Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Human Layer Security DLP
What is Email DLP? Overview of DLP on Email
15 April 2021
Data loss prevention (DLP) and insider threat management are both top priorities for security leaders to protect data and meet compliance requirements.  And, while there are literally thousands of threat vectors – from devices to file sharing applications to physical security – email is the threat vector security leaders are most concerned about protecting. It makes sense, especially with remote or hybrid working environments. According to Tessian platform data, employees send nearly 400 emails a month. When you think about the total for an organization with 1,000+ employees, that’s 400,000 emails, many of which contain sensitive data. That’s 400,000 opportunities for a data breach.  The solution? Email data loss prevention.
This article will explain how email DLP works, consider the different types of email DLP, and help you decide whether you need to consider it as a part of your overall data protection strategy.  Looking for information about DLP more broadly? Check out this article instead: A Complete Overview of Data Loss Prevention.  ➡ What is email data loss prevention? Essentially, email DLP tools monitor a company’s email communications to determine whether data is at risk of loss or theft. There are several methods of email DLP, which we’ll look at below. But they all attempt to: Monitor data sent and received via email Detect suspicious email activity Flag or block email activity that leads to data loss ➡ Do I need email data loss prevention? Unless you’re working with a limitless security budget (lucky you!), it’s important to prioritize your company’s resources and target areas that represent key security vulnerabilities.  Implementing security controls is mandatory under data protection laws and cybersecurity frameworks, like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). And there’s a good reason to prioritize preventing data loss on email. As we’ve said, email is the threat vector security leaders are most concerned about. We’ll explain why.  📩 Inbound email security threats How can malicious external actors use email to steal data? There are many methods. Phishing—social engineering attacks designed to trick your employees into handing over sensitive data. According to the FBI, phishing is the leading cause of internet crime, and the number of phishing incidents doubled in 2020. Spear phishing—like phishing, but targeted at a specific individual. Spear phishing attacks are more sophisticated than the “bulk” phishing attacks many employees are used to. Malware—phishing emails can contain a “malicious payload”, such as a trojan, that installs itself on a user’s device and exfiltrates or corrupts data. Email DLP can help prevent criminals from exfiltrating your company’s data. 🏢 Internal email security threats While it’s crucial to guard against external security threats, security teams are increasingly concerned with protecting company data from internal actors. There are two types of internal security threats: accidental and malicious. 🙈 Accidental data loss Accidents happen. Don’t believe us?  Human error is the leading cause of data breaches. Tessian platform data shows that in organizations with 1,000 or more employees, people send an average of 800 misdirected emails (emails sent to the wrong recipient) every year. That’s two every day.  How can a misdirected email cause data loss? Misspelling the recipient’s address, attaching the wrong file, accidental “reply-all”—any of these common issues can lead to sensitive company data being emailed to the wrong person.  And remember—if the email contains information about an individual (personal data), this might be a data breach. Misdirected emails are the top cause of information security incidents according to the UK’s data regulator. We can’t forget that misattached files are also a big problem. In fact, nearly half (48%) of employees say they’ve attached the wrong file to an email. Worse will, according to survey data: 42% of documents sent in error contained company research and data 39% contained security information like passwords and passcodes 38% contained financial information and client information 36% contained employee data But, not all data loss incidents are an accident.  🕵 Insider threats  Employees or contractors can steal company data from the inside. While less common than accidental data loss, employees that steal data—or simply overstep the mark—are more common than you might think. Some employees steal company data to gain a competitive advantage in a new venture—or for the benefit of a third party. We covered some of these incidents in our article, 11 Real Insider Threats. But more commonly, employees are breaking the rules for less nefarious reasons. For example, employees send company data to a personal email address for convenience. For example, to work on a project at home or on another device. Sending unauthorized emails is a security risk, though. Tessian platform data shows that it occurs over 27,500 times per year in companies with 1,000 employees or more. And, while – yes – it’s often not done maliciously, the consequences are no less dire, especially in highly regulated industries.  So, how do you prevent these things from happening?  ➡ Email DLP solutions to consider Research shows that the majority of security leaders say that security awareness training and the implementation of policies and procedures are the best ways to prevent data loss. And both are very important.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But – as well-intentioned as most employees are – mistakes still happen despite frequent training and despite stringent policies. That means a more holistic approach to email DLP – including technology – is your best bet.  Broadly, there are two “types” of DLP technology: ruled-based DLP and machine learning DLP. 📏 Rule-based email DLP Using rule-based DLP, IT administrators can tag sensitive domains, activities, or types of data. When the DLP software detects blacklisted data or behavior, it can flag it or block it. Like training and policies, rule-based DLP certainly has its place in security strategies. But there are limitations of ruled-based DLP. This “data-centric” model does not fully account for the range of behavior that is appropriate in different situations. For example, say an IT administrator asks email DLP software to block all correspondence arriving from “freemail” domains (such as gmail.com), which are often used to launch cyberattacks. What happens when you need to communicate with a contractor or customer using a freemail address? What’s more, rule-based DLP is very admin-intensive. Creating and managing rules and analyzing events takes a lot of time, which isn’t ideal for thinly-stretched security teams.  Want to learn more? We explore situations where rule-based DLP falls short. For more information, read The Drawbacks of Traditional DLP on Email. 🤖 Machine learning email DLP Machine learning email DLP is a “human-centric” approach. By learning how every member of your company communicates, machine learning DLP understands the context behind every human interaction with data. How does machine learning email DLP work? This DLP model processes large amounts of data and learns your employees’ communications patterns.  The software understands when a communication is anomalous or suspicious by constantly reclassifying data according to the relationship between a business and customers, suppliers, and other third parties. No rules required.  This type of DLP solution enables employees to work unimpeded until something goes wrong, and makes preventing data loss effortless for security teams.
💡 Learn more about how Tessian’s email DLP solutions Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our contextual machine learning models have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real-time if particular emails look like they’re about to be sent to the wrong person or if an employee has attached the wrong file. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. And, finally, Tessiden Defender prevents inbound threats, like spear phishing, business email compromise, and CEO fraud.  To learn more about data exfiltration and how Tessian uses machine learning to keep data safe, check out our customer stories or talk to one of our experts today. You can also subscribe to our monthly newsletter below to get more updates about DLP, compliance, spear phishing, industry trends, and more. 
Human Layer Security DLP Data Exfiltration
11 Examples of Data Breaches Caused By Misdirected Emails
17 March 2021
While phishing, ransomware, and brute force attacks tend to make headlines, misdirected emails (emails sent to the wrong person) are actually a much bigger problem. In fact, in organizations with 1,000 employees, at least 800 emails are sent to the wrong person every year. That’s two a day. You can find more insights in The Psychology of Human Error and The State of Data Loss Prevention 2020.  Are you surprised? Most people are. That’s why we’ve rounded up this list of 11 real-world (recent) examples of data breaches caused by misdirected emails. And, if you skip down to the bottom, you’ll see how you can prevent misdirected emails (and breaches!) in your organization.  If you’re looking for a bit more background, check out these two articles: What is a Misdirected Email? Consequences of Sending an Email to the Wrong Person 11 examples of data breaches caused by misdirected emails  1. University support service mass emails sensitive student information University and college wellbeing services deal with sensitive personal information, including details of the health, beliefs, and disabilities of students and their families.  Most privacy laws impose stricter obligations on organizations handling such sensitive personal information—and there are harsher penalties for losing control of such data. So imagine how awful the Wellbeing Adviser at the University of Liverpool must have felt when they emailed an entire school’s worth of undergraduates with details about a student’s recent wellbeing appointment. The email revealed that the student had visited the Adviser earlier that day, that he had been experiencing ongoing personal difficulties, and that the Adviser had advised the student to attend therapy. A follow-up email urged all the recipients to delete the message “immediately” and appeared to blame the student for providing the wrong email address. One recipient of the email reportedly said: “How much harder are people going to find it actually going to get help when something so personal could wind up in the inbox of a few hundred people?” 2. Trump White House emails Ukraine ‘talking points’ to Democrats Remember in 2019, when then-President Donald Trump faced accusations of pressuring Ukraine into investigating corruption allegations against now-President Joe Biden? Once this story hit the press, the White House wrote an email—intended for Trump’s political allies—setting out some “talking points” to be used when answering questions about the incident (including blaming the “Deep State media”). Unfortunately for the White House, they sent the email directly to political opponents in the Democratic Party. White House staff then attempted to “recall” the email. If you’ve ever tried recalling an email, you’ll notice that it doesn’t normally work.  Recalling an email only works if the recipient is on the same exchange server as you—and only if they haven’t read the email. Looking for information on this? Check out this article: You Sent an Email to the Wrong Person. Now What? Unsurprisingly, this was not the case for the Democrats who received the White House email, who subsequently leaked it on Twitter.  I would like to thank @WhiteHouse for sending me their talking points on how best to spin the disastrous Trump/Zelensky call in Trump’s favor. However, I will not be using their spin and will instead stick with the truth. But thanks though. — US Rep Brendan Boyle (@RepBrendanBoyle) September 25, 2019 3. Australia’s Department of Foreign Affairs and Trade  leaked 1,000 citizens’ email addresses On September 30, 2020, Australia’s Department of Foreign Affairs and Trade (DFAT) announced that the personal details of over 1,000 citizens were exposed after an employee failed to use BCC. So, who were the citizens Australians who have been stuck in other countries since inbound flights have been limited (even rationed) since the outbreak of COVID-19. The plan was to increase entry quotas and start an emergency loans scheme for those in dire need. Those who had their email addresses exposed were among the potential recipients of the loan. Immediately after the email was sent, employees at DFAT tried to recall the email, and event requested that recipients delete the email from their IT system and “refrain from any further forwarding of the email to protect the privacy of the individuals concerned.” 4. Serco exposes contact traces’ data in email error  In May 2020, an employee at Serco, a business services and outsourcing company, accidentally cc’d instead of bcc’ing almost 300 email addresses. Harmless, right? Unfortunately not.  The email addresses – which are considered personal data – belonged to newly recruited COVID-19 contact tracers. While a Serco spokesperson has apologized and announced that they would review and update their processes, the incident nonetheless has put confidentiality at risk and could leave the firm under investigation with the ICO.  5. Sonos accidentally exposes the email addresses of hundreds of customers in email blunder  In January 2020, 450+ email addresses were exposed after they were (similar to the example above) cc’d rather than bcc’d.  Here’s what happened: A Sonos employee was replying to customers’ complaints. Instead of putting all the email in BCC, they were CC’d, meaning that every customer who received the email could see the personal email addresses of everyone else on the list.  The incident was reported to the ICO and is subject to potential fines.
6. Gender identity clinic leaks patient email addresses In September 2019, a gender identity clinic in London exposed the details of close to 2,000 people on its email list after an employee cc’d recipients instead of bcc’ing them. Two separate emails were sent, with about 900 people cc’d on each.  While email addresses on their own are considered personal information, it’s important to bear in mind the nature of the clinic. As one patient pointed out, “It could out someone, especially as this place treats people who are transgender.”  The incident was reported to the ICO who is currently assessing the information provided. But, a similar incident may offer a glimpse of what’s to come.  In 2016, the email addresses of 800 patients who attended HIV clinics were leaked because they were – again – cc’d instead of bcc’d. An NHS Trust was £180,000. Bear in mind, this fine was issued before the introduction of GDPR. 7. University mistakenly emails 430 acceptance letters, blames “human error” In January 2019, The University of South Florida St. Petersburg sent nearly 700 acceptance emails to applicants. The problem? Only 250 of those students had actually been accepted. The other 400+ hadn’t. While this isn’t considered a breach (because no personal data was exposed) it does go to show that fat fingering an email can have a number of consequences.  In this case, the university’s reputation was damaged, hundreds of students were left confused and disappointed, and the employees responsible for the mistake likely suffered red-faced embarrassment on top of other, more formal ramifications. The investigation and remediation of the incident also will have taken up plenty of time and resources.  8. Union watchdog accidentally leaked secret emails from confidential whistleblower In January 2019, an official at Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including the identity of a whistleblower. How? The employee entered an incorrect character when sending an email. It was then forwarded to someone with the same last name – but different first initial –  as the intended recipient.  The next day, the ROC notified the whistleblower whose identity was compromised and disclosed the mistake to the Office of the Australian Information commissions as a potential privacy breach. 9. Major Health System Accidentally Shares Patient Information Due to Third-Party Software for the Second Time This Year In May 2018 Dignity Health – a major health system headquartered in San Francisco that operates 39 hospitals and 400 care centers around the west coast – reported a breach that affected 55,947 patients to the U.S. Department of Health and Human Services.  So, how did it happen? Dignity says the problem originated from a sorting error in an email list that had been formatted by one of its vendors. The error resulted in Dignity sending emails to the wrong patients, with the wrong names. Because Dignity is a health system, these emails also often contained the patient’s doctor’s name. That means PII and Protect health information (PHI) was exposed.  10. Inquiry reveals the identity of child sexual abuse victims This 2017 email blunder earned an organization a £200,000 ($278,552) fine from the ICO. The penalty would have been even higher if the GDPR has been in force at the time. When you look at the detail of this incident, it’s easy to see why the ICO wanted to impose a more severe fine. The Independent Inquiry into Child Sexual Abuse (IICSA) sent a Bcc email to 90 recipients, all of whom were involved in a public hearing about child abuse.  Sending a Bcc means none of the recipients can see each other’s details/ But the sender then sent a follow-up email to correct an error—using the “To” field by mistake. The organization made things even worse by sending three follow-up emails asking recipients to delete the original message—one of which generated 39 subsequent “Reply all” emails in response. The error revealed the email addresses of all 90 recipients and 54 people’s full names.  But is simply revealing someone’s name that big of a deal? Actually, a person’s name can be very sensitive data—depending on the context. In this case, IICSA’s error revealed that each of these 54 people might have been victims of child sexual abuse. 11. Boris Johnson’s dad’s email blunder nearly causes diplomatic incident Many of us know what it’s like to be embarrassed by our dad.  Remember when he interrogated your first love interest? Or that moment your friends overheard him singing in the shower. Or when he accidentally emailed confidential information about the Chinese ambassador to the BBC. OK, maybe not that last one. That happened to the father of U.K. Prime Minister Boris Johnson in February 2020. Johnson’s dad, Stanley Johnson, was emailing British officials following a meeting with Chinese ambassador Liu Xiaoming. He wrote that Liu was “concerned” about a lack of contact from the Prime Minister to the Chinese state regarding the coronavirus outbreak. The Prime Minister’s dad inexplicably copied the BBC into his email, providing some lucky journalists with a free scoop about the state of U.K.-China relations. It appears the incident didn’t cause any big diplomatic issues—but we can imagine how much worse it could have been if Johnson had revealed more sensitive details of the meeting.
Prevent misdirected emails (and breaches) with Tessian Guardian Regardless of your region or industry, protecting customer, client, and company information is essential. But, to err is human. So how do you prevent misdirected emails? With machine learning.  Tessian turns an organization’s email data into its best defense against human error on email. Our Human Layer Security technology understands human behavior and relationships and automatically detects and prevents emails from being sent to the wrong person. Yep, this includes typos, accidental “reply alls” and cc’ing instead of bcc’ing. Tessian Guardian can also detect when you’ve attached the wrong file. Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.
DLP
What is a Misdirected Email?
05 March 2021
Misdirected emails are common — sending an email to the wrong person is an easy mistake. Who hasn’t done it? But they can also be disastrous, potentially damaging a company’s reputation, revealing its confidential data, and breaching its customers’ privacy. If you’re looking for a solution versus an explanation of the problem, we’ve got you covered. Learn more about how Tessian Guardian prevents misdirected emails. How common are misdirected emails? Many of us have been using email daily for our entire working lives. In fact, around 4 billion people use email regularly, sending around 306.4 billion emails every day. That explains why misdirected emails are such a major problem. According to research, 58% of people have sent an email to the wrong person while at work, with 20% of recipients stating that this action has lost their company business — and 12% stating that it cost them their job.  And according to Tessian platform data, organizations with over 1,000 employees send around 800 misdirected emails every year. That’s more than two emails a day.  Indeed, year after year, the UK’s Information Commissioner’s Office reports misdirected emails as the number one cause of data breaches. And the latest breach data from California also shows that email “misdelivery” was the most common type of data breach caused by human error. Looking for some examples? Check out this article: 7 Data Breaches Caused by Misdirected Emails. Why do misdirected emails keep happening? So — why do we keep making this mistake?  Well, the problem is partly down to burnout. Around 52% of people say they were more likely to make mistakes while tired — and 93% said they were tired at some point during the working week. But there are some technical issues that lead to misdirected emails, too. Spelling mistakes Email is “interoperable,” meaning that, for example, Gmail users can email Outlook users without issue. In fact, any two people can email each other, as long as they have internet access. So this communication method is highly flexible — but also open to sending errors. Need to email your payroll data/passport photo/HR file to [email protected]? Make sure you don’t accidentally type “[email protected]”, or worse — “[email protected]”. The “To” field takes us back to a time before spellcheck began correcting our mistakes without us even noticing. One wrong letter can lead to a data breach. Autocomplete When you’re typing an email address into Gmail, Outlook, or any other popular email client, you may notice the “autocomplete” function trying to finish it off for you. Autocomplete can be a very useful feature when you email the same person regularly. But autocomplete can also lead to misdirected emails. Autocomplete can lead to misdirected emails when:  You start typing in the “To” field. You see the autocomplete function completing the recipient’s name. You press “Tab” or “Enter” — without checking whether autocomplete has chosen the right recipient from your address book, Productivity guru Cal Newport estimates that we send and receive around 126 email messages per day — so features like autocomplete save businesses significant amounts of time. But the impact of one misdirected email can undo these benefits. Bcc error Bcc (which stands for “blind carbon copy”) lets you hide recipients when sending an email.  There are a few benefits to using Bcc, but its most useful function is when emailing a large group of people. If you don’t want any of the recipients to know who else got the email, you can put them all in the Bcc field. Mailing lists are covered by data protection laws, such as the EU General Data Protection Regulation (GDPR). In most cases, each recipient of an email has the right to keep their email address private from the other recipients.  That’s why accidentally using the “Cc” or “To” field instead of the “Bcc” field can constitute a data breach. Indeed, in January 2020, speaker company Sonos referred itself to the UK’s data regulator after an employee accidentally copied 450 recipients into the Cc field. The dreaded “Reply All” Here’s one almost all of us have done before — hitting “Reply All” on an email to multiple recipients when we only meant to email one person (e.g., the sender). In most cases, accidentally “replying to all” is little more than an embarrassment. But consider Maria Peterson, who, in 2018, accidentally replied to all of Utah’s 22,000 public sector employees. Misattached files Misattached files and misdirected emails aren’t the same things — but misattached files (attaching the wrong file to an email) deserve a dishonorable mention in this article.  Around one in five emails contains an attachment, and Tessian research reveals some troubling data about this type of human error-based data breach: 48% of employees have emailed the wrong attachment 42% of misattached files contained company data or research 39% contained authentication data like passwords Misattached files caused the offending company legal issues in 31% of cases Looking for a solution? We have one.  Next steps We’ve looked at five types of misdirected email, and hopefully, you understand how serious a problem misdirected emails can be. To find out how to prevent — or recover from — misdirected emails, take a look at our article: You Sent an Email to the Wrong Person. Now What?
Human Layer Security DLP
Industry-First Product: Tessian Now Prevents Misattached Files on Email
By Harry Wetherald
11 February 2021
Misdirected emails – emails sent to the wrong person – are the number one security incident reported to the Information Commissioner’s Office. And, according to Tessian platform data, an average of 480 misdirected emails are sent every year in organizations with over 1,000 employees.  An unsolved problem We solved this years ago with Tessian Guardian, our solution for accidental data loss. But sending an email to the wrong person is just one part of the problem. What about sending the wrong attachment? After all, our data shows that 1 in 5 external emails contain an attachment and new Tessian research reveals that nearly half (48%) of employees have attached the wrong file to an email. We call these “misattached files” and we’re happy to announce a new, industry-first feature that prevents them from being sent.  The consequences of attaching the wrong file The consequences of a misattached file depend on what information is contained in the attachments.  According to Tessian’s survey results, 42% of documents sent in error contained company research and data. More worryingly, nearly two-fifths (39%) contained security information like passwords and passcodes, and another 38% contained financial information and client information.  36% of mistakenly attached documents contained employee data.  Any one of the above mistakes could result in lost customer data and IP, reputational damage, fines for non-compliance, and customer churn. In fact, one-third of respondents said their company lost a customer or client following this case of human error, and a further 31% said their company faced legal action.  Until now, there weren’t any email security tools that could consistently identify when wrong files were being shared. This meant attachment mistakes went undetected…until there were serious consequences.  How does Tessian detect misattached files? The latest upgrade to Tessian Guardian leverages historical learning to understand whether an employee is attaching the correct file or not. When an email is being sent, Guardian’s machine learning (ML) algorithm uses deep content inspection, natural language processing (NLP), and heuristics to detect attachment anomalies such as: Counterparty anomalies: The attachment is related to a company that isn’t typically discussed with the recipients. For example, attaching the wrong invoice. Name anomalies: The attachment is related to an individual who isn’t typically  discussed with the recipients. For example, attaching the wrong individual’s legal case files. Context anomalies: The attachment looks unusual based on the email context. For example, attaching financial-model.xlsx to an email about a “dinner reservation.” File type anomalies: The attachment file type hasn’t previously been shared with the receiving organization. For example, sending an .xlsx file to a press agency.
If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. Best of all, the warnings are helpful, not annoying and flag rates are low. This means employees can do their jobs without security getting in the way.  Want to learn more about how Tessian detects attachment anomalies before they’re sent? Download the data sheet.
Benefits for Tessian customers Tessian is the only solution in the market that can solve the problem of misattached files, giving customers complete protection from accidental data loss on email.  In addition to preventing human error and subsequent breaches, Tessian Guardian has several features that help ease the burden of compliance on thinly-stretched security teams and give key key stakeholders peace of mind. These include: Automated protection: Tessian Guardian automatically detects and prevents misattached files. No rules or manual investigation required.   Flexible configuration options: With this new feature, customers will be able to configure Guardian’s algorithm to enable and/or disable specific use-cases. This allows administrators to balance user experience with the level of protection appropriate to their risk appetite. Data-rich dashboards: For the first time, customers will have visibility of how many misattached files are being sent in their organization and by whom. This demonstrates clear ROI and makes auditing and reporting easy. 
Learn more about Tessian Interested in learning more about Tessian Guardian’s new features? Current Tessian customers can get in touch with your Customer Success Manager. Not yet a Tessian customer? Learn more about our technology, explore our customer stories, or book a demo now.
DLP Data Exfiltration
12 Examples of Data Exfiltration
By Maddie Rosenthal
03 February 2021
Over the past two years, 90% of the world’s data has been generated. And, as the sheer volume of data continues to grow, organizations are becoming more and more susceptible to data exfiltration.  But, why would someone want to exfiltrate data? Data is valuable currency. From an e-commerce business to a manufacturing company, organizations across industries hold sensitive information about the business, its employees, customers, and clients. What is data exfiltration? Simply put, data exfiltration indicates the movement of sensitive data from inside the organization to outside without authorization. This can either be done accidentally or deliberately. The consequences of data exfiltration aren’t just around lost data. A breach means reputational damage, lost customer trust, and fines. The best way to illustrate the different types of data exfiltration and the impact these incidents have on businesses is with examples. Examples of data exfiltration  When it comes to data exfiltration, there are countless motives and methods. But, you can broadly group attempts into two categories: data exfiltration by someone within the organization, for example, a disgruntled or negligent employee, and data exfiltration by someone outside the organization; for example, a competitor.  Data exfiltration by insiders Data exfiltration by an insider indicates that company data has been shared by a member of the company to people (or organizations) outside of the company.   While most organizations have security software and policies in place to prevent insider threats from moving data outside of the office environment and outside of company control, insiders have easy access to company data, may know workarounds, and may have the technical know-how to infiltrate “secure” systems.  Here are six examples of data exfiltration by insiders:  Over the course of 9 months, an employee at Anthem Health Insurance forwarded 18,500 members records’ to a third-party vendor. These records included Personally Identifiable Information (PII) like social security numbers, last names, and dates of birth. After exfiltrating nearly 100 GB of data from an unnamed financial company that offered loan services to Ukraine citizens, an employee’s computer equipment was seized. Police later found out the suspect was planning on selling the data to a representative of one of his former employer’s competitors for $4,000.  Not all examples of data exfiltration are malicious, though. Some breaches happen inadvertently, like when an employee leaving the Federal Deposit Insurance Corporation (FDIC) accidentally downloaded data for 44,000 FDIC customers onto a personal storage device and took it out of the agency.  Jean Patrice Delia exfiltrated over 8,000 files from his employer, General Electric (GE), over eight years. Delia hoped to set up a rival company using insider secrets.The FBI investigation into Delia’s scam began in 2016. Details released in July 2020 showed how Delia persuaded a GE IT administrator to grant him privileged systems access — and emailed commercially-sensitive documents to a co-conspirator. On three occasions — in November 2018, January 2020, and October 2020 — Amazon has emailed customers to inform them that an insider has disclosed their personal information (usually email address) to a third party. Amazon hasn’t been very forthcoming about the details of these incidents, but there appears to be a pattern of insider data exfiltration emerging — which should be a serious concern for the company. After a data exfiltration near-miss, a Nevada court charged Egor Igorevich Kriuchkov with “conspiracy to intentionally cause damage to a protected computer” in September 2020. Kriuchkov attempted to bribe a Tesla employee to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The FBI disrupted the scheme, which could have caused serious damage to one of the world’s leading companies. Exfiltration by outsiders Unlike exfiltration by insiders, exfiltration by outsiders indicates that someone from outside an organization has stolen valuable company data.  Here are six examples of data exfiltration by outsiders:  In 2014, eBay suffered a breach that impacted 145 million users. In this case, cybercriminals gained unauthorized access to eBay’s corporate network through a handful of compromised employee log-in credentials. At the time, it was the second-biggest breach of a U.S. company based on the number of records accessed by hackers.  Stealing login credentials isn’t the only way bad actors can gain access to a network. In 2019, malware was discovered on Wawa payment processing servers. This malware harvested the credit card data of over 30 million customers, including card number, expiration date, and cardholder name.  Did you know? 91% of data breaches start with a phishing email. While many phishing emails direct targets to wire money, pay an invoice, or provide bank account details, some request sensitive employee or client information, for example, W-2 forms. You can read more about Tax Day scams on our blog.  In February 2021, Talos Intelligence researchers discovered a new variant of the “Masslogger” Trojan. Masslogger is a perfect example of how cybercriminals can use malware to exfiltrate data from online accounts. This new Masslogger variant arrives via a phishing email with “a legitimate-looking subject line” containing a malicious email attachment. The Trojan targets platforms like Discord, Outlook, Chrome, and NordVPN, using “fileless” attack methods to exfiltrate credentials. In October 2020, the UK’s Information Commissioner’s Office (ICO) fined British Airways (BA) £20 million ($28 million) after attackers exfiltrated customers’ data, including credit card numbers, names, and addresses. This massive data breach started in June 2018, when attackers installed malicious code on BA’s website. The ICO held BA fully responsible for the breach, which affected over 400,000 customers. Healthcare company Magellan Health discovered in April 2020 that hackers had exfiltrated sensitive customer data, including names, tax IDs, and Social Security Numbers. The breach started with a phishing email that an employee received five days earlier. This data exfiltration incident occurred just months after Magellan announced a similar phishing attack that exposed 50,000 customer records from its subsidiary companies Looking for more information about data exfiltration or data loss prevention? Follow these links: What is Data Exfiltration? Tips for Preventing Data Exfiltration Attacks What is Data Loss Prevention (DLP)? A Complete Overview of DLP on Email
DLP Compliance
14 Biggest GDPR Fines of 2020 and 2021 (So Far)
03 February 2021
Since the GDPR (General Data Protection Regulation) came into effect in May 2018, countless organizations have made headlines for violations. British Airways, Marriot International Hotels, Austrian Post…but what about in 2020 and 2021? According to research from DLA Piper, between January 26, 2020, and January 27, 2021: GDPR fines rose by nearly 40% Penalties under the GDPR totaled €158.5 million ($191.5 million) Data protection authorities recorded 121,165 data breach notifications (19% more than the previous 12-month period) The UK’s Data Protection Authority, the Information Commissioner’s Office (ICO), recently published data covering July 1, 2020, to October 31, 2020. The ICO’s data shows: The ICO received 2,594 data breach notifications.  The most common cybersecurity incident was phishing. As usual, the most common cause of data breaches was misdirected email. Keep reading to find out which organizations have been slapped with the biggest fines, why, and how the violation could have been prevented.  Looking for information about achieving and maintaining compliance? We explore solutions for reducing email risk (the #1 threat vector according to security leaders) on this page.
The biggest GDPR fines of 2020 and 2021 (so far) 1. Google – €50 million ($56.6 million)  Although Google’s fine is technically from 2019, the company appealed against it. In March 2020, judges at France’s top court for administrative law dismissed Google’s appeal and upheld the eye-watering penalty. How the violation(s) could have been avoided: Google should have provided more information to users in consent policies and should have granted them more control over how their personal data is processed. 2. H&M — €35 million ($41 million) On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed. H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment. How the violation(s) could have been avoided: Details of the decision haven’t been published, but the seriousness of H&M’s violation is clear. H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose. H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment. 3. TIM – €27.8 million ($31.5 million) On January 15, 2020 Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years.  TIM’s infractions include a variety of unlawful actions, most of which stem from an overly-aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.   How the violation(s) could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities.   4. British Airways – €22 million ($26 million) In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than $238 million dollar fine that the ICO originally said it intended to issue back in 2019.  So, what happened back in 2018? British Airway’s systems were compromised. The breach affected 400,000 customers and hackers got their hands on log in details, payment card information, and PI like travellers’ names and addresses.   How the violation(s) could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, they didn’t even have basics like multi-factor authentication in place at the time of the breach. Going forward, the airline should take a data-first security approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place. 5. Marriott – €20.4 million ($23.8 million) While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened? 383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. PI like guests’ names, addresses, passport numbers, and payment card information was exposed.  Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018. How the violation(s) could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systemswith a stronger data loss prevention (DLP) strategyand utilized de-identification methods.  6. Wind — €17 million ($20 million) On July 13, Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities. The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe. The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.  How the violation(s) could have been avoided:Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could  demonstrate that sending marketing materials was in its “legitimate interests.” For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date. 7. Notebooksbilliger.de — €10.4 million ($12.5 million) German electronics retailer notebooksbilliger.de (NBB) received this significant GDPR fine on January 8, 2021. The penalty relates to how NBB used CCTV cameras to monitor its employees and customers. The CCTV system had been running for two years, and NBB reportedly kept recordings for up to 60 days. NBB said it needed to record its staff and customers to prevent theft. The Lower Saxony DPA said the monitoring was an intrusion on its employees’ and customers’ privacy. NBB is disputing the fine. How the fine could have been avoided: The NBB’s fine reflects strict attitudes towards CCTV monitoring in parts of Germany. The regulator said NBB’s CCTV program was not limited to a specific person or period. Using CCTV isn’t prohibited under the GDPR, but you must ensure it is a legitimate and proportionate response to a specific problem. The UK’s ICO has some guidance on using CCTV in a GDPR-compliant way. 8. Google – €7 million ($7.9 million) 2020 was not a good year for Google. In March, the Swedish Data Protection Authority of Sweden (SDPA) fined Google for neglecting to remove a pair of search result listings under Europe’s “right to be forgotten” rules under the GDPR, which the SDPA ordered the company to do in 2017.  How the violation(s) could have been avoided: Google should have fulfilled the rights of data subjects, primarily their  right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”  You can find more information about how to comply with requests for erasure from the ICO here.  9. Caixabank — €6 million ($7.2 million) This fine against financial services company Caixabank is the largest fine ever issued by the Spanish DPA (the AEPD).  The AEPD finalized Caixabank’s penalty on January 13, 2021, breaking Spain’s previous record GDPR fine, against BBVA — issued just one month earlier. This suggests a significant toughening of approach from the Spanish DPA. The first issue, which accounts for €4 million of the total fine, related to how Caixabank established a “legal basis” for using consumers’ personal data under Article 6. Second, Caixabank was fined €2 million for violating the GDPR’s transparency requirements at Articles 13 and 14.  How the fine could have been avoided:The AEPD said Caixabank relied on the legal basis of “legitimate interests” without proper justification. Before you rely on “legitimate interests,” you must conduct and document a “legitimate interests assessment.”  The company also failed to obtain consumers’ consent in a GDPR-compliant way. If you’re relying on “consent,” make sure it meets the GDPR’s strict “opt in” standards. The AEPD criticized Caixabank’s privacy policy as providing vague and inconsistent information about its data processing practices. Make sure you use clear language in your privacy notices and keep them consistent across websites and platforms. 10. BBVA (bank) — €5 million ($6 million) This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020.  The BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month. Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions. How the fine could have been avoided: The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages. The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and use its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy. 11. AOK (Health Insurance) — €1.24 million ($1.5 million) On June 30, the Data Protection Authority of Baden-Wuerttemberg, Germany, imposed a €1.24 million fine on health insurance company Allgemeine Ortskrankenkasse (AOK).  AOK set up contests and lotteries using its customers’ personal information — including their health insurance details. The company also used this data for direct marketing. AOK tried to get consent for this, but it ended up marketing to some users who had not consented. The regulator found that the company had sent people marketing communications without establishing a lawful basis. AOK also failed to implement proper technical and organizational privacy safeguards to ensure they only sent marketing to those who consented. How the violation(s) could have been avoided: What’s the main takeaway from the AOK case? Be very careful when sending direct marketing. If you need people’s consent, make sure you keep adequate, up-to-date records of who has consented. 12. BKR (National Credit Register) — €830,000 ($973,000) On July 6, the Dutch Data Protection Authority fined the Bureau Krediet Registration (‘BKR’) €830,000 for charging individuals to access their personal information digitally. BKR allowed customers to access their personal information for free on paper, but only once per year. BKR is appealing the fine. How the violation(s) could have been avoided: BKR shouldn’t have been charging individuals to access their personal information, and they shouldn’t have been imposing a once-per-year limit. The GDPR is clear — you may only charge for access to personal information, or refuse access, if a person’s request is “manifestly unfounded or excessive.” 13. Iliad Italia — €800,000 ($976,000) On July 13, the Italian Data Protection Authority fined telecoms company Iliad Italia €800,000 for processing its users’ personal information unlawfully in numerous ways. One issue was Iliad’s collection of consent for its marketing activities, which the regulator found had been “bundled” with an acknowledgment of the company’s terms and conditions. Iliad also failed to store its users’ communications data securely. How the violation(s) could have been avoided: Consent under the GDPR is defined very narrowly. If you’re going to ask for a person’s consent, you must make it specific to a particular activity. Don’t “bundle” your consent requests — for example, by asking people to agree to marketing and sign a contract using one tickbox. Data security is one of the cornerstones of the GDPR. Iliad appears to have failed to implement proper access controls on its users’ personal information. You must ensure that personal information is only accessible on a “need to know” basis. 14. Unknown – €725,000 ($821,600) In April, the Dutch Data Protection Authority handed out its largest fine to date to a so-far unknown company for unlawfully using employees’ fingerprint scans for its attendance and timekeeping records. The violation took place over the course of 10 months. Note: Under the GDPR, biometric data like fingerprints are classified as sensitive personal data and it is subject to more stringent protections.  How the violation(s) could have been avoided: The company should have had a valid, lawful reason to collect employees’ fingerprints. They should have also had technical measures in place to process the data and a clear process for deleting the data. 
What else can organizations be fined for under GDPR?  While the biggest fines so far in 2020 involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.  In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But, how do you prevent an accident? By focusing on people rather than systems and networks. How does Tessian help organizations stay GDPR compliant?
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.  Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). To learn more about how Tessian helps with GDPR compliance, you can read our customer stories or book a demo. Or, for information about other data privacy legislation, check out our compliance hub. 
Customer Stories DLP
Why Caesars Entertainment Chose Tessian as Their Complete Outbound Email Security Solution
By Maddie Rosenthal
07 January 2021
Company: Caesars Entertainment UK Industry: Entertainment Seats: 250 Solutions: Guardian and Enforcer  About Caesars Entertainment UK  In 2006, Caesars Entertainment – the world’s largest casino entertainment company, best known for properties such as Caesars Palace, Planet Hollywood, and Harrahs – acquired London Clubs International. The current seven casinos in the UK form Caesars Entertainment UK. While the organization is passionate about delivering exceptional gaming entertainment and proud to offer customers unrivaled networks and benefits, they’re also active in the community, sponsoring and supporting a number of charities, including YGAM, GamCare, and The Gordon Moody Association. To help prevent both accidental data loss and malicious data exfiltration, Caesars has deployed Tessian Guardian and Enforcer as a complete outbound email security solution to protect 250 employees. Tessian solves three key problems for Caesars, which we explore in the Q&A interview below. Or, you can keep reading for a summary of the discussion.  1. An honest mistake on email almost caused a data breach Oftentimes, cybersecurity solutions are purchased retroactively, meaning after a breach has occurred. But, for Charles Rayer, Group IT Director at Caesars Entertainment UK, Tessian was a proactive investment, elicited by a near-miss. Here’s what happened: A customer relations advisor was sending emails to the casino’s VIPs. But, in one email, the employee accidentally attached the wrong document, which was a spreadsheet containing personal information related to some of their top 100 customers.   Luckily, they also spelled the email address incorrectly, so it was never actually sent. Nonetheless, it was a wake-up call for Charles and his team.
So, what would the consequences have been if the email had actually gone through? Charles explained, saying, “We’re covered by the GDPR and the Sarbanes-Oxley Act because we’re a public listing with US parent companies which means, had the email been sent, we would have had to report it which is a long process. And, even though we had security solutions in place, we would have most likely recieved a fine.  But for us, the biggest issue would have been the reputational damage. If that personal information did fall into the wrong hands, what would they do with it? Would they use it for their own personal benefit? Would they use it against us?”  With Tessian Human Layer Security Intelligence, Charles now has clear visibility of misdirected emails – what he previously considered an “iceberg threat” – and, because Tessian Guardian automatically prevents emails from being sent to the wrong person, Charles feels confident that a simple mistake won’t cost Caesars its reputation.  “It’s an issue of human error. We truly believe people are 100x more likely to accidentally mishandle data than to do it deliberately. So how do you solve it? There are thousands of solutions that categorize emails, look for strings of numbers, and identify keywords based on rules. But they don’t help in this situation. Tessian does. It knows – and continues learning – what conversations you normally have with people and can pick-up when something’s off. That’s the feature that really stood out to us.” Charles said.  To learn more about how Tessian Guardian uses historical email analysis, real-time analysis, natural language processing, and employee relationship graphs to detect and prevent misdirected emails, download the data sheet.  2. Other solutions triggered 10x as many false positives as real events  While – prior to deploying Tessian  – Charles didn’t have any technology in place to prevent misdirected emails, he did have a solution in place to prevent unauthorized emails. But, because it triggered so many false positives, he and his security team were drowning in alerts, making it impossible to investigate even a fraction of the alleged incidents in real time.  It was also disruptive for employees to interact with day-to-day. “I would say on average, we saw 10x as many false positives as real incidents of data exfiltration. Some days you’d have 100 incidents logged, and not one of them would be of merit. It was a deluge of junk, with the occasional useful bit of information,” he explained.  Charlies pointed out that Tessian, on the other hand, flags just 5-6 unauthorized emails a day company-wide with a false positive rate that’s marginal now, and will only get smaller as it continues to learn from employee behavior and relationships. Yes, that means it gets smarter over time.  How? Enforcer analyzes historical email data to understand what “normal” content, context, and communication patterns look like. The technology uses this understanding alongside real-time analysis to accurately predict whether or not outbound emails are data exfiltration attempts.  That means Charles and his team can actually investigate each and every incident and, when employees do see a warning, they interact with it instead of ignoring it.
Want to learn more about how Tessian Enforcer’s machine learning algorithms get smarter over time? You can get more information here.  3. Employees in the entertainment industry handle highly sensitive data – but not all of them As Charles pointed out, employees working in the entertainment industry – especially those who work in customer service – handle a lot of sensitive information. That means that mistakes – like sending a misdirected email or emailing a contract to a personal email address to print at home – can have big consequences. It also means employees may be motivated to exfiltrate data for a competitive advantage or financial gain.  Charles has seen all of the above.  “Not just our sector, but all sectors in the entertainment industry are based around customer service and personal contact. That means we have to know a lot about our customers. And that information is valuable. It’s information people want which means we have to make sure we protect it,” he explained.  But, not all employees have access to the same type of information. Customization, therefore, was important to Charles, who said, “We have a number of employees who don’t actually have access to sensitive information and a number of employees who don’t email anyone external. So there’s no point deploying across the entire company. We wanted to focus on people who deal with customers.  Likewise, not everyone who has been onboarded is in the same internal email group, which means we have to apply different controls and rules to different people. We can do all of this easily with Tessian.” While Tessian does offer 100% automated threat prevention, we know that for security strategies to be truly effective, technology and in-house policies have to work together. With Tessian Constructor, security leaders can create personalized rules and policies for individuals and groups.  Learn more about how Tessian prevents human error on email Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships. Tessian Guardian automatically detects and prevents misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts Tessian Defender automatically detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however your work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Caesars Case Study hbspt.cta.load(1670277, 'ff80e5bd-f870-47e7-b210-ba27519c7e77', {"region":"na1"});
Human Layer Security Spear Phishing DLP Data Exfiltration
Worst Email Mistakes at Work and How to Fix Them
By Maddie Rosenthal
05 January 2021
Everyone makes mistakes at work. It could be double-booking a meeting, attaching the wrong document to an email, or misinterpreting directions from your boss. While these snafus may cause red-faced embarrassment, they generally won’t have any long-term consequences. But, what about mistakes that compromise cybersecurity? This happens more often than you might think. In fact, nearly half of employees say they’ve done it, and employees under 40 are among the most likely. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); In this article, we’ll focus on email mistakes. You’ll learn: The top five email mistakes that compromise cybersecurity How frequently these incidents happen What to do if you make a mistake on email
I sent an email to the wrong person At Tessian, we call this a misdirected email. If you’ve sent one, you’re not alone. 58% of people say they’ve done it and, according to Tessian platform data, at least 800 are fired off every year in organizations with over 1,000 people. It’s also the number one security incident reported to the Information Commissioner’s Office (ICO) under the GDPR. (More on the consequences related to data privacy below.) Why does it happen so often? Well, because it’s incredibly easy to do. It could be a simple typo (for example, sending an email to [email protected] instead of [email protected]) or it could be an incorrect suggestion from autocomplete.  What are the consequences of sending a misdirected email? While we’ve written about the consequences of sending an email to the wrong person in this article, here’s a high-level overview:  Embarrassment  Fines under compliance standards like GDPR and CCPA Lost customer trust and increased churn Job loss Revenue loss Damaged reputation
Real-world example of a misdirected email In 2019, the names of 47 claimants who were the victims of sexual abuse were leaked in an email from the program administrator after her email client auto-populated the wrong email address.  While the program administrator is maintaining that this doesn’t qualify as a data leak or breach, the recipient of the email – who worked in healthcare and understands data privacy requirements under HIPAA – continues to insist that the 47 individuals must be notified.  As of September 2020, they still haven’t been. I attached the wrong file to an email Employees can do more than just send an email to the wrong person. They can also send the wrong file(s) to the right person. We call this a misattached file and, like fat fingering an email, it’s easy to do. Two files could have similar names, you may not attach the latest version of a document, or you might click on the wrong file entirely.  What are the consequences of sending a misattached file? As you may have guessed, the consequences are the same as the consequences of sending a misdirected email. Of course, the consequences depend entirely on what information was contained in the attachment. If it’s a presentation containing financial projections for the wrong client or a spreadsheet containing the PII of customers, you have a problem.  Real-world example of sending the wrong attachment A customer relations advisor at Caesars Entertainment UK – a part of Caesars Entertainment – was sending emails to the casino’s VIPs. In the emails, the employee was meant to attach a customized invitation to an event. But, in one email, the employee accidentally attached the wrong document, which was a spreadsheet containing personal information related to some of their top 100 customers.   Luckily, they also spelled the email address incorrectly, so it was never actually sent.  Charles Rayer, Group IT Director, details the incident – and explains why this prompted him to invest in Tessian Guardian – in a Q&A.  You can watch the interview here. I accidentally hit “reply all” or cc’ed someone instead of bcc’ing them Like sending a misdirected email, accidentally hitting “reply all” or cc instead of bcc are both easy mistakes to make.  What are the consequences of hitting “reply all” or cc instead of bcc? As you may have guessed, the consequences are the same as the consequences of sending a misdirected email. And, importantly, the consequences depend entirely on what information was contained in, or attached to, the email. For example, if you drafted a snarky response to a company-wide email and intended to send it to a single co-worker but ended up firing it off everyone, you’ll be embarrassed and may worry about your professional credibility.  But, if you replace that snarky response with a spreadsheet containing medical information about employees, you’ll have to report the data loss incident which could have long-term consequences. Real-world example of hitting “reply all” In 2018, an employee at the Utah Department of Corrections accidentally sent out a calendar invite for her division’s annual potluck. Harmless, right? Wrong. Instead of sending the invite to 80 people, it went to 22,000; nearly every employee in Utah government. While there were no long-term consequences (i.e., it wasn’t considered a data loss incident or breach) it does go to show how easily data can travel and land in the wrong hands.  Real-world example of cc’ing someone instead of bcc’ing them On January 21, 2020, 450 customer email addresses were inadvertently exposed after they were copied, rather than blind copied, into an email. The email was sent by an employee at speaker-maker Sonos and, while it was an accident, under GDPR, the mistake is considered a potential breach.  I fell for a phishing scam According to Tessian research, 1 in 4 employees has clicked on a phishing email. But, the odds aren’t exactly in our favor. In 2019, 22% of breaches in 2019 involved phishing…and 96% of phishing attacks start on email. (You can find more Phishing Statistics here.) Like sending an email to the wrong person, it’s easy to do, especially when we’re distracted, stressed, or tired. But, it doesn’t just come down to psychology. Phishing scams are getting harder and harder to detect as hackers use increasingly sophisticated techniques to dupe us.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); What are the consequences of falling for a phishing scam? Given the top five “types” of data that are compromised in phishing attacks (see below), the consequences of a phishing attack are virtually limitless. Identify theft. Revenue loss. Customer churn. A wiped hardrive. But, the top five “types” of data that are compromised in a phishing attack are: Credentials (passwords, usernames, pin numbers) Personal data (name, address, email address) Internal data (sales projections, product roadmaps)  Medical (treatment information, insurance claims) Bank (account numbers, credit card information) Real-world example of a successful phishing attack In August 2020, The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on. While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. But, most phishing attacks have serious consequences. According to one report, 60% of organizations lose data. 50% have credentials or accounts compromised. Another 50% are infected with ransomware. 35% experience financial losses. I sent an unauthorized email As a part of a larger cybersecurity strategy, most organizations will have policies in place that outline what data can be moved outside the network and how it can be moved outside the network. Generally speaking, sending data to personal email accounts or third-parties is a big no-no. At Tessian, we call these emails “unauthorized” and they’re sent 38x more than IT leaders estimate. Tessian platform data shows that nearly 28,000 unauthorized emails are sent in organizations with 1,000 employees every year.  So, why do people send them? It could be well-intentioned. For example, sending a spreadsheet to your personal email address to work over the weekend. Or, it could be malicious. For example, sending trade secrets to a third-party in exchange for a job opportunity.  What are the consequences of sending an unauthorized email Whether well-intentioned or malicious, the consequences are the same: if the email contains data, it could be considered a data loss incident or even a breach. In that case, the consequences include: Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation No sensitive data involved? The consequences will depend on the organization and existing policies. But, you should (at the very least) expect a warning.  Real-world example of an unauthorized email In 2017, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes. You can find more real-word examples of “Insider Threats” in this article: Insider Threats: Types And Real-World Examples How can I avoid making mistakes on email? The easiest answer is: be vigilant. Double-check who you’re sending emails to and what you’re sending. Make sure you understand your company’s policies when it comes to data. Be cautious when responding to requests for information or money.  But vigilance alone isn’t enough. To err is human and, as we said at the beginning of this article, everyone makes mistakes.  That’s why to prevent email mistakes, data loss, and successful targeted attacks, organizations need to implement email security solutions that prevent human error. That’s exactly what Tessian does. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships. Tessian Guardian automatically detects and prevents misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts Tessian Defender automatically detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. That means it gets smarter over time to keep you protected, always.  Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Spear Phishing DLP
December Cybersecurity News Roundup
30 December 2020
December 2020 might have been the most significant month in cybersecurity history.  Private companies continued to be used as attack vectors in the ongoing international cyberwar. The plague of COVID-19-related phishing scams showed no signs of stopping. And yet another big tech company faced a fine following a data breach. This month, we’ve split our cybersecurity roundup into two parts. Part 1 deals with the SolarWinds hack and the subsequent fallout, affecting tens of thousands of companies worldwide. Part 2 looks at some of December’s other major cybersecurity headlines. Part 1: SolarWinds Hack The cybersecurity headlines this month have been dominated by the discovery that US software company SolarWinds had been hacked by state-sponsored Russian hackers.  The SolarWinds story will continue to develop throughout 2021. Part 1 of our December cybersecurity news roundup sets out the major developments so far, to help you understand how this major cybersecurity incident is unfolding. FireEye’s “red team” tools compromised in cyberattack December’s cybersecurity saga begins with an announcement from security firm FireEye, made via a December 8 blog post.  FireEye reported that a “highly sophisticated state-sponsored adversary” had stolen “red team” tools, used to mimic the sorts of attacks and exploits carried out by malicious actors. When such tools fall into the wrong hands, they can be used to carry out real-life attacks. FireEye sought to reassure its clients in a further blog post on the same day, noting that none of the compromised tools contained zero-day exploits. We explored the danger of zero-day vulnerabilities in our article: What is a Zero-Day Vulnerability? Blame for the attack fell on the Russian cybercrime group known as “Cozy Bear.” FireEye’s revelations were newsworthy in themselves, but the full implications of the company’s announcement remained unclear until a few days later. SolarWinds discloses “highly-sophisticated, targeted and manual” attack On December 13, Texas-based IT company SolarWinds said that some of the software it released between March and June had been subject to a “highly-sophisticated, targeted and manual supply chain attack by a nation state.” SolarWinds’ announcement was the first clear indication that one of the biggest cyberattacks of all time might be underway. But why was SolarWinds’ announcement so significant?  SolarWinds software is used by thousands of organizations —  including many US governments organizations. The company’s announcement revealed that many of SolarWinds’ clients had had malware embedded in their systems for up to nine months. US government reveals massive data breach The next chapter in 2020’s biggest cybersecurity story came on December 13, when Reuters reported that internal email traffic had been compromised at the US Treasury and Department of Commerce. Just like FireEye, who had reported its breach five days earlier, these US government departments used the IT-monitoring software platform Orion. Orion is created by — you guessed it — SolarWinds.  When the organizations updated their Orion software back in March, they unwittingly installed malware. The blame for the hack continued to fall on Russia, which denied involvement via a statement on Facebook. Emergency directive urges US agencies to disconnect Orion products Shortly after the SolarWinds hack was announced, the US Cybersecurity and Infrastructure Agency (CISA) issued Emergency Directive 21-01. The directive’s full name is “Mitigate SolarWinds Orion Code Compromise,” and it instructs federal agencies to “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.” Agencies were also told to “block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.” The severity of CISA’s directive stood in stark contrast to SolarWinds’ reassuring press releases. SolarWinds attack thought to impact over 18,000 customers The full extent of the SolarWinds hack became clearer on December 14, when the company filed a report with the US Securities and Exchange Commission revealing that around 18,000 organizations may have installed the malicious Orion update. To put this in context, SolarWinds has roughly 300,000 customers in total. Around 33,000 of these use Orion, and more than half of these Orion users are believed to have been compromised by the hack. But these aren’t just any customers. According to SolarWinds’ website, Orion users include US public bodies such as the Department of Defense, Secret Service, and Airforce — not to mention private firms like Symantec, AT&T, and — crucially — Microsoft. CISA announces APT compromise of public institutions and infrastructure The SolarWinds saga continued on December 17, when US cybersecurity agency CISA announced an “advanced persistent threat compromise of government agencies, critical infrastructure, and private sector organizations.” CISA described the attacker as a “patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks” that, among other activities, was “targeting email accounts belonging to key personnel, including IT and incident response personnel.” Once a hacker gains control of a target email account, it can use it to carry out advanced phishing operations. Read our articles on Business Email Compromise (BEC) and Account Takeover (ATO) attacks to learn how to avoid falling victim to these sorts of scams. US National Nuclear Security Administration confirms breach One of the more shocking threads of the SolarWinds story was revealed by Politico on December 17, when the US National Nuclear Security Administration (NNSA) and Department of Energy (DoE) revealed they had been affected by the hack. For many, this took an already deeply concerning event into “borderline terrifying” territory, as the NNSA maintains the world’s most powerful stockpile of nuclear weapons. However, a DoE spokesperson said that only business networks had been affected. The revelations came shortly after reports that CISA had been “overwhelmed” by the attacks, owing in part to staff shortages. CISA director Chris Krebs was fired by President Trump last month after Krebs defended the integrity of the 2020 election. Microsoft customers in at least seven countries affected by cyberattack In a December 17 blog post, Microsoft President Brad Smith claimed that the SolarWinds attack had impacted more than 40 Microsoft customers located across seven countries.  While 80 percent of Microsoft’s affected customers were in the US, others were located in Canada, Mexico, Belgium, Spain, the UK, Israel, and the UEA. Smith also said it was “certain” that more locations and victims would emerge. Smith’s blog post also called for “a more effective national and global strategy to protect against cyberattacks,” underpinned by better information sharing, stricter cybersecurity rules, and stronger accountability of nation-state cyber actors. NSA Cybersecurity Advisory warns of Microsoft exploits December 17 saw yet another newsworthy cybersecurity event when the US National Security Agency (NSA) issued a rare Cybersecurity Advisory, warning that “malicious cyber actors are abusing trust in federated authentication environments to access protected data.” The issue originated in Microsoft’s Active Directory Federation Services (ADFS) software, which provides single sign-on access across organizations, including via multi-factor authentication. The NSA’s Microsoft advisory followed a December 14 report by Volexity, revealing that an attacker had bypassed Duo’s multi-factor authentication service to gain access to a Microsoft Outlook Web App (OWA) inbox. These incidents serve as a stark reminder that while multi-factor authentication might be a crucial component of your cybersecurity ecosystem, you cannot rely on it to keep your email accounts safe. Part 2: Other Important Cybersecurity News While the SolarWinds hack generated the most headlines, December saw many other important, unrelated cybersecurity news stories. Part 2 of our December cybersecurity news roundup presents some of the month’s other big cybersecurity events. FBI warns of threats against ransomware victims The US Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) on December 10, advising businesses to take steps to improve cybersecurity safeguards against ransomware attacks.  Perhaps most interestingly, the PIN warns that cybercriminals have been following up ransomware attacks with phone calls attempting to “extort payments through intimidation” and “threatening to release exfiltrated data.” The FBI does not advocate paying a ransom after falling victim to a ransomware attack. It suggests taking steps to mitigate or prevent attacks, including creating secure backups, monitoring network traffic, and enabling multi-factor authentication. Since many ransomware attacks occur via email, it’s essential to protect your business using email security software. Read our article on How to Choose the Right Email Security Software for more information. Research reveals COVID-19 phishing remains a serious problem Research reported by Health IT Security on December 11 showed that cyberattackers continue to exploit the COVID-19 pandemic through phishing scams. The report cites research by KnowBe4, which reveals a new batch of spear phishing emails relating to vaccinations. Armorblox also reports emails impersonating the US Internal Revenue Service (IRS) and purporting to offer COVID-19 financial relief.  The majority of COVID-19 phishing attacks target credentials — a common strategy which we discuss in our article What is Credential Phishing? You can also check out four real-world examples of other COVID-19 phishing attacks in this article.  These phishing scams are a new variant on the COVID-19 phishing theme started hitting inboxes in March — and, like all social engineering attacks, they seek to exploit people’s trust in authority. Want to learn how to avoid falling victim to these sorts of scams? See our article: How to Identify and Prevent Phishing Attacks. Irish regulator fines Twitter over data breach Ireland’s data protection authority, the Data Protection Commission (DPC) , issued a €450,000 fine against Twitter on December 15 over the company’s handling of a 2018 data breach affecting Android users. Twitter’s violations of the EU’s General Data Protection Regulation (GDPR) included failing to notify the DPC about a data breach within the required 72 hour period, and failing to document the breach properly. While nearly half a million euro is a lot of money, it’s fairly small beer for a company as large as Twitter. The GDPR allows fines of up to 2% of global turnover for this type of violation, which could have led to a maximum fine of around €60 million in Twitter’s case. We outline the biggest GDPR fines of 2020 in this article.  But the DPC originally proposed an even smaller fine of €135,000 and €275,000. This proposal was seen as excessively lenient by other EU data protection authorities, who disputed it under the first ever use of the GDPR’s Article 65 procedure. Other DPAs, such as Germany’s BfDI, argued that a higher fine of up to €22 million would be more appropriate. These arguments were put forward in a binding decision of the European Data Protection Board (EDPB) which required the DPC to reconsider its proposed fine. The regulator’s response — raising the fine to just 0.1% of Twitter’s 2019 turnover — will lead many to suggest that the social media giant got off lightly. Contact details of 270,000 cryptocurrency users leaked On December 22, BleepingComputer reported that the contact details of over 270,000 users of cryptocurrency wallet Ledger were being offered for sale on the dark web, following a data breach that occurred in July. Two text files were reportedly for sale, one containing 1,075,382 people’s email addresses, and the other containing 272,853 people’s names, mailing addresses, and phone numbers. Although this type of personal data is not considered sensitive, it is highly valuable to hackers as it can be used to launch phishing attacks against the users. Earlier this month, Ledger users reported receiving phishing emails from an actor impersonating Ledger’s security team. That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post.
DLP Data Exfiltration
2020 in Review: Top 17 Insights From Tessian Research
By Maddie Rosenthal
17 December 2020
This year, Tessian released four research reports, covering topics like the cybersecurity skills gap, social engineering, insider threats, and remote-working.  Now, looking back on the year, we wanted to highlight some of the most relevant insights for security leaders and the larger industry.  If you want more information about any individual insight, download the full report or check out the other suggested resources listed throughout.  Opportunity in Cybersecurity Report 2020 If the number of women working in cybersecurity rose to equal that of men, we’d see a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 66% of women agree there is a gender bias problem in the cybersecurity industry. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 51% of women say that a more accurate representation of the industry in the media would encourage new entrants. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
93% of women in cybersecurity feel secure in their roles. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); In addition to surveying hundreds of women currently working in cybersecurity, we also interviewed over a dozen female practitioners with titles ranging from CISO to backend Python engineer. Read their profiles here. 
The State of Data Loss Prevention 2020  Employees exfiltrate data on email 38x more than IT leaders estimate. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 91% of IT leaders trust their employees to follow safe data practices while working from home….but nearly half (48%) of employees say they’re less likely to follow safe data practices when working from home. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); IT leaders say that the #1 consequence of a data breach is lost customers/lost customer trust. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); At least 800 emails are sent to the wrong person every year in organizations with 1,000+ employees. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Looking for industry-specific information about DLP? Read At a Glance: Data Loss Prevention in Healthcare and DLP in Financial Services.
The Psychology of Human Error 43% of people have made mistakes at work that compromise cybersecurity…
And younger workers are 5x times more likely to make such mistakes. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); A third of workers (33%) rarely or never think about cybersecurity when at work. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 58% have sent an email to the wrong person at work, and 1/5 companies have lost a customer following a misdirected email. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Wondering why people make mistakes? Jeff Hancock, Professor of Communication at Stanford University and contributor to this report, discusses the psychology of human error in this panel discussion: Why People Fall for Social Engineering in a Crisis. 
The Future of Hybrid Work Phishing was the leading cause of security incidents when employees worked remotely (and email traffic increased by 129% at the start of lockdown). !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 75% of IT decision makers believe the future of work will be “remote” or “hybrid”. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 78% of IT decision makers believe their company is at greater risk of insider threats when employees work remotely. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); To learn more about the challenges security and IT leaders will have to overcome in hybrid-remote environments, read this article: 7 Concerns IT Leaders Have About Permanent Remote Working. 
Make sure you don’t miss the release of new research next year.  Connect with us on LinkedIn, follow us on Twitter, and subscribe to our newsletter to be the first to see new content and get invited to industry events.
DLP Data Exfiltration
Insider Threats Examples: 11 Real Examples of Insider Threats
By Maddie Rosenthal
08 December 2020
Insider threats are a big problem for organizations across industries, especially now with mass layoffs and new remote-working arrangements. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data, unlike the external bad actors many security policies and tools help defend against. It could be anyone, from a careless employee to a rogue business partner. That’s why we’ve put together this list of Insider Threat types and examples. By exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to spot Insider Threats before a data breach happens. Types of Insider Threats First things first, let’s define what exactly an Insider Threats is. Insider threats are people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information. The key here is that there are two distinct types of Insider Threats:  The Malicious Insider: Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some kind of financial incentive, a competitive edge, or simply because they’re holding a grudge for being let go or furloughed.  The Negligent Insider: Negligent insiders are just your average employees who have made a mistake. For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear phishing attack, or lose their work device.  We cover these different types of Insider Threats in detail in this article: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions.
11 Examples of Insider Threats  1. The employee who exfiltrated data after being fired or furloughed Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed.  This has caused widespread distress. When you combine this distress with the reduced visibility of IT and security teams while their teams work from home, you’re bound to see more incidents of Malicious Insiders.  One such case involves a former employee of a medical device packaging company who was let go in early March 2020  By the end of March – and after he was given his final paycheck – Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records.  This caused significant delays in the delivery of medical equipment to healthcare providers. 2. The employee who sold company data for financial gain In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web.  The breach affected 547,000 customers and in 2018 after an investigation by the ICO, Bupa was fined £175,000. 3. The employee who stole trade secrets In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets. The employee, named Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE’s systems over eight years — intending to leverage his professional advantage to start a rival company. The FBI investigation into Delia’s scam revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially-sensitive calculations to a co-conspirator. Having pleaded guilty to the charges, Delia faces up to 87 months in jail. What can we learn from this extraordinary inside job? Ensure you have watertight access controls and that you can monitor employee email accounts for suspicious activity. 4. The employee who fell for a phishing attack While we’ve seen a spike in phishing and spear phishing attacks since the outbreak of COVID-19, these aren’t new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 Megabytes of data were stolen. This data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records. 5. The work-from-home employees duped by a vishing scam Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. One cybercrime group conducted one of the most high-profile hacks of 2020 — knocking 4% off Twitter’s share price in the process. In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials. Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam. This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know — your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes. Want to learn more about vishing? We cover it in detail in this article: Smishing and Vishing: What You Need to Know About These Phishing Attacks. 6. The employee who took company data to a new employer for a competitive edge This incident involves two of the biggest tech players: Google and Uber. In 2015, a lead engineer at Waymo, Google’s self-driving car project, left the company to start his own self-driving truck venture, Otto. But, before departing, he exfiltrated several trade secrets including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.  How? By downloading 14,000 files onto his laptop directly from Google servers. Otto was acquired by Uber after a few months, at which point Google executives discovered the breach. In the end, Waymo was awarded $245 million worth of Uber shares and, in March, the employee pleaded guilty. 7. The employees leaking customer data  Toward the end of October 2020, an unknown number of Amazon customers received an email stating that their email address had been “disclosed by an Amazon employee to a third-party.” Amazon said that the “employee” had been fired — but the story changed slightly later on, according to a statement shared by Motherboard which referred to multiple “individuals” and “bad actors.” So how many customers were affected? What motivated the leakers? We still don’t know. But this isn’t the first time that the tech giant’s own employees have leaked customer data. Amazon sent out a near-identical batch of emails in January 2020 and November 2018. If there’s evidence of systemic insider exfiltration of customer data at Amazon, this must be tackled via internal security controls. 8. The employee offered a bribe by a Russian national In September 2020, a Nevada court charged Russian national Egor Igorevich Kriuchkov with conspiracy to intentionally cause damage to a protected computer. The court alleges that Kruichkov attempted to recruit an employee of Tesla’s Nevada Gigafactory. Kriochkov and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The Kruichkov conspiracy was disrupted before any damage could be done. But it wasn’t the first time Tesla had faced an insider threat. In June 2018, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.” With state-sponsored cybercrime syndicates wreaking havoc worldwide, we could soon see further attempts to infiltrate companies. That’s why it’s crucial to run background checks on new hires and ensure an adequate level of internal security. 9. The employee who accidentally sent an email to the wrong person Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But, what are the implications? It depends on what data has been exposed.  In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included: Mental health information Surgery information While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. We outline even more consequences of misdirected emails in this article.  10. The employee who accidentally misconfigured access privileges Just last month, NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS.  These documents – marked “SENSITIVE” and “OFFICIAL” contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic. 11. The employee who sent company data to a personal email account We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend.  But, in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees were exposed, including employee ID data, places of birth, and accounting department codes.
How common are Insider Threats? Incidents involving Insider Threats are on the rise, with a marked 47% increase over the last two years. This isn’t trivial, especially considering the global average cost of an Insider Threat is $11.45 million. This is up from $8.76 in 2018. Who’s more culpable, Negligent Insiders or Malicious Insiders?  Negligent Insiders (like those who send emails to the wrong person) are responsible for 62% of all incidents Negligent Insiders who have their credentials stolen (via a phishing attack or physical theft) are responsible for 25% of all incidents Malicious Insiders are responsible for 14% of all incidents It’s worth noting, though, that credential theft is the most detrimental to an organization’s bottom line, costing an average of $2.79 million.  Which industries suffer the most? The “what, who, and why” behind incidents involving Insider Threats vary greatly by industry.  For example, customer data is most likely to be compromised by an Insider in the Healthcare industry, while money is the most common target in the Finance and Insurance sector. But, who exfiltrated the data is just as important as what data was exfiltrated. The sectors most likely to experience incidents perpetrated by trusted business partners are: Finance and Insurance Federal Government Entertainment Information Technology Healthcare State and Local Government Overall, though, when it comes to employees misusing their access privileges, the Healthcare and Manufacturing industries experience the most incidents. On the other hand, the Public Sector suffers the most from lost or stolen assets and also ranks in the top three for miscellaneous errors (for example misdirected emails) alongside Healthcare and Finance. You can find even more stats about Insider Threats (including a downloadable infographic) here.  The bottom line: Insider Threats are a growling problem. We have a solution.
How does Tessian prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.  Curious how frequently these incidents are happening in your organization? Click here for a free threat report.
DLP
Email Security: Best Practices and Tools to Lock Down Email
09 November 2020
What messaging channel has more users than Facebook and WeChat put together, has been around since 1971, and today is one of the biggest communications channels worldwide. You guessed it: email.  Today, there are around 3.9 billion email users around the world and, with steady annual growth of 3% expected, we should have 4.3 billion email users by 2022. But, email wasn’t designed to be secure which means that the data sent back and forth every day is at risk of being compromised.  The bottom line: It’s a serious security risk for businesses, which are now by-and-large bound to strict compliance standards. In fact, it’s the threat vector IT leaders are most concerned about protecting. Keep reading to find out what email security is, how data can be lost or breached on email, and what employees can do to prevent data loss on email.  If you’re looking for information about cybersecurity best practice while working remotely, check out our ultimate guide here.
But, why do organizations need to secure email? Because it’s “open” by nature. An unlocked door. That’s how it was designed! It actually started as an intra-organization chat tool.  
But an open network is an at-risk network. Anything can come in or go out.  Bad-intentioned hackers can send malicious attachments and malware-ridden into any organization, so long as they have the email address of just one employee.  Likewise, bad-intentioned employees can send sensitive data outside of an organization, simply by hitting “send”.  That’s why we have two categories of email security. Inbound email security: Inbound email security protects against threats like spam, phishing, spear phishing, and other advanced impersonation attacks.  Outbound email security: Outbound email security prevents data exfiltration and prevents accidental data loss via misdirected emails.  To really understand how email security works, you have to understand how email works, which we’ll cover next.  Not interested in the nitty gritty of email? Skip down the page to learn more about: The different types of email security solutions Best practice for email security How Tessian detects and prevents both inbound and outbound threats on email
Email 101: How does email work? Put simply, email operates by way of servers speaking with each other.  The framework that governs these communications is called Simple Mail Transfer Protocol (SMTP). SMTP is the protocol, which governs how servers send and receive packets of email data. The server sending an email will “push” the email to a receiving server. There are three key component parts of each email, all of which are to some extent based on traditional, physical mail. The envelope The envelope is the initial information pushed by the server sending an email to the receiving server. It simply indicates the email’s sender and recipient, as well as some validating commands exchanged between the sending and receiving servers. Email users can’t see the envelope, since it is part of the internal routing process for emails.  The header The email header, which is transmitted alongside the body of the email, contains metadata such as the time the email was sent, which servers sent and received the data, and so on. Email clients (such as Outlook, Gmail etc) hide header information from recipients. The body The body of an email is simply the content that a recipient sees and interacts with.  The envelope, the header and the body are all potential weak spots in organizations’ security perimeters. It is not difficult for an attacker in control of their own email server to spoof details of an email’s header, for instance, or to target an employee with a convincing impersonation of a trusted colleague or partner. (See other Tessian blogs for examples of display name and domain impersonation, which are regularly used to target enterprises and their employees in spear phishing campaigns.) So, what solutions exist to prevent inbound and outbound email threats?
Different types of email security solutions Secure Email Gateways Secure Email Gateways – also known as SEGs or Email Security Gateways – have been deployed by organizations for decades. SEGs offer an all-in-one solution that blocks spam, phishing, and some malware from reaching employees’ inboxes. They might use email encryption to make communications harder to intercept. As with DLP tools (see below), SEGs operate by way of extensive lists of rules that only defend against threats the system or organization has seen before.  SEGs use various methods to detect threats in emails. Generally, they inspect links and attachments, and apply rules to the email to raise suspicious characteristics (like if the email originates from a blacklisted IP address). Importantly, though, they can’t stop more advanced attacks like spear phishing. This is especially problematic because today, cybercriminals are using increasingly sophisticated social engineering tactics to bypass SEGs and trick end-users.  DLP Essentially, Data Loss Prevention (DLP) software ensures that organizations don’t leak sensitive data.  DLP software monitors different entry and exit points within a corporate network, such as user devices, email clients, servers and/or gateways within the network. Like SEGs, DLP tools are invariably rule-based, limiting the range of new and evolving threats DLP products can defend against. Interested in learning more? Check out these articles:  What is Data Loss Prevention? A Complete Overview of DLP on Email The State of Data Loss Prevention 2020 The Drawbacks of Traditional DLP on Email SPF / DKIM / DMARC SPF, DKIM and DMARC are email authentication records that, in short, help protect organizations against attackers spoofing their domains. Although they can help stop spoofing attempts, the effectiveness of these protocols is limited by their lack of adoption. The vast majority of organizations around the world have not yet implemented DMARC, which means attackers can easily target vulnerable companies and spoof their domains. (For more information, head to Tessian’s blog on DMARC.) Given the shortcomings of these traditional solutions, security leaders must educate their employees on best practice so that they’re well-equipped to defend against email attacks and prevent data loss (both accidental and malicious).
Best practices for email security
Here are a few key strategies virtually all organizations can employ to help them defend against cyber threats on email. Password protection Even when organizations and attackers are in a cybersecurity arms race, the basics of good security still apply. Email accounts need strong passwords: a good guideline is that if you can remember your password, it isn’t strong enough. If your organization uses a password management tool like Lastpass or 1Password, make sure all passwords are stored on that system. Top tip: You should also consider implementing 2Fa. Manage sensitive information carefully Organizations control all kinds of sensitive data, and the popularity (and necessity) of newly flexible working habits means that security leaders need to be especially vigilant as to how data moves inside and outside organizations’ networks. To control the flow of data, organizations implement policies and procedures, including access controls.  But, these controls and human policies can impede productivity. In fact, 51% say security tools and software impede their productivity. Another 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job. Leverage technology to train employees Training and awareness is regularly talked up among cybersecurity practitioners.  The problem is, taking employees away from their day-to-day duties and delivering context-free workshops on cybersecurity will rarely result in better vigilance and lasting threat protection. It’s important to invest in technology that can deliver in-situ, contextual training, allowing employees to learn from activity taking place in their own inboxes. You can read more about the Pros and Cons of Security Awareness Training here. While password protection, access controls, policies, and training can all help improve an organization’s email security, they alone aren’t enough. After all, to err is human! That’s why we can’t leave people as the last line of defense. And, since traditional email security solutions like SEGs and rule-based DLP can’t stop more advanced threats, security teams need to look at next-generation technology like Tessian. 
How does Tessian detect and prevent inbound and outbound threats on email? Tessian’s approach to email security is different. We call it Human Layer Security and, across three solutions, we prevent data exfiltration, accidental data loss, and spear phishing attacks. Powered by machine learning, Tessian maps employee email activity and builds unique security identities for every individual. Our algorithms can then predict when inbound and outbound email activity is normal or abnormal and detect potential security incidents before they become breaches. No rules required. We secure hundreds of thousands of employees at some of the world’s leading enterprises. But, don’t take our word for it. Take it from them! We have dozens of customer stories. Or, if you’re interested in learning more about how Tessian can help your organization level-up its email security, speak to one of our experts today.
Page
[if lte IE 8]
[if lte IE 8]