterson, Enterprise Customer Success Lead, notes in this webinar, email has some inherent problems when it comes to security. Firstly, it’s open (in that you can email anyone) and secondly, email attacks are cheap to deploy; they’re effective and can be launched from anywhere. A big audience and low entry bar make it the ideal medium in which to conduct attacks.   It’s no wonder 90% of phishing occurs via email.

Cybercrime pays out – big time   Cybercriminals continue to attack because those attacks continue to be successful, netting potentially hundreds of thousands of dollars from companies for little effort and risk (compared with other types of crime).    The international nature of cybercrime adds another layer of complexity and helps shield attackers from law enforcement. According to the FBI, in 2021, BEC scammers made over $2.4 billion – far more than via any other type of cybercrime. Of course, the cost to the company isn’t just these initial losses, it’s the further costs of containing, reporting, and remediating the breach. IBM currently puts the cost to businesses at $4.24 million per breach. 

It’s faster, easier, and cheaper than ever to execute attacks   With such a big potential target group, attackers are using automation and off-the-shelf tools to not only launch attacks but process the data they exfiltrate in the process. And as James McQuiggan, Security Awareness Advocate at KnowBe4, said at our Fall Human Layer Security Summit, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. So if criminals are automating many of their repetitive processes, you should too.   Not only that, but it’s also easier and cheaper than ever to execute attacks, and technical skills are no longer required. There are numerous tools, platforms, and services that make executing attacks as easy as building a webpage. The following open-source intelligence (OSINT) apps and tools can be used to gather precise information about a person’s social media details, location, and their work email address, making it impossibly easy to identify and manipulate a target.  

Security teams are burned out   Against this cybercrime tsunami stands the CISO and the company’s security team, and the daily battle to keep employees and the organization safe. That’s taking its toll on security teams, who are often stressed and burned out. Our Lost Hours Report found CISOs regularly working extra hours and overtime to keep the company secure from threats.    The CISOs we surveyed worked, on average, 11 hours more than they’re contracted to each week. Nearly 1 in 10 work 20-24 hours more a week. What’s eating up that time is dealing with potential breaches. A quarter of respondents say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day.    A global study by The Ponemon Institute found that the average amount of time required to identify a data breach is 197 days. that’s over six months. It then takes another 69 days on average to contain and deal with the fallout of that breach. Better alerts and warning systems, as well as swift procedures in place to respond to them, are a must. Over six months is more than enough time to wreak havoc in a network. In medicine, there’s the concept of ‘the golden hour’, security needs to aim for a golden 24 hours because the faster an organization can respond the better and faster its recovery will be. 

Employees are busy, stressed, and distracted   The modern workplace is a fuzzy blend of devices (laptop/phone) and locations (home/office/coffee shop etc) with people constantly switching between them trying to juggle, on average, around 100 emails a day. You can see why our Psychology of Human Error report found that 26% of people fell for a phishing email at work in the last 12 months alone. People are maxed out trying to do their jobs, and it’s exactly this pressure that attackers are looking to exploit and manipulate, which underscores the important of building a positive security culture alongside HR.   So, as cybercrime is becoming more and more profitable, here’s what you need to do to strengthen your security stack and keep your people and organization safe:   Layer up your security stack with Integrated Cloud Email Security (ICES) to augment your SEG Implement better email monitoring Automate repetitive security tasks Improve your response time and processes Work with the people team on fostering a positive security culture and engaging security awareness training programs And don’t forget to switch on MFA ASAP!

It’s a fact that C-suite executives are high-profile targets. According to Verizon’s Data Breach Investigations Report, a C-level executive is 12 times more likely to get phished than a junior employee.    Why? Because when you control the head you can control the body. Hack a CxO, and you have the power to command subordinates with requests such as wire transfers, account access resets, network access, corporate credit card details, and company financial functions.    So how can you help better protect your C-suite from attacks?    In former roles, a current Tessian employee used this training technique to test the c-suite’s resilience to an attack and improve their security awareness. Here’s how you can run this experiment on your c-suite; we’ve anonymized and edited some of the details for security and clarity.

The technique   The target for the attack is a CxO or another highly senior person in your company. Your first step is to send a ‘spoof’ email from one of the senior VPs on the team to the target. For real attackers, finding the targets is easy enough as most companies list out their senior team on their websites, sometimes even complete with links to their LinkedIn profiles. And even if the information isn’t available there, it’s easy enough to find with a quick Google search or browse around social media. 

The message you design from the spoof account has to say something along the lines of “Hey Tom (CxO), Dick here, Harry (another real VP on the team) is being a blocker and I need this out ASAP, can you just take a look at this work he sent me.”   

The ‘work’ is of course a document containing the malware. Phrased in this way there is an extremely high probability that Tom, the CxO, will open that attachment. As our anonymous employee explains, “you don’t even need to hack a VP account, you can simply spoof it. I’ve had clicks on this with email metadata that clearly does not match.”

The psychology of why this is so effective   Why this works so well, despite not being a particularly technologically sophisticated technique, is all to do with human nature and the power dynamics found in the top tier of organizations. The message is ‘validated’ because it is supported in the target’s mind by using a bond of trust the CxO has in Harry, the innocent VP. But the attacker is borrowing that trust bond to psychologically ‘authenticate’ the email with the target. 

This is textbook social engineering, which is the technique of manipulating the victim’s natural emotional responses and reactions. Which is why we see other classic ingredients common in phishing attacks like a sense of urgency (I need this ASAP) and a cry for help or a perceived problem that only the target can rectify. After all, there’s some evidence that humans are born with an urge to help. 

Why do senior leaders fall for this?   This exercise manipulates the tendency for senior leaders to overvalue trust bonds from people closest to them and undervalue potentially conflicting information coming from those far below in the org chart. The fact that the message appears to have come from two people that the CXO talks to all the time means they will tend to overvalue communication with them. Furthermore, the message is contextualized around potential turbulence in the relationship dynamic within that inner circle, rather than an external generic ‘your accounts been suspended’ phishing attempt. This only adds to its legitimacy.    As for that relationship turbulence, our recent psychology of Human Error 2022 report found that people make mistakes when they are in highly emotional states. Catch the CxO when they’re distracted, stressed or working quickly and the odds of them clicking only increase.  Finally, traditional SAT training for the C-suite often means they’re aware of it’s deployment across the organization, making it even harder for them to experience a genuine attack moment.

Advice for running this experiment in your organization   If you’re looking to run this phishing test on your team, there are two important principles to consider. The first: don’t cause chaos on your own network. The second: this is about building relationships with the security team, not about adversarial content. “The most important thing is consent,” advises our employee. All too often companies run phishing programs that don’t involve other people and teams before they start their campaigns.    To do this successfully, you’ll need to define parameters such as:   Who is this test targeted at? What will the message describe? What am I allowed to include in the payload? Between what dates will I run the test and at what time? What happens after the click?   That last one is perhaps the most important. What program will you have in place for those who fall for the phish? Remember, these are high-profile people with limited time, so your response has to be concise yet impactful.    Consider scheduling a face-to-face 15-minute discussion where you can explain how the attack worked and what the employee should do in the future. Be sure to  back this up by evidence and statistics on what happens when a C-suite member gets hacked, and what the impact is on the organization. The aim is to connect their click event, with specific actionable risks being brought into the business. 

Technology can help, too. Tessian Defender would have detected this social engineering attack as the metadata in the email address wouldn’t have matched the legitimate address. Defender could have quarantined it for SOC analysis or alerted Tom, the CxO, in real-time with an ‘in the moment’ notification.    Learn more about how Tessian detects and prevents BEC attacks, ATO attacks, CEO Fraud, and other advanced email threats by watching our product tour, or book a demo to learn more. 

The Cyberseek heatmap shows there are over 500,000 cyber job openings in the US alone, and globally over 3.5 million.. With so many unfilled vacancies there must be a skills shortage, right? I’m not so sure. I think our perceived talent and skills shortage is largely self-inflicted because as an industry we’re sadly terrible at hiring, growing, and retaining people.  Too many organizations are chasing a finite number of senior-level people which results in two critical problems. The first is self-inflicted: over the past decade as an industry, we have failed to grow enough people from entry and mid-level positions into senior level roles. The second thing is that many organizations believe they can only hire senior talent rather than grow and retain the talent they already have. If we don’t invest in people earlier in their career, we will never have the talent pool our collective job postings demand.

The problem with hiring only senior talent   We tend to spend a lot of time and energy looking for “unicorn hires”. These hires can take months of our energy and attention for each role. In aggregate, we risk incurring opportunity costs that prevent us from  growing a person – or several people – into these capabilities. Of course, the security industry is not the only offender. Many technical roles outside of security are subject to the same type of bad behavior. We allow ourselves to create job postings with requirements that are sometimes impossible – like requesting 10+ years experience in a technology that has literally only existed for five.    So why are situations like this happening? Despite good intentions, a recruitment team supporting a security team without enough investment of time and partnership from the engineering managers is going to get these things wrong. It’s not their fault, but a clear indication that we need to be better together.

https://www.tessian.com/wp-content/uploads/2022/03/josh-audiogram.mp4

I challenge hiring managers to answer this important question: Describe the specific skills and experiences that 5-10 years of experience mean to you?    When I ask this, one of two things happens: they either can’t answer it – which is a good indicator that it shouldn’t go in the job description – or they can, and this becomes the start of better job requirements. Chronological time doesn’t tell us all that much about someone’s capabilities, how they grew (or didn’t), or what they’re good at.   Instead, we should be focussing on things like core experiences, history of growth, skill sets, and capabilities. That’s what we should switch our requirements and expectation language to. So we should seek people who have specific experiences or capabilities, such as leading specific team sizes, adapting to rapid change in a high growth organization, or have navigated significant technology migrations. These are more equitable, measurable, and useful capability assessments that don’t rule out qualified candidates by setting minimums for years of work experience.

Reminder: if a team runs itself for six months while you hire a manager, you shouldn't be hiring, you should be promoting. — Matt Wallaert (@mattwallaert) November 18, 2020  

The great resignation   We’ve covered the great resignation/re-evaluation/migration previously on this blog. But even before this movement, we were already seeing an average ‘in role’ time of just 18 to 36 months for many security individuals. That’s a high turnover, and The Great Migration has only increased it. Senior decision-makers across the US report an average security staff turnover rate of 20% according to research from ThreatConnect. Compare that to another study by Michael Booz that found that the global average for all roles was around 11%.

Organizations should be focused on what it takes to keep people longer. To retain people, there are two key factors. First, people must have confidence that they can grow and gain value by staying within the organization. Second, they need to be able to experience recognition, and crucially – rewards, for their increasing value both in the market and in their organization. Too often we prioritize budget for new hires when the best option is to invest in the people we already have on staff and reward them before someone else does.    In my experience, not enough is done during the first two years of employment to give employees confidence that there is an ongoing trajectory for them in terms of growth, recognition, and rewards. And by the time we get to that two-year point, the first time that the organization hears about it is when they’re getting the resignation letter.    Sadly that is THE WORST time to attempt a growth and rewards conversation.

Creating a better pipeline   Of course as people levelup and grow into new roles, you need new recruits. But many security leaders are reluctant to have their teams be the first stop in someone’s security career. However, there are plenty of security roles that are great places to get a start in security while applying relevant and overlapping skills from previous non-security roles.    There are very few cases where significant skill transfer from non-security to security roles is not possible. Some of the more obvious examples are IT system administrators becoming enterprise security engineers, software developers being successful in product security roles, etc. We need to look beyond these examples and expand our mapping of critical skills and capabilities to additional roles and backgrounds. Some of the most talented security professionals in our industry today come from much more diverse backgrounds. Some went to university to study linguistics, art, or math, and many never pursued higher education.

Your next security hire could come from customer success, marketing, or human resources   One of the things we need to be more conscious of is that security roles don’t just need technical skill sets. In fact training people up in specific technical skills is relatively easy to do. Instead, we should be optimizing security roles for people who are making a job transition. Security teams can benefit hugely from the things that are NOT easy to train people up on, like emotional intelligence, personal relationship management, and communication skills.   I’ve done this myself. I supported hiring someone with a background in customer service for a security operations role. 90% of the job is still based on providing effective customer service and rapidly triaging problems to identify the most appropriate solutions; it’s just a different set of customers and problems. We can train people on how to use our technology and how to think about security. What’s much harder is training people to be effective communicators with empathy and the high emotional intelligence to provide exceptional outcomes while supporting people.    I’ll finish how I started, by saying again that, there isn’t necessarily a skills shortage in many cybersecurity roles. We’re just setting the requirements poorly, largely ignoring retention, failing to take advantage of skill transference opportunities from non-security roles, and not giving people the opportunity to grow. Want to Join us at Tessian and start or develop your security career? Check out our open roles. What’s it like to work here? Here’s 200 reasons why you’ll love it. Want to find out more about diversity and the cyber skills gap? Register for our up-coming LinkedIn Live.

The advancing sophistication of cybersecurity threat campaigns have brought legacy cybersecurity tools into sharp focus. Built for an on-premise world, these manual, rule-based approaches to cybersecurity are unable to ward off adaptive and increasingly intelligent attack methods.   On the other side of the coin are security leaders who are overwhelmed and overworked. This is largely due to the proliferation of threats, juxtaposed against managing their IT environments from a tooling and staff resource perspective.    Tool sprawl is reaching excessive levels that are simply impossible to manage. The average enterprise now has in excess of 45 cybersecurity tools deployed. Research shows excessive tools deployed leads to a decline of security effectiveness.    The bottom line: Increasing complexity warrants tool rationalization.    Keep reading to learn:   Why Secure Email Gateways (SEGs) have become redundant The powerful capabilities (and shortcomings) of Microsoft  The benefits of replacing your SEG with Tessian + Microsoft

SEG redundancy   The effectiveness of legacy Secure Email Gateway (SEG) solutions is starting to receive due attention as email related breaches continue to snowball. Depending on the statistic cited, the email threat vector accounts for anywhere between 80-96% of cybersecurity attacks.   Replacing SEGs represents a high return, low risk optimization opportunity, due to declining security effectiveness and the high degree of redundancy in the enterprise.     SEG security effectiveness is declining for two reasons:    The majority of enterprises have adopted cloud hosted productivity suites such as Microsoft 365, which natively provide SEG capabilities including malware, phishing and URL protection.  SEGs rely on static, rule-based approaches that are ineffective in safeguarding  email users and data from advanced threats.    Once a threat actor is able to bypass the SEG, they effectively have unmitigated access to carry out their threat campaign. This can (and often does) include Account Takeover (ATO), deploying exploit kits or more damagingly, delivering ransomware. And little protection is offered against insider threats – a growing concern.  

The powerful capabilities (and shortcomings) of Microsoft    Microsoft 365, which includes Exchange Online Protection (EOP) and Microsoft 365 Defender, provides a reasonable degree of email security that effectively makes the legacy SEG redundant.   M365 on E5 licensing provides the following capabilities:   Anti-malware protection Anti-phishing protection Anti-spam protection Insider risk management  Protection from malicious URLs and files in email and Office documents (Safe Links and Safe Attachments) Message encryption via issued PKI Audit logging Quarantine Exchange archiving

Microsoft alone, however, does not guarantee against advanced email threats. Significant gaps remain in Microsoft’s ability to protect against advanced social engineering campaigns that can result in business email  compromise (BEC), ATO, or zero day exploitation. And this is why these shortcomings are also reflected in Microsoft’s Service Level Agreement (SLA) exclusions, for example excluding guarantees against zero day exploits and phishing in non-English languages.    Microsoft + Tessian = Comprehensive security   This is where a next-gen behavioral cybersecurity solution like Tessian comes into play, providing advanced automated email threat detection and prevention capability.   With Tessian, no mail exchange (MX) records need to be changed. Tessian is able to construct a historical user email pattern map of all email behavior in the organization. The best-in-class algorithm is then able to detect and prevent threats that Microsoft or SEGs have failed to detect within 5 days of deployment.    This dynamic protection improves with each threat that is prevented, and unlike the in-line static nature of SEGs, it ensures 24/7 real time protection against all attack vectors, including insider threats. That is why the leading enterprises are opting for displacing their legacy SEG and augmenting Microsoft’s native security capabilities with Tessian.   

Tessian Defender’s capabilities include:   Advanced Spear Phishing Protection Advanced Attachment and URL Protection   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover Invoice FraudBulk Remediation Automated Quarantine  Threat Intelligence

No black box threat visibility and intelligent risk mitigation   Beyond the cost and resource optimization realized by removing SEGs, Tessian clients see significant efficiency gains in the SOC due to the high degree of automating triage and the enablement of a distilled view on the threats that matter  –  finding that needle in the haystack, in real time and in context.    For example, with one-click, SOC analysts can bulk remediate high volume phishing campaigns (aka burst attacks) that are targeting the organization as they happen. Suspicious emails are also automatically quarantined, with threat remediation context provided.    The platform provides a single pane of glass, giving security and risk leaders visibility of how cybersecurity risk is trending in their organization and the types of threats thwarted, down to individual employee-level risk scoring.

Context aware security awareness training  The context-aware security capability of Tessian extends to providing in-the-moment security awareness training to employees. The real-time security notifications flag suspicious and malicious emails received, offer a clear explanation, and provide education to employees in real time. Most enterprises experience a 30% click through rate (CTR) on simulated phishing exercises – including our clients prior to deployment. Tessian clients see simulated phishing exercises returning a less than 5% CTR after deployment – illustrating the effectiveness of Tessian’s security awareness training.

Stopping threats, reducing complexity    Tessian enables security teams to focus on mission critical tasks rather than manually and retroactively triaging already occurred security events. Legacy email security approaches relying on SEGs simply no longer have a place in an increasingly crowded cybersecurity stack. By leveraging Microsoft 365’s native capability together with Tessian, presents an opportunity for security leaders to improve security while reducing complexity.

This is why according to a Tessian commissioned Forrester study, 58% of cybersecurity leaders are reevaluating legacy email security tools and approaches, and why 56% will be investing in behavioral email security solutions with automated detection capabilities.

Traditionally, security leaders view of  nation-state attacks has been ‘as long as you’re not someone like BAE systems or a Government, you’re fine’ But in the last three years nation-state attacks doubled in number to over 200… and we’ve yet to see the full cyber impact of the war in Ukraine. Consequently, nation-state attacks are something all security leaders should be aware of and understand. Here’s what you need to know.

How a nation-state attack differs from a regular cyber attack    Nation-state attacks are typically defined as APTs, or advanced persistent threats – a term first defined in 2005. They are referred to as advanced because they have access to exploits and techniques that are more professional, more effective, and more expensive than the average criminal actors.   Nation-state attackers can have teams full of people that can work a 24-hour shift and handoff every 8 hours. There’s also the question of the duration of an attack. APTs play the long-game, and can sometimes take 18 to 24 months before any compromise takes place. The bottom line: nation-state hackers have the resources to wait for the perfect moment to strike.

What are the aims of a nation-state APT attack? With the nearly unlimited money and resources of a nation-state , nation-state attackers can try every technique and tactic available until they eventually accomplish their goal. And those goals are nearly always political rather than purely criminal. APT attacks generally aim to do one of the following:    Exfiltrate data containing military secrets or intellectual property Conduct propaganda or disinformation campaigns Compromised sensitive information for further attacks or identity theft sabotage of critical organizational infrastructures  Russia blurs this line in that they use criminal activity in furtherance of political goals, and have been for years. They also have an APT set whose objective is essentially disruption and discord, so that security teams and government agencies don’t know where to place the defense resources.

Which businesses are most at risk from a nation-state attack?  A sector all threat actor groups are interested in is Cleared Defense Contractors (CDCs). CDCs are businesses granted clearance by the US Department of Defense to access, receive, or store classified information when bidding for a contract or other supporting activities.   One of the first APT attacks against CDCs was Titan Rain in 2003. Suspected Chinese hackers gained access to the computer networks companies such as Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA, as well as UK Government departments and companies. What’s more, it’s believed that they were inside the network for over three years.  Infrastructure companies are also popular targets. US infrastructure companies such as Colonial Pipeline have been getting hit more and more frequently, and Ukraine suffered a power grid outage in 2015. And banks – especially national banks – are under continual attack, and in light of the recent removal of Russia from the SWIFT payment system, western banks are presumed to be under increased threat in retaliation.

Softer secondary targets   Although traditionally, targets with connections to the military bore the brunt of APTs, there are signs that this is spreading to other industries. In 2021 Microsoft shared detailed information regarding a “state-sponsored threat actor” based in China that targeted a wide range of entities in the U.S. — including law firms. The highly sophisticated cyber-attack used previously unknown exploits to infiltrate Microsoft Exchange Server software, so it’s reasonable to assume that if you have tangential connections to a political target of one of these countries, then you could be at risk.

As KC Busch, Tessian’s Head of Security Engineering & Operations explains “APTs might need to spend a million dollars to compromise their direct target. But if they can find a law firm connected with that target that doesn’t encrypt outbound comms or has adequate email protection, then they’re going to go for the law firm rather than the million-dollar target”   This underscores the importance of not just your own cybersecurity posture, but that of every organization in your network or supply chain. You’re only as strong as your weakest link.. 

The phases of an APT attack   APT attacks come in three phases.    First, there’s network infiltration, typically achieved through compromised credentials. If compromised credentials aren’t an option, or defenses are particularly robust, nation-state attackers might use a zero-day attack. Countries can have teams that will research and write their own zero-days, but more commonly, they will buy them from a gray market of third-party companies that aggregate exploits and sell them without much ethical thought of how they’re used.    This murky world of zero-day exploits and the people that broker them to Governments and security agencies was chronicled by Former New York Times cybersecurity reporter Nicole Perlroth in her recent book, ‘This Is How They Tell Me The World Ends’. Perlorth’s book highlights how for decades, US government agents paid thousands, and later millions of dollars to hackers willing to sell zero-days, and how they lost control of the market. The result is that zero-days are in the hands of hostile nations, who have money to purchase them and a need to deploy them as they’re becoming rarer and more expensive.    The second phase is the expansion of the attack to spread to all parts of the network or system. As we’ve mentioned, APT attacks are not hit-and-run. With time on their side, hackers can wait patiently in the network before gaining full access and control of it.   Thirdly, there’s the attack itself. This could involve collecting data and exfiltrating it, or disrupting critical infrastructure systems. Furthermore, several APT attacks have started with a distributed denial-of-service (DDoS) attack which acts as a smokescreen as data that’s been amassed over what could be months or years is exfiltrated. 

Notable nation-state attacks The most sophisticated: Stuxnet is widely believed to have been developed by the USA and Israel for use against Iran’s uranium enrichment program. It disrupted the plant’s uranium centrifuges by varying their spin rate, but not enough to cause them to shut down. Furthermore, false data was displayed back to the controller, so employees thought everything was business as usual.. Designed to be delivered by an infected USB stick, it could cross the air gap that protected the plant. However, it got out into the wild when an engineer took his infected laptop home from the plant, and connected it to the internet.   The biggest: 2015’s Anthem breach (China was reported to be behind it) saw the sensitive personal data of approximately 78.8 million Americans fall into the wrong hands. Brian Benczkowski, the assistant attorney general in charge of the Department of Justice Criminal Division, called the Anthem hack “one of the worst data breaches in history.”    The data wasn’t ransomed back to the company, and the reasons for the attack remain unclear. By 2019 the DOJ unsealed an indictment charging two Chinese nationals for the attack, but an indication of the alleged hackers’ motives or affiliation was noticeably absent. Current thinking is that it will be used for identity theft or to identify interesting individuals or Government employees for further exploitation and attack. Only nation-states have the resources to process that much intel and find the 100 or so people whose credentials can be further targeted. As for Anthem, the breach cost them over $40 millionto settle the resulting claims, and clear up the mess. 

What’s the future of nation-state attacks?    The Anthem breach and others led to a very loose set of guidelines on what is, and what is not, acceptable. This was hammered out between former President Obama and President Xi Jinpingof China in 2015, but none of this has the force of law like the Geneva Convention. And with an actor like Russia currently in a highly aggressive position, it’s reasonable to expect an escalation until desired political goals are achieved.  Attack types are likely to evolve, too. One example: wipers.. Unlike ransomware, where you pay the money and (hopefully) get your data back, a wiper will display the message as it’s erasing all your data. They’re a class of malware that have a narrowly targeted use, but if someone decided to let those loose, the damage could be astronomical. And worryingly, they’ve already been spotted in Ukraine.

How to protect your organization from nation-state attacks The federal Cybersecurity & Infrastructure Security Agency (CISA) posted a bulletin, titled “Shields Up,” which includes an evolving overview of the current cyber threat environment and specific steps that organizations, corporate leaders, and CEOs can take to bolster their cyber defenses. We have more on those recommendations, as well as how to foster a risk-aware culture, in this blog post. Enacting these defenses and upskilling your team is the best way to protect your organization from Nation-state attacks.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Phishing, spear phishing, smishing, vishing, and several other *ishing techniques all aim to do one thing: convince targets to reveal information which is either valuable in itself and can be ransomed or sold, or can be used to access financial systems to transfer money.   That information could be account logins, bank details, customer information, or personal identifiable information (PII).  Types of phishing attacks Phishing is a numbers game; hackers send hundreds or thousands of messages in the hope that even just oneeee person is distracted enough to click.    That’s why a lot of attacks leverage popular culture. For example, when the smash hit series Squid Games ended, bad actors wasted no time in sending out ‘exclusive look at season 2’ scams.  TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware https://t.co/iTTPjTSwWi @proofpoint #SquidGame #Dridex pic.twitter.com/ShwKRnoimi — David Bisson (@DMBisson) November 1, 2021 Scammers are like wasps at a picnic, they’ll try and attack anything to provoke you… even your daily cup of Joe. As one InfoSec attendee at our Human Layer Security Summit in November said, “If a hacker created a fake offer for free pumpkin spiced latte from Starbucks, trust me, this time a year, people will click on it”.   But there’s a much more targeted sub-category of phishing: spear phishing. Spear phishing attacks center on one or a few individuals. Hackers generally use information like a person’s whereabouts, nickname, or details about their work to craft customized, believable messages.   And getting that information is surprisingly easy. We live our lives online, and every action we take leaves a trail of data and information. Social media status updates, geo-located photographs, travel tickets, venue check-ins, all these can be used to build a picture about an individual’s movements and preferences.

In fact, our How to Hack a Human report revealed that 90% of people post information related to their personal and professional lives online. One-third of people share business travel updates and photos online, and 93% of people update their social profiles when they get a new job. Out of Office replies also contain plenty of data that can be harnessed for an attack.

Our research also revealed that 88% of people have received a suspicious message this year. Can you guess the most popular channel? Email.    Verizon’s 2021 Data Breach Investigations Report found that a staggering 96% of phishing or spear phishing attacks arrive via email (the other means are smishing, which uses SMS, and vishing, which uses faked voicemail or phone calls). Here then, is our ultimate guide to spear phishing attacks: how to spot them, how to stop them, and how to ensure your organization is alert, trained and protected.

How big of an issue are we talking about here? It’s a big problem. 2021’s Spear Phishing Threat Landscape Report revealed that 75% of organizations experienced some kind of phishing attack in 2020. Another 65% faced Business Email Compromise (BEC) attacks, and 35% experienced spear phishing attacks. Graph from the FBI’s Internet Crime Report 2020   And according to the FBI, phishing incidents nearly doubled in frequency, from 114,702 in 2019, to 241,324 incidents in 2020. In all, there were more than 11 times as many phishing complaints to the FBI in 2020 compared to 2016. The numbers for 2021 will no doubt be even higher.

Our report also found that the average employee receives 14 malicious emails a year. For a 500-person company, that’s 7,000 a year. However, this number rose dramatically in the retail sector to 49 on average. Manufacturing employees received 31, R&D 16, and tech employees 14. The problem is, you just can’t stop people from using email. For many of us, it’s a critical part of our jobs. In fact, according to data from Tessian’s own platform, employees send around 4800 emails a year. Our inboxes are a revolving door of links, documents, and information – a door bad actors are quietly trying to slip through.

How a phishing attack starts… Just like real fishing, the cyber version needs bait – something to entice, scare, or shock the target to act. For this, bad actors like to tap into the zeitgeist. Whatever trend, fashion, must-see TV show, or social concern is currently top of mind for their victims, they’ll try to exploit it.   What bad actors like most is something big that affects a large number of people at the same time, and things don’t get much bigger than a global pandemic. At the end of 2020, Britain’s National Cyber Security Centre (NCSC) revealed that it removed more online scams that year than in 2016 to 2019 combined.    In total they found 120 separate phishing campaigns in which the UK’s National Health Service was impersonated – up from just 36 in 2019. The lure commonly used in these scams? The vaccine roll-out.

Indeed, the pandemic provided – and is still providing – a once in a lifetime global opportunity for scammers. Our own survey from 2021 found that 35% of US citizens and 22% of UK citizens said they’d received a ‘proof of vaccination’ phishing email this year. On top of these were Zoom link scams as we all went remote, logistic firm scams as we ordered everything online, romance scams as we got lonely, and ‘back to school’ scams as young people went back into in-person education. Scammers even went for tax day scams as everyone prepared to file their tax returns.

The hook: impersonation Again, just like real fishing, you need a mechanism to get the bait into the water – the hook. An email has to come from someone, right? And getting someone to click a link that appears to have come from Zoom, Netflix, or their boss means convincing them that it’s really from that organization or person.    Business email compromise (BEC) One way scammers do this is with business email compromise (BEC). BEC is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address to convince a target that the email is from a legitimate business.

Here attackers are looking to spoof big global organizations that everyone will have heard of and therefore trust and potentially use – so think Microsoft, Apple, Google, as well as Amazon, DHL, and UPS. We all receive perfectly legitimate emails from these companies all the time, so our defenses are lower. You can find out more about spoof emails here   As well as global brands and companies, BEC attacks can also impersonate a person, typically a senior executive or leader. The target is often a junior employee who’s instructed to urgently help close a deal by transferring funds. This is called CEO Fraud.

CEO fraud   CEO fraud is a particular type of spear phishing in which a fraudster impersonates a senior company executive via email. This could be a CEO, CFO, Head of HR — or anyone with the power to ask employees to make payments or send sensitive information. In these types of attacks, there is again normally a sense of urgency, a perceived external threat, and crucially, often the promise of some sort of incentive for the employee to carry out the action.  Urgency is not always the case however, there’s also the ‘reasonable request’. As Glyn Wintle, CTO and co-founder of Tradecraft, told us, “If you say the request must be actioned in one day, you will get a large number of replies from employees complaining it’s not enough time. If you say it must be actioned in a week, a lot of people will forget about it. If you say it must be actioned in two working days, people think it’s a reasonable period of time and will do it immediately to avoid forgetting about it”.

It even happens to Tessian staffers, a hacker impersonated our CEO and co-founder, Tim Sadler, and tried to get an employee to get them some iTunes vouchers. Needless to say, they didn’t fall for it.   Account Takeover (ATO) Attacks launched from Account Takeovers (ATOs) are some of the hardest to stop because the attacker will start the phishing process from a genuine, compromised account belonging to a real person, rather than a spoofed or fake one.  That’s why ATOs are able to slip past traditional phishing solutions like Secure Email Gateways (SEGs).During the pandemic, ATO attacks increased 307% between 2019 and 2021, and for sectors like Fintech the figure was 850%

Why we click phishing links Hackers like to take advantage of psychological factors like stress, social relationships, and uncertainty that affect people’s decision-making, as this is often when they make mistakes.    In our Psychology of Human Error report we asked 2,000 professionals about mistakes they’ve made at work. The results made for interesting reading.    Worryingly, nearly half of employees (43%) say they’ve made a mistake at work that had security repercussions for themselves or their company.   One in four employees (25%) said they have clicked on a phishing email at work. Men were twice as likely as women to fall for phishing scams, with 34% of male respondents saying they have clicked on a link in a phishing email versus just 17% of women.

Distraction means bad action Nearly half of respondents (45%) surveyed in our report cited distraction as the top reason for falling for a phishing scam. Other reasons for clicking on phishing emails included the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%). Impersonating a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns.

In our spring 2020 Human Layer Summit, Glyn Wintle gave us several examples of how to set up your people and security to mitigate the risks from spear phishing.  

So what does a phishing email look like? As we know, 75% of organizations experienced some kind of phishing attack in 2020 and almost all (96%) arrived via email. But what does an actual phishing attack look like? We’re rounded up five REAL examples of typical spear phishing attacks you can read here. All these attacks were detected (and prevented) by Tessian Defender, so no employees were harmed in the making of this blog post.

Most employees don’t really understand what a spear phishing email looks like until it’s too late. And while attacks can take lots of different forms and approaches, there are four commonalities in virtually all spear phishing emails: impersonation, motivation, urgency, and payload.

When are you most likely to be targeted by a phishing attack? Unsurprisingly, scammers have access to a huge amount of data and, like a regular business sending a newsletter or social media post, they’ve studied when is the best time to launch an attack.    A big event in every scammer’s calendar is Black Friday, and with lots of email, money, and pressure to grab a bargain flying around, it’s easy to see why. 

Black Friday came out as the worst time of the year in Our Spear Phishing Threat Landscape report, which details how Tessian detected nearly 2 million malicious emails that slipped past legacy phishing solutions over a 12-month period.   As for the most popular time of day to launch an attack, research shows that after lunch was the most popular time, followed by just before the end of the day. You can see why. People have just eaten, they’ve come back to a newly full inbox, and they’re trying to get on with the rest of their day.   At the end of the day people have one eye on the door, they might be thinking about the commute home, or dinner, or going somewhere…anything except phishing attacks.   

You’re secure, but what about your suppliers? Even if you’ve done the best you can to mitigate external risks to your organization’s staff, dangers can still come from your suppliers and other partners you work with. Businesses are porous institutions and rely on other businesses for everything from raw materials to stocking the stationary cupboard.

Big businesses rarely publish data on their supply chains, but according to this article from Forbes, Proctor and Gamble list over 75,000 suppliers, while the retailer Walmart uses over 100,000.    Hackers exploit these relationships in software supply chain attacks. These  involve inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software. Like all other forms of attack, supply chain attacks are increasing, up 4 fold in 2021 from 2020. The UK’s National Cyber Security Center has detailed examples of typical supply chain attacks, as well as advice on how to defend against them.

The impact of an attack Phishing of all types is the threat most security leaders are concerned about for the following reasons: attacks are becoming more frequent, they’re performed at scale, they’re hard-to-spot, they’re time-consuming to investigate, and can be very expensive to recover from.    IBM’s annual Cost of a Data Breach found that the average cost in 2021 was $4.24 million, but can be as high as $7million depending on the sector involved and size of the breach.  Why so much?. There’s the potential ransom from the hacker, but also reputation damage, regulatory fines, and time and resources diverted from other things to deal with the attack. It adds up.

The problems with legacy phishing prevention solutions As the attacks have gotten smarter, faster, and more varied, existing solutions are struggling to stop them. Here’s why.    Secure Email Gateways (SEGs) Problem: SEGs lack the intelligence to learn user behavior or rapidly adapt. The backbone of a SEG is traditional email security approaches – static rules, signature based detection, library of known threats, etc. Meanwhile, attackers consistently evolve their techniques, email networks are dynamic in nature, and human behavior is inconsistent and unpredictable. That means rules are out of date as soon as they are created and signature-based approaches are ineffective.   SEGs can’t detect advanced impersonation, account takeover (ATO), third-party supply chain risk, or wire fraud.

Karl Knowles, Global Head of Cyber for law firm HFW, told us how there’s been a huge rise in impersonation attacks, accounting for more than half of the threats HFW gets. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope.

And as James McQuiggan, Security Awareness Advocate at KnowBe4, explained in our Fall Summit, bad actors have upped their game and started to find ways to bypass these systems by buying and configuring the same off- the- shelf hardware and software firms use, and seeing what gets through.

Sandboxes Problem: Easily bypassed yet potential bottlenecks to genuine business needs   Any detection made by the sandbox is dependent on a file exhibiting malicious behavior. This is easy to work around. Hackers will often send a PDF that contains a link to a malicious form to avoid detection. Likewise, documents with a URI (Uniform Resource Identifier) have an extremely low footprint for sandboxes to detect. And the short TTL domain doesn’t leave much evidence for event analysis or threat intelligence.   There are issues with latency, too. Emails, communications, downloads, and important files can take several minutes to reach their destination because of the bottleneck sandboxes can create.

DMARC Problem: Only one-third of businesses employ DMARC and the info is publicly accessible.   Domain-Based Message Authentication Reporting and Conformance (DMARC), is an added authentication method that uses both Sender Policy Framework (SPF)  and DomainKeys Identified Mail (DKIM) to verify whether or not an email was actually sent by the owner of the domain that the user sees. However, DMARC, SPF, and DKIM records are inherently public information – they need to be so that receiving mail clients can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it. Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack.

Ok so what about more security training? You might think that your legacy solutions in conjunction with more security awareness training (SAT), will help mitigate some of these attacks. Training is important, but the trouble with most security training is no matter how fun and engaging you try to make it, pretty much everyone in the room has somewhere else they’d rather be. It’s also expensive, time consuming, and will always be one step behind actual threats.  

 

For most non-IT staff, trying to explain things like how potentially spoofed domain URLs are constructed is just far too technical, and something they’re hardly likely to remember in the heat of their inboxes weeks or months later. After all, as we learned at our Human Layer Security Spring Summit, the average human makes 35,000 decisions a day – analysing a suspect domain URL in detail probably isn’t going to be one of them. Regardless of how frequent, tailored, and engaging it is – security awareness training can’t be your only defense against social engineering. Why? many of the more sophisticated attacks just aren’t detectable by humans.

How Tessian can help So the only question left to answer is this. When legacy solutions and training programs aren’t enough, how can we prevent employees from interacting with the malicious emails that land in their inbox? Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. Tessian Defender uses machine learning (ML) to protect your people from even the most advanced inbound threats. Here’s how: Tessian’s machine learning algorithms analyze your company’s email data, learn employees’ normal communication patterns, and map their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential impersonation, ATO, or BEC threat. For example, payloads, anomalous geophysical locations, IP addresses, email clients, and sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language via an interactive notification. If you’re in InfoSec, you’ll know only too well that your organization is one click away from an ‘Oh Sh*t’ moment. Tessian automatically stops those moments from happening. Questions? We’d be happy to help. Book a demo today.

Data is the lifeblood of a successful business, and email systems are the veins through which it travels. But new Forrester Consulting research commissioned by Tessian shows legacy solutions aren’t enough to protect this vital business organ…   Key insights from the study include:   Nearly 40% of organizations report 10+ employee-related email security incidents per month 61% of our survey respondents think an employee will cause their next data breach Over 75% of  firms report that 20% or more email security incidents get past their existing security controls One-third say they lack visibility into threats and risky behaviors Organizations spend up to 600 hours per month resolving employee-related email security incidents 42% of security and risk leaders are looking to improve their email security postures  

To err is human…   While security and risk leaders have a lot to worry about, human error tops the list.    That’s because, on average, organizations experience between one and fifty employee-related email security incidents per month, depending on the company size. Nearly 40% report 10+ incidents a month.   Accidental data loss and business email compromise are most common, with nearly half of respondents saying they’ve experienced an incident in the past 12 months.   It’s no wonder 61% of our survey respondents think an employee will cause their next data breach.    So, how are they trying to solve the problem?   Trying to solve the “people problem”   One thing is for sure: security leaders are trying to bolster their defenses, and they know email is every bit as crucial an environment to protect as network and databases. The problem is, built-in security controls and legacy technology alone aren’t enough to prevent human error. In fact, these solutions are actually creating more work for thinly-stretched security teams.   Over a third of firms say they’re wasting a precious amount of time, money, and effort combating email security challenges.    How much time? According to Forrester’s research, organizations spend up to 600 hours per month resolving employee-related email security incidents.   Alas, despite so much time and effort, over 75% of firms report that 20% or more email security incidents get past their existing security controls and, despite phishing simulations and ongoing security awareness training, roughly one-quarter report that 21% or more of employees have failed a phishing test in the past year.    Accidental data loss is a big problem, too with 24% saying they simply don’t have controls in place to prevent misdirected emails.    That’s a lot of risk, but it could be just the tip of the iceberg…One-third say they lack visibility into threats and risky behaviors, proving traditional security solutions have inherent limitations when it comes to solving for risks posed by people.    In fact, according to Tessian’s State of Data Loss Prevention report, IT leaders working at organizations with 1,000+ people in the US estimate 480 emails are sent to the wrong person every year. In reality, Tessian found that an average of 800 emails are misdirected in organizations with 1,000 employees during a single year.   That’s a big difference…

The solution?   Based on all of the above, it’s no wonder 42% of security and risk leaders are looking to improve their email security postures, and are specifically seeking solutions that allow them to gain visibility into risky human behaviors and build unique security identity and risk scores for each employee.    They then want to use this information to feed automated, ML-based threat detection systems to help them predict and protect against unknown threats.  Download the full study.   You can also book a demo to see Tessian’s  platform in action.