We’re back with another monthly roundup of cybersecurity news. Cybercriminals have once again been busy, with several high-profile data breaches and ransomware attacks occurring throughout September. And – rather unsurprisingly – social media platforms Twitter and TikTok have made the cut for the third month running. Here are the top cybersecurity stories from September 2020, including links to further information. Need to catch-up? Check out headlines from July and top stories from August on our blog. Researchers Predict That CEOs Will Be Personally Liable for Cyber-Physical Attacks Research and advisory firm Gartner (who recently named Tessian a Cool Vendor) predicted this month that 75% of CEOs could hold personal liability for “cyber-physical” attacks by 2024. Cyber-physical attacks aim to impact the “real world,” including critical infrastructure, internet of things devices, and healthcare equipment. Such attacks can result in physical injury and death. Gartner predicts that that cyber-physical attacks will cause up to $50 billion of damage by 2023 So what if Gartner is right? It would mean that if a company suffers a cyberattack resulting in physical harm — and it turns out that the company has not implemented appropriate cybersecurity measures — the company’s CEO could have to pay fines with their own money. 

Gartner’s research tells us what every effective business leader already knows — an effective cybersecurity program is an essential requirement for every organization. If a cyberattack occurs, the buck stops with the company’s senior executives. Argentinian Government Faces $4 Million Ransom Following Cyberattack On September 6, Argentina temporarily stopped allowing people to cross its borders after the Netwalker ransomware hit the country. The attackers encrypted government migration data and demanded 355 Bitcoins (around $4 million) to unencrypt it. This cyberattack led to chaos across border checkpoints — but the Argentinian government told domestic news website Infobae that it had no intention of negotiating with the hackers. Ransomware continues to cause havoc worldwide, and it appears the problem is only getting worse. Research by SonicWall recorded approximately 121 million ransomware attacks in the first half of 2020. Personal Information of 46,000 US Military Veterans Breached The US Veterans Association (VA) announced this month that the personal information of around 46,000 military veterans had been “accessed by unauthorized users.” The cybercriminals aimed to “divert payments” intended for healthcare providers. The VA’s financial services team wrote to the affected individuals to advise on how to mitigate the effects of the breach and offer free access to credit monitoring services. The VA serves veterans all over the US. Strict new data breach laws in several jurisdictions — including New York, Washington DC, and Oregan — mean that the VA could face huge fines given the breach’s context. Want to know more about US data security laws? Read our guidance for security leaders. Thousands of COVID-19 Patients’ Data Leaked Due to “Human Error” A massive data breach occurred in Wales this month when the personal information of 18,105 coronavirus patients was leaked following an “individual human error.” The breach affected every Welsh resident who tested positive for COVID-19 between February 27 and August 30. Public Health Wales said that the data included the “initials, date of birth, geographical area, and sex” of the affected individuals. In nearly 11% of people, though, the data also included the name of the nursing home or other healthcare setting in which the individual lived. The data was uploaded onto a public server, where it was accessible and searchable for around 20 hours. It was viewed 56 times throughout this period.  Human error is a key cause of data breaches. Statistics show that around 88% of data breaches start with human error, and almost half of all employees believe they have made an error at work leading to security repercussions. Chinese Company Holds Data About 2.4 million Influential People An academic at Fulbright University, Vietnam, has uncovered a vast Chinese database containing personal information of around 2.4 million people and their families. It looks like these individuals are “people of interest” to the Chinese Communist Party (CCP). The company responsible for maintaining this huge database “provides big data analytics as well as other functionality to support Chinese military and intelligence analysts,” according to a research paper. The research also suggests that the CCP uses the data for “intelligence, military, security, and state operations in information warfare and influence targeting.”  The database is believed to provide a way for the CCP to influence people in target sectors. It may be one of many such databases maintained by Chinese companies. Much of the information in the database has been gleaned from publicly-available sources. The Chinese database is yet another important reason you should consider limiting the amount of personal information you put online. You can learn more about how hackers are using open-source recon for deepfakes and other social engineering attacks from Elvis M. Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, who both joined us at Tessian Human Layer Security Summit. You can access their session “Safeguarding the 2020 Elections, Disarming Deepfakes via HLS On-Demand.  Twitter Provides Enhanced Security For US Election Following its spear phishing incident this July, Twitter has announced enhanced account security for certain “high-profile accounts” throughout the US election. Twitter said that various types of accounts, including those belonging to US politicians, campaign officials, and political journalists, would receive the security enhancements from September 17. So what’s changing? First, affected users must create “strong passwords,” of at least ten characters in length. They will need to confirm password reset requests via email. The affected users will also be “strongly encouraged” to enable two-factor authentication (2FA). But that’s not all. Recall that the July spear phishing incident involved “internal support tools” — it wasn’t primarily an issue with users’ account passwords. To address this, Twitter also states that it will improve internal monitoring of the affected accounts, including by using “more sophisticated detections and alerts,” “increased login defenses,” and “expedited account recovery” processes. Want to know how to avoid the issues Twitter faced this July? Read our guidance on “vishing” attacks. Energy Companies Advised to Create Cyberattack Response Plans The US Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) have released a report advising energy providers on creating an Incident Response and Recovery (IRR) plan for cyberattacks. The report is based around an existing cybersecurity framework: the National Institute of Standards and Technology (NIST) Special Publication 800-61, also known as the Computer Security Incident Handling Guide.  Governments appear to be increasingly concerned about the cybersecurity of critical infrastructure. This concern is well-founded — in 2019, 90% of security professionals surveyed across the utilities, energy, health, and transport sectors reported that their organizations had faced at least one successful cyberattack. Much of the advice to energy providers is good practice across all sectors. FERC and NERC recommend a four-part framework, consisting of security controls relating to preparation, detection and analysis, containment and eradication, and post-incident activity.

UK Agency Warns Schools and Universities About Ransomware Attacks As students worldwide return to schools, colleges, and universities, education providers are most concerned with defending against a COVID-19 outbreak. But the UK’s National Cyber Security Centre (NCSC) gave a stark warning about a different type of threat: ransomware. The NCSC’s alert describes “recent trends observed in ransomware attacks” targeting the education sector, which the agency says are increasingly common. The guidance follows a series of ransomware attacks against universities in the UK, US, and Canada this July. The agency warns that cybercriminals are exploiting out-of-date software and are accessing remote desktop protocol (RDP) software using credentials stolen via phishing attacks. It also warns that phishing emails are being used to deploy ransomware. So how does the NCSC recommend education providers protect themselves? The same ways all cyber-secure organizations protect themselves — including ”disrupting ransomware attack vectors” by implementing phishing defenses, and “enabling effective recovery” by keeping backups of data. Implementing DMARC is also essential to prevent brand impersonation and successful spear phishing attacks. And, according to Tessian research, 40% of the top 20 US universities aren’t using DMARC records.  TikTok Ban Delayed Following ByteDance Sale On September 21, US President Trump said he had approved the sale of part of ByteDance, the parent company of video-sharing platform TikTok, to Oracle and Wal-Mart. The deal temporarily averts harsh restrictions on TikTok set out by the US Department of Commerce three days earlier. The sale results from an executive order issued by President Trump in August, stating that the TikTok app “captures vast swaths of information from its users, including… location data and browsing and search histories.” TikTok maintains that this activity is standard industry practice. The US companies could take a collective 20% stake in ByteDance, with Oracle hosting TikTok user data in Oracle Cloud. Some analyses suggest that security-conscious nations and businesses are increasingly likely to implement these sorts of “data localization” measures. Trump had previously assured the public that TikTok would be “totally controlled” by the US firms. However, the president assured a press conference that the companies would be using “separate clouds and very, very powerful security.” That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post. 

Thanks to the digital transformation and increasingly strict data security obligations, law firms’ business priorities are changing. Today, data protection, transparency, and privacy are top-of-mind.  It makes sense.  Keep reading to find out… Why the legal sector is bound to such strict compliance standards Which regulations govern law firms How cybersecurity can help ensure compliance Interested in learning more about regional compliance standards or those that impact other industries? Check out our Compliance Hub to find articles, tips, guides, and more.

Why is the legal sector bound to strict compliance standards? Lawyers’ hard drives, email accounts, and smartphones can contain anything from sensitive intellectual property and trade secrets to the Personally Identifiable Information (PII) of clients.  Unfortunately, hackers and cybercriminals are all too aware of this. It’s no surprise, then, that the legal sector is amongst the most targeted by social engineering attacks like spear phishing. Ransomware is a big problem, too. In fact, just a few months ago, Grubman Shire Meiselas & Sacks, a prominent media law firm, had its client information compromised.  Those behind the attack later threatened to auction some of these files concerning major celebrities for as much as $1.5 million unless the firm paid a $42 million ransom.  But, it’s not just inbound attacks that law firms have to worry about. Because the legal sector is highly competitive, incidents involving Insider Threats are a concern, too.  96% of IT leaders working in the legal sector say they’re worried that someone within the organization will cause a breach, either accidentally (via a misdirected email, for example) or maliciously.  The regulations governing law firms When it comes to data protection and privacy, the legal sector is subject to a relatively strict regulatory framework both under the law and rules imposed by professional bodies. Depending on where a firm is based and what its practice areas are, it can be subject to several stringent laws and regulations. This is especially true for firms operating in major markets like the United States, the United Kingdom, and the European Union. In this article, we’ll focus on some of the more general regulations and standards that all firms operating in these markets are expected to abide by. General Data Protection Regulation (GDPR) When the GDPR was introduced in 2018, it represented the largest change to data protection legislation in almost two decades. It also contains some of the most thorough compliance obligations for law firms and indeed any other entity that collects, stores, and processes data. The GDPR has been designed to help and guide organizations with a legitimate business interest as to how personal data should be handled and gives regulators the power to impose large fines on firms that aren’t compliant.  You can read more about the largest GDPR fines (so far) in 2020 on our blog. What is the GDPR’s purpose? The GDPR was introduced amid growing concerns surrounding the safety of personal data and the need to protect it from hackers, cybercrime, Insider Threats, unethical use, and the growing attack surface.  Essentially, it gives citizens full and complete control of their data, subject to some restrictions (for example, where data must be held by firms by law).  What is the scope of the GDPR? The legislation regulates the use of ‘personal data’ and applies to all organizations located within the EU, as well as organizations outside the EU who offer their goods or services to EU citizens. It also applies to organizations that hold data pertaining to EU citizens, regardless of their location.  What should law firms know about the GDPR? The main part of the GDPR that law firms should be paying attention to is Article 5.  This sets out the principles relating to the collection and processing of personal data. The six key principles are that personal data: Should be processed lawfully, fairly and in a transparent manner; Should only be collected for legitimate purposes; Should be limited to what’s necessary in relation to the purpose(s) it’s processed; Must be accurate and kept up to date, with any inaccurate erased or rectified; Should be held for longer than is necessary for its purposes*; and Should be held with adequate security against theft, loss, and/or damage.  The GDPR also gives your clients the right to ask for their data to be removed (‘right of erasure’) without the need for any outside authorization. Note: Data can only be kept contrary to a client’s wishes to ensure compliance with other regulations.  What should a firm do in the event of a breach? Before GDPR, law firms could follow their own protocols when dealing with a data breach. But now, the GDPR forces firms to report any data breaches, no matter how big or small they are, to the relevant regulatory authority within 72 hours. In the UK, for example, the regulatory authority is the Information Commissioner’s Office (ICO):  The notification must: Contain relevant details regarding the nature of the breach; The approximate number of people impacted; and Contact details of the firm’s Data Protection Officer (DPO).  Clients who have had their personal data compromised must also be notified of the breach, the potential outcome, and any remediation “without undue delays”.  It’s important to note that breaches aren’t always the results of malicious activity by an Insider Threat or hacker outside the organization. Even accidents can result in breaches. In fact, misdirected emails (emails sent to the wrong person) has consistently been one of the most frequently reported incidents to the ICO.  That’s why it’s essential law firms (and other organizations) have safeguards in place to prevent mistakes like these from happening. Looking for a solution? Tessian Guardian prevents misdirected emails in some of the world’s most prestigious law firms, including Dentons, Hill Dickinson, and Travers Smith What are the penalties for non-compliance? Financial penalties imposed for GDPR violations can be harsh, and they often are; regulatory authorities are keen to highlight just how important the GDPR is and how seriously it should be taken. Fines for non-compliance can be as high as 4% of annual global turnover or €20 million—whichever is higher. American Bar Association Rule 1.6 Rule 1.6 governs the confidentiality of client information. It states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Simply put, lawyers must make efforts to protect the data of their clients.  Two years ago, the American Bar Association issued new guidance in the form of Formal Opinion 483. This covers the importance of data protection and how firms should act when, not if, a security breach happens. This wording demonstrates that the ABA recognizes that breaches are part and parcel of firms operating in the modern world, and the statistics confirm this. 

In essence, Formal Opinion 483 states:  Lawyers have a duty of competence in implementing adequate security measures regarding technology. Lawyers must reasonably and continuously assess their systems, operating procedures, and plans for mitigating a breach. In the event of a suspected or confirmed breach, lawyers must take steps to stop the attack and prevent any further loss of data. When a breach is detected and confirmed, lawyers must inform their clients in a timely manner and with enough information for clients to make informed decisions.  The bottom line: law firms must protect data with cybersecurity. Solicitors’ Regulation Authority Code of Conduct In the UK, solicitors are obliged under the Solicitors’ Regulation Authority (SRA) Code of Conduct to maintain effective systems and mitigate risks to client confidentiality and client money. Solicitors are also obliged to ensure systems comply more broadly with the SRA’s other regulatory arrangements.  The SRA says that, although being hacked or falling victim to a data breach is not necessarily a failure to meet these requirements, firms should take proportionate steps to protect themselves and their clients while retaining the advantages of advanced IT.  Where a report of cybercrime (note: crime, not a loss that takes place due to negligence) is received, the SRA takes a constructive approach in dealing with the firm, especially if the firm:  Is proactive and immediately notifies the SRA. Has taken steps to inform the client and as a minimum make good any loss. Shows they are taking steps to improve their systems and processes to reduce the risk of a similar incident happening again.  That means that, under the SRA’s Code of Conduct, law firms should take steps to prevent inbound attacks like spear phishing and set-up policies and processes that ensure swift reporting.  The good news is, Tessian can help with both inbound attacks and Insider Threats and has a history of successfully protecting law firms around the world from both. 

How Tessian helps law firms stay compliant Across all three of the regulations listed here, there’s one commonality: law firms are responsible for ensuring that their IT systems and processes are robust and secure enough to keep data safe and mitigate the chance of a breach taking place.  But, that’s easier said than done, especially in our dynamic and digitally connected world where threats are ever-evolving. So, where should law firms start? Email. 90% of all data breaches start on email and it’s the threat vector IT leaders are most concerned about protecting. That’s why Tessian is focused on protecting this channel. Across three solutions, Tessian detects and prevents threats using machine learning, which means it’s constantly adapting, without requiring maintenance from thinly-stretched security teams. Tessian Defender detects and prevents spear phishing Tessian Guardian detects and prevents accidental data loss via misdirected email Tessian Enforcer detects and prevents data exfiltration attempts from Insider Threats Importantly, Tessian is non-disruptive. That way, partners, lawyers, and administrators can do their jobs without security getting in the way. Tessian stops threats, not business.  To learn more about how Tessian helps law firms like Dentons, Hill Dickinson, and Travers Smith protect data, maintain client trust, and satisfy compliance standards, talk to one of our experts. 

Everyone makes mistakes at work. It could be double-booking a meeting, attaching the wrong document to an email, or misinterpreting directions from your boss. While these snafus may cause red-faced embarrassment, they generally won’t have any long-term consequences. But, what about mistakes that compromise cybersecurity? This happens more often than you might think. In fact, nearly half of employees say they’ve done it, and employees under 40 are among the most likely. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); In this article, we’ll focus on email mistakes. You’ll learn: The top five email mistakes that compromise cybersecurity How frequently these incidents happen What to do if you make a mistake on email

I sent an email to the wrong person At Tessian, we call this a misdirected email. If you’ve sent one, you’re not alone. 58% of people say they’ve done it and, according to Tessian platform data, at least 800 are fired off every year in organizations with over 1,000 people. It’s also the number one security incident reported to the Information Commissioner’s Office (ICO) under the GDPR. (More on the consequences related to data privacy below.) Why does it happen so often? Well, because it’s incredibly easy to do. It could be a simple typo (for example, sending an email to [email protected] instead of [email protected]) or it could be an incorrect suggestion from autocomplete.  What are the consequences of sending a misdirected email? While we’ve written about the consequences of sending an email to the wrong person in this article, here’s a high-level overview:  Embarrassment  Fines under compliance standards like GDPR and CCPA Lost customer trust and increased churn Job loss Revenue loss Damaged reputation

Real-world example of a misdirected email In 2019, the names of 47 claimants who were the victims of sexual abuse were leaked in an email from the program administrator after her email client auto-populated the wrong email address.  While the program administrator is maintaining that this doesn’t qualify as a data leak or breach, the recipient of the email – who worked in healthcare and understands data privacy requirements under HIPAA – continues to insist that the 47 individuals must be notified.  As of September 2020, they still haven’t been. I accidentally hit “reply all” or cc’ed someone instead of bcc’ing them Like sending a misdirected email, accidentally hitting “reply all” or cc instead of bcc are both easy mistakes to make.  What are the consequences of hitting “reply all” or cc instead of bcc? As you may have guessed, the consequences are the same as the consequences of sending a misdirected email. And, importantly, the consequences depend entirely on what information was contained in, or attached to, the email. For example, if you drafted a snarky response to a company-wide email and intended to send it to a single co-worker but ended up firing it off everyone, you’ll be embarrassed and may worry about your professional credibility.  But, if you replace that snarky response with a spreadsheet containing medical information about employees, you’ll have to report the data loss incident which could have long-term consequences. Real-world example of hitting “reply all” In 2018, an employee at the Utah Department of Corrections accidentally sent out a calendar invite for her division’s annual potluck. Harmless, right? Wrong. Instead of sending the invite to 80 people, it went to 22,000; nearly every employee in Utah government. While there were no long-term consequences (i.e., it wasn’t considered a data loss incident or breach) it does go to show how easily data can travel and land in the wrong hands.  Real-world example of cc’ing someone instead of bcc’ing them On January 21, 2020, 450 customer email addresses were inadvertently exposed after they were copied, rather than blind copied, into an email. The email was sent by an employee at speaker-maker Sonos and, while it was an accident, under GDPR, the mistake is considered a potential breach.  I fell for a phishing scam According to Tessian research, 1 in 4 employees has clicked on a phishing email. But, the odds aren’t exactly in our favor. In 2019, 22% of breaches in 2019 involved phishing…and 96% of phishing attacks start on email. (You can find more Phishing Statistics here.) Like sending an email to the wrong person, it’s easy to do, especially when we’re distracted, stressed, or tired. But, it doesn’t just come down to psychology. Phishing scams are getting harder and harder to detect as hackers use increasingly sophisticated techniques to dupe us.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); What are the consequences of falling for a phishing scam? Given the top five “types” of data that are compromised in phishing attacks (see below), the consequences of a phishing attack are virtually limitless. Identify theft. Revenue loss. Customer churn. A wiped hardrive. But, the top five “types” of data that are compromised in a phishing attack are: Credentials (passwords, usernames, pin numbers) Personal data (name, address, email address) Internal data (sales projections, product roadmaps)  Medical (treatment information, insurance claims) Bank (account numbers, credit card information) Real-world example of a successful phishing attack In August 2020, The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on. While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. But, most phishing attacks have serious consequences. According to one report, 60% of organizations lose data. 50% have credentials or accounts compromised. Another 50% are infected with ransomware. 35% experience financial losses. I sent an unauthorized email As a part of a larger cybersecurity strategy, most organizations will have policies in place that outline what data can be moved outside the network and how it can be moved outside the network. Generally speaking, sending data to personal email accounts or third-parties is a big no-no. At Tessian, we call these emails “unauthorized” and they’re sent 38x more than IT leaders estimate. Tessian platform data shows that nearly 28,000 unauthorized emails are sent in organizations with 1,000 employees every year.  So, why do people send them? It could be well-intentioned. For example, sending a spreadsheet to your personal email address to work over the weekend. Or, it could be malicious. For example, sending trade secrets to a third-party in exchange for a job opportunity.  What are the consequences of sending an unauthorized email Whether well-intentioned or malicious, the consequences are the same: if the email contains data, it could be considered a data loss incident or even a breach. In that case, the consequences include: Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation No sensitive data involved? The consequences will depend on the organization and existing policies. But, you should (at the very least) expect a warning.  Real-world example of an unauthorized email In 2017, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes. You can find more real-word examples of “Insider Threats” in this article: Insider Threats: Types And Real-World Examples How can I avoid making mistakes on email? The easiest answer is: be vigilant. Double-check who you’re sending emails to and what you’re sending. Make sure you understand your company’s policies when it comes to data. Be cautious when responding to requests for information or money.  But vigilance alone isn’t enough. To err is human and, as we said at the beginning of this article, everyone makes mistakes.  That’s why to prevent email mistakes, data loss, and successful targeted attacks, organizations need to implement email security solutions that prevent human error. That’s exactly what Tessian does. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships. Tessian Guardian automatically detects and prevents misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts Tessian Defender automatically detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. That means it gets smarter over time to keep you protected, always.  Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.

The end of the month means another roundup of the top cybersecurity headlines. Keep reading for a summary of the top 12 stories from August. Bonus: We’ve included links to extra resources in case anything piques your interest and you want to take a deeper dive. Did we miss anything? Email [email protected] Russian charged with trying to recruit Tesla employee to plant malware  Earlier this week, news broke that the FBI had arrested Egor Igorevich Kriuchkov – a 27-year-old Russian citizen – for trying to recruit a fellow Tesla employee to plant malware inside the Gigafactory Nevada. The plan? Insert malware into the electric car maker’s system, causing a distributed denial of service (DDos) attack to occur. This would essentially give hackers free rein over the system.  But, instead of breaching the network, the Russian-speaking employee turned down Egor’s million-dollar offer (to be paid in cash or bitcoin) and instead worked closely with the FBI to thwart the attack. Feds warn election officials of potentially malicious ‘typosquatting’ websites Stories of election fraud have dominated headlines over the last several months. The latest story involves suspicious “typosquatting” websites that may be used for credential harvesting, phishing, and influence operations.

While the FBI hasn’t yet identified any malicious incidents, they have found dozens of illegitimate websites that could be used to interfere with the 2020 vote.   To stay safe, make sure you double-check any URLs you’ve typed in and never input any personal information unless you trust the domain.  Former Google engineer sent to prison for stealing robocar secrets An Insider Threat at Google who exfiltrated 14,000 files five years ago has been sentenced to 18 months in prison. The sentencing came four months after Anthony Levandowski plead guilty to stealing trade secrets, including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.  He’s also been ordered to pay more than $850,000. Looking for more information about the original incident? Check out this article: Insider Threats: Types and Real-World Examples. All the information you need is under Example #4. For six months, security researchers have secretly distributed an Emotet vaccine across the world Emotet – one of today’s most skilled malware groups – has caused security and IT leaders headaches since 2014.  But, earlier this year, James Quinn, a malware analyst working for Binary Defense, discovered a bug in Emotet’s code and was able to put together a PowerShell script that exploited the registry key mechanism to crash the malware. According to ZDNet, he essentially created “both an Emotet vaccine and killswitch at the same time.” Working with Team CYMRU, Binary Defense handed over the “vaccine” to national Computer Emergency Response Teams (CERTs), which then spread it around the world to companies in their respective jurisdictions. Online business fraud down, consumer fraud up New research from TransUnion shows that between March and July, hackers have started to change their tactics. Instead of targeting businesses, they’re now shifting their focus to consumers. Key findings include: Consumer fraud has increased 10%, while business fraud has declined 9% since the beginning of the pandemic Nearly one-third of consumers have been targeted by COVID-19 related fraud Phishing is the most common method used in fraud schemes You can read the full report here. FBI and CISA issue warning over increase in vishing attacks A joint warning from the Federal Bureau of Investigations (FBI) and Cybersecurity Infrastructure Security Agency (CISA) was released in mid-August, cautioning the public that they’ve seen a spike in voice phishing attacks (known as vishing).  They’ve attributed the increase in attacks to the shift to remote working. Why? Because people are no longer able to verify requests in-person. Not sure what vishing is? Check out this article, which outlines how hackers are able to pull off these attacks, how you can spot them, and what to do if you’re targeted.  TikTok sues U.S. government over Trump ban In last month’s cybersecurity roundup, we outlined why India had banned TikTok and why America might be next. 30 days later, we have a few updates. On August 3, President Trump said TikTok would be banned in the U.S. unless it was bought by Microsoft (or another company) before September 15. Three days later, Trump signed an executive order barring US businesses from making transactions with TikTok’s parent company, ByteDance. The order will go into effect 45 days after it was signed. A few weeks later, ByteDance filed a lawsuit against the U.S. government, arguing the company was denied due process to argue that it isn’t actually a national security threat. In the meantime, TikTok is continuing its sales conversations with Microsoft and Oracle. Stay tuned next month for an update on what happens in the next 30 days. A Stanford deception expert and cybersecurity CEO explain why people fall for online scams According to a new research report – The Psychology of Human Error – nearly half of employees have made a mistake at work that had security repercussions. But why? Employees say stress, distraction, and fatigue are part of the problem and drive them to make more mistakes at work, including sending emails to the wrong people and clicking on phishing emails.  And, as you might expect, the sudden transition to remote work has only added fuel to the fire. 57% of employees say they’re even more distracted when working from home.  To avoid making costly mistakes, Jeff Hancock, a professor at Stanford, recommends taking breaks and prioritizing self-care. Of course, cybersecurity solutions will help prevent employees from causing a breach, too. University of Utah pays $457,000 to ransomware gang On August 21, the University of Utah posted a statement on its website saying that they were the victim of a ransomware attack and, to avoid hackers leaking sensitive student information, they paid $457,000. But, according to the statement, the hackers only managed to encrypt .02% of the data stored on their servers. While the University hasn’t revealed which ransomware gang was behind the attack, they have confirmed that the attack took place on July 19, that it was the College of Social and Behavioral Sciences that was hacked, and that the university’s cyber insurance policy paid for part of the ransom. Verizon analyzed the COVID-19 data breach landscape This month, Verizon updates its annual Data Breach Landscape Report to include new facts and figures related to COVID-19. Here some of the trends to look out for based on their findings: Breaches caused by human error will increase. Why? Many organizations are operating with fewer staff than before due to either illness or layoffs. Some staff may also have limitations because of new remote working set-ups. When you combine that with larger workloads and more distractions, we’re bound to see more mistakes. Organizations should be especially wary of stolen-credential related hacking, especially as many IT and security teams are working to lock down and maintain remote access.  Ransomware attacks will increase in the coming months. SANS Institute Phishing Attack Leads to Theft of 28,000 Records  The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on. While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. The cybersecurity skills shortage is getting worse In March, Tessian released its Opportunity in Cybersecurity Report which set out to answer one (not-so-simple) question: Why are there over 4 million unfilled positions in cybersecurity and why is the workforce twice as likely to be male than female? The answer is multi-faceted and has a lot to do with a lack of knowledge of the industry and inaccurate perceptions of what it means to work in cybersecurity.  The bad news is, it looks like the problem is getting worse. A recent report, The Life and Times of Cybersecurity Professionals 2020, shows that only 7% of cybersecurity professionals say their organization has improved its position relative to the cybersecurity skills shortage in the last several years. Another 58% say their organizations should be doing more to bridge the gap. What do you think will help encourage more people to join the industry?  That’s all for this month! Keep up with us on social media and check our blog for more updates.

Understanding how stress impacts your employees’ cybersecurity behaviors could significantly reduce the chances of people’s mistakes compromising your company’s security, our latest research reveals.   Consider this. A shocking 93% of US and UK employees told us they feel tired and stressed at some point during their working week, with one in 10 feeling tired every day. And perhaps more worryingly, nearly half (46%) said they have experienced burnout in their career.  Then consider that nearly two-thirds of employees feel chained to their desks, as 61% of respondents in our report said there is a culture of presenteeism in their organization that makes them work longer hours than they need to. Nearly 70% of employees also agreed that there is an expectation within their company to respond to emails quickly.  Employees are overwhelmed, overworked and are feeling the pressure to keep pace with their organization’s demands. 

The effects of the pandemic  The events of 2020 haven’t helped matters either. In the wake of the global pandemic, people have experienced extremely stressful situations that affected their health and finances, against a backdrop of political uncertainty and social unrest, while simultaneously juggling the demands of their jobs. The sudden shift to remote working also meant that people were surrounded by new distractions, and over half of respondents (57%) told us they felt more distracted when working from home.  According to Jeff Hancock, a professor at Stanford University who collaborated with us on this report, people tend to make mistakes or decisions they later regret when they are stressed and distracted. This is because when our cognitive load is overwhelmed, and when our attention is split between multiple tasks, we aren’t able to fully concentrate on the task in front of us. What does this mean for security?  Not only are these findings incredibly concerning for employees’ health and wellbeing, these factors could also explain why mistakes that compromise cybersecurity are happening more than ever. The majority of employees (52%) we surveyed said they make more mistakes at work when they are stressed.  !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); Younger employees seem to be more affected by stress than their older co-workers, though. Nearly two-thirds of workers aged 18-30 years old (62%) said they make more mistakes when they are stressed, compared to 45% of workers over 51 years old.  Our research also revealed that 43% and 41% of employees believe they are more error-prone when tired and distracted, respectively. In fact, people cited distraction as the top reason for why they fell for a phishing scam at work while 44% said they had accidentally sent an email to the wrong person (44%) because they were tired.  While these mistakes may seem trivial on the surface, phishing is the number one threat vector used by hackers today and one in five companies told us they have lost customers as a result of an employee sending an email to the wrong person. Far from red-faced embarrassment, these mistakes are compromising businesses’ cybersecurity.

The other problem is that hackers are preying on our vulnerable states, and using them to their advantage. Cybercriminals know people are stressed and looking for information about the pandemic and remote working. They know that some individuals are struggling financially and others have lost their jobs. The lure of a ‘too-good-to-be-true’ deal or ‘get a new job fast’ offer may suddenly look very appealing, especially if the email appears to have come from a trusted source, and cause people to click.  So what can businesses do to protect employees from mistakes caused by burnout?  Business and security leaders need to realise that it’s unrealistic for employees to act as the company’s first line of defence. You cannot expect every employee to spot every scam or make the right cybersecurity decision 100% of the time, particularly when they’re dealing with stressful situations and working in environments filled with distractions. When faced with never-ending to-do lists and back-to-back Zoom calls, cybersecurity is the last thing on people’s minds. In fact, a third of respondents told us they “rarely” or “never” think about security when at work.  Businesses, therefore, need to create a culture that doesn’t blame people for their mistakes and, instead, empowers them to do great work without security getting in the way. Understand how stress impacts people’s cybersecurity behaviors and tailor security policies and training so that they truly resonate for every employee.

Educating people on how hackers might take advantage of their stress and explaining the types of scams that people could be susceptible to is an important first step. For example, a hacker could impersonate a senior IT director, supposedly communicating the implementation of new software to accommodate the move back into the office, and asks employees to share their account credentials. Or a hacker may pose as a trusted government agency requesting personal information in relation to a new financial relief scheme.  Businesses should also implement solutions that can help employees make good cybersecurity decisions and reduce risk over time. Security solutions like Tessian use machine learning to understand employee behaviours to alert people to risks on email as and when they arise. By warning individuals in real-time, we can educate individuals as to why the email they were about to send or have received is a threat to company security. It helps to make people think twice before they do something they might regret.  With remote working here to stay, and with hackers continually finding ways to capitalize on people’s stress in order to manipulate them, businesses must prioritize cybersecurity at the human layer. Only by understanding why people make mistakes that compromise cybersecurity, can you begin to prevent burnout from causing your next data breach.

We all make mistakes. But with over two-fifths of employees saying they’ve made mistakes at work that have had security repercussions, businesses need to find a way to stop mistakes from happening before they compromise cybersecurity.  That’s why we developed our report The Psychology of Human Error, with the help of Jeff Hancock, a professor at Stanford University and expert in social dynamics online.  We wanted to understand why these mistakes are happening, rather than simply dismissing incidents of human error as people acting carelessly or labeling people the ‘weakest link’ when it comes to security. By doing so, we hope businesses can better understand how to protect their people, and the data they control.  Key findings: 43% of employees have made mistakes that have compromised cybersecurity A third of workers (33%) rarely or never think about cybersecurity when at work 52% of employees make more mistakes when they’re stressed, while 43% are more error-prone when tired 58% have sent an email to the wrong person at work and 1 in 5 companies lost customers after an employee sent a misdirected email  Read on to learn why this matters. You can also register for our webinar on August 19 here. We’ll be exploring key findings from the report with Jeff Hancock. You’ll walk away with a better understanding of how hacker’s are manipulating employees and what you can do to stop them. What mistakes are people making?  The majority of our survey respondents said they had sent an email to the wrong person, with nearly one-fifth of these misdirected emails ending up in the wrong external person’s inbox.  Far from just red-faced embarrassment, this simple mistake has devastating consequences. Not only do companies face the wrath of data protection regulators for flouting the rules of regulations like GDPR, our research reveals that one in five companies lost customers as a result of a misdirected email, because the trust they once had with their clients was broken. What’s more, one in 10 workers said they lost their job.  !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); Another mistake was clicking on links in phishing emails, something a quarter of respondents (25%) said they had done at work. This figure was significantly higher in the Technology industry however, with 47% of workers in this sector saying they’d fallen for phishing scams. It goes to show that even the most cybersecurity savvy people can make mistakes.  Interestingly, men were twice as likely as women to fall for phishing scams. While researchers aren’t 100% sure as to why gender differences play a factor in phishing susceptibility, our report does show that demographics play a role in people’s cybersecurity behaviors at work.  What’s causing these mistakes to happen?  1. Younger employees are 5x more likely to make mistakes 50% aged 18-30 years olds said they had made such mistakes with security repercussions for themselves or their organization. Just 10% of workers over 51 said the same.  This disparity, our report suggests, is not because younger workers are more careless. Rather, it may be because younger workers are actually more aware that they have made a mistake and are also more willing to admit their errors. For older generations, Professor Hancock explains, self-presentation and respect in the workplace are hugely important. They may be more reluctant to admit they’ve made a mistake because they feel ashamed due to preconceived notions about their generations and technology. Businesses, therefore, need to not only acknowledge how age affects cybersecurity behaviors but also find ways to deshame the reporting of mistakes in their organization. 2. 93% of employees are stressed and tired Employees told us they make more mistakes at work when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%).  This is concerning when you consider that an overwhelming 93% of employees surveyed said they were either tired or stressed at some point during the working week. This isn’t helped by the fact that nearly two-thirds of employees feel chained to their desks, with 61% saying there is a culture of presenteeism in their organization that makes them work longer hours than they need to.  The Covid-19 pandemic has put people under huge amounts of stress and change. In light of the events of 2020, our findings call for businesses to empathize with people’s positions and understand the impact stress and working cultures have on cybersecurity.

3. 57% of employees are being driven to distraction 47% of employees surveyed cited distraction as a top reason for falling for a phishing scam, while two-fifths said they sent an email to the wrong person because they were distracted.  With over half of workers (57%) admitting they’re more distracted when working from home, the sudden shift to remote-working could open businesses up to even more risks caused by human error. It’s hardly surprising. We suddenly had to set-up offices in the homes we share with our young children, pets and our housemates. There’s a lot going on, and mistakes are likely to happen. 

4. 41% thought phishing emails were from someone they trusted Over two-fifths of people (43%) mistakenly clicked on phishing emails because they thought the request was legitimate, while 41% said the email appeared to have come from either a senior executive or a well-known brand.  Over the past few months, we’ve seen hackers impersonating well-known brands and trusted authorities in their phishing scams, taking advantage of people’s desire to seek guidance and information on the pandemic. Impersonating someone in a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns. Why? Because they know how difficult or unlikely it is to ignore a request from someone you like, respect or report into.  Businesses need to protect their people from these phishing scams. Educate staff on the ways hackers could take advantage of their circumstances and invest in solutions that can detect the impersonations, when your distracted and overworked employees can’t. !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); But how can businesses prevent these mistakes from happening in the first place?  To successfully prevent mistakes from turning into serious security incidents, businesses have to take a more human approach.  It’s all too easy to place the blame of data breaches on people’s mistakes. But businesses have to remember that not every employee is an expert in cybersecurity. In fact, a third of our survey respondents (33%) said they rarely or never think about cybersecurity when at work. They are focused on getting the jobs they were hired to do, done. !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); Training and policies help. However, combining this with machine intelligent security solutions – like Tessian – that automatically alert individuals of potential threats in real-time is a much more powerful tool in preventing mistakes before they turn into breaches.  Alerting employees to the threat in-the-moment helps override impulsive and dangerous decision-making that could compromise cybersecurity. By using explainable machine learning, we arm employees with the information they need to apply conscious reasoning to their actions over email, making them think twice before doing something they might regret. 

And with greater visibility into the behaviors of your riskiest and most at-risk employees, your teams can tailor security training and policies to influence and improve staff’s cybersecurity behaviors. Only by protecting people and preventing their mistakes can you ensure data and systems remain secure, and help your people do their best work. Read the full Psychology of Human Error report here.

While organizations may have struggled initially to get their employees set-up to work securely outside of their normal office environment, by now, most have introduced new software, policies, and procedures to accommodate their new distributed teams.  Problem solved, right? Not quite. While 91% of IT leaders trust their employees to follow security best practice while out of the office, almost half (48%) of employees say they’re less likely to follow safe data practices when working remotely and a further 52% say they feel as though they can get away with riskier behavior when working from home.   In our latest research report, The State of Data Loss Prevention 2020, we explore the reasons why.  Key findings include: 50% of employees say they’re less likely to follow safe data practices when working from home because they’re not working on their usual devices. 48% of employees say they’re less likely to follow safe data practices when working from home because they feel as though they’re not being watched by their IT teams. 47% of employees say they’re less likely to follow safe data practices when working from home because they’re distracted. Read on to learn why this matters and what you can do to promote safer security practices in your organization.

Why is data loss prevention (DLP) harder when workforces are remote? 84% of IT leaders say that DLP is more challenging when employees are working remotely. It makes sense. One or two offices have become thousands of virtual offices which means maintaining visibility over data flow is more difficult than ever.  People are relying more heavily on email and other communication tools and are therefore sending data more frequently. Security and IT teams have limited control over how employees handle physical data (for example how they print, store, and dispose of documents). And there’s been a spike in inbound attacks like phishing since the outbreak of COVID-19.  This is to say that organizations are more vulnerable across email security, physical security, and network security. While there are tools to detect and prevent incidents, data loss prevention ultimately relies on people. After all, it’s people who control our systems and data. They’re the gatekeepers of an organization’s most sensitive information. But, despite IT leaders’ confidence and optimism (91% say they trust their employees to follow security best practice while out of the office), nearly half (48%) of employees say they’re less likely to.   !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); The question is: Why?

1. 50% of employees say they’re less likely to follow safe data practices when working from home because they’re not working on their usual devices. Most of us have dedicated workstations in the office and have grown accustomed to certain equipment. Whether it’s multiple monitors, a desktop, a keyboard, a printer, or a trackpad, we’re comfortable working on our usual devices.  At home, not all of us are so lucky. And, while security and IT teams around the world have worked hard to get their teams set-up at home, there have been delays and even cancellations in global supply chains providing laptops, cell phones, and other technology.  What to do about it: If you’re unable to get your employees the equipment they need, you should consider BYOD policies. We’ve covered the benefits, potential security risks, and tips for employers and employees in this blog: Remote Worker’s Guide To: BYOD Policies.  You can also implement training sessions for new devices to ensure your employees feel comfortable using them. (Be sure to also train your employees on any new applications or software!) 2. 48% of employees say they’re less likely to follow safe data practices when working from home because they feel as though they’re not being watched by their IT teams. While we can say with confidence that the average employee wants to do the right thing when it comes to security, it’s important to remember that first and foremost, they want to get their jobs done. And, if security policies, procedures, or software makes that difficult or prevents them from doing it all together, they’ll find a workaround.  In fact, 54% of employees say exactly that. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); In an office environment, it’s easier for IT and security teams to maintain visibility of employee behavior. They can see if someone isn’t locking their laptop. They can see if someone is using a USB stick when they shouldn’t. They can see if someone has skipped security training. But, IT and security teams aren’t just there to enforce rules. They’re also there to educate employees and build a strong security culture. That’s harder with distributed workforces.

What to do about it: Communicate, communicate, communicate. Whether it’s sharing information about new threats, reminding employees of security do’s and don’ts, or offering an individual or team kudos for secure behavior, you need to consistently remind your team not only that you’re there, but that you’re there to help. But, you shouldn’t over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. 3. 47% of employees say they’re less likely to follow safe data practices when working from home because they’re distracted. We’re not just working from home. We’re working from home during a crisis. It’s essential that security and business leaders keep this in mind. While most of us are trying to conduct “business as usual”, most of us are also dealing with a range of challenges. Parents have suddenly taken on the roles of teachers. Living rooms have been turned into makeshift coworking spaces for partners and roommates. Employees are navigating mass lay-offs and furlough schemes. Current social and political unrest is triggering emotional stress and anxiety. The bottom line: There’s a lot going on.  That means people are more likely to make mistakes. They may send an email to the wrong person. They may misconfigure a firewall. They may make sensitive documents public instead of private on a Google Drive. While these are “small” mishaps, they can have big consequences. In fact, each of the above incidents has caused a data breach.   What to do about it: Start by being empathetic and compassionate. Take the mental wellbeing of your employees seriously and give them the tools, resources, and support they need to thrive. We’ve put together some tips in this blog: 3 Practical Ways to Support Mental Wellbeing in the Workplace. Beyond that, though, you have to implement solutions that prevent human error. Why? Because it’s simply not fair (or realistic) to rely on people to do the right thing 100% of the time.  Tessian does this across three solutions: Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Curious how frequently these incidents are happening in your organization? Click here for a free threat report. How does Tessian support employees and security leaders working remotely? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands evolvong human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. 

Best of all: It works silently in the background across devices. That means employees can do their job without security getting in the way and they’re protected, wherever they work. Tessian bolsters training, reinforces policies and procedures, and enables employees to do their best work.  And, with Human Layer Security Intelligence, security, IT, and compliance leaders get clear visibility into employee behavior with visualized insights and automated threat intelligence. That means detecting and preventing human error is easier than ever and organizations can continuously lower the risks of misdirected emails, data exfiltration, and impersonation attacks.

To learn more about Tessian’s solutions, book a demo. And, for more insights around data loss on email (including the most and least effective solutions) read the report: The State of Data Loss Prevention 2020.

Over the last two years, there’s been a 47% increase in the frequency of incidents involving Insider Threats. This includes malicious data exfiltration and accidental data loss. Why does this matter? Because these incidents cost organizations millions, are leading to breaches that expose sensitive customer, client, and company data, and are notoriously hard to prevent. In this article, we’ll explore how often these incidents (with different methods and motives)  are happening, the financial  impact these incidents have on larger organizations, and the effectiveness of different preventive measures.  But first: What is an Insider Threat?

If you’re looking for more background on Insider Threats, we have several resources you can read first: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions Insider Threat Indicators: 11 Ways to Recognize an Insider Threat Insider Threats: Types and Real-World Examples You can also download an infographic with the key statistics from this article. Click here. How frequently are different Insider Threat incidents happening? As we’ve said, incidents involving Insider Threats have increased by 47% since 2018. But the frequency of incidents varies industry-by-industry. Which industries are the most affected overall? Verizon’s 2020 Breach Investigations Report offers a comprehensive overview of different incidents in different industries, with a focus on patterns, actions, and assets.  They found that: The Healthcare and Manufacturing industries experience the most incidents involving  employees misusing their access privileges The Public Sector and Healthcare suffer the most from lost or stolen assets  Healthcare and Finance see the most “miscellaneous errors” (for example misdirected emails !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

Who’s the Insider? There are several different types of Insider Threats and the “who and why” behind these incidents can vary.  According to one study: Negligent Insiders are the most common and account for 62% of all incidents.  Negligent Insiders who have their credentials stolen account for 25% of all incidents Malicious Insiders are responsible for 14% of all incidents !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Looking at Tessian’s own platform data, Negligent Insiders may be responsible for even more incidents than most expected. On average, 800 emails are sent to the wrong person every year in companies with 1,000 employees. This is 1.6x more than IT leaders estimate.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Why did they do it? When it comes to the “why”, Insiders – specifically Malicious Insiders – are often motivated by money, a competitive edge, or revenge. But, according to one report, there is a range of reasons malicious Insiders act. Some just do it for fun.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, we don’t always know exactly “why”.  For example, Tessian’s own survey data shows that 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed.  While we may be able to infer that they’re taking spreadsheets, contracts, or other documents to impress a future or potential employer, we can’t know for certain.  It’s worth noting, though, that this number is highest in competitive industries like Financial Services and Business, Consulting, & Management, which supports our theory.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); How much do incidents involving Insider Threats cost?  The cost of Insider Threat incidents varies based on the type of incident, with incidents involving stolen credentials causing the most financial damage. But, across the board, the cost has been steadily rising. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Likewise, there are regional differences in the cost of Insider Threats, with incidents in North America costing the most and almost twice as much as those in Asia-Pacific. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, overall, the average global cost has increased 31% over the last 2 years, from $8.76 million in 2018 to $11.45 in 2020 and the largest chunk goes towards containment, remediation, incident response, and investigation. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, what about prevention? How effective are preventative measures? As the frequency of Insider Threat incidents continues to increase, so does investment in cybersecurity. But, what solutions are available and which solutions do security, IT, and compliance leaders trust to detect and prevent data loss within their organizations? According to Tessian’s latest report, The State of Data Loss Prevention 2020, most rely on security awareness training, followed by following company policies/procedures, and machine learning/intelligent automation. But, incidents actually happen more frequently in organizations that offer training the most often and, while the majority of employees say they understand company policies and procedures, comprehension doesn’t help prevent malicious behavior. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); That’s why many organizations rely on rule-based solutions. But, those often fall short.  Not only are they admin-intensive for security teams, but they’re blunt instruments and often prevent employees from doing their jobs while also failing to prevent data loss from Insiders.  So, how can you detect incidents involving Insiders in order to prevent data loss and eliminate the cost of remediation? Machine learning. How does Tessian detect and prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way.  Interested in learning more about how Tessian can help prevent Insider Threats in your organization? You can read some of our customer stories here or book a demo.

Detecting and preventing Insider Threats isn’t easy. Why? Because unlike external bad actors, Insiders – whether a disgruntled employee, a distracted freelancer, or a rogue business partner – have legitimate access to systems and data. That means they’re in an ideal position to exfiltrate data. So, how do you spot one? To start, you have to know what an Insider threat is and understand the different methods and motives behind these data exfiltration attempts. What is an Insider Threat? We’ve covered this in detail in this article: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions. But, to summarize:

Insider Threats can be malicious or the result of negligence.  Malicious Insiders knowingly and intentionally steal data and generally do so for one of three reasons: financial incentives, a competitive edge, or because they’re dissatisfied at work. Negligent Insiders are just your average employees who have made a mistake. For example, they could send an email to the wrong person, misconfigure a system, fall for a phishing email, or lose their work device.   How often do incidents involving Insider Threats happen? More often than you might think. In fact, there’s been a 47% increase in incidents over the last two years. We discuss seven recent examples in this blog: Insider Threats: Types and Real-World Examples.   While every incident is different, there are some tell-tale signs of an Insider Threat.  Insider Threat indicators: Malicious Insiders Malicious Insiders may act suspiciously well before they actually exfiltrate any data. For example: 1. Declining performance or other signs of dissatisfaction As we’ve said, one reason why Insiders exfiltrate data is that they’re dissatisfied at work. It could be because of a poor performance appraisal, because they were denied a promotion or raise, or because of a disagreement with a co-worker or manager.  Whatever the reason, 1 in 10 Insider Threats is motivated by a grudge. Look out for a consistent or sudden decline in performance or attitude and for employees who become angry or combative. Employees who are actively looking for other jobs should also be on your radar. While they could simply be moving on to a new opportunity, they may be inclined to steal data in order to impress or bribe a new or potential employer.  Don’t believe us? 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed. This number nearly doubles in highly competitive industries like Financial Services and Business, Consulting, & Management.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 2. Unusual working hours While passion and enthusiasm are generally considered positive attributes when talking about an employee, these can occasionally be early signs of bad intent. For example, if an employee consistently volunteers for extra work, regularly works in the office late, comes in early, or attempts to perform work that’s outside of the scope of their normal duties, they could be trying to gain access to sensitive systems or data.  Then, of course, there are signs of the data exfiltration attempt itself. For example: 3. Large data transfers or downloads There are a number of ways to exfiltrate data, including email, Cloud Storage, USB sticks. In fact, 23% of insiders exfiltrate data via USBs and 24% exfiltrate data via laptops/tablets. Nevertheless email is the threat vector most IT leaders are concerned about. After all, it only takes one click to transfer dozens of files.  But, monitoring data movement is a challenge. How can you realistically monitor every email sent and received within your organization? With Tessian Human Layer Security Intelligence, it’s easy.  Security, IT, and compliance leaders can get detailed insights around employee behavior in a single click. No manual investigation required. 

4. Multiple failed logins (or other abnormal login activity) Whether it’s an employee trying to access networks or systems they don’t have access to or an employee with legitimate access logging in more frequently than usual, login activity can offer security teams clues about Malicious Insiders. Certainly the employee could simply be curious and may even be going above and beyond to get their job done, but these behaviors could also be indicative of nefarious intent and should be investigated.  5. Upgraded privileges or sharing access When someone is promoted or there’s some other shift in the structure of an organization, it makes sense that access to systems and data might change. But, what about when someone’s privileges or access are escalated without a clear reason why? It could be an administrator granting him or herself more privileged access or it could be a team effort. For example, an administrator could be bribed to upgrade another employee’s access. Both are signs of a Malicious Insider. Finally, there are signs that the Insider has successfully exfiltrated data or is still successfully exfiltrating data. For example: 6. Unexpected changes in financial circumstances 86% of breaches are financially motivated.  Whether it’s a list of customer email addresses being sold on the Dark Web or trade secrets being sold to a competitor, data is valuable currency. So, if you hear of or notice an employee suddenly and unexpectedly paying off debt or making expensive purchases, you may need to investigate the source of the additional income. It could be a sign that they’re profiting from company or customer data. 7. Consistent (and unusual) overseas travel Like many of the other indicators on this list, there could be a perfectly good reason why an employee travels overseas. He or she could be going on vacation, visiting friends or family, or may be traveling for work. But, as we’ve seen, it could also be a sign of corporate or foreign espionage. Case in point: A former engineer at a massive aerospace company frequently traveled to China, claiming he was lecturing. In reality, he was acting as an agent of the People’s Republic of China and was selling trade secrets. This went on for nearly 30 years before he was caught and later convicted.  Insider Threat indicators: Negligent Insiders While certain behaviors exhibited by Malicious Insiders may set off alarm bells for security teams before exfiltration attempts occur, Negligent Insiders can be harder to preempt.  Nonetheless, there are four key things to look out for. 8. Failure to comply with basic security policies Whether it’s consistently using weak passwords, refusing to enable 2FA, or frequently downloading tools or software that haven’t been approved by security teams, an employee who disregards security policies could be more likely to accidentally exfiltrate data than one who consistently plays by the book.  That’s why reminding employees of existing policies and procedures is so important. 9. Low engagement in security awareness training Most employees (and even some security leaders!) would agree that security awareness training is “boring”. And, while that may be the case, training is absolutely essential. It could be training around how to spot a phish (see below) or training around new and existing compliance standards or data privacy laws. Employees who either don’t attend training at all or who perform poorly on assessments related to that training should be closely monitored and be re-targeted with tailored programs. You can read more about how to up-level your training and create a positive security culture here. 10. History of falling for phishing attacks Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. If the attack is successful – meaning the target (an employee) falls for the scam – there could be serious consequences.  That means any employee who falls for a scam should be reminded of phishing tools and techniques and may need to be more closely monitored. 11. General carelessness or haste Accidents happen. Whether it’s firing off an email to the wrong person or accidentally leaving a computer unblocked, we all make mistakes. Nonetheless, they aren’t trivial and any employee who consistently makes mistakes will need to be reminded of security best practices and may, in some cases, need to be monitored with more stringent policies.  How can you detect and prevent Insider Threats?  When it comes to detecting and preventing Insider Threats, there are a number of solutions, including: Training Physical and Digital Monitoring  DLP tools and software  Importantly, all of these have a place in security strategies. Training should be used to reinforce existing policies, especially for those employees who consistently break the rules or make mistakes.  Security teams should be diligent in their physical and digital data monitoring and should always look out for the above warning signs. And DLP tools like rule-based solutions, endpoint scanning, firewalls, and anti-phishing software do, in some instances, help curb the problem of data loss. But, as we’ve said, incidents involving Insider Threats are on the rise which means security stacks are missing something. What they’re missing is protection for their people and at Tessian, we call it Human Layer Security. How does Tessian prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way.  Interested in learning more about how Tessian can help prevent Insider Threats in your organization? You can read some of our customer stories here or book a demo.