Spear Phishing
CISA Warns of New Attacks Targeting Remote Workers
Thursday, January 14th, 2021
tl;dr: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a string of successful phishing attacks exploiting weak cyber hygiene in remote work environments to access companies’ cloud services via employees’ corporate laptops and personal devices.* According to the report, “the cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. … [The threat actors used] a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.”
Once the hackers had access to an employee’s account, they were able to:
- Send further phishing emails to contacts in the employee’s network.
- Modify existing forwarding rules so that emails that would normally be auto-forwarded to the employee’s personal account were instead forwarded to the hacker’s inbox.
- Create new mailbox rules that forwarded emails containing specific keywords (e.g. finance-related terms) to the hacker’s account.

This type of malicious activity targeting remote workers isn’t new. Henry Trevelyan Thomas, Tessian’s VP of Customer Success, has seen many instances this year. “The shift to remote work has resulted in people needing more flexibility, and personal accounts provide that—for example, access to home printers or working from a partner’s computer. Personal accounts are easier to compromise as they almost always have fewer security controls, are outside organizations’ secure environments, and your guard is down when logging on to your personal account. Attackers have realized this and are seeing it as a soft underbelly and entry point into a full corporate account takeover.”

Learn more about Account Takeover (ATO), and take a look at some real-life examples of phishing attacks we spotted last year.

CISA recommends the following steps for organizations to strengthen their cloud security practices:
- Establish a baseline for normal network activity within your environment.
- Implement MFA for all users, without exception.
- Routinely review user-created email forwarding rules and alerts, or restrict forwarding.
- Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens (a stolen session cookie or token may remain valid after a password reset, which is why revoking tokens is listed separately).
- Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
- Consider restricting users from forwarding emails to accounts outside of your domain.
- Focus on awareness and training.
Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities. Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently. For more practical advice on how to avoid falling for a phishing scam, download Tessian’s guide to Remote Work and Cybersecurity.
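The forwarding-rule review CISA recommends above can be automated. The Python below is an added example, not code from CISA or Tessian; it scans mailbox rules for the patterns the report describes: forwarding or redirecting to addresses outside the organization, keyword-triggered forwarding on finance terms, and rules that hide the forwarded copy from the mailbox owner. The organization domain, the keyword list and the rule records are constructed for illustration; in Exchange Online the same fields are available from Get-InboxRule (ForwardTo, RedirectTo, SubjectContainsWords, DeleteMessage, MarkAsRead, MoveToFolder).

```python
"""Audit mailbox rules for the post-compromise patterns in the CISA report:
forwarding to external addresses, keyword-triggered forwarding, and rules
that hide the forwarded copy from the mailbox owner.
Added example; the records below are constructed to mirror the fields an
Exchange Online Get-InboxRule export provides, they are not real tenant data."""

ORG_DOMAIN = "example.com"  # assumption: the tenant's own domain
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "iban", "swift"}
# Folders attackers pick because nobody looks in them.
OBSCURE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "conversation history"}

# Constructed sample: one benign rule and two that match the CISA description.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters", "enabled": True,
     "subject_contains": ["digest"], "forward_to": [], "redirect_to": [],
     "move_to": "Newsletters", "delete": False, "mark_read": False},
    {"mailbox": "alice@example.com", "name": ".", "enabled": True,
     "subject_contains": ["invoice", "payment"],
     "forward_to": ["a1ice.backup@protonmail.com"], "redirect_to": [],
     "move_to": "RSS Feeds", "delete": False, "mark_read": True},
    {"mailbox": "bob@example.com", "name": "Forward all", "enabled": True,
     "subject_contains": [], "forward_to": [], "redirect_to": ["bob.home@gmail.com"],
     "move_to": None, "delete": True, "mark_read": False},
]


def is_external(address):
    """True when the address is not in the organization's own domain."""
    return not address.lower().endswith("@" + ORG_DOMAIN)


def audit_rule(rule):
    """Return the findings for one rule; an empty list means nothing looked odd."""
    findings = []
    if not rule["enabled"]:
        return findings
    targets = rule["forward_to"] + rule["redirect_to"]
    external = [t for t in targets if is_external(t)]
    if external:
        findings.append("forwards outside %s: %s" % (ORG_DOMAIN, ", ".join(external)))
    terms = {w.lower() for w in rule["subject_contains"]} & FINANCE_TERMS
    if terms and targets:
        findings.append("keyword-triggered forwarding on %s" % sorted(terms))
    folder = (rule["move_to"] or "").lower()
    if targets and (rule["delete"] or rule["mark_read"] or folder in OBSCURE_FOLDERS):
        findings.append("hides the forwarded mail from the owner (delete / mark read / obscure folder)")
    # Attackers often give their rules empty or one-character names.
    if len(rule["name"].strip()) <= 1:
        findings.append("suspicious rule name %r" % rule["name"])
    return findings


def audit(rules):
    """Map (mailbox, rule name) -> findings for every rule that has any."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


if __name__ == "__main__":
    for (mailbox, name), findings in audit(SAMPLE_RULES).items():
        print("%s rule %r:" % (mailbox, name))
        for f in findings:
            print("  -", f)
```

Run as-is, the script reports only the two attacker-style rules. Restricting forwarding tenant-wide (the other option CISA gives) is a separate control; the audit is still worth scheduling, because rules created before the restriction took effect remain in place until someone removes them.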
*Note: the activity and information in this Analysis Report is not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.
Spear Phishing
What is CEO Fraud? How to Identify CEO Email Attacks
Thursday, January 14th, 2021
Typically, the attacker will target an employee at a target organization and trick them into transferring money. A CEO fraud email will usually urgently request that the employee pay a supplier’s “invoice” using new account details. Cybercriminals use sophisticated techniques and meticulous research to make the attack as persuasive as possible.

Why do cybercriminals impersonate CEOs and other high-level executives? Two reasons:
- Power: CEOs have the authority to instruct staff to make payments.
- Status: Employees tend to do what CEOs ask. No one wants to upset the boss.

CEO fraud vs. other types of cybercrime
There’s some confusion about CEO fraud and how it relates to other types of cybercrime. Let’s clear a few things up before looking at CEO fraud in more detail. CEO fraud is related to the following types of cybercrime:
- Social engineering attack: Any cyberattack in which the attacker manipulates the target, typically by impersonating someone the target is likely to trust.
- Phishing: A social engineering attack conducted via email (there are other forms of phishing, such as “smishing” and “vishing”, via SMS and phone).
- Spear phishing: A phishing attack targeting a named individual.
- Business Email Compromise (BEC): A phishing attack conducted via a hacked or spoofed corporate email account.

CEO fraud is not to be confused with “whaling”: a phishing attack where the cybercriminal targets — rather than impersonates — a CEO or other senior company employee. More on that in this article: Whaling: Examples and Prevention Strategies.

How do CEO fraud attacks work?
There are three main ways cybercriminals can compromise, or pose as, a CEO’s email account:
- Hacking: Forcing entry into the CEO’s business email account and using it to send emails.
- Spoofing: Sending an email with a forged sender address (the CEO’s real address) and evading email authentication such as SPF, DKIM and DMARC.
- Impersonation: Using an email address that looks similar to the CEO’s email address.
A CEO fraud attack usually involves one of the following:
- Wire transfer phishing: The attacker asks the target to pay an invoice.
- Gift certificate phishing: The attacker asks the target to buy them gift certificates.
- Malicious payload: The email contains a malware attachment.

Like all social engineering attacks, CEO fraud attacks exploit people’s feelings of trust and urgency. When the CEO is “in a meeting” or “at a conference” and needs an urgent favor, employees don’t tend to second-guess them.

Here’s how a CEO fraud email might look. For the sake of the example, imagine your boss is Thomas Edison. Yes, that Thomas Edison.
There are a few things to note about this CEO fraud email:
- Note the subject line, “Urgent request,” and the impending payment deadline. This sense of urgency is ubiquitous among CEO fraud emails.
- The fraudster uses Thomas’s casual email tone and his trademark lightbulb emoji. Fraudsters can do a great impersonation of a CEO by scraping public data (plenty is available on social media!) or by hacking their email and observing their written style.
- Cybercriminals do meticulous research. Thomas probably is in Florida. “Filament Co.” might be a genuine supplier, and an invoice might even actually be due tomorrow.

There’s one more thing to note about the email above. Look at the display name — it’s “Thomas Edison”. But anyone can choose whatever email display name they want, and many mobile email apps show only the display name, not the full address, unless you tap on it. That leaves people vulnerable to crude “display name impersonation” attacks. That’s why it’s so important to examine the sender’s email address and make sure it matches the display name. Remember: on mobile, you’ll have to take an extra step to view the email address. But it’s worth it.

It’s important to note that the difference between the display name and email address won’t always be easy to spot. Why? Because fraudsters can create lookalike email addresses via “domain impersonation”. Let us explain. An email domain is the part of the email address after the “@” sign. A cybercriminal impersonating Bill Gates, for example, might register a domain such as “micros0ft.com” (a zero in place of the letter o) or “microsoft.co” (a different top-level domain). Likewise, using “freemail impersonation”, a less sophisticated attacker might simply set up an account with any free email provider under the CEO’s name (an address made up of the CEO’s first and last name at a free webmail service). We explain domain impersonation in more detail – including plenty of examples – in this blog: Inside Email Impersonation: Why Domain Name Spoofs Could be Your Biggest Risk.

How common is CEO fraud?
It’s undeniable that cybercrime is on the increase.
FBI statistics show that the total losses from cybercrime tripled between 2015-2019. Business Email Compromise (BEC) has also “increased, grown in sophistication, and become more targeted” due to the COVID-19 pandemic, according to Interpol. But what about CEO fraud itself? CEO fraud once dominated the cybercrime landscape. However, there is some evidence that cybercriminals are moving away from CEO fraud and towards a broader range of more sophisticated social engineering attacks. The FBI’s Internet Crime Complaint Center (IC3) estimates the global losses associated with BEC at over $26 billion in the period from 2016-19 and cites a 100% increase in BEC between 2018-19.  But this figure doesn’t distinguish CEO fraud from other types of BEC. The IC3’s 2019 cybercrime report suggests while CEO fraud previously dominated BEC, cybercriminals now impersonate a broader range of actors, including vendors, lawyers, and payroll departments. These days, employees don’t only have to be wary of CEO fraud attacks. They also need to watch out for more advanced cybercrime techniques like Account Takeover (ATO), deepfakes, and ransomware. But CEO fraud is still a big deal. In December 2020, the Bank of Ireland warned of an increase in Brexit-related CEO fraud attacks. The bank’s staff were reportedly dealing with two to three CEO fraud attacks per week, with some attacks compromising millions of euros. Want to know how to protect yourself and your business from CEO fraud? Read our article: How to Prevent CEO Fraud Attacks.
Spear Phishing
How to Prevent CEO Fraud: 3 Effective Solutions
Thursday, January 14th, 2021
CEO fraud is a type of cybercrime in which the attacker impersonates a CEO or other company executive. The fraudster will most often use the CEO’s email account — or an email address that looks very similar to the CEO’s — to trick an employee into transferring them money. This is one type of Business Email Compromise (BEC) — a serious cybersecurity threat that costs businesses billions each year. In this article, we’ll be talking you through the steps you can take to prevent successful CEO Fraud attacks on your organization. If you want to learn more about BEC before diving into CEO fraud, you can check out this article: Business Email Compromise: What it is and How it Happens. You can also get an introduction to CEO Fraud in this article: What is CEO Fraud?

1. Raise employee awareness
Cybersecurity leaders know that security is everyone’s responsibility. Your whole team must understand what CEO fraud looks like. Staff training reduces (but does not eliminate) the likelihood that your employees will fall victim to an attack. So how will employees know when a CEO fraud attack is underway? Let’s look at an example of a CEO fraud email and identify some tell-tale signs that it’s a scam.
First, note the lack of spelling errors. Poor spelling and grammar can be a phishing indicator, but it is increasingly rare in today’s more sophisticated cybercrime environment. Also, notice the personal touches — Sam’s familiar tone, his references to Kat working from home, and his casual email sign-off. Fraudsters go to great efforts to research their subjects and their targets, whether via hacking or simply using publicly available information (for example, social media).

These persuasive elements aside, can you spot the red flags? Let’s break them down:
- The sender’s email address: The domain name is “abdbank.com” (which looks strikingly similar to abcbank.com, especially on mobile). Domain impersonation is a common tactic for CEO fraudsters.
- The sense of urgency: The subject line, the ongoing meeting, the late invoice. Creating a sense of urgency is near-universal in social engineering attacks. Panicked people make poor decisions.
- The authoritative tone: “Please pay immediately.” There’s a reason cybercriminals impersonate CEOs — they’re powerful, and people tend to do what they say.
- Playing on the target’s trust: “I’m counting on you.” Everyone wants to be chosen to do the boss a favor.
- Westinghouse’s “new account details”: CEO fraud normally involves “wire transfer phishing” — this new account is controlled by the cybercriminals.

Your cybersecurity staff training program should educate employees on how to recognize CEO fraud, and what to do if they detect it:
- Check the sender’s email address for discrepancies. This is a dead giveaway of email impersonation. But remember that corporate email addresses can also be hacked or spoofed, so a matching address is not proof that the email is genuine.
- Feeling pressured? Take a moment. Is this really something the CEO is likely to request so urgently?
- New account details? Always verify the payment through a channel other than the email itself, such as a phone call to a number you already have on file. Don’t pay an invoice unless you know the money’s going to the right place.

Looking for a resource that you can share with your employees?
We put together an infographic outlining how to spot a spear phishing email. While these are important lessons for your employees, there’s only so much you can achieve via staff training. Humans are often led by emotion, and they’re not good at spotting the small giveaways that might reveal a fraudulent email. Sometimes, even security experts can’t! More on this here: Pros and Cons of Phishing Awareness Training. 
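The three impersonation patterns described in these two articles (display-name impersonation and domain impersonation in What is CEO Fraud?, and the abdbank.com lookalike in the breakdown above) can be checked mechanically at the mail gateway before a human ever sees the message. The Python below is an added example, not Tessian’s detection logic; the directory of executives, the bank’s own domain, the free-mail list and the sample From headers are all constructed for illustration.

```python
"""Check an inbound From header for display-name impersonation, lookalike
(typosquatted) domains, and free-mail impersonation.
Added example, not Tessian's detection logic. The directory of executives,
the organization's domain, and the sample headers are all constructed."""
from email.utils import parseaddr
import unicodedata

OWN_DOMAINS = {"abcbank.com"}                            # assumption
EXECUTIVES = {"sam westinghouse": "sam@abcbank.com"}      # assumption: name -> real address
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}

# Characters attackers swap in because they render almost identically.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize_domain(domain):
    """Fold a domain to the form it is meant to look like (micros0ft -> microsoft)."""
    folded = unicodedata.normalize("NFKC", domain.lower()).translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Plain edit distance; one edit is the classic one-letter typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the legitimate domain this one imitates, or None if it is ours or unrelated."""
    domain = domain.lower()
    if domain in OWN_DOMAINS:
        return None
    folded = normalize_domain(domain)
    for own in OWN_DOMAINS:
        if folded == normalize_domain(own):              # micros0ft.com style
            return own
        if folded.split(".")[0] == own.split(".")[0]:    # abcbank.co, abcbank.com.evil.net
            return own
        if levenshtein(folded, own) <= 1:                # abdbank.com, abcbank.con
            return own
    return None


def analyze_from(header):
    """Return a list of findings for one From header; empty means nothing odd."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    _local, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        return ["unparseable From header: %r" % header]
    findings = []
    expected = EXECUTIVES.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        findings.append("display name %r belongs to %s, not %s" % (name, expected, addr))
        if domain in FREEMAIL:
            findings.append("free-mail impersonation")
    imitated = lookalike_of(domain)
    if imitated:
        findings.append("domain %s resembles %s" % (domain, imitated))
    return findings


# Constructed sample headers: one genuine, three impersonation attempts.
SAMPLE_HEADERS = [
    "Sam Westinghouse <sam@abcbank.com>",
    "Sam Westinghouse <sam@abdbank.com>",
    "Sam Westinghouse <sam.westinghouse@gmail.com>",
    "Accounts Payable <ap@abcbank.com.evil.net>",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", analyze_from(h) or "ok")
```

Two caveats. A genuine address is not a clean bill of health, since the real account may have been hacked, which is why the check above only ever adds findings and never whitelists. And the confusables table here covers ASCII digit-for-letter swaps only; internationalized domains with Cyrillic or Greek homoglyphs need a full Unicode confusables table, which NFKC normalization does not provide.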
2. Implement best cybersecurity practice
Beyond staff training, every thriving company takes an all-round approach to cybersecurity that minimizes the risk of serious fallout from an attack. Here are some important security measures that will help protect your company’s assets and data from CEO fraud:
- Put a system in place so employees can verify large and non-routine wire transfers, ideally via phone, using contact details already on file rather than those in the email.
- Protect corporate email accounts and devices using multi-factor authentication (MFA).
- Ensure employees use strong, unique passwords (a password manager helps) and change them promptly if they may have been exposed. Routine forced rotation is no longer recommended by NIST (SP 800-63B).
- Register domains that are similar to your company’s brand name to prevent domain impersonation, and publish SPF, DKIM and an enforcing DMARC policy for the domains you own so that they cannot simply be spoofed.
- Regularly patch all software.
- Closely monitor financial accounts for irregularities such as missing deposits.
- Use email security software.

All the above points are crucial cybersecurity controls. But let’s take a closer look at that final point — email security software.

3. Use email security software
Because CEO fraud attacks overwhelmingly take place via email (along with 96% of all phishing attacks), installing email security software is one of the most effective steps you can take to prevent this type of cybercrime. Social engineering attacks like CEO fraud take advantage of people’s trust, anxieties, and deference to authority. These are fundamentally human qualities — even the most tech-savvy companies fall victim to social engineering attacks.

Here’s how the email security software product Tessian solves the problem of CEO fraud: Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any signals suggestive of CEO fraud.
For example, suspicious payloads, anomalous geographic locations, out-of-the-ordinary IP addresses and email clients, keywords that suggest urgency, or unusual sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language. Click here to learn more about how Tessian Defender protects your team from CEO fraud and other email-based cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like CEO Fraud.
Customer Stories, Spear Phishing
How Tessian Is Preventing Advanced Impersonation Attacks in Manufacturing
By Maddie Rosenthal
Tuesday, January 12th, 2021
Company: SPG Dry Cooling
Industry: Manufacturing
Seats: 368
Solutions: Defender

About SPG Dry Cooling
SPG Dry Cooling is an innovative, global leading manufacturer of air-cooled condensers that has been providing exceptional quality equipment to coal, oil, and gas industrial plants for over a century. They employ a global workforce and have over 1,000 customer references. We talked to Thierry Clerens, Global IT Manager at SPG Dry Cooling, to learn more about the problems Tessian helps solve and why he chose Tessian Defender over other solutions.

Problem: The most advanced threats can slip past other controls
Phishing is a big problem across all industries. But, because inbound email attacks are becoming more and more sophisticated and hackers continue using tactics like domain impersonation and email spoofing, Thierry knew he needed to implement a new solution that could stop the phishing emails that might slip past his O365 controls and trained employees. He cited one specific incident where a hacker impersonated a company in SPG Dry Cooling’s supply chain and attempted to initiate a wire transfer. How? A tiny, difficult-to-spot change in the domain name.

“They created a fake domain with exactly the same name as the real user. But the top-level domain .tr was missing at the end. So it was just .com. No user – not even IT! – is looking at the domain name that closely. They tried to get us to deliver money to another account,” Thierry explained.

While the attack wasn’t successful (SPG Dry Cooling has strong policies and procedures in place to confirm the legitimacy of requests like this), he wanted to level up his inbound email security and help users spot these advanced impersonation attacks. So, he invested in Tessian. Thierry explained why.
Tessian Defender analyzes up to 12 months of historical email data to learn what “normal” looks like. It then uses natural language processing, behavioral analysis, and communication analysis to determine in real time whether a particular email is suspicious. To learn more, read the data sheet.

Problem: You can’t train employees to spot all phishing attacks
Tessian also helps employees get better at spotting malicious emails with in-the-moment warnings (written in plain English) that reinforce training by explaining exactly why an email is being flagged. Here is an example:
This feature is especially important to Thierry, who values phishing awareness training but understands it has to be ongoing.  “We like to empower our users and we like that, with Tessian, our users learn and become better and better and better. That’s what we’re trying to do at SPG Dry Cooling. We’re trying to train and educate our users as much as possible. We’re trying to be innovative in the ways that we get our users, our company, our members, everybody, to better themselves,” he said. In evaluating solutions, he wanted something that would protect his people, while also empowering them to make smarter security decisions. He found that in Tessian, explaining that “the most interesting feature for me is the user education. You have to train your users. You have to help them get better at spotting threats by helping them understand the threats. Tessian does that.” Problem: It’s nearly impossible for IT teams to manually investigate all potential inbound threats Before Tessian, Thierry and his team had to manually investigate all emails that employees flagged as suspicious. With limited time and resources – and given the fact that “some are really good and are even hard for IT people to find” – it was nearly impossible for them to keep up. 
Thierry explained that Tessian extends the capabilities of his team. How?
- It automatically detects and prevents threats.
- Domains can be added to the denylist in a single click, before emails from them even land in employees’ mailboxes.
- Tessian dashboards make it easy for IT to see trends and create targeted security campaigns to help educate users.

Tessian was also easy to deploy. “As a part of our proof of concept, Tessian started ingesting historical data about employees’ IP addresses, what emails they normally send, who they normally communicate with. We saw how it was helping in just a few weeks. After that, we connected Tessian to Office 365. It took just 15 minutes,” he said.

Learn more about how Tessian prevents human error on email
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships.
- Tessian Guardian automatically detects and prevents misdirected emails
- Tessian Enforcer automatically detects and prevents data exfiltration attempts
- Tessian Defender automatically detects and prevents spear phishing attacks
Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however you work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Spear Phishing
What is a Malicious Payload and How is it Delivered?
Tuesday, January 12th, 2021
The term “payload” traditionally refers to the load carried by a vehicle — for example, the passengers in an aircraft or the cargo in a truck. But, in computing, “payload” refers to the content of a message. When you send an email, you’re transmitting several pieces of data, including a header, some metadata, and the message itself. In this scenario, the message is the payload — it’s whatever content you want the recipient to receive.

The term “malicious payload” comes into play when we talk about cybersecurity specifically. In a cyberattack, a malicious payload is whatever the attacker wants to deliver to the target — it’s the content that causes harm to the victim of the attack. Oftentimes, it’s a URL that leads to a malicious website or an attachment that deploys malware. We talk more about malicious websites in this article: How to Identify a Malicious Website.

How is a malicious payload delivered?
Malicious payloads first need to find their way onto a target’s device. How? There are a couple of methods hackers use to do this:
- Social engineering attacks
- DNS hijacking

The most common way to deliver a malicious payload is via social engineering attacks like phishing, spear phishing, CEO Fraud, and other types of advanced impersonation attacks. If you’re not sure what social engineering is – or if you want real-world examples of attacks – you can check out this article: 6 Real-World Examples of Social Engineering Attacks.

Here’s how a typical phishing attack starts. Suppose your office has ordered some printer ink. You get an email from someone claiming to be “FedEx” that says: “click here to track your order.” Since you are – in fact – expecting a delivery, you click the link. The link appears to lead to FedEx’s order-tracking page, but the page causes a file to download onto your computer. This file is the malicious payload.
While email is the most common delivery vector for malicious payloads, they can also arrive via vishing (phone or VoIP) and smishing (SMS) attacks.

Another way to deliver a malicious payload is via DNS hijacking. Here, the attacker tampers with name resolution (for example, by changing the DNS settings on a compromised router or device, or by altering a domain’s records at its registrar) so that a legitimate hostname resolves to a server the attacker controls, where the browser is served the payload in the form of a malware file.

Types of malicious payloads
Malicious payloads can take a number of forms. The examples below are all types of “malware” (malicious software).
- Virus: A type of malware that can replicate itself and insert its code into other programs.
- Ransomware: Encrypts data on the target computer, rendering it unusable, and then demands a ransom to restore access.
- Spyware: A program that tracks user activity on a device — including which websites the user visits, which applications they use, and which keys they press (and, therefore, the user’s passwords).
- Trojan: Any file which appears to be innocent but performs malicious actions when executed.
- Adware: Hijacks the target computer and displays annoying pop-up ads, affecting performance.

But a payload doesn’t need to come in the form of a file. “Fileless malware” uses your computer’s memory and existing system tools (for example, PowerShell or WMI) to carry out malicious actions — without the need for you to download any files. Fileless malware is notoriously hard to detect.

Malicious payload vs. zero payload
Not all phishing attacks rely on a malicious payload. Some attacks simply persuade the victim to action a request. Keep reading for examples. Suppose someone claiming to be a regular supplier sends you an email. The email claims that there’s been a problem with your recent payment. With a malicious payload attack, the email might contain an attachment disguised as your latest invoice. With a zero payload attack, the email may encourage you to simply initiate a wire transfer or manually update account details to divert the payment from the genuine supplier to the hacker.
Zero payload attacks can be just as devastating as malicious payload attacks, and traditional antivirus and anti-phishing software struggles to detect them, because there is no file or link to scan.

Case study: KONNI Malware, August 2020
Let’s look at a real-world example of a malicious payload attack. This example demonstrates how easy it can be to fall victim to a malicious payload. On August 14, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a warning of “cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware”.

So, in this example, the malicious payload is a Word document, delivered via a spear phishing email. The document itself is not the KONNI malware; it carries a “macro” (code used to automate tasks in Microsoft Office, written in VBA). If the target opens the document and allows the macro to run, the macro contacts a server controlled by the attackers and downloads the KONNI malware, along with further files, onto the target computer. The KONNI malware can perform different attacks, including:
- Logging the user’s keystrokes
- Taking screenshots
- Stealing credentials from web browsers
- Deleting files
These actions would allow cybercriminals to steal crucial information — such as passwords and payment card details — and to cause critical damage to your device.

How to stop malicious payloads
You should take every reasonable step to ensure malicious payloads do not make their way onto your devices. Email security is a crucial means of achieving this. Why? Because email is the threat vector security and IT leaders are most concerned about. It’s also the most common medium for phishing attacks and a key entry-point for malicious payloads. If you want to learn more about preventing phishing, spear phishing, and other types of inbound attacks that carry malicious payloads, check out these resources:
- Must-Know Phishing Statistics: Updated 2021
- How to Identify and Prevent Phishing Attacks
- What is Spear Phishing?
- How to Identify a Malicious Website
- What Does a Spear Phishing Email Look Like?
And, if you want to stay up to date with cybersecurity news, trends, and get the latest insights (and invites to events!) before anyone else, subscribe to our newsletter.
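The KONNI case study above turns on one observable fact: a Word attachment that carries a VBA macro project. A mail gateway can triage for exactly that before the document reaches a user. The Python below is an added example, not Tessian’s code and not a reproduction of the KONNI document; the sample attachments are constructed in memory (a minimal OOXML zip, and a bare OLE header standing in for a legacy .doc), so nothing here is real malware.

```python
"""Triage a Word attachment for the delivery pattern in the KONNI case:
a document carrying a VBA macro project.
Added example, not Tessian's code. Sample attachments are constructed in
memory (minimal OOXML zip, fake OLE header), not real malware."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsx/...)
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def triage_attachment(filename, data):
    """Return (verdict, reasons); verdict is 'block', 'review' or 'allow'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if data.startswith(OLE_MAGIC):
        # Legacy .doc files keep macros in a VBA storage inside the OLE container.
        # Parsing that container is out of scope here; oletools' olevba does it.
        reasons.append("legacy OLE container; extract macros with olevba before delivery")
        return "review", reasons
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        except zipfile.BadZipFile:
            return "review", ["zip container is corrupt"]
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        if has_vba:
            reasons.append("contains vbaProject.bin (VBA macro project)")
        if MACRO_CONTENT_TYPE in content_types:
            reasons.append("declares a macro-enabled content type")
        if has_vba and ext not in MACRO_ENABLED_EXTS:
            # A macro project behind a .docx name is a mismatch worth calling out on its own.
            reasons.append("macro project inside a %s file (extension mismatch)" % (ext or "extension-less"))
        return ("block", reasons) if has_vba else ("allow", reasons)
    return "review", ["unrecognised file type"]


def build_ooxml(with_macro):
    """Constructed sample: the smallest zip that looks like a Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
        zf.writestr("[Content_Types].xml",
                    b'<Types><Override PartName="/word/document.xml" ContentType="' + ct + b'"/></Types>')
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not a real macro")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_ooxml(False)),
        ("invoice.docm", build_ooxml(True)),
        ("invoice.docx", build_ooxml(True)),          # macro hidden behind a .docx name
        ("invoice.doc", OLE_MAGIC + b"\x00" * 64),     # fake legacy header only
    ]
    for fname, blob in samples:
        print(fname, "->", triage_attachment(fname, blob))
```

This checks for the presence of a macro project, not for what the macro does; that is the right gateway signal for the KONNI pattern because the document is only a downloader and the real payload never appears in the attachment. Word only runs such a macro once the user clicks through Protected View and Enable Content, which is why the lure text in these emails tells the reader to do exactly that.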
Human Layer Security
21 Virtual Cybersecurity Events To Attend in 2021
Friday, January 8th, 2021
Our list of 21 cybersecurity events to attend in 2021 features premier cybersecurity summits, like the International Cybersecurity Forum in France and National Cyber Summit in the US, alongside intimate and industry-specific events (and webinars) you won’t want to miss. Many of these events are hosted online, but a lot of organizers are planning to host their conferences face-to-face. Watch out for last-minute changes as the COVID-19 situation continues to evolve. FloCon 2021 Date: January 12-14, 2021 Location: Online FloCon focuses on using big data to fight cybersecurity threats. FloCon demonstrates the latest research on how data analytics can be applied to any large dataset to improve networked system security. This event is perfect for operational analysts, tool developers, researchers, security professionals, and anyone interested in leveraging the power of big data to enhance cybersecurity. Cost to attend: Standard: $500. Government: $100. Academic: $125. Student: $50 10 Incredible Ways You Can Be Hacked Through Email, and How to Stop the Bad Guys Date: January 14, 2021 Location: Online Email remains the threat vector cybersecurity leaders are most concerned about. 2020 has seen a huge spike in email-based phishing and other cyberattacks. 2021 should be the year you lock down your company’s email system against intruders. Join Roger Grimes and Kevin Mitnick of KnowBe4 at this Secureworld webinar, as they talk participants through 10 ways cybercriminals can use email to trick users, launch malware, or hijack communications. Want to know more about protecting your business from email-based cyberattacks? Read our article on Email Security Best Practice. Cost to attend: Free. How to Hack a Human Date: January 26, 2021, 1:00pm EST Location: Online In this webinar, Tessian’s VP of Information Security, Trevor Luke, is joined by Katie Paxton-Fear, PhD Student and Ethical Hacker and Anne Benigsen, CISO at Banker’s Bank of West. 
They’ll discuss how our growing digital footprints make us more vulnerable than ever to social engineering attacks and BEC.  You’ll learn: What personal and work-related information many of us unwittingly share online How hackers use this information to socially engineer a personalized attack What you can do to reduce your company’s hackability Based in EMEA? You can register for this event instead, starting at 12:00pm GMT on January 27. Cost to attend: Free. RSA Conference 2021 Date: January 27, 2021 Location: Online The RSA Conference (RSAC) brings together expert speakers from across the global cybersecurity community, including Adam Hickey, Deputy Assistant Attorney General at the US Department of Justice, Target’s Product Security Director Jennifer Czaplewski, and Cybereason CTO Israel Barak. 2021 sees the RSAC operating 100% online for the second year running, with sessions on analytics, ransomware response, and machine learning security solutions. You can read our take on last year’s conference in this first-hand account, all about last year’s theme: The Human Element.  Cost: Early Bird: $79. Standard: $99. Showcase: Free. RegTech Live: an FStech Conference Date: March 3, 2021 Location: Online   RegTech Live is back for its third year, where – once again – industry leaders will be discussing the latest developments in tech, the biggest trends for 2021, and the emerging technologies those in the financial sector and insurance need to keep their eyes on.  While you can view a full list of speakers here, you can expect to hear from experts from BNY Mellon, UCL, NAtWest, the Financial Conduct Authority, and Tessian. Spoiler Alert: We’ll be speaking about How to Hack a Human.  Cost: Free for those in the financial sector and insurance, £395 + VAT for technology providers  Human Layer Security Summit Date: March 3, 2021 Location: Online   On March 3, Tessian will be hosting its first Human Layer Security (HLS) Summit of 2021. 
Want to be the first to receive an invitation and hear about the agenda and speakers? Sign up to our newsletter! First-timer? Check out our HLS On-Demand page for a collection of last year’s best panel discussions, interviews, and presentations.  Cost to attend: Free. CyberCon London 2021 Date: March 9, 2021 Location: Kimpton Fitzroy, London  CyberCon London features high-profile speakers bringing CTOs, CISOs, and IT directors up-to-date knowledge and practical advice on dealing with cyberthreats. Agenda items include panel sessions on fraud, remote working, and the costs of cybercrime —  plus lectures from world-renowned cybersecurity tsar Dr Jacqui Taylor and blockchain expert Aviya Arika. Cost to attend: Standard: £895 + tax. Super Early Bird: £595 + tax. Early Bird: £695 + tax. Fifth International Workshop on Security, Privacy and Trust in the Internet of Things (SPT-IoT) Date: March 22-26, 2021 Location: Online  The SPT-IoT workshop is part of the International Conference on Pervasive Computing and Communications (PerCom 2021), a conference organized by the IEEE Computer Society. The workshop brings together academics, researchers, and industry leaders to share ideas and advice on security within Internet of Things (IoT) devices.  IoT is a booming industry — but the security risks mean that manufacturers and developers are incurring an increasingly significant regulatory burden. Security leaders in the IoT sector should take every opportunity to learn about implementing better cybersecurity. Cost to attend: Free International Cybersecurity Forum (FIC) 2021 Date: April 6-8, 2021 Location: Grand Palais, Lille, France The International Cybersecurity Forum (Forum International Cybersecurite, or FIC) is one of the largest cybersecurity events in Europe, featuring over 450 speakers, 33 round tables, and 24 conferences, plus plenaries, demonstrations, and cybersecurity masterclasses. 
The 2021 program features sessions on information mapping, secure home working, and the emerging “cyberwar” between state powers. Speakers include privacy advocate Max Schrems, Jolicloud CEO Tariq Krem, and European Commission Vice President Margaritis Schinás. It’s hoped that FIC 2021 will go ahead as a face-to-face event, but remote participation is also available.
Cost to attend: TBC

Cybersecurity Digital Summit for Healthcare and Life Sciences 2021
Date: April 13-14, 2021
Location: Online
2020 saw some high-profile data breaches among healthcare companies, including the December cyberattack on the UK’s National Health Service and the devastating November attack on Blackbaud, which acted as a vendor to dozens of healthcare providers. Cybersecurity is absolutely crucial in this most tightly-regulated of industries, and healthcare professionals should learn as much as they can about emerging cyber threats. Cyber Security Hub’s Summit for Healthcare and Life Sciences is a two-day event where industry leaders will advise healthcare professionals on how to keep patient data safe throughout 2021.
Cost to attend: Free

Third-Party & Supply Chain Cyber Security Summit
Date: April 14-15, 2021
Location: Online
Securing your own company’s endpoints, devices, and networks is just part of the cybersecurity battle. You also need to ensure that your suppliers, vendors, and other third parties are secure and can take good care of your company’s data. In our article on What is Account Takeover (ATO)?, we look at the devastating attacks that can emerge from your supply chain. This two-day event from the Growth Innovation Agility (GIA) Global Group features speakers from Yandex, ENISA, GlaxoSmithKline, and Huawei. You’ll learn how much of your company’s data is really under its control, and how to manage risk when working with third parties.
Cost to attend: Free

11th ACM Conference on Data and Application Security and Privacy (CODASPY)
Date: April 26-28, 2021
Location: Online (possible in-person enrolment available in the US, exact location TBC)
This conference, organized by the Association for Computing Machinery (ACM) Special Interest Group on Security, Audit, and Control (SIGSAC), brings together academics and industry leaders to discuss security and privacy in software development. Applications, including mobile apps, are a key vulnerability of many systems. Read our article on zero-day vulnerabilities to learn about how hackers exploit software weaknesses. Software developers attending CODASPY will learn about cutting-edge research in the cybersecurity of software applications.
Cost to attend: Free

IAPP Global Privacy Summit
Date: April 27-28, 2021
Location: Washington DC
The International Association of Privacy Professionals (IAPP) is a globally-respected coalition of lawyers, developers, consultants, and other experts. The IAPP Global Privacy Summit features over 4000 attendees, at least 125 exhibitors, and more than 250 expert speakers. Privacy and cybersecurity are intertwined, and a business that neglects one does so to the detriment of the other. Applying privacy-focused principles means collecting less personal information, deleting it when necessary, and, of course, storing it securely. The IAPP summit will feature sessions on data breach response, compliance with data protection laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), and privacy engineering.
Cost: TBC

CyberUK 2021
Date: 11-12 May, 2021
Location: International Convention Centre Wales, Newport, Wales
CyberUK is hosted by the UK’s National Cyber Security Centre (NCSC), a government unit that advises on cybersecurity. It’s one of the UK’s most important cybersecurity events and is a “must-attend” for industry leaders.
The program for 2021 has not yet been set, but expect a full and varied range of talks, demos, and workshops. The last CyberUK agenda included sessions on identifying supply chain risks, building the cybersecurity profession, and using machine learning to boost defences.
Cost to attend: Free for public sector employees. Private sector employees: Early bird: £849 + tax. Standard rate: £999 + tax

RSA Conference San Francisco
The theme for this year’s fully virtual RSAC? Resilience. While a full list of speakers hasn’t been released, you can see what Linda Gray Martin, VP of RSA Conference, has to say about what you should expect in this video. “See” you there! Did you know 2021 marks the 30th anniversary of this event?

Infosecurity Europe 2021
Date: June 8-10, 2021
Location: Olympia London, Hammersmith, London
Infosecurity Europe features an eclectic range of exhibitors and networking opportunities for cybersecurity leaders across all industries. Many key players in cybersecurity are exhibiting in 2021, including Avast, Bitdefender, and SolarWinds. Public bodies, including the UK Department for Digital, Culture, Media and Sport (DCMS) and National Cyber Security Centre (NCSC), are also represented.
Cost to attend: TBC

National Cyber Summit 2021
Date: June 8-10, 2021
Location: Huntsville, Alabama
The National Cyber Summit focuses on education, collaboration, and innovation, bringing together experts from government, academia, and industry to deliver an innovative, diverse, and accessible event. Speakers will include Robert Powell, Senior Advisor for Cybersecurity at NASA, Katie Arrington, Chief of Information Security Acquisition at the US Department of Defense, and Merritt Baer, Principal Security Architect at Amazon Web Services.
Cost to attend: Full Access: Standard — $570, Onsite — $610. Student, Teacher/Faculty: Standard — $175, Onsite — $200. Government: Free.
Regulatory Compliance Conference
Date: June 13-16
Location: Hyatt Regency, San Diego, California
With nations worldwide passing ever-stricter privacy and security laws, your business should take every opportunity to learn how best to remain compliant. Join “the nation’s top risk-based thinkers” to discuss the most pressing issues in regulatory compliance. This conference from the American Bankers Association features over 50 sessions to help banking and fintech organizations comply with consumer protection and data security regulations. Want to know more about balancing your security and compliance obligations? Read Security vs. Compliance: What’s The Difference?
Cost to attend: TBC

British Legal Technology Forum 2021
Date: July 6, 2021
Location: Billinghurst, London
The British Legal Technology Forum is Europe’s biggest legal technology conference and exhibition, featuring 2,500 square meters of exhibition space. BLTF 2021 is a crucial event for legal professionals, featuring talks from Prof. Richard Susskind, President of the Society for Computers & Law, and Bruna Pellicci, CTO at Linklaters. Bonus: Tessian is the headline sponsor! Want to learn more about how Tessian helps lock down email and prevent breaches for some of the world’s top law firms? Read our customer stories.
Cost to attend: Free

International Conference on Cyber Security (ICCS) 2021
Date: July 19-22, 2021
Location: Fordham University, New York
The International Conference on Cyber Security (ICCS), a collaboration between the FBI and Fordham University, is among the world’s premier cybersecurity events. Esteemed speakers from around the world will discuss how to address cyber threats in the private, government, academic, and law enforcement sectors. The 2021 agenda remains a work-in-progress, but previous ICCS events have featured presentations from the Director of National Intelligence (DNI), FBI, CIA, and NSA. Registration is limited to just 300 attendees.
Cost to attend: $995.
Cyber Security Tutorial (CST) and Law Enforcement Workshop (LEW): an extra $75 per session.

Cybersecurity Digital Summit for EMEA 2021
Date: October 19-20, 2021
Location: Online
This Cybersecurity Digital Summit, hosted by Cyber Security Hub, is a two-day event focusing on the main threats affecting the Europe, Middle East, and Africa (EMEA) region. The summit follows on from Cyber Security Hub’s events focusing on the Americas and Asia Pacific (APAC) regions. According to Cyber Security Hub’s publicity, the EMEA region “seems to set the course for the regulatory framework that APAC (Asia Pacific) and the Americas are adopting.” Whether you’re a cybersecurity professional working in the EMEA region, or you’re based elsewhere and hoping to understand the threats emerging from EMEA, this event is for you.
Cost to attend: Free

We’ll be updating this throughout 2021. For the latest updates – including industry insights, new research, and company news – subscribe to our newsletter.
Customer Stories, DLP
Why Caesars Entertainment Chose Tessian as Their Complete Outbound Email Security Solution
By Maddie Rosenthal
Thursday, January 7th, 2021
Company: Caesars Entertainment UK
Industry: Entertainment
Seats: 250
Solutions: Guardian and Enforcer

About Caesars Entertainment UK
In 2006, Caesars Entertainment – the world’s largest casino entertainment company, best known for properties such as Caesars Palace, Planet Hollywood, and Harrah’s – acquired London Clubs International. The current seven casinos in the UK form Caesars Entertainment UK. While the organization is passionate about delivering exceptional gaming entertainment and proud to offer customers unrivaled networks and benefits, they’re also active in the community, sponsoring and supporting a number of charities, including YGAM, GamCare, and The Gordon Moody Association. To help prevent both accidental data loss and malicious data exfiltration, Caesars has deployed Tessian Guardian and Enforcer as a complete outbound email security solution to protect 250 employees. Tessian solves three key problems for Caesars, which we explore in the Q&A interview below. Or, you can keep reading for a summary of the discussion.

1. An honest mistake on email almost caused a data breach
Oftentimes, cybersecurity solutions are purchased retroactively, meaning after a breach has occurred. But, for Charles Rayer, Group IT Director at Caesars Entertainment UK, Tessian was a proactive investment, prompted by a near-miss. Here’s what happened: a customer relations advisor was sending emails to the casino’s VIPs. But, in one email, the employee accidentally attached the wrong document, which was a spreadsheet containing personal information related to some of their top 100 customers. Luckily, they also spelled the email address incorrectly, so it was never actually sent. Nonetheless, it was a wake-up call for Charles and his team.
So, what would the consequences have been if the email had actually gone through? Charles explained, saying, “We’re covered by the GDPR and the Sarbanes-Oxley Act because we’re a public listing with US parent companies which means, had the email been sent, we would have had to report it which is a long process. And, even though we had security solutions in place, we would have most likely received a fine. But for us, the biggest issue would have been the reputational damage. If that personal information did fall into the wrong hands, what would they do with it? Would they use it for their own personal benefit? Would they use it against us?” With Tessian Human Layer Security Intelligence, Charles now has clear visibility of misdirected emails – what he previously considered an “iceberg threat” – and, because Tessian Guardian automatically prevents emails from being sent to the wrong person, Charles feels confident that a simple mistake won’t cost Caesars its reputation. “It’s an issue of human error. We truly believe people are 100x more likely to accidentally mishandle data than to do it deliberately. So how do you solve it? There are thousands of solutions that categorize emails, look for strings of numbers, and identify keywords based on rules. But they don’t help in this situation. Tessian does. It knows – and continues learning – what conversations you normally have with people and can pick up when something’s off. That’s the feature that really stood out to us,” Charles said. To learn more about how Tessian Guardian uses historical email analysis, real-time analysis, natural language processing, and employee relationship graphs to detect and prevent misdirected emails, download the data sheet.

2. Other solutions triggered 10x as many false positives as real events
While – prior to deploying Tessian – Charles didn’t have any technology in place to prevent misdirected emails, he did have a solution in place to prevent unauthorized emails.
But, because it triggered so many false positives, he and his security team were drowning in alerts, making it impossible to investigate even a fraction of the alleged incidents in real time. It was also disruptive for employees to interact with day-to-day. “I would say on average, we saw 10x as many false positives as real incidents of data exfiltration. Some days you’d have 100 incidents logged, and not one of them would be of merit. It was a deluge of junk, with the occasional useful bit of information,” he explained. Charles pointed out that Tessian, on the other hand, flags just 5-6 unauthorized emails a day company-wide with a false positive rate that’s marginal now, and will only get smaller as it continues to learn from employee behavior and relationships. Yes, that means it gets smarter over time. How? Enforcer analyzes historical email data to understand what “normal” content, context, and communication patterns look like. The technology uses this understanding alongside real-time analysis to predict whether or not an outbound email is a data exfiltration attempt. That means Charles and his team can actually investigate each and every incident and, when employees do see a warning, they interact with it instead of ignoring it.
Want to learn more about how Tessian Enforcer’s machine learning algorithms get smarter over time? You can get more information here.

3. Employees in the entertainment industry handle highly sensitive data – but not all of them
As Charles pointed out, employees working in the entertainment industry – especially those who work in customer service – handle a lot of sensitive information. That means that mistakes – like sending a misdirected email or emailing a contract to a personal email address to print at home – can have big consequences. It also means employees may be motivated to exfiltrate data for a competitive advantage or financial gain. Charles has seen all of the above. “Not just our sector, but all sectors in the entertainment industry are based around customer service and personal contact. That means we have to know a lot about our customers. And that information is valuable. It’s information people want which means we have to make sure we protect it,” he explained. But, not all employees have access to the same type of information. Customization, therefore, was important to Charles, who said, “We have a number of employees who don’t actually have access to sensitive information and a number of employees who don’t email anyone external. So there’s no point deploying across the entire company. We wanted to focus on people who deal with customers. Likewise, not everyone who has been onboarded is in the same internal email group, which means we have to apply different controls and rules to different people. We can do all of this easily with Tessian.” While Tessian does offer 100% automated threat prevention, we know that for security strategies to be truly effective, technology and in-house policies have to work together. With Tessian Constructor, security leaders can create personalized rules and policies for individuals and groups.
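The two outbound failure modes in this story – a misspelled recipient domain on a VIP mailing, and a contract sent to a personal webmail account – both come down to comparing one outgoing message against what the sender normally does. The following is an added example written for this page, not Tessian’s code or any description of how Guardian or Enforcer actually work: it builds a per-sender baseline of recipient domains from constructed sent-mail history, then flags a never-seen domain that closely resembles a frequent one (likely typo) and an attachment going to a freemail or never-seen domain (exfiltration candidate). The history, the freemail list and the 0.85 similarity threshold are all assumptions chosen for the illustration.

```python
"""Added example (not Tessian's code): baseline-and-compare checks for
outbound email. History, freemail list and threshold are constructed."""
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Assumed list of personal webmail domains (a policy choice for this example).
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Assumed threshold: a never-seen domain this similar to a known one is
# treated as a probable typo rather than a genuinely new correspondent.
SIMILARITY = 0.85

# Constructed sent-mail history as (sender, recipient) pairs.
HISTORY = [
    ("cr@caesars.example", "vip1@mayfair-club.co.uk"),
    ("cr@caesars.example", "vip2@mayfair-club.co.uk"),
    ("cr@caesars.example", "events@mayfair-club.co.uk"),
    ("cr@caesars.example", "ops@caesars.example"),
]


def build_baseline(history):
    """Per sender: how many times each recipient domain has been written to."""
    baseline = defaultdict(Counter)
    for sender, rcpt in history:
        baseline[sender][rcpt.rsplit("@", 1)[1].lower()] += 1
    return baseline


def check_outbound(baseline, sender, recipients, has_attachment):
    """Return warnings for one outgoing message; an empty list means 'normal'."""
    known = baseline.get(sender, Counter())
    warnings = []
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[1].lower()
        if domain in known:
            continue  # an established correspondent, nothing to say
        # Misdirection check: never-seen domain that nearly matches one the
        # sender writes to often (most frequent first, stop at first hit).
        for known_domain, _ in known.most_common():
            ratio = SequenceMatcher(None, domain, known_domain).ratio()
            if ratio >= SIMILARITY:
                warnings.append(
                    f"{rcpt}: possible typo of {known_domain} (similarity {ratio:.2f})"
                )
                break
        else:
            # Exfiltration check: only attachments to unfamiliar domains matter
            # here; plain text to a new contact is ordinary business.
            if has_attachment and domain in FREEMAIL:
                warnings.append(f"{rcpt}: attachment to personal webmail domain")
            elif has_attachment:
                warnings.append(
                    f"{rcpt}: attachment to a domain {sender} has never emailed"
                )
    return warnings


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    for rcpts, attach in (
        (["vip3@mayfair-club.co.uk"], True),   # new person, known domain
        (["vip1@mayfiar-club.co.uk"], True),   # transposed letters
        (["me@gmail.com"], True),              # contract to webmail
    ):
        print(rcpts, check_outbound(bl, "cr@caesars.example", rcpts, attach))
```

A real deployment would key the baseline on the individual recipient as well as the domain, decay old history, and learn the threshold per sender; the point of the toy is that the warning only fires when the message departs from that sender’s own pattern, which is what keeps the alert volume down compared with keyword rules.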
Learn more about how Tessian prevents human error on email
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships.
Tessian Guardian automatically detects and prevents misdirected emails
Tessian Enforcer automatically detects and prevents data exfiltration attempts
Tessian Defender automatically detects and prevents spear phishing attacks
Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however you work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Human Layer Security, Spear Phishing
Must-Know Phishing Statistics: Updated 2021
By Maddie Rosenthal
Thursday, January 7th, 2021
Phishing attacks aren’t a new threat. In fact, these scams have been circulating since the mid-’90s. But, over time, they’ve become more and more sophisticated, have targeted larger numbers of people, and have caused more harm to both individuals and organizations. That means that this year – despite a growing number of vendors offering anti-phishing solutions – phishing is a bigger problem than ever. The problem is so big, in fact, that it’s hard to keep up with the latest facts and figures. That’s why we’ve put together this article. We’ve rounded up the latest phishing statistics, including:
The frequency of phishing attacks
The tactics employed by hackers
The data that’s compromised by breaches
The cost of a breach
The most targeted industries
The most impersonated brands
Facts and figures related to COVID-19 scams
Looking for something more visual? Check out this infographic with key statistics.
If you’re familiar with phishing, spear phishing, and other forms of social engineering attacks, skip straight to the first category of 2020 phishing statistics. If not, we’ve pulled together some of our favorite resources that you can check out first to learn more about this hard-to-detect security threat.
How to Identify and Prevent Phishing Attacks
What is Spear Phishing?
Spear Phishing Demystified: The Terms You Need to Know
Phishing vs. Spear Phishing: Differences and Defense Strategies
How to Catch a Phish: A Closer Look at Email Impersonation
CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives
Business Email Compromise: What it is and How it Happens
Whaling Attacks: Examples and Prevention Strategies

The frequency of phishing attacks
According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing. While this is down 6.6% from the previous year, it’s still the “threat action variety” most likely to cause a breach. The frequency of attacks varies industry-by-industry (click here to jump to key statistics about the most phished). But 88% of organizations around the world experienced spear phishing attempts in 2019. Another 86% experienced business email compromise (BEC) attempts. But, there’s a difference between an attempt and a successful attack. 65% of organizations in the United States experienced a successful phishing attack. This is 10% higher than the global average.

The tactics employed by hackers
96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing.
According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks were: Urgent, Request, Important, Payment, and Attention. Hackers are relying more and more heavily on the credentials they’ve stolen via phishing attacks to access sensitive systems and data. That’s one reason why breaches involving malware have decreased by over 40%.
According to SonicWall’s 2020 Cyber Threat Report, in 2019, PDFs and Microsoft Office files were the delivery vehicles of choice for today’s cybercriminals. Why? Because these files are universally trusted in the modern workplace. When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%).

The data that’s compromised by breaches
The top five “types” of data that are compromised in a phishing attack are:
Credentials (passwords, usernames, PIN numbers)
Personal data (name, address, email address)
Internal data (sales projections, product roadmaps)
Medical (treatment information, insurance claims)
Bank (account numbers, credit card information)
While instances of financially-motivated social engineering incidents have more than doubled since 2015, this isn’t a driver for targeted attacks. Just 6% of targeted attacks are motivated by financial incentives, while 96% are motivated by intelligence gathering and 10% are simply trying to cause chaos and disruption (an attack group can have more than one motive, so these figures do not sum to 100%). While we’ve already discussed credential theft, malware, and financial motivations, the consequences and impact vary. According to one report:
Nearly 60% of organizations lose data
Nearly 50% of organizations have credentials or accounts compromised
Nearly 50% of organizations are infected with ransomware
Nearly 40% of organizations are infected with malware
Nearly 35% of organizations experience financial losses
The cost of a breach
According to IBM’s Cost of a Data Breach Report, the average cost per compromised record has steadily increased over the last three years. In 2019, the cost was $150. For some context, 5.2 million records were stolen in Marriott’s most recent breach. At $150 per record, the cost of that breach could amount to $780 million. But, the average breach costs organizations $3.92 million. This number will generally be higher in larger organizations and lower in smaller organizations. Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2019, BEC scammers made nearly $1.8 billion. That’s over half of the total losses reported by organizations. And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter. This cost can be broken down into several different categories, including:
Lost hours from employees
Remediation
Incident response
Damaged reputation
Lost intellectual property
Direct monetary losses
Compliance fines
Lost revenue
Legal fees
Costs associated with remediation generally account for the largest chunk of the total. Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.

The most targeted industries
While the Manufacturing industry saw the most breaches from social attacks (followed by Healthcare and then Professional services), employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year. According to a different data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest risk industries.
The industries most at risk in companies with 1-249 employees are:
Healthcare & Pharmaceuticals
Education
Manufacturing
The industries most at risk in companies with 250-999 employees are:
Construction
Healthcare & Pharmaceuticals
Business Services
The industries most at risk in companies with 1,000+ employees are:
Technology
Healthcare & Pharmaceuticals
Manufacturing

The most impersonated brands
Earlier this year, Check Point released its list of the most impersonated brands. These vary based on whether the attempt was via email or mobile, but the most impersonated brands overall for Q1 2020 were:
Apple
Netflix
Yahoo
WhatsApp
PayPal
Chase
Facebook
Microsoft
eBay
Amazon
The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information. But, after the outbreak of COVID-19 at the end of Q1, hackers changed their tactics and, by the end of Q2, Zoom was the most impersonated brand in email attacks. Read on for more COVID-related phishing statistics.
Facts and figures related to COVID-19 scams Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April. And, it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87% while attacks on the C-Suite decreased by 37%.
What can individuals and organizations do to prevent being targeted by phishing attacks?
While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action.
Review the email address of senders, not just the display name, and look out for impersonations of trusted brands or people (check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information)
Always inspect URLs in emails for legitimacy by hovering over them before clicking, and compare the domain the link actually points to with the domain shown in the link text
Beware of URL redirects and pay attention to subtle differences in website content
Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply
We’ve created several resources to help employees identify phishing attacks. You can download a shareable PDF with examples of phishing emails and tips at the bottom of this blog: Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks. But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. And, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.
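The manual checks above (who really sent this, where does the link really go, is the subject one of the classic BEC lures) can be turned into code that runs over a raw message before anyone clicks. The block below is an added example written for this page, not Tessian’s code and not a description of how Defender works: it parses an RFC 822 message with Python’s standard library and reports display-name impersonation of a known executive, a Reply-To that leaves the sender’s domain, the Symantec BEC subject words listed earlier, punycode (IDN) hosts in links, and links whose visible text names one domain while the href goes to another. The executive list, the sample message and the regular expressions are constructed for the example, and the rules are heuristics that a real gateway would weight rather than treat as verdicts.

```python
"""Added example (not Tessian's code): rule-based phishing indicator checks
over a raw email message. Executive list and sample message are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed directory of people worth impersonating (constructed).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# The top BEC subject words the article quotes from the Symantec ISTR.
BEC_SUBJECT_WORDS = {"urgent", "request", "important", "payment", "attention"}
# Something that looks like a host name inside the visible text of a link.
DOMAIN_IN_TEXT = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (enough for an example)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def analyse(raw):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower()

    # 1. Display name matches a known executive but the address does not.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")

    # 2. Replies would go to a different domain than the apparent sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"reply-to mismatch: {reply}")

    # 3. Subject built from the classic BEC lure words.
    words = set(re.findall(r"[a-z]+", str(msg.get("Subject", "")).lower()))
    if words & BEC_SUBJECT_WORDS:
        findings.append("BEC-style subject: " + ", ".join(sorted(words & BEC_SUBJECT_WORDS)))

    # 4. Links: IDN hosts, and visible text that names a different domain
    #    than the one the href actually resolves to.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = urlparse(href).hostname or ""
            if host.startswith("xn--") or ".xn--" in host:
                findings.append(f"punycode host in link: {host}")
            m = DOMAIN_IN_TEXT.search(text.lower())
            if m and registrable(m.group(1)) != registrable(host):
                findings.append(f"link text '{text}' but href host {host}")
    return findings


# Constructed sample: a lookalike of the executive plus a lookalike of PayPal.
SAMPLE = """\
From: "Jane Doe" <jane.doe@example-mail.net>
Reply-To: accounts@mailbox-relay.net
To: bob@example.com
Subject: Urgent payment request
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please settle the attached invoice today via
<a href="http://secure-login.xn--pypal-4ve.com/verify">www.paypal.com</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("-", finding)
```

Each finding on its own is weak evidence (mailing lists set Reply-To legitimately, and “payment” appears in plenty of honest subjects), which is why the function returns all of them rather than a single verdict: a practitioner would score and combine them, and a message that trips the impersonation and link checks together is the one worth holding.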
To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.
Human Layer Security, Podcast
Episode 3: Security For The People, Not To The People, With Tim Fitzgerald
By Laura Brooks
Wednesday, January 6th, 2021
In this episode of the RE: Human Layer Security podcast, Tim Sadler is joined by Tim Fitzgerald, the chief information security officer at ARM and former chief security officer at Symantec. Tim believes that people are inherently good, and that treating employees as the weakest link in cybersecurity does them a disservice. Employees just want to do a good job. Sometimes mistakes happen, and those mistakes can compromise security. But rather than blaming them, Tim urges leaders to first ask themselves whether they’ve given their people the right tools and armed them with the right information to help them avoid these mistakes in the first place. In this interview, we talked about the importance of changing behaviours, how businesses can make security part of everybody’s job, and how to get boards on board. And if you want to hear more Human Layer Security insights, all podcast episodes can be found here.

Tim Sadler: As the CISO of ARM, then what are some of the biggest challenges that you face? And how does that affect the way you think about your security strategy?

Tim Fitzgerald: I guess our challenges are, you know, not to be trite, but they’re sort of opportunities as well. That by far, the biggest single challenge we have is ARM’s ethos around information sharing. As I noted, we have a belief, that I think it has proven out to be true over the 30+ years that ARM has been in business, that the level of information sharing has allowed ARM to be extraordinarily successful and innovative. So there’s no backing up from that as an ethos of the company. But that represents a huge amount of challenge because we give a tremendous amount of personal freedom for how people can access our information and our systems, as well as how they use our data to share both internally with our peers, but also with our customers who we’re very deeply embedded with, you know.
We don’t sell a traditional product where we, you know, they buy it, we deliver it to them, and then we’re done. The vast majority of our customers spend years with us developing their own product based on our intellectual property. And so that the level of information sharing that happens in a relationship like that is, is quite difficult to manage, to be candid.

TS: Yeah, it really sounds like you’ve been balancing or having to think about not just the effectiveness of your security strategy or your systems but also that impact to the productivity of employees. So has Human Layer Security been part of your strategy for a long time at ARM or even in your career before ARM?

TF: In my career before ARM, at Symantec. Symantec was a very different company, you know, more of a traditional software sales company. It also had 25,000 people who thought they knew more about security than I did. So that presented a unique challenge in terms of how we work with that community, but even at Symantec, I was thinking quite hard about how we influence behaviour. And ultimately, what it comes down to, for me is that I view my job and human security as somewhere between a sociology and a marketing experiment, right? We’re really trying to change people’s behaviour in a moment, not universally and not their personal ethos. But will they make the right decision in this moment, to do something that won’t create security risk for us? You know, I sort of label that sort of micro transactions. We get these small moments in time, where we have an opportunity to interact with and influence behaviour. And I’ve been sort of evolving that strategy as I thought about it at ARM. It’s a very different place in many respects, but trying to think about, not just how we influence their behaviour in that moment in time, but actually, can we change their ethos? Can we make responsible security decision-making part of everybody’s job?
And I know that there’s not a single security person who will say they’re not trying to do that, right. But actually, that turns out to be a very, very hard problem.  The way that we think about this at ARM is that we have, you know, a centralized security team and I guess, ultimately, security is my responsibility at ARM. But we very much rely on what we consider to be our extended employee, or extended security team, which is all of our employees. Essentially, our view is that they can undo all of the good that we do behind them. But I think one of the things that’s unique about how we look at this at ARM is, you know, we very much take the view that people aren’t the weakest link. That they don’t come with good intent, or they don’t want to be good at their job or that they’re going to take shortcuts just to, you know, get that extra moment of productivity, but actually that everybody wants to do a good job. And our job is to arm them with both the knowledge and the tools to be able to keep themselves secure rather than trying to secure around them.
And, just to finish that thought, we do both, right? I mean, we’re not going to stop doing all the other stuff we do to kind of help protect our people in ways that they don’t even know exist. But the idea for us, here, is actually that we have rare opportunities to empower employees to take care of themselves. One of the things we really like about Tessian is that this is something we’ve done for our employees, not to our employees. It’s a tool that is meant to keep them out of trouble.
TS: Yeah, I think that’s a really, really good point. You know, I think a lot of what you’re talking about here is also security culture, and really establishing a great security culture as a company. And I love that: for employees rather than to employees. I mean, it sounds like you have to, at the core of the organization, be thinking about the concept of human error in the right way when thinking about security decision-making. And I guess, thinking that people are always going to make mistakes. And as you said, it’s just because they, you know, they are people. Maybe walk us through a bit more about how you think, or what advice you might have for some of the other organizations that are on the line today, about how they might talk to, you know, their boards or their other teams about rationalising this risk internally and working with the fact that our employees are only human.
TF: Yeah, for me, this has been the most productive dialogue we’ve had with our board and our executive around security. I think most of you on the phone will recognise that when you go in and you start talking about the various technical layers that we have, that are available to protect our system, the eyes glaze over pretty quickly. And they really just want to know whether or not it works. The human security problem is one that you can get a lot of passion on. In part, because I think it’s an unrecognized risk in the boardroom.
That while the insider – meaning sort of a traditional insider threat that we think about which is a person who’s really acting against our best interest – can be very, very impactful. At least at ARM, and certainly in my prior career, the vast majority of issues that we have, and that have caused us harm over the last several years have been caused by people who do not wish us harm. 
They’ve been people just trying to do their job, and making mistakes or doing the wrong thing, making a bad decision at a moment in time. And trying to figure out how we help them not to do that is a much more difficult problem than trying to figure out how to put in a firewall or put in DLP. So we really try to separate that conversation. There are a lot of things we do to try and catch that person who is truly acting against our best interest, but that actually, in many ways, is a totally different problem. At ARM, what accounts for more than 70% of our incidents, and certainly more than 90% of our loss scenarios, is people just doing the wrong thing. And making the wrong decision, not that they were actively seeking to cause ARM harm. If I might just give a couple of examples, because it helps bring it home. The two most impactful events that we’ve had in the last two years at ARM: one was somebody in our royalties. You know, we sell software, right? So every time somebody produces a chip, we get paid. So that’s a good thing for ARM. But having somebody’s royalty forecast gives you a really good sense of what markets they intend to enter and where they tend to go as a company. And most of our customers compete with each other because they’re all selling similar chips, software design into various formats. So one customer having somebody else’s data would be hugely impactful. And in fact, that’s exactly what we did not that long ago. Somebody pulled down some pertinent information for a customer into a spreadsheet, and then fat-fingered an email and sent it to the wrong customer. Right, they sent it to Joan at Customer X instead of Joan at Customer Y. And that turned out to be a hugely impactful event for us as a company, because this is a major relationship and we essentially disclosed a strategic roadmap from one customer to another. A completely avoidable scenario.
And it is a situation where that employee was trying to do their best for their customer and ultimately made a mistake.
TS: Thanks for sharing that example with us. I think it’s a really, really good point. And I think for a long time in security, we were talking about insider threats, and people immediately think about malicious employees and malicious insiders. And I think it’s absolutely true what you say, that the reality is that most of your employees are, you know, trustworthy and want to do the right thing. But they sometimes make mistakes. And when you’re doing something as often as, say, sending an email or sharing data, the errors can be disastrous, and they can be frequent as well…
TF: …it’s the frequency that really gets us, right? So insider threat – the really bad guy who’s acting against our best interest. We have a whole bunch of other mechanisms that, while still hard, we have some other mechanisms to try and find them. That’s infrequent, high impact. What we’re finding is that the person who makes a mistake is high frequency, medium to high impact. And so we’re just getting hammered on that kind of stuff. And the reason we came to Tessian in the first place was to address that exact issue. And I really believe in where you guys are going in terms of trying to address the risk associated with people making bad choices versus acting against our interest.
TS: This concept of high frequency, I think, is super interesting. And one of the questions I was actually going to ask you was around that. Hackers and cyber attacks get all the attention because these are the scary things. And naturally, it’s what, you know, boards want to talk about, and executives want to talk about. Accidents almost seem less scary. So they get less focus. But this frequency point of how often we share data. We send emails, and it, you know, has analogies in other parts of our lives as well, like, we don’t think twice before we get in a car.
But actually, you know, it’s very easy to have human error there. Things can also be really bad. Do you think we need to do more to educate, again, our boards, our executive teams and our employees to actually sort of open their eyes to the fact that inadvertent human error or accidents can be just as damaging as attackers or cyber attacks?
TF: Yeah, it depends on the organization. But I would suggest that generally, we do need to do more. We, as an industry, have had a lot of amazing things to talk about to get our boards’ attention over the last 10 years. These major events and loss scenarios, often perpetrated by big hacking groups, sometimes nation-sponsored, are very sexy to talk about, and we use that as justification for the reason we need to invest in security. And actually, there’s a lot of legitimacy behind that. Right. It’s not that that’s fake messaging. It’s just part of the narrative. The other side of the narrative is that, you know, we spend more time on that now than we do on nation-state type threats. Because what we’re finding is not only by frequency, but by impact right now, the vast majority of what we’re dealing with is avoidable events, based on human error, and perhaps predictable human error. I very much chafe at the idea that we think of our employees as the weakest link, right? I think it sort of underserves people’s intent and how they choose to operate. So rather than that, we try to take a look in the mirror and say, what are we not providing these people in order to help them avoid these types of scenarios? And I think if you change your perspective on that, rather than see people as an intractable problem, and therefore we can’t, you know, we can’t conquer this. If we start thinking about how we mobilise them as part of our overall cybersecurity strategy and defense mechanisms, it causes you to rethink whether or not you’re serving your populace correctly.
And I think in general, not only should we be talking to our senior executives and boards more, more clearly about where real risk exists, which for most companies is right in this zone. But we need to be doing more to help those people combat rather than casting blame or thinking that the average employee is not trustworthy, or will do the wrong thing.  You know, I’m an optimist. So I genuinely believe that’s not true. I think if we give people the opportunity to make a good decision, and we make the easiest path to get their job done, the secure path, they will take it. That is our job as security professionals.
TS: Yeah, I think the huge point there, and, you know, the word that was jumping out for me, is this concept of empowerment. And I think it is strange sometimes when you look at a lot of security initiatives that companies deploy, and how we almost don’t factor in the impact they will have on an employee’s productivity. And I guess at Tessian, we’re great believers that, you know, the greatest technology we’ve created has really empowered society. So it’s made people’s lives better. And we think that security technology should not only keep people safe, but it should do it in a way that empowers them to do their best work. When you were sort of thinking about how to solve this problem of inadvertent human error on email, people sending emails to the wrong people, or dealing with the issue of phishing and spear phishing, what consideration did you have for other solutions that were out there? You know, what did Tessian address for you that you couldn’t quite address with those other platforms?
TF: Yeah, a couple of things. So coming from Symantec, as you might expect, I used all of their technology extensively, and one of the best products Symantec offers is their DLP solution. So I’m very, very familiar with that. And I would argue we had one of the more advanced installations in the world running internally at Symantec. So I’m extremely familiar with the capability of those technologies. I think what I learned in my time doing that is, when used correctly in a finite environment, a finite data set, that type of solution would be very, very effective in keeping that data where it’s supposed to be and understanding movement in that ecosystem. When you try and deploy that broadly, it has all the same problems as everything else does: you start to run into the inability of the DLP system to understand where that data is supposed to be. Is this person supposed to have it based on their role and their function? It’s not a smart technology like that.
So you end up trying to write these very, very complex rules that are hard to manage. What I liked about Tessian is that it gave us an opportunity to use the machine learning in the background to try and develop context about whether or not something that somebody was doing was either atypical, or perhaps just, by its very nature, maybe it’s not atypical, maybe it’s actually part of a bad process. But by the very nature of the type of information they’re sending around and the characteristics of that information, we can get a sense of whether or not what they’re doing is causing us a risk. So it doesn’t require recipes, completely prescriptive about what we’re looking for. It allows us to learn with the technology and with the people on what normal patterns of behaviour look like, and therefore intervene when it matters, and not sort of having to react every time another bell goes off. To be clear, we still use DLP in very limited circumstances. But what we found is that it was not really a viable option for us, particularly in the email stream, to be able to accurately identify when people were doing things that were risky, versus, you know, moving a very specific data set that we didn’t want them to.
TS: Yeah, that makes a tonne of sense. And then if you’re thinking about the future, and sort of, you know, what you hope Tessian can actually become, you know, where does it go from here? What’s the opportunity for Tessian as a Human Layer Security platform?
TF: Yeah, I recall back to talking to you guys, I guess, last spring, and one of the things I was poking at was, you have all this amazing context of what people are doing in email, and that’s where people spend most of their time. It’s where most of the risk comes from for most organizations. So how can we turn that into something beyond just, you know, making sure someone doesn’t fat-finger an email address, or they’re not sending a sensitive file where it’s not supposed to go?
Or, you know, the other use cases that come along with Tessian? Can we take the context that we’re gaining through how people are using email, and create more of those moments in time to connect with them, to become more predictive? Where we start to see patterns of behaviour of individuals that would suggest to us that they are either susceptible to certain types of risk, or, you know, are likely to take a particular action in the future. There’s a tremendous amount of knowledge that can be derived from that context, particularly if you start thinking about how you can put that together with what would traditionally be kind of the behavioural analytics space. Can we start to mesh together what we know about the technology and the machines with real human behaviour and, therefore, have a very good picture that would help us? It would help us not only to find those actual bad guys who were in our environment that we know were there, but also to get out in front of people’s behaviour, rather than reacting to it after it happened. And that, for me, that’s kind of the holy grail of what this could become. If not predictive, at least start leading us towards where we think risk exists, and allowing us an opportunity to intervene before things happen.
TS: That’s great, Tim, thanks so much for sharing that with us.
TS: It was great to understand how Tim has built up his security strategy so that it aligns with, and also enhances, the overall ethos of the company. More information sharing equals a more innovative and more successful business. I particularly liked Tim’s point when he said that businesses should make the path of least resistance the most secure one. And by doing that, you can enable people to make smart security decisions and build a more robust security culture within an organization. As Tim says, it’s security for the people, not to the people. And that’s going to be so important as ways of working change.
If you enjoyed our show, please rate and review it on Apple, Spotify, Google or wherever you get your podcasts. And remember you can access all the RE:Human Security Layer podcasts here.   
Tessian Culture
Seriously Tech, It’s Time to Ditch the Zero-Sum Game
By Sabrina Castiglione
Wednesday, January 6th, 2021
In the spirit of the late-90s classic, 10 Things I Hate About You, here are 10 things I hate about how my industry thinks about Diversity:
1. Assuming Diversity = Inclusion
2. 1D-diversity: focus on only one of gender, race, sexuality, etc.
3. Diversity as just a hiring problem
4. Inclusion as just a People/HR team problem
5. Ending the convo after unconscious bias training
6. PR without follow-through
7. Leaving D&I to the affinity groups
8. Assuming Equality = Equity
9. Lack of measurement
10. The Zero-Sum Game
I could talk about any of these, but the zero-sum game is the one that doesn’t get spoken about anywhere near enough.
An example: The gender gap in tech
Here’s a simplified version where we take gender as an example. To make the numbers easier to understand, let’s imagine that the tech industry is 75% male, 25% female (this is generous; women make up c. 24% of technology positions).
Every tech company: ‘We want a 50/50 gender balance.’ Does dedicated diversity sourcing, asks for diverse shortlists, shouts a lot about diversity, has a fancy policy, etc. etc.
Also many tech companies: Does nothing to improve the gender diversity of the overall industry pool.
This is crazy. If there were 100 tech workers in the whole world, 25 were female and 75 were male, and there were two 50-person tech companies out there… if one of those companies actually achieved a 50/50 gender split, the other company would be at 0/100. This is, at best, a local, not a global, success. The tech industry’s diversity push becomes a never-ending tug of war; that is the zero-sum game, and it is the approach most tech companies take.
So what does really caring about diversity look like? TL;DR: bringing up a more diverse next generation.
Stereotypes are insidious and start at an early age – way before workers enter the workforce, even before students pick the disciplines in school that affect how they enter the workforce. There’s even evidence to suggest these stereotypes are there before children learn to read. And these stereotypes tell minorities that technical, high-paying jobs in tech aren’t for people like them. We’re only going to solve the diversity problem in tech by going to the source, where there are two issues:
1. Not enough diverse people entering the technology workforce (whether out of school or switching later in life); and
2. The pipeline is leaky – diverse candidates are more likely to exit the tech industry (for caring duties, personal reasons, or discrimination) than those in the majority.
Inclusion initiatives should help with the second facet – and there’s been great work by many tech companies to shift to more human-first working patterns, practices and policies to shore up the leaks. But there is a lot of work to do to combat the first challenge & get more people into tech in the first place.
What you can do to support diversity in tech
So, tech companies out there, here are three things you can do to get us out of this zero-sum game:
1. Support early-age initiatives
Awareness of future career opportunities in diverse populations is a challenge. At Tessian, we’ve been working with organisations such as the WISE Campaign’s Young Professionals’ Board, whose mission is to inspire, engage and advocate for the next generation of STEM (science, technology, engineering and maths). Gisela Rossi, Tessian engineer and WYPB member, has been supporting initiatives such as the Tara Binns book series, working to break down stereotypes in children aged 5-11, and running competitions to engage children in these industries. There are many great organisations out there, such as the WISE Campaign and STEM.org, but don’t just donate dollars – donate voices, and donate time.
2. Go back to school
On that note, volunteering initiatives are powerful. We encourage our Tessians to take volunteer days and reach out to schools to raise the profile of voices in tech, and evangelize that tech can be for anyone. Don’t just leave it to teachers – show the promise of these roles to the next generation, don’t just tell them about it. A quick tip is to reach out to local schools – especially those that lack the resources to explore these subjects. Local alumni speakers who are actually in these industries are a quick and simple way to show children that there are real opportunities out there for all people – including people like them.
3. Grads, grads, grads (and career changers)
Yes, you need diversity at the top too, but if all your roles demand 5+ years of experience, the next generation of diverse candidates is never going to arrive. As soon as you reach a critical mass, you need entry-level programs and paid internships – and yes, they have to be paid, because unpaid internships are only viable for those who can already afford not to bring in earnings.
What about at Tessian?
At Tessian, we were fewer than 15 people when we hired our first intern, and we’ve run paid internships (sometimes in full-blown programs, sometimes ad hoc) and brought in young talent ever since. And we’re hiring our next engineering grad intake now. Yes, it’s going to eat up some management time, but in my view, any tech company with a decent cash balance that isn’t running either paid internships or entry-level programs isn’t taking diversity seriously in a meaningful sense. Doing the right thing, and running a human-first company, can be hard; the benefit of these initiatives will be felt by the tech industry in 10 or 20 years’ time, not the tech industry of today. The ROI in your one-to-three-year business plan isn’t going to bear the fruit of these initiatives, but folks, we have to solve this: we have a huge skills gap in tech and cyber security, where there are high-paid jobs sitting vacant for lack of interest and training. As an industry with so much promise and so much investment, we need to stop looking inwards and start looking outwards to the global tech ecosystem, or our diversity initiatives will just be us forever chasing our tail.
Data Exfiltration, DLP, Human Layer Security, Spear Phishing
Worst Email Mistakes at Work and How to Fix Them
By Maddie Rosenthal
Tuesday, January 5th, 2021
Everyone makes mistakes at work. It could be double-booking a meeting, attaching the wrong document to an email, or misinterpreting directions from your boss. While these snafus may cause red-faced embarrassment, they generally won’t have any long-term consequences. But what about mistakes that compromise cybersecurity? This happens more often than you might think. In fact, nearly half of employees say they’ve done it, and employees under 40 are among the most likely.
In this article, we’ll focus on email mistakes. You’ll learn:
The top five email mistakes that compromise cybersecurity
How frequently these incidents happen
What to do if you make a mistake on email
I sent an email to the wrong person
At Tessian, we call this a misdirected email. If you’ve sent one, you’re not alone. 58% of people say they’ve done it and, according to Tessian platform data, at least 800 are fired off every year in organizations with over 1,000 people. It’s also the number one security incident reported to the Information Commissioner’s Office (ICO) under the GDPR. (More on the consequences related to data privacy below.)
Why does it happen so often? Well, because it’s incredibly easy to do. It could be a simple typo (for example, sending an email to [email protected] instead of [email protected]) or it could be an incorrect suggestion from autocomplete.
What are the consequences of sending a misdirected email?
While we’ve written about the consequences of sending an email to the wrong person in this article, here’s a high-level overview:
Embarrassment
Fines under compliance standards like GDPR and CCPA
Lost customer trust and increased churn
Job loss
Revenue loss
Damaged reputation
Real-world example of a misdirected email
In 2019, the names of 47 claimants who were the victims of sexual abuse were leaked in an email from the program administrator after her email client auto-populated the wrong email address. While the program administrator maintains that this doesn’t qualify as a data leak or breach, the recipient of the email – who worked in healthcare and understands data privacy requirements under HIPAA – continues to insist that the 47 individuals must be notified. As of September 2020, they still haven’t been.
I attached the wrong file to an email
Employees can do more than just send an email to the wrong person. They can also send the wrong file(s) to the right person. We call this a misattached file and, like fat-fingering an email address, it’s easy to do. Two files could have similar names, you may not attach the latest version of a document, or you might click on the wrong file entirely.
What are the consequences of sending a misattached file?
As you may have guessed, the consequences are the same as the consequences of sending a misdirected email. Of course, the consequences depend entirely on what information was contained in the attachment. If it’s a presentation containing financial projections for the wrong client or a spreadsheet containing the PII of customers, you have a problem.
Real-world example of sending the wrong attachment
A customer relations advisor at Caesars Entertainment UK – a part of Caesars Entertainment – was sending emails to the casino’s VIPs. In the emails, the employee was meant to attach a customized invitation to an event. But, in one email, the employee accidentally attached the wrong document, which was a spreadsheet containing personal information related to some of their top 100 customers. Luckily, they also spelled the email address incorrectly, so it was never actually delivered.
Charles Rayer, Group IT Director, details the incident – and explains why this prompted him to invest in Tessian Guardian – in a Q&A. You can watch the interview here.
I accidentally hit “reply all” or cc’ed someone instead of bcc’ing them
Like sending a misdirected email, accidentally hitting “reply all” or using cc instead of bcc are both easy mistakes to make.
What are the consequences of hitting “reply all” or cc instead of bcc?
As you may have guessed, the consequences are the same as the consequences of sending a misdirected email. And, importantly, the consequences depend entirely on what information was contained in, or attached to, the email. For example, if you drafted a snarky response to a company-wide email and intended to send it to a single co-worker but ended up firing it off to everyone, you’ll be embarrassed and may worry about your professional credibility. But, if you replace that snarky response with a spreadsheet containing medical information about employees, you’ll have to report the data loss incident, which could have long-term consequences.
Real-world example of hitting “reply all”
In 2018, an employee at the Utah Department of Corrections accidentally sent out a calendar invite for her division’s annual potluck. Harmless, right? Wrong. Instead of going to 80 people, it went to 22,000; nearly every employee in Utah state government. While there were no long-term consequences (i.e., it wasn’t considered a data loss incident or breach), it does go to show how easily data can travel and land in the wrong hands.
Real-world example of cc’ing someone instead of bcc’ing them
On January 21, 2020, 450 customer email addresses were inadvertently exposed after they were copied, rather than blind copied, into an email. The email was sent by an employee at speaker-maker Sonos and, while it was an accident, under GDPR the mistake is considered a potential breach.
I fell for a phishing scam
According to Tessian research, 1 in 4 employees has clicked on a phishing email. And the odds aren’t exactly in our favor: in 2019, 22% of breaches involved phishing… and 96% of phishing attacks start on email. (You can find more phishing statistics here.) Like sending an email to the wrong person, it’s easy to do, especially when we’re distracted, stressed, or tired. But it doesn’t just come down to psychology. Phishing scams are getting harder and harder to detect as hackers use increasingly sophisticated techniques to dupe us.
What are the consequences of falling for a phishing scam?
Given the top five “types” of data that are compromised in phishing attacks (see below), the consequences of a phishing attack are virtually limitless. Identity theft. Revenue loss. Customer churn. A wiped hard drive. The top five “types” of data that are compromised in a phishing attack are:
Credentials (passwords, usernames, PINs)
Personal data (name, address, email address)
Internal data (sales projections, product roadmaps)
Medical (treatment information, insurance claims)
Bank (account numbers, credit card information)
Real-world example of a successful phishing attack
In August 2020, the SANS Institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 records of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding, malicious Office 365 add-on; the add-on set up a forwarding rule that quietly sent mail out of the account.
While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. And most phishing attacks have serious consequences. According to one report, 60% of organizations lose data, 50% have credentials or accounts compromised, 50% are infected with ransomware, and 35% experience financial losses.
I sent an unauthorized email
As part of a larger cybersecurity strategy, most organizations will have policies in place that outline what data can be moved outside the network and how it can be moved. Generally speaking, sending data to personal email accounts or third parties is a big no-no. At Tessian, we call these emails “unauthorized”, and they’re sent 38x more often than IT leaders estimate. Tessian platform data shows that nearly 28,000 unauthorized emails are sent in organizations with 1,000 employees every year. So, why do people send them? It could be well-intentioned. For example, sending a spreadsheet to your personal email address to work on over the weekend. Or it could be malicious. For example, sending trade secrets to a third party in exchange for a job opportunity.
What are the consequences of sending an unauthorized email?
Whether well-intentioned or malicious, the consequences are the same: if the email contains data, it could be considered a data loss incident or even a breach. In that case, the consequences include:
Lost data
Lost intellectual property
Revenue loss
Losing customers and/or their trust
Regulatory fines
Damaged reputation
No sensitive data involved? The consequences will depend on the organization and existing policies. But you should (at the very least) expect a warning.
Real-world example of an unauthorized email
In 2017, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t.
The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes. You can find more real-world examples of insider threats in this article: Insider Threats: Types And Real-World Examples
How can I avoid making mistakes on email?
The easiest answer is: be vigilant. Double-check who you’re sending emails to and what you’re sending. Make sure you understand your company’s policies when it comes to data. Be cautious when responding to requests for information or money. But vigilance alone isn’t enough. To err is human and, as we said at the beginning of this article, everyone makes mistakes. That’s why, to prevent email mistakes, data loss, and successful targeted attacks, organizations need to implement email security solutions that prevent human error. That’s exactly what Tessian does. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships.
Tessian Guardian automatically detects and prevents misdirected emails
Tessian Enforcer automatically detects and prevents data exfiltration attempts
Tessian Defender automatically detects and prevents spear phishing attacks
Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. That means it gets smarter over time to keep you protected, always. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
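To make three of the mistakes above concrete, here is a small pre-send recipient check of the kind a practitioner might wire into a mail gateway or a client add-in. It is an added example, not Tessian’s code, and it is not a description of how Tessian Guardian or Enforcer work; the free-mail domain list, the Bcc threshold, the known-contact domains and the sample drafts are all constructed for the demonstration. It flags an unknown recipient domain that is a keystroke or two away from one the sender already corresponds with (the misdirected email), a run of external recipients exposed to each other in To/Cc (the cc-instead-of-bcc case), and mail to a personal webmail domain, most suspicious when the mailbox name matches the sender’s (the unauthorized email).

```python
"""Pre-send recipient checks for the mistakes discussed in this article.

Added example, not Tessian's code. The free-mail domain list, the Bcc
threshold, the contact domains and the sample drafts are all constructed
for the demonstration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Domains that usually mean a personal, not corporate, mailbox (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "yahoo.com", "icloud.com", "protonmail.com"}

# This many visible external recipients, from more than one organisation,
# usually means the sender meant to use Bcc (assumed threshold).
BCC_THRESHOLD = 5

# A recipient domain this close (in keystrokes) to a known one is a likely typo.
TYPO_DISTANCE = 2


@dataclass
class Message:
    sender: str
    to: list[str]
    cc: list[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def local_part(address: str) -> str:
    return address.rsplit("@", 1)[0].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_message(msg: Message, known_domains: set[str]) -> list[str]:
    """Return warnings for a draft; an empty list means nothing looked risky.

    known_domains: domains the sender has legitimately mailed before. A real
    deployment derives this from sent-mail history; here the caller supplies it.
    """
    warnings: list[str] = []
    own = domain_of(msg.sender)
    trusted = known_domains | {own}
    visible = [a.lower() for a in msg.to + msg.cc]

    for addr in visible:
        dom = domain_of(addr)
        # Misdirected: an unknown domain a keystroke or two from one we know
        # (acme.co for acme.com, a swapped letter, a missing character).
        if dom not in trusted:
            dist, nearest = min((edit_distance(dom, k), k) for k in trusted)
            if dist <= TYPO_DISTANCE:
                warnings.append(f"misdirected? {addr}: {dom!r} looks like a typo of {nearest!r}")
        # Unauthorized: corporate mail to a personal mailbox, most telling
        # when the mailbox name matches the sender, i.e. mailing yourself.
        if dom in FREEMAIL_DOMAINS:
            whose = "sender's own" if local_part(addr) == local_part(msg.sender) else "a"
            warnings.append(f"unauthorized? {addr}: {whose} personal mailbox at {dom}")

    # Cc instead of Bcc: many external addresses exposed to one another.
    external = [a for a in visible if domain_of(a) != own]
    orgs = Counter(domain_of(a) for a in external)
    if len(external) >= BCC_THRESHOLD and len(orgs) > 1:
        warnings.append(f"cc-instead-of-bcc? {len(external)} external recipients "
                        f"from {len(orgs)} organisations can see each other")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the sender's known customer domains and three drafts.
    known = {"customerx.com", "customery.com"}
    drafts = [
        Message("alice@acme.example", to=["joan@custmerx.com"]),    # typo'd domain
        Message("alice@acme.example", to=["alice@gmail.com"]),      # mailing yourself
        Message("alice@acme.example", to=["a@customerx.com"],
                cc=["b@customerx.com", "c@customerx.com",
                    "d@customery.com", "e@customery.com", "f@customery.com"]),
    ]
    for draft in drafts:
        for line in check_message(draft, known) or ["ok"]:
            print(line)
```

The check warns rather than blocks, because each rule has known false positives: very short domains sit within two edits of each other even when unrelated, a consultant really may use a free-mail address, and some newsletters legitimately carry many visible external recipients. A production version would weight the near-miss rule by how long and how often the sender has corresponded with the nearest known domain, which is the same relationship history that makes the typo obvious to a human reading the address a second time.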
Human Layer Security, Podcast
Podcast Episode 2: We Just Accelerated The Future By A Decade, With Stephane Kasriel
By Laura Brooks
Thursday, December 31st, 2020
Tim Sadler: In this episode, I’m speaking with Stephane Kasriel, the former CEO of Upwork, and a future of work visionary. Now, some companies have been practising remote working for many years. But for others, the Covid-19 pandemic has forced a remote work environment almost overnight. In my research for this discussion, I was amazed to find that last year 44% of companies didn’t allow remote work at all. And globally, only 52% of people worked from home at least once a week. We fast forward now to 2020, and things couldn’t look more different. And as Stephane says in our upcoming discussion, it’s likely we’ll never go fully back to our old ways of working. Stephane shares his tips on how to build a remote working strategy for the long term, his opinions on what the future holds, and explains why he believes flexible working is a win-win for everyone. And, by the way, you can find all our podcast episodes here.
TS: Stephane, can you tell us a bit more about how distributed working was built into Upwork’s DNA?
Stephane Kasriel: You know, there’s an expression here. So first of all, thank you for having me, Tim, this is fantastic. But really, you know, one of the expressions that people use in the Bay Area is eating your own dog food. And so Upwork is a website and a mobile app that helps people work from home, and helps companies engage with people that work from home. And so we decided from day one that we couldn’t convince our customers to do this if we didn’t do it ourselves. And so Upwork today has about 2,000 people. There’s about 300 of them who work in an office, two offices in the Bay Area, one in Chicago, but the vast majority of people are working from home. I think we have people in something like 500 different cities in the world. And some of them have been working with the company for a decade or longer. So this is not just short term gigs for low value work. A lot of these are core software development, legal services, financial services for the company, just people that are not physically present in the office.
TS: 500 offices, that is a huge achievement to have that kind of scale of remote workforce. What have you actually learned along the way about making remote work a success with your team?
SK: You know, there’s a lot of different learnings. I would say increasingly, people have documented those learnings. So Upwork has an entire website, and it’s been updated for the pandemic. You know, obviously to say the obvious, there’s a lot more people that are working from home right now than ever in the past, many of whom were not prepared for this, and their companies were not prepared for this. So Upwork has published a pretty meaningful set of recommendations. But it’s not the only company that has done it. GitLab has an amazing set of documents, Zapier, Trello – which is part of Atlassian. And there’s probably half a dozen different companies that have done remote at that scale, you know, Automattic, the people behind WordPress, or the people behind Basecamp. So I would say, like, at the very highest level, I would just say treat people the way you want to be treated, right? Like, put yourself in the shoes of one of your people working from home, particularly in a time like today where this is not normal remote work. This is remote work where people may be sick, people may be scared of being sick, they may have people close to them that are sick, they may have children at home, they may have multiple people on Zoom at any point in time and not enough bandwidth to connect. And so I would say rule number one is empathy, realize that this is a tough time for everybody. And leading with care and love is probably one of the best things you can do. The second one – which is probably pretty obvious if you manage people in different time zones – realize that they have different working hours from you. Switch from a very synchronous model, where everybody’s on Zoom all day long, or everybody’s meeting at the same time, to something that’s more asynchronous – where you do more writing, or you do more things on Loom – which is kind of the offline version of Zoom, if you will. And, you know, I would say that the third thing is just realize that you need to communicate even more when people are distributed than when they’re local. So, you know, repeat yourself, set up meetings when meetings need to be set up, document more than you would otherwise and don’t assume that everybody knows what’s in your head. Because that’s really not true even when they work close to you. But it’s even harder for them to get into your head if they’re remote. And there’s a long, long list beyond that. But I would say those are, like, the high level ones.
TS: Yeah, and I love that point about leading with empathy. I think it’s so important during this time, and obviously these are… You know, we’re seeing the kind of the key takeaways from years and years of trial and error. What have been some of the lessons learned along the way? And, you know, you’ve outlined some really important practices here for companies who are just getting to grips with this new normal. But it’d be really interesting to understand, you know, what hasn’t worked out in the way that you thought it might have? And what approach would you encourage companies to take so that they can have a continual cycle of learning with how they’re improving their remote work initiative?
SK: I think, like, that’s the key, right, is a continuous cycle of learning, like, get feedback on what’s working and not, document the best practices, share them to the organization, especially if you’re a bigger company, there might be part of your organization that’s doing it really well, and other parts of the organization not so much. And sharing best practices is absolutely essential. But, you know, I would say there’s probably two things. One is, learn about time zones, you know, if people are in multiple different countries, work life balance matters, and expecting somebody to be always awake from 2am to 5am, because that’s what you need, unless that’s truly what they were signing up for initially, is probably not a good idea. So when we assembled teams within Upwork, we were always cognizant of having people in potentially two different time zones that were compatible with each other, but rarely on three, so for instance, US plus Asia plus Europe, somebody does not sleep. So that’s one component of it. The second one, which actually is what companies are being forced to do right now, so that’s helpful, is when you’re switching from a very local model to a very distributed model, the easiest way to do it is not to hire a bunch of people from the outside that are working remotely. But instead to allow your current employees, especially the people that are the most tenured, that really know how to get things done, when they give you feedback, you’re going to listen to the feedback, let them work remotely. And by the way, that doesn’t just mean working from home in San Francisco, that means if they choose to relocate to another part of the country, let them do that, in fact, encourage them to do it. We have a relocation package, we actually call it the relocation package, which is, if you’re based in San Francisco, and you want to move to another part of the country, we will actually pay for your moving expenses. It’s hard enough, if you’re not a remote first company, it’s hard enough for your existing employees to work remotely, it’s even harder for new people to come in and work remotely. And so the challenge with a lot of companies is they try to go from one extreme, which is, you know, everybody’s in the same office, to the other where you hire a bunch of new people who know nothing about the company, and don’t know anybody, and have them be successful. And I think the intermediate plan is to take your existing people and allow them to work from home. Check, this is happening right now. Step two is allow your existing people to relocate to another part of the country if they choose to. And then, step three, start to open up hiring, probably first in places where you have local employees already, because you’re going to have that, you know, face to face connection from time to time, which is really helpful to build a sense of community.
TS: And this leads me on nicely. I think that the relocation pack – I like that terminology. And there are a lot of people who are, I think, rethinking where they have to be based in terms of, you know, their location to actually now work for the companies they do. You describe flexible working as a win-win scenario, I guess, for employees, and also for the employer. Could you maybe unpack that a little bit and just share a bit more of your thinking around that with us?
SK: Yeah, and I would say there’s even a third component, which is society as a whole. Right? So why is it a good thing for employers? Well, you know, the main downside, which is the myth, is people are going to be working less, it’s bad for your culture, you’re going to have retention issues, all that stuff, none of which is true, right? In companies that are good at measuring worker productivity, and most of them are not, there is no data that shows that worker productivity goes down when people are working remotely. In fact, there’s tonnes of data that shows the opposite. The idea that it’s bad for retention, like employee loyalty, I can give you the example of Upwork: the people that work remotely stay at the company at least twice as long as the people that are based in San Francisco. And it’s pretty obvious why, you know, if you’re based in San Francisco, you’ve got all the other tech companies that are trying to poach you all the time. When you live in the middle of Sacramento or Stockton, Modesto or even outside of California, there’s a lot less competition for talent, right, so it’s good for companies: employee retention, obviously cost, you know, like the cost of living in San Francisco is so high that you can find equally talented talent for significantly less money elsewhere. Right. So that’s the company point, and I would say more than cost savings, for the most part, it’s about attraction of talent and retention of the talent. On the employee side, you know, like, I think we’ve done many, many surveys over the years at Upwork. And most people would prefer to have more flexibility in their life, and to be able to potentially relocate to another part of the country. You know, the San Jose Mercury News does a study every year, and they just updated it and it went up again. But last year, more than 50% of the tech employees who live in the Bay Area said that they would choose to leave the Bay Area if they could keep the same job and the same thing. And so there’s a meaningful number of people who live in places like New York and London and San Francisco and Shanghai, not because they really enjoy the lifestyle or the cost of living, but because that’s where the jobs are. So that’s how it helps people. But secondly, it also helps people that are excluded from the current workforce to participate in the workforce. So one of the studies that Upwork does every year is called Freelancing in America. We asked freelancers, would you ever choose to work for a regular employer? And 50% of freelancers say no. And when you ask them why, usually the answers are care duties, a physical or mental disability that makes it hard for them to contribute to a regular office environment, or living in a part of the country where there’s no job. So you’re really allowing lots and lots of people, who otherwise can’t get access to great jobs, to have access to them. And then the third piece is society as a whole. So one thing that’s, you know, pretty well documented by economists: if you have a highly paid worker move to a part of the country that is economically challenged, it creates, on average, an extra four jobs. And it’s pretty obvious why, right? You put a highly paid software developer in the middle of the country, and they’re going to start to consume goods and services, which further creates more jobs and restarts the new economy, as opposed to today. I mean, if you look at the situation here in San Francisco, almost all of the people whose jobs truly require them to be in San Francisco can’t afford to live anywhere nearby. And meanwhile, the people whose jobs can be done from anywhere only live in San Francisco. So it’s kind of the opposite of where it needs to be. And I think this distributed work approach can really be a win-win for society, for the workers and for the employers as well.
TS: Yeah, yeah. There’s some fascinating stats there as well. I’d seen a few of those recently. It does, you know, it seems obvious when you say it, that there are so many other benefits that come from this kind of setup. And I guess from the company’s perspective, it’s really, really important that you’re empowering your workforce and your employees to be successful in this environment. And there are certain things, when you’re running a company, that you still have to get right, whether you’re a remote work environment, or whether you are in physical offices around the world. And obviously, a topic very close to our heart is security and thinking about how you keep people secure with the data they’re handling, whether they’re working from their home office, or their front room. And it’d be good to hear your perspective, some of the things that you’ve done to empower your workforce overall from a technology perspective. And then, when it comes to security specifically, what do you think companies need to have in mind?
SK: Yeah, absolutely. So there’s definitely several, you know, components to allowing a distributed workforce to be successful. There are human resources related matters. There are legal related matters, right? Employment is regulated in just about every country. So you need to understand what you’re getting yourself into. Usually, there’s tax and accounting implications, if you have nexus in multiple states in the US, let alone if you have people in multiple countries, and you employ them directly, this might create financial, tax and accounting matters that you need to resolve. And then to your point, there’s huge security considerations that you need to take into account. And I would say, like in the case of Upwork specifically, there’s two different natures of the issue, if you will. One is bring your own device, right? Most of the people on Upwork are freelancers. We don’t send them a laptop, we don’t send them an iPhone, we don’t control their environment. But then they get access to the secure environment of the network infrastructure. So securing a Bring Your Own Device type of environment is absolutely critical. The second one is we don’t know where they are. You can’t assume that, right? So you need to design systems and policies to make sure that the intellectual property of the company and the security of the company is not compromised. To give you one example, very early on at Upwork, we decided that anything that needs to be secure should be behind the VPN, irrespective of whether you’re working from home, or working from the office. So from day one we said, location should not matter. There’s nothing magical about the office, we should always assume that you are in a non-trusted environment, and make sure that we build systems to accommodate for that.
TS: Yeah, and this also comes down to the point, I imagine, of the culture that you create as a remote work company. And, you know, we can be used to building culture, or certainly as a CEO, I’ve been used to building culture, when you have people in the office. You can get people together, you can do socials together, and those kinds of things. What are some of the tips that you have for organizations who are thinking about how you actually create a really, really amazing culture as a remote company, and, you know, having to consider all of these other things like the practices? And you ran through some of them: HR, legal, security?
SK: Yeah, well, you know, I would say other than right now, where everybody’s stuck at home and really can’t meet face to face, in general, I think most remote-first companies tend to do lots and lots of face to face meetings. At Upwork, we had a meaningful travel budget where we would do meet ups. So not 2,000 people in the same place, which, you know, doesn’t work for most people, but we would give agile teams a small budget every year so that they could meet up in a cool city. And every time we’d have meetings in, you know, Budapest, and Madrid and Chile and where have you. And it’s a great perk for people. For a couple of weeks, they would be in an Airbnb, and they’d be coding during the day. And they’d be, you know, socialising in the evenings and weekends, and people tend to really like that, right? So, face to face does matter. I think we’re going to go from a world where we organize off-sites to a world where we organize on-sites, if you will. But this, you know, is really true. Like there is a social connection network, that is how to do a Zoom. And regularly you need to, you know, update it by having face to face meetings. Now, that’s not really possible right now. But I would say the second part of your answer is, culture is bigger than just, you know, free coffee in the office or a ping pong table, or what have you. Culture is a set of values and a shared purpose. You’re widening the talent pool so much that you can find people that are really passionate about what you do. And so as a result, you can find people who really live the values, live the purpose of the company, they’re here because they truly believe in the mission of what you’re trying to do. And that, to me, is really what culture is about.
TS: Yeah, it’s so important. I couldn’t agree more. And I think as well, for many companies there, it’s also a good thing that we’re being stretched, and they’re being challenged to think deeper than just some of the kind of superficial, skin deep perks, maybe, that, you know, otherwise would have substituted something that is altogether so much more important for companies. And I have to ask you, we’ve spoken a lot about remote work, this is something you’ve been practising for a long time. Now, what is your thesis? What’s your opinion on the future of work? And I guess I’m specifically interested as well, this change, I guess, nobody saw coming in this way that we, you know, we’ve been accelerated to remote working, what do you think it means for, you know, the next five years in terms of companies and technology, but also outside of our sector?
SK: You know, I think it just accelerated the future by a decade. The sobering fact is, I think, the virus has done more in three months than I’ve been able to do in 10 years. But we’ve really gone into the future in a really big way. And I think what really matters here is to understand what’s not working and fix it quickly. There are plenty of things that you can do wrong. This is the time where we can improve diversity, we can improve inclusion, and we can improve efficiency, and have more efficient companies. And so I think it’s really important for companies to poll their managers, to poll their employees, and to figure out, you know, very quickly, like, what are we not doing well, and to optimise for it. Because that train has left the station, and it’s moving fast right now.
TS: So you think that the, I guess this change will show companies a way of working, that means that, you know, whether they like it or not, we’re not going back to the way things were, you know, this is something that’s here to stay. And whether we go to hybrid environments, or fully remote environments, we now have to adapt to this new way of working.
SK: Yeah, I mean, I doubt that every company is going to be fully distributed anytime soon, right? I mean, there’s definitely going to be a hybrid model, which is one thing that companies need to figure out is how you become inclusive of the remote workforce when there’s a lot of people still in the office. But I think there’s a lot of misconceptions companies had about remote work that are being disproved right now. Now, to be fair, I think there’s also a concern right now that because people are working from home in conditions that are not ideal, you know, as I said earlier, people that are sick, and people that have kids that are. I think some companies may come to the wrong conclusion, which is why this was really a failed experiment. We can’t wait to have everybody back in the office. But the reality, though, is the workforce has moved on. So if you as an employer think you can go back to the old ways, you’re going to lose a lot of your team members because they’re not moving back. In fact, the place they’re moving to might be outside of where they live right now, in a place where they can have a much better lifestyle. Frankly, I think the workforce is going to be voting with their feet. If you don’t allow people to work more flexibly post COVID, there’s a lot of employers who will, and they’ll attract the best talent.
TS: That’s a really interesting way of looking at it, which actually, it’s the overall market for employment and flexibility. As you say, as soon as it’s there with one set of employers, it’s going to become something that people prioritise.
So there you have it. Remote work has its benefits for employers, employees and society. And, so, in Stephane’s opinion, we’ve accelerated the future by a decade. And it’s time for businesses to consider what the long term strategy for a hybrid or remote way of working will be. Whatever their decision, securing people and empowering them to work both productively and safely has to be a priority as employees can now work from anywhere. If you want to learn more about securing your hybrid workforce, we have plenty of great content and actionable advice on the Tessian blog. And if you enjoyed our show, please rate and review it on Apple, Spotify, Google Play or wherever you get your podcasts. Remember, you can find all of the RE:Human Layer Security podcast episodes here.