Data Loss Prevention
How a Gmail Design Flaw Causes Misdirected Emails
By Ed Bishop
15 January 2020
A seemingly innocuous and incredibly common occurrence like sending an email to the wrong recipient can have severe consequences. The sender of a misdirected email is often blamed for being careless, for not paying attention to detail and, in some cases, for being technically illiterate. This can set a culture of embarrassment for employees, which means many misdirected emails, and their corresponding data breaches, are often not reported to line managers and compliance teams.

Gmail Design Flaw

A few years ago, Google added a feature to Gmail that suggests contacts to be added to an email’s recipient list. For example, if you add Jane and Sam to an email, it might suggest Ali, because Ali is often included on emails with Jane and Sam. Designed to be a productivity feature, this in itself could encourage a user to add a contact who maybe shouldn’t be included – resulting in a misdirected email. However, the focus of this article will be on what I consider to be an unpredictable UI (user interface) design flaw in the Gmail email compose window. We reported this flaw to Google’s Security Bug Report page on 18th December 2018.

I consider this to be a relatively common email user flow. In a new email:

1. Click in the recipient text area
2. Start typing the 1st recipient’s name, and press enter to select
3. Start typing the 2nd recipient’s name, and press enter to select
4. Click in the Subject field to type the desired email subject

You can see this demonstrated in a video below:

If you look carefully, as the second recipient is added – and after a significant delay, caused by an asynchronous API request – Google suggests that you might like to add two internal addresses to the email as they are often seen on emails with recipient 1 and recipient 2. But notice where Google positioned the “add recipient” hyperlink. It shifted the position of the subject text area down and placed the hyperlinks where the original subject text area was.
The clickable hyperlink area is fully encapsulated by the old subject text area. In step 4 of the above user flow, if after adding the second recipient I quickly attempted to click in the subject text area, there is a chance that at that exact moment the delayed API request finishes, the subject bar shifts down, and I accidentally add an unintended recipient to the email.

Ironically, I believe this unpredictable delay makes it more likely for a tech-savvy employee working quickly – those who can navigate around the compose window faster than it takes for the API request to finish – to fall foul of this design flaw and accidentally misdirect an email.

A Potential Fix

There are many potential fixes, but I think a simple rule that “no UI component should unpredictably move” would solve this. I would suggest increasing the spacing of the default compose window so that the “add recipient” hyperlinks could fit above the subject bar without moving anything.

Google’s Response

We raised this design flaw with Google Security on 18th December 2018.
While Google does not feel it substantially affects the confidentiality or integrity of its users’ data, we disagree and believe this design flaw could lead to an increase in misdirected emails and data loss. Implications of sending misdirected emails can range from the embarrassing to the damaging, and can even lead to revenue loss due to reputational harm. Technology should be built and designed in a way that minimizes human error, not one that increases the likelihood of it occurring.

Update: this design flaw seems to only affect Gmail on browsers, not the mobile application.
Data Loss Prevention
A Brief History of Data Loss Prevention Solutions
09 January 2020
For many organizations, Data Loss Prevention (DLP) is at once one of the most important components of their security framework and the biggest headache for administrators. Why? Because most risks to data security actually come from within an organization, which means security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network. This includes user devices like laptops and mobile devices, email clients, servers, and gateways within the network.

While every vendor offers slightly different functionality – and can solve for data loss on email, endpoints, or networks – the goal of DLP software is essentially the same: to minimize the risk of data leaving the organization. To understand the agility and efficiency of some modern solutions, it’s important to understand not only the history of DLP but the history of email. This is, after all, where employees now spend 40% of their time.

How has email changed over the years?

Today, most of us have at least one email address. It’s the main form of communication both in the workplace and with consumer-facing brands. While a decade or two ago we might have used traditional mail, picked up the phone, or even met in person to share information, now we freely send sensitive data and information like bank account details, medical records, and confidential trade secrets via email every day. And, the fact is, most of us don’t consider the security of these exchanges. But with the exchange of sensitive information comes potential risk. As such, there’s an urgent need to keep email – and therefore data – safe and secure.

Back in the 1990s, when email started to take off, there was little-to-no email security. It soon became apparent that some kind of filtering system was necessary. This way, people could not only limit the volume of emails they received, but also ensure that whatever landed in their inbox was relevant.
While this filtered out spam broadly, we remain exposed to targeted email threats like phishing or spear phishing attacks. Internet Service Providers (ISPs), Secure Email Gateways (SEGs), and anti-virus software took filtering a step further, using pattern and keyword recognition to identify potentially threatening emails, but it’s still not enough. In fact, the number of phishing attacks continues to rise, and 2019 saw the highest number in three years.

Of course, this isn’t the only problem with email. As we mentioned, there are also data risks within an organization. Data could be lost through a simple mistake, for example sending a misdirected email. Or there could be more nefarious intent, like a disgruntled employee leaving the company on bad terms and taking valuable information with them. So, how do you solve all of these problems? There are two schools of thought: one is data-centric and the other is human-centric.

Data vs. human behavior

When you consider the objective of DLP, you realize there are two distinct approaches to take.

Data-centric approach: Rule-based solutions use the content of an email to perform analysis. These rules consider keywords, attachments, seniority level, and even the role or department of an employee to identify sensitive information and keep it within the organization.

Human-centric approach: Instead of focusing only on the data, human-centric approaches like those offered by Tessian seek to understand complex and ever-evolving human relationships in order to protect sensitive information.

While both approaches have their merits, there are some clear shortcomings to a data-centric approach.
That means that the more effective solution is one that’s adaptable and can discern the variations in human behavior over time. A solution like this relies on machine-intelligent software that learns from historical email data to determine what is and isn’t anomalous in real-time.

Learn more about human-centric DLP

Tessian Guardian and Tessian Enforcer are advanced DLP solutions that leverage machine learning to offer superior data protection in real-time.
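The post contrasts keyword rules with learning “what is and isn’t anomalous” from historical email data. As an added illustration (not Tessian’s code and not a description of how Guardian or Enforcer work internally), the following script builds a per-sender model of past recipients and domains from a constructed history and flags outbound recipients that fall outside it: a brand-new recipient at a familiar domain, a domain that merely resembles one the sender uses (a typo or look-alike domain), or a domain the sender has never contacted. The history, the `build_model` / `check_outbound` names and the 0.8 similarity threshold are all assumptions made for the example.

```python
"""Added example: a minimal human-centric misdirected-email check that learns from
historical email data. All data and function names are constructed for illustration."""
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed sample history of past outbound mail: (sender, [recipients]).
HISTORY = [
    ("alice@corp.example", ["bob@corp.example", "jane@acme.example"]),
    ("alice@corp.example", ["jane@acme.example", "sam@acme.example"]),
    ("alice@corp.example", ["jane@acme.example"]),
    ("alice@corp.example", ["bob@corp.example"]),
    ("dan@corp.example",   ["legal@lawfirm.example"]),
]


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def build_model(history):
    """Learn, per sender, how often each recipient and each recipient domain was used."""
    recipients = defaultdict(Counter)
    domains = defaultdict(Counter)
    for sender, rcpts in history:
        for r in rcpts:
            recipients[sender][r.lower()] += 1
            domains[sender][domain(r)] += 1
    return recipients, domains


def check_outbound(sender, rcpts, model, min_ratio=0.8):
    """Return a list of (recipient, reason) anomalies for a new outbound email.

    An empty list means every recipient is an established relationship for this sender.
    """
    recipients, domains = model
    seen_rcpts = recipients.get(sender, Counter())
    seen_domains = domains.get(sender, Counter())
    findings = []
    for r in rcpts:
        r = r.lower()
        if r in seen_rcpts:
            continue  # the sender has emailed this exact address before
        d = domain(r)
        if d in seen_domains:
            findings.append((r, "new recipient at a domain the sender already uses"))
            continue
        # Compare the unseen domain against every domain the sender has used, looking
        # for a near-match such as acme.exmaple for acme.example.
        best, best_ratio = None, 0.0
        for known in seen_domains:
            ratio = SequenceMatcher(None, d, known).ratio()
            if ratio > best_ratio:
                best, best_ratio = known, ratio
        if best is not None and best_ratio >= min_ratio:
            findings.append((r, f"domain resembles {best} (similarity {best_ratio:.2f})"))
        else:
            findings.append((r, "sender has never emailed this domain"))
    return findings


if __name__ == "__main__":
    model = build_model(HISTORY)
    for rcpt, why in check_outbound("alice@corp.example",
                                    ["bob@corp.example", "jane@acme.exmaple"], model):
        print(f"WARN {rcpt}: {why}")
```

The similarity threshold is deliberately simple; with real domains the shared public suffix (.com, .co.uk) inflates the ratio, so a production check would compare the registrable part of the domain and weight by how often the sender uses the look-alike’s counterpart.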
Data Loss Prevention Human Layer Security Spear Phishing
A Year in Review: 2019 Product Updates
By Harry Wetherald
01 January 2020
2019 was a big year for email security. While the world did see a record number of data breaches (up 33% from 2018), we also saw tighter security-related policies and regulations drafted and implemented, and, in general, an increased awareness amongst businesses about the importance of proactive security strategies.

While we may be biased, it seems noteworthy that human error became more and more of a talking point in the cybersecurity space. In fact, human error and the importance of machine learning and artificial intelligence in protecting people has been one of the most talked-about trends by analysts going into the new year. Similarly, companies are waking up to the fact that humans are their biggest risk. It’s about time. After all, misdirected emails – emails accidentally sent to the wrong person – have been one of the top data security incidents reported under GDPR according to the Information Commissioner’s Office.

We believe it’s unreasonable to expect employees to do the right thing 100% of the time when it comes to making security-related decisions; people break the rules, people make mistakes, and people can be hacked. To err is human! What’s more, we have seen how quickly the threat landscape continues to evolve, which is why throughout 2019 we rolled out a series of important product updates that have kept our user base – which saw triple-digit growth over the last 12 months – safe.

Here are the most important product updates to Tessian’s Human Layer Security platform for 2019.
1. Human error, quantified. The new Tessian Dashboard gives customers an at-a-glance view of breaches and near-misses on email

Keen to discover trends related to the number of breaches that were prevented by Tessian over the last 30 days? Our easy-to-navigate dashboard gives administrators a complete overview of activity, including any malicious and anomalous emails detected, misdirected emails prevented, and unauthorized email attempts thwarted. Module performance for Tessian Defender, Guardian, Enforcer, and Constructor is all visible on one page, and visual representations of data make it easy to monitor and drill down on activity day-by-day. If suspicious activity is spotted, you can quickly and easily generate a report without navigating off the page.

The Tessian Dashboard also allows administrators to view user health at a glance, including the percentage of users active on the Add-in and Gateway and any connection issues across the network. This will help in-house security teams ensure every employee within their organization is protected by Tessian’s modules at all times.

2. Evolving algorithms. Tessian Defender can now detect and prevent more spear phishing attempts than ever

Throughout 2019, Tessian Defender was improved through a series of subtle but impactful tweaks to our algorithms to be even more adept at detecting spear phishing attempts, including advanced, difficult-to-detect direct spoof attacks. The fact is, bad actors are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks. It’s imperative that we stay ahead of the curve, hence the regular updates. Tessian Defender has improved over time – and will continue to improve – enabling the detection and prevention of even the most advanced spear phishing attempts.
3. Thwarted first-attempts. It’s now even more difficult for employees to exfiltrate sensitive data

Tessian Enforcer can now detect the first attempt an employee makes to exfiltrate data over email. How? By inferring what is and isn’t likely to be authorized communication based on the vast amount of data Tessian’s ML algorithm was trained on, which doesn’t necessarily rely on the prior email history of a particular email address. For example, if an employee attempts to send an email to their personal freemail account and that email address contains the employee’s first name or surname, Tessian Enforcer presents a warning to the user advising them that the behavior is potentially unsafe and prompting them to reconsider the action.

Data exfiltration remains an incredibly unwieldy problem for businesses. Tessian gives businesses much-needed oversight of the problem over email.
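The worked example the post gives, a recipient at a freemail provider whose address contains the sender’s own name, needs no history for that address, only a directory lookup for the sender. The script below is an added illustration of that heuristic, not Tessian’s implementation; the freemail list, the directory, the minimum name length of three characters and the `personal_account_warning` name are assumptions made for the example.

```python
"""Added example: warn when an outbound recipient looks like the sender's own personal
freemail account. Data and function names are constructed for illustration."""
import re

# Constructed, deliberately short list; a product maintains a far larger one.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Constructed directory: corporate address -> (first name, surname).
DIRECTORY = {
    "j.smith@corp.example": ("Jane", "Smith"),
    "liu.wei@corp.example": ("Wei", "Liu"),
}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def normalized_local_part(addr):
    """Lower-case the local part and drop dots, dashes, plus signs etc. so that
    jane.smith, jane_smith and janesmith compare equal."""
    return re.sub(r"[^a-z0-9]", "", addr.rsplit("@", 1)[0].lower())


def name_tokens(first, last, min_len=3):
    """Name fragments worth matching. Very short names (e.g. 'Li') match far too
    many unrelated addresses, so they are skipped (assumed threshold)."""
    return [t.lower() for t in (first, last) if len(t) >= min_len]


def personal_account_warning(sender, recipient, directory=DIRECTORY, freemail=FREEMAIL_DOMAINS):
    """Return a warning string if `recipient` is a freemail address containing the
    sender's first name or surname, otherwise None."""
    if domain(recipient) not in freemail:
        return None
    names = directory.get(sender.lower())
    if names is None:
        return None  # sender unknown to the directory: nothing to compare against
    local = normalized_local_part(recipient)
    for token in name_tokens(*names):
        if token in local:
            return (f"{recipient} is a freemail address containing the sender's "
                    f"name '{token}'; is this an authorized recipient?")
    return None


if __name__ == "__main__":
    print(personal_account_warning("j.smith@corp.example", "jane.smith1984@gmail.com"))
```

Because the check compares against the sender’s identity rather than a history of prior sends, it fires on the very first message to the address, which is the property the post describes; the trade-off is that common surnames will also appear in unrelated freemail addresses, so the result is a warning to the user rather than a block.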
4. In-situ learning opportunities. Employees have an opportunity to understand why an email is unsafe with contextual warnings

While Tessian prides itself on low flag rates so that security doesn’t impede productivity, we wanted to maximize the opportunity to educate users through our warnings. This way, when users do see a notification, they understand why. Improved warnings across all four modules were designed for a more user-friendly experience that seamlessly reinforces any previous or ongoing security training. With more context included, employees can now see exactly why an email is being flagged as suspicious and – importantly – they can make their own decision on how to proceed. This is at the core of Tessian’s mission. Employees should be empowered by security solutions instead of burdened by them.

5. New detection capabilities. Customers can create rules that are specific to their environment

Every business or enterprise is different, and IT and Infosec security leaders need some flexibility in creating filter conditions that are applicable specifically to their operations. Because we’ve introduced new detection capabilities, users can now combine more conditions to create filters for their individual use cases; for example, scanning attachment content, identifying hidden fields in spreadsheets, and reading Azure Information Protection and other DLP labels. At the most basic level, these rules look something like this: If A and B, then C, except when D or E. These variables can apply to a number of elements contained in an email, from the recipient(s) to language patterns.

One way an administrator might use these new detection capabilities would be to configure a filter which only allows the finance team, for example, to share spreadsheets with people outside of their organization if the recipient’s email address is recognized as a customer, except when the attachment contains a hidden row titled “social security numbers”.
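To make the “If A and B, then C, except when D or E” shape concrete, here is an added example (not Tessian’s rule syntax or engine) of a small rule evaluator with exactly that structure, encoding the finance-team spreadsheet filter from the paragraph above. The `Email` and `Attachment` data model, the customer domain list and the idea that a hidden spreadsheet row is represented by its title are assumptions made for the example.

```python
"""Added example: composable 'if A and B, then C, except when D or E' filter rules.
Data model, names and policy contents are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed organization data; a real deployment takes these from configuration.
INTERNAL_DOMAIN = "corp.example"
CUSTOMER_DOMAINS = {"acme.example", "globex.example"}
SPREADSHEET_SUFFIXES = (".xlsx", ".xls", ".csv")


@dataclass
class Attachment:
    name: str
    hidden_rows: List[str] = field(default_factory=list)  # titles of hidden rows


@dataclass
class Email:
    sender: str
    department: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)


Condition = Callable[[Email], bool]


@dataclass
class Rule:
    """If all `conditions` hold, take `action`, except when any of `exceptions`
    holds, in which case `on_exception` is taken instead."""
    name: str
    conditions: List[Condition]
    action: str
    exceptions: List[Condition] = field(default_factory=list)
    on_exception: str = "block"

    def evaluate(self, email: Email) -> Optional[str]:
        if not all(c(email) for c in self.conditions):
            return None  # rule does not apply to this email
        if any(e(email) for e in self.exceptions):
            return self.on_exception
        return self.action


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


# Building blocks for A, B, D, E: each is a predicate over an Email.
def is_department(name: str) -> Condition:
    return lambda e: e.department == name


def has_spreadsheet(e: Email) -> bool:
    return any(a.name.lower().endswith(SPREADSHEET_SUFFIXES) for a in e.attachments)


def has_external_recipient(e: Email) -> bool:
    return any(domain(r) != INTERNAL_DOMAIN for r in e.recipients)


def external_recipients_are_customers(e: Email) -> bool:
    return all(domain(r) == INTERNAL_DOMAIN or domain(r) in CUSTOMER_DOMAINS
               for r in e.recipients)


def hidden_row_titled(title: str) -> Condition:
    wanted = title.lower()
    return lambda e: any(wanted in row.lower()
                         for a in e.attachments for row in a.hidden_rows)


# The policy from the text: finance may send spreadsheets externally only to
# customers, except when a hidden row titled "social security numbers" is present.
# A second, broader rule blocks every other external spreadsheet.
POLICY = [
    Rule("finance-spreadsheets-to-customers",
         conditions=[is_department("finance"), has_spreadsheet,
                     has_external_recipient, external_recipients_are_customers],
         action="allow",
         exceptions=[hidden_row_titled("social security numbers")],
         on_exception="block"),
    Rule("no-other-external-spreadsheets",
         conditions=[has_spreadsheet, has_external_recipient],
         action="block"),
]


def apply_policy(email: Email, policy=POLICY, default="allow") -> Tuple[Optional[str], str]:
    """The first rule that applies decides. Returns (rule name or None, verdict)."""
    for rule in policy:
        verdict = rule.evaluate(email)
        if verdict is not None:
            return rule.name, verdict
    return None, default
```

Ordering matters: the specific allow rule must precede the general block rule, and the exception is evaluated only once the rule’s conditions already hold, which is what keeps the hidden-row check from affecting internal-only mail.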
Protect your most valuable asset: your people

Tessian is committed to creating the world’s first Human Layer Security platform, and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace.

Not yet a Tessian customer? Across four modules, Tessian protects the human layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G-Suite; product updates are seamlessly rolled out for users and administrators; and the technology – which doesn’t disrupt workflow – was built with productivity in mind. To understand how Tessian can fit into your existing security framework, request a demo now.
Compliance Data Loss Prevention
Email: Your Data Security’s Weakest Link
15 November 2019
Emails are a crucial part of many work lives. We’re used to sending and receiving emails throughout the day, without much thought about the security of such exchanges. There’s a much bigger threat that originates from inside your organization. When an employee clicks that send button, they could potentially share sensitive information with the wrong recipient. Such mistakes carry high costs. It might compromise client data or confidential information, which causes your organization huge reputational damage and could hit your bottom line. Not to mention the impact if the story leaks to the media. That level of reputational damage can take years to recover from.

The biggest form of data loss

Misdirected emails were reported by the Information Commissioner’s Office (ICO) to be the biggest form of data loss last year (and also the first quarter of 2018). Many companies are familiar with hacking as a form of data loss (hence the investment in physical database security, firewalls, and anti-virus) but less so with misdirected emails. Unfortunately, all the attributes of email that make it so popular (that it’s a speedy, clear and common form of communication) are the very factors that make it such a risk. 95% of all security incidents involve human error. Many security systems that are focussed on keeping hackers out are missing a vital part of defence – making sure sensitive information stays in.

Email is the default means of communication

The emails involved in this scenario are all outbound. That is, emails sent to other organizations or people outside of your own company domain. If you think about it, email is a pretty insecure way of sharing information. It can be hacked, end up with the wrong person, or carry malware and spam itself. Worryingly, email still remains a means for many businesses to share confidential information. 89% of U.S. law firms use it as the main way to share information like case files or contracts.
That’s despite 70% of them being aware of the risks and the importance of sharing files securely. It’s the default mode of communication for many companies, and that means we need to find ways of securing it. Firewalls and other security can only go so far. When an email is leaked, it could be your employees who are your weakest link.

Employees can make mistakes

It might even be unintentional on the part of an employee. If someone simply misspells a name or doesn’t realize others are copied into an email chain, it can result in a data leak. Alternatively, their actions might be malicious and actually intended to cause harm to a company. Either way, the consequences are devastating for a business. Especially post-GDPR.

Misdirected emails and GDPR

For the few who are unaware, the EU’s General Data Protection Regulation (GDPR) has strict stipulations on the use and sharing of personal data. Under GDPR, organizations could face a fine of up to €20 million or 4% of global revenue, whichever sum is greater. The fine depends on the severity of the data leak. So a leak of healthcare records or personal finance data is likely to attract a far greater fine than leaking email addresses. Even if the information shared isn’t customer data or personal information, there could be dire consequences. Imagine sharing client lists or your organization’s future product plans, business strategy or financial information with the wrong person. It only takes a few clicks before that information ends up in the hands of a competitor.

Reputation and trust is damaged

Data leaks are becoming increasingly common. The media has its eye fixed on any kind of data breach. Any company that leaks information, whether that’s through a hack or a misdirected email, is likely to become front page news. Despite the saying, not all news is good for your company. Plus, there’s the significant loss of trust that occurs between organizations and consumers if a breach does occur.
Especially if that information is highly sensitive, like the names and emails of attendees of an HIV clinic sent in an accidental group email. As you can see with this case, a breach could occur simply when someone doesn’t realize email addresses have been entered into the cc field rather than blind-copied. The clinic was fined £180,000. A sum that would have been far greater had GDPR been in force at the time.

Other potential risks

Then there are the risks associated with an employee leaving their email account logged in on a shared computer. They could also fail to lock their screen when leaving their computer. Alternatively, their laptop, phone or tablet could be stolen with their work email account still linked. When securing your emails, there’s definitely some employee education to be done. Make sure you communicate the risks of leaving inboxes on show or failing to lock screens. Employees must also understand how they can prevent misdirected emails and the consequences of such a leak.

Identifying email leaks

Of course, not all email leaks can be easily identified by organizations. Someone might maliciously forward an email. Others may accidentally send confidential information without realizing it. Under GDPR, there’s a requirement for any breach to be reported within 72 hours. Organizations need a way to track outbound emails and flag any misdirected emails. Luckily, there are tools like Tessian that notify you of any confidential information sent to personal email addresses or outside your organization. It also prevents misdirected emails from ever occurring.

Prevention is your best cure. Once a leak has happened, it’s difficult to fully recover. It’s better to use machine learning and other technology to stop a breach occurring, either through analyzing email addresses and flagging potential misdirected emails, or highlighting when employee behavior might cause a leak.

Secure the outside and inside

The risks of having a data leak are much higher compared to the past.
GDPR has raised the stakes for many companies and also raised awareness about personal data security amongst consumers. Organizations need to ensure security is in top shape. However, most emphasis is placed on ways to keep hacks and database breaches from occurring. Not many business leaders have considered the risk of email leaks. This creates a chink in an otherwise impenetrable armor. You don’t just need to consider the dangers of people getting in; you also have to stop confidential information from getting out. Especially if it’s highly sensitive, which is often the case in the health and legal sectors.
Data Loss Prevention
What is Data Loss Prevention (DLP) – A Complete Overview of DLP
23 October 2019
Organizations across industries invest in Data Loss Prevention (DLP) solutions to combat perennial security risks along with new challenges like GDPR and CCPA compliance. But what is Data Loss Prevention (DLP), what are the benefits of implementing a DLP strategy, and how does DLP work?
What is Data Loss Prevention (DLP)?

DLP software monitors different entry and exit points of a corporate network, such as user devices, email clients, servers, or gateways within the network, to safeguard data in different forms, including data in motion, data in use, and data at rest.

Data in motion refers to data that is sent and received over your network.
Data in use refers to data that you are using in your computer memory.
Data at rest refers to data that is stored in a database, file, or server.

If security software sees something suspicious, such as an email attachment containing credit card details or an attempt to print confidential documents, a predefined response will kick in. Most DLP software offers organizations the ability to block potentially risky communications or to simply flag the anomaly for administrators to follow up on. Properly configured DLP allows organizations to block sensitive information while permitting non-sensitive communications to continue, which is why DLP brings a range of benefits.

What are the benefits of DLP?

There are three main problems solved by DLP:

Satisfying compliance standards. With compliance regulations like GDPR, CCPA, and HIPAA dictating how data is handled in different industries and regions, it’s more important than ever that organizations monitor activity and events around Personally Identifiable Information (PII), Protected Health Information (PHI), or payment card information (PCI). Any breaches that compromise the security of this data could mean big fines for organizations. GDPR fines alone can equal up to 4% of a business’ annual turnover.

Keeping intellectual property in-house. While customer, client, or patient information must be protected by law, organizations have a vested interest in also protecting intellectual property like financial information, design or development plans, and information related to the overall structure of the business.
DLP helps protect against data exfiltration attempts.

Monitoring how data is used. Not all data incidents lead to data breaches. That’s why it’s important for organizations to have full visibility over how individual users are using and interacting with data. This way, administrators can potentially spot a bad leaver or insider threat before any data is exfiltrated.

What are the different types of DLP?

DLP does more or less the same thing wherever it is deployed – it looks for sensitive information crossing boundaries. But different DLP solutions operate in different ways depending on which “perimeter” is being guarded. There are three main types of DLP solutions: network DLP, endpoint DLP, and email DLP.

Network DLP

Network DLP protects data in motion by monitoring the traffic that enters and leaves the organization’s network. These solutions are mostly cloud-based and are designed to monitor network traffic between users and other endpoints connected through the Internet; every byte of data transmitted through the network passes through the cloud-based DLP solution. Like other DLP solutions, Network DLP can be configured to block custom-defined data strings, preventing specific information from moving out of the network. But it can also be used to manage access to certain Uniform Resource Locators (URLs), prevent data or files being transferred to specific cloud storage, and block viruses and malware that are traversing the network.

Endpoint DLP

Endpoint DLP protects data in use on employees’ devices (computers, mobile phones) by preventing unauthorized access. How? By ensuring information isn’t taken off work devices and sent or copied to unauthorized devices, allowing or denying certain tasks to be performed on the computer. It is also able to detect and block viruses and other malware that could be transferred into your computer system from external sources.
Universal Serial Bus (USB) blocking is one of the most popular methods used in endpoint DLP, because viruses can be replicated using USB storage, and once a USB flash drive is connected to a computer, the virus can be transmitted to the computer system.

Email DLP

Email continues to be the most critical risk factor of data loss, with both inbound and outbound traffic posing security threats. To protect data, Email DLP monitors, tracks, and filters emails sent back and forth through the email client and checks every communication. Inbound email DLP solutions monitor emails for certain keywords to identify phishing scams, spear phishing attacks, ransomware, or malware. They also quarantine any suspicious email message that contains specific types of data. Outbound email DLP, on the other hand, can be set up to check for misdirected emails, unauthorized emails, or sensitive data to prevent critical information moving out of an organization’s network.

Do I need a DLP solution?

Every company is different, but those handling sensitive information – especially from third parties – will want to consider implementing a DLP solution in order to maintain customer or client trust and satisfy compliance standards. Larger organizations may want to secure every point as part of a layered defense, while smaller companies with limited IT budgets may decide to focus on their single biggest risk. For many, this is email. Not only are misdirected emails one of the most common breaches reported under GDPR, but 90% of data breaches start on email. To learn more about why it’s so important to focus on email, read our Ultimate Guide to Human Layer Security.

How does DLP work?

Traditionally, DLP software has been built around creating long lists of rules and extensive manual tagging. Once set up, it can then monitor the flow of data through different parts of the network, to look for anything sensitive crossing a boundary.
Administrators can create policies to dictate “if x happens, then do y.” These rules should be specific to your organization. For example, a rule may forbid sensitive information being sent to a “freemail” email account or to any non-whitelisted third parties. Unfortunately, though, rule-based DLP has limitations. IT and security teams are tasked with not only creating but also maintaining long lists of rules, and employees are often exposed to high flag rates that impede their productivity. That’s why Tessian takes a different approach.

How does Tessian prevent data loss?

Tessian uses machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our machine learning models analyze email data to understand how people work and communicate. They have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real-time if particular emails look like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network.
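The “if x happens, then do y” rule described in the “How does DLP work?” section, combined with the “email attachment containing credit card details” trigger mentioned earlier in this post, can be shown end to end in a few dozen lines. The following is an added example, not code from this post or from any DLP product: a content detector that finds card-number candidates with a regular expression and keeps only those that pass the Luhn check, feeding a policy that blocks card data going to freemail or non-whitelisted domains and merely flags it when sent to a whitelisted partner. The domain lists, the `4111 1111 1111 1111` test number and the function names are assumptions made for the example.

```python
"""Added example: content-based detection of payment card numbers plus an
'if x then y' outbound policy. All lists and sample text are constructed."""
import re

# Constructed organization data; a real deployment derives these from its own config.
INTERNAL_DOMAIN = "corp.example"
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
WHITELISTED_PARTNERS = {"acquirer.example"}

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 from
    doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the Luhn-valid candidate card numbers found in `text`, digits only.
    The checksum removes most order numbers and phone numbers the regex would match."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def outbound_decision(text: str, recipients) -> str:
    """Policy: card data to a freemail account or to any non-whitelisted third
    party is blocked; card data to a whitelisted partner is allowed but flagged
    for review; anything without card data, or internal-only mail, is allowed."""
    if not find_card_numbers(text):
        return "allow"
    external = [r for r in recipients if domain(r) != INTERNAL_DOMAIN]
    if not external:
        return "allow"
    for r in external:
        d = domain(r)
        if d in FREEMAIL_DOMAINS or d not in WHITELISTED_PARTNERS:
            return "block"
    return "flag"


if __name__ == "__main__":
    sample = "Card 4111 1111 1111 1111 expires 12/25"  # constructed test number
    print(find_card_numbers(sample), outbound_decision(sample, ["bob@gmail.com"]))
```

The example also shows why rule-based DLP produces the flag rates the post complains about: the detector has no idea whether a valid-looking number in a message is a real card or a customer reference that happens to pass Luhn, and the policy has no notion of whether this recipient is someone the sender legitimately exchanges such data with.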
Data Loss Prevention
Email Security: Best Practices and Tools to Lock Down Email
19 October 2019
What messaging channel has more users than Facebook and WeChat put together, and has been around since 1971? It’s one of the world’s most significant technological innovations: email. As of 2019 there are around 3.9 billion email users around the world. With steady annual growth of 3% expected, we should have 4.3 billion email users by 2022. That’s far ahead of any social networking platform, and alongside SMS messaging, email is the biggest communications channel worldwide.

This scale has resulted in new risks to businesses’ security. Organizations control unprecedented amounts of data: as of 2019, it’s thought that more data now sits within enterprise environments than on all consumer endpoints (or individual devices). That data presents a tempting target for malicious attackers who can steal and sell personal information or coerce employees into wiring money outside their organization. So what can security leaders and employees do to stop or reduce the tide of email threats threatening organizations’ money and data?
Email’s global scale means that it has created immeasurable value for businesses. But this has been accompanied by concurrent risks to people, systems and data. Virtually all the pieces of a traditional security toolkit – password protection, spam filtering, anti-virus tools – reflect the inherent danger of email communications.

Although email is one of the most influential communication mediums for billions of people today, it’s worth remembering that it started as an intra-organization chat tool. In 1969, ARPANET, a US Department of Defense network and the forerunner of the modern internet, hosted the first electronic message sent between two different computers. This genesis shows the intimacy and openness of email – still a blessing and a curse today. Despite being “incubated” within a secretive government research unit, email is now uniquely open. This decentralised structure has taken the friction out of global commerce, and is vital to individuals and businesses alike. But there’s a tension here. An open network is a risky network. Decades after the first emails were sent, we’re seeing more and more sophisticated threats affecting organizations, from both inbound and outbound email activity.

In this piece we’ll cover the basics of how email works, as well as describing some of the ways enterprises can be put at risk thanks to security failures.

Email 101: How does email work?

Put simply, email operates by way of servers speaking with each other. The framework that governs these communications is called Simple Mail Transfer Protocol (SMTP). SMTP is the protocol which governs how servers send and receive packets of email data. The server sending an email will “push” the email to a receiving server. There are three key component parts of each email, all of which are to some extent based on traditional, physical mail.

The envelope

The envelope is the initial information pushed by the server sending an email to the receiving server.
It consists of the SMTP commands exchanged between the two servers, chiefly MAIL FROM (the return path, or envelope sender) and RCPT TO (the actual delivery addresses). Email users never see the envelope: it exists only for routing, and it is discarded once the message has been delivered.

The header

The email header is transmitted with the body and contains metadata such as the time the email was sent, the From, To and Subject fields the recipient sees, and a Received line added by each server that handled the message. Email clients (Outlook, Gmail etc.) show only a handful of these fields by default; the rest are usually available through a "show original" or "view source" option.

The body

The body of an email is simply the content that a recipient sees and interacts with.

The envelope, the header and the body are all potential weak spots in organizations' security perimeters. The From address in the header is not tied to the envelope sender, so an attacker in control of their own email server can put any display name and address in the From field, or target an employee with a convincing impersonation of a trusted colleague or partner. (See other Tessian blogs for examples of display name and domain impersonation, which are regularly used to target enterprises and their employees in spear phishing campaigns.)

So which parts of today's email security stack pose potential risks to people and companies?

Shortcomings of traditional email security tools

Secure Email Gateways: Secure Email Gateways – also known as SEGs or Email Security Gateways – have been deployed by organizations for decades. SEGs offer an all-in-one solution that blocks spam, phishing and some malware before it reaches employees' inboxes, and may add email encryption to make communications harder to intercept. As with DLP tools (see below), SEGs operate largely on rules and signatures, so they defend best against threats the system or organization has seen before.

DLP: Essentially, Data Loss Prevention (DLP) software is meant to stop organizations leaking sensitive data.
DLP software monitors entry and exit points within a corporate network, such as user devices, email clients, servers and gateways. Like SEGs, DLP tools are largely rule-based (keyword lists, regular expressions, fingerprints of known documents), which limits the range of new and evolving threats they can catch.

SPF / DKIM / DMARC: SPF, DKIM and DMARC are email authentication mechanisms that, in short, help protect organizations against attackers spoofing their domains. SPF publishes in DNS which servers may send mail for a domain, and is checked against the envelope sender; DKIM lets the sending server sign a message with a key published in DNS; DMARC ties both checks to the From address the recipient actually sees, and tells receivers what to do (nothing, quarantine or reject) when neither check passes for that domain. Although they can stop a great deal of spoofing, their effectiveness is limited by adoption. The vast majority of organizations around the world have not yet implemented DMARC, which means attackers can still spoof those companies' domains at will. (For more information, head to Tessian's blog on DMARC.)

The traditional technological armory used by enterprises hasn't changed much in years. So how can employees and security professionals make sure organizations are well-equipped to defend against email attacks?

Best practices for email security

It's vital that employees and organizations alike maintain strong email security. Although most traditional enterprise security products put up reasonably good defenses against the vast majority of spam and "bulk" phishing attacks, more advanced spear phishing emails and Business Email Compromise scams still evade them. What's more, they still don't prevent accidental data loss or deliberate exfiltration via email. Here are a few key strategies virtually all organizations can employ to get the basics right.

Password protection

Even when organizations and attackers are in a cybersecurity arms race, the basics of good security still apply. (To see how Tessian is helping Arm with the basics of email security, read the case study.) Email accounts need strong, unique passwords, ideally long and randomly generated: a good rule of thumb is that if a password is short enough to remember easily and is reused elsewhere, it isn't strong enough. Where the mail provider supports it, multi-factor authentication should be switched on as well, because a password alone can still be phished.
If your organization uses a password management tool like LastPass or 1Password, make sure all passwords are stored in that system rather than in documents or browser profiles.

Manage sensitive information carefully

Organizations control all kinds of sensitive data, and the popularity of flexible working means that security leaders need to be especially vigilant about how data moves inside and outside their networks. Sensitive customer or employee information should never be sent to non-business email addresses, whether through carelessness or malicious intent.

Leverage technology to train employees

Training and awareness is regularly talked up among cybersecurity practitioners. The problem is that taking employees away from their day-to-day duties and delivering context-free workshops on cybersecurity will rarely result in better vigilance and lasting threat protection. It's better to invest in technology that delivers in-situ, contextual training, so employees learn from activity in their own inboxes at the moment a risky action is about to happen.

Invest in machine learning to outsmart bad actors

Today, too many email security products operate with complex lists of rules that govern which email threats can be detected. In addition, a lack of more intelligent offerings has led organizations to adopt security products that focus on protecting networks and individual devices, rather than the single most influential ingredient in any company's security performance: its employees. At Tessian, we think security software should be people-oriented. When machines only protect other machines, the people who actually handle the data are left out; software should instead learn from each employee's email activity and refine its judgement over time. Machine learning offers organizations the opportunity to make their email protection more intelligent and better able to deal with evolving, unpredictable threats.

Email has come a long way from those first ARPANET messages. But there's still further to go.
At Tessian, we’re building Human Layer Security for Email: our platform understands people’s behavior and prevents advanced threats in real time. We secure hundreds of thousands of employees at some of the world’s leading enterprises. To understand whether now is the right time for your organization to invest in a better email security solution, speak to one of our experts today.
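The envelope/header distinction in the Email 101 section above and the SPF/DKIM/DMARC paragraph come together in DMARC's alignment check, which is the step that actually stops header From spoofing. The following is an added example, not code from this article or from Tessian: it takes SPF and DKIM results as if an upstream checker had produced them (no DNS lookups, no signature verification) and shows why a spoofed message can pass SPF and DKIM for the attacker's own domain yet still fail DMARC for the domain in the From header. The domains, the two sample messages and the two-label organizational-domain shortcut in `org_domain()` are assumptions made for the example.

```python
"""DMARC identifier alignment: tying SPF and DKIM results to the header From.

Added example (not the article's or Tessian's code). SPF and DKIM outcomes are
passed in as if an upstream checker had produced them: there are no DNS
lookups and no signature verification. The messages, domains and the
org_domain() shortcut are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: a genuine message. Its envelope sender (MAIL FROM) will be on a
# bounce subdomain, which is common in practice and is why relaxed alignment exists.
LEGIT_MSG = """\
From: "Example Bank" <alerts@bank.example>
To: customer@mail.example
Subject: Your statement is ready
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bank.example; s=s2019; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
Message-ID: <1@bank.example>

Your statement is available in online banking.
"""

# Constructed: a spoof. The attacker owns attacker.example, so SPF and DKIM can
# both pass for *that* domain, but the From header the victim sees says bank.example.
SPOOF_MSG = """\
From: "Example Bank" <alerts@bank.example>
To: victim@corp.example
Subject: Urgent: updated wire instructions
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=attacker.example; s=x; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
Message-ID: <2@attacker.example>

Please use the new account details attached.
"""


def domain_of(address: str) -> str:
    """Domain part of an address such as 'alerts@bank.example'."""
    if "@" not in address:
        raise ValueError(f"no domain in address: {address!r}")
    return address.rsplit("@", 1)[1].strip(" <>").lower()


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.

    Assumption for the example: real DMARC uses the Public Suffix List, so this
    shortcut is wrong for suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def header_from_domain(raw_message: str) -> str:
    """The RFC5322.From domain: the identity DMARC protects and the user sees."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return domain_of(addr)


def dkim_signing_domain(raw_message: str):
    """The d= tag of the DKIM-Signature header, or None when there is no signature."""
    sig = message_from_string(raw_message).get("DKIM-Signature")
    if not sig:
        return None
    for tag in sig.replace("\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return None


def dmarc_evaluate(raw_message, spf_result, envelope_mail_from, dkim_result,
                   policy, aspf="r", adkim="r"):
    """Return the DMARC result and the disposition the From domain's policy asks for.

    spf_result / dkim_result: 'pass' or 'fail' from the (simulated) upstream checks.
    envelope_mail_from: the RFC5321.MailFrom address, i.e. the envelope sender SPF checked.
    policy: the p= value of the From domain's DMARC record ('none', 'quarantine', 'reject').
    """
    from_domain = header_from_domain(raw_message)
    spf_aligned = spf_result == "pass" and aligned(domain_of(envelope_mail_from), from_domain, aspf)
    d = dkim_signing_domain(raw_message)
    dkim_aligned = dkim_result == "pass" and d is not None and aligned(d, from_domain, adkim)
    passed = spf_aligned or dkim_aligned
    return {
        "header_from": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


if __name__ == "__main__":
    # Genuine mail: SPF passes for the bounce subdomain and aligns under relaxed mode.
    print(dmarc_evaluate(LEGIT_MSG, "pass", "bounce@mail.bank.example", "pass", "reject"))
    # Spoof: SPF and DKIM pass for attacker.example, neither aligns with bank.example.
    print(dmarc_evaluate(SPOOF_MSG, "pass", "bounce@attacker.example", "pass", "reject"))
```

Note the second result: "pass" from SPF and DKIM on their own is meaningless to the recipient, because both passed for the attacker's domain. Only the alignment step asks whether those passes belong to the domain the user is looking at, and only a published DMARC policy turns that failure into a quarantine or reject; with no record, the message is delivered as normal, which is the adoption gap the article points to.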
Data Loss Prevention Human Layer Security
The Dark Side of Sending Work Emails “Home”
By Cai Thomas
11 October 2019
This article was originally published on TechRadar Pro.

In the last four years, the number of remote working jobs has more than doubled, as employers acknowledge the need to change traditional working practices. In fact, it's expected that 50% of the UK workforce will work remotely by 2020, further blurring the lines between home and the office. This shift has huge benefits: it improves people's work-life balance, increases employee productivity and boosts retention rates. However, it also poses a problem for one very important aspect of business: data security.

Data is at greater risk because staff are more likely to send important, and even confidential, company information to personal email accounts, usually intending to work on documents at home. Worryingly, many are completely unaware how risky this is. According to tech firm Probrand, nearly two-thirds of UK employees have forwarded customer emails to their personal email accounts, and 84% of them did not feel they were doing anything wrong. So what are the risks of sending work home? And which workers do you need to be wary of?

1. The 24/7 worker

While many of the emails sent "home" contain non-sensitive information, like travel arrangements, cinema tickets or food recipes, we've seen that around 10-15% of emails sent to personal accounts contain company-sensitive information. We've all been there: it's late on a Friday, that Monday deadline is looming, and the employee thinks, "I'll just have to finish this document at home over the weekend". So they send the document to their own, or their partner's, personal freemail account. This can have devastating consequences for the company's reputation and destroy customers' trust in the business. The problem is that once an email is sent "home", the information it contains sits in an environment the company neither secures nor controls, leaving the data exposed to whoever compromises that account.
It's also important to note that this simple act means your company is now at risk of breaching data protection regulations, like GDPR, because you, as the Data Controller, no longer have oversight of where the data is held. Boeing, for example, faced scrutiny after an employee shared a spreadsheet containing the personal information of 36,000 co-workers with his spouse, simply because she was better at Excel formatting than he was. The incident sparked an internal security investigation and was brought to the attention of the Washington state Attorney General and officials in California, because employee data had left the control of the company.

2. The leaver

We often see a spike in data exfiltration during an employee's notice period. Workers know they're not supposed to, but the temptation to take information that will give them an advantage in their new role is hard to ignore. As such, we see people sending company IP and client data to personal accounts before moving to another employer. This happens most often in industries such as financial services, legal, healthcare and recruitment, where a person's client base and network is king. Manually monitoring suspicious "leaver" behaviour over email has become incredibly challenging for IT staff as employee churn rises year on year: a study by LinkedIn found that young workers now switch jobs four times in their first 10 years after graduation. But companies that don't put a stop to this could lose their competitive advantage, as well as their clients' business, through leaked secrets, strategy and IP.

3. The malicious insider

This is where employees steal data from their company for personal or financial gain. Although less common, the "malicious insider" is something businesses have come up against more frequently in the past few years.
Employees will typically steal confidential company secrets and/or client data to sell on the dark web or hand to a competitor in order to damage their current employer. Just last year, Bupa fell victim to this crime after the personal data of 500,000 customers was sold on the dark web, while audit firm SRBC and Co.'s reputation was tarnished after a client's earnings estimate was maliciously leaked over email.

An intelligent solution for a flexible workforce

There is no denying that monitoring all employee email behavior is an arduous task for IT and compliance teams. With the average employee sending and receiving 124 emails a day, and daily email traffic increasing 5% year on year, spotting data exfiltration in email logs is like finding a needle in a haystack. To tackle the problem of data leaking to unauthorized accounts, some organizations simply blacklist all freemail domains. However, this impedes productivity and is usually ineffective, since many clients, small businesses and contractors use freemail accounts, as do prospective applicants for jobs at the company. Businesses need a more intelligent approach: one that looks at the emails each employee has sent and received in the past in order to identify the non-business contacts each employee legitimately interacts with. Machine learning, for example, can learn the difference between authorized and unauthorized freemail accounts, and can analyze email content to determine whether it is sensitive. On that basis it can make an accurate prediction as to whether an employee is exfiltrating data and acting against company policy.

There will always be reasons for people to bend the rules and leak data outside their organization, maliciously or for convenience. The consequences, though, could be devastating for any company: huge fines, loss of competitive advantage and a damaged reputation. So as more businesses adopt remote working, it's important that technologies are in place to ensure company-sensitive data is secure and not at risk of "being sent home".
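The approach described above (learn each employee's established contacts from past traffic, then judge a new freemail recipient in that light rather than blocking freemail wholesale) can be shown in a deliberately simple, rule-based form. The following is an added example, not Tessian's code or its machine-learning model: the freemail list, the history log, the "looks like the sender's own account" heuristic and the allow/warn/block policy are all assumptions, and the history and events are constructed inline.

```python
"""Flagging outbound mail to personal accounts using an employee's own history.

Added example, not Tessian's code: a baseline version of the approach in the
article. The freemail list, history, events and thresholds are constructed.
"""
import re
from collections import Counter

# Assumption: a small list stands in for a maintained freemail-domain feed.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Constructed history: (direction, employee, external counterpart). In a real
# deployment this comes from the mail gateway's logs over weeks or months.
HISTORY = [
    ("in",  "jane.doe@corp.example", "recruiter@gmail.com"),
    ("out", "jane.doe@corp.example", "recruiter@gmail.com"),
    ("in",  "jane.doe@corp.example", "recruiter@gmail.com"),
    ("out", "jane.doe@corp.example", "bob@partner.example"),
    ("in",  "jane.doe@corp.example", "bob@partner.example"),
]

# Assumption: file types that commonly carry business data.
SENSITIVE_ATTACHMENT = re.compile(r"\.(xlsx?|csv|docx?|pptx?|pdf|zip)$", re.I)


def split_address(addr):
    local, _, domain = addr.lower().partition("@")
    return local, domain


def name_tokens(local_part):
    """'jane.doe' -> {'jane', 'doe'}: digits and separators are dropped."""
    return {t for t in re.split(r"[^a-z]+", local_part.lower()) if len(t) >= 3}


def established_contacts(history, employee, min_interactions=2):
    """External addresses this employee has exchanged mail with at least
    min_interactions times, in either direction."""
    counts = Counter(c for _, e, c in history if e == employee)
    return {c for c, n in counts.items() if n >= min_interactions}


def looks_like_own_account(sender, recipient):
    """True when the recipient's local part contains all of the sender's name
    tokens, e.g. jane.doe@corp -> jane.doe.home@gmail.com or janedoe1985@yahoo.com."""
    s_tokens = name_tokens(split_address(sender)[0])
    r_local = re.sub(r"[^a-z]", "", split_address(recipient)[0])
    return bool(s_tokens) and all(t in r_local for t in s_tokens)


def assess(event, history):
    """Return (verdict, reasons) for one outbound message.

    event: {'from': str, 'to': [str], 'attachments': [str]}
    verdict: 'allow', 'warn' (ask the sender to confirm) or 'block'.
    Policy is an assumption: a new freemail recipient plus a data-bearing
    attachment blocks; a new freemail recipient alone only warns.
    """
    sender = event["from"]
    known = established_contacts(history, sender)
    reasons = []
    for rcpt in event["to"]:
        _, domain = split_address(rcpt)
        if domain not in FREEMAIL_DOMAINS:
            continue  # corporate or partner domain: out of scope for this check
        if rcpt.lower() in known:
            continue  # an established freemail contact (client, contractor, applicant)
        reasons.append(f"{rcpt}: new freemail recipient")
        if looks_like_own_account(sender, rcpt):
            reasons.append(f"{rcpt}: local part matches sender's name (likely own personal account)")
    sensitive = [a for a in event.get("attachments", []) if SENSITIVE_ATTACHMENT.search(a)]
    if reasons and sensitive:
        reasons.append("attachments: " + ", ".join(sensitive))
        return "block", reasons
    return ("warn" if reasons else "allow"), reasons


# Constructed events for the employee above.
EVENT_HOME = {"from": "jane.doe@corp.example", "to": ["jane.doe.home@gmail.com"],
              "attachments": ["Q3_forecast.xlsx"]}
EVENT_RECRUITER = {"from": "jane.doe@corp.example", "to": ["recruiter@gmail.com"],
                   "attachments": ["cv.pdf"]}
EVENT_PARTNER = {"from": "jane.doe@corp.example", "to": ["bob@partner.example"],
                 "attachments": ["contract.docx"]}
EVENT_NEW = {"from": "jane.doe@corp.example", "to": ["someone@yahoo.com"], "attachments": []}

if __name__ == "__main__":
    for ev in (EVENT_HOME, EVENT_RECRUITER, EVENT_PARTNER, EVENT_NEW):
        print(ev["to"], assess(ev, HISTORY))
```

The recruiter case is the one a blanket freemail blacklist gets wrong: the address is on gmail.com, but three prior exchanges make it an established contact, so it is allowed. The "home" case is the one the blacklist and the history-based check both catch, and the name-match reason is what tells the sender, or the reviewer, why.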
Data Loss Prevention
Behind the “Fat Finger”: all you need to know about misdirected emails
19 September 2019
Email is among the most used communication tools in the world. Research suggests that as of 2019, almost 300 billion emails are sent and received per day. Email has many powerful benefits, but it has given organizations significant security headaches too. No question: over the past few years, fending off email security threats has become a much higher priority for organizations. Today, senior leaders recognize that people pose a real threat to organizations' security: 30% of enterprise cyber incidents are caused by employees. Although eye-catching and sophisticated scams like spear phishing regularly make headlines, one of the most common threats to email security is email misdirection.

What is a misdirected email?
So what kinds of errors actually lead to misdirected emails?

1. Spelling mistakes

One of the most common causes of a misdirected email is a user mistyping the address of the intended recipient. A single dropped or swapped character is enough to send a message to a different, perhaps unrelated, mailbox, and if that address exists the message is delivered without any error. (As well as internal emails, the risk applies when dealing with clients, external partners or other suppliers.) Accidentally sending an email to the wrong address often happens when employees are rushing, or switching focus too quickly while multitasking.

2. Autocomplete

Today, the average person spends nearly a third of their working week on email. To save time, it's not surprising that people rely on the Autocomplete feature available in most email clients, including Microsoft Outlook, Yahoo and Gmail. With Autocomplete, people rarely have to type an address in full, relying instead on its speed and convenience. While Autocomplete boosts productivity, it raises the risk of mistakes: offering a suggested recipient to a sender who has typed only the first few letters of a name makes it easy to pick a different contact with a similar name, and the mistake is easy to miss because the address looks "right" at a glance.

3. To/Cc instead of Bcc

The Blind Carbon Copy (Bcc) function lets the sender hide certain recipients from the others. Because Bcc recipients are not listed in the message headers, they also stay out of any later "Reply All" on the thread. In a work environment, it is often essential to use Bcc when sending a sensitive message to a group of people, for example a mailing to patients or customers who must not be able to see each other's addresses. Human error plays a part here, though. A common mistake is the sender putting those addresses into the To or Cc fields rather than Bcc. The result is that every recipient's address is exposed to all the others, with the potential for data loss and compliance breaches.
This can be particularly damaging if the email concerns a sensitive matter such as healthcare, where the list of recipients itself reveals something about each person. Knowing which people in your address book need to be handled sensitively is vital: exposing their email addresses can have disastrous consequences for organizations.

4. Accidental "Reply All"

People mistakenly using "Reply All" instead of replying to a single recipient can put data at risk. "Reply All" errors can disclose account details and personal information to a far wider audience than intended. (They can also damage productivity: last year, an email was accidentally sent to 22,000 employees of the state of Utah, and the subsequent "reply all" messages from staff clogged up everyone's inboxes.)

As we've seen, a number of circumstances lead to misdirected emails in the workplace. So what are the consequences of this kind of error?

In enterprise environments, the content of the message (as well as its attachments and links) may include highly sensitive information that regulated organizations have an obligation to protect. For example, law firms often send privileged client data related to ongoing legal matters via email. A pharmaceutical company, meanwhile, may have to pay particular attention to highly sensitive personal information such as patient records. Many countries have introduced or are introducing stricter data protection laws: GDPR in the European Union, the California Consumer Privacy Act and the Notifiable Data Breaches scheme in Australia are just a few examples of recent legislation that punishes non-compliance more severely. Under GDPR, organizations failing to control human error on email systems could face fines of up to 4% of annual global turnover or €20m, whichever is greater. For organizations, the margin for error when it comes to misdirected emails is growing slimmer.
The second consequence concerns trust and reputation. Unlike dialing a wrong phone number, which might be slightly embarrassing, sending a misdirected email and suffering a data breach as a result can significantly undermine the confidence that clients, shareholders and partners have in an organization. Negative coverage in the press and on social media damages the perception of a company's brand, and a quick Google search is all it takes to see the harm done to an organization's credibility. Earlier this year, an NHS employee sent executives an email containing sensitive personal data on 24 NHS employees, all of whom were copied in on the message.

Looking to the future, organizations will have to adopt security solutions that reduce the risk of human error. Tessian's Guardian filter allows enterprises to take control of the errors that happen on email. When a technological solution lets system administrators automatically warn the sender, in real time, that they are about to send an email to the wrong person, that organization is in a more secure and stable place. Speak to one of Tessian's cybersecurity experts today, and learn whether we could help your organization.
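The first three causes listed in this article (a mistyped address, an autocomplete near miss, and a group put in To/Cc where Bcc was meant) can all be checked before the message leaves the client. The following is an added example, not Tessian's Guardian or any code from the article: it compares each recipient against the sender's known contacts by edit distance, flags domains that differ from the company's own by a character or two, and warns when too many external domains are visible to each other. The contact list, the internal domain and the thresholds are assumptions, constructed for the example.

```python
"""Pre-send checks for the misdirection causes described above.

Added example, not Tessian's code. KNOWN_CONTACTS, INTERNAL_DOMAIN and the
numeric thresholds are assumptions; a real deployment would build the contact
set from the sender's mail history.
"""

INTERNAL_DOMAIN = "corp.example"

# Constructed: addresses this sender has mailed before.
KNOWN_CONTACTS = {
    "john.smith@partner.example",
    "anna.lee@clientco.example",
    "sam@vendor.example",
    "legal@corp.example",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by the standard row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.lower().rpartition("@")[2]


def check_recipients(to, cc, bcc, known=KNOWN_CONTACTS, internal=INTERNAL_DOMAIN,
                     max_visible_external_domains=2):
    """Return a list of (severity, message) warnings to show the sender before sending.

    Three checks, one per cause in the article:
      * near miss: an unknown address within 2 edits of a known contact
        (jon.smith vs john.smith, or an autocomplete pick with a similar name)
      * lookalike domain: a domain within 2 edits of the company's own
      * To/Cc exposure: more than max_visible_external_domains distinct external
        domains can see each other, so Bcc was probably intended
    """
    warnings = []
    visible = [r.lower() for r in to + cc]
    known_domains = {domain_of(k) for k in known} | {internal}
    for rcpt in visible + [r.lower() for r in bcc]:
        if rcpt in known:
            continue
        close = sorted(k for k in known if levenshtein(rcpt, k) <= 2)
        d = domain_of(rcpt)
        if close:
            warnings.append(("high", f"{rcpt}: not a known contact but within 2 edits of {close[0]}"))
        if d != internal and levenshtein(d, internal) <= 2:
            warnings.append(("high", f"{rcpt}: domain {d} looks like {internal}"))
        elif d not in known_domains:
            warnings.append(("low", f"{rcpt}: first email to this address and domain"))
    external = {domain_of(r) for r in visible} - {internal}
    if len(external) > max_visible_external_domains:
        warnings.append(("medium", f"{len(external)} external domains visible in To/Cc; "
                                   "use Bcc if recipients should not see each other"))
    return warnings


if __name__ == "__main__":
    print(check_recipients(["jon.smith@partner.example"], [], []))
    print(check_recipients(["legal@corp.exmaple"], [], []))
    print(check_recipients(["john.smith@partner.example", "anna.lee@clientco.example"],
                           ["sam@vendor.example"], []))
```

The edit-distance threshold is the knob to watch: 2 catches the cases the article describes while keeping short addresses from matching each other spuriously, but on very short local parts it will still fire on unrelated names, so a real tool would weight the distance by address length or restrict it to the local part and domain separately.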
Data Loss Prevention
The Risks of Sending Data to Your Personal Email
02 April 2019
Across all industries, people routinely send work from their corporate email account to their personal account so they can work more easily from home or outside office hours. On the surface this may not look like a great threat to your organization, whether because your employees are careful or because the data they handle isn't sensitive enough to matter.

The main reason employees send work home is that it's easier. Easier than accessing files through the corporate VPN, easier than digging out the randomly generated password for their work email to use at home, easier than printing everything they need and carrying it home. They send an email, go home, and the documents are ready and waiting.

In early 2017, an airline employee sent a spreadsheet containing approximately 36,000 employee records home so his wife could help with a formatting problem. Based on data from the Ponemon Institute, this single spreadsheet may have cost the company as much as $5.7m. A security breach like this (it doesn't have to be damaging, or even publicized, to constitute a breach) will most of the time cause no damage and require no clean-up, but the one time it does, the financial and reputational risk can be high.

There is also the possibility that disgruntled employees deliberately send information to their personal email in order to pass it on to competitors or the press, as happened in 2016: a former employee at a UK law firm was found liable by the ICO and prosecuted under the Data Protection Act for sending confidential client data to their personal account, which they hoped to use as leverage in their new role at a rival company.
Loss of data through personal email could mean:
• Breach of contracts or non-disclosure agreements
• Loss of IP and proprietary research
• Breach of data protection regulations
• Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)

In brief: something as seemingly insignificant as sending sensitive company data to a personal email account can be devastating.

"Nearly 75% of office employees send work files to a personal email account, a majority of whom say it's because they prefer using their own computer, while 14% say it's because it's too much work to bring their work laptop home."

How do you fix the problem?

1. Educate your workforce
Make sure your employees know how to observe best data security practices. Make sure they understand how to secure the data they work with, especially confidential data, and ensure they adhere to company data security policies, hosting refresher courses if necessary. The ICO has released some posters to help you on your way.

2. Ease of access
Try as much as possible to ensure that your employees don't feel the need to send work to their personal email. Implement secure file storage platforms they can reach from home (SharePoint, G Suite, etc.) or a corporate VPN so they can securely access the company network from anywhere. You need to strike the happy medium between "easy to use but insecure" and "airtight but really disruptive".

3. Be proactive, not reactive
Choose email security platforms that offer the most complete protection against sending to unauthorized email accounts before it becomes a problem, instead of scrambling for a solution in the aftermath. Find a solution that tracks and logs attempts to send data to a personal email address, and use the metrics to open a conversation with employees about data protection.
Data Loss Prevention
Risks of Email Communication
26 February 2019
A consumer survey conducted by Adobe in 2018 found that on a typical weekday, respondents check their work email for an average of 3.1 hours and their personal email for 2.5 hours. According to research conducted by McKinsey in 2012, reading and answering email accounts for 28% of the average employee's workday. This makes email one of the most habitual tasks employees perform, which in turn makes changing this user behavior that much more challenging.

Email's speed and ubiquity also make it one of the single biggest threats to a company, its employees and its data. Employees at all levels, in all industries, depend on the ability to communicate quickly and easily to get their jobs done. Investment bankers share market-sensitive information to buy and sell companies. Lawyers share evidence on litigation matters. Hedge fund managers share data on positions or trading strategies. Over the past 20 years, email has grown to become the main artery of communication for the enterprise.
Human error is incredibly difficult to understand, let alone predict. Changes in people's stress levels, morale, engagement and attention can all lead to misdirected emails. While a growing number of enterprise processes are now automated, email communication still relies on human interaction and judgement, which makes it particularly vulnerable to human error. No matter how structured or ingrained a process or behavior is, mistakes are inescapable and inevitable.

The risk of data leakage is heightened by many of the factors that make email so useful. The same email address sends personal and professional messages, often in succession. Email is platform agnostic: you can send to any other address regardless of the client or provider behind it, which makes it very difficult to build a complete security solution for a channel with so many front ends and configurations. As email becomes easier to use, the associated risks also increase. Paul Regan, Head of Cybersecurity at Winterflood Securities, noted that misdirected emails are where his firm has seen the biggest risk in the last couple of years.
Email used to be much more manual, but functions such as those Regan refers to have upped the risk, and even with an emphasis on data privacy training, the risks have grown. Hyde pointed to another worrying trend: “The way email used to be used was very manual. As time has gone on, it’s become much easier to use. It’s available on more devices, better at predicting what you’re going to do – but with that ease of use comes risk. “We trust the technology hugely, so that when something goes wrong it happens so quickly that it’s impossible to do anything about it – that’s the reality of email.” A misdirected email, such a seemingly small mistake, could heavily damage your relationships with clients and your level of public trust.
“Imagine, your most important client receives an email with financial or sensitive information going to somebody else. You have a good chance of losing that client and certainly your standing will be hit.” “It’s too late to go back now”, noted Regan. “I feel that email is an inherently weak medium, and it’s not going to change. “Deploying Tessian for us is recognition that our employees are trying to do the right thing. “This is not about having some central security department, overseeing everybody and trying to catch someone doing bad things. It’s a safety net that catches things that otherwise would be a problem,” said Hyde.
Data Loss Prevention
Bupa Fined £175,000: The Risks and Costs of Unauthorized Emails
18 October 2018
As the recent Bupa data breach highlighted, the sending of unauthorized emails – an email that is intentionally sent to an unauthorized recipient, such as an employee’s personal email account – can have a detrimental financial and reputational impact upon an organization. The global insurance and healthcare group’s failure to prevent the exfiltration and attempted sale of over half a million international health insurance customers’ personal information led to a £175,000 fine and a damning evaluation of its negligent security practices.
The loss of consumer data can also result in:
• Breaching contracts or non-disclosure agreements
• The loss of IP and proprietary research
• Breaching data protection regulations
• Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)

Despite such demonstrably damaging ramifications, many organizations do not have sufficiently secure networks and, as a result, lack the necessary visibility over how sensitive data is processed and stored. Before they know it, sensitive data is shared, stolen and sold; the damage is done. For large organizations like Bupa, monitoring thousands of employees and hundreds of thousands of email communications containing millions of pieces of data can seem an insurmountable and relentless task. In 2018, it is estimated that 124.5 billion business emails were sent every day, with each employee sending an average of 31. These figures are only expected to increase (at a rate of 3% per annum over the next few years) as corporate email networks grow in size and importance.

Organizations that hold large amounts of highly sensitive patient or consumer data, as Bupa does, have a duty to prevent this kind of breach. If they cannot monitor or control employee behaviour, they must find and invest in an approach and solution that can prevent unauthorized emails from being sent. It's crucial to be proactive, rather than reactive, in addressing this kind of threat. As such, we recommend enterprises employ an email security platform that offers comprehensive protection against the sending of unauthorized emails. Tessian Enforcer, for example, uses machine learning to understand human conversation patterns in order to detect, flag and prevent anomalous emails, which may contain sensitive data, from being sent to unauthorized or personal email accounts.