While phishing, ransomware, and brute force attacks tend to make headlines, misdirected emails (emails sent to the wrong person) are actually a much bigger problem. In fact, in organizations with 1,000 employees, at least 800 emails are sent to the wrong person every year. That’s two a day. You can find more insights in The Psychology of Human Error and The State of Data Loss Prevention 2020.  Are you surprised? Most people are. That’s why we’ve rounded up this list of 11 real-world (recent) examples of data breaches caused by misdirected emails. And, if you skip down to the bottom, you’ll see how you can prevent misdirected emails (and breaches!) in your organization.  If you’re looking for a bit more background, check out these two articles: What is a Misdirected Email? Consequences of Sending an Email to the Wrong Person 11 examples of data breaches caused by misdirected emails  1. University support service mass emails sensitive student information University and college wellbeing services deal with sensitive personal information, including details of the health, beliefs, and disabilities of students and their families.  Most privacy laws impose stricter obligations on organizations handling such sensitive personal information—and there are harsher penalties for losing control of such data. So imagine how awful the Wellbeing Adviser at the University of Liverpool must have felt when they emailed an entire school’s worth of undergraduates with details about a student’s recent wellbeing appointment. The email revealed that the student had visited the Adviser earlier that day, that he had been experiencing ongoing personal difficulties, and that the Adviser had advised the student to attend therapy. A follow-up email urged all the recipients to delete the message “immediately” and appeared to blame the student for providing the wrong email address. One recipient of the email reportedly said: “How much harder are people going to find it actually going to get help when something so personal could wind up in the inbox of a few hundred people?” 2. Trump White House emails Ukraine ‘talking points’ to Democrats Remember in 2019, when then-President Donald Trump faced accusations of pressuring Ukraine into investigating corruption allegations against now-President Joe Biden? Once this story hit the press, the White House wrote an email—intended for Trump’s political allies—setting out some “talking points” to be used when answering questions about the incident (including blaming the “Deep State media”). Unfortunately for the White House, they sent the email directly to political opponents in the Democratic Party. White House staff then attempted to “recall” the email. If you’ve ever tried recalling an email, you’ll notice that it doesn’t normally work.  Recalling an email only works if the recipient is on the same exchange server as you—and only if they haven’t read the email. Looking for information on this? Check out this article: You Sent an Email to the Wrong Person. Now What? Unsurprisingly, this was not the case for the Democrats who received the White House email, who subsequently leaked it on Twitter.  I would like to thank @WhiteHouse for sending me their talking points on how best to spin the disastrous Trump/Zelensky call in Trump’s favor. However, I will not be using their spin and will instead stick with the truth. But thanks though. — US Rep Brendan Boyle (@RepBrendanBoyle) September 25, 2019 3. Australia’s Department of Foreign Affairs and Trade  leaked 1,000 citizens’ email addresses On September 30, 2020, Australia’s Department of Foreign Affairs and Trade (DFAT) announced that the personal details of over 1,000 citizens were exposed after an employee failed to use BCC. So, who were the citizens Australians who have been stuck in other countries since inbound flights have been limited (even rationed) since the outbreak of COVID-19. The plan was to increase entry quotas and start an emergency loans scheme for those in dire need. Those who had their email addresses exposed were among the potential recipients of the loan. Immediately after the email was sent, employees at DFAT tried to recall the email, and event requested that recipients delete the email from their IT system and “refrain from any further forwarding of the email to protect the privacy of the individuals concerned.” 4. Serco exposes contact traces’ data in email error  In May 2020, an employee at Serco, a business services and outsourcing company, accidentally cc’d instead of bcc’ing almost 300 email addresses. Harmless, right? Unfortunately not.  The email addresses – which are considered personal data – belonged to newly recruited COVID-19 contact tracers. While a Serco spokesperson has apologized and announced that they would review and update their processes, the incident nonetheless has put confidentiality at risk and could leave the firm under investigation with the ICO.  5. Sonos accidentally exposes the email addresses of hundreds of customers in email blunder  In January 2020, 450+ email addresses were exposed after they were (similar to the example above) cc’d rather than bcc’d.  Here’s what happened: A Sonos employee was replying to customers’ complaints. Instead of putting all the email in BCC, they were CC’d, meaning that every customer who received the email could see the personal email addresses of everyone else on the list.  The incident was reported to the ICO and is subject to potential fines.

6. Gender identity clinic leaks patient email addresses In September 2019, a gender identity clinic in London exposed the details of close to 2,000 people on its email list after an employee cc’d recipients instead of bcc’ing them. Two separate emails were sent, with about 900 people cc’d on each.  While email addresses on their own are considered personal information, it’s important to bear in mind the nature of the clinic. As one patient pointed out, “It could out someone, especially as this place treats people who are transgender.”  The incident was reported to the ICO who is currently assessing the information provided. But, a similar incident may offer a glimpse of what’s to come.  In 2016, the email addresses of 800 patients who attended HIV clinics were leaked because they were – again – cc’d instead of bcc’d. An NHS Trust was £180,000. Bear in mind, this fine was issued before the introduction of GDPR. 7. University mistakenly emails 430 acceptance letters, blames “human error” In January 2019, The University of South Florida St. Petersburg sent nearly 700 acceptance emails to applicants. The problem? Only 250 of those students had actually been accepted. The other 400+ hadn’t. While this isn’t considered a breach (because no personal data was exposed) it does go to show that fat fingering an email can have a number of consequences.  In this case, the university’s reputation was damaged, hundreds of students were left confused and disappointed, and the employees responsible for the mistake likely suffered red-faced embarrassment on top of other, more formal ramifications. The investigation and remediation of the incident also will have taken up plenty of time and resources.  8. Union watchdog accidentally leaked secret emails from confidential whistleblower In January 2019, an official at Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including the identity of a whistleblower. How? The employee entered an incorrect character when sending an email. It was then forwarded to someone with the same last name – but different first initial –  as the intended recipient.  The next day, the ROC notified the whistleblower whose identity was compromised and disclosed the mistake to the Office of the Australian Information commissions as a potential privacy breach. 9. Major Health System Accidentally Shares Patient Information Due to Third-Party Software for the Second Time This Year In May 2018 Dignity Health – a major health system headquartered in San Francisco that operates 39 hospitals and 400 care centers around the west coast – reported a breach that affected 55,947 patients to the U.S. Department of Health and Human Services.  So, how did it happen? Dignity says the problem originated from a sorting error in an email list that had been formatted by one of its vendors. The error resulted in Dignity sending emails to the wrong patients, with the wrong names. Because Dignity is a health system, these emails also often contained the patient’s doctor’s name. That means PII and Protect health information (PHI) was exposed.  10. Inquiry reveals the identity of child sexual abuse victims This 2017 email blunder earned an organization a £200,000 ($278,552) fine from the ICO. The penalty would have been even higher if the GDPR has been in force at the time. When you look at the detail of this incident, it’s easy to see why the ICO wanted to impose a more severe fine. The Independent Inquiry into Child Sexual Abuse (IICSA) sent a Bcc email to 90 recipients, all of whom were involved in a public hearing about child abuse.  Sending a Bcc means none of the recipients can see each other’s details/ But the sender then sent a follow-up email to correct an error—using the “To” field by mistake. The organization made things even worse by sending three follow-up emails asking recipients to delete the original message—one of which generated 39 subsequent “Reply all” emails in response. The error revealed the email addresses of all 90 recipients and 54 people’s full names.  But is simply revealing someone’s name that big of a deal? Actually, a person’s name can be very sensitive data—depending on the context. In this case, IICSA’s error revealed that each of these 54 people might have been victims of child sexual abuse. 11. Boris Johnson’s dad’s email blunder nearly causes diplomatic incident Many of us know what it’s like to be embarrassed by our dad.  Remember when he interrogated your first love interest? Or that moment your friends overheard him singing in the shower. Or when he accidentally emailed confidential information about the Chinese ambassador to the BBC. OK, maybe not that last one. That happened to the father of U.K. Prime Minister Boris Johnson in February 2020. Johnson’s dad, Stanley Johnson, was emailing British officials following a meeting with Chinese ambassador Liu Xiaoming. He wrote that Liu was “concerned” about a lack of contact from the Prime Minister to the Chinese state regarding the coronavirus outbreak. The Prime Minister’s dad inexplicably copied the BBC into his email, providing some lucky journalists with a free scoop about the state of U.K.-China relations. It appears the incident didn’t cause any big diplomatic issues—but we can imagine how much worse it could have been if Johnson had revealed more sensitive details of the meeting.

Prevent misdirected emails (and breaches) with Tessian Guardian Regardless of your region or industry, protecting customer, client, and company information is essential. But, to err is human. So how do you prevent misdirected emails? With machine learning.  Tessian turns an organization’s email data into its best defense against human error on email. Our Human Layer Security technology understands human behavior and relationships and automatically detects and prevents emails from being sent to the wrong person. Yep, this includes typos, accidental “reply alls” and cc’ing instead of bcc’ing. Tessian Guardian can also detect when you’ve attached the wrong file. Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.

Over the past two years, 90% of the world’s data has been generated. And, as the sheer volume of data continues to grow, organizations are becoming more and more susceptible to data exfiltration.  But, why would someone want to exfiltrate data? Data is valuable currency. From an e-commerce business to a manufacturing company, organizations across industries hold sensitive information about the business, its employees, customers, and clients. What is data exfiltration? Simply put, data exfiltration indicates the movement of sensitive data from inside the organization to outside without authorization. This can either be done accidentally or deliberately. The consequences of data exfiltration aren’t just around lost data. A breach means reputational damage, lost customer trust, and fines. The best way to illustrate the different types of data exfiltration and the impact these incidents have on businesses is with examples. Examples of data exfiltration  When it comes to data exfiltration, there are countless motives and methods. But, you can broadly group attempts into two categories: data exfiltration by someone within the organization, for example, a disgruntled or negligent employee, and data exfiltration by someone outside the organization; for example, a competitor.  Data exfiltration by insiders Data exfiltration by an insider indicates that company data has been shared by a member of the company to people (or organizations) outside of the company.   While most organizations have security software and policies in place to prevent insider threats from moving data outside of the office environment and outside of company control, insiders have easy access to company data, may know workarounds, and may have the technical know-how to infiltrate “secure” systems.  Here are six examples of data exfiltration by insiders:  Over the course of 9 months, an employee at Anthem Health Insurance forwarded 18,500 members records’ to a third-party vendor. These records included Personally Identifiable Information (PII) like social security numbers, last names, and dates of birth. After exfiltrating nearly 100 GB of data from an unnamed financial company that offered loan services to Ukraine citizens, an employee’s computer equipment was seized. Police later found out the suspect was planning on selling the data to a representative of one of his former employer’s competitors for $4,000.  Not all examples of data exfiltration are malicious, though. Some breaches happen inadvertently, like when an employee leaving the Federal Deposit Insurance Corporation (FDIC) accidentally downloaded data for 44,000 FDIC customers onto a personal storage device and took it out of the agency.  Jean Patrice Delia exfiltrated over 8,000 files from his employer, General Electric (GE), over eight years. Delia hoped to set up a rival company using insider secrets.The FBI investigation into Delia’s scam began in 2016. Details released in July 2020 showed how Delia persuaded a GE IT administrator to grant him privileged systems access — and emailed commercially-sensitive documents to a co-conspirator. On three occasions — in November 2018, January 2020, and October 2020 — Amazon has emailed customers to inform them that an insider has disclosed their personal information (usually email address) to a third party. Amazon hasn’t been very forthcoming about the details of these incidents, but there appears to be a pattern of insider data exfiltration emerging — which should be a serious concern for the company. After a data exfiltration near-miss, a Nevada court charged Egor Igorevich Kriuchkov with “conspiracy to intentionally cause damage to a protected computer” in September 2020. Kriuchkov attempted to bribe a Tesla employee to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The FBI disrupted the scheme, which could have caused serious damage to one of the world’s leading companies. Exfiltration by outsiders Unlike exfiltration by insiders, exfiltration by outsiders indicates that someone from outside an organization has stolen valuable company data.  Here are six examples of data exfiltration by outsiders:  In 2014, eBay suffered a breach that impacted 145 million users. In this case, cybercriminals gained unauthorized access to eBay’s corporate network through a handful of compromised employee log-in credentials. At the time, it was the second-biggest breach of a U.S. company based on the number of records accessed by hackers.  Stealing login credentials isn’t the only way bad actors can gain access to a network. In 2019, malware was discovered on Wawa payment processing servers. This malware harvested the credit card data of over 30 million customers, including card number, expiration date, and cardholder name.  Did you know? 91% of data breaches start with a phishing email. While many phishing emails direct targets to wire money, pay an invoice, or provide bank account details, some request sensitive employee or client information, for example, W-2 forms. You can read more about Tax Day scams on our blog.  In February 2021, Talos Intelligence researchers discovered a new variant of the “Masslogger” Trojan. Masslogger is a perfect example of how cybercriminals can use malware to exfiltrate data from online accounts. This new Masslogger variant arrives via a phishing email with “a legitimate-looking subject line” containing a malicious email attachment. The Trojan targets platforms like Discord, Outlook, Chrome, and NordVPN, using “fileless” attack methods to exfiltrate credentials. In October 2020, the UK’s Information Commissioner’s Office (ICO) fined British Airways (BA) £20 million ($28 million) after attackers exfiltrated customers’ data, including credit card numbers, names, and addresses. This massive data breach started in June 2018, when attackers installed malicious code on BA’s website. The ICO held BA fully responsible for the breach, which affected over 400,000 customers. Healthcare company Magellan Health discovered in April 2020 that hackers had exfiltrated sensitive customer data, including names, tax IDs, and Social Security Numbers. The breach started with a phishing email that an employee received five days earlier. This data exfiltration incident occurred just months after Magellan announced a similar phishing attack that exposed 50,000 customer records from its subsidiary companies Looking for more information about data exfiltration or data loss prevention? Follow these links: What is Data Exfiltration? Tips for Preventing Data Exfiltration Attacks What is Data Loss Prevention (DLP)? A Complete Overview of DLP on Email

This year, Tessian released four research reports, covering topics like the cybersecurity skills gap, social engineering, insider threats, and remote-working.  Now, looking back on the year, we wanted to highlight some of the most relevant insights for security leaders and the larger industry.  If you want more information about any individual insight, download the full report or check out the other suggested resources listed throughout.  Opportunity in Cybersecurity Report 2020 If the number of women working in cybersecurity rose to equal that of men, we’d see a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 66% of women agree there is a gender bias problem in the cybersecurity industry. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 51% of women say that a more accurate representation of the industry in the media would encourage new entrants. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

93% of women in cybersecurity feel secure in their roles. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); In addition to surveying hundreds of women currently working in cybersecurity, we also interviewed over a dozen female practitioners with titles ranging from CISO to backend Python engineer. Read their profiles here. 

The State of Data Loss Prevention 2020  Employees exfiltrate data on email 38x more than IT leaders estimate. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 91% of IT leaders trust their employees to follow safe data practices while working from home….but nearly half (48%) of employees say they’re less likely to follow safe data practices when working from home. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); IT leaders say that the #1 consequence of a data breach is lost customers/lost customer trust. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); At least 800 emails are sent to the wrong person every year in organizations with 1,000+ employees. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Looking for industry-specific information about DLP? Read At a Glance: Data Loss Prevention in Healthcare and DLP in Financial Services.

The Psychology of Human Error 43% of people have made mistakes at work that compromise cybersecurity…

And younger workers are 5x times more likely to make such mistakes. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); A third of workers (33%) rarely or never think about cybersecurity when at work. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 58% have sent an email to the wrong person at work, and 1/5 companies have lost a customer following a misdirected email. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Wondering why people make mistakes? Jeff Hancock, Professor of Communication at Stanford University and contributor to this report, discusses the psychology of human error in this panel discussion: Why People Fall for Social Engineering in a Crisis. 

The Future of Hybrid Work Phishing was the leading cause of security incidents when employees worked remotely (and email traffic increased by 129% at the start of lockdown). !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 75% of IT decision makers believe the future of work will be “remote” or “hybrid”. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 78% of IT decision makers believe their company is at greater risk of insider threats when employees work remotely. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); To learn more about the challenges security and IT leaders will have to overcome in hybrid-remote environments, read this article: 7 Concerns IT Leaders Have About Permanent Remote Working. 

Make sure you don’t miss the release of new research next year.  Connect with us on LinkedIn, follow us on Twitter, and subscribe to our newsletter to be the first to see new content and get invited to industry events.

Insider threats are a big problem for organizations across industries, especially now with mass layoffs and new remote-working arrangements. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data, unlike the external bad actors many security policies and tools help defend against. It could be anyone, from a careless employee to a rogue business partner. That’s why we’ve put together this list of Insider Threat types and examples. By exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to spot Insider Threats before a data breach happens. Types of Insider Threats First things first, let’s define what exactly an Insider Threats is. Insider threats are people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information. The key here is that there are two distinct types of Insider Threats:  The Malicious Insider: Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some kind of financial incentive, a competitive edge, or simply because they’re holding a grudge for being let go or furloughed.  The Negligent Insider: Negligent insiders are just your average employees who have made a mistake. For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear phishing attack, or lose their work device.  We cover these different types of Insider Threats in detail in this article: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions.

11 Examples of Insider Threats  1. The employee who exfiltrated data after being fired or furloughed Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed.  This has caused widespread distress. When you combine this distress with the reduced visibility of IT and security teams while their teams work from home, you’re bound to see more incidents of Malicious Insiders.  One such case involves a former employee of a medical device packaging company who was let go in early March 2020  By the end of March – and after he was given his final paycheck – Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records.  This caused significant delays in the delivery of medical equipment to healthcare providers. 2. The employee who sold company data for financial gain In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web.  The breach affected 547,000 customers and in 2018 after an investigation by the ICO, Bupa was fined £175,000. 3. The employee who stole trade secrets In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets. The employee, named Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE’s systems over eight years — intending to leverage his professional advantage to start a rival company. The FBI investigation into Delia’s scam revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially-sensitive calculations to a co-conspirator. Having pleaded guilty to the charges, Delia faces up to 87 months in jail. What can we learn from this extraordinary inside job? Ensure you have watertight access controls and that you can monitor employee email accounts for suspicious activity. 4. The employee who fell for a phishing attack While we’ve seen a spike in phishing and spear phishing attacks since the outbreak of COVID-19, these aren’t new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 Megabytes of data were stolen. This data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records. 5. The work-from-home employees duped by a vishing scam Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. One cybercrime group conducted one of the most high-profile hacks of 2020 — knocking 4% off Twitter’s share price in the process. In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials. Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam. This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know — your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes. Want to learn more about vishing? We cover it in detail in this article: Smishing and Vishing: What You Need to Know About These Phishing Attacks. 6. The employee who took company data to a new employer for a competitive edge This incident involves two of the biggest tech players: Google and Uber. In 2015, a lead engineer at Waymo, Google’s self-driving car project, left the company to start his own self-driving truck venture, Otto. But, before departing, he exfiltrated several trade secrets including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.  How? By downloading 14,000 files onto his laptop directly from Google servers. Otto was acquired by Uber after a few months, at which point Google executives discovered the breach. In the end, Waymo was awarded $245 million worth of Uber shares and, in March, the employee pleaded guilty. 7. The employees leaking customer data  Toward the end of October 2020, an unknown number of Amazon customers received an email stating that their email address had been “disclosed by an Amazon employee to a third-party.” Amazon said that the “employee” had been fired — but the story changed slightly later on, according to a statement shared by Motherboard which referred to multiple “individuals” and “bad actors.” So how many customers were affected? What motivated the leakers? We still don’t know. But this isn’t the first time that the tech giant’s own employees have leaked customer data. Amazon sent out a near-identical batch of emails in January 2020 and November 2018. If there’s evidence of systemic insider exfiltration of customer data at Amazon, this must be tackled via internal security controls. 8. The employee offered a bribe by a Russian national In September 2020, a Nevada court charged Russian national Egor Igorevich Kriuchkov with conspiracy to intentionally cause damage to a protected computer. The court alleges that Kruichkov attempted to recruit an employee of Tesla’s Nevada Gigafactory. Kriochkov and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The Kruichkov conspiracy was disrupted before any damage could be done. But it wasn’t the first time Tesla had faced an insider threat. In June 2018, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.” With state-sponsored cybercrime syndicates wreaking havoc worldwide, we could soon see further attempts to infiltrate companies. That’s why it’s crucial to run background checks on new hires and ensure an adequate level of internal security. 9. The employee who accidentally sent an email to the wrong person Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But, what are the implications? It depends on what data has been exposed.  In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included: Mental health information Surgery information While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. We outline even more consequences of misdirected emails in this article.  10. The employee who accidentally misconfigured access privileges Just last month, NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS.  These documents – marked “SENSITIVE” and “OFFICIAL” contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic. 11. The employee who sent company data to a personal email account We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend.  But, in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees were exposed, including employee ID data, places of birth, and accounting department codes.

How common are Insider Threats? Incidents involving Insider Threats are on the rise, with a marked 47% increase over the last two years. This isn’t trivial, especially considering the global average cost of an Insider Threat is $11.45 million. This is up from $8.76 in 2018. Who’s more culpable, Negligent Insiders or Malicious Insiders?  Negligent Insiders (like those who send emails to the wrong person) are responsible for 62% of all incidents Negligent Insiders who have their credentials stolen (via a phishing attack or physical theft) are responsible for 25% of all incidents Malicious Insiders are responsible for 14% of all incidents It’s worth noting, though, that credential theft is the most detrimental to an organization’s bottom line, costing an average of $2.79 million.  Which industries suffer the most? The “what, who, and why” behind incidents involving Insider Threats vary greatly by industry.  For example, customer data is most likely to be compromised by an Insider in the Healthcare industry, while money is the most common target in the Finance and Insurance sector. But, who exfiltrated the data is just as important as what data was exfiltrated. The sectors most likely to experience incidents perpetrated by trusted business partners are: Finance and Insurance Federal Government Entertainment Information Technology Healthcare State and Local Government Overall, though, when it comes to employees misusing their access privileges, the Healthcare and Manufacturing industries experience the most incidents. On the other hand, the Public Sector suffers the most from lost or stolen assets and also ranks in the top three for miscellaneous errors (for example misdirected emails) alongside Healthcare and Finance. You can find even more stats about Insider Threats (including a downloadable infographic) here.  The bottom line: Insider Threats are a growling problem. We have a solution.

How does Tessian prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.  Curious how frequently these incidents are happening in your organization? Click here for a free threat report.

October 2020 has been another remarkable month in cybersecurity. And, since COVID-19 sent the world indoors and made us ever-more reliant on the internet, the importance of information security and data protection has never been more apparent. October saw numerous high-profile data breaches, cyberattacks, and online scams — but also brought us one of the biggest GDPR fines yet, an innovative solution to deepfake technology, and even more jostling between the US government and Chinese big tech. Let’s take a look at the biggest cybersecurity headlines of October 2020. Paying Cyberattack Ransoms Could Breach International Sanctions Rules New guidance from the US Treasury has big implications for companies hit by ransomware attacks from certain countries. (Companies affected by ransomware find their files encrypted — replaced by useless strings of seemingly random characters — with cybercriminals promising to return the data if the company pays a ransom.) Paying up might be the least-worst option where a company’s critical data is at stake…ut according to an October 1 US Treasury advisory note, paying cyberattack ransoms could violate legal rules on international sanctions. Businesses suffering a ransomware attack by hackers from a sanctioned country — like Iran, China, or Russia (where many such attacks do originate) — now face the threat of huge fines and legal action if they choose to buy back their files.  The Treasury’s advice reiterates what cybersecurity leaders have been saying for many years: in cybersecurity, prevention is far better than cure. Amazon Prime Day Sees Huge Spike in Phishing Scams With millions of consumers confined to their homes, this year’s Amazon Prime Day was a chance for millions of shoppers to grab a bargain — and an unmissable opportunity for cybercriminals to steal their personal information. October 8 research from Bolster detected over 800 “spoof” Amazon webpages in September (up from 50 in January), as fraudsters ramped up their phishing efforts in anticipation of the two-day Amazon Prime Day event, hosted October 13-14. Some sites looked near-identical to Amazon’s genuine web properties, with perfectly duplicated branding and convincing domain names. Unwary shoppers were asked for details such as their CVV2 code and social security number. See what advice Tessian co-founder and CEO, Tim Sadler, offered consumers in Tech Radar. FBI Warns of Ransomware Attacks Targeting Healthcare Providers On October 29, the FBI and other agencies issued a warning regarding an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The threats include a new tool named anchor_dns, a backdoor that can reportedly “evade typical network defense products,” and the Ryuk Ransomware. Among other measures, the FBI is advising healthcare providers to create business continuity plans, patch networked systems, and implement multi-factor authentication in preparation for an attack. According to Associated Press, 59 US healthcare systems have been attacked via ransomware so far this year. Looking for more information on why the healthcare industry is especially vulnerable? We talk more about The State of Data Loss Prevention in Healthcare in this article. UK Public Body Unable to Provide Services Follow “Serious Cyberattack” On October 14, Hackney London Borough Council, a UK local government body, announced that it had fallen victim to a “serious cyberattack.”  In an update two days later, the council revealed the extent of the damage. Among other things, the council was unable to accept rent payments, process planning applications, or pay some social security benefits. The council said it was “working hard to restore services, protect data, and investigate the attack,” but that services could remain unavailable for “some time.” UK Data Regulator Issues $26 Million Fine to Airline UK airline British Airways received a £20 million ($26 million) fine on October 17 for “failing to protect the personal and financial details of more than 400,000 of its customers.” The fine relates to a cyberattack suffered by the company in 2018. The Information Commissioner’s Office — the UK’s data protection authority — found that the airline had failed to limit access to data, had not undertaken sufficiently rigorous testing, and should have implemented multi-factor authentication on its employee and third-party accounts. The British Airways fine amounts to the fourth-largest GDPR fine of all time — but the airline actually got off relatively lightly, considering that the fine was initially touted as £183 million ($238 million).  To learn more about compliance standards like the GDPR (including the largest breaches and fines to-date) check out The CEO’s Guide to Data Protection and Compliance. Adobe Launches Content Authenticity Initiative Tool to Fight Deepfakes As video and audio manipulation techniques become more accessible, cybersecurity and intelligence experts have been warning about a potential onslaught of deepfakes that could have an unprecedented impact on security, politics, and society. Not sure what a deepfake is? Read this article. Cybercriminals can use deepfake technology to create video or audio clips of high-profile and trusted individuals. Deepfakes have already been used in phishing attacks and could also be used for blackmail and disinformation campaigns. On October 20, Adobe’s Content Authenticity Initiative announced a new tool that will add “a secure layer of tamper-evident attribution data to photos, including the author’s name, location, and edit history” to help creatives authenticate their content. Once deepfakes are sufficiently convincing, there might be no way to distinguish them from genuine material. Adobe’s project marks a promising first step in this emerging security front. Hackers Discover 55 Vulnerabilities Across Apple’s Systems A group of hackers earned $300,000 via Apple’s bug bounty scheme after identifying 55 vulnerabilities across Apple’s infrastructure. The security issues included vulnerabilities that would have allowed an attacker to “(take) over a victim’s iCloud account,” “fully compromise an industrial control warehouse software used by Apple,” and “access management tools and sensitive resources.” The group said Apple had fully addressed the majority of vulnerabilities reported. Around 3 Million Credit Cards Compromised After Breach at US Restaurant Franchise On Oct 12, details of around 3 million credit cards were posted on the dark web following a huge data breach at US restaurant franchise Dickey’s Barbeque Pit. According to an investigation by Gemini Advisory, 156 of 469 Dickey’s outlets were involved in the breach, with the highest levels of exposure present in California. The details appear to have been stolen between July 2018 and August 2020. Given California’s strict data breach rules, including a private right of action under the California Consumer Privacy Act, Dickey’s could be liable for some eye-watering sums if the breach is found to have resulted from lax cybersecurity practices. Questions about the CCPA? We answer 13 of them in this article: CCPA FAQs: Your Guide to California’s New Privacy Law. Russia Planned to Launch 2020 Olympics Cyberattack The GRU, Russia’s military intelligence agency, “conducted cyber reconnaissance against officials and organizations” involved in the Tokyo 2020 Olympic and Paralympic Games, according to a UK government announcement on October 19. Russian cybercrime groups are alleged to have targeted “organizers, logistics services, and sponsors.” The Games were originally due to tale place this summer but were postponed due to COVID-19.  The UK government also revealed the full extent of Russia’s hacking campaign against the 2018 Winter Games, during which Russian hackers are alleged to have disguised themselves as Chinese and North Korean attackers to target the opening ceremony in Seoul, South Korea. ENISA 2020 Threat Landscape Report Shows Increase in Cyberattacks  The European Union Agency for Cybersecurity (ENISA) released its 2020 Threat Landscape Report on October 20, and cybersecurity leaders (unfortunately) won’t be surprised at its conclusion: cybercrime is on the increase. The report cites “a new norm,” triggered by the COVID-19 pandemic, in which the world is even more dependent on “a secure and reliable cyberspace.” ENISA found that the number of phishing victims “continues to grow,” that Business Email Compromise (BEC) resulted in “the loss of millions of euros,” and that state-sponsored actors are propagating “finely targeted and persistent attacks on high-value data.” If you’re a security leader looking for solutions to these problems, click here to learn more about how Tessian Defender detects advanced impersonation attacks that slip past SEGs, native features, and legacy tools. Researcher Breaches US President’s Twitter Account By Guessing Password Dutch “ethical hacker” Victor Gevers found himself in control of Donald Trump’s Twitter account on October 16 after guessing the US president’s password. Trump’s Twitter account has over 87 million followers and is frequently used to deliver messages of international importance. Gevers said he correctly guessed the password, “maga2020!”, after seven attempts. The incident reveals that the president was using a simple, easy-to-guess password, and that he had multi-factor authentication disabled. Rectifying either of these two basic security errors would have prevented unauthorized access to the account. Overruling of WeChat Ban Denied by California Judge Another month, another development in the long-running battle between the US government and Chinese tech firms. On October 23, California struck a blow to the Trump administration’s efforts to restrict WeChat — a Chinese app used for currency transfers, social networking, and instant messaging. In September, the US Department of Commerce ordered Apple and Google to stop distributing WeChat via their app stores, citing security issues. The order was blocked in California following a legal challenge by WeChat. The US Justice Department brought further evidence and asked the court to reverse its WeChat ruling. The court declined to change its decision, meaning that the Commerce Department’s banning order will remain unenforced in California — despite the federal government’s allegations regarding WeChat’s security issues.  Finnish Therapy Center Hacked, Exposing Patient Data One of the most shocking data breaches of 2020 was brought to light on October 24, when Finnish psychotherapy center Vastaamo revealed a hack that compromised hundreds of patient records. The highly sensitive nature of the breach means that it is being taken extremely seriously. Finland’s interior minister summoned a cabinet meeting to determine how best to respond to the breach, promising “speedy crisis help” to the affected individuals. The hackers are demanding a ransom in exchange for the return of the files, which were reportedly accessed between November 2018 and March 2019. The ransomware attack further suggests that businesses worldwide lack proper cybersecurity infrastructure — even when handling highly sensitive and valuable data. That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post. 

Company: Cordaan Industry: Healthcare Seats: 6,300 Solutions: Guardian, Enforcer, Defender  About Cordaan Cordaan – one of the largest healthcare providers in Amsterdam – provides care to over 20,000 people from 120 locations across Amsterdam. They do this with the help of 6,000 employees and more than 2,500 volunteers. Cordaan also works in association with research institutes and social organizations.  To help protect the organization’s people, sensitive data, and networks, Cordaan has deployed Tessian Guardian, Enforcer, and Defender to protect over 6,300 employees on email.  Tessian solves three key problems for Cordaan, which we explore in detail in the video below. Keep reading for a summary of the discussion. Problem: Healthcare employees are especially vulnerable to inbound attacks  When it comes to inbound attacks like spear phishing and business email compromise, the healthcare industry is among the most targeted. It also has the highest costs associated with data breaches. Why? According to Cas de Bie, the Dutch healthcare provider’s Chief Information Officer, it’s not just because organizations operating in this industry handle highly sensitive data. It also has a lot to do with the very nature of the work: helping people. 

Combine this empathetic approach with the stress of a global pandemic, and you’re left with an incredibly vulnerable workforce. With Tessian, Cas is now confident Tessian will identify spear phishing emails before his employees respond to them and that employees’ workflow won’t be disrupted in the process.  When talking about inbound attacks, Cas said “It’s all about awareness. While people probably do know what they’re supposed to do when it comes to email security, it’s different in real life. It’s hard to decide in the moment. Of course, they don’t do it on purpose. They want to make the right decision. Tessian helps them do that.” Problem: Reactive and rule-based solutions weren’t preventing human error on email in the short or long-term To ensure GDPR-compliance, Cordaan prioritized investment in privacy and security solutions. But, according to Cas, “standard” email security, spam filtering solutions, and encryption alone just weren’t enough. They weren’t keeping malicious emails out of inboxes, and they weren’t preventing data loss from insiders. They also weren’t doing anything to improve employee security reflexes in the long-term. 

So, to level-up Cordaan’s email security, Cas was looking for a solution that was: Technologically advanced User-friendly Proactive With Tessian, he found all three. Powered by contextual machine learning and artificial intelligence, our solutions can detect and prevent threats and risky behavior before they become incidents or breaches. How? With the in-the-moment warnings – triggered by anomalous email activity – that look something like this.

These warnings help nudge well-intentioned employees towards safer behavior and ensure data stays within Cordaan’s perimeter. And, because Tessian works silently in the background and analyzes inbound and outbound emails in milliseconds, it’s invisible to employees until they see a warning.   This was incredibly important to Cas, who said that “The added value of Tessian is that it influences behavior. That really resonated with the board and helped me make a strong business case. While I can’t show how cybersecurity creates revenue, I can show – via a risk management calculation – the potential fines we could avoid because of our investment in Tessian”.  Problem: Cordaan’s security team had limited visibility into – and control over – data loss incidents on email  While Cordaan had invested in other email security solutions, Cas and his team still lacked visibility into the frequency of data loss incidents on email. But, after deploying Tessian for a Proof of Value, the scope of the problem became crystal clear.

The reality is that employees do actually send unauthorized and misdirected emails more frequently than expected. (We explore this in detail in our report, The State of Data Loss Prevention 2020.) But, the good news is that this behavior can be influenced and corrected—all without access restrictions that make it harder (or impossible) for employees to do their jobs.  Cas explained it well, saying that “Of course there are things that we have to police and prohibit. But, most of the time, people aren’t doing things maliciously. So it’s nice that – with Tessian – we can take a more nuanced approach. We can influence behavior and help our employees do the right thing.” Learn more about how Tessian prevents human error on email Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships. Tessian Guardian automatically detects and prevents misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts Tessian Defender automatically detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however your work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.

Cordaan Case Study hbspt.cta.load(1670277, '61cef6a6-03b0-4491-a81d-6e751eb924e8', {"region":"na1"});

Gartner recently released its Market Guide for Email Security and Tessian is thrilled to have been included as a representative vendor for Cloud Email Security Supplement Solutions. So, what does that mean? According to the report, representative vendors offer “email security capabilities in ways that are unique, innovative, and/or demonstrate forward-looking product strategies.”  How has the threat landscape changed? According to Gartner’s guide, there are a number of factors related to the market’s direction that security leaders need to consider, including the ways in which hackers are targeting organizations and how (and where) we work. Keep reading to learn more. Email is the #1 threat vector

As noted in the report, “According to the 2020 Verizon Data Breach report, 22% of breaches involved social engineering, and 96% of those breaches came through email. In the same report, another 22% of breaches were a result of “human failure” errors, where sensitive data was accidentally sent to the wrong recipient.” “Business email compromise (BEC), the takeover or fraudulent use of a legitimate account to divert funds, continues to grow, and simple payroll diversion scams accounted for  $8 million in 2019.” The bottom line: Whether it’s protecting against inbound threats like ransomware attacks, business email compromise (BEC), or account takeover (ATO) or outbound threats like accidental and malicious data exfiltration, security leaders need to prioritize email security and reevaluate the effectiveness of current solutions. This is especially pertinent as many organizations have moved to the cloud.    Increased cloud office adoption According to Gartner, “Enterprise adoption of cloud office systems, for which cloud email is a key capability, is continuing to grow, with 71% of companies using cloud or hybrid cloud email.” We can expect these numbers to rise, especially given the sudden shift to remote working set-ups in response to COVID-19 and the steep and steady rise in the use of mobile devices for work. But, there’s a problem. Despite G Suite and O365’s basic security controls as well as anti-spam, anti-phishing, and anti-malware services; advanced attachment; and URL-based threat defenses, “email threats have become sophisticated to evade detection by common email security technologies, particularly those that rely only on standard antivirus and reputation.”

What capabilities set vendors apart?  So, what capabilities set vendors apart? In other words what capabilities should security leaders be looking for? Gartner recommends that security leaders “invest in anti-phishing technology that can accurately detect BEC and account takeover attacks. In particular, seek solutions that use AI to create a baseline for communication patterns and conversation style and detect anomalies in these patterns. For account take over attacks, seek solutions that use computer vision when reviewing suspect URLs. Adjacent technologies such as multifactor authentication are used to protect against account takeover attacks.”.   Gartner also says “the following capabilities can be used as primary differentiators and selection criteria for email”. These include the ability to: “Protect against attachment-based threats” “Protect against URL-based advanced threats”  “Protect Against Impersonation and Social Engineering Tactics Used in URL-Based, Attachment-Based and Payloadless Advanced Threats” And, to help security leaders narrow down their search, Gartner identified specific categories of vendors that provide some of the above email capabilities. Tessian is recognized as a representative vendor for CESSs.  Keep reading to learn more about our products and technology.  Why Tessian?  Tessian Human Layer Security offers both inbound and outbound protection on email and satisfies criteria outlined in the report, including display name spoof detection, lookalike domain detection, anomaly detection, data protection, post delivery protection, and offers these protection for both web and mobile devices. Here’s how. Powered by machine learning, our Human Layer Security platform understands normal email behavior by analyzing content, context, and communication patterns from historical email data to establish trusted relationship graphs. Tessian can then detect anomalies in real-time using those employee relationship graphs alongside deep content analysis, natural language processing, and behavioral analysis. Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity Tessian Defender automatically detects and prevents spear phishing, Business Email Compromise and other advanced targeted impersonation attacks. Tessian’s technology updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network without hands-on maintenance from security teams. That means it gets smarter over time to keep you protected, wherever and however you work, whether that’s a desktop computer in the office or a mobile device, tablet, or laptop at home. But Tessian doesn’t just detect and prevent threats.  When a security threat is triggered, contextual warnings provide employees with in-the-moment training on why an email was flagged unsafe (or an impersonation attempt)  or reinforce data security policies and procedures and improve their security reflexes. This nudges employees towards safer behavior in the long-term.  And, with Human Layer Security Intelligence, security and compliance leaders can get greater visibility into the threats prevented, track trends, and benchmark their organization’s security posture against others. This way, they can continuously reduce Human Layer risks over time. To learn more about how Tessian protects world-leading organizations across G Suite, O365, and Outlook, check out our customer stories or book a demo. 

Gartner, Market Guide for Email Security, September 2020 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

According to Tessian research, 75% of IT leaders and 89% of employees believe the future of work will be “remote” or “hybrid” – a combination of working in the office and remotely.  This will have a significant impact on companies’ IT departments, who will be under pressure to deliver a seamless experience and create strategies that empower employees to work remotely and securely. In fact, 85% of IT leaders think they and their team will be under more pressure if their organization were to adopt a permanent remote working structure.  In this blog, we look at their top 7 concerns and explain how to overcome them.  1. Employee wellbeing Half of IT leaders’ are worried about staff’s wellbeing when they work remotely – making it the top concern among IT professionals.  Remote work can be incredibly stressful for employees. A survey by online employment platform Monster reported that over two-thirds of U.S. workers have experienced burnout symptoms while working from home. Why? Because people are more distracted, they’re taking less time off work, and they’re working longer hours. 61% of employees in another Tessian report said a culture of presenteeism in their organization makes them work longer hours than they need to.  The problem is that when people are stressed, tired and distracted, they make more mistakes that could compromise cybersecurity. In fact, 46% of employees say make more mistakes when they feel burned out.  IT professionals must recognize the correlation between employee wellbeing, their productivity, and security if they want to keep data and systems safe in a remote work world. Lead with empathy and find ways to prevent stressed and distracted employees from making costly cybersecurity mistakes.  2.Unsafe data practices 46% of IT leaders are also worried about employees practicing unsafe cybersecurity behaviors.  Their concerns are valid. A report published by Tessian in May 2020 revealed that 48% of employees feel they can get away with riskier cybersecurity behaviors when working from home, namely because they are working from unfamiliar devices and because they aren’t being watched by IT teams. A further 54% said they’ll find a workaround if security software or policies prevent them from doing their job. Educating employees on safe cybersecurity practices is a necessary first step. However, only 57% of companies implemented additional training at the start of the remote working period in March 2020. This isn’t trivial; businesses must continually educate staff on safe data practices because cybersecurity is rarely at the front of mind for every employee.  Businesses should also ensure that security solutions or policies do not stand in the way of people getting their jobs done. Workers will find the easiest or most convenient path, and this can often involve skirting around security rules. Security should, therefore, be as flexible as people’s working practices in order to mitigate unsafe behaviors online.

3. More data breaches Half of organizations we surveyed said they experienced a data breach or security incident between March and July 2020 – the period in which mandatory remote work arrangements were enforced. Consequently, 40% of IT leaders are worried their company will experience more data breaches if people continue to work remotely.  The causes of these data breaches included phishing attacks (49%), malware (45%) and malicious insider attacks (43%). In addition, 78% of IT leaders said they think their organization is at greater risk of insider threats when staff work from home.  To prevent data breaches caused by insider threats – and other threats caused by human error – IT teams need greater visibility into their riskiest and most at-risk employees. Only by understanding employees’ behaviors, can businesses tailor policies and training to prevent people’s actions from compromising company security and breaching sensitive data.  4. More phishing attacks Half of the security incidents reported between March-July 2020 were caused by successful phishing attacks – making phishing the top attack vector during this period of remote working.  Of the 78% of remote workers that received phishing emails while working on their personal devices, an overwhelming 68% clicked a link or downloaded an attachment from the malicious messages they received. It’s not surprising, then, that 82% of IT leaders think their organization is at greater risk of phishing attacks when people work remotely.  But why is phishing a greater risk for remote workers?  Because it is not uncommon for an employee to receive information about a new software update for a video conferencing app, or an email from a healthcare organization providing tips on how to stay safe, or a request from a supplier asking them to update payment details.  In fact, 43% of IT professionals said their staff had received phishing emails with hackers impersonating software brands, while 34% said they’d received emails from cybercriminals pretending to be an external supplier.  If the sender’s email domain looks legitimate and if hackers have used the correct logos in the body of the email, there’s very little reason why an employee would suspect they were the target of a scam. And, when working remotely, employees can’t easily verify the email with a colleague. They may, then, click the link to “join the meeting”, download the “new update” or share account credentials. To learn more about how to spot a spear phishing email, read our blog here.

5. The IT team’s bandwidth With organizations facing the threat of more data breaches and security incidents caused by unsafe cybersecurity behaviors, over a third (34%) of IT leaders worry that their teams will be stretched too far in terms of time and resource.  Security solutions powered by machine learning can help alleviate the strain. Solutions like Tessian use machine learning algorithms to understand human behaviors in order to automatically detect and prevent threats caused by human error – such as accidental data loss, data exfiltration or phishing attacks. When a potential threat is detected, the individual is alerted in real-time and a record of the incident is logged in a simple and accessible dashboard. IT professionals no longer have to spend hours manually looking back through logs to find incidents – the proverbial ‘needle in a haystack’.  When you consider that 55% of IT teams spend more time navigating manual processes than responding to vulnerabilities, finding ways to take away the manual, labor-intensive tasks will be critical in freeing up IT professionals’ time.  6. An increase to IT leaders’ workload In addition to concerns over their teams’ workloads increasing, IT leaders also fear they’ll face even longer to-do lists in a hybrid or remote working world. Why? To name a few: The majority of IT leaders will be implementing new BYOD policies, additional training programs, upgrades to endpoint protection as well as new VPNs in order to address employees’ expectations and safety.  They have to overcome challenges like data loss prevention (DLP), something 84% of IT leaders say is more difficult in distributed workforces.  They have to address and mitigate more security risks such as employees bringing infected devices or documents into the office, potentially compromising the company’s entire network.  According to Nominet’s 2020 report – The CISO Stress Report: Life Inside the Perimeter: One Year On – 88% of CISOs are moderately or tremendously stressed. What’s more, 95% work more than their contracted hours amounting to an extra 10 hours per week, on average.  As the pressure increases, businesses must find ways to alleviate stress and empower IT leaders to work effectively and efficiently in order to protect their company and employees.

7. Non-compliance with data protection regulations Nearly a third of IT leaders said that remote working could compromise compliance with data protection regulations.  In the last year, misdirected emails have been the number one cause of data breach incidents reported to the Information Commissioner’s Office. A previous Tessian report found that 58% of employees have sent an email to the wrong person during their career and, of these misdirected emails, nearly a fifth (17%) were sent to the wrong external party.  Their reasons? Nearly half said it was because they were tired and 41% said the error was made because they were distracted. Given that studies have shown people are feeling more fatigued and more distracted while working remotely, there is cause for concern that data breaches, caused by human error, will only increase.  Instead of expecting people to do the right thing 100% of the time while working away from the office, invest in security solutions that preempt these errors by detecting and preventing them from happening in the first place. That way, IT leaders can proactively stop sensitive information from leaving their environment, company IP stays secure, compliance standards are met, and customer trust is maintained. To find out more, read the full report – Securing the Future of Hybrid Work – here.

Over the last two years, there’s been a 47% increase in the frequency of incidents involving Insider Threats. This includes malicious data exfiltration and accidental data loss. Why does this matter? Because these incidents cost organizations millions, are leading to breaches that expose sensitive customer, client, and company data, and are notoriously hard to prevent. In this article, we’ll explore: How often these incident are happening What motivates Insider Threats to act The financial  impact Insider Threats have on larger organizations The effectiveness of different preventive measures You can also download this infographic with the key statistics from this article. If you know what an Insider Threat is, click here to jump down the page. If not, you can check out some of these articles for a bit more background. What is an Insider Threat? Insider Threat Definition, Examples, and Solutions Insider Threat Indicators: 11 Ways to Recognize an Insider Threat Insider Threats: Types and Real-World Examples

How frequently are Insider Threat incidents happening? As we’ve said, incidents involving Insider Threats have increased by 47% since 2018. But the frequency of incidents varies industry-by-industry. Verizon’s 2020 Breach Investigations Report offers a comprehensive overview of different incidents in different industries, with a focus on patterns, actions, and assets.  They found that: The Healthcare and Manufacturing industries experience the most incidents involving  employees misusing their access privileges The Public Sector and Healthcare suffer the most from lost or stolen assets  Healthcare and Finance see the most “miscellaneous errors” (for example misdirected emails !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

There are also several different types of Insider Threats and the “who and why” behind these incidents can vary. According to one study: Negligent Insiders are the most common and account for 62% of all incidents.  Negligent Insiders who have their credentials stolen account for 25% of all incidents Malicious Insiders are responsible for 14% of all incidents.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Looking at Tessian’s own platform data, Negligent Insiders may be responsible for even more incidents than most expected. On average, 800 emails are sent to the wrong person every year in companies with 1,000 employees. This is 1.6x more than IT leaders estimate.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Malicious Insiders are likely responsible for more incidents than expected, too. Between March and July 2020, 43% of security incidents reported were caused by malicious insiders. We should expect this number to increase. Over three-quarters of IT leaders (78%) think their organization is at greater risk of Insider Threats if their company adopts a permanent hybrid working structure. Which, by the way, the majority of employees would prefer. What motivates Insider Threats to act? When it comes to the “why”, Insiders – specifically Malicious Insiders – are often motivated by money, a competitive edge, or revenge. But, according to one report, there is a range of reasons malicious Insiders act. Some just do it for fun.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, we don’t always know exactly “why”. For example, Tessian’s own survey data shows that 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed.  While we may be able to infer that they’re taking spreadsheets, contracts, or other documents to impress a future or potential employer, we can’t know for certain.  Note: Incidents like this happen the most frequently in competitive industries like Financial Services and Business, Consulting, & Management. This supports our theory.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); How much do incidents involving Insider Threats cost? The cost of Insider Threat incidents varies based on the type of incident, with incidents involving stolen credentials causing the most financial damage. But, across the board, the cost has been steadily rising. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Likewise, there are regional differences in the cost of Insider Threats, with incidents in North America costing the most and almost twice as much as those in Asia-Pacific. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, overall, the average global cost has increased 31% over the last 2 years, from $8.76 million in 2018 to $11.45 in 2020 and the largest chunk goes towards containment, remediation, incident response, and investigation. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, what about prevention? How effective are preventative measures? As the frequency of Insider Threat incidents continues to increase, so does investment in cybersecurity. But, what solutions are available and which solutions do security, IT, and compliance leaders trust to detect and prevent data loss within their organizations? According to Tessian’s latest report, The State of Data Loss Prevention 2020, most rely on security awareness training, followed by following company policies/procedures, and machine learning/intelligent automation. But, incidents actually happen more frequently in organizations that offer training the most often and, while the majority of employees say they understand company policies and procedures, comprehension doesn’t help prevent malicious behavior. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); That’s why many organizations rely on rule-based solutions. But, those often fall short.  Not only are they admin-intensive for security teams, but they’re blunt instruments and often prevent employees from doing their jobs while also failing to prevent data loss from Insiders.  So, how can you detect incidents involving Insiders in order to prevent data loss and eliminate the cost of remediation? Machine learning. How does Tessian detect and prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way.  Interested in learning more about how Tessian can help prevent Insider Threats in your organization? You can read some of our customer stories here or book a demo.

As rates of cybersecurity incidents rise and data security laws become stricter, organizations must take steps to protect the information under its control. But safeguarding your company’s information can be a daunting task.  So, where do you start? You can start by implementing a cybersecurity framework. In this article, we’ll look at four of the most prevalent cybersecurity frameworks — to help you get started on your journey toward better information security.  But first, let’s define what a cybersecurity framework is. What is a cybersecurity framework?

What are the benefits of implementing a cybersecurity framework? Running a business is a time-consuming and complicated task and many business leaders – especially those without any background in cybersecurity – worry that implementing a cybersecurity framework will create extra work. And, while it does take time and effort to follow a cybersecurity framework through to completion, it’s almost certainly going to save you time, stress — and money — in the long-term. Here’s how: It will strengthen your network protection, reducing your risk of a cybersecurity attack. It will help ensure better data security practices among staff, reducing the risk of accidental data loss, such as via misdirected email. It increases awareness of cybersecurity among staff, leading to a reduced risk from social engineering attacks. It improves your reputation among consumers and business partners. Implementing a cybersecurity framework is also a fundamental way of meeting your legal obligations under data privacy laws, such as:  The EU General Data Protection Regulation (GDPR)  The California Consumer Privacy Act (CCPA) The South Africa Protection of Personal Information Act (POPIA)  Under these laws — and many others worldwide — it is necessary for businesses to maintain a reasonable level of data security. Implementing a cybersecurity framework is an excellent way to achieve this. Looking for more information about regional and industry-specific data protection laws? Visit our compliance content hub. 

What sorts of organizations should implement a cybersecurity framework? Implementing a cybersecurity framework is mandatory in some industries. For example, organizations that handle cardholder data must comply with the PCI DSS framework. However, a business of virtually any size — and in any industry — can adopt a cybersecurity framework at relatively low cost.  One way that a small business can achieve cybersecurity compliance is by choosing a flexible framework —  such as the CIS Controls or NIST Cybersecurity Framework, and prioritizing the implementation of controls according to its business needs and operating context. Now, let’s look at four of the best-known cybersecurity frameworks.

Introduction to CIS Controls The Center for Internet Security (CIS) Controls framework can help you mitigate and defend against the most basic cyberattacks.  Here are the 20 CIS Controls: Basic CIS Controls Inventory and Control of Hardware Assets Inventory and Control of Software Assets Continuous Vulnerability Management Controlled Use of Administrative Privileges Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Maintenance, Monitoring, and Analysis of Audit Logs Foundational CIS Controls Email and Web Browser Protections Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Data Recovery Capabilities Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches Boundary Defense Data Protection Controlled Access Based on the Need to Know Wireless Access Control Account Monitoring and Control Organizational CIS Controls Implement a Security Awareness and Training Program Application Software Security Incident Response and Management Penetration Tests and Red Team Exercises

CIS Control 13: Data Protection  To give you an idea of what the CIS controls require, we’ll take a closer look at Control 13: Data Protection. CIS Control 13 provides some practical steps to help you protect data from exfiltration and cyberattacks. At its core, Control 13 requires organizations to: Use a combination of encryption, integrity protection, and data loss prevention (DLP) methods to ensure the security of data Limit and report on data exfiltration attempts Mitigate the effects of data compromise Control 13 contains nine sub-controls. Some of these are achievable for businesses of all sizes, such as: 13.1: Maintain an Inventory of Sensitive Information 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization 13.6: Encrypt Mobile Device Data If your organization has “moderate” or “significant” resources, it can implement further sub-controls, such as: 13.3: Monitor and Block Unauthorized Network Traffic 13.4: Only Allow Access to Authorized Cloud Storage or Email Providers 13.5: Monitor and Detect Any Unauthorized Use of Encryption By implementing the CIS controls and sub-controls on a priority basis, businesses can implement a reasonably effective cybersecurity program.  Looking for a straightforward way to implement multiple sub-controls across several CIS controls? implement email security software. Email is the entry-point for 96% of phishing attacks.

Introduction to the NIST Cybersecurity Framework The NIST Cybersecurity Framework (full title: Framework for Improving Critical Infrastructure Cybersecurity) is a comprehensive set of security controls and guidance for private sector organizations. Currently, at version 1.1, the framework aims to improve the general level of cybersecurity among US organizations. The framework is guidance — it’s entirely voluntary  — and it can be customized according to a company’s sector, resources, and risk profile. The framework’s “core” consists of cybersecurity activities and outcomes — written in accessible language that should be understandable to non-technical teams. (Phew!) The core activities and outcomes are sorted into five functions, which are further divided into categories. We’ve listed them below.  Identify: The “Identify” function provides the essential, foundational activities and outcomes necessary to use the framework. Outcomes categories associated with this function include: ID.AM: Asset Management ID.BE: Business Environment ID.RA: Risk Assessment Protect: The “Protect” function activities help mitigate the impact of a potential cyberattack or data breach. Protect outcome categories include: PR.AC: Identity Management and Access Control PR.AT: Awareness and Training PR.DS: Data Security Detect: The “Detect” function enables businesses to quickly detect that a cybersecurity event has occurred. Detect outcome categories include: DE.AE: Anomalies and Events  DE.CM: Security Continuous Monitoring DE.DP: Detection Processes Respond: Implementing the “Respond” function will ensure your business takes appropriate action during a cybersecurity event. Outcome categories in this function include: RS.RP: Response Planning  RS.CO: Communications  RS.AN: Analysis Recover: The “Recover” function allows an organization to return to normal functioning after a cyberattack. Recover function outcome categories include: RC.RP: Recovery Planning  RC.IM: Improvements RC.CO: Communications Each function’s categories are, in turn, divided into subcategories. For example: ID.AM (function: Identity, category: Asset Management): ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-2: Software platforms and applications within the organization are inventoried ID.AM-3: Organizational communication and data flows are mapped The subcategories all come with “informative references”, which are practical resources to help businesses achieve the outcomes.  For example, ID.AM-1 (Identify: Asset Management) includes the following references: CIS Control 1  ISO 27001:2013 Annexes A.8.1.1 and A.8.1.2 NIST Special Priority (SP) 800-53 (revision 4) CM-8 and PM-5 Introduction to ISO 27000 Series

The ISO 27000 Series (sometimes called the ISO/IEC 27000 Series) is a family of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27000 Series is extensive, covering information security requirements, guidelines, and sector-specific standards. Examples of some of the published standards in the ISO 27000 Series include: ISO 27000: Information Security Management Systems — Overview and Vocabulary ISO 27003: Information Security Management System Implementation Guidance ISO 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors ISO 27019: Information Security for Process Control in the Energy Industry ISO 27032: Guideline for cybersecurity ISO 27033: IT network security Businesses of all sizes can implement one or more of the ISO 27000 Series standards. These are internationally recognized standards and are well-respected around the world.  While implementing ISO 27000 controls is not legally mandatory, there is an expectation of ISO-compliance in many industries and contexts. For example, for public cloud storage service providers that process personal information, achieving ISO 27018 compliance is crucial. ISO 27001 To give you a feel for ISO 27000 implementation, we’re going to take a closer look at one of the more popular standards in the series: ISO 27001, full name “Information technology — Security techniques — Information security management systems — Requirements.” ISO 20071 aims to enable businesses to establish, implement, maintain, and continually improve an information security management system (ISMS). Unlike the CIS Controls or the NIST Cybersecurity Framework, ISO 20071 is not available for free. The ISO 27001 standard consists of ten “clauses,” and an annex containing 114 controls, sorted into 14 sets. A business can prioritize its implementation of these controls according to its operational requirements. An essential part of complying with ISO 27001 is risk assessment. An ISO 27001 risk assessment can be broken down into several stages: Creating a risk assessment methodology that accounts for: Your operating context Risk criteria Risk tolerance Identifying information assets, such as: Digital documents Paper files Storage devices Mobile devices Identifying threats: Social engineering attacks, such as spear phishing Exfiltration of data by trusted employees Weak passwords leading to hacked employee accounts ISO 27001 compliance is an ongoing process that requires the commitment of employees across your whole organization. Once a company has implemented sufficient controls, it can undergo an audit and obtain ISO 27001 certification. Tessian is ISO 27001 certified. You can read more about your integrations, compatibility, and partnerships here. 

Introduction to PCI DSS The PCI DSS applies to all organizations that accept, transmit, or store information associated with payment cards (known as “merchants”). The PCI DSS sits alongside the PCI PTS (for manufacturers) and the PCI PA-DSS (for software developers). Unlike the other frameworks we’ve looked at, the PCI DSS is mandatory for any business that qualifies as a merchant. The Payment Card Industry Council enforces PCI DSS compliance, and — in some jurisdictions — it is incorporated into law. The framework’s requirements differ according to how many Visa transactions a merchant processes per year. There are four levels of PCI DSS requirements: Level 1: Any merchant that:  Processes more than 6 million Visa transactions per year, or Is determined by Visa as needing to meet level 1 requirements Level 2: Any merchant that processes 1-6 million Visa transactions per year Level 3: Merchants that process 20,000-1 million eCommerce Visa transactions per year Level 4: Any merchant that: Processes fewer than 20,000 Visa transactions per year, or Processes fewer than 1 million non-eCommerce Visa transactions per year As you can see, eCommerce merchants have slightly stricter requirements due to the risks of transacting online.  If a merchant suffers a data breach, it might be required to move up a level to continue making card transactions. This is one of many reasons you should take a “security-first” approach and implement as many cybersecurity controls as your budget allows. The PCI DSS consists of 12 requirements, which can be summarized as: Use a firewall Change default passwords and other security parameters Protect cardholder data in storage Encrypt cardholder in transit Implement and update antivirus software  Ensure systems and applications are secure Restrict access to cardholder data Assign unique user IDs  Maintain physical safeguards over cardholder data Monitor access to cardholder data and network resources  Test security systems  Maintain an information security policy In fewer words: Merchants must protect cardholder data from internal and external threats.  How can Tessian help with cybersecurity framework implementation? As we’ve seen, all cybersecurity frameworks require businesses to protect the information in their control from threats such as: Social engineering attacks  Accidental data loss Insider threats Across three solutions, Tessian detects and prevents email-based cybersecurity threats. Why email? Read more about why email is the threat vector cybersecurity leaders are most concerned about on our blog.  You can also learn why rule-based DLP solutions are failing and why the world’s top organizations (in some of the most regulated industries) trust Tessian.

We’re back with another monthly roundup of cybersecurity news. Cybercriminals have once again been busy, with several high-profile data breaches and ransomware attacks occurring throughout September. And – rather unsurprisingly – social media platforms Twitter and TikTok have made the cut for the third month running. Here are the top cybersecurity stories from September 2020, including links to further information. Need to catch-up? Check out headlines from July and top stories from August on our blog. Researchers Predict That CEOs Will Be Personally Liable for Cyber-Physical Attacks Research and advisory firm Gartner (who recently named Tessian a Cool Vendor) predicted this month that 75% of CEOs could hold personal liability for “cyber-physical” attacks by 2024. Cyber-physical attacks aim to impact the “real world,” including critical infrastructure, internet of things devices, and healthcare equipment. Such attacks can result in physical injury and death. Gartner predicts that that cyber-physical attacks will cause up to $50 billion of damage by 2023 So what if Gartner is right? It would mean that if a company suffers a cyberattack resulting in physical harm — and it turns out that the company has not implemented appropriate cybersecurity measures — the company’s CEO could have to pay fines with their own money. 

Gartner’s research tells us what every effective business leader already knows — an effective cybersecurity program is an essential requirement for every organization. If a cyberattack occurs, the buck stops with the company’s senior executives. Argentinian Government Faces $4 Million Ransom Following Cyberattack On September 6, Argentina temporarily stopped allowing people to cross its borders after the Netwalker ransomware hit the country. The attackers encrypted government migration data and demanded 355 Bitcoins (around $4 million) to unencrypt it. This cyberattack led to chaos across border checkpoints — but the Argentinian government told domestic news website Infobae that it had no intention of negotiating with the hackers. Ransomware continues to cause havoc worldwide, and it appears the problem is only getting worse. Research by SonicWall recorded approximately 121 million ransomware attacks in the first half of 2020. Personal Information of 46,000 US Military Veterans Breached The US Veterans Association (VA) announced this month that the personal information of around 46,000 military veterans had been “accessed by unauthorized users.” The cybercriminals aimed to “divert payments” intended for healthcare providers. The VA’s financial services team wrote to the affected individuals to advise on how to mitigate the effects of the breach and offer free access to credit monitoring services. The VA serves veterans all over the US. Strict new data breach laws in several jurisdictions — including New York, Washington DC, and Oregan — mean that the VA could face huge fines given the breach’s context. Want to know more about US data security laws? Read our guidance for security leaders. 75% of IT leaders believe the future of work is hybrid In a new report – The Future of Hybrid Working – Tessian reveals that IT leaders and employees both believe the future of work will be remote or hybrid. But, it’s clear this shift won’t be easy. Check out some of the key stats below: 82% of IT leaders believe employees are at greater risk of phishing attacks when working remotely Over a third of IT leaders are worried about their teams will stretched too far in terms of time and resource Half of emoployees have been working on their personal devices since March 2020 Nearly 75% of employees said they received a phishing email while working on a personal device between March and July 2020….and 68% admitted to clicking a link or downloading an attachment within that email 78% of IT leaders think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure Read the full report to learn more and to understand how business can balance flexibility and security without draining IT teams’ resources. Thousands of COVID-19 Patients’ Data Leaked Due to “Human Error” A massive data breach occurred in Wales this month when the personal information of 18,105 coronavirus patients was leaked following an “individual human error.” The breach affected every Welsh resident who tested positive for COVID-19 between February 27 and August 30. Public Health Wales said that the data included the “initials, date of birth, geographical area, and sex” of the affected individuals. In nearly 11% of people, though, the data also included the name of the nursing home or other healthcare setting in which the individual lived. The data was uploaded onto a public server, where it was accessible and searchable for around 20 hours. It was viewed 56 times throughout this period.  Human error is a key cause of data breaches. Statistics show that around 88% of data breaches start with human error, and almost half of all employees believe they have made an error at work leading to security repercussions. Chinese Company Holds Data About 2.4 million Influential People An academic at Fulbright University, Vietnam, has uncovered a vast Chinese database containing personal information of around 2.4 million people and their families. It looks like these individuals are “people of interest” to the Chinese Communist Party (CCP). The company responsible for maintaining this huge database “provides big data analytics as well as other functionality to support Chinese military and intelligence analysts,” according to a research paper. The research also suggests that the CCP uses the data for “intelligence, military, security, and state operations in information warfare and influence targeting.”  The database is believed to provide a way for the CCP to influence people in target sectors. It may be one of many such databases maintained by Chinese companies. Much of the information in the database has been gleaned from publicly-available sources. The Chinese database is yet another important reason you should consider limiting the amount of personal information you put online. You can learn more about how hackers are using open-source recon for deepfakes and other social engineering attacks from Elvis M. Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, who both joined us at Tessian Human Layer Security Summit. You can access their session “Safeguarding the 2020 Elections, Disarming Deepfakes via HLS On-Demand.  Twitter Provides Enhanced Security For US Election Following its spear phishing incident this July, Twitter has announced enhanced account security for certain “high-profile accounts” throughout the US election. Twitter said that various types of accounts, including those belonging to US politicians, campaign officials, and political journalists, would receive the security enhancements from September 17. So what’s changing? First, affected users must create “strong passwords,” of at least ten characters in length. They will need to confirm password reset requests via email. The affected users will also be “strongly encouraged” to enable two-factor authentication (2FA). But that’s not all. Recall that the July spear phishing incident involved “internal support tools” — it wasn’t primarily an issue with users’ account passwords. To address this, Twitter also states that it will improve internal monitoring of the affected accounts, including by using “more sophisticated detections and alerts,” “increased login defenses,” and “expedited account recovery” processes. Want to know how to avoid the issues Twitter faced this July? Read our guidance on “vishing” attacks. UHS Hospitals Hit by Reported Country-Wide Ryuk Ransomware Attack On September 27, Universal Health Services (UHS) – a Fortune 500 hospital and healthcare services provider that serves 3.5 million patients a year – was the target of a cyberattack that disable multiple antivirus programs and left hospitals around the country without access to computer and phone systems. According to employees, files were being renamed to include the .ryk extenstion, computers’ screens changed, and – eventually – shut down, leaving them without access to anything computer-based. And, in response to the attack, employees were told to shut down all systems to block attackers’ from reaching more devices on the network. While UHS hasn’t made a statement, the logistics of the incident suggest ransomware. That means patient and employee data is at risk. Energy Companies Advised to Create Cyberattack Response Plans The US Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) have released a report advising energy providers on creating an Incident Response and Recovery (IRR) plan for cyberattacks. The report is based around an existing cybersecurity framework: the National Institute of Standards and Technology (NIST) Special Publication 800-61, also known as the Computer Security Incident Handling Guide.  Governments appear to be increasingly concerned about the cybersecurity of critical infrastructure. This concern is well-founded — in 2019, 90% of security professionals surveyed across the utilities, energy, health, and transport sectors reported that their organizations had faced at least one successful cyberattack. Much of the advice to energy providers is good practice across all sectors. FERC and NERC recommend a four-part framework, consisting of security controls relating to preparation, detection and analysis, containment and eradication, and post-incident activity.

UK Agency Warns Schools and Universities About Ransomware Attacks As students worldwide return to schools, colleges, and universities, education providers are most concerned with defending against a COVID-19 outbreak. But the UK’s National Cyber Security Centre (NCSC) gave a stark warning about a different type of threat: ransomware. The NCSC’s alert describes “recent trends observed in ransomware attacks” targeting the education sector, which the agency says are increasingly common. The guidance follows a series of ransomware attacks against universities in the UK, US, and Canada this July. The agency warns that cybercriminals are exploiting out-of-date software and are accessing remote desktop protocol (RDP) software using credentials stolen via phishing attacks. It also warns that phishing emails are being used to deploy ransomware. So how does the NCSC recommend education providers protect themselves? The same ways all cyber-secure organizations protect themselves — including ”disrupting ransomware attack vectors” by implementing phishing defenses, and “enabling effective recovery” by keeping backups of data. Implementing DMARC is also essential to prevent brand impersonation and successful spear phishing attacks. And, according to Tessian research, 40% of the top 20 US universities aren’t using DMARC records.  TikTok Ban Delayed Following ByteDance Sale On September 21, US President Trump said he had approved the sale of part of ByteDance, the parent company of video-sharing platform TikTok, to Oracle and Wal-Mart. The deal temporarily averts harsh restrictions on TikTok set out by the US Department of Commerce three days earlier. The sale results from an executive order issued by President Trump in August, stating that the TikTok app “captures vast swaths of information from its users, including… location data and browsing and search histories.” TikTok maintains that this activity is standard industry practice. The US companies could take a collective 20% stake in ByteDance, with Oracle hosting TikTok user data in Oracle Cloud. Some analyses suggest that security-conscious nations and businesses are increasingly likely to implement these sorts of “data localization” measures. Trump had previously assured the public that TikTok would be “totally controlled” by the US firms. However, the president assured a press conference that the companies would be using “separate clouds and very, very powerful security.” That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post.