
Buyer’s Guide to Integrated Cloud Email Security
by John Filitz Tuesday, March 29th, 2022
The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, brings a fresh approach to solving increasingly sophisticated and elusive email security threats. Here’s what to look for when choosing an ICES solution.

Born in the cloud, for the cloud, ICES solutions are seen as an integral additional layer of email security that complements the native email security capabilities of cloud productivity suites such as Microsoft 365 and Google Workspace. At last count, according to the latest Gartner Market Guide for Email Security (2021), there were 13 ICES vendors, giving customers plenty of choice. Not every ICES vendor, however, offers the same completeness of vision, degree of protection, or intelligent capabilities. This short guide covers some of the key fundamentals that prospective buyers of an ICES solution should be aware of.
Why is there a need for ICES solutions in the first place?

Evidence shows that email remains an important and attractive attack vector for threat actors; according to a recent study, it’s responsible for up to 90% of all breaches. The fact that the vast majority of breaches are attributed to an email compromise indicates that the status quo in email security is insufficient to prevent breaches. This was confirmed in a Forrester survey conducted on behalf of Tessian, in which over 75% of organizations reported that on average 20% of email security incidents get past their existing security controls.

Threat actors are using more sophisticated email-based techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web. In this new world, threat actors develop exploit kits and offer their services for sale, which has dramatically increased attackers’ ability to find targets. This explains why the cost of damages from cybercrime is expected to rocket to $10.5 trillion by 2025, a +350% increase from 2015.

Digital transformation is another key reason. Cloud adoption was accelerating before the Covid-19 pandemic, and in its wake it accelerated even more quickly. This dramatic shift to the cloud has significantly expanded the attack surface, with employees working from home, often on personal devices. The structural shift in computing has also revealed the soft underbelly of legacy cybersecurity solutions built for an on-premise world, including the rule-based, static protection for email offered by Secure Email Gateways (SEGs).
And this explains why 58% of cybersecurity leaders are actively looking to displace SEGs for the next generation of email security – with behavioral intelligence and machine learning at the core.
ICES fundamentals

Approach to threat detection and prevention

The key differentiator between SEGs and ICES solutions from a threat detection standpoint is that ICES solutions are underpinned by machine learning and take a behavioral intelligence approach to threat detection. The algorithm of an ICES solution builds a historical behavioral map of an organization’s email ecosystem. This map is used together with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities to scan for and detect anomalous email behavior dynamically and in real time. Unlike SEGs, this enables these solutions to detect threats as they arise.

Deployment architecture

There are also important differences between the architecture and configuration of ICES solutions and SEGs. ICES solutions do not sit in-line like SEGs and do not require MX re-routing; instead they connect via either a connector or an API and scan email either pre-delivery or post-delivery, detecting and quarantining any malicious email.
Degree of security automation

ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces alert fatigue and the SOC burden, ultimately improving security effectiveness.
Key differences between SEGs and ICES

SEGs: Require MX record changes, sit in-line, and act as a gateway for all email flow.
ICES: Require no MX record changes and scan incoming email downstream from the MX record, either pre-delivery via a connector or post-delivery via an API.

SEGs: Designed to detect basic phishing attacks, spam, malware and graymail. No zero-day protection.
ICES: Designed to detect advanced social engineering attacks including spear phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO). Advanced zero-day protection.

SEGs: Static, rule- and policy-based protection. No intelligent component to threat detection for inbound or outbound email, resulting in high false positives and significant triaging of email security incidents.
ICES: Behavioral and machine learning detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and lower false positives, i.e. less business interruption and more SOC optimization.

SEGs: Limited insider threat detection and no lateral attack detection capability. Once the threat has bypassed the gateway, the threat actor has unlimited access to the victims’ data and information systems.
ICES: Advanced insider and lateral attack detection capability, stopping threats where and when they arise.

SEGs: Basic email field scanning capability. Rely on a threat engine of previously identified threats, and static rules and policies.
ICES: All of the email fields are analyzed using machine learning and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URLs and attachments.

SEGs: Advanced malicious emails go undetected and reach target inboxes. Some of the less sophisticated malicious emails end up in the spam or junk folder, enabling users to accidentally interact with them.
ICES: Advanced malicious emails are detected and automatically hidden from users’ inboxes. With the pre-delivery option, only email determined to be safe is delivered. Post-delivery solutions will in nanoseconds claw back a suspected email determined to be malicious.

SEGs: No in-the-moment employee security warnings. Security alerts are retroactive and aimed at SecOps, offering no context to employees or the ability to improve the security culture.
ICES: An in-the-moment security notification banner can be added to an incoming or outgoing email indicating the level of risk of the scanned email and the context. These real-time security notifications lead to an improved security culture by empowering employees to take safe action, in real time.

SEGs: Basic DLP capability.
ICES: Some ICES, like Tessian, have advanced DLP capability.
Five market differentiators for ICES solutions

Not all ICES solutions, however, offer the same degree of completeness in product and protection. It is important that prospective customers of ICES solutions understand and interrogate the following key differentiators during the vendor selection process:

1: Completeness of the product offering and product roadmap. Does the solution cover inbound and outbound email protection (i.e. does it prevent email data loss events from occurring)? Does it have pre-built integrations with other cybersecurity tools such as SIEMs?

2: Degree of protection offered. During the POV it is important to test the efficacy of the algorithm and determine a true baseline of detection, including the percentage of false positives. Verify the actual results from the POV against the vendor’s stated claims.

3: Deployment and management overhead. Some vendors make unrealistic claims of “protection within seconds”; understanding the actual amount of FTE resources and time needed for deployment is crucial, as is the product’s ability to scale. Determining the degree of FTE required for managing the tool on a day-to-day basis is equally important.

4: UX and reporting capability. The overall UX, including the UI for SecOps teams, and feedback from employees after using the product during the POV are essential. Evidence shows that if the UX is poor, the security effectiveness of the tool will be diminished. The ability to pull on demand, or automate, risk metric reporting down to the employee level, for inbound and outbound email, is crucial for cybersecurity and risk compliance leaders.

5: Degree of automation. Automation is fast becoming a buzzword in cybersecurity. Buyers need to be aware of the degree of automation the ICES solution actually delivers, from threat detection to the triaging of threats, as well as risk reporting.
The final word

All it takes is one click on malicious content for a breach to take place. When assessing and selecting an ICES solution, customers should consider the criteria listed above as part of their general vendor assessment criteria. The completeness of the product offering and the degree of protection offered should be weighed carefully. Finally, there is the human side, which often never gets mentioned in vendor assessments: the experience of interacting with the vendor, from the first contact through to the end of the POV, should give key insight into what the future partnership with the vendor will look and feel like.
About Tessian

Tessian is one of the few ICES vendors that offers comprehensive protection for inbound threats like advanced spear phishing attacks, as well as outbound protection, preventing malicious and accidental data loss. Unlike many of our ICES competitors, we don’t treat our customers as test subjects: our algorithm was developed and fine-tuned for 4 years before we went live. Due to this level of product maturity, we boast among the lowest percentages of false positives in our industry. We have among the most attractive UIs, delivering a phenomenal UX. This includes advanced and automated cyber risk reporting, making security and risk leaders’ lives easier. We never make claims that we can’t back up. We deploy in seconds and protect within hours. Both the deployment and management overhead are extremely efficient due to product maturity and the degree of automation inherent in our product. Finally, it’s worth mentioning that we take our customers seriously. Here’s what some of them have to say about using our product:
Insider Threats Examples: 17 Real Examples of Insider Threats
by Maddie Rosenthal Tuesday, March 22nd, 2022
Insider Threats are a big problem for organizations across industries. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data, unlike the external bad actors many security policies and tools help defend against.   It could be anyone, from a careless employee to a rogue business partner.   That’s why we’ve put together this list of Insider Threat types and examples. By exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to spot them before a data breach happens.  
Types of Insider Threats

First things first, let’s define what exactly an Insider Threat is. Insider Threats stem from people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who exfiltrate data for personal gain or accidentally leak sensitive information. The key here is that there are two distinct types of Insider Threats:

The Malicious Insider: Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some kind of financial incentive, a competitive edge, or simply because they’re holding a grudge for being let go or furloughed.

The Negligent Insider: Negligent Insiders are just your average employees who have made a mistake. For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear phishing attack, or lose their work device.
1. The employee who exfiltrated data after being fired or furloughed   Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed. This has caused widespread distress.   When you combine this distress with the reduced visibility of IT and security teams while their teams work from home, you’re bound to see more incidents of Malicious Insiders. One such case involves a former employee of a medical device packaging company who was let go in early March 2020.   By the end of March – and after he was given his final paycheck – Christopher Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records. This caused significant delays in the delivery of medical equipment to healthcare providers.
2. The employee who sold company data for financial gain   In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web. The breach affected 547,000 customers and in 2018 after an investigation by the ICO, Bupa was fined £175,000.
3. The employee who stole trade secrets   In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets. The employee, Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE’s systems over eight years — intending to leverage his professional advantage to start a rival company.   The FBI investigation into Delia’s scam revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially-sensitive calculations to a co-conspirator. Having pleaded guilty to the charges, Delia faces up to 87 months in jail.   What can we learn from this extraordinary inside job? Ensure you have watertight access controls and that you can monitor employee email accounts for suspicious activity.
4. The employees who exposed 250 million customer records   Here’s an example of a “negligent insider” threat. In December 2019, a researcher from Comparitech noticed that around 250 million Microsoft customer records were exposed on the open web. This vulnerability meant that the personal information of up to 250 million people—including email addresses, IP addresses, and location—was accessible to anyone.   This incident represents a potentially serious breach of privacy and data protection law and could have left Microsoft customers open to scams and phishing attacks—all because the relevant employees failed to secure the databases properly.   Microsoft reportedly secured the information within 24 hours of being notified about the breach.
5. The nuclear scientists who hijacked a supercomputer to mine Bitcoin   Russian Secret Services reported in 2018 that they had arrested employees of the country’s leading nuclear research lab on suspicion of using a powerful supercomputer for bitcoin mining. Authorities discovered that scientists had abused their access to some of Russia’s most powerful supercomputers by rigging up a secret bitcoin-mining data center.   Bitcoin mining is extremely resource-intensive and some miners are always seeking new ways to outsource the expense onto other people’s infrastructure. This case is an example of how insiders can misuse company equipment.
6. The employee who fell for a phishing attack   While we’ve seen a spike in phishing and spear phishing attacks since the outbreak of COVID-19, these aren’t new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 Megabytes of data were stolen.   That might not sound like a lot, but the data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records.
7. The work-from-home employees duped by a vishing scam   Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. One cybercrime group conducted one of the most high-profile hacks of 2020 — knocking 4% off Twitter’s share price in the process.   In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials.   Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam.   This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know — your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes.
8. The ex-employee who got two years for sabotaging data   The case of San Jose resident Sudhish Kasaba Ramesh serves as a reminder that it’s not just your current employees that pose a potential internal threat—but your ex-employees, too.   Ramesh received two years imprisonment in December 2020 after a court found that he had accessed Cisco’s systems without authorization, deploying malware that deleted over 16,000 user accounts and caused $2.4 million in damage.   The incident emphasizes the importance of properly restricting access controls—and locking employees out of your systems as soon as they leave your organization.
9. The employee who took company data to a new employer for a competitive edge   This incident involves two of the biggest tech players: Google and Uber. In 2015, a lead engineer at Waymo, Google’s self-driving car project, left the company to start his own self-driving truck venture, Otto.   But, before departing, he exfiltrated several trade secrets including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.    How? By downloading 14,000 files onto his laptop directly from Google servers. Otto was acquired by Uber after a few months, at which point Google executives discovered the breach.   In the end, Waymo was awarded $245 million worth of Uber shares and, in March, the employee pleaded guilty.
10. The employee who stole a hard drive containing HR data   Coca-Cola was forced to issue data breach notification letters to around 8,000 employees after a worker stole a hard drive containing human resources records.   Why did this employee steal so much data about his colleagues? Coca-Cola didn’t say. But we do know that the employee had recently left his job—so he may have seen an opportunity to sell or misuse the data once outside of the company.   Remember – network and cybersecurity are crucial, but you need to consider whether insiders have physical access to data or assets, too.
11. The employees leaking customer data    Toward the end of October 2020, an unknown number of Amazon customers received an email stating that their email address had been “disclosed by an Amazon employee to a third-party.” Amazon said that the “employee” had been fired — but the story changed slightly later on, according to a statement shared by Motherboard which referred to multiple “individuals” and “bad actors.”   So how many customers were affected? What motivated the leakers? We still don’t know. But this isn’t the first time that the tech giant’s own employees have leaked customer data. Amazon sent out a near-identical batch of emails in January 2020 and November 2018.   If there’s evidence of systemic insider exfiltration of customer data at Amazon, this must be tackled via internal security controls.
12. The employee offered a bribe by a Russian national   In September 2020, a Nevada court charged Russian national Egor Igorevich Kriuchkov with conspiracy to intentionally cause damage to a protected computer. The court alleges that Kriuchkov attempted to recruit an employee of Tesla’s Nevada Gigafactory.   Kriuchkov and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The Kriuchkov conspiracy was disrupted before any damage could be done. But it wasn’t the first time Tesla had faced an insider threat. In June 2018, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.”   With state-sponsored cybercrime syndicates wreaking havoc worldwide, we could soon see further attempts to infiltrate companies. That’s why it’s crucial to run background checks on new hires and ensure an adequate level of internal security.
13. The ex-employee who offered 100 GB of company data for $4,000   Police in Ukraine reported in 2018 that a man had attempted to sell 100 GB of customer data to his ex-employer’s competitors—for the bargain price of $4,000. The man allegedly used his insider knowledge of the company’s security vulnerabilities to gain unauthorized access to the data.   This scenario presents another challenge to consider when preventing insider threats—you can revoke ex-employees’ access privileges, but they might still be able to leverage their knowledge of your systems’ vulnerabilities and weak points.
14. The employee who accidentally sent an email to the wrong person   Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But what are the implications? It depends on what data has been exposed. In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included:

Mental health information
Surgery information

While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. We outline even more consequences of misdirected emails in this article.
15. The employee who accidentally misconfigured access privileges   NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS. These documents – marked “SENSITIVE” and “OFFICIAL” – contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic.
16. The security officer who was fined $316,000 for stealing data (and more!)   In 2017, a California court found ex-security officer Yovan Garcia guilty of hacking his ex-employer’s systems to steal its data, destroy its servers, deface its website, and copy its proprietary software to set up a rival company.   The cybercrime spree was reportedly sparked after Garcia was fired for manipulating his timesheet. Garcia received a fine of over $316,000 for his various offenses.   The sheer amount of damage caused by this one disgruntled employee is pretty shocking. Garcia stole employee files, client data, and confidential business information; destroyed backups; and even uploaded embarrassing photos of his one-time boss to the company website.
17. The employee who sent company data to a personal email account   We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend. But in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes.
How common are Insider Threats?

Incidents involving Insider Threats are on the rise, with a marked 47% increase over the last two years. This isn’t trivial, especially considering the global average cost of an Insider Threat is $11.45 million. This is up from $8.76 in 2018.

Who’s more culpable, Negligent Insiders or Malicious Insiders?

Negligent Insiders (like those who send emails to the wrong person) are responsible for 62% of all incidents
Negligent Insiders who have their credentials stolen (via a phishing attack or physical theft) are responsible for 25% of all incidents
Malicious Insiders are responsible for 14% of all incidents

It’s worth noting, though, that credential theft is the most detrimental to an organization’s bottom line, costing an average of $2.79 million.

Which industries suffer the most?

The “what, who, and why” behind incidents involving Insider Threats vary greatly by industry. For example, customer data is most likely to be compromised by an Insider in the Healthcare industry, while money is the most common target in the Finance and Insurance sector. But who exfiltrated the data is just as important as what data was exfiltrated. The sectors most likely to experience incidents perpetrated by trusted business partners are:

Finance and Insurance
Federal Government
Entertainment
Information Technology
Healthcare
State and Local Government

Overall, though, when it comes to employees misusing their access privileges, the Healthcare and Manufacturing industries experience the most incidents. On the other hand, the Public Sector suffers the most from lost or stolen assets and also ranks in the top three for miscellaneous errors (for example misdirected emails), alongside Healthcare and Finance.

The bottom line: Insider Threats are a growing problem. We have a solution.
What is Data Loss Prevention (DLP)? Complete Overview of DLP
Thursday, March 17th, 2022
How does DLP work?

Put simply, DLP software monitors different entry and exit points (examples below) to “look” for data and keep it safe and sound inside the organization’s network. A properly configured DLP solution can detect when sensitive or important data is leaving a company’s possession, alert the user and, ultimately, stop data loss.

A DLP solution has three main jobs. DLP software:

Monitors and analyzes data while at rest, in motion, and in use.
Detects suspicious activity or anomalous network traffic.
Blocks or flags suspicious activity, preventing data loss.

Those entry and exit points we mentioned earlier include:

Computers
Mobile devices
Email clients
Servers
Mail gateways

Different types of DLP solutions are required to safeguard data in these environments.

What are the different types of DLP?

DLP software can monitor and safeguard data in three states:

Data in motion (or “in transit”): Data that is being sent or received by your network
Data in use: Data that a user is currently interacting with
Data at rest: Data stored in a file or database that is not moving or in use

There are three main types of DLP software designed to protect data in these different states.

Network data loss prevention

Network DLP software monitors network traffic passing through entry and exit points to protect data in motion. Network DLP scans all data passing through a company’s network. If it’s working properly, the software will detect sensitive data exiting the network and flag or block it, while allowing other data to leave the network unimpeded where appropriate. Network administrators can customize network DLP software to block certain types of data from leaving the network by default or, by contrast, whitelist specific file types or URLs.

Endpoint data loss prevention

Endpoint DLP monitors data on devices and workstations, such as computers and mobile devices, to protect data in use.
The software can monitor the device and detect a range of potentially malicious actions, including:

Printing a document
Creating or renaming a file
Copying data to removable media (e.g. a USB drive)

Such actions might be completely harmless, or they might be an attempt to exfiltrate confidential data. Effective endpoint DLP software (but not all endpoint DLP software) can distinguish between suspicious and non-suspicious activity.

Email data loss prevention

Email is the primary threat vector for most businesses, and the threat vector most security leaders are concerned about locking down with their DLP strategy. Email represents a potential route straight through your company’s defenses for anyone wishing to deliver a malicious payload. And it’s also a way for insiders to send data out of your company’s network, whether by accident or on purpose.

Email DLP can therefore protect against some of the most common and serious causes of data loss, including:

Email-based cyberattacks, such as phishing
Malicious exfiltration of data by employees (also called insider threats)
Accidental data loss (for example, sending an email to the wrong person or attaching the wrong file)
Does my company need a data loss prevention solution?

Almost certainly. DLP is a top priority for security leaders across industries, and DLP software is a vital part of any organization’s security program. Broadly, there are two reasons to implement an effective data loss prevention solution:

Protecting your customers’ and employees’ personal information. Your business is responsible for all the personal information it controls. Cyberattacks and employee errors can put this data at risk.
Protecting your company’s non-personal data. DLP can thwart attempts to steal intellectual property, client lists, or financial data.

Want to learn more about how and why other organizations are leveraging DLP? We explore employee behavior, the frequency of data loss incidents, and the best (and worst) solutions in this report: The State of Data Loss Prevention. Now let’s look at the practical ways DLP software can benefit your business.

What are the benefits of DLP?

There are 4 main benefits of data loss prevention, which we’ll unpack below:

Protecting against external threats (like spear phishing attacks)
Protecting against internal threats (like insider threats)
Protecting against accidental data loss (like accidentally sending an email to the wrong person)
Compliance with laws and regulations

Protecting against external threats

External security threats are often the main driver of a company’s cybersecurity program, although, as we’ll see below, they’re far from the only type of security threat that businesses are concerned about. Here are some of the most significant external threats that can result in data loss:

Phishing: Phishing is the most common online crime, and according to the latest FBI data, phishing rates doubled in 2020. Around 96% of phishing attacks take place via email.
Spear phishing: A phishing attack targeting a specific individual.
Spear phishing attacks are more effective than “bulk” phishing attacks and can target high-value individuals (whaling) or use advanced impersonation techniques (CEO fraud). Ransomware: A malicious actor encrypts company data and forces the company to pay a ransom to obtain the key. Cybercriminals can use various methods to undertake cyberattacks, including malicious email attachments or links and exploit kits.   DLP can prevent these external threats by preventing malicious actors from exfiltrating data from your network, storage, or endpoints.   Protecting against internal threats   Malicious employees can use email to exfiltrate company data. This type of insider threat is more common than you might think.   Verizon research shows how employees can misuse their company account privileges for malicious purposes, such as stealing or providing unauthorized access to company data. This problem is most significant in the healthcare and manufacturing industries.   Why would an employee misuse their account privileges in this way? In some cases, they’re working with outsiders. In others, they’re stealing data for their own purposes. For more information, read our 11 Real Examples of Insider Threats.   The difficulty is that your employees often need to send files and data outside of your company for perfectly legitimate purposes.   Thankfully, next-generation DLP can use machine learning to distinguish and block suspicious activity—while permitting data to leave your network where necessary.   Preventing accidental data loss   Human error is a widespread cause of data loss, but security teams sometimes overlook it.   In fact, misdirected emails—where a person sends an email to the wrong recipient—are the most common cause of data breaches, according to the UK’s data protection regulator.   Tessian platform data bears this out. In organizations with 1,000 or more employees, people send an average of 800 misdirected emails every year.   Misdirected emails take many forms. 
But any misdirected email can result in data loss, whether through accidentally clicking “reply all”, attaching the wrong file, accepting an erroneous autocomplete, or simply misspelling someone’s email address.

Compliance with laws and regulations

Governments are increasingly concerned about data privacy and security. Data protection and cybersecurity regulations are increasingly demanding, and failing to comply with them can incur increasingly severe penalties.

Implementing a DLP solution is an excellent way to demonstrate your organization’s compliance efforts under any of the following laws and standards:

- General Data Protection Regulation (GDPR): Any company doing business in the EU, or working with EU clients or customers, must comply with the GDPR. The regulation requires all organizations to implement security measures appropriate to the risk to the personal data in their control.
- California Consumer Privacy Act (CCPA): The CCPA is one example of the many state privacy laws emerging across the U.S. The law requires businesses to implement reasonable security measures to guard against the loss or exfiltration of personal information.
- Sector-specific regulations: Tightly regulated sectors are subject to privacy and security standards, such as the Health Insurance Portability and Accountability Act (HIPAA), which covers healthcare providers and their business associates, and the Gramm-Leach-Bliley Act (GLBA), which covers financial institutions.
- Cybersecurity frameworks: Alignment with cybersecurity frameworks, such as the NIST Cybersecurity Framework, the CIS Controls, or the ISO/IEC 27000 series, is an important way to demonstrate high standards of data security in your organization. Implementing a DLP solution is one step towards meeting these frameworks (and, in the case of ISO/IEC 27001, towards certification).

Bear in mind that, in certain industries, individual customers and clients will impose their own contractual security requirements, too.

Do DLP solutions work?
We’ve looked at the huge benefits that DLP software can bring your organization. But does DLP actually work? Some of it does, but not all.

Effective DLP software works seamlessly in the background, allowing employees to work uninterrupted but stepping in to prevent data loss whenever necessary. It is also easy for SOC teams to manage.

Unfortunately, some DLP solutions still rely on legacy techniques that either fail to prevent loss effectively, create too much noise for security teams, or are too cumbersome to let employees work unimpeded. Let’s take a look at some DLP methods and weigh up the pros and cons of each approach.

Blacklisting domains

IT administrators can block certain domains associated with malicious activity, for example consumer “freemail” domains. Blacklisting entire domains, particularly popular (if problematic) ones, is not ideal. There may be good reasons to communicate with someone using a freemail address, for example if they are a customer, contractor, or potential client.

Tagging sensitive data

Some DLP software allows users to tag certain types of sensitive data. For example, you may wish to block activity involving any file containing a 16-digit number (which might be a credit card number). But this rigid approach doesn’t account for the dynamic nature of sensitive data. In many contexts a 16-digit number is not a credit card number at all (a checksum such as the Luhn test removes some of these false positives, but not all of them), and an employee may be handling genuine card data for perfectly legitimate purposes.

Implementing rules

Rule-based DLP uses “if-then” statements to block types of activity, such as “If an employee uploads a file of 10MB or larger, then block the upload and alert IT.” The problem is that, like the other “data-centric” approaches above, rule-based DLP often blocks legitimate activity while letting malicious activity through unimpeded.
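To make the tagging and rule-based trade-off concrete, here is an added example in Python. It is not Tessian’s code and not part of the original post: it implements the “any 16-digit number” rule described above alongside a version that validates candidates with the Luhn checksum and looks for card-related wording. The sample messages, the keyword list and the verdict labels are constructed for illustration.

```python
import re

# Added example, not Tessian's code: a minimal content-inspection rule of the
# kind described above, with a Luhn checksum added to cut false positives.
# All sample messages below are constructed for illustration.

# Any run of 16 digits, optionally separated by spaces or hyphens, that is not
# part of a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

# Words that suggest the number really is a payment card (assumed list).
CONTEXT_RE = re.compile(r"\b(card|visa|mastercard|amex|cvv|cvc|expir)\w*", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_verdict(text: str) -> str:
    """The rigid rule from the text: any 16-digit number is suspicious."""
    return "review" if PAN_RE.search(text) else "allow"


def card_numbers(text: str) -> list:
    """16-digit candidates that also pass Luhn, with separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> str:
    """Checksum-validated rule: block only when a Luhn-valid number appears
    next to card-related wording; queue other Luhn-valid hits for review."""
    pans = card_numbers(text)
    if pans and CONTEXT_RE.search(text):
        return "block"
    if pans:
        return "review"
    return "allow"


if __name__ == "__main__":
    samples = [
        "Please charge my Visa 4111 1111 1111 1111, exp 12/26",
        "Shipment tracking number 1234567890123456 has left the warehouse",
        "Refund reconciliation for card 4111111111111111 attached for finance",
        "Quarterly numbers attached, see tab 3",
    ]
    print("naive   checked message")
    for s in samples:
        print(f"{naive_verdict(s):7} {classify(s):7} {s}")
```

Run it directly to print both verdicts side by side. The checksum removes the tracking-number false positive, but it still cannot tell a finance analyst’s legitimate refund reconciliation from an exfiltration attempt: that decision needs context about who is sending what to whom, which is what the machine learning approach in the next section tries to supply.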
Machine learning   Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. Here’s how it works: machine learning technology learns how people, teams, and customers communicate and understands the context behind every interaction with data.   By analyzing the evolving patterns of human interactions, machine learning DLP constantly reclassifies email addresses according to the relationship between a business and customers, suppliers, and other third parties.
Email DLP, Data Exfiltration
What is Data Exfiltration? Tips for Preventing Data Exfiltration
Tuesday, February 22nd, 2022
Data is valuable currency. Don’t believe us? Data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web.   This data could include anything from email addresses to financial projections, and the consequences of this data being leaked can be far-reaching. Data can be leaked in a number of ways, but when it’s stolen, we call it data exfiltration. You may also hear it referred to as data theft, data exportation, data extrusion, and data exfil.
This article will explore what data exfiltration is, how it works, and how you can avoid the fines, losses, and reputational damage that can result from it.

Types of data exfiltration

Data exfiltration can involve the theft of many types of information, including:

- Usernames, passwords, and other credentials
- Confidential company data, such as intellectual property or business strategy documents
- Personal data about your customers, clients, or employees
- Keys used to decrypt encrypted information
- Financial data, such as credit card numbers or bank account details
- Software or proprietary algorithms

To understand how data exfiltration works, let’s consider a few different ways data can be exfiltrated.

Email

According to IT leaders, email is the number one threat vector. It makes sense.

Over 124 billion business emails are sent and received every day, and employees spend 40% of their time on email, sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data with people both inside and outside their organization.

Needless to say, it’s a treasure trove of information, which is why it’s so often used in data exfiltration attempts. But how?

- Insider threats can email data to their own personal accounts or to third parties
- External bad actors can target employees with phishing, spear phishing, or ransomware attacks. Note: 96% of phishing attacks start via email.

Remote access

Gaining remote access to a server, device, or cloud storage platform is another data exfiltration technique.

An attacker can gain remote access to a company’s data assets via several methods, including:

- Hacking to exploit access vulnerabilities
- Using a “brute force” attack to guess the password
- Installing malware, whether via phishing or another method
- Using stolen credentials, whether obtained via a phishing attack or purchased on the dark web

According to 2020 Verizon data, over 80% of breaches involving hacking used brute force techniques or lost or stolen credentials. That’s why keeping passwords strong and safe, and pairing them with multi-factor authentication, is essential.

Remote data exfiltration might occur without a company ever noticing. Consider the now infamous 2020 SolarWinds attack: the attackers trojanized a software update that was pushed to thousands of organizations, and the backdoor it planted went undetected for months.

Physical access

As well as using remote-access techniques, such as phishing and malware, attackers can simply copy sensitive data onto a laptop, USB drive, or another portable storage device, and walk it out of a company’s premises.

Physically stealing data from a business requires physical access to a server or device. That’s why this method of exfiltration is commonly associated with current or former employees.

And it happens more frequently than you might think. One report shows that:

- 15% of all insiders exfiltrate data via USBs, and 8% of external bad actors do the same
- 11% of all insiders exfiltrate data via laptops/tablets, and 13% of external bad actors do the same

Here’s an example: in 2020, a Russian national tried to bribe a Tesla employee to introduce malware, for example via a USB drive, that would exfiltrate data from the company’s Nevada premises.
How common is data exfiltration?

So how significant a problem is data exfiltration, and why should your company take steps to prevent it? It’s hard to say how often data is successfully exfiltrated from a company’s equipment or network. But we know that the cybercrime methods used to carry out data exfiltration are certainly on the increase.

For example, phishing was the leading cause of complaints to the FBI’s Internet Crime Complaint Center (IC3) in 2020. The FBI’s data suggests that phishing incidents more than doubled compared to the previous year. The FBI also reported that the number of recorded personal data breaches increased from around 38,000 to over 45,000 in 2020.

Verizon’s 2020 data suggests that companies with more than 1,000 employees were more likely to experience data exfiltration attempts, but that attacks against smaller companies were much more likely to succeed.

Verizon also noted that “the time required to exfiltrate data has been getting smaller,” but “the time required for an organization to notice that they have been breached is not keeping pace.” In other words, cybercriminals are getting quicker and harder to detect.

Consequences of data exfiltration

We’ve seen how data exfiltration, and cybercrime more generally, is becoming more common. But even a single data exfiltration incident can have devastating consequences. There’s a lot at stake when it comes to the data in your company’s control.

Here are some stats from IBM’s 2020 report on the cost of a data breach:

- The average data breach costs $3.86 million
- The cost is highest for U.S. companies, at $8.6 million
- Healthcare is the hardest-hit sector, with companies facing an average loss of $7.1 million

What are the causes of these phenomenal costs?
Here are three factors:   Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is an expensive business—not to mention the thousands of hours that can be lost trying to determine the cause of a breach. Lawsuits: Many companies face enormous lawsuits for losing customer data. Trends suggest a continuing increase in data-breach class action cases through 2021. Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.
How to prevent data exfiltration

Understanding the forms, causes, and consequences of data exfiltration is important. But what’s the best way to prevent it?

🎓 Staff training

Business leaders know the importance of helping their employees understand information security. Staff training can help your staff spot some of the less sophisticated phishing attacks and learn the protocol for reporting a data breach. However, while staff training is important, it’s not sufficient to prevent data exfiltration. Remember these words from the U.K.’s National Cyber Security Centre (NCSC): “No training package (of any type) can teach users to spot every phish. Spotting phishing emails is hard.”

🚫 Blocking or denylisting

To prevent data exfiltration attempts, some organizations block or denylist certain domains or activities. This approach involves blocking certain email providers (like Gmail), domains, or software (like Dropbox) that are associated with data leaving the organization. However, this blunt approach impedes employee productivity. Denylisting fails to account for the dynamic nature of modern work, where employees need to work with many different stakeholders via a broad variety of mediums.

💬 Labeling and tagging sensitive data

Another data loss prevention (DLP) strategy is to label and tag sensitive data. When DLP software notices tagged data moving outside of your company’s network, this activity can be flagged or prevented. However, this approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable: employees may label incorrectly or not label sensitive data at all.

🔒 Email data loss prevention (DLP)

Email is a crucial communication method for almost every business. But, as we’ve seen, it’s also a key way for fraudsters and criminals to gain access to your company’s valuable data. According to Tessian platform data, employees send nearly 400 emails a month.
In an organization with 1,000 employees, that’s 400,000 possible data breaches each month. That’s why security-focused organizations seek to lock down this critical vulnerability by investing in email-specific DLP software. ⚡ Want to learn more about email DLP? We cover everything you need to know here: What is Email DLP? Complete Overview of DLP on Email. How does Tessian prevent data exfiltration? Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats.   Our Human Layer Security platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks.  To learn more about how Tessian detects and prevents data exfiltration attempts, check out our customer stories or talk to one of our experts today.
Email DLP, Data Exfiltration
Why Taking Your Work With You When You Leave a Company Isn’t a Smart Idea
by Andrew Webb Tuesday, February 15th, 2022
Our latest research into The Great Resignation contains some startling statistics from IT security leaders. 71% told us the Great Resignation has increased security risks in their company. What’s more, 45% say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs. But we also got the employees’ perspective. And it was clear that many staff thought that at least some of the work they did while at their employer belonged to them. Not only that, they felt it was okay to take that work with them when they moved on from the organization.

In fact, nearly one in three (29%) employees surveyed admitted to having taken data with them when they quit. Among employees in the US, this jumps to two-fifths (40%).

So here’s the question: does your work belong to you?
Who’s taking data?

We saw noticeable differences in behaviors across the typical departments found in most organizations. And the number one team for taking data? Marketing. A whopping 63% of respondents in this department admitted to taking data when they move on.

After marketing, employees in HR (37%) and IT (37%) had the next highest levels of exfiltration. Incidentally, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal, as these functions have to comply with strict data regulations on a daily basis. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job.
Why are people taking data on their way out?

According to Infosecurity magazine, 70% of intellectual property (IP) theft occurs within the 90 days before an employee’s resignation announcement. But why are people taking data when they leave? Here are some of the most common reasons.

Competitive advantage

Maliciously minded insiders can steal company data to get a competitive edge in their new role. 58% of workers we surveyed told us the information would help them in their new job. Think customer lists, software, project documents, frameworks and methodologies, and ultimately, IP. This is more common than you might think. For example, a General Electric employee was imprisoned in 2020 for stealing the company’s trade secrets for his own business in China.

A belief they own it

Many employees have a mentality that if they worked on that presentation, source code, or project, it’s theirs. In fact, 53% of respondents to our survey felt this way, saying that because they worked on the document, the information belonged to them.

Financial gain

The right sort of data in the wrong hands can be extremely valuable. Former staff can sell customers’ information on the dark web. There’s a huge market for personal information: research suggests the data needed to steal a person’s identity can be bought for around $1,100. 40% of the people we surveyed said they intended to make money from the information.
So who does own your work?

But back to our original question. Does your work belong to you? Well, chances are, no. In nearly all sectors and jurisdictions, if you’re an employee of the company, the company owns the output of your work. The situation might be slightly different if you’re a freelance contractor. In the end it all comes down to the contract.

But there are exceptions. Obviously, personal items that belonged to you prior to starting employment remain yours. Secondly, you can leave with items that you have permission to take. There’s also knowledge that you obtained during the role, such as the names of the firm’s five biggest customers. This is why many senior roles in firms have non-compete clauses built into their employment contracts.
What does The Great Resignation mean for security teams?

With 55% of respondents revealing that they’re thinking about leaving their jobs in 2022, and two in five (39%) currently working their notice or actively looking for a new job in the next 6 months, it’s clear IT and security teams are under pressure to keep company data safe during the Great Resignation.

But this research shouldn’t be used to berate employees; as a security leader, that’s not your job. Rather, it should be used to refresh the dialogue about security culture, and weave it into the broader discussion about data loss prevention.

Josh Yavor, Chief Information Security Officer at Tessian, comments: “It’s a rather common occurrence for employees in certain roles and teams to take data when they quit their job. While some people do take documents with malicious intent, many don’t even realize that what they are doing is wrong. Organizations have a duty to clearly communicate expectations regarding data ownership, and we need to recognize where there might be a breakdown in communication which has led to a cultural acceptance of employees taking documents when they leave.

“The Great Resignation, and the sharp increase in employee turnover, has exposed an opportunity for security and business leaders to consider a more effective way of addressing insider risk. It comes down to building better security cultures, gaining greater visibility into data loss threats, and defining and communicating expectations around data sharing to employees – both company-wide and at departmental level. Being proactive in setting the right policies and expectations is

How does Tessian prevent data exfiltration attempts?

Prevent unauthorized emails

Whether it’s an employee sending sensitive information to less secure personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email.
Deeply understand your risk

Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltration attempts.

In-the-moment educational warnings

Tessian warnings act as in-the-moment training for employees, continuously educating them about threats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time.
Email DLP, Integrated Cloud Email Security, ATO/BEC
Secure Email Gateways (SEGs) vs. Integrated Cloud Email Security (ICES) Solutions
by John Filitz Wednesday, February 9th, 2022
Recent market developments in email security signal there is a new player in town. And what has been considered a solved-for cybersecurity challenge is receiving renewed attention, both in the enterprise and in the analyst community.    The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, bring a welcome and new approach to solving for increasingly sophisticated and elusive email security threats.
Advanced threats require a new approach to addressing email security risk   Threat actors are using more sophisticated techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.    The pace of digital transformation underway and key shifts in the way we work help explain it, too. In the wake of the pandemic, the accelerated adoption of public cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices.  Threat actors are exploiting these developments by targeting the most common threat vector for a breach, phishing via email.
Secure Email Gateways (SEGs)

SEGs were, until recently, considered a staple in the cybersecurity stack. But SEGs that run on static, rule-based detection engines are finding it increasingly challenging to protect in today’s threatscape. This is largely because SEGs assume that adversaries will keep exploiting common, well-known attack vectors.

SEG solutions sit in-line and filter all inbound email. SEGs use a threat intelligence engine combined with manual policy orchestration, creating “allow” or “deny” lists. In the world of SEGs, security administrators have to repoint MX records at the gateway, develop specific email security policies, block domains, and triage incidents, many of which are false positives because of the gateway’s “wide-net” filtering approach.

Because the SEG threat engine relies on known threats, threat actors can bypass SEG controls, for example by registering new domains and combining them with advanced impersonation techniques. That’s why Tessian saw 2 million malicious inbound emails evade SEGs in a 12-month period.

And once an adversary has compromised an organization’s email (i.e. passed through the gateway) there is little stopping them. SEGs also offer very limited protection against insider threats or advanced methods of email-based data exfiltration, for example renaming files to bypass manually orchestrated SEG DLP policies.

The key attributes of SEGs include:

- Designed to protect against commonly seen threats, i.e. mainstream phishing activity, malware and spam
- Redirection of mail via MX records pointing to the SEG, so that all incoming email is scanned
- Use of a sandbox for detecting, isolating, and detonating suspected malicious emails or attachments
- Clawback ability for internal email only
- No ability to detect lateral movement by a threat actor that has breached the gateway
- Supplemental scanning solutions are often required to detect advanced inbound threats
- Manual orchestration of basic DLP policies
Integrated Cloud Email Security (ICES) Solutions

The main distinguishing characteristic of ICES solutions like Tessian, compared to SEGs, is that ICES solutions were born in the cloud, for the cloud. But they’re also able to provide protection for hybrid and on-premise environments.

Connecting via connectors or an API, an ICES solution uses machine learning to build a historical behavioral map of an organization’s email ecosystem. This map is combined with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities to scan for and detect anomalous email behavior dynamically and in real time, on both the inbound and the outbound side.

ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces the SOC burden and ultimately improves security effectiveness.

The key attributes of ICES solutions include:

- Designed to detect advanced social engineering attacks including phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO)
- Require no MX record changes; incoming email is scanned downstream of the MX record, either pre-delivery via a connector or post-delivery via an API
- Behavioral detection engine for advanced inbound and outbound threats, giving greater detection efficacy and fewer false positives, i.e. less business interruption and less SOC load
- A banner can be added to an incoming email indicating the risk level of the scanned email
- Lateral attack detection capability
- Malicious emails are hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered; post-delivery solutions claw back an email determined to be malicious
- All of the email fields are analyzed and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URLs and attachments
- Prompts the end user with in-the-moment contextual warnings on suspected malicious emails, so they can take safe action in real time
- Some have advanced DLP capability
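The “historical mapping of email correspondence” in the list above, and why it does better than the domain blacklisting and denylisting discussed in the DLP and data exfiltration posts earlier on this page, is easiest to see in code. What follows is an added example in Python; it is not Tessian’s code, not any ICES product’s detection logic, and not part of the original post. It learns who talks to whom from a constructed mail history, then scores new messages for a never-seen or look-alike sender domain, a display name that collides with an internal user, and first-time sends to external or freemail addresses. The tenant domain example.com, the freemail list, every address, and the risk levels are assumptions made for the example.

```python
from dataclasses import dataclass

# Added example, not Tessian's code: a toy version of the "historical
# behavioral map" an ICES product builds from an organization's own mail
# flow. Domain names, addresses and the history below are constructed.

INTERNAL_DOMAIN = "example.com"                       # assumed tenant domain
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed consumer domains


@dataclass
class Email:
    sender_name: str
    sender: str
    recipients: list
    direction: str  # "inbound" or "outbound"


# Constructed history: a slice of ordinary correspondence for the tenant.
HISTORY = [
    Email("Alice Chen", "alice@example.com", ["bob@partner-corp.com"], "outbound"),
    Email("Bob Park", "bob@partner-corp.com", ["alice@example.com"], "inbound"),
    Email("Alice Chen", "alice@example.com", ["carol.contractor@gmail.com"], "outbound"),
    Email("Carol Diaz", "carol.contractor@gmail.com", ["alice@example.com"], "inbound"),
    Email("Dave Ruiz", "dave@example.com", ["bob@partner-corp.com"], "outbound"),
]


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def build_profile(history):
    """Learn who talks to whom, which external domains are established, and
    which display names belong to internal senders."""
    pairs, domains, names = set(), set(), {}
    for e in history:
        for addr in [e.sender] + e.recipients:
            if domain(addr) != INTERNAL_DOMAIN:
                domains.add(domain(addr))
        if domain(e.sender) == INTERNAL_DOMAIN:
            names[e.sender_name.lower()] = e.sender.lower()
            pairs.update((e.sender.lower(), r.lower()) for r in e.recipients)
        else:
            pairs.update((r.lower(), e.sender.lower()) for r in e.recipients)
    return pairs, domains, names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score(email: Email, profile):
    """Return (risk level, reasons) for a new email against the learned profile."""
    pairs, domains, names = profile
    reasons = []
    if email.direction == "inbound":
        d = domain(email.sender)
        known = names.get(email.sender_name.lower())
        if known and known != email.sender.lower():
            reasons.append(f"display name matches internal user {known}")
        if d not in domains:
            reasons.append(f"sender domain {d} never seen before")
            for k in domains | {INTERNAL_DOMAIN}:
                if 0 < edit_distance(d, k) <= 2:
                    reasons.append(f"{d} looks like known domain {k}")
    else:
        for r in email.recipients:
            if domain(r) == INTERNAL_DOMAIN or (email.sender.lower(), r.lower()) in pairs:
                continue  # established relationship, even on a freemail domain
            kind = "freemail" if domain(r) in FREEMAIL else "external"
            reasons.append(f"first-time send to {kind} address {r}")
    level = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return level, reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for e in [
        Email("Bob Park", "bob@partner-c0rp.com", ["alice@example.com"], "inbound"),
        Email("Alice Chen", "alice.chen@outlook.com", ["dave@example.com"], "inbound"),
        Email("Alice Chen", "alice@example.com", ["carol.contractor@gmail.com"], "outbound"),
        Email("Dave Ruiz", "dave@example.com", ["dave.ruiz.home@gmail.com"], "outbound"),
    ]:
        print(score(e, profile))
```

Alice’s regular correspondence with a contractor on a Gmail address scores low because the relationship is established, while Dave’s first-ever send to a Gmail address is flagged; a denylist on gmail.com would have blocked the first and, had the contractor been allowlisted, missed the second. The look-alike partner domain and the display-name collision on an unknown domain are the inbound cases a static allow list cannot catch. A real product adds NLP over subject and body, URL and attachment analysis, and far more history than this five-message sample.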
The evolution of the threatscape combined with the mainstream adoption of public cloud offerings and associated productivity suites, helps contextualize the emergence of the ICES vendor category.    Many of the productivity suites such as Microsoft 365 and Google Workspace include SEG-like features as part of their standard offerings. And Gartner predicts that by 2023, 40% of enterprises will be leveraging an ICES solution like Tessian with a public cloud’s productivity suite for comprehensive email protection. 
Want to learn more? See how Tessian prevents ransomware attacks and protects against data loss, watch a product overview video, download our platform architecture whitepaper, or book a demo.
Remote Working, Email DLP, Data Exfiltration
How the Great Resignation is Creating More Security Challenges
by Laura Brooks Tuesday, February 1st, 2022
New research from Tessian reveals just how deep The Great Resignation is, and how it’s continuing to increase work for security teams.

The Great Resignation of 2021 continues well into 2022, with record high numbers of people quitting their jobs and seeking opportunities for better positions, better pay, better work/life balance, and even exploring a career in a completely new industry.

According to our latest survey of 2,000 employees in UK and US businesses, 55% are considering leaving their current employer this year, with two in five (39%) workers currently working their notice or actively looking for a new job in the next six months.

HR departments are under pressure to retain employees and replace the talent they lost. But they’re not the only team feeling the strain.

Our survey also revealed that 71% of IT decision makers in US and UK organizations told us the Great Resignation has increased security risks in their company. What’s more, 45% of IT leaders say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs.

They’re not wrong. Nearly one in three (29%) UK and US employees admitted to having taken data with them when they quit. The figures were much higher in the US, with two-fifths of US employees (40%) saying they’d taken data with them when they left their job.

Which employees are taking the data?

We see noticeable differences in behaviors across various departments. Employees in marketing were the most likely to take data with them when they leave, with a staggering 63% of respondents in this department admitting to doing so. Employees in HR (37%) and IT (37%) followed.

Interestingly, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal. With employees in these departments having to comply with strict data regulations on a daily basis, the findings suggest that this shapes their data sharing behaviors and the security cultures in these departments. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job.
Why do employees take data with them?  The majority of employees are not taking data for malicious purposes. The most common reason for taking data, cited by 58% of respondents, was because the information would help them in their new job. In addition, 53% believe that because they worked on the document, it belongs to them.    A significant percentage of employees (44%) said they took the information to share with their new employer, while 40% said they intended to make money from the information.
The consequences of doing nothing

With 70% of US employees and 40% of UK employees thinking about leaving their employer this year, the pressure is on to protect the organization from insider risk.

Even a single data exfiltration incident can have huge consequences. There’s a lot at stake when it comes to the data in your company’s control, particularly when you consider that the average cost of a data breach now stands at $4.24 million.

What are the causes of these phenomenal costs? Here are three factors:

- Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is expensive, not to mention the thousands of hours that can be lost trying to determine the cause.
- Lawsuits: Many companies face enormous lawsuits for losing customer data.
- Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.
What can IT and security leaders do to minimize the risk of data exfiltration during the Great Resignation period?

Taking data when leaving an organization has become one of those culturally accepted things that people feel they can get away with. Let’s be clear, though: this is not a reason to blame and shame employees for their actions.

Rather, this is an opportunity to see how we got to this point, assess where there are gaps in our data protection policies, and determine whether policies and guidelines are being communicated effectively to employees – both company-wide and in specific departments.

By defining and communicating the company’s expectations around data sharing and data handling in the organization, and training employees on safe cybersecurity practices, security leaders can start to build stronger security cultures that reduce insider risk.

As well as greater education and training, IT and security teams also need to ensure they have visibility of the risk across all channels, particularly email. A quarter of IT leaders we surveyed said they do not have visibility into incidents of data exfiltration, and gaining that visibility is an important first step.

The Great Resignation shows no sign of slowing down, and people will continue to move around looking for new opportunities throughout 2022. But this is also an opportunity for IT and security teams to build a more robust data loss prevention strategy, streamline defenses against insider risk, and put a safety net in place to stop the company’s most valuable and sensitive data from falling into the wrong hands.

How does Tessian prevent data exfiltration attempts?

Prevent unauthorized emails
Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email.
Deeply understand your risk
Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltration attempts.

In-the-moment educational warnings
Tessian warnings act as in-the-moment training for employees, continuously educating them about threats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time.
Remote Working
The Ultimate Guide to Security for Remote Working
by Andrew Webb Friday, January 28th, 2022
The future and nature of work is changing. So here’s all you need to know about how to keep your people secure in the ‘new normal’.
Remote working, hybrid working, anywhere-working, flexible-working, 4-day-week working, and everything in between – if the pandemic has done one thing, it seems to have destroyed nine-to-five in the office.

Saying so long to the stationery cupboard and “auf wiedersehen” to the water cooler might have been great for staff, but it presented a serious challenge for security leaders back in 2020. And while, way back then, many thought the situation was temporary – a few months at most – and would be mitigated by vaccines, that clearly hasn’t been the case.

Indeed, Forrester’s Predictions 2022 anticipates the following set-up:

10% of firms will shift to a fully remote model 🏡
30% will go back to a fully in-office model 🏢
The remaining 60% of firms will shift to a hybrid model 🏡 + 🏢

“Those that insist on a fully in-office model, will find that employees simply won’t have it. Attrition at these firms will rise above their industry averages — monthly quit rates will rise to as high as 2.5% for as much of 2022 as needed until executives feel the pain and finally commit to making hybrid work … work.”

Our own research bore this out too.

According to our Securing the Future of Hybrid Working report, just 11% of employees said they’d want to work exclusively in the office post-pandemic, with the average employee wanting to work from home at least two days a week. And over a third of people said they wouldn’t even consider working for a company if it didn’t offer remote working in the future. That represents a lot of employee churn and HR headaches for you and your security team, which we’ll explore shortly. But first, given we are in security, let’s recap the current risks.
What are the security risks with remote working?

The majority of IT leaders we surveyed believe permanent remote or hybrid work will put more pressure on their teams, while over a third (34%) were worried about their team becoming stretched too far in terms of time and resources.

While hybrid or flexi-working is great for employees, it’s the worst of both worlds for IT teams, who have to simultaneously manage and mitigate security risks that occur in and out of the office while providing a seamless experience that enables employees to work from anywhere. So if that’s the environment you’re having to work in, what are the risks?
Unsurprisingly, topping the charts is the classic phishing attack. 82% of IT leaders we surveyed believed employees are at greater risk of phishing attacks when working remotely. The pandemic saw a surge in these, with CISA specifically warning of attacks targeting remote workers back in Jan 2021.   Those threats haven’t gone anywhere in the meantime. Indeed, they’ve only increased with our reliance on delivery companies for shopping. But brand impersonations have expanded beyond the usual logistics and utility companies to software providers like Microsoft, Adobe and Zoom.
There’s a strong probability that, as we move forward in this new hybrid environment, remote work blind spots will be exploited.

This begs the question: how do you ensure people’s home networks are secure? There are also concerns around liability. If Company A faces a ransomware attack, it spreads to an employee, their home network, and then their partner’s company device to infect Company B…. Is Company A now liable for the losses Company B suffers?
This scenario is only exacerbated by having a Bring Your Own Device (BYOD) policy. Of course, the benefits of BYOD are lower costs, increased flexibility for staff and a more productive workforce. But there are downsides around physical and network security.

An August 2021 survey conducted by Palo Alto Networks found that 83% of companies with relaxed BYOD usage reported that it led to increased security issues. We explore those for both security teams and workers themselves in this post.
How new habits become bad habits

That same Palo Alto survey also found that 35% of companies reported that their employees either circumvented or disabled remote security measures. Our State of Data Loss Prevention report backs this up with the following alarming stats:

48% of employees say they’re less likely to follow safe data practices when working from home.
84% of IT leaders report DLP is more challenging when their workforce is working remotely.
52% of employees feel they can get away with riskier behavior when working outside of the office.

When asked why they were less likely to follow safe data practices when working from home, employees cited not working on their usual devices (50%) and being distracted (47%) as two of the top three reasons.

We’ve listed the 13 worst cybersecurity sins below. So take a moment to see if people in your organization are making these security errors.
Evaluate and evolve your current process

So, we’ve understood the risks, and are aware of some less-than-perfect security habits. Now we need to examine our processes. You’ve probably implemented some form of remote security process since the start of the pandemic. But you should always be looking to evolve it to stay on top of your game, in light of new threats and changing circumstances.

Education in security has a huge part to play in making people aware of the risks associated with working remotely, and in dispelling some of those new, bad habits. Our views on security awareness training are well known. An hour-long ‘test quiz’ once a year just isn’t going to cut it. Instead you need to bake security into your organization’s daily operations.
As Bobby Ford, Global Chief Security Officer at Hewlett Packard Enterprise says in this video, how can you get a little bit of cyber into other programs in your organization? And don’t just stop at events, town halls, intranets, or staff newsletters. These are all places to continually beat the drum for good security. So work with your people and comms teams to help enable that. We have a bunch of tips, resources and best practice information in this post that you can use as part of your cyber security refresher training. And if you need support from the C-Suite, here’s how to get it.
What’s perhaps most remarkable about the switch to remote working is that it happened almost overnight. The efforts and tools IT and security teams put in place quickly ensured that many companies stayed operating – jobs and lives were no doubt saved.
Now, however, those tools and processes are a permanent part of your business, and reviewing your security stack to ensure it’s fit for purpose in a remote world is critical. So what to look for? Well, ask yourself questions like:

👩‍💻 Does the application process personal data? If so, why and in what volume?
🌏 Where is the data processed?
📚 Does the application take back-ups of data? If so, how often?
🚫 Who has access to the data in the platform?
📱 Is access conditional upon Multi-Factor Authentication (2FA, for example)?

We’ve fully explored how to onboard remote collaboration and productivity tools here.
The Great Re-Evaluation and the future of remote work

Finally, there’s one other aspect of remote working to address, and that’s people themselves. The pandemic caused a lot of soul searching in many employees about their future and the sort of companies they wanted to work for.

The past 18 months have seen unprecedented demand for highly skilled roles, and many people are using this to turbo-charge their careers. The person in this BBC article increased her salary by £10,000 in six months, and she surely can’t be the only one. So as well as protecting your people from external threats, there are also potential dangers from within. If people are leaving, what better way to make a great impression on the first day at their new gig than by bringing a juicy file of customer data, source code, or other highly valuable IP?

Again, our State of Data Loss Prevention Report found that 45% of employees admit to downloading, saving, or sending work-related documents to their personal accounts before leaving or after being dismissed from a job. Assuming your USB ports are disabled, staff will often extract these assets by emailing them to their personal accounts. This is a particular problem in sectors such as legal, financial services, and entertainment, where a client base and extensive networks are crucial.

We’ve explored in detail how to keep your data safe in The Great Re-Evaluation below.
At Tessian, we know being an InfoSec leader is hard. The threats are relentless and the landscape is constantly changing. The halcyon days of rows of desktop PCs in an office block protected by an on-prem Secure Email Gateway (SEG) are confined to the history books. Remote work, an infinite perimeter, and sophisticated attacks by email are here to stay.

The only question is: how are you going to deal with them?

To find out how Tessian can help secure your remote teams, get in touch for a demo.
Email DLP
Why Email Security is a Top Cybersecurity Control
by John Filitz Wednesday, January 26th, 2022
Cybersecurity frameworks play an integral role in ensuring organizations have adopted the latest best-practice standards and strategies to safeguard their information systems and data. The most commonly adopted industry standard frameworks include the NIST Cybersecurity Framework, the CIS Controls, and ISO/IEC 27001/2. But, of these industry frameworks, only the ISO/IEC 27001/2 standard can be certified.

For organizations with well-developed cybersecurity strategies, often led by industry-leading CISOs, email security controls form a core control in preventing unauthorized information system access.

But the relationship between industry standard cybersecurity frameworks and the importance of email security can often appear to be subsumed by higher-order security controls. For example, only the CIS Controls explicitly mention email security (Control 09).

Read on to see why email security deserves higher priority in your security controls environment.
The market is once again signaling email security as a priority security control

Email security has, until recently, been seen as a low-priority, “solved-for” cybersecurity challenge. Many of the analyst firms even stopped providing market coverage of the email security vendorscape, with market maturity cited as the leading reason. This world view saw a handful of legacy email security monoliths, built for an on-premise world, dominating the market on what appeared to be a rather straightforward cybersecurity challenge – filtering unsophisticated phishing attempts and spam.

The threat landscape, however, did not stop evolving. In fact, over the past 12-24 months there has been a marked shift in the sophistication of social engineering based attacks, which is placing renewed emphasis on email security as a high-priority security control.

In spite of mature email security vendor offerings, breaches continue to proliferate. Phishing, Business Email Compromise (BEC) and account takeover (ATO) incidents are growing year-over-year and are responsible for 70 to 90% of all cybersecurity breaches. Malicious emails were also responsible for 54% of successful ransomware attacks in 2020. A further cybersecurity threat vector that has until recently been unaddressed is unauthorized data exfiltration, either accidental or malicious – seen as a leading reported incident.

The growing threat reality of poorly secured email has called into question legacy email security vendors and approaches, with increasing displacement taking place by a new breed of advanced email security solutions.
Cybersecurity Frameworks

Given this evolving threat landscape, it’s worthwhile revisiting the mainstream adopted cybersecurity frameworks and the centrality of email security as a core element of cybersecurity resilience.

CIS Controls

Dating back to 2008, the CIS Controls are seen by many in the industry as the gold standard of cybersecurity controls. In fact, the NIST Cybersecurity Framework references the CIS Controls as an “informative resource,” with most practitioners using the CIS Controls in conjunction with the NIST Cybersecurity Framework.

The CIS Controls undergo periodic review; currently there are 18 controls:

CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing

Control 9 is of specific relevance to this discussion, calling for the hardening of email and web browser protections, and underscoring the susceptibility of users to falling victim to successful social engineering attacks.
NIST Cybersecurity Framework

First introduced in 2014 and revised in 2018, the NIST Cybersecurity Framework version 1.1 is premised on five key security controls:

Identify – developing an organizational understanding of cybersecurity risk to systems, people, assets, data and capabilities. Activities include Asset Management, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.
Protect – developing and implementing safeguards to ensure the safe delivery of critical services. Activities include Identity and Access Management, Security Awareness Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.
Detect – developing and implementing capabilities that enable early cybersecurity event detection. Activities include detecting Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
Respond – developing and implementing capabilities that enable a well-managed response after an incident has occurred. Activities include Incident Response Planning, Communications, Analysis, Mitigation, and Improvements.
Recover – developing and implementing capabilities that enable the ability to recover after a cybersecurity incident has occurred. Activities include Recovery Planning, Improvements, and Communications.

The hardening of email security controls relates directly to:

Security control 2 (Protect): providing advanced Data Security and Information Protection Technology.
Security control 3 (Detect): providing Anomalies and Events, Continuous Monitoring and Detection Processes capabilities.
ISO/IEC 27001 and ISO 27002

ISO 27001:2005 Information Technology – Security Techniques – Information Security Management Systems – Requirements, commonly referred to as ISO 27001, is used in conjunction with ISO 27002:2013 Code of Practice for Information Security Management, commonly referred to as ISO 27002.

ISO 27001/2 is the only cybersecurity framework that can be certified internationally by the ISO standards body. Achieving ISO 27001/2 certification requires that organizations build an Information Security Management System that, among other requirements, entails adopting all 14 of the security control categories listed under Annex A.

In total there are 114 security controls in the 14 categories. The CIS Controls and NIST Cybersecurity Framework can also be mapped to the ISO 27001 controls.

The 14 security control categories include:

Annex A.5 Information Security Policies
Annex A.6 Organization of Information Security
Annex A.7 Human Resource Security
Annex A.8 Asset Management
Annex A.9 Access Control
Annex A.10 Cryptography
Annex A.11 Physical and Environmental Security
Annex A.12 Operations Security
Annex A.13 Communications Security
Annex A.14 System Acquisition, Development and Maintenance
Annex A.15 Supplier Relationships
Annex A.16 Information Security Incident Management
Annex A.17 Information Security Aspects of Business Continuity Management
Annex A.18 Compliance

Of the 14 security control categories, A.12 Operations Security and A.13 Communications Security underscore the importance of having robust email security in place. The two sub-controls under A.12 and A.13 that have direct relevance to email security are:

A.12.2.1 Controls Against Malware – detection, prevention and recovery controls that protect against malware and also entail appropriate user security awareness.
A.13.2.3 Electronic Messaging – any information that is involved in any form of electronic messaging needs to be appropriately protected to prevent unauthorized access.
General Data Protection Regulation (GDPR)

Although not a cybersecurity control framework, GDPR does outline legal processes and procedures to protect the data of European Union member countries’ citizens. Other similar data privacy and security legislation is being enacted around the world, calling for similar controls to be put in place. GDPR, however, is notorious for imposing the most stringent interpretations of its data privacy and data security regulations, along with handing out record-setting financial penalties for infringements.

Chapter 4, Articles 25-43 set out the necessary legal stipulations for data controllers and processors, essentially calling for data protection by design and by default.

Key information security principles listed in Chapter 4 (Article 32) include:

Pseudonymisation and encryption of personal data.
The ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services.
The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the data processing.

Data loss, phishing, unauthorized access and ransomware are among the top incidents reported to the UK’s Information Commissioner’s Office (ICO) – the UK’s enforcing body for GDPR. Inadequate and ineffective email security controls are the leading cause of these incidents.
MITRE ATT&CK Framework

Popular with threat intelligence teams, security operations centers, and the cybersecurity vendor community, the MITRE ATT&CK Framework is starting to gain mainstream recognition in the enterprise. Developed in 2013 and also referred to simply as the ATT&CK Framework, its utility for benchmarking the effectiveness of security controls is becoming increasingly apparent as attacks grow in sophistication and scope.

Although the framework consists of three matrices, the MITRE ATT&CK for Enterprise matrix is the most commonly used. By offering an adversarial perspective on threat and attack vectors, aka the attack chain – starting with reconnaissance, resource development and initial access, and ending with impact – it enables security and risk leaders to gauge the robustness and breadth of the controls in place.

According to the ATT&CK framework, social engineering based attacks, including phishing, remain one of the most common attack vectors enabling unauthorized access to information systems. The full matrix is available here.
Email security as a core control   Email security vulnerability remains a significant threat vector and features as a core cybersecurity control in all of the most widely adopted cybersecurity frameworks. And, given the increasing sophistication of email-based attacks, the importance of having industry leading email security protection in place must be reemphasized. Only by prioritizing email security will the risk of an email-related breach be significantly mitigated.
How can Tessian help you lock down email?

This is why enterprises are replacing legacy email security solutions with the next generation of intelligent email security protection from Tessian. Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

By using industry-leading machine learning, the dynamic real-time protection is enhanced with each threat mitigated, guaranteeing unparalleled protection against all email-based attack vectors, including insider threats.

Key features include:

Advanced Spear Phishing Protection
Advanced Attachment and URL Protection
Internal Impersonation & CEO Fraud
Advanced Spoof Detection
Counterparty & Vendor Impersonation
Brand Impersonation
External Account Takeover
Invoice Fraud
Bulk Remediation
Automated Quarantine
Threat Intelligence
Insider Threat Management
Accidental & Malicious DLP
Email DLP, Data Exfiltration
When Your Best DLP Rules Still Aren’t Good Enough…
by Stacia Tympanick Friday, January 14th, 2022
I was recently scrolling through a forum where the inevitable topic of creating perfect data loss prevention (DLP) regular expression (regex) queries began to simmer.

It started along the lines of this: “I need to build a regex query to look for credit card numbers within email or documents – how do I do this without an exorbitant amount of false positives?”

Turns out, many folks relate to this exact situation, and the discussion caught fire. Some are building the rules so tight and applying them to such specific users that they risk missing events that don’t fit the mold. Others are casting the net too wide and don’t have the manpower or the stamina to triage the alerts. Others have put an approval process in place, but this process slows down business. Managers end up having to approve all emails… but who has time for that?

So how can we both mitigate risk and reduce the number of alerts DLP administrators are triaging? Food for thought from a wise man: “If you are going to eat s*t, do not nibble…”
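To make the tight-versus-wide trade-off from the forum thread concrete, here is an added example in Python (not Tessian’s code and not the forum poster’s): a deliberately broad card-number pattern of the kind that floods a DLP queue, followed by a Luhn checksum and a repeated-digit check that drop order numbers and placeholder strings before an alert is raised, with the reported value masked to its last four digits. The sample email body and the card numbers in it are constructed; the card numbers are standard Luhn-valid test values, not real accounts.

```python
import re

# Broad pattern: any run of 13-19 digits, optionally separated by spaces or
# dashes. This is the "cast the net wide" rule from the forum thread: it
# matches order numbers, tracking IDs and all-zero placeholders just as
# readily as real card numbers.
BROAD_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample message. 4111... and 5500... are standard Luhn-valid
# test numbers; the order number and tracking string are deliberate decoys.
SAMPLE_EMAIL = """\
Hi, here is the order confirmation: order 1234567890123456 shipped today.
Tracking: 0000 0000 0000 0000
Please charge the card 4111 1111 1111 1111 (exp 12/26) and 5500-0000-0000-0004.
Call me on 020 7946 0958.
"""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9
    from any product above 9, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_candidates(text: str) -> list[str]:
    """Everything the broad regex alone would alert on (the noisy baseline)."""
    return [m.group(0) for m in BROAD_CARD_RE.finditer(text)]


def find_cards(text: str) -> list[str]:
    """Candidates that also pass the checksum and are not a single repeated
    digit. The all-zero string passes Luhn (sum is 0), so the repeated-digit
    check is needed to suppress that placeholder."""
    hits = []
    for raw in find_card_candidates(text):
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits) and len(set(digits)) > 1:
            hits.append(raw)
    return hits


def mask(raw: str) -> str:
    """Keep separators and the last four digits; star out the rest so the
    alert itself does not become a second copy of the sensitive value."""
    n_digits = sum(c.isdigit() for c in raw)
    seen, out = 0, []
    for c in raw:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def scan_email(text: str) -> list[str]:
    """What a DLP alert would carry: masked, checksum-validated hits only."""
    return [mask(raw) for raw in find_cards(text)]


if __name__ == "__main__":
    print("broad regex alone:", len(find_card_candidates(SAMPLE_EMAIL)), "alerts")
    print("with Luhn + repeat check:", scan_email(SAMPLE_EMAIL))
```

On the sample message the broad regex raises four alerts while the validated scan reports only the two genuine test card numbers, which is the difference between a queue an administrator can triage and one they cannot.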
If you make it personal AND relevant, the employee will listen

When implementing policies that encourage employees towards positive behavior and are actually relevant to them, they will be more inclined to understand and listen.

For example, you may have a company policy that prohibits employees from sending sensitive company data to their personal email. Employees will typically take this approach because they want to access documents conveniently from another location that has less security; one less hurdle to jump through when on a plane, at a hotel, or working from home.

Other times, users literally do not know that this isn’t secure, or maybe they have just come into the organization via M&A and are unaware of the policy. Instead of reactively catching this after the fact and having HR or management punish the employee, what if you could eliminate it in the first place with a prompt?

Imagine employees saw this upon sending the email:
Which brings us to point #2…. We have to tell employees why this is important for them to personally consider. They will relate, understand, and heed the advice the next time they are thinking about sending sensitive data to insecure places.

You can imagine sharing additional tips on your organization’s internal Wiki or Intranet to help really drive the point home:

Home tip: This policy should be followed when you’re sending personal, sensitive information about yourself to anyone, not just when you’re at work. Make sure you are always sending personal information like credit card numbers and social security numbers through secure methods (like sites that have a lock located by the URL) and always ask if items like social security numbers are required. You would be surprised by how many places do not need this type of information yet ask for it!
Most employees are not malicious… they just aren’t enabled to make better decisions

More and more often, we’re hearing that people are responsible for breaches:

85% of data breaches are caused by human error
61% of security leaders think an employee will cause their next data breach

But the problem isn’t malicious employees.

For example, if we isolate the financial services industry, the majority of breaches were caused by an accident, like sending an email to the wrong person, which represents a whopping 55% of all error-based breaches (and 13% of all breaches for the year).

This all goes to show that most employees aren’t malicious; if they were asked to take an alternative, more secure route, they would! They just don’t know how.

Well-documented tutorials can help reduce unintentional data loss and IT tickets, which means security teams are only left with tickets that are actually worth triaging.
There is data outside of your regex queries that is worth protecting. Do you know what that data is?

Although there is table-stakes data like social security numbers and account numbers that needs to be protected due to regulations and mandates, there is also business data that is critical to protect.

What is your vital business data? Think: M&A confidential projects, clientele lists, portfolio company research and earnings, company budget information, case strategy documents…. This is just a small list of things that – if in the wrong hands – could be very bad news for the business. Can you possibly create regex queries to identify and protect all of these types of data?

Considering the fact that organizations spend up to 600 hours a month resolving employee-related security incidents like data exfiltration or accidental data loss, I’d say no.

The bottom line is: your talented team members don’t want to spend their days combing through DLP alerts that could be eliminated in the first place. But, until we begin to enable our employees to be secure at work and at home, we will forever be salmon swimming upstream. I encourage you to take a look at what Tessian can offer to build this positive, security-enabled culture. Check out the below resources, or book a demo to see the product in action.
Read research into the State of Data Loss Prevention
See what Tessian customers are saying
Download our platform overview datasheet
Remote Working, Email DLP, Data Exfiltration
Keeping Your Data Safe During The Great Re-Evaluation
by Andrew Webb Thursday, January 6th, 2022
Like Gandalf the Grey, it goes by many names.

Fast Company calls it the Great Reprioritization. LinkedIn prefers the Great Reshuffle, while Thrive Global opts for the Great Re-evaluation. But whatever it’s called, it’s clearly a movement that’s broadened out from people quitting their jobs and moving to your competitors, to something much bigger around company culture, work/life balance, and job flexibility.

So what does this mean for your organization? How do you keep your data secure when your perimeter is over the horizon, your people are remotely distributed, and you’re facing threats that are increasing in both frequency and complexity?

What is the Great Re-Evaluation?

The first wave of the Great Resignation in 2021 saw an initial rush of people deciding they wanted a change, and quickly leaving their jobs. We covered the knock-on effects for keeping your data safe back then in this article.
And while many of those concerns are still valid, we’re now in a new space where other issues are starting to reveal themselves, too.

Those initial leavers were the “early adopters” who probably had itchy feet anyway; COVID was just the push they needed. But what about those who stayed? Having weathered the storm for the last two years and seen that it’s showing no signs of abating, people are looking around for companies that offer better remuneration, flexibility, and an exciting mission. Things they’re (likely) sorely missing in their current companies.

As the CISO, those things might not be in your power to grant to the entire company. But as your company’s security leader, you own the security impact of people leaving, of their replacements arriving, and of those who choose to stay.
Who’s leaving?

First off, let’s look at those who are (still) leaving. Resignation rates are highest among mid-career employees, that is, those between 30 and 45 years old. And according to Harvard Business Review, the greatest churn was in tech companies.

“Ah tech in the Bay Area. Where it's easier to just get a new job, than to stay long enough for a laptop refresh.” — Bea Hughes (@beajammingh) January 5, 2022
They’re often highly experienced in their role and, unlike younger employees, don’t need a lot of training. What’s more, they’re not leaving to ‘drop out’ and start a lifestyle project or go traveling; they’re leaving for a better, more flexible package.

These are staff who ‘know where the bodies are buried’. They have a highly detailed knowledge of your organization and its processes, products, and customers. This group has the highest probability of attempting to exfiltrate sensitive data – IP, clients or other corporate information – from your organization.

But the problem isn’t limited to mid-career employees in the tech industry. The Verizon Data Breach Investigations Report found that 72% of staff take some company data with them when they move on, whether intentionally or not. They also found that 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement.

Even worse, a whitepaper published by Osterman Research found that a further 28% of employees admitted to taking data created by others when they leave – cheeky! Things to look out for include fluctuations in email activity, accessing documents or files at unusual times such as evenings or weekends, and spikes in data transfers.
If you’ve disabled your USB ports, email remains one of the most popular conduits for exfiltration attempts, so securing that channel now, before they hand in their resignation, is critical. Once that’s in place, you need a structured and effective offboarding process in conjunction with your People team to disable methods of data exfiltration. (There’s some great advice on designing that process as a whole over on Security Intelligence and on AT&T Business.)
Why high attrition is a threat to your data security
A data breach has a number of financial consequences. First and foremost, there’s the time it takes you to handle the incident. There are potential compliance violations and regulatory fines, legal costs pursuing the ex-employee, and loss of reputation and competitive advantage that will affect your bottom line long-term. The situation can be even worse when staff are let go as companies trim to stay afloat. One former credit union employee deleted 21GB of data after being fired, and one business collapsed entirely after an angry ex-employee deleted every single file.
Who’s arriving?
The good news: enthusiastic new staff are brought in to replace those who have left, so they aren’t likely to exfiltrate any data. The bad news? They’re also vulnerable to external attacks, and have yet to get up to speed on your security processes and familiarize themselves with the company as a whole. What’s more, they’ve probably announced their new role on social media. Our How to Hack a Human Report found that an overwhelming 93% of workers update their job status on social media, while 36% share information about their job. Hackers know this, and do their research before hitting an organization with a spear phishing attack. Consequently, new starters are prime targets.
But it’s not just role replacement staff, it’s entirely new staff too. After all, the pandemic has been very good for certain industries (information security, for example) and some businesses are growing off the back of this and expanding their teams.
Who’s staying?
When a team changes, there’s always disruption of some sort, and that problem is only exacerbated in today’s remote world. However, that disruption can also be an opportunity to refresh and remind people what a good security culture looks like and correct any bad habits that might have formed during remote working. This is important, as our ‘Back to Work’ research report found the following alarming statistics:
56% of IT leaders believe employees have picked up bad cybersecurity behaviors since working from home
40% of employees plan to bring their personal device into the office to work on
69% of IT leaders think that ransomware attacks will be a greater concern in a hybrid workplace
27% of workers are afraid to tell IT they’ve made a security mistake
Hybrid is here to stay – act accordingly  
Why the office is done
The halcyon days of on-prem servers and a load of desktop PCs all protected by a shiny new Secure Email Gateway (SEG) are long gone. And now, the office that once housed them is on the way out, too. According to one study, 79% of the C-suite say they will permit their staff to split their time between corporate offices and remote working, if their job allows for it. There was the assumption in late 2021 that, once a vaccine was developed and staff afforded some sort of protection, things would soon return to normal, or at least something like it. Omicron has blown that notion to smithereens. And as this article suggests, maybe it’s time to admit defeat.
Remote working isn’t going anywhere anytime soon, and staff are still subject to the same distractions and security threats they were in March 2020. The enemy here is complacency: bad habits as much as bad actors. People are once again distracted, angry, and anxious. Here are some quick tips to help remind the team about good security practices (see more here):
Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts.
Don’t download new software or tools without consulting your IT team.
Keep your software and operating systems up-to-date.
Always lock your laptop and keep all of your devices password-protected.
If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you.
Look after yourself
Like an airplane oxygen mask, you can’t look after others until you’ve looked after yourself first. It’s been a tough few years and CISOs are burnt out, really burnt out. Our Lost Hours report found that CISOs, on average, worked 11 hours a week in unpaid overtime, and that 25% of CISOs spend 9-12 hours investigating and remediating each threat caused by human error. What’s more, the average time a CISO is in post is as little as 26 months.
A commissioned study conducted by Forrester Consulting on behalf of Tessian identified that organizations spend up to 600 hours per month resolving employee-related email security incidents. That is not healthy and it’s not sustainable, for either staff or the business.
And your team
As our 2022 trends post highlighted, hiring and keeping a diverse team will be one of your biggest priorities… and challenges. After all, at the end of 2021 there were nearly 500,000 unfilled cybersecurity roles in the US. The Department of Homeland Security alone was looking to hire 1,800 by the end of 2021. Dealing with the rising security risks of the Great Re-evaluation needs a great team backed up by great tools that streamline defenses against phishing attacks and data exfiltration. That’s where we come in. So if you need some help, we’d love to talk.
How does Tessian prevent data exfiltration attempts?
Prevent unauthorized emails: whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email.
Deeply understand your risk: whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltration attempts.
In-the-moment educational warnings: Tessian warnings act as in-the-moment training for employees, continuously educating them about threats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time.
Email DLP, Interviews With CISOs
Q&A with Punit Rajpara, Head of IT and Business Systems at GoCardless
Tuesday, December 21st, 2021
Punit Rajpara is Head of IT and Business Systems at GoCardless. In this Q&A he tells us how GoCardless won over the entire organization, from employees to board members, with their forward-thinking data loss prevention (DLP) program. Dig deep into the intuitive and effective user warnings, powerful analytics, and reporting tools that helped prove their business case.
Could you please give us a quick introduction to yourself and your role at GoCardless?
I’m the Head of Business Systems at GoCardless. I’ve been here just over a year—joined at the crazy pandemic time so it’s been an interesting year. Plus, prior to GoCardless, I was at WeWork and Uber, so I clearly love the hot startup journey and putting in core tools. GoCardless is in the space solving for payments—so whether that’s recurring or one-time payments. We’ve just really done some really cool stuff at the Urban Bank and you should check it out. We service payments across 30 different countries and we process about 20 billion in revenue for other merchants every year.
DLP can be a really daunting project, for many. At GoCardless, what was your starting point in DLP?
Yeah, I think I’d say boring and daunting. It’s one of those things that’s just kind of there, and it can be disruptive to users. So, I guess our starting point was we… like I said, it was kind of just there. We used Google DLP to kick off, and the inbuilt DLP tools, and we found those a little bit complex to configure. So we’re coming to this realization—just when everything just happened and we went to market—to look for somebody better. We realized it needs an admin of its own—it’s just configured a bunch of policies that just block stuff for our users all the time. And it didn’t seem very “user-in-mind.” So that’s our starting point: Google-based DLP tools. A bit boring, a bit daunting, like you said, and just… there.
What was it that instigated you to start thinking: “OK, we need a new approach”?
We had an incident where somebody sent a file to a friend, instead of to the right recipient. And we got a bit lucky, where the friend said: “Oh, did you really mean to send me this file?” and it was an important file that probably shouldn’t have gone to the friend. And the person that caught that came straight to us and said, “Hey—do we have a way of stopping me from sending things I shouldn’t to the wrong people?” And we’re like: “Maybe… Let’s go and have a look at it.” So, we weren’t intentionally looking at DLP, but it’s one of these things where it allows us to be used a little as well, so users will come and talk to the problem, and go: “Hey, I’ve made this stupid mistake—what should I do?” and “Can you do anything to help me not make that mistake again?” So, that’s what really led us down the road of going: “We should look at this problem. We should look at inbound and outbound DLP and see if we can make it easy for our users not to do things that are going to be harmful to them and the business.”
How have you got your employees to that state, where they’re actually coming forward and saying “Hey, how can we stop it going forward?”
I think it’s part of that kind of scale-up workforce culture, where people are expecting not to do things by themselves constantly. If you look at all aspects of… mostly business systems and IT, there’s a huge focus today on ultimate automation and self-service. So people are used to working in organizations where you’re not having to report things, you’re not being blocked by things, you’re really being enabled to just go on with your work. And the expectation is that IT teams and business teams and security teams are becoming more and more “self-service,” and putting the control in the hands of the users. And that just really allows people to not worry about these things, and just get on and just be productive and work.
What were you looking for when you set out to try to find a security partner?
When we went looking for the right partner, the things that were front-of-mind were: whatever we chose had to be easy to use, it had to be easy to implement, and it had to be easy to administer. I was managing a small team last year, so it couldn’t be anything that required tons and tons of work for my team to implement. It couldn’t be something that required tons and tons of documentation to be written. It couldn’t be something that required huge amounts of user training. It had to be quick, easy to use, quick to deploy, easy to deploy, with a lot of support from the vendor if we needed that support to get it out, and it had to be self-service. It would have to be really, really intuitive. So that’s our approach to how we were looking for the right partner. I think it actually hit the nail on the head with Tessian…
How was the feedback when you implemented Tessian? How did you garner that feedback and how did it change their perception of what security controls can be like?
I’d say overwhelmingly, there was a positive response to our deployment of Tessian at the business. People—especially the exec team—would come into us quite quickly and say: “Hey, this is really cool. We’re going to stop data leakage.” We were able to catch a couple of incidents that we maybe wouldn’t have otherwise, so overwhelmingly there was this really, really positive response: “Hey, this tool is really awesome, didn’t know we could do this kind of stuff.”