Compliance Data Exfiltration DLP Spear Phishing
August Cybersecurity News Roundup
By Maddie Rosenthal
28 August 2020
The end of the month means another roundup of the top cybersecurity headlines. Keep reading for a summary of the top 12 stories from August. Bonus: We’ve included links to extra resources in case anything piques your interest and you want to take a deeper dive. Did we miss anything? Email [email protected] Russian charged with trying to recruit Tesla employee to plant malware  Earlier this week, news broke that the FBI had arrested Egor Igorevich Kriuchkov – a 27-year-old Russian citizen – for trying to recruit a fellow Tesla employee to plant malware inside the Gigafactory Nevada. The plan? Insert malware into the electric car maker’s system, causing a distributed denial of service (DDos) attack to occur. This would essentially give hackers free rein over the system.  But, instead of breaching the network, the Russian-speaking employee turned down Egor’s million-dollar offer (to be paid in cash or bitcoin) and instead worked closely with the FBI to thwart the attack. Feds warn election officials of potentially malicious ‘typosquatting’ websites Stories of election fraud have dominated headlines over the last several months. The latest story involves suspicious “typosquatting” websites that may be used for credential harvesting, phishing, and influence operations.
While the FBI hasn’t yet identified any malicious incidents, they have found dozens of illegitimate websites that could be used to interfere with the 2020 vote.   To stay safe, make sure you double-check any URLs you’ve typed in and never input any personal information unless you trust the domain.  Former Google engineer sent to prison for stealing robocar secrets An Insider Threat at Google who exfiltrated 14,000 files five years ago has been sentenced to 18 months in prison. The sentencing came four months after Anthony Levandowski plead guilty to stealing trade secrets, including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.  He’s also been ordered to pay more than $850,000. Looking for more information about the original incident? Check out this article: Insider Threats: Types and Real-World Examples. All the information you need is under Example #4. For six months, security researchers have secretly distributed an Emotet vaccine across the world Emotet – one of today’s most skilled malware groups – has caused security and IT leaders headaches since 2014.  But, earlier this year, James Quinn, a malware analyst working for Binary Defense, discovered a bug in Emotet’s code and was able to put together a PowerShell script that exploited the registry key mechanism to crash the malware. According to ZDNet, he essentially created “both an Emotet vaccine and killswitch at the same time.” Working with Team CYMRU, Binary Defense handed over the “vaccine” to national Computer Emergency Response Teams (CERTs), which then spread it around the world to companies in their respective jurisdictions. Online business fraud down, consumer fraud up New research from TransUnion shows that between March and July, hackers have started to change their tactics. Instead of targeting businesses, they’re now shifting their focus to consumers. Key findings include: Consumer fraud has increased 10%, while business fraud has declined 9% since the beginning of the pandemic Nearly one-third of consumers have been targeted by COVID-19 related fraud Phishing is the most common method used in fraud schemes You can read the full report here. FBI and CISA issue warning over increase in vishing attacks A joint warning from the Federal Bureau of Investigations (FBI) and Cybersecurity Infrastructure Security Agency (CISA) was released in mid-August, cautioning the public that they’ve seen a spike in voice phishing attacks (known as vishing).  They’ve attributed the increase in attacks to the shift to remote working. Why? Because people are no longer able to verify requests in-person. Not sure what vishing is? Check out this article, which outlines how hackers are able to pull off these attacks, how you can spot them, and what to do if you’re targeted.  TikTok sues U.S. government over Trump ban In last month’s cybersecurity roundup, we outlined why India had banned TikTok and why America might be next. 30 days later, we have a few updates. On August 3, President Trump said TikTok would be banned in the U.S. unless it was bought by Microsoft (or another company) before September 15. Three days later, Trump signed an executive order barring US businesses from making transactions with TikTok’s parent company, ByteDance. The order will go into effect 45 days after it was signed. A few weeks later, ByteDance filed a lawsuit against the U.S. government, arguing the company was denied due process to argue that it isn’t actually a national security threat. In the meantime, TikTok is continuing its sales conversations with Microsoft and Oracle. Stay tuned next month for an update on what happens in the next 30 days. A Stanford deception expert and cybersecurity CEO explain why people fall for online scams According to a new research report – The Psychology of Human Error – nearly half of employees have made a mistake at work that had security repercussions. But why? Employees say stress, distraction, and fatigue are part of the problem and drive them to make more mistakes at work, including sending emails to the wrong people and clicking on phishing emails.  And, as you might expect, the sudden transition to remote work has only added fuel to the fire. 57% of employees say they’re even more distracted when working from home.  To avoid making costly mistakes, Jeff Hancock, a professor at Stanford, recommends taking breaks and prioritizing self-care. Of course, cybersecurity solutions will help prevent employees from causing a breach, too. University of Utah pays $457,000 to ransomware gang On August 21, the University of Utah posted a statement on its website saying that they were the victim of a ransomware attack and, to avoid hackers leaking sensitive student information, they paid $457,000. But, according to the statement, the hackers only managed to encrypt .02% of the data stored on their servers. While the University hasn’t revealed which ransomware gang was behind the attack, they have confirmed that the attack took place on July 19, that it was the College of Social and Behavioral Sciences that was hacked, and that the university’s cyber insurance policy paid for part of the ransom. Verizon analyzed the COVID-19 data breach landscape This month, Verizon updates its annual Data Breach Landscape Report to include new facts and figures related to COVID-19. Here some of the trends to look out for based on their findings: Breaches caused by human error will increase. Why? Many organizations are operating with fewer staff than before due to either illness or layoffs. Some staff may also have limitations because of new remote working set-ups. When you combine that with larger workloads and more distractions, we’re bound to see more mistakes. Organizations should be especially wary of stolen-credential related hacking, especially as many IT and security teams are working to lock down and maintain remote access.  Ransomware attacks will increase in the coming months. SANS Institute Phishing Attack Leads to Theft of 28,000 Records  The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on. While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. The cybersecurity skills shortage is getting worse In March, Tessian released its Opportunity in Cybersecurity Report which set out to answer one (not-so-simple) question: Why are there over 4 million unfilled positions in cybersecurity and why is the workforce twice as likely to be male than female? The answer is multi-faceted and has a lot to do with a lack of knowledge of the industry and inaccurate perceptions of what it means to work in cybersecurity.  The bad news is, it looks like the problem is getting worse. A recent report, The Life and Times of Cybersecurity Professionals 2020, shows that only 7% of cybersecurity professionals say their organization has improved its position relative to the cybersecurity skills shortage in the last several years. Another 58% say their organizations should be doing more to bridge the gap. What do you think will help encourage more people to join the industry?  That’s all for this month! Keep up with us on social media and check our blog for more updates.
Customer Stories DLP Human Layer Security
9 Questions That Will Help You Choose The Right Email Security Solution
25 August 2020
When it comes to creating a cybersecurity strategy, security leaders have a lot to consider. There are various threat vectors, dozens of “types” of data to secure, thousands of products on the market, and oftentimes limited budget to work with. But, in this article, we’re going to focus on email security. Why? Because 90% of data breaches start on email. Data could be compromised via a spear phishing attack. Malware contained in one malicious attachment could infect an entire organization’s network. Insider threats could easily exfiltrate data for financial gain simply by emailing spreadsheets to their personal email accounts.   That’s why email is the threat vector security and IT leaders are most concerned about, and it’s why choosing the right email security software is so critically important. Keep reading to learn: What nine questions you should ask when choosing an email security solution  The solutions other security leaders across industries use to protect their people on email Why Tessian may be the right email security software for you How to get buy-in from your CEO after you’ve decided what the best solution is for your organization 1. Is it easy to deploy? Cybersecurity solutions should make life easier for your employees and your IT department. And, the bottom line is, a complicated setup process wastes time and resources. Worse still, it could lead to errors in deployment which may leave your company vulnerable. That’s why email security software must be easy to deploy across your organization and it should seamlessly integrate with a variety of email clients, all without any administrative burden. Before getting too far into the sales process, make sure you find out what support the vendor will provide, how long deployment takes, and – whenever possible – talk to an existing customer to find out how their deployment was.  2. Is it scalable and customizable? As your company grows and changes, your business tools must adapt. This includes email security software, which should work for you consistently, regardless of your company’s size. If you scale up or down, your email security software should change with you. Email security software must also allow customization so that it really aligns with your risk appetite, your employees’ preferences, and your specific business context. Too little flexibility is stifling — but too much choice is overwhelming (and could be resource-intensive).  3. Does it prevent a wide range of threats? Today, cybersecurity solutions must detect and prevent a broader range of threats than ever before. And, when it comes to email security software, you have to consider both inbound and outbound threats, including: Spear phishing: A sophisticated phishing attack in which the attacker emails a specific, named target. Verizon’s 2020 data breach report shows that 96% of social attacks (like spear phishing) occur via email. Check out more statistics related to social engineering attacks on our blog. Misdirected emails: An employee accidentally emails personal or sensitive data to the wrong recipient. This happens more often than you might think. The UK’s privacy regulator cited misdirected emails as the number one cause of data breaches in quarter four of 2019-20 and, according to Tessian platform data, over 800 emails are sent to the wrong person every year in organizations with 1,000 people.  Insider Threats: A trusted employee sends confidential or sensitive data to an unauthorized recipient. This recipient can be a third-party to whom a malicious insider is leaking intellectual property — or merely an employee forwarding correspondence to their personal email. Looking for more examples? We’ve rounded up 7 real-world Insider Threat examples here. 4. Can it keep up with the evolving threat landscape? Online threats are rapidly evolving and email security software is only as good as its ability to keep pace with these threats. Whether it’s vishing, smishing, or a new type of malware, hackers are always looking for new ways to take advantage of security vulnerabilities and unsuspecting (and often untrained) employees.  Can your email security software keep up? Tessian can. Scroll down to learn how Tessian uses machine learning to automatically “learn” and evolve in tandem with the threat landscape.  5. Are employees (and data) protected across devices? Businesses are increasingly reliant on cloud computing, remote working, and home offices — particularly since the outbreak of COVID-19. It’s hard enough to protect a set of company workstations located on company premises. Trying to manage security on any number of desktop, laptop, and mobile devices — located in offices, public places, and your employees’ homes — is even harder. But, unprotected devices represent a critical vulnerability in your company’s security. That’s why the right email security solution will work on any device that employees can use to access company data. 6. Is it easy to see (and communicate) ROI? It can be tough for security leaders to communicate the ROI of cybersecurity solutions. Why? Because it’s hard to put a value on something that hasn’t happened. But, a strong email security solution will make it easy for IT teams to assess risk, review trends over time, and create reports that demonstrate how risk is downtrending over time. This way, key stakeholders can really see the impact.  Unfortunately, a lot of solutions today are a black box when it comes to investigating incidents and garnering insights. So, when choosing an email security solution, consider what reporting tools the solution offers and whether or not any manual investigation is required. Most security teams are already thinly stretched; communicating ROI shouldn’t be an added burden. 7. Is it easy for employees to use? According to new research, 51% of employees say security tools and software impede their productivity. Likewise, 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job. This proves that the most secure path also has to be the path of least resistance. If the security solution you’re considering has high flag rates, creates extra work for your employees, or isn’t user-friendly, it will go unused. This is a security risk.  In layman’s terms: security shouldn’t get in the way. 8. Does it help ensure compliance?  Increasingly strict data privacy laws are setting new standards for companies handling personal information.  Businesses are accountable for taking a proactive approach to data security. You must take every reasonable step to ensure that the personal information in your control is kept safe and you must be able to demonstrate your security measures to regulators on demand.  That means that, when evaluating potential email security solutions, you should not only understand what data loss incidents they prevent, but also which security certifications they’ve earned.  9. Has it been vetted by relevant customers and industry leaders? Before selecting an email security software provider, you must ensure that it is well-established and has testimonials from previous customers, preferably in your company’s sector. Cybersecurity is a vast industry, and too many players are inexperienced, disreputable, or downright untrustworthy. You cannot afford to take any risks in choosing an email security software provider: reputation is everything in this field. Is Tessian the right email security solution for you?
Tessian is easy to deploy Deploying Tessian couldn’t be simpler. The software integrates with all email environments, including Office 365, Microsoft Exchange, and GSuite. And, plug-and-play intelligent filters make individual customization easy. Setup is also extremely fast. Within 24 hours, Tessian analyzes an entire year’s worth of your organization’s historic email data. Immediately afterward, you’re protected.  No rules are required.  Tessian is scalable and customizable Tessian’s stateful machine learning technology is always evolving, designed to suit your business’s needs as it scales and changes over time. Tessian automatically (and continuously) analyzes each employee’s historic email behavior to learn what is and isn’t “normal” for them. That way, it knows which emails to flag as anomalous.  But, we also understand how important customization is. With Tessian Constructor, you can create and implement security rules specific to your organization. Tessian prevents a wide range of threats Across three solutions, Tessian’s Human Layer Security platform can detect and prevent inbound and outbound threats, including advanced impersonation attacks, Insider Threats, and accidental data loss via misdirected emails. Tessian keeps pace with the evolving threat landscape Tessian doesn’t rely on a list of signatures of known malware and scams. Our machine learning algorithms are actively learning all the time, which enables Tessian Defender, Guardian, and Enforcer to spot unusual activity and discover new threats. And, with Human Layer Security Intelligence, Tessian customers benefit from a sort of “herd immunity”. If a threat is detected in another environment – for example, a never-before-seen social engineering attack – Tessian’s entire community of users will automatically be protected. How? The suspicious domain will automatically be placed on a “denylist” and blocked.  Tessian protects employees and data across devices Tessian is an ideal solution for remote or hybrid work environments. It protects your employees and your company’s data on laptops, desktops, and mobile devices. Tessian makes it easy to see ROI Tessian Human Layer Security Intelligence provides security leaders with detailed, easy-to-understand and – best of all – automated threat reports. In a single click, you’ll be able to see how your risk profile has improved over a certain period of time.
Security and IT teams can also get detailed information about specific incidents. Zero manual investigation required. Want to learn more about how Tessian customers can use HLSI to improve their security posture and communicate ROI? Read this: Introducing Tessian Human Layer Security Intelligence. Tessian is easy for employees to use Tessian is incredibly easy for anyone in your company to use. In fact, Tessian barely requires any “use” at all. The software runs silently in the background without any impediment to your employees’ productivity whatsoever. Flag rates are low, warnings – when triggered – are helpful, not annoying, and our customers see a very low number of false positives. With Tessian, the most secure path is the path of least resistance. It’s one piece of security software your employees will thank you for adopting.
Tessian helps ensure compliance The key to compliance with privacy law is assessing risks to privacy and taking reasonable steps to mitigate these risks. Email represents a critical risk area in any company’s data security architecture. Tessian can assist with compliance in a way that other email security software cannot. Tessian Guardian is unique in its ability to prevent misdirected emails, which are the leading cause of data breach, according to reports by the ICO and the California Attorney-General. Given that misdirected email is such a common cause of data breaches, you must take steps to safeguard against this risk.  But, it’s also important to note that Tessian was designed with security and privacy in mind. You can learn more about our security certifications and how we ensure data privacy and protection here.  Tessian has been vetted by industry leaders Leading organizations across industries rely on Tessian to protect their people and data on email.  Here are just some of the many businesses that endorse Tessian, by sector: Legal Customers Hill Dickinson (case study) Dentons (case study) Caplin and Drysdale (case study) Financial Services Customers Webb Henderson (case study) Man Group (case study) Evercore (case study) Tech Customers Rightmove (case study) Gubra (case study) Com Lauda (case study) Insurance Customers North (case study) Healthcare Customers Laya Healthcare (case study) Tessian has also received recognition and plaudits from industry bodies and tech experts.  In May 2020, Tessian was recognized as a Cool Vendor in the Gartner Cool Vendors in Cloud Office Security report, which recognizes security solutions that “focus specifically upon securing applications, communication and data that occur within cloud office environments.” Tessian has also been independently tested by IT analyst firm 451 Research, which assessed how the software fared against its competitors in data-loss prevention. According to 451 Research’s report, Tessian’s machine learning algorithms allow it to succeed in preventing data loss where rule-based solutions fall short. 
And, most recently, Tessian was included in Forrester’s Now Tech: Report for Enterprise Email Security Providers. You can read more about why Tessian was selected here.  While there is no one-size-fits-all approach to email security, this guide should help you research and vet which solution is right for you. If you’re considering Tessian, why not book a demo to have these questions (and more) answered by one of our experts.
Not ready to book a demo yet? Learn more about your products, our customers, and our Human Layer Security vision via the links below: Why Tessian? Our Technology What is Human Layer Security? Customer Stories  Bonus: If you have decided which email security solution is right for you but you’re struggling to get buy-in from your CEO, read this guide with tips from the world’s most innovative and trusted organizations.
Customer Stories DLP Human Layer Security
Prove the Value of Cybersecurity Solutions: 16 Tips From Security Leaders
By Maddie Rosenthal
18 August 2020
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.  This is easier said than done, especially now that organizations around the world are facing budget cuts in the wake of COVID-19. But, security is business-critical.   So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips. You can also download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. 1. Familiarize yourself with overall business objectives While cybersecurity has historically been a siloed department, today, it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.  The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case. If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach, the average cost of a data breach is $3.86 million.) 2. Create specific “what-if” scenarios A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.  As the saying goes, “If it ain’t broke, don’t fix it”.  That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented so that stakeholders can understand both probability and impact. For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails  which – by the way- are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox.  What would happen?  Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.  3. Work closely with the security vendor You know your business. Security vendors know their product. If you combine each of your expertise – and really lean on each other – you’ll have a much better chance of making a compelling case for a particular solution. Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.  4. Collaborate and align with other departments It takes a village and cybersecurity is a “people problem”.  That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.  Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win! 5. Consider how much the executive(s) really know about security To communicate effectively, you have to speak the same language. And, we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with. But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing. For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But, if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.  In short: Don’t succumb to the Curse of Knowledge. 
6. Use analogies to put costs into perspective  One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful. For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But, the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.  Suddenly, the cost will seem more manageable and worth the investment. 7. Invite key stakeholders to events or webinars  Before you even start pitching a particular solution, warm-up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people/organizations are finding solutions. Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle. Looking for events to attend? We’ve put together this list of 20 cybersecurity and business events – including Tessian Human Layer Security Summit – perfect for inviting your non-technical colleagues to.  8. Prepare concise and personalized briefing materials Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5. After taking some time to understand the business’ overall objectives, take a closer look at individual peoples’ roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity. Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.  The bottom line: make it about them. 9. Share these documents in advance of any formal meetings While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.  To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings. But, don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information. 10. Build a strong security culture Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone. So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping – not blaming – employees. There has to be a certain level of mutual trust and respect.  Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions – whether it’s clicking on a phishing email or using a weak password – have consequences.  If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign-off on solutions. 11. Keep an eye on security trends outside of your industry  Some industries – specifically Healthcare, Financial Services, and Legal – are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months. Keep this in mind. If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too. 12. Approach non-executive stakeholders early on While – yes – getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.  After all, those are the people who will actually be responsible for deploying the solution and maintaining it.By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.  How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.  13. Match like-for-like people from both sides If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level. For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.  And, with that in mind…. 14. Preempt questions and prepare answers No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!) Remember, people are generally concerned with how a problem/solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.  15. Get specific customer references from the vendor We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And, we mentioned in tip #11 that you should match like-for-like people in meetings. It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince you’re CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from the CTO. Why? Professionals trust and rely on their peers when making difficult decisions. 16. Be conscious (and considerate of) peoples’ time  Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).  Are you a security leader who wants to offer advice to your peers? We’d love to hear from you! Please get in touch with [email protected] And, if you’re looking for more advice, check out these blogs: How to Communicate Cybersecurity ROI Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges How to Create an Enduring and Flexible Cybersecurity Strategy
Data Exfiltration DLP Human Layer Security Spear Phishing
Research Shows Employee Burnout Could Cause Your Next Data Breach
By Maddie Rosenthal
12 August 2020
Understanding how stress impacts your employees’ cybersecurity behaviors could significantly reduce the chances of people’s mistakes compromising your company’s security, our latest research reveals.   Consider this. A shocking 93% of US and UK employees told us they feel tired and stressed at some point during their working week, with one in 10 feeling tired every day. And perhaps more worryingly, nearly half (46%) said they have experienced burnout in their career.  Then consider that nearly two-thirds of employees feel chained to their desks, as 61% of respondents in our report said there is a culture of presenteeism in their organization that makes them work longer hours than they need to. Nearly 70% of employees also agreed that there is an expectation within their company to respond to emails quickly.  Employees are overwhelmed, overworked and are feeling the pressure to keep pace with their organization’s demands. 
The effects of the pandemic  The events of 2020 haven’t helped matters either. In the wake of the global pandemic, people have experienced extremely stressful situations that affected their health and finances, against a backdrop of political uncertainty and social unrest, while simultaneously juggling the demands of their jobs. The sudden shift to remote working also meant that people were surrounded by new distractions, and over half of respondents (57%) told us they felt more distracted when working from home.  According to Jeff Hancock, a professor at Stanford University who collaborated with us on this report, people tend to make mistakes or decisions they later regret when they are stressed and distracted. This is because when our cognitive load is overwhelmed, and when our attention is split between multiple tasks, we aren’t able to fully concentrate on the task in front of us. What does this mean for security?  Not only are these findings incredibly concerning for employees’ health and wellbeing, these factors could also explain why mistakes that compromise cybersecurity are happening more than ever. The majority of employees (52%) we surveyed said they make more mistakes at work when they are stressed.  !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); Younger employees seem to be more affected by stress than their older co-workers, though. Nearly two-thirds of workers aged 18-30 years old (62%) said they make more mistakes when they are stressed, compared to 45% of workers over 51 years old.  Our research also revealed that 43% and 41% of employees believe they are more error-prone when tired and distracted, respectively. In fact, people cited distraction as the top reason for why they fell for a phishing scam at work while 44% said they had accidentally sent an email to the wrong person (44%) because they were tired.  While these mistakes may seem trivial on the surface, phishing is the number one threat vector used by hackers today and one in five companies told us they have lost customers as a result of an employee sending an email to the wrong person. Far from red-faced embarrassment, these mistakes are compromising businesses’ cybersecurity.
The other problem is that hackers are preying on our vulnerable states, and using them to their advantage. Cybercriminals know people are stressed and looking for information about the pandemic and remote working. They know that some individuals are struggling financially and others have lost their jobs. The lure of a ‘too-good-to-be-true’ deal or ‘get a new job fast’ offer may suddenly look very appealing, especially if the email appears to have come from a trusted source, and cause people to click.  So what can businesses do to protect employees from mistakes caused by burnout?  Business and security leaders need to realise that it’s unrealistic for employees to act as the company’s first line of defence. You cannot expect every employee to spot every scam or make the right cybersecurity decision 100% of the time, particularly when they’re dealing with stressful situations and working in environments filled with distractions. When faced with never-ending to-do lists and back-to-back Zoom calls, cybersecurity is the last thing on people’s minds. In fact, a third of respondents told us they “rarely” or “never” think about security when at work.  Businesses, therefore, need to create a culture that doesn’t blame people for their mistakes and, instead, empowers them to do great work without security getting in the way. Understand how stress impacts people’s cybersecurity behaviors and tailor security policies and training so that they truly resonate for every employee.
Educating people on how hackers might take advantage of their stress and explaining the types of scams that people could be susceptible to is an important first step. For example, a hacker could impersonate a senior IT director, supposedly communicating the implementation of new software to accommodate the move back into the office, and asks employees to share their account credentials. Or a hacker may pose as a trusted government agency requesting personal information in relation to a new financial relief scheme.  Businesses should also implement solutions that can help employees make good cybersecurity decisions and reduce risk over time. Security solutions like Tessian use machine learning to understand employee behaviours to alert people to risks on email as and when they arise. By warning individuals in real-time, we can educate individuals as to why the email they were about to send or have received is a threat to company security. It helps to make people think twice before they do something they might regret.  With remote working here to stay, and with hackers continually finding ways to capitalize on people’s stress in order to manipulate them, businesses must prioritize cybersecurity at the human layer. Only by understanding why people make mistakes that compromise cybersecurity, can you begin to prevent burnout from causing your next data breach.
Compliance Data Exfiltration DLP Human Layer Security
You Sent an Email to the Wrong Person. Now What?
By Maddie Rosenthal
04 August 2020
So, you’ve sent an email to the wrong person. Don’t worry, you’re not alone. According to Tessian research, over half (58%) of employees say they’ve sent an email to the wrong person.  We call this a misdirected email and it’s really, really easy to do. It could be a simple spelling mistake, it could be the fault of Autocomplete, or it could be an accidental “Reply All”. But, what are the consequences of firing off an email to the wrong person and what can you do to prevent it from happening?  We’ll get to that shortly. But first, let’s answer one of the internet’s most popular (and pressing) questions: Can I stop or “un-send” an email?
Can I un-send an email? The short (and probably disappointing) answer is no. Once an email has been sent, it can’t be “un-sent”. But, with some email clients, you can recall unread messages that are sent to people within your organization.  Below, we’ll cover Outlook/Office 365 and Gmail. Recalling messages in Outlook & Office 365 Before reading any further, please note: these instructions will only work on the desktop client, not the web-based version. They also only apply if both you (the sender) and the recipient use a Microsoft Exchange account in the same organization or if you both use Microsoft 365.  In layman’s terms: You’ll only be able to recall unread emails to people you work with, not customers or clients. But, here’s how to do it. Step 1: Open your “Sent Items” folder Step 2: Double-click on the email you want to recall Step 3: Click the “Message” tab in the upper left-hand corner of the navigation bar (next to “File”) → click “Move” → click “More Move Actions” → Click “Recall This Message” in the dropdown menu Step 4: A pop-up will appear, asking if you’d like to “Delete unread copies of the message” or “Delete unread copies and replace with a new message” Step 5: If you opt to draft a new message, a second window will open and you’ll be able to edit your original message While this is easy enough to do, it’s not foolproof. The recipient may still receive the message. They may also receive a notification that a message has been deleted from their inbox. That means that, even if they aren’t able to view the botched message, they’ll still know it was sent.  More information about recalling emails in Outlook here. Recalling messages in Gmail Again, we have to caveat our step-by-step instructions with an important disclaimer: this option to recall messages in Gmail only works if you’ve enabled the “Delay” function prior to fat fingering an email. The “Delay” function gives you a maximum of 30 seconds to “change your mind” and claw back the email.  Here’s how to enable the “Delay” function. Step 1: Navigate to the “Settings” icon → click “See All Settings” Step 2: In the “General” tab, find “Undo Send” and choose between 5, 10, 20, and 30 seconds.  Step 3: Now, whenever you send a message, you’ll see “Undo” or “View Message” in the bottom left corner of your screen. You’ll have 5, 10, 20, or 30 seconds to click “Undo” to prevent it from being sent.  Note: If you haven’t set-up the “Delay” function, you will not be able to “Undo” or “Recall” the message.  More information about delaying and recalling emails in Gmail here. So, what happens if you can’t recall the email? We’ve outlined the top six consequences of sending an email to the wrong person below. 
What are the consequences of sending a misdirected email? We asked employees in the US and UK what they considered the biggest consequences of sending a misdirected email. Here’s what they had to say. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Importantly, though, the consequences of sending a misdirected email depend on who the email was sent to and what information was contained within the email. For example, if you accidentally sent a snarky email about your boss to your boss, you’ll have to suffer red-faced embarrassment (which 36% of employees were worried about). If, on the other hand, the email contained sensitive customer, client, or company information and was sent to someone outside of the relevant team or outside of the organization entirely, the incident would be considered a data loss incident or data breach. That means your organization could be in violation of data privacy and compliance standards and may be fined. But, incidents or breaches don’t just impact an organization’s bottom line. It could result in lost customer trust, a damaged reputation, and more. Let’s take a closer look at each of these consequences. Fines under compliance standards. Both regional and industry-specific data protection laws outline fines and penalties for the failure to implement effective security controls that prevent data loss incidents. Yep, that includes sending misdirected emails. Under GDPR, for example, organizations could face fines of up to 4% of annual global turnover, or €20 million, whichever is greater.  And these incidents are happening more often than you might think. Misdirected emails are the number one security incident reported to the Information Commissioner’s Office (ICO). They’re reported 20% more often than phishing attacks. You can read more about the biggest fines under GDPR so far in 2020 on our blog. Lost customer trust and increased churn. Today, data privacy is taken seriously… and not just by regulatory bodies.  Don’t believe us? Research shows that organizations see a 2-7% customer churn after a data breach and 20% of employees say that their company lost a customer after they sent a misdirected email. A data breach can (and does) undermine the confidence that clients, shareholders, and partners have in an organization. Whether it’s via a formal report, word-of-mouth, negative press coverage, or social media, news of lost – or even misplaced – data can drive customers to jump ship. Revenue loss. Naturally, customer churn + hefty fines = revenue loss. But, organizations will also have to pay out for investigation and remediation and for future security costs. How much? According to IBM’s latest Cost of a Data Breach report, the average cost of a data breach today is $3.86 million. Damaged reputation. As an offshoot of lost customer trust and increased customer churn, organizations will – in the long-term – also suffer from a damaged reputation. Like we’ve said: people take data privacy seriously. That’s why, today, strong cybersecurity actually enables businesses and has become a unique selling point in and of itself. It’s a competitive differentiator. Of course, that means that a cybersecurity strategy that’s proven ineffective will detract from your business. But, individuals may also suffer from a damaged reputation or, at the very least, will be embarrassed. For example, the person who sent the misdirected email may be labeled careless and security leaders might be criticized for their lack of controls. This could lead to…. Job loss. Unfortunately, data breaches – even those caused by a simple mistake – often lead to job losses. It could be the Chief Information Security Officer, a line manager, or even the person who sent the misdirected email.  It goes to show that security really is about people. That’s why, at Tessian, we take a human-centric approach and, across three solutions, we prevent human error on email, including accidental data loss via misdirected emails.
How does Tessian prevent misdirected emails? Tessian turns an organization’s email data into its best defense against human error on email. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling Tessian Guardian to automatically detect and prevent anomalous and dangerous activity like emails being sent to the wrong person. Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.  That means that if, for example, you frequently worked with “Jim Morris” on one project but then stopped interacting with him over email, Tessian would understand that he probably isn’t the person you meant to send your most recent (highly confidential) project proposal to. Crisis averted.  Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.
Customer Stories DLP Human Layer Security
Data Leakage and Exfiltration: 7 Problems Tessian Helps Solve
03 August 2020
On Wednesday, July 29, Tessian hosted a webinar with two customers: Euromoney Institutional Investor and ERT. The topic? Data exfiltration and reduced visibility while workforces are remote. Martyn Booth, Chief Information Security Officer (CISO) at Euromoney Institutional Investor and Ted Crawford, Chief Information Officer (CIO) at ERT both offered incredible insights about how things have changed from a security perspective over the last four months and how Tessian has helped them lock down email, even before their employees started working from home. And, because Martyn and Ted are two security leaders in different industries (Financial Services and Tech/Healthcare respectively) and are based in different regions (England and The United States), they were able to share diverse opinions and experiences. Keep reading to learn more about how Tessian has helped them solve some of their biggest pain points.  7 Problems Tessian Helps Solve 1. Tessian prevents accidental data loss on email When you hear data exfiltration, what do you think of?  Many of you probably thought immediately about Insider Threats and other malicious activity. But, as our customers pointed out, most incidents involving data loss are accidental. Or, as Martyn put it, are the result of “naive email usage”. It could be an employee sending an email to the wrong person (we call this a misdirected email), it could be someone hitting “reply all”, or it could be someone emailing a spreadsheet to their personal email account to work on over the weekend.  Harmless, right? Not exactly. If these “accidents” involve sensitive information related to employees, customers, clients, or the company itself, it’s considered a breach.  Organizations can prevent all of the above with Tessian Guardian.  This is especially important now that employees are working remotely. Why? Because the lines between peoples’ personal and professional lives are blurred. Beyond that, people are distracted, stressed, and tired which, as we’ve shown in our latest research report The Psychology of Human Error, increases the likelihood that a mistake will happen. 2. Tessian prevents malicious data exfiltration on email While, many data loss incidents are accidental, some employees do intentionally exfiltrate data. There are a number of reasons why, but financial gain and a competitive edge are the most likely motivators.  Unfortunately, with so many people being laid off, made redundant, or furloughed, many organizations have seen a spike in this type of malicious activity. But, with Tessian Enforcer, organizations’ most sensitive data is kept safe.  Employees attempting to email sensitive information to themselves or a suspicious third-party will receive a warning message, explaining why the email has been flagged and asking if they’re sure they want to proceed. At the same time, security teams will get a notification.
Note: Instead of warning the employee and asking if they’d like to send the email anyway, security teams can easily configure Tessian to automatically quarantine emails that look like data exfiltration. Book a demo to see Tessian in action.  3. Tessian makes it easy to report security risks and communicate ROI  Communicating cybersecurity ROI has historically been a real challenge for security leaders. Not with Tessian. Martyn explained how Tessian enables him to share key results with executives and demonstrate the effectiveness of not just the solution, but his overall strategy. “One of the pillars of our infrastructure strategy was to build transparency across the organization. This comes from sharing metrics. With Tessian, we can show how many alerts were picked up and, each month, we can show the risk committee that we’re reducing the number of alerts. Now, are they actually interested in our preventative controls? I don’t think so. But the whole point of the metrics program is to show how well (or badly) our strategy is performing.  Before, they would make their decision based on cost or how much risk they thought we were going to be mitigating. It was quite subjective. We’ve moved that now into something more data-based. We can actually say “Well, actually, we pay x per year and, as a result of that, we’re going in the right direction in terms of our risk mitigations.” 4. Tessian helps organizations stay compliant  Both Healthcare and Financial Services are highly regulated industries that are bound to several compliance standards beyond GDPR.  That’s why, for Ted, protecting sensitive clinical data and ensuring “privacy and security by design” are both paramount. “There’s a lot of data that we need to protect and prevent from getting outside of the four walls of ERT,” he said. “As an offshoot of GDPR in 2018, we had to classify all of the data, determine from a privacy perspective how to treat it from a sensitivity perspective, and then decide how to treat it from a security perspective. Because it’s very easy to pull sensitive data and incur data loss on email, we needed a solution that would help us ensure data isn’t distributed where it shouldn’t go. That’s why we approached Tessian.” For more information about compliance in Financial Services, check out this article: Ultimate Guide to Data Protection and Compliance in Financial Services.
5. Tessian saves security teams time  While essential for compliance, classifying (and re-classifying) data, monitoring movement, investigating incidents, and generating reports all take a lot of time. That’s why 85% of IT leaders say rule-based DLP is admin-intensive.  With Tessian, security teams don’t have to do any of the above manually. This is a big selling point for Martyn, who said, “That’s where we really see the value with Tessian. It takes the burden off of people in my security team.” Tessian is powered by machine learning algorithms that have been trained on billions of data points. That means our solutions automatically understand what is and isn’t normal behavior for individual employees and can, therefore, detect and prevent threats before they turn into incidents or breaches. No rules required.  You can read more about our technology here.  6. Tessian gives security teams clear visibility of risks We’ve talked a lot about how Tessian detects and prevents risks. But for a solution to be really successful, it has to give security teams clear visibility of the risks in their organization. Tessian’s Human Layer Security platform does both.  With Tessian Human Layer Security Intelligence, our customers can easily and automatically get detailed insights into employee’s actions.  For example, imagine that in a single week, Tessian detects 12 different employees attempting to send sensitive information to their personal email accounts. When warned that sending the email is against company policy, nine of the employees opted to not send the email. The other three went ahead. Knowing this, security leaders can focus their efforts on the three that went ahead and offer additional, targeted training or, if necessary, they can escalate the incident to a line manager to issue a more formal warning.  This also helps predict future behavior. For example, if Tessian flags that an employee has sent upwards of 20 attachments – including Intellectual Property that would be valuable to a competitor – to a recipient he or she has no previous email history with soon after being denied a raise or promotion, security teams could infer that the employee is resigning and taking company data with them.  And, to prevent any further data exfiltration attempts, they can create custom filters specifically for that user, including customized warning messages or a filter that automatically blocks future exfiltration attempts. Before Tessian, this wasn’t possible for Martyn.  “Even if we suspected that an employee was going to go to a competitor and take data, we couldn’t check. We couldn’t see anything that was going up to the Cloud. It was all encrypted. The only way we would be able to see what people were emailing would be to actually go through individual emails to find ones that were problematic. We didn’t have time for that,” he said. 
7. Tessian helps reinforce training and improve employee’s security reflexes with in-the-moment warnings In the example above, three employees opted to send an email after being warned that doing so would be against company policy. But, what about the other nine? The warning message changed their behavior! It actually incentivized them to accurately mark emails as confidential or malicious if they were, in fact, confidential or malicious. This is really important. “You can’t take a ‘big bang’ approach to data privacy awareness training. To really see employees empowered, you have to constantly reinforce training,” Ted said.  The bottom line: For training to be effective long-term, employees need to apply what they learn to real-world situations and be reminded of policies in-the-moment. Over time, this will help improve their security reflexes and help build a more positive security culture.  Henry Trevelyan Thomas, the host of the webinar and Tessian’s Head of Customer Success, summarized the benefits of this for both employees and security leaders, “This is a really productive way to help employees take accountability for how they handle data. It democratizes security and takes some of the weight off of the Chief Information Security Officer’s shoulders.” Tessian can help prevent data exfiltration in your organization, too Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way.  Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.
Data Exfiltration DLP Human Layer Security Spear Phishing
Research Shows How To Prevent Mistakes Before They Become Breaches
By Maddie Rosenthal
22 July 2020
We all make mistakes. But with over two-fifths of employees saying they’ve made mistakes at work that have had security repercussions, businesses need to find a way to stop mistakes from happening before they compromise cybersecurity.  That’s why we developed our report The Psychology of Human Error, with the help of Jeff Hancock, a professor at Stanford University and expert in social dynamics online.  We wanted to understand why these mistakes are happening, rather than simply dismissing incidents of human error as people acting carelessly or labeling people the ‘weakest link’ when it comes to security. By doing so, we hope businesses can better understand how to protect their people, and the data they control.  Key findings: 43% of employees have made mistakes that have compromised cybersecurity A third of workers (33%) rarely or never think about cybersecurity when at work 52% of employees make more mistakes when they’re stressed, while 43% are more error-prone when tired 58% have sent an email to the wrong person at work and 1 in 5 companies lost customers after an employee sent a misdirected email  Read on to learn why this matters. You can also register for our webinar on August 19 here. We’ll be exploring key findings from the report with Jeff Hancock. You’ll walk away with a better understanding of how hacker’s are manipulating employees and what you can do to stop them. What mistakes are people making?  The majority of our survey respondents said they had sent an email to the wrong person, with nearly one-fifth of these misdirected emails ending up in the wrong external person’s inbox.  Far from just red-faced embarrassment, this simple mistake has devastating consequences. Not only do companies face the wrath of data protection regulators for flouting the rules of regulations like GDPR, our research reveals that one in five companies lost customers as a result of a misdirected email, because the trust they once had with their clients was broken. What’s more, one in 10 workers said they lost their job.  !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); Another mistake was clicking on links in phishing emails, something a quarter of respondents (25%) said they had done at work. This figure was significantly higher in the Technology industry however, with 47% of workers in this sector saying they’d fallen for phishing scams. It goes to show that even the most cybersecurity savvy people can make mistakes.  Interestingly, men were twice as likely as women to fall for phishing scams. While researchers aren’t 100% sure as to why gender differences play a factor in phishing susceptibility, our report does show that demographics play a role in people’s cybersecurity behaviors at work.  What’s causing these mistakes to happen?  1. Younger employees are 5x more likely to make mistakes 50% aged 18-30 years olds said they had made such mistakes with security repercussions for themselves or their organization. Just 10% of workers over 51 said the same.  This disparity, our report suggests, is not because younger workers are more careless. Rather, it may be because younger workers are actually more aware that they have made a mistake and are also more willing to admit their errors. For older generations, Professor Hancock explains, self-presentation and respect in the workplace are hugely important. They may be more reluctant to admit they’ve made a mistake because they feel ashamed due to preconceived notions about their generations and technology. Businesses, therefore, need to not only acknowledge how age affects cybersecurity behaviors but also find ways to deshame the reporting of mistakes in their organization. 2. 93% of employees are stressed and tired Employees told us they make more mistakes at work when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%).  This is concerning when you consider that an overwhelming 93% of employees surveyed said they were either tired or stressed at some point during the working week. This isn’t helped by the fact that nearly two-thirds of employees feel chained to their desks, with 61% saying there is a culture of presenteeism in their organization that makes them work longer hours than they need to.  The Covid-19 pandemic has put people under huge amounts of stress and change. In light of the events of 2020, our findings call for businesses to empathize with people’s positions and understand the impact stress and working cultures have on cybersecurity.
3. 57% of employees are being driven to distraction 47% of employees surveyed cited distraction as a top reason for falling for a phishing scam, while two-fifths said they sent an email to the wrong person because they were distracted.  With over half of workers (57%) admitting they’re more distracted when working from home, the sudden shift to remote-working could open businesses up to even more risks caused by human error. It’s hardly surprising. We suddenly had to set-up offices in the homes we share with our young children, pets and our housemates. There’s a lot going on, and mistakes are likely to happen. 
4. 41% thought phishing emails were from someone they trusted Over two-fifths of people (43%) mistakenly clicked on phishing emails because they thought the request was legitimate, while 41% said the email appeared to have come from either a senior executive or a well-known brand.  Over the past few months, we’ve seen hackers impersonating well-known brands and trusted authorities in their phishing scams, taking advantage of people’s desire to seek guidance and information on the pandemic. Impersonating someone in a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns. Why? Because they know how difficult or unlikely it is to ignore a request from someone you like, respect or report into.  Businesses need to protect their people from these phishing scams. Educate staff on the ways hackers could take advantage of their circumstances and invest in solutions that can detect the impersonations, when your distracted and overworked employees can’t. !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); But how can businesses prevent these mistakes from happening in the first place?  To successfully prevent mistakes from turning into serious security incidents, businesses have to take a more human approach.  It’s all too easy to place the blame of data breaches on people’s mistakes. But businesses have to remember that not every employee is an expert in cybersecurity. In fact, a third of our survey respondents (33%) said they rarely or never think about cybersecurity when at work. They are focused on getting the jobs they were hired to do, done. !function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async"); Training and policies help. However, combining this with machine intelligent security solutions – like Tessian – that automatically alert individuals of potential threats in real-time is a much more powerful tool in preventing mistakes before they turn into breaches.  Alerting employees to the threat in-the-moment helps override impulsive and dangerous decision-making that could compromise cybersecurity. By using explainable machine learning, we arm employees with the information they need to apply conscious reasoning to their actions over email, making them think twice before doing something they might regret. 
And with greater visibility into the behaviors of your riskiest and most at-risk employees, your teams can tailor security training and policies to influence and improve staff’s cybersecurity behaviors. Only by protecting people and preventing their mistakes can you ensure data and systems remain secure, and help your people do their best work. Read the full Psychology of Human Error report here.
DLP Spear Phishing
Why Political Campaigns Need Chief Information Security Officers
20 July 2020
On July 10th, Joe Biden’s US presidential campaign announced it was hiring a Chief Information Security Officer (CISO) and a Chief Technology Officer (CTO). Biden’s campaign team told The Hill that these security professionals would help “mitigate cyber threats, bolster… voter protection efforts, and enhance the overall efficiency and security of the entire campaign.” This development confirms what cybersecurity experts have long understood — that, just like businesses, political campaigns require a CISO. We’ll tell you why. Are political campaigns likely targets of cybercrime? Rates of cybercrime — and the sophistication of cybercriminals — continue to increase across all sectors. Whether it’s phishing attacks, malware, ransomware, or brute force attacks, incidents are on the rise.  And, when you consider which industries are the most targeted (Healthcare, Financial Services, Manufacturing) It’s easy to understand why political campaigns are also targets of hackers and scammers: Political campaigns are a cornerstone of the democratic process They process the personal information of thousands of voters  They handle confidential and security-sensitive information These aren’t anecdotal reasons. Political campaigns have been targeted by cybercriminals before. For example, in 2016, Hillary Clinton’s campaign manager, John Podesta, received a spear phishing email disguised as a Google security alert. Podesta followed a link, entered his login credentials, and exposed over 50,000 emails to malicious actors. This is a great example of how human error can lead to data breaches and goes to show that anyone can make a mistake.  That’s why cybersecurity is so important. Learn how Tessian prevents spear phishing attacks.  How can a CISO help a political campaign? Hiring a CISO — and thus improving the cybersecurity of political campaigns — has three main benefits: Safeguarding the democratic process Protecting voter privacy Maintaining national security Let’s explore each of these in a bit more detail. You can also check out our CISO Spotlight Series to get a better idea of what role a CISO plays across different sectors.  Safeguarding the Democratic Process Whatever your political persuasion, it’s hard to ignore headlines that detail the role cybercriminals played in the 2016 US election, including: Cyberattacks occurred against politicians Electoral meddling undermined voters’ faith in the democratic process Better cybersecurity could have mitigated the impact of electoral cyberattacks A CISO ensures better coordination of a political campaign’s IT security program. This can involve: Mandating security software on all campaign devices  Setting up DMARC records for domains used in campaigning Assessing risk and responding to threats Increasing staff awareness of good cybersecurity practices Of course, these functions aren’t specific to political campaigns. A CISO’s job, whether at a big bank or a law firm, is to safeguard systems, data, and devices by implementing policies, procedures, and technology and to help build a positive security culture. The difference, though, is that while a CISO at your “average” organization helps prevent data breaches and other security incidents, the CISO of a political campaign does all of this while also helping maintain faith in the process among voters.  Keep reading to find out how. Protecting voter privacy Political campaigns must communicate directly with individual voters which means those working on the campaign have access to highly sensitive information. And, we’re not just talking about names and addresses. Even a person’s intention to vote is highly sensitive personal information.  While – yes – many people publicly proclaim their ideology and voting intention via social media, those people don’t expect their information to be mined by data-harvesting software, combined with other personal information, and shared with unauthorized third parties. They simply want to share their views with friends, family, and followers.
Like hacking, data mining operations can affect the outcome of elections. They also represent a gross invasion of individual privacy.  How valuable an asset is voter data? A few recent high-profile examples will give you an idea. (Click the links to learn more about each individual incident.) The UK pro-Brexit Vote Leave campaign’s involvement in the Cambridge Analytica scandal Rand Paul and Ted Cruz’s campaigns allegedly selling their voters’ contact information to the Trump campaign Rick Santorum’s campaign selling voters’ data to a “doomsday prepper” firm These examples prove that voter data can be used to raise funds or create a political advantage. But what are the consequences? To start, voter trust is lost which – as we’ve discussed – can impact the democratic process. Beyond that, there are also legal ramifications. Under state and federal privacy laws, selling personal information is a legally-regulated activity. Any allegation that a campaign has violated privacy law would be extremely damaging not just reputationally, but financially.  A CISO can help ensure that a political campaign is less likely to engage in risky behavior with voters’ personal information and assist the campaign to comply with privacy law.  But it’s not just personal information that political campaigns handle. Maintaining National Security Political campaigns also handle security-sensitive information which must be carefully safeguarded. Robert Deitz, former senior counselor to the CIA, told Washington Post that a Russian cyberattack on the Trump campaign could reveal information about Trump’s foreign investments and negotiating style. Having access to this data could help Russia understand “where it can get away with foreign adventurism.” A CISO has overall responsibility for information safeguarding within an organization. They understand:  What types of data exist about the candidate  How and where the information is processed, stored, and transferred Who can access the data All of this information helps CISOs implement data loss prevention (DLP) strategies in order to keep sensitive information out of the hands of bad actors.  Why does this matter?  Data privacy – and therefore cybersecurity – is essential for the modern world.  In fact, in business, a strong security posture fosters trust with customers and prospects and is therefore considered a competitive edge. Why? Because data is valuable currency. Customers and prospects expect the organizations they interact with to safeguard the information shared with them. Shouldn’t politicians foster trust with voters in the same way? 
Compliance DLP Human Layer Security
At a Glance: Data Loss Prevention in Healthcare
By Maddie Rosenthal
30 June 2020
Data Loss Prevention (DLP) is a priority for organizations across all sectors, but especially for those in Healthcare. Why? To start, they process and hold incredible amounts of personal and medical data and they must comply with strict data privacy laws like HIPAA and HITECH.  Healthcare also has the highest costs associated with data breaches – 65% higher than the average across all industries – and has for nine years running.  But, in order to remain compliant and, more importantly, to prevent data loss incidents and breaches, security leaders must have visibility over data movement. The question is: Do they? According to our latest research report, The State of Data Loss Prevention 2020, not yet. How frequently are data loss incidents happening in Healthcare? Data loss incidents are happening up to 38x more frequently than IT leaders currently estimate.  Tessian platform data shows that in organizations with 1,000 employees, 800 emails are sent to the wrong person every year. Likewise, in organizations of the same size, 27,500 emails containing company data are sent to personal accounts. These numbers are significantly higher than IT leaders expected.
But, what about in Healthcare specifically? We found that: Over half (51%) of employees working in Healthcare admit to sending company data to personal email accounts 41% of employees working in Healthcare say they’ve sent an email to the wrong person 35% employees working in Healthcare have downloaded, saved, or sent work-related documents to personal accounts before leaving or after being dismissed from a job Download the data sheet for more stats, including graphs. This only covers outbound email security. Hospitals are also frequently targeted by ransomware and phishing attacks and Healthcare is the industry most likely to experience an incident involving employee misuse of access privileges.  Worse still, new remote-working structures are only making DLP more challenging.
Healthcare professionals feel less secure outside of the office  While over the last several months workforces around the world have suddenly transitioned from office-to-home, this isn’t a fleeting change. In fact, bolstered by digital solutions and streamlined virtual services, we can expect to see the global healthcare market grow exponentially over the next several years.  While this is great news in terms of general welfare, we can’t ignore the impact this might have on information security.   Half of employees working in Healthcare feel less secure outside of their normal office environment and 42% say they’re less likely to follow safe data practices when working remotely.   Why? Most employees surveyed said it was because IT isn’t watching, they’re distracted, and they’re not working on their normal devices. But, we can’t blame employees. After all, they’re just trying to do their jobs and cybersecurity isn’t top-of-mind, especially during a global pandemic. Perhaps that’s why over half (57%) say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job.  That’s why it’s so important that security leaders make the most secure path the path of least resistance. How can security leaders in Healthcare help protect employees and data? There are thousands of products on the market designed to detect and prevent data incidents and breaches and organizations are spending more than ever (up from $1.4 million to $13 million) to protect their systems and data.  But something’s wrong.  We’ve seen a 67% increase in the volume of breaches over the last five years and, as we’ve explored already, security leaders still don’t have visibility over risky and at-risk employees. So, what solutions are security, IT, and compliance leaders relying on? According to our research, most are relying on security training. And, it makes sense. Security awareness training confronts the crux of data loss by educating employees on best practice, company policies, and industry regulation. But, how effective is training, and can it influence and actually change human behavior for the long-term? Not on its own. Despite having training more frequently than most industries, Healthcare remains among the most likely to suffer a breach. The fact is, people break the rules and make mistakes. To err is human! That’s why security leaders have to bolster training and reinforce policies with tech that understands human behavior. How does Tessian prevent data loss on email? Tessian uses machine learning to address the problem of accidental or deliberate data loss. How? By analyzing email data to understand how people work and communicate.  This enables Tessian Guardian to look at email communications and determine in real-time if a particular email looks like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. 
Interested in learning more about how Tessian can help prevent data loss in your organization? You can read some of our customer stories here or book a demo. You can also download this data sheet to share key statistics with others.
Data Exfiltration DLP Human Layer Security
Research Shows Employees Are Less Likely To Follow Safe Data Practices At Home
26 June 2020
While organizations may have struggled initially to get their employees set-up to work securely outside of their normal office environment, by now, most have introduced new software, policies, and procedures to accommodate their new distributed teams.  Problem solved, right? Not quite. While 91% of IT leaders trust their employees to follow security best practice while out of the office, almost half (48%) of employees say they’re less likely to follow safe data practices when working remotely and a further 52% say they feel as though they can get away with riskier behavior when working from home.   In our latest research report, The State of Data Loss Prevention 2020, we explore the reasons why.  Key findings include: 50% of employees say they’re less likely to follow safe data practices when working from home because they’re not working on their usual devices. 48% of employees say they’re less likely to follow safe data practices when working from home because they feel as though they’re not being watched by their IT teams. 47% of employees say they’re less likely to follow safe data practices when working from home because they’re distracted. Read on to learn why this matters and what you can do to promote safer security practices in your organization.
Why is data loss prevention (DLP) harder when workforces are remote? 84% of IT leaders say that DLP is more challenging when employees are working remotely. It makes sense. One or two offices have become thousands of virtual offices which means maintaining visibility over data flow is more difficult than ever.  People are relying more heavily on email and other communication tools and are therefore sending data more frequently. Security and IT teams have limited control over how employees handle physical data (for example how they print, store, and dispose of documents). And there’s been a spike in inbound attacks like phishing since the outbreak of COVID-19.  This is to say that organizations are more vulnerable across email security, physical security, and network security. While there are tools to detect and prevent incidents, data loss prevention ultimately relies on people. After all, it’s people who control our systems and data. They’re the gatekeepers of an organization’s most sensitive information. But, despite IT leaders’ confidence and optimism (91% say they trust their employees to follow security best practice while out of the office), nearly half (48%) of employees say they’re less likely to.   !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); The question is: Why?
1. 50% of employees say they’re less likely to follow safe data practices when working from home because they’re not working on their usual devices. Most of us have dedicated workstations in the office and have grown accustomed to certain equipment. Whether it’s multiple monitors, a desktop, a keyboard, a printer, or a trackpad, we’re comfortable working on our usual devices.  At home, not all of us are so lucky. And, while security and IT teams around the world have worked hard to get their teams set-up at home, there have been delays and even cancellations in global supply chains providing laptops, cell phones, and other technology.  What to do about it: If you’re unable to get your employees the equipment they need, you should consider BYOD policies. We’ve covered the benefits, potential security risks, and tips for employers and employees in this blog: Remote Worker’s Guide To: BYOD Policies.  You can also implement training sessions for new devices to ensure your employees feel comfortable using them. (Be sure to also train your employees on any new applications or software!) 2. 48% of employees say they’re less likely to follow safe data practices when working from home because they feel as though they’re not being watched by their IT teams. While we can say with confidence that the average employee wants to do the right thing when it comes to security, it’s important to remember that first and foremost, they want to get their jobs done. And, if security policies, procedures, or software makes that difficult or prevents them from doing it all together, they’ll find a workaround.  In fact, 54% of employees say exactly that. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); In an office environment, it’s easier for IT and security teams to maintain visibility of employee behavior. They can see if someone isn’t locking their laptop. They can see if someone is using a USB stick when they shouldn’t. They can see if someone has skipped security training. But, IT and security teams aren’t just there to enforce rules. They’re also there to educate employees and build a strong security culture. That’s harder with distributed workforces.
What to do about it: Communicate, communicate, communicate. Whether it’s sharing information about new threats, reminding employees of security do’s and don’ts, or offering an individual or team kudos for secure behavior, you need to consistently remind your team not only that you’re there, but that you’re there to help. But, you shouldn’t over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. 3. 47% of employees say they’re less likely to follow safe data practices when working from home because they’re distracted. We’re not just working from home. We’re working from home during a crisis. It’s essential that security and business leaders keep this in mind. While most of us are trying to conduct “business as usual”, most of us are also dealing with a range of challenges. Parents have suddenly taken on the roles of teachers. Living rooms have been turned into makeshift coworking spaces for partners and roommates. Employees are navigating mass lay-offs and furlough schemes. Current social and political unrest is triggering emotional stress and anxiety. The bottom line: There’s a lot going on.  That means people are more likely to make mistakes. They may send an email to the wrong person. They may misconfigure a firewall. They may make sensitive documents public instead of private on a Google Drive. While these are “small” mishaps, they can have big consequences. In fact, each of the above incidents has caused a data breach.   What to do about it: Start by being empathetic and compassionate. Take the mental wellbeing of your employees seriously and give them the tools, resources, and support they need to thrive. We’ve put together some tips in this blog: 3 Practical Ways to Support Mental Wellbeing in the Workplace. Beyond that, though, you have to implement solutions that prevent human error. Why? Because it’s simply not fair (or realistic) to rely on people to do the right thing 100% of the time.  Tessian does this across three solutions: Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Curious how frequently these incidents are happening in your organization? Click here for a free threat report. How does Tessian support employees and security leaders working remotely? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands evolvong human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. 
Best of all: It works silently in the background across devices. That means employees can do their job without security getting in the way and they’re protected, wherever they work. Tessian bolsters training, reinforces policies and procedures, and enables employees to do their best work.  And, with Human Layer Security Intelligence, security, IT, and compliance leaders get clear visibility into employee behavior with visualized insights and automated threat intelligence. That means detecting and preventing human error is easier than ever and organizations can continuously lower the risks of misdirected emails, data exfiltration, and impersonation attacks.
To learn more about Tessian’s solutions, book a demo. And, for more insights around data loss on email (including the most and least effective solutions) read the report: The State of Data Loss Prevention 2020.
DLP Human Layer Security Spear Phishing
Tessian Human Layer Security Summit: Your Questions, Answered
24 June 2020
Last week, Tessian hosted the world’s first Virtual Human Layer Security Summit and, over the course of three hours, thought leaders from some of the world’s leading organizations shared insights and advice around business continuity, cybersecurity, and what the future looks like. Throughout the Summit, we asked the audience to submit questions but, with over 1,000 people tuning in, we weren’t able to address them all. Better late than never! Here are answers to some of your most pressing questions.  Did you miss the Human Layer Security Summit? You can view each session in the playlist below and you can read the key learnings from the day here: 13 Things We Learned at Tessian Virtual Human Layer Security Summit. You can also sign-up for our newsletter to ensure you’re the first to hear about upcoming events and other relevant industry and company news. 1. What is Human Layer Security? Human Layer Security (HLS) a new category of technology that secures all human-digital interactions in the workplace. Instead of protecting networks or devices, Human Layer Security protects people (employees, contractors, customers, suppliers). Why? Because people control our most sensitive systems and data. They’re the gatekeepers of information.  Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity like data exfiltration, accidental data loss, and spear phishing attacks. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. You can learn more about this new category of security in our Ultimate Guide to Human Layer Security.  2. What are some of the key risk indicators used to measure human fallibility?  In the context of email security, Tessian looks at three key human vulnerabilities:  People break the rules  People make mistakes People can be easily tricked While risk indicators vary based on the vulnerability, monitoring data handling (both physical and digital) and assessing employee’s understanding of cybersecurity best practices should help you understand how risky or at-risk a particular employee is. Read: Insider Threat Indicators: 11 Ways to Recognize an Insider Threat  For example, if someone in your HR department consistently falls for phishing scams during simulations, they’re at risk of falling for one in real-life. Likewise, if someone in your finance department doesn’t change their passwords as requested, they may be more likely to break other security rules. But, keeping track of every employee and their attitudes towards security is nearly impossible, especially in large companies. That’s why solutions like Tessian are essential.  With Tessian Human Layer Security Intelligence, you’ll be able to see at a glance which employees are breaking the rules, making mistakes, and getting hacked. You’ll also be able to review historical data to see how behaviors have changed (for better or worse) in order to correct or reward individuals.  Want to learn more about how Tessian Human Layer Security Intelligence helps security teams maintain visibility of the Human Layer risks in their organizations? Read our blog, which outlines use cases, benefits, and more.
3. In the context of remote-working, how does decreased focus impact security? Over the last several months, we’ve been talking a lot about remote-working and how these new set-ups can impact cybersecurity. And, while there are a lot of technical challenges to overcome – from setting up VPNs to onboarding and offboarding employees while out of the office – we can’t ignore the more human challenges. Tessian actually took a closer look at these challenges in our latest research report, The State of Data Loss Prevention 2020, and found that 91% of employees are less likely to follow safe security practices when working from home. But why?  47% said it’s because they’re distracted. And, it makes sense. When working from home, people have other responsibilities like childcare, roommates and, more often than note, they don’t have dedicated workstations like they do in their normal office environment. That means it’s easier to make mistakes. This isn’t trivial. One misdirected email could cause a data breach. It only takes one click of a mouse.  4. Does Tessian believe that employees are always trying to “get away” with something?  The short answer: absolutely not. We believe that the average employee is just trying to do their job and, if you give people the opportunity to make smart security decisions, they will. But, too often, security policies, procedures, and tech get in the way. And that’s where you run into problems.  51% of employees say security tools or software impede their productivity and a further 54% say they’ll find a workaround if security software or policies prevent them from doing their job. So, what do you do? Find a better way! Make the easiest path the most secure path.  This is a part of Tessian’s ethos. That’s why our solutions work silently in the background, have low flag rates for false positives, and reinforce security policies with contextual warnings.   5. What are some effective ways to change human behavior?  Training, a strong security culture, and tech. Importantly, you have to have all three. You have to first educate employees on why security matters for the larger organization and then explain how individual behaviors can impact its overall security posture. Of course, one training session isn’t enough to make the message stick. Security awareness training should be ongoing.  In fact, security should be baked into the overall business. That way, you create a strong security culture (which should start from the top-down) that really values and rewards secure behavior. But, even reinforcing security best practices isn’t enough. (Read our report: Why the Threat of Phishing Can’t be ‘Trained Away’.) To err is human.  Whether accidental or malicious, data loss incidents happen – even with regular training – which means your people shouldn’t be the last line of defense. Tech should be. Ideally, that tech will bolster training by reinforcing policies and procedures.  Tessian does this via contextual warnings that empower the employee to make his or her own decision, while also giving security teams full oversight.
6. How can you teach people outside of the cybersecurity team how to spot phishing emails and other social engineering attacks?  As we’ve said, the average employee just wants to do their job. They don’t want to be a security expert. That’s why it’s so important to teach people about security risks in terms they understand and care about. We’ve found that one of the best ways to teach employees how to spot phishing emails is to use consumer examples. For example, stimulus check scams, Tax Day scams, and Census scams.  Once you have several examples, make sure you point out what’s suspicious about the email and what to do if and when an employee receives one. If you work in a highly-targeted industry, make sure you reinforce frequent training with posters, PDFs, and other resources. We put together a guide – including examples – for COVID-19 attacks, which you can download at the bottom of this blog: Coronavirus and Cybersecurity: how to Stay Safe From Phishing Attacks. Feel free to share it with your employees!  7. What is your advice for a Cybersecurity Master’s student looking to explore the job sector? There is no right (or wrong) way to break into the industry. Cybersecurity is incredibly diverse and no one job, company, or project is the same. While you’re in school, get as much work experience as you can to find out what really ignites your passion. But, don’t take our word for it! Check out the profiles of over a dozen cybersecurity professionals on our blog. Or, read our report, Opportunity in Cybersecurity 2020, for an overview of the industry and what it has to offer new entrants.  Oh, and be sure to check out our open roles, too. Do you have more questions about Tessian or cybersecurity? Email [email protected] and we’ll get back to you. You can also book a demo to see how Tessian’s solutions can help prevent data loss incidents in your organization.
Customer Stories DLP Human Layer Security Spear Phishing
13 Things We Learned at Tessian Virtual Human Layer Security Summit
18 June 2020
Tessian’s Virtual Human Layer Security Summit was an incredible success thanks to our partners, speakers, and – of course – all of those who attended. Over 1,000 security, IT, compliance, business, and HR professionals watched as we explored how business models have changed, what these changes mean for all of us, and what to expect over the next several months. If you weren’t able to tune into the Summit yesterday, don’t worry! You can watch the full video below or access it on-demand. We’ve summarized some of the key points into relevant and actionable advice. Share these with your co-workers, share them on social media, or bookmark this blog for yourself. Here’s what we learned at Tessian Virtual Human Layer Security Summit.
1. We must treat our employees with empathy and compassion.  While the event was focused on cybersecurity and tech, one of the most important takeaways from the day is about being human. The Summit kicked off with an important reminder from Bobby Ford, Vice President and Global CISO at Unilever: “We’re not just working from home, we’re working from home during a crisis.” While – yes – we’re all trying to conduct “business as usual”, all of us are dealing with unique challenges. Many parents have suddenly taken on the roles of teachers, and living rooms have been transformed into makeshift co-working spaces for partners and roommates. And this doesn’t even account for the emotional stress of a global pandemic and current social and political unrest.  There’s a lot to navigate, process, and overcome, and many of us are distracted, stressed, and anxious. And that’s okay. As leaders and as humans, we have to be empathetic and compassionate. We have to take the mental wellbeing of our employees seriously and give them the tools, resources, and support they need to thrive, wherever they’re working.
2. The secure thing to do should be the easiest thing to do.  Let’s face it. Security isn’t the average employee’s top priority. They just want to do their job. Over half (54%) of employees say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job.  That’s why it’s so important that we implement policies, procedures, and tech that’s frictionless.  Bobby put this into perspective with an example from his own life.  When you’re a parent helping your son or daughter learn how to walk, what do you do? Child-proof the house and get outta the way! That’s what we need to be doing as security leaders. Make sure the most secure path is the path of least resistance, whether that’s ensuring your employees have a secure way to print and dispose of documents or implementing flexible BYOD policies.  3. Detection and prevention alone aren’t enough.  We all work hard to detect and prevent both inbound and outbound threats. And, while even that isn’t always easy, that’s not our only job. We also have to have to maintain visibility of risks, manage teams that are often thinly stretched, move quickly from investigation to remediation, and communicate threats to executive teams.  Almost impossible, right? Not anymore.  Tessian’s Group Product Manager, Harry Wetherald and Product Marketing Manager, Shanthi Shambathkumar, announced some very exciting news during the Summit: the launch of Human Layer Security Intelligence. With HLS Intelligence, security leaders can now predict, prevent, and protect against threats with zero manual investigation. That means you can continuously and proactively downtrend risks in your organization. Want to learn more? We outline all the benefits of Human Layer Security Intelligence and explore use cases on our blog: Introducing Tessian Human Layer Security Intelligence. 4. Executive teams must invest in security now.  While cybersecurity has historically been a siloed department, it’s becoming more and more integrated with overall business functions. In fact, it can actually be a business enabler and a unique selling point for customers and prospects.  But, only if your organization is secure. And, as Clive Novis, Chief IT Risk Officer at Investec pointed out, it takes a village to ensure data is protected which means cybersecurity initiatives must get support from senior executives first. During the customer panel discussion, he said “The tone is set from the top in terms of the security culture. They help ensure not only that controls are effective, but that those controls are consistent across the globe.” Needless to say, this is more important now than ever. As we continue to adapt to new remote and hybrid working structures, many of us are introducing new policies and solutions and we need buy-in across departments for these policies and solutions to work. 5. Email is the #1 threat vector.  Over the last few months, we’ve heard a lot about the dangers of Zoombombing. But, we’ve heard even more about COVID-19 themed phishing attacks, Tax Day scams, and 2020 Census scams. (Jump to #7 for more information.) With that said, email is the threat vector most security and IT leaders are concerned about.
It makes sense. Over 124 billion business emails are sent and received every day and employees spend 40% of their time on email sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data. It’s a gold mine. The bottom line: We need to be leveling up our DLP efforts on email. 6. Security incidents are happening up to 38x more than IT leaders currently estimate.  During the Summit, Tessian Co-founder and CEO Tim Sadler presented some of the key findings from our most recent report The State of Data Loss Prevention 2020. Our research reveals that data loss on email is a bigger problem than most realize, that remote-working brings new challenges around DLP, and that the solutions currently deemed most effective may actually be the least. While we addressed the frequency of misdirected emails and malicious data exfiltration, one of the most startling facts involves employees sending company data to personal email accounts.  At Tessian, we call these unauthorized emails, and according to our platform data, they’re being sent 27,500 times a year in organizations with 1,000 employees. Meanwhile, IT leaders estimate just 720 are sent. That’s a big difference and highlights the need for effective data loss prevention solutions.  Follow the links to learn more about how Tessian detects and prevents accidental data loss and data exfiltration attempts.  7. Phishing is still a big problem.  While phishing has always been a problem for organizations, we’ve seen a marked spike in incidents over the last few months. And it’s not just Tessian who has taken note. Elvis Chan, Supervisory Special Agent, National Security at the FBI has, too.  For him, phishing is the biggest risk.
What does this mean for you? Continue educating your employees about the risks associated with phishing and how to spot these attacks and ensure they’re protected with tech.  8. Security policies don’t stick unless they’re continuously reinforced.  We’ve said it before, but we’ll say it again: The average employee doesn’t care about security as much as you do. They just want to do their job. That means we have to continuously reinforce security policies, especially now that workforces are distributed.  But, repetition isn’t enough.  We have to communicate in terms our employees understand. Angela Henry, Business Information Security Officer at Rand Merchant Bank, recommends educating employees on business data privacy best practice alongside consumer data privacy best practice. Share tips that are relevant to their personal lives. Offer advice on how to keep their children secure online. Prepare resources around how to stay safe on e-commerce sites. Not only does this help foster a positive security culture in the office, but it also helps employees stay safe and secure at home.  9. …And policies aren’t effective unless they’re bolstered by technology.  While educating employees about policies is a vital part of any security strategy, it isn’t enough to prevent inbound and outbound threats and subsequent data breaches.  After all, we’re only human. We break the rules, make mistakes, and can be easily tricked. In fact, 44% of breaches are caused by human error. Elvis summed it up nicely when he said, “Even if we’re at technology 5.0, we’re still at human being 1.0.”  So, what do we do? Garrett recommends bolstering training with technology to ensure that people aren’t the last line of defense, saying “My ultimate view is that user awareness training is fine but – in mathematical terms – it’s necessary but not sufficient. I think it needs to be used in conjunction with other tools.” 10. Security needs diversity to thrive.  Throughout the Human Layer Security Summit, we talked a lot about security pre- and post-pandemic. But, Merrit Baer, Principal Security Architect at Amazon Web Services pointed out something else we shouldn’t forget.
She’s right. Cybersecurity needs diversity to thrive.  This diversity isn’t limited to gender or ethnic diversity. The field is wide open for a range of educational and professional backgrounds, from psychology majors to business analysts and just about everything in between.  You can read more about the opportunities available in cybersecurity in our report Opportunity in Cybersecurity 2020. 11. Remote working isn’t temporary. According to a recent poll by 451 Research, 38% of businesses expect work-from-home strategies will continue post-pandemic. And, when you consider companies like Facebook have already announced they’re permanently embracing remote-work, we should expect more to follow. The point? We should equip our workforces to thrive at home and ensure that we’re maintaining a strong security culture company-wide while also supporting our employees mentally and emotionally. (See #1.)  12. …And that doesn’t have to be a bad thing.  There are new and perennial challenges we must overcome in order to support a full-time remote workforce, but there are a number of benefits, too. Don’t take our word for it. Stephane Kasriel, Former CEO of Upwork – a company that has maintained a hybrid remote-working structure across 500 cities for nearly a decade – offered attendees of the Summit several reasons why this is something to look forward to, not dread.  To start, remote-working enables companies to find and work with the best talent, not just local talent. Beyond that, employees have more freedom to design their lives. They can more easily balance work and life, relocate as and when they need or want to, and create environments in which they can really thrive.  13. The Secret? Adapt, adopt, evolve. Repeat.  If there’s one thing that was made clear throughout every panel discussion, fireside chat, and interview, it’s that things have changed and will continue to change. The only way to succeed is to adapt and evolve. Adopt new technologies. Embrace new ways of working. Lean on peers and professional networks for advice.  In the spirit of change, we’ve put together a list of resources that will help you navigate security and business challenges of the present and future.  Security During Uncertainty: 6 Steps Security Leaders Can Take to Reduce Risk Cyber Culture in the Time of COVID COVID-19 and the Digital Pandemic Upwork Remote Work Resources COVID-19: Real-Life Examples of Phishing Emails 13 Cybersecurity Sins When Working Remotely Advice From Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Remote-Worker’s Guide To: Preventing Data Loss 11 Tools to Help You Stay Secure and Productive While Working Remotely Did we miss anything? Feel free to email [email protected] with your key learnings.
Page