While there are various ways in which someone can exfiltrate data – which we’ve covered in What is Data Exfiltration? Tips for Preventing Data Exfiltration Attacks – email is the biggest risk. In fact, it’s the threat vector IT leaders are most concerned about protecting.   In this article we’ll answer three key questions: What is data exfiltration on email? Why is it so dangerous? How can organizations prevent it from happening? What is data exfiltration on email?   In order to understand what data exfiltration on email is, we should start with what data exfiltration is more broadly.   Data exfiltration is the act of sensitive data deliberately being moved from inside an organization to outside an organization’s perimeter without permission. This can be done through the digital transfer of data, the theft of documents or servers, or via an automated process.   Data and sensitive information found in spreadsheets, calendars, trading algorithms, planning documents, and customer PII can be moved outside of an organization’s perimeter via email in one of two ways:   Someone inside the organization (like an employee, exiting employee, contractor, or business partner) emailing data to their own personal accounts or to a third-party. External bad actors targeting employees with phishing or spear phishing scams. While these email attacks can be designed for the purpose of initiating a wire transfer, they’re often ploys to extract sensitive information or credentials or to install malware onto a network.

Why is data exfiltration on email so dangerous?   We’ve already mentioned that email is the threat vector IT leaders are most concerned about protecting. But why?   There are two key reasons: it’s easy to access (email accounts today are managed on laptops, smartphones, tablets, and even watches) and the underlying technology behind email hasn’t evolved since its inception in the 1970s. That means there are core security features missing that modern communication platforms have as a standard, including the ability to redact or recall and encryption-by-default.    This makes it one of the go-to mediums for data exfiltration. In fact, according to one report, 10% of all insiders and 10% of all external bad actors use email to steal data. And, if data is successfully exfiltrated, the consequences can be tremendous.   Case in point: A major US health insurance provider agreed to pay $115 million to settle a class-action lawsuit after it was discovered that an employee had stolen data on 18,000 Medicare members, including names, ID numbers, Social Security numbers, health plan IDs, and dates of enrollment.    Interested in learning more about incidents like this? Read 6 Examples of Data Exfiltration on our blog.    How can I prevent data exfiltration on email?   Data exfiltration is a big problem for organizations.    Whether it’s an exiting employee emailing data to their personal accounts on their way out (which 45% of employees admit to doing) or a hacker targeting someone with privileged access to networks and data via a phishing email, security, IT, and compliance leaders must find a way to prevent sensitive information from leaving their organization.    There are several solutions available, but few succeed in preventing data exfiltration attempts on email. Blocking or blacklisting domains   What it is: Data exfiltration prevention has often been simplified to stopping communication with certain accounts/domains (namely freemail accounts like @gmail).   Why it doesn’t work: This is a blunt approach that impedes on employee productivity. There are many legitimate reasons to communicate with freemail accounts, such as updating private clients, managing freelancers, or emailing friends and family about non-work issues. What’s more, a determined insider could easily circumvent this by setting up an account with its own domain. Secure Email Gateways (SEGs)   What it is: SEGs are essentially more sophisticated spam filters. They’re used to block malicious inbound email threats like phishing attacks.   Why it doesn’t work: While SEGs may be effective in blocking bulk phishing emails, they can’t stop all spear phishing emails. That means the most targeted attacks can still get through and employees could easily fall victim to an attack and unknowingly exfiltrate data to a bad actor. (Not sure what the difference is between phishing and spear phishing? Read this.) Rule-Based solutions   What it is: Organizations could implement rule-based solutions that take the form of “if-then” statements. These “if-then” statements involve keywords, email addresses, and regular expressions that look for signals of data exfiltration. For example, “If an email contains the word “social security number”, then quarantine the email and alert IT.”   Why it doesn’t work: Rule-based solutions are impossible to maintain because data changes in value and sensitivity over time. Beyond that, you simply can’t define or predict human behavior with rules. That’s why 85% of IT leaders say rule-based DLP is admin-intensive and just 18% say it’s the most effective way to prevent data loss.  Training    What it is: Because it’s people who control our data, training is a logical solution to data exfiltration. In fact, 61% of organizations have training every 6 months or more frequently.    Why it doesn’t work: While training does help educate employees about data exfiltration and what the consequences are, it’s not a long-term solution and won’t stop the few bad eggs from doing it. You also can’t train away human error.  Machine Learning   What it is: Machine learning (ML) models trained on historical email data understand the intricacies and fluctuations of human relationships over time. That means ML models can constantly update their “thinking” to determine whether an action looks like exfiltration or not.    Why it does work: This is the “human” way forward. At Tessian, we call it Human Layer Security. Machine-intelligent software recognizes what looks suspicious, much like a trained security professional could. However, unlike humans, it can do this thousands of times per second without missing information or getting tired.  How does Tessian prevent data exfiltration on email?   Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats. We currently protect customers across industries, including those that are highly regulated like Legal and Financial Services.   Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. Our platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks.    Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.   

There’s been a 47% increase in data loss incidents over the last two years; this includes accidental data loss and deliberate data exfiltration by negligent or disgruntled employees or contractors. While every incident of data loss or leakage may not result in a breach, many do, and the cost can be tremendous. That’s why today, data loss prevention (DLP) is one of the top spending priorities for IT leaders.

We’ve covered data loss prevention broadly in this blog: What is Data Loss Prevention (DLP) – A Complete Overview of DLP, but in this article, we’ll detail how exactly DLP works.  How does DLP work? DLP software monitors, detects, and blocks sensitive data from leaving an organization.  Monitor  DLP solutions monitor different entry and exit points of a corporate network, such as user devices, email clients, servers, or gateways within the network to safeguard data in different forms, including data in motion, data in use, and data at rest.  Data in motion refers to data that is sent and received over your network.  Data in use refers to data that you are using in your computer memory.  Data at rest refers to data that is stored in a database, file, or a server.  Detect If security software detects anything suspicious, such as an email attachment containing credit card details or an attempt to print confidential documents, a predefined response will kick in.  Note: This predefined response will depend on the solution itself and how it’s configured. Block Most DLP solutions offer organizations the ability to block potentially risky communications or to simply flag the anomaly for administrators to follow up on. Properly configured DLP allows organizations to block sensitive information while permitting non-sensitive communications to continue.  Again, this depends entirely on the solution and how it’s configured. So, how do current solutions prevent data loss? How do current solutions prevent data loss? While all DLP solutions will monitor, detect, and block data, there are still several different solutions.  Unfortunately, many fall short. Manually labeling and tagging sensitive data How it works: Security teams can manually label and tag sensitive data. This way, it can be monitored (and blocked) when it is seen moving outside the network.  Why it’s ineffective: This approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable; employees may label incorrectly or, worse, not do it at all. Rule-Based solutions How it works: The majority of DLP solutions rely on rules that take the form of “if-then” statements. These “if-then” statements involve keywords, email addresses, and regular expressions that look for signals of data exfiltration or accidental data loss. For example, “If an employee attempts to download a file larger than 1.0 MB, then block the download and alert IT.” Why it’s ineffective: Similar to tagging, rule-based solutions are impossible to maintain because data changes in value and sensitivity over time. Beyond that, you simply can’t define or predict human behavior with rules. That’s why 85% of IT leaders say rule-based DLP is admin-intensive and just 18% say it’s the most effective way to prevent data loss.  Blocking or blacklisting domains, channels, or software     How it works: DLP has often been simplified to simply stopping communication with certain accounts/domains (namely freemail accounts like @gmail) or blocking access to certain tools and software (like DropBox, for example).  Why it’s ineffective: This is a blunt approach that impedes on employee productivity. There are many legitimate reasons to communicate with freemail accounts, such as updating private clients, managing freelancers, or emailing friends and family about non-work issues. What’s more, a determined insider could easily circumvent this by setting up an account with its own domain. Machine Learning How it works: Machine learning models are trained off human behavior which means they understand the intricacies and fluctuations of human relationships over time. This way, they can determine whether an action looks like deliberate exfiltration or accidental data loss and prevent it before it happens.  Why it IS effective: This is the “human” way forward. Machine-intelligent software recognizes what looks suspicious, much like a trained security professional could. However, unlike humans, it can do this thousands of times per second without missing information or getting tired.  How to choose a DLP solution Importantly, before a DLP solution is even considered, security teams have to determine which data is considered most sensitive and which threat vectors are a priority. Step 1: Prioritize your data Here are just a few of the things security teams should consider: Industry. DLP efforts should start with the most valuable or sensitive information. What is sensitive within your organization? Naturally, those working in Financial Services will have different priorities than those working in Manufacturing. Compliance standards and data protection regulations.GDPR, CCPA, and HIPPA are just a few pieces of legislation that CISOs have to consider when putting together a DLP strategy. In addition to identifying which data is the most valuable for your organization, you have to consider which data you’re obligated to protect by law. How employees communicate. After identifying which data you want to protect and which data you have to protect, you have to figure out how that data is being stored, managed and transmitted by people and teams. Is it via the Cloud? On email? Through text messages? This will help determine which type of DLP solution you need. Step 2: Identify the biggest threat vectors Based on how your employees communicate, you can decide which type of DLP solution is right for your organization.  For example: Network DLP monitors traffic entering and leaving an organization’s network. Endpoint DLP is installed on devices (for example, company laptops or mobile phones) and checks that information is not taken off the device and placed on, or sent to, a non-authorized device. Email DLP is integrated into the email client itself and monitors emails as they are sent.  While these safeguard different threat vectors, they all do the same thing: monitor, detect, and block sensitive data from leaving an organization.  Did you know that email is the top priority for IT leaders? In fact, according to Tessian’s new research report The State of Data Loss Prevention 2020, almost half (47%) said it’s the threat vector they’re most concerned about protecting.  How Does Tessian Next-Gen DLP Work?  Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent dangerous activity like data exfiltration attempts and misdirected emails. Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. No rules needed.  Tessian Enforcer detects and prevents data exfiltration attempts by: Analyzing historical email data to understand normal content, context, and communication patterns Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs  Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like data exfiltration. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior Alerting users when data exfiltration attempts are detected with clear, concise, contextual warnings that reinforce security awareness training Tessian Guardian detects and prevents misdirected emails by: Analyzing historical email data to understand normal content, context, and communication patterns Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs  Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like it’s being sent to the wrong person. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior Alerting users when a misdirected email is detected with clear, concise, contextual warnings that allow employees to correct the recipients before the email is sent

We are proud to say that Tessian has received a 451 Firestarter award from leading technology research and advisory firm 451 Research.   The 451 Research Firestarter program recognizes exceptional innovation within the information technology industry. Introduced in 2018 and awarded quarterly, the program is exclusively analyst-led, allowing its team of technology and market experts to highlight organizations they believe are significantly contributing to the overall pace and extent of innovation in the technology market.  In its recent spotlight report, 451 Research said: “Most existing data discovery and data loss prevention (DLP) tools try to discover ‘personally identifiable information’ (PII) like credit card, driver’s license and social security numbers using RegEx searches, fingerprinting or optical character recognition (OCR). In contrast, Tessian’s focus is on finding bad behavior rather than finding sensitive data or PII, by applying machine learning techniques to historical email messages (headers, body and attachments) in order to distinguish between ‘safe’ and ‘unsafe’ emails.”

Earlier this year, 451 Research wrote a report stating that the “the DLP market is ripe for change” and that modern enterprises are looking for next-generation solutions that can detect and prevent both inbound email attacks and outbound email threats. Being recognized as a 451 Firestarter is a recognition of Tessian’s innovative approach to data loss protection. You can learn more about how Tessian is addressing DLP shortcomings here: 451 Research: Market Insight Report. Book a Demo To learn more about how we prevent inbound and outbound email threats and why world-leading businesses like Arm, Man Group, Evercore, and Schroders trust Tessian to protect their people on email, book a demo.

Now more than ever, security, IT, and compliance leaders are leaning on each other for support in navigating new challenges around remote-working. And, why wouldn’t they? While some organizations have operated virtually for months and even years before the outbreak of COVID-19, others had never operated a remote workforce. That means they’ve had to – very quickly – equip their teams with new devices and tools, implement new policies and procedures, and update security stacks. Of course, they’re doing all of this while trying to maintain “business as usual” which means trying to monitor and prevent data loss company-wide. That’s exactly why we’ve been hosting virtual events: to pool the wisdom of experienced security and IT leaders and share back with the broader community While you can access our library of webinars here (and register for our next virtual event here), we’ve compiled key takeaways below from our most recent webinar: How to Stop Data Loss Across 1 Million New Offices.  Here’s the actionable advice from Mark Settle, the former CIO of Okta and Karl Knowles, the Global Head of Cyber at HFW.

1. Prioritize email Even with collaboration tools like Slack, email is still King. Or, as Mark put it “email is the central nervous system of almost every company. You really can’t escape it”. Over 124 billion emails are sent and received everyday and employees spend 40% of their time on email. And, when you consider what’s being sent back and forth in emails (spreadsheets, invoices, client information, and other structured and unstructured data) it’s no wonder IT and security leaders consider it the number one threat vector for data loss. Whether it’s a disgruntled employee purposely exfiltrating data or a negligent employee who accidentally sends sensitive information to the wrong person, email is a leaky pipe.  Interested in learning more about how data is lost on email? Read this blog: A Complete Overview of DLP on Email. 2. Clearly communicate what constitutes “data loss” It’s employees who have to take on the role of protecting a company’s most important asset: data. But, unfortunately, many are blissfully unaware of what’s actually considered a data loss incident. It’s not their fault. It’s up to IT leaders – especially now as employees are adjusting to their new work environments – to really communicate what data is sensitive and how that data must be handled.  While those working in Healthcare or Financial Services may be well-versed in what data can and can’t be stored and shared, because of industry-specific compliance standards, the “average” professional may not be. For example: if you don’t tell employees that sending company data to their personal email accounts is considered unauthorized and could lead to a data breach, they’ll never know that they shouldn’t do it. Likewise, many employees don’t realize that sending an email to the wrong person could be classified as a data loss incident.  3. Don’t blame employees, empower them As we’ve said, employees are the gatekeepers of a company’s most sensitive systems and data. But, many aren’t familiar with security best practices or the implications of a breach. And, beyond that, many simply don’t have the necessary tools to work securely. It’s up to IT and security leaders to empower them to do so. How? According to Karl, it comes down to training and technology.

4. Re-think security awareness training Earlier this year at the world’s first Human Layer Security Summit, Mark Logsdon, Head of Cyber Assurance & Oversight at Prudential, explained there are three fundamental problems with training: It’s boring It’s often irrelevant It’s expensive Karl Knowles and Mark Settle shared many of these sentiments. The bottom line is: In order for training to be effective, it has to really resonate. And, for it to really resonate, employees have to understand the who, what, and why behind security policies and procedures. They recommend using different methods and mediums to communicate risks and preventative strategies and – perhaps most importantly – ensure you aren’t overloading them. That means breaking complex subjects down into more manageable pieces and translating technical jargon and concepts into language that’s easier to understand. Top Tip from Karl: Nominate Cyber Champions as a way to gamify training and encourage a positive security culture.  5. Know the limitations of rule-based DLP solutions and invest in technology that proactively adapts DLP isn’t just a challenge now that workforces are remote. It’s been a consistent pain point for IT and security teams for a long time and for several reasons. One of the biggest problems around DLP is that rule-based solutions aren’t adaptive. Not only are they admin-intensive to set-up, but they’re virtually impossible to maintain. You can read more about The Drawbacks of Traditional DLP on Email on our blog.  Learn more about Why DLP is Failing in Tessian’s latest report: The State of Data Loss Prevention 2020. That’s why Karl and Mark recommend investing in technology that’s fast and evolving. The technology is machine learning. Tessian’s DLP solutions (Tessian Enforcer and Tessian Guardian) are powered by machine learning which is why Karl – a customer – considered Tessian an extension of his cyber team.

Interested in learning more about how Tessian can help you detect and prevent data loss wherever your employees are working? Book a demo. And, for more advice, keep up with our blog, LinkedIn, and Twitter for guides, industry news, and events. 

Today, Tessian released The State of Data Loss Prevention 2020, a comprehensive report that explores new and perennial challenges around data loss prevention.

Our findings reveal that data loss on email is a bigger problem than most realize, that remote-working brings new challenges around DLP, and that the solutions currently deemed most effective may actually be the least. Why does this report matter? IT, security, and compliance readers have a lot to gain by reading this report. To really understand why, we have to look at the current landscape. Insider threats are a growing problem While email threats from external bad actors (like spear phishing and business email compromise) dominate headlines, email threats from insiders are steadily rising. In fact, there’s been a 47% increase in incidents over the last two years. This includes accidental data loss and deliberate data exfiltration. According to Verizon’s 2020 Data Breach Investigations Report “It is a bit disturbing when you realize that your employees’ mistakes account for roughly the same number of breaches as external parties who are actively attacking you.” The DLP market is booming and is on track for significant growth. Why? Because it’s one of the top spending priorities for IT leaders with 21% planning to acquire DLP tools within the next year.  Remote-working makes DLP even more challenging Over the last eight weeks, workforces around the world have transitioned from office-to-home. That means the perimeter has disappeared and past strategies have become obsolete. COVID-19 has been deemed a “field day for Insider Threats”. There are more opportunities than ever for employees to exploit privileged access to data, working from home can reduce the vigilance of employees handling confidential data, and there’s been a marked increase in COVID-19 phishing attacks. While some organizations will encourage their employees to migrate back to offices, many (including Facebook) have already opted to maintain remote-working set-ups.  Interested in learning more about the methods and motives of Insider Threats? Read our blog: What is an Insider Threat? Insider Threat Definitions, Examples, and Solutions. The implications of a data breach are far-reaching  The consequences of a data breach aren’t limited to lost data and revenue loss. Organizations also experience a 2-7% churn rate after a breach. Data privacy regulations add insult to injury. In the first quarter of 2020 alone, GDPR fines totaled nearly €50 million. But, we had to look beyond third-party research and conduct our own.  What will I learn? We analyzed Tessian platform data and commissioned OnePoll to survey 2,000 professionals (1,000 in the US and 1,000 in the UK) and 250 Information Technology (IT) leaders. We also interviewed IT, security, and compliance leaders about their own experiences with DLP. Here’s what we found out: !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

Data loss incidents are happening as much as 38x more often than IT leaders currently estimate. 800 misdirected emails are sent every year in organizations with 1,000 employees. 27,500 emails containing company data are sent to personal accounts every year in organizations with 1,000 employees. 84% of IT leaders say DLP is more challenging when their workforce is working remotely. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

While 91% of IT leaders say they trust their employees to follow security policies while working from home, almost half (48%) of employees say they’re less likely to follow safe data practices when working from home. Email is the threat vector IT leaders are most concerned about. 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job and 51% say security tools and software impede their productivity.  While IT leaders believe security awareness training is the most effective way to prevent data loss, machine learning is the better option.  Dozens more insights in the full report, including segmented data around industry, company size, age, and region.  How can I access The State of Data Loss Prevention 2020? IT leaders must have visibility over how their employees are handing and mishandling data on email in order to implement effective DLP strategies.  Our report shines a light on the problems and best solutions.  You can access the full report via our microsite. And, if you’re interested in learning more, save your spot at Tessian Human Layer Security Summit on June 18.

Over the last eight weeks, security vendors, thought leaders, and even mainstream media have been offering employees advice on how to stay secure and productive while working from home. And, why wouldn’t they? The transition from office-to-home has been both sudden and challenging and the risks associated with data loss haven’t disappeared just because the perimeter has. At Tessian, we’ve created (and have been consistently updating) our own remote-working content hub filled with actionable advice for security, IT, and compliance professionals as well as employees. While you can find the individual articles below, we thought we’d combine all of the tips we’ve shared over the last two months into one easy-to-read article. Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Ultimate Guide to Staying Secure While Working Remotely  Remote Worker’s Guide to: Preventing Data Loss Remote Worker’s Guide to: BYOD Policies  11 Tools to Help You Stay Secure and Productive While Working Remotely  Here are 13 things you shouldn’t do when working remotely from a cybersecurity perspective.  1. Don’t send company data to your personal email accounts. As many organizations have had to adopt new tools and systems like VPNs and Cloud Storage on the fly, some employees may have had to resort to sending company data to their personal email accounts in order to continue doing their job.  We understand that doing so may have been viewed at the “only option”, but it’s important to note that this is not wise from a security perspective. While we’ve written about this in detail on our blog The Dark Side of Sending Work Emails “Home”, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts. Why? Read point #5 to find out.  2. Don’t share Zoom links or Meeting IDs.  Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But, as we highlighted in our Ultimate Guide to Staying Secure While Working Remotely, there are precautions you must take in order to prevent attackers from infiltrating your calls. While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.  Importantly, this Meeting ID appears at the top of your conference window, which means if you share a screenshot of your call, anyone who sees the screenshot can access this meeting. If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join. 3. Don’t ignore warnings from IT and security teams or other authoritative sources.  Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them. But – importantly – these warnings are useless unless employees heed the advice.  Whether it’s an email outlining how to spot a phishing email or an announcement from your line manager about updating your iOS, employees should take warnings seriously and take action immediately.  4. Don’t work off of personal devices.  While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices. Note: Some organizations have adopted more flexible BYOD policies. You can learn how to combat the security risks associated with these policies on our blog. 5. Don’t action email requests without double-checking their legitimacy.  Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.  For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentialsor other personal information, get in touch with them via phone or a separate email thread before responding.  6. Don’t use weak passwords.  Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data.  If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins.  If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. 7. Don’t lose touch with your IT or security teams.  Communication – especially during periods of transition and disruption- is key.  If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected.  8. Don’t use public Wi-Fi or mobile hotspots.  Given the digital transformation, most of us rely on internet access to do our jobs. Unfortunately, we can’t connect to just any network.  The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. With that said, you should only use networks you’re absolutely confident are secure.  9. Don’t download new tools or software without approval.  IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion. Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”.  10. Don’t leave work devices or documents in plain sight.  Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too.  Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or client information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft.  Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously. 11. Don’t give hackers the information they need to execute social engineering attacks.  When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Don’t make it easier for them by sharing personal information on OOO messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.  12. Don’t be afraid to ask questions about security policies and procedures.  When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place. IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request.   13. Don’t forget the basics of security best practice.  While we’ve offered plenty of advice that’s specific to remote-working, following general security best practices will help prevent security incidents, too.  Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn’t, below are some of the basics. Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization.  If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key! What’s next? While most organizations and individuals have started to adjust to “the new normal”, it’s important to remember that, eventually, some of us will move back to our office environments. The above tips are relevant wherever you’re working, whether that’s at home, from a cafe, on public transport, or at your desk in the office. Looking for more insights on what\s next in this new world of work? We’re hosting our first virtual Human Layer Security Summit on June 18. Find out more – including the agenda for the day – here. 

According to a new report from 451 Research, “the DLP market is ripe for change” and Tessian could be the next-generation solution organizations need to detect and prevent both inbound email attacks and outbound email threats.  Key findings from the report include: DLP is ranked at the top of a list of over 20 security categories that are expected to see a “significant” increase in spending in the next 12 months Tessian uses stateful machine learning across four different products to prevent human error on email with use cases for both inbound and outbound email threats including anti-phishing and advanced impersonation attacks, accidental data loss, and malicious data exfiltration Tessian is both complementary and competitive to traditional DLP offerings 

DLP: An Unsolvable Problem While the DLP market is saturated with products – from traditional DLP vendors like Broadcom, McAfee, Forcepoint, and Digital Guardian to newer entrants like ArmorBlox, Altitude Networks, and Code42, the consensus is that DLP is, in many ways, failing. According to the report, “DLP technology has developed a reputation as much for inaccuracy, false positives, and poor performance as it has for protecting data.” That may be why DLP remains one of the top spending priorities for IT leaders, with 13% of those surveyed by 451 Research saying they expect to see a “significant increase” in spending over the next 12 months and a further 11% saying they expect to see a “slight increase.” It’s clear organizations need a better way to prevent data loss.  Tessian believes it’s because DLP efforts aren’t addressing the real problem, which is that 88% of data breaches are caused by human error.   Tessian’s Approach to Data Loss Prevention Instead of focusing on the machine layer, Tessian focuses on the human layer and, in doing so, has developed the world’s first Human Layer Security platform.

Our Human Layer Security platform consists of four main products: Tessian Defender, which prevents advanced inbound attacks like spear phishing, Tessian Guardian, which prevents accidental data loss caused by misdirected emails, Tessian Enforcer, which prevents data exfiltration attempts on email. Organizations that implement any of these solutions also get Tessian Constructor, which allows admins to create blacklists, whitelists, and custom filters to ensure email usage remains compliant.  Each of these products applies stateful machine learning techniques to historical email messages (headers, body, and attachments) to understand relationships and establish normal behavior profiles that can be used to distinguish between safe and unsafe emails.  No rules required. According to 451 Research, Tessian succeeds in preventing data loss where others fall short.  “While [most existing DLP tools] are good at finding personally identifiable information (PII), finding and blocking actions such as employees sending files to a personal email account are surprisingly challenging and are quickly out-of-date, so predefined rules are not that effective.” You can read the full report here. Book a Demo By leveraging new capabilities in AI and machine learning, Tessian, according to 451 Research,“delivers more effective DLP” by preventing human error on email.  To learn more about how we prevent inbound and outbound email threats and why world-leading businesses like Arm, Man Group, Evercore, and Schroders trust Tessian to protect their people on email, book a demo.

For many organizations, Data Loss Prevention (DLP) is at once one of the most important components of their security framework and the biggest headache for administrators. Why? Because most risks to data security actually come from within an organization, which means security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network. This includes user devices like laptops and mobile devices, email clients, servers, and gateways within the network. While “DLP” applies to more than email, email has become one of the most important vectors to safeguard.

Why is email the number one threat vector for data loss? Employees spend 40% of their digital time on email sending memos, spreadsheets, invoices, and other sensitive information and data (structured and unstructured alike). When you combine this with the fact that the underlying technology behind email hasn’t evolved since its inception and its ease-of-access – email accounts today are accessible on laptops, smartphones, tablets, smartwatches and even cars – it’s easy to see why 90% of data breaches start on email. A major US health insurance provider had to pay out $115 million in a class-action lawsuit after an employee stole the data of over 18,000 members over the course of nine months. How? Via email. The data exfiltrated included the members’ ID numbers, names, social security numbers, and other personal information.  Of course, not all incidents of data loss make headlines. According to Tessian data, over 700 misdirected emails are sent in organizations with 1,000 people every year.  This goes to show that businesses must be vigilant in assessing risk around both data loss and data exfiltration and, in doing so, must implement security measures that decrease their likelihood of suffering a breach. Unfortunately, that’s easier said than done. Data sent through email is hard to regulate As security leaders know, preventing data loss requires not only advanced security tools but also buy-in from the entire organization. Here are three reasons why data sent through email is hard to regulate:  Billions of emails are sent and received every day. According to research, over 124 billion business emails are sent and received every day. That means it’s virtually impossible for IT teams – often resource-constrained themselves – to monitor all of those emails for incidents that could (or do) result in data loss.  Organizations hold a lot of data. Whether it’s employees’ social security numbers, insurance policies for clients, or bank account details for suppliers, organizations across industries deal with more data than most of us can imagine. What’s more, it’s stored in various ways, from spreadsheets to project proposals. Limiting access to this data is one solution, but IT teams run the risk of limiting employee productivity in doing so. People make mistakes and break the rules. Human error is the number one cause of breaches under GDPR. Whether it’s an employee sending an email to the wrong person or a disgruntled employee intentionally exfiltrating data, there are numerous ways in which sensitive data can fall into the wrong hands. Unfortunately, to err is human and even training can’t eliminate this risk entirely.  Data vs. human behavior When you consider the objective of DLP, you realize there are two distinct approaches to take. Data-centric approach: Rule-based solutions use the content of an email to perform analysis. These rules consider keywords, attachments, seniority level, and even the role or department of an employee to identify sensitive information and keep it within the organization. Human-centric approach: Instead of focusing only on the data, human-centric approaches like those offered by Tessian seek to understand complex and ever-evolving human relationships in order to protect sensitive information. While both approaches have their merits, there are some clear shortcomings to a data-centric approach.

Why current DLP solutions are failing There are several different approaches organizations can take in preventing data loss. But, given the fact that security breaches have increased by 67% in the last five years, it’s worth noting the drawbacks of each solution.  Blocking accounts/domains: In this approach, particular domains (particularly free mail domains like @gmail.com or @yahoo.com) are blocked by the company. Why? These emails will undoubtedly be attached to people outside of the organization and, oftentimes, are actually the personal email accounts of employees themselves. Drawbacks: There are legitimate reasons to send and receive emails from people or organizations outside of your company’s network and with “freemail” domains. Employees might need to communicate with a client or manage freelancers. They may also simply be trying to send documents “home” to work after hours or over the weekend. Unfortunately, it’s not difficult for employees to find workarounds, regardless of their intentions.  Blacklisting email addresses: Security teams can create a list of non-authorized email addresses and simply block all emails sent or received.  Drawbacks: Because blacklisting requires constant updating, it’s very time- and resource-intensive. Beyond that, though, this is a very reactive measure. Email addresses will only be added to a blacklist after they’ve been known to be associated with unauthorized communications, which means data exfiltration attempts may be successful before IT and security teams are able to take steps towards remediation.  Focusing on Keywords: This method uses words and phrases to alert administrators of suspicious email activity. For example, IT and security teams can create rules to identify keywords like “social security numbers” or “bank account details”, which will then signal an email should be quarantined or blocked before sent. Drawbacks: The person trying to exfiltrate data – like social security numbers or bank account details – can circumvent keyword tracking tools by sending the email and the attached data in an encrypted form. Tagging Data: After classifying data, an organization may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network.  Drawbacks: Again, this system is time- and resource-intensive and relies on employees accurately identifying and tagging all sensitive data. Data could be misclassified or simply overlooked, allowing it to move freely within and out of a network. Additionally, employees often get fatigued with enforced tagging which could lead to default tagging everything as sensitive.  You can find more information about email tagging in this guide. The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules. That means that the more effective solution is one that’s adaptable and can discern the variations in human behavior over time. A solution like this relies on machine-intelligent software that learns from historical email data to determine what is and isn’t anomalous in real-time. What’s the best solution? Tessian uses contextual machine learning to prevent data exfiltration. Our machine learning models look at evolving patterns in data and constantly reclassifies email addresses based on changing relationships between employees and third-parties like vendors and suppliers.  This way, Tessian can determine whether a communication is legitimate information sharing or exfiltration. To learn more about data exfiltration and how Tessian is helping organizations like Arm keep data safe, talk to one of our experts today.

The California Consumer Privacy Act (or “the CCPA” for short) is California’s new data privacy law that came into effect on January 1, 2020.   This is the first of its kind in the US, and it’s going to impact your InfoSec program.  The purpose of this new law from a privacy perspective is to give consumers greater control over their personal information (PI). How? By giving consumers key privacy rights. You may be familiar with some of these rights, including: The right to know what PI a business is collecting about you  The right to know what these businesses do with that PI (via a privacy notice) The right to request access to that data  The right to have PI deleted  But, some rights are new, including: The right to request a business stops “selling” your PI The right to not be treated differently when making such a request While it’s essential consumers know their rights, security and compliance leaders need to pay attention, too. After all, failure to comply will result in fines up to $7,500 per violation.  So, if you’re a CISO, here’s everything you need to know about CCPA. Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, pushing the state statute closer to the GDPR. The CPRA creates a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected and for purposes of which the consumer has been informed. While – yes- the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options. What does this mean for you? Organizations must ensure compliance with the CPPA – integrating the demands of the CPRA – before it takes effect on January 1, 2023. The CCPA is one of the strictest consumer privacy laws in the US and it’s become the new standard Unlike Europe, the US doesn’t have a federal consumer privacy law. Instead, the US privacy landscape is made up of a smattering of both state and sectoral laws. As the CCPA ties enforcement to “California residents”, it may apply to services provided outside of California to Californians. Because it’s virtually impossible to know with absolute certainty who or where your customers are, it can become tricky to determine who you offer CCPA rights to and who you don’t. The result? Many companies have given CCPA rights to everyone.

The CCPA includes an obligation for your infosec program Indeed, when it comes to security, the CCPA only specifies that a business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” it processes.   Importantly, though, what those “reasonable” security procedures are and how they differ based on the information involved remains undefined.   But, what we do know is that if your business experiences a data breach and a Californian consumer’s PI is taken by an unauthorized person, your business could be on the hook for failing to implement reasonable security procedures. In addition to fines, the CCPA grants Californian consumers the right to sue you. This is called a private right of action.  While there is still much to be determined as to what “reasonable” means, the onus rests on you, as CISO, to review your infosec program and make sure you’re comfortable you’re doing your best to reach this “reasonable” standard. Looking at the NIST (800-53 or CSF), ISO 27001, and CIS controls are a great place to start.  The bottom line: businesses need to protect their data. Implementing a DLP solution is a necessary step all businesses need to take.

If a data breach happens on your watch, you may be held responsible for damages Statutory damages are new for Californian data privacy law.  Now, consumers can sue you for a data breach and they don’t have to show harm, meaning we could see a rise in data privacy class actions.   This CCPA private right of action promises to shake up the data breach class action landscape in which such actions have generally been settled for small amounts or dismissed due to lack of injury. Because, demonstrating and quantifying damages caused by a data breach can be difficult to show. With the CCPA, companies are vulnerable to potentially staggering damages in relation to a breach. Of course, this is in addition to revenue loss, damaged reputation, and lost customer trust. The CCPA allows consumers to seek statutory damages of between $100 and $750 (or actual damages if greater) against a company in the event of a data breach of PI that results from the company’s failure to implement reasonable security procedures. Putting this into context, a data breach affecting the PI of 100 California consumers may result in statutory damages ranging from $10,000 to $75,000, and a data breach affecting the PI of one million California consumers may result in statutory damages ranging from $100 million to $750 million.  These potential statutory damages dwarf almost every previous large data breach settlement in the US, and have the potential to see higher awards than we’ve seen with GDPR. It’s worth noting, though, that there is a 30-day cure period in which businesses can in some way remedy a data breach after receiving written notice from the consumer.  But, because the CCPA doesn’t define “cure,” it’s unclear how a business can successfully “cure” data security violations.  Prevention is better than cure. Your best chance of avoiding a breach and/or hefty fines afterward is to ensure your business has ‘reasonable’ security procedures implemented, including policies and other DLP solutions. While cybersecurity ROI is notoriously hard to measure, it’ll no doubt pale in comparison to the cost of a breach.  Learn how to communicate cybersecurity ROI to your CEO here. A successful private right of action by a consumer only applies to certain PI A couple of things need to happen before a Californian consumer can pursue this private right of action, including: The right only applies to data that is not encrypted or redacted. In other words, de-identified data or encrypted data is not subject to the private right of action or class action lawsuit.   The right only applies to limited types of PI – not the expansive definition found in the CCPA. This is a much more limited definition of PI than contemplated by the CCPA and, in practice, the majority of businesses’ data stores will not include this level of sensitive data.  The right does not apply if there has only been unauthorized access to data. There must also be exfiltration. This means that unsecured access to a cloud storage system on its own will not give rise to the right. There must also have been theft and unauthorized disclosures. For example, by an insider threat or nefarious third-party.   The harm to the consumer must flow from a violation of the business’s duty to implement reasonable security procedures. It will, therefore, be key for businesses to show a documented assessment of their security procedures in light of CCPA and to ensure a robust security program is in place to protect against data loss. If you are GDPR compliant, your infosec program is likely compliant The GDPR, somewhat similar to the CCPA, is vague when it comes to cybersecurity.  It makes data security a general obligation for all companies processing personal data from the European Union (EU) by requiring controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”.  This means that companies controlling or processing EU personal data should have implemented comprehensive internal policies and procedures to be in compliance with the GDPR. This likely makes them CCPA-ready, but IT leaders should still review their security programs. The most important thing to know is that businesses affected by the CCPA will now be responsible for not only knowing what data they hold, but also how it’s controlled. In order to ensure compliance, the first step should be revisiting your cybersecurity program. And, while it may be surprising to some, cybercriminals actually aren’t your biggest threat when it comes to data loss. It’s actually your own employees. After all, it’s your people who control all of the data within your organization. But, you can empower them to work securely and prevent data loss with Tessian.

Prevent data loss with Tessian To err is human which means your employees may make mistakes that could lead to a potential breach under CCPA.  Traditionally legacy technology has leveraged hardware and software focused on the machine layer to fight cybersecurity risks. This, of course, doesn’t address the biggest problem, though: The Human Element.  Tessian leverages intelligent machine learning to secure the Human Layer in order to understand human relationships and communication patterns. Once Tessian knows what “normal” looks like, Tessian can automatically predict and prevent dangerous activity, including accidental data loss and data exfiltration.  People shouldn’t have to be security experts to do their job. Taking advantage of Tessian solutions can help your organization mitigate your employee’s mistakes and keep them productive which is a key component of a robust security program.

CIOs, CISOs, and other IT leaders have a long list of internal and external factors to consider when putting together a cybersecurity strategy. If the ever-evolving threat landscape wasn’t challenging enough to keep up with on its own, there’s also a growing number of privacy regulations and compliance standards to satisfy and a market that’s more saturated with products than ever before. There’s also the issue of budgets. Oftentimes, it’s difficult to measure and communicate cybersecurity ROI which means justifying security investment can be challenging, especially when most organizations are facing significant budget cuts in light of COVID-19. Cybersecurity is, however, a business-critical function. It’s not a nice-to-have, but a must-have.  We’ve put together 3 tips to help you demonstrate the business value of cybersecurity solutions and get buy-in from your CEO.

Reframe cybersecurity solutions as business enablers While cybersecurity has historically been a siloed department, it’s becoming more and more integrated with overall business functions.  To see how far-reaching the implications of a cybersecurity strategy are, let’s consider the consequences of a data breach:  Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation These consequences directly affect a business’s bottom line.  But, cybersecurity solutions don’t have to be limited to prevention or remediation. In fact, cybersecurity can actually enable businesses and become a unique selling point in and of itself.  With regulations like HIPAA, CCPA, and GDPR dictating how organizations handle sensitive data, your cybersecurity framework can actually support growth by being a strong competitive differentiator. By investing in cybersecurity tools and personnel and being transparent about how your organization protects data, you’ll actually bolster credibility and trust amongst prospects and existing customers and clients.

Lead with facts and figures specific to your organization A critical aspect of communicating ROI is evidence. It’s important you come armed with the right evidence and, whenever possible, quantify the threats and the risk.  For example, you could start with the more general statistics that 90% of data breaches start on email and that misdirected emails were the number one incident reported under GDPR. Then you could use Tessian’s Breach Calculator to determine your organization’s potential exposure. According to our data, on average, 707 misdirected emails are sent every year in businesses with 1,000 people. Referencing this specific number will make the risk more tangible and the need for a solution more urgent.  Likewise, if you’re pitching for new inbound email security solutions, a phishing simulation could help demonstrate the likelihood of a successful attack. Or, if you need to make a case for network vulnerabilities, hiring a penetration tester could help prove that there are, in fact, chinks in your armor.  Curious how many misdirected or unauthorized emails are sent in your organization? Book a demo to find out. 

Engage with the larger organization Communicating the value (and necessity) of cybersecurity measures to your larger organization isn’t easy. Not only are technical risks hard to translate across departments, but policies and procedures can often be seen as a hindrance to employee productivity.  But, if you can engage with the larger organization and create a positive security culture, you’ll have a better chance of getting buy-in from C-level executives. How? More and more, CISOs are relying on gamification, positive reinforcement, and interactive content like videos and podcasts to promote their strategies. Whatever the method or medium, the most important thing is that risks and responsibilities – which the entire organization bears the burden of – are communicated so that everyone, regardless of department or level of seniority, can understand.  The benefits of this are two-fold. Not only will you demonstrate the value of cybersecurity via in-house evangelists, but you’ll also empower security-aware employees to become your biggest cybersecurity asset. (You can read more about the importance of empowering your people and protecting the Human Layer here.) This, in turn, helps your overall objective to prevent data loss and data exfiltration. Get more advice from security leaders for security leaders Ultimately, communicating security ROI relies on translating cyber risk to business risk, and making security a guiding principle for your larger organization. This is more important today than ever with new risks and challenges related to remote-working.  Looking for more advice? We constantly update our blog with new tips and best practices around security. We also found this article: The 5-Step Framework for CISOs Starting in a New Company very helpful, especially when it comes to negotiating budgets and delegating risk owners.

With the outbreak of COVID-19, workforces around the world have transitioned from secure office environments to their homes.  While some companies already had the infrastructure and policies in place to support a remote workforce, other smaller organizations and even some large enterprises are facing a number of challenges in getting their teams set up, starting with access to secure devices like laptops and phones. One way to empower your employees to work safely wherever they are is to implement BYOD (Bring Your Own Device) policies. What is a BYOD Policy?

While BYOD policies are something of a necessity now – especially with delays and even cancellations in global supply chains for the devices virtual workers rely on – they were formerly an answer to IT consumerization.  Consumerization of IT refers to the cycle of technology first being built for personal, consumer use and then later being adopted by businesses and other organizations at an enterprise level. It’s often the result of employees using popular consumer apps or devices at work, because they are better than the legacy tech used by the organization. What are the benefits of a BYOD policy? There’s a reason why the BYOD market was booming pre-COVID-19. In fact, the market is expected to be valued at more than $366.95 by 2020, a big jump from its valuation of $30 billion in 2014. Note: This forecast was made three years ago, which means the sudden and global transition to remote-working will likely drive more growth. So, what are some of the benefits for businesses? You’ll Enable a Productive Remote Workforce  This is no doubt the most important reason to adopt BYOD policies, especially now. If your employees have historically worked on desktops and you’re struggling to set each person up with a laptop, BYOD policies will enable your people to keep working, despite hardware shortages and other challenges. Beyond that, though, you’ll also enable your people to work freely from wherever they need to, whether that be in transit, at home, or in the office. You’ll Reduce Burden on IT Teams Employees tend to be more comfortable and confident using their own personal devices and their native interfaces. For example, someone who has worked on a Windows computer for 15 years may struggle to suddenly start working on a Mac. That means there will be less dependence on IT teams to train or otherwise set-up employees on new devices. But, it’s important to consider the security risks along with the benefits so that your employees and data stay safe while working from personal devices.  What are the security risks involved in using personal devices? Physical security Loss or theft of a personal device is one of the biggest concerns around BYOD policies, especially when you consider that people tend to carry their mobile phones and even laptops with them at all times. If a device fell into the wrong hands and adequate security measures weren’t in place, sensitive data could be at risk.  Network security If a cybercriminal was able to gain access to a personal device, they could maneuver from one device to another and move through an organization’s network quickly. Once inside, they could install malware, steal sensitive information, or simply maintain a foothold to control systems later. Information security Data is currency and personal devices hold a lot of information not just about an organization and its clients, vendors, and suppliers, but also about the individual. If you imagine all the sensitive data contained in Outlook or Gmail accounts, you can begin to see the magnitude of the risks if this data were exposed. Physical and network security risks are threats to information security, which proves how important securing devices really is. Tips for employers To minimize the risk associated with BYOD policies, we recommend that you: Enforce strict password policies. Mobile phones should be locked down with 6-digit PINs or complex swipe codes, and laptops should be secured with strong passwords that utilize numbers, letters, and characters. Your best bet is to enforce MFA or SSO and provide your employees with a password manager to keep track of their details securely. Equip devices with reliable security solutions. From encryption to antivirus software, personal devices need to have the same security solutions installed as work devices. Ideally, solutions will operate on both desktop and mobile ensuring protection across the board. For example, Tessian defends against both inbound and outbound email threats on desktop and mobile. Read more about our solutions here.  Restrict data access. Whether your organization uses a VPN or cloud services, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access through stringent access controls whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Limit or block downloads of software and applications. IT and security teams can use either blacklisting or whitelisting to ensure employees are only downloading and using vetted software and applications. Alternatively, IT and security teams could exercise even more control by preventing downloads altogether. Educate your employees. Awareness training is an essential part of any security strategy. But, it’s important that the training is relevant to your organization. If you do implement a BYOD policy, ensure every employee is educated about the rules and risks.  Tips for employees  To minimize the risk associated with BYOD policies, we recommend that you: Password-protect your personal devices. Adhere to internal security policies around password-protection or, alternatively, use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops. If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. Avoid public Wi-Fi and hotspotting. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Put training into practice. While security training is notoriously boring, it’s incredibly important and effective if put into practice. Always pay attention during training sessions and action the advice you’re given. Report loss or theft. In the event your device is lost or stolen, file a report internally immediately. If you’re unfamiliar with procedures around reporting, check with your line manager or IT team ASAP. They’ll be able to better mitigate risks around data loss the sooner they’re notified.  Communicate with IT and security teams. If you’re unsure about how to use your personal device securely or if you think your device has been compromised in some way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have, the better equipped they are to keep you and your device protected.  BYOD policies offer organizations and employees much-needed flexibility. But, in order to be effective as opposed to detrimental, strict security policies must be in place. It’s not just up to security teams. Employees must do their part to make smart security decisions in order to protect their devices, personal data and sensitive business information. Looking for more tips on staying secure while working remotely? We’re here to help! Check out these blogs: Ultimate Guide to Staying Secure While Working Remotely Remote Worker’s Guide To: Preventing Data Loss 11 Tools to Help You Stay Secure and Productive While Working Remotely 

As a part of our ongoing efforts to help security professionals around the world manage their new remote workforces, we’ve been holding virtual panel discussions and roundtables with ethical hackers and security and compliance leaders from some of the world’s leading institutions to discuss cybersecurity best practice while working from home. Our panelists and speakers have included David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, Jenna Franklin, Managing Counsel, Privacy & Data at Santander, Stacey Champagne, Head of Insider Threat at Blackstone, Ben Sadeghipour, Head of Hacker Education at HackerOne, Chris Turek, CIO at Evercore, Jon Washburn, CISO at Stoel Rives, Peter Keenan, CISO at Lazard, Gil Danieli, Director of Information security at Stroock, and Justin Daniels, General Counsel at Baker Donelson We’ve compiled some of the key takeaways to help IT, privacy, and security professionals and employees stay secure wherever they’re working. 

How to defend against spear phishing (inbound threats) Communicate new threats. Cybercriminals are carrying out opportunistic phishing attacks around COVID-19 and the mass transition from office-to-home. Keep employees in the loop by showing them examples of these threats. But, it’s important to not over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. Create policies and procedures around authenticating requests. Communicating new threats isn’t enough to stop them. To protect your employees and your data, you should also set up a system for verifying and authorizing requests via a known communication channel. For example, if an employee receives an email requesting an invoice be paid, they should contact the relevant department or individual via phone before making any payments. Enable multi-factor authentication. This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.   Encourage reporting. Creating and maintaining a positive security culture is one of the best ways to help defend against phishing and spear phishing attacks. If employees make a habit of reporting new threats, security and IT teams have a better chance of remediating them and preventing future threats.  Update security awareness training. Remote-working brings with it a host of new security challenges. From the do’s and don’t of using personal devices to identifying new threat vectors for phishing, employees need to refresh their security know-how now more than ever.

How to defend against data exfiltration (outbound threats) Exercise strict control over your VPN. Whether it’s disabling split tunneling on your  VPN or limiting local admin access, it’s absolutely vital that you minimize lateral movements within your network. This will not only help prevent insider threats from stealing data, but it will also prevent hackers from moving quickly from one device to another.  Block downloads of software and applications. This is one of the easiest ways to minimize the attack vectors within your network. By preventing downloads by individual users, you’ll be able to exercise more control over the software and applications your employees use. This way, only vetted tools and solutions will be available for use.  Secure your cloud services. As workforces around the world are suddenly remote, cloud services are more important than ever. But, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Create a system for onboarding and offboarding employees. Both negligent and malicious incidents of data exfiltration are on the rise. To prevent new starters or bad leavers from mishandling your data, make sure you create and communicate new policies for onboarding and offboarding employees. In order to be truly effective, this will need to be a joint effort between HR, IT and security teams. Update security awareness training. Again, remote-working brings with it a host of new security challenges. Give your employees the best chance of preventing data loss by updating your security awareness training. Bonus: Check your cybersecurity insurance. Organizations are now especially vulnerable to cyber attacks. While preventative measures like the above should be in place, if you have cybersecurity insurance, now is the time to review your policy to ensure you’re covered across both new and pre-existing threat vectors.  Our panelist cited two key points to review: If you are allowing employees to use personal devices for anything work-related, check whether personal devices are included in your insurance policy. Verify whether or not your policy places a cap on scams and social engineering attacks and scrutinize the language around both terms. In some instances, there may be different caps placed on these different types of attacks which means your policy may not be as comprehensive as you might have thought. For example, under your policy, what would a phishing attack fall under? 

How to stay compliant Share updated policies and detailed guides with employees. While employees may know and understand security policies in the context of an office environment, they may not understand how to apply them in the context of their homes. In order to prevent data loss (and fines), ensure your employees know exactly how to handle sensitive information. This could mean wearing a headset while on calls with clients or customers, avoiding any handwritten notes, and – in general – storing information electronically. Update security awareness training. As we’ve mentioned, organizations around the world have seen a spike in inbound attacks like phishing. And, when you consider that 91% of data breaches start with a phishing attack, you can begin to understand why it’s absolutely essential that employees in every department know how to catch a phish and are especially cautious and vigilant when responding to emails. Conduct a Data Protection Impact Assessment (DPIA). As employees have moved out of offices and into their homes, businesses need to ensure personal data about employees and customers is protected while the employees are accessing it and while it’s in transit, wherever that may be. That means compliance teams need to consider localized regulations and compliance standards and IT and security teams have to take necessary steps to secure devices with software, restricted access, and physical security. Note: personal devices will also have to be safeguarded if employees are using those devices to access work.  Remember that health data requires special care. In light of COVID-19, a lot of organizations are monitoring employee health. But, it’s important to remember that health data is a special category under GDPR and requires special care both in terms of obtaining consent and how it’s processed and stored.  This is the case unless one of the exceptions apply. For example, processing is necessary for health and safety obligations under employment law. Likewise, processing is necessary for reasons of public interest in the area of public health. An important step here is to update employee privacy notices so that they know what information you’re collecting and how you’re using it, which meets the transparency requirement under GDPR.   Revise your Business Continuity Plan (BCP). For many organizations, recent events will have been the ultimate stress test for BCPs. With that said, though, these plans should continually be reviewed. For the best outcome, IT, security, legal, and compliance teams should work cross-functionally. Beyond that, you should stay in touch with suppliers to ensure service can be maintained, consistently review the risk profile of those suppliers, and scrutinize your own plans, bearing in mind redundancies and furloughs.  Stay up-to-date with regulatory authorities. Some regulators responsible for upholding data privacy have been releasing guidance around their attitude and approach to organizations meeting their regulatory obligations during this public health emergency.  In some cases, fines may be reduced, there may be fewer investigations, they may stand down new audits, and – while they cannot alter statutory deadlines – there is an acknowledgment that there may be some delays in fulfilling certain requests such as Data Subject Access Requests (DSARs). The UK privacy regulator, the ICO, has said they will continue acting proportionately, taking into account the challenges organizations face at this time. But, regulators won’t accept excuses and they will take strong action against those who take advantage of the pandemic; this crisis should not be used as an artificial reason for not investing in security.  

Looking for more advice around remote-working and the new world of work? We’ve created a hub with curated content around remote working security which we’ll be updating regularly with more helpful guides and tips.