DLP Human Layer Security Spear Phishing
A Year in Review: 2019 Product Updates
By Harry Wetherald
01 January 2020
2019 was a big year for email security. While the world did see a record number of data breaches (up 33% from 2018), we also saw tighter security-related policies and regulations drafted and implemented, and, in general, an increased awareness amongst businesses about the importance of proactive security strategies. While we may be biased, it seems noteworthy that human error became more and more of a talking point in the cybersecurity space. In fact, human error and the importance of machine learning and artificial intelligence in protecting people has been one of the most talked-about trends by analysts going into the new year. Similarly, companies are waking up to the fact that humans are their biggest risk. It’s about time. After all, misdirected emails – emails accidentally sent to the wrong person – have been one of the top data security incidents reported under GDPR according to the Information Commissioner’s Office. We believe it’s unreasonable to expect employees to do the right thing 100% of the time when it comes to making security-related decisions; people break the rules, people make mistakes, and people can be hacked. To err is human! What’s more, we have seen how quickly the threat landscape continues to evolve, which is why throughout 2019 we rolled out a series of important product updates that have kept our user base – which saw triple-digit growth over the last 12 months – safe. Here are the most important product updates to Tessian’s Human Layer Security platform for 2019.
1. Human error, quantified. The new Tessian Dashboard gives customers an at-a-glance view of breaches and near-misses on email
Keen to discover trends related to the number of breaches that were prevented by Tessian over the last 30 days? Our easy-to-navigate dashboard gives administrators a complete overview of activity, including any malicious and anomalous emails detected, misdirected emails prevented, and unauthorized email attempts thwarted. Module performance for Tessian Defender, Guardian, Enforcer, and Constructor is visible on one page, and visual representations of data make it easy to monitor and drill down on activity day by day. If suspicious activity is spotted, you can quickly and easily generate a report without navigating off the page. The Tessian Dashboard also allows administrators to view user health at a glance, including the percentage of users active on the Add-in and Gateway and any connection issues across the network. This will help in-house security teams ensure every employee within their organization is protected by Tessian’s modules at all times.
2. Evolving algorithms. Tessian Defender can now detect and prevent more spear phishing attempts than ever
Throughout 2019, Tessian Defender was improved through a series of subtle but impactful tweaks to our algorithms, making it even more adept at detecting spear phishing attempts, including advanced, difficult-to-detect direct spoof attacks. The fact is, bad actors are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks. It’s imperative that we stay ahead of the curve, hence the regular updates. Tessian Defender has improved over time – and will continue to improve – enabling the detection and prevention of even the most advanced spear phishing attempts.
3. Thwarted first attempts. It’s now even more difficult for employees to exfiltrate sensitive data
Tessian Enforcer can now detect the first attempt an employee makes to exfiltrate data over email. How? By inferring what is and isn’t likely to be authorized communication based on the vast amount of data Tessian’s ML algorithm was trained on, which doesn’t necessarily rely on the prior email history of a particular email address. For example, if an employee attempts to send an email to their personal, freemail account and that email address contains the employee’s first name or surname, Tessian Enforcer presents a warning to the user advising them that the behavior is potentially unsafe and prompting them to reconsider the action. Data exfiltration remains an incredibly unwieldy problem for businesses. Tessian gives businesses much-needed oversight of the problem over email.
4. In-situ learning opportunities. Employees have an opportunity to understand why an email is unsafe with contextual warnings
While Tessian prides itself on low flag rates so that security doesn’t impede productivity, we wanted to maximize the opportunity to educate users through our warnings. This way, when users do see a notification, they understand why. Improved warnings across all four modules were designed for a more user-friendly experience that seamlessly reinforces any previous or ongoing security training. With more context included, employees can now see exactly why an email is being flagged as suspicious and – importantly – they can make their own decision on how to proceed. This is at the core of Tessian’s mission. Employees should be empowered by security solutions instead of burdened by them.
5. New detection capabilities. Customers can create rules that are specific to their environment
Every business or enterprise is different, and IT and infosec security leaders need some flexibility in creating filter conditions that apply specifically to their operations. Because we’ve introduced new detection capabilities, users can now combine more conditions to create filters for their individual use cases; for example, scanning attachment content, identifying hidden fields in spreadsheets, and reading Azure Information Protection and other DLP labels. At the most basic level, these rules look something like this: If A and B, then C, except when D or E. These variables can apply to a number of elements contained in an email, from the recipient(s) to language patterns. One way an administrator might use these new detection capabilities would be to configure a filter which only allows the finance team, for example, to share spreadsheets with people outside of their organization if the recipient’s email address is recognized as a customer, except when the attachment contains a hidden row titled “social security numbers”.
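As an added example (not Tessian’s own code or configuration), the Python below models the two behaviours described in items 3 and 5 above: a first-attempt heuristic that flags a send to a freemail address whose local part contains the sender’s own first name or surname, and a composable rule of the shape “if A and B, then allow, except when D or E” applied to the finance-team spreadsheet scenario. The freemail domain list, the customer domain list, the attachment model with hidden rows and the sample message are all constructed for the example and are assumptions, not anything taken from the product.

```python
"""Outbound email policy checks (added example, not Tessian's code).

Models two behaviours described on the page:
  * first-attempt exfiltration heuristic: a send to a freemail address whose
    local part contains the sender's first name or surname;
  * a rule of the shape "if A and B, then allow, except when D or E".
Domain lists, the attachment model and the sample emails are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # constructed
KNOWN_CUSTOMER_DOMAINS = {"customer.example"}  # assumed to come from a CRM export
CORP_DOMAIN = "corp.example"                   # constructed corporate domain


@dataclass
class Attachment:
    name: str
    rows: list[tuple[str, bool]] = field(default_factory=list)  # (row label, hidden?)


@dataclass
class Email:
    sender: str
    first_name: str
    last_name: str
    team: str
    recipients: list[str]
    attachments: list[Attachment] = field(default_factory=list)


def freemail_self_send(email: Email) -> list[str]:
    """Recipients that look like the sender's own personal freemail account.

    Works on the address alone, so it fires on the first attempt with no prior
    history for that recipient. Names shorter than three characters are
    skipped because they would match almost any local part.
    """
    names = {n.lower() for n in (email.first_name, email.last_name) if len(n) >= 3}
    hits = []
    for rcpt in email.recipients:
        local, _, domain = rcpt.lower().partition("@")
        if domain in FREEMAIL_DOMAINS and any(n in local for n in names):
            hits.append(rcpt)
    return hits


Predicate = Callable[[Email], bool]


@dataclass
class Rule:
    """'If A and B, then allow, except when D or E', within a scope."""
    name: str
    scope: list[Predicate]     # the rule applies only when all of these hold
    requires: list[Predicate]  # A and B: all must hold to allow
    unless: list[Predicate]    # D or E: any one overrides the allow


def decide(rule: Rule, email: Email) -> str:
    """Return 'not-applicable', 'allow' or 'block' for one email."""
    if not all(p(email) for p in rule.scope):
        return "not-applicable"
    if all(p(email) for p in rule.requires) and not any(p(email) for p in rule.unless):
        return "allow"
    return "block"


def _domain(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[-1]


def is_finance(e: Email) -> bool:
    return e.team == "finance"


def has_external_recipient(e: Email) -> bool:
    return any(_domain(r) != CORP_DOMAIN for r in e.recipients)


def has_spreadsheet(e: Email) -> bool:
    return any(a.name.lower().endswith((".xlsx", ".xls", ".csv")) for a in e.attachments)


def externals_are_customers(e: Email) -> bool:
    return all(_domain(r) == CORP_DOMAIN or _domain(r) in KNOWN_CUSTOMER_DOMAINS
               for r in e.recipients)


def hidden_ssn_row(e: Email) -> bool:
    # D: any attachment row that is hidden and labelled "social security ..."
    return any(hidden and "social security" in label.lower()
               for a in e.attachments for label, hidden in a.rows)


FINANCE_SPREADSHEET_RULE = Rule(
    name="finance-spreadsheet-external",
    scope=[is_finance, has_spreadsheet, has_external_recipient],
    requires=[externals_are_customers],
    unless=[hidden_ssn_row],
)


def check_outbound(email: Email) -> dict:
    """Run both checks and return the findings for one outbound email."""
    return {
        "freemail_self_send": freemail_self_send(email),
        FINANCE_SPREADSHEET_RULE.name: decide(FINANCE_SPREADSHEET_RULE, email),
    }


if __name__ == "__main__":
    # Constructed sample: finance staffer mails a sheet with a hidden SSN row.
    sheet = Attachment("q3-forecast.xlsx", [("Revenue", False), ("Social Security Numbers", True)])
    msg = Email("alice.example@corp.example", "Alice", "Example", "finance",
                ["bob@customer.example", "alice.example@gmail.com"], [sheet])
    print(check_outbound(msg))
```

The rule keeps its three parts separate on purpose: the scope decides whether the rule is relevant at all, the requirements express the positive condition (recipient recognised as a customer), and the exceptions override an allow regardless of the requirements. That split is what lets an administrator add a condition or exception without rewriting the rest of the rule.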
Protect your most valuable asset: your people
Tessian is committed to creating the world’s first Human Layer Security platform, and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace. Not yet a Tessian customer? Across four modules, Tessian protects the human layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G Suite; product updates are seamlessly rolled out for users and administrators; and the technology – which doesn’t disrupt workflow – was built with productivity in mind. To understand how Tessian can fit into your existing security framework, request a demo now.
Compliance DLP
Email: Your Data Security’s Weakest Link
15 November 2019
Emails are a crucial part of many work lives. We’re used to sending and receiving emails throughout the day, without much thought about the security of such exchanges. There’s a much bigger threat that originates from inside your organization. When an employee clicks that send button, they could potentially share sensitive information with the wrong recipient. Such mistakes carry high costs. It might compromise client data or confidential information, which causes your organization huge reputational damage and could hit your bottom line. Not to mention the impact if the story leaks to the media. That level of reputational damage can take years to recover from.
The biggest form of data loss
Misdirected emails were reported by the Information Commissioner’s Office (ICO) to be the biggest form of data loss last year (and also in the first quarter of 2018). Many companies are familiar with hacking as a form of data loss (hence the investment in physical database security, firewalls, and anti-virus) but less so with misdirected emails. Unfortunately, all the attributes of email that make it so popular (that it’s a speedy, clear and common form of communication) are the very factors that make it such a risk. 95% of all security incidents involve human error. Many security systems that are focussed on keeping hackers out are missing a vital part of defence – making sure sensitive information stays in.
Email is the default means of communication
The emails involved in this scenario are all outbound. That is, emails sent to other organizations or people outside of your own company domain. If you think about it, email is a pretty insecure way of sharing information. It can be hacked, end up with the wrong person, or send malware and spam itself. Worryingly, email still remains a means for many businesses to share confidential information. 89% of U.S. law firms use it as the main way to share information like case files or contracts. That’s despite 70% of them being aware of the risks and the importance of sharing files securely. It’s the default mode of communication for many companies, and that means we need to find ways of securing it. Firewalls and other security can only go so far. When an email is leaked, it could be your employees who are your weakest link.
Employees can make mistakes
It might even be unintentional on the part of an employee. If someone simply misspells a name or doesn’t realize others are copied into an email chain, it can result in a data leak. Alternatively, their actions might be malicious and actually intended to cause harm to a company. Either way, the consequences are devastating for a business. Especially post-GDPR.
Misdirected emails and GDPR
For the few who are unaware, the EU’s General Data Protection Regulation (GDPR) has strict stipulations on the use and sharing of personal data. Under GDPR, organizations could face a fine of up to €20 million or 4% of global revenue, whichever sum is greater. The fine depends on the severity of the data leak. So a leak of healthcare records or personal finance data is likely to attract a far greater fine than leaking email addresses. Even if the information shared isn’t customer data or personal information, there could be dire consequences. Imagine sharing client lists or your organization’s future product plans, business strategy or financial information with the wrong person. It only takes a few clicks before that information ends up in the hands of a competitor.
Reputation and trust are damaged
Data leaks are becoming increasingly common. The media has its eye fixed on any kind of data breach. Any company that leaks information, whether that’s through a hack or a misdirected email, is likely to become front-page news. Despite the saying, not all news is good for your company. Plus, there’s the significant loss of trust that occurs between organizations and consumers if a breach does occur. Especially if that information is highly sensitive, like the names and emails of attendees of an HIV clinic sent in an accidental group email. As you can see from this case, a breach could occur simply when someone doesn’t realize emails are entered into a Cc field and not blind-copied. The clinic was fined £180,000. A sum that would have been far greater had GDPR been in force at the time.
Other potential risks
Then there are the risks associated with an employee leaving their email account logged in on a shared computer. They could also fail to lock their screen when leaving their computer. Alternatively, their laptop, phone or tablet could be stolen with their work email account still linked. When securing your emails, there’s definitely some employee education to be done. Make sure you communicate the risks of leaving inboxes on show or failing to lock screens. Employees must also understand how they can prevent misdirected emails and the consequences of such a leak.
Identifying email leaks
Of course, not all email leaks can be easily identified by organizations. Someone might maliciously forward an email. Others may accidentally send confidential information without realizing it. Under GDPR, there’s a requirement for any breach to be reported within 72 hours. Organizations need a way to track outbound emails and flag any misdirected emails. Luckily, there are tools like Tessian that notify you of any confidential information sent to personal email addresses or outside your organization. It also prevents misdirected emails from ever occurring. Prevention is your best cure. Once a leak has happened, it’s difficult to fully recover. It’s better to use machine learning and other technology to stop a breach occurring, either by analyzing email addresses and flagging potential misdirected emails, or by highlighting when employee behavior might cause a leak.
Secure the outside and inside
The risks of having a data leak are much higher compared to the past. GDPR has raised the stakes for many companies and also raised awareness about personal data security amongst consumers. Organizations need to ensure security is in top shape. However, most emphasis is placed on ways to keep hacks and database breaches from occurring. Not many business leaders have considered the risk of email leaks. This creates a chink in an otherwise impenetrable armor. You don’t just need to consider the dangers of people getting in; you also have to stop confidential information from getting out. Especially if it’s highly sensitive, which is often the case in the health and legal sectors.
DLP
What is Data Loss Prevention (DLP) – A Complete Overview of DLP
23 October 2019
Organizations across industries invest in Data Loss Prevention (DLP) solutions to combat perennial security risks along with new challenges like GDPR and CCPA compliance.  But, what is Data Loss Prevention (DLP), what are the benefits of implementing a DLP strategy, and how does DLP work?
What is Data Loss Prevention (DLP)?
DLP software monitors different entry and exit points of a corporate network, such as user devices, email clients, servers, or gateways within the network, to safeguard data in different forms, including data in motion, data in use, and data at rest. Data in motion refers to data that is sent and received over your network. Data in use refers to data that you are using in your computer’s memory. Data at rest refers to data that is stored in a database, a file, or a server. If security software sees something suspicious, such as an email attachment containing credit card details or an attempt to print confidential documents, a predefined response will kick in. Most DLP software offers organizations the ability to block potentially risky communications or to simply flag the anomaly for administrators to follow up on. Properly configured DLP allows organizations to block sensitive information while permitting non-sensitive communications to continue, which means there is a range of benefits of DLP.
What are the benefits of DLP?
There are three main problems solved by DLP:
1. Satisfying compliance standards. With compliance regulations like GDPR, CCPA, and HIPAA dictating how data is handled in different industries and regions, it’s more important than ever that organizations monitor activity and events around Personally Identifiable Information (PII), Protected Health Information (PHI), or payment card information (PCI). Any breaches that compromise the security of this data could mean big fines for organizations. GDPR fines alone can equal up to 4% of a business’ annual turnover.
2. Keeping intellectual property in-house. While customer, client, or patient information must be protected by law, organizations have a vested interest in also protecting intellectual property like financial information, design or development plans, and information related to the overall structure of the business. DLP helps protect against data exfiltration attempts.
3. Monitoring how data is used. Not all data incidents lead to data breaches. That’s why it’s important for organizations to have full visibility over how individual users are using and interacting with data. This way, administrators can potentially spot a bad leaver or insider threat before any data is exfiltrated.
What are the different types of DLP?
DLP does more or less the same thing wherever it is deployed – it looks for sensitive information crossing boundaries. But different DLP solutions operate in different ways depending on which “perimeter” is being guarded. There are three main types of DLP solutions: network DLP, endpoint DLP, and email DLP.
Network DLP
Network DLP protects data in motion by monitoring the traffic that enters and leaves the organization’s network. These solutions are mostly cloud-based and are designed to monitor network traffic between users and other endpoints connected through the Internet; every byte of data transmitted through a network will go through the cloud-based DLP solution. Like other DLP solutions, Network DLP can be customized to block custom-defined data strings, preventing specific information from moving out of the network. But it can also be used to manage access to certain Uniform Resource Locators (URLs), prevent data or files being transferred to specific cloud storage, and block viruses and malware that are traversing the network.
Endpoint DLP
Endpoint DLP protects data in use on employees’ devices (computers, mobile phones) by preventing unauthorized access. How? By ensuring information isn’t taken off work devices and sent or copied to unauthorized devices, allowing or denying certain tasks to be performed on the computer. It is also able to detect and block viruses and other malware that could be transferred into your computer system from external sources. Universal Serial Bus (USB) blocking is one of the most popular methods used in endpoint DLP, because viruses can be replicated using USB storage, and once a USB flash drive is connected to a computer, the virus can be transmitted to the computer system.
Email DLP
Email continues to be the most critical risk factor for data loss, with both inbound and outbound traffic posing security threats. To protect data, Email DLP monitors, tracks, and filters emails sent back and forth through the email client and checks every communication. Inbound email DLP solutions monitor emails for certain keywords to identify phishing scams, spear phishing attacks, ransomware, or malware. They also quarantine any suspicious email message that contains specific types of data. Outbound email DLP, on the other hand, can be set up to check for misdirected emails, unauthorized emails, or sensitive data to prevent critical information moving out of an organization’s network.
Do I need a DLP solution?
Every company is different, but those handling sensitive information – especially from third parties – will want to consider implementing a DLP solution in order to maintain customer or client trust and satisfy compliance standards. Larger organizations may want to secure every point as part of a layered defense, while smaller companies with limited IT budgets may decide to focus on their single biggest risk. For many, this is email. Not only are misdirected emails one of the most common breaches reported under GDPR, but 90% of data breaches start on email. To learn more about why it’s so important to focus on email, read our Ultimate Guide to Human Layer Security.
How does DLP work?
Traditionally, DLP software has been built around creating long lists of rules and extensive manual tagging. Once set up, it can then monitor the flow of data through different parts of the network, to look for anything sensitive crossing a boundary. Administrators can create policies to dictate “if x happens, then do y.” These rules should be specific to your organization. For example, a rule may forbid sensitive information being sent to a “freemail” email account or any non-whitelisted third parties. Unfortunately, though, rule-based DLP has limitations. IT and security teams are tasked with not only creating but also maintaining long lists of rules, and employees are often exposed to high flag rates that impede their productivity. That’s why Tessian takes a different approach.
How does Tessian prevent data loss?
Tessian uses machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our machine learning models analyze email data to understand how people work and communicate. They have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real time if particular emails look like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network.
DLP Human Layer Security
The Dark Side of Sending Work Emails “Home”
By Cai Thomas
11 October 2019
This article was originally published on TechRadar Pro.
In the last four years, the number of remote working jobs has more than doubled, as employers acknowledge the need to change traditional working practices. In fact, it’s expected that 50% of the UK workforce will work remotely by 2020, further blurring the lines between home and the office. This shift has huge benefits: improving people’s work-life balance, increasing employee productivity and boosting employee retention rates. However, it does also pose a problem for one very important aspect of business: data security. Data security is at greater risk as staff are more likely to send important and, even, confidential company information to personal email accounts, with the usual intention of working on documents at home. Worryingly, many are completely unaware how risky these actions are. According to tech firm Probrand, nearly two-thirds of UK employees have forwarded customer emails to their personal email accounts and 84% of them did not feel they were doing anything wrong. So what are the risks with sending work home? And who are the workers you need to be wary of?
1. The 24/7 worker
While a number of the emails sent ‘home’ contain non-sensitive information, like travel arrangements, cinema tickets or food recipes, we’ve seen that around 10-15% of emails sent to personal accounts contain company-sensitive information. We’ve all been there; it’s late on a Friday, that Monday deadline is looming, and the employee thinks to themselves, “I’ll just have to finish this document at home over the weekend”. So they send the document to their, or their partner’s, personal freemail account. However, this can have devastating consequences for the company’s reputation and it could destroy customers’ trust in the business. The problem is that by sending emails ‘home’, the information the messages contain now sits in an environment that is not secured by the company, leaving the data vulnerable to cybercriminals. It’s also important to note that this simple act of sending work home means your company is now at risk of breaching data protection regulations, like GDPR, due to the fact that you, as the Data Controller, no longer have oversight as to where the data is held. Boeing, for example, faced scrutiny after an employee shared a spreadsheet containing the personal information of 36,000 co-workers with his spouse, simply because she was better at Excel formatting than him. The incident sparked an internal security investigation and was brought to the attention of the Washington state Attorney General and other officials in California because employee data had left the control of the company.
2. The leaver
We often see a spike in data exfiltration during an employee’s notice period. Workers know they’re not supposed to, but the temptation to take information that will give them an advantage in their new role is hard to ignore. As such, we see people sending company IP and client data to personal accounts prior to moving to another employer. This happens most frequently in industries such as financial services, legal, healthcare and recruitment, where a person’s client base and network is king. The task of manually monitoring suspicious ‘leaver’ behaviour over email has become incredibly challenging for IT staff, due to the increased employee churn rate year on year. A study by LinkedIn found that young workers now switch jobs four times in their first 10 years after graduation. However, by not putting a stop to this act, companies could face losing their competitive advantage as well as their clients’ business due to leaked secrets, strategy and IP.
3. The malicious insider
This is where employees steal data from their company for personal or financial gain. Despite being less common, the threat of the ‘malicious insider’ is something businesses have come up against more frequently in the past few years. Employees will typically steal confidential company secrets and/or client data with the intention of selling it on the dark web or handing it over to a competitor to damage their current company. Just last year, Bupa fell victim to this crime after the personal data of 500,000 customers was sold on the dark web, while audit firm SRBC and Co.’s reputation was tarnished after its client’s earnings estimation was maliciously leaked over email.
An intelligent solution for a flexible workforce
There can be no denying that monitoring all employee email behavior is an arduous task for IT and compliance teams to undertake. With the average employee sending and receiving 124 emails a day, and with daily email traffic increasing 5% year on year, deciphering data exfiltration within email logs is like finding a needle in a haystack. To help tackle the problem of data being leaked to unauthorized accounts, some organizations opt to simply blacklist all freemail domains. However, this can impede productivity and is usually ineffective given that many clients, small businesses and contractors use freemail accounts, as do prospective applicants looking for jobs at the company. Businesses need a more intelligent approach to data exfiltration – one that can look at the emails each employee has sent and received in the past, in order to identify the non-business contacts with whom each employee interacts. Machine learning, for example, can evolve to understand the differences between authorized and unauthorized freemail accounts, and it can analyze email content to determine whether it is sensitive or non-sensitive. By doing so, machine learning can make an accurate prediction as to whether an employee is exfiltrating data and acting against company policies. There will always be reasons for people to bend the rules and leak data outside of their organization – maliciously or for convenience. The consequences for doing so, though, could be devastating for any company: huge fines, loss of competitive advantage and a damaged reputation. So as more businesses adopt remote working practices, it’s important that technologies are in place to ensure company-sensitive data is secure and not at risk of ‘being sent home’.
DLP
Behind the “Fat Finger”: All You Need to Know About Misdirected Emails
19 September 2019
Email is among the most used communication tools in the world. Research suggests that as of 2019, the amount of emails sent and received is almost 300 billion per day. Email has many powerful benefits, but it has given organizations significant security headaches too. No question: over the past few years, fending off email security threats has become a much higher priority for organizations. Today, senior leaders recognize that people pose a real threat to organizations’ security: 30% of enterprise cyber incidents are caused by employees. Although eye-catching and sophisticated scams like spear phishing attacks regularly make headlines, one of the most common threats to email security is email misdirection. What is a misdirected email?
What kinds of errors actually lead to misdirected emails?

1. Spelling mistakes

One of the most common causes of a misdirected email is a user incorrectly spelling the email address of the correct recipient. An email intended for [email protected] might therefore be sent to [email protected]. (As well as work emails, the risks also apply when dealing with clients, external partners or other suppliers.) Accidentally sending an email message to the wrong address might happen because employees are rushing, or switching focus too quickly when multitasking.

2. Autocomplete

Today, the average person spends nearly a third of their working week on email. To save time, it’s not surprising that people often rely on the Autocomplete feature available in most email clients, including Microsoft Outlook, Yahoo and Gmail. With Autocomplete, people often don’t have to type email addresses in manually when sending emails, instead relying on Autocomplete’s speed and convenience to help them complete work quickly. While Autocomplete can boost productivity, it raises the risk of mistakes being made. Offering a suggested recipient to a sender who has only typed the first initial of the correct person’s Gmail address makes it much easier to accidentally add a wrong recipient with a name similar to the intended one.

3. To/Cc instead of Bcc

The Blind Carbon Copy (Bcc) function allows the person sending an email to hide certain recipients from the main send list. Using Bcc also prevents the concealed recipients from receiving new emails in the same thread. In a work environment, it is often essential to use Bcc when sending a sensitive message to a group of people. Human error can play a part here, though. A common mistake involves the sender accidentally putting certain addresses into the To or Cc fields rather than Bcc. The impact of this is that all the email’s public recipients become exposed to one another, giving the potential for data loss and compliance breaches. This can be particularly damaging if the content of the email contains personal information regarding sensitive matters like healthcare. Being able to understand which people in your address book need to be handled sensitively is vital. Exposing the real email addresses of individuals can have disastrous consequences for organizations.

4. Accidental “Reply All”

People mistakenly using the “Reply All” function instead of just replying to a single recipient can put data at risk of being compromised. “Reply All” errors can cause email account data and personal information to be disclosed to a wider audience than intended. (It can also damage productivity. Last year, an email was accidentally sent to 22,000 employees of Utah state, with subsequent “reply all” messages from staff clogging up employees’ inboxes.)

As we’ve seen, there are a number of circumstances that lead to misdirected emails in the workplace. So what are the consequences of this kind of error?

Consequences of sending a misdirected email

In enterprise environments, the content of the message (as well as attachments and links) may include highly sensitive information that regulated organizations have an obligation to protect. For example, law firms often send privileged client data related to ongoing legal matters via email. A pharmaceutical company, meanwhile, may have to pay particular attention to highly sensitive personal information such as patient records. Many countries have introduced or are introducing stricter data protection laws: GDPR in the European Union, California’s Consumer Privacy Act and the Notifiable Data Breaches scheme in Australia are just a few examples of recent legislation that punishes non-compliance more severely. Under GDPR, organizations failing to control human error on email systems could face fines of up to 4% of annual global turnover, or €20m, whichever is greater. For organizations, the margin for error when it comes to misdirected emails is growing slimmer.

The second consequence concerns trust and reputation. Unlike dialing the wrong phone number, which might be slightly embarrassing, sending a misdirected email and experiencing a data breach as a result can significantly undermine the confidence that clients, shareholders and partners have in an organization. Negative coverage in the press and on social media can damage the perception of companies’ brands, and a quick Google search is all that’s needed to see the harm done to organizations’ credibility. Earlier this year, an NHS employee sent an email to executives containing sensitive personal data regarding 24 NHS employees – who were all copied in on the message.

Prevent misdirected emails with Tessian Guardian

Looking to the future, organizations will have to adopt security solutions that help reduce the risk of human error. Tessian’s Guardian filter allows enterprises to take control over the errors that happen on email. When a technological solution lets system administrators automatically notify the sender in real time that they are in danger of making an error by sending an email to the wrong person, that organization is in a more secure and stable place. Speak to one of Tessian’s cybersecurity experts today, and learn whether we could help your organization.
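The three mechanical causes above (a misspelled domain, an autocomplete pick that differs from a known contact by a character or two, and a group of external recipients left visible in To/Cc) can all be checked before a message leaves the client. The following is an added example of such a pre-send check, not Tessian’s code: the contact list, `OWN_DOMAIN`, the threshold and the function names are assumptions made for illustration.

```python
"""Pre-send checks for the misdirected-email causes discussed above.
Added example; KNOWN_CONTACTS, OWN_DOMAIN and BCC_THRESHOLD are constructed."""
from typing import List, Set

# Constructed: addresses the organisation has legitimately mailed before.
KNOWN_CONTACTS: Set[str] = {
    "anna.lee@examplebank.com",
    "andy.lee@examplebank.com",
    "legal@example-law.co.uk",
    "jo.smith@internal.example",
}
OWN_DOMAIN = "internal.example"   # assumed: the sender's own organisation
BCC_THRESHOLD = 10                # external addresses visible in To/Cc before we warn

def levenshtein(a: str, b: str) -> int:
    """Edit distance; inlined rather than pulling in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_recipients(to: List[str], cc: List[str]) -> List[str]:
    """Return warnings to show the sender; an empty list means no concern."""
    warnings = []
    visible = [r.lower() for r in to + cc]
    known_domains = {c.split("@")[1] for c in KNOWN_CONTACTS}
    for addr in visible:
        if addr in KNOWN_CONTACTS:
            continue
        local, _, domain = addr.partition("@")
        # 1. Spelling mistakes: domain is close to one we know but not identical.
        for kd in known_domains:
            if domain != kd and levenshtein(domain, kd) <= 2:
                warnings.append(f"{addr}: domain looks like a misspelling of {kd}")
        # 2. Autocomplete: same domain as a known contact, local part nearly identical.
        for c in KNOWN_CONTACTS:
            c_local, _, c_domain = c.partition("@")
            if c_domain == domain and levenshtein(local, c_local) <= 2:
                warnings.append(f"{addr}: similar to known contact {c}; autocomplete pick?")
    # 3. To/Cc instead of Bcc: many external recipients can all see each other.
    external = [r for r in visible if not r.endswith("@" + OWN_DOMAIN)]
    if len(external) >= BCC_THRESHOLD:
        warnings.append(f"{len(external)} external recipients visible to one another; use Bcc?")
    return warnings
```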
DLP
The Risks of Sending Data to Your Personal Email
02 April 2019
Across all industries, people routinely send work from their corporate email account to their personal account to work more easily from home, or outside of office hours. On the surface, this may not pose any great threat to your organization, be it because your employees are careful, or because the data they handle isn’t sensitive enough. The main reason employees send work home is that it’s easier. Easier than accessing files through the corporate VPN, easier than digging out the randomly generated password to their work email for use at home, easier than printing off everything they need and taking it home with them. They send an email, go home, and the documents are ready and waiting. In early 2017, an airline employee sent a spreadsheet containing approximately 36,000 employee records home so his wife could help with a formatting problem. Based on data from the Ponemon Institute, this single spreadsheet may have cost the company as much as $5.7m. While this is bad practice, a security breach like this (an incident doesn’t have to be damaging, or even publicized, to constitute a breach) will most of the time not result in damage or require clean-up; but the one time it does, the financial and reputational risk can be high. There is also the possibility that disgruntled employees may deliberately send information to their personal email to more easily disseminate it to competitors or the press, as happened in 2016. A former employee at a UK law firm was found liable by the ICO and prosecuted under the Data Protection Act for sending confidential client data to their personal account, which they hoped to use as leverage in their new role at a rival company.
Loss of data through personal email could mean:
• Breach of contracts or non-disclosure agreements
• Loss of IP and proprietary research
• Breach of data protection regulations
• Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)

In brief: something as seemingly insignificant as sending sensitive company data to a personal email account can be devastating.

“Nearly 75% of office employees send work files to a personal email account, a majority of whom say it’s because they prefer using their own computer, while 14% say it’s because it’s too much work to bring their work laptop home.”

How do you fix the problem?

1. Educate your workforce

Make sure your employees know how to observe best data security practices. Make sure they understand how best to secure the data they work with, especially confidential data, and ensure they adhere to company data security policies, hosting refresher courses if necessary. The ICO has released some posters to help you on your way.

2. Ease of access

Try as much as possible to ensure that your employees don’t feel the need to send work to their personal emails. Implement secure file storage platforms they can access from home (SharePoint, G Suite, etc.) or a corporate VPN so they can securely access the company network from anywhere. You need to strike that happy middle ground between “easy to use but insecure” and “airtight but really disruptive”.

3. Be proactive, not reactive

Choose email security platforms that offer the most complete protection against sending to unauthorized email accounts before it becomes a problem, instead of being left scrambling for a solution in the aftermath. Find a solution that tracks and logs attempts to send data to a personal email address, and use the metrics to open a conversation with employees about data protection.
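Step 3 asks for something that tracks and logs attempts to send data to a personal email address and turns them into metrics. The following is an added example of that logic run over gateway log lines, not Tessian’s code: the log format, every address, the `PERSONAL_DOMAINS` list and the function names are constructed for illustration, and it separates the “sent to what looks like my own webmail account” case from other consumer webmail recipients.

```python
"""Flag outbound mail to personal webmail accounts in gateway logs.
Added example; the log format, addresses and domain list are constructed."""
import re
from collections import Counter
from typing import Dict, List, Tuple

PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Constructed log lines in a made-up key=value format (one message per line).
SAMPLE_LOG = """\
2019-04-02T18:05:11 from=alice.jones@corp.example to=alice.jones88@gmail.com attachments=1
2019-04-02T18:07:42 from=bob.k@corp.example to=finance@client.example attachments=2
2019-04-02T18:09:03 from=alice.jones@corp.example to=dave@corp.example attachments=0
2019-04-02T18:11:59 from=carol.w@corp.example to=carol.w.home@yahoo.com attachments=1
2019-04-02T18:15:20 from=bob.k@corp.example to=someone.else@hotmail.com attachments=0
"""

LINE_RE = re.compile(r"from=(\S+) to=(\S+) attachments=(\d+)")

def name_tokens(local_part: str) -> set:
    """Split 'alice.jones88' into {'alice', 'jones'}: letters only, 3+ chars, lowercase."""
    return {t for t in re.split(r"[^a-z]+", local_part.lower()) if len(t) >= 3}

def classify(sender: str, recipient: str) -> str:
    """'self' = webmail address that looks like the sender's own; 'personal' = other
    consumer webmail; 'ok' = anything else."""
    s_local, _, _ = sender.partition("@")
    r_local, _, r_domain = recipient.partition("@")
    if r_domain.lower() not in PERSONAL_DOMAINS:
        return "ok"
    if name_tokens(s_local) & name_tokens(r_local):
        return "self"
    return "personal"

def scan_log(text: str) -> Tuple[List[Tuple[str, str, str, int]], Dict[str, int]]:
    """Return (findings, per-sender counts); a finding is
    (sender, recipient, category, attachment_count) for each non-'ok' line."""
    findings, per_sender = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not message records
        sender, recipient, n_att = m.group(1), m.group(2), int(m.group(3))
        category = classify(sender, recipient)
        if category != "ok":
            findings.append((sender, recipient, category, n_att))
            per_sender[sender] += 1
    return findings, dict(per_sender)
```

The per-sender counts are the metric the text suggests using to open a conversation with employees; attachment counts help prioritise which findings to look at first.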
DLP
Risks of Email Communication
26 February 2019
A consumer survey conducted by Adobe in 2018 found that on a typical weekday, their consumers check their work email for an average of 3.1 hours and their personal email for 2.5 hours. This makes email one of the most habitual platforms employees use, which makes changing this user behavior that much more challenging. Email’s speed and ubiquity also make it one of the single biggest threats to a company, its employees, and its data. Employees of all levels, in all industries, depend on the ability to communicate quickly and easily in order to get their jobs done. Investment bankers share market-sensitive information to buy and sell companies. Lawyers share evidence on litigation matters. Hedge fund managers share data on positions or trading strategies. Over the past 20 years, email has grown to become the main artery of communication for the enterprise. According to research conducted by McKinsey in 2012, reading and answering email accounts for 28% of the average employee workday, which makes email one of the most habitual tasks employees conduct.

Human error is incredibly difficult to understand, let alone predict. Changes in people’s stress levels, morale, engagement and attention can lead to misdirected emails. While a growing number of enterprise processes are now being automated, email communication is currently still reliant on human interaction and judgement – all of which makes it particularly vulnerable to human error. No matter how structured or ingrained a process or behavior is, mistakes are inescapable, and inevitable. The risk of data leakage is heightened by many of the factors that make email so useful. The same email address will send personal and professional messages, often in succession. It is platform agnostic – you can send an email to any other email address regardless of its platform – making it very difficult to develop a complete security solution for a channel with so many front-end standards and configurations. As email becomes easier to use, the associated risks also increase. Paul Regan, Head of Cybersecurity at Winterflood Securities, noted that misdirected emails are where his firm has seen the biggest risk in the last couple of years.
Email used to be much more manual, but functions such as those Regan refers to have upped the risk, and even with an emphasis on data privacy training, the risks have grown. Hyde pointed to another worrying trend: “The way email used to be used was very manual. As time has gone on, it’s become much easier to use. It’s available on more devices, better at predicting what you’re going to do – but with that ease of use comes risk. “We trust the technology hugely, so that when something goes wrong it happens so quickly that it’s impossible to do anything about it – that’s the reality of email.” A misdirected email, such a seemingly small mistake, could heavily damage your relationships with clients and your level of public trust.
“Imagine, your most important client receives an email with financial or sensitive information going to somebody else. You have a good chance of losing that client and certainly your standing will be hit.” “It’s too late to go back now”, noted Regan. “I feel that email is an inherently weak medium, and it’s not going to change. “Deploying Tessian for us is recognition that our employees are trying to do the right thing. “This is not about having some central security department, overseeing everybody and trying to catch someone doing bad things. It’s a safety net that catches things that otherwise would be a problem,” said Hyde.
DLP
Bupa Fined £175,000: The Risks and Costs of Unauthorized Emails
18 October 2018
As the recent Bupa data breach highlighted, the sending of unauthorized emails – an email that is intentionally sent to an unauthorized recipient, such as an employee’s personal email account – can have a detrimental financial and reputational impact upon an organization. The global insurance and healthcare group’s failure to prevent the exfiltration and attempted sale of over half a million international health insurance customers’ personal information led to a £175,000 fine and a damning evaluation of its negligent security practices.
The loss of consumer data can also result in:
• Breaching contracts or non-disclosure agreements
• The loss of IP and proprietary research
• Breaching data protection regulations
• Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)

Despite such demonstrably damaging ramifications, many organizations do not have sufficiently secure networks and, as a result, lack the necessary visibility over how sensitive data is processed and stored. Before they know it, sensitive data is shared, stolen and sold; the damage is done. For large organizations like Bupa, monitoring thousands of employees and hundreds of thousands of email communications containing millions of pieces of data can seem an insurmountable and relentless task. In 2018, it is estimated that 124.5 billion business emails were sent every day, with each employee sending an average of 31. These figures are only expected to increase (at a rate of 3% per annum over the next few years) as corporate email networks grow in size and importance. Organizations that possess large amounts of highly sensitive patient or consumer data, like Bupa, have a duty to prevent this kind of data breach from happening. If they cannot monitor or control employee behaviour, they must take the necessary steps to find and invest in an approach and solution that can prevent unauthorized emails from being sent. It’s crucial to be proactive – rather than reactive – in addressing this kind of threat. As such, we recommend enterprises employ an email security platform that offers comprehensive protection against the sending of unauthorized emails. Tessian Enforcer, for example, uses machine learning to understand human conversation patterns in order to detect, flag and prevent anomalous emails, which may contain sensitive data, from being sent to unauthorized or personal email accounts.