The Ultimate Guide to Data Loss Prevention
By Andrew Webb
24 November 2021
What is DLP?

Decades of digital technology transformation have given employees amazing powers. But with that power also comes the ability to send millions of dollars in just a few clicks, or share an entire customer database in a single emailed file. Today, your people are often the gatekeepers to your company’s most sensitive systems, IP, and data. Enter data loss prevention (DLP). Your DLP tools and strategy are critical to the safe running of your business. At its core, DLP aims to minimize the risk of confidential or business-critical data leaving an organization.
How much business-critical data do you handle?

Different people within your organization handle a variety of data types. Sales, for example, might have customer names and emails, whereas Finance would have staff payroll details. The product and dev team would probably have sensitive IP information, and roles like sales engineers and tech ops might handle your customers’ data. Regardless of the role though, it’s all information, it’s all valuable to you (and bad actors), and it can all be lost.

Take a moment to ask yourself if your business as a whole routinely handles any of the following:

- company IP
- credit card details
- medical records
- insurance details
- legal case notes
- sensitive financial data
- personally identifiable information (PII)

Chances are, if your business has customers or clients, you’re handling business-critical sensitive data.

Why email is your greatest DLP threat

Now let’s consider how data gets ‘lost’ in the first place… There are several ways, but nearly all of them come down to one thing: people make mistakes, either accidentally or on purpose.
Successful businesses are, by their very nature, porous. Information flows in and out at a near endless rate from staff, customers, prospects, suppliers, trade bodies, local authorities, and government. While recent tools like Slack and Teams have eaten into email’s dominance of internal communication, the main method for external communication remains email, and it is the primary way that most firms conduct business today. In fact, an Adobe Email Usage Study found that employees routinely spend 40% of their work time reading, writing and sending emails.

Let’s stop pretending there are different jobs. There’s only one job and it’s emails. — Kate Helen Downey (@katehelendowney) July 13, 2021

How big is your problem?

How big is your firm? According to data from Tessian’s own platform, employees send nearly 400 emails a month. If your organization has 1000 employees, that’s 400,000 emails, or around 13,000 a day. And if you’re routinely handling and emailing sensitive data, each of those is a data breach waiting to happen. We don’t want to fearmonger (because Fear, Uncertainty, and Doubt (FUD) doesn’t fudging work…) but it’s clear email remains your number one threat vector. The big challenge is that people make around 35,000 decisions every single day; that’s 35,000 chances to make a mistake. In the context of email, that means not always identifying phishing emails correctly, and sometimes attaching the wrong file. This is why, in 2021, an overwhelming 85% of data breaches involved human error.
Insider threats (and how to spot and stop them)

You can secure your perimeter against external attack, but what about the ones that come from ‘inside the house’? The fact is, people break the rules way more often than IT leaders think, both intentionally and accidentally.
Insider threats are an organization’s biggest hidden security problem. With attention directed externally, internal issues are typically under-resourced and under-addressed. What’s more, unlike bad actors or state sponsored hackers, your staff have legitimate access to systems and data. That means they’re in an ideal position to exfiltrate data. You can see why for some companies, it’s a difficult conversation to have.
Yet our State of Data Loss Prevention report found that 45% of all employees download, save, send, or otherwise exfiltrate work-related documents before leaving or after being dismissed from a job. So what can be done? Well, firstly, you need to recognize what data exfiltration looks like. There are two distinct types of insider threats: malicious (those that set out to deliberately cause harm) and negligent (those that cause harm by accident).

Spotting malicious insider threats

So how do you recognize if you have malicious or negligent staff within your organization? Well, there are several telltale signs. Malicious actors, for example, might display declining performance or other signs of dissatisfaction. They might start logging in at unusual hours, have multiple failed logins, or show other abnormal login activity.
Spotting negligent insider threats

Negligent staff, meanwhile, might repeatedly fall for phishing attacks, or fail to comply with basic security policies, for example by consistently misdirecting emails or forgetting to attach files. There could be several reasons for this, from burnout to boredom. Remember also that staff often have genuine reasons to send documents externally. Sending things like plane tickets, restaurant reservations, payslips, and other digital ‘pocket litter’ home isn’t going to cripple your business – but it will generate false positives in your SEG.
Stopping insider threats

What’s critical in stopping these events is real-time oversight of when they happen. In the case of malicious intent, you need to know instantly when someone has attempted an exfiltration to prevent data loss. With negligent staff, on the other hand, it can help to have a build-up of data over time to inform your actions.

The silver lining to this cloud is it isn’t all on you – it’s as much a people issue as a technology issue. As your organization’s cybersecurity leader, you need to work with your people team and other senior leaders on addressing this. Why? Because the costs of an insider threat breach are getting bigger.
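The two login signals mentioned above (logins at unusual hours and bursts of failed logins) are the kind of thing a SOC can alert on in real time. The following is an added example, not Tessian’s code or anything from the original article: it parses a handful of constructed authentication log lines in a hypothetical key=value format and flags each user against an assumed business-hours policy and an assumed failed-login threshold. The thresholds, the log format and the sample users are all assumptions made for the illustration.

```python
"""Flag the login-pattern signals described above over constructed auth log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "key=value" auth log format.
SAMPLE_LOG = """\
2021-11-03T09:02:11Z user=asmith result=OK src=10.1.2.3
2021-11-03T09:05:40Z user=bjones result=OK src=10.1.2.9
2021-11-03T23:48:02Z user=cgreen result=FAIL src=10.1.7.7
2021-11-03T23:48:30Z user=cgreen result=FAIL src=10.1.7.7
2021-11-03T23:49:01Z user=cgreen result=FAIL src=10.1.7.7
2021-11-03T23:49:20Z user=cgreen result=FAIL src=10.1.7.7
2021-11-03T23:50:05Z user=cgreen result=OK src=10.1.7.7
2021-11-04T02:15:44Z user=asmith result=OK src=10.1.2.3
2021-11-04T10:00:00Z user=bjones result=FAIL src=10.1.2.9
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(OK|FAIL) src=(\S+)$")
BUSINESS_HOURS = range(7, 20)      # assumed policy: 07:00 to 19:59 is "normal"
FAIL_THRESHOLD = 4                 # assumed: this many failures inside the window
FAIL_WINDOW = timedelta(minutes=5) # assumed sliding window for a failure burst


def parse(log_text):
    """Turn log text into (timestamp, user, result, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the pipeline
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_signals(events):
    """Return {user: sorted list of signal names} for users that tripped a rule."""
    signals = defaultdict(set)
    fails = defaultdict(list)  # per-user timestamps of recent failures
    for ts, user, result, _src in sorted(events):
        if result == "OK" and ts.hour not in BUSINESS_HOURS:
            signals[user].add("off-hours-login")
        if result == "FAIL":
            fails[user].append(ts)
            # keep only failures that fall inside the sliding window
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if len(fails[user]) >= FAIL_THRESHOLD:
                signals[user].add("failed-login-burst")
    return {u: sorted(s) for u, s in signals.items()}


def analyze(log_text=SAMPLE_LOG):
    """Convenience wrapper: parse then evaluate the rules."""
    return find_signals(parse(log_text))


if __name__ == "__main__":
    for user, sigs in analyze().items():
        print(user, ", ".join(sigs))
```

Running it on the constructed sample flags cgreen for both a failure burst and an off-hours login, and asmith for one off-hours login; bjones, with a single failure during the day, is not flagged. In practice the business-hours window should come from the user’s own baseline rather than a fixed range, since shift workers and other time zones would otherwise produce the false positives the article warns about.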
The repercussions of a breach

Insider or external, a data breach can create significant fallout for your organization. First, there’s the financial cost. This isn’t a one-off fee – it can come in several forms. There’s the loss of revenue in the turbulence as customers churn or take their business elsewhere. Then, depending on your sector, there are the increasing regulatory fines and legal actions. In the EU, GDPR has meant these costs have skyrocketed. Fines are particularly large in sectors like financial services and healthcare.

There’s also the time and resources you’ll spend dealing with a breach, not only the loss incurred by your own staff who now have to deal with this, but any external expertise you have to bring in to help repair or restore systems. But like an end-of-level boss in a video game, by far the biggest and most expensive repercussion is the reputational damage your organization suffers – this can last years. When we asked security leaders what the biggest consequence of a breach is, here’s what they replied. See more at Why DLP Has Failed and What the Future Looks Like.

Every year, IBM publishes their Cost of a Data Breach report. You can get key findings from the 2021 version, as well as the report itself, below, but the key findings regarding breach costs are:

- Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report.
- There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single-year cost increase in the last seven years.
- The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million.
The problems with legacy DLP

Early DLP solutions from the ‘00s were designed to filter bulk spam. Then Internet Service Providers, Secure Email Gateways, and antivirus software added pattern and keyword recognition to identify potentially threatening emails. And today’s DLP solutions added rules and a host of other technical measures… but they’re just not up to the job anymore.
Watch now: DLP Has Failed The Enterprise. What Now?
- Blocking domains: Particular domains, often ‘freemail’, are blocked. But there are plenty of legitimate reasons to send and receive emails from people with ‘freemail’ domains. Many small businesses and freelancers use Gmail, for example.
- Blacklisting: Security teams create a list of non-authorized email addresses and simply block all emails sent or received. This requires constant updating and is very time/resource intensive. It’s also reactive; you only know an address is bad after it has been associated with unauthorized communications.
- Keywords: This method uses words and phrases to alert administrators of suspicious email activity. For example, IT and security teams can create rules to identify keywords like “social security numbers” or “bank account details”. But anyone trying to exfiltrate data can circumvent keyword tracking tools by sending the email and the attached data in an encrypted form.
- Tagging data: After classifying data, an organization may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network. The drawback here is that, again, this is time and resource intensive and relies on employees accurately identifying and tagging all sensitive data. Miss a tag, and data is misclassified or simply overlooked.

The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules, and humans often subvert, side-step, or break the rules, even when they know they shouldn’t.
How to bend, not break, the rules

- 51% of staff say security tools and software impede their productivity at work
- 54% of staff say that if security software or policies make it difficult or prevent them from doing their job, they’ll find a workaround

Read: Tessian’s State of Data Loss Protection Report

But workarounds aren’t the only problem with rules… Binary, rule-based DLP solutions offer blunt protection and limited visibility into complex human behavior and data movement. This leaves security leaders in the dark, trawling through logs of flagged and self-reported incidents after they’ve occurred. There’s also the problem of false positives, and genuine, important emails are often buried in quarantine along with potentially harmful ones. And with most risks to data security actually coming from within an organization, security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network. The result is that legacy DLP has gotten way more expensive and complicated, and requires more and more administration and fire-fighting from InfoSec teams.
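To make the four legacy controls and their blind spots concrete, here is an added example (not code from Tessian or from the original article) that implements a toy rule-based email checker with each control and runs it over four constructed messages. Every address, domain, keyword and attachment in it is invented for the illustration, and the `Email` class, the `check_email` function and the rule names are assumptions of this example.

```python
"""Toy rule-based email DLP: domain block, blocklist, keywords/patterns, tags."""
import re
from dataclasses import dataclass, field

# Constructed rule data, standing in for what a security team would maintain.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
BLOCKLIST = {"known-bad@example.net"}
KEYWORDS = ("social security number", "bank account details")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # simple US SSN-shaped pattern


@dataclass
class Email:
    sender: str
    recipient: str
    body: str
    attachments: dict            # filename -> raw bytes (constructed)
    tags: set = field(default_factory=set)  # labels a human applied, if any


def _contains_sensitive(text):
    lowered = text.lower()
    return any(k in lowered for k in KEYWORDS) or SSN_RE.search(text) is not None


def check_email(mail):
    """Return the list of rule names that fired; an empty list means the rules saw nothing."""
    hits = []
    domain = mail.recipient.rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL_DOMAINS:
        hits.append("freemail-domain")
    if mail.recipient.lower() in BLOCKLIST:
        hits.append("blocklisted-recipient")
    if _contains_sensitive(mail.body):
        hits.append("keyword-or-pattern")
    for name, data in mail.attachments.items():
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            continue  # encrypted or binary payload: the content rule cannot see inside it
        if _contains_sensitive(text):
            hits.append(f"attachment:{name}")
    if "confidential" in mail.tags:
        hits.append("tagged-confidential")
    return hits


# Constructed messages, one per failure mode discussed in the text.
SAMPLE_EMAILS = {
    # legitimate freelancer on Gmail: the domain rule fires anyway (false positive)
    "legit-freelancer": Email("alice@corp.example", "designer@gmail.com",
                              "Attached is the logo draft.", {"logo.txt": b"draft v2"}),
    # plaintext sensitive data in the body: the keyword rule catches it
    "ssn-in-body": Email("bob@corp.example", "partner@vendor.example",
                         "Her social security number is 123-45-6789", {}),
    # customer export sent as an encrypted archive to a non-freemail address: nothing fires
    "encrypted-exfil": Email("carol@corp.example", "c.home@privatemail.example",
                             "Files as discussed.", {"customers.zip": bytes(range(128, 256))}),
    # sensitive CSV that nobody tagged and that contains no listed keyword: nothing fires
    "untagged-export": Email("dave@corp.example", "friend@example.org", "FYI",
                             {"export.csv": b"name,email\nJane,jane@x.example\n"}),
}


def run_samples():
    """Evaluate every constructed message and return {name: hits}."""
    return {name: check_email(mail) for name, mail in SAMPLE_EMAILS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:18} -> {hits or 'no rule fired'}")
```

The result is the asymmetry the article describes: the one harmless message (a freelancer on Gmail) is the one that gets flagged, the SSN typed in plain text is caught, and both the encrypted archive and the untagged export pass silently because the rules only see what is in plain text or what a person remembered to label.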
Is it time to re-think your DLP strategy?

It’s clear that traditional DLP can’t prevent all data loss. This is where Tessian comes in. Tessian’s Human Layer Security platform automatically detects accidental data loss, malicious exfiltration, and phishing attacks in real-time, before sensitive data leaves your environment. Crucially, it doesn’t stop your employees from doing what they do best – their actual jobs – yet still provides you with clear visibility of threats. Indeed, a recent Forrester Consulting report found that the security and risk leaders who have adopted Human Layer Security feel more prepared to face security and data loss incidents and to face a hybrid workforce than those who haven’t. They believe their email security posture is extremely effective at alerting the organization to potential attacks/threats from users’ risky behaviors or poor security decisions. Meanwhile, those who don’t take a Human Layer approach feel less control over business disruptions.
We’re seeing more and more industry pioneers explore this option, layering a tool like Tessian on top of Microsoft 365’s native tools. We take a deep dive into this new approach in our recent webinar ‘DLP Blindspots: Next Gen DLP’.
Ultimately, you know what stage of the journey your organization is on. But if you need further resources to comprehensively compare Tessian’s Human Layer Security alongside legacy DLP, Microsoft 365 DLP capabilities, legacy file encryption, and network and Perimeter Security, we’ve covered all that in forensic detail in this white paper. In it, you’ll learn the pros and cons of different email security solutions, and how they stack up against Human Layer Security. This will help you evaluate a solution that works for you, and that best protects sensitive data in your organization. Read now: Human Layer Security vs. Legacy Email Security Solutions white paper
DLP and Microsoft 365

So what does a smart, fit-for-the-21st-century DLP solution look like? Well, many organizations are now retiring their SEGs in favor of a Microsoft 365 solution, with Tessian layered on top as an EDR. Over a million businesses worldwide use Microsoft 365, with 731,000 companies in the United States alone. Of course, because it’s the most popular solution on the planet, it also makes it a target for bad actors. Although Microsoft 365 provides foundational rule-based data loss prevention (DLP) and data classification to address compliance requirements, it falls short when protecting against data loss caused by people. Tessian complements Microsoft 365 with a behavioral analytics layer and offers enhanced data protection by closing critical DLP use case gaps such as inadvertent or accidental data loss, sensitive data exfiltration to unauthorized or personal accounts, and insider risks.
How Tessian helps secure your Human Layer

We’ve come to the point where you’re considering how best to approach DLP in your organization. From working with our customers over the years, we’ve found that it’s best to think in the following three ways.

Research

You’ve already started the research phase – simply by reading this page. Continue that process by auditing your estate, consulting team members, and identifying solutions. This is also the time to consult your network, join those webinars and read those whitepapers.

Rethink

Any change in your DLP strategy needs to be able to face not only current threats, but future developments in those threats and their impact too. Maybe now really is the time to upgrade that legacy SEG with Microsoft 365 and Tessian. Perhaps you want to stay with a rule-based DLP but are looking for something smarter? In which case Tessian Architect might be the right solution. Part of the re-thinking phase is also re-training. With the average human making 35,000 decisions every single day, we know that a morning of cybersecurity training every six months isn’t as effective as ‘in the moment’ training provided by Tessian. So now’s the time to rethink your training and awareness processes too.

Resource

This is where the rubber hits the road. You can’t do any of the above without the right resources – time, people and budget – but you’re not going to get those without first showing that you’ve done the previous two phases to arrive at a road map to securing your Human Layer.

Introducing Tessian Architect: The Industry’s Only Intelligent Data Loss Prevention Policy Engine
22 Biggest GDPR Fines of 2019, 2020, and 2021 (So Far)
19 November 2021
The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws. Under the GDPR, the EU’s data protection authorities can impose fines of up to €20 million (roughly $20,372,000), or 4 percent of worldwide turnover for the preceding financial year—whichever is higher. Since the GDPR took effect in May 2018, we’ve seen over 800 fines issued across the European Economic Area (EEA) and the U.K. GDPR fines have ramped up significantly in recent months. The sum total of GDPR fines levied in Q3 2021 hit nearly €1 billion—20 times greater than the totals for Q1 and Q2 2021 combined. Let’s take a look at the biggest GDPR fines of 2019, 2020, and 2021, explore what caused them, and consider how you can avoid being fined for similar violations. Looking for information about achieving and maintaining compliance? We explore solutions for reducing email risk (the #1 threat vector according to security leaders) on this page.
The biggest GDPR fines of 2019, 2020, and 2021 (so far)

1. Amazon — €746 million ($877 million)

Amazon’s gigantic GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than the previous record. The full reasons behind the fine haven’t yet been confirmed, but we know the cause has to do with cookie consent. And this isn’t the first time Amazon has been punished due to the way it collects and shares personal data via cookies. In late 2020, France fined Amazon €35 million after the tech giant allegedly failed to get cookie consent on its website.

How the fine could have been avoided: It’s tempting to force users to “agree” to cookies—or make opting out of cookies difficult—to collect as much personal data as possible. But regulators have shown some serious appetite for enforcing the EU’s cookie rules recently. If Amazon had obtained “freely given”, informed, and unambiguous opt-in consent before setting cookies on its users’ devices, the company probably could have avoided this huge GDPR fine.

2. WhatsApp — €225 million ($255 million)

Mere months after Amazon’s colossal GDPR fine knocked Google off the number one GDPR fine spot, WhatsApp pushed Google into third place with a penalty nearly five times as large as the search giant’s previous record. Ireland slammed WhatsApp with this €225 million GDPR penalty after claiming that the messaging service had failed to properly explain its data processing practices in its privacy notice. Ireland is not known for issuing large fines, despite being the European home of nearly every US-based big tech firm. And even this penalty arrived only after other EU data protection authorities used the “one-stop-shop” mechanism to argue that it should have been higher. So what did WhatsApp do wrong? It’s complicated, and the company is appealing the decision. But it boils down to WhatsApp’s alleged failure to explain its legal basis for certain data processing—“legitimate interests.”

How the fine could have been avoided: The Irish DPA said that WhatsApp’s somewhat opaque privacy notice was at fault here—the company should have provided privacy information in an easily accessible format using language its users could understand. If you’re relying on “legitimate interests,” you must make sure you explain what those interests are in respect of each relevant processing operation.

3. Google — €50 million ($56.6 million)

Google’s fine, levied in 2019 and finalized after an unsuccessful appeal in March 2020, was the largest on record until August 2021. The case related to how Google provided privacy notice to its users—and how the company requested their consent for personalized advertising and other types of data processing.

How the fine could have been avoided: Google should have provided more information to users in consent policies and granted them more control over how their personal data is processed.

4. H&M — €35 million ($41 million)

On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed at the time. H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment.

How the fine could have been avoided: H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose. H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment.

5. TIM — €27.8 million ($31.5 million)

On January 15, 2020, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years. TIM’s infractions include a variety of unlawful actions, most of which stem from an overly aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.

How the fine could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.

6. British Airways — €22 million ($26 million)

In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019. So, what happened back in 2018? British Airways’ systems were compromised. The breach affected 400,000 customers and hackers got their hands on log-in details, payment card information, and travelers’ names and addresses.

How the fine could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, it seems BA didn’t even have basics like multi-factor authentication in place at the time of the breach. Going forward, the airline should take a security-first approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.

7. Marriott — €20.4 million ($23.8 million)

While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened? 383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. Personal data like guests’ names, addresses, passport numbers, and payment card information was exposed. Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.

How the fine could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systems with a stronger data loss prevention (DLP) strategy and utilized de-identification methods.

8. Wind — €17 million ($20 million)

On July 13, the Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities. The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe. The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.

How the fine could have been avoided: Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could demonstrate that sending marketing materials was in its “legitimate interests.” For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date.

9. Vodafone Italia — €12.3 million ($14.5 million)

Vodafone Italia’s November 2020 fine was issued in relation to a vast range of alleged GDPR violations, including provisions within Articles 5, 6, 7, 16, 21, 25, 32, and 33. So what did Vodafone do that resulted in so many GDPR violations? The company’s data processing issues included failing to properly secure customer data, sharing personal data with third-party call centers, and processing without a legal basis—all brought to light after complaints about the company’s telemarketing campaign.

How the fine could have been avoided: Vodafone’s marketing operations may have triggered the Italian DPA’s investigation, but the company’s data management and security were the fundamental issues here. Vodafone might have avoided this large fine by conducting regular audits of its data and properly documenting all relationships with third-party data processors.

10. Notebooksbilliger.de — €10.4 million ($12.5 million)

German electronics retailer notebooksbilliger.de (NBB) received this significant GDPR fine on January 8, 2021. The penalty relates to how NBB used CCTV cameras to monitor its employees and customers. The CCTV system ran for two years, and NBB reportedly kept recordings for up to 60 days. NBB said it needed to record its staff and customers to prevent theft. The Lower Saxony DPA said the monitoring was an intrusion on its employees’ and customers’ privacy.

How the fine could have been avoided: NBB’s fine reflects strict attitudes towards CCTV monitoring in parts of Germany. The regulator said NBB’s CCTV program was not limited to a specific person or period. Using CCTV isn’t prohibited under the GDPR, but you must ensure it is a legitimate and proportionate response to a specific problem. The UK’s ICO has some guidance on using CCTV in a GDPR-compliant way.

11. Austrian Post — €9 million ($10.23 million)

Austria’s largest GDPR fine hit in September 2021, when Austrian Post received a €9 million sanction for allegedly failing to facilitate data subject rights requests properly. If a data subject hoped to access, delete, or rectify personal data held by Austrian Post, the company provided a variety of mediums by which to make a request, including a web form, mail, or phone number. The one means of communication that Austrian Post did not recognize, however, was email—and the Austrian DPA said that the mail carrier should have allowed data subjects to submit a rights request via any medium they preferred.

How the fine could have been avoided: Austrian Post (which is planning to appeal the fine) should have processed data subject rights requests however they arrived—forcing data subjects to use a particular communication method and excluding email is not an acceptable way to facilitate their rights.

12. Eni — €8.5 million ($10 million)

Eni Gas e Luce (Eni) is an Italian gas and oil company that was found to have made marketing phone calls without a proper legal basis. While telemarketing is covered by the ePrivacy Directive, this is another example of how any processing of personal data without a proper legal basis can lead to a GDPR fine.

How the fine could have been avoided: Eni should have ensured it had a proper legal basis for telemarketing before calling any of its customers or leads. In this case, the Italian DPA said that the proper lawful basis would have been consent.

13. Vodafone Spain — €8.15 million ($9.72 million)

Vodafone’s €8.15 million fine, issued by the Spanish DPA (the AEPD) on March 11, 2021, is actually made up of four fines for violating the GDPR and other Spanish laws covering telecommunications and cookies. The Vodafone fine stands as Spain’s biggest yet—in a year that has seen the AEPD issue several substantial GDPR penalties. The fine results from 191 separate complaints regarding Vodafone’s marketing activity. Vodafone was alleged not to have taken sufficient organizational measures to ensure it was processing people’s personal data lawfully.

How the fine could have been avoided: Vodafone’s complex series of legal violations all appear to have one thing in common: a lack of organization and control over personal data used for marketing purposes. Whenever you outsource any processing activity to a third party—for example, a marketing agency—you must ensure you have a clear legal basis for doing so. Keep clear records, maintain data processing agreements with contractors, and regularly audit your processing activities to ensure they are lawful.

14. Google — €7 million ($8.3 million)

From a GDPR enforcement perspective, 2020 was not a good year for Google. Along with the company losing its appeal against the French DPA in January, March saw the Swedish Data Protection Authority (SDPA) fining Google for neglecting to remove a pair of search result listings under Europe’s GDPR “right to be forgotten” rules.

How the fine could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.” You can find more information about how to comply with requests for erasure from the ICO here.

15. Caixabank — €6 million ($7.2 million)

This fine against financial services company Caixabank is the largest fine ever issued by the Spanish DPA (the AEPD). The AEPD finalized Caixabank’s penalty on January 13, 2021, breaking Spain’s previous record GDPR fine, against BBVA — issued just one month earlier. This suggests a significant toughening of approach from the Spanish DPA. The first issue, which accounts for €4 million of the total fine, related to how Caixabank established a “legal basis” for using consumers’ personal data under Article 6. Second, Caixabank was fined €2 million for violating the GDPR’s transparency requirements at Articles 13 and 14.

How the fine could have been avoided: The AEPD said Caixabank relied on the legal basis of “legitimate interests” without proper justification. Before you rely on “legitimate interests,” you must conduct and document a “legitimate interests assessment.” The company also failed to obtain consumers’ consent in a GDPR-compliant way. If you’re relying on “consent,” make sure it meets the GDPR’s strict “opt in” standards. The AEPD criticized Caixabank’s privacy policy as providing vague and inconsistent information about its data processing practices. Make sure you use clear language in your privacy notices and keep them consistent across websites and platforms.

16. BBVA (bank) — €5 million ($6 million)

This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020. BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month. Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions.

How the fine could have been avoided: The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages. The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and used its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy.

17. Fastweb — €4.5 million ($5.5 million)

Italy’s DPA (the Garante) fined telecoms company Fastweb €4.5 million on April 2, 2021 for engaging in unsolicited telephone marketing without consent. In particular, the Garante noted that Fastweb was using “fraudulent” telephone numbers that the company had not registered with Italy’s Register of Communication Operators.

How the fine could have been avoided: Fastweb’s fine derives from telemarketing rules that are set out in Italy’s implementation of the ePrivacy Directive, rather than the GDPR. However, the company still appears to have violated the GDPR by failing to obtain valid consent. It’s important to remember this interplay between the EU’s main privacy laws. The ePrivacy Directive requires you to obtain consent for certain activities, but the GDPR sets the standard of consent—and the standard is very high.

18. Eni Gas e Luce — €3 million ($3.6 million)

This fine is one of two imposed on the Italian gas and oil company Eni in December 2019. This is a complicated case involving the creation of new customer accounts—but it boils down to the failure of Eni to obey the GDPR’s principle of accuracy.

How the fine could have been avoided: Data protection is about more than just privacy—it also covers issues like records management. Eni should have ensured its customer records were kept accurate and up-to-date.

19. Capio St. Göran AB — €2.9 million ($3.4 million)

Capio St. Göran is a Swedish healthcare provider that received a GDPR fine following an audit of one of its hospitals by the Swedish DPA.
The audit revealed that the company had failed to carry out appropriate risk assessments and implement effective access controls. As a result, too many employees had access to sensitive personal data. How the fine could have been avoided: Conducting a data protection impact assessment (DPIA) is mandatory under the GDPR for controllers undertaking certain risky activities or handling large-scale sensitive data. Eni should have conducted such an assessment to determine which staff required access to medical records. Access to sensitive personal data should be restricted to those who strictly require it. 20. Iren Mercato — €2.85 million ($3.4 million) In June 2021, the Italian DPA fined energy company Iren Mercato for carrying out a telephone marketing campaign without obtaining proper consent. The phone calls were conducted by a third party marketing company acting as a data processor. How the fine could have been avoided: Many of the fines on our list relate to telemarketing and the failure to obtain GDPR-valid consent. Remember that even when using third-party services to conduct marketing campaigns, you could still be directly liable under the GDPR if you fail to establish a valid legal basis for processing personal data. 21. Foodinho — €2.6 million ($3 million) Groceries delivery service Foodinho received this substantial fine in June 2021, after the Italian DPA found the company had failed to obey the GDPR’s rules on “automated processing,” in this case the use of an algorithm to determine employees’ wages and workflow. The company was also found to have violated the GDPR’s principle of “lawfulness, fairness, and transparency” by failing to provide employees with adequate information. 
How the fine could have been avoided: Foodinho’s fine mainly relates to a relatively niche area of GDPR compliance—”solely automated processing with legal or similarly significant effects.”  In short, if you’re making purely AI-driven decisions about people that could impact on their finances, employment, or access to services, you must ensure you provide a human review of such decisions. 22. National Revenue Agency (Bulgaria) — €2.6 million ($3 million) This August 2019 fine against Bulgaria’s National Revenue Agency was issued after the organization suffered a data breach affecting 5 million people. The breached data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organizational measures to protect the personal data under its control. How the fine could have been avoided: The Bulgarian National Revenue should have conducted a thorough risk assessment of its processing operations and taken effective steps to safeguard personal data. While it’s not clear what caused this data breach, it’s worth noting that the FBI’s Internet Crime Control Center cites email as the number one threat vector in cybercrime.  By securing your company’s email systems, you’re cutting off one of your major vulnerabilities and significantly reducing the likelihood of a data breach.
What else can organizations be fined for under GDPR?  While the biggest fines involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.  In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But, how do you prevent an accident? By focusing on people rather than systems and networks. How does Tessian help organizations stay GDPR compliant?
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.  Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). To learn more about how Tessian helps with GDPR compliance, you can check out this page, our customer stories or book a demo. 
DLP
Why Email Encryption Isn’t Enough: The Need for Intelligent Email Security
By Merlin Kafka
16 November 2021
Encryption of data, whether in transit or at rest, is seen as a cornerstone of data loss prevention best practice. But when it comes to the encryption of data sent via email, the efficacy of legacy approaches to email encryption is increasingly being called into question. This is largely due to the rigid and binary nature of legacy email encryption solutions. Increasingly, email security solutions that rely on encryption to prevent data loss are unable to meet the demands for frictionless and time-sensitive communication. An even greater challenge, however, is the declining effectiveness of this approach to preventing data loss, especially in the face of increasingly sophisticated cyber adversaries and the growing prominence of insider threats. The fundamental challenge of legacy email encryption solutions hinges on their inability to address the root cause of email-related breaches and data loss: human error. In this article, we'll explore the pros and cons of encryption, and more effective alternatives.

What is encryption?

Encryption is a method of data protection that encodes data so that it can't be read by anyone who does not hold the key. File encryption solutions, in particular, often use AES-256 to secure unstructured data, usually with a long list of policies and access rights that the end user must choose before sending an attachment through email. This has a negative impact on real-time communication and collaboration in organizations and with their legitimate business partners.

Is encryption useful in specific cases?

The short answer? Yes. When the first order of business is simply to secure a particular asset, like an email or the attachment in that email, encryption can provide immediate protection of that sensitive information. Depending on the solution, it can work at rest or in transit. It's also a long-standing technology that's widely used, especially when fulfilling particular compliance mandates.
Finally, it tends to be inexpensive compared to other solutions, simply because it’s providing a very targeted and specific technology, as opposed to a more comprehensive data loss prevention solution.   However, we’ve learned from our customers and based on where the market is headed in terms of preventing sensitive data exfiltration that more and more, organizations are actually shifting away from encryption for a variety of reasons (more on this below).   Industry experts also see the severe limitations of encryption in email security.    As Gartner® states in the 2021 Email Security Market Guide, “Although email encryption has been available for many years, the workflow is often very poor, meaning open rates of encrypted emails are historically low. Authenticating the recipient has always been the challenge, requiring users to create new accounts on messaging portals and leading to very poor open rates. With the widespread adoption of cloud email, authenticating users that are on the same platform (e.g. Microsoft 365) has simplified the process, but as soon as recipients are on different platforms, the issue remains.   A number of vendors focused on email data protection are looking to address this with simplified workflows and second-factor authentication. Secure messaging portals that store sensitive information separate from email is one solution, but that raises questions over data residency and where the keys are stored.”
Looking at Encryption? Consider these issues first…

Encryption can give a false sense of security

Back in 2011, Lockheed Martin's servers were hacked. It was reported extensively in the press and was characterized as "significant and tenacious". The press reported that the attackers gained access using SecurID token data stolen in the earlier breach of the security company RSA. In other words, the attackers did not break the encryption; they obtained the credential material that gated access to the protected systems. Encryption is only as strong as the solution used to secure the credentials to those encrypted assets.

Encryption does NOT solve for accidental data loss

Encryption itself doesn't prevent sharing emails with the wrong parties or sending the wrong attachments. It also doesn't solve the root cause of many data loss incidents: sending information to unauthorized or unintended recipients. The recipients of encrypted emails, including incorrect recipients, are free to decrypt them by requesting a one-time password to view the information, because the encryption was applied for whoever holds the recipient address, not for the person the sender actually meant.

Encryption requires end users to set policies and access rights, which can be error-prone and disruptive

File encryption requires that the end user define the policies and access rights to every file they attach to their emails. This is often a huge list of options, including view only, block printing, block forwarding, time bombs, and many other policies. Naturally, users find this process cumbersome, as it hinders their ability to collaborate and communicate through email effectively.

Encryption doesn't work for Insider Threats

Just as we saw in the Lockheed Martin example, the viability of encryption is often dependent on the security of the credentials used to access the encrypted assets. This is exactly what Edward Snowden did: he compromised the credentials of the admins who had access to the encrypted assets.
The bottom line

While security leaders have to consider the loopholes above, perhaps the most important aspect to consider with legacy encryption is its inability to engage the end user in any meaningful way. In other words, the context of the data and attachments in emails is never thoroughly examined, so it's not addressing the root cause of data loss. Instead, cumbersome solutions like encryption are used, which don't account for unknown anomalies, or consider the friction and latency they produce when implemented. To prevent today's email security incidents, your security controls must address the root cause of data loss: human behavior. This is why Gartner recommends adopting cloud-native email security solutions that address data loss by leveraging context-aware machine learning (ML), able to detect threats and anomalies while at the same time educating the end user on email security best practice.

Tessian was included in the report as a Representative Vendor. Here's why:

Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear phishing, and impersonation attacks that bypass SEGs, M365, and G Suite.
Education and awareness: With Tessian's in-the-moment training, organizations can educate and empower users to build continuous email security awareness.
Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as triage and review, reducing the need for manual verification of email threats and the FTE requirements that come with it.
Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI.

Want to learn more about how Tessian compares to legacy solutions?
This whitepaper provides an extensive comparison document that covers a variety of legacy security solutions, including encryption, Secure Email Gateways (SEGs), Legacy Data Loss Prevention, Network and Perimeter Security, DMARC, and many others. 
Human Layer Security Spear Phishing DLP
Tessian Recognized as a Representative Vendor in 2021 Gartner® Market Guide for Email Security
By Ed Bishop
09 November 2021
Tessian is honored to be recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security. According to Gartner the “continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.”
The key findings listed in this Market Guide for Email Security  According to this report, “the adoption of cloud email systems continues to grow, forcing security and risk management leaders to evaluate the native capabilities offered by these providers”. The report further states “solutions that integrate directly into cloud email via an API, rather than as a gateway, ease evaluation and deployment and improve detection accuracy, while still taking advantage of the integration of the bulk of phishing protection with the core platform.”  The report also states that “ransomware, impersonation, and account takeover attacks are increasing and causing direct financial loss, as users place too much trust in the identities associated with email inherently vulnerable to deception and social engineering.”    Gartner recommends that the security and risk managers for email security should:   “Use email security solutions that include anti-phishing technology for business email compromise (BEC), protection that uses AI to detect communication patterns and conversation-style anomalies, as well as computer vision for inspecting suspect URLs.”  “Consider products that also include context-aware banners to help reinforce security awareness training.” “Invest in user education and implement standard operating procedures for handling financial and sensitive data transactions commonly targeted by impersonation attacks. Remove as many targeted ad hoc processes from email as possible.”   This report highlights trends that we believe Tessian is also seeing.    Historically, companies around the globe were deploying the Tessian platform to augment the shortcomings of their Secure Email Gateways (SEGs). 
Customers needed a more comprehensive solution that would stop the real nasty stuff like zero-day attacks and ransomware, and that was able to detect and stop the threats that often slip past their SEGs, such as business email compromise (BEC), account takeover (ATO), spear phishing, and impersonation attacks. Tessian's recent Spear Phishing Threat Landscape 2021 Report examined emails from July 2020 to July 2021 and discovered that nearly 2,000,000 emails slipped through SEGs. An interesting shift we've observed over the past nine months is that more and more customers are leveraging the enhancements made by Microsoft along with the Tessian platform to replace their SEG. We expect that trend to accelerate in 2022. Gartner predicts that "by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG), up from 27% in 2020."

Tessian's approach

Tessian's Human Layer Security platform detects and prevents advanced inbound and outbound threats on email. Tessian automatically stops data breaches and security threats caused by employees on email. Powered by machine learning, Tessian provides unparalleled visibility into human security risks, detects and prevents accidental data loss, data exfiltration, and advanced phishing attacks, while continuously driving employees toward secure email behavior through in-the-moment training. Built as a cloud-native platform, Tessian integrates seamlessly with O365, Google Workspace, and MS Exchange environments within minutes, learns in hours, and starts protecting in a day, closing the critical gaps in the email security stack. Powered by machine learning, our Human Layer Security platform understands normal behavior by analyzing content, context, and communication patterns from historical email data to establish trusted relationship graphs. Tessian can then detect anomalies in real time using those employee relationship graphs alongside deep content analysis, natural language processing, and behavioral analysis, protecting organizations from both inbound and outbound attacks as well as from data leakage caused by accidental or malicious user behavior.
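To make the relationship-graph idea above concrete, and to illustrate the earlier article's point that encryption alone does nothing about a message addressed to the wrong person, here is an added Python example. It is illustrative code written for this page, not Tessian's product code, and it makes no claims about how Tessian's models work. It builds a per-sender graph from a constructed outbound mail history (the addresses and domains are made up), then scores a new message's recipients: an established recipient passes, a never-seen domain warns, and a lookalike of a domain the sender really writes to, or a freemail address receiving a sensitive attachment, is blocked. The freemail list and severity thresholds are assumptions chosen for the example.

```python
"""Misdirected-email detection over a sender/recipient relationship graph.

Added example for this page (not Tessian code). The history below is
constructed sample data: (sender, recipient) pairs from a hypothetical
company's outbound mail log.
"""
from collections import defaultdict

HISTORY = [
    ("alice@acme.example", "bob@partner.example"),
    ("alice@acme.example", "bob@partner.example"),
    ("alice@acme.example", "carol@partner.example"),
    ("alice@acme.example", "dan@acme.example"),
    ("alice@acme.example", "legal@lawfirm.example"),
    ("dan@acme.example", "bob@partner.example"),
]

# Assumed list of consumer webmail domains; a real deployment would use a
# maintained list and an allow-list of approved external personal accounts.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch single-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def severity(reasons: list) -> str:
    """Map the reasons found for one recipient to an action level."""
    if any(r.startswith("lookalike:") for r in reasons):
        return "block"
    if "freemail" in reasons and "sensitive-attachment" in reasons:
        return "block"
    if "new-domain" in reasons:
        return "warn"
    return "info"


class RelationshipGraph:
    """Per-sender counts of who they have emailed before, by address and domain."""

    def __init__(self, history):
        self.recipients = defaultdict(lambda: defaultdict(int))
        self.domains = defaultdict(lambda: defaultdict(int))
        for sender, rcpt in history:
            self.recipients[sender.lower()][rcpt.lower()] += 1
            self.domains[sender.lower()][domain(rcpt)] += 1

    def assess(self, sender: str, recipients, sensitive: bool = False):
        """Return [(recipient, severity, reasons)] for recipients that are anomalous.

        `sensitive` is the caller's judgement that the message carries
        sensitive content (e.g. a DLP classifier hit on an attachment).
        """
        sender = sender.lower()
        known_addrs = self.recipients.get(sender, {})
        known_domains = self.domains.get(sender, {})
        findings = []
        for rcpt in recipients:
            rcpt = rcpt.lower()
            if rcpt in known_addrs:
                continue  # established relationship: nothing to flag
            dom = domain(rcpt)
            reasons = []
            if dom in known_domains:
                reasons.append("new-recipient-at-known-domain")
            else:
                reasons.append("new-domain")
                # A domain one edit away from one the sender really uses is the
                # classic typo / typosquat that encryption happily delivers to.
                for kd in known_domains:
                    if kd != dom and edit_distance(kd, dom) <= 1:
                        reasons.append(f"lookalike:{kd}")
                        break
                if dom in FREEMAIL:
                    reasons.append("freemail")
            if sensitive:
                reasons.append("sensitive-attachment")
            findings.append((rcpt, severity(reasons), reasons))
        return findings


def decision(findings) -> str:
    """Collapse per-recipient findings into one action for the whole message."""
    order = {"info": 0, "warn": 1, "block": 2}
    return max((s for _, s, _ in findings), key=order.get, default="allow")


GRAPH = RelationshipGraph(HISTORY)

if __name__ == "__main__":
    msg = GRAPH.assess("alice@acme.example", ["bob@partner.examp1e", "dan@acme.example"])
    print(decision(msg), msg)
```

In practice the history would be the sender's real sent-items over a training window, the graph would decay old relationships, and a "warn" would surface to the user as an in-the-moment prompt rather than a hard block, so that genuine first contacts are not broken. The point the example makes is the one the encryption article makes: the check has to happen on the recipient relationship before send, because once the message is encrypted to the wrong address the wrong person can decrypt it.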
The Tessian differentiators:

Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and impersonation attacks that bypass SEGs, M365, and G Suite.
Education and awareness: With Tessian's in-the-moment training, organizations can educate and empower users to build continuous email security awareness.
Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as triage and review, reducing the need for manual verification of email threats and the FTE requirements that come with it.
Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI.
Tessian solutions: Tessian Defender is a comprehensive inbound email security solution that automatically prevents a wide range of attacks that bypass Secure Email Gateways (SEGs) while providing in-the-moment training to drive employees toward secure email behavior.  Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails. Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity. Tessian Architect is a powerful policy engine for real-time email data loss prevention. It features a combination of classic elements of DLP policies that provide custom protection against sensitive data loss. To learn more about how Tessian can help strengthen your email security posture, book a demo now.    
Gartner, "Market Guide For Email Security", Mark Harris, Peter Firstbrook, Ravisha Chugh, Mario de Boer, October 7, 2021. Gartner Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
DLP Data Exfiltration
Insider Threats Examples: 17 Real Examples of Insider Threats
By Maddie Rosenthal
21 October 2021
Insider threats are a big problem for organizations across industries. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data, unlike the external bad actors many security policies and tools help defend against. It could be anyone, from a careless employee to a rogue business partner. That’s why we’ve put together this list of Insider Threat types and examples. By exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to spot Insider Threats before a data breach happens.
Types of Insider Threats

First things first, let's define what exactly an Insider Threat is. Insider threats are people (whether employees, former employees, contractors, business partners, or vendors) with legitimate access to an organization's networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information. The key here is that there are two distinct types of Insider Threats:

The Malicious Insider: Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some kind of financial incentive, a competitive edge, or simply because they're holding a grudge for being let go or furloughed.

The Negligent Insider: Negligent insiders are just your average employees who have made a mistake. For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear phishing attack, or lose their work device.

We cover these different types of Insider Threats in detail in this article: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions.

17 Examples of Insider Threats
1. The employee who exfiltrated data after being fired or furloughed Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed. This has caused widespread distress. When you combine this distress with the reduced visibility IT and security teams have while their colleagues work from home, you're bound to see more incidents of Malicious Insiders. One such case involves a former employee of a medical device packaging company, Dobbins, who was let go in early March 2020. By the end of March, and after he had been given his final paycheck, Dobbins got back into the company's computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records. This caused significant delays in the delivery of medical equipment to healthcare providers. The lesson is the one that recurs throughout this list: access must be revoked, and any self-created or shared accounts hunted down, on the day an employee leaves.
2. The employee who sold company data for financial gain In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web.  The breach affected 547,000 customers and in 2018 after an investigation by the ICO, Bupa was fined £175,000.
3. The employee who stole trade secrets In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets. The employee, Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE's systems over eight years, intending to use them to start a rival company. The FBI investigation into Delia's scheme revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially sensitive calculations to a co-conspirator. Having pleaded guilty to the charges, Delia faces up to 87 months in jail. What can we learn from this extraordinary inside job? Ensure you have watertight access controls, so that an administrator cannot grant access outside the approval process, and that you can monitor employee email accounts for suspicious activity such as sensitive files going to external addresses.
4. The employees who exposed 250 million customer records Here's an example of a "negligent insider" threat. In December 2019, a researcher from Comparitech noticed that around 250 million Microsoft customer support records were exposed on the open web. This exposure meant that the personal information of up to 250 million people, including email addresses, IP addresses, and location, was accessible to anyone with a web browser. This incident represents a potentially serious breach of privacy and data protection law and could have left Microsoft customers open to scams and phishing attacks, all because the relevant employees failed to secure the databases properly. Microsoft reportedly secured the information within 24 hours of being notified about the exposure.
5. The nuclear scientists who hijacked a supercomputer to mine Bitcoin Russian secret services reported in 2018 that they had arrested employees of the country’s leading nuclear research lab on suspicion of using a powerful supercomputer for bitcoin mining. Authorities discovered that scientists had abused their access to some of Russia’s most powerful supercomputers by rigging up a secret bitcoin-mining data center. Bitcoin mining is extremely resource-intensive and some miners are always seeking new ways to outsource the expense onto other people’s infrastructure. This case is an example of how insiders can misuse company equipment.
6. The employee who fell for a phishing attack While we've seen a spike in phishing and spear phishing attacks since the outbreak of COVID-19, these aren't new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 MB of data were stolen. This data related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records.
7. The work-from-home employees duped by a vishing scam Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. One cybercrime group conducted one of the most high-profile hacks of 2020 — knocking 4% off Twitter’s share price in the process. In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials. Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam. This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know — your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes. Want to learn more about vishing? We cover it in detail in this article: Smishing and Vishing: What You Need to Know About These Phishing Attacks.
8. The ex-employee who got two years for sabotaging data The case of San Jose resident Sudhish Kasaba Ramesh serves as a reminder that it’s not just your current employees that pose a potential internal threat—but your ex-employees, too. Ramesh received two years imprisonment in December 2020 after a court found that he had accessed Cisco’s systems without authorization, deploying malware that deleted over 16,000 user accounts and caused $2.4 million in damage. The incident emphasizes the importance of properly restricting access controls—and locking employees out of your systems as soon as they leave your organization.
9. The employee who took company data to a new employer for a competitive edge This incident involves two of the biggest tech players: Google and Uber. In 2015, a lead engineer at Waymo, Google's self-driving car project, left the company to start his own self-driving truck venture, Otto. But, before departing, he exfiltrated several trade secrets including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives. How? By downloading 14,000 files onto his laptop directly from Google servers. Otto was acquired by Uber after a few months, at which point Google executives discovered the breach. In the end, Waymo was awarded $245 million worth of Uber shares and, in March 2020, the employee pleaded guilty.
10. The employee who stole a hard drive containing HR data Coca-Cola was forced to issue data breach notification letters to around 8,000 employees after a worker stole a hard drive containing human resources records. Why did this employee steal so much data about his colleagues? Coca-Cola didn’t say. But we do know that the employee had recently left his job—so he may have seen an opportunity to sell or misuse the data once outside of the company. Remember—network and cybersecurity are crucial, but you need to consider whether insiders have physical access to data or assets, too.
11. The employees leaking customer data  Toward the end of October 2020, an unknown number of Amazon customers received an email stating that their email address had been “disclosed by an Amazon employee to a third-party.” Amazon said that the “employee” had been fired — but the story changed slightly later on, according to a statement shared by Motherboard which referred to multiple “individuals” and “bad actors.” So how many customers were affected? What motivated the leakers? We still don’t know. But this isn’t the first time that the tech giant’s own employees have leaked customer data. Amazon sent out a near-identical batch of emails in January 2020 and November 2018. If there’s evidence of systemic insider exfiltration of customer data at Amazon, this must be tackled via internal security controls.
12. The employee offered a bribe by a Russian national In September 2020, a Nevada court charged Russian national Egor Igorevich Kriuchkov with conspiracy to intentionally cause damage to a protected computer. The court alleges that Kriuchkov attempted to recruit an employee of Tesla’s Nevada Gigafactory. Kriuchkov and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The Kriuchkov conspiracy was disrupted before any damage could be done. But it wasn’t the first time Tesla had faced an insider threat. In June 2018, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.” With state-sponsored cybercrime syndicates wreaking havoc worldwide, we could soon see further attempts to infiltrate companies. That’s why it’s crucial to run background checks on new hires and ensure an adequate level of internal security.
13. The ex-employee who offered 100 GB of company data for $4,000 Police in Ukraine reported in 2018 that a man had attempted to sell 100 GB of customer data to his ex-employer’s competitors—for the bargain price of $4,000. The man allegedly used his insider knowledge of the company’s security vulnerabilities to gain unauthorized access to the data. This scenario presents another challenge to consider when preventing insider threats—you can revoke ex-employees’ access privileges, but they might still be able to leverage their knowledge of your systems’ vulnerabilities and weak points.
14. The employee who accidentally sent an email to the wrong person Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But, what are the implications? It depends on what data has been exposed.
In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included:
- Mental health information
- Surgery information
While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. We outline even more consequences of misdirected emails in this article.
15. The employee who accidentally misconfigured access privileges NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS. These documents, marked “SENSITIVE” and “OFFICIAL”, contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic.
16. The security officer who was fined $316,000 for stealing data (and more!) In 2017, a California court found ex-security officer Yovan Garcia guilty of hacking his ex-employer’s systems to steal its data, destroy its servers, deface its website, and copy its proprietary software to set up a rival company. The cybercrime spree was reportedly sparked after Garcia was fired for manipulating his timesheet. Garcia received a fine of over $316,000 for his various offenses. The sheer amount of damage caused by this one disgruntled employee is pretty shocking. Garcia stole employee files, client data, and confidential business information; destroyed backups; and even uploaded embarrassing photos of his one-time boss to the company website.
17. The employee who sent company data to a personal email account We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend. But, in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes.
How common are Insider Threats?
Incidents involving Insider Threats are on the rise, with a marked 47% increase over the last two years. This isn’t trivial, especially considering the global average cost of an Insider Threat is $11.45 million, up from $8.76 million in 2018.
Who’s more culpable, Negligent Insiders or Malicious Insiders?
- Negligent Insiders (like those who send emails to the wrong person) are responsible for 62% of all incidents
- Negligent Insiders who have their credentials stolen (via a phishing attack or physical theft) are responsible for 25% of all incidents
- Malicious Insiders are responsible for 14% of all incidents
It’s worth noting, though, that credential theft is the most detrimental to an organization’s bottom line, costing an average of $2.79 million.
Which industries suffer the most?
The “what, who, and why” behind incidents involving Insider Threats vary greatly by industry. For example, customer data is most likely to be compromised by an Insider in the Healthcare industry, while money is the most common target in the Finance and Insurance sector. But, who exfiltrated the data is just as important as what data was exfiltrated. The sectors most likely to experience incidents perpetrated by trusted business partners are:
- Finance and Insurance
- Federal Government
- Entertainment
- Information Technology
- Healthcare
- State and Local Government
Overall, though, when it comes to employees misusing their access privileges, the Healthcare and Manufacturing industries experience the most incidents. On the other hand, the Public Sector suffers the most from lost or stolen assets and also ranks in the top three for miscellaneous errors (for example misdirected emails) alongside Healthcare and Finance. You can find even more stats about Insider Threats (including a downloadable infographic) here.
The bottom line: Insider Threats are a growing problem. We have a solution.
DLP
Introducing Tessian Architect: The Industry’s Only Intelligent Data Loss Prevention Policy Engine
By Ed Bishop
11 October 2021
Legacy Data Loss Prevention is quickly becoming an antiquated technology that isn’t evolving to meet the needs of enterprise organizations. Most of these solutions rely heavily on rules, create massive overhead for admin teams, and typically require constant manual fine-tuning to manage the myriad of false alerts. And even with legacy DLP in place, data breaches continue to happen.
Perhaps the most important thing to consider with legacy data loss prevention is that static policies are often not as effective as we need them to be. They tend to be severely limited, and often restrict employees far more than is necessary. These cumbersome solutions are based on known signatures, which don’t account for unknown anomalies, or consider the friction and latency they produce when implemented.
Here at Tessian, we believe that the next generation of Data Loss Prevention is fundamentally about shifting away from a static, rules-based approach to a dynamic, behavioral approach that can address the specific context of each potential incident.
We have seen firsthand how Data Loss Prevention has become too reliant on static rules and places far too much burden on admins to identify, investigate and remediate sensitive data loss. That’s why we built Guardian and Enforcer, to automatically prevent both accidental data loss and sensitive data exfiltration to unauthorized accounts. However, we have also seen that custom policies, when combined with dynamic behavioral analysis, play an important role in an organization’s DLP strategy. When policies are used, they should be intelligent where applicable, easy to configure and manage, and leverage end-user remediation to reduce administrative burden. Now, with Tessian Architect, enterprises can deploy powerful intelligent DLP policies. Architect completes Tessian Guardian and Enforcer and provides the market’s best-in-class Email DLP platform.
Here Are Some of the Top Use Cases Architect Can Address
- Detect hidden content in Excel spreadsheets to prevent accidental disclosure of sensitive data
- Use regular expressions to detect specific data types and identify high-severity breaches by defining unique match thresholds (e.g. more than 5 unique records)
- Warn on sensitive attachments without Microsoft Information Protection labels, and detect when attachments labelled as ‘Confidential’ are sent to unauthorized accounts
- Educate and remind users when a sensitive attachment has been labelled as ‘Public’ or ‘General’
- Set up intelligent information barriers to prevent sensitive data sharing between teams
- Detect PII/PHI shared externally in bulk
- Detect financial data such as credit card numbers and bank account numbers
- Detect unencrypted personal health information shared externally
- Block attachments containing high volumes of PII from being sent to unauthorized accounts
- Migrate and simplify DLP policies from legacy tools and consolidate related policies using powerful logic blocks
- Enhance rule-based legacy DLP policies with machine learning, such as Tessian’s sensitivity algorithm, to minimise the number of false positives
How Does Tessian Architect Work?
Let’s take a deeper look at the product.
Create Custom Policies or Deploy Pre-built Tessian DLP Policies
These new DLP capabilities allow administrators to quickly and easily build DLP policies to meet basic and advanced data loss requirements, including establishing and maintaining regulatory compliance. Choose from pre-built policies that solve for your specific use cases or industry requirements, or build your own policies to meet your organization’s unique needs. Use community policies to adopt best practices sourced from industry leaders in the Tessian Network. Policies may contain any number of DLP conditions and can be simple or complex, relying entirely on machine learning, on basic rules, or on both. Testing, tuning and rolling out policies can be done within hours, not days, weeks, or months. Test a policy change in production in as little as one minute.
Analyze Email DLP Policy Performance Across Your Security Environment Quickly view real-time policy performance and determine what types of data loss are most prevalent in your organization. Insights are provided such as the number of data loss events detected, as well as information about those data loss incidents within specified time periods.
Policy Editor Provides Maximum Protection for Sensitive Data Build advanced, nested-logic policies and consolidate multiple policies that are related to similar topics. This is needed for advanced use cases to allow companies to consolidate and simplify policies as they’re migrating legacy DLP policies.
Integrate with Any Data Classification System, including Microsoft Information Protection (MIP)  Combine the machine learning and behavioral approach of Tessian with Microsoft Information Protection and data classification to further protect against sensitive data loss. Tessian detects sensitive attachments without Microsoft Information Protection labels. In addition, Tessian will also detect when data labeled “confidential” is about to be sent to unauthorized parties.
In-the-Moment Educational Warnings to Stop Accidental Data Loss and Sensitive Data Exfiltration in Real-Time Tessian warnings act as in-the-moment training for employees, continuously educating them about exfiltration, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time.
Benefits of Tessian Architect
1. Automatically Stop Sensitive Data Exfiltration to Unauthorized Parties: Whether it’s an employee negligently sending emails to unauthorized or personal accounts, or individuals maliciously stealing company intellectual property, Tessian automatically stops sensitive data from being sent to any unauthorized recipients.
2. Automated and Pre-built DLP Policies: Take the guesswork out of building DLP policies with Tessian’s policy library, with the flexibility to build your own to adhere to your organization’s unique data protection requirements.
3. Reduce Admin Burden by an Order of Magnitude: Reduce admin overhead with end-user remediation and powerful policy logic that simplifies DLP configurations. Cut through noisy DLP alerts and gain new visibility of high-severity incidents and anomalous activity.
4. Ensure Regulatory Compliance: Protect against non-compliant activity and prevent users from sharing confidential data with non-business, personal addresses or unauthorized recipients; track and block compliance breaches in real-time.
5. Clear ROI: Many solutions simply report on data loss events; they don’t actually reduce sensitive data exfiltration and risk to the organization. Tessian is different. Security leaders can easily build and deploy DLP policies and show how those policies are proactively helping to improve the organization’s security posture. The benefit? You’ll become a trusted partner across your organization.
Learn more about Data Loss Prevention for the Human Layer
Tessian uses behavioral analysis to address the problem of accidental or intentional data loss by applying human understanding to data exfiltration incidents.
- Guardian: Automatically prevents accidental data loss via misdirected emails and misattached files. No rules required.
- Enforcer: Automatically prevents data exfiltration and other non-compliant activities on email.
- Human Layer Security Intelligence: Comprehensive visibility into employee risks, threat insights, and tools that enable rapid threat investigation and proactive risk mitigation.
- Human Layer Risk Hub: Enables security and risk management teams to deeply understand their organization’s email security posture, including individual user risk levels and drivers.
Learn more about Tessian
Interested in learning more about Tessian Architect? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about Tessian Architect, or book a demo now.
Human Layer Security DLP Compliance Data Exfiltration
You Sent an Email to the Wrong Person. Now What?
By Maddie Rosenthal
04 October 2021
So, you’ve accidentally sent an email to the wrong person. Don’t worry, you’re not alone. According to Tessian research, over half (58%) of employees say they’ve sent an email to the wrong person.  We call this a misdirected email and it’s really, really easy to do. It could be a simple spelling mistake, it could be the fault of Autocomplete, or it could be an accidental “Reply All”. But, what are the consequences of firing off an email to the wrong person and what can you do to prevent it from happening?  We’ll get to that shortly. But first, let’s answer one of the internet’s most popular (and pressing) questions: Can I stop or “un-send” an email?
Can I un-send an email?
The short (and probably disappointing) answer is no. Once an email has been sent, it can’t be “un-sent”. But, with some email clients, you can recall unread messages that are sent to people within your organization. Below, we’ll cover Outlook/Office 365 and Gmail.
Recalling messages in Outlook & Office 365
Before reading any further, please note: these instructions will only work on the desktop client, not the web-based version. They also only apply if both you (the sender) and the recipient use a Microsoft Exchange account in the same organization or if you both use Microsoft 365. In layman’s terms: You’ll only be able to recall unread emails to people you work with, not customers or clients. But, here’s how to do it.
Step 1: Open your “Sent Items” folder
Step 2: Double-click on the email you want to recall
Step 3: Click the “Message” tab in the upper left-hand corner of the navigation bar (next to “File”) → click “Move” → click “More Move Actions” → click “Recall This Message” in the dropdown menu
Step 4: A pop-up will appear, asking if you’d like to “Delete unread copies of the message” or “Delete unread copies and replace with a new message”
Step 5: If you opt to draft a new message, a second window will open and you’ll be able to edit your original message
While this is easy enough to do, it’s not foolproof. The recipient may still receive the message. They may also receive a notification that a message has been deleted from their inbox. That means that, even if they aren’t able to view the botched message, they’ll still know it was sent. More information about recalling emails in Outlook here.
Recalling messages in Gmail
Again, we have to caveat our step-by-step instructions with an important disclaimer: this option to recall messages in Gmail only works if you’ve enabled the “Delay” function prior to fat-fingering an email. The “Delay” function gives you a maximum of 30 seconds to “change your mind” and claw back the email.
Here’s how to enable the “Delay” function.
Step 1: Navigate to the “Settings” icon → click “See All Settings”
Step 2: In the “General” tab, find “Undo Send” and choose between 5, 10, 20, and 30 seconds.
Step 3: Now, whenever you send a message, you’ll see “Undo” or “View Message” in the bottom left corner of your screen. You’ll have 5, 10, 20, or 30 seconds to click “Undo” to prevent it from being sent.
Note: If you haven’t set up the “Delay” function, you will not be able to “Undo” or “Recall” the message. More information about delaying and recalling emails in Gmail here.
So, what happens if you can’t recall the email? We’ve outlined the top six consequences of sending an email to the wrong person below.
What are the consequences of sending a misdirected email?
According to Verizon’s 2021 DBIR, misdelivery is the most common type of error to cause a breach. But is a breach the biggest consequence? We asked employees in the US and UK what they considered the biggest consequences of sending a misdirected email. Here’s what they had to say.
Importantly, though, the consequences of sending a misdirected email depend on who the email was sent to and what information was contained within the email. For example, if you accidentally sent a snarky email about your boss to your boss, you’ll have to suffer red-faced embarrassment (which 36% of employees were worried about). If, on the other hand, the email contained sensitive customer, client, or company information and was sent to someone outside of the relevant team or outside of the organization entirely, the incident would be considered a data loss incident or data breach. That means your organization could be in violation of data privacy and compliance standards and may be fined. But, incidents or breaches don’t just impact an organization’s bottom line. They can result in lost customer trust, a damaged reputation, and more. Let’s take a closer look at each of these consequences.
Fines under compliance standards.
Both regional and industry-specific data protection laws outline fines and penalties for the failure to implement effective security controls that prevent data loss incidents. Yep, that includes sending misdirected emails.
Under GDPR, for example, organizations could face fines of up to 4% of annual global turnover, or €20 million, whichever is greater. And these incidents are happening more often than you might think. Misdirected emails are the number one security incident reported to the Information Commissioner’s Office (ICO). They’re reported 20% more often than phishing attacks. You can read more about the biggest fines under GDPR so far on our blog. Or, if you want to learn how to achieve compliance by reducing email risk, you can check out this page.
Lost customer trust and increased churn.
Today, data privacy is taken seriously… and not just by regulatory bodies. Don’t believe us? Research shows that organizations see a 2-7% customer churn after a data breach and 20% of employees say that their company lost a customer after they sent a misdirected email. A data breach can (and does) undermine the confidence that clients, shareholders, and partners have in an organization. Whether it’s via a formal report, word-of-mouth, negative press coverage, or social media, news of lost – or even misplaced – data can drive customers to jump ship.
Revenue loss.
Naturally, customer churn + hefty fines = revenue loss. But, organizations will also have to pay out for investigation and remediation and for future security costs. How much? According to IBM’s latest Cost of a Data Breach report, the average cost of a data breach today is $3.86 million.
Damaged reputation.
As an offshoot of lost customer trust and increased customer churn, organizations will – in the long-term – also suffer from a damaged reputation. Like we’ve said: people take data privacy seriously. That’s why, today, strong cybersecurity actually enables businesses and has become a unique selling point in and of itself. It’s a competitive differentiator. Of course, that means that a cybersecurity strategy that’s proven ineffective will detract from your business.
But, individuals may also suffer from a damaged reputation or, at the very least, will be embarrassed. For example, the person who sent the misdirected email may be labeled careless and security leaders might be criticized for their lack of controls. This could lead to…
Job loss.
Unfortunately, data breaches – even those caused by a simple mistake – often lead to job losses. It could be the Chief Information Security Officer, a line manager, or even the person who sent the misdirected email. It goes to show that security really is about people. That’s why, at Tessian, we take a human-centric approach and, across three solutions, we prevent human error on email, including accidental data loss via misdirected emails.
How does Tessian prevent misdirected emails? Tessian turns an organization’s email data into its best defense against human error on email. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling Tessian Guardian to automatically detect and prevent anomalous and dangerous activity like emails being sent to the wrong person. Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.  That means that if, for example, you frequently worked with “Jim Morris” on one project but then stopped interacting with him over email, Tessian would understand that he probably isn’t the person you meant to send your most recent (highly confidential) project proposal to. Crisis averted.  Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.
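The paragraph above describes a relationship-based check rather than a content rule. The following is an added, deliberately simple illustration of that idea and is not Tessian’s model or code: it uses only a constructed sent-mail history to flag a recipient who has gone quiet (the “Jim Morris” case) or a never-seen address that shares its name with a known contact at another domain (the autocomplete slip mentioned earlier). All addresses, dates and the 90-day threshold are assumptions.

```python
"""Constructed illustration of a relationship-aware recipient check.
Not Tessian's model: it uses two signals a sent-mail history gives for free,
how recently each address was contacted, and whether a never-seen address
shares its name with a known contact at a different domain."""
from collections import defaultdict
from datetime import datetime

# Constructed sent-mail history: (recipient address, date sent). The
# domains are reserved example names, not real organisations.
SENT_LOG = [
    ("jim.morris@acme-partner.example", "2021-03-02"),
    ("jim.morris@acme-partner.example", "2021-03-09"),
    ("jim.morris@acme-partner.example", "2021-04-01"),
    ("ana.reyes@example.com", "2021-09-20"),
    ("ana.reyes@example.com", "2021-09-27"),
    ("legal@example.com", "2021-09-29"),
]


def build_profile(log):
    """Last-contact date and message count per recipient (case-insensitive)."""
    last, count = {}, defaultdict(int)
    for addr, day in log:
        addr = addr.lower()
        sent = datetime.fromisoformat(day)
        last[addr] = max(last.get(addr, sent), sent)
        count[addr] += 1
    return last, count


def local_part(addr):
    return addr.split("@", 1)[0]


def domain(addr):
    return addr.split("@", 1)[1]


def check_recipients(recipients, log, today, stale_days=90):
    """Return (address, reason) warnings for recipients that look anomalous.

    A known address contacted within stale_days produces no warning; an
    address idle for longer is flagged; an unknown address is flagged, with a
    pointer to the usual contact when one has the same name elsewhere."""
    last, _count = build_profile(log)
    now = datetime.fromisoformat(today)
    warnings = []
    for addr in (r.lower() for r in recipients):
        if addr in last:
            idle = (now - last[addr]).days
            if idle > stale_days:
                warnings.append((addr, f"last contacted {idle} days ago"))
            continue
        lookalikes = [a for a in last
                      if local_part(a) == local_part(addr) and domain(a) != domain(addr)]
        if lookalikes:
            warnings.append((addr, f"new address; you usually write to {lookalikes[0]}"))
        else:
            warnings.append((addr, "new address, never contacted before"))
    return warnings


if __name__ == "__main__":
    draft_to = ["Ana.Reyes@example.com",
                "jim.morris@acme-partner.example",
                "jim.morris@personal-mail.example"]
    for addr, reason in check_recipients(draft_to, SENT_LOG, "2021-10-04"):
        print(f"WARN {addr}: {reason}")
```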
Customer Stories DLP
Customer Story: How Tessian Helped a Private Equity Firm Achieve Threat Visibility Through A Platform Approach
By Maddie Rosenthal
28 September 2021
With over 35 years of investment history, this private equity firm headquartered in Boston, MA, currently has more than 130 investments and nearly 200 employees. Having been a customer since 2018, the firm’s Senior Security Administrator shared how Tessian Guardian and Tessian Enforcer have helped him and his team prevent outbound threats while reducing admin overhead.
Tessian Solutions
- Enforcer: Automatically prevents data exfiltration and other non-compliant activities on email. Enforcer can be easily configured to silently track, warn, or block sensitive emails.
- Guardian: Automatically prevents accidental data loss via misdirected emails and misattached files. No rules required.
Security Environment After Deploying Tessian
The benefits of the platform approach
The fewer tools security teams have to manage, the better, especially since it can be difficult to get a single view of risk when having to pull insights from multiple sources. That’s why the firm bought into Tessian; it solves multiple use cases across one platform, including data exfiltration, accidental data loss, and advanced impersonation attacks. And, with Human Layer Risk Hub, their security team gets granular visibility into employee risk and insights into individual risk levels and drivers. Today, they can differentiate between employees at different levels of risk, and evolve to support each group in unique, personalized ways through training, policies, and in-platform tools.
Find answers faster with Tessian integrations
Integrations with other tools are key. And, while Tessian integrates with well over a dozen products, including SIEM/SOARs, SSO tools, and directory management tools, these are the two Tessian integrations that stand out for the firm’s Senior Security Administrator:
- Azure Active Directory: While Azure Active Directory (AD) groups are a source of truth, building and maintaining them takes a lot of time and effort. Worse still, many security solutions don’t connect with AD groups, which makes zeroing in on an incident or potential risk that applies to a wider group of users impossible. This forces security teams to look at each individual mailbox or user and aggregate them, which can take days. But, because Tessian syncs with AD, all you need to do is select the group. That means you can find what you’re looking for and take action right away.
- SIEM Integrations: Tessian seamlessly integrates with SIEMs like Splunk and Rapid7. In the future, this will allow the firm’s security team to import valuable Tessian data for a more complete picture of their security posture.
According to their security team, the key to effectively garnering insights from data platforms is to decide what data is the most meaningful. That way, SOC teams can reduce the noise, focus on what’s truly valuable, and make informed security decisions.
Empower users without getting in the way
Because Tessian is powered by machine learning instead of rules, it’s able to detect data exfiltration attempts and misdirected emails with incredible accuracy. In fact, on average, employees receive just two warning messages per month. That means when an email is flagged, they pay attention. Better still, Tessian gets smarter over time, and evolves in tandem with changing relationships. As data becomes more accurate, false positives decrease. And with a decrease in false positives comes an increase in trust.
Want to learn more about how Tessian can help you prevent data loss on email? Book a demo now.
Spear Phishing DLP
New ESG Report Highlights Gaps in M365 Native Security Tools
By Jessica Cooper
28 September 2021
Millions of companies around the world depend daily on Microsoft 365, including yours. So to better understand its native security tools, and any gaps within them, we’ve partnered with Enterprise Strategy Group (ESG Global) to produce a new report exploring Microsoft 365’s security environments. The report covers several topics of Microsoft 365, both E3 and E5, including capabilities and gaps for protecting against ransomware, phishing, accidental data loss and sensitive data exfiltration, as well as architectural challenges to consider. The full report, ESG Whitepaper: Closing Critical Gaps in Microsoft 365 Native Security Tools, can be found here.
Report highlights
- Phishing was involved in 43% of breaches in the past year
- Over two-thirds (69%) of respondents to the ESG research survey report that email security has become one of their top 5 cybersecurity priorities
- 18% cite email security as their most important cybersecurity priority
- 62% of organizations are reevaluating all security controls currently available natively
- Ransomware ranks as a top-3 risk concern, with 77% of organizations classifying ransomware as high or medium risk
- 45% of organizations report that more than 40% of their sensitive data flows through their email application
- Cloud-delivered email solutions aren’t a panacea. Moving on-prem email solutions to the cloud replaces the operational infrastructure but doesn’t necessarily fully replace security controls
- Successful credential phishing attacks can lead to email account takeover (ATO), enabling hackers to appear as legitimate insiders, facilitating BEC, data exfiltration, and ransomware
As the report states, email continues to be the backbone of enterprise communications and is considered the most critical infrastructure to daily operations for most. Cloud-delivered email infrastructure has rapidly become the preferred approach to enable email communications, with over 2.3m companies depending on Microsoft 365. For many, handing over email infrastructure to a cloud service provider means transferring and trusting email security and resilience to the provider. Yet as phishing, which was involved in 43% of breaches in the past year, continues at epidemic levels, over two-thirds (69%) of respondents to an ESG research survey report say that email security has become one of their top 5 cybersecurity priorities, with 18% citing email security as their most important cybersecurity priority. While cloud-delivered email providers promise security and resilience, most fall short of what many security and IT teams would consider adequate. Further, adversaries are capitalizing on these homogenous security systems to bypass controls. As a result, ESG research found that 62% of organizations are re-evaluating all security controls currently available natively, with many turning to third-party email security and resilience solutions to supplement native controls. Organizations that are planning to move or have recently moved to cloud-based email should strongly consider the use of third-party email security solutions to ensure that critical email infrastructure and data are adequately secured against the expanding email threat landscape.
Unpacking Microsoft 365 native security controls in E3 and E5
While Microsoft has invested significantly in strengthening security controls for Microsoft 365 (M365), organizations report continuing gaps in the controls included in both E3 and E5 licensing bundles.
Email security

While EOP provides many valuable security features, it is limited in its ability to protect against more sophisticated email attacks, such as social engineering (or “spear-phishing”), business email compromise, account takeover, and many types of ransomware. Detecting these types of more sophisticated attacks requires both behavioral analytics and a contextual understanding of individual communication activities, which don’t exist in EOP. So, while native controls are effective at detecting mass/generic phishing campaigns, they are less effective at detecting highly targeted attacks. For example, EOP uses block lists to detect spam and known malware. Safe Links (available in E5) rewrites URLs and checks them against known lists of malicious URLs before allowing the user to visit the link. The Microsoft 365 E5 bundle includes additional security features by adding the Microsoft 365 Defender endpoint security solution. Additional protection against phishing and ransomware is provided through more advanced malicious URL and attachment protection, including link re-writing and attachment sandboxing. Both approaches, however, can still be vulnerable to new URLs and attacks without “payloads.” Microsoft Defender depends on multiple scan engines to detect malware attachments and malicious URL links, leveraging both signature matching and machine learning to perform behavioral analysis. Because BEC and ATO impersonations often contain no malicious links or attachments, these threats can commonly escape this approach.

Data loss prevention

Minimal data loss protection capabilities are included in the E3 bundle, relying on end-users to manually label documents as sensitive to protect them. Relying on end-users to accurately and consistently classify content puts organizations at risk. On the other hand, applying blanket policies and blocking sensitive information is highly disruptive to users’ productivity and can be an immense burden on security teams.
Further, companies that opt for applying a default classification to all documents and emails end up with the same label being applied to everything, while gaining no new visibility into sensitive data. As a result, organizations most often resort to tracking and after-the-fact remediation instead of proactive detection and real-time response. Additionally, E3 lacks native capabilities to detect and manage insider risk (for example, preventing data theft by departing employees). Native controls also often lack the ability to properly classify non-Microsoft data and files, requiring admins to use workarounds to achieve consistent protection. Data loss prevention is included in the E5 bundle for emails, Teams, and files. Advanced email encryption functionality is also provided, as well as email retention policies. Customer keys for Office 365 are also supported, and some level of insider risk management capabilities is also included.

Context matters in data loss prevention

M365 Email DLP capabilities are, however, not context-aware (meaning that they lack context between the parties exchanging email), resulting in an inability to proactively identify wrong recipients or the unintended inclusion of attachments. M365 detection instead uses a rules-based approach to define DLP policies and classify data (regex pattern matches, proximity of certain keywords to the matching patterns, exact data matching, and fingerprinting). These techniques alone are often unable to detect when email recipients are misaddressed or when the wrong attachments are involved.
Additionally, because these capabilities rely on rule-based techniques or trainable classifiers to align specific data types with DLP policies and to label data (using Azure Information Protection), effectively detecting sensitive information in unstructured data can be problematic (legal, mergers and acquisitions, work orders, bidding documents, and other non-Microsoft formatted files), resulting in users exfiltrating sensitive data and additional false positives. While encryption is often mistakenly perceived as a solution to solve for misdirected emails, recipients included by mistake can still often decrypt emails to gain access to sensitive data. User experience/friction when encrypting emails can also be a barrier to use. 
Email security has long been focused on inbound filtering and the monitoring of user activities looking for well-known patterns of misuse. Yet email usage patterns are more often unique to individual users, those that they communicate with, what they communicate, and how they communicate. This individual usage context is required to detect and stop many of today’s more sophisticated attacks such as spear phishing, BEC, and ATO.  Much of this personal context can be derived through behavioral analytics of historical email, including the analysis of who, what, and when emails were sent in the past. When individual historical patterns, along with context, can be matched against future activity, modern email threats can be detected and stopped, often with little to no user or administrator involvement.  Microsoft 365, the dominant cloud-delivered email solution adopted today, may lack critical security controls needed for certain organizations, therefore motivating many to add supplemental security solutions to close gaps. Whether in the planning stage, implementation stage, or post-implementation, third-party email security controls should be considered with all cloud-delivered email solutions.  To learn more, download the full report.
DLP Data Exfiltration
What is Data Exfiltration? Tips for Preventing Data Exfiltration
22 September 2021
Data is valuable currency. Don’t believe us? Data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web.  This data could include anything from email addresses to financial projections, and the consequences of this data being leaked can be far-reaching. Data can be leaked in a number of ways, but when it’s stolen, we call it data exfiltration. You may also hear it referred to as data theft, data exportation, data extrusion, and data exfil.
This article will explore what data exfiltration is, how it works, and how you can avoid the fines, losses, and reputational damage that can result from it.

Types of data exfiltration

Data exfiltration can involve the theft of many types of information, including:

- Usernames, passwords, and other credentials
- Confidential company data, such as intellectual property or business strategy documents
- Personal data about your customers, clients, or employees
- Keys used to decrypt encrypted information
- Financial data, such as credit card numbers or bank account details
- Software or proprietary algorithms

To understand how data exfiltration works, let’s consider a few different ways it can be exfiltrated.

✉ Email

According to IT leaders, email is the number one threat vector. It makes sense. Over 124 billion business emails are sent and received every day, and employees spend 40% of their time on email, sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data with people both in and outside of their organization. Needless to say, it’s a treasure trove of information, which is why it’s so often used in data exfiltration attempts. But how?

- Insider threats can email data to their own personal accounts or to third parties.
- External bad actors can target employees with phishing, spear phishing, or ransomware attacks. Note: 96% of phishing attacks start via email.

⚡ To learn more about insider threats, check out this article: 11 Real Examples of Insider Threats
⚡ For more information about phishing, click here: What is Spear Phishing? Targeted Phishing Attacks Explained

💻 Remote access

Gaining remote access to a server, device, or cloud storage platform is another data exfiltration technique.
An attacker can gain remote access to a company’s data assets via several methods, including:

- Hacking to exploit access vulnerabilities
- Using a “brute force” attack to determine the password
- Installing malware, whether via phishing or another method
- Using stolen credentials, whether obtained via a phishing attack or purchased on the dark web

According to 2020 Verizon data, over 80% of “hacking” data exfiltration incidents involve brute force techniques or compromised user credentials. That’s why keeping passwords strong and safe is essential. Remote data exfiltration might occur without a company ever noticing. Consider the now infamous 2020 SolarWinds hack: the attackers installed malware on thousands of organizations’ devices, which silently exfiltrated data for months before being detected.

💾 Physical access

As well as using remote-access techniques, such as phishing and malware, attackers can simply upload sensitive data onto a laptop, USB drive, or another portable storage device, and walk it out of a company’s premises. Physically stealing data from a business requires physical access to a server or device. That’s why this method of exfiltration is commonly associated with current or former employees. And it happens more frequently than you might think. One report shows that:

- 15% of all insiders exfiltrate data via USBs, and 8% of external bad actors do the same
- 11% of all insiders exfiltrate data via laptops/tablets, and 13% of external bad actors do the same

Here’s an example: in 2020, a Russian national tried to persuade a Tesla employee to use a USB drive to exfiltrate insider data from the company’s Nevada premises.

⚡ We’ve rounded up a dozen examples of data exfiltration here: 12 Examples of Data Exfiltration.
How common is data exfiltration?

So how significant a problem is data exfiltration, and why should your company take steps to prevent it? It’s hard to say how often data is successfully exfiltrated from a company’s equipment or network. But we know that the cybercrime methods used to carry out data exfiltration are certainly on the increase. For example, phishing was the leading cause of complaints to the FBI’s Internet Crime Complaint Center (IC3) in 2020. The FBI’s data suggests that phishing incidents more than doubled compared to the previous year. The FBI also reported that the number of recorded personal data breaches increased from around 38,000 to over 45,000 in 2020. Verizon’s 2020 data suggests that companies with more than 1000 employees were more likely to experience data exfiltration attempts, but that attacks against smaller companies were much more likely to succeed. Verizon also noted that “the time required to exfiltrate data has been getting smaller,” but “the time required for an organization to notice that they have been breached is not keeping pace.” In other words, cybercriminals are getting quicker and harder to detect.

Consequences of data exfiltration

We’ve seen how data exfiltration, and cybercrime more generally, is becoming more common. But even if a company experiences only one data exfiltration attack, the consequences can be devastating. There’s a lot at stake when it comes to the data in your company’s control. Here are some stats from IBM about the cost of a data breach:

- The average data breach costs $3.6 million
- The cost is highest for U.S. companies, at $8.6 million
- Healthcare is the hardest-hit sector, with companies facing an average loss of $7.1 million

What are the causes of these phenomenal costs? Here are three factors:

- Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is an expensive business, not to mention the thousands of hours that can be lost trying to determine the cause of a breach.
- Lawsuits: Many companies face enormous lawsuits for losing customer data. Trends suggest a continuing increase in data-breach class action cases through 2021.
- Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.
How to prevent data exfiltration

Understanding the form, causes, and consequences of data exfiltration is important. But what’s the best way to prevent data exfiltration?

🎓 Staff training

Business leaders know the importance of helping their employees understand information security. Staff training can help your staff spot some of the less sophisticated phishing attacks and learn the protocol for reporting a data breach. However, while staff training is important, it’s not sufficient to prevent data exfiltration. Remember these words from the U.K.’s National Cyber Security Centre (NCSC): “No training package (of any type) can teach users to spot every phish. Spotting phishing emails is hard.”

🚫 Blocking or blacklisting

To prevent data exfiltration attempts, some organizations block or blacklist certain domains or activities. This approach involves blocking certain email providers (like Gmail), domains, or software (like Dropbox) that are associated with cyberattacks. However, this blunt approach impedes employee productivity. Blacklisting fails to account for the dynamic nature of modern work, where employees need to work with many different stakeholders via a broad variety of mediums.

💬 Labeling and tagging sensitive data

Another data loss prevention (DLP) strategy is to label and tag sensitive data. When DLP software notices tagged data moving outside of your company’s network, this activity can be flagged or prevented. However, this approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable: employees may label incorrectly or not label sensitive data at all.

🔒 Email data loss prevention (DLP)

Email is a crucial communication method for almost every business. But, as we’ve seen, it’s also a key way for fraudsters and criminals to gain access to your company’s valuable data. According to Tessian platform data, employees send nearly 400 emails a month.
In an organization with 1,000 employees, that’s 400,000 possible data breaches each month. That’s why security-focused organizations seek to lock down this critical vulnerability by investing in email-specific DLP software.

⚡ Want to learn more about email DLP? We cover everything you need to know here: What is Email DLP? Complete Overview of DLP on Email.

How does Tessian prevent data exfiltration?

Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats. Our Human Layer Security platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks. To learn more about how Tessian detects and prevents data exfiltration attempts, check out our customer stories or talk to one of our experts today.
Customer Stories DLP
Customer Story: How Tessian Combines Data Loss Prevention With Education in Financial Services
20 September 2021
Having deployed Tessian at the end of 2020, Israel Bryski, Head of Information Security at an investment management firm headquartered in NYC, shared how Tessian has helped him and his team improve their security posture while changing employee behavior long-term. The firm, which was formed in the early 1980s, has offices across Spain, Germany, the UK, and Singapore, and currently has 200 employees managing retirement plans and investments for roughly 30,000 current and former McKinsey employees.

Their journey to Tessian

Before working with Tessian, the firm had their developers build a custom Outlook add-in to prevent accidental data loss via misdirected emails. Every time someone sent an outbound email to an external domain, they would get a pop-up asking them, “Are you sure to send to this domain?” But, because there was no context in the pop-up, it wasn’t as effective as it could have been immediately following roll-out. Employees were still blindly ignoring the warning and accidentally sending emails to the wrong person. At the same time, the security team was also struggling to make security awareness training engaging and relevant to employees.

Solution

- Guardian: Automatically prevents accidental data loss via misdirected emails and misattached files. No rules required.
- Human Layer Risk Hub: Enables security and risk management teams to deeply understand their organization’s email security posture, including individual user risk levels and drivers.
Security Environment After Deploying Tessian

Explaining the “why” behind policies to change behavior

For Israel and his team, education is key. Having learned from their custom-built Outlook add-in, which warned employees when an email was being sent to the wrong email address but didn’t offer insight into the “why”, the team wanted to find a solution that offered context and that would bolster their security awareness training programs. They found that in Tessian and, since deployment, they’ve actually seen a change in behavior and a reduction in data loss incidents.
Learn more about why in-the-moment warnings are so effective. Because Tessian is powered by machine learning instead of rules, it’s able to detect data exfiltration attempts and misdirected emails with incredible accuracy. In fact, on average, employees receive just two warning messages per month. That means when an email is flagged, they pay attention. Better still, Tessian gets smarter over time and evolves in tandem with changing relationships. As data becomes more accurate, false positives decrease. And with a decrease in false positives, comes an increase in trust.
Preventing accidental data loss without impeding productivity

Since deploying Tessian, over 100 data loss incidents have been prevented. Israel shared an example: Someone at the firm created a goodbye video for a senior exec who was retiring; they meant to send it to a colleague who would play the video in the goodbye meeting. When the sender put the address in the To field, they typed in the first letters, and a cached address for an external vendor popped up. They didn’t pay attention, added that address to the email, and tried to send it. When they went to send the email, they got the Guardian pop-up asking whether that vendor’s address was really meant to be part of the group of recipients. They read the contextualized warning, removed that particular vendor, and added the correct recipient. It goes to show: Tessian does more than prevent breaches. It also saves employees from red-faced embarrassment. Israel and his team have gotten kudos from quite a few people in the firm. One exec in particular was always casting a shadow over the different security tools that had been deployed. He explained, saying “When we got kudos from him, that was a big win in my book! He actually sees the value of Tessian, why we’re purchasing new technology, and why we’re constantly evaluating new solutions on the market that can augment and complement our security program.”
Interested in learning more about how Tessian can help prevent accidental data loss in your organization? You can read some of our customer stories here or book a demo.
DLP
How to Close Critical Data Loss Prevention (DLP) Gaps in Microsoft 365
By Jessica Cooper
15 September 2021
Over a million businesses worldwide use Microsoft 365, with 731,000 companies in the United States alone. That represents a big juicy audience for hackers, bad actors and others. And although Microsoft 365 provides foundational rule-based data loss prevention (DLP) and data classification to address compliance requirements, it falls short when protecting against data loss caused by people. That’s why many of our customers choose Tessian to layer on top of 365, to stop complex, targeted attacks most SEGs just can’t stop. Tessian complements Microsoft 365 with a behavioral analytics layer and offers enhanced data protection by closing critical DLP use case gaps such as inadvertent or accidental data loss, sensitive data exfiltration to unauthorized or personal accounts, and insider risks. Tessian also has more robust investigation, reporting, and remediation tools. In this article, we’ll explore three DLP challenges, identify where Microsoft 365 falls short, and describe how Tessian helps security teams overcome them. Want to explore this topic in greater detail? Download the Solution Brief: How Tessian Closes Critical DLP Gaps in Microsoft 365.

Microsoft 365 can’t stop accidental data loss

Misdirected emails are the number one data security incident reported to data protection regulators across the world. Every day, inadvertent human error on email leads to organizations putting their customers’ data at risk, breaching mandatory industry and data protection regulations and losing highly sensitive intellectual property. In fact, according to Tessian research, 800 misdirected emails are sent every year in organizations with 1,000 employees. You can check out 11 data breaches caused by misdirected emails here. Microsoft’s capabilities here are limited to files on SharePoint and OneDrive sites, where you can allow or block specific domains. It cannot detect if you shared an email or files (including files in SharePoint) with the wrong party.
In addition, Microsoft 365 Email DLP capabilities are not context-aware. What that means in practice is that they lack context between the parties exchanging email and hence cannot proactively identify wrong recipients or wrong attachments. Microsoft 365 detection is purely based on DLP policies and data classification: regex pattern matches, proximity of certain keywords to the matching patterns, exact data matching and fingerprinting. These techniques cannot be applied to detect wrong recipients or wrong attachments.
How does Tessian prevent accidental data loss?

Stop Misdirected Emails

Tessian’s behavioral approach ensures that emails reach the right recipients, preventing accidental data breaches over email. Leveraging historical data to map email relationships with context, deep content inspection, and behavioral analysis, Tessian identifies first-time contacts, flags recipient anomalies, and stops misdirected emails in real-time.

Prevent Wrong Attachments

Tessian uses a combination of attachment scanning, natural language processing (NLP), and deep content inspection to map email content to users, entities, and projects. This helps detect a variety of anomalies and warns when employees are about to send a wrong attachment.

Easy and Accurate Reporting

Insights and analytics in the Human Layer Security Platform make compliance and reporting easy. Admins can readily filter, view, and track accidental data loss events prevented by type, as either misdirected emails or misattached files, using the HLS intelligence portal to mitigate events. Learn more about Tessian Guardian.
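The distinction drawn above, and in the ESG passage on context earlier on this page, between rules-based DLP (regex pattern matches, keyword proximity, exact data matching) and context-aware recipient checks built from historical email is easy to see in code. The following is an added example written for this page; it is not Tessian’s, Microsoft’s or ESG’s code, and the history, addresses, domains and filenames in it are constructed. The heuristics it uses (an external domain within two edits of a known one, a never-before-seen recipient, an attachment whose words have only ever gone to a different domain) are assumptions chosen to illustrate the idea, not a description of any product’s detection logic.

```python
"""Rules-based DLP beside a context-aware recipient check (added example)."""
import re
from collections import defaultdict

# Constructed history of one sender's outbound mail: (sender, recipient, attachments).
HISTORY = [
    ("alice@example-corp.com", "bob@example-corp.com", ["q3-forecast.xlsx"]),
    ("alice@example-corp.com", "carol@acme-partners.com", ["acme-contract.pdf"]),
    ("alice@example-corp.com", "carol@acme-partners.com", ["acme-contract-v2.pdf"]),
    ("alice@example-corp.com", "dan@bigbank.com", ["bigbank-pricing.xlsx"]),
]

# ---- rules-based detection: regex pattern match, keyword proximity, checksum ----
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
CARD_KEYWORDS = ("card", "visa", "mastercard", "cvv", "expiry")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def rules_dlp(body: str):
    """(rule, matched_text) hits: a card number counts only if it passes Luhn and a
    payment keyword appears within 40 characters of it (keyword proximity)."""
    hits, lowered = [], body.lower()
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        window = lowered[max(0, m.start() - 40): m.end() + 40]
        if luhn_ok(digits) and any(k in window for k in CARD_KEYWORDS):
            hits.append(("credit_card", m.group()))
    return hits


# ---- context-aware detection: who this sender writes to and what they share ----
def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def tokens(filename: str):
    """Alphabetic words of the file stem: 'bigbank-pricing-v3.xlsx' -> {'bigbank', 'pricing'}."""
    stem = filename.rsplit(".", 1)[0].lower()
    return {t for t in re.split(r"[^a-z0-9]+", stem) if len(t) >= 3 and t.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot a mistyped or lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_profile(history):
    """Per sender: known recipients, known external domains, and the domains each
    attachment word has previously been shared with."""
    profile = defaultdict(lambda: {"recipients": set(), "domains": set(), "tokens": defaultdict(set)})
    for sender, rcpt, attachments in history:
        p = profile[sender]
        p["recipients"].add(rcpt.lower())
        if domain_of(rcpt) != domain_of(sender):
            p["domains"].add(domain_of(rcpt))
        for name in attachments:
            for t in tokens(name):
                p["tokens"][t].add(domain_of(rcpt))
    return profile


def recipient_anomalies(profile, sender, recipients, attachments):
    """Flag external recipients this sender has never written to (naming the known
    domain when the new one is within two edits of it) and attachments whose words
    have only ever gone to a different domain. Internal recipients are skipped."""
    p, own = profile[sender], domain_of(sender)
    external = [r for r in recipients if domain_of(r) != own]
    findings = []
    for r in external:
        if r.lower() in p["recipients"]:
            continue
        d = domain_of(r)
        close = sorted(k for k in p["domains"] if k != d and edit_distance(d, k) <= 2)
        findings.append((r, "lookalike_domain", close[0]) if close else (r, "first_time_recipient", None))
    ext_domains = {domain_of(r) for r in external}
    for name in attachments:
        seen_with = set().union(*(p["tokens"].get(t, set()) for t in tokens(name)))
        if ext_domains and seen_with and not (seen_with & ext_domains):
            findings.append((name, "attachment_mismatch", sorted(seen_with)))
    return findings


# Constructed outbound message: autocomplete picked a mistyped partner domain, and the
# attachment is one that has only ever gone to bigbank.com. No regex rule fires on it.
MISDIRECTED = {
    "sender": "alice@example-corp.com",
    "recipients": ["carol@acme-partner.com", "bob@example-corp.com"],
    "attachments": ["bigbank-pricing-v3.xlsx"],
    "body": "Hi both, the updated pricing sheet is attached. Shout if anything looks off.",
}
CARD_IN_BODY = "Please charge card 4111 1111 1111 1111 for the deposit, thanks."  # constructed

if __name__ == "__main__":
    prof = build_profile(HISTORY)
    print("rules:", rules_dlp(MISDIRECTED["body"]), rules_dlp(CARD_IN_BODY))
    print("context:", recipient_anomalies(prof, MISDIRECTED["sender"],
                                          MISDIRECTED["recipients"], MISDIRECTED["attachments"]))
```

Run as a script, the rules engine finds nothing wrong with the misdirected message (its body contains no pattern a policy could match) and only fires on the constructed card-number body, while the profile built from past mail flags both the lookalike domain and the attachment that has never gone to that partner. The two checks are complementary rather than alternatives: content rules still belong in the pipeline for the data types they describe well.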
Microsoft 365 can’t prevent exfiltration of sensitive data to unauthorized or personal accounts

Whether it’s an employee negligently sending emails to unauthorized or personal accounts, or individuals maliciously stealing company intellectual property for personal gain while exiting the company, sensitive data exfiltration is a major problem in today’s organizations. Don’t believe us? 27,500 unauthorized emails are sent every year in organizations with 1,000 employees. Unfortunately, Microsoft 365 DLP capabilities do not effectively detect when unstructured data leaves the organization. This is because they are not able to identify the unique context of each employee at a granular level. Traditional approaches to preventing data exfiltration on email rely on a litany of pre-defined rules and denylists, and on retrospective incident response. Tackling the problem of data exfiltration by manually maintaining denylists in a world of innumerable new freemail and personal domains is a losing game. Relying on users to manually classify documents puts organizations at risk, while relying on machine-based regex classification for sensitive content detection or human-in-the-loop quarantine leads to false positives, false negatives and significant administrative burden.
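The denylist problem just described, and the tailored warn/block/track responses described for Enforcer in the next section, can be illustrated with a small classifier that does not depend on knowing every personal-mail domain. This is an added example written for this page, not Tessian’s or Microsoft’s code. The company domain, the short freemail set and the outbound events are constructed, and the core heuristic is an assumption: a recipient mailbox that embeds the sender’s own name (full name, initial plus surname, or a surname of five or more letters) is treated as the sender’s personal account whatever its domain, so a brand-new mail provider is caught without any list update. Like any name heuristic it can misfire on common names; the policy mapping is what lets a team decide whether that means a warning or a block.

```python
"""Flagging exfiltration to an employee's own outside mailbox without a domain denylist (added example)."""
import re
from datetime import datetime, timezone

COMPANY_DOMAIN = "example-corp.com"                                            # constructed
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me", "icloud.com"}  # constructed, deliberately incomplete

# Response per recipient class is plain configuration so a security team can tune it:
# block the send, warn the sender in the moment, track silently, or allow.
POLICY = {
    "personal_self": "block",
    "freemail": "warn",
    "external_business": "track",
    "internal": "allow",
    "escalate_freemail_with_attachment": True,   # warn becomes block when a file is attached
}


def name_parts(local_part: str):
    """Alphabetic name fragments of a mailbox name: 'alice.nguyen' -> ['alice', 'nguyen']."""
    return [t for t in re.split(r"[^a-z]+", local_part.lower()) if len(t) >= 3]


def looks_like_own_mailbox(sender_local: str, recipient_local: str) -> bool:
    """True when the recipient mailbox embeds the sender's full name, initial+surname,
    or a surname of five or more letters. The domain is deliberately not consulted."""
    parts = name_parts(sender_local)
    if not parts:
        return False
    flat = re.sub(r"[^a-z]", "", recipient_local.lower())
    candidates = {"".join(parts), parts[0][0] + parts[-1]}
    if len(parts[-1]) >= 5:
        candidates.add(parts[-1])
    return any(c in flat for c in candidates)


def classify_recipient(sender: str, recipient: str, company_domain: str = COMPANY_DOMAIN) -> str:
    s_local = sender.lower().split("@", 1)[0]
    r_local, r_domain = recipient.lower().rsplit("@", 1)
    if r_domain == company_domain:
        return "internal"
    if looks_like_own_mailbox(s_local, r_local):
        return "personal_self"       # caught even on a domain no denylist has heard of
    if r_domain in FREEMAIL:
        return "freemail"
    return "external_business"


def evaluate(event: dict, policy: dict = POLICY, company_domain: str = COMPANY_DOMAIN) -> dict:
    """Map each recipient of an outbound event to (class, action) under the policy."""
    decisions = {}
    for rcpt in event["recipients"]:
        kind = classify_recipient(event["sender"], rcpt, company_domain)
        action = policy[kind]
        if kind == "freemail" and event.get("attachments") and policy["escalate_freemail_with_attachment"]:
            action = "block"
        decisions[rcpt] = (kind, action)
    return decisions


def audit_record(event: dict, decisions: dict) -> dict:
    """Record for later investigation; the strictest per-recipient action decides the outcome."""
    rank = {"allow": 0, "track": 1, "warn": 2, "block": 3}
    strictest = max((a for _, a in decisions.values()), key=rank.get, default="allow")
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "sender": event["sender"],
        "attachments": list(event.get("attachments", [])),
        "decisions": decisions,
        "outcome": strictest,
    }


# Constructed outbound events from one employee.
EVENTS = [
    {"sender": "alice.nguyen@example-corp.com", "recipients": ["alicenguyen88@gmail.com"],
     "attachments": ["customer-list.xlsx"]},
    {"sender": "alice.nguyen@example-corp.com", "recipients": ["a.nguyen@somenewmail.io"],
     "attachments": []},                      # unknown provider: no denylist would have it
    {"sender": "alice.nguyen@example-corp.com", "recipients": ["bob.smith@gmail.com", "ops@example-corp.com"],
     "attachments": []},
    {"sender": "alice.nguyen@example-corp.com", "recipients": ["carol@acme-partners.com"],
     "attachments": ["acme-contract.pdf"]},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(audit_record(event, evaluate(event)))
```

The first two events are blocked because the recipient mailbox is, by the name heuristic, the sender’s own account, regardless of whether the domain appears in FREEMAIL; the third only warns because a colleague’s Gmail address with no attachment is a lower-risk pattern; the fourth is tracked silently as ordinary business mail. Changing the response for a class is a one-line edit to POLICY, which is the shape of tunable triggers the text describes.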
How does Tessian prevent data exfiltration?

Automatically Detect Non-business Email Accounts with Historical Email Data

Tessian analyzes historical email data to understand normal content, context and communication patterns, enabling a comprehensive mapping of every employee’s business and non-business email contacts. Relationship graphs are continuously updated as email behavior changes over time after Tessian is deployed.

Perform Real-time Analysis of Emails Before They’re Sent to Detect Data Exfiltration

Tessian’s Human Layer Security Engine analyzes all outbound emails in real-time and uses machine intelligence to automatically predict data exfiltration based on insights from the relationship graph, deep inspection of the email content, and previous user behavior.

Automatically Detect and Prevent Data Exfiltration Over Email

With Tessian, you can automatically detect anomalous patterns of exfiltration. Real-time warnings are shown to employees when data exfiltration threats are detected and guide them towards secure behavior. Warning triggers can be tailored to suit your company’s security policies and workflow requirements; employees can be warned, emails can be blocked, or activity can be silently tracked. Employee interactions are also logged for inspection in the Tessian dashboard. Learn more about Tessian Enforcer.

Microsoft 365 can’t measure and report impact of human layer risk

Insider threats are often perceived to include only those who may have malicious intent, such as disgruntled employees or employees who hack into the organization to gain access to credentials. However, employees exfiltrating data via email are often simply careless or negligent as well.
Microsoft 365 monitoring and reporting capabilities, including its insider risk capabilities, are focused on content detection and triage. They do not provide holistic visibility into employee risk profiles or high-risk users, which security and risk management leaders need in order to take specific actions to improve their employees’ data handling practices and strengthen their security posture.
How does Tessian approach insider risk management?

Tessian’s approach is human-centric and behavioral, and is able to detect intent and the unique context of the particular employee’s situation. The Human Layer Security Platform maps employee email activity and builds unique security identities for every individual. Dashboards and analytics surface these insights and give full visibility into threats you’ve never been able to detect before. With Tessian, you can predict and preempt security risks caused by human behavior.

Superior Risk Analytics

Individual risk profiles are enriched with a broad range of signals, from email usage patterns, relationship graphs, job role and real-time security decisions as well as from 12 months of historical emails, and individual risk scores are calculated from them. Because of this unique data modeling, Tessian provides a profile that is contextually rich with granular visibility into risk drivers.

Dynamic Risk Scoring

Security risk scores are dynamically updated to represent an accurate individual risk profile in real time. The risk scores trend down when the user makes positive security decisions and trend up when poor security decisions are made, or if the user exhibits high-risk email security behavior. These scores and risk drivers are also aggregated at the user, department, and company level and are benchmarked against the Tessian network.

Defend Against Data Breaches with Defensible Audit

Detailed reporting and audit logs provide defensible proof against data breaches. If risk is identified, Tessian’s Human Layer Risk Hub enables you to formally document all associated events such as exposure, owner, mitigation decisions and actions. Learn more about Tessian Human Layer Risk Hub.