Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Human Layer Security Spear Phishing DLP Data Exfiltration
October Cybersecurity News Roundup
30 October 2020
October 2020 has been another remarkable month in cybersecurity. And, since COVID-19 sent the world indoors and made us ever-more reliant on the internet, the importance of information security and data protection has never been more apparent. October saw numerous high-profile data breaches, cyberattacks, and online scams — but also brought us one of the biggest GDPR fines yet, an innovative solution to deepfake technology, and even more jostling between the US government and Chinese big tech. Let’s take a look at the biggest cybersecurity headlines of October 2020. Paying Cyberattack Ransoms Could Breach International Sanctions Rules New guidance from the US Treasury has big implications for companies hit by ransomware attacks from certain countries. (Companies affected by ransomware find their files encrypted — replaced by useless strings of seemingly random characters — with cybercriminals promising to return the data if the company pays a ransom.) Paying up might be the least-worst option where a company’s critical data is at stake…ut according to an October 1 US Treasury advisory note, paying cyberattack ransoms could violate legal rules on international sanctions. Businesses suffering a ransomware attack by hackers from a sanctioned country — like Iran, China, or Russia (where many such attacks do originate) — now face the threat of huge fines and legal action if they choose to buy back their files.  The Treasury’s advice reiterates what cybersecurity leaders have been saying for many years: in cybersecurity, prevention is far better than cure. Amazon Prime Day Sees Huge Spike in Phishing Scams With millions of consumers confined to their homes, this year’s Amazon Prime Day was a chance for millions of shoppers to grab a bargain — and an unmissable opportunity for cybercriminals to steal their personal information. October 8 research from Bolster detected over 800 “spoof” Amazon webpages in September (up from 50 in January), as fraudsters ramped up their phishing efforts in anticipation of the two-day Amazon Prime Day event, hosted October 13-14. Some sites looked near-identical to Amazon’s genuine web properties, with perfectly duplicated branding and convincing domain names. Unwary shoppers were asked for details such as their CVV2 code and social security number. See what advice Tessian co-founder and CEO, Tim Sadler, offered consumers in Tech Radar. FBI Warns of Ransomware Attacks Targeting Healthcare Providers On October 29, the FBI and other agencies issued a warning regarding an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The threats include a new tool named anchor_dns, a backdoor that can reportedly “evade typical network defense products,” and the Ryuk Ransomware. Among other measures, the FBI is advising healthcare providers to create business continuity plans, patch networked systems, and implement multi-factor authentication in preparation for an attack. According to Associated Press, 59 US healthcare systems have been attacked via ransomware so far this year. Looking for more information on why the healthcare industry is especially vulnerable? We talk more about The State of Data Loss Prevention in Healthcare in this article. UK Public Body Unable to Provide Services Follow “Serious Cyberattack” On October 14, Hackney London Borough Council, a UK local government body, announced that it had fallen victim to a “serious cyberattack.”  In an update two days later, the council revealed the extent of the damage. Among other things, the council was unable to accept rent payments, process planning applications, or pay some social security benefits. The council said it was “working hard to restore services, protect data, and investigate the attack,” but that services could remain unavailable for “some time.” UK Data Regulator Issues $26 Million Fine to Airline UK airline British Airways received a £20 million ($26 million) fine on October 17 for “failing to protect the personal and financial details of more than 400,000 of its customers.” The fine relates to a cyberattack suffered by the company in 2018. The Information Commissioner’s Office — the UK’s data protection authority — found that the airline had failed to limit access to data, had not undertaken sufficiently rigorous testing, and should have implemented multi-factor authentication on its employee and third-party accounts. The British Airways fine amounts to the fourth-largest GDPR fine of all time — but the airline actually got off relatively lightly, considering that the fine was initially touted as £183 million ($238 million).  To learn more about compliance standards like the GDPR (including the largest breaches and fines to-date) check out The CEO’s Guide to Data Protection and Compliance. Adobe Launches Content Authenticity Initiative Tool to Fight Deepfakes As video and audio manipulation techniques become more accessible, cybersecurity and intelligence experts have been warning about a potential onslaught of deepfakes that could have an unprecedented impact on security, politics, and society. Not sure what a deepfake is? Read this article. Cybercriminals can use deepfake technology to create video or audio clips of high-profile and trusted individuals. Deepfakes have already been used in phishing attacks and could also be used for blackmail and disinformation campaigns. On October 20, Adobe’s Content Authenticity Initiative announced a new tool that will add “a secure layer of tamper-evident attribution data to photos, including the author’s name, location, and edit history” to help creatives authenticate their content. Once deepfakes are sufficiently convincing, there might be no way to distinguish them from genuine material. Adobe’s project marks a promising first step in this emerging security front. Hackers Discover 55 Vulnerabilities Across Apple’s Systems A group of hackers earned $300,000 via Apple’s bug bounty scheme after identifying 55 vulnerabilities across Apple’s infrastructure. The security issues included vulnerabilities that would have allowed an attacker to “(take) over a victim’s iCloud account,” “fully compromise an industrial control warehouse software used by Apple,” and “access management tools and sensitive resources.” The group said Apple had fully addressed the majority of vulnerabilities reported. Around 3 Million Credit Cards Compromised After Breach at US Restaurant Franchise On Oct 12, details of around 3 million credit cards were posted on the dark web following a huge data breach at US restaurant franchise Dickey’s Barbeque Pit. According to an investigation by Gemini Advisory, 156 of 469 Dickey’s outlets were involved in the breach, with the highest levels of exposure present in California. The details appear to have been stolen between July 2018 and August 2020. Given California’s strict data breach rules, including a private right of action under the California Consumer Privacy Act, Dickey’s could be liable for some eye-watering sums if the breach is found to have resulted from lax cybersecurity practices. Questions about the CCPA? We answer 13 of them in this article: CCPA FAQs: Your Guide to California’s New Privacy Law. Russia Planned to Launch 2020 Olympics Cyberattack The GRU, Russia’s military intelligence agency, “conducted cyber reconnaissance against officials and organizations” involved in the Tokyo 2020 Olympic and Paralympic Games, according to a UK government announcement on October 19. Russian cybercrime groups are alleged to have targeted “organizers, logistics services, and sponsors.” The Games were originally due to tale place this summer but were postponed due to COVID-19.  The UK government also revealed the full extent of Russia’s hacking campaign against the 2018 Winter Games, during which Russian hackers are alleged to have disguised themselves as Chinese and North Korean attackers to target the opening ceremony in Seoul, South Korea. ENISA 2020 Threat Landscape Report Shows Increase in Cyberattacks  The European Union Agency for Cybersecurity (ENISA) released its 2020 Threat Landscape Report on October 20, and cybersecurity leaders (unfortunately) won’t be surprised at its conclusion: cybercrime is on the increase. The report cites “a new norm,” triggered by the COVID-19 pandemic, in which the world is even more dependent on “a secure and reliable cyberspace.” ENISA found that the number of phishing victims “continues to grow,” that Business Email Compromise (BEC) resulted in “the loss of millions of euros,” and that state-sponsored actors are propagating “finely targeted and persistent attacks on high-value data.” If you’re a security leader looking for solutions to these problems, click here to learn more about how Tessian Defender detects advanced impersonation attacks that slip past SEGs, native features, and legacy tools. Researcher Breaches US President’s Twitter Account By Guessing Password Dutch “ethical hacker” Victor Gevers found himself in control of Donald Trump’s Twitter account on October 16 after guessing the US president’s password. Trump’s Twitter account has over 87 million followers and is frequently used to deliver messages of international importance. Gevers said he correctly guessed the password, “maga2020!”, after seven attempts. The incident reveals that the president was using a simple, easy-to-guess password, and that he had multi-factor authentication disabled. Rectifying either of these two basic security errors would have prevented unauthorized access to the account. Overruling of WeChat Ban Denied by California Judge Another month, another development in the long-running battle between the US government and Chinese tech firms. On October 23, California struck a blow to the Trump administration’s efforts to restrict WeChat — a Chinese app used for currency transfers, social networking, and instant messaging. In September, the US Department of Commerce ordered Apple and Google to stop distributing WeChat via their app stores, citing security issues. The order was blocked in California following a legal challenge by WeChat. The US Justice Department brought further evidence and asked the court to reverse its WeChat ruling. The court declined to change its decision, meaning that the Commerce Department’s banning order will remain unenforced in California — despite the federal government’s allegations regarding WeChat’s security issues.  Finnish Therapy Center Hacked, Exposing Patient Data One of the most shocking data breaches of 2020 was brought to light on October 24, when Finnish psychotherapy center Vastaamo revealed a hack that compromised hundreds of patient records. The highly sensitive nature of the breach means that it is being taken extremely seriously. Finland’s interior minister summoned a cabinet meeting to determine how best to respond to the breach, promising “speedy crisis help” to the affected individuals. The hackers are demanding a ransom in exchange for the return of the files, which were reportedly accessed between November 2018 and March 2019. The ransomware attack further suggests that businesses worldwide lack proper cybersecurity infrastructure — even when handling highly sensitive and valuable data. That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post. 
Human Layer Security Spear Phishing Customer Stories DLP Data Exfiltration
How Tessian Is Preventing Breaches and Influencing Safer Behavior in Healthcare
By Maddie Rosenthal
28 October 2020
Company: Cordaan Industry: Healthcare Seats: 6,300 Solutions: Guardian, Enforcer, Defender  About Cordaan Cordaan – one of the largest healthcare providers in Amsterdam – provides care to over 20,000 people from 120 locations across Amsterdam. They do this with the help of 6,000 employees and more than 2,500 volunteers. Cordaan also works in association with research institutes and social organizations.  To help protect the organization’s people, sensitive data, and networks, Cordaan has deployed Tessian Guardian, Enforcer, and Defender to protect over 6,300 employees on email.  Tessian solves three key problems for Cordaan, which we explore in detail in the video below. Keep reading for a summary of the discussion. Problem: Healthcare employees are especially vulnerable to inbound attacks  When it comes to inbound attacks like spear phishing and business email compromise, the healthcare industry is among the most targeted. It also has the highest costs associated with data breaches. Why? According to Cas de Bie, the Dutch healthcare provider’s Chief Information Officer, it’s not just because organizations operating in this industry handle highly sensitive data. It also has a lot to do with the very nature of the work: helping people. 
Combine this empathetic approach with the stress of a global pandemic, and you’re left with an incredibly vulnerable workforce. With Tessian, Cas is now confident Tessian will identify spear phishing emails before his employees respond to them and that employees’ workflow won’t be disrupted in the process.  When talking about inbound attacks, Cas said “It’s all about awareness. While people probably do know what they’re supposed to do when it comes to email security, it’s different in real life. It’s hard to decide in the moment. Of course, they don’t do it on purpose. They want to make the right decision. Tessian helps them do that.” Problem: Reactive and rule-based solutions weren’t preventing human error on email in the short or long-term To ensure GDPR-compliance, Cordaan prioritized investment in privacy and security solutions. But, according to Cas, “standard” email security, spam filtering solutions, and encryption alone just weren’t enough. They weren’t keeping malicious emails out of inboxes, and they weren’t preventing data loss from insiders. They also weren’t doing anything to improve employee security reflexes in the long-term. 
So, to level-up Cordaan’s email security, Cas was looking for a solution that was: Technologically advanced User-friendly Proactive With Tessian, he found all three. Powered by contextual machine learning and artificial intelligence, our solutions can detect and prevent threats and risky behavior before they become incidents or breaches. How? With the in-the-moment warnings – triggered by anomalous email activity – that look something like this.
These warnings help nudge well-intentioned employees towards safer behavior and ensure data stays within Cordaan’s perimeter. And, because Tessian works silently in the background and analyzes inbound and outbound emails in milliseconds, it’s invisible to employees until they see a warning.   This was incredibly important to Cas, who said that “The added value of Tessian is that it influences behavior. That really resonated with the board and helped me make a strong business case. While I can’t show how cybersecurity creates revenue, I can show – via a risk management calculation – the potential fines we could avoid because of our investment in Tessian”.  Problem: Cordaan’s security team had limited visibility into – and control over – data loss incidents on email  While Cordaan had invested in other email security solutions, Cas and his team still lacked visibility into the frequency of data loss incidents on email. But, after deploying Tessian for a Proof of Value, the scope of the problem became crystal clear.
The reality is that employees do actually send unauthorized and misdirected emails more frequently than expected. (We explore this in detail in our report, The State of Data Loss Prevention 2020.) But, the good news is that this behavior can be influenced and corrected—all without access restrictions that make it harder (or impossible) for employees to do their jobs.  Cas explained it well, saying that “Of course there are things that we have to police and prohibit. But, most of the time, people aren’t doing things maliciously. So it’s nice that – with Tessian – we can take a more nuanced approach. We can influence behavior and help our employees do the right thing.” Learn more about how Tessian prevents human error on email Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships. Tessian Guardian automatically detects and prevents misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts Tessian Defender automatically detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however your work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Cordaan Case Study hbspt.cta.load(1670277, '61cef6a6-03b0-4491-a81d-6e751eb924e8', {"region":"na1"});
Human Layer Security Spear Phishing DLP Data Exfiltration
Tessian Included as a Cloud Email Security Supplement Solution in Gartner’s 2020 Market Guide for Email Security
By Maddie Rosenthal
27 October 2020
Gartner recently released its Market Guide for Email Security and Tessian is thrilled to have been included as a representative vendor for Cloud Email Security Supplement Solutions. So, what does that mean? According to the report, representative vendors offer “email security capabilities in ways that are unique, innovative, and/or demonstrate forward-looking product strategies.”  How has the threat landscape changed? According to Gartner’s guide, there are a number of factors related to the market’s direction that security leaders need to consider, including the ways in which hackers are targeting organizations and how (and where) we work. Keep reading to learn more. Email is the #1 threat vector
As noted in the report, “According to the 2020 Verizon Data Breach report, 22% of breaches involved social engineering, and 96% of those breaches came through email. In the same report, another 22% of breaches were a result of “human failure” errors, where sensitive data was accidentally sent to the wrong recipient.” “Business email compromise (BEC), the takeover or fraudulent use of a legitimate account to divert funds, continues to grow, and simple payroll diversion scams accounted for  $8 million in 2019.” The bottom line: Whether it’s protecting against inbound threats like ransomware attacks, business email compromise (BEC), or account takeover (ATO) or outbound threats like accidental and malicious data exfiltration, security leaders need to prioritize email security and reevaluate the effectiveness of current solutions. This is especially pertinent as many organizations have moved to the cloud.    Increased cloud office adoption According to Gartner, “Enterprise adoption of cloud office systems, for which cloud email is a key capability, is continuing to grow, with 71% of companies using cloud or hybrid cloud email.” We can expect these numbers to rise, especially given the sudden shift to remote working set-ups in response to COVID-19 and the steep and steady rise in the use of mobile devices for work. But, there’s a problem. Despite G Suite and O365’s basic security controls as well as anti-spam, anti-phishing, and anti-malware services; advanced attachment; and URL-based threat defenses, “email threats have become sophisticated to evade detection by common email security technologies, particularly those that rely only on standard antivirus and reputation.”
What capabilities set vendors apart?  So, what capabilities set vendors apart? In other words what capabilities should security leaders be looking for? Gartner recommends that security leaders “invest in anti-phishing technology that can accurately detect BEC and account takeover attacks. In particular, seek solutions that use AI to create a baseline for communication patterns and conversation style and detect anomalies in these patterns. For account take over attacks, seek solutions that use computer vision when reviewing suspect URLs. Adjacent technologies such as multifactor authentication are used to protect against account takeover attacks.”.   Gartner also says “the following capabilities can be used as primary differentiators and selection criteria for email”. These include the ability to: “Protect against attachment-based threats” “Protect against URL-based advanced threats”  “Protect Against Impersonation and Social Engineering Tactics Used in URL-Based, Attachment-Based and Payloadless Advanced Threats” And, to help security leaders narrow down their search, Gartner identified specific categories of vendors that provide some of the above email capabilities. Tessian is recognized as a representative vendor for CESSs.  Keep reading to learn more about our products and technology.  Why Tessian?  Tessian Human Layer Security offers both inbound and outbound protection on email and satisfies criteria outlined in the report, including display name spoof detection, lookalike domain detection, anomaly detection, data protection, post delivery protection, and offers these protection for both web and mobile devices. Here’s how. Powered by machine learning, our Human Layer Security platform understands normal email behavior by analyzing content, context, and communication patterns from historical email data to establish trusted relationship graphs. Tessian can then detect anomalies in real-time using those employee relationship graphs alongside deep content analysis, natural language processing, and behavioral analysis. Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity Tessian Defender automatically detects and prevents spear phishing, Business Email Compromise and other advanced targeted impersonation attacks. Tessian’s technology updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network without hands-on maintenance from security teams. That means it gets smarter over time to keep you protected, wherever and however you work, whether that’s a desktop computer in the office or a mobile device, tablet, or laptop at home. But Tessian doesn’t just detect and prevent threats.  When a security threat is triggered, contextual warnings provide employees with in-the-moment training on why an email was flagged unsafe (or an impersonation attempt)  or reinforce data security policies and procedures and improve their security reflexes. This nudges employees towards safer behavior in the long-term.  And, with Human Layer Security Intelligence, security and compliance leaders can get greater visibility into the threats prevented, track trends, and benchmark their organization’s security posture against others. This way, they can continuously reduce Human Layer risks over time. To learn more about how Tessian protects world-leading organizations across G Suite, O365, and Outlook, check out our customer stories or book a demo. 
Gartner, Market Guide for Email Security, September 2020 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Human Layer Security Spear Phishing DLP Data Exfiltration
7 Concerns IT Leaders Have About Permanent Remote Working
By Laura Brooks
14 October 2020
According to Tessian research, 75% of IT leaders and 89% of employees believe the future of work will be “remote” or “hybrid” – a combination of working in the office and remotely.  This will have a significant impact on companies’ IT departments, who will be under pressure to deliver a seamless experience and create strategies that empower employees to work remotely and securely. In fact, 85% of IT leaders think they and their team will be under more pressure if their organization were to adopt a permanent remote working structure.  In this blog, we look at their top 7 concerns and explain how to overcome them.  1. Employee wellbeing Half of IT leaders’ are worried about staff’s wellbeing when they work remotely – making it the top concern among IT professionals.  Remote work can be incredibly stressful for employees. A survey by online employment platform Monster reported that over two-thirds of U.S. workers have experienced burnout symptoms while working from home. Why? Because people are more distracted, they’re taking less time off work, and they’re working longer hours. 61% of employees in another Tessian report said a culture of presenteeism in their organization makes them work longer hours than they need to.  The problem is that when people are stressed, tired and distracted, they make more mistakes that could compromise cybersecurity. In fact, 46% of employees say make more mistakes when they feel burned out.  IT professionals must recognize the correlation between employee wellbeing, their productivity, and security if they want to keep data and systems safe in a remote work world. Lead with empathy and find ways to prevent stressed and distracted employees from making costly cybersecurity mistakes.  2.Unsafe data practices 46% of IT leaders are also worried about employees practicing unsafe cybersecurity behaviors.  Their concerns are valid. A report published by Tessian in May 2020 revealed that 48% of employees feel they can get away with riskier cybersecurity behaviors when working from home, namely because they are working from unfamiliar devices and because they aren’t being watched by IT teams. A further 54% said they’ll find a workaround if security software or policies prevent them from doing their job. Educating employees on safe cybersecurity practices is a necessary first step. However, only 57% of companies implemented additional training at the start of the remote working period in March 2020. This isn’t trivial; businesses must continually educate staff on safe data practices because cybersecurity is rarely at the front of mind for every employee.  Businesses should also ensure that security solutions or policies do not stand in the way of people getting their jobs done. Workers will find the easiest or most convenient path, and this can often involve skirting around security rules. Security should, therefore, be as flexible as people’s working practices in order to mitigate unsafe behaviors online.
3. More data breaches Half of organizations we surveyed said they experienced a data breach or security incident between March and July 2020 – the period in which mandatory remote work arrangements were enforced. Consequently, 40% of IT leaders are worried their company will experience more data breaches if people continue to work remotely.  The causes of these data breaches included phishing attacks (49%), malware (45%) and malicious insider attacks (43%). In addition, 78% of IT leaders said they think their organization is at greater risk of insider threats when staff work from home.  To prevent data breaches caused by insider threats – and other threats caused by human error – IT teams need greater visibility into their riskiest and most at-risk employees. Only by understanding employees’ behaviors, can businesses tailor policies and training to prevent people’s actions from compromising company security and breaching sensitive data.  4. More phishing attacks Half of the security incidents reported between March-July 2020 were caused by successful phishing attacks – making phishing the top attack vector during this period of remote working.  Of the 78% of remote workers that received phishing emails while working on their personal devices, an overwhelming 68% clicked a link or downloaded an attachment from the malicious messages they received. It’s not surprising, then, that 82% of IT leaders think their organization is at greater risk of phishing attacks when people work remotely.  But why is phishing a greater risk for remote workers?  Because it is not uncommon for an employee to receive information about a new software update for a video conferencing app, or an email from a healthcare organization providing tips on how to stay safe, or a request from a supplier asking them to update payment details.  In fact, 43% of IT professionals said their staff had received phishing emails with hackers impersonating software brands, while 34% said they’d received emails from cybercriminals pretending to be an external supplier.  If the sender’s email domain looks legitimate and if hackers have used the correct logos in the body of the email, there’s very little reason why an employee would suspect they were the target of a scam. And, when working remotely, employees can’t easily verify the email with a colleague. They may, then, click the link to “join the meeting”, download the “new update” or share account credentials. To learn more about how to spot a spear phishing email, read our blog here.
5. The IT team’s bandwidth With organizations facing the threat of more data breaches and security incidents caused by unsafe cybersecurity behaviors, over a third (34%) of IT leaders worry that their teams will be stretched too far in terms of time and resource.  Security solutions powered by machine learning can help alleviate the strain. Solutions like Tessian use machine learning algorithms to understand human behaviors in order to automatically detect and prevent threats caused by human error – such as accidental data loss, data exfiltration or phishing attacks. When a potential threat is detected, the individual is alerted in real-time and a record of the incident is logged in a simple and accessible dashboard. IT professionals no longer have to spend hours manually looking back through logs to find incidents – the proverbial ‘needle in a haystack’.  When you consider that 55% of IT teams spend more time navigating manual processes than responding to vulnerabilities, finding ways to take away the manual, labor-intensive tasks will be critical in freeing up IT professionals’ time.  6. An increase to IT leaders’ workload In addition to concerns over their teams’ workloads increasing, IT leaders also fear they’ll face even longer to-do lists in a hybrid or remote working world. Why? To name a few: The majority of IT leaders will be implementing new BYOD policies, additional training programs, upgrades to endpoint protection as well as new VPNs in order to address employees’ expectations and safety.  They have to overcome challenges like data loss prevention (DLP), something 84% of IT leaders say is more difficult in distributed workforces.  They have to address and mitigate more security risks such as employees bringing infected devices or documents into the office, potentially compromising the company’s entire network.  According to Nominet’s 2020 report – The CISO Stress Report: Life Inside the Perimeter: One Year On – 88% of CISOs are moderately or tremendously stressed. What’s more, 95% work more than their contracted hours amounting to an extra 10 hours per week, on average.  As the pressure increases, businesses must find ways to alleviate stress and empower IT leaders to work effectively and efficiently in order to protect their company and employees.
7. Non-compliance with data protection regulations Nearly a third of IT leaders said that remote working could compromise compliance with data protection regulations.  In the last year, misdirected emails have been the number one cause of data breach incidents reported to the Information Commissioner’s Office. A previous Tessian report found that 58% of employees have sent an email to the wrong person during their career and, of these misdirected emails, nearly a fifth (17%) were sent to the wrong external party.  Their reasons? Nearly half said it was because they were tired and 41% said the error was made because they were distracted. Given that studies have shown people are feeling more fatigued and more distracted while working remotely, there is cause for concern that data breaches, caused by human error, will only increase.  Instead of expecting people to do the right thing 100% of the time while working away from the office, invest in security solutions that preempt these errors by detecting and preventing them from happening in the first place. That way, IT leaders can proactively stop sensitive information from leaving their environment, company IP stays secure, compliance standards are met, and customer trust is maintained. To find out more, read the full report – Securing the Future of Hybrid Work – here.
Human Layer Security DLP Data Exfiltration
Insider Threat Statistics You Should Know: Updated 2020
By Maddie Rosenthal
06 October 2020
Over the last two years, there’s been a 47% increase in the frequency of incidents involving Insider Threats. This includes malicious data exfiltration and accidental data loss. Why does this matter? Because these incidents cost organizations millions, are leading to breaches that expose sensitive customer, client, and company data, and are notoriously hard to prevent. In this article, we’ll explore: How often these incident are happening What motivates Insider Threats to act The financial  impact Insider Threats have on larger organizations The effectiveness of different preventive measures You can also download this infographic with the key statistics from this article. If you know what an Insider Threat is, click here to jump down the page. If not, you can check out some of these articles for a bit more background. What is an Insider Threat? Insider Threat Definition, Examples, and Solutions Insider Threat Indicators: 11 Ways to Recognize an Insider Threat Insider Threats: Types and Real-World Examples
How frequently are Insider Threat incidents happening? As we’ve said, incidents involving Insider Threats have increased by 47% since 2018. But the frequency of incidents varies industry-by-industry. Verizon’s 2020 Breach Investigations Report offers a comprehensive overview of different incidents in different industries, with a focus on patterns, actions, and assets.  They found that: The Healthcare and Manufacturing industries experience the most incidents involving  employees misusing their access privileges The Public Sector and Healthcare suffer the most from lost or stolen assets  Healthcare and Finance see the most “miscellaneous errors” (for example misdirected emails !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
There are also several different types of Insider Threats and the “who and why” behind these incidents can vary. According to one study: Negligent Insiders are the most common and account for 62% of all incidents.  Negligent Insiders who have their credentials stolen account for 25% of all incidents Malicious Insiders are responsible for 14% of all incidents.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Looking at Tessian’s own platform data, Negligent Insiders may be responsible for even more incidents than most expected. On average, 800 emails are sent to the wrong person every year in companies with 1,000 employees. This is 1.6x more than IT leaders estimate.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Malicious Insiders are likely responsible for more incidents than expected, too. Between March and July 2020, 43% of security incidents reported were caused by malicious insiders. We should expect this number to increase. Over three-quarters of IT leaders (78%) think their organization is at greater risk of Insider Threats if their company adopts a permanent hybrid working structure. Which, by the way, the majority of employees would prefer. What motivates Insider Threats to act? When it comes to the “why”, Insiders – specifically Malicious Insiders – are often motivated by money, a competitive edge, or revenge. But, according to one report, there is a range of reasons malicious Insiders act. Some just do it for fun.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, we don’t always know exactly “why”. For example, Tessian’s own survey data shows that 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed.  While we may be able to infer that they’re taking spreadsheets, contracts, or other documents to impress a future or potential employer, we can’t know for certain.  Note: Incidents like this happen the most frequently in competitive industries like Financial Services and Business, Consulting, & Management. This supports our theory.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); How much do incidents involving Insider Threats cost? The cost of Insider Threat incidents varies based on the type of incident, with incidents involving stolen credentials causing the most financial damage. But, across the board, the cost has been steadily rising. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Likewise, there are regional differences in the cost of Insider Threats, with incidents in North America costing the most and almost twice as much as those in Asia-Pacific. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, overall, the average global cost has increased 31% over the last 2 years, from $8.76 million in 2018 to $11.45 in 2020 and the largest chunk goes towards containment, remediation, incident response, and investigation. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, what about prevention? How effective are preventative measures? As the frequency of Insider Threat incidents continues to increase, so does investment in cybersecurity. But, what solutions are available and which solutions do security, IT, and compliance leaders trust to detect and prevent data loss within their organizations? According to Tessian’s latest report, The State of Data Loss Prevention 2020, most rely on security awareness training, followed by following company policies/procedures, and machine learning/intelligent automation. But, incidents actually happen more frequently in organizations that offer training the most often and, while the majority of employees say they understand company policies and procedures, comprehension doesn’t help prevent malicious behavior. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); That’s why many organizations rely on rule-based solutions. But, those often fall short.  Not only are they admin-intensive for security teams, but they’re blunt instruments and often prevent employees from doing their jobs while also failing to prevent data loss from Insiders.  So, how can you detect incidents involving Insiders in order to prevent data loss and eliminate the cost of remediation? Machine learning. How does Tessian detect and prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way.  Interested in learning more about how Tessian can help prevent Insider Threats in your organization? You can read some of our customer stories here or book a demo.
DLP Compliance Data Exfiltration
A Beginner’s Guide to Cybersecurity Frameworks
05 October 2020
As rates of cybersecurity incidents rise and data security laws become stricter, organizations must take steps to protect the information under its control. But safeguarding your company’s information can be a daunting task.  So, where do you start? You can start by implementing a cybersecurity framework. In this article, we’ll look at four of the most prevalent cybersecurity frameworks — to help you get started on your journey toward better information security.  But first, let’s define what a cybersecurity framework is. What is a cybersecurity framework?
What are the benefits of implementing a cybersecurity framework? Running a business is a time-consuming and complicated task and many business leaders – especially those without any background in cybersecurity – worry that implementing a cybersecurity framework will create extra work. And, while it does take time and effort to follow a cybersecurity framework through to completion, it’s almost certainly going to save you time, stress — and money — in the long-term. Here’s how: It will strengthen your network protection, reducing your risk of a cybersecurity attack. It will help ensure better data security practices among staff, reducing the risk of accidental data loss, such as via misdirected email. It increases awareness of cybersecurity among staff, leading to a reduced risk from social engineering attacks. It improves your reputation among consumers and business partners. Implementing a cybersecurity framework is also a fundamental way of meeting your legal obligations under data privacy laws, such as:  The EU General Data Protection Regulation (GDPR)  The California Consumer Privacy Act (CCPA) The South Africa Protection of Personal Information Act (POPIA)  Under these laws — and many others worldwide — it is necessary for businesses to maintain a reasonable level of data security. Implementing a cybersecurity framework is an excellent way to achieve this. Looking for more information about regional and industry-specific data protection laws? Visit our compliance content hub. 
What sorts of organizations should implement a cybersecurity framework? Implementing a cybersecurity framework is mandatory in some industries. For example, organizations that handle cardholder data must comply with the PCI DSS framework. However, a business of virtually any size — and in any industry — can adopt a cybersecurity framework at relatively low cost.  One way that a small business can achieve cybersecurity compliance is by choosing a flexible framework —  such as the CIS Controls or NIST Cybersecurity Framework, and prioritizing the implementation of controls according to its business needs and operating context. Now, let’s look at four of the best-known cybersecurity frameworks.
Introduction to CIS Controls The Center for Internet Security (CIS) Controls framework can help you mitigate and defend against the most basic cyberattacks.  Here are the 20 CIS Controls: Basic CIS Controls Inventory and Control of Hardware Assets Inventory and Control of Software Assets Continuous Vulnerability Management Controlled Use of Administrative Privileges Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Maintenance, Monitoring, and Analysis of Audit Logs Foundational CIS Controls Email and Web Browser Protections Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Data Recovery Capabilities Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches Boundary Defense Data Protection Controlled Access Based on the Need to Know Wireless Access Control Account Monitoring and Control Organizational CIS Controls Implement a Security Awareness and Training Program Application Software Security Incident Response and Management Penetration Tests and Red Team Exercises
CIS Control 13: Data Protection  To give you an idea of what the CIS controls require, we’ll take a closer look at Control 13: Data Protection. CIS Control 13 provides some practical steps to help you protect data from exfiltration and cyberattacks. At its core, Control 13 requires organizations to: Use a combination of encryption, integrity protection, and data loss prevention (DLP) methods to ensure the security of data Limit and report on data exfiltration attempts Mitigate the effects of data compromise Control 13 contains nine sub-controls. Some of these are achievable for businesses of all sizes, such as: 13.1: Maintain an Inventory of Sensitive Information 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization 13.6: Encrypt Mobile Device Data If your organization has “moderate” or “significant” resources, it can implement further sub-controls, such as: 13.3: Monitor and Block Unauthorized Network Traffic 13.4: Only Allow Access to Authorized Cloud Storage or Email Providers 13.5: Monitor and Detect Any Unauthorized Use of Encryption By implementing the CIS controls and sub-controls on a priority basis, businesses can implement a reasonably effective cybersecurity program.  Looking for a straightforward way to implement multiple sub-controls across several CIS controls? implement email security software. Email is the entry-point for 96% of phishing attacks.
Introduction to the NIST Cybersecurity Framework The NIST Cybersecurity Framework (full title: Framework for Improving Critical Infrastructure Cybersecurity) is a comprehensive set of security controls and guidance for private sector organizations. Currently, at version 1.1, the framework aims to improve the general level of cybersecurity among US organizations. The framework is guidance — it’s entirely voluntary  — and it can be customized according to a company’s sector, resources, and risk profile. The framework’s “core” consists of cybersecurity activities and outcomes — written in accessible language that should be understandable to non-technical teams. (Phew!) The core activities and outcomes are sorted into five functions, which are further divided into categories. We’ve listed them below.  Identify: The “Identify” function provides the essential, foundational activities and outcomes necessary to use the framework. Outcomes categories associated with this function include: ID.AM: Asset Management ID.BE: Business Environment ID.RA: Risk Assessment Protect: The “Protect” function activities help mitigate the impact of a potential cyberattack or data breach. Protect outcome categories include: PR.AC: Identity Management and Access Control PR.AT: Awareness and Training PR.DS: Data Security Detect: The “Detect” function enables businesses to quickly detect that a cybersecurity event has occurred. Detect outcome categories include: DE.AE: Anomalies and Events  DE.CM: Security Continuous Monitoring DE.DP: Detection Processes Respond: Implementing the “Respond” function will ensure your business takes appropriate action during a cybersecurity event. Outcome categories in this function include: RS.RP: Response Planning  RS.CO: Communications  RS.AN: Analysis Recover: The “Recover” function allows an organization to return to normal functioning after a cyberattack. Recover function outcome categories include: RC.RP: Recovery Planning  RC.IM: Improvements RC.CO: Communications Each function’s categories are, in turn, divided into subcategories. For example: ID.AM (function: Identity, category: Asset Management): ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-2: Software platforms and applications within the organization are inventoried ID.AM-3: Organizational communication and data flows are mapped The subcategories all come with “informative references”, which are practical resources to help businesses achieve the outcomes.  For example, ID.AM-1 (Identify: Asset Management) includes the following references: CIS Control 1  ISO 27001:2013 Annexes A.8.1.1 and A.8.1.2 NIST Special Priority (SP) 800-53 (revision 4) CM-8 and PM-5 Introduction to ISO 27000 Series
The ISO 27000 Series (sometimes called the ISO/IEC 27000 Series) is a family of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27000 Series is extensive, covering information security requirements, guidelines, and sector-specific standards. Examples of some of the published standards in the ISO 27000 Series include: ISO 27000: Information Security Management Systems — Overview and Vocabulary ISO 27003: Information Security Management System Implementation Guidance ISO 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors ISO 27019: Information Security for Process Control in the Energy Industry ISO 27032: Guideline for cybersecurity ISO 27033: IT network security Businesses of all sizes can implement one or more of the ISO 27000 Series standards. These are internationally recognized standards and are well-respected around the world.  While implementing ISO 27000 controls is not legally mandatory, there is an expectation of ISO-compliance in many industries and contexts. For example, for public cloud storage service providers that process personal information, achieving ISO 27018 compliance is crucial. ISO 27001 To give you a feel for ISO 27000 implementation, we’re going to take a closer look at one of the more popular standards in the series: ISO 27001, full name “Information technology — Security techniques — Information security management systems — Requirements.” ISO 20071 aims to enable businesses to establish, implement, maintain, and continually improve an information security management system (ISMS). Unlike the CIS Controls or the NIST Cybersecurity Framework, ISO 20071 is not available for free. The ISO 27001 standard consists of ten “clauses,” and an annex containing 114 controls, sorted into 14 sets. A business can prioritize its implementation of these controls according to its operational requirements. An essential part of complying with ISO 27001 is risk assessment. An ISO 27001 risk assessment can be broken down into several stages: Creating a risk assessment methodology that accounts for: Your operating context Risk criteria Risk tolerance Identifying information assets, such as: Digital documents Paper files Storage devices Mobile devices Identifying threats: Social engineering attacks, such as spear phishing Exfiltration of data by trusted employees Weak passwords leading to hacked employee accounts ISO 27001 compliance is an ongoing process that requires the commitment of employees across your whole organization. Once a company has implemented sufficient controls, it can undergo an audit and obtain ISO 27001 certification. Tessian is ISO 27001 certified. You can read more about your integrations, compatibility, and partnerships here. 
Introduction to PCI DSS The PCI DSS applies to all organizations that accept, transmit, or store information associated with payment cards (known as “merchants”). The PCI DSS sits alongside the PCI PTS (for manufacturers) and the PCI PA-DSS (for software developers). Unlike the other frameworks we’ve looked at, the PCI DSS is mandatory for any business that qualifies as a merchant. The Payment Card Industry Council enforces PCI DSS compliance, and — in some jurisdictions — it is incorporated into law. The framework’s requirements differ according to how many Visa transactions a merchant processes per year. There are four levels of PCI DSS requirements: Level 1: Any merchant that:  Processes more than 6 million Visa transactions per year, or Is determined by Visa as needing to meet level 1 requirements Level 2: Any merchant that processes 1-6 million Visa transactions per year Level 3: Merchants that process 20,000-1 million eCommerce Visa transactions per year Level 4: Any merchant that: Processes fewer than 20,000 Visa transactions per year, or Processes fewer than 1 million non-eCommerce Visa transactions per year As you can see, eCommerce merchants have slightly stricter requirements due to the risks of transacting online.  If a merchant suffers a data breach, it might be required to move up a level to continue making card transactions. This is one of many reasons you should take a “security-first” approach and implement as many cybersecurity controls as your budget allows. The PCI DSS consists of 12 requirements, which can be summarized as: Use a firewall Change default passwords and other security parameters Protect cardholder data in storage Encrypt cardholder in transit Implement and update antivirus software  Ensure systems and applications are secure Restrict access to cardholder data Assign unique user IDs  Maintain physical safeguards over cardholder data Monitor access to cardholder data and network resources  Test security systems  Maintain an information security policy In fewer words: Merchants must protect cardholder data from internal and external threats.  How can Tessian help with cybersecurity framework implementation? As we’ve seen, all cybersecurity frameworks require businesses to protect the information in their control from threats such as: Social engineering attacks  Accidental data loss Insider threats Across three solutions, Tessian detects and prevents email-based cybersecurity threats. Why email? Read more about why email is the threat vector cybersecurity leaders are most concerned about on our blog.  You can also learn why rule-based DLP solutions are failing and why the world’s top organizations (in some of the most regulated industries) trust Tessian.
Spear Phishing DLP Compliance Data Exfiltration
Compliance in the Legal Sector: Laws & How to Comply
16 September 2020
Thanks to the digital transformation and increasingly strict data security obligations, law firms’ business priorities are changing. Today, data protection, transparency, and privacy are top-of-mind.  It makes sense.  Keep reading to find out… Why the legal sector is bound to such strict compliance standards Which regulations govern law firms How cybersecurity can help ensure compliance Interested in learning more about regional compliance standards or those that impact other industries? Check out our Compliance Hub to find articles, tips, guides, and more or download our CEO’s Guide to Data Protection and Compliance to learn more about how cybersecurity enables business and drives revenue. 
Why is the legal sector bound to strict compliance standards? Lawyers’ hard drives, email accounts, and smartphones can contain anything from sensitive intellectual property and trade secrets to the Personally Identifiable Information (PII) of clients.  Unfortunately, hackers and cybercriminals are all too aware of this. It’s no surprise, then, that the legal sector is amongst the most targeted by social engineering attacks like spear phishing. Ransomware is a big problem, too. In fact, just a few months ago, Grubman Shire Meiselas & Sacks, a prominent media law firm, had its client information compromised.  Those behind the attack later threatened to auction some of these files concerning major celebrities for as much as $1.5 million unless the firm paid a $42 million ransom.  But, it’s not just inbound attacks that law firms have to worry about. Because the legal sector is highly competitive, incidents involving Insider Threats are a concern, too.  96% of IT leaders working in the legal sector say they’re worried that someone within the organization will cause a breach, either accidentally (via a misdirected email, for example) or maliciously.  The regulations governing law firms When it comes to data protection and privacy, the legal sector is subject to a relatively strict regulatory framework both under the law and rules imposed by professional bodies. Depending on where a firm is based and what its practice areas are, it can be subject to several stringent laws and regulations. This is especially true for firms operating in major markets like the United States, the United Kingdom, and the European Union. In this article, we’ll focus on some of the more general regulations and standards that all firms operating in these markets are expected to abide by. General Data Protection Regulation (GDPR) When the GDPR was introduced in 2018, it represented the largest change to data protection legislation in almost two decades. It also contains some of the most thorough compliance obligations for law firms and indeed any other entity that collects, stores, and processes data. The GDPR has been designed to help and guide organizations with a legitimate business interest as to how personal data should be handled and gives regulators the power to impose large fines on firms that aren’t compliant.  You can read more about the largest GDPR fines (so far) in 2020 on our blog. What is the GDPR’s purpose? The GDPR was introduced amid growing concerns surrounding the safety of personal data and the need to protect it from hackers, cybercrime, Insider Threats, unethical use, and the growing attack surface.  Essentially, it gives citizens full and complete control of their data, subject to some restrictions (for example, where data must be held by firms by law).  What is the scope of the GDPR? The legislation regulates the use of ‘personal data’ and applies to all organizations located within the EU, as well as organizations outside the EU who offer their goods or services to EU citizens. It also applies to organizations that hold data pertaining to EU citizens, regardless of their location.  What should law firms know about the GDPR? The main part of the GDPR that law firms should be paying attention to is Article 5.  This sets out the principles relating to the collection and processing of personal data. The six key principles are that personal data: Should be processed lawfully, fairly and in a transparent manner; Should only be collected for legitimate purposes; Should be limited to what’s necessary in relation to the purpose(s) it’s processed; Must be accurate and kept up to date, with any inaccurate erased or rectified; Should be held for longer than is necessary for its purposes*; and Should be held with adequate security against theft, loss, and/or damage.  The GDPR also gives your clients the right to ask for their data to be removed (‘right of erasure’) without the need for any outside authorization. Note: Data can only be kept contrary to a client’s wishes to ensure compliance with other regulations.  What should a firm do in the event of a breach? Before GDPR, law firms could follow their own protocols when dealing with a data breach. But now, the GDPR forces firms to report any data breaches, no matter how big or small they are, to the relevant regulatory authority within 72 hours. In the UK, for example, the regulatory authority is the Information Commissioner’s Office (ICO):  The notification must: Contain relevant details regarding the nature of the breach; The approximate number of people impacted; and Contact details of the firm’s Data Protection Officer (DPO).  Clients who have had their personal data compromised must also be notified of the breach, the potential outcome, and any remediation “without undue delays”.  It’s important to note that breaches aren’t always the results of malicious activity by an Insider Threat or hacker outside the organization. Even accidents can result in breaches. In fact, misdirected emails (emails sent to the wrong person) has consistently been one of the most frequently reported incidents to the ICO.  That’s why it’s essential law firms (and other organizations) have safeguards in place to prevent mistakes like these from happening. Looking for a solution? Tessian Guardian prevents misdirected emails in some of the world’s most prestigious law firms, including Dentons, Hill Dickinson, and Travers Smith What are the penalties for non-compliance? Financial penalties imposed for GDPR violations can be harsh, and they often are; regulatory authorities are keen to highlight just how important the GDPR is and how seriously it should be taken. Fines for non-compliance can be as high as 4% of annual global turnover or €20 million—whichever is higher. American Bar Association Rule 1.6 Rule 1.6 governs the confidentiality of client information. It states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Simply put, lawyers must make efforts to protect the data of their clients.  Two years ago, the American Bar Association issued new guidance in the form of Formal Opinion 483. This covers the importance of data protection and how firms should act when, not if, a security breach happens. This wording demonstrates that the ABA recognizes that breaches are part and parcel of firms operating in the modern world, and the statistics confirm this. 
In essence, Formal Opinion 483 states:  Lawyers have a duty of competence in implementing adequate security measures regarding technology. Lawyers must reasonably and continuously assess their systems, operating procedures, and plans for mitigating a breach. In the event of a suspected or confirmed breach, lawyers must take steps to stop the attack and prevent any further loss of data. When a breach is detected and confirmed, lawyers must inform their clients in a timely manner and with enough information for clients to make informed decisions.  The bottom line: law firms must protect data with cybersecurity. Solicitors’ Regulation Authority Code of Conduct In the UK, solicitors are obliged under the Solicitors’ Regulation Authority (SRA) Code of Conduct to maintain effective systems and mitigate risks to client confidentiality and client money. Solicitors are also obliged to ensure systems comply more broadly with the SRA’s other regulatory arrangements.  The SRA says that, although being hacked or falling victim to a data breach is not necessarily a failure to meet these requirements, firms should take proportionate steps to protect themselves and their clients while retaining the advantages of advanced IT.  Where a report of cybercrime (note: crime, not a loss that takes place due to negligence) is received, the SRA takes a constructive approach in dealing with the firm, especially if the firm:  Is proactive and immediately notifies the SRA. Has taken steps to inform the client and as a minimum make good any loss. Shows they are taking steps to improve their systems and processes to reduce the risk of a similar incident happening again.  That means that, under the SRA’s Code of Conduct, law firms should take steps to prevent inbound attacks like spear phishing and set-up policies and processes that ensure swift reporting.  The good news is, Tessian can help with both inbound attacks and Insider Threats and has a history of successfully protecting law firms around the world from both. 
How Tessian helps law firms stay compliant Across all three of the regulations listed here, there’s one commonality: law firms are responsible for ensuring that their IT systems and processes are robust and secure enough to keep data safe and mitigate the chance of a breach taking place.  But, that’s easier said than done, especially in our dynamic and digitally connected world where threats are ever-evolving. So, where should law firms start? Email. 90% of all data breaches start on email and it’s the threat vector IT leaders are most concerned about protecting. That’s why Tessian is focused on protecting this channel. Across three solutions, Tessian detects and prevents threats using machine learning, which means it’s constantly adapting, without requiring maintenance from thinly-stretched security teams. Tessian Defender detects and prevents spear phishing Tessian Guardian detects and prevents accidental data loss via misdirected email Tessian Enforcer detects and prevents data exfiltration attempts from Insider Threats Importantly, Tessian is non-disruptive. That way, partners, lawyers, and administrators can do their jobs without security getting in the way. Tessian stops threats, not business.  To learn more about how Tessian helps law firms like Dentons, Hill Dickinson, and Travers Smith protect data, maintain client trust, and satisfy compliance standards, talk to one of our experts. 
Human Layer Security Spear Phishing Customer Stories DLP Compliance Data Exfiltration
18 Actionable Insights From Tessian Human Layer Security Summit
By Maddie Rosenthal
09 September 2020
In case you missed it, Tessian hosted its third (and final) Human Layer Security Summit of 2020 on September 9. This time, we welcomed over a dozen security and business leaders from the world’s top institutions to our virtual stage, including: Jeff Hancock from Stanford University David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec Merritt Baer, Principal Security Architect at AWS Rachel Beard, Principal Security Technical Architect at Salesforce  Tim Fitzgerald, CISO at Arm  Sandeep Amar, CPO at MSCI  Martyn Booth, CISO at Euromoney  Kevin Storli, Global CTO and UK CISO at PwC Elvis M. Chan, Supervisory Special Agent at the FBI  Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know” Joseph Blankenship, VP Research, Security & Risk at Forrester Howard Shultz, Former CEO at Starbucks  While you can watch the full event on YouTube below, we’ve identified 18 valuable insights that security, IT, compliance, and business leaders should apply to their strategies as they round out this year and look forward to the next.
Here’s what we learned at Tessian’s most recent Human Layer Security Summit. Not sure what Human Layer Security is? Check out this guide which covers everything you need to know about this new category of protection.  1. Cybersecurity is mission-critical Security incidents – whether it’s a ransomware attack, brute force attack, or data leakage from an insider threat – have serious consequences. Not only can people lose their jobs, but businesses can lose customer trust, revenue, and momentum. While this may seem obvious to security leaders, it may not be so obvious to individual departments, teams, and stakeholders. But it’s essential that this is communicated (and re-communicated).  Why? Because a company that’s breached cannot fulfill its mission. Keep reading for insights and advice around keeping your company secure, all directly from your peers in the security community. 2. Most breaches start with people People control our most sensitive systems and data. It makes sense, then, that most data breaches start with people. But, that doesn’t mean employees are the weakest link. They’re a business’ strongest asset! So, it’s all about empowering them to make better security decisions. That’s why organizations have to adopt people-centric security solutions and strategies.
The good news is, security leaders don’t face an uphill battle when it comes to helping employees understand their responsibility when it comes to cybersecurity… 3. Yes, employees are aware of their duty to protect data Whether it’s because of compliance standards, cybersecurity headlines in mainstream media, or a larger focus on privacy and protection at work, Martyn Booth, CISO at Euromoney reminded us that most employees are actually well aware of the responsibility they bear when it comes to safeguarding data.  This is great news for security leaders. It means the average employee will be more likely to abide by policies and procedures, will pay closer attention during awareness training, and will therefore contribute to a more positive security culture company-wide. Win-win. 4. But, employees are more vulnerable to phishing scams outside of their normal office environment  While – yes – employees are more conscious of cybersecurity, the shift to remote working has also left them more vulnerable to attacks like phishing scams.  “We have three “places”: home, work, and where we have fun. When we combine two places into one, it’s difficult psychologically. When we’re at home sitting at our coffee table, we don’t have the same cues that remind us to think about security that we do in the office. This is a huge disruption,” Jeff Hancock, Professor at Stanford University explained.  Unfortunately, hackers are taking advantage of these psychological vulnerabilities. And, as David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec pointed out, this isn’t anything new. Cybercriminals have always been opportunistic in their attacks and therefore take advantage of chaos and emotional distress.  To prevent successful opportunistic attacks, he recommends that you: Reassess what the new baseline is for attacks Educate employees on what threats look like today, given recent events Identify which brands, organizations, people, and departments may be impersonated (and targeted) in relation to the pandemic But, it’s not just inbound email attacks we need to be worried about.  5. They’re more likely to make other mistakes that compromise cybersecurity, too This change to our normal environment doesn’t just affect our ability to spot phishing attacks. It also makes us more likely to make other mistakes that compromise cybersecurity. Across nearly every session, our guest speakers said they’ve seen more incidents involving human error and that security leaders should expect this trend to continue. That’s why training, policies, and technology are all essential components of any security strategy. More on this below. 6. Security awareness training has to be ongoing and ever-evolving At our first Human Layer Security Summit back in March, Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, highlighted three key flaws in security awareness training: It’s boring It’s often irrelevant It’s expensive What he said is still relevant six months on and it’s a bigger problem than ever, especially now that the perimeter has disappeared, security teams are short-handed, and individual employees are working at home and on their own devices. So, what can security leaders do?  Kevin Storli, Global CTO and UK CISO at PwC highlighted the importance of tailoring training to ensure it’s always relevant. That means that instead of just reminding employees about compliance standards and the importance of a strong password, we should also be focusing on educating employees about remote access, endpoints, and BYOD policies. But one training session isn’t enough to make security best practice really stick. These lessons have to be constantly reinforced through gamification, campaigns, and technology.  Tim Fitzgerald, CISO at Arm highlighted how Tessian’s in-the-moment warnings have helped his employees make the right decisions at the right time.  “Warnings help create that trigger in their brain. It makes them pause and gives them that extra breath before taking the next potentially unsafe step. This is especially important when they’re dealing with data or money. Tessian ensures they question what they’re doing,” he said.
7. You have to combine human policies with technical controls to ensure security  It’s clear that technology and training are both valuable. That means your best bet is to combine the two. In discussion with Ed Bishop, Tessian Co-Founder and CTO, Merritt Baer, Principal Security Architect at AWS and Rachel Beard, Principal Security Technical Architect at Salesforce, both highlighted how important it is for organizations to combine policies with technical controls. But security teams don’t have to shoulder the burden alone. When using tools like Salesforce, for example, organizations can really lean on the vendor to understand how to use the platform securely. Whether it’s 2FA, customized policies, or data encryption, many security features will be built-in.  8. But…Zero Trust security models aren’t always the answer While – yes – it’s up to security teams to ensure policies and controls are in place to safeguard data and systems, too many policies and controls could backfire. That means that “Zero Trust” security models aren’t necessarily the best way to prevent breaches.
9. Security shouldn’t distract people from their jobs  Security teams implement policies and procedures, introduce new software, and make training mandatory for good reason. But, if security becomes a distraction for employees, they won’t exercise best practice.  The truth is, they just want to do the job they were hired to do!  Top tip from the event: Whenever possible, make training and policies customized, succinct, and relevant to individual people or departments.  10. It also shouldn’t prevent them from doing their jobs  This insight goes back to the idea that “Zero Trust” security models may not be the best way forward. Why? Because, like Rachel, Merrit, Sandeep, and Martyn all pointed out: if access controls or policies prevent an employee from doing their job, they’ll find a workaround or a shortcut. But, security should stop threats, not flow. That’s why the most secure path should also be the path of least resistance. Security strategies should find a balance between the right controls and the right environment.  This, of course, is a challenge, especially when it comes to rule-based solutions. “If-then” controls are blunt instruments. Solutions powered by machine learning, on the other hand, detect and prevent threats without getting in the way. You can learn more about the limitations of traditional data loss prevention solutions in our report The State of Data Loss Prevention 2020.  11. Showing downtrending risks helps demonstrate the ROI of security solutions  Throughout the event, several speakers mentioned that preemptive controls are just as important as remediation. And it makes sense. Better to detect risky behavior before a security incident happens, especially given the time and resources required in the event of a data breach.  But tracking risky behavior is also important. That way, security leaders can clearly demonstrate the ROI of security solutions. Martyn Booth, CISO at Euromoney, explained how he uses Tessian Human Layer Security Intelligence to monitor user behavior, influence safer behavior, and track risk over time. “We record how many alerts are sent out and how employees interact with those alerts. Do they follow the acceptable use policy or not? Then, through our escalation workflows that ingest Tessian data, we can escalate or reinforce. From that, we’ve seen incidents involving data exfiltration trend downwards over time. This shows a really clear risk reduction,” he said. 12. Targeted attacks are becoming more difficult to spot and hackers are using more sophisticated techniques As we mentioned earlier, hackers take advantage of psychological vulnerabilities. But, social media has turbo-charged cybercrime, enabling cybercriminals to create more sophisticated attacks that can be directed at larger organizations. Yes, even those with strong cybersecurity. Our speakers mentioned several examples, including Garmin and Twitter. So, how do they do it? Research! LinkedIn, company websites, out-of-office messages, press releases, and news articles all provide valuable information that a hacker could use to craft a believable email. But, there are ways to limit open-source recon. See tips from David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, below. 
13. Deepfakes are a serious concern Speaking of social media, Elvis M Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”,  took a deep dive into deepfakes. And, according to Nina, “This is not an emerging threat. This threat is here. Now.” While we tend to associate deepfakes with election security, it’s important to note that this is a threat that affects businesses, too.  In fact, Tim Fitzgerald, CISO at Arm, cited an incident in which his CEO was impersonated in a deepfake over Whatsapp. The ask? A request to move money. According to Tim, it was quite compelling.  Unfortunately, deepfakes are surprisingly easy to make and generation is outpacing detection. But, clear policies and procedures around authenticating and approving requests can ensure these scams aren’t successful. Not sure what a deepfake is? We cover everything you need to know in this article: Deepfakes: What Are They and Why Are They a Threat? 14. Supply chain attacks are, too  In conversation with Henry Treveleyan Thomas, Head of Customer Success at Tessian, Kevin Storli, Global CTO and UK CISO at PwC discussed how organizations with large supply chains are especially vulnerable to advanced impersonation attacks like spear phishing. “It’s one thing to ensure your own organization is secure. But, what about your supply chain? That’s a big focus for us: ensuring our supply chain has adequate security controls,” he said. Why is this so important? Because hackers know large organizations like PwC will have robust security strategies. So, they’ll look for vulnerabilities elsewhere to gain a foothold. That’s why strong cybersecurity can actually be a competitive differentiator and help businesses attract (and keep) more customers and clients.  15. People will generally make the right decisions if they’re given the right information 88% of data breaches start with people. But, that doesn’t mean people are careless or malicious. They’re just not security experts. That’s why it’s so important security leaders provide their employees with the right information at the right time. Both Sandeep Amar, CPO at MSCI and Tim Fitzgerald, CISO at Arm talked about this in detail.  It could be a guide on how to spot spear phishing attacks or – as we mentioned in point #6 – in-the-moment warnings that reinforce training.   Check out their sessions for more insights.  16. Success comes down to people While we’ve talked a lot about human error and psychological vulnerabilities, one thing was made clear throughout the Human Layer Security Summit. A business’s success is completely reliant on its people. And, we don’t just mean in terms of security. Howard Shultz, Former CEO at Starbucks, offered some incredible advice around leadership which we can all heed, regardless of our role. In particular, he recommended: Creating company values that really guide your organization Ensuring every single person understands how their role is tied to the goals of the organization Leading with truth, transparency, and humility
17. But people are dealing with a lot of anxiety right now Whether you’re a CEO or a CISO, you have to be empathetic towards your employees. And, the fact is, people are dealing with a lot of anxiety right now. Nearly every speaker mentioned this. We’re not just talking about the global pandemic.  We’re talking about racial and social inequality. Political unrest. New working environments. Bigger workloads. Mass lay-offs.  Joseph Blankenship, VP Research, Security & Risk at Forrester, summed it up perfectly, saying “We have an anxiety-ridden user base and an anxiety-ridden security base trying to work out how to secure these new environments. We call them users, but they’re actually human beings and they’re bringing all of that anxiety and stress to their work lives.” That means we all have to be human first. And, with all of this in mind, it’s clear that….. 18. The role of the CISO has changed  Sure, CISOs are – as the name suggests – responsible for security. But, to maintain security company-wide, initiatives have to be perfectly aligned with business objectives, and every individual department, team, and person has to understand the role they play. Kevin Storli, Global CTO and UK CISO at PwC touched on this in his session. “To be successful in implementing security change, you have to bring the larger organization along on the journey. How do you get them to believe in the mission? How do you communicate the criticality? How do you win the hearts and minds of the people? CISOs no longer live in the back office and address just tech aspects. It’s about being a leader and using security to drive value.” That’s a tall order and means that CISOs have to wear many hats. They need to be technology experts while also being laser-focused on the larger business. And, to build a strong security culture, they have to borrow tactics from HR and marketing.  The bottom line: The role of the CISO is more essential now than ever. It makes sense. Security is mission-critical, remember? If you’re looking for even more insights, make sure you watch the full event, which is available on-demand. You can also check out previous Human Layer Security Summits on YouTube.
DLP Compliance
Ultimate Guide to The POPIA – South Africa’s Privacy Law
03 September 2020
Over the last several years, there have been a number of generally applicable data privacy and protection laws rolled out around the world, starting with Europe’s General Data Protection Regulation back in 2018.  Earlier this year, California released The California Consumer Privacy Act (CCPA), which took an even broader view than the GDPR of what’s considered private data.  The most recent privacy law? South Africa’s Protection of Personal Information Act (POPIA). Note: The POPIA initially passed in 2013 but spent seven years in limbo, until it finally came into effect on July 1, 2020. It’s essential that security and business leaders understand which of these compliance standards they’re bound to comply with, how to comply, and the consequences of a compliance breach.
What businesses does the POPIA apply to? The POPIA applies to every type of company, regardless of size, sector, or location, so long as it is either: Based in South Africa, or Based outside of South Africa, but processes personal information within South Africa (unless it is only forwarding personal information through South Africa) That means that non-South African companies doing business in South Africa should comply with the POPIA, whether or not they have any physical presence in the country. We have good news, though. POPIA has a one-year transition period, so all affected businesses have until July 1, 2021 to ensure compliance. After this day, the South African Information Regulator will begin enforcing the law and fining non-compliant companies. Wondering how to ensure compliance? You can click the link to jump down the page to our section on “How to stay compliant with POPIA”. Otherwise, keep reading to find out what information is considered personal under POPIA.
What’s considered “personal information” under the POPIA? You have to remember, compliance is all about consumer privacy. So, POPIA, like the GDPR and CCPA, mandates that businesses properly “process” personal information. This includes collecting it, erasing it, and disclosing it to any third-parties.  So, what is “personal information”? The POPIA defines “personal information” as: “Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person” Within this definition: A “natural person” means an individual. An “existing juristic person” means a “legal person,” such as a corporation or charity. Importantly, by extending the definition of “personal information” to “juristic (legal) persons,” the POPIA gains a very broad scope that would cover certain business-to-business communications, too. Below is a non-exhaustive list of examples of personal information provided within the POPIA: Information relating to: Race  Gender  Physical or mental health  Belief Information about a person’s  Education Medical history Financial history An ID number, email address, phone number, or online identifier Biometric information A person’s opinions or preferences Private correspondence Opinions about a person A name, if the context in which the name is disclosed would reveal something about a person This data could be related to a business’ customers, employees, business contacts, prospective customers, and even visitors to their website. 
Who’s liable under the POPIA? We’ve already outlined which businesses need to comply with the POPIA. But, what about liability? The two main players are the “responsible party” and the “operator.” What is a “responsible party”? A “responsible party” is a public or private body that decides why and how to process personal information. A similar concept is the “data controller” under the GDPR and the “business” under the CCPA. What is an “operator” An “operator” is “a person who processes personal information for a responsible party” but is not under the responsible party’s direct authority. A similar concept is the “data processor” under the GDPR and the “service provider” under the CCPA. Operators are directly liable under the POPIA and must treat the personal information they process as confidential and should never disclose it without the responsible parties authorization. In the event of a data breach, they must notify the responsible party immediately.  Responsible parties, on the other hand, must ensure they only engage with operators under a written contract (which should ensure that the operator meets the POPIA’s data security obligations).  They must also monitor the operator’s activities to ensure that it meets its data security operations. In fewer words: everyone is responsible on some level for ensuring safe (and compliant) data processing.
You may need to adjust your service contracts so that they include a requirement to safeguard personal information. Now that you know who must comply with the POPIA, who’s liable, and what data is considered “personal”, we’ll explore perhaps the most important concept: How to lawfully process data under the POPIA. How do I lawfully process data under the POPIA? The POPIA provides a set of eight conditions businesses must satisfy when processing personal information.  To be truly effective (and ultimately ensure compliance) these principles must be baked into your overall business operations, from cybersecurity to HR.  In brief, the eight conditions for lawful processing are: Accountability: You must ensure POPIA compliance in respect of all the personal information in your control. Lawfulness: You must only collect personal information if it is adequate and non-excessive. You must have a legally justifiable reason for collecting personal information. Where possible, you must collect personal information directly from the data subject. Purpose specification: You must only collect personal information for a specific purpose, and you must not store it for longer than necessary to meet that purpose. Further processing limitation: You may only process personal information for further purposes if they are compatible with the reason you collected it. Information quality: You must ensure the personal information you maintain is accurate and complete. Openness: You must be transparent about how you provide personal information and provide consumers with notice about how and why you process their personal information. Security safeguards: You must take reasonable steps to secure the personal information in your control, and you must report any data breaches as soon as reasonably possible. Data subject participation: You must allow data subjects to access their personal information and correct or erase any inaccurate personal information. But, there are additional requirements for particularly sensitive information.
What types of information are considered “special” under the POPIA? Under the POPIA, particularly sensitive types of personal information are called “special personal information.” The categories of special personal information include: Religious or philosophical beliefs  Race or ethnic origin  Trade union membership  Political persuasion  Health or sex life  Biometric information Information about criminal behavior, including: Alleged offenses that have been committed by the individual Proceedings that may have taken place regarding the alleged offenses Like the GDPR, the POPIA places a general prohibition on the processing of special personal information. However, it is possible to process special personal information on the following grounds: With the consent of the data subject To exercise or defend your legal rights or obligations To comply with an obligation under international public law For historical, statistical, or research purposes in the public interest Where the information has been made public by the data subject
How can cybersecurity help me stay compliant with the POPIA? We know what you’re thinking: what steps can I actually take to ensure every individual, team, and department across my organization safely processes data? Like other compliance standards, the POPIA mandates “appropriate, reasonable technical and organizational measures” to prevent the loss of, damage to, and unauthorized access to personal information. The POPIA sets out four broad ways in which responsible parties must secure personal information: Identify internal and external risks Establish and maintain safeguards Regularly verify safeguards Continually update safeguards The POPIA also requires responsible parties to keep up-to-date with any sector-specific security standards and professional regulations, and ensure any operators also apply security safeguards to personal information. There’s a lot to unpack here. But, it all comes down to data loss prevention (DLP). While you can read all about DLP in this article: What is Data Loss Prevention – A Complete Guide to DLP, we’ll outline the different “types” of DLP below. Note: DLP does more or less the same thing wherever it is deployed – it looks for sensitive information crossing boundaries. But different DLP solutions operate in different ways depending on which “perimeter” is being guarded. Network DLP Network DLP protects data in motion by monitoring the traffic that enters and leaves the organization’s network. These solutions are mostly cloud-based and are designed to monitor network traffic between users and other endpoints connected through the Internet; every byte of data transmitted through a network will go through the cloud-based DLP solution.  Endpoint DLP Endpoint DLP protects data in use on employee’s devices (computers, mobile phones) by preventing unauthorized access. How? By ensuring information isn’t taken off work devices and sent or copied to unauthorized devices by allowing or denying certain tasks to be performed on the computer.  It is also able to detect and block viruses and other malware that could be transferred into your computer system from external sources, like a USB. Email DLP Email is the threat vector security and IT leaders are most concerned about, Why? Because both inbound and outbound traffic pose serious security threats.  According to data from Verizon, email is the main entry point for social engineering attacks like phishing and incidents involving Insider Threats have increased by 47% over the last two years. And, we can’t forget about accidental data loss – like misdirected emails – which is actually the most frequently reported security incident under the GDPR. Learn more about how Tessian detects and prevents both inbound and outbound threats on email to help organizations around the world stay compliant.  But organizations need more than security solutions. Under the POPIA, every public and private organization must also have an Information Officer. What are their responsibilities?  Encouraging the organization to comply with the conditions for lawful processing Assisting data subjects with requests to access their personal information Working with the Information Regulator in the event of an investigation Otherwise ensuring that the organization complies with the POPIA Once you have appointed your Information Officer, you must register them with the Information Regulator. But, what happens if DLP solutions (and your Information Officer) don’t successfully prevent data loss and a breach occurs? You have to notify relevant bodies.
What do I do in the event of a breach? If personal information is subject to unauthorized access, (i.e., a data breach occurs), responsible parties must notify: The Information Regulator, and The affected data subjects  Importantly, this must happen “as soon as reasonably possible” and should include: A description of the consequences of the breach An explanation of what the responsible party has done to contain the breach Advice to the data subjects regarding how to mitigate the impact of the breach The identity of anyone who may have accessed the personal information (if known) This is a lot of work and one of the reasons why investigation and remediation are generally the costliest categories in an overall data breach. Which, by the way, cost organizations $3.92 million on average according to IBM’s latest Cost of a Data Breach Report.
What are the penalties under the POPIA? Breaches of the POPIA can lead to harsh penalties brought by the Information Regulator, including: A fine of between 1 million and 10 million ZAR (approximately $60,000 – $600,000 USD) Imprisonment for a term of up to ten years Both a fine and a prison term The POPIA also contains a private right of action, meaning that individual data subjects can bring a private legal claim against a responsible party. A case brought under the POPIA could lead to: “Actual damages,” to compensate data subjects for any losses they have incurred “Aggravated damages,” to compensate data subjects for the distress they have experienced Fines, imprisonment, and lawsuits are not the only concerns for businesses processing people’s personal information in South Africa. Even small-scale data breaches can lead to a complaint being lodged with the Information Regulator. For more information about how much business’ have been fined under other data protection laws, check out this article: 4 Biggest GDPR Fines of 2020 (So Far). If you take nothing else away from this article, it should be that compliance and security go hand-in-hand. Businesses in South Africa and beyond must take necessary steps to safeguard the data their organizations process and hold, which requires dedicated security and IT teams and a strong data loss prevention strategy. Wondering what’s top-of-mind for other security leaders when it comes to DLP? Download the report below.
Spear Phishing DLP Compliance Data Exfiltration
August Cybersecurity News Roundup
By Maddie Rosenthal
28 August 2020
The end of the month means another roundup of the top cybersecurity headlines. Keep reading for a summary of the top 12 stories from August. Bonus: We’ve included links to extra resources in case anything piques your interest and you want to take a deeper dive. Did we miss anything? Email [email protected] Russian charged with trying to recruit Tesla employee to plant malware  Earlier this week, news broke that the FBI had arrested Egor Igorevich Kriuchkov – a 27-year-old Russian citizen – for trying to recruit a fellow Tesla employee to plant malware inside the Gigafactory Nevada. The plan? Insert malware into the electric car maker’s system, causing a distributed denial of service (DDos) attack to occur. This would essentially give hackers free rein over the system.  But, instead of breaching the network, the Russian-speaking employee turned down Egor’s million-dollar offer (to be paid in cash or bitcoin) and instead worked closely with the FBI to thwart the attack. Feds warn election officials of potentially malicious ‘typosquatting’ websites Stories of election fraud have dominated headlines over the last several months. The latest story involves suspicious “typosquatting” websites that may be used for credential harvesting, phishing, and influence operations.
While the FBI hasn’t yet identified any malicious incidents, they have found dozens of illegitimate websites that could be used to interfere with the 2020 vote.   To stay safe, make sure you double-check any URLs you’ve typed in and never input any personal information unless you trust the domain.  Former Google engineer sent to prison for stealing robocar secrets An Insider Threat at Google who exfiltrated 14,000 files five years ago has been sentenced to 18 months in prison. The sentencing came four months after Anthony Levandowski plead guilty to stealing trade secrets, including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.  He’s also been ordered to pay more than $850,000. Looking for more information about the original incident? Check out this article: Insider Threats: Types and Real-World Examples. All the information you need is under Example #4. For six months, security researchers have secretly distributed an Emotet vaccine across the world Emotet – one of today’s most skilled malware groups – has caused security and IT leaders headaches since 2014.  But, earlier this year, James Quinn, a malware analyst working for Binary Defense, discovered a bug in Emotet’s code and was able to put together a PowerShell script that exploited the registry key mechanism to crash the malware. According to ZDNet, he essentially created “both an Emotet vaccine and killswitch at the same time.” Working with Team CYMRU, Binary Defense handed over the “vaccine” to national Computer Emergency Response Teams (CERTs), which then spread it around the world to companies in their respective jurisdictions. Online business fraud down, consumer fraud up New research from TransUnion shows that between March and July, hackers have started to change their tactics. Instead of targeting businesses, they’re now shifting their focus to consumers. Key findings include: Consumer fraud has increased 10%, while business fraud has declined 9% since the beginning of the pandemic Nearly one-third of consumers have been targeted by COVID-19 related fraud Phishing is the most common method used in fraud schemes You can read the full report here. FBI and CISA issue warning over increase in vishing attacks A joint warning from the Federal Bureau of Investigations (FBI) and Cybersecurity Infrastructure Security Agency (CISA) was released in mid-August, cautioning the public that they’ve seen a spike in voice phishing attacks (known as vishing).  They’ve attributed the increase in attacks to the shift to remote working. Why? Because people are no longer able to verify requests in-person. Not sure what vishing is? Check out this article, which outlines how hackers are able to pull off these attacks, how you can spot them, and what to do if you’re targeted.  TikTok sues U.S. government over Trump ban In last month’s cybersecurity roundup, we outlined why India had banned TikTok and why America might be next. 30 days later, we have a few updates. On August 3, President Trump said TikTok would be banned in the U.S. unless it was bought by Microsoft (or another company) before September 15. Three days later, Trump signed an executive order barring US businesses from making transactions with TikTok’s parent company, ByteDance. The order will go into effect 45 days after it was signed. A few weeks later, ByteDance filed a lawsuit against the U.S. government, arguing the company was denied due process to argue that it isn’t actually a national security threat. In the meantime, TikTok is continuing its sales conversations with Microsoft and Oracle. Stay tuned next month for an update on what happens in the next 30 days. A Stanford deception expert and cybersecurity CEO explain why people fall for online scams According to a new research report – The Psychology of Human Error – nearly half of employees have made a mistake at work that had security repercussions. But why? Employees say stress, distraction, and fatigue are part of the problem and drive them to make more mistakes at work, including sending emails to the wrong people and clicking on phishing emails.  And, as you might expect, the sudden transition to remote work has only added fuel to the fire. 57% of employees say they’re even more distracted when working from home.  To avoid making costly mistakes, Jeff Hancock, a professor at Stanford, recommends taking breaks and prioritizing self-care. Of course, cybersecurity solutions will help prevent employees from causing a breach, too. University of Utah pays $457,000 to ransomware gang On August 21, the University of Utah posted a statement on its website saying that they were the victim of a ransomware attack and, to avoid hackers leaking sensitive student information, they paid $457,000. But, according to the statement, the hackers only managed to encrypt .02% of the data stored on their servers. While the University hasn’t revealed which ransomware gang was behind the attack, they have confirmed that the attack took place on July 19, that it was the College of Social and Behavioral Sciences that was hacked, and that the university’s cyber insurance policy paid for part of the ransom. Verizon analyzed the COVID-19 data breach landscape This month, Verizon updates its annual Data Breach Landscape Report to include new facts and figures related to COVID-19. Here some of the trends to look out for based on their findings: Breaches caused by human error will increase. Why? Many organizations are operating with fewer staff than before due to either illness or layoffs. Some staff may also have limitations because of new remote working set-ups. When you combine that with larger workloads and more distractions, we’re bound to see more mistakes. Organizations should be especially wary of stolen-credential related hacking, especially as many IT and security teams are working to lock down and maintain remote access.  Ransomware attacks will increase in the coming months. SANS Institute Phishing Attack Leads to Theft of 28,000 Records  The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on. While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. The cybersecurity skills shortage is getting worse In March, Tessian released its Opportunity in Cybersecurity Report which set out to answer one (not-so-simple) question: Why are there over 4 million unfilled positions in cybersecurity and why is the workforce twice as likely to be male than female? The answer is multi-faceted and has a lot to do with a lack of knowledge of the industry and inaccurate perceptions of what it means to work in cybersecurity.  The bad news is, it looks like the problem is getting worse. A recent report, The Life and Times of Cybersecurity Professionals 2020, shows that only 7% of cybersecurity professionals say their organization has improved its position relative to the cybersecurity skills shortage in the last several years. Another 58% say their organizations should be doing more to bridge the gap. What do you think will help encourage more people to join the industry?  That’s all for this month! Keep up with us on social media and check our blog for more updates.
Human Layer Security Customer Stories DLP
9 Questions That Will Help You Choose The Right Email Security Solution
25 August 2020
When it comes to creating a cybersecurity strategy, security leaders have a lot to consider. There are various threat vectors, dozens of “types” of data to secure, thousands of products on the market, and oftentimes limited budget to work with. But, in this article, we’re going to focus on email security. Why? Because 90% of data breaches start on email. Data could be compromised via a spear phishing attack. Malware contained in one malicious attachment could infect an entire organization’s network. Insider threats could easily exfiltrate data for financial gain simply by emailing spreadsheets to their personal email accounts.   That’s why email is the threat vector security and IT leaders are most concerned about, and it’s why choosing the right email security software is so critically important. Keep reading to learn: What nine questions you should ask when choosing an email security solution  The solutions other security leaders across industries use to protect their people on email Why Tessian may be the right email security software for you How to get buy-in from your CEO after you’ve decided what the best solution is for your organization 1. Is it easy to deploy? Cybersecurity solutions should make life easier for your employees and your IT department. And, the bottom line is, a complicated setup process wastes time and resources. Worse still, it could lead to errors in deployment which may leave your company vulnerable. That’s why email security software must be easy to deploy across your organization and it should seamlessly integrate with a variety of email clients, all without any administrative burden. Before getting too far into the sales process, make sure you find out what support the vendor will provide, how long deployment takes, and – whenever possible – talk to an existing customer to find out how their deployment was.  2. Is it scalable and customizable? As your company grows and changes, your business tools must adapt. This includes email security software, which should work for you consistently, regardless of your company’s size. If you scale up or down, your email security software should change with you. Email security software must also allow customization so that it really aligns with your risk appetite, your employees’ preferences, and your specific business context. Too little flexibility is stifling — but too much choice is overwhelming (and could be resource-intensive).  3. Does it prevent a wide range of threats? Today, cybersecurity solutions must detect and prevent a broader range of threats than ever before. And, when it comes to email security software, you have to consider both inbound and outbound threats, including: Spear phishing: A sophisticated phishing attack in which the attacker emails a specific, named target. Verizon’s 2020 data breach report shows that 96% of social attacks (like spear phishing) occur via email. Check out more statistics related to social engineering attacks on our blog. Misdirected emails: An employee accidentally emails personal or sensitive data to the wrong recipient. This happens more often than you might think. The UK’s privacy regulator cited misdirected emails as the number one cause of data breaches in quarter four of 2019-20 and, according to Tessian platform data, over 800 emails are sent to the wrong person every year in organizations with 1,000 people.  Insider Threats: A trusted employee sends confidential or sensitive data to an unauthorized recipient. This recipient can be a third-party to whom a malicious insider is leaking intellectual property — or merely an employee forwarding correspondence to their personal email. Looking for more examples? We’ve rounded up 7 real-world Insider Threat examples here. 4. Can it keep up with the evolving threat landscape? Online threats are rapidly evolving and email security software is only as good as its ability to keep pace with these threats. Whether it’s vishing, smishing, or a new type of malware, hackers are always looking for new ways to take advantage of security vulnerabilities and unsuspecting (and often untrained) employees.  Can your email security software keep up? Tessian can. Scroll down to learn how Tessian uses machine learning to automatically “learn” and evolve in tandem with the threat landscape.  5. Are employees (and data) protected across devices? Businesses are increasingly reliant on cloud computing, remote working, and home offices — particularly since the outbreak of COVID-19. It’s hard enough to protect a set of company workstations located on company premises. Trying to manage security on any number of desktop, laptop, and mobile devices — located in offices, public places, and your employees’ homes — is even harder. But, unprotected devices represent a critical vulnerability in your company’s security. That’s why the right email security solution will work on any device that employees can use to access company data. 6. Is it easy to see (and communicate) ROI? It can be tough for security leaders to communicate the ROI of cybersecurity solutions. Why? Because it’s hard to put a value on something that hasn’t happened. But, a strong email security solution will make it easy for IT teams to assess risk, review trends over time, and create reports that demonstrate how risk is downtrending over time. This way, key stakeholders can really see the impact.  Unfortunately, a lot of solutions today are a black box when it comes to investigating incidents and garnering insights. So, when choosing an email security solution, consider what reporting tools the solution offers and whether or not any manual investigation is required. Most security teams are already thinly stretched; communicating ROI shouldn’t be an added burden. 7. Is it easy for employees to use? According to new research, 51% of employees say security tools and software impede their productivity. Likewise, 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job. This proves that the most secure path also has to be the path of least resistance. If the security solution you’re considering has high flag rates, creates extra work for your employees, or isn’t user-friendly, it will go unused. This is a security risk.  In layman’s terms: security shouldn’t get in the way. 8. Does it help ensure compliance?  Increasingly strict data privacy laws are setting new standards for companies handling personal information.  Businesses are accountable for taking a proactive approach to data security. You must take every reasonable step to ensure that the personal information in your control is kept safe and you must be able to demonstrate your security measures to regulators on demand.  That means that, when evaluating potential email security solutions, you should not only understand what data loss incidents they prevent, but also which security certifications they’ve earned.  9. Has it been vetted by relevant customers and industry leaders? Before selecting an email security software provider, you must ensure that it is well-established and has testimonials from previous customers, preferably in your company’s sector. Cybersecurity is a vast industry, and too many players are inexperienced, disreputable, or downright untrustworthy. You cannot afford to take any risks in choosing an email security software provider: reputation is everything in this field. Is Tessian the right email security solution for you?
Tessian is easy to deploy Deploying Tessian couldn’t be simpler. The software integrates with all email environments, including Office 365, Microsoft Exchange, and GSuite. And, plug-and-play intelligent filters make individual customization easy. Setup is also extremely fast. Within 24 hours, Tessian analyzes an entire year’s worth of your organization’s historic email data. Immediately afterward, you’re protected.  No rules are required.  Tessian is scalable and customizable Tessian’s stateful machine learning technology is always evolving, designed to suit your business’s needs as it scales and changes over time. Tessian automatically (and continuously) analyzes each employee’s historic email behavior to learn what is and isn’t “normal” for them. That way, it knows which emails to flag as anomalous.  But, we also understand how important customization is. With Tessian Constructor, you can create and implement security rules specific to your organization. Tessian prevents a wide range of threats Across three solutions, Tessian’s Human Layer Security platform can detect and prevent inbound and outbound threats, including advanced impersonation attacks, Insider Threats, and accidental data loss via misdirected emails. Tessian keeps pace with the evolving threat landscape Tessian doesn’t rely on a list of signatures of known malware and scams. Our machine learning algorithms are actively learning all the time, which enables Tessian Defender, Guardian, and Enforcer to spot unusual activity and discover new threats. And, with Human Layer Security Intelligence, Tessian customers benefit from a sort of “herd immunity”. If a threat is detected in another environment – for example, a never-before-seen social engineering attack – Tessian’s entire community of users will automatically be protected. How? The suspicious domain will automatically be placed on a “denylist” and blocked.  Tessian protects employees and data across devices Tessian is an ideal solution for remote or hybrid work environments. It protects your employees and your company’s data on laptops, desktops, and mobile devices. Tessian makes it easy to see ROI Tessian Human Layer Security Intelligence provides security leaders with detailed, easy-to-understand and – best of all – automated threat reports. In a single click, you’ll be able to see how your risk profile has improved over a certain period of time.
Security and IT teams can also get detailed information about specific incidents. Zero manual investigation required. Want to learn more about how Tessian customers can use HLSI to improve their security posture and communicate ROI? Read this: Introducing Tessian Human Layer Security Intelligence. Tessian is easy for employees to use Tessian is incredibly easy for anyone in your company to use. In fact, Tessian barely requires any “use” at all. The software runs silently in the background without any impediment to your employees’ productivity whatsoever. Flag rates are low, warnings – when triggered – are helpful, not annoying, and our customers see a very low number of false positives. With Tessian, the most secure path is the path of least resistance. It’s one piece of security software your employees will thank you for adopting.
Tessian helps ensure compliance The key to compliance with privacy law is assessing risks to privacy and taking reasonable steps to mitigate these risks. Email represents a critical risk area in any company’s data security architecture. Tessian can assist with compliance in a way that other email security software cannot. Tessian Guardian is unique in its ability to prevent misdirected emails, which are the leading cause of data breach, according to reports by the ICO and the California Attorney-General. Given that misdirected email is such a common cause of data breaches, you must take steps to safeguard against this risk.  But, it’s also important to note that Tessian was designed with security and privacy in mind. You can learn more about our security certifications and how we ensure data privacy and protection here.  Tessian has been vetted by industry leaders Leading organizations across industries rely on Tessian to protect their people and data on email.  Here are just some of the many businesses that endorse Tessian, by sector: Legal Customers Hill Dickinson (case study) Dentons (case study) Caplin and Drysdale (case study) Financial Services Customers Webb Henderson (case study) Man Group (case study) Evercore (case study) Tech Customers Rightmove (case study) Gubra (case study) Com Lauda (case study) Insurance Customers North (case study) Healthcare Customers Laya Healthcare (case study) Tessian has also received recognition and plaudits from industry bodies and tech experts.  In May 2020, Tessian was recognized as a Cool Vendor in the Gartner Cool Vendors in Cloud Office Security report, which recognizes security solutions that “focus specifically upon securing applications, communication and data that occur within cloud office environments.” Tessian has also been independently tested by IT analyst firm 451 Research, which assessed how the software fared against its competitors in data-loss prevention. According to 451 Research’s report, Tessian’s machine learning algorithms allow it to succeed in preventing data loss where rule-based solutions fall short. 
And, most recently, Tessian was included in Forrester’s Now Tech: Report for Enterprise Email Security Providers. You can read more about why Tessian was selected here.  While there is no one-size-fits-all approach to email security, this guide should help you research and vet which solution is right for you. If you’re considering Tessian, why not book a demo to have these questions (and more) answered by one of our experts.
Not ready to book a demo yet? Learn more about your products, our customers, and our Human Layer Security vision via the links below: Why Tessian? Our Technology What is Human Layer Security? Customer Stories  Bonus: If you have decided which email security solution is right for you but you’re struggling to get buy-in from your CEO, read this guide with tips from the world’s most innovative and trusted organizations.
Human Layer Security Customer Stories DLP
Prove the Value of Cybersecurity Solutions: 16 Tips From Security Leaders
By Maddie Rosenthal
18 August 2020
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.  This is easier said than done, especially now that organizations around the world are facing budget cuts in the wake of COVID-19. But, security is business-critical.   So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips. You can download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. Or, download this eBook. 1. Familiarize yourself with overall business objectives While cybersecurity has historically been a siloed department, today, it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.  The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case. If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach, the average cost of a data breach is $3.86 million.) 2. Create specific “what-if” scenarios A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.  As the saying goes, “If it ain’t broke, don’t fix it”.  That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented so that stakeholders can understand both probability and impact. For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails  which – by the way- are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox.  What would happen?  Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.  3. Work closely with the security vendor You know your business. Security vendors know their product. If you combine each of your expertise – and really lean on each other – you’ll have a much better chance of making a compelling case for a particular solution. Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.  4. Collaborate and align with other departments It takes a village and cybersecurity is a “people problem”.  That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.  Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win! 5. Consider how much the executive(s) really know about security To communicate effectively, you have to speak the same language. And, we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with. But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing. For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But, if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.  In short: Don’t succumb to the Curse of Knowledge. 
6. Use analogies to put costs into perspective  One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful. For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But, the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.  Suddenly, the cost will seem more manageable and worth the investment. 7. Invite key stakeholders to events or webinars  Before you even start pitching a particular solution, warm-up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people/organizations are finding solutions. Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle. Looking for events to attend? We’ve put together this list of 20 cybersecurity and business events – including Tessian Human Layer Security Summit – perfect for inviting your non-technical colleagues to.  8. Prepare concise and personalized briefing materials Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5. After taking some time to understand the business’ overall objectives, take a closer look at individual peoples’ roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity. Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.  The bottom line: make it about them. 9. Share these documents in advance of any formal meetings While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.  To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings. But, don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information. 10. Build a strong security culture Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone. So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping – not blaming – employees. There has to be a certain level of mutual trust and respect.  Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions – whether it’s clicking on a phishing email or using a weak password – have consequences.  If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign-off on solutions. 11. Keep an eye on security trends outside of your industry  Some industries – specifically Healthcare, Financial Services, and Legal – are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months. Keep this in mind. If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too. 12. Approach non-executive stakeholders early on While – yes – getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.  After all, those are the people who will actually be responsible for deploying the solution and maintaining it.By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.  How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.  13. Match like-for-like people from both sides If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level. For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.  And, with that in mind…. 14. Preempt questions and prepare answers No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!) Remember, people are generally concerned with how a problem/solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.  15. Get specific customer references from the vendor We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And, we mentioned in tip #11 that you should match like-for-like people in meetings. It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince you’re CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from the CTO. Why? Professionals trust and rely on their peers when making difficult decisions. 16. Be conscious (and considerate of) peoples’ time  Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).  Are you a security leader who wants to offer advice to your peers? We’d love to hear from you! Please get in touch with [email protected] And, if you’re looking for more advice, check out these blogs: How to Communicate Cybersecurity ROI Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges How to Create an Enduring and Flexible Cybersecurity Strategy
Page
[if lte IE 8]
[if lte IE 8]