What is Data Exfiltration? Tips for Preventing Data Exfiltration Attacks
25 February 2020
Today, data is valuable currency. Don’t believe us? Data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web.  For an organization, this data can be anything from customer email addresses to financial projections and the consequences of this data being leaked are tremendous and far-reaching. When data is leaked purposefully and without authorization, we call it data exfiltration. You may also hear it referred to as data theft, data exportation, data extrusion, and data exfil.
What are the various types of data exfiltration?

Data can be exfiltrated in a number of ways, by both insiders and external bad actors. We’ll cover both in this article, but if you want to learn more about insider threats, read this blog: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions. Here are some of the most common ways in which data exfiltration can be carried out.

Email

According to IT leaders, email is the number one threat vector. It makes sense. Over 124 billion business emails are sent and received every day, and employees spend 40% of their time on email, sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data with people both inside and outside of their organization. Needless to say, it’s a treasure trove of information, which is why it’s so often used in data exfiltration attempts. But how?

- Insider threats emailing data to their own personal accounts or to third parties
- External bad actors targeting employees with phishing, spear phishing, or ransomware attacks

Employees, contractors, and other individuals with access to an organization’s systems and networks could email databases, calendars, images, planning documents, and other sensitive data to their personal email accounts or to other third parties. If there’s no security software in place to prevent an email from being sent anywhere, it takes just one click of a mouse to move data from inside an organization into the wild.

But it’s not just insiders who can exfiltrate data via email. Bad actors can, too, via phishing, spear phishing, or ransomware attacks. In this case, an employee (the target) will receive an email that appears to be legitimate. If successful, this fraudulent email will get them to share credentials, download a malicious attachment, or otherwise share sensitive information. If the bad actor crafts the email in such a way that it appears to genuinely be from a trusted source like a CEO or third-party supplier, the target will often fall for the scam.

Downloads/Uploads

Data can also be exfiltrated via a USB drive or another personal device like a smartphone, laptop, camera, or external drive. An employee (or someone else with access to the company network) simply has to download or upload the data without being detected for the attempt to be successful. This happens more frequently than you might think. One report shows that:

- 15% of insiders exfiltrate data via USBs, and 8% of external bad actors do the same
- 11% of insiders exfiltrate data via laptops/tablets, and 13% of external bad actors do the same

Via the cloud

While working in the cloud, storage services like Google Drive and Dropbox offer employees incredible flexibility (especially when working outside of their office environment), but there is risk involved around data exfiltration. Again, both insiders and outsiders could exfiltrate data via the cloud; all the person needs is access. Once they have access, they could simply copy, download, or print sensitive documents, or they could modify virtual machines, make malicious requests to the cloud service, and deploy malicious software.

Physical theft

Before the digitization of many business operations, data was exfiltrated via physical theft. It still happens! This could involve someone taking documents or entire servers with them when they leave the office, or faxing documents to themselves or a third party. In this case, lockable confidential waste bins, paper shredding devices, and security cameras or personnel could help secure sensitive data. But how do you prevent digital data exfiltration?
What types of tools and technologies can prevent data exfiltration?

Preventing data loss is a top priority for IT, security, and compliance leaders. Not only do they want to protect client and customer information and their own intellectual property (IP), but they want to avoid the many consequences that come from a data breach. But data loss prevention (DLP) is a real challenge. And while there are a handful of solutions, many fall short.

Blocking or blacklisting domains, channels, or software

What it is: Data exfiltration prevention has often been simplified to stopping communication with certain accounts/domains (namely freemail accounts like @gmail) or blocking access to certain tools and software (like Dropbox, for example).

Why it doesn’t work: This is a blunt approach that impedes employee productivity. There are many legitimate reasons to communicate with freemail accounts, such as updating private clients, managing freelancers, or emailing friends and family about non-work issues. What’s more, a determined insider could easily circumvent this by setting up an account with its own domain.

Secure Email Gateways (SEGs)

What it is: SEGs are essentially more sophisticated spam filters. They’re used to block malicious inbound email threats like phishing attacks.

Why it doesn’t work: While SEGs may be effective in blocking bulk phishing emails, they can’t stop all spear phishing emails. That means the most targeted attacks can still get through, and employees could easily fall victim to an attack and unknowingly exfiltrate data to a bad actor. (Not sure what the difference is between phishing and spear phishing? Read this.)

Labeling and tagging sensitive data

What it is: The first step in any DLP strategy is to label and tag sensitive data. This way, it can be monitored (and stopped) when it is seen moving outside the network.

Why it doesn’t work: This approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable; employees may label incorrectly or, worse, not do it at all.

Rule-based solutions

What it is: Organizations could implement rule-based solutions that take the form of “if-then” statements. These “if-then” statements involve keywords, email addresses, and regular expressions that look for signals of data exfiltration.

Why it doesn’t work: Similar to tagging, rule-based solutions are impossible to maintain because data changes in value and sensitivity over time. Beyond that, you simply can’t define or predict human behavior with rules. That’s why 85% of IT leaders say rule-based DLP is admin-intensive and just 18% say it’s the most effective way to prevent data loss.

Training

What it is: Because it’s people who control our data, training is a logical solution to data exfiltration. In fact, 61% of organizations have training every 6 months or more frequently.

Why it doesn’t work: While training does help educate employees about data exfiltration and what the consequences are, it’s not a long-term solution and won’t stop the few bad eggs from doing it. You also can’t train away human error, including breaking the rules or falling for scams like phishing attacks. Learn more in our report: Why the Threat of Phishing Can’t Be Trained Away.

Machine learning

What it is: Machine learning – especially ML models trained on historical email data – understands the intricacies and fluctuations of human relationships over time. That means ML models can constantly update their “thinking” to determine whether an action looks like exfiltration or not.

Why it does work: This is the “human” way forward. Machine-intelligent software recognizes what looks suspicious, much like a trained security professional could. However, unlike humans, it can do this thousands of times per second without missing information or getting tired.

How does Tessian prevent data exfiltration?
Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats. Our Human Layer Security platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks. Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis of, and learning from, the organization’s email network.

Tessian Enforcer detects and prevents data exfiltration attempts by:

- Analyzing historical email data to understand normal content, context, and communication patterns
- Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs
- Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like data exfiltration. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
- Alerting users when data exfiltration attempts are detected with clear, concise, contextual warnings that reinforce security awareness training

Tessian Defender detects and prevents data exfiltration attempts by:

- Analyzing historical email data to understand normal content, context, and communication patterns
- Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs
- Performing real-time analysis of inbound emails to automatically predict whether the email looks unsafe. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
- Alerting users when targeted email attacks are detected with clear, concise, contextual warnings that reinforce security awareness training

To learn more about data exfiltration and how Tessian is helping organizations like Arm keep data safe, talk to one of our experts today.
How Does Data Loss Prevention for Email Work?
09 February 2020
Data Loss Prevention is a vital part of security frameworks across industries, from healthcare and legal to real estate and financial services. There are dozens of different DLP solutions on the market, each of which secures data differently depending on the perimeter it is protecting. There are three main types of DLP:

- Network DLP
- Endpoint DLP
- Email DLP

While we’ve covered the topic of email DLP broadly in this Complete Overview of DLP on Email, we think it’s important for individuals and larger organizations to fully understand what the proper application of email DLP can offer and, with that, why it’s so important to know which email DLP system to implement.

How can DLP for email protect an organization?

Importantly, there are two types of threats DLP must account for:

- Accidental data loss: To err is human. For example, an employee might fat-finger an email and send it to the wrong person. While unintentional, this mistake could lead, and has led, to a costly data breach. DLP solutions need to be able to flag the email as misdirected before it’s sent, either by warning the individual or by automatically quarantining or blocking it.
- Malicious exfiltration: Whether it’s a bad leaver or someone hoping to sell trade secrets, some employees do, unfortunately, have malicious intent. DLP solutions need to be able to identify data exfiltration attempts over email before they happen in order to prevent breaches.

An introduction to rule-based DLP

On a basic level, the bulk of DLP solutions operate via rule-based policies, using if-then statements to lock down data after it’s been classified. For example, if you want to ensure your HR department doesn’t share personally identifiable information (PII) like employees’ social security numbers, you could create a rule on email: “If an outbound email to a party outside of the organization contains the phrase ‘social security number’, then block it.” You could also create a broader rule. For example, if you wanted to prevent accidental loss of company information, you might forbid employees from sending emails to their personal email accounts. To enforce this, you might block all emails from an official company account to freemail accounts like @gmail.com, @yahoo.com, or @hotmail.com.

Of course, these rules need to be set up separately for each organization where a DLP system is implemented. Various factors can influence these rules, including the type of data being protected, workflows, and existing policies, procedures, and tools. Considering these will help you recognize potential “borders” that sensitive data shouldn’t cross.

The limitations of rule-based DLP

Unfortunately, DLP – especially rule-based DLP – can be a blunt instrument.
Rules simply don’t reflect the limitless nuances of human behavior.

A better approach to DLP

While IT and security teams could work tirelessly to properly deploy and maintain rule-based DLP solutions to detect potential threats and limit the exposure of sensitive data, there’s a better, smarter way: Human Layer Security. Instead of rules, Tessian’s DLP solutions use contextual machine learning models to understand the context of human behavior and communications. Trained on historical emails and real-time correspondence, machine-intelligent software can recognize what looks suspicious, similar to what a human cybersecurity expert could do. However, unlike humans, it can do this thousands of times per second without missing key information or getting tired.

Which email DLP solution is right for my organization?

As we’ve mentioned, each organization has different needs when it comes to DLP. Some might need more network protection while others need to lock down email. In either case, it’s important to consider the budget, ease of deployment, and internal resources alongside the biggest threat vectors for data loss. If your biggest concern is data exfiltration and you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Enforcer may be right for you. If your biggest concern is accidental data loss and – again – you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Guardian might be for you.
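As an added example, not Tessian’s code and not taken from the post, the following Python sketches the rule-based email DLP described above: the “if-then” keyword rule for the phrase “social security number”, the same policy as a regular expression, and a freemail domain block. The internal domain example-corp.com, the rule list and the four sample emails are constructed for illustration. Running it shows the behaviour the post calls blunt: the freemail rule blocks a routine message to a freelancer, an identical message to an internal colleague is correctly allowed, and a differently formatted number sent to a partner domain the rules never anticipated passes every check.

```python
import re
from dataclasses import dataclass

# Assumed internal domain and freemail list (constructed for this example).
ORG_DOMAIN = "example-corp.com"
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Matches US social security numbers written as 123-45-6789 only.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def goes_external(email: Email) -> bool:
    return any(domain_of(r) != ORG_DOMAIN for r in email.recipients)


# Rule 1: "If an outbound email to a party outside the organization contains
# the phrase 'social security number', then block it."
def rule_keyword_to_external(email: Email) -> bool:
    text = f"{email.subject} {email.body}".lower()
    return "social security number" in text and goes_external(email)


# Rule 2: the same policy expressed as a regular expression over the body.
def rule_ssn_pattern_to_external(email: Email) -> bool:
    return bool(SSN_RE.search(email.body)) and goes_external(email)


# Rule 3: block anything addressed to a freemail account.
def rule_freemail_recipient(email: Email) -> bool:
    return any(domain_of(r) in FREEMAIL_DOMAINS for r in email.recipients)


RULES = [
    ("keyword_to_external", rule_keyword_to_external),
    ("ssn_pattern_to_external", rule_ssn_pattern_to_external),
    ("freemail_recipient", rule_freemail_recipient),
]


def evaluate(email: Email) -> list:
    """Return the names of the rules that fire; an empty list means the email is allowed."""
    return [name for name, rule in RULES if rule(email)]


# Constructed sample traffic: one true positive, one false positive,
# one correctly allowed internal message, and one miss.
SAMPLES = {
    "hr_to_vendor": Email("hr@example-corp.com", ["payroll@vendor.example"],
                          "New starter", "Her social security number is 123-45-6789."),
    "invoice_to_freelancer": Email("ops@example-corp.com", ["designer@gmail.com"],
                                   "February invoice", "Thanks, the invoice is approved for payment."),
    "internal_hr": Email("hr@example-corp.com", ["manager@example-corp.com"],
                         "New starter", "Her social security number is 123-45-6789."),
    "reworded_to_partner": Email("hr@example-corp.com", ["contact@partner.example"],
                                 "New starter", "SSN: 123 45 6789"),
}


def run_samples() -> dict:
    """Map each sample name to the rules it trips."""
    return {name: evaluate(email) for name, email in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:24s} -> {'BLOCK ' + ', '.join(fired) if fired else 'allow'}")
```

Every rule here is a fixed predicate over content and addresses; it knows nothing about who the sender normally writes to, which is why the same rule set produces both the false positive and the miss. Each new data format or partner domain means another rule to write and maintain, which is the administrative burden the posts above describe.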
Data Privacy Day: Why You Need to Protect Your People
28 January 2020
Everyone has an email blunder story. Whether you forgot to bcc someone or you sent a message to the wrong person, mistakes on email are common. After all, the average worker spends two fifths of their working week on email, so accidents are bound to happen. But it could be happening in your organization more often than you think. According to our data, employees at large organizations send over 130 emails a week to the wrong person. What’s more, workers are also sending company data to unauthorized or personal email accounts nearly 200,000 times a year. In SMBs, we found that employees send as many as 177 emails a year to the wrong person.
Our data highlights how much of a risk employees pose to an organization’s data security. Misdirected emails – emails accidentally sent to the wrong person – are particularly dangerous. Beyond just the embarrassment of cc’ing the wrong person, for example, we are seeing serious repercussions as more people expose personal and corporate data. Simply misspelling a name can result in sensitive data or company secrets falling into the wrong hands and your company facing a regulator’s wrath.

More than a simple mistake

In fact, the latest figures from the Information Commissioner’s Office (ICO) reveal that emails being sent to the wrong person were the leading cause of online data breaches during 2019. UK organizations reported 1,357 data breaches caused by people emailing the incorrect recipient last year, up from 447 in 2017. That’s a 300% increase in misdirected emails over two years.
Last year, the ICO made it clear that failure to implement appropriate organizational and technical measures to protect data under GDPR will result in significant penalties. With so much at stake, businesses need to consider whether their company data is properly protected from incidents of human error. And Data Protection Day (EU) / Data Privacy Day (US) on 28 January acts as a timely reminder to do this.

To keep data safe, businesses need to start at the human level and protect their people. Human error is the leading cause of data breaches, and this is because people make mistakes, break the rules and are easily hacked. In many cases, people may not even realize they’re doing anything wrong. Businesses, therefore, need to take a people-centric approach to cybersecurity that focuses on educating and protecting their employees. But in addition to policies and training, organizations also need to add an extra layer of security.

Securing the human layer

Human Layer Security (HLS) is technology that secures all human-digital interactions in the workplace. By focusing on the human layer (employees, suppliers, customers) as opposed to the machine and systems layer (networks, devices, apps), HLS keeps businesses’ sensitive data and systems safe. Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. Tessian uses stateful machine learning models to analyze historical email data in order to understand human relationships and communication patterns. Once we know what normal and abnormal look like, Tessian can automatically predict and prevent security breaches caused by people, for example, accidentally sending emails to the wrong person or exfiltrating sensitive data to personal accounts.
Given the huge volumes of sensitive data exchanged every day, the consequences of just one of these emails ending up in the wrong hands are extremely damaging. Not to mention the serious financial penalties of personal data breaches. It’s time to protect your people with Human Layer Security.
Insights on Human Layer Security from Tim Fitzgerald, CISO of Arm
23 January 2020
In case you missed it, on January 22 Tim Sadler, Tessian’s CEO and co-founder, hosted our first webinar of the year, which explored the biggest threat to an organization’s security: its employees. To understand the risk of human error in the workplace and how Tessian’s Human Layer Security platform is able to mitigate that risk, Tim S. was joined by Tim Fitzgerald, the CISO of Arm, for a live Q&A. Before joining Arm over two years ago, Tim F. served as the CSO of Symantec for over five years. He has a special interest in digital data and human security. Arm is a customer of Tessian’s and has deployed Tessian Defender, Tessian Guardian, and Tessian Constructor. Consequently, Tim F. is not just attuned to the security risks associated with employees making mistakes; he understands how best to combat those risks. While you can listen to the full webinar and Q&A on-demand here, below are some of the key takeaways from Tim Fitzgerald.

Where does risk really exist?

Tim Fitzgerald: “It is very ‘sexy’ in security to talk about big hacking groups and use that as justification to invest in security. And there’s a lot of legitimacy behind that. But the other side of the narrative – which we spend more time on now than nation-state type threats – is how do we not do it to ourselves? Because now we’re more often dealing with avoidable events caused by predictable human error.”

“I think, in general, not only should we be talking to our senior executives and boards more clearly about where real risk exists – which for most companies is the human layer – but we also need to be doing more to help these people combat the problem rather than just passing blame.”

To err is human, but people are (generally) well-intentioned

TF: “I very much chafe at the idea that we think of our employees as the weakest link. It underserves peoples’ intent and how they choose to operate. Rather than that, we try to take a look in the mirror and say ‘What are we not providing our employees to help them avoid these types of scenarios?’”

“At Arm, we take the ‘people-are-people’ view. Not that they’re the weakest link; not that they don’t come with good intent; or that they don’t want to be good at their job; or that they take shortcuts just to get that extra moment of productivity. But, actually, everyone wants to do a good job and our job is to arm them with both the knowledge and the tools to be able to keep themselves secure, rather than trying to secure around them.”

The role of a CISO is people-centric

TF: “I view my job in human security as somewhere between a sociology and a marketing experiment. We’re really trying to change peoples’ behaviors in a moment. Not universally, not their personal viewpoints. But will they make the right decision in this moment to do something that won’t create security risk for us? Evolving that strategy relies not just on how we influence behavior in that moment of time, but actually, can we change their ethos? Can we make responsible security decision-making part of everybody’s job?”

“Security is ultimately my responsibility. But, we very much rely on what we consider our extended security team, which is all of our employees. Our view is that they can undo all the good that we’ve done behind them to try to compensate for the risk that normal human beings create.”

Security solutions should empower employees

TF: “By far the biggest single challenge we have is Arm’s ethos around information sharing. We have a belief – that has proven to be true – that this level of information sharing has allowed Arm to be extraordinarily successful and innovative. There’s no backing up from that, and that represents a huge amount of challenge; that level of information sharing is quite difficult to manage.”
“Rather than saying people are an intractable problem and therefore we can’t conquer this, if we start thinking about how we can mobilize them as a part of our overall cybersecurity defense mechanism, it causes you to rethink whether or not you’re serving your populace correctly.”
Machine learning enables Human Layer Security

TF: “What I liked about Tessian is that it gave us an opportunity to use the ML in the background to try and develop context about whether or not something that someone was doing was either atypical or perhaps just part of a bad process. Either way, we can get a sense of whether or not what they’re doing is causing us risk. It doesn’t require us to be completely prescriptive about what we’re looking for, but it allows us to learn with the technology – and with the people – what normal patterns of behavior look like and, therefore, intervene when it matters and not have to react every time an alarm goes off.”

“You have all this amazing context of what people are doing on email, which is where people spend most of their time and where most of the risk comes for most organizations. How can we turn this into more than just making sure someone doesn’t fat-finger an email address or send sensitive files where they’re not supposed to go? Can we take the context that we’re gaining through how people are using email and create more of those moments in time to connect with them?”

Tessian fits into a larger security framework

TF: “We have a whole bunch of other mechanisms to protect against traditional insider threats – the people who are really acting against our best interest – but that instance is infrequent and high impact. The person who makes the mistake is high frequency, medium-to-high impact. We were getting hammered on that sort of stuff, which is why we came to Tessian.”

“When used correctly and in a finite environment or a finite data set, DLP solutions are very effective at keeping that data where it’s supposed to be and understanding movement in that ecosystem. When you try to deploy that broadly though…you start to run into the inability of the DLP system to understand where that data is supposed to be. Is this person supposed to have it based on their role and their function? It’s not a smart technology like that. You end up trying to write these very complex rules that are hard to manage.”

The future of Human Layer Security

TF: “Can we start to mesh together what we know about the technology and the machines with real human behavior? It’ll not only help us find those bad guys in our environments who we know are there, but also to get out in front of people’s behavior rather than reacting to it after it happens. That’s the holy grail of what this could become. To get – if not predictive – at least start leading us toward where we think risk exists and allowing us an opportunity to intervene before things happen.”

Want to learn more about how Tessian helps Arm catch and stop accidental data loss with Tessian Guardian and prevent spear phishing attacks with Tessian Defender? Read the case study here.
How a Gmail Design Flaw Causes Misdirected Emails
By Ed Bishop
15 January 2020
A seemingly innocuous and incredibly common occurrence like sending an email to the wrong recipient can have severe consequences. The sender of a misdirected email is often blamed for being careless, for not paying attention to detail and, in some cases, for being technically illiterate. This can set a culture of embarrassment for employees, which means many misdirected emails, and their corresponding data breaches, are often not reported to line managers and compliance teams.

Gmail Design Flaw

A few years ago, Google added a feature to Gmail that suggests contacts to be added to an email’s recipient list. For example, if you add Jane and Sam to an email, it might suggest Ali, because Ali is often included on emails with Jane and Sam. Designed to be a productivity feature, this in itself could encourage a user to add a contact who maybe shouldn’t be included, resulting in a misdirected email. However, the focus of this article will be on what I consider to be an unpredictable UI (user interface) design flaw in the Gmail email compose window. We reported this flaw to Google’s Security Bug Report page on 18th December 2018.

I consider this to be a relatively common email user flow. In a new email:

1. Click in the recipient text area
2. Start typing the 1st recipient’s name, and press enter to select
3. Start typing the 2nd recipient’s name, and press enter to select
4. Click in the Subject field to type the desired email subject

You can see this demonstrated in a video below. If you look carefully, as the second recipient is added—and after a significant delay, caused by an asynchronous API request—Google suggests that you might like to add two internal addresses to the email, as they are often seen on emails with recipient 1 and recipient 2. But notice where Google positioned the “add recipient” hyperlink. It shifted the position of the subject text area down and placed the hyperlinks where the original subject text area was. The clickable hyperlink area is fully encapsulated by the old subject text area.

In step 4 of the above user flow, if after adding the second recipient I quickly attempted to click in the subject text area, there is a chance that at that exact moment the delayed API request finishes, the subject bar shifts down, and I accidentally add an unintended recipient to the email. Ironically, I believe this unpredictable delay makes it more likely for a tech-savvy employee working quickly — those who can navigate around the compose window faster than it takes for the API request to finish — to fall foul of this design flaw and accidentally misdirect an email.

A Potential Fix

There are many potential fixes, but I think a simple rule that “no UI component should unpredictably move” would solve this. I would suggest increasing the spacing of the default compose window so that the “add recipient” hyperlinks could fit above the subject bar without moving anything.

Google’s Response

We raised this design flaw with Google Security on 18th December 2018.
While Google does not feel it substantially affects the confidentiality or integrity of its users’ data, we disagree and believe this design flaw could lead to an increase in misdirected emails and data loss. Implications of sending misdirected emails can range from the embarrassing to the damaging, and can even lead to revenue loss due to reputational harm. Technology should be built and designed in a way to minimize human error, not increase the likelihood of it occurring. Update: this design flaw seems to only affect Gmail on browsers, not the mobile application.
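To make the timing argument in this post concrete, here is an added Python model of the compose window; it is not Gmail’s code and not part of the original article. The geometry (40 px rows, a recipients row, an optional suggestions row, a subject row), the timings and the spread of API latencies are all constructed. The user fixes the subject field’s position when they last look at the window and clicks a little later; the suggestion request, started when the second recipient is added, completes after some latency. With the reported layout the click adds a recipient whenever the response lands between look and click; with the proposed fix (a reserved slot above the subject, so nothing moves) it never does.

```python
from dataclasses import dataclass

ROW_HEIGHT = 40  # px; constructed compose-window geometry


@dataclass(frozen=True)
class Box:
    name: str
    top: int
    bottom: int

    def contains(self, y: int) -> bool:
        return self.top <= y < self.bottom


def layout(suggestions_visible: bool, reserve_space: bool) -> list:
    """Rows of the compose window, top to bottom.

    reserve_space=False models the reported behaviour: the suggestion links
    appear where the subject field was and push the subject down.
    reserve_space=True models the proposed fix: a fixed slot for suggestions
    sits above the subject field, so nothing moves when they arrive.
    """
    rows = [Box("recipients", 0, ROW_HEIGHT)]
    y = ROW_HEIGHT
    if suggestions_visible:
        rows.append(Box("add-recipient-links", y, y + ROW_HEIGHT))
        y += ROW_HEIGHT
    elif reserve_space:
        rows.append(Box("reserved-blank", y, y + ROW_HEIGHT))
        y += ROW_HEIGHT
    rows.append(Box("subject", y, y + ROW_HEIGHT))
    return rows


def element_at(y: int, rows: list) -> str:
    for box in rows:
        if box.contains(y):
            return box.name
    return "outside"


def simulate_click(t_look_ms: int, t_click_ms: int, api_latency_ms: int,
                   reserve_space: bool = False) -> str:
    """Return the element the user actually clicks.

    All times are measured from the moment the second recipient was added,
    which is when the suggestion request starts. The user aims at the subject
    field as laid out at t_look_ms; the click lands at t_click_ms; the
    response arrives at api_latency_ms.
    """
    seen = layout(api_latency_ms <= t_look_ms, reserve_space)
    subject = next(b for b in seen if b.name == "subject")
    aim_y = (subject.top + subject.bottom) // 2
    actual = layout(api_latency_ms <= t_click_ms, reserve_space)
    return element_at(aim_y, actual)


def count_misdirections(t_look_ms: int, t_click_ms: int, latencies_ms: list,
                        reserve_space: bool = False) -> int:
    """How many of the given latencies turn the subject click into an added recipient."""
    return sum(
        simulate_click(t_look_ms, t_click_ms, lat, reserve_space) == "add-recipient-links"
        for lat in latencies_ms
    )


if __name__ == "__main__":
    latencies = [50, 150, 250, 350, 450, 550, 650]  # constructed spread of response times
    for reserve in (False, True):
        n = count_misdirections(200, 400, latencies, reserve)
        print(f"reserve_space={reserve}: {n} of {len(latencies)} clicks add an unintended recipient")
```

The race only fires when the response lands inside the window between aiming and clicking, which is why the exposure is concentrated among users who reach the subject field within the request’s latency, as the post observes. Reserving the slot removes the race entirely, because the subject field occupies the same position whether or not suggestions have arrived.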
A Brief History of Data Loss Prevention Solutions
09 January 2020
For many organizations, Data Loss Prevention (DLP) is at once one of the most important components of their security framework and the biggest headache for administrators. Why? Because most risks to data security actually come from within an organization, which means security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network. This includes user devices like laptops and mobile devices, email clients, servers, and gateways within the network. While every vendor offers slightly different functionality – and can solve for data loss on email, endpoints, or networks – the goal of DLP software is essentially the same: to minimize the risk of data leaving the organization. To understand the agility and efficiency of some modern solutions, it’s important to understand not only the history of DLP but the history of email. This is, after all, where employees now spend 40% of their time.

How has email changed over the years?

Today, most of us have at least one email address. It’s the main form of communication both in the workplace and with consumer-facing brands. While a decade or two ago we might have used traditional mail, picked up the phone, or even met in person to share information, now we freely send sensitive data and information like bank account details, medical records, and confidential trade secrets via email every day. And, the fact is, most of us don’t consider the security of these exchanges. But with the exchange of sensitive information comes potential risk. As such, there’s an urgent need to keep email – and therefore data – safe and secure. Back in the 1990s, when email started to take off, there was little-to-no email security. It soon became apparent that some kind of filtering system was necessary. This way, people could not only limit the volume of emails they received, but they could ensure that whatever landed in their inbox was relevant.
While this filtered out spam broadly, we remain exposed to targeted email threats like phishing or spear phishing attacks. Internet Service Providers (ISPs), Secure Email Gateways (SEGs), and anti-virus software took filtering a step further, using pattern and keyword recognition to identify potentially threatening emails, but it’s still not enough. In fact, the number of phishing attacks continues to rise, and 2019 saw the highest number in three years. Of course, this isn’t the only problem with email. As we mentioned, there are also data risks within an organization. Data could be lost through a simple mistake, for example sending a misdirected email. Or there could be more nefarious intent, like a disgruntled employee leaving the company on bad terms and taking valuable information with them. So, how do you solve all of these problems? There are two schools of thought: one is data-centric and the other is human-centric.

Data vs. human behavior

When you consider the objective of DLP, you realize there are two distinct approaches to take.

- Data-centric approach: Rule-based solutions use the content of an email to perform analysis. These rules consider keywords, attachments, seniority level, and even the role or department of an employee to identify sensitive information and keep it within the organization.
- Human-centric approach: Instead of focusing only on the data, human-centric approaches like those offered by Tessian seek to understand complex and ever-evolving human relationships in order to protect sensitive information.

While both approaches have their merits, there are some clear shortcomings to a data-centric approach. That means that the more effective solution is one that’s adaptable and can discern the variations in human behavior over time. A solution like this relies on machine-intelligent software that learns from historical email data to determine what is and isn’t anomalous in real time.

Learn more about human-centric DLP

Tessian Guardian and Tessian Enforcer are advanced DLP solutions that leverage machine learning to offer superior data protection in real time.
DLP Human Layer Security Spear Phishing
A Year in Review: 2019 Product Updates
By Harry Wetherald
01 January 2020
2019 was a big year for email security. While the world did see a record number of data breaches (up 33% from 2018), we also saw tighter security-related policies and regulations drafted and implemented and, in general, an increased awareness among businesses of the importance of proactive security strategies. While we may be biased, it seems noteworthy that human error became more and more of a talking point in the cybersecurity space. In fact, human error and the importance of machine learning and artificial intelligence in protecting people have been among the most talked-about trends by analysts going into the new year. Similarly, companies are waking up to the fact that humans are their biggest risk. It's about time. After all, misdirected emails, emails accidentally sent to the wrong person, have been one of the top data security incidents reported under GDPR according to the Information Commissioner's Office. We believe it's unreasonable to expect employees to do the right thing 100% of the time when it comes to making security-related decisions; people break the rules, people make mistakes, and people can be hacked. To err is human! What's more, we have seen how quickly the threat landscape continues to evolve, which is why throughout 2019 we rolled out a series of important product updates that have kept our user base, which saw triple-digit growth over the last 12 months, safe. Here are the most important product updates to Tessian's Human Layer Security platform for 2019.
1. Human error, quantified. The new Tessian Dashboard gives customers an at-a-glance view of breaches and near-misses on email

Keen to discover trends related to the number of breaches that were prevented by Tessian over the last 30 days? Our easy-to-navigate dashboard gives administrators a complete overview of activity, including any malicious and anomalous emails detected, misdirected emails prevented, and unauthorized email attempts thwarted. Module performance for Tessian Defender, Guardian, Enforcer, and Constructor is all visible on one page, and visual representations of data make it easy to monitor and drill down on activity day by day. If suspicious activity is spotted, you can quickly and easily generate a report without navigating off the page. The Tessian Dashboard also allows administrators to view user health at a glance, including the percentage of users active on the Add-in and Gateway and any connection issues across the network. This helps in-house security teams ensure every employee within their organization is protected by Tessian's modules at all times.

2. Evolving algorithms. Tessian Defender can now detect and prevent more spear phishing attempts than ever

Throughout 2019, Tessian Defender was improved through a series of subtle but impactful tweaks to our algorithms to be even more adept at detecting spear phishing attempts, including advanced, difficult-to-detect direct spoof attacks. The fact is, bad actors are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks. It's imperative that we stay ahead of the curve, hence the regular updates. Tessian Defender has improved over time, and will continue to improve, enabling the detection and prevention of even the most advanced spear phishing attempts.
3. Thwarted first-attempts. It’s now even more difficult for employees to exfiltrate sensitive data Tessian Enforcer can now detect the first attempt an employee makes to exfiltrate data over email. How? By inferring what is and isn’t likely to be authorized communication based on the vast amount of data Tessian’s ML algorithm was trained on, which doesn’t necessarily rely on prior email history of a particular email address. For example, if an employee attempts to send an email to their personal, freemail account and that email address contains the employee’s first name or surname, Tessian Enforcer presents a warning to the user advising them that the behavior is potentially unsafe and prompting them to reconsider the action. Data exfiltration remains an incredibly unwieldy problem for businesses. Tessian gives businesses much-needed oversight of the problem over email.
4. In-situ learning opportunities. Employees have an opportunity to understand why an email is unsafe with contextual warnings

While Tessian prides itself on low flag rates so that security doesn't impede productivity, we wanted to maximize the opportunity to educate users through our warnings. This way, when users do see a notification, they understand why. Improved warnings across all four modules were designed for a more user-friendly experience that seamlessly reinforces any previous or ongoing security training. With more context included, employees can now see exactly why an email is being flagged as suspicious and, importantly, they can make their own decision on how to proceed. This is at the core of Tessian's mission: employees should be empowered by security solutions instead of burdened by them.

5. New detection capabilities. Customers can create rules that are specific to their environment

Every business or enterprise is different, and IT and infosec leaders need some flexibility in creating filter conditions that apply specifically to their operations. Because we've introduced new detection capabilities, users can now combine more conditions to create filters for their individual use cases; for example, scanning attachment content, identifying hidden fields in spreadsheets, and reading Azure Information Protection and other DLP labels. At the most basic level, these rules look something like this: If A and B, then C, except when D or E. These variables can apply to a number of elements contained in an email, from the recipient(s) to language patterns. One way an administrator might use these new detection capabilities would be to configure a filter which only allows the finance team, for example, to share spreadsheets with people outside the organization if the recipient's email address is recognized as a customer, except when the attachment contains a hidden row titled "social security numbers".
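As an added example that is not part of the original post and not Tessian's product code, the following Python sketch shows how a filter of the form "if A and B, then C, except when D or E" can be evaluated as an ordered, first-match-wins policy, using the finance-team scenario above. The internal domain, the customer domain list, the department names and the row-level representation of a spreadsheet attachment (row title plus a hidden flag, standing in for a real parser) are all constructed assumptions for the demonstration.

```python
"""Added example, not Tessian's code: an ordered, first-match-wins evaluator for
outbound-email filters of the form "if A and B, then C, except when D or E"."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

INTERNAL_DOMAIN = "corp.example"                # hypothetical: the sender's organization
CUSTOMER_DOMAINS = {"acme-customer.example"}    # hypothetical: domains recognized as customers


@dataclass
class Attachment:
    name: str
    # Constructed stand-in for a parsed spreadsheet: (row title, is_hidden) per row.
    rows: List[Tuple[str, bool]] = field(default_factory=list)


@dataclass
class OutboundEmail:
    sender: str
    sender_department: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)


Condition = Callable[[OutboundEmail], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # A and B: every condition must hold
    exceptions: List[Condition]   # except when D or E: any exception disables the rule
    action: str                   # C: "allow" or "block"

    def matches(self, email: OutboundEmail) -> bool:
        return all(c(email) for c in self.conditions) and not any(e(email) for e in self.exceptions)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def external_recipients(email: OutboundEmail) -> List[str]:
    return [r for r in email.recipients if domain_of(r) != INTERNAL_DOMAIN]


def goes_external(email: OutboundEmail) -> bool:
    return bool(external_recipients(email))


def has_spreadsheet(email: OutboundEmail) -> bool:
    return any(a.name.lower().endswith((".xlsx", ".xls", ".csv")) for a in email.attachments)


def from_department(name: str) -> Condition:
    return lambda email: email.sender_department == name


def only_customer_recipients(email: OutboundEmail) -> bool:
    ext = external_recipients(email)
    return bool(ext) and all(domain_of(r) in CUSTOMER_DOMAINS for r in ext)


def hidden_row_titled(title: str) -> Condition:
    wanted = title.strip().lower()
    return lambda email: any(
        hidden and row.strip().lower() == wanted
        for a in email.attachments for row, hidden in a.rows
    )


# Most specific rule first; the first rule whose conditions hold (and whose
# exceptions do not) decides the outcome.
POLICY = [
    Rule("finance may send spreadsheets to recognized customers",
         conditions=[goes_external, has_spreadsheet, from_department("finance"), only_customer_recipients],
         exceptions=[hidden_row_titled("social security numbers")],
         action="allow"),
    Rule("no spreadsheets to external recipients",
         conditions=[goes_external, has_spreadsheet],
         exceptions=[],
         action="block"),
]


def evaluate(email: OutboundEmail, policy: List[Rule] = POLICY, default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, or the default."""
    for rule in policy:
        if rule.matches(email):
            return rule.action, rule.name
    return default, "default"


if __name__ == "__main__":
    sheet = Attachment("q3-forecast.xlsx", [("Revenue", False), ("Social Security Numbers", True)])
    msg = OutboundEmail("fin@corp.example", "finance", ["cfo@acme-customer.example"], [sheet])
    print(evaluate(msg))   # the hidden row disables the allow rule, so the block rule fires
```

Ordering does the work of the "except when" clause: the hidden-row exception stops the allow rule from matching, so evaluation falls through to the generic block rule rather than silently allowing the message.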
Protect your most valuable asset: your people

Tessian is committed to creating the world's first Human Layer Security platform, and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace. Not yet a Tessian customer? Across four modules, Tessian protects the human layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G Suite; product updates are seamlessly rolled out for users and administrators; and the technology, which doesn't disrupt workflow, was built with productivity in mind. To understand how Tessian can fit into your existing security framework, request a demo now.
Compliance DLP
Email: Your Data Security’s Weakest Link
15 November 2019
Emails are a crucial part of many work lives. We're used to sending and receiving emails throughout the day, without much thought about the security of such exchanges. Yet a significant threat originates from inside your organization: when an employee clicks that send button, they could share sensitive information with the wrong recipient. Such mistakes carry high costs. They might compromise client data or confidential information, causing your organization serious reputational damage and hitting your bottom line, to say nothing of the impact if the story leaks to the media. That level of reputational damage can take years to recover from.

The biggest form of data loss

Misdirected emails were reported by the Information Commissioner's Office (ICO) to be the biggest form of data loss last year (and also in the first quarter of 2018). Many companies are familiar with hacking as a form of data loss (hence the investment in physical database security, firewalls, and anti-virus) but less so with misdirected emails. Unfortunately, all the attributes of email that make it so popular (that it's a speedy, clear and common form of communication) are the very factors that make it such a risk. 95% of all security incidents involve human error. Many security systems that are focused on keeping hackers out are missing a vital part of defense: making sure sensitive information stays in.

Email is the default means of communication

The emails involved in this scenario are all outbound; that is, emails sent to other organizations or people outside your own company domain. If you think about it, email is a pretty insecure way of sharing information. It can be intercepted or compromised, end up with the wrong person, or carry malware and spam itself. Worryingly, email still remains the means for many businesses to share confidential information: 89% of U.S. law firms use it as the main way to share information like case files or contracts.
That's despite 70% of them being aware of the risks and the importance of sharing files securely. It's the default mode of communication for many companies, and that means we need to find ways of securing it. Firewalls and other security controls can only go so far. When an email is leaked, it could be your employees who are your weakest link.

Employees can make mistakes

It might even be unintentional on the part of an employee. If someone simply misspells a name or doesn't realize others are copied into an email chain, it can result in a data leak. Alternatively, their actions might be malicious and actually intended to cause harm to a company. Either way, the consequences are devastating for a business, especially post-GDPR.

Misdirected emails and GDPR

For the few who are unaware, the EU's General Data Protection Regulation (GDPR) has strict stipulations on the use and sharing of personal data. Under GDPR, organizations could face a fine of up to €20 million or 4% of global annual turnover, whichever is greater. The fine depends on the severity of the data leak, so a leak of healthcare records or personal finance data is likely to attract a far greater fine than leaking email addresses. Even if the information shared isn't customer data or personal information, there could be dire consequences. Imagine sharing client lists or your organization's future product plans, business strategy or financial information with the wrong person. It only takes a few clicks before that information ends up in the hands of a competitor.

Reputation and trust are damaged

Data leaks are becoming increasingly common, and the media has its eye fixed on any kind of data breach. Any company that leaks information, whether through a hack or a misdirected email, is likely to become front page news. Despite the saying, not all news is good for your company. Plus, there's the significant loss of trust between organizations and consumers if a breach does occur.
This is especially true if that information is highly sensitive, like the names and email addresses of attendees of an HIV clinic sent in an accidental group email. As that case shows, a breach can occur simply because someone doesn't realize addresses have been entered into the Cc field rather than Bcc. The clinic was fined £180,000, a sum that would have been far greater had GDPR been in force at the time.

Other potential risks

Then there are the risks associated with an employee leaving their email account logged in on a shared computer, or failing to lock their screen when leaving their desk. Alternatively, their laptop, phone or tablet could be stolen with their work email account still linked. When securing your email, there's definitely some employee education to be done. Make sure you communicate the risks of leaving inboxes on show or failing to lock screens. Employees must also understand how they can prevent misdirected emails and the consequences of such a leak.

Identifying email leaks

Of course, not all email leaks can be easily identified by organizations. Someone might maliciously forward an email. Others may accidentally send confidential information without realizing it. Under GDPR, there is a requirement for any breach to be reported to the supervisory authority within 72 hours of the organization becoming aware of it. Organizations therefore need a way to track outbound emails and flag any misdirected emails. Tools like Tessian notify you of any confidential information sent to personal email addresses or outside your organization, and prevent misdirected emails from occurring in the first place. Prevention is your best cure: once a leak has happened, it's difficult to fully recover. It's better to use machine learning and other technology to stop a breach occurring, either by analyzing email addresses and flagging potential misdirected emails, or by highlighting when employee behavior might cause a leak.

Secure the outside and inside

The risks of a data leak are much higher than in the past.
GDPR has raised the stakes for many companies and also raised awareness of personal data security among consumers. Organizations need to ensure security is in top shape. However, most emphasis is placed on keeping hacks and database breaches from occurring; not many business leaders have considered the risk of email leaks. This creates a chink in otherwise solid armor. You don't just need to consider the dangers of people getting in; you also have to stop confidential information from getting out, especially if it's highly sensitive, which is often the case in the health and legal sectors.
DLP
What is Data Loss Prevention (DLP) – A Complete Overview of DLP
23 October 2019
Organizations across industries invest in Data Loss Prevention (DLP) solutions to combat perennial security risks along with new challenges like GDPR and CCPA compliance.  But, what is Data Loss Prevention (DLP), what are the benefits of implementing a DLP strategy, and how does DLP work?
What is Data Loss Prevention (DLP)?

DLP software monitors the entry and exit points of a corporate network, such as user devices, email clients, servers, or gateways within the network, to safeguard data in its different states:

Data in motion: data being sent and received over your network.
Data in use: data being actively processed or held in memory on a device.
Data at rest: data stored in a database, file, or server.

If the software sees something suspicious, such as an email attachment containing credit card details or an attempt to print confidential documents, a predefined response kicks in. Most DLP software gives organizations the ability to block potentially risky communications or simply to flag the anomaly for administrators to follow up on. Properly configured DLP lets organizations block sensitive information while permitting non-sensitive communications to continue, which is where its benefits come from.

What are the benefits of DLP?

There are three main problems solved by DLP:

Satisfying compliance standards. With regulations like GDPR, CCPA, and HIPAA dictating how data is handled in different industries and regions, it's more important than ever that organizations monitor activity and events around Personally Identifiable Information (PII), Protected Health Information (PHI), and payment card information. Any breach that compromises the security of this data could mean big fines for organizations. GDPR fines alone can reach 4% of a business's annual global turnover.

Keeping intellectual property in-house. While customer, client, or patient information must be protected by law, organizations have a vested interest in also protecting intellectual property like financial information, design or development plans, and information related to the overall structure of the business. DLP helps protect against data exfiltration attempts.

Monitoring how data is used. Not all data incidents lead to data breaches. That's why it's important for organizations to have full visibility of how individual users are using and interacting with data. This way, administrators can potentially spot a bad leaver or insider threat before any data is exfiltrated.

What are the different types of DLP?

DLP does more or less the same thing wherever it is deployed: it looks for sensitive information crossing boundaries. But different DLP solutions operate in different ways depending on which "perimeter" is being guarded. There are three main types of DLP solution: network DLP, endpoint DLP, and email DLP.

Network DLP

Network DLP protects data in motion by inspecting the traffic that enters and leaves the organization's network. These solutions sit at network egress points, as on-premises appliances, proxies or, increasingly, cloud-delivered services, so that traffic between users and endpoints on the Internet passes through them for inspection. Like other DLP solutions, network DLP can be customized to block defined data strings and so prevent specific information from leaving the network. It can also be used to manage access to certain Uniform Resource Locators (URLs), prevent data or files being transferred to specific cloud storage services, and, in some products, block viruses and malware traversing the network.

Endpoint DLP

Endpoint DLP protects data in use on employees' devices (computers, mobile phones) by allowing or denying specific actions on the device, such as copying to removable media, printing, or pasting into unapproved applications, so that information isn't taken off work devices and sent or copied to unauthorized ones. Some endpoint DLP products also detect and block viruses and other malware that could be introduced from external sources.
Universal Serial Bus (USB) blocking is one of the most popular endpoint DLP controls: it stops data being copied to removable storage, and it also closes off a route by which malware is introduced, since a virus carried on a USB flash drive can be transmitted to the computer as soon as the drive is connected.

Email DLP

Email continues to be the most critical vector for data loss, with both inbound and outbound traffic posing security threats. To protect data, email DLP monitors, tracks, and filters emails as they pass through the email client or mail gateway and checks every message. Inbound email DLP monitors emails for certain keywords and indicators to identify phishing scams, spear phishing attacks, ransomware, or malware, and quarantines suspicious messages that contain specific types of data. Outbound email DLP, on the other hand, can be set up to check for misdirected emails, unauthorized recipients, or sensitive data to prevent critical information leaving an organization's network.

Do I need a DLP solution?

Every company is different, but those handling sensitive information, especially on behalf of third parties, will want to consider implementing a DLP solution in order to maintain customer or client trust and satisfy compliance standards. Larger organizations may want to secure every point as part of a layered defense, while smaller companies with limited IT budgets may decide to focus on their single biggest risk. For many, this is email. Not only are misdirected emails one of the most common breaches reported under GDPR, but 90% of data breaches start on email. To learn more about why it's so important to focus on email, read our Ultimate Guide to Human Layer Security.

How does DLP work?

Traditionally, DLP software has been built around long lists of rules and extensive manual tagging. Once set up, it monitors the flow of data through different parts of the network, looking for anything sensitive crossing a boundary. Administrators create policies that say "if x happens, then do y." These rules should be specific to your organization. For example, a rule may forbid sensitive information being sent to a "freemail" account or to any non-whitelisted third party.

Unfortunately, rule-based DLP has limitations. IT and security teams are tasked with not only creating but also maintaining long lists of rules, and employees are often exposed to high flag rates that impede their productivity. That's why Tessian takes a different approach.

How does Tessian prevent data loss?

Tessian uses machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our machine learning models analyze email data to understand how people work and communicate. They have been trained on more than two billion emails, rich in information on the kind of data people send and receive every day, and they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real time whether a particular email looks like it's about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization's email network.
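The "if x happens, then do y" rule above, together with the first-attempt heuristic described in the 2019 product update earlier on this page (a freemail recipient whose address contains the sender's own name), can be illustrated with the following added Python example. It is not Tessian's code and not a description of how Tessian's models work: the freemail and whitelist domain sets, the sample sender name and the card number in the constructed message are assumptions. The card-number detector applies a Luhn check so that arbitrary 16-digit strings, which a pure keyword or regex rule would flag, are ignored.

```python
"""Added example, not Tessian's code: a rule-based outbound email check
("if sensitive data goes to a freemail or non-whitelisted recipient, block it")
plus a first-attempt heuristic for a sender's own personal account."""
import re
from typing import Dict, List

INTERNAL_DOMAIN = "corp.example"                                       # hypothetical
ALLOWLISTED_DOMAINS = {INTERNAL_DOMAIN, "trusted-partner.example"}     # hypothetical whitelist
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}  # partial list

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return candidate payment card numbers (digits only) that pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0].lower()


def looks_like_own_personal_account(addr: str, first_name: str, last_name: str) -> bool:
    """First-attempt heuristic: a freemail address whose local part contains the
    sender's first or last name, with no reliance on prior history for that address."""
    if domain_of(addr) not in FREEMAIL_DOMAINS:
        return False
    letters = re.sub(r"[^a-z]", "", local_part(addr))
    return any(len(n) >= 3 and n.lower() in letters for n in (first_name, last_name))


def evaluate_outbound(sender_name: str, recipients: List[str], body: str) -> Dict[str, object]:
    """Apply the rule: card numbers to a non-whitelisted recipient -> block;
    a likely personal account with no sensitive content -> warn; otherwise allow."""
    parts = sender_name.split()
    first, last = parts[0], parts[-1]
    pans = find_card_numbers(body)
    decision = "allow"
    reasons = []
    for r in recipients:
        d = domain_of(r)
        if d in ALLOWLISTED_DOMAINS:
            continue
        kind = "freemail account" if d in FREEMAIL_DOMAINS else "non-whitelisted third party"
        if pans:
            decision = "block"
            reasons.append(f"{len(pans)} card number(s) addressed to {kind} {r}")
        elif looks_like_own_personal_account(r, first, last):
            if decision == "allow":
                decision = "warn"
            reasons.append(f"{r} looks like the sender's own personal account")
    return {"decision": decision, "reasons": reasons, "card_numbers": len(pans)}


if __name__ == "__main__":
    # Constructed message: a valid test card number plus an unrelated 16-digit order id.
    body = "Card on file: 4111 1111 1111 1111. Order ref 1234567890123456."
    print(evaluate_outbound("Jane Doe", ["jane.doe88@gmail.com"], body))
```

The name-match check deliberately ignores digits and punctuation in the local part, so "jane.doe88" and "jdoe.1990" both match "Jane Doe"; the minimum name length stops two-letter names from matching almost any address.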
DLP Human Layer Security
The Dark Side of Sending Work Emails “Home”
By Cai Thomas
11 October 2019
This article was originally published on TechRadar Pro.

In the last four years, the number of remote working jobs has more than doubled, as employers acknowledge the need to change traditional working practices. In fact, it's expected that 50% of the UK workforce will work remotely by 2020, further blurring the lines between home and the office. This shift has huge benefits: improving people's work-life balance, increasing employee productivity and boosting employee retention rates. However, it also poses a problem for one very important aspect of business: data security. Data is at greater risk because staff are more likely to send important, even confidential, company information to personal email accounts, usually intending to work on documents at home. Worryingly, many are completely unaware of how risky these actions are. According to tech firm Probrand, nearly two-thirds of UK employees have forwarded customer emails to their personal email accounts, and 84% of them did not feel they were doing anything wrong. So what are the risks of sending work home? And who are the workers you need to be wary of?

1. The 24/7 worker

While many of the emails sent 'home' contain non-sensitive information, like travel arrangements, cinema tickets or food recipes, we've seen that around 10-15% of emails sent to personal accounts contain company-sensitive information. We've all been there: it's late on a Friday, that Monday deadline is looming, and the employee thinks, "I'll just have to finish this document at home over the weekend". So they send the document to their own, or their partner's, personal freemail account. This can have devastating consequences for the company's reputation and could destroy customers' trust in the business. The problem is that by sending emails 'home', the information they contain now sits in an environment that is not secured by the company, leaving the data vulnerable to cybercriminals.

It's also important to note that this simple act means your company is now at risk of breaching data protection regulations like GDPR, because you, as the Data Controller, no longer have oversight of where the data is held. Boeing, for example, faced scrutiny after an employee shared a spreadsheet containing the personal information of 36,000 co-workers with his spouse, simply because she was better at Excel formatting than him. The incident sparked an internal security investigation and was brought to the attention of the Washington state Attorney General and other officials in California because employee data had left the control of the company.

2. The leaver

We often see a spike in data exfiltration during an employee's notice period. Workers know they're not supposed to, but the temptation to take information that will give them an advantage in their new role is hard to ignore. As such, we see people sending company IP and client data to personal accounts prior to moving to another employer. This happens most frequently in industries such as financial services, legal, healthcare and recruitment, where a person's client base and network is king. The task of manually monitoring suspicious 'leaver' behaviour over email has become incredibly challenging for IT staff, due to the rising employee churn rate year on year. A study by LinkedIn found that young workers now switch jobs four times in their first 10 years after graduation. By not putting a stop to this, companies could lose their competitive advantage as well as their clients' business through leaked secrets, strategy and IP.

3. The malicious insider

This is where employees steal data from their company for personal or financial gain. Despite being less common, the threat of the 'malicious insider' is something businesses have come up against more frequently in the past few years. Employees will typically steal confidential company secrets and/or client data with the intention of selling it on the dark web or handing it to a competitor to damage their current employer. Just last year, Bupa fell victim to this crime after the personal data of 500,000 customers was sold on the dark web, while audit firm SRBC and Co.'s reputation was tarnished after its client's earnings estimate was maliciously leaked over email.

An intelligent solution for a flexible workforce

There can be no denying that monitoring all employee email behavior is an arduous task for IT and compliance teams. With the average employee sending and receiving 124 emails a day, and with daily email traffic increasing 5% year on year, spotting data exfiltration in email logs is like finding a needle in a haystack. To tackle the problem of data being leaked to unauthorized accounts, some organizations opt simply to blacklist all freemail domains. However, this impedes productivity and is usually ineffective, given that many clients, small businesses and contractors use freemail accounts, as do prospective applicants for jobs at the company. Businesses need a more intelligent approach to data exfiltration: one that can look at the emails each employee has sent and received in the past in order to identify the non-business contacts each employee interacts with. Machine learning, for example, can learn the differences between authorized and unauthorized freemail accounts, and it can analyze email content to determine whether it is sensitive or non-sensitive. By doing so, it can make an accurate prediction as to whether an employee is exfiltrating data and acting against company policy. There will always be reasons for people to bend the rules and leak data outside their organization, maliciously or for convenience. The consequences, though, could be devastating for any company: huge fines, loss of competitive advantage and a damaged reputation. So as more businesses adopt remote working practices, it's important that technologies are in place to ensure company-sensitive data is secure and not at risk of 'being sent home'.
DLP
Behind the “Fat Finger”: All You Need to Know About Misdirected Emails
19 September 2019
Email is among the most used communication tools in the world. Research suggests that, as of 2019, almost 300 billion emails are sent and received per day. Email has many powerful benefits, but it has given organizations significant security headaches too. No question: over the past few years, fending off email security threats has become a much higher priority for organizations. Today, senior leaders recognize that people pose a real threat to organizations' security: 30% of enterprise cyber incidents are caused by employees. Although eye-catching and sophisticated scams like spear phishing attacks regularly make headlines, one of the most common threats to email security is email misdirection.

What is a misdirected email?
What kinds of errors actually lead to misdirected emails?

1. Spelling mistakes

One of the most common causes of a misdirected email is a user incorrectly spelling the email address of the intended recipient. An email intended for [email protected] might therefore be sent to [email protected] instead. (As well as internal emails, the risk applies when dealing with clients, external partners or other suppliers.) Sending a message to the wrong address might happen because employees are rushing, or switching focus too quickly when multitasking.

2. Autocomplete

Today, the average person spends nearly a third of their working week on email. To save time, it's not surprising that people rely on the Autocomplete feature available in most email clients, including Microsoft Outlook, Yahoo and Gmail. With Autocomplete, people rarely have to type email addresses in full, relying instead on its speed and convenience to get work done quickly. While Autocomplete boosts productivity, it raises the risk of mistakes: when a sender has typed only the first few letters of the intended recipient's address, the client offers a suggestion, and it is easy to accept a different contact with a similar name.

3. To/Cc instead of Bcc

The Blind Carbon Copy (Bcc) function allows the sender to hide certain recipients from the other recipients. Because Bcc recipients are not included when others reply, they also stay out of the rest of the thread. In a work environment, it is often essential to use Bcc when sending a sensitive message to a group of people. Human error can play a part here, though. A common mistake involves the sender accidentally putting addresses into the To or Cc fields rather than Bcc. The impact is that all of the email's visible recipients are exposed to one another, with the potential for data loss and compliance breaches.
This can be particularly damaging if the content of the email concerns sensitive matters like healthcare. Being able to understand which people in your address book need to be handled sensitively is vital, because exposing the real email addresses of individuals can have disastrous consequences for organizations.

4. Accidental "Reply All"

People mistakenly using "Reply All" instead of replying to a single recipient can put data at risk of being compromised. "Reply All" errors can disclose email addresses and personal information to a wider audience than intended. (They can also damage productivity. Last year, an email was accidentally sent to 22,000 employees of the State of Utah, and the subsequent "reply all" messages from staff clogged up employees' inboxes.)

As we've seen, there are a number of circumstances that lead to misdirected emails in the workplace. So what are the consequences of this kind of error?

Consequences of sending a misdirected email

In enterprise environments, the content of the message (as well as attachments and links) may include highly sensitive information that regulated organizations have an obligation to protect. For example, law firms often send privileged client data related to ongoing legal matters via email. A pharmaceutical company, meanwhile, may have to pay particular attention to highly sensitive personal information such as patient records. Many countries have introduced or are introducing stricter data protection laws: GDPR in the European Union, the California Consumer Privacy Act (CCPA) and the Notifiable Data Breaches scheme in Australia are just a few examples of recent legislation that punishes non-compliance more severely. Under GDPR, organizations failing to control human error on email systems could face fines of up to 4% of annual global turnover, or €20m, whichever is greater. For organizations, the margin for error when it comes to misdirected emails is growing slimmer.
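As an added example that is not part of the original post and not Tessian Guardian's logic, two of the four error types above can be checked in the mail client before a message leaves. The first flags a recipient the sender has never written to whose address is within a small edit distance of a known contact (the spelling and Autocomplete cases); the second flags a message whose visible To/Cc list contains many external recipients from more than one organization, where Bcc was probably intended. The internal domain, the contact history, the edit-distance bound and the recipient threshold are constructed assumptions.

```python
"""Added example, not Tessian's code: client-side checks for two common
misdirected-email errors (typo/lookalike recipient, To/Cc where Bcc was meant)."""
from typing import Dict, Iterable, List, Tuple

INTERNAL_DOMAIN = "corp.example"   # hypothetical: the sender's own organization
MAX_VISIBLE_EXTERNAL = 5           # hypothetical threshold for "this should have been Bcc"


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_recipients(recipients: Iterable[str], known_contacts: Iterable[str],
                         max_distance: int = 2) -> List[Tuple[str, str]]:
    """Recipients never emailed before whose address is within max_distance edits
    of a contact the sender has emailed before. Returns (typed, probable_intended)."""
    known = sorted({k.lower() for k in known_contacts})
    flagged = []
    for r in recipients:
        rl = r.lower()
        if rl in known:
            continue                      # an established contact, nothing to flag
        for k in known:
            if levenshtein(rl, k) <= max_distance:
                flagged.append((r, k))
                break
    return flagged


def bcc_expected(to: List[str], cc: List[str]) -> bool:
    """True when many external recipients are visible to each other and they do not
    all belong to one external organization (e.g. a mailing to individuals on freemail)."""
    visible_external = [a for a in to + cc if domain_of(a) != INTERNAL_DOMAIN]
    distinct_domains = {domain_of(a) for a in visible_external}
    return len(visible_external) > MAX_VISIBLE_EXTERNAL and len(distinct_domains) > 1


def check_outbound(to: List[str], cc: List[str], known_contacts: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into one result the client could show the sender."""
    findings = []
    for typed, intended in lookalike_recipients(to + cc, known_contacts):
        findings.append(f"{typed} is a few keystrokes away from {intended}; did you mean the latter?")
    if bcc_expected(to, cc):
        findings.append("Many external recipients are visible to each other; consider Bcc.")
    return {"warn": bool(findings), "findings": findings}


if __name__ == "__main__":
    history = ["alice.jones@client-one.example", "bob.lee@partner.example"]   # constructed history
    print(check_outbound(["alice.jones@client-0ne.example"], [], history))
```

The Bcc check deliberately stays quiet when every visible external recipient shares one domain, since a message to six people at the same client is normal; it fires on the pattern behind the clinic incident, many individuals on many domains, all visible to each other.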
The second consequence concerns trust and reputation. Unlike dialing the wrong phone number, which might be slightly embarrassing, sending a misdirected email and experiencing a data breach as a result can significantly undermine the confidence that clients, shareholders and partners have in an organization. Negative coverage in the press and on social media can negatively affect the perception of companies’ brands, and a quick Google search is all that’s needed to see the damage done to organizations’ credibility. Earlier this year, an NHS employee sent an email to executives containing sensitive personal data regarding 24 NHS employees – who were all copied in on the message. Prevent misdirected emails with Tessian Guardian Looking to the future, organizations will have to adopt security solutions that help reduce the risk of human error. Tessian’s Guardian filter allows enterprises to take control over the errors that happen on email. When a technological solution lets system administrators automatically notify the sender in real time that they are in danger of making an error by sending an email to the wrong person, that organization is in a more secure and stable place. Speak to one of Tessian’s cybersecurity experts today, and learn whether we could help your organization.