As a follow-up to our feature in VentureBeat’s special issue AI & Security, Tessian’s Co-Founder and CTO Ed Bishop spoke with Joe Maglitta, Senior Contributor/Analyst at VentureBeat, to dive deep into how and why we need a different type of machine learning to protect people at work on email.
While you can watch and listen to the webinar on-demand here, below are some of the key takeaways from the discussion and live Q&A that followed.
The way we work has changed and will continue to change
Over the last decade, business has moved – and continues to move – towards digital interfaces. That means that email is now the main artery of communication and, importantly, where an organization’s most sensitive information is shared.
Unfortunately, email isn’t secure. It wasn’t created to be secure and – the surprising truth is – it hasn’t changed much since its inception. When you compound that with the fact that people are more connected than ever, using phones, tablets, and even watches to check and respond to emails, you can see why it’s so important that we protect people – and therefore data – on email.
This evolution towards digital interfaces has come to a head over the last several weeks as most of the world’s organizations have moved to remote-working in light of the outbreak of COVID-19.
Since the outbreak, Tessian has seen a 20% increase in the number of emails sent; that means there are more opportunities for data loss on email and opportunistic phishing attacks than ever before.
“Organizations are really only as secure as the gatekeepers to these digital systems and data. This is what we refer to as the Human Layer.”
Human Layer Vulnerabilities are the cause of data breaches
Employees control a business’s most sensitive systems and data, whether that’s someone in your finance department who oversees billing and banking platforms or someone in your HR department who controls employee social security numbers and compensation plans.
They are the first and last line of defense; the gatekeepers of digital systems and data.
This is what we call the Human Layer. And people’s propensity to make mistakes, break the rules, or be hacked are Human Layer Vulnerabilities. But, these vulnerabilities don’t cause small issues. They’re responsible for big problems.
They’re the number one cause of data breaches, with 88% of data breaches reported to the UK’s Information Commissioner’s Office (ICO) being caused by human error.
This was borne out by a live poll conducted during the webinar, in which 40% of viewers said phishing was the type of security breach they are most concerned about. Accidental data loss (30%) and ransomware (30%) followed.
No one cited denial of service as their biggest concern.
“This problem exists across industries and sectors. If you have people controlling systems and data within your organization, then you have human layer vulnerabilities.”
IT and security leaders often don’t have visibility of the problems associated with human error within their organization
While human error on email is a problem in itself, the fact that many CISOs and other executives don’t know it’s a problem makes it even more of a challenge to solve.
In the second poll of the webinar, viewers were asked: “How confident are you in the measures your organization has in place to prevent data breaches caused by people making mistakes, breaking rules, or being hacked?”
Respondents were split down the middle.
But, according to Ed, confidence – especially from security leaders – is the wrong way to measure it, particularly when their visibility of the problem relies on employees reporting their own mistakes or other breaches.
“We like to look at what the data says. When we go in and do historical analysis, we’re able to show that the number of misdirected emails is as great as 20-30 times larger than CISOs think. A 10,000-person organization will send 130 misdirected emails a week, but the CISO doesn’t necessarily know that because only a few get reported to him or her a quarter.”
Human Layer Security isn’t replacing machine layer security, DLP, or training
There are thousands of security products on the market. That’s in addition to the policies and procedures implemented within individual organizations. Human Layer Security isn’t a replacement for your entire security stack; it’s a vital addition.
Machine layer security – often based on rules – is still effective at detecting malware. DLP solutions for physical security are still necessary. But for situations that can’t be expressed as an “if this, then that” rule, you need something else.
Advanced threats caused by human error like spear phishing, misdirected emails, and data exfiltration all fall into that category and the only way to solve for them is by protecting the Human Layer.
“Many security products historically have failed to build trust with the end-user. There’s a real opportunity to empower people to do the work they need to do and use the tools they need to without security getting in the way.”
Stateful machine learning is the best way to balance security, productivity, and effectiveness
Everything involving humans is dynamic and in flux. Relationships are formed for the duration of a project and then fall away. For example, you may have worked with a counterparty a lot a year ago, but now it would be unusual for them to email you asking for an invoice to be paid.
Stateful machine learning considers all of this by combining historical data with real-time analysis to answer the question: “At this exact moment in time, for this person, and their relationship, does this behavior look unusual?”
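To make the idea concrete, here is a small added example of what “stateful” means in practice. It is illustrative code written for this post, not Tessian’s product code and not a description of Tessian’s model. It keeps a per-pair relationship weight that decays with the time since the last message, so the same question (“is this recipient or sender unusual for this person?”) gets a different answer depending on when it is asked. The 90-day half-life, the 0.5 “unusual” threshold, the lookalike-domain check and the message history are all assumptions constructed for the example.

```python
"""Toy stateful relationship model for email anomaly checks.

Added illustration, not Tessian's algorithm. All thresholds and the
message history below are constructed assumptions for the example.
"""
from __future__ import annotations

from datetime import datetime, timedelta

HALF_LIFE_DAYS = 90.0  # assumption: a pair's weight halves after 90 days of silence
UNUSUAL_BELOW = 0.5    # assumption: decayed weight under this is "unusual for this pair"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (acme vs acne)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class RelationshipModel:
    """Directional (sender, recipient) weights with exponential time decay.

    Unlike a static allow-list, each observed message adds 1.0 to the pair
    and the stored weight decays with the time since the last message, so
    "normal" is relative to the moment the question is asked.
    """

    def __init__(self, half_life_days: float = HALF_LIFE_DAYS) -> None:
        self.half_life = half_life_days
        self._edges: dict[tuple[str, str], tuple[float, datetime]] = {}

    def _decayed(self, weight: float, last_seen: datetime, now: datetime) -> float:
        age_days = max(0.0, (now - last_seen).total_seconds() / 86400.0)
        return weight * 0.5 ** (age_days / self.half_life)

    def observe(self, sender: str, recipient: str, when: datetime) -> None:
        key = (sender.lower(), recipient.lower())
        weight, last = self._edges.get(key, (0.0, when))
        self._edges[key] = (self._decayed(weight, last, when) + 1.0, when)

    def strength(self, sender: str, recipient: str, now: datetime) -> float:
        key = (sender.lower(), recipient.lower())
        if key not in self._edges:
            return 0.0
        weight, last = self._edges[key]
        return self._decayed(weight, last, now)

    def known_domains(self, sender: str, now: datetime) -> dict[str, float]:
        """Decayed weight per recipient domain this sender has mailed."""
        out: dict[str, float] = {}
        for (s, r), (w, last) in self._edges.items():
            if s == sender.lower():
                domain = r.split("@", 1)[1]
                out[domain] = out.get(domain, 0.0) + self._decayed(w, last, now)
        return out


def check_outbound(model: RelationshipModel, sender: str, recipient: str, now: datetime) -> list[str]:
    """Misdirection check for a message the sender is about to send."""
    flags: list[str] = []
    if model.strength(sender, recipient, now) < UNUSUAL_BELOW:
        flags.append("unfamiliar-recipient")
        domain = recipient.split("@", 1)[1].lower()
        # An unfamiliar domain one or two edits away from a familiar one is the
        # classic "typo in the address" misdirected email.
        for known, weight in model.known_domains(sender, now).items():
            if known != domain and weight >= UNUSUAL_BELOW and edit_distance(known, domain) <= 2:
                flags.append(f"lookalike-of:{known}")
                break
    return flags


def check_inbound(model: RelationshipModel, sender: str, recipient: str, now: datetime) -> list[str]:
    """Is this sender->recipient pair current, dormant, or brand new?"""
    strength = model.strength(sender, recipient, now)
    if strength == 0.0:
        return ["never-seen-sender"]
    if strength < UNUSUAL_BELOW:
        return ["dormant-relationship"]  # e.g. last year's counterparty asking for payment now
    return []


def build_demo_model() -> tuple[RelationshipModel, datetime]:
    """Constructed history (not real data); returns the model and a 'now'."""
    model = RelationshipModel()
    t0 = datetime(2020, 1, 6)
    # alice mails bob at acme weekly for eight weeks: an active relationship
    for week in range(8):
        model.observe("alice@corp.example", "bob@acme.example", t0 + timedelta(weeks=week))
    # a vendor mailed alice weekly, but that thread ended about a year ago
    for week in range(5):
        model.observe("vendor@oldco.example", "alice@corp.example",
                      t0 - timedelta(days=365) + timedelta(weeks=week))
    now = t0 + timedelta(weeks=8, days=30)
    return model, now


if __name__ == "__main__":
    m, now = build_demo_model()
    print(check_outbound(m, "alice@corp.example", "bob@acne.example", now))
    print(check_inbound(m, "vendor@oldco.example", "alice@corp.example", now))
```

Run as-is, it flags `bob@acne.example` as an unfamiliar lookalike of the familiar `acme.example`, and flags the year-old vendor as a dormant relationship rather than a known sender; the same vendor would pass cleanly if the question were asked during the original project. A real system would learn thresholds and decay rates rather than hard-code them, but the shape of the question is the same.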
Beyond this, though, stateful machine learning and Tessian’s Human Layer Security platform do not get in users’ way; this balances security with productivity and effectiveness in a way that policies, training, removal of access and rule-based technology do not.
This is key; security should empower and enable your employees, not detract from their ability to do their jobs.
For more information about how Tessian uses stateful machine learning to protect people on email, read the full VentureBeat article, watch the webinar, or get in touch for a demo.