
Email DLP

Read our latest articles, tips and industry-specific news around Data Loss Prevention (DLP). Learn about the implications of data loss on email.

Tags: ATO/BEC, Email DLP, Integrated Cloud Email Security, Compliance
7 Ways CFOs Can (And Should) Support Cybersecurity
By Maddie Rosenthal
29 July 2021
We’ve said it before and we’ll say it again: cybersecurity is a team sport. That means that (like it or not) the responsibility and burden sits with everyone, including the Chief Finance Officer (CFO). That’s right: quantifying cyber risk, navigating cyber insurance policies, and negotiating ransom with hacking groups can all be part of the job spec.

If you’re a CFO who’s struggling to understand their role in cybersecurity, keep reading. We share 7 opportunities to get involved and protect your company’s assets.

Note: Every company is different. Size, revenue, industry, and reporting structures all play a role. This is general advice meant to provide a bird’s eye view of a CFO’s potential involvement in cybersecurity.

1. Quantify risk

It can be hard for the C-suite to see the value of a solution when they haven’t yet experienced any consequences without it. As the saying goes, “If it ain’t broke, don’t fix it”. That’s why it’s so important CFOs step in to quantify risk using specific “what-if” scenarios. The most basic formula is: probability x expected cost.

Let’s use the example of an email being sent to the wrong person. We know at least 800 misdirected emails are sent every year in organizations with 1,000 employees. The expected cost, of course, depends on the email content and recipient, but let’s look at the worst-case scenario. What would the cost be if your press release for an upcoming, highly confidential merger and acquisition landed in a disgruntled former employee’s inbox? How would this impact the M&A itself? The company’s reputation? Revenue? Not a risk worth taking.

Learn more about the key security challenges organizations face during M&A events.

2. Benchmark spending against other organizations

Just like a marketing team should use a benchmark to determine whether or not their email list is engaged, CFOs should use a benchmark to determine how much they should be spending on cybersecurity. Think of it as your North Star.

Fortunately, it’s relatively easy to determine how much your competitors or industry mavericks are shelling out, at least if they’re publicly traded. A good place to start is their S-1. Here, you’ll be able to see what percentage of the company’s revenue goes towards Sales and Marketing, Research and Development, and General and Administrative. This should give you a good idea of how to allocate your revenue.

You can also look at more general benchmark reports. For example, according to a Deloitte study, cybersecurity spending has increased YoY, from 0.34% of a company’s overall revenue in 2019 to 0.48% in 2020. In 2020, that equated to $2,691 per full-time employee.

Bonus: Did you know you can also benchmark your security posture against your industry peers with Tessian Human Layer Security Intelligence? Learn more.

3. Vet cyber insurance policies

Today, virtually every business needs cyber liability insurance. If you run a business that stores client, customer, or partner data, you need it. But it’s money wasted if you aren’t fully familiar with the policy terms.

Check to make sure your first-party cyber insurance includes:
- Breach response recovery (including technical and legal advice)
- Forensic analysis for identifying the attack source
- Event management (including data recovery, PR services, and notification of clients)
- Cyber extortion
- Network/business interruption (including those that are the result of an attack on a third party)
- Dependent business interruption
- Credit monitoring services
- Consequential reputational loss or loss of income

It’s also worth exploring third-party cyber insurance to protect your company’s assets from subsequent compliance penalties and settlement costs. For example, Facebook settled a class-action lawsuit in Illinois over its use of facial recognition technology. The case reportedly settled for $550 million for a violation of the Biometric Information Privacy Act.

Third-party cyber insurance should include:
- Network security failures and privacy events
- Regulatory defense and penalties (including coverage for GDPR liabilities)
- PCI-DSS liabilities and costs
- Media content liability

4. Communicate with the board

In a sentence, the CFO is responsible for the financial security of an organization. And, in the event of a breach, financial security simply isn’t guaranteed. Don’t believe us? Check out the consequences of a breach, according to IT leaders:

[Embedded chart: consequences of a breach, according to IT leaders]

All of these will impact a company’s bottom line, including share value and rate of growth: two things the board doesn’t want to hear and news a CFO would hate to deliver. But this isn’t a case of shooting the messenger. The responsibility and burden of cybersecurity sits with everyone, remember?

Post-breach, the board, auditors, and other third parties will be examining how effectively budgets were allocated to prevent the worst. That’s why it’s essential the CFO is actively involved in creating and implementing cybersecurity strategies; they have skin in the game.

5. Create secure processes for the finance team

While, yes, the CFO holds the power of the purse and therefore influences the overall cybersecurity strategy, they also have a massive responsibility to secure their own team’s processes. After all, the finance department is one of the most targeted, specifically by invoice fraud, wire transfer fraud, and business email compromise.

- Between June 2016 and July 2019, FBI statistics show that wire transfer fraud via BEC occurred 166,349 times, and cost businesses over $26 billion.
- In 2019, the number of bank transfer phishing scams occurring in the UK increased by 40%.
- In 2017, the FBI received 15,690 complaints about BEC (primarily involving wire transfer), resulting in over $675 million in losses. In 2019, this increased to 23,775 complaints and over $1.7 billion in losses.

To protect against these incidents, CFOs should work with security teams to help train employees to spot scams, implement email security software to spot suspicious domains, and create fool-proof payment validation processes. For more tips, check out this article: Everything You Need to Know About Wire Transfer Phishing.

6. Negotiate ransom in the event of a ransomware attack

This is a position no CFO wants to be in. But, more and more, we’re seeing organizations being forced to comply with cyber criminals’ extortion demands. (See 7 Examples of Ransomware Attacks.) While this may seem far beyond the scope of a finance director’s role, they’re heavily involved in the process.

Of course, the first question to answer is: To pay? Or not to pay? This depends on an infinite number of factors, including the data being held, the hacking group who infiltrated the network, your cyber insurance policy, the company’s liquid assets… The list goes on.

To avoid being put between a rock and a hard place, CFOs (along with the rest of the C-suite and security team) should take prevention seriously, including anti-malware software, patching processes, and security for email, web, and other services. Tessian can help with email by preventing ransomware attacks at the source.

7. Know how to spot a phish

CFOs are generally among the most frequently targeted by phishing attacks. They’re also frequently impersonated. It makes sense: they have access to and control over the company’s money.

It’s essential, then, that CFOs are especially vigilant, know how to spot a spear phishing attack, and know what to do if they suspect an email, text, or call is malicious. Training, technology, and processes can help. If you want to learn more about how Nudge theory plays a role, check out this article about in-the-moment warnings.

Looking for more resources? Check out the following:
- Relationship 15: A Framework to Help Security Leaders Influence Change
- CEO’s Guide to Data Protection and Compliance
- Who Are the Most Likely Targets of Spear Phishing Attacks?
- Why Information Security Must Be a Priority for GCs in 2021
Tags: Remote Working, ATO/BEC, Data Exfiltration, Email DLP
How to Keep Your Data Safe in The Great Resignation
28 July 2021
The pandemic has changed people and society in ways we wouldn’t have thought imaginable just 24 months ago. Lockdown restrictions and remote working allowed many employees to reflect on what they want to do with their lives and the sort of companies they want to work for, as well as those they don’t.

Consequently, in April 2021 four million US workers quit their jobs, and according to recent research by Microsoft, over 40% of employees are considering leaving their employer this year. It’s being called ‘#TheGreatResignation’, and it presents a whole pile of problems for CISOs and other security leaders. Here are some of the common problems you might face in keeping data secure when staff move on.

Staff burnout

Let’s face it, everyone’s a little frazzled round the edges right now. Our 2020 report, The Psychology Of Human Error, revealed that a shocking 93% of US and UK employees feel tired and stressed at some point during their working week. Staff burnout was real before the pandemic, and it’s only got worse during it as the months have turned into years.

Over half the employees (52%) we surveyed said they make more mistakes at work when they’re stressed. And we know that as some employees move on, others are left to pick up the slack, adding to their stress and further increasing the potential for human error. This goes to show that this isn’t just a cyber security issue, it’s a people issue, so get your COO and HR team involved and start exploring ways to improve company well-being.

Mentally, they’ve already left

Staff who are leaving will have ‘mentally uncoupled’ from your organization and its processes well before they actually make their exit. They’re distracted – perhaps even excited – about their new future and where they’re going. Our survey found that 47% of employees surveyed cited distraction as a top reason for falling for a phishing scam, while two-fifths said they sent an email to the wrong person because they were distracted. This is made worse by the next problem…

“Hi, it’s Mark from HR, we haven’t met…”

Changing jobs can bring staff into contact with people they might not have had much contact with before. In a big multinational, we doubt many staff can name every member of the payroll team – they might even be in another country! Our How to Hack a Human report found that an overwhelming 93% of workers also update their job status on social media, while 36% share information about their job.

If an employee has announced their imminent departure on social media, they can potentially be targets of spear phishing by hackers impersonating HR or operations staff. These could contain seemingly innocuous requests for key card returns, contract documents, and even IT hardware. We’ve seen it before! Check out our Threat Catalogue to see real examples of phishing attacks targeting (and impersonating!) new starters.

Notice period exfiltration

Unless they’re leaving for a complete lifestyle change, like being a warden on a deserted Scottish island, many people tend to stay in the same sector or industry. This means there’s a high probability of staff going to one of your competitors.

Our research reveals an increase in data exfiltration during an employee’s notice period. In fact, 45% of employees admit to “stealing” data before leaving or after being dismissed from a job. You can see the temptation – what better way to make a great impression on your first day than by bringing a juicy file of customer data, source code, or other highly valuable IP? People will often extract these assets by emailing them to their personal accounts. This is a particular problem in sectors such as legal, financial services, and entertainment, where a client base and extensive networks are crucial.

New staff

So far all these problems have focused on leaving staff or those that remain, but another potential weak spot is the new hire that will replace them. They’ve yet to undertake security awareness training on your systems and processes. They may have also announced their new role on social media (which means they could fall victim to the same problem we explained in point 3). It all comes back to one crucial point: 85% of data breaches are caused by human error.

How Tessian helps

Security leaders have a big job; they have to secure networks, endpoints, and platforms like Slack and Microsoft Teams. But email remains the #1 threat vector. So how do you lock down email and prevent data exfiltration and successful phishing attacks? By empowering your people to do their best work, without security getting in the way. We believe employees should be experts in their respective fields, not in cybersecurity. Tessian’s suite of products secures the human layer, so that staff can concentrate on their roles and be empowered to do their best work.

- Tessian Defender: Automatically prevents spear phishing, account takeover, business email compromise, and other targeted email attacks.
- Tessian Enforcer: Automatically prevents data exfiltration over email.
- Tessian Guardian: Automatically prevents accidental data loss caused by misdirected emails and misattached files.
Tags: Data Exfiltration, Email DLP, Integrated Cloud Email Security
What is an Insider Threat? Insider Threat Definition, Examples, and Solutions
By Tessian
29 June 2021
Organizations often focus their security efforts on threats from outside. But increasingly, it’s people inside the organization who cause data breaches. There was a 47% increase in Insider Threat incidents between 2018 and 2020, including via malicious data exfiltration and accidental data loss. And the comprehensive Verizon 2021 Data Breach Investigations Report suggests that Insiders are directly responsible for around 22% of security incidents.

So, what is an insider threat and how can organizations protect themselves from their own people? Importantly, there are two distinct types of insider threats, and understanding their different motives and methods of exfiltration is key for detection and prevention.

Types of Insider Threats

The Malicious Insider

Malicious Insiders knowingly and intentionally steal data, money, or other assets. For example, an employee or contractor exfiltrating intellectual property, personal information, or financial information for personal gain. What’s in it for the insider? It depends.

Financial Incentives

Data is extremely valuable. Malicious insiders can sell customers’ information on the dark web. There’s a huge market for personal information—research suggests you can steal a person’s identity for around $1,010. Malicious Insiders can steal leads, intellectual property, or other confidential information for their own financial gain—causing serious damage to an organization in the process.

Competitive Edge

Malicious Insiders can steal company data to get a competitive edge in a new venture. This is more common than you might think. For example, a General Electric employee was imprisoned in 2020 for stealing thousands of proprietary files for use in a rival business. Unsurprisingly, stealing data to gain a competitive edge is most common in competitive industries, like finance and entertainment.

The Negligent (or Unaware) Insider

Negligent Insiders are just “average” employees doing their jobs. Unfortunately, “to err is human”… which means people can—and do—make mistakes.

Sending a misdirected email

Sending an email to the wrong person is one of the most common ways a negligent insider can lose control of company data. Indeed, the UK’s Information Commissioner’s Office reports misdirected emails as the number one cause of data breaches. And according to Tessian platform data, organizations with over 1,000 employees send around 800 misdirected emails every year. We’ve put together 11 Examples of Data Breaches Caused By Misdirected Emails if you want to see how bad this type of Insider Threat can get.

Phishing attacks

Last year, 66% of organizations worldwide experienced spear phishing attacks. Like all social engineering attacks, phishing involves tricking a person into clicking a link, downloading malware, or taking some other action to compromise a company’s security. A successful phishing attack requires an employee to fall for it. And practically any of your employees could fall for a sophisticated spear phishing attack. Want to know more about this type of Negligent Insider threat? Read Who Are the Most Likely Targets of Spear Phishing Attacks?

Physical data loss

Whether it’s a phone, laptop, or a paper file, losing devices or hard-copy data can constitute a data breach. Indeed, in June 2021, a member of the public found top-secret British military documents in a “soggy heap” behind a bus stop.

Looking for more examples of Insider Threats (both malicious and negligent)? Check out this article: 17 Real-World Examples of Insider Threats

How can I protect against Insider Threats?

As we’ve seen, Insider Threats are common. So why is it so hard to prevent them? Detecting and preventing Insider Threats is such a challenge because it requires full visibility over your data—including who has access to it. This means fully mapping your company’s data, finding all entry and exit points, and identifying all the employees, contractors, and third parties who have access to it. From there, it comes down to training, monitoring, and security.

Training

While security awareness training isn’t the only measure you need to take to improve security, it is important. Security awareness training can help you work towards legal compliance, build threat awareness, and foster a security culture among your employees. Looking for resources to help train your employees? Check out this blog with a shareable PDF.

Monitoring

Insider Threats can be difficult to detect because insiders normally leverage their legitimate access to data. That’s why it’s important to monitor data for signs of potentially suspicious activity. Telltale signs of an insider threat include:
- Large data or file transfers
- Multiple failed logins (or other unusual login activity)
- Incorrect software access requests
- Machine takeover
- Abuse by service accounts

Email Security

The vast majority of data exfiltration attempts, accidental data loss incidents, and phishing attacks take place via email. Therefore, the best action you can take to prevent insider threats is to implement an email security solution. Tessian is a machine learning-powered email security solution that uses anomaly detection, behavioral analysis, and natural language processing to detect data loss.
- Tessian Enforcer detects data exfiltration attempts and non-compliant emails
- Tessian Guardian detects misdirected emails and misattached files
- Tessian Defender detects and prevents spear phishing attacks

How does Tessian detect and prevent Insider Threats?

Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships — both inside and outside your organization. Tessian inspects the content and metadata of inbound emails for any signals suggestive of phishing—like suspicious payloads, geophysical locations, IP addresses, email clients—or data exfiltration—like anomalous attachments, content, or sending patterns. Once it detects a threat, Tessian alerts employees and administrators with clear, concise, contextual warnings that reinforce security awareness training.
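As an added illustration of the relationship-mapping approach described above (example code written for this page, not Tessian’s implementation): a small Python model learns each sender’s trusted recipients from constructed send history, then flags a never-seen recipient on a lookalike domain as a likely misdirected email and company attachments bound for a personal webmail domain as possible exfiltration. The webmail list, the one-edit lookalike rule, the signal names and all addresses are assumptions made for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption for the demo: consumer webmail domains are treated as "personal accounts".
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}


@dataclass
class Email:
    sender: str
    recipients: list
    attachments: list = field(default_factory=list)


def domain(addr: str) -> str:
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[1].lower()


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion
    (a cheap lookalike-domain test, e.g. acme.com vs acme.co)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # character deleted from a
        elif len(b) > len(a):
            j += 1          # character inserted into a
        else:
            i += 1          # substitution
            j += 1
    # Any unmatched tail characters are extra edits.
    return edits + (len(a) - i) + (len(b) - j) <= 1


class RelationshipModel:
    """Per-sender map of trusted recipient addresses and domains, learned from past traffic."""

    def __init__(self):
        self.addresses = defaultdict(set)  # sender -> recipient addresses seen
        self.domains = defaultdict(set)    # sender -> recipient domains seen

    def learn(self, history):
        for mail in history:
            for rcpt in mail.recipients:
                self.addresses[mail.sender].add(rcpt.lower())
                self.domains[mail.sender].add(domain(rcpt))

    def score(self, mail):
        """Return (signal, recipient) findings for one outbound email; an empty list means it looks normal."""
        findings = []
        known_addrs = self.addresses[mail.sender]
        known_domains = self.domains[mail.sender]
        for rcpt in mail.recipients:
            rcpt = rcpt.lower()
            d = domain(rcpt)
            if rcpt in known_addrs:
                continue  # established relationship, nothing anomalous
            lookalikes = [k for k in known_domains if k != d and within_one_edit(k, d)]
            if lookalikes:
                # Never-seen recipient on a domain one typo away from a trusted one.
                findings.append(("misdirected_lookalike_domain", rcpt))
            if d in PERSONAL_WEBMAIL and mail.attachments:
                # Company files heading to a personal account.
                findings.append(("exfiltration_to_personal_account", rcpt))
            elif d not in known_domains and not lookalikes:
                findings.append(("new_external_relationship", rcpt))
        return findings


# Constructed sample traffic (not real data) used to train the model.
HISTORY = [
    Email("alice@example-corp.com", ["bob@example-corp.com", "legal@acme.com"]),
    Email("alice@example-corp.com", ["legal@acme.com", "cfo@acme.com"], ["nda.pdf"]),
    Email("alice@example-corp.com", ["news@industry-digest.org"]),
]


def demo():
    """Score four constructed outbound emails; returns one findings list per email."""
    model = RelationshipModel()
    model.learn(HISTORY)
    outbound = [
        Email("alice@example-corp.com", ["legal@acme.com"], ["q3-forecast.xlsx"]),         # trusted recipient
        Email("alice@example-corp.com", ["legal@acme.co"], ["q3-forecast.xlsx"]),          # typo in domain
        Email("alice@example-corp.com", ["alice.personal@gmail.com"], ["customers.csv"]),  # personal account
        Email("alice@example-corp.com", ["partner@newvendor.io"]),                         # brand-new contact
    ]
    return [model.score(mail) for mail in outbound]


if __name__ == "__main__":
    for result in demo():
        print(result or "no findings")
```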
Tags: Remote Working
5 Reasons to Download Our Back to Work Security Behaviors Report
By Laura Brooks
15 June 2021
It’s been a whirlwind of a year and now – at last – employees around the world are heading back to the office. Well, at least some of them, some of the time. As we all well know, the future of work is hybrid. In fact, employees demand it, with 89% of employees wanting to work remotely part of the week. That means organizations have to adapt quickly and adopt new policies, collaboration tools, and ways of working. They’ll also have to evolve their cybersecurity strategies.

In our new research, Back to Work: Security Behaviors Report, we explore how employees’ security behaviors have changed and what security pitfalls IT teams need to address ASAP. You can access the report here or, if you need a bit of convincing to click, keep reading. Here are 5 reasons to download the report.

1. You’ll get actionable advice and insights from other security leaders

We surveyed 200 IT decision makers to understand what’s top of mind and how they’re tackling challenges related to remote and hybrid working. That means this report is packed with helpful insights that will help guide your cybersecurity strategy. For example:
- 69% of IT leaders believe ransomware will be a greater concern in a hybrid workplace
- 54% of IT decision makers are worried remote workers will bring infected devices and malware into the office
- 56% of IT leaders believe employees have picked up bad cybersecurity behaviors while working from home (more on that below…)

2. You’ll have access to tons of additional resources

Because this report was written to help security professionals, we’ve included four additional resources related to hybrid working, getting buy-in, phishing, and data loss prevention (DLP). Download the report for easy access!

3. We share threat intelligence related to phishing scams in the last 6 months

Between January and June, we saw a huge uptick in suspicious and malicious emails containing one specific term… Find out what it is on page 16.

4. You’ll gain a better understanding of employees’ security behavior

To get the big picture, we surveyed 4,000 employees in addition to the IT decision makers we mentioned in point 1. We found out that:
- 1 in 3 employees think they can get away with riskier security behaviors when working remotely
- 27% of workers are afraid to tell IT they’ve made a security mistake
- Just 51% of employees say they always report when they receive a phishing email or click on a phishing link

How will you incorporate these insights into your hybrid security strategy?

5. There’s plenty of good news

While the report is focused on how the threat landscape will change in a hybrid working environment, we also wanted to understand how the role of the CISO has changed (and is changing!) as a result. We have good news! We found out that 59% of IT leaders think their roles and responsibilities have been recognized as more important over the last year and that 67% say they have a seat at the table when it comes to office reopening plans. Download the report to see how these sentiments vary by industry.
Tags: Email DLP, Integrated Cloud Email Security, Compliance
At a Glance: Data Loss Prevention in Healthcare
By Maddie Rosenthal
30 May 2021
Data Loss Prevention (DLP) is a priority for organizations across all sectors, but especially for those in Healthcare. Why? To start, they process and hold incredible amounts of personal and medical data and they must comply with strict data privacy laws like HIPAA and HITECH. Healthcare also has the highest costs associated with data breaches – 65% higher than the average across all industries – and has for nine years running.

But, in order to remain compliant and, more importantly, to prevent data loss incidents and breaches, security leaders must have visibility over data movement. The question is: Do they? According to our latest research report, Data Loss Prevention in Healthcare, not yet.

How frequently are data loss incidents happening in Healthcare?

Data loss incidents are happening up to 38x more frequently than IT leaders currently estimate. Tessian platform data shows that in organizations with 1,000 employees, 800 emails are sent to the wrong person every year. Likewise, in organizations of the same size, 27,500 emails containing company data are sent to personal accounts. These numbers are significantly higher than IT leaders expected.

But, what about in Healthcare specifically? We found that:
- Over half (51%) of employees working in Healthcare admit to sending company data to personal email accounts
- 46% of employees working in Healthcare say they’ve sent an email to the wrong person
- 35% of employees working in Healthcare have downloaded, saved, or sent work-related documents to personal accounts before leaving or after being dismissed from a job

This only covers outbound email security. Hospitals are also frequently targeted by ransomware and phishing attacks, and Healthcare is the industry most likely to experience an incident involving employee misuse of access privileges. Worse still, new remote-working structures are only making DLP more challenging.

Healthcare professionals feel less secure outside of the office

While over the last several months workforces around the world have suddenly transitioned from office to home, this isn’t a fleeting change. In fact, bolstered by digital solutions and streamlined virtual services, we can expect to see the global healthcare market grow exponentially over the next several years. While this is great news in terms of general welfare, we can’t ignore the impact this might have on information security.

Half of employees working in Healthcare feel less secure outside of their normal office environment and 42% say they’re less likely to follow safe data practices when working remotely. Why? Most employees surveyed said it was because IT isn’t watching, they’re distracted, and they’re not working on their normal devices.

But, we can’t blame employees. After all, they’re just trying to do their jobs and cybersecurity isn’t top-of-mind, especially during a global pandemic. Perhaps that’s why over half (57%) say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job. That’s why it’s so important that security leaders make the most secure path the path of least resistance.

How can security leaders in Healthcare help protect employees and data?

There are thousands of products on the market designed to detect and prevent data incidents and breaches, and organizations are spending more than ever (up from $1.4 million to $13 million) to protect their systems and data. But something’s wrong. We’ve seen a 67% increase in the volume of breaches over the last five years and, as we’ve explored already, security leaders still don’t have visibility over risky and at-risk employees.

So, what solutions are security, IT, and compliance leaders relying on? According to our research, most are relying on security training. And, it makes sense. Security awareness training confronts the crux of data loss by educating employees on best practice, company policies, and industry regulation. But, how effective is training, and can it influence and actually change human behavior for the long term? Not on its own. Despite having training more frequently than most industries, Healthcare remains among the most likely to suffer a breach. The fact is, people break the rules and make mistakes. To err is human! That’s why security leaders have to bolster training and reinforce policies with tech that understands human behavior.

How does Tessian prevent data loss on email?

Tessian uses machine learning to address the problem of accidental or deliberate data loss. How? By analyzing email data to understand how people work and communicate. This enables Tessian Guardian to look at email communications and determine in real time if a particular email looks like it’s about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. Finally, Tessian Defender detects and prevents inbound attacks like spear phishing, account takeover (ATO), and CEO Fraud.
Tags: Data Exfiltration, Email DLP, Integrated Cloud Email Security, Compliance
The State of Data Loss Prevention in the Financial Services Sector
By Maddie Rosenthal
10 May 2021
In our latest research report, we took a deep dive into Data Loss Prevention in Financial Services and revealed that data loss incidents are happening up to 38x more frequently than IT leaders currently estimate.  And, while data loss is a big problem across all industries, it’s especially problematic in those that handle highly sensitive data. One of those industries is Financial Services. Before we dive into how frequently data loss incidents are happening and why, let’s define what exactly a data loss incident is in the context of this report. We focused on outbound data loss on email. This could be either intentional data exfiltration by a disgruntled or financially motivated employee or it could be accidental data loss.  Here’s what we found out. The majority of employees have accidentally or intentionally exfiltrated data  Tessian platform data shows that in organizations with 1,000 employees, 800 emails are sent to the wrong person every year. This is 1.6x more than IT leaders estimated. Likewise, in organizations of the same size, 27,500 emails containing company data are sent to personal accounts. We call these unauthorized emails, and IT leaders estimated just 720 are sent annually. That’s a big difference.
But, what about in this particular sector? Over half (57%) of Financial Services professionals across the US and the UK admit to sending at least one misdirected email and 67% say they’ve sent unauthorized emails. But, when you isolate the US employees, the percentage almost doubles. 91% of Financial Services professionals in the US say they’ve sent company data to their personal accounts.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); And, because Financial Services is highly competitive, professionals working in this industry are among the most likely to download, save, or send company data to personal accounts before leaving or after being dismissed from a job, with 47% of employees saying they’ve done it. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); To really understand the consequences of incidents like this, you have to consider the type of data this industry handles and the compliance standards and data privacy regulations they’re obligated to satisfy. 
Every day, professionals working in Financial Services send and receive:
Bank Account Numbers
Loan Account Numbers
Credit/Debit Card Numbers
Social Security Numbers
M&A Data

In order to protect that data, they must comply with regional and industry-specific laws, including:
GLBA
COPPA
FACTA
FDIC 370
HIPAA
CCPA
GDPR

So, what happens if there’s a breach? The implications are far-reaching, ranging from lost customer trust and a damaged reputation to revenue loss and regulatory fines. For more information on these and other compliance standards, visit our Compliance Hub.

Remote-working is making Data Loss Prevention (DLP) more challenging

The sudden transition from office to home has presented a number of challenges to both employees and security, IT, and compliance leaders. To start, 65% of professionals working in Financial Services say they feel less secure working from home than they do in the office. It makes sense. People aren’t working from their normal work stations and likely don’t have the same equipment.

A further 56% say they’re less likely to follow safe data practices when working remotely. Why? The most common reason was that IT isn’t watching, followed by being distracted. Most of us can relate. When working remotely – especially from home – people have other responsibilities and distractions like childcare and roommates and, the truth is, the average employee is just trying to do their job, not be a champion of cybersecurity.
That’s why it’s so important that security and IT teams equip employees with the solutions they need to work securely, wherever they are.

Current solutions aren’t empowering employees to work securely

Training, policies, and rule-based technology all have a place in security strategies. But, based on our research, these solutions alone aren’t working. In fact, 64% of professionals working in Financial Services say they’ll find a workaround to security software or policies if they impede productivity. This is 10% higher than the average across all industries.
How does Tessian prevent data loss on email?

Tessian uses machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our machine learning models analyze email data to understand how people work and communicate. They have been trained on more than two billion emails and they continue to adapt and learn from your own data as human relationships evolve over time.

This enables Tessian Guardian to look at email communications and determine in real time if particular emails look like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. Finally, Tessian Defender detects and prevents inbound attacks like spear phishing, account takeover (ATO), and CEO Fraud.

Enforcer and Guardian do all of this silently in the background. That means workflows aren’t disrupted and there’s no impact on productivity. Employees can do what they were hired to do without security getting in the way. Tessian bolsters training, complements rule-based solutions, and helps reinforce the policies security teams have worked so hard to create and embed in their organizations.

That’s why so many Financial Services firms have adopted Tessian’s technology, including:
Man Group
Evercore
BDO
Affirm
Armstrong Watson
JTC
DC Advisory
Many more
Email DLP
Unauthorized Emails: The Risks of Sending Data to Your Personal Email Accounts
27 April 2021
Whether it’s done to work from home, to print something, or to get a second opinion from a spouse, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless…it’s not.   At Tessian, we call these emails “unauthorized emails”.
In this article, we’ll explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem.

Why would an employee send company data to personal accounts?

It’s easier than following security policies

Most of the time, employees send company data to their personal email addresses because they’re trying to get their job done and – well – it’s easier than the alternative. Easier than accessing files through the corporate VPN, easier than digging out the randomly generated password to their work email for use at home, easier than printing off everything they need and taking it home with them. They send an email, go home, and the documents are ready and waiting.

Most of us can relate. 54% of employees say they’ll find a workaround if security policies or software make it difficult for them to do their job.
Unfortunately, there can be more nefarious reasons for sending company data to personal email accounts.

They’re maliciously trying to exfiltrate data

45% of employees say they’ve taken data with them before leaving or after being dismissed from a job. Can you guess what the most common way of exfiltrating data is? Email.

Whatever the reason, employees send a lot more unauthorized emails than security leaders currently estimate. How many? At least 27,500 a year in organizations with 1,000 employees.
What consequences are associated with sending company data to personal accounts?

Most organizations have policies in place explicitly saying that employees can’t email company data to personal email accounts. That’s not because every single email to a personal account results in a data loss incident or breach. It’s because when it does result in a data loss incident or a breach, the consequences can be far-reaching.

Consequences include:
Breach of contracts or non-disclosure agreements
Loss of IP and proprietary research
Breach of data protection regulations
Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)
Lost customer trust, damaged reputation, and revenue loss

Check out this real-world example: In early 2017, an airline employee sent a spreadsheet containing approximately 36,000 employee records home so his wife could help with a formatting problem. Based on data from the Ponemon Institute, this single spreadsheet may have cost the company as much as $5.7m.

How can security leaders solve the problem?

It’s important security leaders take a holistic approach to data loss prevention (DLP). We suggest you…

1. Educate your workforce

Make sure your employees know how to observe best data security practices and that they understand how best to secure the data they work with, especially confidential data. Top tip: Host refresher courses if necessary.

2. Ease of access

Try as much as possible to ensure that your employees don’t feel the need to send work to their personal emails. Implement secure file storage platforms they can access from home (SharePoint, GSuite, etc.) or a corporate VPN so they can securely access the company network from anywhere. You need to strike that happy middle ground between “easy to use but insecure” and “airtight but really disruptive”.

3. Be proactive, not reactive

Choose email security platforms that offer complete protection against unauthorized email before it becomes a problem, instead of being left scrambling for a solution in the aftermath. Find a solution that tracks and logs attempts to send data to a personal email address, and use the metrics to open a conversation with employees about data protection.
Email DLP
7 Tips for SOC Teams Using Splunk
By Maddie Rosenthal
22 April 2021
For most security leaders and SOC teams, “visibility” is the holy grail. It makes sense…

Why does visibility matter?

Clear visibility of threats is the first step in effectively reducing risk. It’s what makes analyzing, correlating, reporting, and proactively preventing security events possible. It’s what allows security teams to find the needle in the haystack. That’s why Splunk is so valuable, and why it’s essential security solutions easily integrate with SIEM (pronounced “sim”) systems.
Looking for some tips and tricks to help you and your team get the most out of your data in Splunk? We talked to Imraan Dawood, Information Security Officer at Investec, and Martin Nortje, Information Security Engineer at Investec, about how they use Splunk to level up their security, without over-burdening their SOC teams. We’ve captured the highlights below.

7 tips for SOC teams using Splunk

1. Don’t create too many dashboards

For those who have the tool, Splunk is the front door for all analytics for SOC and data security teams. It’s the first thing they log into when they sit down at their desk, and the one place they can see security events pulled from across their security stack.

According to Imraan and Martin, it enables SOC teams to pinpoint potential problems in a matter of minutes or seconds versus hours or days. But, too much information or “noise” can be overwhelming and counterproductive.

So, instead of tracking everything, be choosy. Imraan and Martin suggest that SOC teams work backward. First, consider what would be most valuable for analysts to see. Then, consider what you need to filter out in order for them to see that at a glance. (See point 2….)

2. Create a “hit list” of words and terms to help you zero in on the events that could have the biggest business impact

While – yes – SOC teams will want to have visibility of all security events, it’s important to take the time to plan the structure and layout of the information in your dashboards to ensure you have an accurate picture of the security landscape and to help quickly identify high-impact threats – for example, misdirected emails.

Not all misdirected emails are created equal, though.

Let’s say Donna, a sales executive, accidentally emailed the wrong Brad to ask “Can you still make the call at 2:00?”. Now, let’s say Elaine, a Finance Director, accidentally emailed the wrong Todd financial projections for Q2 2021. Which requires more immediate attention?
Which could have the biggest business impact? The latter. Imraan and Martin suggest that SOC teams create a “hit list” of words and terms – for example, those related to financial data, PII, or R&D – to get a better view of what really matters.

Here’s how you do that:
Make a list of the keywords and terms that you would like to report on.
Perform a search for those terms within Splunk to verify that the search term is only yielding the results that you’d like to alert on. (Doing this will ensure that you aren’t generating unnecessary noise for your SOC teams and will reduce notification fatigue.)
Configure an alert to search and identify those specific keywords and terms within the platform.

Looking for more details? Check out this article from Splunk: Save your search as an alert

3. Remember that you can’t automate everything

Splunk is great because it automatically integrates data from endpoints, applications, servers, etc. It makes life much easier for data analysts and the rest of the security team. But you can’t automate everything. For example, what happens after Elaine, the Finance Director, accidentally sends that email with financial projections to the wrong Todd?

Several teams will have to be involved, from HR, to Customer Success, to Legal. It’s difficult – if not impossible – to automate those processes and workflows completely. To put it simply, follow-up will still be manual. Top tip from Imraan and Martin: Automate your case management instead.

4. Consider the “why” and the “how” just as much as the “what”

We all know that employees can make mistakes, whether it’s cc’ing someone instead of bcc’ing someone, logging onto an unsecured network, or re-using a password. But, some employees aren’t simply acting negligently. They’re acting maliciously. And, it’s essential SOC teams can differentiate between the two. The question is: How?

Imraan and Martin suggest relying on historical data.
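The three-step hit-list procedure above, run as an added example in Python rather than inside Splunk (this is not code from the article, from Investec or from Splunk): it applies a term list to a handful of constructed email-DLP event lines and makes the step-2 noise check visible, showing how a short term such as "ssn" over-matches when searched as a bare substring and how a whole-word match removes that noise before the search is saved as an alert. The event field names, the sample lines and the sample terms are all assumptions.

```python
"""
Added example, not code from the original article, Investec or Splunk: the
three-step "hit list" procedure, run in Python over constructed email-DLP
event lines so the noise check in step 2 is visible. The event field names,
the sample terms and the sample lines are all assumptions.
"""
import re
from typing import Dict, List

# Constructed sample events, loosely shaped like key=value log lines from an
# email DLP product. Field names and values are assumptions for this example.
SAMPLE_EVENTS: List[str] = [
    'event=misdirected_email sender=elaine@example.com '
    'subject="Q2 2021 financial projections" attachment=projections.xlsx',
    'event=misdirected_email sender=donna@example.com '
    'subject="Can you still make the call at 2:00?" attachment=',
    'event=misdirected_email sender=dev@example.com '
    'subject="Fix for classname lookup" attachment=classname.txt',
    'event=misdirected_email sender=hr@example.com '
    'subject="Payroll and SSN reconciliation" attachment=payroll.csv',
    'event=misdirected_email sender=lab@example.com '
    'subject="R&D roadmap draft" attachment=roadmap.docx',
]

# Step 1: the hit list. Terms tied to financial data, PII and R&D, as the
# article suggests; these particular terms are an assumption.
HIT_LIST: List[str] = ["financial", "payroll", "ssn", "r&d"]


def naive_hits(events: List[str], terms: List[str]) -> Dict[str, List[str]]:
    """Step 2, first attempt: case-insensitive substring search.
    Returns term -> events containing it anywhere in the line."""
    hits: Dict[str, List[str]] = {t: [] for t in terms}
    for ev in events:
        low = ev.lower()
        for t in terms:
            if t.lower() in low:
                hits[t].append(ev)
    return hits


def bounded_hits(events: List[str], terms: List[str]) -> Dict[str, List[str]]:
    """Step 2, refined: the term must stand alone (not be embedded in a longer
    token), so a short term such as "ssn" does not fire on "classname"."""
    patterns = {
        t: re.compile(r"(?<![a-z0-9])" + re.escape(t) + r"(?![a-z0-9])", re.IGNORECASE)
        for t in terms
    }
    hits: Dict[str, List[str]] = {t: [] for t in terms}
    for ev in events:
        for t, pat in patterns.items():
            if pat.search(ev):
                hits[t].append(ev)
    return hits


def noise_report(events: List[str], terms: List[str]) -> Dict[str, int]:
    """Per term, how many events the naive search would have alerted on that
    the refined search does not: the noise to remove before saving the search
    as an alert."""
    naive = naive_hits(events, terms)
    bounded = bounded_hits(events, terms)
    return {t: len(naive[t]) - len(bounded[t]) for t in terms}


def alert_candidates(events: List[str], terms: List[str]) -> List[str]:
    """Step 3: the distinct events a saved alert on the refined terms would
    fire on, in their original order."""
    matched = {ev for evs in bounded_hits(events, terms).values() for ev in evs}
    return [ev for ev in events if ev in matched]


if __name__ == "__main__":
    for term, noise in noise_report(SAMPLE_EVENTS, HIT_LIST).items():
        print(f"{term}: {noise} noisy hit(s) removed by whole-word matching")
    for ev in alert_candidates(SAMPLE_EVENTS, HIT_LIST):
        print("ALERT:", ev)
```

On the constructed lines, the only difference between the two searches is the "ssn" term: the substring search also fires on the unrelated "classname" event, which is exactly the kind of hit that feeds notification fatigue. Donna's "call at 2:00" email matches nothing, while Elaine's financial projections, the payroll file and the R&D roadmap are the three events an alert would raise.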
After all, it takes multiple insights to understand what’s business as usual vs. something more malicious. For example, if you’ve had an incident of a “bad leaver” in the past, use that data to compare and “match” the same behavior in real-time.

What does a “bad leaver” look like? Are they sending 1 email to a personal account a day over the course of 2 months? Or are they sending 15-20 emails a day for a week? Are they including attachments or not?

5. Be thoughtful in what data you include in reports for specific teams

As we’ve said, Splunk makes reporting easy. But, to effectively communicate risks (and wins!) and actually influence change, you have to be thoughtful in what data you include in reports for specific teams. Your Risk Committee and your CEO will care about different things.

A few things you should consider when preparing reports:
How much do they know about cybersecurity?
What’s most relevant to their day-to-day?
What metrics and KPIs are they held accountable for?
What’s the organization’s risk tolerance?

6. Lean on the vendors in your security stack for queries

Most vendors understand the importance of capturing security events in SIEM and will have advice on best practices and use cases that they’ve seen work well for other customers.

Are you a Tessian customer? If you didn’t already know, we’ve created dozens of articles and guides for customers to make sure they get the most out of our products via Splunk. Just log into the Help Center or shoot your Customer Success Manager a message.

7. Use the insights!

Last but certainly not least, Imraan and Martin made it clear that viewing the data in Splunk is just step one. Step two is actually implementing processes that help reduce security incidents and improve the organization’s security posture.
For example, if you saw a massive spike in the number of employees who were printing sensitive documents or sending attachments to personal devices immediately after the move to remote-working, you might want to consider reminding employees of existing policies or – better yet – creating new policies that enable them to do their jobs without breaking the rules. The key is to combine data-centric and human-centric approaches to really effect change.
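The historical comparison tip 4 describes (one email a day to a personal account for two months versus 15-20 a day for a week, with or without attachments), worked as an added example that is not code from the article, Investec or Tessian. It builds a constructed 60-day history for two senders and compares each sender's last seven days against their own earlier baseline; the event shape, the two senders, and the ratio and absolute thresholds are assumptions chosen for illustration.

```python
"""
Added example, not code from the original article, Investec or Tessian: the
historical comparison described in tip 4 (is this sender's volume of email to
personal accounts "business as usual", or does it match a past "bad leaver"?),
run over a constructed 60-day history. Event shape, thresholds and the two
sample senders are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, NamedTuple


class PersonalEmailEvent(NamedTuple):
    day: date          # day the email was sent
    sender: str        # corporate sender address
    attachments: int   # number of attachments on the email


# The "as of" day for the comparison, the last day of the constructed history.
AS_OF = date(2021, 4, 1)


def build_events() -> List[PersonalEmailEvent]:
    """Constructed history, 60 days from 1 Feb 2021: alice sends one email to
    a personal account per day with no attachment throughout; bob does the same
    for 53 days, then sends 18 a day with attachments for the final 7 days,
    the pattern the article contrasts with steady low volume."""
    start = date(2021, 2, 1)
    events: List[PersonalEmailEvent] = []
    for d in range(60):
        day = start + timedelta(days=d)
        events.append(PersonalEmailEvent(day, "alice@example.com", 0))
        if d < 53:
            events.append(PersonalEmailEvent(day, "bob@example.com", 0))
        else:
            events.extend(PersonalEmailEvent(day, "bob@example.com", 1) for _ in range(18))
    return events


def daily_counts(events: List[PersonalEmailEvent]) -> Dict[str, Dict[date, List[int]]]:
    """sender -> day -> [emails, emails carrying at least one attachment]."""
    counts: Dict[str, Dict[date, List[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ev in events:
        bucket = counts[ev.sender][ev.day]
        bucket[0] += 1
        if ev.attachments > 0:
            bucket[1] += 1
    return counts


def leaver_profile(events, sender, as_of, window_days=7, min_ratio=5.0, min_daily=10.0):
    """Compare the sender's last `window_days` (ending on `as_of`) with their
    own earlier history. Flag when recent volume is both high in absolute
    terms and a multiple of the sender's baseline; both thresholds are
    assumptions for this example."""
    per_day = daily_counts(events).get(sender)
    if not per_day:
        return {"baseline_avg": 0.0, "recent_avg": 0.0, "recent_attach_share": 0.0, "flagged": False}
    window_start = as_of - timedelta(days=window_days - 1)
    first_day = min(per_day)
    baseline_days = max((window_start - first_day).days, 0)   # calendar days, quiet days count
    baseline_total = sum(c[0] for d, c in per_day.items() if d < window_start)
    recent = [per_day.get(window_start + timedelta(days=i), [0, 0]) for i in range(window_days)]
    recent_total = sum(c[0] for c in recent)
    recent_attach = sum(c[1] for c in recent)
    baseline_avg = baseline_total / baseline_days if baseline_days else 0.0
    recent_avg = recent_total / window_days
    attach_share = recent_attach / recent_total if recent_total else 0.0
    flagged = recent_avg >= min_daily and (baseline_avg == 0.0 or recent_avg >= min_ratio * baseline_avg)
    return {
        "baseline_avg": round(baseline_avg, 2),
        "recent_avg": round(recent_avg, 2),
        "recent_attach_share": round(attach_share, 2),
        "flagged": flagged,
    }


def flag_leavers(events: List[PersonalEmailEvent], as_of: date) -> List[str]:
    """Senders whose recent behaviour matches the bad-leaver pattern."""
    senders = sorted({ev.sender for ev in events})
    return [s for s in senders if leaver_profile(events, s, as_of)["flagged"]]


if __name__ == "__main__":
    history = build_events()
    for who in ("alice@example.com", "bob@example.com"):
        print(who, leaver_profile(history, who, AS_OF))
    print("flagged:", flag_leavers(history, AS_OF))
```

The point of comparing each sender against their own baseline rather than a fixed company-wide number is the one the article makes: one email a day is normal for both senders here, so only the jump to 18 a day with attachments is flagged, and a sender with no history at all is not flagged on volume alone.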
Learn more about Tessian’s integrations

Tessian’s Human Layer Security (HLS) platform has vast integration capabilities to help security teams achieve increased visibility and extended protection. Learn more here. Or, if you’re looking for more tips, subscribe to our newsletter below.
Data Exfiltration Email DLP Integrated Cloud Email Security
11 Examples of Data Breaches Caused By Misdirected Emails
17 March 2021
While phishing, ransomware, and brute force attacks tend to make headlines, misdirected emails (emails sent to the wrong person) are actually a much bigger problem. In fact, in organizations with 1,000 employees, at least 800 emails are sent to the wrong person every year. That’s two a day. You can find more insights in The Psychology of Human Error and The State of Data Loss Prevention 2020.

Are you surprised? Most people are. That’s why we’ve rounded up this list of 11 real-world (recent) examples of data breaches caused by misdirected emails. And, if you skip down to the bottom, you’ll see how you can prevent misdirected emails (and breaches!) in your organization.

11 examples of data breaches caused by misdirected emails

1. University support service mass emails sensitive student information

University and college wellbeing services deal with sensitive personal information, including details of the health, beliefs, and disabilities of students and their families. Most privacy laws impose stricter obligations on organizations handling such sensitive personal information—and there are harsher penalties for losing control of such data.

So imagine how awful the Wellbeing Adviser at the University of Liverpool must have felt when they emailed an entire school’s worth of undergraduates with details about a student’s recent wellbeing appointment. The email revealed that the student had visited the Adviser earlier that day, that he had been experiencing ongoing personal difficulties, and that the Adviser had advised the student to attend therapy.

A follow-up email urged all the recipients to delete the message “immediately” and appeared to blame the student for providing the wrong email address. One recipient of the email reportedly said: “How much harder are people going to find it actually going to get help when something so personal could wind up in the inbox of a few hundred people?”

2. Trump White House emails Ukraine ‘talking points’ to Democrats

Remember in 2019, when then-President Donald Trump faced accusations of pressuring Ukraine into investigating corruption allegations against now-President Joe Biden? Once this story hit the press, the White House wrote an email—intended for Trump’s political allies—setting out some “talking points” to be used when answering questions about the incident (including blaming the “Deep State media”).

Unfortunately for the White House, they sent the email directly to political opponents in the Democratic Party. White House staff then attempted to “recall” the email. If you’ve ever tried recalling an email, you’ll notice that it doesn’t normally work.

Recalling an email only works if the recipient is on the same Exchange server as you—and only if they haven’t read the email. Looking for information on this? Check out this article: You Sent an Email to the Wrong Person. Now What?

Unsurprisingly, this was not the case for the Democrats who received the White House email, who subsequently leaked it on Twitter.

“I would like to thank @WhiteHouse for sending me their talking points on how best to spin the disastrous Trump/Zelensky call in Trump’s favor. However, I will not be using their spin and will instead stick with the truth. But thanks though.” — US Rep Brendan Boyle (@RepBrendanBoyle) September 25, 2019

3. Australia’s Department of Foreign Affairs and Trade leaked 1,000 citizens’ email addresses

On September 30, 2020, Australia’s Department of Foreign Affairs and Trade (DFAT) announced that the personal details of over 1,000 citizens were exposed after an employee failed to use BCC. So, who were the citizens? Australians who have been stuck in other countries since inbound flights have been limited (even rationed) since the outbreak of COVID-19. The plan was to increase entry quotas and start an emergency loans scheme for those in dire need. Those who had their email addresses exposed were among the potential recipients of the loan.

Immediately after the email was sent, employees at DFAT tried to recall the email, and even requested that recipients delete the email from their IT system and “refrain from any further forwarding of the email to protect the privacy of the individuals concerned.”

4. Serco exposes contact tracers’ data in email error

In May 2020, an employee at Serco, a business services and outsourcing company, accidentally cc’d instead of bcc’ing almost 300 email addresses. Harmless, right? Unfortunately not.

The email addresses – which are considered personal data – belonged to newly recruited COVID-19 contact tracers. While a Serco spokesperson has apologized and announced that they would review and update their processes, the incident nonetheless has put confidentiality at risk and could leave the firm under investigation with the ICO.

5. Sonos accidentally exposes the email addresses of hundreds of customers in email blunder

In January 2020, 450+ email addresses were exposed after they were (similar to the example above) cc’d rather than bcc’d. Here’s what happened: A Sonos employee was replying to customers’ complaints. Instead of putting all the emails in BCC, they were CC’d, meaning that every customer who received the email could see the personal email addresses of everyone else on the list. The incident was reported to the ICO and is subject to potential fines.
6. Gender identity clinic leaks patient email addresses

In September 2019, a gender identity clinic in London exposed the details of close to 2,000 people on its email list after an employee cc’d recipients instead of bcc’ing them. Two separate emails were sent, with about 900 people cc’d on each.

While email addresses on their own are considered personal information, it’s important to bear in mind the nature of the clinic. As one patient pointed out, “It could out someone, especially as this place treats people who are transgender.”

The incident was reported to the ICO, which is currently assessing the information provided. But, a similar incident may offer a glimpse of what’s to come.

In 2016, the email addresses of 800 patients who attended HIV clinics were leaked because they were – again – cc’d instead of bcc’d. An NHS Trust was fined £180,000. Bear in mind, this fine was issued before the introduction of GDPR.

7. University mistakenly emails 430 acceptance letters, blames “human error”

In January 2019, the University of South Florida St. Petersburg sent nearly 700 acceptance emails to applicants. The problem? Only 250 of those students had actually been accepted. The other 400+ hadn’t. While this isn’t considered a breach (because no personal data was exposed), it does go to show that fat-fingering an email can have a number of consequences.

In this case, the university’s reputation was damaged, hundreds of students were left confused and disappointed, and the employees responsible for the mistake likely suffered red-faced embarrassment on top of other, more formal ramifications. The investigation and remediation of the incident will also have taken up plenty of time and resources.

8. Union watchdog accidentally leaked secret emails from confidential whistleblower

In January 2019, an official at Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including the identity of a whistleblower. How? The employee entered an incorrect character when sending an email. It was then forwarded to someone with the same last name – but a different first initial – as the intended recipient.

The next day, the ROC notified the whistleblower whose identity was compromised and disclosed the mistake to the Office of the Australian Information Commissioner as a potential privacy breach.

9. Major Health System Accidentally Shares Patient Information Due to Third-Party Software for the Second Time This Year

In May 2018, Dignity Health – a major health system headquartered in San Francisco that operates 39 hospitals and 400 care centers around the west coast – reported a breach that affected 55,947 patients to the U.S. Department of Health and Human Services.

So, how did it happen? Dignity says the problem originated from a sorting error in an email list that had been formatted by one of its vendors. The error resulted in Dignity sending emails to the wrong patients, with the wrong names. Because Dignity is a health system, these emails also often contained the patient’s doctor’s name. That means PII and protected health information (PHI) was exposed.

10. Inquiry reveals the identity of child sexual abuse victims

This 2017 email blunder earned an organization a £200,000 ($278,552) fine from the ICO. The penalty would have been even higher if the GDPR had been in force at the time. When you look at the detail of this incident, it’s easy to see why the ICO wanted to impose a more severe fine.

The Independent Inquiry into Child Sexual Abuse (IICSA) sent a Bcc email to 90 recipients, all of whom were involved in a public hearing about child abuse. Sending a Bcc means none of the recipients can see each other’s details. But the sender then sent a follow-up email to correct an error—using the “To” field by mistake.

The organization made things even worse by sending three follow-up emails asking recipients to delete the original message—one of which generated 39 subsequent “Reply all” emails in response. The error revealed the email addresses of all 90 recipients and 54 people’s full names.

But is simply revealing someone’s name that big of a deal? Actually, a person’s name can be very sensitive data—depending on the context. In this case, IICSA’s error revealed that each of these 54 people might have been victims of child sexual abuse.

11. Boris Johnson’s dad’s email blunder nearly causes diplomatic incident

Many of us know what it’s like to be embarrassed by our dad. Remember when he interrogated your first love interest? Or that moment your friends overheard him singing in the shower? Or when he accidentally emailed confidential information about the Chinese ambassador to the BBC?

OK, maybe not that last one. That happened to the father of U.K. Prime Minister Boris Johnson in February 2020. Johnson’s dad, Stanley Johnson, was emailing British officials following a meeting with Chinese ambassador Liu Xiaoming. He wrote that Liu was “concerned” about a lack of contact from the Prime Minister to the Chinese state regarding the coronavirus outbreak.

The Prime Minister’s dad inexplicably copied the BBC into his email, providing some lucky journalists with a free scoop about the state of U.K.-China relations. It appears the incident didn’t cause any big diplomatic issues—but we can imagine how much worse it could have been if Johnson had revealed more sensitive details of the meeting.
Prevent misdirected emails (and breaches) with Tessian Guardian

Regardless of your region or industry, protecting customer, client, and company information is essential. But, to err is human. So how do you prevent misdirected emails? With machine learning.

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.
Email DLP Integrated Cloud Email Security
Industry-First Product: Tessian Now Prevents Misattached Files on Email
By Harry Wetherald
11 February 2021
Misdirected emails – emails sent to the wrong person – are the number one security incident reported to the Information Commissioner’s Office. And, according to Tessian platform data, an average of 800 misdirected emails are sent every year in organizations with over 1,000 employees.

An unsolved problem

We solved this years ago with Tessian Guardian, our solution for accidental data loss. But sending an email to the wrong person is just one part of the problem. What about sending the wrong attachment? After all, our data shows that 1 in 5 external emails contain an attachment and new Tessian research reveals that nearly half (48%) of employees have attached the wrong file to an email. We call these “misattached files” and we’re happy to announce a new, industry-first feature that prevents them from being sent.

The consequences of attaching the wrong file

The consequences of a misattached file depend on what information is contained in the attachments. According to Tessian’s survey results, 42% of documents sent in error contained company research and data. More worryingly, nearly two-fifths (39%) contained security information like passwords and passcodes, and another 38% contained financial information and client information. 36% of mistakenly attached documents contained employee data.

Any one of the above mistakes could result in lost customer data and IP, reputational damage, fines for non-compliance, and customer churn. In fact, one-third of respondents said their company lost a customer or client following this case of human error, and a further 31% said their company faced legal action.

Until now, there weren’t any email security tools that could consistently identify when wrong files were being shared. This meant attachment mistakes went undetected…until there were serious consequences.

How does Tessian detect misattached files?

The latest upgrade to Tessian Guardian leverages historical learning to understand whether an employee is attaching the correct file or not. When an email is being sent, Guardian’s machine learning (ML) algorithm uses deep content inspection, natural language processing (NLP), and heuristics to detect attachment anomalies such as:

Counterparty anomalies: The attachment is related to a company that isn’t typically discussed with the recipients. For example, attaching the wrong invoice.
Name anomalies: The attachment is related to an individual who isn’t typically discussed with the recipients. For example, attaching the wrong individual’s legal case files.
Context anomalies: The attachment looks unusual based on the email context. For example, attaching financial-model.xlsx to an email about a “dinner reservation.”
File type anomalies: The attachment file type hasn’t previously been shared with the receiving organization. For example, sending an .xlsx file to a press agency.
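To make two of the anomaly classes above concrete, here is an added example that is not Tessian's code and does not reproduce Guardian's models: a history-based check for file-type anomalies (a file type never before sent to that recipient organization) and counterparty anomalies (a document about a company never before discussed with that recipient). The send history, the recipient domains and the per-attachment counterparty label (assumed to be extracted upstream from the document) are all constructed; the set-membership baseline is a deliberate simplification standing in for the ML described in the article.

```python
"""
Added example, not Tessian's code: a simple history-based check for two of the
anomaly classes listed in the article, file-type anomalies and counterparty
anomalies. Tessian describes ML models for this; the set-membership baseline
here is an assumption used only to illustrate the idea. The send history, the
recipient domains and the counterparty labels are constructed.
"""
import os
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class SentAttachment(NamedTuple):
    recipient_domain: str   # domain of the external recipient organization
    filename: str           # attachment name as sent
    counterparty: str       # company the document concerns (assumed to be
                            # extracted upstream, e.g. from the invoice text)


# Constructed send history for one sender.
HISTORY: List[SentAttachment] = [
    SentAttachment("acme-press.example", "press-release.pdf", "acme"),
    SentAttachment("acme-press.example", "briefing.docx", "acme"),
    SentAttachment("acme.example", "invoice-0042.pdf", "acme"),
    SentAttachment("acme.example", "invoice-0043.pdf", "acme"),
    SentAttachment("globex.example", "invoice-0101.pdf", "globex"),
    SentAttachment("globex.example", "statement.xlsx", "globex"),
]


def file_type(filename: str) -> str:
    """Lower-cased extension without the dot; empty string if there is none."""
    return os.path.splitext(filename)[1].lower().lstrip(".")


class Baseline(NamedTuple):
    types_by_domain: Dict[str, Set[str]]           # file types previously sent per domain
    counterparties_by_domain: Dict[str, Set[str]]  # companies previously discussed per domain


def build_baseline(history: List[SentAttachment]) -> Baseline:
    """Historical learning, reduced to two per-recipient sets."""
    types: Dict[str, Set[str]] = defaultdict(set)
    parties: Dict[str, Set[str]] = defaultdict(set)
    for sent in history:
        types[sent.recipient_domain].add(file_type(sent.filename))
        parties[sent.recipient_domain].add(sent.counterparty)
    return Baseline(dict(types), dict(parties))


def check_attachment(baseline: Baseline, candidate: SentAttachment) -> List[str]:
    """Anomaly labels for an outgoing attachment. An empty list means the
    attachment looks like what this recipient organization usually gets."""
    domain = candidate.recipient_domain
    if domain not in baseline.types_by_domain:
        return ["no_history"]   # first contact: nothing to compare against
    anomalies: List[str] = []
    if candidate.counterparty not in baseline.counterparties_by_domain[domain]:
        anomalies.append("counterparty_anomaly")   # e.g. the wrong invoice
    if file_type(candidate.filename) not in baseline.types_by_domain[domain]:
        anomalies.append("file_type_anomaly")      # e.g. .xlsx to a press agency
    return anomalies


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for cand in (
        SentAttachment("acme.example", "invoice-0102.pdf", "globex"),
        SentAttachment("acme-press.example", "financial-model.xlsx", "acme"),
        SentAttachment("acme.example", "invoice-0044.pdf", "acme"),
    ):
        print(cand.filename, "->", cand.recipient_domain, check_attachment(base, cand))
```

The "no_history" result is the case a practitioner has to decide on explicitly: with no prior sends to a recipient there is no baseline, so a product either stays silent (low flag rate, no protection for first contacts) or warns more often (more friction); the configurable use-cases the article mentions are where that trade-off lives.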
If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. Best of all, the warnings are helpful, not annoying and flag rates are low. This means employees can do their jobs without security getting in the way.  Want to learn more about how Tessian detects attachment anomalies before they’re sent? Download the data sheet.
Benefits for Tessian customers

Tessian is the only solution in the market that can solve the problem of misattached files, giving customers complete protection from accidental data loss on email. In addition to preventing human error and subsequent breaches, Tessian Guardian has several features that help ease the burden of compliance on thinly-stretched security teams and give key stakeholders peace of mind. These include:

Automated protection: Tessian Guardian automatically detects and prevents misattached files. No rules or manual investigation required.
Flexible configuration options: With this new feature, customers will be able to configure Guardian’s algorithm to enable and/or disable specific use-cases. This allows administrators to balance user experience with the level of protection appropriate to their risk appetite.
Data-rich dashboards: For the first time, customers will have visibility of how many misattached files are being sent in their organization and by whom. This demonstrates clear ROI and makes auditing and reporting easy.
Learn more about Tessian

Interested in learning more about Tessian Guardian’s new features? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about our technology, explore our customer stories, or book a demo now.
Data Exfiltration Email DLP
12 Examples of Data Exfiltration
By Maddie Rosenthal
03 February 2021
Over the past two years, 90% of the world’s data has been generated. And, as the sheer volume of data continues to grow, organizations are becoming more and more susceptible to data exfiltration.

But why would someone want to exfiltrate data? Data is valuable currency. From an e-commerce business to a manufacturing company, organizations across industries hold sensitive information about the business, its employees, customers, and clients.

What is data exfiltration?
Simply put, data exfiltration is the movement of sensitive data from inside the organization to outside it without authorization. This can happen accidentally or deliberately. The consequences of data exfiltration aren’t limited to the lost data itself: a breach means reputational damage, lost customer trust, and fines. The best way to illustrate the different types of data exfiltration and the impact these incidents have on businesses is with examples.

Examples of data exfiltration
When it comes to data exfiltration, there are countless motives and methods. But you can broadly group attempts into two categories: data exfiltration by someone within the organization, for example a disgruntled or negligent employee, and data exfiltration by someone outside the organization, for example a competitor.

Data exfiltration by insiders
Data exfiltration by an insider means that company data has been shared by a member of the company with people (or organizations) outside of it. While most organizations have security software and policies in place to prevent insiders from moving data outside the office environment and outside company control, insiders have easy access to company data, may know workarounds, and may have the technical know-how to get into “secure” systems. Here are six examples of data exfiltration by insiders:

Over the course of 9 months, an employee at Anthem Health Insurance forwarded 18,500 members’ records to a third-party vendor. These records included Personally Identifiable Information (PII) such as social security numbers, last names, and dates of birth.

Police seized the computer equipment of an employee who had exfiltrated nearly 100 GB of data from an unnamed financial company that offered loan services to Ukrainian citizens. Investigators later found that the suspect was planning to sell the data to a representative of one of his former employer’s competitors for $4,000.

Not all examples of data exfiltration are malicious, though. Some breaches happen inadvertently, as when an employee leaving the Federal Deposit Insurance Corporation (FDIC) accidentally downloaded data on 44,000 FDIC customers onto a personal storage device and took it out of the agency.

Jean Patrice Delia exfiltrated over 8,000 files from his employer, General Electric (GE), over eight years. Delia hoped to set up a rival company using insider secrets. The FBI investigation into Delia began in 2016. Details released in July 2020 showed how Delia persuaded a GE IT administrator to grant him privileged systems access, then emailed commercially-sensitive documents to a co-conspirator.

On three occasions, in November 2018, January 2020, and October 2020, Amazon emailed customers to inform them that an insider had disclosed their personal information (usually email addresses) to a third party. Amazon hasn’t been very forthcoming about the details of these incidents, but there appears to be a pattern of insider data exfiltration emerging, which should be a serious concern for the company.

After a data exfiltration near-miss, a Nevada court charged Egor Igorevich Kriuchkov with “conspiracy to intentionally cause damage to a protected computer” in September 2020. Kriuchkov attempted to bribe a Tesla employee to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The FBI disrupted the scheme, which could have caused serious damage to one of the world’s leading companies.
Exfiltration by outsiders
Unlike exfiltration by insiders, exfiltration by outsiders means that someone outside an organization has stolen valuable company data. Here are six examples of data exfiltration by outsiders:

In 2014, eBay suffered a breach that impacted 145 million users. In this case, cybercriminals gained unauthorized access to eBay’s corporate network through a handful of compromised employee log-in credentials. At the time, it was the second-biggest breach of a U.S. company measured by the number of records accessed.

Stealing login credentials isn’t the only way bad actors can gain access to a network. In 2019, malware was discovered on Wawa payment processing servers. This malware harvested the credit card data of over 30 million customers, including card number, expiration date, and cardholder name.

Did you know? 91% of data breaches start with a phishing email. While many phishing emails direct targets to wire money, pay an invoice, or provide bank account details, some request sensitive employee or client information, for example W-2 forms. You can read more about Tax Day scams on our blog.

In February 2021, Talos Intelligence researchers discovered a new variant of the “Masslogger” Trojan. Masslogger is a good example of how cybercriminals use malware to exfiltrate data from online accounts. This new variant arrives via a phishing email with “a legitimate-looking subject line” carrying a malicious attachment. The Trojan targets platforms such as Discord, Outlook, Chrome, and NordVPN, using “fileless” techniques to exfiltrate credentials.

In October 2020, the UK’s Information Commissioner’s Office (ICO) fined British Airways (BA) £20 million ($28 million) after attackers exfiltrated customers’ data, including credit card numbers, names, and addresses. This massive data breach started in June 2018, when attackers installed malicious code on BA’s website. The ICO held BA fully responsible for the breach, which affected over 400,000 customers.

Healthcare company Magellan Health discovered in April 2020 that hackers had exfiltrated sensitive customer data, including names, tax IDs, and Social Security Numbers. The breach started with a phishing email that an employee had received five days earlier. This incident occurred just months after Magellan announced a similar phishing attack that exposed 50,000 customer records from its subsidiary companies.

Looking for more information about data exfiltration or data loss prevention? Follow these links:
What is Data Exfiltration?
Tips for Preventing Data Exfiltration Attacks
What is Data Loss Prevention (DLP)?
A Complete Overview of DLP on Email
Remote Working ATO/BEC
CISA Warns of New Attacks Targeting Remote Workers
14 January 2021
tl;dr: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a string of successful phishing attacks exploiting weak cyber hygiene in remote work environments to access companies’ cloud services via employees’ corporate laptops and personal devices.*  According to the report, “the cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. … A variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” 
Once the hackers had access to an employee’s account, they were able to:

Send further phishing emails to contacts in the employee’s network.
Modify existing forwarding rules so that emails the employee had set to be forwarded to a personal account were instead forwarded to the hacker’s inbox.
Create new mailbox rules that forwarded emails containing specific keywords (e.g. finance-related terms) to the hacker’s account.

This type of malicious activity targeting remote workers isn’t new. Henry Trevelyan Thomas, Tessian’s VP of Customer Success, has seen many instances this year: “The shift to remote work has resulted in people needing more flexibility, and personal accounts provide that—for example, access to home printers or working from a partner’s computer. Personal accounts are easier to compromise as they almost always have less security controls, are outside organizations’ secure environments, and your guard is down when logging on to your personal account. Attackers have realized this and are seeing it as a soft underbelly and entry point into a full corporate account takeover.” Learn more about Account Takeover (ATO), and take a look at some real-life examples of phishing attacks we spotted last year.

CISA recommends the following steps for organizations to strengthen their cloud security practices:

Establish a baseline for normal network activity within your environment.
Implement MFA for all users, without exception.
Routinely review user-created email forwarding rules and alerts, or restrict forwarding.
Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens.
Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
Consider restricting users from forwarding emails to accounts outside of your domain.
Focus on awareness and training. Make employees aware of the threats, such as phishing scams, and how they are delivered. Additionally, provide users with training on information security principles and techniques as well as emerging cybersecurity risks and vulnerabilities.
Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or believe they have been the victim of a cyberattack. This ensures that the established mitigation strategy can be employed quickly and efficiently.

For more practical advice on how to avoid falling for a phishing scam, download Tessian’s guide to Remote Work and Cybersecurity.
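The forwarding-rule review CISA recommends above is something a mail administrator can script rather than eyeball. The following Python is an added example, not part of the original post or of the CISA report: it takes inbox rules exported from Exchange Online (for instance with Get-InboxRule piped to ConvertTo-Json; the property names ForwardTo, ForwardAsAttachmentTo, RedirectTo, SubjectContainsWords, BodyContainsWords, SubjectOrBodyContainsWords and DeleteMessage are that cmdlet’s own) and flags the two behaviours described in the advisory: rules that send mail outside the organization, and keyword-triggered rules that forward or delete finance-related mail. The organization’s domain list, the finance vocabulary, and the three sample rules are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumptions for this example (not from the advisory): the organization's own
# domains, and the finance vocabulary that should never silently trigger a
# forward or a delete.
INTERNAL_DOMAINS = {"example.com"}
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "payroll"}

# Get-InboxRule renders recipients like '"Alice (home)" [SMTP:alice@gmail.com]';
# some exports carry bare addresses instead. Pull the address out of either.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

FORWARD_PROPS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PROPS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list


def _as_list(value):
    """Exported properties are None, a scalar, or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def external_addresses(recipients):
    """Return the recipient addresses whose domain is not one of ours."""
    found = []
    for entry in _as_list(recipients):
        for addr in ADDRESS_RE.findall(str(entry)):
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in INTERNAL_DOMAINS:
                found.append(addr.lower())
    return found


def keyword_triggers(rule):
    """Keyword conditions on the rule that mention a finance term."""
    words = []
    for prop in KEYWORD_PROPS:
        words.extend(str(w).lower() for w in _as_list(rule.get(prop)))
    return sorted(w for w in words if any(term in w for term in FINANCE_TERMS))


def review_rule(rule):
    """Return a Finding describing why the rule needs review, or None if it looks benign."""
    reasons = []
    for prop in FORWARD_PROPS:
        ext = external_addresses(rule.get(prop))
        if ext:
            reasons.append(f"{prop} sends mail outside the organization: {', '.join(ext)}")
    forwards = any(_as_list(rule.get(p)) for p in FORWARD_PROPS)
    kws = keyword_triggers(rule)
    if kws and (forwards or rule.get("DeleteMessage")):
        action = "forwards" if forwards else "deletes"
        reasons.append(f"finance keyword trigger {kws} {action} matching mail")
    if forwards and rule.get("DeleteMessage"):
        reasons.append("forwards and then deletes, hiding the message from the mailbox owner")
    if not reasons:
        return None
    return Finding(rule.get("MailboxOwnerId", "?"), rule.get("Name", "?"), reasons)


def review_rules(rules):
    return [f for f in (review_rule(r) for r in rules) if f is not None]


# Constructed sample export (not real data): one ordinary internal delegation,
# one user-created forward to a personal mailbox of the kind the advisory says
# actors repointed to their own account, and one keyword-triggered
# forward-and-delete rule pointing outside the organization.
SAMPLE_RULES = [
    {"MailboxOwnerId": "carol@example.com", "Name": "Cover while on leave", "Enabled": True,
     "ForwardTo": ['"Dave" [SMTP:dave@example.com]'], "SubjectContainsWords": None},
    {"MailboxOwnerId": "alice@example.com", "Name": "Send newsletters home", "Enabled": True,
     "ForwardTo": ['"Alice (home)" [SMTP:alice.home@gmail.com]']},
    {"MailboxOwnerId": "bob@example.com", "Name": "..", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "wire transfer", "payment"],
     "ForwardTo": ["finance-desk@outlook.com"], "DeleteMessage": True},
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(f"{finding.mailbox}: rule {finding.rule!r}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against a real export, the script flags every rule that leaves the domain, which is the point: under CISA’s “restrict forwarding” recommendation both the employee’s own personal-account forward and the attacker’s repointed version are findings, and the forward-and-delete combination is the one to treat as an active-compromise indicator rather than a hygiene issue.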
*Note: the activity and information in this Analysis Report is not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.