If you’re aiming to achieve compliance with the MITRE ATT&CK Framework, email security will be among your top priorities. Why? Because securing your organization’s email is critical to detect, mitigate, and defend against some of the most widespread and harmful online threats.   In this article, we’ll offer a brief overview of the MITRE ATT&CK framework, then consider which attack techniques you can mitigate by improving your organization’s email security.   MITRE ATT&CK Framework 101   Here’s a brief introduction to the MITRE ATT&CK framework. Outlining the framework is important as it’ll help you see how its components tie in with your email security program. But feel free to skip ahead f you already know the basics.   ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework has three iterations—ATT&CK for Enterprise, ATT&CK for Mobile, and Pre-ATT&CK.   We’re focusing on ATT&CK for Enterprise, covering threats to Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network environments. You can check out the Mobile Matrices here, and the PRE Matric here.   MITRE ATT&CK tactics, techniques, sub-techniques, and mitigations   At the core of the framework is the ATT&CK matrix—a set of “Tactics” and corresponding “Techniques” used by “Adversaries” (threat actors).   The ATT&ACK for Enterprise matrix includes 14 Tactics: TA0043: Reconnaissance TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact   Think of these Tactics as the Adversary’s main objectives. For example, under the “Collection” Tactic (TA0009), the adversary is “trying to gather data of interest to their goal.” If you want to learn more about these tactics, or see a full list of the Techniques, Sub-Techniques, and Mitigations we mention below, click here.   A set of Techniques and sometimes “Sub-Techniques” is associated with each Tactic. Techniques are the methods an Adversary uses to achieve their tactical objectives. Sub-Techniques are variations on certain Techniques. We won’t list all the MITRE ATT&CK Techniques here, but we’ll identify some relevant to email security in just a second.   But first (and finally) there are “Mitigations”—methods of preventing or defending against adversaries. Examples of Mitigations include M1041: “Encrypt Sensitive Information,” and M1027: “Password Policies.” Back to email security… MITRE and Email Security   Now we’ll identify the MITRE ATT&CK framework Tactics and Techniques that are relevant to email security specifically. We’ll consider MITRE’s recommended Mitigations and look at how you can align your email security program to meet the framework’s requirements. Technique T1566: Phishing   “Phishing” is a MITRE ATT&CK Technique associated with the “Initial Access” Tactic (TA0001). As you’ll probably know, phishing is a type of social engineering attack—usually conducted via email—where an adversary impersonates a trusted person and brand and attempts to trick their target into divulging information, downloading malware, or transferring money.   The MITRE ATT&CK framework identifies both targeted phishing attacks (a technique known as “spear phishing”) and more general phishing attacks (conducted in bulk via spam emails). Now let’s look at the three Sub-Techniques associated with the Phishing Technique.   📎 T1566.001: Spearphishing Attachment   Sub-Technique T1566.001 involves sending a spear phishing email with a malicious attachment. The attachment is malware, such as a virus, spyware, or ransomware file that enables the adversary to harm or gain control of the target device or system.   A spear phishing attachment is usually disguised as a harmless Office, PDF, or ZIP file, and legacy email security software and spam filters can struggle to determine whether an attachment is malicious.   The spear phishing email itself will usually try to persuade the target to open the file. The Adversary may impersonate a trusted person and can even provide the target with instructions on opening the file that will bypass system protections. For more information about malicious email attachments, read What is a Malicious Payload?   🔗  T1566.002: Spearphishing Link   Alternatively to using a malicious attachment, a spear phishing email can include a link that leads to a malicious site such as a fraudulent account login page or a webpage that hosts a malicious download.   Like with the “Spearphishing Attachment” Sub-Technique, the “Spearphishing Link” Sub-Technique will normally employ social engineering methods—this time as a way to persuade the target to click the malicious link.   For example, the spear phishing email may be disguised as a “security alert” email from Microsoft, urging the target to log into their account. Upon following the link and “logging in,” the target’s login credentials will be sent to the adversary.   We’ve written in detail about this type of attack in our article What is Credential Phishing?   📱T1566.003: Spearphishing via Service   The “Spearphishing via Service” Sub-Technique uses platforms other than email to initiate a spearphishing attack—for example, a LinkedIn job post or WhatsApp message.   This Sub-Technique is not directly related to email security—but email security is still relevant here. For example, if an Adversary is able to establish rapport with their target via social media, then they might follow up with a spear phishing email.   ❌ Phishing Detection and Mitigation   Now let’s look at which Mitigations MITRE recommends for dealing with the Phishing Technique and its three associated Sub-Techniques: M1049: Antivirus/Antimalware — Quarantine suspicious files arriving via email. M1031: Network Intrusion Prevention — Monitor inbound email traffic for malicious attachments and links. M1021: Restrict Web-Based Content — Block access to web-based content and file types that are not necessary for business activity. M1054: Software Configuration — Use anti-spoofing methods to detect invalid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures. M1017: User Training — Educate employees to help them detect signs of a phishing attack.   Note: None of MITRE’s recommended Phishing Mitigations is sufficient on its own.   Antivirus Software, for example, can quarantine malicious files but is less likely to detect suspicious links. User Training helps embed a security-focused workplace culture—but you can’t expect employees to recognize sophisticated social engineering scenarios.   To prevent phishing attacks, it’s vital security leaders take a layered approach, including training, policies, and technology. Your best bet when it comes to technology? A next-gen email security solution that can automatically scan internal and external email communication for signs of malicious activity based on historical analysis.   Email security software can use several methods of detecting phishing attacks. Older solutions rely on techniques such as labeling and filtering—an administrator manually inputs the domain names, file types, and subject lines that the software should block.   Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound emails for signs of phishing, the software scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior.   This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted, access the legitimate files and links they need— while being alerted to anomalous and suspicious email content.

These in-the-moment warnings help reinforce training, and nudges employees towards safer behavior over time.  Download the Tessian Platform Overview to learn more.   Technique T1534: Internal Spearphishing   The “Internal Spearphishing” Technique is associated with the “Lateral Movement” Tactic (TA0008) and is distinct from the “Phishing” Technique.   Internal Spearphishing takes place once an adversary has already penetrated your system or account. The adversary leverages existing account access to conduct an internal spear phishing campaign.   Internal Spearphishing is particularly damaging because the emails come from a genuine (albeit compromised) account. This makes them virtually impossible to spot, and therefore very persuasive.   Internal Spearphishing Detection and Mitigations   MITRE notes that detecting an Internal Spearphishing attack (also known as Account Takeover) can be difficult. There are no mitigations associated with the “Internal Spearphishing” Technique in the MITRE ATT&CK framework.   According to MITRE, the main difficulty associated with detecting and mitigating Internal Spearphishing attacks is that “network intrusion detection systems do not usually scan internal email.”   The main hallmarks of a spear phishing email—such as email impersonation or spoofing—are not present once an adversary has successfully compromised an internal email account. This means legacy email security software may be unable to detect Internal Spear Phishing attacks.   However, an AI-driven email security solution such as Tessian can scan internal email and will pick up on small inconsistencies in the sender’s email behavior and communication patterns.   If a sender is communicating outside of their normal internal networks or writing in an uncharacteristic style, Tessian can flag this unusual behavior and notify the recipient of any suspicious emails.   Learn more about how Tessian Defender defends against internal spear phishing. Technique T1598: Phishing for Information   T1598: Phishing for Information is a MITRE ATT&CK Technique associated with the “Reconnaissance” Tactic (TA0043). While Phishing involves an attempt to penetrate an organization’s defenses, Phishing for Information is a way to gather information about the target for use in an attack.   As such, Phishing for Information may occur via email—or via other communications channels, such as instant messaging applications or social media.   Phishing for Information Detection and Mitigations   To detect Phishing for Information, MITRE suggests monitoring for suspicious email activity. Email security software can monitor signs of a phishing attack, including DKIM misconfiguration, suspicious language, or erratic communication methods.   But legacy email security programs can only detect the more obvious indicators of phishing. On the other hand, Tessian is uniquely equipped to identify the subtle but distinctive signs that a sender is not who they say they are.   Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals: Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses Anomalous email sending patterns: Based on historical email analysis, Tessian can identity unusual recipients, unusual send times, and emails sent to an unusual number of recipients Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too Leveraging email security for MITRE ATT&CK framework compliance   We’ve seen how email security is a major factor in meeting the MITRE ATT&CK framework requirements.   To recap, Tessian can serve as a key Mitigation in respect of the following Techniques and Sub-Techniques: T1566: Phishing T1566.01: Spearphishing Attachment T1566.02: Spearphishing Link T1566.03: Spearphishing via Service T1534: Internal Spearphishing T1598: Phishing for Information Learn more about how Tessian can transform your organization’s cybersecurity program.

If you work in cybersecurity, follow breaches in the news, or if you’re involved in managing your company’s finances, you’ve likely been (patiently) waiting for IBM’s latest Cost of a Data Breach report.   The 2021 report was released on July 28 and we’ve summarized the key findings for you here. Note: In this case, we’re just here to deliver the cold, hard facts, not offer commentary. We have, however, offered additional resources for you to check out if you’re interested in exploring a specific threat type, industry, or solution further. The overall cost of a breach Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single year cost increase in the last seven years. The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million Lost business represented 38% of the overall average total breach costs and increased slightly from $1.52 million in the 2020 study.  Lost business costs include increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation   Remote working and the cost of a breach   where remote work was a factor in causing the breach, the cost difference was $1.07 million Remote work was a factor in breaches at 17.5% of companies Organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely    The cost of a breach by industry    Healthcare has had the highest industry cost of a breach for 11 consecutive years Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. Learn how Tessian helps organizations in healthcare prevent breaches. Costs in the energy sector decreased from $6.39 million in 2020 to an average $4.65 million in 2021 Costs surged in the public sector, which saw a 78.7% increase in average total cost from $1.08 million to $1.93 million The cost of a breach by threat type Business email compromise (BEC) was responsible for only 4% of breaches, but had the highest average total cost of the 10 initial attack vectors in the study, at $5.01 million The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million) Compromised credentials was the most common initial attack vector, responsible for 20% of breaches. Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business, and response costs… but did not include the cost of the ransom.   How can cybersecurity solutions help? Security AI and automation had the biggest positive cost impact. Organizations with fully deployed security AI and automation experienced breach costs of $2.90 million, compared to $6.71 million at organizations without security AI and automation. Security AI/automation was associated with a faster time to identify and contain the breach Want to learn how Tessian leverages AI and ML to detect and prevent inbound and outbound threats legacy solutions can’t? Check out this whitepaper.

We’ve said it before and we’ll say it again: cybersecurity is a team sport. That means that (like it or not) the responsibility and burden sits with everyone, including the Chief Finance Officer (CFO).  That’s right: quantifying cyber risk, navigating cyber insurance policies, and negotiating ransom with hacking groups can all be part of the job spec.  If you’re a CFO who’s struggling to understand their role in cybersecurity, keep reading. We share 7 opportunities to get involved and protect your company’s assets.  Note: Every company is different. Size, revenue, industry, and reporting structures all play a role. This is general advice meant to provide a bird’s eye view of a CFO’s potential involvement in cybersecurity. 1. Quantify risk It can be hard for the C-suite to see the value of a solution when they haven’t yet experienced any consequences without it. As the saying goes, “If it ain’t broke, don’t fix it”.  That’s why it’s so important CFOs step in to quantify risk using specific “what-if” scenarios. The most basic formula is: probability x expected cost. Let’s use the example of an email being sent to the wrong person. We know at least 800 misdirected emails are sent every year in organizations with 1,000 employees. The expected cost, of course, depends on the email content and recipient, but let’s look at the worst-case scenario. What would the cost be if your press release for an upcoming, highly confidential merger and acquisition landed in a disgruntled former employee’s inbox? How would this impact the M&A itself? The company’s reputation? Revenue? Not a risk worth taking. Learn more about the key security challenges organizations face during M&A events. 2. Benchmark spending against other organizations Just like a marketing team should use a benchmark to determine whether or not their email list is engaged, CFOs should use a benchmark to determine how much they should be spending on cybersecurity. Think of it as your North Star. Fortunately, it’s relatively easy to determine how much your competitors or industry mavericks are shelling out. At least if they’re publicly traded.  A good place to start is their S-1. Here, you’ll be able to see what percentage of the company’s revenue goes towards Sales and Marketing, Research and Development, and General and Administrative.  This should give you a good idea of how to allocate your revenue.  You can also look at more general benchmark reports. For example, according to a Deloitte study, cybersecurity spending has increased YoY, from .34% of a company’s overall revenue in 2019 to .48% in 2020.  In 2020, that equated to $2,691 per full-time employee.   Bonus: Did you know you can also benchmark your security posture against your industry peers with Tessian Human Layer Security Intelligence? Learn more.  3. Vet cyber insurance policies Today, virtually every business needs cyber liability insurance. If you run a business that stores client, customer, or partner data…you need it. But it’s money wasted if you aren’t fully familiar with the policy terms. Check to make sure your first-party cyber insurance includes: Breach response recovery (including technical and legal advice) Forensic analysis for identifying the attack source Event management (including data recovery, PR services, and notification of clients) Cyber extortion Network/business interruption (including those that are the result of an attack on a third party) Dependent business interruption Credit monitoring services Consequential reputational loss or loss of income It’s also worth exploring third-party cyber insurance to protect your company’s assets from subsequent compliance penalties and settlement costs.  For example, Facebook settled a class-action lawsuit over its use of facial recognition technology. Illinois. The case reportedly settled for $550 million for a violation of the Biometric Information Privacy Act.  Third-party cyber insurance should include: Network security failures and privacy events Regulatory defense and penalties (including coverage for GDPR liabilities) PCI-DSS liabilities and costs Media content liability  4. Communicate with the board In a sentence, the CFO is responsible for the financial security of an organization. And, in the event of a breach, financial security simply isn’t guaranteed. Don’t believe us? Check out the consequences of a breach, according to IT leaders: !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); All of these will impact a company’s bottom line, including share value and rate of growth… two things the board doesn’t want to hear and news a CFO would hate to deliver.   But this isn’t a case of shooting the messenger. The responsibility and burden of cybersecurity sits with everyone, remember?  Post-breach, the board, auditors, and other third parties will be examining how effectively budgets were allocated to prevent the worst. That’s why it’s essential the CFO is actively involved in creating and implementing cybersecurity strategies; they have skin in the game.  5. Create secure processes for the finance team While – yes – the CFO holds the power of the purse and therefore influences the overall cybersecurity strategy, they also have a massive responsibility to secure their own team’s processes. After all, the finance department is one of the most targeted, specifically by invoice fraud, wire transfer fraud, and business email compromise.  Between June 2016 and July 2019, FBI statistics show that wire transfer fraud via BEC occurred 166,349 times, and cost businesses over $26 billion. In 2019, the number of bank transfer phishing scams occurring in the UK increased by 40%. In 2017, the FBI received 15,690 complaints about BEC (primarily involving wire transfer), resulting in over $675 million in losses. In 2019, this increased to 23,775 complaints and over $1.7 billion in losses. To protect against these incidents, CFOs should work with security teams to help train employees to spot scams, implement email security software to spot suspicious domains, and create fool-proof payment validation processes. For more tips, check out this article: Everything You Need to Know About Wire Transfer Phishing. 6. Negotiate ransom in the event of a ransomware attack  This is a position no CFO wants to be in. But, more and more, we’re seeing organizations being forced to comply with cyber criminals’ extortion demands. (7 Examples of Ransomware Attacks here.) While this may seem far beyond the scope of a finance director’s role, they’re heavily involved in the process. Of course, the first question to answer is: To pay? Or not to pay? This depends on an infinite number of factors, including the data being held, the hacking group who infiltrated the network, your cyber insurance policy, the company’s liquid assets….  The list goes on.  To avoid being put between a rock and a hard place, CFOs (along with the rest of the C-Suite and security team) should take prevention seriously, including anti-malware software, patching processes, and security for email, web, and other services. Tessian can help with email by preventing ransomware attacks at the source. 7. Know how to spot a phish CFO’s are generally among the most frequently targeted by phishing attacks. They’re also frequently impersonated. It makes sense. They have access to and control over the company’s money. It’s essential, then, that CFOs are especially vigilant, know how to spot a spear phishing attack, and know what to do if they suspect an email, text, or call is malicious.  Training, technology, and processes can help. If you want to learn more about how Nudge theory plays a role, check out this article about in-the-moment warnings. Looking for more resources? Check out the following: ⚡ Relationship 15: A Framework to Help Security Leaders Influence Change ⚡ CEO’s Guide to Data Protection and Compliance ⚡ Who Are the Most Likely Targets of Spear Phishing Attacks? ⚡ Why Information Security Must Be a Priority for GCs in 2021

Data Loss Prevention (DLP) is a priority for organizations across all sectors, but especially for those in Healthcare. Why? To start, they process and hold incredible amounts of personal and medical data and they must comply with strict data privacy laws like HIPAA and HITECH.  Healthcare also has the highest costs associated with data breaches – 65% higher than the average across all industries – and has for nine years running.  But, in order to remain compliant and, more importantly, to prevent data loss incidents and breaches, security leaders must have visibility over data movement. The question is: Do they? According to our latest research report, Data Loss Prevention in Healthcare, not yet. How frequently are data loss incidents happening in Healthcare? Data loss incidents are happening up to 38x more frequently than IT leaders currently estimate.  Tessian platform data shows that in organizations with 1,000 employees, 800 emails are sent to the wrong person every year. Likewise, in organizations of the same size, 27,500 emails containing company data are sent to personal accounts. These numbers are significantly higher than IT leaders expected.

But, what about in Healthcare specifically? We found that: Over half (51%) of employees working in Healthcare admit to sending company data to personal email accounts 46% of employees working in Healthcare say they’ve sent an email to the wrong person 35% employees working in Healthcare have downloaded, saved, or sent work-related documents to personal accounts before leaving or after being dismissed from a job This only covers outbound email security. Hospitals are also frequently targeted by ransomware and phishing attacks and Healthcare is the industry most likely to experience an incident involving employee misuse of access privileges.  Worse still, new remote-working structures are only making DLP more challenging.

Healthcare professionals feel less secure outside of the office  While over the last several months workforces around the world have suddenly transitioned from office-to-home, this isn’t a fleeting change. In fact, bolstered by digital solutions and streamlined virtual services, we can expect to see the global healthcare market grow exponentially over the next several years.  While this is great news in terms of general welfare, we can’t ignore the impact this might have on information security.   Half of employees working in Healthcare feel less secure outside of their normal office environment and 42% say they’re less likely to follow safe data practices when working remotely.   Why? Most employees surveyed said it was because IT isn’t watching, they’re distracted, and they’re not working on their normal devices. But, we can’t blame employees. After all, they’re just trying to do their jobs and cybersecurity isn’t top-of-mind, especially during a global pandemic. Perhaps that’s why over half (57%) say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job.  That’s why it’s so important that security leaders make the most secure path the path of least resistance. How can security leaders in Healthcare help protect employees and data? There are thousands of products on the market designed to detect and prevent data incidents and breaches and organizations are spending more than ever (up from $1.4 million to $13 million) to protect their systems and data.  But something’s wrong.  We’ve seen a 67% increase in the volume of breaches over the last five years and, as we’ve explored already, security leaders still don’t have visibility over risky and at-risk employees. So, what solutions are security, IT, and compliance leaders relying on? According to our research, most are relying on security training. And, it makes sense. Security awareness training confronts the crux of data loss by educating employees on best practice, company policies, and industry regulation. But, how effective is training, and can it influence and actually change human behavior for the long-term? Not on its own. Despite having training more frequently than most industries, Healthcare remains among the most likely to suffer a breach. The fact is, people break the rules and make mistakes. To err is human! That’s why security leaders have to bolster training and reinforce policies with tech that understands human behavior. How does Tessian prevent data loss on email? Tessian uses machine learning to address the problem of accidental or deliberate data loss. How? By analyzing email data to understand how people work and communicate.  This enables Tessian Guardian to look at email communications and determine in real-time if a particular email looks like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. Finally, Tessian Defender detects and prevents inbound attacks like spear phishing, account takeover (ATO), and CEO Fraud.

The business world was incredibly interconnected before the pandemic. Now that COVID-19 forced five years of tech adoption in three months, and with new technologies on the horizon, this trend isn’t reversing any time soon.  And while this global upgrade has many uses, and enables you to move huge parts of your life online, it also brings an increased focus on information security. Necessarily so.  Information security (Infosec) plays a vital role for all businesses that handle customer, client, or employee data. Nowadays, that’s pretty much every business.  Security breaches can seriously damage a company’s reputation, if not end their success altogether. Conversely, good cybersecurity can be a competitive advantage. Infosec also: Enables teams to build and implement their applications safely Allows the business to build trust with their customers Enables the organization to protect the data they collect and use Protects the tech used by teams within the company What does Infosec have to do with GCs? As the CEO and Co-Founder of Juro, I know how in-house legal teams work, particularly the General Counsel. The top lawyer in a company is increasingly focused on ‘adding value to the business’ as lawyers seek to bring their commercial savvy to bear to help with strategic projects.  But the first duty of a GC is to protect the company from legal risk – and in an interconnected world, the risks associated with breaches of information security loom large, both in terms of commercial and reputational impact.  It’s imperative that General Counsel work with Chief Information Security Officers (CISOs) to protect the business from an ever-growing array of risks.

The lawyer – CISO dynamic Lawyers don’t always play well with others. Historically, lawyers and CISO have kept their distance. The IT department of a traditional business was one of the last places you’d expect to find the General Counsel.  But over the years, the need for a CISO has grown, and the dynamic between the two roles has changed, for several reasons: 1. A huge explosion in SaaS businesses Even pre-COVID, the increase in automating processes – which moved traditional industries like finance, healthcare and legal into the cloud -drove an upsurge in adoption of SaaS tools.  Sales moved into Salesforce, marketing into HubSpot, and even legal teams moved online by embracing matter management and contract negotiation tools, alongside stalwarts like Zoom and Slack which seem to be ubiquitous to every business. Since the advent of COVID and universal lockdowns, it can often seem like collaborative SaaS platforms have become the rule, rather than the exception, such is their rate of adoption. But all these exciting changes present their own unique challenges when it comes to information security.  With so many verticals becoming digital-first overnight, their exposure to malicious (and negligent) actors both in and outside of the organization has led to a corresponding increase in legal risk.  Tessian research shows that 48% of employees say they’re less likely to follow safe security practices when working from home, and 84% of security leaders data loss prevention (DLP) is more challenging when their workforce is working outside of the office. It’s vital that GCs and CISOs help the business navigate the new world safely – together. 2. The ever-changing privacy landscape Most of these applications and SaaS tools require personal information of some kind, making privacy a key concern from day one. The complexity around this challenge only grows as the business does, which is why it’s essential that lawyers work with CISOs to manage that data security risk. Layered on top of this is the regulatory environment for personal data.  GDPR was a slow-moving iceberg that many businesses still haven’t fully reckoned with; the future is set to become even more complex thanks to developments like the Schrems II decision. GCs and CISOs can and should collaborate to create a privacy framework that allows them to keep on top of these challenges, iterating as the business continues to scale. Creating a robust privacy policy shouldn’t be viewed as a concern just for legal – GCs must encourage buy-in and participation from the wider business. 

What can GCs do to protect their company’s information security? Taking a leading role in information security doesn’t need to be daunting for legal counsel – in fact, a few simple steps can make all the difference. 1. Support CISOs GCs can ensure that they’re giving information security the attention it deserves by supporting and advising on any issues that arise. Often at a smaller business, there’s a single person assigned to manage Infosec – and much like the first lawyer at a scaling business, they have a mountain of work to do. Even in larger enterprises organizations, security teams can be thinly-stretched and resource-constrained.  Supporting CISOs through proactively dedicating a set amount of time and having regular check-ins can ensure that both lawyers and CISOs aren’t buried under this work in the future, as the business continues to grow.  Tone at the top dictates how others respond – it’s important for leaders to set the right example. Looking for a framework to help you establish better relationships with the right people? Use this template. 2. Offer training It’s important to emphasize that Infosec is a shared responsibility across the whole business – while one person may have ownership of it, it’s every employee’s responsibility to ensure the information processed by the business is secure, and data isn’t vulnerable to common attacks like data exfiltration and spear phishing..  GCs can help CISOs with this task by setting up training sessions with other teams in the company, to keep everyone up to date with the latest techniques.  For better or worse, lawyers are often seen as ‘bad cops’ in the business – having their backing for, and involvement in, data compliance training should reinforce the seriousness with which colleagues should approach the issue. Training shouldn’t be a one-off, of course – it should be part of every employee’s onboarding, and revisited on a regular basis. The bottom line: as the threats in Infosec constantly adapt, so should the methods used to mitigate risk and keep data safe. GCs and CISOs should work together to review the policies, frameworks and training in place, and iterate where necessary.  Falling behind on this will expose the business to risk. By prioritizing these tasks and placing security at the heart of everything they do, lawyers can ensure that their businesses continue to handle data securely as they scale. Written by Richard Mabey, CEO and co-founder of Juro.

In our latest research report, we took a deep dive into Data Loss Prevention in Financial Services and revealed that data loss incidents are happening up to 38x more frequently than IT leaders currently estimate.  And, while data loss is a big problem across all industries, it’s especially problematic in those that handle highly sensitive data. One of those industries is Financial Services. Before we dive into how frequently data loss incidents are happening and why, let’s define what exactly a data loss incident is in the context of this report. We focused on outbound data loss on email. This could be either intentional data exfiltration by a disgruntled or financially motivated employee or it could be accidental data loss.  Here’s what we found out. The majority of employees have accidentally or intentionally exfiltrated data  Tessian platform data shows that in organizations with 1,000 employees, 800 emails are sent to the wrong person every year. This is 1.6x more than IT leaders estimated. Likewise, in organizations of the same size, 27,500 emails containing company data are sent to personal accounts. We call these unauthorized emails, and IT leaders estimated just 720 are sent annually. That’s a big difference.

But, what about in this particular sector? Over half (57%) of Financial Services professionals across the US and the UK admit to sending at least one misdirected email and 67% say they’ve sent unauthorized emails. But, when you isolate the US employees, the percentage almost doubles. 91% of Financial Services professionals in the US say they’ve sent company data to their personal accounts.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); And, because Financial Services is highly competitive, professionals working in this industry are among the most likely to download, save, or send company data to personal accounts before leaving or after being dismissed from a job, with 47% of employees saying they’ve done it. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); To really understand the consequences of incidents like this, you have to consider the type of data this industry handles and the compliance standards and data privacy regulations they’re obligated to satisfy. Every day, professionals working in Financial Services send and receive: Bank Account Numbers Loan Account Numbers Credit/Debit Card Numbers Social Security Numbers M&A Data In order to protect that data, they must comply with regional and industry-specific laws, including: GLBA COPPA FACTA FDIC 370 HIPAA CCPA GDPR So, what happens if there’s a breach? The implications are far-reaching, ranging from lost customer trust and a damaged reputation to revenue loss and regulatory fines.  For more information on these and other compliance standards, visit our Compliance Hub. Remote-working is making Data Loss Prevention (DLP) more challenging  The sudden transition from office to home has presented a number of challenges to both employees and security, IT, and compliance leaders.  To start, 65% of professionals working in Financial Services say they feel less secure working from home than they do in the office. It makes sense. People aren’t working from their normal work stations and likely don’t have the same equipment. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); A further 56% say they’re less likely to follow safe data practices when working remotely. Why? The most common reason was that IT isn’t watching, followed by being distracted.  Most of us can relate. When working remotely – especially from home – people have other responsibilities and distractions like childcare and roommates and, the truth is, the average employee is just trying to do their job, not be a champion of cybersecurity.  That’s why it’s so important that security and IT teams equip employees with the solutions they need to work securely, wherever they are. Current solutions aren’t empowering employees to work securely  Training, policies, and rule-based technology all have a place in security strategies. But, based on our research, these solutions alone aren’t working. In fact, 64% of professionals working in Financial Services say they’ll find a workaround to security software or policies if they impede productivity. This is 10% higher than the average across all industries. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

How does Tessian prevent data loss on email? Tessian uses machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our machine learning models analyze email data to understand how people work and communicate. They have been trained on more than two billion emails and they continue to adapt and learn from your own data as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real time if particular emails look like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. Finally, Tessian Defender detects and prevents inbound attacks like spear phishing, account takeover (ATO), and CEO Fraud. Enforcer and Guardian do all of this silently in the background. That means workflows aren’t disrupted and there’s no impact on productivity. Employees can do what they were hired to do without security getting in the way. Tessian bolsters training, complements rule-based solutions, and helps reinforce the policies security teams have worked so hard to create and embed in their organizations. That’s why so many Financial Services firms have adopted Tessian’s technology, including: Man Group Evercore BDO Affirm Armstrong Watson JTC DC Advisory Many More

Remember last year’s SolarWinds attack? It was one of the most significant hacks in history and the fallout is ongoing. We may never know exactly how bad the attack was. But, we do know that it’s making waves and was a wake-up call for many organizations—not least the U.S. government, which has realized just how vulnerable it is to hackers targeting the countless companies in its supply chain. In response to SolarWinds, President Biden’s administration is drafting an executive order that aims to strengthen cybersecurity among both federal and private organizations. We’ve combed through the available information about the upcoming executive order to help you understand the potential implications for your business. 🕵  What information do we have about the executive order? We’ve had little communication from the White House about Biden’s upcoming executive order.  That means most of the information available derives from the following sources: The announcement that an executive order was in development, made in February by Anne Neuberger, White House deputy national security adviser for cyber and emerging technology A March speech made to the RSA Conference by Alejandro Mayorkas, secretary of homeland security  A leaked draft of the executive order seen by journalists in March An April speech to the Cybersecurity Coalition, given by Jeff Greene, acting senior director for cybersecurity at the National Security Council Further comments from Neuberger to NPR, made April 29 The order will likely tighten the rules around the procurement of private-sector software and services by government agencies—or, as Neuberger puts it: “If you’re doing business with the federal government, here’s a set of things you need to comply with in order to do business with us…” The means companies hoping to obtain or maintain government contracts, software developers, and government agencies will need to demonstrate that they have implemented certain security measures.  Don’t fall under any of the above three categories? Still worth paying attention. This executive order is a clear sign that the U.S. is taking cybersecurity seriously.  Now is the time to review your organization’s approach to cybersecurity—to ensure you have identified any vulnerabilities and can prevent or respond to attacks. 1. Breach notification  The order will likely include a breach notification rule that will impact companies supplying the federal government with software or hardware products. Of course, companies doing business with the federal government aren’t the only organizations to be obligated to breach notification rules.  Data breach notification rules are common worldwide, particularly in Europe, where the General Data Protection Regulation (GDPR) obliges organizations to notify regulators and individuals in the event of a breach of personal data within 72 hours. Further reading:  ⚡ GDPR: 13 Most Asked Questions + Answers ⚡ Biggest GDPR Fines in 2020 and 2021 There is currently no generally applicable federal breach notification law in the U.S. But, many states and some sectors have breach notification laws. We look at several of these in our article US Data Privacy Laws 2020: What Security Leaders Need to Know. The order’s breach notification rule would reportedly oblige federal contractors to notify a cyber incident response board (yet to be established) within days of a suspected hack or data breach. Organizations might also be required to cooperate with the FBI and the Cybersecurity and Infrastructure Agency (CISA) to investigate the incident. Reuters suggested that the order might also contain a public disclosure rule. Public disclosure might involve notifying any members of the public affected by a data breach, either individually or via the media. Note: Any organization operating under a data breach notification requirement must have robust and efficient procedures in place to identify and respond to a cybersecurity incident.  The sooner you can detect malicious activity, the sooner you can report it—and the sooner it can be contained or mitigated. 2. Software development security  The order will likely set out improved security requirements for software procured by federal agencies. This means developers of such software will need to implement stronger security standards in their products. Software vendors supplying the federal government may be required to create a “Software Bill of Materials” (SBOM) accompanying their products. An SBOM acts as an inventory that provides details about the components of a piece of software. Jeff Greene also reportedly suggested that National Institute of Standards and Technology (NIST) controls would play a role in providing improved security standards for government contractors. It’s not clear whether software vendors would be required to comply with an existing NIST framework, or whether the government would work with NIST to derive new standards. However, whether or not an organization supplies software to the federal government, compliance with a scheme such as the NIST Cybersecurity Framework is strongly recommended.  See our Beginner’s Guide to Cybersecurity Frameworks for more information. 3. Improved security within federal agencies  Finally, Biden’s executive order will likely include some mandatory security standards for government agencies and employees, including encryption of data and the use of multi-factor authentication (MFA). These technical controls are basic, and they are already best practice for any organization handling personal or sensitive data. But mandating such controls by law is a significant step. As we learn more, we’ll update this article. Want to be the first to know? Sign-up for our weekly blog digest, including global cybersecurity news, original research, and tips from security leaders.

Building on our existing ISO 27001 security certification, Tessian is excited to announce that we have achieved Service Organization Control 2 Type 2 (SOC 2) compliance in the key domains of Security, Confidentiality and Availability with zero exceptions on our very first attempt. Achieving full SOC 2 Type 2 compliance within 6 months is simply sensational and is a huge achievement for our company. It reinforces our message to customers and prospects that Information Security and protecting customer data is at the very core of everything Tessian does.

The Journey We began the preparations for SOC 2 in September 2020 and initiated the formal process in October. Having previously experienced the pain and trauma of doing SOC 2 manually, we knew that to move quickly, we needed tooling to assist with the evidence gathering and reporting.  Fortunately we were introduced to VANTA, which automates the majority of the information gathering tasks, allowing the Tessian team to concentrate on identifying and closing any gaps we had. VANTA is a great platform, and we would recommend it to any other company undertaking SOC 2 or ISO 27001 certification. For the external audit part of the process, we were especially fortunate to team up with Barr Advisory who proactively helped us navigate the maze of the Trust Service Criteria requirements. They provided skilled, objective advice and guidance along the way, and we would particularly like to thank Cody Hewell and Kyle Helles for their insights, enthusiasm and support. Tessian chose an accelerated three month observation period, which in turn, put a lot of pressure on internal resources to respond to information requests and deliver process changes as required. The Tessian team knew how important SOC 2 was to us strategically and rallied to the challenge. Despite some extremely short timeframes, we were able to deliver the evidence that the auditors needed.  A huge team effort and a great reflection of Tessian’s Craft At Speed value. What Next? Achieving SOC 2 Type 2 is a crucial step for Tessian as we expand further into the large enterprise space. It’s also the basis on which we will further develop our compliance and risk management initiatives, leading to specialized government security accreditation in the US and Europe over the next year or two.

Cybersecurity is a team sport. And for strategies to be truly effective, security leaders and business leaders have to work together.  In fewer words: Cybersecurity should be on the CEO’s agenda. So, to help bridge the gap and to really highlight why privacy and data protection matter now, I put together this list of reasons why CEOs should care about cybersecurity. Here are 10 reasons why CEOs should care about cybersecurity.

1. Cybersecurity is a competitive differentiator Today, customers and clients don’t just care about privacy, they expect it. That means that a strong cybersecurity culture can actually enable businesses. At our first Human Layer Security Summit of 2020, Mark Parr, Global Director at HFW, summed it up nicely, saying “You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.” He’s not alone in thinking this. According to Cisco’s global survey of security professionals and business leaders, 41% of survey respondents said “competitive advantage” was a benefit of their privacy investment.  2. The biggest consequence of a data breach is lost customer trust Earlier this year, we asked security leaders what the biggest consequence of a data breach would be. The #1 answer? Not lost data. Not regulatory fines or revenue loss. Lost customer trust. Breaches damage your brand and it can be very hard to win back customers’, clients’, and even the public’s trust. That’s why organizations see (on average) 3.9% customer churn after a data breach.  3. You will inevitably empower your people to do their best work Prioritizing cybersecurity isn’t just good for the business. It’s great for your people.  Here’s why: 90% of breaches are caused by human error. But people aren’t intentionally making these errors, they’re moving fast to get their job done. Security just isn’t top of mind for them.  So, it’s our job to set them up for success and empower them to do their best work securely. How do you do that? By removing the sharp objects.  At Tessian’s second Human Layer Security Summit, Bobby Ford, Vice President and Global CISO at Unilever put this into perspective with an example from his own life.   When you’re a parent helping your son or daughter learn how to walk, what do you do? Child-proof the house and get outta the way! 4. Privacy investment can help reduce delays in sales processes and improve operational efficiency Remember that Cisco global survey I mentioned earlier? “Competitive advantage” wasn’t the only benefit security professionals and business leaders experienced as a result of their investment in privacy and cybersecurity. 41% achieved operational efficiency from having data organized and cataloged and 37% saw a reduction in sales delays due to privacy concerns from customers and prospects. It makes sense. Data protection, privacy, and cybersecurity force businesses to be more transparent. That transparency fosters customer loyalty and increases organizational alignment.  

5. The average data breach costs $3.86 million While most security leaders agree that the biggest consequence of a breach is lost customer trust and damaged reputation, we can’t ignore the financial implications. In IBM’s latest Cost of a Data Breach report, they found the average data breach costs $3.86 million. This figure includes costs associated with: Detection and Escalation Notification  Lost Business Ex-post response. And this doesn’t even account for the potential fines from regulators.  Why does this matter? If we’re talking about the ROI of cybersecurity, the cost of non-compliance is actually 2.71 times higher than the cost of compliance. Translation: Prevention is better than cure.  6. The investigation and remediation of breaches disrupts productivity On average, it takes companies 197 days to identify and 69 days to contain a breach. And this process of investigating and remediating requires time and resources from plenty of departments, teams, and people outside of IT. Legal, compliance, executive, marketing, HR, and people teams will get pulled in. Spokespeople will be appointed. External security/IT support will have to be hired and onboarded. The bottom line: you hired great people to do great things. Post-breach activities pull them away from their day-to-work, disrupt their flow and productivity, and distract them from the business’ larger mission. 7. Data protection laws are only going to get more strict  On the topic of compliance, it’s important to point out that data protection laws are only going to get more strict and enforcement agencies are only going to be given more resources to enforce data requirements. That means organizations around the world and across industries won’t just benefit from strong cybersecurity programs, but they’ll be obligated to have one.  Top tip: Industries like financial services tend to be 5+ years ahead in cybersecurity maturity. If you don’t operate in these industries, it’s worth taking note of what’s top-of-mind for the business and security leaders that do.  8. Security culture is built from the top down Just like company culture, the C-suite sets the tone for security culture and therefore must lead by example.  It’s especially important that the CEO plays an active role in not just creating the overall security strategy, but actually rolling it out. Why? The CEO can connect cybersecurity to business objectives and help employees understand what it’s such a critical component in enabling the company to achieve its mission.

But business leaders will soon have no choice but to actively contribute to their organization’s security culture…. 9. By 2024, CEOs could be held personally liable for data breaches As I’ve said, cybersecurity is mission critical. But, for now, it’s security and IT teams who shoulder the responsibility. In a few years, this could change.  According to Gartner, CEO’s will be held personally liable for data breaches by 2024. 10. You owe it to your customers We mentioned earlier that strong cybersecurity can help businesses win new customers. But it’s not just about winning new customers. It’s also about supporting the ones you have.  This is one of Tessian’s core values: Customer-Centricity. Your customers entrust you with their data, their intellectual property, their secrets. You have to keep it safe. That’s why we believe that – as a cybersecurity vendor – it’s our mission to protect every other business’ mission. If you’re looking for more insights into how security and business leaders can work together, check out our latest eBook: CEO’s Guide to Data Protection and Compliance. 

The California Consumer Privacy Act (CCPA) is now in force, and those that fail to comply are open to civil penalties and private lawsuits.  But, many business, security, and compliance leaders are still scratching their heads, wondering how the CCPA will affect them, how to stay compliant, and what consequences they face in the event of a data breach. We’re here to help. We’ve answered some of the key questions businesses are asking about, from the scope of the CCPA to violations under this strict data privacy law.  Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, taking away some of the ambiguity and pushing the state statute closer to the GDPR. The CPRA: Gives consumers the right to opt out of sharing their data. That means publishers will be required to display “prominently and conspicuously” on their homepages a “Do Not Sell or Share My Personal Information” link. Enforces a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected. Remember, consumers must be informed about how their data will be use before it is collected. Creates an agency to enforce compliance and dish out fines. The new regulatory body – California Privacy Protection Agency – has dedicated resources and the power to determine whether or not a violation was intentional or not. While – yes- the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options. What does this mean for you? Organizations must ensure compliance with the CPPA,  integrating the demands of the CPRA. The CPRA is set to take effect on January 1, 2023, but will apply to data collected from January 1, 2022.

Scope of the CCPA Who is covered by the CCPA? The CCPA covers several types of entities, primarily “businesses.” If your company qualifies as a business, it needs to comply with the CCPA. A business can be any legal entity that operates for profit in California and meets one or more of the CCPA’s three thresholds: It has annual gross revenues in excess of $25 million It annually buys, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers, households, or devices  It earns 50 percent or more of its annual revenues from selling consumers’ personal information Does the CCPA only apply to big businesses? At first glance, the thresholds above may appear to only apply to large corporations, social media companies, and “data brokers.”  But the truth is, many companies with targeted advertising campaigns may meet the requirements of threshold “B.” This is because using third-party cookies is likely to constitute “selling personal information. (More information below. Click here to jump ahead.)  Therefore, a company is likely to be covered by the CCPA if its website or mobile app: Uses third-party advertising or analytics cookies (or similar technologies), and Generates at least 50,000 unique hits originating in California per year.

Does the CCPA cover non-Californian companies? It doesn’t matter if your business is based in Los Angeles, London, or Lahore. The determining factors are whether you collect the personal information of California residents (“consumers”), and whether you meet one or more of the three thresholds above. Does your business collect the personal information of California residents? It does if they:  Visit your website (assuming you use web analytics or cookies to measure engagement or track visitors) Sign up to your newsletter Make an enquiry about your services That means that if you have a website that attracts visitors from around the world, chances are you’re obligated to satisfy the CCPA.  What is “Personal Information” under the CCPA? The CCPA defines “personal information” as: “…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It’s worth mentioning that this is arguably the broadest definition of “personal information” under any privacy law in the world. Nonetheless, the CCPA provides examples of the types of data that might qualify as personal information.  While this list is not exhaustive, it includes: Name Email address IP address Cookie data Device ID Biometric data Geolocation data It’s very common for a business to collect these types of information every time a person visits its website or uses its app. And, it’s also impossible to do business with a consumer without collecting at least some of this information.  Think about it. When you buy something on an e-commerce website, what information do you provide? What is a “Service Provider” under the CCPA? A service provider is a legal entity that processes personal information on behalf of a business.  For example, a marketing company receives a list of email addresses from a business and sends out its newsletter. The marketing company doesn’t have a direct interest in the end result of this activity — it simply obeys the instructions of the business. A service provider must also operate under a contract with the business from whom it receives personal information. This contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose outside of the contract. In layman’s terms: Service providers are not directly liable for most CCPA obligations. But, if a service provider’s negligence or wrongdoing leads to a data breach, it can be sued by the client.  Service providers can also receive civil penalties (more on that here) in certain circumstances. Unfortunately, it’s not clear yet what these “certain circumstances” are. As and when we have more context, we’ll update this blog! Violating the CCPA What is the CCPA’s Private Right of Action? Under the CCPA’s private right of action, a consumer — or group of consumers — can bring a legal claim against a business that fails to secure certain types of their personal information and suffers a data breach. (You can read more about what types of PI in this blog.) But, what happens if a consumer does pursue this private right of action? It can lead to: Statutory damages — an amount of money paid to each consumer, determined by the court, depending on the seriousness of the breach (among other factors). Statutory damages fall between $100 and $750 per consumer, per incident. Actual damages —  an amount of money paid to each consumer, based on what they have actually lost as the result of a breach. In the event of large-scale data breaches involving millions of consumers, damages could add up to billions of dollars. We’ve yet to see any legal claims completed under the CCPA. However, what if the CCPA had been in force throughout Facebook’s “Cambridge Analytica” scandal? Privacy lawyer Nicholas Schmidt estimates that the damage could have been between $61.6 billion and $184.7 billion. What are the CCPA’s civil penalties? The California Attorney General can issue civil penalties to businesses or service providers that violate any part of the CCPA. The CCPA’s civil penalties can be for an amount of: Up to $7,500 per intentional violation, such as knowingly selling personal information where a consumer has opted out. Up to $2,500 per unintentional violation, such as failing to impose reasonable security measures leading to a data breach.  Note: This is why it’s so important organization’s have strong security policies, procedures, and solutions in place. Reducing risk by improving your security posture is key. Tessian helps prevent data exfiltration and accidental data loss. Our solutions also help security leaders proactively protect their systems and data through automated intelligence and robust investigation and remediation tools. Learn more. The California Attorney-General must give a business 30 days’ notice of its alleged CCPA violation. If the business can “cure” the violation within this period, it can escape a penalty. While it’s not clear how a business can “cure” a CCPA violation, examples may include imposing security measures to “stem” a data breach or successfully retrieving personal information that has been exfiltrated. Privacy regulators are increasingly imposing harsh penalties on big tech companies. The CCPA takes clear inspiration from the EU General Data Protection Regulation (GDPR), which has seen the following large fines: €50 million (Google, France) €27.8 million (TIM telecommunications company, Italy) €204.6 million (British Airways, UK — not yet enforced)

CCPA Data Security Requirements What counts as a data breach under the CCPA? The CCPA defines a data breach as: “…unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” Here are the key elements of this definition: Unauthorized access Exfiltration Theft Disclosure A failure to “maintain reasonable security procedures and practices” Remember that a data breach can be intentional or unintentional and it can originate from a person inside or outside of your business. Read more about Insider Threats on our blog. According to the most recent California Data Breach Report, misdirected emails (emails sent to the wrong recipient) were the leading cause of data breaches. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

In the UK, misdirected emails were also the most common cause of data breach in quarter 4 of 2019-20, according to the UK Information Commissioner’s Office (ICO). As we’ve said, the CCPA requires a proactive approach to maintaining data security. Read about how Tessian can help CCPA compliance below or learn more about Tessian Guardian, which detects and prevents misdirected emails before they happen. What is “reasonable security” under the CCPA? The CCPA doesn’t define “reasonable security procedures and practices.”  However, in the most recent California Data Breach Report, the California Attorney-General clearly states that meeting the 20 Critical Security Controls from the Center for Internet Security (CIS) represents a minimum reasonable level of security.

The CIS Critical Security Controls include: Email and web browser protection Malware protection Application software security It’s worth noting that email is the threat vector most security leaders are worried about protecting. Find out why.  CCPA Consumer Rights What are the CCPA Consumer Rights? The CCPA’s consumer rights are: The right to know — consumers may request information about the types of information a business has collected, used, and shared about them over the past 12 months. They may also request copies of the specific pieces of information that the business holds about them. The right to delete — consumers may request that a business deletes the personal information it holds about them. The right to opt out — consumers may instruct a business not to sell their personal information The right to non-discrimination — businesses may not offer a lesser quality of goods or services or demand a higher price for goods or services if a consumer exercises their CCPA rights. The right to opt in (for minors) — businesses must obtain opt-in consent before selling the personal information of minors under the age of 16. They must obtain parental consent before selling the personal information of minors under the age of 13. In upholding these consumer rights, businesses have an obligation to provide individuals certain types of notice. More on that below.  What are the CCPA’s notice requirements? Under the CCPA, businesses must provide up to four types of notice to consumers: Privacy Policy — details which categories of personal information the business has collected, used, disclosed, and sold over the past 12 months. Every businesses must include a clear and prominent link to its Privacy Policy on its website and/or app. Notice at collection — provided at the point at which the business collects personal information from a consumer. This could appear, for example, as a disclaimer at the top of a sign-up form, informing consumers about what personal information the business is collecting and why. Notice of the right to opt-out — enables consumers to opt out of the sale of their personal information (where applicable). This must include a prominent link on a business’s homepage reading “Do Not Sell My Personal Information.” It might also take the form of a “cookie banner” enabling consumers to opt out of personalized advertising. Notice of financial incentives — informs consumers about any financial incentives offered for the processing of their personal information (where applicable). This can appear as a disclaimer when consumers are invited to sign up to certain types of “loyalty schemes.” What counts as “selling” Personal Information under the CCPA? The CCPA defines “selling” personal information as: “…selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” There is a lot of debate about what this means for businesses. Virtually any transfer of personal information that benefits your company could constitute a “sale.”  And, because of the very broad phrasing, this definition is likely to include the use of third-party cookies, which involve “transferring” “personal information” (such as IP addresses and device IDs) to “a third party” for “valuable consideration.” Don’t worry, there are several approaches to transferring Personal Information without “selling” it, including engaging a service provider when disclosing personal information for business purposes. How can Tessian help with CCPA compliance? While some parts of the CCPA are still open to debate, we know the following facts for certain: Data breaches will leave CCPA-covered businesses open to significant risks of private litigation and civil penalties. Failure to implement reasonable security procedures and practices will: Increase the likelihood of a data breach occurring, and Lead to more substantial fines and more serious legal claims. As one of the CIS Critical Security Controls, “email protection” is one of the minimum requirements for “reasonable security.” Tessian’s Human Layer Security solutions can fulfill a crucial element of your company’s duty to maintain reasonable security procedures and practices. Tessian Guardian — prevents your employees from emailing personal or sensitive company information to the wrong person. Tessian Enforcer — prevents the exfiltration of company data to unauthorized recipients. Tessian Defender — detects and prevents inbound “spear-phishing” attacks designed to trick your employees into divulging personal information. Learn more about Tessian’s solutions by booking a demo. 

Over the last several months, Tessian has published a ton of articles related to data compliance, the business value of cybersecurity, and the importance of executive buy-in when it comes to security strategies.  We’ve combined all of that information to create our latest eBook: CEO’s Guide to Data Protection and Compliance.  We know what you’re thinking. A guide for CEOs? Why? Let us explain by telling you why you should download it.  1. We explain why business leaders should care about cybersecurity While we don’t want to fear monger, it’s important to know that, according to Gartner, CEOs will be held personally liable for data breaches by 2024. But that’s not the only reason why business leaders should care about cybersecurity. They should care because cybersecurity can actually be a business enabler and competitive differentiator. More on this in point six.  2. We offer resources that will help bridge the gap between security and commercial teams Cybersecurity is a team sport and in order for strategies to be truly effective, the C-suite has to be on board. But, communicating risk, opportunity, and cybersecurity ROI can be tough….especially when – in most organizations – CISOs don’t have a seat at the table. We created this eBook to mitigate that disconnect. We considered both the CEOs and the CISOs perspective, avoided the “curse of knowledge”, and provided dozens of resources that will help security and commercial teams communicate better. Like what? A checklist for ensuring compliance A detailed breakdown of the steps organizations must take post-breach A shareable infographic of relevant statistics An industry-specific “worksheet” to help you understand the cost of a breach A list of the biggest breaches (and fines) under the GDPR, CCPA, HIPAA, GLBA, and PCI DSS Over 15 additional resources to help answer your questions  3. We share a high-level overview of 25 compliance standards While the GDPR and HIPAA tend to make headlines, there are actually dozens of regional and industry-specific data privacy regulations that you may be obligated to satisfy. Not sure where to start? We offer a high-level overview of 25 different compliance standards and explain who must comply and what data is protected.  4. We break down five compliance standards (in layman’s terms) While the high-level overview mentioned above will help business (and security!) leaders understand the broader compliance landscape, we wanted to double-click on a few. In the eBook we answer the following eight questions about GDPR, CCPA, HIPAA, GLBA, and PCI DSS: What is it? Who enforces it? When was it enacted? Who is obligated to comply? What are the penalties for non-compliance? What data is protected? What are the data requirements? What have been the biggest breaches? 5. We highlight the biggest breaches in recent history and how they could have been avoided As they say “history is a great teacher”. So, to help CEOs and CISOs understand potential vulnerabilities, the consequences of breaches, and how to prevent them, we outline the three biggest breaches (and fines) for each compliance standard.  Note: While – yes – some of this information is easy to find with a simple Google search, other information has been pulled from case dockets and breach notifications. That means we’ve done the heavy lifting for you.  6. We list the benefits of compliance from a business perspective This is what CEOs care about. Business value. Revenue drivers. And, while cybersecurity has historically not been viewed as a business enabler, this eBook proves that it is. We list 4 clear benefits of compliance beyond avoiding fines and explain how strong cybersecurity can help you build (and maintain) customer trust, attract investment, and help you streamline business operations.  Ready to learn more? Download the eBook and toolkit now.

As rates of cybersecurity incidents rise and data security laws become stricter, organizations must take steps to protect the information under its control. But safeguarding your company’s information can be a daunting task.  So, where do you start? You can start by implementing a cybersecurity framework. In this article, we’ll look at four of the most prevalent cybersecurity frameworks — to help you get started on your journey toward better information security.  But first, let’s define what a cybersecurity framework is. What is a cybersecurity framework?

What are the benefits of implementing a cybersecurity framework? Running a business is a time-consuming and complicated task and many business leaders – especially those without any background in cybersecurity – worry that implementing a cybersecurity framework will create extra work. And, while it does take time and effort to follow a cybersecurity framework through to completion, it’s almost certainly going to save you time, stress — and money — in the long-term. Here’s how: It will strengthen your network protection, reducing your risk of a cybersecurity attack. It will help ensure better data security practices among staff, reducing the risk of accidental data loss, such as via misdirected email. It increases awareness of cybersecurity among staff, leading to a reduced risk from social engineering attacks. It improves your reputation among consumers and business partners. Implementing a cybersecurity framework is also a fundamental way of meeting your legal obligations under data privacy laws, such as:  The EU General Data Protection Regulation (GDPR)  The California Consumer Privacy Act (CCPA) The South Africa Protection of Personal Information Act (POPIA)  Under these laws — and many others worldwide — it is necessary for businesses to maintain a reasonable level of data security. Implementing a cybersecurity framework is an excellent way to achieve this. Looking for more information about regional and industry-specific data protection laws? Visit our compliance content hub. 

What sorts of organizations should implement a cybersecurity framework? Implementing a cybersecurity framework is mandatory in some industries. For example, organizations that handle cardholder data must comply with the PCI DSS framework. However, a business of virtually any size — and in any industry — can adopt a cybersecurity framework at relatively low cost.  One way that a small business can achieve cybersecurity compliance is by choosing a flexible framework —  such as the CIS Controls or NIST Cybersecurity Framework, and prioritizing the implementation of controls according to its business needs and operating context. Now, let’s look at four of the best-known cybersecurity frameworks.

Introduction to CIS Controls The Center for Internet Security (CIS) Controls framework can help you mitigate and defend against the most basic cyberattacks.  Here are the 20 CIS Controls: Basic CIS Controls Inventory and Control of Hardware Assets Inventory and Control of Software Assets Continuous Vulnerability Management Controlled Use of Administrative Privileges Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Maintenance, Monitoring, and Analysis of Audit Logs Foundational CIS Controls Email and Web Browser Protections Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Data Recovery Capabilities Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches Boundary Defense Data Protection Controlled Access Based on the Need to Know Wireless Access Control Account Monitoring and Control Organizational CIS Controls Implement a Security Awareness and Training Program Application Software Security Incident Response and Management Penetration Tests and Red Team Exercises

CIS Control 13: Data Protection  To give you an idea of what the CIS controls require, we’ll take a closer look at Control 13: Data Protection. CIS Control 13 provides some practical steps to help you protect data from exfiltration and cyberattacks. At its core, Control 13 requires organizations to: Use a combination of encryption, integrity protection, and data loss prevention (DLP) methods to ensure the security of data Limit and report on data exfiltration attempts Mitigate the effects of data compromise Control 13 contains nine sub-controls. Some of these are achievable for businesses of all sizes, such as: 13.1: Maintain an Inventory of Sensitive Information 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization 13.6: Encrypt Mobile Device Data If your organization has “moderate” or “significant” resources, it can implement further sub-controls, such as: 13.3: Monitor and Block Unauthorized Network Traffic 13.4: Only Allow Access to Authorized Cloud Storage or Email Providers 13.5: Monitor and Detect Any Unauthorized Use of Encryption By implementing the CIS controls and sub-controls on a priority basis, businesses can implement a reasonably effective cybersecurity program.  Looking for a straightforward way to implement multiple sub-controls across several CIS controls? implement email security software. Email is the entry-point for 96% of phishing attacks.

Introduction to the NIST Cybersecurity Framework The NIST Cybersecurity Framework (full title: Framework for Improving Critical Infrastructure Cybersecurity) is a comprehensive set of security controls and guidance for private sector organizations. Currently, at version 1.1, the framework aims to improve the general level of cybersecurity among US organizations. The framework is guidance — it’s entirely voluntary  — and it can be customized according to a company’s sector, resources, and risk profile. The framework’s “core” consists of cybersecurity activities and outcomes — written in accessible language that should be understandable to non-technical teams. (Phew!) The core activities and outcomes are sorted into five functions, which are further divided into categories. We’ve listed them below.  Identify: The “Identify” function provides the essential, foundational activities and outcomes necessary to use the framework. Outcomes categories associated with this function include: ID.AM: Asset Management ID.BE: Business Environment ID.RA: Risk Assessment Protect: The “Protect” function activities help mitigate the impact of a potential cyberattack or data breach. Protect outcome categories include: PR.AC: Identity Management and Access Control PR.AT: Awareness and Training PR.DS: Data Security Detect: The “Detect” function enables businesses to quickly detect that a cybersecurity event has occurred. Detect outcome categories include: DE.AE: Anomalies and Events  DE.CM: Security Continuous Monitoring DE.DP: Detection Processes Respond: Implementing the “Respond” function will ensure your business takes appropriate action during a cybersecurity event. Outcome categories in this function include: RS.RP: Response Planning  RS.CO: Communications  RS.AN: Analysis Recover: The “Recover” function allows an organization to return to normal functioning after a cyberattack. Recover function outcome categories include: RC.RP: Recovery Planning  RC.IM: Improvements RC.CO: Communications Each function’s categories are, in turn, divided into subcategories. For example: ID.AM (function: Identity, category: Asset Management): ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-2: Software platforms and applications within the organization are inventoried ID.AM-3: Organizational communication and data flows are mapped The subcategories all come with “informative references”, which are practical resources to help businesses achieve the outcomes.  For example, ID.AM-1 (Identify: Asset Management) includes the following references: CIS Control 1  ISO 27001:2013 Annexes A.8.1.1 and A.8.1.2 NIST Special Priority (SP) 800-53 (revision 4) CM-8 and PM-5 Introduction to ISO 27000 Series

The ISO 27000 Series (sometimes called the ISO/IEC 27000 Series) is a family of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27000 Series is extensive, covering information security requirements, guidelines, and sector-specific standards. Examples of some of the published standards in the ISO 27000 Series include: ISO 27000: Information Security Management Systems — Overview and Vocabulary ISO 27003: Information Security Management System Implementation Guidance ISO 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors ISO 27019: Information Security for Process Control in the Energy Industry ISO 27032: Guideline for cybersecurity ISO 27033: IT network security Businesses of all sizes can implement one or more of the ISO 27000 Series standards. These are internationally recognized standards and are well-respected around the world.  While implementing ISO 27000 controls is not legally mandatory, there is an expectation of ISO-compliance in many industries and contexts. For example, for public cloud storage service providers that process personal information, achieving ISO 27018 compliance is crucial. ISO 27001 To give you a feel for ISO 27000 implementation, we’re going to take a closer look at one of the more popular standards in the series: ISO 27001, full name “Information technology — Security techniques — Information security management systems — Requirements.” ISO 20071 aims to enable businesses to establish, implement, maintain, and continually improve an information security management system (ISMS). Unlike the CIS Controls or the NIST Cybersecurity Framework, ISO 20071 is not available for free. The ISO 27001 standard consists of ten “clauses,” and an annex containing 114 controls, sorted into 14 sets. A business can prioritize its implementation of these controls according to its operational requirements. An essential part of complying with ISO 27001 is risk assessment. An ISO 27001 risk assessment can be broken down into several stages: Creating a risk assessment methodology that accounts for: Your operating context Risk criteria Risk tolerance Identifying information assets, such as: Digital documents Paper files Storage devices Mobile devices Identifying threats: Social engineering attacks, such as spear phishing Exfiltration of data by trusted employees Weak passwords leading to hacked employee accounts ISO 27001 compliance is an ongoing process that requires the commitment of employees across your whole organization. Once a company has implemented sufficient controls, it can undergo an audit and obtain ISO 27001 certification. Tessian is ISO 27001 certified. You can read more about your integrations, compatibility, and partnerships here. 

Introduction to PCI DSS The PCI DSS applies to all organizations that accept, transmit, or store information associated with payment cards (known as “merchants”). The PCI DSS sits alongside the PCI PTS (for manufacturers) and the PCI PA-DSS (for software developers). Unlike the other frameworks we’ve looked at, the PCI DSS is mandatory for any business that qualifies as a merchant. The Payment Card Industry Council enforces PCI DSS compliance, and — in some jurisdictions — it is incorporated into law. The framework’s requirements differ according to how many Visa transactions a merchant processes per year. There are four levels of PCI DSS requirements: Level 1: Any merchant that:  Processes more than 6 million Visa transactions per year, or Is determined by Visa as needing to meet level 1 requirements Level 2: Any merchant that processes 1-6 million Visa transactions per year Level 3: Merchants that process 20,000-1 million eCommerce Visa transactions per year Level 4: Any merchant that: Processes fewer than 20,000 Visa transactions per year, or Processes fewer than 1 million non-eCommerce Visa transactions per year As you can see, eCommerce merchants have slightly stricter requirements due to the risks of transacting online.  If a merchant suffers a data breach, it might be required to move up a level to continue making card transactions. This is one of many reasons you should take a “security-first” approach and implement as many cybersecurity controls as your budget allows. The PCI DSS consists of 12 requirements, which can be summarized as: Use a firewall Change default passwords and other security parameters Protect cardholder data in storage Encrypt cardholder in transit Implement and update antivirus software  Ensure systems and applications are secure Restrict access to cardholder data Assign unique user IDs  Maintain physical safeguards over cardholder data Monitor access to cardholder data and network resources  Test security systems  Maintain an information security policy In fewer words: Merchants must protect cardholder data from internal and external threats.  How can Tessian help with cybersecurity framework implementation? As we’ve seen, all cybersecurity frameworks require businesses to protect the information in their control from threats such as: Social engineering attacks  Accidental data loss Insider threats Across three solutions, Tessian detects and prevents email-based cybersecurity threats. Why email? Read more about why email is the threat vector cybersecurity leaders are most concerned about on our blog.  You can also learn why rule-based DLP solutions are failing and why the world’s top organizations (in some of the most regulated industries) trust Tessian.