

Email DLP

Read our latest articles, tips and industry-specific news around Data Loss Prevention (DLP). Learn about the implications of data loss on email.

Email DLP
New Report From The Ponemon Institute: Data Loss Prevention on Email in 2022 Report
By Negin Aminian
18 May 2022
New research from the Ponemon Institute reveals that nearly 60% of organizations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months. Email was revealed as the riskiest channel for data loss in organizations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).

Key findings

The Ponemon Institute surveyed 614 IT security practitioners across the globe to also reveal that:

- Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)
- Over a quarter (27%) of data loss incidents are caused by malicious insiders
- It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email
- Almost one in four (23%) organizations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient)

The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.

The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organization’s reputation (52%). One of our previous studies found that almost one-third (29%) of businesses lost a client or customer because of an employee sending an email to the wrong person.

Lack of visibility creates data loss challenges

Organizations cannot protect what they can’t see. A lack of visibility of sensitive data that employees transferred from the network to personal email was cited as the most common barrier (54%) to preventing data loss. Further, over half of respondents (52%) report being unable to identify legitimate data loss incidents and standard employee data handling behaviors.

As a result, it takes security teams 72 hours, on average, to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email, and almost 48 hours to detect and remediate an incident caused by a negligent employee.

Greater education required for employees

The majority of organizations (73%) are concerned that employees do not understand the sensitivity or confidentiality of data they share through email. In addition, marketing and public relations departments are most likely to put data at risk when using email (61%), closely followed by production/manufacturing (58%) and operations (57%).

Despite these risks, organizations do not have adequate training in place. While 61% have security awareness training, only about half of IT security leaders say their programs properly address the sensitivity and confidentiality of the data that employees can access on email.

“This study showcases the severity of data loss on email and the implications it has for modern enterprises,” said Larry Ponemon, chairman and founder of Ponemon Institute. “Our findings prove the lack of visibility organizations have into sensitive data, how risky employee behavior can be on email and why enterprises should view data loss prevention as a top business priority.”

Tessian’s Chief Information Security Officer, Josh Yavor, said, “Most security awareness training programs focus on inbound threats, yet fail to adequately address the handling of sensitive data internally. But data loss – whether accidental or intentional – is a major threat and should be treated as a top priority.

“To create awareness and mitigate data loss incidents, organizations need to be proactive in delivering effective data loss prevention training while also gaining greater visibility into how employees handle company data. Security awareness training that directly addresses common types of data loss – including what’s okay to share with personal accounts and what’s not okay to take with you when you leave a company – and a culture that builds trust and confidence among employees will improve security behaviors and limit the amount of data that flows out of the organization.”
Email DLP Data Exfiltration
Insider Threat Statistics You Should Know: Updated 2022
By Maddie Rosenthal
13 May 2022
Between 2018 and 2020, there was a 47% increase in the frequency of incidents involving Insider Threats. This includes malicious data exfiltration and accidental data loss. The latest research, from the Verizon 2021 Data Breach Investigations Report, suggests that Insiders are responsible for around 22% of security incidents.

Why does this matter? Because these incidents cost organizations millions, are leading to breaches that expose sensitive customer, client, and company data, and are notoriously hard to prevent.

In this article, we’ll explore:

- How often these incidents are happening
- What motivates Insider Threats to act
- The financial impact Insider Threats have on larger organizations
- The effectiveness of different preventive measures

You can also download this infographic with the key statistics from this article. If you know what an Insider Threat is, click here to jump down the page. If not, you can check out some of these articles for a bit more background:

- What is an Insider Threat? Insider Threat Definition, Examples, and Solutions
- Insider Threat Indicators: 11 Ways to Recognize an Insider Threat
- Insider Threats: Types and Real-World Examples
How frequently are Insider Threat incidents happening?

As we’ve said, incidents involving Insider Threats have increased by 47% between 2018 and 2020. A 2021 report from Cybersecurity Insiders also suggests that 57% of organizations feel insider incidents have become more frequent over the past 12 months.

But the frequency of incidents varies industry by industry. The Verizon 2021 Breach Investigations Report offers a comprehensive overview of different incidents in different industries, with a focus on patterns, actions, and assets. Verizon found that:

- The Healthcare and Finance industries experience the most incidents involving employees misusing their access privileges
- The Healthcare and Finance industries also suffer the most from lost or stolen assets
- The Finance and Public Administration sectors experience the most “miscellaneous errors” (including misdirected emails)—with Healthcare in a close third place
There are also several different types of Insider Threats and the “who and why” behind these incidents can vary. According to one study:

- Negligent Insiders are the most common and account for 62% of all incidents.
- Negligent Insiders who have their credentials stolen account for 25% of all incidents.
- Malicious Insiders are responsible for 14% of all incidents.

Looking at Tessian’s own platform data, Negligent Insiders may be responsible for even more incidents than most expected. On average, 800 emails are sent to the wrong person every year in companies with 1,000 employees. This is 1.6x more than IT leaders estimate.

Malicious Insiders are likely responsible for more incidents than expected, too. Between March and July 2020, 43% of security incidents reported were caused by malicious insiders. We should expect this number to increase. Around 98% of organizations say they feel some degree of vulnerability to Insider Threats. Over three-quarters of IT leaders (78%) think their organization is at greater risk of Insider Threats if their company adopts a permanent hybrid working structure. Which, by the way, the majority of employees would prefer.

What motivates Insider Threats to act?

When it comes to the “why”, Insiders – specifically Malicious Insiders – are often motivated by money, a competitive edge, or revenge. But, according to one report, there is a range of reasons malicious Insiders act. Some just do it for fun.

But, we don’t always know exactly “why”. For example, Tessian’s own survey data shows that 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed. While we may be able to infer that they’re taking spreadsheets, contracts, or other documents to impress a future or potential employer, we can’t know for certain.

Note: Incidents like this happen the most frequently in competitive industries like Financial Services and Business, Consulting, & Management. This supports our theory.

How much do incidents involving Insider Threats cost?

The cost of Insider Threat incidents varies based on the type of incident, with incidents involving stolen credentials causing the most financial damage.
But, across the board, the cost has been steadily rising.

Likewise, there are regional differences in the cost of Insider Threats, with incidents in North America costing the most and almost twice as much as those in Asia-Pacific.

But, overall, the average global cost has increased 31% over the last 2 years, from $8.76 million in 2018 to $11.45 million in 2020, and the largest chunk goes towards containment, remediation, incident response, and investigation.

But, what about prevention?

How effective are preventative measures?

As the frequency of Insider Threat incidents continues to increase, so does investment in cybersecurity.

But, what solutions are available and which solutions do security, IT, and compliance leaders trust to detect and prevent data loss within their organizations?

A 2021 report from Cybersecurity Insiders suggests that a shortfall in security monitoring might be contributing to the prevalence of Insider Threat incidents. Asked whether they monitor user behavior to detect anomalous activity:

- Just 28% of firms responded that they used automation to monitor user behavior
- 14% of firms don’t monitor user behavior at all
- 28% of firms said they only monitor access logs
- 17% of firms only monitor specific user activity under specific circumstances
- 10% of firms only monitor user behavior after an incident has occurred

And, according to Tessian’s research report, The State of Data Loss Prevention, most rely on security awareness training, followed by following company policies/procedures, and machine learning/intelligent automation. But, incidents actually happen more frequently in organizations that offer training the most often and, while the majority of employees say they understand company policies and procedures, comprehension doesn’t help prevent malicious behavior.

That’s why many organizations rely on rule-based solutions. But, those often fall short. Not only are they admin-intensive for security teams, but they’re blunt instruments and often prevent employees from doing their jobs while also failing to prevent data loss from Insiders.
So, how can you detect incidents involving Insiders in order to prevent data loss and eliminate the cost of remediation? Machine learning.

How does Tessian detect and prevent Insider Threats?

Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. It understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity.

- Tessian Enforcer detects and prevents data exfiltration attempts
- Tessian Guardian detects and prevents misdirected emails
- Tessian Defender detects and prevents spear phishing attacks

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way.

Interested in learning more about how Tessian can help prevent Insider Threats in your organization? You can read some of our customer stories here or book a demo.
Email DLP Compliance
30 Biggest GDPR Fines So Far (2020, 2021, 2022)
05 May 2022
The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws. Under the GDPR, the EU’s data protection authorities can impose fines of up to €20 million (roughly $20,372,000), or 4% of worldwide turnover for the preceding financial year – whichever is higher.

Since the GDPR took effect in May 2018, we’ve seen over 900 fines issued across the European Economic Area (EEA) and the U.K. GDPR fines have ramped up significantly.

Let’s take a look at the biggest GDPR fines, explore what caused them, and consider how you can avoid being fined for similar violations. Last updated May 2022.
The biggest GDPR fines of 2020, 2021, and 2022 (so far)

1. Amazon — €746 million ($877 million)

Amazon’s gigantic GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than the previous record. The full reasons behind the fine haven’t yet been confirmed, but we know the cause has to do with cookie consent.

And this isn’t the first time Amazon has been punished due to the way it collects and shares personal data via cookies. In late 2020, France fined Amazon €35 million after the tech giant allegedly failed to get cookie consent on its website.

How the fine could have been avoided: It’s tempting to force users to “agree” to cookies—or make opting out of cookies difficult—to collect as much personal data as possible. But regulators have shown some serious appetite for enforcing the EU’s cookie rules recently. If Amazon had obtained “freely given”, informed, and unambiguous opt-in consent before setting cookies on its users’ devices, the company probably could have avoided this huge GDPR fine.

2. WhatsApp — €225 million ($255 million)

Mere months after Amazon’s colossal GDPR fine knocked Google off the number one GDPR fine spot, WhatsApp pushed Google into third place with a penalty nearly five times as large as the search giant’s previous record. Ireland slammed WhatsApp with a €225 million GDPR penalty after claiming that the messaging service had failed to properly explain its data processing practices in its privacy notice.

Ireland is not known for issuing large fines, despite being the European home of nearly every US-based big tech firm. And even this penalty arrived only after other EU data protection authorities used the “one-stop-shop” mechanism to argue that it should have been higher.

So what did WhatsApp do wrong? It’s complicated, and the company is appealing the decision. But it boils down to WhatsApp’s alleged failure to explain its legal basis for certain data processing—“legitimate interests.”

How the fine could have been avoided: The Irish DPA said that WhatsApp’s somewhat opaque privacy notice was at fault here—the company should have provided privacy information in an easily accessible format using language its users could understand. If you’re relying on “legitimate interests,” you must make sure you explain what those interests are in respect of each relevant processing operation.

3. Google Ireland — €90 million ($102 million)

The French data protection authority (the CNIL) hit Google Ireland with this substantial fine on Jan 6 2022. The fine relates to the way Google’s European arm implements cookie consent procedures on YouTube. The Google Ireland fine was one of two fines issued as part of the same decision, with the other being levied against California-based Google LLC (which operates Google Search).

So what’s the issue? In a nutshell, the CNIL said that Google should have made it easier for YouTube users to refuse cookies. YouTube sets cookies on our devices to track our online activity for marketing purposes. It’s easy to accept cookies on YouTube, but harder to refuse them. The CNIL noted that refusing cookies required a user to make several clicks, whereas accepting cookies required just one click.

The CNIL justified the relatively high fine by pointing to the large number of people using YouTube and the huge profits that Google derives from the service. But wait a minute—doesn’t Google run its EU operations out of Ireland? How come the Irish regulator didn’t deliver this fine?

The reason, the CNIL contended, is that cookie regulation primarily falls under the ePrivacy Directive, not the GDPR, so regulators can take direct action against website operators in their jurisdiction rather than referring everything back to the organization’s “main establishment.” But the decision still qualifies as a “GDPR fine” because it’s the GDPR that determines how website operators obtain consent.

How the fine could have been avoided: Under the GDPR, consent must be “freely given”, which means equally easy to accept or refuse: if you can accept with one click, you should also be able to refuse with one click.

4. Facebook — €60 million ($68 million)

Facebook’s second-largest GDPR fine (including its WhatsApp fine, above) came from the French data protection authority, the CNIL, on Jan 6, 2022. The social media giant earned this €60 million penalty owing to—you guessed it—failing to obtain proper cookie consent from its users.

The issue here mainly related to the unclear way in which Facebook provided a cookie opt-out. Like with Google (see above and below), accepting cookies on Facebook is a piece of cake—just click “accept.” Refusing them is a little more complicated.

How the fine could have been avoided: The CNIL drew attention to how Facebook’s cookie consent interface seemed to offer no option except “Accept Cookies”—even when it appeared that users were actually refusing them. The CNIL reflected that this language “necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it.” Don’t confuse your users. Keep language simple and straightforward whenever you’re providing privacy information.

5. Google LLC — €60 million ($68 million)

This Jan 6 fine against Google’s California headquarters came alongside the CNIL’s €90 million penalty against the search giant’s European establishment (see fine number 3, above). That larger sanction was levied against Google’s non-compliant setting of cookies on the YouTube platform.

Google LLC was hit with this €60 million blow on the same day for precisely the same reason—but in relation to its search website rather than its video-sharing platform.

How the fine could have been avoided: The takeaway in both Google cases is clear: make sure it’s as easy for your users to refuse cookie consent as it is for them to accept it.
6. Google – €50 million ($56.6 million)

Google’s fine, levied in 2019 and finalized after an unsuccessful appeal in March 2020, was the largest on record until August 2021.

The case related to how Google provided privacy notice to its users—and how the company requested their consent for personalized advertising and other types of data processing.

How the fine could have been avoided: Google should have provided more information to users in consent policies and granted them more control over how their personal data is processed.

7. H&M — €35 million ($41 million)

On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed at the time.

H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers.

Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment.

How the fine could have been avoided: H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.

H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment.

8. TIM – €27.8 million ($31.5 million)

On January 15, 2020, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years.

TIM’s infractions include a variety of unlawful actions, most of which stem from an overly aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.

How the fine could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.

9. Enel Energia — €26.5 million ($29.3 million)

On January 19th, 2022 the Italian data protection authority (‘Garante’) publicized its decision to fine the multinational electric and gas supplier Enel Energia €26.5 million for a range of GDPR violations including failing to get user consent or inform customers before using their personal data for telemarketing calls.

The complex investigation was triggered after Garante had received numerous complaints concerning the receipt of unwanted promotional calls among other problems. The investigation covered Enel Energia’s business partners and included four separate requests for cumulative information, from December 2018 to July 2020, concerning a total of 135 files. Garante also reported that Enel Energia had not sufficiently cooperated with the investigation by failing to respond adequately (if at all) to a number of requests.

How the fine could have been avoided: Enel Energia should have provided more information to users in consent policies and granted them more control over how their personal data is processed. Once caught out, Enel Energia could have also lessened the consequences had they responded to requests by investigators.

10. British Airways – €22 million ($26 million)

In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019.

So, what happened back in 2018? British Airways’ systems were compromised. The breach affected 400,000 customers and hackers got their hands on log-in details, payment card information, and travelers’ names and addresses.

How the fine could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, it seems BA didn’t even have basics like multi-factor authentication in place at the time of the breach.

Going forward, the airline should take a security-first approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.

11. Marriott – €20.4 million ($23.8 million)

While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened?

383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. Personal data like guests’ names, addresses, passport numbers, and payment card information was exposed.

Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.

How the fine could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systems with a stronger data loss prevention (DLP) strategy and utilized de-identification methods.
12. Clearview AI — €20 Million ($20.5 Million)   In what is shaping up to be a busy year for the Italian data protection authority, Clearview AI has been issued a fine of €20 Million by Garante. The fine came on 10 February 2022, after several issues in connection with Clearview’s facial recognition products.  A number of infringements were found including the unlawful processing of personal biometric and geolocation data, and the breaching of several fundamental principles of the GDPR, such as transparency, purpose limitation, and storage limitation. Like Enel Energia, the company also failed to respond to requests in a complete and timely manner.   How the fine could have been avoided: Less is more – Clearview should have only collected and held on to data with a clear purpose, and been transparent about this decision-making with their customers. Better co-operation in the investigation would have also decreased the fine. 13. Meta (Facebook) Ireland — €17 Million ($18.2 Million) On March 15th, 2022 the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland €17 Million for issues which meant it could not readily demonstrate the security measures that it implemented to protect EU users’ data. This failure was spotted in 2018 after twelve personal data breaches were reported to the DPC. How the fine could have been avoided: In this case, these shortcomings were spotted before a more widespread breach occurred. To prepare for future threats, Meta should take a security-first approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place.   14. Wind — €17 million ($18.2 million) On July 13, Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities.   The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. 
Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe.   The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.    How the fine could have been avoided: Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could  demonstrate that sending marketing materials was in its “legitimate interests.”   For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date.     15. Vodafone Italia — €12.3 million ($14.5 million) Vodafone Italia’s November 2020 fine was issued in relation to a vast range of alleged GDPR violations, including provisions within Articles 5, 6, 7, 16, 21, 25, 32, and 33.   So what did Vodafone do that resulted in so many GDPR violations?    The company’s data processing issues included failing to properly secure customer data, sharing personal data with third-party call centers, and processing without a legal basis—all brought to light after complaints about the company’s telemarketing campaign.   How the fine could have been avoided: Vodafone’s marketing operations may have triggered the Italian DPA’s investigation, but the company’s data management and security were the fundamental issues here.   Vodafone might have avoided this large fine by conducting regular audits of its data and properly documenting all relationships with third-party data processors.     16. Notebooksbilliger.de — €10.4 million ($12.5 million) German electronics retailer notebooksbilliger.de (NBB) received this significant GDPR fine on January 8, 2021. 
The penalty relates to how NBB used CCTV cameras to monitor its employees and customers.

The CCTV system ran for two years, and NBB reportedly kept recordings for up to 60 days. NBB said it needed to record its staff and customers to prevent theft. The Lower Saxony DPA said the monitoring was an intrusion on its employees’ and customers’ privacy.

How the fine could have been avoided: NBB’s fine reflects strict attitudes towards CCTV monitoring in parts of Germany. The regulator said NBB’s CCTV program was not limited to a specific person or period.

Using CCTV isn’t prohibited under the GDPR, but you must ensure it is a legitimate and proportionate response to a specific problem. The UK’s ICO has some guidance on using CCTV in a GDPR-compliant way.

17. Austrian Post — €9 million ($10.23 million)

Austria’s largest GDPR fine hit in September 2021, when Austrian Post received a €9 million sanction for allegedly failing to facilitate data subject rights requests properly.

If a data subject hoped to access, delete, or rectify personal data held by Austrian Post, the company provided a variety of mediums by which to make a request, including a web form, mail, or phone number.

The one means of communication that Austrian Post did not recognize, however, was email—and the Austrian DPA said that the mail carrier should have allowed data subjects to submit a rights request via any medium they preferred.

How the fine could have been avoided: Austrian Post (which is planning to appeal the fine) should have processed data subject rights requests however they arrived—forcing data subjects to use a particular communication method and excluding email is not an acceptable way to facilitate their rights.

18. Eni — €8.5 million ($10 million)

Eni Gas e Luce (Eni) is an Italian gas and oil company that was found to have made marketing phone calls without a proper legal basis.
While telemarketing is covered by the ePrivacy Directive, this is another example of how any processing of personal data without a proper legal basis can lead to a GDPR fine.

How the fine could have been avoided: Eni should have ensured it had a proper legal basis for telemarketing before calling any of its customers or leads. In this case, the Italian DPA said that the proper lawful basis would have been consent.
19. Vodafone Spain — €8.15 million ($9.72 million)

Vodafone’s €8.15 million fine, issued by the Spanish DPA (the AEPD) on March 11, 2021, is actually made up of four fines for violating the GDPR and other Spanish laws covering telecommunications and cookies. The Vodafone fine stands as Spain’s biggest yet—in a year that has seen the AEPD issue several substantial GDPR penalties.

The fine results from 191 separate complaints regarding Vodafone’s marketing activity. Vodafone was alleged not to have taken sufficient organizational measures to ensure it was processing people’s personal data lawfully.

How the fine could have been avoided: Vodafone’s complex series of legal violations all appear to have one thing in common: a lack of organization and control over personal data used for marketing purposes.

Whenever you outsource any processing activity to a third party—for example, a marketing agency—you must ensure you have a clear legal basis for doing so. Keep clear records, maintain data processing agreements with contractors, and regularly audit your processing activities to ensure they are lawful.

19. REWE International — €8 Million ($8.8 Million)

The Austrian Data Protection Authority (DPA) has fined Austrian food retailer REWE International €8 million for mismanaging the data of users involved in its loyalty program, jö Bonus Club. The subsidiary had been collecting users’ data without their consent and using it for marketing purposes.

However, REWE is set to appeal the decision, arguing that jö Bonus Club operates independently as a separate subsidiary, Unser Ö-Bonus Club. This comes hot on the heels of a 2021 fine after jö Bonus Club unlawfully collected millions of members’ data and sold it to third parties. For that offense jö Bonus Club paid €2 Million.
How the fine could have been avoided: There are a few things that could be done to stop these recurring fines – seeking consent from customers and applying the fundamental GDPR principles of transparency, purpose limitation, and storage limitation are good places to start.

20. Google – €7 million ($8.3 million)

From a GDPR enforcement perspective, 2020 was not a good year for Google.

Along with the company losing its appeal against the French DPA in January, March saw the Swedish Data Protection Authority (SDPA) fine Google for neglecting to remove a pair of search result listings under Europe’s GDPR “right to be forgotten” rules.

How the fine could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”

You can find more information about how to comply with requests for erasure from the ICO here.

21. Caixabank — €6 million ($7.2 million)

This fine against financial services company Caixabank is the largest fine ever issued by the Spanish DPA (the AEPD).

The AEPD finalized Caixabank’s penalty on January 13, 2021, breaking Spain’s previous record GDPR fine, against BBVA — issued just one month earlier. This suggests a significant toughening of approach from the Spanish DPA.

The first issue, which accounts for €4 million of the total fine, related to how Caixabank established a “legal basis” for using consumers’ personal data under Article 6. Second, Caixabank was fined €2 million for violating the GDPR’s transparency requirements at Articles 13 and 14.

How the fine could have been avoided: The AEPD said Caixabank relied on the legal basis of “legitimate interests” without proper justification.
Before you rely on “legitimate interests,” you must conduct and document a “legitimate interests assessment.”

The company also failed to obtain consumers’ consent in a GDPR-compliant way. If you’re relying on “consent,” make sure it meets the GDPR’s strict “opt in” standards.

The AEPD criticized Caixabank’s privacy policy as providing vague and inconsistent information about its data processing practices. Make sure you use clear language in your privacy notices and keep them consistent across websites and platforms.

22. Cosmote Mobile Telecommunications — €6 Million ($6.6 Million)

In February 2022 the Greek data protection authority, the Hellenic Data Protection Authority (HDPA), fined Cosmote Mobile Telecommunications €6 Million.

The fine was issued after a hack in September 2020 led to customers’ private information being exposed, but the buck didn’t stop there. It was revealed that the company was illegally processing customer data – an activity that exacerbated the issues caused by the hack. To make matters worse, the private data was not fully pseudonymized, making it easier for hackers to identify individuals from the data.

Cosmote’s parent company, OTE group, was then given an additional fine of €3.25 million after the Cosmote investigation determined that OTE should have been included in the process from the beginning but had not been.

How the fine could have been avoided: Unfortunately, this domino effect is not an uncommon occurrence, and it only highlights the importance of abiding by GDPR rules and principles. For a start, Cosmote should only have been processing data lawfully, with a clear purpose, and with proper encryption to protect its customers’ data.

Secondly, this example demonstrates how devastating a hack can be. It has been reported that the hack that caused this breach was a phone hack – meaning secure internet connections, improved physical security and investing in security solutions are all good ways to prevent this from happening.

23. BBVA (bank) — €5 million ($6 million)

This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020.

BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month. Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions.

How the fine could have been avoided: The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages.

The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and used its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy.
24. Fastweb — €4.5 million ($5.5 million)

Italy’s DPA (the Garante) fined telecoms company Fastweb €4.5 million on April 2, 2021 for engaging in unsolicited telephone marketing without consent. In particular, the Garante noted that Fastweb was using “fraudulent” telephone numbers that the company had not registered with Italy’s Register of Communication Operators.

How the fine could have been avoided: Fastweb’s fine derives from telemarketing rules that are set out in Italy’s implementation of the ePrivacy Directive, rather than the GDPR. However, the company still appears to have violated the GDPR by failing to obtain valid consent.

It’s important to remember this interplay between the EU’s main privacy laws. The ePrivacy Directive requires you to obtain consent for certain activities, but the GDPR sets the standard of consent—and the standard is very high.

25. Dutch Tax and Customs Administration — €3.7 Million ($4 Million)

In April 2022, the Dutch Tax and Customs Administration was fined €3.7 Million after the illegal processing of personal data in the Fraud Signaling Facility (FSV) – a blacklist on which the Tax and Customs Administration kept records of fraud. For more than six years, the Tax and Customs Administration had been wrongly putting people on the FSV – around 270,000 people in total – with major consequences for those on the list. The investigation revealed a number of GDPR violations including widespread discrimination, with employees instructed to base the risk of fraud in part on people’s appearance and nationality.

“People were often wrongly labeled as fraudsters, with dire consequences,” Dutch Data Protection Authority Chairman Aleid Wolfsen said in a statement.
“The tax authorities have turned lives upside down with FSV.”

This is the highest fine that the Dutch Data Protection Authority (AP) has ever imposed, and it reflects the seriousness of the violations as well as the number of people affected and the timespan over which the violations occurred.

How the fine could have been avoided: In this extraordinary case, the issues spread beyond data security, with intent and impact both being malicious. It looks like the Dutch Tax and Customs Administration could do with brushing up on not just GDPR rules, but discrimination and equality laws as well.

26. Eni Gas e Luce — €3 million ($3.6 million)

This fine is one of two imposed on the Italian gas and oil company Eni in December 2019. This is a complicated case involving the creation of new customer accounts—but it boils down to the failure of Eni to obey the GDPR’s principle of accuracy.

How the fine could have been avoided: Data protection is about more than just privacy—it also covers issues like records management. Eni should have ensured its customer records were kept accurate and up-to-date.

27. Capio St. Göran AB — €2.9 million ($3.4 million)

Capio St. Göran is a Swedish healthcare provider that received a GDPR fine following an audit of one of its hospitals by the Swedish DPA. The audit revealed that the company had failed to carry out appropriate risk assessments and implement effective access controls. As a result, too many employees had access to sensitive personal data.

How the fine could have been avoided: Conducting a data protection impact assessment (DPIA) is mandatory under the GDPR for controllers undertaking certain risky activities or handling large-scale sensitive data.

Capio should have conducted such an assessment to determine which staff required access to medical records. Access to sensitive personal data should be restricted to those who strictly require it.

28. Iren Mercato — €2.85 million ($3.4 million)

In June 2021, the Italian DPA fined energy company Iren Mercato for carrying out a telephone marketing campaign without obtaining proper consent. The phone calls were conducted by a third-party marketing company acting as a data processor.

How the fine could have been avoided: Many of the fines on our list relate to telemarketing and the failure to obtain GDPR-valid consent.

Remember that even when using third-party services to conduct marketing campaigns, you could still be directly liable under the GDPR if you fail to establish a valid legal basis for processing personal data.

29. Foodinho — €2.6 million ($3 million)

Grocery delivery service Foodinho received this substantial fine in June 2021, after the Italian DPA found the company had failed to obey the GDPR’s rules on “automated processing,” in this case the use of an algorithm to determine employees’ wages and workflow.

The company was also found to have violated the GDPR’s principle of “lawfulness, fairness, and transparency” by failing to provide employees with adequate information.

How the fine could have been avoided: Foodinho’s fine mainly relates to a relatively niche area of GDPR compliance—“solely automated processing with legal or similarly significant effects.”

In short, if you’re making purely AI-driven decisions about people that could impact their finances, employment, or access to services, you must ensure you provide a human review of such decisions.

30. National Revenue Agency (Bulgaria) — €2.6 million ($3 million)

This August 2019 fine against Bulgaria’s National Revenue Agency was issued after the organization suffered a data breach affecting 5 million people. The breached data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organizational measures to protect the personal data under its control.
How the fine could have been avoided: The Bulgarian National Revenue Agency should have conducted a thorough risk assessment of its processing operations and taken effective steps to safeguard personal data.

While it’s not clear what caused this data breach, it’s worth noting that the FBI’s Internet Crime Complaint Center cites email as the number one threat vector in cybercrime. By securing your company’s email systems, you’re cutting off one of your major vulnerabilities and significantly reducing the likelihood of a data breach.
What else can organizations be fined for under GDPR?

While the biggest fines involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.

In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But how do you prevent an accident? By focusing on people rather than systems and networks.

How does Tessian help organizations stay GDPR compliant?
Powered by machine learning, Tessian understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.

Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).

To learn more about how Tessian helps with GDPR compliance, you can check out this page, our customer stories or book a demo.
ATO/BEC Email DLP
Five Ways Tessian Cloud Email Security Improves Enterprise Cybersecurity
By Martin Nielsen
22 April 2022
Tessian, an intelligent cloud email security solution for the enterprise, prevents advanced email threats and protects against data loss. With email responsible for up to 90% of all breaches, rule-based security solutions like Secure Email Gateways (SEGs) no longer cut it. This explains why 58% of cybersecurity leaders are actively looking to displace SEGs for the next generation of email security.

Next-gen solutions like Tessian ensure significantly improved threat detection and prevention capabilities thanks to machine learning and behavioral user intelligence, and offer a simplified approach to solution integration and management.
Removing the pain from security management

Tessian’s API integration into both Microsoft 365 and Google Workspace cloud email environments enables deployment in seconds, and provides unparalleled protection within hours. No manual updates, complex mail rerouting, or MX record re-configuration is needed.

And, when customers integrate Tessian’s security event feed with other solutions, they’re able to streamline processes and workflows and get a more contextualized and complete risk profile of their environment, down to the employee level.

To help you better understand the value of Tessian with products like Splunk, Okta, and KnowBe4, let’s explore real use cases from our customers.
Tessian + Splunk

Customer: Financial Services
Employees: 7,000
Tessian Products Deployed: Enforcer and Guardian

Use case: For one of our financial services customers, the integration of Tessian with Splunk has been essential in addressing insider threats and preventing data loss. The client ingests, triages and remediates Tessian’s alerts in its SOC, which runs on Splunk.

By sending data to Splunk, the SOC is empowered to create dashboards for the key security events that they care about, for example users with the most flags, or top recipients of flagged emails. This data can be combined with metrics from other cybersecurity tools in the environment to form a more comprehensive risk profile. For example, correlating the data from Tessian with endpoint security alerts enabled the client to get a deeper level of risk understanding viewed from a single pane of glass.

From here the client is able to create workflows through ServiceNow, which allows streamlining of Tessian’s security feeds into existing security workflows.

Some of the key benefits of the Tessian and Splunk integration include:

- Setting up custom alerts
- Triaging security events
- Identifying risky users
- Easy reporting of risk to the risk committee
Tessian + Sumo Logic

Customer: Financial Services
Employees: 3,100
Tessian Products Deployed: Defender, Enforcer, and Guardian

Use case: Sumo Logic is a central source for log analysis and is often a starting point for remediation workflows. Tessian has a native app built to Sumo Logic’s Modern Enterprise Security Architecture (MESA). With this native app, Sumo Logic users can ingest Tessian alerts and correlate them with other events.

One of our financial services clients uses Sumo Logic for log correlation and analysis. Feeding logs and alerts into Sumo Logic enables the client to quickly identify spikes in anomalous email activity, for example: misdirected email (Guardian), unauthorized email (Enforcer) and phishing emails (Defender).

Once a verdict has been delivered on an email, the SecOps team is in a position to take mitigating actions.
Tessian + Okta

Customer: Financial Services
Employees: 1,200
Tessian Products Deployed: Defender, Enforcer, and Guardian

Use case: The Tessian integration with Okta enables clients to use Okta’s Universal Directory to set specific email security policies for user groups based on risk. For example, one client in financial services leverages the integration to enforce more stringent email security rules for the finance department – responsible for sending and receiving sensitive financial data.

Tessian is leveraged to target these specific user groups with email security policies that ensure safe email behavior and prevent email-related data loss.

The integration with Okta enables greater security flexibility for user groups, rather than a standard one-size-fits-all approach to security policy orchestration.
Tessian + CrowdStrike + Netskope

Customer: Healthcare
Employees: 16,500
Tessian Products Deployed: Defender, Enforcer, and Guardian

Use case: A growing number of Tessian clients, such as one in healthcare, are using Tessian as an integral security pillar to keep their enterprise safe from external and insider threats, particularly concerning data loss.

Tessian is seen as one of the core security pillars keeping employees and the email ecosystem safe. Other key security pillars and best-in-breed solutions include CrowdStrike for endpoint and Netskope for cloud security – deployed alongside Tessian.

Leveraging Tessian in combination with these tools enables a defense-in-depth approach, giving security practitioners peace of mind that they have the best tools in place to keep their employees and their data safe.
Tessian + KnowBe4

Customer: Pharmaceuticals
Employees: 650
Tessian Products Deployed: Defender

Use case: The Tessian integration with KnowBe4 gives organizations more visibility into phishing risk by identifying the employees who are most likely to fall for phishing attacks. Tessian ingests KnowBe4’s Phish Prone Score and combines it with our own Risk Score, presenting a more comprehensive risk profile for each employee.

This way, security teams can customize security policies and training programs for more targeted and engaging security awareness for specific employees, rather than a blanket approach that often lacks context.

After deploying Tessian to bolster KnowBe4, one pharmaceutical company saw its click-through rate drop significantly from 20% to below the industry benchmark of 3%. Another Tessian client in the financial services sector summed up the value of the Tessian and KnowBe4 integration:
Click here to book a demo of our market leading cloud email security and DLP platform.
ATO/BEC Email DLP Human Layer Security
New Research: One in Four Employees Who Made Cybersecurity Mistakes Lost Their Jobs Last Year
By Laura Brooks
29 March 2022
According to our new research, one in four employees lost their job in the last 12 months after making a mistake that compromised their company’s security. The new report, which explores human error on email at work, also found that:

- Just over one in four respondents (26%) fell for a phishing email at work in the last 12 months
- Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error
- Over one-third (36%) of employees have made a mistake at work that compromised security, and fewer are reporting their mistakes to IT
Why do people make mistakes at work?

When asked why these mistakes happened, half of employees said they had sent emails to the wrong person because they were under pressure to send the email quickly – up from 34% reported by Tessian in its 2020 study – while over two-fifths of respondents cited distraction and fatigue as reasons for falling for phishing attacks. More employees attributed their mistakes to fatigue and distraction in the past year, versus figures reported in 2020, likely brought on by the shift to hybrid working.

“With the shift to hybrid work, people are contending with more distractions, frequent changes to working environments, and the very real issue of Zoom fatigue – something they didn’t face two years ago,” said Jeff Hancock, a professor at Stanford University who contributed to the report.
People are falling for more advanced phishing attacks

While the number of employees who fell for phishing attacks only increased by 1% in the last 12 months, people were far more likely to fall for more advanced phishing attacks than they were in 2020.

Over half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at the company – up from 41% reported in 2020. In comparison, click-through rates on phishing emails in which threat actors impersonated well-known brands dropped. These findings mirror those reported by the FBI, which found that business email compromise (BEC) attacks are eight times more common than ransomware and that the losses from these attacks continue to grow year on year.

People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months, compared to 26% of those who fell for phishing scams over email. Older employees were more susceptible to smishing attacks; one-third of respondents aged over 55 complied with requests in a smishing scam versus 24% of 18- to 24-year-olds.
The consequences for accidental data loss are more severe

On average, a US employee sends four emails to the wrong person every month – and organizations are taking tougher action in response to these mistakes that compromise data. Nearly a third of employees (29%) said their business lost a client or customer after sending an email to the wrong person – up from 20% in 2020. One in four respondents (21%) also lost their job because of the mistake, versus 12% in July 2020.

Over one-third (35%) of respondents had to report the accidental data loss incidents to their customers, breaking the trust they had built. Businesses also had to report the incidents to regulators. In fact, the number of breaches reported to the Information Commissioner’s Office, caused by data being sent to the wrong person on email, was 32% higher in the first nine months of 2021 than in the same period in 2020.
Employees are fearful of reporting mistakes

With harsher consequences in place, Tessian found that fewer employees are reporting their mistakes to IT. Almost one in four (21%) said they didn’t report security incidents, versus 16% in 2020, resulting in security teams having less visibility of threats in the organization.
Josh Yavor, CISO at Tessian, said, “We know that the majority of security incidents begin with people’s mistakes. For IT and security teams to be successful, they need visibility into the human layer of an organization, so they can understand why mistakes are happening and proactively put measures in place to prevent them from turning into serious security incidents. This requires earning the trust of employees; and bullying employees into compliance won’t work. Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions at work.”
ATO/BEC Email DLP
Buyer’s Guide to Integrated Cloud Email Security
By John Filitz
29 March 2022
The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, brings a fresh approach to solving increasingly sophisticated and elusive email security threats.

Born in the cloud, for the cloud, ICES solutions are seen as an integral additional layer of email security to complement the native email security capabilities present in cloud productivity suites, such as Microsoft 365 and Google Workspace.

At last count, according to the latest Gartner Market Guide for Email Security (2021), there were 13 ICES vendors – giving customers plenty of choice.

Not every ICES vendor, however, offers the same completeness of vision, degree of protection, or intelligent capabilities.

This short guide brings insight into some of the key fundamentals that prospective buyers of an ICES solution should be aware of.
Why is there a need for ICES solutions in the first place?

Evidence shows that email remains an important and attractive attack vector for threat actors; according to a recent study, it’s responsible for up to 90% of all breaches.

The fact that the vast majority of breaches are attributed to an email compromise indicates that the current status quo in email security is insufficient to prevent breaches. This was confirmed in a Forrester survey conducted on behalf of Tessian, with over 75% of organizations reporting that on average 20% of email security incidents get past their existing security controls.

Threat actors are using more sophisticated email-based techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.

In this new world, threat actors develop exploit kits and offer their services for sale. This has unfortunately led to a dramatic increase in the ability of attackers to find targets. And this explains why the cost of damages from cybercrime is expected to rocket to $10.5 trillion by 2025 – representing a +350% increase from 2015.

Digital transformation is another key reason too. Cloud adoption was accelerating prior to the Covid-19 pandemic. In the wake of the pandemic, cloud adoption accelerated even more quickly. This dramatic shift to the cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices.

This structural shift in computing has also revealed the soft underbelly of legacy cybersecurity solutions built for an on-premise world, including the rule-based and static protection for email offered by Secure Email Gateways (SEGs).
And this explains why 58% of cybersecurity leaders are actively looking to displace SEGs for the next generation of email security – with behavioral intelligence and machine learning at the core.
ICES fundamentals

Approach to threat detection and prevention

The key differentiator between SEGs and ICES solutions from a threat detection standpoint is that ICES are underpinned by machine learning and utilize a behavioral intelligence approach to threat detection.

The algorithm of an ICES solution develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities to dynamically scan for and detect any anomalous email behavior in real time. Unlike SEGs, this enables these solutions to detect threats as they arise.

Deployment architecture

There are also important differences in the architecture and configuration of ICES solutions compared with SEGs. ICES solutions do not sit in-line like SEGs, and they do not require MX re-routing; instead they connect either via a connector or an API and scan email either pre-delivery or post-delivery – detecting and quarantining any malicious email.
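To make the "historical behavioral map" idea concrete, here is an added illustration (not Tessian's code or any vendor's algorithm) that builds a per-sender map of past recipients from constructed send-log lines and then scores an outgoing email for the kinds of anomaly the paragraph above describes: a recipient domain the sender has never used, a domain that merely resembles one they do use, or a new recipient at a known domain. Function names, the log format and all addresses are assumptions made for this example.

```python
"""Minimal behavioral baseline for outbound email (added example, not product code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import difflib

# Constructed sample send log, one "sender -> recipient" pair per line.
# Every address here is made up for this example.
SAMPLE_SEND_LOG = """
alice@corp.example -> bob@corp.example
alice@corp.example -> cfo@corp.example
alice@corp.example -> finance@acme-partner.example
alice@corp.example -> finance@acme-partner.example
alice@corp.example -> legal@acme-partner.example
bob@corp.example -> alice@corp.example
bob@corp.example -> sales@vendor.example
"""


@dataclass
class BehaviorMap:
    """Per-sender history: full recipient addresses and recipient domains."""
    recipients: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    domains: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def build_behavior_map(log_text: str) -> BehaviorMap:
    """Replay historical sends to learn who each sender normally writes to."""
    bm = BehaviorMap()
    for line in log_text.strip().splitlines():
        sender, recipient = (part.strip().lower() for part in line.split("->"))
        bm.recipients[sender].add(recipient)
        bm.domains[sender].add(domain_of(recipient))
    return bm


def lookalike_of(candidate: str, known: Set[str]) -> Optional[str]:
    """Return a known domain the candidate closely resembles but does not equal.

    difflib's ratio is a cheap stand-in for the similarity scoring a real
    engine would use; 0.85 catches one-character edits in domains this long.
    """
    matches = difflib.get_close_matches(candidate, sorted(known), n=1, cutoff=0.85)
    if matches and matches[0] != candidate:
        return matches[0]
    return None


def score_outbound(bm: BehaviorMap, sender: str, recipient: str) -> List[str]:
    """Return human-readable reasons the send looks anomalous (empty = no flag).

    Checks run from most to least specific: a lookalike domain is the
    strongest misdirection / impersonation signal, then a never-seen domain,
    then a new mailbox at a domain the sender already uses.
    """
    sender, recipient = sender.lower(), recipient.lower()
    rdomain = domain_of(recipient)
    known_domains = bm.domains.get(sender, set())
    reasons: List[str] = []

    similar = lookalike_of(rdomain, known_domains)
    if similar:
        reasons.append(f"recipient domain {rdomain} resembles known domain {similar}")
    elif rdomain not in known_domains:
        reasons.append(f"sender has never emailed domain {rdomain}")
    elif recipient not in bm.recipients.get(sender, set()):
        reasons.append(f"new recipient {recipient} at a known domain")
    return reasons


if __name__ == "__main__":
    baseline = build_behavior_map(SAMPLE_SEND_LOG)
    for rcpt in ("bob@corp.example", "finance@acme-partmer.example",
                 "x@unknown.example", "hr@corp.example"):
        print(rcpt, "->", score_outbound(baseline, "alice@corp.example", rcpt) or "ok")
```

In a real deployment the map would be learned continuously from the mailbox via the connector or API described above, and the reasons would drive a warning banner or a hold rather than a print.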
Degree of security automation

ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces alert fatigue and the SOC burden, ultimately improving security effectiveness.
Key differences between SEGs and ICES

SEG: Requires MX record changes, sits in-line, and acts as a gateway for all email flow.
ICES: Requires no MX record changes and scans incoming email downstream from the MX record, either pre-delivery via a connector or post-delivery via an API.

SEG: Designed to detect basic phishing attacks, spam, malware and graymail. No zero-day protection.
ICES: Designed to detect advanced social engineering attacks including spear phishing, impersonation attacks, business email compromise (BEC) and account takeover (ATO). Advanced zero-day protection.

SEG: Static, rule- and policy-based protection. No intelligent component to threat detection for inbound or outbound email, resulting in high false positives and significant triaging of email security incidents.
ICES: Behavioral and machine learning detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and fewer false positives, i.e. less business interruption and more SOC optimization.

SEG: Limited insider threat detection and no lateral attack detection capability. Once the threat has bypassed the gateway, the threat actor has unlimited access to the victims’ data and information systems.
ICES: Advanced insider and lateral attack detection capability, stopping threats where and when they arise.

SEG: Basic email field scanning capability. Relies on a threat engine of previously identified threats, and on static rules and policies.
ICES: All of the email fields are analyzed using machine learning and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URLs and attachments.

SEG: Advanced malicious emails go undetected and reach target inboxes. Some of the less sophisticated malicious emails end up in the spam or junk folder, enabling users to accidentally interact with them.
ICES: Advanced malicious emails are detected and automatically hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered. Post-delivery solutions will, in nanoseconds, claw back a suspected email determined to be malicious.

SEG: No in-the-moment employee security warnings. Security alerts are retroactive and aimed at SecOps, offering no context to employees and no ability to improve the security culture.
ICES: An in-the-moment security notification banner can be added to an incoming or outgoing email, indicating the level of risk of the scanned email and the context. These real-time security notifications lead to an improved security culture by empowering employees to take safe action in real time.

SEG: Basic DLP capability.
ICES: Some ICES, like Tessian, have advanced DLP capability.
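The comparison above refers to checking an email's recipients against a historical mapping of correspondence. The following is an added, simplified illustration of that idea for an outbound email; it is not Tessian's code, and the sender history, recipients and distance threshold are constructed for the demo.

```python
"""Outbound recipient check against a sender's correspondence history.

Added example, not Tessian's code. HISTORY and the recipients passed in
are constructed. The check flags three things a human reviewer of a
misdirected-email warning banner would want to know about:
  * a domain that resembles a known domain (likely typo / look-alike),
  * a domain the sender has never corresponded with,
  * a new contact at a domain the sender already knows (low risk).
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed history: recipients this sender has emailed before and how often
HISTORY = Counter({
    "alice@acme-supplier.example": 42,
    "bob@acme-supplier.example": 17,
    "carol@example.com": 120,
    "dan@example.com": 9,
})


@dataclass
class Finding:
    recipient: str
    reason: str
    severity: str             # "high", "medium" or "low"
    closest: Optional[str]    # known domain the recipient's domain resembles


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used to spot typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.lower().rsplit("@", 1)[-1]


def known_domains(history: Counter) -> set:
    return {domain_of(addr) for addr in history}


def check_recipients(recipients: List[str], history: Counter = HISTORY,
                     max_distance: int = 2) -> List[Finding]:
    """Return one Finding per recipient that deviates from the history."""
    findings: List[Finding] = []
    domains = known_domains(history)
    for rcpt in recipients:
        rcpt_l = rcpt.lower()
        if rcpt_l in history:
            continue                      # established correspondent
        domain = domain_of(rcpt_l)
        if domain in domains:
            findings.append(Finding(rcpt, "new contact at a known domain",
                                    "low", domain))
            continue
        # Look-alike / typo check against every domain the sender knows
        close = [d for d in domains if levenshtein(domain, d) <= max_distance]
        if close:
            best = min(close, key=lambda d: levenshtein(domain, d))
            findings.append(Finding(rcpt, "domain resembles a known domain "
                                    "(possible typo or look-alike)", "high", best))
        else:
            findings.append(Finding(rcpt, "never-seen domain", "medium", None))
    return findings


def banner(findings: List[Finding]) -> str:
    """Plain-text version of an in-the-moment warning shown to the sender."""
    if not findings:
        return "No unusual recipients."
    lines = ["Check these recipients before sending:"]
    for f in findings:
        hint = f" (did you mean {f.closest}?)" if f.severity == "high" else ""
        lines.append(f"  [{f.severity}] {f.recipient}: {f.reason}{hint}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed outbound email: one typo'd domain, one new colleague,
    # one personal freemail address, one established contact.
    print(banner(check_recipients([
        "alice@acme-supplier.example",
        "alice@acme-suplier.example",
        "erin@example.com",
        "carol@gmail.com",
    ])))
```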
Five market differentiators for ICES solutions

Not all ICES solutions, however, offer the same degree of completeness in product and protection. It is important that prospective customers of ICES solutions understand and interrogate the following key differentiators during the vendor selection process:

1: Completeness of the product offering and product roadmap
Does the solution cover inbound and outbound email protection (i.e. does it prevent email data loss events from occurring)? Does it have pre-built integrations with other cybersecurity tools such as SIEMs?

2: Degree of protection offered
During the POV it is important to test the efficacy of the algorithm and determine a true baseline of detection, including the percentage of false positives. Verify the actual results from the POV against the vendor’s stated claims.

3: Deployment and management overhead
Some vendors make unrealistic claims of “protection within seconds”; understanding the actual amount of FTE resources and time needed for deployment is crucial, as is the product’s ability to scale. Determining the degree of management FTE required for managing the tool on a day-to-day basis is equally important.

4: UX and reporting capability
The overall UX, including the UI for SecOps teams, and feedback from employees after using the product during the POV are essential. Evidence shows that if the UX is poor, the security effectiveness of the tool will be diminished. Having the ability to pull risk metric reporting on demand, or automate it, down to the employee level for inbound and outbound email is crucial for cybersecurity and risk compliance leaders.

5: Degree of automation
Automation is fast becoming a buzzword in cybersecurity. Here buyers need to be aware of the degree of automation that the ICES solution actually delivers, ranging from threat detection to the triaging of threats, as well as risk reporting.
The final word

All it takes is one click on malicious content for a breach to take place. When assessing and selecting an ICES solution, it is important that customers consider the above listed criteria as part of their general vendor assessment criteria. The considerations on the completeness of the product offering and the degree of protection offered should be weighed carefully.

Finally, it’s the human side that often never gets mentioned in vendor assessments. The experience interacting with the vendor, from the first interaction through to the end of the POV, should provide key insight into what the future partnership with the vendor will look and feel like.
About Tessian

Tessian is one of the few ICES vendors that offers comprehensive protection for inbound threats like advanced spear phishing attacks, as well as outbound protection, preventing malicious and accidental data loss.

Unlike many of our ICES competitors, we don’t treat our customers as test subjects: our algorithm was developed and fine-tuned for 4 years before we went live. Due to this level of product maturity, we boast among the lowest percentages of false positives in our industry.

We have among the most attractive UIs, delivering a phenomenal UX. This includes advanced and automated cyber risk reporting, making security and risk leaders’ lives easier.

We never make claims that we can’t back up. We deploy in seconds and protect within hours. Both the deployment and management overhead are extremely efficient due to product maturity and the degree of automation inherent in our product.

Finally, it’s worthwhile mentioning that we take our customers seriously. Here’s what some of them have to say about using our product:
Email DLP Data Exfiltration
Insider Threats Examples: 17 Real Examples of Insider Threats
By Maddie Rosenthal
22 March 2022
Insider Threats are a big problem for organizations across industries. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data, unlike the external bad actors many security policies and tools help defend against.   It could be anyone, from a careless employee to a rogue business partner.   That’s why we’ve put together this list of Insider Threat types and examples. By exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to spot them before a data breach happens.  
Types of Insider Threats

First things first, let’s define what exactly an Insider Threat is.

Insider Threats stem from people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who exfiltrate data for personal gain or accidentally leak sensitive information.

The key here is that there are two distinct types of Insider Threats:

The Malicious Insider: Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some kind of financial incentive, a competitive edge, or simply because they’re holding a grudge for being let go or furloughed.

The Negligent Insider: Negligent Insiders are just your average employees who have made a mistake. For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear phishing attack, or lose their work device.
1. The employee who exfiltrated data after being fired or furloughed

Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed. This has caused widespread distress.

When you combine this distress with the reduced visibility of IT and security teams while their teams work from home, you’re bound to see more incidents of Malicious Insiders. One such case involves a former employee of a medical device packaging company who was let go in early March 2020.

By the end of March – and after he was given his final paycheck – Christopher Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records. This caused significant delays in the delivery of medical equipment to healthcare providers.
2. The employee who sold company data for financial gain

In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web. The breach affected 547,000 customers and in 2018, after an investigation by the ICO, Bupa was fined £175,000.
3. The employee who stole trade secrets

In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets. The employee, Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE’s systems over eight years, intending to leverage his professional advantage to start a rival company.

The FBI investigation into Delia’s scam revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially sensitive calculations to a co-conspirator. Having pleaded guilty to the charges, Delia faces up to 87 months in jail.

What can we learn from this extraordinary inside job? Ensure you have watertight access controls and that you can monitor employee email accounts for suspicious activity.
4. The employees who exposed 250 million customer records

Here’s an example of a “negligent insider” threat. In December 2019, a researcher from Comparitech noticed that around 250 million Microsoft customer records were exposed on the open web. This vulnerability meant that the personal information of up to 250 million people, including email addresses, IP addresses, and location, was accessible to anyone.

This incident represents a potentially serious breach of privacy and data protection law and could have left Microsoft customers open to scams and phishing attacks, all because the relevant employees failed to secure the databases properly.

Microsoft reportedly secured the information within 24 hours of being notified about the breach.
5. The nuclear scientists who hijacked a supercomputer to mine Bitcoin

Russian Secret Services reported in 2018 that they had arrested employees of the country’s leading nuclear research lab on suspicion of using a powerful supercomputer for bitcoin mining. Authorities discovered that scientists had abused their access to some of Russia’s most powerful supercomputers by rigging up a secret bitcoin-mining data center.

Bitcoin mining is extremely resource-intensive and some miners are always seeking new ways to outsource the expense onto other people’s infrastructure. This case is an example of how insiders can misuse company equipment.
6. The employee who fell for a phishing attack

While we’ve seen a spike in phishing and spear phishing attacks since the outbreak of COVID-19, these aren’t new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 Megabytes of data were stolen.

That might not sound like a lot, but the data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records.
7. The work-from-home employees duped by a vishing scam

Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. One cybercrime group conducted one of the most high-profile hacks of 2020, knocking 4% off Twitter’s share price in the process.

In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials.

Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts, including those belonging to Barack Obama, Joe Biden, and Kanye West, and used them to conduct a Bitcoin scam.

This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know: your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes.
8. The ex-employee who got two years for sabotaging data

The case of San Jose resident Sudhish Kasaba Ramesh serves as a reminder that it’s not just your current employees that pose a potential internal threat, but your ex-employees, too.

Ramesh received two years’ imprisonment in December 2020 after a court found that he had accessed Cisco’s systems without authorization, deploying malware that deleted over 16,000 user accounts and caused $2.4 million in damage.

The incident emphasizes the importance of properly restricting access controls, and of locking employees out of your systems as soon as they leave your organization.
9. The employee who took company data to a new employer for a competitive edge

This incident involves two of the biggest tech players: Google and Uber. In 2015, a lead engineer at Waymo, Google’s self-driving car project, left the company to start his own self-driving truck venture, Otto.

But, before departing, he exfiltrated several trade secrets including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.

How? By downloading 14,000 files onto his laptop directly from Google servers. Otto was acquired by Uber after a few months, at which point Google executives discovered the breach.

In the end, Waymo was awarded $245 million worth of Uber shares and, in March, the employee pleaded guilty.
10. The employee who stole a hard drive containing HR data

Coca-Cola was forced to issue data breach notification letters to around 8,000 employees after a worker stole a hard drive containing human resources records.

Why did this employee steal so much data about his colleagues? Coca-Cola didn’t say. But we do know that the employee had recently left his job, so he may have seen an opportunity to sell or misuse the data once outside of the company.

Remember – network and cybersecurity are crucial, but you need to consider whether insiders have physical access to data or assets, too.
11. The employees leaking customer data

Toward the end of October 2020, an unknown number of Amazon customers received an email stating that their email address had been “disclosed by an Amazon employee to a third-party.” Amazon said that the “employee” had been fired, but the story changed slightly later on, according to a statement shared by Motherboard which referred to multiple “individuals” and “bad actors.”

So how many customers were affected? What motivated the leakers? We still don’t know. But this isn’t the first time that the tech giant’s own employees have leaked customer data. Amazon sent out a near-identical batch of emails in January 2020 and November 2018.

If there’s evidence of systemic insider exfiltration of customer data at Amazon, this must be tackled via internal security controls.
12. The employee offered a bribe by a Russian national

In September 2020, a Nevada court charged Russian national Egor Igorevich Kriuchkov with conspiracy to intentionally cause damage to a protected computer. The court alleges that Kriuchkov attempted to recruit an employee of Tesla’s Nevada Gigafactory.

Kriuchkov and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The Kriuchkov conspiracy was disrupted before any damage could be done. But it wasn’t the first time Tesla had faced an insider threat. In June 2018, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.”

With state-sponsored cybercrime syndicates wreaking havoc worldwide, we could soon see further attempts to infiltrate companies. That’s why it’s crucial to run background checks on new hires and ensure an adequate level of internal security.
13. The ex-employee who offered 100 GB of company data for $4,000

Police in Ukraine reported in 2018 that a man had attempted to sell 100 GB of customer data to his ex-employer’s competitors, for the bargain price of $4,000. The man allegedly used his insider knowledge of the company’s security vulnerabilities to gain unauthorized access to the data.

This scenario presents another challenge to consider when preventing insider threats: you can revoke ex-employees’ access privileges, but they might still be able to leverage their knowledge of your systems’ vulnerabilities and weak points.
14. The employee who accidentally sent an email to the wrong person

Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But, what are the implications? It depends on what data has been exposed.

In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included:

Mental health information
Surgery information

While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. We outline even more consequences of misdirected emails in this article.
15. The employee who accidentally misconfigured access privileges

NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS.

These documents – marked “SENSITIVE” and “OFFICIAL” – contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic.
16. The security officer who was fined $316,000 for stealing data (and more!)

In 2017, a California court found ex-security officer Yovan Garcia guilty of hacking his ex-employer’s systems to steal its data, destroy its servers, deface its website, and copy its proprietary software to set up a rival company.

The cybercrime spree was reportedly sparked after Garcia was fired for manipulating his timesheet. Garcia received a fine of over $316,000 for his various offenses.

The sheer amount of damage caused by this one disgruntled employee is pretty shocking. Garcia stole employee files, client data, and confidential business information; destroyed backups; and even uploaded embarrassing photos of his one-time boss to the company website.
17. The employee who sent company data to a personal email account

We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend.

But, in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes.
How common are Insider Threats?

Incidents involving Insider Threats are on the rise, with a marked 47% increase over the last two years. This isn’t trivial, especially considering the global average cost of an Insider Threat is $11.45 million. This is up from $8.76 million in 2018.

Who’s more culpable, Negligent Insiders or Malicious Insiders?

Negligent Insiders (like those who send emails to the wrong person) are responsible for 62% of all incidents
Negligent Insiders who have their credentials stolen (via a phishing attack or physical theft) are responsible for 25% of all incidents
Malicious Insiders are responsible for 14% of all incidents

It’s worth noting, though, that credential theft is the most detrimental to an organization’s bottom line, costing an average of $2.79 million.

Which industries suffer the most?

The “what, who, and why” behind incidents involving Insider Threats vary greatly by industry.

For example, customer data is most likely to be compromised by an Insider in the Healthcare industry, while money is the most common target in the Finance and Insurance sector.

But, who exfiltrated the data is just as important as what data was exfiltrated. The sectors most likely to experience incidents perpetrated by trusted business partners are:

Finance and Insurance
Federal Government
Entertainment
Information Technology
Healthcare
State and Local Government

Overall, though, when it comes to employees misusing their access privileges, the Healthcare and Manufacturing industries experience the most incidents.

On the other hand, the Public Sector suffers the most from lost or stolen assets and also ranks in the top three for miscellaneous errors (for example misdirected emails) alongside Healthcare and Finance.

The bottom line: Insider Threats are a growing problem. We have a solution.
Email DLP
What is Data Loss Prevention (DLP)? Complete Overview of DLP
17 March 2022
How does DLP work?

Put simply, DLP software monitors different entry and exit points (examples below) to “look” for data and keep it safe and sound inside the organization’s network.

A properly configured DLP solution can detect when sensitive or important data is leaving a company’s possession, alert the user and, ultimately, stop data loss.

A DLP solution has three main jobs. DLP software:

Monitors and analyzes data while at rest, in motion, and in use.
Detects suspicious activity or anomalous network traffic.
Blocks or flags suspicious activity, preventing data loss.

Those entry and exit points we mentioned earlier include:

Computers
Mobile devices
Email clients
Servers
Mail gateways

Different types of DLP solutions are required to safeguard data in these environments.

What are the different types of DLP?

DLP software can monitor and safeguard data in three states:

Data in motion (or “in transit”): Data that is being sent or received by your network
Data in use: Data that a user is currently interacting with
Data at rest: Data stored in a file or database that is not moving or in use

There are three main types of DLP software designed to protect data in these different states.

Network data loss prevention

Network DLP software monitors network traffic passing through entry and exit points to protect data in motion. Network DLP scans all data passing through a company’s network. If it’s working properly, the software will detect sensitive data exiting the network and flag or block it while allowing other data to leave the network unimpeded where appropriate. Network administrators can customize network DLP software to block certain types of data from leaving the network by default or, by contrast, whitelist specific file types or URLs.

Endpoint data loss prevention

Endpoint DLP monitors data on devices and workstations, such as computers and mobile devices, to protect data in use. The software can monitor the device and detect a range of potentially malicious actions, including:

Printing a document
Creating or renaming a file
Copying data to removable media (e.g. a USB drive)

Such actions might be completely harmless, or they might be an attempt to exfiltrate confidential data. Effective endpoint DLP software (but not all endpoint DLP software) can distinguish between suspicious and non-suspicious activity.

Email data loss prevention

Email is the primary threat vector for most businesses, and the threat vector most security leaders are concerned about locking down with their DLP strategy.

Email represents a potential route straight through your company’s defenses for anyone wishing to deliver a malicious payload. And it’s also a way for insiders to send data out of your company’s network, whether by accident or on purpose.

Email DLP can therefore protect against some of the most common and serious causes of data loss, including:

Email-based cyberattacks, such as phishing
Malicious exfiltration of data by employees (also called insider threats)
Accidental data loss (for example, sending an email to the wrong person or attaching the wrong file)
Does my company need a data loss prevention solution?

Almost certainly. DLP is a top priority for security leaders across industries and DLP software is a vital part of any organization’s security program.

Broadly, there are two reasons to implement an effective data loss prevention solution:

Protecting your customers’ and employees’ personal information. Your business is responsible for all the personal information it controls. Cyberattacks and employee errors can put this data at risk.
Protecting your company’s non-personal data. DLP can thwart attempts to steal intellectual property, client lists, or financial data.

Want to learn more about how and why other organizations are leveraging DLP? We explore employee behavior, the frequency of data loss incidents, and the best (and worst) solutions in this report: The State of Data Loss Prevention.

Now let’s look at the practical ways DLP software can benefit your business.

What are the benefits of DLP?

There are 4 main benefits of data loss prevention, which we’ll unpack below:

Protecting against external threats (like spear phishing attacks)
Protecting against internal threats (like insider threats)
Protecting against accidental data loss (like accidentally sending an email to the wrong person)
Compliance with laws and regulations

Protecting against external threats

External security threats are often the main driver of a company’s cybersecurity program, although, as we’ll see below, they’re far from the only type of security threat that businesses are concerned about.

Here are some of the most significant external threats that can result in data loss:

Phishing: Phishing is the most common online crime, and according to the latest FBI data, phishing rates doubled in 2020. Around 96% of phishing attacks take place via email.
Spear phishing: A phishing attack targeting a specific individual.
Spear phishing attacks are more effective than “bulk” phishing attacks and can target high-value individuals (whaling) or use advanced impersonation techniques (CEO fraud).
Ransomware: A malicious actor encrypts company data and forces the company to pay a ransom to obtain the key. Cybercriminals can use various methods to undertake cyberattacks, including malicious email attachments or links and exploit kits.

DLP can prevent these external threats by preventing malicious actors from exfiltrating data from your network, storage, or endpoints.

Protecting against internal threats

Malicious employees can use email to exfiltrate company data. This type of insider threat is more common than you might think.

Verizon research shows how employees can misuse their company account privileges for malicious purposes, such as stealing or providing unauthorized access to company data. This problem is most significant in the healthcare and manufacturing industries.

Why would an employee misuse their account privileges in this way? In some cases, they’re working with outsiders. In others, they’re stealing data for their own purposes. For more information, read our 11 Real Examples of Insider Threats.

The difficulty is that your employees often need to send files and data outside of your company for perfectly legitimate purposes.

Thankfully, next-generation DLP can use machine learning to distinguish and block suspicious activity, while permitting data to leave your network where necessary.

Preventing accidental data loss

Human error is a widespread cause of data loss, but security teams sometimes overlook it.

In fact, misdirected emails, where a person sends an email to the wrong recipient, are the most common cause of data breaches, according to the UK’s data protection regulator.

Tessian platform data bears this out. In organizations with 1,000 or more employees, people send an average of 800 misdirected emails every year.

Misdirected emails take many forms. But any misdirected email can result in data loss, whether through accidentally clicking “reply all”, attaching the wrong file, accepting an erroneous autocomplete, or simply spelling someone’s email address wrong.

Compliance with laws and regulations

Governments are more and more concerned about data privacy and security. Data protection and cybersecurity regulations are increasingly demanding, and failing to comply with them can incur increasingly severe penalties.

Implementing a DLP solution is an excellent way to demonstrate your organization’s compliance efforts with any of the following laws and standards:

General Data Protection Regulation (GDPR): Any company doing business in the EU, or working with EU clients or customers, must comply with the GDPR. The regulation requires all organizations to implement security measures to protect the personal data in their control.
California Consumer Privacy Act (CCPA): The CCPA is one example of the many state privacy laws emerging across the U.S. The law requires businesses to implement reasonable security measures to guard against the loss or exfiltration of personal information.
Sector-specific regulations: Tightly regulated sectors are subject to privacy and security standards, such as the Health Insurance Portability and Accountability Act (HIPAA), which covers healthcare providers and their business associates, and the Gramm-Leach-Bliley Act (GLBA), which covers financial institutions.
Cybersecurity frameworks: Compliance with cybersecurity frameworks, such as the NIST Framework, CIS Controls, or ISO 27000 Series, is an important way to demonstrate high standards of data security in your organization. Implementing a DLP solution is one step towards certification with one of these frameworks.

Bear in mind that, in certain industries, individual customers and clients will have their own regulatory requests, too.

Do DLP solutions work?
We’ve looked at the huge benefits that DLP software can bring your organization. But does DLP actually work? Some of it does, but not all.

Effective DLP software works seamlessly in the background, allowing employees to work uninterrupted, but stepping in to prevent data loss whenever necessary. Likewise, it’s easy for SOC teams to manage.

Unfortunately, legacy features are still present in some DLP solutions that either fail to prevent loss effectively, create too much noise for security teams, or are too cumbersome to let employees work unimpeded. Let’s take a look at some DLP methods and weigh up the pros and cons of each approach.

Blacklisting domains

IT administrators can block certain domains associated with malicious activity, for example “freemail” domains such as gmail.com or yahoo.com. Blacklisting entire domains, particularly popular (if problematic) domains, is not ideal. There may be good reasons to communicate with someone using a freemail address, for example if they are a customer, contractor, or a potential client.

Tagging sensitive data

Some DLP software allows users to tag certain types of sensitive data. For example, you may wish to block activity involving any file containing a 16-digit number (which might be a credit card number). But this rigid approach doesn’t account for the dynamic nature of sensitive data. In certain contexts, a 16-digit number might not be associated with a credit card. Or an employee may be using credit card data for legitimate purposes.

Implementing rules

Rule-based DLP uses “if-then” statements to block types of activities, such as “If an employee uploads a file of 10MB or larger, then block the upload and alert IT.” The problem here is that, like the other “data-centric” solutions identified above, rule-based DLP often blocks legitimate activity and allows malicious activity to occur unimpeded.
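To make the "16-digit number" problem above concrete, here is an added example (not Tessian's code, and not a description of any real product) that runs the rigid rule and a context-aware variant over constructed sample emails. The Luhn check, context keywords, and the trusted-domain list are assumptions chosen for the demo; the card numbers are published test numbers, not real cards.

```python
"""Rigid vs context-aware detection of card numbers in outbound email.

Added example, not Tessian's code. SAMPLE_EMAILS, CARD_CONTEXT and
TRUSTED_DOMAINS are constructed for the demo. The rigid rule is the
page's 'tag any 16-digit number' approach; the context rule adds a Luhn
checksum, a payment-context keyword test, and a recipient-domain check,
which removes the false positives without losing the real leak.
"""
import re
from typing import Callable, List, Tuple

# Constructed outbound messages: (recipient, body)
SAMPLE_EMAILS: List[Tuple[str, str]] = [
    # Card number (Visa test PAN, passes Luhn) sent to a trusted payment partner
    ("finance@acme-supplier.example",
     "Please charge card 4111 1111 1111 1111 for invoice 2207."),
    # 16-digit parcel tracking reference: fails Luhn, no payment context
    ("ops@example.com",
     "Parcel tracking reference 1234567890123456 left the depot."),
    # 16-digit build id in a CI note: fails Luhn, no payment context
    ("dev-team@example.com",
     "Build id 9876543210987654 failed in CI, see attached log."),
    # Card number (Mastercard test PAN) sent to a personal freemail account
    ("someone@gmail.com",
     "My card is 5500000000000004, expiry 12/27."),
]

# 16 digits, optionally separated by single spaces or dashes
NUMBER_16 = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Words that suggest the number really is a payment card (assumed list)
CARD_CONTEXT = re.compile(r"\b(card|visa|mastercard|expiry|cvv|pan)\b", re.I)
# Domains this hypothetical organisation legitimately exchanges card data with
TRUSTED_DOMAINS = {"acme-supplier.example"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def rigid_rule(recipient: str, body: str) -> bool:
    """The page's rigid rule: any 16-digit number is treated as a card."""
    return bool(NUMBER_16.search(body))


def context_rule(recipient: str, body: str) -> bool:
    """Flag only Luhn-valid numbers, in payment context, to untrusted domains."""
    for match in NUMBER_16.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            continue                            # tracking id, build id, ...
        if not CARD_CONTEXT.search(body):
            continue                            # no sign it is a payment card
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in TRUSTED_DOMAINS:
            continue                            # legitimate business use
        return True
    return False


def evaluate(emails: List[Tuple[str, str]],
             rule: Callable[[str, str], bool]) -> List[bool]:
    """Apply a rule to every sample and return one verdict per email."""
    return [rule(recipient, body) for recipient, body in emails]


if __name__ == "__main__":
    for name, rule in (("rigid", rigid_rule), ("context", context_rule)):
        print(name, evaluate(SAMPLE_EMAILS, rule))
```

Only the last sample is a genuine leak; the rigid rule blocks all four while the context-aware rule blocks just that one.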
Machine learning

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. Here’s how it works: machine learning technology learns how people, teams, and customers communicate and understands the context behind every interaction with data.

By analyzing the evolving patterns of human interactions, machine learning DLP constantly reclassifies email addresses according to the relationship between a business and customers, suppliers, and other third parties.
Email DLP Data Exfiltration
What is Data Exfiltration? Tips for Preventing Data Exfiltration
22 February 2022
Data is valuable currency. Don’t believe us? Data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web.   This data could include anything from email addresses to financial projections, and the consequences of this data being leaked can be far-reaching. Data can be leaked in a number of ways, but when it’s stolen, we call it data exfiltration. You may also hear it referred to as data theft, data exportation, data extrusion, and data exfil.
This article will explore what data exfiltration is, how it works, and how you can avoid the fines, losses, and reputational damage that can result from it.

Types of data exfiltration

Data exfiltration can involve the theft of many types of information, including:

Usernames, passwords, and other credentials
Confidential company data, such as intellectual property or business strategy documents
Personal data about your customers, clients, or employees
Keys used to decrypt encrypted information
Financial data, such as credit card numbers or bank account details
Software or proprietary algorithms

To understand how data exfiltration works, let’s consider a few different ways data can be exfiltrated.

Email

According to IT leaders, email is the number one threat vector. It makes sense.

Over 124 billion business emails are sent and received every day, and employees spend 40% of their time on email, sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data with people both inside and outside of their organization.

Needless to say, it’s a treasure trove of information, which is why it’s so often used in data exfiltration attempts. But how?

Insider threats can email data to their own personal accounts or to third parties
External bad actors can target employees with phishing, spear phishing, or ransomware attacks. Note: 96% of phishing attacks start via email.

Remote access

Gaining remote access to a server, device, or cloud storage platform is another data exfiltration technique.
An attacker can gain remote access to a company’s data assets via several methods, including:

Hacking to exploit access vulnerabilities
Using a “brute force” attack to determine the password
Installing malware, whether via phishing or another method
Using stolen credentials, whether obtained via a phishing attack or purchased on the dark web

According to 2020 Verizon data, over 80% of “hacking” data exfiltration incidents involve brute force techniques or compromised user credentials. That’s why keeping passwords strong and safe is essential.

Remote data exfiltration might occur without a company ever noticing. Consider the now infamous 2020 SolarWinds hack: the attackers installed malware on thousands of organizations’ devices, which silently exfiltrated data for months before being detected.

Physical access

As well as using remote-access techniques, such as phishing and malware, attackers can simply upload sensitive data onto a laptop, USB drive, or another portable storage device, and walk it out of a company’s premises.

Physically stealing data from a business requires physical access to a server or device. That’s why this method of exfiltration is commonly associated with current or former employees.

And it happens more frequently than you might think. One report shows that:

15% of all insiders exfiltrate data via USBs, and 8% of external bad actors do the same
11% of all insiders exfiltrate data via laptops/tablets, and 13% of external bad actors do the same

Here’s an example: in 2020, a Russian national tried to persuade a Tesla employee to use a USB drive to exfiltrate insider data from the company’s Nevada premises.
How common is data exfiltration?

So how significant a problem is data exfiltration, and why should your company take steps to prevent it? It’s hard to say how often data is successfully exfiltrated from a company’s equipment or network. But we know that the cybercrime methods used to carry out data exfiltration are certainly on the increase.

For example, phishing was the leading cause of complaints to the FBI’s Internet Crime Complaint Center (IC3) in 2020. The FBI’s data suggests that phishing incidents more than doubled compared to the previous year. The FBI also reported that the number of recorded personal data breaches increased from around 38,000 to over 45,000 in 2020.

Verizon’s 2020 data suggests that companies with more than 1000 employees were more likely to experience data exfiltration attempts—but that attacks against smaller companies were much more likely to succeed.

Verizon also noted that “the time required to exfiltrate data has been getting smaller,” but “the time required for an organization to notice that they have been breached is not keeping pace.” In other words, cybercriminals are getting quicker and harder to detect.

Consequences of data exfiltration

We’ve seen how data exfiltration, and cybercrime more generally, is becoming more common. But even if a company experiences only one data exfiltration attack, the consequences can be devastating. There’s a lot at stake when it comes to the data in your company’s control.

Here are some stats from IBM about the cost of a data breach:

The average data breach costs $3.6 million
The cost is highest for U.S. companies, at $8.6 million
Healthcare is the hardest-hit sector, with companies facing an average loss of $7.1 million

What are the causes of these phenomenal costs?
Here are three factors:

Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is an expensive business—not to mention the thousands of hours that can be lost trying to determine the cause of a breach.
Lawsuits: Many companies face enormous lawsuits for losing customer data. Trends suggest a continuing increase in data-breach class action cases through 2021.
Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.
How to prevent data exfiltration

Understanding the form, causes, and consequences of data exfiltration is important. But what’s the best way to prevent data exfiltration?

🎓 Staff training

Business leaders know the importance of helping their employees understand information security. Staff training can help your staff spot some of the less sophisticated phishing attacks and learn the protocol for reporting a data breach. However, while staff training is important, it’s not sufficient to prevent data exfiltration. Remember these words from the U.K.’s National Cyber Security Centre (NCSC): “No training package (of any type) can teach users to spot every phish. Spotting phishing emails is hard.”

🚫 Blocking or denylisting

To prevent data exfiltration attempts, some organizations block or denylist certain domains or activities. This approach involves blocking certain email providers (like Gmail), domains, or software (like Dropbox) that are associated with cyberattacks. However, this blunt approach impedes employee productivity. Denylisting fails to account for the dynamic nature of modern work, where employees need to work with many different stakeholders via a broad variety of mediums.

💬 Labeling and tagging sensitive data

Another data loss prevention (DLP) strategy is to label and tag sensitive data. When DLP software notices tagged data moving outside of your company’s network, this activity can be flagged or prevented. However, this approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable—employees may label incorrectly or not label sensitive data at all.

🔒 Email data loss prevention (DLP)

Email is a crucial communication method for almost every business. But, as we’ve seen, it’s also a key way for fraudsters and criminals to gain access to your company’s valuable data. According to Tessian platform data, employees send nearly 400 emails a month.
In an organization with 1,000 employees, that’s 400,000 possible data breaches each month. That’s why security-focused organizations seek to lock down this critical vulnerability by investing in email-specific DLP software.

⚡ Want to learn more about email DLP? We cover everything you need to know here: What is Email DLP? Complete Overview of DLP on Email.

How does Tessian prevent data exfiltration?

Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats.

Our Human Layer Security platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks. To learn more about how Tessian detects and prevents data exfiltration attempts, check out our customer stories or talk to one of our experts today.
Email DLP Data Exfiltration
Why Taking Your Work With You When You Leave a Company Isn’t a Smart Idea
By Andrew Webb
15 February 2022
Our latest research into The Great Resignation contains some startling statistics from IT security leaders. 71% told us the Great Resignation has increased security risks in their company. What’s more, 45% say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs. But we also got the employees’ perspective. And it was clear that many staff thought that at least some of the work they did while at their employer belonged to them. Not only that, they thought it was okay to take that work with them when they moved on from the organization.

In fact, one in three (29%) employees surveyed admitted to having taken data with them when they quit. And when you isolate employees in the US, this jumps to two-fifths (40%).

So here’s the question: ‘does your work belong to you?’
Who’s taking data?

We saw noticeable differences in behaviors across typical departments found in most organizations. And the number one team to exfiltrate data? Marketing. A whopping 63% of respondents in this department admitted to taking data when they moved on.

After marketing, employees in HR (37%) and IT (37%) had the next highest levels of exfiltration. Incidentally, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal, as these functions have to comply with strict data regulations on a daily basis. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job.
Why are people taking data on their way out?

According to Infosecurity magazine, 70% of intellectual property (IP) theft occurs within the 90 days before an employee’s resignation announcement. But why are people taking data when they leave? Here are some of the most common reasons.

Competitive advantage

Maliciously-minded insiders can steal company data to get a competitive edge in their new role. 58% of workers we surveyed told us the information would help them in their new job. Think customer lists, software, project documents, frameworks and methodologies, and ultimately, IP. This is more common than you might think. For example, a General Electric employee was imprisoned in 2020 for stealing the company’s trade secrets for his own business in China.

A belief they own it

Many employees have a mentality that if they worked on that presentation, source code, or project, it’s theirs. In fact, 53% of respondents to our survey felt this way, saying that because they worked on the document, they believed the information belonged to them.

Financial gain

The right sort of data in the wrong hands can be extremely valuable. Former staff can sell customers’ information on the dark web. There’s a huge market for personal information—research suggests you can steal a person’s identity for around $1,100. 40% of the people we surveyed said they intended to make money from the information.
So who does own your work?   But back to our original question. Does your work belong to you? Well, chances are – no. In nearly all sectors and jurisdictions, if you’re fully employed by the company they own the output of your endeavors. The situation might be slightly different if you’re a freelance contractor. In the end it all comes down to the contract.    But there are exceptions. Obviously personal items that belonged to you prior to starting employment remain yours. Secondly, you can leave with items that you have permission to take. There’s also knowledge that you obtained during the role – such as the names of the firm’s five biggest customers. This is why many senior roles in firms have non-compete clauses built into their employment contracts.
What does The Great Resignation mean for security teams?

With 55% of respondents revealing that they’re thinking about leaving their jobs in 2022, and two in five (39%) currently working their notice or actively looking for a new job in the next 6 months, it’s clear IT and security teams are under pressure to keep company data safe during the Great Resignation.

But this research shouldn’t be used to berate employees – as a security leader, that’s not your job. Rather, it should be used to refresh the dialogue about security culture, and weave it into the broader discussion about data loss prevention.

Josh Yavor, Chief Information Security Officer at Tessian, comments, “It’s a rather common occurrence for employees in certain roles and teams to take data when they quit their job. While some people do take documents with malicious intent, many don’t even realize that what they are doing is wrong. Organizations have a duty to clearly communicate expectations regarding data ownership, and we need to recognize where there might be a breakdown in communication which has led to a cultural acceptance of employees taking documents when they leave.

“The Great Resignation, and the sharp increase in employee turnover, has exposed an opportunity for security and business leaders to consider a more effective way of addressing insider risk. It comes down to building better security cultures, gaining greater visibility into data loss threats, and defining and communicating expectations around data sharing to employees – both company-wide and at departmental level. Being proactive in setting the right policies and expectations is

How does Tessian prevent data exfiltration attempts?

Prevent unauthorized emails

Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email.
Deeply understand your risk

Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltration attempts.

In-the-moment educational warnings

Tessian warnings act as in-the-moment training for employees, continuously educating them about threats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time.
ATO/BEC Email DLP Human Layer Security
Secure Email Gateways (SEGs) vs. Integrated Cloud Email Security (ICES) Solutions
By John Filitz
09 February 2022
Recent market developments in email security signal there is a new player in town. And what has been considered a solved-for cybersecurity challenge is receiving renewed attention, both in the enterprise and in the analyst community.

The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, brings a welcome new approach to solving for increasingly sophisticated and elusive email security threats.
Advanced threats require a new approach to addressing email security risk

Threat actors are using more sophisticated techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.

The pace of digital transformation underway and key shifts in the way we work help explain it, too. In the wake of the pandemic, the accelerated adoption of public cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices. Threat actors are exploiting these developments by targeting the most common threat vector for a breach: phishing via email.
Secure Email Gateways (SEGs)

SEGs were, until recently, considered a staple in the cybersecurity stack. But SEGs that run on static, rule-based detection engines are finding it increasingly challenging to protect in today’s threatscape. This is largely because SEGs rely on adversaries exploiting common and well-known attack vectors.

SEG solutions sit in-line and filter all inbound emails. SEGs use a threat intelligence engine combined with manual policy orchestration, creating “allow” or “deny” lists. In the world of SEGs, security administrators have to configure MX records, develop specific email security policies, block domains, and triage incidents – with many of these incidents being false positives due to the “wide-net” email filtering approach.

Given that the threat engine for SEGs relies on known threats, threat actors can bypass SEG controls, for example, by registering new domains and combining them with advanced impersonation techniques. That’s why Tessian saw 2 million malicious inbound emails evade SEGs in a 12-month period.

And once an adversary has compromised an organization’s email (i.e. passed through the gateway) there is little stopping them. SEGs also offer very limited protection against insider threats or advanced methods of email-based data exfiltration, for example renaming document files to bypass manually orchestrated SEG DLP policy labels.
The key attributes of SEGs include:

Designed to protect against commonly seen threats, i.e. mainstream phishing activity, malware and spam
Redirection of mail via MX records pointing to the SEG to scan all incoming email
Using a sandbox for detecting, isolating, and detonating suspected malicious emails or attachments
Clawback ability for internal email only
No ability to detect lateral movement by a threat actor that has breached the gateway
Supplemental scanning solutions are often required to detect advanced inbound threats
Manual orchestration of basic DLP policies
Integrated Cloud Email Security (ICES) Solutions

The main distinguishing characteristic of ICES solutions like Tessian compared to SEGs is that ICES solutions were born in the cloud, for the cloud. But they’re also able to provide protection for hybrid and on-premise environments.

Using machine learning and connecting via connectors or an API, the algorithm of an ICES solution develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities to dynamically, and in real time, scan and detect any anomalous email behavior on both the inbound and the outbound side.

ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces the SOC burden and ultimately improves security effectiveness.
The key attributes of ICES solutions include:

Designed to detect advanced social engineering attacks including phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO)
Require no MX record changes and scan incoming emails downstream from the MX record, either pre-delivery via a connector, or post-delivery via an API
Behavioral detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and lower false positives, i.e. less business interruption and more SOC optimization
A banner can be added to an incoming email indicating the level of risk of the scanned email
Lateral attack detection capability
Malicious emails are hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered. Post-delivery solutions will claw back a suspected email determined to be malicious
All of the email fields are analyzed and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URLs and attachments
Prompts the end-user with in-the-moment contextual warnings on suspected malicious emails to take safe action, in real time
Some have advanced DLP capability
The evolution of the threatscape, combined with the mainstream adoption of public cloud offerings and associated productivity suites, helps contextualize the emergence of the ICES vendor category.

Many of the productivity suites such as Microsoft 365 and Google Workspace include SEG-like features as part of their standard offerings. And Gartner predicts that by 2023, 40% of enterprises will be leveraging an ICES solution like Tessian with a public cloud’s productivity suite for comprehensive email protection.
Want to learn more? See how Tessian prevents ransomware attacks and protects against data loss, watch a product overview video, download our platform architecture whitepaper, or book a demo.
Email DLP Remote Working Data Exfiltration
How the Great Resignation is Creating More Security Challenges
By Laura Brooks
01 February 2022
New research from Tessian reveals just how deep The Great Resignation is, and how it’s continuing to increase work for security teams.

The Great Resignation of 2021 continues well into 2022, with record high numbers of people quitting their jobs and seeking opportunities for better positions, better pay, better work/life balance and even exploring a career in a completely new industry.

According to our latest survey of 2,000 employees in UK and US businesses, 55% are considering leaving their current employer this year, with two in five (39%) workers currently working their notice or actively looking for a new job in the next six months.

HR departments are under pressure to retain employees and replace the talent they lost. But they’re not the only team feeling the strain.

Our survey also revealed that 71% of IT decision makers in US and UK organizations told us the Great Resignation has increased security risks in their company. What’s more, 45% of IT leaders say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs.

They’re not wrong. One in three (29%) UK and US employees admitted to having taken data with them when they quit. The figures were much higher in the US, with two fifths of US employees (40%) saying they’d taken data with them when they left their job.
Which employees are taking the data?

We see noticeable differences in behaviors across various departments. Employees in marketing were the most likely to take data with them when they leave, with a staggering 63% of respondents in this department admitting to doing so. Employees in HR (37%) and IT (37%) followed.

Interestingly, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal. With employees in these departments having to comply with strict data regulations on a daily basis, the findings suggest that this impacts their data sharing behaviors and the security cultures in these departments. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job.
Why do employees take data with them?

The majority of employees are not taking data for malicious purposes. The most common reason for taking data, cited by 58% of respondents, was because the information would help them in their new job. In addition, 53% believe that because they worked on the document, it belongs to them.

A significant percentage of employees (44%) said they took the information to share with their new employer, while 40% said they intended to make money from the information.
The consequences of doing nothing

With 70% of US employees and 40% of UK employees thinking about leaving their employer this year, the pressure is on to protect the organization from insider risk.

Even if a company experiences only one data exfiltration attack, the consequences can be huge. There’s a lot at stake when it comes to the data in your company’s control, particularly when you consider that the average cost of a data breach now stands at $4.24 million.

What are the causes of these phenomenal costs? Here are three factors:

Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is expensive—not to mention the thousands of hours that can be lost trying to determine the cause.
Lawsuits: Many companies face enormous lawsuits for losing customer data.
Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.
What can IT and security leaders do to minimize the risk of data exfiltration during the Great Resignation period?

Taking data when leaving an organization has become one of those culturally-accepted things that people feel they can get away with. Let’s be clear, though, this is not a reason to blame and shame employees for their actions.

Rather, this is an opportunity to see how we got to this point, assess where there are gaps in our data protection policies, and determine whether policies and guidelines are being communicated effectively to employees – both company-wide and in specific departments.

By defining and communicating the company’s expectations around data sharing and data handling in the organization, and training employees on safe cybersecurity practices, security leaders can start to build stronger security cultures that reduce insider risk.

As well as greater education and training, IT and security teams also need to ensure they have visibility of the risk across all channels, particularly email. A quarter of IT leaders we surveyed said they do not have visibility into incidents of data exfiltration, and this is an important first step.

The Great Resignation shows no sign of slowing down, and people will continue to move around looking for new opportunities throughout 2022. But this is also an opportunity for IT and security teams to build a more robust data loss prevention strategy, streamline defenses against insider risk, and put a safety net in place to stop the company’s most valuable and sensitive data from falling into the wrong hands.

How does Tessian prevent data exfiltration attempts?

Prevent unauthorized emails

Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email.
Deeply understand your risk

Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltration attempts.

In-the-moment educational warnings

Tessian warnings act as in-the-moment training for employees, continuously educating them about threats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time.