Human Layer Security Summit is back. Register now to save your spot.

Compliance DLP
Email: Your Data Security’s Weakest Link
15 November 2019
Email: Your Data Security’s Weak Link Emails are a crucial part of many work lives. We’re used to sending and receiving emails throughout the day, without much thought about the security of such exchanges. There’s a much bigger threat that originates from inside your organization. When an employee clicks that send button, they could potentially share sensitive information with the wrong recipient. Such mistakes carry high costs. It might compromise client data or confidential information, which causes your organization huge reputational damage and could hit your bottom-line. Not to mention the impact if the story leaks to the media. That level of reputational damage can take years to recover from. The biggest form of data loss Misdirected emails were reported by the Information Commissioner’s Office (ICO) to be the biggest form of data loss last year (and also the first quarter of 2018). Many companies are familiar with hacking as a form of data loss (hence the investment in physical database security, firewalls, and anti-virus) but less so with misdirected emails. Unfortunately, all the attributes of email that makes it so popular (that it’s a speedy, clear and common form of communication) are the very factors that make it such a risk. 95% of all security incidents involve human error. Many security systems that are focussed on keeping hackers out, are missing a vital part of defence – making sure sensitive information stays in. Email is the default means of communication The emails involved in this scenario are all outbound. That is, emails sent to other organizations or people outside of your own company domain. If you think about it, email is a pretty insecure way of sharing information. It can be hacked, end up with the wrong person, or send malware and spam itself. Worryingly, email still remains a means for many businesses to share confidential information. 89% of U.S. law firms use it as the main way to share information like case files or contracts. That’s despite 70% of them being aware of the risks and the importance of sharing files securely. It’s the default mode of communication for many companies, and that means we need to find ways of securing it. Firewalls and other security can only go so far. When an email is leaked, it could be your employees who are your weakest link. Employees can make mistakes It might even be unintentional on the part of an employee. If someone simply misspells a name or doesn’t realize others are copied into an email chain it can result in a data leak. Alternatively, their actions might be malicious and actually intending to cause harm to a company. Either way, the consequences are devastating for a business. Especially post-GDPR. Misdirected emails and GDPR For the few who are unaware, the EU’s  General Data Protection Regulation (GDPR) has strict stipulations on the use and sharing of personal data. Under GDPR, organizations could face a fine of up to €20 million or 4% of global revenue, whichever sum is greater. The fine depends on the severity of the data leak. So a leak of healthcare records or personal finance data is likely to attract a far greater fine than leaking email addresses. Even if the information shared isn’t customer data or personal information, there could be dire consequences. Imagine sharing client lists or your organization’s future product plans, business strategy or financial information with the wrong person. It only takes a few clicks before that information ends up in the hands of a competitor. Reputation and trust is damaged Data leaks are becoming increasingly common. The media has its eye fixed on any kind of data breach. Any company that leaks information, whether that’s through a hack or misdirected email, is likely to become front page news. Despite the saying, not all news is good for your company. Plus, there’s the significant loss of trust that occurs between organizations and consumers if a breach does occur. Especially if that information is highly sensitive, like the names and emails of attendees of a HIV clinic sent in an accidental group email. As you can see with this case, a breach could occur simply when someone doesn’t realize emails are inputted into a cc field and not blind-copied. The clinic was fined £180,000. A sum that would have been far greater had GDPR been enforced at the time. Other potential risks Then there’s the risks associated with an employee leaving their email account logged-in on a shared computer. They could also fail to lock their screen when leaving their computer. Alternatively, their laptop, phone or tablet could be stolen with their work email account still linked. When securing your emails, there’s definitely some employee education to be done. Make sure you communicate the risks of leaving inboxes on show or failing to lock screens. Employees must also understand how they can prevent misdirected emails and the consequences of such a leak. Identifying email leaks Of course, not all email leaks can be easily identified by organizations. Someone might maliciously forward an email. Others may accidentally send confidential information without realizing it. Under GDPR, there’s a requirement for any breach to be reported within 72 hours. Organizations need a way to track outbound emails and flag any misdirected emails. Luckily, there are tools like Tessian that notify you of any confidential information sent to personal email addresses or outside your organization. It also prevents misdirected emails from ever occurring. Prevention is your best cure. Once a leak has happened, it’s difficult to fully recover. It’s better to use machine learning and other technology to stop a breach occurring. Either through analyzing email addresses and flagging potential misdirected emails, or highlighting when employee behavior might cause a leak. Secure the outside and inside The risks of having a data leak are much higher compared to the past. GDPR has raised the stakes for many companies and also raised awareness about personal data security amongst consumers. Organizations need to ensure security is in top shape. However, most emphasis is placed on ways to keep hacks and database breaches from occurring. Not many business leaders have considered the risk of email leaks. This creates a chink in an otherwise impenetrable armor. You don’t just need to consider the dangers of people getting it, you also have to stop confidential information from getting out. Especially if it’s highly sensitive, which is often the case in the health and legal sectors.
Compliance DLP
What is Data Loss Prevention (DLP) – A Complete Overview of DLP
23 October 2019
Organizations across industries invest in Data Loss Prevention (DLP) solutions to combat perennial security risks along with new challenges like GDPR and CCPA compliance.  But, what is Data Loss Prevention (DLP), what are the benefits of implementing a DLP strategy, and how does DLP work?
What is Data Loss Prevention (DLP)? DLP software monitors different entry and exit points of a corporate network, such as user devices, email clients, servers, or gateways within the network to safeguard data in different forms, including data in motion, data in use, and data at rest.  Data in motion refers to data that is sent and received over your network.  Data in use refers to data that you are using in your computer memory.  Data at rest refers to data that is stored in a database, file, or a server.  If security software sees something suspicious, such as an email attachment containing credit card details or an attempt to print confidential documents, a predefined response will kick in. Most DLP software offers organizations the ability to block potentially risky communications or to simply flag the anomaly for administrators to follow up on. Properly configured DLP allows organizations to block sensitive information while permitting non-sensitive communications to continue which means there is a range of benefits of DLP. What are the benefits of DLP There are three main problems solved by DLP: Satisfying compliance standards. With compliance regulations like GDPR, CCPA, and HIPAA dictating how data is handled in different industries and regions, it’s more important than ever that organizations monitor activity and events around Personally Identifiable Information (PII), Protected Health Information (PHI), or payment card information (PCI). Any breaches that compromise the security of this data could mean big fines for organizations. GDPR fines alone can equal up to 4% of a business’ annual turnover.  Keeping intellectual property in-house. While customer, client, or patient information must be protected by law, organizations have a vested interest in also protecting intellectual property like financial information, design or development plans, and information related to the overall structure of the business. DLP helps protect against data exfiltration attempts. Monitoring how data is used. Not all data incidents lead to data breaches. That’s why it’s important for organizations to have full visibility over how individual users are using and interacting with data. This way, administrators can potentially spot a bad leaver or insider threat before any data is exfiltrated.  What are the different types of DLP? DLP does more or less the same thing wherever it is deployed – it looks for sensitive information crossing boundaries. But different DLP solutions operate in different ways depending on which “perimeter” is being guarded. There are three main types of DLP solutions: network DLP, endpoint DLP, and email DLP. Network DLP Network DLP protects data in motion by monitoring the traffic that enters and leaves the organization’s network.  These solutions are mostly cloud-based and are designed to monitor network traffic between users and other endpoints connected through the Internet; every byte of data transmitted through a network will go through the cloud-based DLP solution.  Like other DLP solutions, Network DLP can be customized to block custom defined data strings to prevent specific information from moving out of the network by blocking them. But, it can also be used to manage access to certain Uniform Resource Locators (URLs), prevent data or files being transferred to specific cloud storage, and block viruses and malware that are traversing the network. Endpoint DLP Endpoint DLP protects data in use on employee’s devices (computers, mobile phones) by preventing unauthorized access. How? By ensuring information isn’t taken off work devices and sent or copied to unauthorized devices by allowing or denying certain tasks to be performed on the computer.  It is also able to detect and block viruses and other malware that could be transferred into your computer system from external sources.  Universal Serial Bus (USB) blocking is one of the most popular methods used in endpoint DLP, because viruses can be replicated using USB storage, and once a USB flash drive is connected to a computer, the virus can be transmitted to the computer system.  Email DLP Email continues to be the most critical risk factor of data loss with both inbound and outbound traffic posing security threats.  To protect data, Email DLP monitors, tracks, and filters emails sent back and forth through the email client and checks every communication.  Inbound email DLP solutions monitor emails for certain keywords to identify phishing scams, spear phishing attacks, ransomware, or malware. It also quarantines any suspicious email message that contains specific types of data. Outbound email DLP, on the other hand, can be set up to check for misdirected emails,unauthorized emails, or sensitive data to prevent critical information moving out of an organization’s network. Do I need a DLP solution? Every company is different, but those handling sensitive information – especially from third-parties – will want to consider implementing a DLP solution in order to maintain customer or client trust and satisfy compliance standards. Larger organizations may want to secure every point as part of a layered defense, while smaller companies with limited IT budgets may decide to focus on their single biggest risk.  For many, this is email. Not only are misdirected emails one of the most common breaches reported under GDPR, but 90% of data breaches start on email. To learn more about why it’s so important to focus on email, read our Ultimate Guide to Human Layer Security. How does DLP work? Traditionally, DLP software has been built around creating long lists of rules and extensive manual tagging. Once set up, it can then monitor the flow of data through different parts of the network, to look for anything sensitive crossing a boundary. Administrators can create policies to dictate “if x happens, then do y.” These rules should be specific to your organization. For example, a rule may forbid sensitive information being sent to a “freemail” email account or any non-whitelisted third parties. Unfortunately, though, rule-based DLP has limitations. IT and security teams are tasked with not only creating but also maintaining long lists of rules and employees are often exposed to high flag rates that impede on their productivity. That’s why Tessian takes a different approach. How does Tessian prevent data loss? Tessian uses machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our machine learning models analyze email data to understand how people work and communicate. They have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real-time if particular emails look like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network.
Compliance DLP Human Layer Security
The Dark Side of Sending Work Emails “Home”
By Cai Thomas
11 October 2019
This article was originally published on TechRadar Pro. In the last four years, the number of remote working jobs has more than doubled, as employers acknowledge the need to change traditional working practices. In fact, it’s expected that 50% of the UK workforce will work remotely by 2020, further blurring the lines between home and the office. This shift has huge benefits; improving people’s work-life balance, increasing employee productivity and boosting employee retention rates. However, it does also pose a problem for one very important aspect of business: data security. Data security is at a greater risk as staff are more likely to send important and, even, confidential company information to personal email accounts, with the usual intention of working on documents at home. Worryingly, many are completely unaware how risky these actions are. According to tech firm Probrand, nearly two-thirds of UK employees have forwarded customer emails to their personal email accounts and 84% of them did not feel they were doing anything wrong. So what are the risks with sending work home? And who are the workers you need to be wary of? 1. The 24/7 worker While a number of the emails sent ‘home’ contain non-sensitive information, like travel arrangements, cinema tickets or food recipes, we’ve seen that around 10-15% of emails sent to personal accounts contain company sensitive information. We’ve all been there; it’s late on a Friday, that Monday deadline is looming, and the employee thinks to themselves, “I’ll just have to finish this document at home over the weekend”. So they send the document to their, or their partner’s, personal freemail account. However, this can have devastating consequences for the company’s reputation and it could destroy customers’ trust in the business. The problem is that by sending emails ‘home’, the information the messages contain now sits in an environment that is not secured by the company, leaving the data vulnerable to cybercriminals. It’s also important to note that this simple act of sending work home means your company is now at risk of breaching data protection regulations, like GDPR, due to the fact that you, as the Data Controller, no longer have oversight as to where the data is held. Boeing, for example, faced scrutiny after an employee shared a spreadsheet containing the personal information of 36,000 co-workers with his spouse, simply because she was better at Excel formatting than him. The incident sparked an internal security investigation and was brought to the attention of the Washington state Attorney General and other officials in California because employee data had left the control of the company. 2. The leaver We often see a spike in data exfiltration during an employee’s notice period. Workers know they’re not supposed to, but the temptation to take information that will give them an advantage in their new role is hard to ignore. As such, we see people sending company IP and client data to personal accounts prior to moving to another employer. This happens most frequently in industries such as financial services, legal, healthcare and recruitment, where a person’s client base and network is king. The task of manually monitoring suspicious ‘leaver’ behaviour over email has become incredibly challenging for IT staff, due to the increased employee churn rate year on year. A study by LinkedIn found that young workers now switch jobs four times in their first 10 years after graduation. However, by not putting a stop to this act, companies could face losing their competitive advantage as well as their clients’ business due to leaked secrets, strategy and IP. 3. The malicious insider This is where employees steal data from their company for personal or financial gain. Despite being less common, the threat of the ‘malicious insider’ is something businesses have come up against more frequently in the past few years. Employees will typically steal confidential company secrets and/or client data with the intention of selling it on the dark web or handing it over to a competitor to damage their current company. Just last year, Bupa fell victim to this crime after the personal data of 500,000 customers was sold on the dark web while audit firm SRBC and Co.’s reputation was tarnished after its client’s earnings estimation was maliciously leaked over email. An intelligent solution for a flexible workforce There can be no denying that monitoring all employee email behavior is an arduous task for IT and compliance teams to undertake. With the average employee sending and receiving 124 emails a day, and with daily email traffic increasing 5% year on year, deciphering data exfiltration within email logs is like finding a needle in a haystack. To help tackle the problem of data being leaked to unauthorized accounts, some organizations opt to simply blacklist all freemail domains. However, this can impede productivity and is usually ineffective given that many clients, small businesses and contractors use freemail accounts, as do prospective applicants looking for jobs at the company. Businesses need a more intelligent approach to data exfiltration – one that can look at the emails each employee has sent and received in the past, in order to identify non-business contacts with whom each employee interacts with. Machine learning, for example, can evolve to understand the differences between authorized and unauthorized freemail accounts, and it can analyze email content to determine whether it is sensitive or non-sensitive. By doing so, machine learning can make an accurate prediction as to whether an employee is exfiltrating data and acting against company policies. There will always be reasons for people to bend the rules and leak data outside of their organization – maliciously or for convenience. The consequences for doing so, though, could be devastating for any company; huge fines, loss of competitive advantage and a damaged reputation. So as more businesses adopt remote working practices, it’s important that technologies are place to ensure company sensitive data is secure and not at risk of ‘being sent home’.
DLP
The Risks of Sending Data to Your Personal Email
02 April 2019
Across all industries, people routinely send work from their corporate email account to their personal account to more easily work from home, or outside of office hours. On the surface, this may not pose any great threat to your organization, be it because your employees are careful, or because the data they handle isn’t sensitive enough. The main reason employees send work home is that it’s easier. Easier than accessing files through the corporate VPN, easier than digging out the randomly generated password to their work email for use at home, easier than printing off everything they need and taking it home with them. They send an email, go home, and the documents are ready and waiting. In earlier 2017, an airline employee sent a spreadsheet containing approximately 36,000 employee records home so his wife could help with a formatting problem. Based on data from the Ponemon Institute, this single spreadsheet may have cost the company as much as $5.7m. While bad practice, a security breach like this (because it doesn’t have to be damaging, or even publicized to constitute a breach) will most of the time not result in damage or require clean up, but the one time it does, the financial and reputation risk can be high. There is also the possibility that disgruntled employees may deliberately send information to their personal email to more easily disseminate it to competitors or the press, as happened in 2016. A former employee at a UK law firm was pronounced liable by the ICO and prosecuted under the Data Protection Act for sending confidential client data to their personal account, which they hope to use as leverage in their new role at a rival company. Loss of data through personal email could mean: • Breach of contracts or non-disclosure agreements • Loss of IP and proprietary research • Breach of data protection regulations • Heavy fines imposed by regulators and clients (GDPR, in particular will greatly increase fines for all manner of data breaches) In brief: something as seemingly insignificant as sending sensitive company data to a personal email account can be devastating. “Nearly 75% of office employees send work files to a personal email account, a majority of whom say it’s because they prefer using their own computer, while 14% say it’s because it’s too much work to bring their work laptop home.” How do you fix the problem? 1. Educate your workforce Make sure your employees know how to observe best data security practices. Make sure they understand how best to secure the data they work with, especially confidential data, and ensure they adhere to company data security policies, hosting refresher courses if necessary. 2. Ease of access Try as much as possible to ensure that your employees don’t feel the need to send work to their personal emails. Implement secure file storage platforms they can access from home (SharePoint, GSuite, etc) or a corporate VPN so they can securely access the company network from anywhere. You need to strike that happy middle ground between “easy to use but insecure” and “airtight but really disruptive”. 3. Be proactive, not reactive Choose email security platforms that offer the most complete protection against sending to unauthorized email accounts before it becomes a problem, instead of being left scrambling for a solution in the aftermath. Find a solution that tracks and logs attempts to send data to a personal email address, and use the metrics to open a conversation with employees about data protection.
DLP
Risks of Email Communication
26 February 2019
A consumer survey conducted by Adobe in 2018 found that on a typical weekday, their consumers are checking their work email an average 3.1 hours; their personal email, 2.5 hours. This makes email one of the most habitual platforms employees use, which makes changing this user behavior that much more challenging. Email’s speed and ubiquity also make it one of the single biggest threats to a company, its employees, and its data. Employees of all levels, in all industries, depend on the ability to communicate quickly and easily in order to get their jobs done. Investment bankers share market sensitive information to buy and sell companies. Lawyers share evidence on litigation matters. Hedge fund managers share data on positions or trading strategies. Over the past 20 years, email has grown to become the main artery of communication for the enterprise. According to research conducted by McKinsey in 2012, reading and answering email accounts for 28% of the average employee workday this makes email one of the most habitual tasks employees conduct.
Human error is incredibly difficult to understand, let alone predict. Changes in people’s stress levels, morale, engagement and attention can lead to misdirected emails. While a growing number of enterprise processes are now being automated, email communication is currently still reliant on human interaction and judgement – all of which makes it particularly vulnerable to human error. No matter how structured or ingrained a process or behavior is, mistakes are inescapable, and inevitable. The risk of data leakage is heightened by many of the factors that make email so useful. The same email address will send personal and professional messages, often in succession. It is platform agnostic – you can send an email to any other email address regardless of its platform making it very difficult to develop a complete security solution for a channel with so many front-end standards and configurations. As email becomes easier to use the associated risks also increase. Paul Regan, Head of Cybersecurity at Winterflood Securities noted that misdirected emails are where his firm has seen the biggest risk in the last couple of years.
Email used to be much more manual, but functions such as those Regan refers to have upped the risk, and even with an emphasis on data privacy training, the risks have grown. Hyde pointed to another worrying trend: “The way email used to be used was very manual. As time has gone on, it’s become much easier to use. It’s available on more devices, better at predicting what you’re going to do – but with that ease of use comes risk. “We trust the technology hugely, so that when something goes wrong it happens so quickly that it’s impossible to do anything about it – that’s the reality of email.” A misdirected email, such a seemingly small mistake, could heavily damage your relationships with clients and your level of public trust.
“Imagine, your most important client receives an email with financial or sensitive information going to somebody else. You have a good chance of losing that client and certainly your standing will be hit.” “It’s too late to go back now”, noted Regan. “I feel that email is an inherently weak medium, and it’s not going to change. “Deploying Tessian for us is recognition that our employees are trying to do the right thing. “This is not about having some central security department, overseeing everybody and trying to catch someone doing bad things. It’s a safety net that catches things that otherwise would be a problem,” said Hyde.
DLP
Bupa Fined £175,000: The Risks and Costs of Unauthorized Emails
18 October 2018
As the recent Bupa data breach highlighted, the sending of unauthorized emails – an email that is intentionally sent to an unauthorized recipient, such as an employee’s personal email account – can have a detrimental financial and reputational impact upon an organization. The global insurance and healthcare group’s failure to prevent the exfiltration and attempted sale of over half a million international health insurance customers’ personal information led to a £175,000 fine and a damning evaluation of its negligent security practices.
The loss of consumer data can also result in: • Breaching contracts or non-disclosure agreements • The loss of IP and proprietary research • Breaching data protection regulations • Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches) Despite such demonstrably damaging ramifications, many organizations do not have sufficiently secure networks and, as a result, lack the necessary visibility over how sensitive data is processed and stored. Before they know it, sensitive data is shared, stolen and sold; the damage is done. For large organizations like Bupa, monitoring thousands of employees and hundreds of thousands of email communications containing millions of pieces of data can seem an insurmountable and relentless task. In 2018, it is estimated that 124.5 billion business emails were sent every day with each employee sending an average of 31 each. These figures are only expected to increase (by at a rate of 3% per annum over the next few years) as corporate email networks grow in size and importance. Organizations that possess large amounts of highly sensitive patient or consumer data like Bupa have a duty to prevent this kind of data breach from happening. If they cannot monitor or control employee behaviour, they must take the necessary steps to find and invest in an approach and solution that can prevent unauthorized emails from being sent. It’s crucial to be proactive – rather than reactive – to address this kind of threat As such, we recommend enterprises employ an email security platform that offers comprehensive protection against the sending of unauthorized emails. Tessian Enforcer, for example, uses machine learning to understand human conversation patterns in order to detect, flag and prevent anomalous emails, which may contain sensitive data, from being sent to unauthorized or personal email accounts.
Page