Request a Demo of Tessian Today.

Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

State of Email Security 2022: Every Company’s Riskiest Channel |  Read the Full Report →

Compliance
Key Findings: IBM Cost of a Data Breach 2021 Report
by Maddie Rosenthal Tuesday, August 3rd, 2021
If you work in cybersecurity, follow breaches in the news, or if you’re involved in managing your company’s finances, you’ve likely been (patiently) waiting for IBM’s latest Cost of a Data Breach report.   The 2021 report was released on July 28 and we’ve summarized the key findings for you here. Note: In this case, we’re just here to deliver the cold, hard facts, not offer commentary. We have, however, offered additional resources for you to check out if you’re interested in exploring a specific threat type, industry, or solution further. The overall cost of a breach Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single year cost increase in the last seven years. The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million Lost business represented 38% of the overall average total breach costs and increased slightly from $1.52 million in the 2020 study.  Lost business costs include increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation   Remote working and the cost of a breach   where remote work was a factor in causing the breach, the cost difference was $1.07 million Remote work was a factor in breaches at 17.5% of companies Organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely    The cost of a breach by industry    Healthcare has had the highest industry cost of a breach for 11 consecutive years Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. Learn how Tessian helps organizations in healthcare prevent breaches. Costs in the energy sector decreased from $6.39 million in 2020 to an average $4.65 million in 2021 Costs surged in the public sector, which saw a 78.7% increase in average total cost from $1.08 million to $1.93 million The cost of a breach by threat type Business email compromise (BEC) was responsible for only 4% of breaches, but had the highest average total cost of the 10 initial attack vectors in the study, at $5.01 million The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million) Compromised credentials was the most common initial attack vector, responsible for 20% of breaches. Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business, and response costs… but did not include the cost of the ransom.   How can cybersecurity solutions help? Security AI and automation had the biggest positive cost impact. Organizations with fully deployed security AI and automation experienced breach costs of $2.90 million, compared to $6.71 million at organizations without security AI and automation. Security AI/automation was associated with a faster time to identify and contain the breach Want to learn how Tessian leverages AI and ML to detect and prevent inbound and outbound threats legacy solutions can’t? Check out this whitepaper.
Read Blog Post
Email DLP, Compliance, Integrated Cloud Email Security, ATO/BEC
7 Ways CFOs Can (And Should) Support Cybersecurity
by Maddie Rosenthal Thursday, July 29th, 2021
We’ve said it before and we’ll say it again: cybersecurity is a team sport. That means that (like it or not) the responsibility and burden sits with everyone, including the Chief Finance Officer (CFO).  That’s right: quantifying cyber risk, navigating cyber insurance policies, and negotiating ransom with hacking groups can all be part of the job spec.  If you’re a CFO who’s struggling to understand their role in cybersecurity, keep reading. We share 7 opportunities to get involved and protect your company’s assets.  Note: Every company is different. Size, revenue, industry, and reporting structures all play a role. This is general advice meant to provide a bird’s eye view of a CFO’s potential involvement in cybersecurity. 1. Quantify risk It can be hard for the C-suite to see the value of a solution when they haven’t yet experienced any consequences without it. As the saying goes, “If it ain’t broke, don’t fix it”.  That’s why it’s so important CFOs step in to quantify risk using specific “what-if” scenarios. The most basic formula is: probability x expected cost. Let’s use the example of an email being sent to the wrong person. We know at least 800 misdirected emails are sent every year in organizations with 1,000 employees. The expected cost, of course, depends on the email content and recipient, but let’s look at the worst-case scenario. What would the cost be if your press release for an upcoming, highly confidential merger and acquisition landed in a disgruntled former employee’s inbox? How would this impact the M&A itself? The company’s reputation? Revenue? Not a risk worth taking. Learn more about the key security challenges organizations face during M&A events. 2. Benchmark spending against other organizations Just like a marketing team should use a benchmark to determine whether or not their email list is engaged, CFOs should use a benchmark to determine how much they should be spending on cybersecurity. Think of it as your North Star. Fortunately, it’s relatively easy to determine how much your competitors or industry mavericks are shelling out. At least if they’re publicly traded.  A good place to start is their S-1. Here, you’ll be able to see what percentage of the company’s revenue goes towards Sales and Marketing, Research and Development, and General and Administrative.  This should give you a good idea of how to allocate your revenue.  You can also look at more general benchmark reports. For example, according to a Deloitte study, cybersecurity spending has increased YoY, from .34% of a company’s overall revenue in 2019 to .48% in 2020.  In 2020, that equated to $2,691 per full-time employee.   Bonus: Did you know you can also benchmark your security posture against your industry peers with Tessian Human Layer Security Intelligence? Learn more.  3. Vet cyber insurance policies Today, virtually every business needs cyber liability insurance. If you run a business that stores client, customer, or partner data…you need it. But it’s money wasted if you aren’t fully familiar with the policy terms. Check to make sure your first-party cyber insurance includes: Breach response recovery (including technical and legal advice) Forensic analysis for identifying the attack source Event management (including data recovery, PR services, and notification of clients) Cyber extortion Network/business interruption (including those that are the result of an attack on a third party) Dependent business interruption Credit monitoring services Consequential reputational loss or loss of income It’s also worth exploring third-party cyber insurance to protect your company’s assets from subsequent compliance penalties and settlement costs.  For example, Facebook settled a class-action lawsuit over its use of facial recognition technology. Illinois. The case reportedly settled for $550 million for a violation of the Biometric Information Privacy Act.  Third-party cyber insurance should include: Network security failures and privacy events Regulatory defense and penalties (including coverage for GDPR liabilities) PCI-DSS liabilities and costs Media content liability  4. Communicate with the board In a sentence, the CFO is responsible for the financial security of an organization. And, in the event of a breach, financial security simply isn’t guaranteed. Don’t believe us? Check out the consequences of a breach, according to IT leaders: !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); All of these will impact a company’s bottom line, including share value and rate of growth… two things the board doesn’t want to hear and news a CFO would hate to deliver.   But this isn’t a case of shooting the messenger. The responsibility and burden of cybersecurity sits with everyone, remember?  Post-breach, the board, auditors, and other third parties will be examining how effectively budgets were allocated to prevent the worst. That’s why it’s essential the CFO is actively involved in creating and implementing cybersecurity strategies; they have skin in the game.  5. Create secure processes for the finance team While – yes – the CFO holds the power of the purse and therefore influences the overall cybersecurity strategy, they also have a massive responsibility to secure their own team’s processes. After all, the finance department is one of the most targeted, specifically by invoice fraud, wire transfer fraud, and business email compromise.  Between June 2016 and July 2019, FBI statistics show that wire transfer fraud via BEC occurred 166,349 times, and cost businesses over $26 billion. In 2019, the number of bank transfer phishing scams occurring in the UK increased by 40%. In 2017, the FBI received 15,690 complaints about BEC (primarily involving wire transfer), resulting in over $675 million in losses. In 2019, this increased to 23,775 complaints and over $1.7 billion in losses. To protect against these incidents, CFOs should work with security teams to help train employees to spot scams, implement email security software to spot suspicious domains, and create fool-proof payment validation processes. For more tips, check out this article: Everything You Need to Know About Wire Transfer Phishing. 6. Negotiate ransom in the event of a ransomware attack  This is a position no CFO wants to be in. But, more and more, we’re seeing organizations being forced to comply with cyber criminals’ extortion demands. (7 Examples of Ransomware Attacks here.) While this may seem far beyond the scope of a finance director’s role, they’re heavily involved in the process. Of course, the first question to answer is: To pay? Or not to pay? This depends on an infinite number of factors, including the data being held, the hacking group who infiltrated the network, your cyber insurance policy, the company’s liquid assets….  The list goes on.  To avoid being put between a rock and a hard place, CFOs (along with the rest of the C-Suite and security team) should take prevention seriously, including anti-malware software, patching processes, and security for email, web, and other services. Tessian can help with email by preventing ransomware attacks at the source. 7. Know how to spot a phish CFO’s are generally among the most frequently targeted by phishing attacks. They’re also frequently impersonated. It makes sense. They have access to and control over the company’s money. It’s essential, then, that CFOs are especially vigilant, know how to spot a spear phishing attack, and know what to do if they suspect an email, text, or call is malicious.  Training, technology, and processes can help. If you want to learn more about how Nudge theory plays a role, check out this article about in-the-moment warnings. Looking for more resources? Check out the following: ⚡ Relationship 15: A Framework to Help Security Leaders Influence Change ⚡ CEO’s Guide to Data Protection and Compliance ⚡ Who Are the Most Likely Targets of Spear Phishing Attacks? ⚡ Why Information Security Must Be a Priority for GCs in 2021
Read Blog Post
Email DLP, Compliance, Integrated Cloud Email Security
At a Glance: Data Loss Prevention in Healthcare
by Maddie Rosenthal Sunday, May 30th, 2021
Data Loss Prevention (DLP) is a priority for organizations across all sectors, but especially for those in Healthcare. Why? To start, they process and hold incredible amounts of personal and medical data and they must comply with strict data privacy laws like HIPAA and HITECH.  Healthcare also has the highest costs associated with data breaches – 65% higher than the average across all industries – and has for nine years running.  But, in order to remain compliant and, more importantly, to prevent data loss incidents and breaches, security leaders must have visibility over data movement. The question is: Do they? According to our latest research report, Data Loss Prevention in Healthcare, not yet. How frequently are data loss incidents happening in Healthcare? Data loss incidents are happening up to 38x more frequently than IT leaders currently estimate.  Tessian platform data shows that in organizations with 1,000 employees, 800 emails are sent to the wrong person every year. Likewise, in organizations of the same size, 27,500 emails containing company data are sent to personal accounts. These numbers are significantly higher than IT leaders expected.
But, what about in Healthcare specifically? We found that: Over half (51%) of employees working in Healthcare admit to sending company data to personal email accounts 46% of employees working in Healthcare say they’ve sent an email to the wrong person 35% employees working in Healthcare have downloaded, saved, or sent work-related documents to personal accounts before leaving or after being dismissed from a job This only covers outbound email security. Hospitals are also frequently targeted by ransomware and phishing attacks and Healthcare is the industry most likely to experience an incident involving employee misuse of access privileges.  Worse still, new remote-working structures are only making DLP more challenging.
Healthcare professionals feel less secure outside of the office  While over the last several months workforces around the world have suddenly transitioned from office-to-home, this isn’t a fleeting change. In fact, bolstered by digital solutions and streamlined virtual services, we can expect to see the global healthcare market grow exponentially over the next several years.  While this is great news in terms of general welfare, we can’t ignore the impact this might have on information security.   Half of employees working in Healthcare feel less secure outside of their normal office environment and 42% say they’re less likely to follow safe data practices when working remotely.   Why? Most employees surveyed said it was because IT isn’t watching, they’re distracted, and they’re not working on their normal devices. But, we can’t blame employees. After all, they’re just trying to do their jobs and cybersecurity isn’t top-of-mind, especially during a global pandemic. Perhaps that’s why over half (57%) say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job.  That’s why it’s so important that security leaders make the most secure path the path of least resistance. How can security leaders in Healthcare help protect employees and data? There are thousands of products on the market designed to detect and prevent data incidents and breaches and organizations are spending more than ever (up from $1.4 million to $13 million) to protect their systems and data.  But something’s wrong.  We’ve seen a 67% increase in the volume of breaches over the last five years and, as we’ve explored already, security leaders still don’t have visibility over risky and at-risk employees. So, what solutions are security, IT, and compliance leaders relying on? According to our research, most are relying on security training. And, it makes sense. Security awareness training confronts the crux of data loss by educating employees on best practice, company policies, and industry regulation. But, how effective is training, and can it influence and actually change human behavior for the long-term? Not on its own. Despite having training more frequently than most industries, Healthcare remains among the most likely to suffer a breach. The fact is, people break the rules and make mistakes. To err is human! That’s why security leaders have to bolster training and reinforce policies with tech that understands human behavior. How does Tessian prevent data loss on email? Tessian uses machine learning to address the problem of accidental or deliberate data loss. How? By analyzing email data to understand how people work and communicate.  This enables Tessian Guardian to look at email communications and determine in real-time if a particular email looks like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. Finally, Tessian Defender detects and prevents inbound attacks like spear phishing, account takeover (ATO), and CEO Fraud.
Read Blog Post
Compliance
Why Information Security Must Be a Priority For GCs in 2021
Tuesday, May 11th, 2021
The business world was incredibly interconnected before the pandemic. Now that COVID-19 forced five years of tech adoption in three months, and with new technologies on the horizon, this trend isn’t reversing any time soon.  And while this global upgrade has many uses, and enables you to move huge parts of your life online, it also brings an increased focus on information security. Necessarily so.  Information security (Infosec) plays a vital role for all businesses that handle customer, client, or employee data. Nowadays, that’s pretty much every business.  Security breaches can seriously damage a company’s reputation, if not end their success altogether. Conversely, good cybersecurity can be a competitive advantage. Infosec also: Enables teams to build and implement their applications safely Allows the business to build trust with their customers Enables the organization to protect the data they collect and use Protects the tech used by teams within the company What does Infosec have to do with GCs? As the CEO and Co-Founder of Juro, I know how in-house legal teams work, particularly the General Counsel. The top lawyer in a company is increasingly focused on ‘adding value to the business’ as lawyers seek to bring their commercial savvy to bear to help with strategic projects.  But the first duty of a GC is to protect the company from legal risk – and in an interconnected world, the risks associated with breaches of information security loom large, both in terms of commercial and reputational impact.  It’s imperative that General Counsel work with Chief Information Security Officers (CISOs) to protect the business from an ever-growing array of risks.
The lawyer – CISO dynamic Lawyers don’t always play well with others. Historically, lawyers and CISO have kept their distance. The IT department of a traditional business was one of the last places you’d expect to find the General Counsel.  But over the years, the need for a CISO has grown, and the dynamic between the two roles has changed, for several reasons: 1. A huge explosion in SaaS businesses Even pre-COVID, the increase in automating processes – which moved traditional industries like finance, healthcare and legal into the cloud -drove an upsurge in adoption of SaaS tools.  Sales moved into Salesforce, marketing into HubSpot, and even legal teams moved online by embracing matter management and contract negotiation tools, alongside stalwarts like Zoom and Slack which seem to be ubiquitous to every business. Since the advent of COVID and universal lockdowns, it can often seem like collaborative SaaS platforms have become the rule, rather than the exception, such is their rate of adoption. But all these exciting changes present their own unique challenges when it comes to information security.  With so many verticals becoming digital-first overnight, their exposure to malicious (and negligent) actors both in and outside of the organization has led to a corresponding increase in legal risk.  Tessian research shows that 48% of employees say they’re less likely to follow safe security practices when working from home, and 84% of security leaders data loss prevention (DLP) is more challenging when their workforce is working outside of the office. It’s vital that GCs and CISOs help the business navigate the new world safely – together. 2. The ever-changing privacy landscape Most of these applications and SaaS tools require personal information of some kind, making privacy a key concern from day one. The complexity around this challenge only grows as the business does, which is why it’s essential that lawyers work with CISOs to manage that data security risk. Layered on top of this is the regulatory environment for personal data.  GDPR was a slow-moving iceberg that many businesses still haven’t fully reckoned with; the future is set to become even more complex thanks to developments like the Schrems II decision. GCs and CISOs can and should collaborate to create a privacy framework that allows them to keep on top of these challenges, iterating as the business continues to scale. Creating a robust privacy policy shouldn’t be viewed as a concern just for legal – GCs must encourage buy-in and participation from the wider business. 
What can GCs do to protect their company’s information security? Taking a leading role in information security doesn’t need to be daunting for legal counsel – in fact, a few simple steps can make all the difference. 1. Support CISOs GCs can ensure that they’re giving information security the attention it deserves by supporting and advising on any issues that arise. Often at a smaller business, there’s a single person assigned to manage Infosec – and much like the first lawyer at a scaling business, they have a mountain of work to do. Even in larger enterprises organizations, security teams can be thinly-stretched and resource-constrained.  Supporting CISOs through proactively dedicating a set amount of time and having regular check-ins can ensure that both lawyers and CISOs aren’t buried under this work in the future, as the business continues to grow.  Tone at the top dictates how others respond – it’s important for leaders to set the right example. Looking for a framework to help you establish better relationships with the right people? Use this template. 2. Offer training It’s important to emphasize that Infosec is a shared responsibility across the whole business – while one person may have ownership of it, it’s every employee’s responsibility to ensure the information processed by the business is secure, and data isn’t vulnerable to common attacks like data exfiltration and spear phishing..  GCs can help CISOs with this task by setting up training sessions with other teams in the company, to keep everyone up to date with the latest techniques.  For better or worse, lawyers are often seen as ‘bad cops’ in the business – having their backing for, and involvement in, data compliance training should reinforce the seriousness with which colleagues should approach the issue. Training shouldn’t be a one-off, of course – it should be part of every employee’s onboarding, and revisited on a regular basis. The bottom line: as the threats in Infosec constantly adapt, so should the methods used to mitigate risk and keep data safe. GCs and CISOs should work together to review the policies, frameworks and training in place, and iterate where necessary.  Falling behind on this will expose the business to risk. By prioritizing these tasks and placing security at the heart of everything they do, lawyers can ensure that their businesses continue to handle data securely as they scale. Written by Richard Mabey, CEO and co-founder of Juro.
Read Blog Post
Email DLP, Data Exfiltration, Compliance, Integrated Cloud Email Security
The State of Data Loss Prevention in the Financial Services Sector
by Maddie Rosenthal Monday, May 10th, 2021
In our latest research report, we took a deep dive into Data Loss Prevention in Financial Services and revealed that data loss incidents are happening up to 38x more frequently than IT leaders currently estimate.  And, while data loss is a big problem across all industries, it’s especially problematic in those that handle highly sensitive data. One of those industries is Financial Services. Before we dive into how frequently data loss incidents are happening and why, let’s define what exactly a data loss incident is in the context of this report. We focused on outbound data loss on email. This could be either intentional data exfiltration by a disgruntled or financially motivated employee or it could be accidental data loss.  Here’s what we found out. The majority of employees have accidentally or intentionally exfiltrated data  Tessian platform data shows that in organizations with 1,000 employees, 800 emails are sent to the wrong person every year. This is 1.6x more than IT leaders estimated. Likewise, in organizations of the same size, 27,500 emails containing company data are sent to personal accounts. We call these unauthorized emails, and IT leaders estimated just 720 are sent annually. That’s a big difference.
But, what about in this particular sector? Over half (57%) of Financial Services professionals across the US and the UK admit to sending at least one misdirected email and 67% say they’ve sent unauthorized emails. But, when you isolate the US employees, the percentage almost doubles. 91% of Financial Services professionals in the US say they’ve sent company data to their personal accounts.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); And, because Financial Services is highly competitive, professionals working in this industry are among the most likely to download, save, or send company data to personal accounts before leaving or after being dismissed from a job, with 47% of employees saying they’ve done it. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); To really understand the consequences of incidents like this, you have to consider the type of data this industry handles and the compliance standards and data privacy regulations they’re obligated to satisfy. Every day, professionals working in Financial Services send and receive: Bank Account Numbers Loan Account Numbers Credit/Debit Card Numbers Social Security Numbers M&A Data In order to protect that data, they must comply with regional and industry-specific laws, including: GLBA COPPA FACTA FDIC 370 HIPAA CCPA GDPR So, what happens if there’s a breach? The implications are far-reaching, ranging from lost customer trust and a damaged reputation to revenue loss and regulatory fines.  For more information on these and other compliance standards, visit our Compliance Hub. Remote-working is making Data Loss Prevention (DLP) more challenging  The sudden transition from office to home has presented a number of challenges to both employees and security, IT, and compliance leaders.  To start, 65% of professionals working in Financial Services say they feel less secure working from home than they do in the office. It makes sense. People aren’t working from their normal work stations and likely don’t have the same equipment. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); A further 56% say they’re less likely to follow safe data practices when working remotely. Why? The most common reason was that IT isn’t watching, followed by being distracted.  Most of us can relate. When working remotely – especially from home – people have other responsibilities and distractions like childcare and roommates and, the truth is, the average employee is just trying to do their job, not be a champion of cybersecurity.  That’s why it’s so important that security and IT teams equip employees with the solutions they need to work securely, wherever they are. Current solutions aren’t empowering employees to work securely  Training, policies, and rule-based technology all have a place in security strategies. But, based on our research, these solutions alone aren’t working. In fact, 64% of professionals working in Financial Services say they’ll find a workaround to security software or policies if they impede productivity. This is 10% higher than the average across all industries. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
How does Tessian prevent data loss on email? Tessian uses machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our machine learning models analyze email data to understand how people work and communicate. They have been trained on more than two billion emails and they continue to adapt and learn from your own data as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real time if particular emails look like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. Finally, Tessian Defender detects and prevents inbound attacks like spear phishing, account takeover (ATO), and CEO Fraud. Enforcer and Guardian do all of this silently in the background. That means workflows aren’t disrupted and there’s no impact on productivity. Employees can do what they were hired to do without security getting in the way. Tessian bolsters training, complements rule-based solutions, and helps reinforce the policies security teams have worked so hard to create and embed in their organizations. That’s why so many Financial Services firms have adopted Tessian’s technology, including: Man Group Evercore BDO Affirm Armstrong Watson JTC DC Advisory Many More
Read Blog Post
Compliance
Cybersecurity: What Does Biden’s Executive Order Mean For Your Business?
Wednesday, May 5th, 2021
Remember last year’s SolarWinds attack? It was one of the most significant hacks in history and the fallout is ongoing. We may never know exactly how bad the attack was. But, we do know that it’s making waves and was a wake-up call for many organizations—not least the U.S. government, which has realized just how vulnerable it is to hackers targeting the countless companies in its supply chain. In response to SolarWinds, President Biden’s administration is drafting an executive order that aims to strengthen cybersecurity among both federal and private organizations. We’ve combed through the available information about the upcoming executive order to help you understand the potential implications for your business. 🕵  What information do we have about the executive order? We’ve had little communication from the White House about Biden’s upcoming executive order.  That means most of the information available derives from the following sources: The announcement that an executive order was in development, made in February by Anne Neuberger, White House deputy national security adviser for cyber and emerging technology A March speech made to the RSA Conference by Alejandro Mayorkas, secretary of homeland security  A leaked draft of the executive order seen by journalists in March An April speech to the Cybersecurity Coalition, given by Jeff Greene, acting senior director for cybersecurity at the National Security Council Further comments from Neuberger to NPR, made April 29 The order will likely tighten the rules around the procurement of private-sector software and services by government agencies—or, as Neuberger puts it: “If you’re doing business with the federal government, here’s a set of things you need to comply with in order to do business with us…” The means companies hoping to obtain or maintain government contracts, software developers, and government agencies will need to demonstrate that they have implemented certain security measures.  Don’t fall under any of the above three categories? Still worth paying attention. This executive order is a clear sign that the U.S. is taking cybersecurity seriously.  Now is the time to review your organization’s approach to cybersecurity—to ensure you have identified any vulnerabilities and can prevent or respond to attacks. 1. Breach notification  The order will likely include a breach notification rule that will impact companies supplying the federal government with software or hardware products. Of course, companies doing business with the federal government aren’t the only organizations to be obligated to breach notification rules.  Data breach notification rules are common worldwide, particularly in Europe, where the General Data Protection Regulation (GDPR) obliges organizations to notify regulators and individuals in the event of a breach of personal data within 72 hours. Further reading:  ⚡ GDPR: 13 Most Asked Questions + Answers ⚡ Biggest GDPR Fines in 2020 and 2021 There is currently no generally applicable federal breach notification law in the U.S. But, many states and some sectors have breach notification laws. We look at several of these in our article US Data Privacy Laws 2020: What Security Leaders Need to Know. The order’s breach notification rule would reportedly oblige federal contractors to notify a cyber incident response board (yet to be established) within days of a suspected hack or data breach. Organizations might also be required to cooperate with the FBI and the Cybersecurity and Infrastructure Agency (CISA) to investigate the incident. Reuters suggested that the order might also contain a public disclosure rule. Public disclosure might involve notifying any members of the public affected by a data breach, either individually or via the media. Note: Any organization operating under a data breach notification requirement must have robust and efficient procedures in place to identify and respond to a cybersecurity incident.  The sooner you can detect malicious activity, the sooner you can report it—and the sooner it can be contained or mitigated. 2. Software development security  The order will likely set out improved security requirements for software procured by federal agencies. This means developers of such software will need to implement stronger security standards in their products. Software vendors supplying the federal government may be required to create a “Software Bill of Materials” (SBOM) accompanying their products. An SBOM acts as an inventory that provides details about the components of a piece of software. Jeff Greene also reportedly suggested that National Institute of Standards and Technology (NIST) controls would play a role in providing improved security standards for government contractors. It’s not clear whether software vendors would be required to comply with an existing NIST framework, or whether the government would work with NIST to derive new standards. However, whether or not an organization supplies software to the federal government, compliance with a scheme such as the NIST Cybersecurity Framework is strongly recommended.  See our Beginner’s Guide to Cybersecurity Frameworks for more information. 3. Improved security within federal agencies  Finally, Biden’s executive order will likely include some mandatory security standards for government agencies and employees, including encryption of data and the use of multi-factor authentication (MFA). These technical controls are basic, and they are already best practice for any organization handling personal or sensitive data. But mandating such controls by law is a significant step. As we learn more, we’ll update this article. Want to be the first to know? Sign-up for our weekly blog digest, including global cybersecurity news, original research, and tips from security leaders.
Read Blog Post
Engineering Team, Compliance, Life at Tessian
Securing SOC 2 Certification
by Trevor Luker Tuesday, March 30th, 2021
Building on our existing ISO 27001 security certification, Tessian is excited to announce that we have achieved Service Organization Control 2 Type 2 (SOC 2) compliance in the key domains of Security, Confidentiality and Availability with zero exceptions on our very first attempt. Achieving full SOC 2 Type 2 compliance within 6 months is simply sensational and is a huge achievement for our company. It reinforces our message to customers and prospects that Information Security and protecting customer data is at the very core of everything Tessian does.
The Journey We began the preparations for SOC 2 in September 2020 and initiated the formal process in October. Having previously experienced the pain and trauma of doing SOC 2 manually, we knew that to move quickly, we needed tooling to assist with the evidence gathering and reporting.  Fortunately we were introduced to VANTA, which automates the majority of the information gathering tasks, allowing the Tessian team to concentrate on identifying and closing any gaps we had. VANTA is a great platform, and we would recommend it to any other company undertaking SOC 2 or ISO 27001 certification. For the external audit part of the process, we were especially fortunate to team up with Barr Advisory who proactively helped us navigate the maze of the Trust Service Criteria requirements. They provided skilled, objective advice and guidance along the way, and we would particularly like to thank Cody Hewell and Kyle Helles for their insights, enthusiasm and support. Tessian chose an accelerated three month observation period, which in turn, put a lot of pressure on internal resources to respond to information requests and deliver process changes as required. The Tessian team knew how important SOC 2 was to us strategically and rallied to the challenge. Despite some extremely short timeframes, we were able to deliver the evidence that the auditors needed.  A huge team effort and a great reflection of Tessian’s Craft At Speed value. What Next? Achieving SOC 2 Type 2 is a crucial step for Tessian as we expand further into the large enterprise space. It’s also the basis on which we will further develop our compliance and risk management initiatives, leading to specialized government security accreditation in the US and Europe over the next year or two.
Read Blog Post
Compliance, Integrated Cloud Email Security
10 Reasons Why CEOs Should Care About Cybersecurity
by Tim Sadler Wednesday, November 25th, 2020
Cybersecurity is a team sport. And for strategies to be truly effective, security leaders and business leaders have to work together.  In fewer words: Cybersecurity should be on the CEO’s agenda. So, to help bridge the gap and to really highlight why privacy and data protection matter now, I put together this list of reasons why CEOs should care about cybersecurity. Here are 10 reasons why CEOs should care about cybersecurity.
1. Cybersecurity is a competitive differentiator Today, customers and clients don’t just care about privacy, they expect it. That means that a strong cybersecurity culture can actually enable businesses. At our first Human Layer Security Summit of 2020, Mark Parr, Global Director at HFW, summed it up nicely, saying “You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.” He’s not alone in thinking this. According to Cisco’s global survey of security professionals and business leaders, 41% of survey respondents said “competitive advantage” was a benefit of their privacy investment.  2. The biggest consequence of a data breach is lost customer trust Earlier this year, we asked security leaders what the biggest consequence of a data breach would be. The #1 answer? Not lost data. Not regulatory fines or revenue loss. Lost customer trust. Breaches damage your brand and it can be very hard to win back customers’, clients’, and even the public’s trust. That’s why organizations see (on average) 3.9% customer churn after a data breach.  3. You will inevitably empower your people to do their best work Prioritizing cybersecurity isn’t just good for the business. It’s great for your people.  Here’s why: 90% of breaches are caused by human error. But people aren’t intentionally making these errors, they’re moving fast to get their job done. Security just isn’t top of mind for them.  So, it’s our job to set them up for success and empower them to do their best work securely. How do you do that? By removing the sharp objects.  At Tessian’s second Human Layer Security Summit, Bobby Ford, Vice President and Global CISO at Unilever put this into perspective with an example from his own life.   When you’re a parent helping your son or daughter learn how to walk, what do you do? Child-proof the house and get outta the way! 4. Privacy investment can help reduce delays in sales processes and improve operational efficiency Remember that Cisco global survey I mentioned earlier? “Competitive advantage” wasn’t the only benefit security professionals and business leaders experienced as a result of their investment in privacy and cybersecurity. 41% achieved operational efficiency from having data organized and cataloged and 37% saw a reduction in sales delays due to privacy concerns from customers and prospects. It makes sense. Data protection, privacy, and cybersecurity force businesses to be more transparent. That transparency fosters customer loyalty and increases organizational alignment.  
5. The average data breach costs $3.86 million While most security leaders agree that the biggest consequence of a breach is lost customer trust and damaged reputation, we can’t ignore the financial implications. In IBM’s latest Cost of a Data Breach report, they found the average data breach costs $3.86 million. This figure includes costs associated with: Detection and Escalation Notification  Lost Business Ex-post response. And this doesn’t even account for the potential fines from regulators.  Why does this matter? If we’re talking about the ROI of cybersecurity, the cost of non-compliance is actually 2.71 times higher than the cost of compliance. Translation: Prevention is better than cure.  6. The investigation and remediation of breaches disrupts productivity On average, it takes companies 197 days to identify and 69 days to contain a breach. And this process of investigating and remediating requires time and resources from plenty of departments, teams, and people outside of IT. Legal, compliance, executive, marketing, HR, and people teams will get pulled in. Spokespeople will be appointed. External security/IT support will have to be hired and onboarded. The bottom line: you hired great people to do great things. Post-breach activities pull them away from their day-to-work, disrupt their flow and productivity, and distract them from the business’ larger mission. 7. Data protection laws are only going to get more strict  On the topic of compliance, it’s important to point out that data protection laws are only going to get more strict and enforcement agencies are only going to be given more resources to enforce data requirements. That means organizations around the world and across industries won’t just benefit from strong cybersecurity programs, but they’ll be obligated to have one.  Top tip: Industries like financial services tend to be 5+ years ahead in cybersecurity maturity. If you don’t operate in these industries, it’s worth taking note of what’s top-of-mind for the business and security leaders that do.  8. Security culture is built from the top down Just like company culture, the C-suite sets the tone for security culture and therefore must lead by example.  It’s especially important that the CEO plays an active role in not just creating the overall security strategy, but actually rolling it out. Why? The CEO can connect cybersecurity to business objectives and help employees understand what it’s such a critical component in enabling the company to achieve its mission.
But business leaders will soon have no choice but to actively contribute to their organization’s security culture…. 9. By 2024, CEOs could be held personally liable for data breaches As I’ve said, cybersecurity is mission critical. But, for now, it’s security and IT teams who shoulder the responsibility. In a few years, this could change.  According to Gartner, CEO’s will be held personally liable for data breaches by 2024. 10. You owe it to your customers We mentioned earlier that strong cybersecurity can help businesses win new customers. But it’s not just about winning new customers. It’s also about supporting the ones you have.  This is one of Tessian’s core values: Customer-Centricity. Your customers entrust you with their data, their intellectual property, their secrets. You have to keep it safe. That’s why we believe that – as a cybersecurity vendor – it’s our mission to protect every other business’ mission. If you’re looking for more insights into how security and business leaders can work together, check out our latest eBook: CEO’s Guide to Data Protection and Compliance. 
Read Blog Post
Compliance
CCPA FAQs: Your Guide to California’s New Privacy Law
Sunday, November 8th, 2020
The California Consumer Privacy Act (CCPA) is now in force, and those that fail to comply are open to civil penalties and private lawsuits.  But, many business, security, and compliance leaders are still scratching their heads, wondering how the CCPA will affect them, how to stay compliant, and what consequences they face in the event of a data breach. We’re here to help. We’ve answered some of the key questions businesses are asking about, from the scope of the CCPA to violations under this strict data privacy law.  Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, taking away some of the ambiguity and pushing the state statute closer to the GDPR. The CPRA: Gives consumers the right to opt out of sharing their data. That means publishers will be required to display “prominently and conspicuously” on their homepages a “Do Not Sell or Share My Personal Information” link. Enforces a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected. Remember, consumers must be informed about how their data will be use before it is collected. Creates an agency to enforce compliance and dish out fines. The new regulatory body – California Privacy Protection Agency – has dedicated resources and the power to determine whether or not a violation was intentional or not. While – yes- the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options. What does this mean for you? Organizations must ensure compliance with the CPPA,  integrating the demands of the CPRA. The CPRA is set to take effect on January 1, 2023, but will apply to data collected from January 1, 2022.
Scope of the CCPA Who is covered by the CCPA? The CCPA covers several types of entities, primarily “businesses.” If your company qualifies as a business, it needs to comply with the CCPA. A business can be any legal entity that operates for profit in California and meets one or more of the CCPA’s three thresholds: It has annual gross revenues in excess of $25 million It annually buys, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers, households, or devices  It earns 50 percent or more of its annual revenues from selling consumers’ personal information Does the CCPA only apply to big businesses? At first glance, the thresholds above may appear to only apply to large corporations, social media companies, and “data brokers.”  But the truth is, many companies with targeted advertising campaigns may meet the requirements of threshold “B.” This is because using third-party cookies is likely to constitute “selling personal information. (More information below. Click here to jump ahead.)  Therefore, a company is likely to be covered by the CCPA if its website or mobile app: Uses third-party advertising or analytics cookies (or similar technologies), and Generates at least 50,000 unique hits originating in California per year.
Does the CCPA cover non-Californian companies? It doesn’t matter if your business is based in Los Angeles, London, or Lahore. The determining factors are whether you collect the personal information of California residents (“consumers”), and whether you meet one or more of the three thresholds above. Does your business collect the personal information of California residents? It does if they:  Visit your website (assuming you use web analytics or cookies to measure engagement or track visitors) Sign up to your newsletter Make an enquiry about your services That means that if you have a website that attracts visitors from around the world, chances are you’re obligated to satisfy the CCPA.  What is “Personal Information” under the CCPA? The CCPA defines “personal information” as: “…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It’s worth mentioning that this is arguably the broadest definition of “personal information” under any privacy law in the world. Nonetheless, the CCPA provides examples of the types of data that might qualify as personal information.  While this list is not exhaustive, it includes: Name Email address IP address Cookie data Device ID Biometric data Geolocation data It’s very common for a business to collect these types of information every time a person visits its website or uses its app. And, it’s also impossible to do business with a consumer without collecting at least some of this information.  Think about it. When you buy something on an e-commerce website, what information do you provide? What is a “Service Provider” under the CCPA? A service provider is a legal entity that processes personal information on behalf of a business.  For example, a marketing company receives a list of email addresses from a business and sends out its newsletter. The marketing company doesn’t have a direct interest in the end result of this activity — it simply obeys the instructions of the business. A service provider must also operate under a contract with the business from whom it receives personal information. This contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose outside of the contract. In layman’s terms: Service providers are not directly liable for most CCPA obligations. But, if a service provider’s negligence or wrongdoing leads to a data breach, it can be sued by the client.  Service providers can also receive civil penalties (more on that here) in certain circumstances. Unfortunately, it’s not clear yet what these “certain circumstances” are. As and when we have more context, we’ll update this blog! Violating the CCPA What is the CCPA’s Private Right of Action? Under the CCPA’s private right of action, a consumer — or group of consumers — can bring a legal claim against a business that fails to secure certain types of their personal information and suffers a data breach. (You can read more about what types of PI in this blog.) But, what happens if a consumer does pursue this private right of action? It can lead to: Statutory damages — an amount of money paid to each consumer, determined by the court, depending on the seriousness of the breach (among other factors). Statutory damages fall between $100 and $750 per consumer, per incident. Actual damages —  an amount of money paid to each consumer, based on what they have actually lost as the result of a breach. In the event of large-scale data breaches involving millions of consumers, damages could add up to billions of dollars. We’ve yet to see any legal claims completed under the CCPA. However, what if the CCPA had been in force throughout Facebook’s “Cambridge Analytica” scandal? Privacy lawyer Nicholas Schmidt estimates that the damage could have been between $61.6 billion and $184.7 billion. What are the CCPA’s civil penalties? The California Attorney General can issue civil penalties to businesses or service providers that violate any part of the CCPA. The CCPA’s civil penalties can be for an amount of: Up to $7,500 per intentional violation, such as knowingly selling personal information where a consumer has opted out. Up to $2,500 per unintentional violation, such as failing to impose reasonable security measures leading to a data breach.  Note: This is why it’s so important organization’s have strong security policies, procedures, and solutions in place. Reducing risk by improving your security posture is key. Tessian helps prevent data exfiltration and accidental data loss. Our solutions also help security leaders proactively protect their systems and data through automated intelligence and robust investigation and remediation tools. Learn more. The California Attorney-General must give a business 30 days’ notice of its alleged CCPA violation. If the business can “cure” the violation within this period, it can escape a penalty. While it’s not clear how a business can “cure” a CCPA violation, examples may include imposing security measures to “stem” a data breach or successfully retrieving personal information that has been exfiltrated. Privacy regulators are increasingly imposing harsh penalties on big tech companies. The CCPA takes clear inspiration from the EU General Data Protection Regulation (GDPR), which has seen the following large fines: €50 million (Google, France) €27.8 million (TIM telecommunications company, Italy) €204.6 million (British Airways, UK — not yet enforced)
CCPA Data Security Requirements What counts as a data breach under the CCPA? The CCPA defines a data breach as: “…unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” Here are the key elements of this definition: Unauthorized access Exfiltration Theft Disclosure A failure to “maintain reasonable security procedures and practices” Remember that a data breach can be intentional or unintentional and it can originate from a person inside or outside of your business. Read more about Insider Threats on our blog. According to the most recent California Data Breach Report, misdirected emails (emails sent to the wrong recipient) were the leading cause of data breaches. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
In the UK, misdirected emails were also the most common cause of data breach in quarter 4 of 2019-20, according to the UK Information Commissioner’s Office (ICO). As we’ve said, the CCPA requires a proactive approach to maintaining data security. Read about how Tessian can help CCPA compliance below or learn more about Tessian Guardian, which detects and prevents misdirected emails before they happen. What is “reasonable security” under the CCPA? The CCPA doesn’t define “reasonable security procedures and practices.”  However, in the most recent California Data Breach Report, the California Attorney-General clearly states that meeting the 20 Critical Security Controls from the Center for Internet Security (CIS) represents a minimum reasonable level of security.
The CIS Critical Security Controls include: Email and web browser protection Malware protection Application software security It’s worth noting that email is the threat vector most security leaders are worried about protecting. Find out why.  CCPA Consumer Rights What are the CCPA Consumer Rights? The CCPA’s consumer rights are: The right to know — consumers may request information about the types of information a business has collected, used, and shared about them over the past 12 months. They may also request copies of the specific pieces of information that the business holds about them. The right to delete — consumers may request that a business deletes the personal information it holds about them. The right to opt out — consumers may instruct a business not to sell their personal information The right to non-discrimination — businesses may not offer a lesser quality of goods or services or demand a higher price for goods or services if a consumer exercises their CCPA rights. The right to opt in (for minors) — businesses must obtain opt-in consent before selling the personal information of minors under the age of 16. They must obtain parental consent before selling the personal information of minors under the age of 13. In upholding these consumer rights, businesses have an obligation to provide individuals certain types of notice. More on that below.  What are the CCPA’s notice requirements? Under the CCPA, businesses must provide up to four types of notice to consumers: Privacy Policy — details which categories of personal information the business has collected, used, disclosed, and sold over the past 12 months. Every businesses must include a clear and prominent link to its Privacy Policy on its website and/or app. Notice at collection — provided at the point at which the business collects personal information from a consumer. This could appear, for example, as a disclaimer at the top of a sign-up form, informing consumers about what personal information the business is collecting and why. Notice of the right to opt-out — enables consumers to opt out of the sale of their personal information (where applicable). This must include a prominent link on a business’s homepage reading “Do Not Sell My Personal Information.” It might also take the form of a “cookie banner” enabling consumers to opt out of personalized advertising. Notice of financial incentives — informs consumers about any financial incentives offered for the processing of their personal information (where applicable). This can appear as a disclaimer when consumers are invited to sign up to certain types of “loyalty schemes.” What counts as “selling” Personal Information under the CCPA? The CCPA defines “selling” personal information as: “…selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” There is a lot of debate about what this means for businesses. Virtually any transfer of personal information that benefits your company could constitute a “sale.”  And, because of the very broad phrasing, this definition is likely to include the use of third-party cookies, which involve “transferring” “personal information” (such as IP addresses and device IDs) to “a third party” for “valuable consideration.” Don’t worry, there are several approaches to transferring Personal Information without “selling” it, including engaging a service provider when disclosing personal information for business purposes. How can Tessian help with CCPA compliance? While some parts of the CCPA are still open to debate, we know the following facts for certain: Data breaches will leave CCPA-covered businesses open to significant risks of private litigation and civil penalties. Failure to implement reasonable security procedures and practices will: Increase the likelihood of a data breach occurring, and Lead to more substantial fines and more serious legal claims. As one of the CIS Critical Security Controls, “email protection” is one of the minimum requirements for “reasonable security.” Tessian’s Human Layer Security solutions can fulfill a crucial element of your company’s duty to maintain reasonable security procedures and practices. Tessian Guardian — prevents your employees from emailing personal or sensitive company information to the wrong person. Tessian Enforcer — prevents the exfiltration of company data to unauthorized recipients. Tessian Defender — detects and prevents inbound “spear-phishing” attacks designed to trick your employees into divulging personal information. Learn more about Tessian’s solutions by booking a demo. 
Read Blog Post
Compliance
6 Reasons to Download The CEO’s Guide to Data Protection and Compliance
by Maddie Rosenthal Thursday, October 29th, 2020
Over the last several months, Tessian has published a ton of articles related to data compliance, the business value of cybersecurity, and the importance of executive buy-in when it comes to security strategies.  We’ve combined all of that information to create our latest eBook: CEO’s Guide to Data Protection and Compliance.  We know what you’re thinking. A guide for CEOs? Why? Let us explain by telling you why you should download it.  1. We explain why business leaders should care about cybersecurity While we don’t want to fear monger, it’s important to know that, according to Gartner, CEOs will be held personally liable for data breaches by 2024. But that’s not the only reason why business leaders should care about cybersecurity. They should care because cybersecurity can actually be a business enabler and competitive differentiator. More on this in point six.  2. We offer resources that will help bridge the gap between security and commercial teams Cybersecurity is a team sport and in order for strategies to be truly effective, the C-suite has to be on board. But, communicating risk, opportunity, and cybersecurity ROI can be tough….especially when – in most organizations – CISOs don’t have a seat at the table. We created this eBook to mitigate that disconnect. We considered both the CEOs and the CISOs perspective, avoided the “curse of knowledge”, and provided dozens of resources that will help security and commercial teams communicate better. Like what? A checklist for ensuring compliance A detailed breakdown of the steps organizations must take post-breach A shareable infographic of relevant statistics An industry-specific “worksheet” to help you understand the cost of a breach A list of the biggest breaches (and fines) under the GDPR, CCPA, HIPAA, GLBA, and PCI DSS Over 15 additional resources to help answer your questions  3. We share a high-level overview of 25 compliance standards While the GDPR and HIPAA tend to make headlines, there are actually dozens of regional and industry-specific data privacy regulations that you may be obligated to satisfy. Not sure where to start? We offer a high-level overview of 25 different compliance standards and explain who must comply and what data is protected.  4. We break down five compliance standards (in layman’s terms) While the high-level overview mentioned above will help business (and security!) leaders understand the broader compliance landscape, we wanted to double-click on a few. In the eBook we answer the following eight questions about GDPR, CCPA, HIPAA, GLBA, and PCI DSS: What is it? Who enforces it? When was it enacted? Who is obligated to comply? What are the penalties for non-compliance? What data is protected? What are the data requirements? What have been the biggest breaches? 5. We highlight the biggest breaches in recent history and how they could have been avoided As they say “history is a great teacher”. So, to help CEOs and CISOs understand potential vulnerabilities, the consequences of breaches, and how to prevent them, we outline the three biggest breaches (and fines) for each compliance standard.  Note: While – yes – some of this information is easy to find with a simple Google search, other information has been pulled from case dockets and breach notifications. That means we’ve done the heavy lifting for you.  6. We list the benefits of compliance from a business perspective This is what CEOs care about. Business value. Revenue drivers. And, while cybersecurity has historically not been viewed as a business enabler, this eBook proves that it is. We list 4 clear benefits of compliance beyond avoiding fines and explain how strong cybersecurity can help you build (and maintain) customer trust, attract investment, and help you streamline business operations.  Ready to learn more? Download the eBook and toolkit now.
Read Blog Post
Email DLP, Data Exfiltration, Compliance
A Beginner’s Guide to Cybersecurity Frameworks
Monday, October 5th, 2020
As rates of cybersecurity incidents rise and data security laws become stricter, organizations must take steps to protect the information under its control. But safeguarding your company’s information can be a daunting task.  So, where do you start? You can start by implementing a cybersecurity framework. In this article, we’ll look at four of the most prevalent cybersecurity frameworks — to help you get started on your journey toward better information security.  But first, let’s define what a cybersecurity framework is. What is a cybersecurity framework?
What are the benefits of implementing a cybersecurity framework? Running a business is a time-consuming and complicated task and many business leaders – especially those without any background in cybersecurity – worry that implementing a cybersecurity framework will create extra work. And, while it does take time and effort to follow a cybersecurity framework through to completion, it’s almost certainly going to save you time, stress — and money — in the long-term. Here’s how: It will strengthen your network protection, reducing your risk of a cybersecurity attack. It will help ensure better data security practices among staff, reducing the risk of accidental data loss, such as via misdirected email. It increases awareness of cybersecurity among staff, leading to a reduced risk from social engineering attacks. It improves your reputation among consumers and business partners. Implementing a cybersecurity framework is also a fundamental way of meeting your legal obligations under data privacy laws, such as:  The EU General Data Protection Regulation (GDPR)  The California Consumer Privacy Act (CCPA) The South Africa Protection of Personal Information Act (POPIA)  Under these laws — and many others worldwide — it is necessary for businesses to maintain a reasonable level of data security. Implementing a cybersecurity framework is an excellent way to achieve this. Looking for more information about regional and industry-specific data protection laws? Visit our compliance content hub. 
What sorts of organizations should implement a cybersecurity framework? Implementing a cybersecurity framework is mandatory in some industries. For example, organizations that handle cardholder data must comply with the PCI DSS framework. However, a business of virtually any size — and in any industry — can adopt a cybersecurity framework at relatively low cost.  One way that a small business can achieve cybersecurity compliance is by choosing a flexible framework —  such as the CIS Controls or NIST Cybersecurity Framework, and prioritizing the implementation of controls according to its business needs and operating context. Now, let’s look at four of the best-known cybersecurity frameworks.
Introduction to CIS Controls The Center for Internet Security (CIS) Controls framework can help you mitigate and defend against the most basic cyberattacks.  Here are the 20 CIS Controls: Basic CIS Controls Inventory and Control of Hardware Assets Inventory and Control of Software Assets Continuous Vulnerability Management Controlled Use of Administrative Privileges Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Maintenance, Monitoring, and Analysis of Audit Logs Foundational CIS Controls Email and Web Browser Protections Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Data Recovery Capabilities Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches Boundary Defense Data Protection Controlled Access Based on the Need to Know Wireless Access Control Account Monitoring and Control Organizational CIS Controls Implement a Security Awareness and Training Program Application Software Security Incident Response and Management Penetration Tests and Red Team Exercises
CIS Control 13: Data Protection  To give you an idea of what the CIS controls require, we’ll take a closer look at Control 13: Data Protection. CIS Control 13 provides some practical steps to help you protect data from exfiltration and cyberattacks. At its core, Control 13 requires organizations to: Use a combination of encryption, integrity protection, and data loss prevention (DLP) methods to ensure the security of data Limit and report on data exfiltration attempts Mitigate the effects of data compromise Control 13 contains nine sub-controls. Some of these are achievable for businesses of all sizes, such as: 13.1: Maintain an Inventory of Sensitive Information 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization 13.6: Encrypt Mobile Device Data If your organization has “moderate” or “significant” resources, it can implement further sub-controls, such as: 13.3: Monitor and Block Unauthorized Network Traffic 13.4: Only Allow Access to Authorized Cloud Storage or Email Providers 13.5: Monitor and Detect Any Unauthorized Use of Encryption By implementing the CIS controls and sub-controls on a priority basis, businesses can implement a reasonably effective cybersecurity program.  Looking for a straightforward way to implement multiple sub-controls across several CIS controls? implement email security software. Email is the entry-point for 96% of phishing attacks.
Introduction to the NIST Cybersecurity Framework The NIST Cybersecurity Framework (full title: Framework for Improving Critical Infrastructure Cybersecurity) is a comprehensive set of security controls and guidance for private sector organizations. Currently, at version 1.1, the framework aims to improve the general level of cybersecurity among US organizations. The framework is guidance — it’s entirely voluntary  — and it can be customized according to a company’s sector, resources, and risk profile. The framework’s “core” consists of cybersecurity activities and outcomes — written in accessible language that should be understandable to non-technical teams. (Phew!) The core activities and outcomes are sorted into five functions, which are further divided into categories. We’ve listed them below.  Identify: The “Identify” function provides the essential, foundational activities and outcomes necessary to use the framework. Outcomes categories associated with this function include: ID.AM: Asset Management ID.BE: Business Environment ID.RA: Risk Assessment Protect: The “Protect” function activities help mitigate the impact of a potential cyberattack or data breach. Protect outcome categories include: PR.AC: Identity Management and Access Control PR.AT: Awareness and Training PR.DS: Data Security Detect: The “Detect” function enables businesses to quickly detect that a cybersecurity event has occurred. Detect outcome categories include: DE.AE: Anomalies and Events  DE.CM: Security Continuous Monitoring DE.DP: Detection Processes Respond: Implementing the “Respond” function will ensure your business takes appropriate action during a cybersecurity event. Outcome categories in this function include: RS.RP: Response Planning  RS.CO: Communications  RS.AN: Analysis Recover: The “Recover” function allows an organization to return to normal functioning after a cyberattack. Recover function outcome categories include: RC.RP: Recovery Planning  RC.IM: Improvements RC.CO: Communications Each function’s categories are, in turn, divided into subcategories. For example: ID.AM (function: Identity, category: Asset Management): ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-2: Software platforms and applications within the organization are inventoried ID.AM-3: Organizational communication and data flows are mapped The subcategories all come with “informative references”, which are practical resources to help businesses achieve the outcomes.  For example, ID.AM-1 (Identify: Asset Management) includes the following references: CIS Control 1  ISO 27001:2013 Annexes A.8.1.1 and A.8.1.2 NIST Special Priority (SP) 800-53 (revision 4) CM-8 and PM-5 Introduction to ISO 27000 Series
The ISO 27000 Series (sometimes called the ISO/IEC 27000 Series) is a family of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27000 Series is extensive, covering information security requirements, guidelines, and sector-specific standards. Examples of some of the published standards in the ISO 27000 Series include: ISO 27000: Information Security Management Systems — Overview and Vocabulary ISO 27003: Information Security Management System Implementation Guidance ISO 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors ISO 27019: Information Security for Process Control in the Energy Industry ISO 27032: Guideline for cybersecurity ISO 27033: IT network security Businesses of all sizes can implement one or more of the ISO 27000 Series standards. These are internationally recognized standards and are well-respected around the world.  While implementing ISO 27000 controls is not legally mandatory, there is an expectation of ISO-compliance in many industries and contexts. For example, for public cloud storage service providers that process personal information, achieving ISO 27018 compliance is crucial. ISO 27001 To give you a feel for ISO 27000 implementation, we’re going to take a closer look at one of the more popular standards in the series: ISO 27001, full name “Information technology — Security techniques — Information security management systems — Requirements.” ISO 20071 aims to enable businesses to establish, implement, maintain, and continually improve an information security management system (ISMS). Unlike the CIS Controls or the NIST Cybersecurity Framework, ISO 20071 is not available for free. The ISO 27001 standard consists of ten “clauses,” and an annex containing 114 controls, sorted into 14 sets. A business can prioritize its implementation of these controls according to its operational requirements. An essential part of complying with ISO 27001 is risk assessment. An ISO 27001 risk assessment can be broken down into several stages: Creating a risk assessment methodology that accounts for: Your operating context Risk criteria Risk tolerance Identifying information assets, such as: Digital documents Paper files Storage devices Mobile devices Identifying threats: Social engineering attacks, such as spear phishing Exfiltration of data by trusted employees Weak passwords leading to hacked employee accounts ISO 27001 compliance is an ongoing process that requires the commitment of employees across your whole organization. Once a company has implemented sufficient controls, it can undergo an audit and obtain ISO 27001 certification. Tessian is ISO 27001 certified. You can read more about your integrations, compatibility, and partnerships here. 
Introduction to PCI DSS The PCI DSS applies to all organizations that accept, transmit, or store information associated with payment cards (known as “merchants”). The PCI DSS sits alongside the PCI PTS (for manufacturers) and the PCI PA-DSS (for software developers). Unlike the other frameworks we’ve looked at, the PCI DSS is mandatory for any business that qualifies as a merchant. The Payment Card Industry Council enforces PCI DSS compliance, and — in some jurisdictions — it is incorporated into law. The framework’s requirements differ according to how many Visa transactions a merchant processes per year. There are four levels of PCI DSS requirements: Level 1: Any merchant that:  Processes more than 6 million Visa transactions per year, or Is determined by Visa as needing to meet level 1 requirements Level 2: Any merchant that processes 1-6 million Visa transactions per year Level 3: Merchants that process 20,000-1 million eCommerce Visa transactions per year Level 4: Any merchant that: Processes fewer than 20,000 Visa transactions per year, or Processes fewer than 1 million non-eCommerce Visa transactions per year As you can see, eCommerce merchants have slightly stricter requirements due to the risks of transacting online.  If a merchant suffers a data breach, it might be required to move up a level to continue making card transactions. This is one of many reasons you should take a “security-first” approach and implement as many cybersecurity controls as your budget allows. The PCI DSS consists of 12 requirements, which can be summarized as: Use a firewall Change default passwords and other security parameters Protect cardholder data in storage Encrypt cardholder in transit Implement and update antivirus software  Ensure systems and applications are secure Restrict access to cardholder data Assign unique user IDs  Maintain physical safeguards over cardholder data Monitor access to cardholder data and network resources  Test security systems  Maintain an information security policy In fewer words: Merchants must protect cardholder data from internal and external threats.  How can Tessian help with cybersecurity framework implementation? As we’ve seen, all cybersecurity frameworks require businesses to protect the information in their control from threats such as: Social engineering attacks  Accidental data loss Insider threats Across three solutions, Tessian detects and prevents email-based cybersecurity threats. Why email? Read more about why email is the threat vector cybersecurity leaders are most concerned about on our blog.  You can also learn why rule-based DLP solutions are failing and why the world’s top organizations (in some of the most regulated industries) trust Tessian.
Read Blog Post
Data Exfiltration, Compliance, ATO/BEC
September Cybersecurity News Roundup
Wednesday, September 30th, 2020
We’re back with another monthly roundup of cybersecurity news. Cybercriminals have once again been busy, with several high-profile data breaches and ransomware attacks occurring throughout September. And – rather unsurprisingly – social media platforms Twitter and TikTok have made the cut for the third month running. Here are the top cybersecurity stories from September 2020, including links to further information. Need to catch-up? Check out headlines from July and top stories from August on our blog. Researchers Predict That CEOs Will Be Personally Liable for Cyber-Physical Attacks Research and advisory firm Gartner (who recently named Tessian a Cool Vendor) predicted this month that 75% of CEOs could hold personal liability for “cyber-physical” attacks by 2024. Cyber-physical attacks aim to impact the “real world,” including critical infrastructure, internet of things devices, and healthcare equipment. Such attacks can result in physical injury and death. Gartner predicts that that cyber-physical attacks will cause up to $50 billion of damage by 2023 So what if Gartner is right? It would mean that if a company suffers a cyberattack resulting in physical harm — and it turns out that the company has not implemented appropriate cybersecurity measures — the company’s CEO could have to pay fines with their own money. 
Gartner’s research tells us what every effective business leader already knows — an effective cybersecurity program is an essential requirement for every organization. If a cyberattack occurs, the buck stops with the company’s senior executives. Argentinian Government Faces $4 Million Ransom Following Cyberattack On September 6, Argentina temporarily stopped allowing people to cross its borders after the Netwalker ransomware hit the country. The attackers encrypted government migration data and demanded 355 Bitcoins (around $4 million) to unencrypt it. This cyberattack led to chaos across border checkpoints — but the Argentinian government told domestic news website Infobae that it had no intention of negotiating with the hackers. Ransomware continues to cause havoc worldwide, and it appears the problem is only getting worse. Research by SonicWall recorded approximately 121 million ransomware attacks in the first half of 2020. Personal Information of 46,000 US Military Veterans Breached The US Veterans Association (VA) announced this month that the personal information of around 46,000 military veterans had been “accessed by unauthorized users.” The cybercriminals aimed to “divert payments” intended for healthcare providers. The VA’s financial services team wrote to the affected individuals to advise on how to mitigate the effects of the breach and offer free access to credit monitoring services. The VA serves veterans all over the US. Strict new data breach laws in several jurisdictions — including New York, Washington DC, and Oregan — mean that the VA could face huge fines given the breach’s context. Want to know more about US data security laws? Read our guidance for security leaders. 75% of IT leaders believe the future of work is hybrid In a new report – The Future of Hybrid Working – Tessian reveals that IT leaders and employees both believe the future of work will be remote or hybrid. But, it’s clear this shift won’t be easy. Check out some of the key stats below: 82% of IT leaders believe employees are at greater risk of phishing attacks when working remotely Over a third of IT leaders are worried about their teams will stretched too far in terms of time and resource Half of emoployees have been working on their personal devices since March 2020 Nearly 75% of employees said they received a phishing email while working on a personal device between March and July 2020….and 68% admitted to clicking a link or downloading an attachment within that email 78% of IT leaders think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure Read the full report to learn more and to understand how business can balance flexibility and security without draining IT teams’ resources. Thousands of COVID-19 Patients’ Data Leaked Due to “Human Error” A massive data breach occurred in Wales this month when the personal information of 18,105 coronavirus patients was leaked following an “individual human error.” The breach affected every Welsh resident who tested positive for COVID-19 between February 27 and August 30. Public Health Wales said that the data included the “initials, date of birth, geographical area, and sex” of the affected individuals. In nearly 11% of people, though, the data also included the name of the nursing home or other healthcare setting in which the individual lived. The data was uploaded onto a public server, where it was accessible and searchable for around 20 hours. It was viewed 56 times throughout this period.  Human error is a key cause of data breaches. Statistics show that around 88% of data breaches start with human error, and almost half of all employees believe they have made an error at work leading to security repercussions. Chinese Company Holds Data About 2.4 million Influential People An academic at Fulbright University, Vietnam, has uncovered a vast Chinese database containing personal information of around 2.4 million people and their families. It looks like these individuals are “people of interest” to the Chinese Communist Party (CCP). The company responsible for maintaining this huge database “provides big data analytics as well as other functionality to support Chinese military and intelligence analysts,” according to a research paper. The research also suggests that the CCP uses the data for “intelligence, military, security, and state operations in information warfare and influence targeting.”  The database is believed to provide a way for the CCP to influence people in target sectors. It may be one of many such databases maintained by Chinese companies. Much of the information in the database has been gleaned from publicly-available sources. The Chinese database is yet another important reason you should consider limiting the amount of personal information you put online. You can learn more about how hackers are using open-source recon for deepfakes and other social engineering attacks from Elvis M. Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, who both joined us at Tessian Human Layer Security Summit. You can access their session “Safeguarding the 2020 Elections, Disarming Deepfakes via HLS On-Demand.  Twitter Provides Enhanced Security For US Election Following its spear phishing incident this July, Twitter has announced enhanced account security for certain “high-profile accounts” throughout the US election. Twitter said that various types of accounts, including those belonging to US politicians, campaign officials, and political journalists, would receive the security enhancements from September 17. So what’s changing? First, affected users must create “strong passwords,” of at least ten characters in length. They will need to confirm password reset requests via email. The affected users will also be “strongly encouraged” to enable two-factor authentication (2FA). But that’s not all. Recall that the July spear phishing incident involved “internal support tools” — it wasn’t primarily an issue with users’ account passwords. To address this, Twitter also states that it will improve internal monitoring of the affected accounts, including by using “more sophisticated detections and alerts,” “increased login defenses,” and “expedited account recovery” processes. Want to know how to avoid the issues Twitter faced this July? Read our guidance on “vishing” attacks. UHS Hospitals Hit by Reported Country-Wide Ryuk Ransomware Attack On September 27, Universal Health Services (UHS) – a Fortune 500 hospital and healthcare services provider that serves 3.5 million patients a year – was the target of a cyberattack that disable multiple antivirus programs and left hospitals around the country without access to computer and phone systems. According to employees, files were being renamed to include the .ryk extenstion, computers’ screens changed, and – eventually – shut down, leaving them without access to anything computer-based. And, in response to the attack, employees were told to shut down all systems to block attackers’ from reaching more devices on the network. While UHS hasn’t made a statement, the logistics of the incident suggest ransomware. That means patient and employee data is at risk. Energy Companies Advised to Create Cyberattack Response Plans The US Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) have released a report advising energy providers on creating an Incident Response and Recovery (IRR) plan for cyberattacks. The report is based around an existing cybersecurity framework: the National Institute of Standards and Technology (NIST) Special Publication 800-61, also known as the Computer Security Incident Handling Guide.  Governments appear to be increasingly concerned about the cybersecurity of critical infrastructure. This concern is well-founded — in 2019, 90% of security professionals surveyed across the utilities, energy, health, and transport sectors reported that their organizations had faced at least one successful cyberattack. Much of the advice to energy providers is good practice across all sectors. FERC and NERC recommend a four-part framework, consisting of security controls relating to preparation, detection and analysis, containment and eradication, and post-incident activity.
UK Agency Warns Schools and Universities About Ransomware Attacks As students worldwide return to schools, colleges, and universities, education providers are most concerned with defending against a COVID-19 outbreak. But the UK’s National Cyber Security Centre (NCSC) gave a stark warning about a different type of threat: ransomware. The NCSC’s alert describes “recent trends observed in ransomware attacks” targeting the education sector, which the agency says are increasingly common. The guidance follows a series of ransomware attacks against universities in the UK, US, and Canada this July. The agency warns that cybercriminals are exploiting out-of-date software and are accessing remote desktop protocol (RDP) software using credentials stolen via phishing attacks. It also warns that phishing emails are being used to deploy ransomware. So how does the NCSC recommend education providers protect themselves? The same ways all cyber-secure organizations protect themselves — including ”disrupting ransomware attack vectors” by implementing phishing defenses, and “enabling effective recovery” by keeping backups of data. Implementing DMARC is also essential to prevent brand impersonation and successful spear phishing attacks. And, according to Tessian research, 40% of the top 20 US universities aren’t using DMARC records.  TikTok Ban Delayed Following ByteDance Sale On September 21, US President Trump said he had approved the sale of part of ByteDance, the parent company of video-sharing platform TikTok, to Oracle and Wal-Mart. The deal temporarily averts harsh restrictions on TikTok set out by the US Department of Commerce three days earlier. The sale results from an executive order issued by President Trump in August, stating that the TikTok app “captures vast swaths of information from its users, including… location data and browsing and search histories.” TikTok maintains that this activity is standard industry practice. The US companies could take a collective 20% stake in ByteDance, with Oracle hosting TikTok user data in Oracle Cloud. Some analyses suggest that security-conscious nations and businesses are increasingly likely to implement these sorts of “data localization” measures. Trump had previously assured the public that TikTok would be “totally controlled” by the US firms. However, the president assured a press conference that the companies would be using “separate clouds and very, very powerful security.” That’s all for this month. If we missed anything, please email madeline.rosenthal@tessian.com and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post. 
Read Blog Post