The Human Layer Security Summit is back. Save your spot today.

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Compliance
Why Information Security Must Be a Priority For GCs in 2021
11 May 2021
The business world was incredibly interconnected before the pandemic. Now that COVID-19 forced five years of tech adoption in three months, and with new technologies on the horizon, this trend isn’t reversing any time soon.  And while this global upgrade has many uses, and enables you to move huge parts of your life online, it also brings an increased focus on information security. Necessarily so.  Information security (Infosec) plays a vital role for all businesses that handle customer, client, or employee data. Nowadays, that’s pretty much every business.  Security breaches can seriously damage a company’s reputation, if not end their success altogether. Conversely, good cybersecurity can be a competitive advantage. Infosec also: Enables teams to build and implement their applications safely Allows the business to build trust with their customers Enables the organization to protect the data they collect and use Protects the tech used by teams within the company What does Infosec have to do with GCs? As the CEO and Co-Founder of Juro, I know how in-house legal teams work, particularly the General Counsel. The top lawyer in a company is increasingly focused on ‘adding value to the business’ as lawyers seek to bring their commercial savvy to bear to help with strategic projects.  But the first duty of a GC is to protect the company from legal risk – and in an interconnected world, the risks associated with breaches of information security loom large, both in terms of commercial and reputational impact.  It’s imperative that General Counsel work with Chief Information Security Officers (CISOs) to protect the business from an ever-growing array of risks.
The lawyer – CISO dynamic Lawyers don’t always play well with others. Historically, lawyers and CISO have kept their distance. The IT department of a traditional business was one of the last places you’d expect to find the General Counsel.  But over the years, the need for a CISO has grown, and the dynamic between the two roles has changed, for several reasons: 1. A huge explosion in SaaS businesses Even pre-COVID, the increase in automating processes – which moved traditional industries like finance, healthcare and legal into the cloud -drove an upsurge in adoption of SaaS tools.  Sales moved into Salesforce, marketing into HubSpot, and even legal teams moved online by embracing matter management and contract negotiation tools, alongside stalwarts like Zoom and Slack which seem to be ubiquitous to every business. Since the advent of COVID and universal lockdowns, it can often seem like collaborative SaaS platforms have become the rule, rather than the exception, such is their rate of adoption. But all these exciting changes present their own unique challenges when it comes to information security.  With so many verticals becoming digital-first overnight, their exposure to malicious (and negligent) actors both in and outside of the organization has led to a corresponding increase in legal risk.  Tessian research shows that 48% of employees say they’re less likely to follow safe security practices when working from home, and 84% of security leaders data loss prevention (DLP) is more challenging when their workforce is working outside of the office. It’s vital that GCs and CISOs help the business navigate the new world safely – together. 2. The ever-changing privacy landscape Most of these applications and SaaS tools require personal information of some kind, making privacy a key concern from day one. The complexity around this challenge only grows as the business does, which is why it’s essential that lawyers work with CISOs to manage that data security risk. Layered on top of this is the regulatory environment for personal data.  GDPR was a slow-moving iceberg that many businesses still haven’t fully reckoned with; the future is set to become even more complex thanks to developments like the Schrems II decision. GCs and CISOs can and should collaborate to create a privacy framework that allows them to keep on top of these challenges, iterating as the business continues to scale. Creating a robust privacy policy shouldn’t be viewed as a concern just for legal – GCs must encourage buy-in and participation from the wider business. 
What can GCs do to protect their company’s information security? Taking a leading role in information security doesn’t need to be daunting for legal counsel – in fact, a few simple steps can make all the difference. 1. Support CISOs GCs can ensure that they’re giving information security the attention it deserves by supporting and advising on any issues that arise. Often at a smaller business, there’s a single person assigned to manage Infosec – and much like the first lawyer at a scaling business, they have a mountain of work to do. Even in larger enterprises organizations, security teams can be thinly-stretched and resource-constrained.  Supporting CISOs through proactively dedicating a set amount of time and having regular check-ins can ensure that both lawyers and CISOs aren’t buried under this work in the future, as the business continues to grow.  Tone at the top dictates how others respond – it’s important for leaders to set the right example. Looking for a framework to help you establish better relationships with the right people? Use this template. 2. Offer training It’s important to emphasize that Infosec is a shared responsibility across the whole business – while one person may have ownership of it, it’s every employee’s responsibility to ensure the information processed by the business is secure, and data isn’t vulnerable to common attacks like data exfiltration and spear phishing..  GCs can help CISOs with this task by setting up training sessions with other teams in the company, to keep everyone up to date with the latest techniques.  For better or worse, lawyers are often seen as ‘bad cops’ in the business – having their backing for, and involvement in, data compliance training should reinforce the seriousness with which colleagues should approach the issue. Training shouldn’t be a one-off, of course – it should be part of every employee’s onboarding, and revisited on a regular basis. The bottom line: as the threats in Infosec constantly adapt, so should the methods used to mitigate risk and keep data safe. GCs and CISOs should work together to review the policies, frameworks and training in place, and iterate where necessary.  Falling behind on this will expose the business to risk. By prioritizing these tasks and placing security at the heart of everything they do, lawyers can ensure that their businesses continue to handle data securely as they scale. Written by Richard Mabey, CEO and co-founder of Juro.
Compliance
Cybersecurity: What Does Biden’s Executive Order Mean For Your Business?
05 May 2021
Remember last year’s SolarWinds attack? It was one of the most significant hacks in history and the fallout is ongoing. We may never know exactly how bad the attack was. But, we do know that it’s making waves and was a wake-up call for many organizations—not least the U.S. government, which has realized just how vulnerable it is to hackers targeting the countless companies in its supply chain. In response to SolarWinds, President Biden’s administration is drafting an executive order that aims to strengthen cybersecurity among both federal and private organizations. We’ve combed through the available information about the upcoming executive order to help you understand the potential implications for your business. 🕵  What information do we have about the executive order? We’ve had little communication from the White House about Biden’s upcoming executive order.  That means most of the information available derives from the following sources: The announcement that an executive order was in development, made in February by Anne Neuberger, White House deputy national security adviser for cyber and emerging technology A March speech made to the RSA Conference by Alejandro Mayorkas, secretary of homeland security  A leaked draft of the executive order seen by journalists in March An April speech to the Cybersecurity Coalition, given by Jeff Greene, acting senior director for cybersecurity at the National Security Council Further comments from Neuberger to NPR, made April 29 The order will likely tighten the rules around the procurement of private-sector software and services by government agencies—or, as Neuberger puts it: “If you’re doing business with the federal government, here’s a set of things you need to comply with in order to do business with us…” The means companies hoping to obtain or maintain government contracts, software developers, and government agencies will need to demonstrate that they have implemented certain security measures.  Don’t fall under any of the above three categories? Still worth paying attention. This executive order is a clear sign that the U.S. is taking cybersecurity seriously.  Now is the time to review your organization’s approach to cybersecurity—to ensure you have identified any vulnerabilities and can prevent or respond to attacks. 1. Breach notification  The order will likely include a breach notification rule that will impact companies supplying the federal government with software or hardware products. Of course, companies doing business with the federal government aren’t the only organizations to be obligated to breach notification rules.  Data breach notification rules are common worldwide, particularly in Europe, where the General Data Protection Regulation (GDPR) obliges organizations to notify regulators and individuals in the event of a breach of personal data within 72 hours. Further reading:  ⚡ GDPR: 13 Most Asked Questions + Answers ⚡ Biggest GDPR Fines in 2020 and 2021 There is currently no generally applicable federal breach notification law in the U.S. But, many states and some sectors have breach notification laws. We look at several of these in our article US Data Privacy Laws 2020: What Security Leaders Need to Know. The order’s breach notification rule would reportedly oblige federal contractors to notify a cyber incident response board (yet to be established) within days of a suspected hack or data breach. Organizations might also be required to cooperate with the FBI and the Cybersecurity and Infrastructure Agency (CISA) to investigate the incident. Reuters suggested that the order might also contain a public disclosure rule. Public disclosure might involve notifying any members of the public affected by a data breach, either individually or via the media. Note: Any organization operating under a data breach notification requirement must have robust and efficient procedures in place to identify and respond to a cybersecurity incident.  The sooner you can detect malicious activity, the sooner you can report it—and the sooner it can be contained or mitigated. 2. Software development security  The order will likely set out improved security requirements for software procured by federal agencies. This means developers of such software will need to implement stronger security standards in their products. Software vendors supplying the federal government may be required to create a “Software Bill of Materials” (SBOM) accompanying their products. An SBOM acts as an inventory that provides details about the components of a piece of software. Jeff Greene also reportedly suggested that National Institute of Standards and Technology (NIST) controls would play a role in providing improved security standards for government contractors. It’s not clear whether software vendors would be required to comply with an existing NIST framework, or whether the government would work with NIST to derive new standards. However, whether or not an organization supplies software to the federal government, compliance with a scheme such as the NIST Cybersecurity Framework is strongly recommended.  See our Beginner’s Guide to Cybersecurity Frameworks for more information. 3. Improved security within federal agencies  Finally, Biden’s executive order will likely include some mandatory security standards for government agencies and employees, including encryption of data and the use of multi-factor authentication (MFA). These technical controls are basic, and they are already best practice for any organization handling personal or sensitive data. But mandating such controls by law is a significant step. As we learn more, we’ll update this article. Want to be the first to know? Sign-up for our weekly blog digest, including global cybersecurity news, original research, and tips from security leaders.
Compliance Tessian Culture
Securing SOC 2 Certification
By Trevor Luker
30 March 2021
Building on our existing ISO 27001 security certification, Tessian is excited to announce that we have achieved Service Organization Control 2 Type 2 (SOC 2) compliance in the key domains of Security, Confidentiality and Availability with zero exceptions on our very first attempt. Achieving full SOC 2 Type 2 compliance within 6 months is simply sensational and is a huge achievement for our company. It reinforces our message to customers and prospects that Information Security and protecting customer data is at the very core of everything Tessian does.
The Journey We began the preparations for SOC 2 in September 2020 and initiated the formal process in October. Having previously experienced the pain and trauma of doing SOC 2 manually, we knew that to move quickly, we needed tooling to assist with the evidence gathering and reporting.  Fortunately we were introduced to VANTA, which automates the majority of the information gathering tasks, allowing the Tessian team to concentrate on identifying and closing any gaps we had. VANTA is a great platform, and we would recommend it to any other company undertaking SOC 2 or ISO 27001 certification. For the external audit part of the process, we were especially fortunate to team up with Barr Advisory who proactively helped us navigate the maze of the Trust Service Criteria requirements. They provided skilled, objective advice and guidance along the way, and we would particularly like to thank Cody Hewell and Kyle Helles for their insights, enthusiasm and support. Tessian chose an accelerated three month observation period, which in turn, put a lot of pressure on internal resources to respond to information requests and deliver process changes as required. The Tessian team knew how important SOC 2 was to us strategically and rallied to the challenge. Despite some extremely short timeframes, we were able to deliver the evidence that the auditors needed.  A huge team effort and a great reflection of Tessian’s Craft At Speed value. What Next? Achieving SOC 2 Type 2 is a crucial step for Tessian as we expand further into the large enterprise space. It’s also the basis on which we will further develop our compliance and risk management initiatives, leading to specialized government security accreditation in the US and Europe over the next year or two.
Compliance
7 Things We Learned at Tessian Human Layer Security Summit
By Maddie Rosenthal
02 March 2021
That’s a wrap! Thanks to our incredible line-up of speakers and panelists, the first Human Layer Security Summit of 2021 was jam-packed with insights and advice that will help you level-up your security strategy, connect with your employees, and thrive in your role. Looking for a recap? We’ve rounded up the top seven things we learned. 1. CISOs can’t succeed without building cross-functional relationships  Today, security leaders are responsible for communicating risk, enabling individuals and teams, and influencing change at all levels of the organization. That’s easier said than done, though…especially when research shows less than 50% of employees (including executives) can identify their CISO.  The key is building relationships with the right people. But how? Patricia Patton, Human Capital Strategist and Executive Coach, Annick O’Brien, Data Protection Officer and Cyber Risk Officer, and Gaynor Rich, Global Director Cybersecurity Strategy & Transformation at Unilever tackled this topic head-on and introduced a new framework for security leaders to use: Relationship 15.
Find out more by watching the full session below or check out this blog to download a template for the Relationship 15 Framework. Further reading: Relationship 15: A Framework to Help Security Leaders Influence Change CEO’s Guide to Data Protection and Compliance  16 Tips From Security Leaders: How to Get Buy-In For Cybersecurity How to Communicate Cybersecurity ROI to Your CEO 2. Securing your own organization isn’t enough. You have to consider your supply chain’s attack surface and risk profile, too We often talk about how cybersecurity is a team sport. And it is. But, today your “team” needs to extend beyond your own network.  Why? Because more and more often, bad actors are gaining access to the email accounts of trusted senders (suppliers, customers, and other third-parties) to breach a target company in account takeover (ATO) attacks. The problem is, you’re only as strong as the weakest (cybersecurity) link in your supply chain, and these sophisticated attacks slip right past Secure Email Gateways (SEGs), legacy tools, and rule-based solutions. Marie Measures, CTO, at Sanne Group, and Joe Hancock, Head of Cyber at Mishcon de Reya explain how firms in both the legal sector and financial services are preventing these threats by consulting enterprise risk management frameworks, partnering with customers, and leveraging technology. Further reading: What is Account Takeover? How to Defend Against Account Takeover 3. If you want to understand and reduce risk, you need data (and smart tech) Throughout the Human Layer Security Summit, one word was repeated over, and over, and over again. Visibility. It makes sense. Clear visibility of threats is the first step in effectively reducing risk. But, because so many security solutions are black boxes that make investigation, remediation, and reporting admin-intensive, this can be a real challenge. We have a solution, though. Tessian Human Layer Risk Hub. This game-changing product (coming soon!) enables security and risk management leaders to deeply understand their organization’s security posture by providing granular visibility and reporting into individual user risk levels. How? Each user is assigned a risk score based on dozens of factors and risk drivers, including email behavior, training track record, and access to sensitive information. This clearly shows administrators who needs help (on an individual level and a team level).  The tool also intelligently recommends actions to take within and outside the Tessian portal to mitigate risk. Finally, with industry benchmarking and dashboards that show how risk changes over time, you’ll be able to easily track and report progress. Want to learn more about Tessian Human Layer Risk Hub? Sign-up for our newsletter to get an alert on launch day or book a demo. Further reading: Ultimate Guide to Human Layer Security Worst Email Mistakes at Work (And How to Fix Them) 4. Rule-based solutions aren’t enough to prevent data exfiltration 
If you’re interested in learning more about Human Layer Security, this is the session for you. David Aird, IT Director at DAC Beachcroft, and Elsa Ferreira, CISO at Evercore take a deep dive into why people make mistakes, what the consequences of those mistakes are, and how they – as security leaders – can support their employees while protecting the organization. Spoiler alert: blunt rules, blocking by default, and one-and-done training sessions aren’t enough. To learn how they’re using Tessian to automatically prevent data exfiltration and reinforce training/policies – and to hear what prompted Elsa to say “They say security is a thankless job. But Tessian was the first security platform that we deployed across the organization where I personally received ‘thank you’s’ from employees…”– watch the full session. Further reading:  Research Report: Why DLP Has Failed and What the Future Looks Like 12 Examples of Data Exfiltration 5. When it comes to security awareness training, one size doesn’t fit all  Security awareness training is an essential part of every cybersecurity strategy. But, when it comes to phishing prevention, are traditional simulation techniques effective? According to Joe Mancini, VP Enterprise Risk at BankProv, and Ian Schneller, CISO, at RealPage they’re important… but not good enough on their own. Their advice: Find ways to make training more engaging and tailored to your business initiatives and employees’ individual risk levels  Focus on education and awareness versus “catching” people Make sure training is continuously reinforced (Tessian in-the-moment warnings can help with that) Don’t just consider who clicks; pay attention to who reports the phish, too Consider what happens if an employee fails a phishing test once, twice, or three times Want more tips? Watch the full session. Further reading: Why The Threat of Phishing Can’t be Trained Away Why Security Awareness Training is Dead Phishing Statistics (Updated 2021) 6. The future will be powered by AI Nina Schick, Deepfakes expert, Dan Raywood, Former deputy-editor at Infosec Magazine, and Samy Kamkar, Privacy and Security Researcher and Hacker went back and forth, discussing the biggest moments in security over the last year, what’s top of mind today, and what we should prepare for in the next 5-10 years. Insider threats, state-sponsored threats, and human error made everyone’s lists…and so did AI.
Watch the full session to hear more expert insights. Further reading: 2021 Cybersecurity Predictions  21 Cybersecurity Events to Attend in 2021 7. Hackers can – and do – use social media and OOO messages to help them craft targeted social engineering attacks against organizations  Spear phishing, Business Email Compromise (BEC), and other forms of social engineering attacks are top of mind for security leaders. And, while most organizations have a defense strategy in place – including training, policies, and technology – there’s one vulnerability most of us aren’t accounting for. Our digital footprints. Every photo we post, status we update, person we tag, and place we check-in to reveals valuable information about our personal and professional lives. With this information, hackers are able to craft more targeted, more believable, and – most importantly – more effective social engineering attacks. So, what can you do to level-up your defenses? Jenny Radcliffe, Host of The Human Factor, and James McQuiggan, CISSP Security Awareness Advocate, KnowBe4, share personal anecdotes and actionable advice in the first session of the Human Layer Security Summit.  Watch it now. Further reading: New Research: How to Hack a Human  6 Real-World Social Engineering Examples Want to join us next time? Subscribe to our blog below to be the first to hear about events, product updates, and new research. 
DLP Compliance
14 Biggest GDPR Fines of 2020 and 2021 (So Far)
03 February 2021
Since the GDPR (General Data Protection Regulation) came into effect in May 2018, countless organizations have made headlines for violations. British Airways, Marriot International Hotels, Austrian Post…but what about in 2020 and 2021? According to research from DLA Piper, between January 26, 2020, and January 27, 2021: GDPR fines rose by nearly 40% Penalties under the GDPR totaled €158.5 million ($191.5 million) Data protection authorities recorded 121,165 data breach notifications (19% more than the previous 12-month period) The UK’s Data Protection Authority, the Information Commissioner’s Office (ICO), recently published data covering July 1, 2020, to October 31, 2020. The ICO’s data shows: The ICO received 2,594 data breach notifications.  The most common cybersecurity incident was phishing. As usual, the most common cause of data breaches was misdirected email. Keep reading to find out which organizations have been slapped with the biggest fines, why, and how the violation could have been prevented.  Looking for information about achieving and maintaining compliance? We explore solutions for reducing email risk (the #1 threat vector according to security leaders) on this page.
The biggest GDPR fines of 2020 and 2021 (so far) 1. Google – €50 million ($56.6 million)  Although Google’s fine is technically from 2019, the company appealed against it. In March 2020, judges at France’s top court for administrative law dismissed Google’s appeal and upheld the eye-watering penalty. How the violation(s) could have been avoided: Google should have provided more information to users in consent policies and should have granted them more control over how their personal data is processed. 2. H&M — €35 million ($41 million) On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed. H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment. How the violation(s) could have been avoided: Details of the decision haven’t been published, but the seriousness of H&M’s violation is clear. H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose. H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment. 3. TIM – €27.8 million ($31.5 million) On January 15, 2020 Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years.  TIM’s infractions include a variety of unlawful actions, most of which stem from an overly-aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.   How the violation(s) could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.   4. British Airways – €22 million ($26 million) In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than $238 million dollar fine that the ICO originally said it intended to issue back in 2019.  So, what happened back in 2018? British Airway’s systems were compromised. The breach affected 400,000 customers and hackers got their hands on log in details, payment card information, and PI like travellers’ names and addresses.   How the violation(s) could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, they didn’t even have basics like multi-factor authentication in place at the time of the breach. Going forward, the airline should take a data-first security approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place. 5. Marriott – €20.4 million ($23.8 million) While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened? 383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. PI like guests’ names, addresses, passport numbers, and payment card information was exposed.  Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018. How the violation(s) could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systemswith a stronger data loss prevention (DLP) strategyand utilized de-identification methods.  6. Wind — €17 million ($20 million) On July 13, Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities. The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe. The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.  How the violation(s) could have been avoided:Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could  demonstrate that sending marketing materials was in its “legitimate interests.” For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date. 7. Notebooksbilliger.de — €10.4 million ($12.5 million) German electronics retailer notebooksbilliger.de (NBB) received this significant GDPR fine on January 8, 2021. The penalty relates to how NBB used CCTV cameras to monitor its employees and customers. The CCTV system had been running for two years, and NBB reportedly kept recordings for up to 60 days. NBB said it needed to record its staff and customers to prevent theft. The Lower Saxony DPA said the monitoring was an intrusion on its employees’ and customers’ privacy. NBB is disputing the fine. How the fine could have been avoided: The NBB’s fine reflects strict attitudes towards CCTV monitoring in parts of Germany. The regulator said NBB’s CCTV program was not limited to a specific person or period. Using CCTV isn’t prohibited under the GDPR, but you must ensure it is a legitimate and proportionate response to a specific problem. The UK’s ICO has some guidance on using CCTV in a GDPR-compliant way. 8. Google – €7 million ($7.9 million) 2020 was not a good year for Google. In March, the Swedish Data Protection Authority of Sweden (SDPA) fined Google for neglecting to remove a pair of search result listings under Europe’s “right to be forgotten” rules under the GDPR, which the SDPA ordered the company to do in 2017.  How the violation(s) could have been avoided: Google should have fulfilled the rights of data subjects, primarily their  right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”  You can find more information about how to comply with requests for erasure from the ICO here.  9. Caixabank — €6 million ($7.2 million) This fine against financial services company Caixabank is the largest fine ever issued by the Spanish DPA (the AEPD).  The AEPD finalized Caixabank’s penalty on January 13, 2021, breaking Spain’s previous record GDPR fine, against BBVA — issued just one month earlier. This suggests a significant toughening of approach from the Spanish DPA. The first issue, which accounts for €4 million of the total fine, related to how Caixabank established a “legal basis” for using consumers’ personal data under Article 6. Second, Caixabank was fined €2 million for violating the GDPR’s transparency requirements at Articles 13 and 14.  How the fine could have been avoided:The AEPD said Caixabank relied on the legal basis of “legitimate interests” without proper justification. Before you rely on “legitimate interests,” you must conduct and document a “legitimate interests assessment.”  The company also failed to obtain consumers’ consent in a GDPR-compliant way. If you’re relying on “consent,” make sure it meets the GDPR’s strict “opt in” standards. The AEPD criticized Caixabank’s privacy policy as providing vague and inconsistent information about its data processing practices. Make sure you use clear language in your privacy notices and keep them consistent across websites and platforms. 10. BBVA (bank) — €5 million ($6 million) This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020.  The BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month. Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions. How the fine could have been avoided: The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages. The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and use its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy. 11. AOK (Health Insurance) — €1.24 million ($1.5 million) On June 30, the Data Protection Authority of Baden-Wuerttemberg, Germany, imposed a €1.24 million fine on health insurance company Allgemeine Ortskrankenkasse (AOK).  AOK set up contests and lotteries using its customers’ personal information — including their health insurance details. The company also used this data for direct marketing. AOK tried to get consent for this, but it ended up marketing to some users who had not consented. The regulator found that the company had sent people marketing communications without establishing a lawful basis. AOK also failed to implement proper technical and organizational privacy safeguards to ensure they only sent marketing to those who consented. How the violation(s) could have been avoided: What’s the main takeaway from the AOK case? Be very careful when sending direct marketing. If you need people’s consent, make sure you keep adequate, up-to-date records of who has consented. 12. BKR (National Credit Register) — €830,000 ($973,000) On July 6, the Dutch Data Protection Authority fined the Bureau Krediet Registration (‘BKR’) €830,000 for charging individuals to access their personal information digitally. BKR allowed customers to access their personal information for free on paper, but only once per year. BKR is appealing the fine. How the violation(s) could have been avoided: BKR shouldn’t have been charging individuals to access their personal information, and they shouldn’t have been imposing a once-per-year limit. The GDPR is clear — you may only charge for access to personal information, or refuse access, if a person’s request is “manifestly unfounded or excessive.” 13. Iliad Italia — €800,000 ($976,000) On July 13, the Italian Data Protection Authority fined telecoms company Iliad Italia €800,000 for processing its users’ personal information unlawfully in numerous ways. One issue was Iliad’s collection of consent for its marketing activities, which the regulator found had been “bundled” with an acknowledgment of the company’s terms and conditions. Iliad also failed to store its users’ communications data securely. How the violation(s) could have been avoided: Consent under the GDPR is defined very narrowly. If you’re going to ask for a person’s consent, you must make it specific to a particular activity. Don’t “bundle” your consent requests — for example, by asking people to agree to marketing and sign a contract using one tickbox. Data security is one of the cornerstones of the GDPR. Iliad appears to have failed to implement proper access controls on its users’ personal information. You must ensure that personal information is only accessible on a “need to know” basis. 14. Unknown – €725,000 ($821,600) In April, the Dutch Data Protection Authority handed out its largest fine to date to a so-far unknown company for unlawfully using employees’ fingerprint scans for its attendance and timekeeping records. The violation took place over the course of 10 months. Note: Under the GDPR, biometric data like fingerprints are classified as sensitive personal data and it is subject to more stringent protections.  How the violation(s) could have been avoided: The company should have had a valid, lawful reason to collect employees’ fingerprints. They should have also had technical measures in place to process the data and a clear process for deleting the data. 
What else can organizations be fined for under GDPR?  While the biggest fines so far in 2020 involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.  In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But, how do you prevent an accident? By focusing on people rather than systems and networks. How does Tessian help organizations stay GDPR compliant?
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.  Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). To learn more about how Tessian helps with GDPR compliance, you can read our customer stories or book a demo. Or, for information about other data privacy legislation, check out our compliance hub. 
Human Layer Security Compliance
10 Reasons Why CEOs Should Care About Cybersecurity
By Tim Sadler
25 November 2020
Cybersecurity is a team sport. And for strategies to be truly effective, security leaders and business leaders have to work together.  In fewer words: Cybersecurity should be on the CEO’s agenda. So, to help bridge the gap and to really highlight why privacy and data protection matter now, I put together this list of reasons why CEOs should care about cybersecurity. Here are 10 reasons why CEOs should care about cybersecurity.
1. Cybersecurity is a competitive differentiator Today, customers and clients don’t just care about privacy, they expect it. That means that a strong cybersecurity culture can actually enable businesses. At our first Human Layer Security Summit of 2020, Mark Parr, Global Director at HFW, summed it up nicely, saying “You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.” He’s not alone in thinking this. According to Cisco’s global survey of security professionals and business leaders, 41% of survey respondents said “competitive advantage” was a benefit of their privacy investment.  2. The biggest consequence of a data breach is lost customer trust Earlier this year, we asked security leaders what the biggest consequence of a data breach would be. The #1 answer? Not lost data. Not regulatory fines or revenue loss. Lost customer trust. Breaches damage your brand and it can be very hard to win back customers’, clients’, and even the public’s trust. That’s why organizations see (on average) 3.9% customer churn after a data breach.  3. You will inevitably empower your people to do their best work Prioritizing cybersecurity isn’t just good for the business. It’s great for your people.  Here’s why: 90% of breaches are caused by human error. But people aren’t intentionally making these errors, they’re moving fast to get their job done. Security just isn’t top of mind for them.  So, it’s our job to set them up for success and empower them to do their best work securely. How do you do that? By removing the sharp objects.  At Tessian’s second Human Layer Security Summit, Bobby Ford, Vice President and Global CISO at Unilever put this into perspective with an example from his own life.   When you’re a parent helping your son or daughter learn how to walk, what do you do? Child-proof the house and get outta the way! 4. Privacy investment can help reduce delays in sales processes and improve operational efficiency Remember that Cisco global survey I mentioned earlier? “Competitive advantage” wasn’t the only benefit security professionals and business leaders experienced as a result of their investment in privacy and cybersecurity. 41% achieved operational efficiency from having data organized and cataloged and 37% saw a reduction in sales delays due to privacy concerns from customers and prospects. It makes sense. Data protection, privacy, and cybersecurity force businesses to be more transparent. That transparency fosters customer loyalty and increases organizational alignment.  
5. The average data breach costs $3.86 million While most security leaders agree that the biggest consequence of a breach is lost customer trust and damaged reputation, we can’t ignore the financial implications. In IBM’s latest Cost of a Data Breach report, they found the average data breach costs $3.86 million. This figure includes costs associated with: Detection and Escalation Notification  Lost Business Ex-post response. And this doesn’t even account for the potential fines from regulators.  Why does this matter? If we’re talking about the ROI of cybersecurity, the cost of non-compliance is actually 2.71 times higher than the cost of compliance. Translation: Prevention is better than cure.  6. The investigation and remediation of breaches disrupts productivity On average, it takes companies 197 days to identify and 69 days to contain a breach. And this process of investigating and remediating requires time and resources from plenty of departments, teams, and people outside of IT. Legal, compliance, executive, marketing, HR, and people teams will get pulled in. Spokespeople will be appointed. External security/IT support will have to be hired and onboarded. The bottom line: you hired great people to do great things. Post-breach activities pull them away from their day-to-work, disrupt their flow and productivity, and distract them from the business’ larger mission. 7. Data protection laws are only going to get more strict  On the topic of compliance, it’s important to point out that data protection laws are only going to get more strict and enforcement agencies are only going to be given more resources to enforce data requirements. That means organizations around the world and across industries won’t just benefit from strong cybersecurity programs, but they’ll be obligated to have one.  Top tip: Industries like financial services tend to be 5+ years ahead in cybersecurity maturity. If you don’t operate in these industries, it’s worth taking note of what’s top-of-mind for the business and security leaders that do.  8. Security culture is built from the top down Just like company culture, the C-suite sets the tone for security culture and therefore must lead by example.  It’s especially important that the CEO plays an active role in not just creating the overall security strategy, but actually rolling it out. Why? The CEO can connect cybersecurity to business objectives and help employees understand what it’s such a critical component in enabling the company to achieve its mission.
But business leaders will soon have no choice but to actively contribute to their organization’s security culture…. 9. By 2024, CEOs could be held personally liable for data breaches As I’ve said, cybersecurity is mission critical. But, for now, it’s security and IT teams who shoulder the responsibility. In a few years, this could change.  According to Gartner, CEO’s will be held personally liable for data breaches by 2024. 10. You owe it to your customers We mentioned earlier that strong cybersecurity can help businesses win new customers. But it’s not just about winning new customers. It’s also about supporting the ones you have.  This is one of Tessian’s core values: Customer-Centricity. Your customers entrust you with their data, their intellectual property, their secrets. You have to keep it safe. That’s why we believe that – as a cybersecurity vendor – it’s our mission to protect every other business’ mission. If you’re looking for more insights into how security and business leaders can work together, check out our latest eBook: CEO’s Guide to Data Protection and Compliance. 
Compliance
CCPA FAQs: Your Guide to California’s New Privacy Law
08 November 2020
The California Consumer Privacy Act (CCPA) is now in force, and those that fail to comply are open to civil penalties and private lawsuits.  But, many business, security, and compliance leaders are still scratching their heads, wondering how the CCPA will affect them, how to stay compliant, and what consequences they face in the event of a data breach. We’re here to help. We’ve answered some of the key questions businesses are asking about, from the scope of the CCPA to violations under this strict data privacy law.  Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, taking away some of the ambiguity and pushing the state statute closer to the GDPR. The CPRA: Gives consumers the right to opt out of sharing their data. That means publishers will be required to display “prominently and conspicuously” on their homepages a “Do Not Sell or Share My Personal Information” link. Enforces a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected. Remember, consumers must be informed about how their data will be use before it is collected. Creates an agency to enforce compliance and dish out fines. The new regulatory body – California Privacy Protection Agency – has dedicated resources and the power to determine whether or not a violation was intentional or not. While – yes- the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options. What does this mean for you? Organizations must ensure compliance with the CPPA,  integrating the demands of the CPRA. The CPRA is set to take effect on January 1, 2023, but will apply to data collected from January 1, 2022.
Scope of the CCPA Who is covered by the CCPA? The CCPA covers several types of entities, primarily “businesses.” If your company qualifies as a business, it needs to comply with the CCPA. A business can be any legal entity that operates for profit in California and meets one or more of the CCPA’s three thresholds: It has annual gross revenues in excess of $25 million It annually buys, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers, households, or devices  It earns 50 percent or more of its annual revenues from selling consumers’ personal information Does the CCPA only apply to big businesses? At first glance, the thresholds above may appear to only apply to large corporations, social media companies, and “data brokers.”  But the truth is, many companies with targeted advertising campaigns may meet the requirements of threshold “B.” This is because using third-party cookies is likely to constitute “selling personal information. (More information below. Click here to jump ahead.)  Therefore, a company is likely to be covered by the CCPA if its website or mobile app: Uses third-party advertising or analytics cookies (or similar technologies), and Generates at least 50,000 unique hits originating in California per year.
Does the CCPA cover non-Californian companies? It doesn’t matter if your business is based in Los Angeles, London, or Lahore. The determining factors are whether you collect the personal information of California residents (“consumers”), and whether you meet one or more of the three thresholds above. Does your business collect the personal information of California residents? It does if they:  Visit your website (assuming you use web analytics or cookies to measure engagement or track visitors) Sign up to your newsletter Make an enquiry about your services That means that if you have a website that attracts visitors from around the world, chances are you’re obligated to satisfy the CCPA.  What is “Personal Information” under the CCPA? The CCPA defines “personal information” as: “…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It’s worth mentioning that this is arguably the broadest definition of “personal information” under any privacy law in the world. Nonetheless, the CCPA provides examples of the types of data that might qualify as personal information.  While this list is not exhaustive, it includes: Name Email address IP address Cookie data Device ID Biometric data Geolocation data It’s very common for a business to collect these types of information every time a person visits its website or uses its app. And, it’s also impossible to do business with a consumer without collecting at least some of this information.  Think about it. When you buy something on an e-commerce website, what information do you provide? What is a “Service Provider” under the CCPA? A service provider is a legal entity that processes personal information on behalf of a business.  For example, a marketing company receives a list of email addresses from a business and sends out its newsletter. The marketing company doesn’t have a direct interest in the end result of this activity — it simply obeys the instructions of the business. A service provider must also operate under a contract with the business from whom it receives personal information. This contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose outside of the contract. In layman’s terms: Service providers are not directly liable for most CCPA obligations. But, if a service provider’s negligence or wrongdoing leads to a data breach, it can be sued by the client.  Service providers can also receive civil penalties (more on that here) in certain circumstances. Unfortunately, it’s not clear yet what these “certain circumstances” are. As and when we have more context, we’ll update this blog! Violating the CCPA What is the CCPA’s Private Right of Action? Under the CCPA’s private right of action, a consumer — or group of consumers — can bring a legal claim against a business that fails to secure certain types of their personal information and suffers a data breach. (You can read more about what types of PI in this blog.) But, what happens if a consumer does pursue this private right of action? It can lead to: Statutory damages — an amount of money paid to each consumer, determined by the court, depending on the seriousness of the breach (among other factors). Statutory damages fall between $100 and $750 per consumer, per incident. Actual damages —  an amount of money paid to each consumer, based on what they have actually lost as the result of a breach. In the event of large-scale data breaches involving millions of consumers, damages could add up to billions of dollars. We’ve yet to see any legal claims completed under the CCPA. However, what if the CCPA had been in force throughout Facebook’s “Cambridge Analytica” scandal? Privacy lawyer Nicholas Schmidt estimates that the damage could have been between $61.6 billion and $184.7 billion. What are the CCPA’s civil penalties? The California Attorney General can issue civil penalties to businesses or service providers that violate any part of the CCPA. The CCPA’s civil penalties can be for an amount of: Up to $7,500 per intentional violation, such as knowingly selling personal information where a consumer has opted out. Up to $2,500 per unintentional violation, such as failing to impose reasonable security measures leading to a data breach.  Note: This is why it’s so important organization’s have strong security policies, procedures, and solutions in place. Reducing risk by improving your security posture is key. Tessian helps prevent data exfiltration and accidental data loss. Our solutions also help security leaders proactively protect their systems and data through automated intelligence and robust investigation and remediation tools. Learn more. The California Attorney-General must give a business 30 days’ notice of its alleged CCPA violation. If the business can “cure” the violation within this period, it can escape a penalty. While it’s not clear how a business can “cure” a CCPA violation, examples may include imposing security measures to “stem” a data breach or successfully retrieving personal information that has been exfiltrated. Privacy regulators are increasingly imposing harsh penalties on big tech companies. The CCPA takes clear inspiration from the EU General Data Protection Regulation (GDPR), which has seen the following large fines: €50 million (Google, France) €27.8 million (TIM telecommunications company, Italy) €204.6 million (British Airways, UK — not yet enforced)
CCPA Data Security Requirements What counts as a data breach under the CCPA? The CCPA defines a data breach as: “…unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” Here are the key elements of this definition: Unauthorized access Exfiltration Theft Disclosure A failure to “maintain reasonable security procedures and practices” Remember that a data breach can be intentional or unintentional and it can originate from a person inside or outside of your business. Read more about Insider Threats on our blog. According to the most recent California Data Breach Report, misdirected emails (emails sent to the wrong recipient) were the leading cause of data breaches. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
In the UK, misdirected emails were also the most common cause of data breach in quarter 4 of 2019-20, according to the UK Information Commissioner’s Office (ICO). As we’ve said, the CCPA requires a proactive approach to maintaining data security. Read about how Tessian can help CCPA compliance below or learn more about Tessian Guardian, which detects and prevents misdirected emails before they happen. What is “reasonable security” under the CCPA? The CCPA doesn’t define “reasonable security procedures and practices.”  However, in the most recent California Data Breach Report, the California Attorney-General clearly states that meeting the 20 Critical Security Controls from the Center for Internet Security (CIS) represents a minimum reasonable level of security.
The CIS Critical Security Controls include: Email and web browser protection Malware protection Application software security It’s worth noting that email is the threat vector most security leaders are worried about protecting. Find out why.  CCPA Consumer Rights What are the CCPA Consumer Rights? The CCPA’s consumer rights are: The right to know — consumers may request information about the types of information a business has collected, used, and shared about them over the past 12 months. They may also request copies of the specific pieces of information that the business holds about them. The right to delete — consumers may request that a business deletes the personal information it holds about them. The right to opt out — consumers may instruct a business not to sell their personal information The right to non-discrimination — businesses may not offer a lesser quality of goods or services or demand a higher price for goods or services if a consumer exercises their CCPA rights. The right to opt in (for minors) — businesses must obtain opt-in consent before selling the personal information of minors under the age of 16. They must obtain parental consent before selling the personal information of minors under the age of 13. In upholding these consumer rights, businesses have an obligation to provide individuals certain types of notice. More on that below.  What are the CCPA’s notice requirements? Under the CCPA, businesses must provide up to four types of notice to consumers: Privacy Policy — details which categories of personal information the business has collected, used, disclosed, and sold over the past 12 months. Every businesses must include a clear and prominent link to its Privacy Policy on its website and/or app. Notice at collection — provided at the point at which the business collects personal information from a consumer. This could appear, for example, as a disclaimer at the top of a sign-up form, informing consumers about what personal information the business is collecting and why. Notice of the right to opt-out — enables consumers to opt out of the sale of their personal information (where applicable). This must include a prominent link on a business’s homepage reading “Do Not Sell My Personal Information.” It might also take the form of a “cookie banner” enabling consumers to opt out of personalized advertising. Notice of financial incentives — informs consumers about any financial incentives offered for the processing of their personal information (where applicable). This can appear as a disclaimer when consumers are invited to sign up to certain types of “loyalty schemes.” What counts as “selling” Personal Information under the CCPA? The CCPA defines “selling” personal information as: “…selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” There is a lot of debate about what this means for businesses. Virtually any transfer of personal information that benefits your company could constitute a “sale.”  And, because of the very broad phrasing, this definition is likely to include the use of third-party cookies, which involve “transferring” “personal information” (such as IP addresses and device IDs) to “a third party” for “valuable consideration.” Don’t worry, there are several approaches to transferring Personal Information without “selling” it, including engaging a service provider when disclosing personal information for business purposes. How can Tessian help with CCPA compliance? While some parts of the CCPA are still open to debate, we know the following facts for certain: Data breaches will leave CCPA-covered businesses open to significant risks of private litigation and civil penalties. Failure to implement reasonable security procedures and practices will: Increase the likelihood of a data breach occurring, and Lead to more substantial fines and more serious legal claims. As one of the CIS Critical Security Controls, “email protection” is one of the minimum requirements for “reasonable security.” Tessian’s Human Layer Security solutions can fulfill a crucial element of your company’s duty to maintain reasonable security procedures and practices. Tessian Guardian — prevents your employees from emailing personal or sensitive company information to the wrong person. Tessian Enforcer — prevents the exfiltration of company data to unauthorized recipients. Tessian Defender — detects and prevents inbound “spear-phishing” attacks designed to trick your employees into divulging personal information. Learn more about Tessian’s solutions by booking a demo. 
Compliance
6 Reasons to Download The CEO’s Guide to Data Protection and Compliance
By Maddie Rosenthal
29 October 2020
Over the last several months, Tessian has published a ton of articles related to data compliance, the business value of cybersecurity, and the importance of executive buy-in when it comes to security strategies.  We’ve combined all of that information to create our latest eBook: CEO’s Guide to Data Protection and Compliance.  We know what you’re thinking. A guide for CEOs? Why? Let us explain by telling you why you should download it.  1. We explain why business leaders should care about cybersecurity While we don’t want to fear monger, it’s important to know that, according to Gartner, CEOs will be held personally liable for data breaches by 2024. But that’s not the only reason why business leaders should care about cybersecurity. They should care because cybersecurity can actually be a business enabler and competitive differentiator. More on this in point six.  2. We offer resources that will help bridge the gap between security and commercial teams Cybersecurity is a team sport and in order for strategies to be truly effective, the C-suite has to be on board. But, communicating risk, opportunity, and cybersecurity ROI can be tough….especially when – in most organizations – CISOs don’t have a seat at the table. We created this eBook to mitigate that disconnect. We considered both the CEOs and the CISOs perspective, avoided the “curse of knowledge”, and provided dozens of resources that will help security and commercial teams communicate better. Like what? A checklist for ensuring compliance A detailed breakdown of the steps organizations must take post-breach A shareable infographic of relevant statistics An industry-specific “worksheet” to help you understand the cost of a breach A list of the biggest breaches (and fines) under the GDPR, CCPA, HIPAA, GLBA, and PCI DSS Over 15 additional resources to help answer your questions  3. We share a high-level overview of 25 compliance standards While the GDPR and HIPAA tend to make headlines, there are actually dozens of regional and industry-specific data privacy regulations that you may be obligated to satisfy. Not sure where to start? We offer a high-level overview of 25 different compliance standards and explain who must comply and what data is protected.  4. We break down five compliance standards (in layman’s terms) While the high-level overview mentioned above will help business (and security!) leaders understand the broader compliance landscape, we wanted to double-click on a few. In the eBook we answer the following eight questions about GDPR, CCPA, HIPAA, GLBA, and PCI DSS: What is it? Who enforces it? When was it enacted? Who is obligated to comply? What are the penalties for non-compliance? What data is protected? What are the data requirements? What have been the biggest breaches? 5. We highlight the biggest breaches in recent history and how they could have been avoided As they say “history is a great teacher”. So, to help CEOs and CISOs understand potential vulnerabilities, the consequences of breaches, and how to prevent them, we outline the three biggest breaches (and fines) for each compliance standard.  Note: While – yes – some of this information is easy to find with a simple Google search, other information has been pulled from case dockets and breach notifications. That means we’ve done the heavy lifting for you.  6. We list the benefits of compliance from a business perspective This is what CEOs care about. Business value. Revenue drivers. And, while cybersecurity has historically not been viewed as a business enabler, this eBook proves that it is. We list 4 clear benefits of compliance beyond avoiding fines and explain how strong cybersecurity can help you build (and maintain) customer trust, attract investment, and help you streamline business operations.  Ready to learn more? Download the eBook and toolkit now.
DLP Compliance Data Exfiltration
A Beginner’s Guide to Cybersecurity Frameworks
05 October 2020
As rates of cybersecurity incidents rise and data security laws become stricter, organizations must take steps to protect the information under its control. But safeguarding your company’s information can be a daunting task.  So, where do you start? You can start by implementing a cybersecurity framework. In this article, we’ll look at four of the most prevalent cybersecurity frameworks — to help you get started on your journey toward better information security.  But first, let’s define what a cybersecurity framework is. What is a cybersecurity framework?
What are the benefits of implementing a cybersecurity framework? Running a business is a time-consuming and complicated task and many business leaders – especially those without any background in cybersecurity – worry that implementing a cybersecurity framework will create extra work. And, while it does take time and effort to follow a cybersecurity framework through to completion, it’s almost certainly going to save you time, stress — and money — in the long-term. Here’s how: It will strengthen your network protection, reducing your risk of a cybersecurity attack. It will help ensure better data security practices among staff, reducing the risk of accidental data loss, such as via misdirected email. It increases awareness of cybersecurity among staff, leading to a reduced risk from social engineering attacks. It improves your reputation among consumers and business partners. Implementing a cybersecurity framework is also a fundamental way of meeting your legal obligations under data privacy laws, such as:  The EU General Data Protection Regulation (GDPR)  The California Consumer Privacy Act (CCPA) The South Africa Protection of Personal Information Act (POPIA)  Under these laws — and many others worldwide — it is necessary for businesses to maintain a reasonable level of data security. Implementing a cybersecurity framework is an excellent way to achieve this. Looking for more information about regional and industry-specific data protection laws? Visit our compliance content hub. 
What sorts of organizations should implement a cybersecurity framework? Implementing a cybersecurity framework is mandatory in some industries. For example, organizations that handle cardholder data must comply with the PCI DSS framework. However, a business of virtually any size — and in any industry — can adopt a cybersecurity framework at relatively low cost.  One way that a small business can achieve cybersecurity compliance is by choosing a flexible framework —  such as the CIS Controls or NIST Cybersecurity Framework, and prioritizing the implementation of controls according to its business needs and operating context. Now, let’s look at four of the best-known cybersecurity frameworks.
Introduction to CIS Controls The Center for Internet Security (CIS) Controls framework can help you mitigate and defend against the most basic cyberattacks.  Here are the 20 CIS Controls: Basic CIS Controls Inventory and Control of Hardware Assets Inventory and Control of Software Assets Continuous Vulnerability Management Controlled Use of Administrative Privileges Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Maintenance, Monitoring, and Analysis of Audit Logs Foundational CIS Controls Email and Web Browser Protections Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Data Recovery Capabilities Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches Boundary Defense Data Protection Controlled Access Based on the Need to Know Wireless Access Control Account Monitoring and Control Organizational CIS Controls Implement a Security Awareness and Training Program Application Software Security Incident Response and Management Penetration Tests and Red Team Exercises
CIS Control 13: Data Protection  To give you an idea of what the CIS controls require, we’ll take a closer look at Control 13: Data Protection. CIS Control 13 provides some practical steps to help you protect data from exfiltration and cyberattacks. At its core, Control 13 requires organizations to: Use a combination of encryption, integrity protection, and data loss prevention (DLP) methods to ensure the security of data Limit and report on data exfiltration attempts Mitigate the effects of data compromise Control 13 contains nine sub-controls. Some of these are achievable for businesses of all sizes, such as: 13.1: Maintain an Inventory of Sensitive Information 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization 13.6: Encrypt Mobile Device Data If your organization has “moderate” or “significant” resources, it can implement further sub-controls, such as: 13.3: Monitor and Block Unauthorized Network Traffic 13.4: Only Allow Access to Authorized Cloud Storage or Email Providers 13.5: Monitor and Detect Any Unauthorized Use of Encryption By implementing the CIS controls and sub-controls on a priority basis, businesses can implement a reasonably effective cybersecurity program.  Looking for a straightforward way to implement multiple sub-controls across several CIS controls? implement email security software. Email is the entry-point for 96% of phishing attacks.
Introduction to the NIST Cybersecurity Framework The NIST Cybersecurity Framework (full title: Framework for Improving Critical Infrastructure Cybersecurity) is a comprehensive set of security controls and guidance for private sector organizations. Currently, at version 1.1, the framework aims to improve the general level of cybersecurity among US organizations. The framework is guidance — it’s entirely voluntary  — and it can be customized according to a company’s sector, resources, and risk profile. The framework’s “core” consists of cybersecurity activities and outcomes — written in accessible language that should be understandable to non-technical teams. (Phew!) The core activities and outcomes are sorted into five functions, which are further divided into categories. We’ve listed them below.  Identify: The “Identify” function provides the essential, foundational activities and outcomes necessary to use the framework. Outcomes categories associated with this function include: ID.AM: Asset Management ID.BE: Business Environment ID.RA: Risk Assessment Protect: The “Protect” function activities help mitigate the impact of a potential cyberattack or data breach. Protect outcome categories include: PR.AC: Identity Management and Access Control PR.AT: Awareness and Training PR.DS: Data Security Detect: The “Detect” function enables businesses to quickly detect that a cybersecurity event has occurred. Detect outcome categories include: DE.AE: Anomalies and Events  DE.CM: Security Continuous Monitoring DE.DP: Detection Processes Respond: Implementing the “Respond” function will ensure your business takes appropriate action during a cybersecurity event. Outcome categories in this function include: RS.RP: Response Planning  RS.CO: Communications  RS.AN: Analysis Recover: The “Recover” function allows an organization to return to normal functioning after a cyberattack. Recover function outcome categories include: RC.RP: Recovery Planning  RC.IM: Improvements RC.CO: Communications Each function’s categories are, in turn, divided into subcategories. For example: ID.AM (function: Identity, category: Asset Management): ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-2: Software platforms and applications within the organization are inventoried ID.AM-3: Organizational communication and data flows are mapped The subcategories all come with “informative references”, which are practical resources to help businesses achieve the outcomes.  For example, ID.AM-1 (Identify: Asset Management) includes the following references: CIS Control 1  ISO 27001:2013 Annexes A.8.1.1 and A.8.1.2 NIST Special Priority (SP) 800-53 (revision 4) CM-8 and PM-5 Introduction to ISO 27000 Series
The ISO 27000 Series (sometimes called the ISO/IEC 27000 Series) is a family of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27000 Series is extensive, covering information security requirements, guidelines, and sector-specific standards. Examples of some of the published standards in the ISO 27000 Series include: ISO 27000: Information Security Management Systems — Overview and Vocabulary ISO 27003: Information Security Management System Implementation Guidance ISO 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors ISO 27019: Information Security for Process Control in the Energy Industry ISO 27032: Guideline for cybersecurity ISO 27033: IT network security Businesses of all sizes can implement one or more of the ISO 27000 Series standards. These are internationally recognized standards and are well-respected around the world.  While implementing ISO 27000 controls is not legally mandatory, there is an expectation of ISO-compliance in many industries and contexts. For example, for public cloud storage service providers that process personal information, achieving ISO 27018 compliance is crucial. ISO 27001 To give you a feel for ISO 27000 implementation, we’re going to take a closer look at one of the more popular standards in the series: ISO 27001, full name “Information technology — Security techniques — Information security management systems — Requirements.” ISO 20071 aims to enable businesses to establish, implement, maintain, and continually improve an information security management system (ISMS). Unlike the CIS Controls or the NIST Cybersecurity Framework, ISO 20071 is not available for free. The ISO 27001 standard consists of ten “clauses,” and an annex containing 114 controls, sorted into 14 sets. A business can prioritize its implementation of these controls according to its operational requirements. An essential part of complying with ISO 27001 is risk assessment. An ISO 27001 risk assessment can be broken down into several stages: Creating a risk assessment methodology that accounts for: Your operating context Risk criteria Risk tolerance Identifying information assets, such as: Digital documents Paper files Storage devices Mobile devices Identifying threats: Social engineering attacks, such as spear phishing Exfiltration of data by trusted employees Weak passwords leading to hacked employee accounts ISO 27001 compliance is an ongoing process that requires the commitment of employees across your whole organization. Once a company has implemented sufficient controls, it can undergo an audit and obtain ISO 27001 certification. Tessian is ISO 27001 certified. You can read more about your integrations, compatibility, and partnerships here. 
Introduction to PCI DSS The PCI DSS applies to all organizations that accept, transmit, or store information associated with payment cards (known as “merchants”). The PCI DSS sits alongside the PCI PTS (for manufacturers) and the PCI PA-DSS (for software developers). Unlike the other frameworks we’ve looked at, the PCI DSS is mandatory for any business that qualifies as a merchant. The Payment Card Industry Council enforces PCI DSS compliance, and — in some jurisdictions — it is incorporated into law. The framework’s requirements differ according to how many Visa transactions a merchant processes per year. There are four levels of PCI DSS requirements: Level 1: Any merchant that:  Processes more than 6 million Visa transactions per year, or Is determined by Visa as needing to meet level 1 requirements Level 2: Any merchant that processes 1-6 million Visa transactions per year Level 3: Merchants that process 20,000-1 million eCommerce Visa transactions per year Level 4: Any merchant that: Processes fewer than 20,000 Visa transactions per year, or Processes fewer than 1 million non-eCommerce Visa transactions per year As you can see, eCommerce merchants have slightly stricter requirements due to the risks of transacting online.  If a merchant suffers a data breach, it might be required to move up a level to continue making card transactions. This is one of many reasons you should take a “security-first” approach and implement as many cybersecurity controls as your budget allows. The PCI DSS consists of 12 requirements, which can be summarized as: Use a firewall Change default passwords and other security parameters Protect cardholder data in storage Encrypt cardholder in transit Implement and update antivirus software  Ensure systems and applications are secure Restrict access to cardholder data Assign unique user IDs  Maintain physical safeguards over cardholder data Monitor access to cardholder data and network resources  Test security systems  Maintain an information security policy In fewer words: Merchants must protect cardholder data from internal and external threats.  How can Tessian help with cybersecurity framework implementation? As we’ve seen, all cybersecurity frameworks require businesses to protect the information in their control from threats such as: Social engineering attacks  Accidental data loss Insider threats Across three solutions, Tessian detects and prevents email-based cybersecurity threats. Why email? Read more about why email is the threat vector cybersecurity leaders are most concerned about on our blog.  You can also learn why rule-based DLP solutions are failing and why the world’s top organizations (in some of the most regulated industries) trust Tessian.
Spear Phishing Compliance Data Exfiltration
September Cybersecurity News Roundup
30 September 2020
We’re back with another monthly roundup of cybersecurity news. Cybercriminals have once again been busy, with several high-profile data breaches and ransomware attacks occurring throughout September. And – rather unsurprisingly – social media platforms Twitter and TikTok have made the cut for the third month running. Here are the top cybersecurity stories from September 2020, including links to further information. Need to catch-up? Check out headlines from July and top stories from August on our blog. Researchers Predict That CEOs Will Be Personally Liable for Cyber-Physical Attacks Research and advisory firm Gartner (who recently named Tessian a Cool Vendor) predicted this month that 75% of CEOs could hold personal liability for “cyber-physical” attacks by 2024. Cyber-physical attacks aim to impact the “real world,” including critical infrastructure, internet of things devices, and healthcare equipment. Such attacks can result in physical injury and death. Gartner predicts that that cyber-physical attacks will cause up to $50 billion of damage by 2023 So what if Gartner is right? It would mean that if a company suffers a cyberattack resulting in physical harm — and it turns out that the company has not implemented appropriate cybersecurity measures — the company’s CEO could have to pay fines with their own money. 
Gartner’s research tells us what every effective business leader already knows — an effective cybersecurity program is an essential requirement for every organization. If a cyberattack occurs, the buck stops with the company’s senior executives. Argentinian Government Faces $4 Million Ransom Following Cyberattack On September 6, Argentina temporarily stopped allowing people to cross its borders after the Netwalker ransomware hit the country. The attackers encrypted government migration data and demanded 355 Bitcoins (around $4 million) to unencrypt it. This cyberattack led to chaos across border checkpoints — but the Argentinian government told domestic news website Infobae that it had no intention of negotiating with the hackers. Ransomware continues to cause havoc worldwide, and it appears the problem is only getting worse. Research by SonicWall recorded approximately 121 million ransomware attacks in the first half of 2020. Personal Information of 46,000 US Military Veterans Breached The US Veterans Association (VA) announced this month that the personal information of around 46,000 military veterans had been “accessed by unauthorized users.” The cybercriminals aimed to “divert payments” intended for healthcare providers. The VA’s financial services team wrote to the affected individuals to advise on how to mitigate the effects of the breach and offer free access to credit monitoring services. The VA serves veterans all over the US. Strict new data breach laws in several jurisdictions — including New York, Washington DC, and Oregan — mean that the VA could face huge fines given the breach’s context. Want to know more about US data security laws? Read our guidance for security leaders. 75% of IT leaders believe the future of work is hybrid In a new report – The Future of Hybrid Working – Tessian reveals that IT leaders and employees both believe the future of work will be remote or hybrid. But, it’s clear this shift won’t be easy. Check out some of the key stats below: 82% of IT leaders believe employees are at greater risk of phishing attacks when working remotely Over a third of IT leaders are worried about their teams will stretched too far in terms of time and resource Half of emoployees have been working on their personal devices since March 2020 Nearly 75% of employees said they received a phishing email while working on a personal device between March and July 2020….and 68% admitted to clicking a link or downloading an attachment within that email 78% of IT leaders think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure Read the full report to learn more and to understand how business can balance flexibility and security without draining IT teams’ resources. Thousands of COVID-19 Patients’ Data Leaked Due to “Human Error” A massive data breach occurred in Wales this month when the personal information of 18,105 coronavirus patients was leaked following an “individual human error.” The breach affected every Welsh resident who tested positive for COVID-19 between February 27 and August 30. Public Health Wales said that the data included the “initials, date of birth, geographical area, and sex” of the affected individuals. In nearly 11% of people, though, the data also included the name of the nursing home or other healthcare setting in which the individual lived. The data was uploaded onto a public server, where it was accessible and searchable for around 20 hours. It was viewed 56 times throughout this period.  Human error is a key cause of data breaches. Statistics show that around 88% of data breaches start with human error, and almost half of all employees believe they have made an error at work leading to security repercussions. Chinese Company Holds Data About 2.4 million Influential People An academic at Fulbright University, Vietnam, has uncovered a vast Chinese database containing personal information of around 2.4 million people and their families. It looks like these individuals are “people of interest” to the Chinese Communist Party (CCP). The company responsible for maintaining this huge database “provides big data analytics as well as other functionality to support Chinese military and intelligence analysts,” according to a research paper. The research also suggests that the CCP uses the data for “intelligence, military, security, and state operations in information warfare and influence targeting.”  The database is believed to provide a way for the CCP to influence people in target sectors. It may be one of many such databases maintained by Chinese companies. Much of the information in the database has been gleaned from publicly-available sources. The Chinese database is yet another important reason you should consider limiting the amount of personal information you put online. You can learn more about how hackers are using open-source recon for deepfakes and other social engineering attacks from Elvis M. Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, who both joined us at Tessian Human Layer Security Summit. You can access their session “Safeguarding the 2020 Elections, Disarming Deepfakes via HLS On-Demand.  Twitter Provides Enhanced Security For US Election Following its spear phishing incident this July, Twitter has announced enhanced account security for certain “high-profile accounts” throughout the US election. Twitter said that various types of accounts, including those belonging to US politicians, campaign officials, and political journalists, would receive the security enhancements from September 17. So what’s changing? First, affected users must create “strong passwords,” of at least ten characters in length. They will need to confirm password reset requests via email. The affected users will also be “strongly encouraged” to enable two-factor authentication (2FA). But that’s not all. Recall that the July spear phishing incident involved “internal support tools” — it wasn’t primarily an issue with users’ account passwords. To address this, Twitter also states that it will improve internal monitoring of the affected accounts, including by using “more sophisticated detections and alerts,” “increased login defenses,” and “expedited account recovery” processes. Want to know how to avoid the issues Twitter faced this July? Read our guidance on “vishing” attacks. UHS Hospitals Hit by Reported Country-Wide Ryuk Ransomware Attack On September 27, Universal Health Services (UHS) – a Fortune 500 hospital and healthcare services provider that serves 3.5 million patients a year – was the target of a cyberattack that disable multiple antivirus programs and left hospitals around the country without access to computer and phone systems. According to employees, files were being renamed to include the .ryk extenstion, computers’ screens changed, and – eventually – shut down, leaving them without access to anything computer-based. And, in response to the attack, employees were told to shut down all systems to block attackers’ from reaching more devices on the network. While UHS hasn’t made a statement, the logistics of the incident suggest ransomware. That means patient and employee data is at risk. Energy Companies Advised to Create Cyberattack Response Plans The US Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) have released a report advising energy providers on creating an Incident Response and Recovery (IRR) plan for cyberattacks. The report is based around an existing cybersecurity framework: the National Institute of Standards and Technology (NIST) Special Publication 800-61, also known as the Computer Security Incident Handling Guide.  Governments appear to be increasingly concerned about the cybersecurity of critical infrastructure. This concern is well-founded — in 2019, 90% of security professionals surveyed across the utilities, energy, health, and transport sectors reported that their organizations had faced at least one successful cyberattack. Much of the advice to energy providers is good practice across all sectors. FERC and NERC recommend a four-part framework, consisting of security controls relating to preparation, detection and analysis, containment and eradication, and post-incident activity.
UK Agency Warns Schools and Universities About Ransomware Attacks As students worldwide return to schools, colleges, and universities, education providers are most concerned with defending against a COVID-19 outbreak. But the UK’s National Cyber Security Centre (NCSC) gave a stark warning about a different type of threat: ransomware. The NCSC’s alert describes “recent trends observed in ransomware attacks” targeting the education sector, which the agency says are increasingly common. The guidance follows a series of ransomware attacks against universities in the UK, US, and Canada this July. The agency warns that cybercriminals are exploiting out-of-date software and are accessing remote desktop protocol (RDP) software using credentials stolen via phishing attacks. It also warns that phishing emails are being used to deploy ransomware. So how does the NCSC recommend education providers protect themselves? The same ways all cyber-secure organizations protect themselves — including ”disrupting ransomware attack vectors” by implementing phishing defenses, and “enabling effective recovery” by keeping backups of data. Implementing DMARC is also essential to prevent brand impersonation and successful spear phishing attacks. And, according to Tessian research, 40% of the top 20 US universities aren’t using DMARC records.  TikTok Ban Delayed Following ByteDance Sale On September 21, US President Trump said he had approved the sale of part of ByteDance, the parent company of video-sharing platform TikTok, to Oracle and Wal-Mart. The deal temporarily averts harsh restrictions on TikTok set out by the US Department of Commerce three days earlier. The sale results from an executive order issued by President Trump in August, stating that the TikTok app “captures vast swaths of information from its users, including… location data and browsing and search histories.” TikTok maintains that this activity is standard industry practice. The US companies could take a collective 20% stake in ByteDance, with Oracle hosting TikTok user data in Oracle Cloud. Some analyses suggest that security-conscious nations and businesses are increasingly likely to implement these sorts of “data localization” measures. Trump had previously assured the public that TikTok would be “totally controlled” by the US firms. However, the president assured a press conference that the companies would be using “separate clouds and very, very powerful security.” That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post. 
Spear Phishing DLP Compliance Data Exfiltration
Compliance in the Legal Sector: Laws & How to Comply
16 September 2020
Thanks to the digital transformation and increasingly strict data security obligations, law firms’ business priorities are changing. Today, data protection, transparency, and privacy are top-of-mind.  It makes sense.  Keep reading to find out… Why the legal sector is bound to such strict compliance standards Which regulations govern law firms How cybersecurity can help ensure compliance Interested in learning more about regional compliance standards or those that impact other industries? Check out our Compliance Hub to find articles, tips, guides, and more or download our CEO’s Guide to Data Protection and Compliance to learn more about how cybersecurity enables business and drives revenue. 
Why is the legal sector bound to strict compliance standards? Lawyers’ hard drives, email accounts, and smartphones can contain anything from sensitive intellectual property and trade secrets to the Personally Identifiable Information (PII) of clients.  Unfortunately, hackers and cybercriminals are all too aware of this. It’s no surprise, then, that the legal sector is amongst the most targeted by social engineering attacks like spear phishing. Ransomware is a big problem, too. In fact, just a few months ago, Grubman Shire Meiselas & Sacks, a prominent media law firm, had its client information compromised.  Those behind the attack later threatened to auction some of these files concerning major celebrities for as much as $1.5 million unless the firm paid a $42 million ransom.  But, it’s not just inbound attacks that law firms have to worry about. Because the legal sector is highly competitive, incidents involving Insider Threats are a concern, too.  96% of IT leaders working in the legal sector say they’re worried that someone within the organization will cause a breach, either accidentally (via a misdirected email, for example) or maliciously.  The regulations governing law firms When it comes to data protection and privacy, the legal sector is subject to a relatively strict regulatory framework both under the law and rules imposed by professional bodies. Depending on where a firm is based and what its practice areas are, it can be subject to several stringent laws and regulations. This is especially true for firms operating in major markets like the United States, the United Kingdom, and the European Union. In this article, we’ll focus on some of the more general regulations and standards that all firms operating in these markets are expected to abide by. General Data Protection Regulation (GDPR) When the GDPR was introduced in 2018, it represented the largest change to data protection legislation in almost two decades. It also contains some of the most thorough compliance obligations for law firms and indeed any other entity that collects, stores, and processes data. The GDPR has been designed to help and guide organizations with a legitimate business interest as to how personal data should be handled and gives regulators the power to impose large fines on firms that aren’t compliant.  You can read more about the largest GDPR fines (so far) in 2020 on our blog. What is the GDPR’s purpose? The GDPR was introduced amid growing concerns surrounding the safety of personal data and the need to protect it from hackers, cybercrime, Insider Threats, unethical use, and the growing attack surface.  Essentially, it gives citizens full and complete control of their data, subject to some restrictions (for example, where data must be held by firms by law).  What is the scope of the GDPR? The legislation regulates the use of ‘personal data’ and applies to all organizations located within the EU, as well as organizations outside the EU who offer their goods or services to EU citizens. It also applies to organizations that hold data pertaining to EU citizens, regardless of their location.  What should law firms know about the GDPR? The main part of the GDPR that law firms should be paying attention to is Article 5.  This sets out the principles relating to the collection and processing of personal data. The six key principles are that personal data: Should be processed lawfully, fairly and in a transparent manner; Should only be collected for legitimate purposes; Should be limited to what’s necessary in relation to the purpose(s) it’s processed; Must be accurate and kept up to date, with any inaccurate erased or rectified; Should be held for longer than is necessary for its purposes*; and Should be held with adequate security against theft, loss, and/or damage.  The GDPR also gives your clients the right to ask for their data to be removed (‘right of erasure’) without the need for any outside authorization. Note: Data can only be kept contrary to a client’s wishes to ensure compliance with other regulations.  What should a firm do in the event of a breach? Before GDPR, law firms could follow their own protocols when dealing with a data breach. But now, the GDPR forces firms to report any data breaches, no matter how big or small they are, to the relevant regulatory authority within 72 hours. In the UK, for example, the regulatory authority is the Information Commissioner’s Office (ICO):  The notification must: Contain relevant details regarding the nature of the breach; The approximate number of people impacted; and Contact details of the firm’s Data Protection Officer (DPO).  Clients who have had their personal data compromised must also be notified of the breach, the potential outcome, and any remediation “without undue delays”.  It’s important to note that breaches aren’t always the results of malicious activity by an Insider Threat or hacker outside the organization. Even accidents can result in breaches. In fact, misdirected emails (emails sent to the wrong person) has consistently been one of the most frequently reported incidents to the ICO.  That’s why it’s essential law firms (and other organizations) have safeguards in place to prevent mistakes like these from happening. Looking for a solution? Tessian Guardian prevents misdirected emails in some of the world’s most prestigious law firms, including Dentons, Hill Dickinson, and Travers Smith What are the penalties for non-compliance? Financial penalties imposed for GDPR violations can be harsh, and they often are; regulatory authorities are keen to highlight just how important the GDPR is and how seriously it should be taken. Fines for non-compliance can be as high as 4% of annual global turnover or €20 million—whichever is higher. American Bar Association Rule 1.6 Rule 1.6 governs the confidentiality of client information. It states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Simply put, lawyers must make efforts to protect the data of their clients.  Two years ago, the American Bar Association issued new guidance in the form of Formal Opinion 483. This covers the importance of data protection and how firms should act when, not if, a security breach happens. This wording demonstrates that the ABA recognizes that breaches are part and parcel of firms operating in the modern world, and the statistics confirm this. 
In essence, Formal Opinion 483 states:  Lawyers have a duty of competence in implementing adequate security measures regarding technology. Lawyers must reasonably and continuously assess their systems, operating procedures, and plans for mitigating a breach. In the event of a suspected or confirmed breach, lawyers must take steps to stop the attack and prevent any further loss of data. When a breach is detected and confirmed, lawyers must inform their clients in a timely manner and with enough information for clients to make informed decisions.  The bottom line: law firms must protect data with cybersecurity. Solicitors’ Regulation Authority Code of Conduct In the UK, solicitors are obliged under the Solicitors’ Regulation Authority (SRA) Code of Conduct to maintain effective systems and mitigate risks to client confidentiality and client money. Solicitors are also obliged to ensure systems comply more broadly with the SRA’s other regulatory arrangements.  The SRA says that, although being hacked or falling victim to a data breach is not necessarily a failure to meet these requirements, firms should take proportionate steps to protect themselves and their clients while retaining the advantages of advanced IT.  Where a report of cybercrime (note: crime, not a loss that takes place due to negligence) is received, the SRA takes a constructive approach in dealing with the firm, especially if the firm:  Is proactive and immediately notifies the SRA. Has taken steps to inform the client and as a minimum make good any loss. Shows they are taking steps to improve their systems and processes to reduce the risk of a similar incident happening again.  That means that, under the SRA’s Code of Conduct, law firms should take steps to prevent inbound attacks like spear phishing and set-up policies and processes that ensure swift reporting.  The good news is, Tessian can help with both inbound attacks and Insider Threats and has a history of successfully protecting law firms around the world from both. 
How Tessian helps law firms stay compliant Across all three of the regulations listed here, there’s one commonality: law firms are responsible for ensuring that their IT systems and processes are robust and secure enough to keep data safe and mitigate the chance of a breach taking place.  But, that’s easier said than done, especially in our dynamic and digitally connected world where threats are ever-evolving. So, where should law firms start? Email. 90% of all data breaches start on email and it’s the threat vector IT leaders are most concerned about protecting. That’s why Tessian is focused on protecting this channel. Across three solutions, Tessian detects and prevents threats using machine learning, which means it’s constantly adapting, without requiring maintenance from thinly-stretched security teams. Tessian Defender detects and prevents spear phishing Tessian Guardian detects and prevents accidental data loss via misdirected email Tessian Enforcer detects and prevents data exfiltration attempts from Insider Threats Importantly, Tessian is non-disruptive. That way, partners, lawyers, and administrators can do their jobs without security getting in the way. Tessian stops threats, not business.  To learn more about how Tessian helps law firms like Dentons, Hill Dickinson, and Travers Smith protect data, maintain client trust, and satisfy compliance standards, talk to one of our experts. 
Human Layer Security Spear Phishing Customer Stories DLP Compliance Data Exfiltration
18 Actionable Insights From Tessian Human Layer Security Summit
By Maddie Rosenthal
09 September 2020
In case you missed it, Tessian hosted its third (and final) Human Layer Security Summit of 2020 on September 9. This time, we welcomed over a dozen security and business leaders from the world’s top institutions to our virtual stage, including: Jeff Hancock from Stanford University David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec Merritt Baer, Principal Security Architect at AWS Rachel Beard, Principal Security Technical Architect at Salesforce  Tim Fitzgerald, CISO at Arm  Sandeep Amar, CPO at MSCI  Martyn Booth, CISO at Euromoney  Kevin Storli, Global CTO and UK CISO at PwC Elvis M. Chan, Supervisory Special Agent at the FBI  Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know” Joseph Blankenship, VP Research, Security & Risk at Forrester Howard Shultz, Former CEO at Starbucks  While you can watch the full event on YouTube below, we’ve identified 18 valuable insights that security, IT, compliance, and business leaders should apply to their strategies as they round out this year and look forward to the next.
Here’s what we learned at Tessian’s most recent Human Layer Security Summit. Not sure what Human Layer Security is? Check out this guide which covers everything you need to know about this new category of protection.  1. Cybersecurity is mission-critical Security incidents – whether it’s a ransomware attack, brute force attack, or data leakage from an insider threat – have serious consequences. Not only can people lose their jobs, but businesses can lose customer trust, revenue, and momentum. While this may seem obvious to security leaders, it may not be so obvious to individual departments, teams, and stakeholders. But it’s essential that this is communicated (and re-communicated).  Why? Because a company that’s breached cannot fulfill its mission. Keep reading for insights and advice around keeping your company secure, all directly from your peers in the security community. 2. Most breaches start with people People control our most sensitive systems and data. It makes sense, then, that most data breaches start with people. But, that doesn’t mean employees are the weakest link. They’re a business’ strongest asset! So, it’s all about empowering them to make better security decisions. That’s why organizations have to adopt people-centric security solutions and strategies.
The good news is, security leaders don’t face an uphill battle when it comes to helping employees understand their responsibility when it comes to cybersecurity… 3. Yes, employees are aware of their duty to protect data Whether it’s because of compliance standards, cybersecurity headlines in mainstream media, or a larger focus on privacy and protection at work, Martyn Booth, CISO at Euromoney reminded us that most employees are actually well aware of the responsibility they bear when it comes to safeguarding data.  This is great news for security leaders. It means the average employee will be more likely to abide by policies and procedures, will pay closer attention during awareness training, and will therefore contribute to a more positive security culture company-wide. Win-win. 4. But, employees are more vulnerable to phishing scams outside of their normal office environment  While – yes – employees are more conscious of cybersecurity, the shift to remote working has also left them more vulnerable to attacks like phishing scams.  “We have three “places”: home, work, and where we have fun. When we combine two places into one, it’s difficult psychologically. When we’re at home sitting at our coffee table, we don’t have the same cues that remind us to think about security that we do in the office. This is a huge disruption,” Jeff Hancock, Professor at Stanford University explained.  Unfortunately, hackers are taking advantage of these psychological vulnerabilities. And, as David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec pointed out, this isn’t anything new. Cybercriminals have always been opportunistic in their attacks and therefore take advantage of chaos and emotional distress.  To prevent successful opportunistic attacks, he recommends that you: Reassess what the new baseline is for attacks Educate employees on what threats look like today, given recent events Identify which brands, organizations, people, and departments may be impersonated (and targeted) in relation to the pandemic But, it’s not just inbound email attacks we need to be worried about.  5. They’re more likely to make other mistakes that compromise cybersecurity, too This change to our normal environment doesn’t just affect our ability to spot phishing attacks. It also makes us more likely to make other mistakes that compromise cybersecurity. Across nearly every session, our guest speakers said they’ve seen more incidents involving human error and that security leaders should expect this trend to continue. That’s why training, policies, and technology are all essential components of any security strategy. More on this below. 6. Security awareness training has to be ongoing and ever-evolving At our first Human Layer Security Summit back in March, Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, highlighted three key flaws in security awareness training: It’s boring It’s often irrelevant It’s expensive What he said is still relevant six months on and it’s a bigger problem than ever, especially now that the perimeter has disappeared, security teams are short-handed, and individual employees are working at home and on their own devices. So, what can security leaders do?  Kevin Storli, Global CTO and UK CISO at PwC highlighted the importance of tailoring training to ensure it’s always relevant. That means that instead of just reminding employees about compliance standards and the importance of a strong password, we should also be focusing on educating employees about remote access, endpoints, and BYOD policies. But one training session isn’t enough to make security best practice really stick. These lessons have to be constantly reinforced through gamification, campaigns, and technology.  Tim Fitzgerald, CISO at Arm highlighted how Tessian’s in-the-moment warnings have helped his employees make the right decisions at the right time.  “Warnings help create that trigger in their brain. It makes them pause and gives them that extra breath before taking the next potentially unsafe step. This is especially important when they’re dealing with data or money. Tessian ensures they question what they’re doing,” he said.
7. You have to combine human policies with technical controls to ensure security  It’s clear that technology and training are both valuable. That means your best bet is to combine the two. In discussion with Ed Bishop, Tessian Co-Founder and CTO, Merritt Baer, Principal Security Architect at AWS and Rachel Beard, Principal Security Technical Architect at Salesforce, both highlighted how important it is for organizations to combine policies with technical controls. But security teams don’t have to shoulder the burden alone. When using tools like Salesforce, for example, organizations can really lean on the vendor to understand how to use the platform securely. Whether it’s 2FA, customized policies, or data encryption, many security features will be built-in.  8. But…Zero Trust security models aren’t always the answer While – yes – it’s up to security teams to ensure policies and controls are in place to safeguard data and systems, too many policies and controls could backfire. That means that “Zero Trust” security models aren’t necessarily the best way to prevent breaches.
9. Security shouldn’t distract people from their jobs  Security teams implement policies and procedures, introduce new software, and make training mandatory for good reason. But, if security becomes a distraction for employees, they won’t exercise best practice.  The truth is, they just want to do the job they were hired to do!  Top tip from the event: Whenever possible, make training and policies customized, succinct, and relevant to individual people or departments.  10. It also shouldn’t prevent them from doing their jobs  This insight goes back to the idea that “Zero Trust” security models may not be the best way forward. Why? Because, like Rachel, Merrit, Sandeep, and Martyn all pointed out: if access controls or policies prevent an employee from doing their job, they’ll find a workaround or a shortcut. But, security should stop threats, not flow. That’s why the most secure path should also be the path of least resistance. Security strategies should find a balance between the right controls and the right environment.  This, of course, is a challenge, especially when it comes to rule-based solutions. “If-then” controls are blunt instruments. Solutions powered by machine learning, on the other hand, detect and prevent threats without getting in the way. You can learn more about the limitations of traditional data loss prevention solutions in our report The State of Data Loss Prevention 2020.  11. Showing downtrending risks helps demonstrate the ROI of security solutions  Throughout the event, several speakers mentioned that preemptive controls are just as important as remediation. And it makes sense. Better to detect risky behavior before a security incident happens, especially given the time and resources required in the event of a data breach.  But tracking risky behavior is also important. That way, security leaders can clearly demonstrate the ROI of security solutions. Martyn Booth, CISO at Euromoney, explained how he uses Tessian Human Layer Security Intelligence to monitor user behavior, influence safer behavior, and track risk over time. “We record how many alerts are sent out and how employees interact with those alerts. Do they follow the acceptable use policy or not? Then, through our escalation workflows that ingest Tessian data, we can escalate or reinforce. From that, we’ve seen incidents involving data exfiltration trend downwards over time. This shows a really clear risk reduction,” he said. 12. Targeted attacks are becoming more difficult to spot and hackers are using more sophisticated techniques As we mentioned earlier, hackers take advantage of psychological vulnerabilities. But, social media has turbo-charged cybercrime, enabling cybercriminals to create more sophisticated attacks that can be directed at larger organizations. Yes, even those with strong cybersecurity. Our speakers mentioned several examples, including Garmin and Twitter. So, how do they do it? Research! LinkedIn, company websites, out-of-office messages, press releases, and news articles all provide valuable information that a hacker could use to craft a believable email. But, there are ways to limit open-source recon. See tips from David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, below. 
13. Deepfakes are a serious concern Speaking of social media, Elvis M Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”,  took a deep dive into deepfakes. And, according to Nina, “This is not an emerging threat. This threat is here. Now.” While we tend to associate deepfakes with election security, it’s important to note that this is a threat that affects businesses, too.  In fact, Tim Fitzgerald, CISO at Arm, cited an incident in which his CEO was impersonated in a deepfake over Whatsapp. The ask? A request to move money. According to Tim, it was quite compelling.  Unfortunately, deepfakes are surprisingly easy to make and generation is outpacing detection. But, clear policies and procedures around authenticating and approving requests can ensure these scams aren’t successful. Not sure what a deepfake is? We cover everything you need to know in this article: Deepfakes: What Are They and Why Are They a Threat? 14. Supply chain attacks are, too  In conversation with Henry Treveleyan Thomas, Head of Customer Success at Tessian, Kevin Storli, Global CTO and UK CISO at PwC discussed how organizations with large supply chains are especially vulnerable to advanced impersonation attacks like spear phishing. “It’s one thing to ensure your own organization is secure. But, what about your supply chain? That’s a big focus for us: ensuring our supply chain has adequate security controls,” he said. Why is this so important? Because hackers know large organizations like PwC will have robust security strategies. So, they’ll look for vulnerabilities elsewhere to gain a foothold. That’s why strong cybersecurity can actually be a competitive differentiator and help businesses attract (and keep) more customers and clients.  15. People will generally make the right decisions if they’re given the right information 88% of data breaches start with people. But, that doesn’t mean people are careless or malicious. They’re just not security experts. That’s why it’s so important security leaders provide their employees with the right information at the right time. Both Sandeep Amar, CPO at MSCI and Tim Fitzgerald, CISO at Arm talked about this in detail.  It could be a guide on how to spot spear phishing attacks or – as we mentioned in point #6 – in-the-moment warnings that reinforce training.   Check out their sessions for more insights.  16. Success comes down to people While we’ve talked a lot about human error and psychological vulnerabilities, one thing was made clear throughout the Human Layer Security Summit. A business’s success is completely reliant on its people. And, we don’t just mean in terms of security. Howard Shultz, Former CEO at Starbucks, offered some incredible advice around leadership which we can all heed, regardless of our role. In particular, he recommended: Creating company values that really guide your organization Ensuring every single person understands how their role is tied to the goals of the organization Leading with truth, transparency, and humility
17. But people are dealing with a lot of anxiety right now Whether you’re a CEO or a CISO, you have to be empathetic towards your employees. And, the fact is, people are dealing with a lot of anxiety right now. Nearly every speaker mentioned this. We’re not just talking about the global pandemic.  We’re talking about racial and social inequality. Political unrest. New working environments. Bigger workloads. Mass lay-offs.  Joseph Blankenship, VP Research, Security & Risk at Forrester, summed it up perfectly, saying “We have an anxiety-ridden user base and an anxiety-ridden security base trying to work out how to secure these new environments. We call them users, but they’re actually human beings and they’re bringing all of that anxiety and stress to their work lives.” That means we all have to be human first. And, with all of this in mind, it’s clear that….. 18. The role of the CISO has changed  Sure, CISOs are – as the name suggests – responsible for security. But, to maintain security company-wide, initiatives have to be perfectly aligned with business objectives, and every individual department, team, and person has to understand the role they play. Kevin Storli, Global CTO and UK CISO at PwC touched on this in his session. “To be successful in implementing security change, you have to bring the larger organization along on the journey. How do you get them to believe in the mission? How do you communicate the criticality? How do you win the hearts and minds of the people? CISOs no longer live in the back office and address just tech aspects. It’s about being a leader and using security to drive value.” That’s a tall order and means that CISOs have to wear many hats. They need to be technology experts while also being laser-focused on the larger business. And, to build a strong security culture, they have to borrow tactics from HR and marketing.  The bottom line: The role of the CISO is more essential now than ever. It makes sense. Security is mission-critical, remember? If you’re looking for even more insights, make sure you watch the full event, which is available on-demand. You can also check out previous Human Layer Security Summits on YouTube.
Page
[if lte IE 8]
[if lte IE 8]