Live Webinar | Ready to Supercharge Your Microsoft Environment? Yes, sign me up!

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Human Layer Security

90% of data breaches are caused by human error. Stay up to date on the latest tips, guides, and industry news on Human Layer Security.

ATO/BEC Human Layer Security
Must-Know Phishing Statistics: Updated 2022
By Maddie Rosenthal
12 January 2022
Looking for something more visual? Check out this infographic with key statistics.
The frequency of phishing attacks   Phishing is a huge threat and growing more widespread every year. 2021 Tessian research found that employees receive an average of 14 malicious emails per year. Some industries were hit particularly hard, with retail workers receiving an average of 49.   ESET’s 2021 research found a 7.3% increase in email-based attacks between May and August 2021, the majority of which were part of phishing campaigns.   And 2021 research from IBM confirmed this trend, citing a 2 percentage-point rise in phishing attacks between 2019 and 2020, partly driven by COVID-19 and supply chain uncertainty.   CISCO’s 2021 Cybersecurity threat trends report suggests that at least one person clicked a phishing link in around 86% of organizations. The company’s data suggests that phishing accounts for around 90% of data breaches. There’s an uneven distribution in phishing attacks throughout the year. CISCO found that phishing tends to peak around holiday times, finding that phishing attacks soared by 52% in December. We’ve written about a similar phenomenon that typically occurs around Black Friday.   ⚡  Want to learn how to prevent successful attacks? Check out this page all about BEC prevention.   How phishing attacks are delivered 96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing. The increase in phishing attacks means email communications networks are now riddled with cybercrime. Symantec research suggests that throughout 2020, 1 in every 4,200 emails was a phishing email. When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%). 
The most common subject lines According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks: Urgent Request Important Payment Attention   Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4, 2020:   IT: Annual Asset Inventory Changes to your health benefits Twitter: Security alert: new or unusual Twitter login Amazon: Action Required | Your Amazon Prime Membership has been declined Zoom: Scheduled Meeting Error Google Pay: Payment sent Stimulus Cancellation Request Approved Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription RingCentral is coming! Workday: Reminder: Important Security Upgrade Required
Research from Cofense suggests phishing emails are slightly more like to contain a link to a malicious website (38%) than a malicious attachment (36%).   Further reading: ⚡ How to Identify a Malicious Website   The most common malicious attachments 2021 Tessian research suggests that PDFs are the most common type of malicious file attached with phishing emails. This trusted and versatile file format can be used to hide phishing links, run JavaScript, and deliver fraudulent invoices.   SonicWall’s 2021 Cyber Threat report suggests that there was a huge jump in the number of malicious PDFs and Microsoft Office files (sent via email) between 2018 and 2020. Workers are particularly likely to click these trusted formats. The volume of malicious Office and PDF files did start to dip in 2021, however, as some workers returned to working in the office.   However, it’s important to note—as users become more wary of opening suspicious-looking files—that many malicious emails don’t contain an attachment. In fact, 2021 Tessian research found that 76% of malicious emails did not contain an attachment.   The data that’s compromised in phishing attacks   The top three “types” of data that are compromised in a phishing attack are: Credentials (passwords, usernames, pin numbers) Personal data (name, address, email address) Medical (treatment information, insurance claims)   When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:  60% of organizations lost data 52% of organizations had credentials or accounts compromised 47% of organizations were infected with ransomware 29% of organizations were infected with malware 18% of organizations experienced financial losses
The cost of a breach   In 2021, RiskIQ estimated that businesses worldwide lose $1,797,945 per minute due to cybercrime—and that the average breach costs a company $7.2 per minute. IBM’s 2021 research into the cost of a data breach ranks the causes of data breaches according to the level of costs they impose on businesses.    Phishing ranks as the second most expensive cause of data breaches—a breach caused by phishing costs businesses an average of $4.65 million, according to IBM. And Business Email Compromise (BEC)—a type of phishing whereby the attackers hijack or spoof a legitimate corporate email account—ranks at number one, costing businesses an average of $5.01 million per breach.   That’s not the only way phishing can lead to a costly breach—attacks using compromised credentials were ranked as the fifth most costly cause of a data breach (averaging $4.37 million). And how do credentials get compromised? More often than not, due to phishing.   On the plus side, IBM found that businesses with AI-based security solutions experienced a significant reduction in the costs associated with a data breach. In fact, AI security solutions were found to be the biggest factor in cutting breach costs, from $6.71 million to $2.90 million.   According to Verizon, organizations also see a 5% drop in stock price in the 6 months following a breach. Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime.   And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter.   This cost can be broken down into several different categories, including:   Lost hours from employees Remediation Incident response Damaged reputation Lost intellectual property Direct monetary losses Compliance fines Lost revenue Legal fees   Costs associated remediation generally account for the largest chunk of the total.    Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.  The most targeted industries   CISCO’s 2021 data suggests that financial services firms are the most likely to be targeted by phishing attacks, having been targeted by 60% more phishing attacks than the next-highest sector (which CISCO identifies as higher education).   Tessian’s 2021 research suggests workers in the following industries received a particularly large quantity of malicious emails:   Retail (an average of 49 malicious emails per worker, per year) Manufacturing (31) Food and beverage (22) Research and development (16) Tech (14) Phishing by country   Not all countries and regions are impacted by phishing to the same extent, or in the same way.   Here are some statistics from another source showing the percentage of companies that experienced a successful phishing attack in 2020, by country: United States: 74% United Kingdom: 66% Australia: 60% Japan: 56% Spain: 51% France: 48% Germany: 47%   Phishing awareness also varies geographically. Here’s the percentage of people who correctly answered the question: “What is phishing?”, by country: United Kingdom: 69% Australia: 66% Japan: 66% Germany: 64% France: 63% Spain: 63% United States: 52%   As you can see, there’s no direct correlation between phishing awareness and phishing susceptibility, which is why security training isn’t enough to prevent cybercrime. The most impersonated brands   2021 Tessian research found these to be the most commonly impersonated brands in phishing attacks:   Microsoft ADP Amazon Adobe Sign Zoom   The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information.   But it’s not just consumer brands that scammers impersonate. Public bodies are also commonly mimicked in phishing scams.   Between August 2020 and July 2021, the UK’s tax authority (HMRC) reported: Over than 450 COVID-19-related financial support scams More than one million reports of “suspicious contact” (namely, phishing attempts) More than 13,000 malicious web pages (used as part of phishing attacks) The rates of phishing and other scams reported by HMRC more than doubled in this period.
Facts and figures related to COVID-19 scams   Phishing scammers had a field day exploiting the fear and uncertainty that arose as a result of COVID-19. Crowdstrike identified the following most common themes among COVID-related phishing emails    Exploitation of individuals looking for details on disease tracking, testing and treatment  Impersonation of medical bodies, including the World Health Organization (WHO) and U.S. Centers for Disease Control and Prevention (CDC)  Financial assistance and government stimulus packages  Tailored attacks against employees working from home  Scams offering personal protective equipment (PPE)  Passing mention of COVID-19 within previously used phishing lure content (e.g., deliveries, invoices and purchase orders)   And the COVID phishing surge is far from over. In December 2021, the US Federal Trade Commission (FTC) launched a new rule-making initiative aiming to combat the tidal wave of COVID scams, having received 12,491 complaints of government impersonation and 8,794 complaints of business impersonation related to the pandemic.   Further reading: ⚡ COVID-19: Screenshots of Phishing Emails ⚡How Hackers Are Exploiting the COVID-19 Vaccine Rollout ⚡ Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks. Phishing and the future of work   The move to remote work has presented many challenges to business—and the increased range, frequency, and probability of security incidents are among the most serious.   New working habits have contributed to the recent surge in phishing because IT teams have less oversight over how colleagues are using their devices and can struggle to provide support when things go wrong.   According to Microsoft’s New Future of Work Report:    80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began.  Of these, 62% said phishing campaigns had increased more than any other type of threat. Employees said they believed IT departments would be able to mitigate these phishing attacks if they had been working in the office   Furthermore, an August 2021 survey conducted by Palo Alto Networks found that: 35% of companies reported that their employees either circumvented or disabled remote security measures Workers at organizations that lacked effective remote collaboration tools were more than eight times as likely to report high levels of security evasion 83% of companies with relaxed bring-your-own-device (BYOD) usage led to increased security issue   Further reading: ⚡ The Future of Hybrid Work ⚡ 7 Concerns Security Leaders Have About Permanent Remote Working
What can individuals and organizations do to prevent being targeted by phishing attacks?   While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received.   You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action.   Review the email address of senders and look out for impersonations of trusted brands or people (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.) Always inspect URLs in emails for legitimacy by hovering over them before clicking Beware of URL redirects and pay attention to subtle differences in website content Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply   But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough.   That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.   Further reading: ⚡ Tessian Defender: Product Data Sheet  
ATO/BEC Human Layer Security Life at Tessian Engineering Team
Why Confidence Matters: How Good is Tessian Defender’s Scoring Model?
10 January 2022
This post is part two of Why Confidence Matters, a series about how we improved Defender’s confidence score to unlock a number of important features. You can read part one here.   In this part, we will focus on how we measured the quality of confidence scores generated by Tessian Defender. As we’ll explain later, a key consideration when deciding on metrics and setting objectives for our research was a strong focus on product outcomes.   Part 2.1 – Confidence score fundamentals   Before we jump into the particular metrics and objectives we used for the project, it’s useful to discuss the fundamental attributes that constitute a good scoring model.   1. Discriminatory power   The discriminatory power of a score tells us how good the score is at separating between positive (i.e. phishy) and negative examples (i.e. safe). The chart below illustrates this idea.    For each of two models, the image shows a histogram of the model’s predicted scores on a sample of safe and phish emails, where 0 is very sure the email is safe and 1 is absolutely certain the email is phishing.    While both are generally likely to assign a higher score for a phishing email than a safe one, the example on the left shows a clearer distinction between the most likely score for a phishing vs a safe email.
 
Discriminatory power is very important in the context of phishing because it determines how well we can differentiate between phishing and safe emails, providing a meaningful ranking of flags from most to least likely to be malicious. This confidence also unlocks the ability for Tessian Defender to quarantine emails which are likely to be phishing, and reduce flagging on emails we are least confident about, improving the precision of our warnings.  
2. Calibration Calibration is another important attribute of the confidence score. A well-calibrated score will reliably reflect the probability that a sample is positive. Calibration is normally assessed using a calibration curve, which looks at the precision of unseen samples across different confidence scores (see below).
The above graph shows two example calibration curves. The gray line shows what a perfectly calibrated model would look like: the confidence score predicted for samples (x-axis) always matches the observed proportion of phishy emails (y-axis) at that score. In contrast, the poorly-calibrated red line shows a model that is underconfident for lower scores (model predicts a lower score than the observed precision) and overconfident for high scores.   From the end-user’s perspective, calibration is especially important to make the score interpretable, and especially matters if the score will be exposed to the user.
3. Consistency  A good score will also generalize well across different cuts of the samples it applies to. For example, in the context of Tessian Defender, we needed a score that would be comparable across different types of phishing. For example, we should expect the scoring to work just as well for Account Takeover (ATO) as it does for a Brand Impersonation. We also had to make sure that the score generalized well across different customers, who operate in different industries and send and receive very different types of emails. For example, a financial services firm may receive a phishing email in the form of a spoofed financial newsletter, but such an email would not appear in the inbox of someone working in the healthcare sector.
Metrics  How do we then quantify the above attributes for a good score? This is where metrics come into play – it is important to design appropriate metrics that are technically robust, yet easily understandable and translatable to a positive user experience.   A good metric for capturing the overall discriminatory power of a model is the area under the ROC curve (AUC-ROC) or the average precision of a model at different thresholds, which capture the performance of the model across all possible thresholds. Calibration can be measured with metrics that estimate the error between the predicted score and true probability, such as the Adaptive Calibration Error (ACE).    While these out-of-the-box metrics are commonly used to assess machine learning (ML) models, there are a few challenges which make it hard to use in a business context.    First, it is quite difficult to explain simply to stakeholders who are not familiar with statistics and ML. For example, the AUC-ROC score doesn’t tell most people how well they should expect a model to behave. Second, it’s difficult to translate real product requirements into AUC-ROC scores. Even for those who understand these metrics, it’s not easy to specify what increase in these scores would be required to achieve a particular outcome for the product.
Defender product-centric metrics   While we still use AUC-ROC scores within the team and compare models by this metric, the above limitations meant that we had to also design metrics that could be understood by everyone at Tessian, and directly translatable to a user’s product feature experience.    First, we defined five simpler-to-understand priority buckets that were easier to communicate with stakeholders and users (from Very Low to Very High). We aimed to be able to quarantine emails in the highest priority bucket, so we calibrated each bucket to the probability of an email being malicious. This makes each bucket intuitive to understand, and allows us to clearly translate to our users’ experience of the quarantine feature.    For the feature to be effective, we also defined a minimum number of malicious emails to prevent reaching the inbox, as a percentage of the company’s inbound email traffic. Keeping track of this metric prevents us from over-optimizing the accuracy of the Very-High bucket at the expense of capturing most of the malicious emails (recall), which would greatly limit the feature’s usefulness.   While good precision in the highest confidence bucket is important, so is accuracy on the lower end of the confidence spectrum.    A robust lower end score will allow us to stop warning on emails we are not confident in, unlocking improvements in overall precision to the Defender algorithm. Hence, we also set targets for accuracy amongst emails in the Very-Low/Low buckets.    For assurance of consistency, the success of this project also depended on achieving the above metrics across slices of data – the scores would have to be good across the different email threat types we detect, and different clients who use Tessian Defender.
Part 2.2 – Our Data: Leveraging User Feedback After identifying the metrics, we can now look at the data we used to train and benchmark our improvements to the confidence score.Having the right data is key to any ML application, and this is particularly difficult for phishing detection. Specifically, most ML applications rely on labelled datasets to learn from.    We found building a labelled dataset of phishing and non-phishing emails especially challenging for a few reasons:
Data challenges Phishing is a highly imbalanced problem. On the whole, phishing emails are extremely low in volumes compared to all other legitimate email transactions for the average user. On a daily basis, over 300 billion emails are being sent and received around the world, according to recent statistics. This means that efforts to try to label emails manually will be highly ineffective, like finding a needle in a haystack.   Also, phishing threats and techniques are constantly evolving, such that even thousands of emails labelled today would quickly become obsolete. The datasets we use to train phishing detection models must constantly be updated to reflect new types of attacks.   Email data is also very sensitive by nature. Our clients trust us to process their emails, many of which contain sensitive data, in a very secure manner.  For good reasons, this means we control who can access email data very strictly, which makes labelling harder.    All these challenges make it quite difficult to collect large amounts of labelled data to train end-to-end ML models to detect phishing.
User feedback and why it’s so useful   As you may remember from part one of this series, end-users have the ability to provide feedback about Tessian Defender warnings. We collect thousands of these user responses weekly, providing us with invaluable data about phishing.   User responses help address a number of the challenges mentioned above.    First, they provide a continually updated view of changes in the attack landscape. Unlike a static email dataset labelled at a particular point in time, user response labels can capture information about the latest phishing trends as we collect them, day-in and day-out. With each iteration of model retraining with the newest user labels, user feedback is automatically incorporated into the product. This creates a positive feedback loop, allowing the product to evolve in response to users’ needs.   Relying on end-users to label their own emails also helps alleviate concerns related to data sensitivity and security. In addition, end-users also have the most context about the particular emails they receive. Combined with explanations provided by Tessian warnings, they are more likely to provide accurate feedback.    These benefits address all the previous challenges we faced neatly, but it is not without its limitations.    For one, the difference between phishing, spam and graymail is not always clear to users, causing spam and graymail to often be labelled as malicious. Often, several recipients of the same email can also disagree on whether it is malicious. Secondly, user feedback data may not be a uniform representation of the email threat landscape – we often receive more feedback from some clients or certain types of phishing. Neglecting to address this under-representation would result in a model that performs better for some clients, something we absolutely need to avoid in order to ensure consistency in the quality of our product for all new and existing clients.   In the last part of the series Why Confidence Matters, we’ll discuss how we navigated the above challenges, delve deeper into the technical design of the research pipeline used to build the confidence-scoring model, and the impact that this has brought to our customers.
(Co-authored by Gabriel Goulet-Langlois and Cassie Quek)
ATO/BEC Human Layer Security Life at Tessian Engineering Team
Why Confidence Matters: How We Improved Defender’s Confidence Scores to Fight Phishing Attacks
04 January 2022
‘Why Confidence Matters’ is a weekly three-part series. In this first article, we’ll explore why a reliable confidence score is important for our users. In part two, we’ll explain more about how we measured improvements in our scores using responses from our users. And finally, in part three, we’ll go over the pipeline we used to test different approaches and the resulting impact in production.   Part One: Why Confidence Matters   Across many applications of machine learning (ML), being able to quantify the uncertainty associated with the prediction of a model is almost as important as the prediction itself.  Take, for example, chatbots designed to resolve customer support queries. A bot which provides an answer when it is very uncertain about it, will likely cause confusion and dissatisfied users. In contrast, a bot that can quantify its own uncertainty, admit it doesn’t understand a question, and ask for clarification is much less likely to generate nonsense messages and cause frustration amongst its users.
The importance of quantifying uncertainty   Almost no ML model gets every prediction right every time – there’s always some uncertainty associated with a prediction. For many product features, the cost of errors can be quite high. For example, mis-labelling an important email as phishing and quarantining it could result in a customer missing a crucial invoice, or mislabelling a bank transaction as fraudulent could result in an abandoned purchase for an online merchant.    Hence, ML models that make critical decisions need to predict two key pieces of information: 1. the best answer to provide a user 2. a confidence score to quantify uncertainty about the answer. Quantifying the uncertainty associated with a prediction can help us to decide if, and what actions should be taken.
How does Tessian Defender work?   Every day, Tessian Defender checks millions of emails to prevent phishing and spear phishing attacks. In order to maximise coverage,  Defender is made up of multiple machine learning models, each contributing to the detection of a particular type of email threat (see our other posts on phishing, spear phishing, and account takeover).      Each model identifies phishing emails based on signals relevant to the specific type of attack it targets. Then, beyond this primary binary classification task, Defender also generates two key outputs for any email that is identified as potentially malicious across any of the models:   A confidence score, which is related to the probability that the email flagged is actually a phishing attack. This score is a value between 0 (most likely safe) and 1 (most certainly phishing), which is then broken down into 4 categories of Priority (from Low to Very High). This score is important for various reasons, which we further expand on in the next section. An explanation of why Defender flagged the email. This is an integral part of Tessian’s approach to Human Layer Security: we aim not only to detect phishy emails, but also to educate users in-the-moment so they can continually get better at spotting future phishing emails. In the banner, we aim to concisely explain the type of email attack, as well as why Defender thinks it is suspicious. Users who see these emails can then provide feedback about whether they think the email is indeed malicious or not. Developing explainable AI is a super interesting challenge which probably deserves its own content, so we won’t focus on it in this particular series. Watch this space!   
Why Confidence Scores Matters  Beyond Defender’s capability to warn on suspicious emails, there were several key product features we wanted to unlock for our customers that could only be done with a robust confidence score. These were: Email quarantine Based on the score, Defender first aims to quarantine the highest priority emails to prevent malicious emails from ever reaching their employees’ mailboxes. This not only reduces the risk exposure for the company from an employee still potentially interacting with a malicious email; it also removes burden and responsibility from the user to make a decision, and reduces interruption to their work.   Therefore, for malicious emails that we’re most confident about, quarantining is extremely useful. In order for quarantine to work effectively, we must:   Identify malicious emails with very high precision (i.e. very few false positives). We understand the reliance of our customers on emails to conduct their business, and so we needed to make sure that any important communications must still come through to their inboxes unimpeded. This was very important so that Tessian’s Defender can secure the human layer without security getting in our user’s way.  Identify a large enough subset of high confidence emails to quarantine. It would be easy to achieve a very high precision by quarantining very few emails with a very high score (a low recall), but this would greatly limit the impact of quarantine on how many threats we can prevent. In order to be a useful tool, Defender would need to quarantine a sizable volume of malicious emails.   Both these objectives directly depend on the quality of the confidence score. A good score would allow for a large proportion of flags to be quarantined with high precision.
Prioritizing phishy emails In today’s threat landscape, suspicious emails come into inboxes in large volumes, with varying levels of importance. That means it’s critical to provide security admins who review these flagged emails with a meaningful way to order and prioritize the ones that they need to act upon. A good score will provide a useful ranking of these emails, from most to least likely to be malicious, ensuring that an admin’s limited time is focused on mitigating the most likely threats, while having the assurance that Defender continues to warn and educate users on other emails that contain suspicious elements.   The bottom line: Being able to prioritize emails makes Defender a much more intelligent tool that is effective at improving workflows and saving our customers time, by drawing their attention to where it is most needed.  
Removing false positives We want to make sure that all warnings Tessian Defender shows employees are relevant and help prevent real attacks.    False positives occur when Defender warns on a safe email. If this happens too often, warnings could become a distraction, which could have a big impact on productivity for both security admins and email users. Beyond a certain point, a high false positive rate could mean that warnings lose their effectiveness altogether, as users may ignore it completely. Being aware of these risks, we take extra care to minimize the number of false positives flagged by Defender.    Similarly to quarantine, a good confidence score can be used to filter out false positives without impacting the number of malicious emails detected. For example, emails with a confidence score below a given threshold could be removed to avoid showing employees unnecessary warnings.
What’s next?   Overall, you can see there were plenty of important use cases for improving Tessian Defender’s confidence score. The next thing we had to do was to look at how we could measure any improvements to the score. You can find a link to part two in the series below (Co-authored by Gabriel Goulet-Langlois and Cassie Quek)
ATO/BEC Email DLP Human Layer Security
A Year in Review: 2021 Product Updates
By Harry Wetherald
16 December 2021
Looking back at the last 12 months, Tessian’s Human Layer Security platform has scanned nearly 5 billion emails, identified over half a million malicious emails, stopped close to 30,000 account takeover attempts, and prevented over 100,000 data breaches due to a misdirected email…   At the same time, we rolled out a number of important product updates to help keep our customers safe. Here are the most important product updates to Tessian’s Human Layer Security platform from 2021.   We built world’s first Intelligent Data Loss Prevention Engine   We believe that the next generation of Data Loss Prevention is fundamentally about shifting away from entirely rule-based techniques towards a dynamic, behavioral approach. That’s why we built Guardian and Enforcer, to automatically prevent both accidental data loss and sensitive data exfiltration to unauthorized accounts.    But we have also seen that, when combined with dynamic behavioral analysis, custom DLP policies, play an important role in an organization’s data security strategy.   With the launch of Tessian Architect in October 2021, enterprises can now deploy powerful, intelligent DLP policies. Architect is a perfect complement to Tessian Guardian and Enforcer and provides the market’s best-in-class Email DLP platform:   Architect was built together with leading security teams – it’s intuitive, quick-to-learn and comes with a library of prebuilt policies Architect has built-in machine learning capabilities and features a powerful logic engine to address even the most complex DLP use cases Architect is designed to educate users about data security practices in-the-moment and guide people towards better behavior Want to learn more about Tessian Architect? Read more about it here.
We now protect customers from compromised external counterparties   This year, we saw a record number of bad actors compromising email accounts of trusted external senders (suppliers, customers, and other third-parties) to breach a target company. These attacks are canned external Account Takeovers (ATO), and they’re one of the main pathways to Business Email Compromise (BEC).   Because these malicious emails don’t just appear to have come from a trusted vendor or supplier’s legitimate email address, but actually do come from it, external ATOs are incredibly hard to spot, meaning organizations are exceptionally vulnerable to them.    Tessian Defender now automatically detects and stops external Account Takeover attacks.    By using machine learning to understand a sender’s normal email sending patterns (like where they usually send from, what they talk about, what services they use, and more), it can identify suspicious deviations from the norm and detect malicious emails.    When this happens, Defender can either block these attacks, or show educational alerts to end-users, helping them identify and self-triage attacks.   Learn more about External Account Takeover protection here.
We now stop more threats, with better accuracy, with less admin overhead   In-the-moment warnings are one of the features that set Tessian apart from the competition. When Tessian Defender detects a potentially malicious email, it warns users with a pop-up, explaining exactly why the email was flagged.   But, we know that sometimes, it’s better to automatically block phishing emails.   Tessian Defender now automatically blocks attacks, before they reach a user’s mailbox. This gives security teams an  additional layer of email security, preventing end-users from receiving emails that are highly likely to be phishing attacks.    Defender can also adapt the response it takes to remediate a threat. If our machine learning is close to certain an email is malicious, it can quarantine it. Otherwise, it can deliver it to the end-user with an educational warning. This adaptive approach is so powerful because it strikes a balance between disrupting end-users and protecting them.   Finally, this year, Tessian Defender’s detection algorithm made some big strides. In particular, improvements in our risk confidence model allowed us to reduce false positives by significantly providing a better experience to end-users and security teams.
We now stop employees from accidentally sending the wrong attachment   Accidental data loss is the number one security incident reported to the Information Commissioner’s Office, and sending an incorrect attachment is part of that problem. In fact, 1 in 5 external emails contain an attachment, and research shows nearly half (48%) of employees have attached the wrong file to an email.    42% of documents sent in error contained company research and data 39% contained security information like passwords and passcodes 38% contained financial information and client information.  36% of mistakenly attached documents contained employee data   Thanks to an upgrade to Tessian Guardian, organizations can now prevent employees from accidentally sending the wrong attachment in an email.    The upgrade uses historical learning, deep content inspection, natural language processing (NPL), and heuristics to detect counterparty anomalies, name anomalies, context anomalies, and file type anomalies to understand whether an employee is attaching the correct file or not. If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. This is completely automated, requiring no overhead from IT teams.   Best of all, the warnings are helpful, and flag rates are extremely low. This means employees can do their jobs without security getting in the way.   Learn more about misattached file protection here.
We can now quantify and measure human layer risk   Comprehensive visibility into employee risk is one of the biggest challenges security leaders face. With the Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture, with granular visibility into employee risk, and insights into their risk levels and drivers.   How does it work? Tessian creates risk profiles for each employee, modelled from a range of signals like email usage patterns, indirect risk indicators, and employee security decisions (both historic and in real-time). Because of this unique data modelling, Tessian can gauge employees’ risk level, including whether or not they’re careful, careless, frequently attacked, and more.   This offers organizations protection, training, and risk analytics all in one platform, providing a clear picture of risk and the tools needed to reduce it.   Learn more about the Human Layer Risk Hub here.
We now integrate with KnowBe4, Sumo Logic, Okta, and more… Tessian is even more powerful when integrated with other security solutions that help address the risk posed by employees. That’s why, in the last 12 months, we’ve announced exciting integrations with Okta, Sumo Logic, and KnowBe4, each with their own unique benefits for joint customers. With Sumo Logic + Tessian, security and risk team can understand their risk through out-of-the-box monitoring and analytics capabilities.
With Okta + Tessian, security and risk management teams geet granular visibility into their organization’s riskiest and most at-risk employees and consequently enable them to deploy policies that can help protect particular groups of users from threats like advanced spear phishing and account compromise and prevent accidental data leaks.
And with KnowBe4 + Tessian, security and risk management teams get more visibility into phishing risk than ever before.
Want to help us solve more challenges across use cases? Come build with us.
Human Layer Security
Introducing HumanLayerSecurity.com: An Online Magazine for Security Leaders
By Maddie Rosenthal
15 December 2021
2021 has been a huge year for Human Layer Security (HLS).    Both Gartner and Forrester recognized the benefits of this new approach. The RE: Human Layer Security podcast hosted by Tessian Co-Founder and CEO, Tim Sadler, received over 5,000 downloads, and nearly 6,000 security, risk, compliance, and business leaders attended the Human Layer Security Summit.   This represents a fundamental shift in how we all approach cybersecurity, and firmly cements HLS as a new category in the space.    Instead of focusing on networks, endpoints, and devices, security teams are now focusing on people. They’re adopting next-gen technology that tackles human error, they’re re-thinking standard security awareness training (SAT) in favor of more engaging and effective alternatives, and are prioritizing strong, inclusive security cultures that make people a part of the solution, instead of just an intractable problem.    Introducing HumanLayerSecurity.com   Such a shift demands a watering hole; a space where the larger security community can share ideas and best practices, actively engage with one another, and drive the industry forward, together.    So, we’ve launched just that.   Humanlayersecurity.com is a thought leadership hub with crowd-sourced content from the security community, for the security community. (Because we know the that the #1 source of information for security leaders is…other security leaders…)
What’s next?   In the short-term, it’s an online magazine featuring thought leadership from some of the industry’s most respected (and diverse) voices, including CISOs, ethical hackers, and academics. Long-term, it will evolve to become something living and breathing, with a Slack channel and curated events.    If you’d like to submit a piece, drop the editorial team a note at marketing@tessian.com. And if you have ideas for topics that you’d like to see covered in a future issue, we’d love to hear that, too.   One more thing before you go…   Follow us on Twitter and subscribe to the bi-weekly newsletter to be the first to hear about new articles, job openings in cybersecurity, and much more.
ATO/BEC Human Layer Security
Product Integration News: Tessian + KnowBe4 = Tailored Phishing Training
By Austin Zide
07 December 2021
Following other recent integrations (Okta, Sumo Logic…) we’re adding KnowBe4 – the world’s largest integrated security awareness training and simulated phishing platform – to the list, giving organizations more  visibility into phishing risk than ever.
What are the benefits of Tessian + KnowBe4? The integration combines KnowBe4’s phishing simulation and training results with powerful insights from Tessian’s Human Layer Risk Hub, to give security and risk management teams a more comprehensive view of their riskiest employees. By identifying the employees who are most likely to fall for phishing attacks, security teams can adjust their security policies to the specific risks posed by individuals or deliver more tailored training in the areas where people are struggling most.    With Tessian + KnowBe4: Training is more relevant Employees are more engaged  Security leaders can easily report on the impact training has on improving the company’s overall security posture   This is a shift away from the traditional approach to security awareness training and is a much-needed solution to the ever-growing problem of phishing attacks. Figures show that 1 in 4 employees has clicked on a phishing email at work, while the FBI revealed that phishing was the most common type of cybercrime last year, with 11x as many phishing reports in 2020 compared to 2016.
Learn more To find out more about the Tessian and KnowBe4 integration, click here.
Email DLP Human Layer Security Customer Stories
16 Ways to Get Buy-In For Cybersecurity Solutions
By Maddie Rosenthal
03 December 2021
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.  This is easier said than done, but security is business-critical.   So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips. You can download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. Or, download this eBook. 1. Familiarize yourself with overall business objectives While cybersecurity has historically been a siloed department, today, it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.  The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case. If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach, the average cost of a data breach is $4.24 million.)
2. Create specific “what-if” scenarios A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.  As the saying goes, “If it ain’t broke, don’t fix it”.  That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented so that stakeholders can understand both probability and impact. For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails  which – by the way- are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox.  What would happen?  Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.  3. Work closely with the security vendor You know your business. Security vendors know their product. If you combine each of your expertise – and really lean on each other – you’ll have a much better chance of making a compelling case for a particular solution. Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.  4. Collaborate and align with other departments It takes a village and cybersecurity is a “people problem”.  That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.  Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win!
5. Consider how much the executive(s) really know about security To communicate effectively, you have to speak the same language. And, we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with. But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing. For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But, if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.  In short: Don’t succumb to the Curse of Knowledge. 
6. Use analogies to put costs into perspective  One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful. For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But, the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.  Suddenly, the cost will seem more manageable and worth the investment. 7. Invite key stakeholders to events or webinars  Before you even start pitching a particular solution, warm-up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people/organizations are finding solutions. Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle.  8. Prepare concise and personalized briefing materials Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5. After taking some time to understand the business’ overall objectives, take a closer look at individual peoples’ roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity. Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.  The bottom line: make it about them. 9. Share these documents in advance of any formal meetings While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.  To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings. But, don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information. 10. Build a strong security culture Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone. So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping – not blaming – employees. There has to be a certain level of mutual trust and respect.  Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions – whether it’s clicking on a phishing email or using a weak password – have consequences.  If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign-off on solutions. 11. Keep an eye on security trends outside of your industry  Some industries – specifically Healthcare, Financial Services, and Legal – are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months. Keep this in mind. If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too. 12. Approach non-executive stakeholders early on While – yes – getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.  After all, those are the people who will actually be responsible for deploying the solution and maintaining it.By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.  How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.  13. Match like-for-like people from both sides If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level. For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.  And, with that in mind…. 14. Preempt questions and prepare answers No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!) Remember, people are generally concerned with how a problem/solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.  15. Get specific customer references from the vendor We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And, we mentioned in tip #11 that you should match like-for-like people in meetings. It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince you’re CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from the CTO. Why? Professionals trust and rely on their peers when making difficult decisions. 16. Be conscious (and considerate of) peoples’ time  Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).  Are you a security leader who wants to offer advice to your peers? We’d love to hear from you! Please get in touch with madeline.rosenthal@tessian.com. And, if you’re looking for more advice, check out these blogs: How to Communicate Cybersecurity ROI Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges How to Create an Enduring and Flexible Cybersecurity Strategy
ATO/BEC Human Layer Security Life at Tessian
Holiday Book Recommendations for Security Professionals
By Maddie Rosenthal
01 December 2021
It’s the holidays, so we thought we’d pull together a little reading guide for when you get some well-earned downtime.  Got a voucher (or even cash – retro!) these past holidays and need some reading inspo? We asked around the Tessian offices for recommendations for good reads in the tech and security space. Here’s the team’s recommendations.
Cyber Privacy: Who Has Your Data and Why You Should Care April Falcon Doss Amazon, Google, Facebook, governments. No matter who we are or where we go, someone is collecting our data: to profile us, target us, assess us; to predict our behavior and analyze our attitudes; to influence the things we do and buy — even to impact our vote. Read more at Good Reads   Social Engineering: The Science of Human Hacking Christopher Hadnagy Social Engineering: The Science of Human Hacking reveals the craftier side of the hacker’s repertoire—why hack into something when you could just ask for access? Undetectable by firewalls and antivirus software, social engineering relies on human fault to gain access to sensitive spaces; in this book, renowned expert Christopher Hadnagy explains the most commonly-used techniques that fool even the most robust security personnel, and shows you how these techniques have been used in the past. We take a deep dive into the psychology of human error in this report, with insights from Stanford Psychology and Communications professor Jeff Hancock. Read more at Good Reads.    The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats Richard A. Clarke  “Great book on the challenges of cyberwarfare policy” – Paul Sanglé-Ferrière, Product Manager, Tessian. An urgent new warning from two bestselling security experts – and a gripping inside look at how governments, firms, and ordinary citizens can confront and contain the tyrants, hackers, and criminals bent on turning the digital realm into a war zone. Read more at Good Reads   The Wires of War: Technology and the Global Struggle for Power Jacob Helberg From the former news policy lead at Google, an urgent and groundbreaking account of the high-stakes global cyberwar brewing between Western democracies and the autocracies of China and Russia that could potentially crush democracy. Read more at Good Reads   This Is How They Tell Me the World Ends: The Cyberweapons Arms Race Nicole Perlroth Filled with spies, hackers, arms dealers, and a few unsung heroes, written like a thriller and a reference, This Is How They Tell Me the World Ends is an astonishing feat of journalism. Based on years of reporting and hundreds of interviews, The New York Times reporter Nicole Perlroth lifts the curtain on a market in shadow, revealing the urgent threat faced by us all if we cannot bring the global cyber arms race to heel. Read more at Good Reads.   The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data Kevin Mitnick & Robert Vamosi  In The Art of Invisibility Mitnick provides both online and real life tactics and inexpensive methods to protect you and your family, in easy step-by-step instructions. He even talks about more advanced “elite” techniques, which, if used properly, can maximize your privacy. Read more at Good Reads The Cuckoo’s Egg Clifford Stoll “Probably the original threat actor report – so good” – Matt Smith, Software Engineer at Tessian In 1986,  Clifford Stoll – a systems administrator at the Lawrence Berkeley National Laboratory – wrote this book. Based on his field notes, this is arguably one of the first documented cases of a computer hack and the subsequent investigation, which eventually led to the arrest of Markus Hess. It’s now considered an essential read for anyone interested in cybersecurity. Read more at Good Reads. CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers  Todd Fitzgerald While this book covers all the fundamentals of IT security governance and risk management, it also digs deeper into people. After all, being a CISO isn’t just about technology. The insights in the book come directly from CISOs. In total, 75 security leaders contributed to the book, which means there’s plenty of actionable advice you can apply to your strategies.  Looking for more insights from security leaders? Check out Tessian’s CISO Spotlight series. Read more at Good Reads.   Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers  Andy Greenburg Politics play a big role in cybercrime. This book is focused on Sandworm, the group of Russian hackers who, over the last decade, has targeted American utility companies, NATO, and electric grids in Eastern Europe and paralyzed some of the world’s largest businesses with malware. But the author, Wired senior writer Andy Greenberg, also provides plenty of background on both the technology and the relationships between various countries. Read more on Good Reads.   Cult of the Dead Cow Joseph Menn Cult of the Dead Cow is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers.  Cult of the Dead Cow explores some of the world’s most infamous hacking groups – particularly the cDc – and explains how technology, data, and – well – the world has changed because of them. Read more at Good Reads. The Making of a Manager: What to Do When Everyone Looks to You Julie Zhuo  Congratulations, you’re a manager! After you pop the champagne, accept the shiny new title, and step into this thrilling next chapter of your career, the truth descends like a fog: you don’t really know what you’re doing. Read more at Good Reads. CISM Certified Information Security Manager All-in-One Exam Guide Yes, this is an exam guide…and yes you should add it to your reading list. If nothing else, to have on-hand as a reference. Why? It covers everything. Security governance, risk management, security program development, and security incident management. Curious as to whether or not other security professionals have their CISM certification? We interviewed 12 women about their journeys in cybersecurity. Read their profiles here and the full report, Opportunity in Cybersecurity Report 2020. Read more on Good Reads. The health benefits of reading Whatever you choose to read these holidays, the health benefits of reading are well documented. As our Lost Hours report revealed, many CISOs aren’t taking time out from their jobs to de-stress and unwind. So make sure you schedule a little you time with a good book.  
Interviews With CISOs Podcast
Q&A with Ben Aung, Chief Risk Officer at SAGE
29 November 2021
Ben Aung is the Chief Risk Officer at SAGE, formerly served as a Deputy Government Chief Security Officer in the UK government, and is a Tessian customer. He discussed insider threats, fear uncertainty and doubt (FUD), and the Great Resignation with Tessian CEO and Co-Founder, Tim Sadler, on the RE: Human Layer Security podcast. Listen here, or read the Q&A below.   Tessian: How has this year been for you and your team at SAGE?   Ben: I’m surprised how much we’ve managed to achieve under challenging circumstances.    We’ve managed to get to a “business-as-usual” state much faster than I would have expected, and many of the kind of “doomsday” threats that we might have been anticipating as a result of COVID haven’t really materialized for me.   Tessian: What are your thoughts on insider threats? Could you share a bit about how you’ve been focused on insider threats throughout your career? Ben: Most of my career in government has been in information security, computer security, or cybersecurity—depending on which term was de rigueur at the time—but when I joined the Cabinet Office in 2012, my first gig I got there was as the Senior Policy Adviser in the National Security Secretariat for insider threats.
Soon after I joined, we were dealing with the aftermath of the Edward Snowden disclosures, which—as many people will remember—were a seismic event in the insider threat world, and caused a great deal of reflection and introspection around how much confidence we could have in some of the very long-standing controls that we’d had around mitigating the most severe insider incidents, particularly in the national security context.   That was a real “baptism by fire” for me in the insider world. I was working across the Five Eyes countries and trying to join up what we all thought was a fairly consistent understanding of how to fight insider threats, but I found out we were all doing things in slightly different ways.    My experience of working with the intelligence community in that very high threat, high impact context was that—in amongst all of the complexity, and “smoke and mirrors,” and spookery—many of the issues were just fundamental people issues or control issues that I expect nearly every organization to face, in one way or another.   Tessian: According to stats, insider threats have risen almost about 50% in the past two years. Why do you think it’s such a challenging problem to solve?   Ben: I think we overcomplicate it, would be my headline. We don’t think holistically about the interventions we can make in the lifecycle of an individual or an insider incident that might reduce both the opportunity and the impact.   We often put too much emphasis on hard technical controls. We lock systems down, so they become unusable, and people just find ways to circumvent them.    We put too many eggs in one basket, and we don’t think about all the little things we can do that cumulatively, or in aggregate, can support us.   The other thing I’d say is—cybersecurity, as an area of risk, is too populated with anecdotes and an absence of data. And it’s too driven by the worst-case scenarios, rather than the everyday, which I think are too often the starting point for the more severe events that happen later down the line.    Tessian: How do we take steps towards that more data-driven approach, and what’s your advice to people who may agree that they find themselves swayed by headlines and the “fear factor”?   Ben: As security professionals, we sometimes have quite thankless roles in an organization. And actually bringing a bit of excitement and interest—it’s an interesting part of the job, and sometimes adds a bit of “mythology.”
The point is that the most effective interventions are some of the most boring and the most mundane. By that, I mean—if you look across all of the most severe insider incidents of the last “x” years, effective line management would have been one of the key mitigations.   Effect line management, good pastoral care, good understanding of employee wellbeing, good performance management processes, basic controls around access, audit, and monitoring.    I think because these things have existed for such a long time, and we don’t associate them with insider risks, then they’re either overlooked, they’ve degraded, they’re boring—they don’t attract investment in the same way that other things do.   The goal is to bank all of that stuff, get that foundation in place, and then supplement with some of the specialist tools that are available on the market—like Tessian—where you can say, “I’ve got confidence in some of these fundamentals, now I want to take that step and really understand my enterprise and what’s happening in and out of it in a much more sophisticated way.”
Tessian: There have been a number of incidents reported in the news where disgruntled employees are being targeted by cybercriminals to assist in malicious activities. Is this something that concerns you?   Ben: I used to think about this a lot in government, where the notion of a “blended attack”—particularly in the nation-state context—is very relevant.   There’s often a misconception that a hostile state actor says, “I’m going to launch a cyberattack on the UK,” or “I’m going to compromise ‘x’ system”—they have an objective, and often cyber or remote attacks are the cheapest way to achieve that objective.   But in some cases, they won’t be. And a blended attack, where you use some kind of close-access technology that’s deployed by a compromised individual as a precursor to a remote attack, is a threat model that governments have to deal with.
And some of the techniques that governments can deploy against one another are absolutely crazy… the level of creativity and imagination at play… That is a very real risk in that context, and I think it’s inevitable that elements of it are going to find their way out into the commercial world.   The key consideration is: what is the cost/benefit equation that the actor is going to be relying on? And as soon as you start including vulnerable individuals, you do increase operational risks as an attacker. The ransomware groups wouldn’t care too much about that, but it’s about whether they get the pay-off they need for the level of effort they put in. And I guess, in many cases, they would. 
If you just look, in more of a social context, about how teenagers and children can be blackmailed by people on the other side of the world, then there’s no reason why someone seeking monetary gain—through a ransomware attack or otherwise—wouldn’t do the same.   I haven’t seen any real evidence that it’s happening at any sort of scale, but I think having people in your organization—like we try and achieve at SAGE—who will report early… there’s a sort of “no consequence” reporting rule in SAGE and in many organizations, where we just want to know. I think that’s one of the most effective mitigations.   This Q&A was adapted from our RE: Human Layer Security podcast. You can hear the full interview here,
Human Layer Security
Legacy Secure Email Gateways Are No Match for the Cyber Threats of Tomorrow
By John Filitz
25 November 2021
Email represents the greatest threat vector, responsible for 96% of cybersecurity breaches. And legacy email security solutions that rely on Secure Email Gateways (SEGs) and rule-based controls are simply not up to the task of mitigating increasingly advanced and evolving cyber threats.   In fact, between July 2020 and July 2021, Tessian detected 2 million malicious emails that bypassed SEGs. This declining security effectiveness is the principal reason why security leaders are starting to question whether standalone SEGs have a place in today’s cybersecurity stack.   Combined with growing alert fatigue, and an increasing level of redundancy as organizations adopt SaaS offerings like Microsoft 365 with SEG capabilities natively included, the calls for ripping and replacing SEGs are growing louder. Echoing this shift in the email security landscape, Gartner predicts by 2023, 40% of organizations will be using a cloud email security solution like Tessian in place of a SEG.
Static vs. dynamic protection   The vast majority of organizations still rely on SEGs as the main method of filtering out malicious email-based attacks. Developed in 2004 and designed in the era of on-premise email servers, one of several shortcomings of SEGs is the reliance on an overly manual, rule-based approach, based on threat intelligence.   By using threat intelligence-derived deny lists, creating allow lists, or using signatures for message authentication, SEG-based email security controls are reactively geared to protect your company’s email and data — but only from known threats. The SEG-based approach offers no protection against zero day attacks, which is a significant and growing threat vector — with zero day discoveries up by 100% in 2021. SEG solutions also fall short against attackers that have invested resources and effort into advanced social engineering campaigns, which are able to circumvent the static, rule-based controls. The greatest attack types that SEGs fail to prevent include Business Email Compromise (BEC), Account Takeover (ATO) and advanced Spear Phishing attacks.  
Email threats are on the rise   All it takes is one malicious email to bypass your existing security controls. And as Tessian research has demonstrated, malicious email bypassing SEGs and native tools is extremely common today. This is why Business Email Compromise (BEC) is seen as one of the leading threat vectors to organizations, resulting in $1.8 billion in losses in 2020.    Cybercrime is also steadily becoming more organized, with cybercriminals offering professionalized “Cybercrime-as-a-Service” offerings. Threat actors are able to bypass SEGs by leveraging intricate social engineering exploit kits procured on the dark web. They’ll even go so far as to recruit unsuspecting cybersecurity professionals to carry out attacks. Spear phishing and ATO are common methods for either perpetrating cyber fraud, data exfiltration, or even more worryingly, deploying ransomware.    The growing prominence of zero day attacks and ransomware is of particular concern. International law enforcement agencies note remote workers are being targeted with phishing emails carrying malicious payloads, including ransomware. With the  frequency of attacks doubling in the past year, ransomware attacks are now seen as the foremost threat faced by organizations.
Why organizations are ripping and replacing their SEGs   Only by shifting the focus from securing machines to securing the human layer will email-based threats be significantly mitigated. This is where best-in-breed email security solutions like Tessian come into play.    Relying on machine learning and behavioral intelligence, Tessian is able to detect and prevent anomalous and malicious inbound and outbound email traffic, including preventing data loss. Unlike SEGs, Tessian also offers protection against numerous collaboration platform entry points like Microsoft SharePoint, OneDrive and ShareFile.    And with over 70% of enterprises now hosted in one or more public clouds and utilizing SaaS productivity suites such as Microsoft 365 or Google Suite, which include native SEG capabilities such as sender reputation and authentication, spam filtering and custom routing rules, is yet another reason why standalone SEG solutions are redundant.   If you combine these native capabilities with an intelligent inbound and outbound solution like Tessian, robust email security protection is guaranteed.     Some of the standout features offered by Tessian include advanced Attachment and URL Protection (behavioral analysis and threat intelligence), as well as a range of Impersonation Attack Defense capabilities, such as:   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover  Invoice Fraud Credential Theft   Tessian also offers protection against malicious data loss enabled through a successful social engineering campaign, or accidental, for example, an employee sending sensitive company data to a personal email address. Other unique features include in-the-moment- security awareness training for suspected phishing email, as well as in-the-moment DLP  pop-ups.   Combined with Microsoft 365 or Google Workspace, Tessian’s ability to address sophisticated inbound email security threats across expanding entry points places it into the best-of-breed inbound email security solution category. But when combined with Tessian’s advanced DLP capability, it becomes undeniable that it’s time to replace your SEG for the next generation of unrivaled email security. And this is why Tessian was recognized as a representative vendor for Integrated Cloud Email Security in the 2021 Gartner Market Guide to Email Security.
Want to learn more about how and why security leaders are replacing their SEGs with Tessian? Check out our customer stories or book a demo.
ATO/BEC Human Layer Security Interviews With CISOs
All Cybersecurity 2022 Trend Articles Are BS, Here’s Why
By Josh Yavor
16 November 2021
Ah, the holidays. As we roll up to the end of the year, one thing’s certain as the office party and failed New Year’s resolutions – cybersecurity 2022 trend articles.    And like festive holiday merch in stores, trends pieces seem to appear earlier and earlier each year.    Well this year, we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.
And on Twitter, the feeling is similar… My prediction? The majority of 2022 cybersecurity predictions will again be “More of the same, packaged a bit differently” because that is how evolution works. It is only from an appreciable vantage point that one sees the scale of incremental change. 1/x — Rik Fërgüson (@rik_ferguson) November 1, 2021 My 2022 Cybersecurity Predictions: pic.twitter.com/7r4AC328q2 — c🎃e (@caseyjohnellis) November 2, 2021
So while someone, somewhere might fall for a high profile deepfake attack or AI generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that.    We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.   Infinity Trend One: People are (still ) gonna fall for the same ol’ sh*t Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Games, you can see why. You're only as strong as your weakest link. Human error wins every time. Awareness training is key. #InfoSec pic.twitter.com/tPD9yBEse3 — Khalil (@sehnaoui) June 21, 2017 You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.   Infinity Trend Two: You’ll (still ) have to explain why cybersecurity matters to the CEO An important "soft skill" as you move up in leadership roles is brevity, the ability to not only be succinct but also flexible when presenting; knowing how to adjust your content on the fly. This is crucial when presenting to higher level business leaders. Practice this! — Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec) October 28, 2021 Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue, to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.) Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey, revealing chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs overall — 63% of organizations — don’t get the kind of support they need from their CEO. If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here’s the only three metrics they care about.  
Infinity Trend Three: Attacks will (still ) come after lunch or at the end of the day (on a Tuesday) Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious, and slipped past secure email gateways (SEGs). Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.
Interestingly, Tuesday – not Friday – was the time employees sent and received the most emails, and that’s also the preferred time for spear phishing. One particular Friday does rank the very highest however, Black Friday. So if you’re reading this….  incoming! It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions? Infinity Trend Four: Your biggest risks will (still ) come from ‘inside the house’ The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over a 1,000 security professionals found that 61% think an employee will cause their next data breach.
  Infinity Trend Five: Hiring a diverse team will (still ) be one of your biggest priorities… and challenges Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation.    Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it-CEO), and you can see why it can be hard to foster a solid security culture.    InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.    So despite a decade passing, the problems most InfoSec, SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated – from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.    So our number one cybersecurity trend’ for 2022?    Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?   Until then, Happy Holidays!
Human Layer Security
Five Reasons Why Enterprise Sales Engineers Are At Higher Risk From Misdirected Emails
By Andrew Webb
10 November 2021
From the CEO to that new intern, everyone in the company email directory is a potential risk for sending misdirected emails. Misdirected emails are common — sending an email to the wrong person is an easy mistake. Who hasn’t done it? But they can also be disastrous, potentially damaging a company’s reputation, revealing its confidential data, and breaching its customers’ privacy.   One new group, however, can potentially present more of a risk than most – Sales Engineers (SEs)  and Tech Ops (TOs) teams. SEs and TOs are mainly found in enterprise-level, technology-focused *aaS businesses in sectors such as software systems, manufacturing, or telecoms, where the product is some form of data handling solution.    According to the Bureau of Labor Statistics Occupational Outlook Handbook, there were 63,800 SEs in the US in 2020. Their role is like a SWAT team, called in by the sales team to help ‘seal the deal’, either when a lead is deep into the process and needs extra clarity, or when they have too many technical obstacles for the sales rep to handle. SEs have a sales mentality, but couple that with a deeper understanding of the form and function of the product, processes, or service.    Here’s five reasons why they might be at higher risk, and how you can mitigate that risk.
They support several salespeople In a typical large enterprise, one SE might support several sales reps. Numbers vary depending on the size and scope of the business in question, but a typical ratio might be one SE to four or more sales people. The higher the number, the higher the potential risks, because they now touch four times the amount of data and contacts flowing through an organization compared to their colleagues.   
…And several other teams. SEs not only work hand in hand with salespeople on new leads, they might also help Customer Success teams move existing customers to higher plans or additional services – again, more potential risk. Of course, being deep in the workings of the product means they also interact regularly with the product or engineering team. They might even work with marketing on case studies and testimonial content. So as you can see, they occupy a highly central function within large, complex matrix organizations.  
Meaning they have access to lots and lots of data… SEs not only have access to leads’ personal details, they might also have access to that company’s critical data such as customer information, financial data, or intellectual property. Many firms conduct proof of concept (PoC) and proof of value (PoV) tests, where the solution is prototyped with the lead’s firm. Depending on the solution and the customer firm, this can involve actual company data, assets, or information.  All of this data is highly attractive to bad actors who can ransom it back to you, sell it to others, mine bitcoin using your systems, and generally trash your processes and reputation. As one security analyst from our friends at KnowBe4 put it, we’re in the age of the ‘quintuple extortion’.  
…and highly sensitive information. They They could be privy to what the company’s employees are doing, where they are, or their Personally Identifiable Information (PII) such as staff’s social security numbers, bank details, and personal email addresses. There’s also sensitive details on business structure things, like potential mergers and acquisitions, reorganizations, or redundancies. In short, SEs have access to a wide group, and interact with that group at a higher frequency.   Which means they’re severely time pressured. Reps might call in an SE as a last ditch effort to save a deal from potentially falling through. Perhaps the lead is thinking of walking away because they have several technical questions that the rep can’t answer. The SE is needed fast and plunged deep into the deal to try to save it.    That creates a time sensitivity pressure for the SE. As this blog post by GoConsensus says, the problem supporting several sales people is that at times, a sales rep may not have access to a sales engineer to provide the support they need.    That can mean the SE is under pressure from both their colleagues to save the deal, as well as the lead who might be cooling on the idea because it doesn’t appear to fit their needs. As the time ticks down and the pressure increases, so do the potential risks of making mistakes.     We know this because our Psychology of Human Error Report revealed that working in tech doesn’t necessarily make you cybersecurity savvy. Employees in the technology industry were the most likely to click on links in phishing emails, with nearly half of respondents in this sector (47%) admitting they had done so. This was closely followed by employees in banking and finance (45%).   The tech industry also had the highest percentage of employees that agree there is an expectation in their organization to respond to emails quickly (85%), while 77% in the financial sector said the same. This suggests that quick-to-click and fast-paced working cultures could result in employees mistakenly clicking on phishing emails.   Why? Because nearly half of respondents (45%) cited distraction as the top reason for falling for a phishing scam. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
So how does this threat manifest itself at enterprise level? In many ways, these issues at enterprise level are a double edge sword. On the one hand, enterprises can have great software and processes, as well as the budget and teams to support it. On the other hand they’re larger and more complex, so the potential for danger is greater.    So how many people are we talking about here? Take a big global company like Salesforce for example, with 64,000 employees according to LinkedIn. A quick search for ‘Sales Engineers’ in their people section returns 3,955 people. For Amazon (868,467 employees) it’s even bigger – 5,792.    Yet our State of Data Loss Prevention report revealed an average of 800 emails are misdirected in organizations with 1,000 employees during a single year. What’s more, Forrester Consulting’s recent Take Control Of Email Security With Human Layer Security Protection report, commissioned by Tessian, found that the percentage of employee-related email security incidents by company size was significantly higher in companies with more than 20,000 employees.    With all that it’s clear why 61% of security and risk leaders surveyed in the Forrester Consulting report believed that an employee’s actions will cause their organization’s next data breach. They’ve simply done the math.     How can enterprise organizations secure themselves against these dangers? The consequences and fall out of any potential misdirected email can be mundane, or they can be utterly catastrophic (as these real world examples reveal). We spoke to one CISO on condition of anonymity, who told us, “For the C-Suite, the most important thing is understanding risk scoring – who’s the most targeted departments and what data do they handle?” – SEs and TOs fall into this category.   That risk has to be balanced more broadly with having processes that still let employees do their jobs in highly dynamic environments. A process where a deal is lost because an email is in a quarantine outbox with several thousand others waiting for the IT department to approve it isn’t going to help your team hit their quarterly targets.    This ‘human first’ approach centers on two things: using great tools that don’t hamper the workflow, and flagging when potentially moving data with the communication chain.    Both these things drive what we do at Tessian. Our Human Layer Security platform detects and prevents advanced inbound and outbound threats on email, automatically stopping data breaches and security threats caused by employees. Powered by machine learning, Tessian provides unparalleled visibility into human security risks, detects and prevents accidental data loss, data exfiltration, and advanced phishing attacks while continuously driving employees toward secure email behavior through in-the-moment training.    Built as a cloud-native platform, Tessian integrates seamlessly with O365, Google Workspace, and MS Exchange environments within minutes, learns in hours, and starts protecting in a day closing the critical gaps in the email security stack   The Tessian differentiators: Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness  Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements. Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI   So if you want to ensure your Sales Engineers can do what they do best – be that SWAT Team for your sales reps – rather than a higher risk to your business, get in touch today and see how we can help you secure your organization’s Human Layer.  
Page