
Compliance

Read our latest articles, tips and news on Compliance including GDPR, CCPA and other industry-specific regulations and compliance requirements.

ATO/BEC Compliance
Building a Recession Proof Cybersecurity Program
By John Filitz
09 June 2022
The subject of prioritizing cybersecurity spending often arises in periods of economic uncertainty. As most security professionals will admit, justifying the security budget is a challenge in many organizations, regardless of the economic cycle. But in a recession, the challenge of cybersecurity budget allocation and spending can be compounded because, too often, cybersecurity is viewed as an auxiliary and non-critical IT program.

This blog sets out some core tenets essential for building a recession proof cybersecurity program. Spoiler: building a resilient cybersecurity program starts with a mind shift.
Cultivating a positive organizational cybersecurity culture

Many security leaders struggle to make the case for cybersecurity spending allocation, regardless of the economic environment. This is due to an out-of-touch mindset, with certain leaders failing to understand the importance of cybersecurity to their company’s overall business operations and objectives.

This poorly informed view was evidenced in a recent survey conducted by Tessian, in which only 58% of employees thought that senior executives at their company value cybersecurity. This explains why 1 in 3 employees don’t understand the value of cybersecurity, and why 30% of employees believe they play no role in cybersecurity threat prevention.

The mixed attitude towards cybersecurity could also explain why security leaders often find it challenging to justify cybersecurity program spend, which can become even more challenging in an economic downturn. The tide is slowly starting to turn, due in large part to increasing cybersecurity risk and the catastrophic fallout associated with breaches, which can result in business failure.

Beyond an organization’s self-interest in keeping its information systems and data secure, investors are starting to exert pressure on their portfolio companies to maintain an industry baseline of cybersecurity protection. Evidence of this shift in attitudes is reflected in the fact that environmental, social and governance (ESG) reporting now includes an assessment of an organization’s cybersecurity program and defenses.

It needn’t break the bank. Developing a positive cybersecurity culture in an organization is something that can be achieved at relatively low cost. The key elements include clear communication from the executive leadership on the importance of maintaining good cybersecurity hygiene. Creating a positive employee experience in relation to cybersecurity is essential. This entails developing engaging and context-based security awareness training programs that drive cybersecurity awareness – empowering employees to become part of the cyber defense.
Using open source resources and frameworks to build cybersecurity resilience

While there is no singular approach to building out a cybersecurity program, there is a trove of freely available resources and best practice guides to assist with building information governance systems and cybersecurity programs. View cybersecurity program development as a work in progress. Many unique factors and characteristics will come into play in shaping your cybersecurity program development.

By establishing a dedicated team to tackle enterprise security architecture and using well established enterprise architecture frameworks such as COBIT and TOGAF, in conjunction with cybersecurity frameworks such as the NIST Cybersecurity Framework, ISO 27001/02 and the CIS Critical Controls, organizations can start putting the building blocks in place for developing well-integrated and robust information governance systems.

Enterprise architecture frameworks such as COBIT are useful for building an information governance system that proactively identifies areas of risk or IT capabilities that need improvement to ensure that business objectives are achieved.
Ensuring compliance with industry and geo-specific regulations

Cyber risk is increasing year-over-year. In the latest FBI IC3 report, Business Email Compromise (BEC) fraud related losses increased by 65% globally in the period 2019 to December 2021. In the latest Verizon DBIR, ransomware attacks increased by 13% year-over-year, representing the largest increase in over 5 years.

Prioritize your cybersecurity technology budget from the assumption that there is a very strong likelihood that you will at some point suffer a breach. On this basis, focus on the fundamental threat vectors relative to your accepted risk threshold.

In US states such as California, and in many jurisdictions around the world, regulatory authorities are establishing minimum levels of cybersecurity preparedness that need to be met to ensure compliance.

The California Attorney General, under the California Consumer Privacy Act (CCPA), has for instance established the requirement that businesses over a certain revenue threshold have a reasonable level of security in place. Reasonable security according to the CCPA is defined as having the CIS Controls implemented.

In the EU’s General Data Protection Regulation (GDPR), key stipulations include having data privacy and data security safeguards in place to ensure the confidentiality, integrity and availability of information processing systems and services. Other security controls include having the ability to restore availability and access to personal data, as well as having a process in place to regularly test, assess and evaluate the effectiveness of the technical and organizational measures that ensure the security of data.
Going beyond the minimum

Threat actors are continuously advancing their abilities. This is why cybersecurity and business leaders cannot afford to rest. Continuously testing your cybersecurity defenses through regular audits and penetration testing will help you identify areas for improvement. This includes practicing incident response and business continuity preparedness.

Cybersecurity is not a tick box compliance exercise.

Cybersecurity is everyone’s responsibility. Many of the core components that encompass a cybersecurity program do not require significant budget, but rather effective leadership, time and effort. Most importantly, it requires adopting a mindset that recognizes being cyber resilient as essential to the organization’s overall success.
Compliance
9 Key CCPA Breaches So Far (And What We Can Learn From Them)
30 May 2022
On July 1st, 2020, enforcement of the California Consumer Privacy Act (CCPA) officially came into effect. Similar to the European Union’s General Data Protection Regulation (GDPR), CCPA is California’s answer to personal data protection – regulating how businesses across the globe are allowed to handle the personal information (PI) of California residents.

This means that California residents have the right to opt out of having their data sold to third parties, request disclosure of data already collected, and request deletion of data collected. As part of this, corporations are required to respond promptly to consumer requests for information regarding their data.

Though they share overarching objectives, there are a number of differences between CCPA and GDPR, with a significant difference being the way fines are decided. CCPA fines for a breach can include a civil penalty of up to $7,500, and fines of anywhere from $100 to $700 per consumer.

Though these numbers may appear small in comparison with GDPR fines, companies managing high volumes of personal data (i.e. a larger company with thousands of consumers) are vulnerable to seeing these numbers multiplied significantly. CCPA also allows the individual consumer to file civil claims, giving individuals the ability to exercise their rights to privacy.

While some of the details of CCPA enforcement are still being ironed out, this article provides a summary of 9 key breaches so far and what we can learn from them.

1: Zoom – An $85 million settlement for ‘Zoombombing’

In August 2021, Zoom Video Communications reached an $85 million settlement after a number of user privacy issues, including those related to ‘Zoombombing’. Zoombombing involves outsiders hijacking Zoom meetings and posting disturbing content such as pornography, or using racist language. The lawsuit claimed that Zoom had violated users’ privacy rights by sharing personal data with Facebook, Google, and LinkedIn, and letting hackers ‘Zoombomb’ meetings.

As well as paying the sum, Zoom agreed to improve its security practices to comply with the CCPA, releasing a statement saying “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us.”
2: A data broker – A broken link, opt-out barriers, and mandatory account creation

To comply with CCPA, an unnamed data broker added a “Do Not Sell My Personal Information” (DNSMPI) link to its homepage – but the link didn’t work.

The business also made users jump through a series of hoops (including providing government ID and proof of address) before being allowed to opt out of the sale of personal information. Thirdly, customers were required to create an account in order to make a verifiable consumer request – including a CCPA request.

After being informed of these issues, the business updated its link, removed the barriers to opt out, and no longer requires the creation of an account to make a CCPA request.

3: A digital strategy partner — A privacy policy with missing parts

In another case of DNSMPI wrongdoings, a company that partners with major corporations on digital strategies did not tell consumers about their rights under the CCPA and did not provide adequate notice on how personal information was collected, used, or sold.

This is all information that should be included in a company’s privacy policy. The company also did not offer a way to make requests over the telephone or on the company’s website.

To fix this, the privacy policy was updated, and the business now also offers a DNSMPI link, email address, and telephone number for consumers.

4: T-Mobile — The (alleged) negligence that led to a data breach

In August 2021, T-Mobile USA Inc. was hit with two class-action lawsuits accusing the telecommunications company of violating the CCPA. It was alleged that ‘T-Mobile violated the CCPA and acted negligently by failing to protect consumer data from a recent data breach that exposed millions of customers’ records’.

The allegations came after T-Mobile had suffered a data breach that compromised the personal data, including names and phone numbers, of millions of customers.

It is thought that T-Mobile violated the CCPA by failing to prevent consumers’ non-encrypted personally identifiable information from unauthorized access and exfiltration, theft, or disclosure. This is alleged to have stemmed from a failure to maintain reasonable security procedures to protect such information. The company offered two years of free McAfee ID theft protection to all people who believe they may have been affected by the breach, but investigations are ongoing.

5: An electronics retailer — Selling more than just electronics

A business that sells electronics was accused of selling a bit more than just that. The company had third-party trackers on its website that shared data with advertisers about visitors’ online shopping habits. There was no service provider contractual relationship in place, and consumers’ requests to opt out were not being processed.

To solve these issues, the company worked with its privacy vendor to honor consumer opt-out requests and avoid selling personal information to third parties in violation of the CCPA.
6: An online classified ad platform — Death by jargon

Alongside other CCPA breaches, a business that operates an online classified advertisement platform did not display the required CCPA consumer rights or explicitly state whether or not it had sold personal information in the past year.

After being informed of this, the company updated its privacy policy to include the required notice of CCPA rights and clearly stated that it did not sell personal information.

However, a second notice was prompted after the updated privacy policy was found not to be consumer-friendly – containing unnecessary legal jargon and being difficult for the average person to read. Significant revisions to its privacy policy finally addressed these concerns.

7: A social media app — Speed matters

A social media app business was not responding to CCPA requests by consumers fast enough. The requests included consumers wanting to know and delete personal information – which users have a right to under the CCPA. Unfortunately, consumers were left unaware of whether their requests had been effectuated, or even received.

After notification by the Office of the Attorney General (OAG), the organization responded to the outstanding requests and updated its CCPA response system to improve its timeliness.

8: An ad-tech organization — Business or service provider?

Service providers and businesses have different obligations when it comes to complying with CCPA, with privacy policy requirements differing depending on this status.

This made it difficult for an online ad-tech organization which, though primarily a service provider, is a business in some contexts. The company’s service provider contracts also lacked the necessary restrictions on the use of processed personal information.

To align with the rules, the company modified its privacy policy (clearly stating that it did not sell personal information), provided a way for consumers to submit CCPA requests, and updated its service provider contracts.

9: A grocery chain — Customers seeking clarity

A business that operates a chain of grocery stores recently came under fire not just from the OAG, but from members of the public too. The chain was accused of leaving essential information out of its privacy policy, which lacked guidance on how authorized agents may submit CCPA requests on behalf of consumers, among other things.

In response to a notice of these violations, the business updated its privacy policy accordingly – explaining how agents can submit CCPA requests on behalf of consumers, as well as the business’s requirements for verifying such requests.

If there is one thing to learn from these breaches, it is that doing the right thing is not enough. You need to tell your consumers what you are doing – transparently and in language that they understand.
Email DLP Compliance
30 Biggest GDPR Fines So Far (2020, 2021, 2022)
05 May 2022
The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws. Under the GDPR, the EU’s data protection authorities can impose fines of up to €20 million (roughly $20,372,000), or 4% of worldwide turnover for the preceding financial year – whichever is higher.

Since the GDPR took effect in May 2018, we’ve seen over 900 fines issued across the European Economic Area (EEA) and the U.K. GDPR fines have ramped up significantly.

Let’s take a look at the biggest GDPR fines, explore what caused them, and consider how you can avoid being fined for similar violations. Last updated May 2022.
The biggest GDPR fines of 2020, 2021, and 2022 (so far)

1. Amazon — €746 million ($877 million)

Amazon’s gigantic GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than the previous record. The full reasons behind the fine haven’t yet been confirmed, but we know the cause has to do with cookie consent.

And this isn’t the first time Amazon has been punished due to the way it collects and shares personal data via cookies. In late 2020, France fined Amazon €35 million after the tech giant allegedly failed to get cookie consent on its website.

How the fine could have been avoided: It’s tempting to force users to “agree” to cookies—or make opting out of cookies difficult—to collect as much personal data as possible. But regulators have shown some serious appetite for enforcing the EU’s cookie rules recently. If Amazon had obtained “freely given”, informed, and unambiguous opt-in consent before setting cookies on its users’ devices, the company probably could have avoided this huge GDPR fine.

2. WhatsApp — €225 million ($255 million)

Mere months after Amazon’s colossal GDPR fine knocked Google off the number one GDPR fine spot, WhatsApp pushed Google into third place with a penalty nearly five times as large as the search giant’s previous record. Ireland slammed WhatsApp with a €225 million GDPR penalty after claiming that the messaging service had failed to properly explain its data processing practices in its privacy notice. Ireland is not known for issuing large fines, despite being the European home of nearly every US-based big tech firm. And even this penalty arrived only after other EU data protection authorities used the “one-stop-shop” mechanism to argue that it should have been higher.

So what did WhatsApp do wrong? It’s complicated, and the company is appealing the decision. But it boils down to WhatsApp’s alleged failure to explain its legal basis for certain data processing—“legitimate interests.”

How the fine could have been avoided: The Irish DPA said that WhatsApp’s somewhat opaque privacy notice was at fault here—the company should have provided privacy information in an easily accessible format using language its users could understand. If you’re relying on “legitimate interests,” you must make sure you explain what those interests are in respect of each relevant processing operation.

3. Google Ireland — €90 million ($102 million)

The French data protection authority (the CNIL) hit Google Ireland with this substantial fine on Jan 6 2022. The fine relates to the way Google’s European arm implements cookie consent procedures on YouTube. The Google Ireland fine was one of two fines issued as part of the same decision, with the other being levied against California-based Google LLC (which operates Google Search).

So what’s the issue? In a nutshell, the CNIL said that Google should have made it easier for YouTube users to refuse cookies. YouTube sets cookies on our devices to track our online activity for marketing purposes. It’s easy to accept cookies on YouTube, but harder to refuse them. The CNIL noted that refusing cookies required a user to make several clicks, whereas accepting cookies required just one click.

The CNIL justified the relatively high fine by pointing to the large number of people using YouTube and the huge profits that Google derives from the service. But wait a minute—doesn’t Google run its EU operations out of Ireland? How come the Irish regulator didn’t deliver this fine?

The reason, the CNIL contended, is that cookie regulation primarily falls under the ePrivacy Directive, not the GDPR, so regulators can take direct action against website operators in their jurisdiction rather than referring everything back to the organization’s “main establishment.” But the decision still qualifies as a “GDPR fine” because it’s the GDPR that determines how website operators obtain consent.

How the fine could have been avoided: Under the GDPR, consent must be “freely given”, which means it must be equally easy to accept or refuse: if you can accept with one click, you should also be able to refuse with one click.

4. Facebook — €60 million ($68 million)

Facebook’s second-largest GDPR fine (including its WhatsApp fine, above) came from the French data protection authority, the CNIL, on Jan 6, 2022. The social media giant earned this €60 million penalty owing to—you guessed it—failing to obtain proper cookie consent from its users.

The issue here mainly related to the unclear way in which Facebook provided a cookie opt-out. Like with Google (see above and below), accepting cookies on Facebook is a piece of cake—just click “accept.” Refusing them is a little more complicated.

How the fine could have been avoided: The CNIL drew attention to how Facebook’s cookie consent interface seemed to offer no option except “Accept Cookies”—even when it appeared that users were actually refusing them. The CNIL reflected that this language “necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it.” Don’t confuse your users. Keep language simple and straightforward whenever you’re providing privacy information.

5. Google LLC — €60 million ($68 million)

This Jan 6 fine against Google’s California headquarters came alongside the CNIL’s €90 million penalty against the search giant’s European establishment (see fine number 3, above). That larger sanction was levied against Google’s non-compliant setting of cookies on the YouTube platform.

Google LLC was hit with this €60 million blow on the same day for precisely the same reason—but in relation to its search website rather than its video-sharing platform.

How the fine could have been avoided: The takeaway in both Google cases is clear: make sure it’s as easy for your users to refuse cookies as it is to accept them.
6. Google – €50 million ($56.6 million)

Google’s fine, levied in 2019 and finalized after an unsuccessful appeal in March 2020, was the largest on record until August 2021.

The case related to how Google provided privacy notice to its users—and how the company requested their consent for personalized advertising and other types of data processing.

How the fine could have been avoided: Google should have provided more information to users in consent policies and granted them more control over how their personal data is processed.

7. H&M — €35 million ($41 million)

On October 5, 2020, the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed at the time.

H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers.

Senior H&M staff gained “a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment.

How the fine could have been avoided: H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.

H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment.

8. TIM – €27.8 million ($31.5 million)

On January 15, 2020, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that had accumulated over the last several years.

TIM’s infractions include a variety of unlawful actions, most of which stem from an overly aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.

How the fine could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.

9. Enel Energia — €26.5 million ($29.3 million)

On January 19th, 2022, the Italian data protection authority (‘Garante’) publicized its decision to fine the multinational electric and gas supplier Enel Energia €26.5 million for a range of GDPR violations, including failing to get user consent or inform customers before using their personal data for telemarketing calls.

The complex investigation was triggered after Garante had received numerous complaints concerning the receipt of unwanted promotional calls, among other problems. The investigation covered Enel Energia’s business partners and included four separate requests for cumulative information, from December 2018 to July 2020, concerning a total of 135 files. Garante also reported that Enel Energia had not sufficiently cooperated with the investigation by failing to respond adequately (if at all) to a number of requests.

How the fine could have been avoided: Enel Energia should have provided more information to users in consent policies and granted them more control over how their personal data is processed. Once caught out, Enel Energia could also have lessened the consequences had it responded to requests from investigators.

10. British Airways – €22 million ($26 million)

In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019.

So, what happened back in 2018? British Airways’ systems were compromised. The breach affected 400,000 customers, and hackers got their hands on log-in details, payment card information, and travelers’ names and addresses.

How the fine could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect its systems, networks, and data. In fact, it seems BA didn’t even have basics like multi-factor authentication in place at the time of the breach.

Going forward, the airline should take a security-first approach, invest in security solutions, and ensure it has strict data privacy policies and procedures in place.

11. Marriott – €20.4 million ($23.8 million)

While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said it would levy. So, what happened?

383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. Personal data like guests’ names, addresses, passport numbers, and payment card information was exposed.

Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.

How the fine could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. Marriott should have done more to safeguard its systems with a stronger data loss prevention (DLP) strategy and utilized de-identification methods.
12. Clearview AI — €20 Million ($20.5 Million)   In what is shaping up to be a busy year for the Italian data protection authority, Clearview AI has been issued a fine of €20 Million by Garante. The fine came on 10 February 2022, after several issues in connection with Clearview’s facial recognition products.  A number of infringements were found including the unlawful processing of personal biometric and geolocation data, and the breaching of several fundamental principles of the GDPR, such as transparency, purpose limitation, and storage limitation. Like Enel Energia, the company also failed to respond to requests in a complete and timely manner.   How the fine could have been avoided: Less is more – Clearview should have only collected and held on to data with a clear purpose, and been transparent about this decision-making with their customers. Better co-operation in the investigation would have also decreased the fine. 13. Meta (Facebook) Ireland — €17 Million ($18.2 Million) On March 15th, 2022 the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland €17 Million for issues which meant it could not readily demonstrate the security measures that it implemented to protect EU users’ data. This failure was spotted in 2018 after twelve personal data breaches were reported to the DPC. How the fine could have been avoided: In this case, these shortcomings were spotted before a more widespread breach occurred. To prepare for future threats, Meta should take a security-first approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.   14. Wind — €17 million ($18.2 million) On July 13, Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities.   The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. 
Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe.   The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.    How the fine could have been avoided: Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could  demonstrate that sending marketing materials was in its “legitimate interests.”   For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date.     15. Vodafone Italia — €12.3 million ($14.5 million) Vodafone Italia’s November 2020 fine was issued in relation to a vast range of alleged GDPR violations, including provisions within Articles 5, 6, 7, 16, 21, 25, 32, and 33.   So what did Vodafone do that resulted in so many GDPR violations?    The company’s data processing issues included failing to properly secure customer data, sharing personal data with third-party call centers, and processing without a legal basis—all brought to light after complaints about the company’s telemarketing campaign.   How the fine could have been avoided: Vodafone’s marketing operations may have triggered the Italian DPA’s investigation, but the company’s data management and security were the fundamental issues here.   Vodafone might have avoided this large fine by conducting regular audits of its data and properly documenting all relationships with third-party data processors.     16. Notebooksbilliger.de — €10.4 million ($12.5 million) German electronics retailer notebooksbilliger.de (NBB) received this significant GDPR fine on January 8, 2021. 
The penalty relates to how NBB used CCTV cameras to monitor its employees and customers.   The CCTV system ran for two years, and NBB reportedly kept recordings for up to 60 days. NBB said it needed to record its staff and customers to prevent theft. The Lower Saxony DPA said the monitoring was an intrusion on its employees’ and customers’ privacy.   How the fine could have been avoided: The NBB’s fine reflects strict attitudes towards CCTV monitoring in parts of Germany. The regulator said NBB’s CCTV program was not limited to a specific person or period.   Using CCTV isn’t prohibited under the GDPR, but you must ensure it is a legitimate and proportionate response to a specific problem. The UK’s ICO has some guidance on using CCTV in a GDPR-compliant way.   17. Austrian Post — €9 million ($10.23 million) Austria’s largest GDPR fine hit in September 2021, when Austrian Post received a €9 million sanction for allegedly failing to facilitate data subject rights requests properly.   If a data subject hoped to access, delete, or rectify personal data held by the Austrian Post, the company provided a variety of mediums by which to make a request, including a web form, mail, or phone number.   The one means of communication that Austria Post did not recognize, however, was email—and the Austrian DPA said that the mail carrier should have allowed data subjects to submit a rights request via any medium they preferred.   How the fine could have been avoided: Austrian Post (which is planning to appeal the fine) should have processed data subject rights requests however they arrived—forcing data subjects to use a particular communication method and excluding email is not an acceptable way to facilitate their rights.   18. Eni — €8.5 million ($10 million) Eni Gas e Luce (Eni) is an Italian gas and oil company that was found to have made marketing phone calls without a proper legal basis.   
While telemarketing is covered by the ePrivacy Directive, this is another example of how any processing of personal data without a proper legal basis can lead to a GDPR fine.

How the fine could have been avoided: Eni should have ensured it had a proper legal basis for telemarketing before calling any of its customers or leads. In this case, the Italian DPA said that the proper lawful basis would have been consent.
19. Vodafone Spain — €8.15 million ($9.72 million)

Vodafone’s €8.15 million fine, issued by the Spanish DPA (the AEPD) on March 11, 2021, is actually made up of four fines for violating the GDPR and other Spanish laws covering telecommunications and cookies. The Vodafone fine stands as Spain’s biggest yet—in a year that has seen the AEPD issue several substantial GDPR penalties. The fine results from 191 separate complaints regarding Vodafone’s marketing activity. Vodafone was alleged not to have taken sufficient organizational measures to ensure it was processing people’s personal data lawfully.

How the fine could have been avoided: Vodafone’s complex series of legal violations all appear to have one thing in common: a lack of organization and control over personal data used for marketing purposes.

Whenever you outsource any processing activity to a third party—for example, a marketing agency—you must ensure you have a clear legal basis for doing so. Keep clear records, maintain data processing agreements with contractors, and regularly audit your processing activities to ensure they are lawful.

19. REWE International — €8 Million ($8.8 Million)

The Austrian Data Protection Authority (DPA) has fined Austrian food retailer REWE International €8 million after it mismanaged the data of users involved in its loyalty program, jö Bonus Club. The subsidiary had been collecting users’ data without their consent and using it for marketing purposes.

However, REWE is set to appeal the decision, arguing that jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club. This comes hot on the heels of a 2021 fine after jö Bonus Club unlawfully collected millions of members’ data and sold it to third parties. For that offense, jö Bonus Club paid €2 Million.
How the fine could have been avoided: There are a few things that could be done to stop these recurring fines – seeking consent from customers and applying the fundamental GDPR principles of transparency, purpose limitation, and storage limitation are good places to start.

20. Google – €7 million ($8.3 million)

From a GDPR enforcement perspective, 2020 was not a good year for Google.

Along with the company losing its appeal against the French DPA in January, March saw the Swedish Data Protection Authority (SDPA) fine Google for neglecting to remove a pair of search result listings under Europe’s GDPR “right to be forgotten” rules.

How the fine could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”

You can find more information about how to comply with requests for erasure from the ICO here.

21. Caixabank — €6 million ($7.2 million)

This fine against financial services company Caixabank is the largest fine ever issued by the Spanish DPA (the AEPD).

The AEPD finalized Caixabank’s penalty on January 13, 2021, breaking Spain’s previous record GDPR fine, against BBVA — issued just one month earlier. This suggests a significant toughening of approach from the Spanish DPA.

The first issue, which accounts for €4 million of the total fine, related to how Caixabank established a “legal basis” for using consumers’ personal data under Article 6. Second, Caixabank was fined €2 million for violating the GDPR’s transparency requirements at Articles 13 and 14.

How the fine could have been avoided: The AEPD said Caixabank relied on the legal basis of “legitimate interests” without proper justification.
Before you rely on “legitimate interests,” you must conduct and document a “legitimate interests assessment.”

The company also failed to obtain consumers’ consent in a GDPR-compliant way. If you’re relying on “consent,” make sure it meets the GDPR’s strict “opt in” standards.

The AEPD criticized Caixabank’s privacy policy as providing vague and inconsistent information about its data processing practices. Make sure you use clear language in your privacy notices and keep them consistent across websites and platforms.

22. Cosmote Mobile Telecommunications — €6 Million ($6.6 Million)

In February 2022 the Greek data protection authority, the Hellenic Data Protection Authority (HDPA), fined Cosmote Mobile Telecommunications €6 Million.

The fine was issued after a hack in September 2020 led to customers’ private information being exposed, but the buck didn’t stop there. It was revealed that the company was illegally processing customer data – an activity that exacerbated the issues caused by the hack. To make matters worse, the private data was not fully pseudonymized, making it easier for hackers to identify individuals from the data.

Cosmote’s parent company, OTE Group, was then given an additional fine of €3.25 million after the Cosmote investigation determined that OTE should have been included in the process from the beginning but had not been.

How the fine could have been avoided: Unfortunately, this domino effect is not an uncommon occurrence, and it only highlights the importance of abiding by GDPR rules and principles. For a start, Cosmote should only have been processing data legally, with a defined purpose, and with proper encryption to ensure the best customer security.

Secondly, this example demonstrates how devastating a hack can be. It has been reported that the hack that caused this breach was a phone hack – meaning secure internet connections, improved physical security and investing in security solutions are all good ways to prevent this from happening.

23. BBVA (bank) — €5 million ($6 million)

This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020.

BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month. Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions.

How the fine could have been avoided: The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages.

The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and used its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy.
24. Fastweb — €4.5 million ($5.5 million)

Italy’s DPA (the Garante) fined telecoms company Fastweb €4.5 million on April 2, 2021 for engaging in unsolicited telephone marketing without consent. In particular, the Garante noted that Fastweb was using “fraudulent” telephone numbers that the company had not registered with Italy’s Register of Communication Operators.

How the fine could have been avoided: Fastweb’s fine derives from telemarketing rules that are set out in Italy’s implementation of the ePrivacy Directive, rather than the GDPR. However, the company still appears to have violated the GDPR by failing to obtain valid consent.

It’s important to remember this interplay between the EU’s main privacy laws. The ePrivacy Directive requires you to obtain consent for certain activities, but the GDPR sets the standard of consent—and the standard is very high.

25. Dutch Tax and Customs Administration — €3.7 Million ($4 Million)

In April 2022, the Dutch Tax and Customs Administration was fined €3.7 Million after the illegal processing of personal data in the Fraud Signaling Facility (FSV) – a blacklist on which the Tax and Customs Administration kept records of fraud. For more than six years, the Tax and Customs Administration had been wrongly putting people on the FSV – around 270,000 people in total – with major consequences for those on the list. The investigation revealed a number of GDPR violations including widespread discrimination, with employees instructed to base the risk of fraud in part on people’s appearance and nationality.

“People were often wrongly labeled as fraudsters, with dire consequences,” Dutch Data Protection Authority Chairman Aleid Wolfsen said in a statement. “The tax authorities have turned lives upside down with FSV.”

This is the highest fine that the Dutch Data Protection Authority (AP) has ever imposed, and it reflects the seriousness of the violations as well as the number of people affected and the timespan over which the violations occurred.

How the fine could have been avoided: In this extraordinary case, the issues spread beyond data security, with intent and impact both being malicious. It looks like the Dutch Tax and Customs Administration could do with brushing up on not just GDPR rules, but discrimination and equality laws as well.

26. Eni Gas e Luce — €3 million ($3.6 million)

This fine is one of two imposed on the Italian gas and oil company Eni in December 2019. This is a complicated case involving the creation of new customer accounts—but it boils down to the failure of Eni to obey the GDPR’s principle of accuracy.

How the fine could have been avoided: Data protection is about more than just privacy—it also covers issues like records management. Eni should have ensured its customer records were kept accurate and up-to-date.

27. Capio St. Göran AB — €2.9 million ($3.4 million)

Capio St. Göran is a Swedish healthcare provider that received a GDPR fine following an audit of one of its hospitals by the Swedish DPA. The audit revealed that the company had failed to carry out appropriate risk assessments and implement effective access controls. As a result, too many employees had access to sensitive personal data.

How the fine could have been avoided: Conducting a data protection impact assessment (DPIA) is mandatory under the GDPR for controllers undertaking certain risky activities or handling large-scale sensitive data.

Eni should have conducted such an assessment to determine which staff required access to medical records. Access to sensitive personal data should be restricted to those who strictly require it.

28. Iren Mercato — €2.85 million ($3.4 million)

In June 2021, the Italian DPA fined energy company Iren Mercato for carrying out a telephone marketing campaign without obtaining proper consent. The phone calls were conducted by a third-party marketing company acting as a data processor.

How the fine could have been avoided: Many of the fines on our list relate to telemarketing and the failure to obtain GDPR-valid consent.

Remember that even when using third-party services to conduct marketing campaigns, you could still be directly liable under the GDPR if you fail to establish a valid legal basis for processing personal data.

29. Foodinho — €2.6 million ($3 million)

Groceries delivery service Foodinho received this substantial fine in June 2021, after the Italian DPA found the company had failed to obey the GDPR’s rules on “automated processing,” in this case the use of an algorithm to determine employees’ wages and workflow.

The company was also found to have violated the GDPR’s principle of “lawfulness, fairness, and transparency” by failing to provide employees with adequate information.

How the fine could have been avoided: Foodinho’s fine mainly relates to a relatively niche area of GDPR compliance—“solely automated processing with legal or similarly significant effects.”

In short, if you’re making purely AI-driven decisions about people that could affect their finances, employment, or access to services, you must ensure you provide a human review of such decisions.

30. National Revenue Agency (Bulgaria) — €2.6 million ($3 million)

This August 2019 fine against Bulgaria’s National Revenue Agency was issued after the organization suffered a data breach affecting 5 million people. The breached data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organizational measures to protect the personal data under its control.
How the fine could have been avoided: The Bulgarian National Revenue Agency should have conducted a thorough risk assessment of its processing operations and taken effective steps to safeguard personal data.

While it’s not clear what caused this data breach, it’s worth noting that the FBI’s Internet Crime Control Center cites email as the number one threat vector in cybercrime. By securing your company’s email systems, you’re cutting off one of your major vulnerabilities and significantly reducing the likelihood of a data breach.
What else can organizations be fined for under GDPR?

While the biggest fines involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.

In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But how do you prevent an accident? By focusing on people rather than systems and networks.

How does Tessian help organizations stay GDPR compliant?
Powered by machine learning, Tessian understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.

Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).

To learn more about how Tessian helps with GDPR compliance, you can check out this page, our customer stories or book a demo.
Compliance
GDPR: 13 Most Asked Questions + Answers
15 March 2022
1. Who’s enforcing GDPR?

In May 2018, the GDPR came into force across the whole of the European Union. The GDPR applies equally to all EU member states, but that doesn’t mean each country will enforce its requirements equally. Each member state handles enforcement and will have a regulatory body called a supervisory authority that will be in charge of auditing and enforcement.

28 different countries will handle enforcement. That means Germany, for example, is expected to be tougher on enforcement of GDPR than elsewhere on the continent, given that data protection is conducted at a state level. Conversely, the U.K. has traditionally been the member state to push back against any overtly data-privacy regime that could impede global trade.

2. What are the penalties for non-compliance with GDPR?

Penalties can be a fine up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The latter is the steeper penalty and the assumption is that it will be levied in severe cases when a company has totally disregarded data privacy. The supervisory authority decides the fine’s amount based on the circumstances and the violation level.

3. What is a GDPR Data Processing Operation?

A data subject is the person about whom data is being collected. The data controller is the person or organization that decides why personal data is held or used, and how it is held or used. Any person or organization that holds or uses data on behalf of the data controller is a data processor.

The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach.

4. How does the GDPR handle this?

GDPR refers to the time from detecting a breach to the time of notifying impacted parties about it.
However, part of the security for privacy concept is about being able to detect breaches and having best-practice tools and processes in place to do so.

5. What documentation do we need to prove that we’re GDPR compliant?

GDPR, compared to the Data Protection Act that it replaces, states there is a need to demonstrate compliance. According to Article 5(2) of the regulation, “The controller [i.e. your company] shall be responsible for, and be able to demonstrate compliance”.

It is a good idea to document everything about your GDPR process, so it is clear that you have taken the right investigative steps and have taken reasonable steps to fix any issues. You then have a document you can point to if you’re ever asked any questions.
6. What are the data requirements for GDPR?

- Data can only be processed for the reasons it was collected
- Data must be accurate and kept up-to-date, or else erased
- Data must be stored such that a subject is identifiable no longer than necessary
- Data must be processed securely

7. Is GDPR training mandatory for staff and management?

Anyone whose job involves processing personal data must undertake data protection and data handling training. This includes full-time staff, third-party contractors, temporary employees, and volunteers.

8. Does GDPR compliance differ based on the number of employees a company has?

GDPR doesn’t differentiate between the size of organizations.
9. What type of language should be included in a consent policy?

Check out the Tessian privacy policy, which shows you how detailed consent needs to be.

10. Is appointing a DPO mandatory?

GDPR requires appointing a DPO when an organization performs data processing on a large scale, processes certain types of data or processes data on an ongoing basis as opposed to a one-time process.

11. What happens if some data is processed outside the EU?

The GDPR allows for data transfers to countries deemed by the European Commission to provide an adequate level of personal data protection. In the absence of such a decision, transfers to non-EU states are also allowed under certain circumstances, such as standard contractual clauses or binding corporate rules.

12. Does GDPR affect US-based companies?

Any U.S. company that has a web presence and markets its products over the web will have to take notice. Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

13. If we are based in the US, have EU citizen data and experience a breach, who do we notify?

There are rules around what authority should be notified based on criteria like the situation, the organization and where the processing occurs.

How can Tessian make you GDPR Compliant?

Under GDPR, an organization is most likely to suffer a fine or penalty due to data loss through a misdirected email. Misdirected emails were the number one form of data loss reported to the Information Commissioner’s Office (ICO) in 2017. Some notable examples of penalties issued by the ICO for misaddressed emails include 56 Dean Street Clinic, which was fined £180,000 for inadvertently disclosing the identities of HIV positive patients, and Dyfed-Powys Police, which was fined £150,000 for inadvertently disclosing the identities of registered sex offenders to a member of the public.
GDPR forces organizations to report all personal data breaches to the appropriate governing body and maintain a register of these internally. Under GDPR, organizations have an obligation to report misdirected emails to the ICO and face fines of up to 4% of global turnover depending on the severity of the breach. Given that misdirected emails are the number one type of data security incident currently reported to the ICO, this should be of significant concern for all organizations in the transitioning years toward GDPR.

Tessian uses machine learning to automatically detect when emails are being sent to the wrong person, allowing organizations to both prevent information being sent to the wrong person and, crucially, retain an audit log of warning messages shown to users when sending emails and the response that the user made to the warning that was shown.

The audit feature and preventative nature of Tessian align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).

Furthermore, with increasing numbers of firms adopting Tessian’s technology and their role in advising other companies in their transition to GDPR, simply relying on staff being as careful as possible and on internal training becomes an untenable posture when protecting personal data.
Compliance
Fostering a Risk-Aware Culture is Key to Ensuring Your Organization’s Cybersecurity
By John Filitz
08 March 2022
Operational complexity and risk are increasing. As the pandemic and the war unfolding in Ukraine have laid bare, risk can manifest unexpectedly. On the cybersecurity front, the risk faced by organizations is increasing steadily year-over-year, with threat actors continuously refining attack methodologies. This in part explains why the cost and impact of cybercrime damages is expected to reach $10.5 trillion by 2025 – a 350%+ increase from 2015.
Cyber threats are increasing

In response to this shifting cyber threatscape, the US government issued an Executive Order on the 12th of May 2021, recognizing the need to strengthen the nation’s cybersecurity posture for public and private sectors alike. The war against Ukraine has increased the threat of nation-state cyber attacks and has underscored the need to improve cyber resiliency for both the public and private sectors. This has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a Shields Up notice for heightened awareness and increased protection for critical assets.

The Shields Up guidance includes the following recommendations:

Reduce the likelihood of a damaging cyber intrusion
- Validate remote access
- Ensure software is up to date
- Disable all non-essential ports and protocols

Take steps to quickly detect a potential intrusion
- Identify and quickly assess unusual network activity
- Ensure the organization’s network is protected by antivirus/anti-malware software

Ensure that the organization is prepared to respond if an intrusion occurs
- Designate a crisis-response team
- Assure availability of key personnel
- Conduct a table-top exercise so that all participants understand their roles during an incident

Maximize the organization’s resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored, i.e. a Recovery Time Objective in hours rather than days

The Shields Up guidance also calls for empowering CISOs, lowering the barriers to reporting threats, as well as focusing on investments and resilience that support critical business functions. It also recommends planning for the worst-case scenario, like disconnecting high-impact parts of the network in the event of an intrusion.

As CISA rightly pointed out, basic cybersecurity best practice is important, too.
This includes:

- Multi-factor authentication
- Updating and patching software
- Improving email security defenses to prevent phishing attacks
- Having an effective password policy in place and using strong passwords
The importance of a risk-aware culture

Moving beyond the Shields Up guidance, improving cybersecurity for critical and non-critical industries alike starts with ensuring that organizations have adopted a risk-aware mindset and culture. Evidence of this includes having well-developed and routinely exercised business continuity and disaster risk reduction plans – and ensuring that these are regularly updated in accordance with the business strategy and objectives.

Routinely reviewing the risk and threatscape is important, too. In addition to cyber risk, some of the other key risks to consider in risk mitigation planning include environmental disaster risk, biological risk and man-made risks, such as insider threats, accidents and geopolitical risk.

But the reality for most organizations is that it’s difficult to balance risk mitigation with a slew of other competing priorities.

Part of the challenge facing risk managers and risk mitigation efforts often includes inadequate resourcing (financial and non-financial). But the greatest impediment is the lack of prioritization of risk mitigation by the C-Suite as a business-critical function.

Although the importance of prioritizing cybersecurity is starting to get due attention, the roots of the problem stem from the early days of viewing cybersecurity as a strictly IT function. As businesses digitally transform, data and information systems are now seen as the lifeblood of business.

Successful businesses are increasingly fostering a risk-aware culture that prioritizes the importance of cybersecurity along with key business objectives. These leaders understand that the robustness of the risk and cybersecurity posture can determine whether a business survives a cyber disaster event.

Viewed this way, the cybersecurity resiliency of a business is integral to the business achieving its desired objectives.
Getting C-Suite buy-in

Getting C-Suite buy-in for cybersecurity initiatives can often be challenging. We have detailed a number of ways to get the necessary buy-in. At a high level, the three steps are:

Firstly, it’s about getting the C-suite to understand the risk and whether the current cybersecurity posture is commensurate with the threatscape.

The second step entails quantification of that risk. It’s important to quantify what the financial fall-out would be from a successful cyber attack. There are also important non-financial aspects that need to be considered, such as reputational damage and a loss of customer trust.

Finally, it’s about understanding the business criticality of being able to successfully recover your data and information systems in the event of an attack, in the shortest possible time frame. The longer a business does not have access to its data and information systems, the greater the risk of catastrophic business failure.
Taking a business-critical approach to risk and cybersecurity planning

Given the importance of fostering a risk-aware culture and prioritizing cybersecurity as a business-critical function, it is imperative that businesses routinely review the current and emerging threatscape – and take appropriate action.

As the past 24 months have borne out, risks that might not have been in view for decades can manifest within a short time frame.

A key part of taking a business-critical approach to risk and cybersecurity entails regularly testing cyber defenses and ensuring that emerging threats are addressed as they arise, and with the urgency that they deserve.

Additional resources

To help ensure you’re prepared for today’s threats, we’ve included some resources from CISA and the UK’s National Cyber Security Centre (NCSC):

- CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure: https://lnkd.in/gg2vRd29
- CISA: Shields Up guidance: https://lnkd.in/dceQ9YGJ
- CISA: Known Exploited Vulnerabilities (KEV) Catalog: https://lnkd.in/gRGpREQS
- CISA: Insights on Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure: https://lnkd.in/dntwU2DK
- CISA: Free Public and Private Sector Cybersecurity Tools and Services: https://lnkd.in/dgUvqMwK
- Guidance from the UK’s NCSC on what actions to take when the cyber threat is heightened: https://lnkd.in/dMem_PaH
Compliance
Everything You Need to Know About CIS Controls
01 February 2022
Every organization should constantly be striving to improve its cybersecurity posture. The best way to achieve this is to implement a cybersecurity framework.

While there are several cybersecurity frameworks to choose from, following the Center for Internet Security Critical Security Controls (CIS Controls) is an excellent way for an organization of any size to reduce the risk of a cyberattack.

The framework provides a comprehensive set of security controls to help you identify and detect threats, protect against and respond to cyberattacks, and recover from any attacks that may slip through your defenses.

This article will look at the latest version of the CIS Controls and provide a detailed overview of how you can meet the framework’s requirements.

Want to explore other frameworks? Check out this guide, which broadly covers the NIST Framework, ISO 27000 Series, and PCI-DSS, in addition to CIS Controls.
CIS Controls: The basics

The CIS Controls are a framework of 18 different types of security controls you can put in place to improve your company’s information security and cybersecurity; the framework is well-respected and considered a good security baseline for most organizations.

Note: before the latest CIS Controls update (version 8, released May 2021), there were 20 Controls.

It’s worth noting that in a 2016 California Data Breach Report, Kamala Harris (yes, that Kamala Harris, who was California Attorney-General at the time) said that meeting all 20 CIS Controls represents a reasonable level of security.
Safeguards

Each Control is a broad class of security control and comes with several Safeguards (previously called “Subcontrols”) that provide specific means of implementing the Control. There are 153 Safeguards in total—between 5 and 14 within each Control group.

There are five types of Safeguard:

- Identify
- Detect
- Protect
- Respond
- Recover

It is advisable to work through the Safeguards in order of priority, starting with Identify.
Implementation Groups

Because the CIS Control framework is designed for businesses of all sizes, the framework also distinguishes three “Implementation Groups” (IGs)—types of organizations distinguished by company size and level of resources.

Here’s a good way to think of how the IGs differ:

- IG1 companies are typically smaller businesses without much cybersecurity expertise.
- IG2 companies have employees specifically dedicated to looking after cybersecurity.
- IG3 companies have employees specializing in different aspects of cybersecurity.

However, even if your organization is very large and well-resourced, the Center for Internet Security recommends that “every enterprise should start with IG1.” Get the basics in place (if you haven’t done so already) before moving on to the more complex controls.
The CIS Controls

Now let’s dive in—we’re going to look at the basic requirements of each CIS Control and list three representative Safeguards for each.

Control 1: Inventory and Control of Enterprise Assets

Control 1 requires that you actively manage all enterprise assets (such as workstations, mobile devices, and servers) that are either connected to your infrastructure—physically, virtually, or remotely—or within the cloud.

Having total knowledge and control over your assets might be challenging—particularly in the age of remote working—but it’s a vital foundation for your security program.

Control 1 Safeguards include:

- Establishing and maintaining an asset inventory (all IGs)
- Using an active discovery tool to detect assets (IGs 2 and 3)
- Using a passive asset discovery tool (IG3 only)
CIS Control 2: Inventory and Control of Software Assets

Control 2 focuses on control of software assets—the operating systems and apps that your company uses—to ensure that only authorized software can operate on your systems.

As with Control 1, Control 2 reinforces the principle that a detailed knowledge of your assets is crucial to protecting your systems. Using reputable software and keeping it patched is an essential part of keeping threat actors at bay.

Control 2 Safeguards include:

- Establishing and maintaining a software inventory (all IGs)
- Using automated software inventory tools (IGs 2 and 3)
- Running an allowlist of authorized scripts (IG 3 only)
CIS Control 3: Data Protection

Control 3 requires organizations to maintain good data protection practices: properly identifying, classifying, securing, storing and deleting data.

Data might be your company’s most important asset—and you have a legal and ethical responsibility to protect the data in your control.

Control 3 Safeguards include:

- Establishing and maintaining a data management process (all IGs)
- Establishing and maintaining a data classification scheme (IGs 2 and 3)
- Deploying a Data Loss Prevention solution (IG 3 only)

The CIS Controls framework notes: “While some data is compromised or lost as a result of theft or espionage, the vast majority are a result of poorly understood data management rules, and user error.”

Employing an email security solution is a simple and effective way to prevent data loss through social engineering attacks like phishing, 96% of which are conducted via email.

Read more about why Tessian is a key way of meeting your organization’s data protection requirements.
CIS Control 4: Secure Configuration of Enterprise Assets and Software

Control 4 involves the secure configuration of enterprise assets (such as your company’s devices and servers) and software (the operating systems and applications your company uses).

Your devices and apps might not come fully configured for optimal security. Software developers and hardware manufacturers want their products to be easy to use—but the most convenient settings are rarely the most secure.

It’s important to ensure your assets are appropriately configured to offer the best protection against threats.

Control 4 Safeguards include:

- Establishing and maintaining a secure configuration process (all IGs)
- Enforcing automatic device lockout on mobile devices (IGs 2 and 3)
- Separating enterprise workspaces (i.e. work profiles) on mobile devices (IG 3 only)
CIS Control 5: Account Management

Control 5 is all about managing your user accounts, such as by controlling access and ensuring good password hygiene.

Admin accounts are a particularly significant target for cyberattacks. If a malicious actor gains access to an admin account, they could get control over large portions of your systems and assets.

Control 5 Safeguards include:

- Establishing and maintaining an inventory of accounts (all IGs)
- Using unique passwords (all IGs)
- Centralizing account management (IGs 2 and 3)
CIS Control 6: Access Control Management

Control 6 is closely linked to Control 5 (Account Management), but it focuses on your ability to create, assign, manage, and revoke access to different types of accounts.

Managing access to accounts is crucial, but so is assigning specific roles to each type of account. You also need to be able to easily provision and de-provision access in the event of a cyber incident.

Control 6 Safeguards include:

- Establishing an access-granting process (all IGs)
- Establishing and maintaining an inventory of authentication and authorization systems (IGs 2 and 3)
- Defining and maintaining role-based access control
CIS Control 7: Continuous Vulnerability Management

Control 7 helps you develop a plan to monitor and address security vulnerabilities, minimizing the opportunities for attackers. Attackers are often one step ahead of security teams and can utilize “zero-day vulnerabilities” to take organizations by surprise. However, a diligent approach to monitoring, assessing and tracking vulnerabilities makes life a lot harder for threat actors.

Control 7 Safeguards include:

- Establishing and maintaining a vulnerability management process (all IGs)
- Performing automated vulnerability scans of internal enterprise assets (IGs 2 and 3)
- Remediating detected vulnerabilities (IGs 2 and 3)
CIS Control 8: Audit Log Management

Control 8 is about logging events to help you better understand your security posture.

Logging and analyzing events allows you to better anticipate threats. Proper log management will help ensure attackers can’t access or erase your logs to hide their tracks.

Control 8 Safeguards include:

- Establishing and maintaining an audit log management program (all IGs)
- Standardizing log time synchronization (IGs 2 and 3)
- Collecting service provider logs (IG 3 only)
CIS Control 9: Email and Web Browser Protections

Email clients and web browsers are extremely common points of entry for attackers. Social engineering attacks remain among the most common causes of data breaches, and 96% of social engineering occurs via email. Of increasing concern is the growing sophistication of email-based threats, which makes static and rule-based approaches to detecting them increasingly ineffective.

According to Tessian platform data, nearly 2 million malicious emails slipped past customers’ Secure Email Gateways (SEGs) and other existing controls.

That’s why locking down your users’ email clients and web browsers is one of the most fundamental steps you can take toward better cybersecurity.

Control 9 Safeguards include:

- Using DNS filtering mechanisms (all IGs)
- Implementing DMARC (IGs 2 and 3)
- Deploying and maintaining email server anti-malware protections (IG 3)

Many of the protections outlined in CIS Control 9 can be realized, and in fact taken to a new level of protection, through the use of next-gen, behavioral-based and adaptive email security solutions such as Tessian.

Unlike the static, rule-based approaches of legacy email security providers such as SEGs, which rely on DNS filtering and DMARC, Tessian’s algorithm is able to map your users’ normal communication patterns to detect and prevent email-based attacks from occurring, in real time.
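To make the “Implementing DMARC” Safeguard concrete, here is an added example (not code from this page, from CIS, or from Tessian) that parses a domain’s DMARC TXT record and reports whether the policy actually enforces anything. A record that exists but says p=none, or that applies the policy to only a fraction of mail via pct, satisfies the letter of the Safeguard without blocking spoofed mail. The record strings are constructed, example.com is a placeholder domain, and fetching the live record (the TXT record at _dmarc.<domain>) is assumed to happen elsewhere.

```python
"""Parse a DMARC TXT record and assess whether it enforces a policy.

Added example, not code from the page, CIS, or Tessian. The record
strings below are constructed; example.com is a placeholder domain, and
fetching the live record (the TXT record at _dmarc.<domain>) is assumed
to happen elsewhere.
"""
from __future__ import annotations

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records, from weakest to strongest.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "broken": "p=reject",
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs.

    RFC 7489 requires the record to begin with v=DMARC1; anything else is
    not a DMARC record and receivers will ignore it.
    """
    parts = [p.strip() for p in record.split(";")]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record does not start with v=DMARC1")
    tags: dict[str, str] = {}
    for part in parts:
        if not part:
            continue  # trailing ';' leaves an empty part
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return policy, pct, whether the record enforces, and a list of findings."""
    result = {"policy": None, "pct": 0, "enforcing": False, "findings": []}
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        result["findings"].append(str(exc))
        return result

    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        result["findings"].append("missing or invalid p= tag; receivers ignore the record")
        return result
    result["policy"] = policy

    # pct defaults to 100; anything lower applies the policy to a sample only.
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        pct = 0
        result["findings"].append("invalid pct= value")
    result["pct"] = pct

    if policy == "none":
        result["findings"].append("p=none only monitors; mail failing DMARC is still delivered")
    elif pct < 100:
        result["findings"].append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if tags.get("sp") == "none" and policy != "none":
        result["findings"].append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        result["findings"].append("no rua= address: aggregate reports will never arrive")

    result["enforcing"] = policy in ("quarantine", "reject") and pct == 100
    return result


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, assess_dmarc(rec))
```

The useful output is the findings list rather than a pass/fail: a domain can move from p=none to p=quarantine with a low pct and then to p=reject at pct=100, and the aggregate reports (rua) are what tell you which legitimate senders would break at each step.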
CIS Control 10: Malware Defenses

Malware (malicious software) includes threats such as viruses, ransomware, and spyware.

In addition to securing your organization’s entry points (such as email and web browsers), you should be scanning your networks and devices for evidence of malware infection.

Control 10 Safeguards include:

- Deploying and maintaining anti-malware software (all IGs)
- Configuring automatic scanning of removable media (IGs 2 and 3)
- Using behavior-based anti-malware software (IGs 2 and 3)

CIS Control 11: Data Recovery

Effective security means maintaining access to critical data. If your organization is attacked, you must be able to recover your IT systems and data quickly.

Control 11 Safeguards include:

- Establishing and maintaining a data recovery process (all IGs)
- Protecting recovery data (IGs 2 and 3)
- Testing data recovery (IG 3 only)
CIS Control 12: Network Infrastructure Management

Network infrastructure includes gateways, firewalls, wireless access points (WAPs), and routers.

Because network infrastructure is an essential element of your defense against cyberattacks, it’s crucial that you ensure the network devices themselves are secure and properly configured.

Control 12 Safeguards include:

- Ensuring network infrastructure is up to date (all IGs)
- Centralizing network Authentication, Authorization, and Auditing (AAA) (IGs 2 and 3)
- Establishing and maintaining dedicated computing resources for all administrative work (all IGs)

CIS Control 13: Network Monitoring and Defense

Despite your best efforts, network security controls can fail. You must be able to detect and defend against any attacks that break through your network defenses.

Network monitoring and defense is a relatively advanced control and does not contain any Safeguards recommended for IG1 organizations.

Control 13 Safeguards include:

- Centralizing security event alerting (IGs 2 and 3)
- Deploying a host-based intrusion detection solution (IGs 2 and 3)
- Deploying a network intrusion detection solution (IGs 2 and 3)
CIS Control 14: Security Awareness and Skills Training

Everyone in your organization is responsible—to some extent—for security. Getting your whole team on the same page through security awareness training is a necessary (but insufficient) step toward better security.

Control 14 Safeguards include:

- Establishing and maintaining a security awareness program (all IGs)
- Training workforce members to recognize social engineering attacks (all IGs)
- Conducting role-specific security awareness and skills training (IGs 2 and 3)

Note that, while vital, security awareness training is not enough to protect your organization from cyberattacks. Increasingly, organizations are understanding that context-aware and in-the-moment security awareness training is essential to improving cybersecurity culture.
CIS Control 16: Application Software Security

If your organization develops software applications—either for commercial distribution or in-house use—you must ensure these apps are secure.

Application software security is a relatively advanced control and does not contain any Safeguards recommended for IG1 organizations.

Control 16 Safeguards include:

- Establishing and maintaining a secure application development process (IGs 2 and 3)
- Performing “root cause” analysis on security vulnerabilities (IGs 2 and 3)
- Conducting threat modeling (IG 3 only)

CIS Control 17: Incident Response Management

Your security program must cover all bases—protection and detection of threats is crucial, but so is responding to and recovering from successful attacks.

Control 17 Safeguards include:

- Designating personnel to manage incident handling (all IGs)
- Establishing and maintaining an incident response process (IGs 2 and 3)
- Establishing and maintaining security incident thresholds (IG 3 only)

CIS Control 18: Penetration Testing

Penetration testing (or “pen-testing”) puts your defenses to the test.

Conducting independent assessments of your security posture is an important way to identify gaps and weak points that could let “real world” attackers through.

Penetration testing is a relatively advanced control and does not contain any Safeguards recommended for IG1 organizations.

Control 18 Safeguards include:

- Establishing and maintaining a penetration testing program (IGs 2 and 3)
- Performing periodic external penetration tests (IGs 2 and 3)
- Performing periodic internal penetration tests (IG 3 only)
Email and CIS Controls

While organizations have dozens of threats and entry points to consider, and must have a well-rounded security stack to prevent attacks and breaches, email is mentioned in at least three controls. Control 9 specifically calls for the hardening of email and web browser protections, and underscores the susceptibility of users to successful social engineering attacks.

But email remains a significant threat vector.

In spite of mature email security vendor offerings, breaches continue to proliferate. Phishing, Business Email Compromise (BEC) and account takeover (ATO) incidents are growing year-over-year and are responsible for 70 to 90% of all cybersecurity breaches. Malicious emails were also responsible for 54% of successful ransomware attacks in 2020. A further cybersecurity threat vector that has until recently been unaddressed is unauthorized data exfiltration, either accidental or malicious – seen as a leading reported incident. Given the increasing sophistication of email-based attacks, the importance of having industry-leading email security protection in place must be reemphasized.

Tessian can help
How can Tessian help you lock down email?

This is why enterprises are replacing legacy email security solutions with the next generation of intelligent email security protection from Tessian. By using industry-leading machine learning, the dynamic real-time protection is enhanced with each threat mitigated, guaranteeing unparalleled protection against all email-based attack vectors, including insider threats.

Key features include:

- Advanced Spear Phishing Protection
- Advanced Attachment and URL Protection
- Internal Impersonation & CEO Fraud
- Advanced Spoof Detection
- Counterparty & Vendor Impersonation
- Brand Impersonation
- External Account Takeover
- Invoice Fraud
- Bulk Remediation
- Automated Quarantine
- Threat Intelligence
- Insider Threat Management
- Accidental & Malicious DLP
Compliance
The Ultimate Guide to Compliance
By Andrew Webb
21 December 2021
Unless you’re operating out of somewhere like Somalia, nearly every country in the world has some form of legally binding compliance standards or requirements that cover cybercrime, data security, preventing attacks, litigation, and investigation.  These requirements can further vary (even in the same country) depending on the sector your organization operates in. But whatever the location and sector, to ensure good compliance you need to secure the information your organization handles, and have processes and procedures in place should anything happen to that data.
Security v Compliance

Firstly, let’s explore the difference between security and compliance. Security and compliance are separate functions that help businesses ensure data protection. We take a comprehensive look at the difference between the two in this article, but the following sums it up.

Security is the infrastructure, tools, and policies you put in place to protect your company’s information and equipment. Compliance is the act of meeting a required set of security and regulatory standards. It means protecting the confidentiality, integrity, and availability of data that your company holds.

They’re obviously very closely linked, but each should drive and counterbalance the other.
Six Steps to (Re)designing Your Compliance

Whether you’re new in the role and starting from scratch, or just routinely updating your compliance procedures, there are a few basics you need to cover. We’ve outlined the six key steps in this handy infographic, but here are the key things.
Firstly, before you can protect your assets, you have to know what you have. Identify all of your organization’s applications, devices, servers, and people. These items are constantly subject to change, so a regular periodic re-examination is a good idea.

From there, prioritize. Some data is more sensitive than other data, some vectors are more vulnerable than others, and you’ll need consent to even process some types of data. More on this below…

After you know what you have – and what’s most important to protect – you can start exploring technology, policies, and procedures that will help you build an effective data loss prevention (DLP) program. This will include network, application, cloud, email, and physical security.

Once you’ve identified what data you need consent to process, the next step is actually formulating the consent request. Where does it appear? How much information do you include? What language do you use? You’ll also need to set up a process for recording and managing consent and a seamless process for customers to withdraw their consent.
Compliance Requirements Around the World

What sort of compliance rules you have to follow depends on where you’re based and where you process data. For example, the data from any EU citizen is covered by Europe’s GDPR legislation, ‘no matter where in the world the data processing takes place’. Finally, as you’ll see below, different sectors have different types of oversight, too. This is why getting your compliance house in order is crucial to your organization’s smooth governance.
1: Europe — GDPR. In 2018 the European Union’s landmark data privacy legislation came into force (there’s a full timeline of its development and impact here if you want to really geek out). GDPR, or adaptations of it, were swiftly adopted by other countries around the world, while others either designed their own set of regulations or beefed up existing ones.
2: Brazil — Brazilian General Data Protection Law (LGPD). Known as “Brazil’s GDPR,” the LGPD imposes data processing principles on all organizations and provides consumers with legal rights.
3: Canada — Personal Information Protection and Electronic Documents Act (PIPEDA). A comprehensive privacy law that applies to all private sector organizations (unless covered by provincial privacy law).
4: Argentina — Personal Data Protection Act. A comprehensive privacy law that applies to all people and organizations doing business in Argentina.
5: Switzerland — Federal Act on Data Protection (FADP). Like the GDPR, but with smaller fines — and it also applies to “legal persons” (e.g. corporations).
6: Nigeria — Nigerian Data Protection Regulation 2019 (NDPR). A strict data protection law with similar wording to the GDPR, applying to anyone processing personal information in Nigeria.
7: India — Personal Data Protection Bill. A strict and sweeping data protection law working its way through India’s lawmaking bodies.
8: Australia — Privacy Act 1988. Imposes the 13 Australian Privacy Principles, such as transparency and security, on public bodies and businesses with a turnover of over AUD 3 million.
9: Japan — Act on the Protection of Personal Information (APPI). Applies to all private sector organizations and requires consent for the sharing of personal information.
10: New Zealand — Privacy Act 2020. Came into effect on December 1, 2020, with new data breach notification rules, bigger fines, and application to foreign businesses.
11: China — Personal Information Security Specification. One of several laws covering privacy and information security in China — aimed at businesses.
12: South Africa — Protection of Personal Information (POPI) Act. 2020 saw the POPI Act finally come into law in South Africa, and it is similar to several other African nations’ data privacy laws. Interestingly, one difference from the EU’s GDPR is that GDPR is extra-territorial, but POPI only applies to South African companies and when data is processed in South Africa. We’ve more on everything you need to know if you’re conducting business in South Africa in our Ultimate Guide below.
13: The USA — Unlike the EU and other nations, the USA doesn’t have a single, overarching piece of legislation. There are some privacy laws at the federal and state level – most notably the Health Insurance Portability and Accountability Act (HIPAA) covering the healthcare sector, the California Consumer Privacy Act (CCPA) in California, and the New York SHIELD Act.
The Biggest GDPR Fines

Legislators haven’t been afraid to bring non-compliance cases to court. In Europe there have been several high-profile fines for major enterprise organizations totaling hundreds of millions of dollars. We list out some of the biggest so far in this article, including such household names as Amazon (€746 million), WhatsApp (€225 million), Google (€50 million) and British Airways (€22 million). Incidentally, if you’re wondering where all that money goes, in the UK at least, it’s passed to the Treasury’s Consolidated Fund, and used to fund all public services, just like tax revenue.
But how has the threat of fines (and subsequent reputation damage) actually affected cybersecurity as an industry? Well, in the few years we’ve had GDPR we’ve seen cybersecurity become a business-critical function, which is big news for an industry that has historically struggled to communicate its value and ROI.
And with that, we’ve seen incredible innovation in security solutions, too. Indeed, the UK’s cybersecurity sector has grown by 44% since GDPR was rolled out. We explore more ways in which GDPR has altered the cybersecurity industry in this piece.

Compliance Legislation is Constantly Evolving

Not only are more countries bringing compliance laws onto the statute books, those that already have them are updating and adapting them too. In the USA, for example, the CCPA has been updated recently. The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, pushing the state statute closer to the GDPR.
Consequently, organizations must ensure compliance with the CCPA – integrating the demands of the CPRA – before it takes effect on January 1, 2023. We’ve a full round-up of US data privacy laws, and what they mean for your company, here.

As we’ve seen with the CCPA, legislation is under constant review and subject to change. Apply this across several jurisdictions and keeping on top of compliance can be a Sisyphean task.
Compliance Guidance by Sector

As stated, compliance isn’t just a geographical issue; it’s also a sector-based one. The legal sector, for example, is bound to strict compliance standards, as lawyers’ hard drives, email accounts, and smartphones can contain anything from sensitive intellectual property and trade secrets to the Personally Identifiable Information (PII) of clients. ISO/IEC 27037:2012, for example, has guidelines for the identification, collection, acquisition, and preservation of digital evidence.
Healthcare, too, is highly regulated, with strict regulatory compliance requirements like HIPAA and HITRUST. Healthcare organizations handle massive amounts of sensitive information such as medical records, PHI, and PII, both internally and in emails exchanged with third parties such as hospitals and insurance companies. Health care spending in the U.S. accounts for 18% of the nation’s gross domestic product, or about $3.5 trillion. That’s like a waterslide on a hot day to criminals, which is why health care is plagued by all types of cyber crime. This account of a ransomware attack on a Kentucky optometrist shows that even the smaller providers are being targeted.
Financial services are also subject to strict data regulation. In the USA, for example, the Gramm-Leach-Bliley Act (GLBA) covers any business that is “significantly engaged in providing financial products or services.” Yet breaches – whether intentional or accidental – are still happening. In our recent research report, we took a deep dive into Data Loss Prevention in Financial Services and revealed that data loss incidents are happening up to 38x more frequently than IT leaders currently estimate.
Guidance for the energy sector is provided by ISO/IEC TR 27019. Energy companies remain prime targets for attacks because if they don’t pay up, the lights go out. A recent survey found that 77% of U.S. energy companies are vulnerable to ransomware attacks. Even when infrastructure isn’t compromised, there’s still money to be had. One UK energy company even suffered what is thought to be the UK’s first deepfake attack.
Other Data Privacy Regulations by Industry

Other sectors and industries are covered by various legislation and information security management guidelines.

- App and software developers: Payment Card Industry Mobile Payment Acceptance Security Guidelines. Provides standards for accepting payments over mobile apps.
- Children’s online services: Children’s Online Privacy Protection Act (COPPA). US federal law applying to anyone operating a commercial website, online service, or mobile app aimed at children under 13.
- Cloud service providers: ISO/IEC 27017:2015. Code of practice providing information security standards for cloud service providers.
- Retail/eCommerce/payment processing: Payment Card Industry Data Security Standard (PCI DSS). Applies to all organizations that accept, transmit, or store information associated with payment cards.
- Manufacturers: Payment Card Industry PIN Transaction Security (PCI PTS). Helps manufacturers create secure payment-processing equipment.
Why CEOs Should Care About Compliance

The impact of compliance has forced cybersecurity from an IT issue to one at C-suite or board level. In fact, by 2024, Gartner believes CEOs will be held personally liable for data breaches. That’s why it’s essential the entire C-Suite understands the importance of privacy, data protection – and therefore cybersecurity – and how these functions can drive meaningful business outcomes.
It’s also worth mentioning that cybersecurity attacks can be highly damaging not only for businesses, but also CEOs themselves, often (very sadly) resulting in their resignation. Examples include Target CEO, Gregg Steinhafel, Equifax’s CEO Richard Smith, LandMark White’s Keith Perrett, and Chris Hylen of Imperva.  
It’s not just the CEO; the rest of the C-Suite should also have security top of mind. Cybersecurity is a team sport. That means that (like it or not) the responsibility and burden sits with everyone in the company, particularly the Chief Finance Officer (CFO).
How Tessian Helps

With 85% of data breaches caused by human error, and 90% of phishing occurring via email, it’s clear that securing your human layer is mission critical for your business. Here’s how Tessian does just that.

- Prevent Accidental Data Loss: Automatically prevent misdirected emails through in-the-moment and unobtrusive end user alerts; ensure emails are always sent to the right person.
- Prevent Insider Threats: Stop sensitive data exfiltration to unauthorized accounts automatically and create custom filters to detect non-compliant email activity.
- Protect Against Advanced Phishing Attacks: Protect your business from BEC, spear phishing, payload-less attacks and zero-day exploits; keep your employees, customers, and data safe.
- Drive Secure Email Behavior: Tessian’s in-the-moment training contextually guides employees towards safe and compliant email practices, reducing compliance risks.
- Gain Visibility and Reporting Capabilities: Gain full visibility on previously unknown threats over email and give administrators the ability to audit, investigate and report data loss events prevented by Tessian.
- Never Compromise Productivity: Stay compliant without disrupting work for your employees. Tessian detects anomalous employee behavior with high accuracy, has a very low flag rate, and only surfaces when threats are detected.
Data Exfiltration Email DLP Integrated Cloud Email Security Compliance
You Sent an Email to the Wrong Person. Now What?
By Maddie Rosenthal
04 October 2021
So, you’ve accidentally sent an email to the wrong person. Don’t worry, you’re not alone. According to Tessian research, over half (58%) of employees say they’ve sent an email to the wrong person.   We call this a misdirected email and it’s really, really easy to do. It could be a simple spelling mistake, it could be the fault of Autocomplete, or it could be an accidental “Reply All”. But, what are the consequences of firing off an email to the wrong person and what can you do to prevent it from happening?   We’ll get to that shortly. But first, let’s answer one of the internet’s most popular (and pressing) questions: Can I stop or “un-send” an email?
Can I un-send an email?

The short (and probably disappointing) answer is no. Once an email has been sent, it can’t be “un-sent”. But, with some email clients, you can recall unread messages that are sent to people within your organization.

Below, we’ll cover Outlook/Office 365 and Gmail.

Recalling messages in Outlook & Office 365

Before reading any further, please note: these instructions will only work on the desktop client, not the web-based version. They also only apply if both you (the sender) and the recipient use a Microsoft Exchange account in the same organization or if you both use Microsoft 365.

In simple terms: You’ll only be able to recall unread emails to people you work with, not customers or clients. But, here’s how to do it.

Step 1: Open your “Sent Items” folder
Step 2: Double-click on the email you want to recall
Step 3: Click the “Message” tab in the upper left-hand corner of the navigation bar (next to “File”) → click “Move” → click “More Move Actions” → click “Recall This Message” in the dropdown menu
Step 4: A pop-up will appear, asking if you’d like to “Delete unread copies of the message” or “Delete unread copies and replace with a new message”
Step 5: If you opt to draft a new message, a second window will open and you’ll be able to edit your original message

While this is easy enough to do, it’s not foolproof. The recipient may still receive the message. They may also receive a notification that a message has been deleted from their inbox. That means that, even if they aren’t able to view the botched message, they’ll still know it was sent. There’s more information about recalling emails in Outlook here.
Recalling messages in Gmail

Again, we have to caveat our step-by-step instructions with an important disclaimer: this option to recall messages in Gmail only works if you’ve enabled the “Delay” function prior to fat-fingering an email. The “Delay” function gives you a maximum of 30 seconds to “change your mind” and claw back the email.

Here’s how to enable the “Delay” function.

Step 1: Navigate to the “Settings” icon → click “See All Settings”
Step 2: In the “General” tab, find “Undo Send” and choose between 5, 10, 20, and 30 seconds.
Step 3: Now, whenever you send a message, you’ll see “Undo” or “View Message” in the bottom left corner of your screen. You’ll have 5, 10, 20, or 30 seconds to click “Undo” to prevent it from being sent.

Note: If you haven’t set up the “Delay” function, you will not be able to “Undo” or “Recall” the message. There’s more information about delaying and recalling emails in Gmail here.

So, what happens if you can’t recall the email? We’ve outlined the top six consequences of sending an email to the wrong person below.
What are the consequences of sending a misdirected email?

According to Verizon’s 2021 DBIR, misdelivery is the most common type of error to cause a breach. But is a breach the biggest consequence?

We asked employees in the US and UK what they considered the biggest consequences of sending a misdirected email. Here’s what they had to say.

Importantly, though, the consequences of sending a misdirected email depend on who the email was sent to and what information was contained within the email.

For example, if you accidentally sent a snarky email about your boss to your boss, you’ll have to suffer red-faced embarrassment (which 36% of employees were worried about).

If, on the other hand, the email contained sensitive customer, client, or company information and was sent to someone outside of the relevant team or outside of the organization entirely, the incident would be considered a data loss incident or data breach.

That means your organization could be in violation of data privacy and compliance standards and may be fined. But, incidents or breaches don’t just impact an organization’s bottom line. They could result in lost customer trust, a damaged reputation, and more.
Let’s take a closer look at each of these consequences.

Fines under compliance standards

Both regional and industry-specific data protection laws outline fines and penalties for the failure to implement effective security controls that prevent data loss incidents. Yep, that includes sending misdirected emails.

Under GDPR, for example, organizations could face fines of up to 4% of annual global turnover, or €20 million, whichever is greater.

And these incidents are happening more often than you might think. Misdirected emails are the number one security incident reported to the Information Commissioner’s Office (ICO). They’re reported 20% more often than phishing attacks.

Lost customer trust and increased churn

Today, data privacy is taken seriously, and not just by regulatory bodies.

Research shows that organizations see a 2-7% customer churn after a data breach, and 20% of employees say that their company lost a customer after they sent a misdirected email.

A data breach can (and does) undermine the confidence that clients, shareholders, and partners have in an organization. Whether it’s via a formal report, word-of-mouth, negative press coverage, or social media, news of lost – or even misplaced – data can drive customers to jump ship.

Revenue loss

Naturally, customer churn + hefty fines = revenue loss. But, organizations will also have to pay out for investigation and remediation and for future security costs.

How much? According to IBM’s latest Cost of a Data Breach report, the average cost of a data breach today is $3.86 million.

Reputation damage

As an offshoot of lost customer trust and increased customer churn, organizations will – in the long term – also suffer from a damaged reputation. Like we’ve said: people take data privacy seriously.

That’s why, today, strong cybersecurity actually enables businesses and has become a unique selling point in and of itself. It’s a competitive differentiator.
Of course, that means that a cybersecurity strategy that's proven ineffective will detract from your business.

But individuals may also suffer from a damaged reputation or, at the very least, will be embarrassed. For example, the person who sent the misdirected email may be labeled careless, and security leaders might be criticized for their lack of controls. This could lead to...

Job loss

Unfortunately, data breaches, even those caused by a simple mistake, often lead to job losses. It could be the Chief Information Security Officer, a line manager, or even the person who sent the misdirected email. Our Psychology of Human Error report found 1 in 4 people who made email mistakes at work subsequently lost their jobs.

It goes to show that security really is about people. That's why, at Tessian, we take a human-centric approach and, across three solutions, we prevent human error on email, including accidental data loss via misdirected emails.
How does Tessian prevent misdirected emails?

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. It turns an organization's email data into its best defense against human error on email.

Importantly, Tessian's technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization's email network.

That means that if, for example, you frequently worked with "Jim Morris" on one project but then stopped interacting with him over email, Tessian would understand that he probably isn't the person you meant to send your most recent (highly confidential) project proposal to. Crisis averted.

Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.
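The relationship idea described above can be made concrete with a small outbound check. The following is an added example, not Tessian's code or model: it builds a per-sender map of who they have emailed from sent-mail history, then flags each recipient of a new message that is unknown, whose domain closely resembles a known domain (a typo or a lookalike), or who the sender has not contacted in months. The sender and recipient addresses, the sent-mail history, the 90-day staleness window and the 0.85 similarity threshold are all constructed assumptions for illustration.

```python
"""Outbound recipient checks against a sender's email relationship history.
Added example with constructed data; not Tessian code or model output."""
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

INTERNAL_DOMAIN = "acme.example"        # assumption: the protected organization
STALE_AFTER = timedelta(days=90)        # assumption: a relationship is dormant after 90 days
LOOKALIKE_RATIO = 0.85                  # assumption: similarity above this means typo/lookalike

# Constructed sent-mail history: (date, sender, recipient)
HISTORY = [
    ("2021-01-04", "alice@acme.example", "jim.morris@vendor.example"),
    ("2021-01-18", "alice@acme.example", "jim.morris@vendor.example"),
    ("2021-02-02", "alice@acme.example", "jim.morris@vendor.example"),
    ("2021-05-03", "alice@acme.example", "priya@partner.example"),
    ("2021-05-20", "alice@acme.example", "priya@partner.example"),
    ("2021-06-01", "alice@acme.example", "bob@acme.example"),
]


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def build_baseline(history):
    """Per sender: recipient -> (message count, date of last contact)."""
    baseline = defaultdict(dict)
    for date, sender, rcpt in history:
        when = datetime.strptime(date, "%Y-%m-%d")
        count, last = baseline[sender.lower()].get(rcpt.lower(), (0, None))
        baseline[sender.lower()][rcpt.lower()] = (count + 1, when if last is None else max(when, last))
    return baseline


def closest_domain(candidate, known):
    """Most similar known domain and its similarity ratio (0..1)."""
    best, best_ratio = None, 0.0
    for k in known:
        ratio = SequenceMatcher(None, candidate, k).ratio()
        if ratio > best_ratio:
            best, best_ratio = k, ratio
    return best, best_ratio


def check_outbound(sender, recipients, now, baseline):
    """Return (recipient, severity, reason) findings for one outbound email."""
    contacts = baseline.get(sender.lower(), {})
    known_domains = {domain(r) for r in contacts} | {INTERNAL_DOMAIN}
    findings = []
    for rcpt in recipients:
        rcpt = rcpt.lower()
        dom = domain(rcpt)
        if rcpt in contacts:
            # Known recipient: only worry if the relationship has gone quiet
            _, last = contacts[rcpt]
            if now - last > STALE_AFTER:
                findings.append((rcpt, "low", f"stale relationship, last contact {(now - last).days} days ago"))
            continue
        if dom in known_domains:
            findings.append((rcpt, "low", "new recipient at a known domain"))
            continue
        near, ratio = closest_domain(dom, known_domains)
        if near is not None and ratio >= LOOKALIKE_RATIO:
            # e.g. partnr.example vs partner.example: a typo or an impersonation domain
            findings.append((rcpt, "high", f"domain resembles {near} (similarity {ratio:.2f})"))
        else:
            findings.append((rcpt, "medium", "first email to an unknown external domain"))
    return findings


def demo():
    """Run the check on a constructed outbound email; return {recipient: (severity, reason)}."""
    baseline = build_baseline(HISTORY)
    recipients = ["jim.morris@vendor.example", "priya@partner.example",
                  "priya@partnr.example", "bob@acme.example",
                  "dave@acme.example", "ops@newclient.example"]
    findings = check_outbound("alice@acme.example", recipients, datetime(2021, 6, 15), baseline)
    return {rcpt: (severity, reason) for rcpt, severity, reason in findings}


if __name__ == "__main__":
    for rcpt, (severity, reason) in demo().items():
        print(f"{severity.upper():6} {rcpt}: {reason}")
```

In the constructed run, the dormant vendor contact is flagged as stale, the typo domain partnr.example is flagged as a lookalike of partner.example, and the never-before-seen domain is flagged as unknown, while the two recipients with a live relationship produce no warning. A production system would additionally weigh the sensitivity of the content being sent; this example only scores the recipients.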
ATO/BEC Email DLP Compliance
5 Cyber Risks In Manufacturing Supply Chains
26 August 2021
When it comes to supply chain risks, cybersecurity and data loss are top of mind for security analysts and other professionals. The EU Agency for Cybersecurity (ENISA) notes that there has been a marked increase in such attacks since early 2020, and that most supply chain attacks target data (mainly personal information and intellectual property).

Manufacturers are typically involved in long and complex supply chains with many actors, making them particularly vulnerable to disruption and malicious activity in the supply chain. You must protect against these risks. Keep reading to learn more, including prevention tips.

Five manufacturing supply chain cyber risks

First, let's look at five crucial supply chain cyber risks for manufacturers. We'll then consider how manufacturers can improve their supply chain cybersecurity, referencing some real-life examples.

1. Intellectual property theft

One major concern for manufacturers is that third parties in their supply chain may abuse their access to intellectual property and other valuable or sensitive data. According to research by Kroll, guarding against supply chain IP theft is a priority for nearly three-quarters of companies.

Even if all your supply chain partners are legitimate, there is always the possibility that a rogue employee could steal your IP or trade secrets and pass them on to your competitors. Don't believe us? Check out these 17 examples of real-world insider threats.

2. Supply chain attacks

Supply chain attacks leverage security vulnerabilities to steal data and spread malware such as ransomware. Two recent high-profile examples are the attacks involving SolarWinds and Kaseya. In the SolarWinds case, attackers trojanized a legitimate software update that the vendor then distributed to its customers; in the Kaseya case, attackers exploited vulnerabilities in the VSA remote management product to push ransomware to managed endpoints through its update mechanism. Either way, a trusted software channel was turned into a malware delivery path.

There's a reason that supply chains are particularly vulnerable to cyberattacks.
The more organizations are involved in a manufacturing process, the greater the likelihood that one of the members will fall victim to a cyberattack and spread malware to their business partners. But that doesn't mean that the chain is "only as strong as its weakest link." A well-defended organization can stop a supply chain attack in its tracks.

Case study: supply chain attack

Here's an example of a supply chain attack that leveraged email in an attempt to undermine a company's security defenses. This type of threat is known as an account takeover (ATO) attack. The cybercriminals targeted a medium-sized construction firm by first infiltrating one of the company's trusted vendors.

The attackers managed to take over the email account of one of this vendor's employees. By reading the employee's emails, the criminals learned that the employee was in contact with several high-ranking staff members at the construction firm.

After observing the employee's communication patterns and email style, the attackers then used the mailbox to send phishing emails to a targeted group of individuals at the construction firm.

The phishing emails encouraged the recipients to click a link to a cloud storage folder, claiming that the folder contained a request for proposal. Clicking the link would have downloaded malware onto the recipient's device. Because the emails were sent from the vendor's genuine mailbox, sender authentication checks such as SPF and DKIM would pass; any warning has to come from the behavior of the message, not its origin.

Protecting against supply chain attacks

Protecting against supply chain attacks requires a comprehensive cybersecurity policy, including staff training, network defenses, and security software. Implementing email security software is a vital part of your defensive strategy in the case of email-based supply chain attacks, such as the one above.

The case study above is a real-life example of how Tessian, a comprehensive email security solution driven by machine learning, can help thwart supply chain attacks. Tessian Defender scans inbound emails for suspicious activity.
The software also learns your employees' communication patterns to understand what constitutes "normal" email activity.

In the attack described above, Tessian noted several subtle signs, including the sender's location and choice of cloud storage platform, suggesting that the email could be part of a supply chain attack. Tessian alerted the employee to the potential danger, and the supply chain attack was averted.

It's important to note that legacy email security software, which normally operates on a rule-based basis, can fall short when it comes to sophisticated account takeover attacks like this. Tessian was not the only security product this construction firm was running. But it was the only one to spot the attack.

3. Compromised hardware and software

Malicious actors can compromise hardware and software during the manufacturing process, creating vulnerabilities that are passed on down the supply chain or to equipment end-users. Hardware can be tampered with at any stage in the supply chain. As a manufacturer, you might obtain compromised hardware, or malicious actors could interrupt the manufacturing process downstream, tampering with products to install rootkits or other technologies.

But as a manufacturer, you must also protect against threats in your own portion of the supply chain, where internal or external actors could interfere with the products or components you create.

Case study: compromised software

In August 2020, reports emerged that Chinese phone manufacturer Transsion had shipped thousands of mobile devices containing pre-installed malware that signed users up to subscription services without their consent.

The pre-installed malware, known as Triada, automatically downloads and installs a trojan called "xHelper" that cannot be easily removed by users.
The program covertly submits requests for subscription products at the user's expense. Transsion blamed a malicious actor in its supply chain for installing Triada on its devices, but the culprit has yet to be discovered.

Defending against software compromise

One step towards avoiding any type of malicious actor in your supply chain is conducting thorough due diligence. Identify and document all supply chain partners; as mentioned, you could be accountable for their malicious or negligent activity.

Integrating cybersecurity measures into your quality assurance regime may also be a way to prevent upstream malicious actors from tampering with firmware before your manufacturing process takes place.

And as we've seen, it's crucial to protect your own systems from cyberattacks, which means ensuring the security of key communications channels like email.

4. Downstream software or hardware security vulnerabilities

It's vital to protect data against access by other parties in your supply chain. But even if you could trust your supply chain partners not to steal your data, you must also ensure that they don't make it accessible to unauthorized third parties.

No matter how much work you put into protecting your own systems from unauthorized access, your efforts could be rendered futile by software or hardware vulnerabilities among other parties downstream.

5. Legal non-compliance

In addition to maintaining poor cybersecurity practices that directly impact your own organization's security, third parties in the supply chain may follow poor information security practices for which you could be liable.

Case study: third-party legal non-compliance

In 2019 a U.K. pharmaceuticals company was fined after a third-party contractor left documents containing personal information publicly accessible in unsecured containers.

Under the GDPR, "data controllers" are responsible for many of the actions of their service providers.
As such, the pharmaceuticals company was deemed liable for the error. The firm received a fine and engaged in a drawn-out legal battle with the U.K.'s data regulator.

Mitigating poor security practices among third parties

Research is crucial to ensure you're working with reputable third parties that will undertake compliant and responsible data protection practices. Contracts stipulating particular security measures are also important. Such agreements can also contain contractual clauses that serve to indemnify your company against legal violations by the other party.

Under some data protection laws, including the GDPR and the upcoming Colorado Privacy Act, service providers processing personal information on another company's behalf are required to submit to audits and inspections. Routinely inspecting the data security practices of your vendors and other service providers is an excellent way to ensure they are meeting their compliance obligations on your behalf.

How to prevent manufacturing supply chain risks

In general, manufacturers can manage cyber risks in supply chains via a robust and comprehensive cybersecurity program. Here are some key cybersecurity principles for supply chain management from the National Institute of Standards and Technology (NIST):

Assume your systems will be breached. This means considering not only how to defend against breaches, but determining how you will mitigate breaches once they have occurred.
Think beyond technology. Cybersecurity is also about people, processes, and knowledge.
Cybersecurity also means physical security. Threat actors can use physical security vulnerabilities to launch cyberattacks.

Implementing a cybersecurity framework is key to defending against supply chain threats. Manufacturers of any size can work towards cybersecurity framework compliance, implementing controls according to their resources and priorities.
The NIST Cybersecurity Framework Version 1.1 Manufacturing Profile (NISTIR 8183 Revision 1) is an excellent starting point for manufacturers. For more information about the NIST framework, read our article on NIST and email security.

More specifically, manufacturers should be taking the following steps to protect their data and systems in supply chains:

Identify and document all supply chain members
Conduct careful due diligence on parties in the supply chain
Require supply chain partners to contractually agree to maintain good cybersecurity and data protection practices
Ensure inbound communications (particularly via email) are scanned for signs of phishing and other social engineering attacks
Scan outbound communications to prevent data loss
Ensure all employees are aware of the risks and their responsibilities

Email is a key supply chain vulnerability

Of all the risks inherent to working in a supply chain, cyberattacks are perhaps the most critical in the current climate.

As ENISA notes, most supply chain attacks use malware to target company data. We also know that 96% of phishing attacks, which are the primary means of infecting business networks with malware, take place via email. The bottom line: email security is a crucial step for manufacturers to defend against supply chain cyber risks.
Compliance
NIST Cybersecurity Framework and Email Security
25 August 2021
If you're looking to improve your organization's cybersecurity, the NIST Cybersecurity Framework provides an excellent starting point.

Compliance with the NIST Cybersecurity Framework enables you to:

Describe your current cybersecurity posture ("Current Profile")
Identify your target cybersecurity state ("Target Profile")
Continuously identify and prioritize vulnerabilities

While email security isn't the only component, it is a vital component of your organization's overall cybersecurity program. So how can levelling up your email security bring you closer towards your NIST Target Profile?

First, let's look at the overall structure of the Framework. Then we'll consider how developing your organization's email security is a key step towards NIST Cybersecurity Framework compliance.

NIST Cybersecurity Framework Structure

At its broadest level, the NIST Cybersecurity Framework consists of three parts: Core, Profiles, and Tiers (or "Implementation Tiers").

Core: Functions, Categories, Subcategories

Think of the Core of the NIST Framework as a three-layered structure.

At its topmost level, the Core consists of five Functions:

Identify: Develops an organizational understanding to manage cybersecurity risk
Protect: Outlines appropriate safeguards to ensure delivery of critical services
Detect: Outlines activities designed to detect cybersecurity incidents
Respond: Outlines activities to take during an incident
Recover: Outlines activities to take after an incident

Then, at the next level down, each Function consists of Categories focusing on business outcomes. There are 23 Categories split across the five Functions (with 108 Subcategories beneath them in Framework version 1.1). Here are a few examples of the NIST Framework's Categories:

Risk Assessment (ID.RA)
Data Security (PR.DS)
Detection Processes (DE.DP)
Mitigation (RS.MI)
Improvements (RC.IM)

At the bottom level, each Category consists of a set of Subcategories and Informative References.
Subcategories are more specific statements of an intended business outcome, while Informative References point to further technical detail in standards and guidelines outside the Framework.

For example, under the Data Security (PR.DS) Category sit eight Subcategories, including the following:

PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

And here are some of the Informative References accompanying PR.DS-1 (Data-at-rest is protected):

Center for Internet Security (CIS) Controls 13 and 14
COBIT 5 Management Practices APO01.06, BAI02.01, and BAI06.01
ISO/IEC 27001:2013 A.8.2.3

Check out the full framework for reference.

Tiers

The Tiers represent different degrees to which organizations may implement the NIST Cybersecurity Framework. There are four Tiers:

Tier 1 (Partial): Security controls are implemented on an ad hoc or sometimes reactive basis. The organization has little understanding of its role in the wider ecosystem of partners, suppliers, and customers.
Tier 2 (Risk Informed): Implementation of controls is informed by risk objectives. Security awareness may not be standardized across the entire organization. Not all threats are proactively met.
Tier 3 (Repeatable): Risk management practices are formal organizational policy. Employees are well-informed about security in the context of their roles. The organization's security is understood in the broader context of supply chains and partnerships.
Tier 4 (Adaptive): The organization can adapt its cybersecurity practices based on priorities and past experience. Security risks are taken seriously by senior management on par with financial risks. Formalized security processes are integrated into workflows.

You can choose the Tier most appropriate to you, depending on factors such as your resource level, organizational maturity, and compliance demands.

Profiles

Profiles allow you to adapt the Framework to meet the needs of your organization.
Establishing your Current Profile and determining a Target Profile provides a systematic way for you to work through the Functions, implementing the Categories and Subcategories that are most relevant to your organization.

Your organization's size and resource levels may help to determine an appropriate Target Profile. But you can also consider the business context in which you operate, or the cybersecurity threats that are most likely to impact you. NIST recently released a preliminary draft profile for managing the threat of ransomware, which we'll look at later in this article.

Email security in the NIST Framework

In the current cybersecurity climate, email security is a key consideration for business leaders. In fact, email is the attack vector security leaders are most worried about. We know that email serves as a key vector for ransomware, phishing, data exfiltration, and other increasingly widespread attacks and incidents:

Around 96% of phishing attacks start via email
Spear phishing emails are the most common delivery method for ransomware
Other email-based threats, such as Business Email Compromise, cost organizations billions each year

As such, you can mitigate some of the most serious and destructive security threats by ensuring your organization operates a highly secure email system.

Now we're going to look at some of the Categories from across the NIST Cybersecurity Framework's five Functions, and identify how maintaining robust email security can help you meet NIST Cybersecurity Framework outcomes.

Asset Management (ID.AM)

Asset Management: "The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy."

Effective asset management means ensuring you have overall knowledge and understanding of your organization's inventory, information flows, and personnel.
How is asset management relevant to email security? Well, understanding your organization's communication networks and data flows is a vital part of asset management, and email is the primary means of communication for most companies. The ID.AM-3 Subcategory requires that "organizational communication and data flows are mapped." Mapping communication flows is the first step in detecting email cybersecurity events and creating a data loss prevention (DLP) strategy. An effective email security solution can use machine learning to establish employees' communication networks from historical email traffic.

Awareness and Training (PR.AT)

Awareness and Training: "The organization's personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements."

Security awareness training should always feature extensive information about social engineering attacks. Phishing, spear phishing, and Business Email Compromise (BEC), social engineering attacks that occur almost exclusively via email, rely on manipulating people into taking certain actions that expose data or compromise security. Therefore, email security training is essential to meet the outcome associated with the PR.AT-1 Subcategory: "All users are informed and trained." But we know that, while essential, security training is not enough on its own to tackle serious cybersecurity threats.

Data Security (PR.DS)

Data Security: "Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information."

Preventing data loss via email is a core requirement in maintaining data security. Email is behind a large share of data breaches, whether due to phishing and other social engineering attacks, or "accidental" breaches involving misdirected emails or misattached files.
Preventing data loss via email is a key step towards meeting the outcome for Subcategory PR.DS-5: "Protections against data leaks are maintained." Unless there is an operational requirement for data to leave your organization, your email security software should prevent it from doing so. Effective email security software can detect and prevent unauthorized data transfers. Learn more about how Tessian prevents data loss below.

Anomalies and Events (DE.AE)

Anomalies and Events: "Anomalous activity is detected and the potential impact of events is understood."

How does this Category tie in with email security? Well, most cyberattacks rely on email as the route through an organization's defenses. So detecting and analyzing anomalous activity across your email traffic is essential. Within the "Anomalies and Events" Category, the following Subcategories are particularly relevant to email security:

DE.AE-1: "A baseline of network operations and expected data flows for users and systems is established and managed." To detect anomalous email activity, your email security solution must understand what "normal" email looks like relative to each of your users: who they write to, who writes to them, from where, and with what kinds of links and attachments.

DE.AE-3: "Event data are collected and correlated from multiple sources and sensors." Email attacks can be particularly sophisticated, relying on social engineering techniques to manipulate users, so no single signal is reliable on its own. Effective email security correlates evidence from the message headers, the body and attachments, and the sender's history before deciding to warn or block.
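The construction-firm case study in the supply chain article above (a trusted vendor mailbox suddenly sending from a new location with a link to an unfamiliar cloud storage service) and the DE.AE-1 and DE.AE-3 outcomes here call for the same thing: a per-sender baseline plus correlation of several weak signals. The block below is an added example of that pattern, written for this page and not taken from Tessian. The inbound history, the two messages, the file-sharing host list, the lure phrases, the weights and the warning threshold are all constructed assumptions; a real deployment would learn the weights from data and use a far richer baseline.

```python
"""Multi-signal scoring of an inbound email against a per-sender baseline.
Added example with constructed data; not Tessian's detection logic."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumptions: illustrative file-sharing hosts, lure phrases, weights and threshold
CLOUD_STORAGE_SUFFIXES = ("dropbox.com", "drive.google.com", "wetransfer.com",
                          "box.com", "sharepoint.com", "onedrive.live.com")
LURE_PATTERNS = [r"\bclick (?:here|the link)\b", r"\burgent(?:ly)?\b",
                 r"\bas soon as possible\b", r"\bverify your (?:account|password)\b"]
WEIGHTS = {"new_country": 3, "unseen_cloud_host": 3, "reply_to_mismatch": 2,
           "lure_language": 1, "unknown_sender": 2}
WARN_THRESHOLD = 4

# Constructed inbound history: (sender, country of the sending IP, Reply-To, link hosts in body)
INBOUND_HISTORY = [
    ("jim.morris@vendor.example", "GB", None, ["portal.vendor.example"]),
    ("jim.morris@vendor.example", "GB", None, []),
    ("jim.morris@vendor.example", "GB", "jim.morris@vendor.example", ["portal.vendor.example"]),
    ("accounts@supplier.example", "DE", None, ["www.dropbox.com"]),
]

# Constructed messages: the vendor contact's mailbox under attacker control, and a normal one
SUSPICIOUS_MSG = {
    "from": "jim.morris@vendor.example", "source_country": "NG",
    "reply_to": "jim.morris@vendor-mail.example",
    "body": "Hi, please click the link to review the request for proposal in the shared "
            "folder: https://www.dropbox.com/s/abc123/RFP_2021 - it is urgent.",
}
BENIGN_MSG = {
    "from": "jim.morris@vendor.example", "source_country": "GB", "reply_to": None,
    "body": "Hi team, the revised schedule is on the portal: https://portal.vendor.example/projects/42",
}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def build_sender_baseline(history):
    """Per sender: countries seen, link hosts seen, Reply-To domains seen."""
    base = defaultdict(lambda: {"countries": set(), "link_hosts": set(), "reply_to_domains": set()})
    for sender, country, reply_to, hosts in history:
        b = base[sender.lower()]
        b["countries"].add(country)
        b["link_hosts"].update(h.lower() for h in hosts)
        if reply_to:
            b["reply_to_domains"].add(domain(reply_to))
    return base


def link_hosts(body):
    """Hostnames of all http(s) URLs found in the body."""
    hosts = set()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_cloud_storage(host):
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def score_inbound(msg, baseline):
    """Correlate header, body and history signals; return score, verdict and reasons."""
    sender = msg["from"].lower()
    b = baseline.get(sender)
    signals = []
    if b is None:
        signals.append(("unknown_sender", f"no history for {sender}"))
    elif msg["source_country"] not in b["countries"]:
        signals.append(("new_country", f"sent from {msg['source_country']}, previously {sorted(b['countries'])}"))
    for host in sorted(link_hosts(msg["body"])):
        if is_cloud_storage(host) and (b is None or host not in b["link_hosts"]):
            signals.append(("unseen_cloud_host", f"link to file-sharing host {host} never seen from this sender"))
    reply_to = msg.get("reply_to")
    if reply_to and domain(reply_to) != domain(sender):
        signals.append(("reply_to_mismatch", f"Reply-To domain {domain(reply_to)} differs from {domain(sender)}"))
    if any(re.search(p, msg["body"], re.IGNORECASE) for p in LURE_PATTERNS):
        signals.append(("lure_language", "body contains pressure or call-to-action phrasing"))
    score = sum(WEIGHTS[name] for name, _ in signals)
    return {"score": score,
            "verdict": "warn" if score >= WARN_THRESHOLD else "deliver",
            "signals": [name for name, _ in signals],
            "reasons": [reason for _, reason in signals]}


BASELINE = build_sender_baseline(INBOUND_HISTORY)

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        result = score_inbound(msg, BASELINE)
        print(label, result["verdict"], result["score"], *result["reasons"], sep="\n  ")
```

Note what the baseline buys you: the same Dropbox link from the supplier who has always sent Dropbox links scores nothing, while the identical link from a contact who has never used that service, arriving from a new country with a foreign Reply-To, trips the threshold. None of the individual signals would justify blocking on its own, which is the point of DE.AE-3.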
Security Continuous Monitoring (DE.CM)

Security Continuous Monitoring: "The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures."

Monitoring your organization's email activity is a crucial element in your overall security continuous monitoring efforts. The following "Security Continuous Monitoring" Subcategories are of particular relevance to email security:

DE.CM-3: "Personnel activity is monitored to detect potential cybersecurity events." External emails are only part of your email security battle. Compromised or spoofed corporate email accounts should also be monitored, as they can be used for internal phishing attacks.

DE.CM-7: "Monitoring for unauthorized personnel, connections, devices, and software is performed." Implementing email security software that scans email communication for suspicious text and attachments could help meet this outcome.

Detection Processes (DE.DP)

Detection Processes: "Detection processes and procedures are maintained and tested to ensure awareness of anomalous events."

This means any email security solution must be continuously monitored and improved to ensure it can defend against the latest cyberattacks. Here are some relevant "Detection Processes" Subcategories:

DE.DP-4: "Event detection information is communicated." Your email security software should notify both the affected user and IT administrators when a suspicious event occurs.

DE.DP-5: "Detection processes are continuously improved." Email security systems should be continuously learning and updating to adapt to emerging threats.

NIST Preliminary Draft Ransomware Profile

In June 2021, NIST published Preliminary Draft NISTIR 8374, Cybersecurity Framework Profile for Ransomware Risk Management. Ransomware is becoming the most severe cybersecurity threat in the current threat landscape.
Because many, if not most, ransomware attacks start via email, improving your organization's email security and its ransomware defense posture go hand-in-hand.

As mentioned above, setting a Target Profile is an important step in implementing the NIST Cybersecurity Framework. To defend against the increasingly serious ransomware threat, you may choose to work towards the Ransomware Risk Management Profile. Implementing the draft Profile means achieving numerous Category outcomes from across all five Functions. We won't go into the full details of the Profile here, but we recommend checking it out, particularly in the current threat climate.

Learn more about Tessian Human Layer Security

Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound and outbound emails for signs of phishing, malicious attachments, data exfiltration, and accidental data loss, Tessian scans your employees' email activity to learn how they "normally" act, and flags suspicious behavior.

This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted, and access the legitimate files and links they need across devices, while being alerted to anomalous and suspicious email content. Tessian's in-the-moment warnings help reinforce training and nudge employees towards safer behavior over time.

Tessian's Human Layer Security platform uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals:

Unusual sender characteristics: This includes anomalous geographic locations, IP addresses, email clients, and reply-to addresses.
Anomalous email sending patterns: Based on historical email analysis, Tessian can identify unusual recipients, unusual send times, and emails sent to an unusual number of recipients in order to detect malicious inbound emails and suspicious outbound emails.
Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments.
Deep content inspection: Looking at the email content, for example language that conveys suspicious intent, Tessian can detect zero-payload attacks too.

Learn more about how Tessian can transform your organization's cybersecurity program.
ATO/BEC Compliance
Where Does Email Security Fit Into the MITRE ATT&CK Framework?
13 August 2021
If you're aligning your defenses with the MITRE ATT&CK framework, email security will be among your top priorities. Why? Because securing your organization's email is critical to detect, mitigate, and defend against some of the most widespread and harmful online threats.

In this article, we'll offer a brief overview of the MITRE ATT&CK framework, then consider which attack techniques you can mitigate by improving your organization's email security.

MITRE ATT&CK Framework 101

Here's a brief introduction to the MITRE ATT&CK framework. Outlining the framework is important as it'll help you see how its components tie in with your email security program. But feel free to skip ahead if you already know the basics.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is published as several knowledge bases: ATT&CK for Enterprise, ATT&CK for Mobile, and ATT&CK for ICS. The formerly separate PRE-ATT&CK matrix has been folded into ATT&CK for Enterprise as the Reconnaissance and Resource Development tactics.

We're focusing on ATT&CK for Enterprise, covering threats to Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network environments. You can check out the Mobile matrices here, and the PRE matrix here.

MITRE ATT&CK tactics, techniques, sub-techniques, and mitigations

At the core of the framework is the ATT&CK matrix, a set of "Tactics" and corresponding "Techniques" used by "Adversaries" (threat actors).

The ATT&CK for Enterprise matrix includes 14 Tactics:

TA0043: Reconnaissance
TA0042: Resource Development
TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0004: Privilege Escalation
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0008: Lateral Movement
TA0009: Collection
TA0011: Command and Control
TA0010: Exfiltration
TA0040: Impact

Think of these Tactics as the Adversary's main objectives.
For example, under the "Collection" Tactic (TA0009), the adversary is "trying to gather data of interest to their goal." If you want to learn more about these tactics, or see a full list of the Techniques, Sub-Techniques, and Mitigations we mention below, click here.

A set of Techniques and sometimes Sub-Techniques is associated with each Tactic. Techniques are the methods an Adversary uses to achieve their tactical objectives. Sub-Techniques are more specific variations of a Technique. We won't list all the MITRE ATT&CK Techniques here, but we'll identify some relevant to email security in just a second.

But first (and finally) there are "Mitigations": methods of preventing or defending against adversaries. Examples of Mitigations include M1041: "Encrypt Sensitive Information," and M1027: "Password Policies." Back to email security...

MITRE and Email Security

Now we'll identify the MITRE ATT&CK framework Tactics and Techniques that are relevant to email security specifically. We'll consider MITRE's recommended Mitigations and look at how you can align your email security program with them.

Technique T1566: Phishing

"Phishing" is a MITRE ATT&CK Technique associated with the "Initial Access" Tactic (TA0001). As you'll probably know, phishing is a type of social engineering attack, usually conducted via email, where an adversary impersonates a trusted person or brand and attempts to trick their target into divulging information, downloading malware, or transferring money.

The MITRE ATT&CK framework identifies both targeted phishing attacks (a technique known as "spear phishing") and more general phishing attacks (conducted in bulk via spam emails). Now let's look at the three Sub-Techniques associated with the Phishing Technique.

📎 T1566.001: Spearphishing Attachment

Sub-Technique T1566.001 involves sending a spear phishing email with a malicious attachment.
The attachment is malware, such as a virus, spyware, or ransomware file, or a document that drops it, enabling the adversary to harm or gain control of the target device or system.

A spear phishing attachment is usually disguised as a harmless Office, PDF, or ZIP file, and legacy email security software and spam filters can struggle to determine whether an attachment is malicious.

The spear phishing email itself will usually try to persuade the target to open the file. The Adversary may impersonate a trusted person and can even provide the target with instructions on opening the file that will bypass system protections (enabling macros, for example). For more information about malicious email attachments, read What is a Malicious Payload?

🔗 T1566.002: Spearphishing Link

Instead of using a malicious attachment, a spear phishing email can include a link that leads to a malicious site such as a fraudulent account login page or a webpage that hosts a malicious download.

Like the "Spearphishing Attachment" Sub-Technique, the "Spearphishing Link" Sub-Technique will normally employ social engineering methods, this time as a way to persuade the target to click the malicious link.

For example, the spear phishing email may be disguised as a "security alert" email from Microsoft, urging the target to log into their account. Upon following the link and "logging in," the target's login credentials will be sent to the adversary.

We've written in detail about this type of attack in our article What is Credential Phishing?

📱 T1566.003: Spearphishing via Service

The "Spearphishing via Service" Sub-Technique uses platforms other than email to initiate a spearphishing attack, for example a LinkedIn job post or WhatsApp message.

This Sub-Technique is not directly related to email security, but email security is still relevant here. For example, if an Adversary is able to establish rapport with their target via social media, then they might follow up with a spear phishing email.
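The "disguised as a harmless Office, PDF, or ZIP file" point under T1566.001 is something a mail gateway can check mechanically before any antivirus verdict: does the file's content match what its extension claims, is there a double extension, and does an archive or Office package carry an executable or a macro project? The block below is an added example written for this page, not a product's scanner. The signature table, extension policy and all five sample attachments are constructed for illustration; a real scanner would use a full file-type library and inspect far more than the first bytes.

```python
"""Attachment triage for T1566.001-style lures: extension versus content checks.
Added example with constructed files; not a product's scanner."""
import io
import os
import zipfile

# Assumptions: a small signature table and extension policy for illustration
MAGIC = [(b"%PDF", "pdf"), (b"PK\x03\x04", "zip"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"), (b"MZ", "exe")]
EXPECTED_KIND = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
                 ".zip": "zip", ".doc": "ole", ".xls": "ole"}
DOC_EXTS = set(EXPECTED_KIND)
EXEC_EXTS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd", ".ps1", ".dll"}


def sniff(data):
    """Coarse file type from leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(name, data):
    """Return reasons the attachment looks disguised or dangerous (empty list = nothing found)."""
    findings = []
    root, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(root)[1]
    kind = sniff(data)

    if ext in EXEC_EXTS:
        findings.append(f"executable extension {ext}")
    if inner_ext in DOC_EXTS and ext not in DOC_EXTS:
        findings.append(f"double extension {inner_ext}{ext}")           # e.g. invoice.pdf.exe
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        findings.append(f"content is {kind}, not the {expected} that {ext} implies")
    if kind == "exe" and ext not in EXEC_EXTS:
        findings.append("PE executable disguised with a non-executable extension")
    if kind == "zip":
        # Both plain archives and OOXML Office files (.docx/.xlsx/.pptx) are zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                members = [m.lower() for m in archive.namelist()]
        except zipfile.BadZipFile:
            findings.append("zip signature but archive does not parse")
            members = []
        if any(os.path.splitext(m)[1] in EXEC_EXTS for m in members):
            findings.append("archive contains an executable")
        if any(m.endswith("vbaproject.bin") for m in members):
            findings.append("Office document carries a VBA macro project")    # .docm renamed to .docx
    return findings


def make_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member, content in entries.items():
            archive.writestr(member, content)
    return buf.getvalue()


# Constructed samples: one clean PDF and four classic disguises
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%...\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "scan.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "report.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "files.zip": make_zip({"readme.txt": b"see setup", "setup.scr": b"MZ\x90\x00"}),
}


def triage_all():
    """Inspect every constructed sample; return {name: findings}."""
    return {name: inspect_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "->", reasons or ["nothing found"])
```

These checks are cheap and catch the lazy disguises (an executable with a document extension, a macro-bearing file renamed to a macro-free extension, an archive wrapping a screensaver). They do not catch a genuinely malicious PDF or a macro-free document with a malicious link, which is why the text pairs attachment inspection with the behavioral and content signals discussed elsewhere on this page.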
❌ Phishing Detection and Mitigation

Now let’s look at which Mitigations MITRE recommends for dealing with the Phishing Technique and its three associated Sub-Techniques:

M1049: Antivirus/Antimalware. Quarantine suspicious files arriving via email.
M1031: Network Intrusion Prevention. Monitor inbound email traffic for malicious attachments and links.
M1021: Restrict Web-Based Content. Block access to web-based content and file types that are not necessary for business activity.
M1054: Software Configuration. Use anti-spoofing methods to detect invalid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures.
M1017: User Training. Educate employees to help them detect signs of a phishing attack.

Note: None of MITRE’s recommended Phishing Mitigations is sufficient on its own.

Antivirus software, for example, can quarantine malicious files but is less likely to detect suspicious links. User Training helps embed a security-focused workplace culture, but you can’t expect employees to recognize sophisticated social engineering scenarios.

To prevent phishing attacks, it’s vital that security leaders take a layered approach, including training, policies, and technology. Your best bet when it comes to technology? A next-gen email security solution that can automatically scan internal and external email communication for signs of malicious activity based on historical analysis.

Email security software can use several methods of detecting phishing attacks. Older solutions rely on techniques such as labeling and filtering: an administrator manually inputs the domain names, file types, and subject lines that the software should block.

Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound emails for signs of phishing, the software scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior.
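As an added example of the anti-spoofing check that M1054 in the list above calls for (this is illustrative code, not Tessian’s product or anything from MITRE): it reads the Authentication-Results header a receiving mail server adds, and flags a message whose SPF or DKIM result is not “pass” or whose authenticated domain does not align with the visible From: domain. The two messages and their domains are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); headers are in the shape a
# receiving MTA writes them (RFC 8601 Authentication-Results).
PASSING_MSG = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Q3 invoice
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com
"""

SPOOFED_MSG = """\
From: IT Support <it-support@example.com>
To: bob@example.com
Subject: Security alert: verify your account
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=bulk-sender.invalid;
 dkim=pass header.d=bulk-sender.invalid
"""

def parse_auth_results(header):
    """Map each method (spf, dkim) to (result, domain it was evaluated for)."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"(\w+)=(\w+)(.*)", clause.strip(), re.S)
        if not m:
            continue
        method, result, rest = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.-]+)", rest)
        results[method] = (result, dom.group(1).lower() if dom else None)
    return results

def check_sender_auth(raw_message):
    """M1054-style check: SPF and DKIM must pass, and the domain each method
    authenticated must match the From: domain (the alignment idea DMARC uses).
    Returns a list of findings; an empty list means the sender checks out."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    for method in ("spf", "dkim"):
        result, domain = auth.get(method, ("none", None))
        if result != "pass":
            findings.append(f"{method}={result}")
        elif domain != from_domain:
            findings.append(f"{method} authenticated {domain}, not From: domain {from_domain}")
    return findings
```

A message with no Authentication-Results header at all is reported as spf=none and dkim=none, which is the case to treat with the most suspicion rather than the least.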
This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted and access the legitimate files and links they need, while being alerted to anomalous and suspicious email content.
These in-the-moment warnings help reinforce training, and nudge employees towards safer behavior over time. Download the Tessian Platform Overview to learn more.

Technique T1534: Internal Spearphishing

The “Internal Spearphishing” Technique is associated with the “Lateral Movement” Tactic (TA0008) and is distinct from the “Phishing” Technique.

Internal Spearphishing takes place once an adversary has already penetrated your system or account. The adversary leverages existing account access to conduct an internal spear phishing campaign.

Internal Spearphishing is particularly damaging because the emails come from a genuine (albeit compromised) account. This makes them virtually impossible to spot, and therefore very persuasive.

Internal Spearphishing Detection and Mitigations

MITRE notes that detecting an Internal Spearphishing attack (also known as Account Takeover) can be difficult. There are no mitigations associated with the “Internal Spearphishing” Technique in the MITRE ATT&CK framework.

According to MITRE, the main difficulty associated with detecting and mitigating Internal Spearphishing attacks is that “network intrusion detection systems do not usually scan internal email.”

The main hallmarks of a spear phishing email, such as email impersonation or spoofing, are not present once an adversary has successfully compromised an internal email account. This means legacy email security software may be unable to detect Internal Spearphishing attacks.

However, an AI-driven email security solution such as Tessian can scan internal email and will pick up on small inconsistencies in the sender’s email behavior and communication patterns.

If a sender is communicating outside of their normal internal networks or writing in an uncharacteristic style, Tessian can flag this unusual behavior and notify the recipient of any suspicious emails.

Learn more about how Tessian Defender defends against internal spear phishing.
Technique T1598: Phishing for Information

T1598: Phishing for Information is a MITRE ATT&CK Technique associated with the “Reconnaissance” Tactic (TA0043). While Phishing involves an attempt to penetrate an organization’s defenses, Phishing for Information is a way to gather information about the target for use in an attack.

As such, Phishing for Information may occur via email, or via other communications channels such as instant messaging applications or social media.

Phishing for Information Detection and Mitigations

To detect Phishing for Information, MITRE suggests monitoring for suspicious email activity. Email security software can monitor for signs of a phishing attack, including DKIM misconfiguration, suspicious language, or erratic communication methods.

But legacy email security programs can only detect the more obvious indicators of phishing. On the other hand, Tessian is uniquely equipped to identify the subtle but distinctive signs that a sender is not who they say they are.

Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals:

Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses.
Anomalous email sending patterns: Based on historical email analysis, Tessian can identify unusual recipients, unusual send times, and emails sent to an unusual number of recipients.
Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments.
Deep content inspection: Looking at the email content, for example language that conveys suspicious intent, Tessian can detect zero-payload attacks, too.

Leveraging email security for MITRE ATT&CK framework compliance

We’ve seen how email security is a major factor in meeting the MITRE ATT&CK framework requirements.
To recap, Tessian can serve as a key Mitigation in respect of the following Techniques and Sub-Techniques:

T1566: Phishing
T1566.001: Spearphishing Attachment
T1566.002: Spearphishing Link
T1566.003: Spearphishing via Service
T1534: Internal Spearphishing
T1598: Phishing for Information

Learn more about how Tessian can transform your organization’s cybersecurity program.
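The “historical email analysis” idea behind both the Internal Spearphishing and the Phishing for Information sections above, as an added example that is not Tessian’s code: it builds a per-sender profile (recipients mailed, hours of day sent, largest recipient list) from constructed message-tracking records, then flags a new email whose recipients, send hour or recipient count fall outside that profile. The addresses, timestamps and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed message-tracking records, one per sent email:
# (sender, recipients, sent_at). A real source would be the gateway's log.
HISTORY = [
    ("carol@example.com", ["dave@example.com"], "2022-05-02T09:15"),
    ("carol@example.com", ["dave@example.com", "erin@example.com"], "2022-05-03T10:40"),
    ("carol@example.com", ["erin@example.com"], "2022-05-04T14:05"),
    ("carol@example.com", ["dave@example.com"], "2022-05-05T16:30"),
]

def build_baseline(history):
    """Profile each sender: who they mail, what hours they send at, and the
    largest recipient list seen. This is the historical-analysis step."""
    baseline = defaultdict(lambda: {"recipients": set(), "hours": set(), "max_rcpt": 0})
    for sender, rcpts, sent_at in history:
        p = baseline[sender]
        p["recipients"].update(rcpts)
        p["hours"].add(datetime.fromisoformat(sent_at).hour)
        p["max_rcpt"] = max(p["max_rcpt"], len(rcpts))
    return baseline

def score_email(baseline, sender, rcpts, sent_at):
    """Compare one new email with the sender's profile. Returns the list of
    anomaly reasons; an empty list means the email matches past behaviour."""
    p = baseline.get(sender)  # .get() does not create a profile for unknown senders
    if p is None:
        return ["sender has no history"]
    reasons = []
    unseen = [r for r in rcpts if r not in p["recipients"]]
    if unseen:
        reasons.append("recipients never mailed before: " + ", ".join(unseen))
    hour = datetime.fromisoformat(sent_at).hour
    if all(abs(hour - h) > 1 for h in p["hours"]):  # not within an hour of any past send
        reasons.append(f"unusual send hour: {hour:02d}:00")
    if len(rcpts) > 2 * p["max_rcpt"]:  # assumed threshold: double the largest list seen
        reasons.append(f"unusual recipient count: {len(rcpts)}")
    return reasons

BASELINE = build_baseline(HISTORY)
```

A compromised account that suddenly mails several never-seen colleagues at 02:10 trips all three signals at once, even though nothing about the sender address itself is spoofed.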
Compliance
Key Findings: IBM Cost of a Data Breach 2021 Report
By Maddie Rosenthal
03 August 2021
If you work in cybersecurity, follow breaches in the news, or are involved in managing your company’s finances, you’ve likely been (patiently) waiting for IBM’s latest Cost of a Data Breach report.

The 2021 report was released on July 28 and we’ve summarized the key findings for you here. Note: In this case, we’re just here to deliver the cold, hard facts, not offer commentary. We have, however, offered additional resources for you to check out if you’re interested in exploring a specific threat type, industry, or solution further.

The overall cost of a breach

Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report.
There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single-year cost increase in the last seven years.
The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million.
Lost business represented 38% of the overall average total breach costs and increased slightly from $1.52 million in the 2020 study. Lost business costs include increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation.

Remote working and the cost of a breach

Where remote work was a factor in causing the breach, the cost difference was $1.07 million.
Remote work was a factor in breaches at 17.5% of companies.
Organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely.

The cost of a breach by industry

Healthcare has had the highest industry cost of a breach for 11 consecutive years.
Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. Learn how Tessian helps organizations in healthcare prevent breaches.
Costs in the energy sector decreased from $6.39 million in 2020 to an average $4.65 million in 2021.
Costs surged in the public sector, which saw a 78.7% increase in average total cost from $1.08 million to $1.93 million.

The cost of a breach by threat type

Business email compromise (BEC) was responsible for only 4% of breaches, but had the highest average total cost of the 10 initial attack vectors in the study, at $5.01 million.
The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).
Compromised credentials were the most common initial attack vector, responsible for 20% of breaches.
Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business, and response costs… but did not include the cost of the ransom.

How can cybersecurity solutions help?

Security AI and automation had the biggest positive cost impact. Organizations with fully deployed security AI and automation experienced breach costs of $2.90 million, compared to $6.71 million at organizations without security AI and automation.
Security AI/automation was associated with a faster time to identify and contain the breach.

Want to learn how Tessian leverages AI and ML to detect and prevent inbound and outbound threats legacy solutions can’t? Check out this whitepaper.