Step Into The Future of Cybersecurity — Save your spot at the Human Layer Security Summit for free.

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Human Layer Security

90% of data breaches are caused by human error. Stay up to date on the latest tips, guides, and industry news on Human Layer Security.

Human Layer Security
Fear Isn’t The Motivator We Think It Is…
19 October 2021
The ground is shaking under one of cybersecurity’s favorite acronyms. Dr. Karen Renaud, Chancellor’s Fellow at the University of Strathclyde and Dr. Marc Dupuis, Assistant Professor at the University of Washington Bothell believe that fear, uncertainty and doubt (FUD) aren’t all they are cracked up to be.  In their recent Wall Street Journal Article, ‘Why Companies Should Stop Scaring Employees About Security’, they unpack the use of scaremongering in cybersecurity training and tell us how fear truly impacts decision making. Listen to the full podcast here, or read on for Dr. Karen Renaud’s & Dr. Marc Dupuis’s top three takeaways. Too much fear burns people out and makes them less responsive to fear appeals KR: The literature tells us that when people are targeted by a fear appeal they can respond in one of two ways. They can either engage in a danger-control response or a fear-control response.  A danger-control response is generally aligned with what the designer of the appeal intended. So if a fear appeal is trying to encourage a user to back up their files, a danger-control response would involve the user making the backup.  Alternatively, a fear-control response sees the user try to combat the fear. They don’t like the feeling of fear, so they act to stop feeling it – they attack the fear rather than the danger itself. This response is undesirable as the user might go into denial or become angry with the person or organisation who has exposed them to the fear appeal. Ultimately, the user is unlikely to take the recommended action. When we consider events such as the COVID-19 pandemic, you can see how adding cybersecurity fear appeals to people’s pre-existing fear runs the risk of users feeling overwhelmed and having a fear-control response. People are already seeing so many fear appeals that they are likely to go into denial and refuse to take the message on board.  Fear appeals can encourage people to take more risks MD: I have a three-and-a-half-year-old son. Unlike my daughter, if I tell him to not do something like stand on a chair, and explain that he might crack his head open if he does, he’ll do it. So, he’ll climb on the chair, and then if he doesn’t crack his head open he’ll say ‘See daddy, I didn’t crack my head open!’, and in his mind, my warning has been disproved. This scenario with my son speaks to another point on fear appeals – we scare people to try and get them to not do something, but when they do it anyway and nothing bad happens it only reinforces the idea that the consequences aren’t that bad. KR: You can see examples of this kind of thing throughout history. If you look back at the German bombings of London during the second world war, something similar happened. Though the goal of the Germans was to get Britain to capitulate, the bombings provoked a totally different response – the British people became more defiant. People get afraid of being afraid, and we need to consider this when designing cybersecurity training and messaging.
MD: We are all responsible for changing the narrative in cybersecurity away from fear, uncertainty, and doubt (FUD), and it starts with conversations like this. It is easy to criticize something, but the question we then need to answer is… what can we replace it with? We know self-efficacy is the major player – but what is that going to look like? I believe that approaches will vary between organisations but the underlying concepts will be the same, such as creating a less punitive system and building a sense of togetherness. KR: When you treat your users as a problem it informs the way you manage them. Currently, many organisations see their employees as a problem – they’ll train them, they’ll constrain them, and then they’ll blame them when things go wrong! Unfortunately, this method stops users from being part of the solution and creates the very problem you’re trying to solve.  To improve cybersecurity, it is crucial that you make everyone feel like they’re part of the defense of the organisation. My research with the Technical University of Darmstadt looked into what kind of things we could do to make this happen, and it really comes down to a few core principles: Encourage collaboration and communication between colleagues – So we can support each other. Build resilience as well as resistance – Currently, there is a huge focus on resisting security threats, but we also need to know how to bounce back when things do go wrong.  Flexible and responsive security training and awareness policies – We treat security training and awareness policies as a one-size-fits-all, but this is outdated. We need to ask people if what we are proposing is possible for them and the role that they do, and adapt accordingly.  Learn from successes, not just mistakes – What did some people spot in a phishing message that others didn’t? Teach other people those techniques. Recent examples in other industries, such as safety, have shown that putting the power into employees’ hands can be revolutionary. We are yet to see it done in cybersecurity, but I’m certain that it is right around the corner.   Want more insights like this? Make sure you subscribe to RE: Human Layer Security on Apple and Spotify.
Human Layer Security
Here’s What’s Happening at our SIXTH Human Layer Security Summit on Nov 4th
By Andrew Webb
14 October 2021
November 4th sees Tessian’s sixth Human Layer Security Summit. Nearly 3000 people tuned in to our last summit in June, and the event is rapidly establishing itself as an industry ‘must attend’.    We started our flagship event summits with one goal in mind, to bring security leaders together to network, share learnings and discuss a new wave of security that is ‘Human First’. This Fall summit will be our biggest and best yet, and is packed with the latest insights from industry experts, all in just a few hours.    If you’ve not already reserved your place, do it now, because here’s what’s packed into just three hours on November 4th.
🎣 Fighting Phishing: Everything We Learned From Analyzing 2 Million Malicious Emails   Unless you’ve been at the beach this past month, you can’t have failed to notice Tessian’s recent Spear Phishing Threat Landscape 2021 report based on two million emails flagged by Tessian Defender as malicious.    Tessian’s CISO, Josh Yavor, is joined by two industry experts; James McQuiggan, Security Awareness Advocate at KnowBe4, and Jason Lang, from TrustedSec. Together they’ll dig into the report’s findings in greater detail, and identify the what, how, who, why, and when of today’s spear phishing landscape.    If you can only make one session, make it this one.       🏗 How to Build A High-Impact Security Culture For ‘Oh Sh*t’ Moments    You don’t have a cybersecurity issue… until you do. At Tessian, we call that an ‘Oh Sh*t’ moment.    Kim Burton, Security Education InfoSec Manager Cisco, details how the right culture in your company can help stop that from ever happening. She’ll explain how to create and enable a positive security culture so you can help people sort through information and be confident in their approach to security.    The result: your people become your greatest asset, and develop, as Kim puts it, a security spider sense!      🤖 Threats Of The Future Are Here: Hacking Humans with AI-as-a-Service   These days you can get seemingly everything as a service, and that includes Ai. Ed Bishop, our co-founder and CTO, discusses this new threat with the team from GovTech Singapore. Eugene Lim, Glenice Tan, Tan Kee Hock and Timothy Lee explain how their latest research repurposed easily-accessible personality analysis AIaaS products to generate persuasive phishing emails.   The emails were automatically personalized based on a target’s social media information and created by state-of-the-art natural language generators. The results mean that even low-skilled, limited resource actors could use these methods to execute effective AI-assisted phishing campaigns at scale.   And as Wired reported, an AI wrote better phishing emails than humans in a recent test. This is sure to be a fascinating technical session, so book your place now and learn how to protect your organisation from these emerging threats.    😩 DLP Has Failed The Enterprise. What Now?   Look someone has to say it… Legacy DLP solutions are complex, have limited visibility, give you a constant headache with false positives, and users hate it. And don’t get us started on the ROI…    In this session you’ll hear from leading experts including not-for-profit health care provider, PeaceHealth, on why now is the time to rip and replace your DLP solution.      👮Why Human Layer Security is the Missing Link in Enterprise Security    We’re thrilled to have guest speaker, Jess Burn, from Forrester joining us to offer up her insights on why human layer security is the missing link for Enterprises. She’ll offer her insights on what the top priorities for Enterprise Security and Risk Management leaders over the next 12 months, as well as tell us how Human Layer Security fits into the wider tech stack solutions. Jess brings with her a wealth of experience as a senior analyst at Forrester serving security and risk professionals. Hosted by Henry Trevelyan Thomas, VP of Customer Success at Tessian.         💭 Security Philosophies from Trailblazers; Q&A with leading CISOs   Closing out our summit, Tim Sadler, CEO and Co-Founder of Tessian, invites two security heavyweights center stage to discuss their guiding philosophies that have led them to security success in their organizations.    With decades of experience between them, Jerry Perullo (CISO, ICE NYSE) and DJ Goldsworthy (Director, Aflac) will discuss how they position security as a value driver, not a cost-center in their orgs, and how they keep their teams innovating and approaching security creatively to build agile models.      So what are you waiting for?   That’s a pretty awesome schedule full of world-class insights, advice, and experience from experts who’ve secured their people and business against attacks. We believe learning directly from others experiences’ is the best way to drive the security industry forward, so our aim is to bring as many diverse speakers together. The only thing missing is you. 
Human Layer Security
21 Virtual Cybersecurity Events To Attend This Fall and Winter
12 October 2021
This list of cybersecurity events is updated every month and includes in-person events, virtual summits, and one-off webinars. Highlights for fall/winter include: Human Layer Security Summit — November 4, 2021 Black Hat Europe 2021 — November 8, 2021 CyberSecure — November 16-17, 2021 Hybrid Identity Protection (HIP) Conference — December 1-2, 2021 Keep reading for more 17 more events, and to learn more about each (including speakers, sessions, cost, and how to sign-up). SANS Webcast(s) – Ongoing If you don’t already know, SANS hosts daily webinars (sometimes several a day!). Topics include network security, insider risk management, to social engineering, bug bounties, risk management frameworks, ransomware, and more. Better still, these webinars are hosted by and feature some of security’s most prolific trailblazers like Dough Graham, AJ Yawn, Russel Eubanks, and more. Cost to Attend: Free Core BTS Security Conference, October 12, 2021 The Core BTS Security Conference focuses on fundamental cybersecurity issues as they relate to today’s threat landscape. This conference will provide practical sessions aimed at security and business executives, security architects, and data security managers. Subjects for panels and sessions include ransomware, zero-trust, and third-party risk. Speakers include Nat Smith, Senior Director Analyst at Gartner, Microsoft’s Chris Reinhold, and Leo Wentline, Director of Tech Support & Services at KidsPeace. Cost: Free Virtual Cybersecurity & Fraud Summit: Toronto, October 12-13, 2021 This conference from the Information Security Media Group (ISMG) offers a global perspective on the intersection between fraud and cybersecurity. On the agenda are fraud and breach prevention, zero-trust security, connected devices, and many more contemporary security issues. Speakers include Taher Elgamal, CTO Security at Salesforce, Nicole Ford, CISO and VP at Carrier, and Karim Rajwani, SVP and COO, Financial Crimes Risk Management at Scotiabank. Cost: Free SecureWorld Texas Virtual Conference: October 14, 2021 SecureWorld’s Texas conference turns digital with 20+ educational sessions aimed at security professionals of all levels of experience. Learn about zero-trust, security validation, the intersection between security and privacy, and more. Speakers include Nancy Rainosek, CISO for the State of Texas, Eve Maler, CTO at ForgeRock, and Jon Ehret, VP Strategy & Risk at RiskRecon (Mastercard). DevSecCon London — October 20-21, 2021 Integrating security into development is a critical front in the battle against cybercrime. DevSecCon showcases new ideas and approaches in DevSecOps—the collaboration of DevOps and security.  2021’s agenda is still in development—but expect some big industry names discussing issues from supply chain to customer experience. Cost to attend: TBA Women in Cybersecurity: A Special Careerbuilder Event — October 21, 2021 This event from George Washington University aims to champion female leaders in cybersecurity and help more women enter into this flourishing industry. Panelists include Teri Takai, Vice President at the Center for Digital Government, and Lydia Payne-Johnson, Director of IT Security, Information Management, and Risk at George Washington University. Cost: Free Virtual Houston CyberSecurity Conference — October 21, 2021 Aimed at C-suite executives and CISOs, FutureCon’s Virtual House CyberSecurity Conference will offer talks and guidance on how to tackle the global cybercrime epidemic. Speakers include Brian Contos VP & CISO Mandiant Advantage, Rachel Arnold “The Human API,” and Jonathan Kimmitt, Chief Information Security Officer at the University of Tulsa. And if you drink on weekdays (no judgment here), there’s even a private CISO happy hour featuring blind bourbon tasting at 5 pm CDT. Cost: $100 VIRTUAL Eastern CyberSecurity Conference — October 28, 2021 FutureCon’s VIRTUAL Eastern CyberSecurity Conference is for advanced cybersecurity professionals and includes training in cutting-edge tech to fight cyber threats. Sessions include a keynote on success as a cybersecurity leader, how to stop cyber threats against remote workers, and best practices in PAM security and data privacy. Speakers include Keith O’Sullivan, SVP, Chief Information Security Officer at Standard Industries, Otavio Freire, CTO and Co-Founder at SafeGuard Cyber, and Anthony Johnson Managing Partner at Delve Risk.  Cost: Free Tessian Human Layer Security Summit — November 4, 2021 Tessian’s 6th Summit will provide insights from top CISOs, Infosec leaders, and cyber visionaries leading with the new wave of Human Layer Security.  From fighting phishing to building a high-impact security culture, speakers will offer practical solutions to help protect employees from themselves using cutting-edge technical and organizational solutions. The event will benefit anyone involved in securing your organization—from data protection officers to CISOs. Speakers include Tim Sadler, CEO and Co-Founder of Tessian, James McQuiggan, Security Awareness Advocate at KnowBe4, and Eugene Lim, Associate Cybersecurity Specialist, GovTech Singapore. Learn more about the speakers and sessions here. Cost: Free CyberSec&AI Connected 2021 — November 4-5, 2021 AI is everywhere—and governments are increasingly keen to regulate it. But AI cybersecurity is an aspect of AI that many people overlook. Take the upcoming EU AI Regulation—many AI providers will need to provide an assessment of the security of their AI systems. But few people understand the implications of this requirement. The CyberSec&AI Connected conference will consider important issues in the AI context, like differential privacy, bias, and advanced persistent threats. Speakers include Alessandro Acquisti, Professor at Carnegie Mellon University, Jaya Baloo Chief Information Security Officer at Avast, and Nicholas Carlini, Research Scientist at Google Brain Cost to attend: €130 (standard), with discounts for groups, students, and academics. Black Hat Europe 2021 — November 8, 2021 Black Hat Europe is the European iteration of the Black Hat Briefings—a day filled with 30-40-minute cutting-edge presentations on security. The Black Hat Briefings have been running for over 24 years. These briefings are a chance for computer security leaders to share insights into the latest research, developments, and issues across industries. See you there! Cost to attend: TBA InfoSec World Digital — November 9-10, 2021 InfoSec World Digital features a broad range of sessions aimed at cybersecurity professionals of all levels, including cloud security, risk mitigation, and privacy. The event offers opportunities for learning, networking, and—of course—earning CPE credits. Speakers include Robert Herjavec Cybersecurity Expert & CEO of Herjavek Group, Cathy Lanier, SVP & Chief of Security at the NFL, and Roland Cloutier, TikTok Global CSO. Cost: $545 Miami Cybersecurity Conference — November 9-10, 2021 Data Connectors brings together industry leaders for a day of cybersecurity training and discussion, covering topics such as the state of secure identity, remote work, and rethinking data protection in the age of ransomware. Speakers include Merritt Baer. Principal Security Architect at Amazon Web Services, Jameeka Green Aaron, CISO at Auth0, and James J.W. Grant, Chief Information Officer of the State of Florida. Cost: Free Hack In Paris 2021 — November 15-19, 2021 Hack in Paris is a two-part event. From November 15-17, there are training sessions delivered by CISOs, CIOs, and other experts. Then between November 18-19, there are talks and workshops. This year’s schedule has yet to be announced, but the conference has been running for a decade and remains popular. Last year featured sessions on harnessing AI to accelerate machine exploits, hacking GPS trackers, and IoT reverse engineering. Cost to attend: €144.00 for the conference (early bird and student discounts available), with individual prices for training sessions. CyberSecure — November 16-17, 2021 CyberSecure is run by MIT Technology Review and this November the focus is on ransomware. The best defense against ransomware is taking a coordinated approach to developing your cyber-resilience. CyberSecure will explore how to take the first steps, incorporate AI into your security toolkit, and ensure your ransomware program is financially efficient. Speakers include Sandra Joyce, EVP, Head of Global Intelligence at FireEye Mandiant, Timothy Brown, CISO & Vice President of Security at SolarWinds, Caroline Wong, Chief Strategy Officer at Cobalt. Cost: $650 Cyber Security and Cloud Expo Amsterdam — November 23-24, 2021 The Cyber Security and Cloud Expo in Amsterdam is a large exposition covering areas such as security strategy, data protection, identity and trust, and more. The in-person event is followed by virtual content between November 30 – December 1 for those unable to attend in-person. Speakers include Angelos Varthalitis, CISO at Transdev Netherlands, Ariel Lemelson, Head of Cyber Detection & Response at Booking.com, and Daniela Almeida Lourenço, BISO at CarNext.com. Cost: Expo pass: Free; Day 1 or 2 Gold Pass: €499; Both Days Gold Pass: €699; Ultimate Pass: €949; Virtual Pass: €299 Canada West Region Virtual Cybersecurity Summit — November 23, 2021 This one-day conference brings together local CISOs and subject matter experts to deliver panels on a broad range of cybersecurity topics. The event will feature sessions on supply chain and third-party risk management, compliance and automation in cybersecurity, managing insider threats, and much more. Cost to attend: Free (subject to approval) Gartner Security & Risk Management Summit EMEA — November 29–December 1, 2021  Gartner’s EMEA security conference is available online this year and provides practical sessions for CISOs, security executives, risk management leaders, security architects and planners, and network, application, data security managers. The summit offers a huge variety of sessions built around 12 tracks, focusing on topics such as business enablement, infrastructure protection strategies, security and technology architecture, and more. Speakers include John Amaechi. Organizational Psychologist and Founder of APS, and a range of experts from Gartner, including Eric Ahlm, Mario de Boer, and Jon Amato. Cost: Standard price: €1,275; Public-sector price: €850 Hybrid Identity Protection (HIP) Conference — December 1-2, 2021 Hybrid workplaces are becoming the norm, and holding some data in the cloud is almost ubiquitous among modern organizations. With sessions on the future of cloud security, recovery in hybrid infrastructures, and deploying a zero-trust infrastructure, the Hybrid Identity Protection (HIP) Conference will help your security team learn cutting-edge techniques for protecting data in hybrid environments. Speakers include Andy Greenberg, Senior Writer at WIRED, Juliet Okafor CEO & Founder at RevolutionCyber, and Holger Zimmermann, Technical Specialist – Security & Compliance at Microsoft. Cost: Free International Conference on Cyber Security and Privacy in Communication Networks (ICCS) 2021 — December 9-10, 2021 The International Conference on Cyber Security and Privacy in Communication Networks (ICCS) presents the latest research on cyberthreat analysis, privacy, and security from academia, government, and industry thinkers. In the conference’s seventh year, delegates can expect talks on cloud security, databases security, digital signature techniques, and much more. Cost to attend: Various prices, with discounts available for student and faculty staff, ranging from £35 GBP to £240 GBP. Atlanta CyberSecurity Conference — December 15, 2021 FutureCon’s Atlanta CyberSecurity Conference will be held both in-person and online this year, and it aims to educate C-suite executives and CISOs on building cyber-resilient organizations that can thrive in the global cybercrime epidemic. The conference features presentations from some major names in tech, including Cisco, Axio, and Bitglass. Speakers include Kenneth Foster, Head Global Cyber Risk Governance Fiserv, and James Azar, Host of The CyberHub Podcast, CISO Talk Cost: Virtual: $100; In-person: $200
Human Layer Security
New Technology Integration: Sumo Logic Tessian App
05 October 2021
Tessian is excited to announce a new integration with Sumo Logic that allows customers to understand their risk through out-of-the-box monitoring and analytics capabilities.
Benefits of the Sumo Logic integration Easily and instantly gain visibility into data loss, email security, and insider risks that could potentially lead to data breaches   Quickly analyze incidents in real time, enabling fast prioritization and remediation of threats posed by employee’s risky behavior Combine Tessian’s human risk intelligence with additional data sources to detect anomalies and gain a holistic picture of organizational risk Easily learn your top targeted employees or risky employees and take proactive remedial actions How to install and use the Sumo Logic Tessian App Security leaders who use both Tessian and Sumo Logic can access and install the app in the Sumo Logic app catalog. Pre-built dashboards include:  Tessian Overview Dashboard: visibility into all Tessian modules in one pane of glass
Tessian Defender Dashboard: visibility into inbound email security events and common threat types, along with your top targeted users
Tessian Guardian Dashboard: visibility into the number of prevented misdirected email, users and flag reasons
Tessian Enforcer Dashboard: visibility into sensitive data exfiltration by providing insights into attempted and prevented unauthorized email attempts including users behind these attempts
Learn more Want to learn more about Tessian’s integrations? Click here.
Human Layer Security Spear Phishing
Must-Know Phishing Statistics: Updated 2021
By Maddie Rosenthal
16 September 2021
Looking for something more visual? Check out this infographic with key statistics.
The frequency of phishing attacks According to the FBI, phishing was the most common type of cybercrime in 2020—and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019, to 241,324 incidents in 2020.  The FBI said there were more than 11 times as many phishing complaints in 2020 compared to 2016. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), phishing is the top “action variety” seen in breaches in the last year and 43% of breaches involved phishing and/or pretexting. The frequency of attacks varies industry-by-industry (click here to jump to key statistics about the most phished). But 75% of organizations around the world experienced some kind of phishing attack in 2020. Another 35% experienced spear phishing, and 65% faced BEC attacks. But, there’s a difference between an attempt and a successful attack. 74% of organizations in the United States experienced a successful phishing attack. This is 30% higher than the global average, and 14% higher than last year. ESET’s Threat Report reveals that malicious email detections rose 9% between Q2 and Q3, 2020. This followed a 9% rise from Q1 to Q2, 2020. ⚡  Want to learn how to prevent successful attacks? Check out this page all about BEC prevention. How phishing attacks are delivered 96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing. The increase in phishing attacks means email communications networks are now riddled with cybercrime. Symantec research suggests that throughout 2020, 1 in every 4,200 emails was a phishing email. According to Sonic Wall’s 2020 Cyber Threat report, in 2019, PDFs and Microsoft Office files (sent via email) were the delivery vehicles of choice for today’s cybercriminals. Why? Because these files are universally trusted in the modern workplace.  When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%). 
The most common subject lines According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks: Urgent Request Important Payment Attention Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4, 2020: IT: Annual Asset Inventory Changes to your health benefits Twitter: Security alert: new or unusual Twitter login Amazon: Action Required | Your Amazon Prime Membership has been declined Zoom: Scheduled Meeting Error Google Pay: Payment sent Stimulus Cancellation Request Approved Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription RingCentral is coming! Workday: Reminder: Important Security Upgrade Required
The prevalence of phishing websites Google Safe Browsing uncovers unsafe URLs across the web. The latest data shows a world-wide-web rife with phishing websites. Since 2016, phishing has replaced malware as the leading type of unsafe website. While there were once twice as many malware sites as phishing sites, there are now nearly 75 times as many phishing sites as there are malware sites. Google has registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). This compares to malware sites rising from 21,803 to 28,803 over the same period (up 32%). Here you can see how phishing sites have rocketed ahead of malware sites over the years.
Research from Cofense suggests phishing emails are slightly more like to contain a link to a malicious website (38%) than a malicious attachment (36%). Further reading: ⚡ How to Identify a Malicious Website The most common malicious attachments Many phishing emails contain malicious payloads such as malware files. ESET’s Threat Report reports that in Q3 2020, these were the most common type of malicious files attached to phishing emails: Windows executables (74%) Script files (11%) Office documents (5%) Compressed archives (4%) PDF documents (2%) Java files (2%) Batch files (2%) Shortcuts (>1%) Android executables (>1%) You can learn more about malicious payloads here. The data that’s compromised in phishing attacks The top three “types” of data that are compromised in a phishing attack are: Credentials (passwords, usernames, pin numbers) Personal data (name, address, email address) Medical (treatment information, insurance claims) When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:  60% of organizations lost data 52% of organizations had credentials or accounts compromised 47% of organizations were infected with ransomware 29% of organizations were infected with malware 18% of organizations experienced financial losses
The cost of a breach RiskIQ estimates that businesses worldwide lose $17,700 every minute due to phishing attacks—and that top companies lose $25 per minute to cybercrime. IBM’s 2021 research into the cost of a data breach ranks the causes of data breaches according to the level of costs they impose on businesses.  Phishing ranks as the second most expensive cause of data breaches—a breach caused by phishing costs businesses an average of $4.65 million, according to IBM. And Business Email Compromise (BEC)—a type of phishing whereby the attackers hijack or spoof a legitimate corporate email account—ranks at number one, costing businesses an average of $5.01 million per breach. That’s not the only way phishing can lead to a costly breach—attacks using compromised credentials were ranked as the fifth most costly cause of a data breach (averaging $4.37 million). And how do credentials get compromised? More often than not, due to phishing. On the plus side, IBM found that businesses with AI-based security solutions experienced a significant reduction in the costs associated with a data breach. In fact, AI security solutions were found to be the biggest factor in cutting breach costs, from $6.71 million to $2.90 million. According to Verizon, organizations also see a 5% drop in stock price in the 6 months following a breach. Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime. And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter. This cost can be broken down into several different categories, including: Lost hours from employees Remediation Incident response Damaged reputation Lost intellectual property Direct monetary losses Compliance fines Lost revenue Legal fees Costs associated remediation generally account for the largest chunk of the total.  Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.  The most targeted industries Last year, Public Administration saw the most breaches from social engineering (which caused 69% of the industry’s breaches), followed by Mining and Utilities and Professional Services. But, according to another report, employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year.  According to yet another data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest risk industries. The industries most at risk in companies with 1-249 employees are: Healthcare & Pharmaceuticals Education Manufacturing The industries most at risk in companies with 250-999 employees are: Construction Healthcare & Pharmaceuticals Business Services The industries most at risk in companies with 1,000+ employees are: Technology Healthcare & Pharmaceuticals Manufacturing But there’s another way in which phishing impacts organizations differently across industries—resilience. Some industries are more susceptible to phishing than others. By considering factors like awareness, susceptibility, and reporting rate Cofense estimates the following ranking of industries according to their resilience to phishing attacks: Agriculture Mining Professional services Finance Utilities Retail Trade Construction Public Entertainment Information Manufacturing Transport Education Other services Real estate Healthcare Management Administrative Accommodation As noted, healthcare has been hit particularly hard by phishing and other cybercrimes throughout the pandemic. According to the HIPAA Journal, an average of 58.8 data breaches occurred among U.S. healthcare providers between August 2020 and July 2021—around 3.70 million records were breached per month. Many of these breaches were caused, directly or indirectly, by phishing. In July 2021, one phishing attack on an Orlando-based family physicians’ practice affected nearly half a million individuals. Phishing by country Not all countries and regions are impacted by phishing to the same extent, or in the same way. Here are some statistics from another source showing the percentage of companies that experienced a successful phishing attack in 2020, by country: United States: 74% United Kingdom: 66% Australia: 60% Japan: 56% Spain: 51% France: 48% Germany: 47% Phishing awareness also varies geographically. Here’s the percentage of people who correctly answered the question: “What is phishing?”, by country: United Kingdom: 69% Australia: 66% Japan: 66% Germany: 64% France: 63% Spain: 63% United States: 52% As you can see, there’s no direct correlation between phishing awareness and phishing susceptibility, which is why security training isn’t enough to prevent cybercrime. The most impersonated brands New research found the brands below to be the most impersonated brands used in phishing attacks throughout Q4, 2020. In order of the total number of instances the brand appeared in phishing attacks: Microsoft (related to 43% of all brand phishing attempts globally) DHL (18%) LinkedIn (6%) Amazon (5%) Rakuten (4%) IKEA (3%) Google (2%) Paypal (2%) Chase (2%) Yahoo (1%) The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information. But it’s not just consumer brands that scammers impersonate. Public bodies are also commonly mimicked in phishing scams. Between August 2020 and July 2021, the UK’s tax authority (HMRC) reported: Over than 450 COVID-19-related financial support scams More than one million reports of “suspicious contact” (namely, phishing attempts) More than 13,000 malicious web pages (used as part of phishing attacks) The rates of phishing and other scams reported by HMRC more than doubled in this period.
Facts and figures related to COVID-19 scams Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April. And, it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87% while attacks on the C-Suite decreased by 37%. Further reading: ⚡ COVID-19: Screenshots of Phishing Emails ⚡How Hackers Are Exploiting the COVID-19 Vaccine Rollout ⚡ Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks. Phishing and the future of work The move to remote work has presented many challenges to business—and the increased range, frequency, and probability of security incidents are among the most serious. New working habits have contributed to the recent surge in phishing because IT teams have less oversight over how colleagues are using their devices and can struggle to provide support when things go wrong. According to Microsoft’s New Future of Work Report:  80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began.  Of these, 62% said phishing campaigns had increased more than any other type of threat. Employees said they believed IT departments would be able to mitigate these phishing attacks if they had been working in the office Furthermore, an August 2021 survey conducted by Palo Alto Networks found that: 35% of companies reported that their employees either circumvented or disabled remote security measures Workers at organizations that lacked effective remote collaboration tools were more than eight times as likely to report high levels of security evasion 83% of companies with relaxed bring-your-own-device (BYOD) usage led to increased security issue Further reading: ⚡ The Future of Hybrid Work  ⚡ 7 Concerns Security Leaders Have About Permanent Remote Working
What can individuals and organizations do to prevent being targeted by phishing attacks? While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action. Review the email address of senders and look out for impersonations of trusted brands or people (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.) Always inspect URLs in emails for legitimacy by hovering over them before clicking Beware of URL redirects and pay attention to subtle differences in website content Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones. Further reading: ⚡ Tessian Defender: Product Data Sheet  
Human Layer Security DLP
Legacy Data Loss Prevention vs. Human Layer Security
By Jessica Cooper
09 September 2021
Email is the threat vector security leaders are most worried about protecting.  It’s the most common channel for data exfiltration, fraud, and targeted attacks such as impersonation and phishing, and it’s the major point of egress for sensitive data. And, in most cases, the root cause of these incidents is human error.  Employees break the rules, make mistakes, and can easily be tricked or hacked. This begs the question: what’s the best solution? This blog evaluates legacy data loss prevention (DLP) solutions and is based on an extensive whitepaper available for download. The whitepaper provides greater depth and compares human layer security (HLS) with the legacy security solutions discussed here.   Why Aren’t Legacy Data Loss Prevention (DLP) Solutions Effective? While DLP provides value in certain cases, it does not solve the fundamental problem facing organizations – how to keep data secure in the real world where the information and attachments in emails move and are always accessible to anyone.  Once data leaves the point of control, whether at the endpoint or the network, DLP no longer has control over that content.  If your emails contain information and files that are forwarded and accidentally exposed to the wrong people, there is very little that DLP can do. In this blog, we’ll focus on the five biggest problems with legacy DLP solutions. Remember: you can download the whitepaper for a more detailed analysis. Does Not Protect Against Accidental Data Loss Rules-based approaches simply cannot detect accidental data loss – for example, when emails are sent to the wrong people or the wrong file is attached – because there are no regex or pattern matches that can be applied. This level of protection requires context that DLP just doesn’t have. But, it’s important, especially when research shows at least 800 emails are sent to the wrong person every year in organizations with 1,000+ employees. The HLS Difference: Tessian Guardian automatically detects and prevents misdirected emails and misattached files.  DLP Focuses on a Negative Control Model Legacy DLP is very strict with a binary approach to protecting data. It either allows it or blocks it. In a post-perimeter architecture, this is highly disruptive to business and unsustainable. The HLS Difference: Tessian is frictionless; it’s invisible until you need it, which has helped enterprise customers across industries prevent data loss, without impeding productivity. Read our customer stories to learn more.   Slow, Cumbersome and Non-adaptive 85% of security leaders say DLP is admin-intensive.  Legacy DLP must analyze all content and try to match it to block lists. This requires extensive analysis and the matching can be wrong as enterprise email content is constantly changing.  As content and locations get more complex, legacy DLP can develop problems very quickly.  The HLS Difference: Tessian uses contextual machine learning, and our ML models have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. Importantly, they continue to automatically adapt and learn as human relationships evolve over time. Learn more about our technology.  Difficult and Expensive to Implement While DLP may be regarded as a check-the-box solution for compliance, it is incredibly cumbersome, complex, and expensive to deploy, often requiring huge spend in professional services to implement and maintain.  Typical deployments are at least 12 months which makes it hard to justify the return on investment vs. the security it provides. The HLS Difference: With Tessian, there is no pre-configuration required, and the platform starts preventing threats within 24 hours of deployment.
Limited Threat Visibility Legacy DLP, including Email DLP, Endpoint DLP, and Network DLP offer little to no visibility into employee risk is one of the biggest challenges security and risk management leaders face.  Worse still, when insights around risk are available, it’s siloed and hard to interpret.  Insights around security awareness training exist in separate systems from insights related to threats that have been detected and prevented. There’s no integration which means security leaders can’t get a full view of their risk profile. Without integration and visibility, it’s impossible to take a tailored, proactive approach to preventing threats.  The HLS Difference: With Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture with granular visibility into employee risk and insights into individual user risk levels and drivers. Learn more about Human Layer Security Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Guardian: Automatically prevents accidental data loss via misdirected emails and misattached files. No rules required. Enforcer: Automatically prevents data exfiltration and other non-compliant activities on email  Human Layer Security Intelligence: Comprehensive visibility into employee risks, threat insights, and tools that enable rapid threat investigation and proactive risk mitigation Human Layer Risk Hub: Enables security and risk management teams to deeply understand their organization’s email security posture, including individual user risk levels and drivers
Human Layer Security Spear Phishing
Legacy Phishing Prevention Solutions vs. Human Layer Security
By Jessica Cooper
27 August 2021
Phishing – in its many varieties – is the threat most security leaders are concerned about protecting their organizations against. Why? Because attacks are frequent, hard-to-spot, time-consuming to investigate, and expensive to recover from.  And legacy solutions like Secure Email Gateways (SEGs), sandboxes, DMARC, and security awareness training out there just aren’t enough. With these methods, users aren’t engaged in a meaningful way and unknown anomalies aren’t accounted for. But there’s a better way.  This blog evaluates the shortcomings of legacy phishing prevention solutions, and proposes a different approach: Human Layer Security. Note: This article is based on an extensive whitepaper available for download. The whitepaper provides greater depth as it compares Human Layer Security with the legacy security solutions discussed here. The problem with SEGs & native tools SEGs lack the intelligence to learn user behavior or rapidly adapt.  The backbone of a SEG is traditional email security approaches – static rules, signature based detection, library of known threats, etc. Meanwhile, attackers consistently evolve their techniques, email networks are dynamic in nature, and human behavior is inconsistent and unpredictable. That means rules are out of date as soon as they are created and signature-based approaches are ineffective. They can’t detect advanced impersonation, account takeover (ATO), third-party supply chain risk, or wire fraud. Worse still, SEGs don’t address other entry points like Microsoft SharePoint, OneDrive, and ShareFile, which are some of the most hacked cloud tools.  What about native controls like Microsoft ATP? O365’s native security controls do protect users against bulk phishing scams, spam, malware, and domain spoofing. And these tools are great when it comes to stopping broad-based, high-volume, low-effort attacks – they offer a baseline protection.  But, today’s email attacks have mutated to become more sophisticated and targeted.  Attackers use automation to make small, random modifications to existing malware signatures and use transformation techniques to bypass these native O365 security tools. Unsuspecting – and often untrained – users fall prey to socially engineered attacks that would be hard for even a security expert to spot.  To learn more about why Office 365 accounts are vulnerable to attack, click here. Why sandboxes fail to detect phishing attacks One of the primary ways sandboxes can fail is in phishing attempts.  Any detection made by the sandbox is dependent on a file exhibiting malicious behavior. This is easy to work around. Hackers will often send a PDF that contains a link to a malicious form to avoid detection.  Likewise, documents with a URI (Uniform Resource Identifier) have an extremely low footprint for sandboxes to detect. And the short TTL domain doesn’t leave much evidence for event analysis or threat intelligence. There are issues with latency, too. Emails, communications, downloads, and important files can take several minutes to reach their destination because of the bottleneck sandboxes can create. This is not an option in today’s modern enterprises where real-time communication and collaboration is paramount. Why DMARC isn’t enough Domain-Based Message Authentication Reporting and Conformance (DMARC), is an added authentication method that uses both SPF and DKIM to verify whether or not an email was actually sent by the owner of the domain that the user sees.  In order for DMARC to pass, both SPF and DKIM must pass, and at least one of them must be aligned. While impersonating a given domain is a common method used for phishing and other malicious activities, there are other attack vectors that DMARC does not address. For example, DMARC does not address domain impersonation attacks (i.e. sending from a domain that looks like the target being abused – e.g. exampl3.com vs. example.com), or display name impersonation (i.e. modifying the “From” field to look as if it comes from the target being abused). The other misunderstood aspect of DMARC is that enabling DMARC on your domain protects your domain from being used in a phishing attack. But to protect your organization against phishing and spear phishing attacks, all domains used in communication with your employees should have DMARC enabled on them.  But still, only one-third of businesses employ DMARC.  This makes the security of your organization dependent on other companies communicating with your organization and vulnerable to supply chain risk, especially since DMARC records are publicly available, meaning attackers can easily identify and target domains that are not registered, and thus are vulnerable to impersonation. Finally, in addition to their own internal domains, organizations are likely to use some combination of Office 365, Gmail, MailChimp, Salesforce.com and other third-party email services. But it’s a challenge to then retrofit them all with DMARC. Want to learn more? We explore the limitations of DMARC in more detail here. The limitations of security awareness training Security Awareness Training (SAT) is seen as a “quick win” when it comes to security – a box-ticking exercise that companies can do in order to tell their shareholders, regulators and customers that they’re taking security seriously.  Sadly, the evidence of these initiatives being conducted is much more important than the effectiveness of them.  And engagement is a big problem. Too many SAT programs are delivered once or twice a year in lengthy sessions. This makes it really hard for employees to remember the training they were given, and the sessions themselves have to cram in too much content to be memorable.  It’s also difficult for security leaders to trains their employees to spot today’s sophisticated attacks. That’s because SAT platforms rely on simulating phishing threats by using pre-defined templates of common threats. This is a fair approach for generic phishing awareness (e.g. beware the fake O365 password login page), but it’s ineffective at driving awareness and preparing employees for the highly targeted and continuously evolving phishing threats they’re increasingly likely to see today (e.g. an email impersonating their CFO with a spoofed domain). We explore the pros and cons of phishing awareness training here. What is Human Layer Security?  The only question left to answer is: When legacy solutions and training programs aren’t enough, how can we prevent employees from interacting with the malicious emails that land in their inbox? The answer is Human Layer Security (HLS). SEGS and native tools like O365 provide basic phishing protection, but organizations need an intelligent solution like Tessian to detect and prevent advanced inbound attacks like BEC, ATO, and CEO Fraud that make it through inbuilt bulk phishing and spam filters. Tessian Defender uses machine learning (ML) to protect your people from even the most advanced inbound threats.  Here’s how: Tessian’s machine learning algorithms analyze your company’s email data, learn employees’ normal communication patterns, and map their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential impersonation, ATO, or BEC threat. For example, payloads, anomalous geophysical locations, IP addresses, email clients, and sending patterns.  Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language via an interactive notification.
Human Layer Security
Tessian Partners with Optiv Security and Moves to a 100% Channel Model
By Tessian
24 August 2021
Today, we announce the news that Tessian is moving to a 100% channel model, partnering with leading cybersecurity partners like Optiv Security to help enterprises secure the human layer and protect against threats caused by human error. There’s currently a gap in enterprise email security. Nearly 50% of advanced phishing emails bypass secure email gateways while legacy email solutions and data loss prevention (DLP) controls aren’t stopping employees from leaking data, accidentally or otherwise. Using machine learning, Tessian is solving these problems in a way that current technology providers can’t – opening up a huge opportunity for security-focused partners. 
Led by the company’s Chief Strategy Officer, Matt Smith, and the team who successfully built and scaled the Duo Security channel program, Tessian’s channel team has launched a best of breed, invite-only partner program and has also signed partnerships with the likes of Altinet and CTS in the UK, Asystec and Kontex in Ireland, and Nclose in South Africa. It is now looking to bring more security-centric and strategic go-to-market partners onboard to help holistically solve one of the biggest problems in enterprise security today.
“A 100% channel model means the Tessian team is ‘all-in’ on partners,” says Smith. “We’re committed to helping our partners differentiate their offerings, design new service packages and increase their profitability. Channel partners play a critical role in advising and helping CISOs and CIOs solve major security challenges – which today includes data loss and breaches caused by people. With trusted partners like Optiv, we can truly accelerate our mission of securing the human layer in the enterprise.”  “A solid cybersecurity infrastructure is a core asset to every organization. As companies become increasingly vulnerable to security threats, both intentional and unintentional, it’s vital that tested and trusted security solutions are in place,” says Ahmed Shah, senior vice president of alliances and strategic partnerships at Optiv. “We welcome the opportunity to partner with companies like Tessian that provide these types of services to enterprise clients.” To find out more about Tessian’s channel program, click here. 
Human Layer Security Customer Stories DLP
16 Ways to Get Buy-In For Cybersecurity Solutions
By Maddie Rosenthal
20 August 2021
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.  This is easier said than done, but security is business-critical.   So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips. You can download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. Or, download this eBook. 1. Familiarize yourself with overall business objectives While cybersecurity has historically been a siloed department, today, it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.  The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case. If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach, the average cost of a data breach is $4.24 million.) 2. Create specific “what-if” scenarios A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.  As the saying goes, “If it ain’t broke, don’t fix it”.  That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented so that stakeholders can understand both probability and impact. For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails  which – by the way- are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox.  What would happen?  Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.  3. Work closely with the security vendor You know your business. Security vendors know their product. If you combine each of your expertise – and really lean on each other – you’ll have a much better chance of making a compelling case for a particular solution. Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.  4. Collaborate and align with other departments It takes a village and cybersecurity is a “people problem”.  That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.  Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win! 5. Consider how much the executive(s) really know about security To communicate effectively, you have to speak the same language. And, we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with. But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing. For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But, if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.  In short: Don’t succumb to the Curse of Knowledge. 
6. Use analogies to put costs into perspective  One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful. For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But, the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.  Suddenly, the cost will seem more manageable and worth the investment. 7. Invite key stakeholders to events or webinars  Before you even start pitching a particular solution, warm-up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people/organizations are finding solutions. Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle.  8. Prepare concise and personalized briefing materials Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5. After taking some time to understand the business’ overall objectives, take a closer look at individual peoples’ roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity. Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.  The bottom line: make it about them. 9. Share these documents in advance of any formal meetings While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.  To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings. But, don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information. 10. Build a strong security culture Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone. So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping – not blaming – employees. There has to be a certain level of mutual trust and respect.  Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions – whether it’s clicking on a phishing email or using a weak password – have consequences.  If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign-off on solutions. 11. Keep an eye on security trends outside of your industry  Some industries – specifically Healthcare, Financial Services, and Legal – are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months. Keep this in mind. If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too. 12. Approach non-executive stakeholders early on While – yes – getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.  After all, those are the people who will actually be responsible for deploying the solution and maintaining it.By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.  How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.  13. Match like-for-like people from both sides If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level. For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.  And, with that in mind…. 14. Preempt questions and prepare answers No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!) Remember, people are generally concerned with how a problem/solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.  15. Get specific customer references from the vendor We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And, we mentioned in tip #11 that you should match like-for-like people in meetings. It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince you’re CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from the CTO. Why? Professionals trust and rely on their peers when making difficult decisions. 16. Be conscious (and considerate of) peoples’ time  Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).  Are you a security leader who wants to offer advice to your peers? We’d love to hear from you! Please get in touch with madeline.rosenthal@tessian.com. And, if you’re looking for more advice, check out these blogs: How to Communicate Cybersecurity ROI Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges How to Create an Enduring and Flexible Cybersecurity Strategy
Human Layer Security DLP
What is Email DLP? Overview of DLP on Email
19 August 2021
Data loss prevention (DLP) and insider threat management are both top priorities for security leaders to protect data and meet compliance requirements.  And, while there are literally thousands of threat vectors – from devices to file sharing applications to physical security – email is the threat vector security leaders are most concerned about protecting. It makes sense, especially with remote or hybrid working environments. According to Tessian platform data, employees send nearly 400 emails a month. When you think about the total for an organization with 1,000+ employees, that’s 400,000 emails, many of which contain sensitive data. That’s 400,000 opportunities for a data breach.  The solution? Email data loss prevention.
This article will explain how email DLP works, consider the different types of email DLP, and help you decide whether you need to consider it as a part of your overall data protection strategy.  Looking for information about DLP more broadly? Check out this article instead: A Complete Overview of Data Loss Prevention. 
➡ What is email data loss prevention? Essentially, email DLP tools monitor a company’s email communications to determine whether data is at risk of loss or theft. There are several methods of email DLP, which we’ll look at below. But they all attempt to: Monitor data sent and received via email Detect suspicious email activity Flag or block email activity that leads to data loss ➡ Do I need email data loss prevention? Unless you’re working with a limitless security budget (lucky you!), it’s important to prioritize your company’s resources and target areas that represent key security vulnerabilities.  Implementing security controls is mandatory under data protection laws and cybersecurity frameworks, like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). And there’s a good reason to prioritize preventing data loss on email. As we’ve said, email is the threat vector security leaders are most concerned about. We’ll explain why.  📩 Inbound email security threats How can malicious external actors use email to steal data? There are many methods. Phishing—social engineering attacks designed to trick your employees into handing over sensitive data. According to the FBI, phishing is the leading cause of internet crime, and the number of phishing incidents doubled in 2020. Spear phishing—like phishing, but targeted at a specific individual. Spear phishing attacks are more sophisticated than the “bulk” phishing attacks many employees are used to. Malware—phishing emails can contain a “malicious payload”, such as a trojan, that installs itself on a user’s device and exfiltrates or corrupts data. Email DLP can help prevent criminals from exfiltrating your company’s data. 🏢 Internal email security threats While it’s crucial to guard against external security threats, security teams are increasingly concerned with protecting company data from internal actors. There are two types of internal security threats: accidental and malicious. 🙈 Accidental data loss Accidents happen. Don’t believe us?  Human error is the leading cause of data breaches. Tessian platform data shows that in organizations with 1,000 or more employees, people send an average of 800 misdirected emails (emails sent to the wrong recipient) every year. That’s two every day.  How can a misdirected email cause data loss? Misspelling the recipient’s address, attaching the wrong file, accidental “reply-all”—any of these common issues can lead to sensitive company data being emailed to the wrong person.  And remember—if the email contains information about an individual (personal data), this might be a data breach. Misdirected emails are the top cause of information security incidents according to the UK’s data regulator. We can’t forget that misattached files are also a big problem. In fact, nearly half (48%) of employees say they’ve attached the wrong file to an email. Worse will, according to survey data: 42% of documents sent in error contained company research and data 39% contained security information like passwords and passcodes 38% contained financial information and client information 36% contained employee data But, not all data loss incidents are an accident.  🕵 Insider threats  Employees or contractors can steal company data from the inside. While less common than accidental data loss, employees that steal data—or simply overstep the mark—are more common than you might think. Some employees steal company data to gain a competitive advantage in a new venture—or for the benefit of a third party. We covered some of these incidents in our article, 11 Real Insider Threats. But more commonly, employees are breaking the rules for less nefarious reasons. For example, employees send company data to a personal email address for convenience. For example, to work on a project at home or on another device. Sending unauthorized emails is a security risk, though. Tessian platform data shows that it occurs over 27,500 times per year in companies with 1,000 employees or more. And, while – yes – it’s often not done maliciously, the consequences are no less dire, especially in highly regulated industries.  So, how do you prevent these things from happening?  ➡ Email DLP solutions to consider Research shows that the majority of security leaders say that security awareness training and the implementation of policies and procedures are the best ways to prevent data loss. And both are very important.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But – as well-intentioned as most employees are – mistakes still happen despite frequent training and despite stringent policies. That means a more holistic approach to email DLP – including technology – is your best bet.  Broadly, there are two “types” of DLP technology: ruled-based DLP and machine learning DLP. 📏 Rule-based email DLP Using rule-based DLP, IT administrators can tag sensitive domains, activities, or types of data. When the DLP software detects blacklisted data or behavior, it can flag it or block it. Like training and policies, rule-based DLP certainly has its place in security strategies. But there are limitations of ruled-based DLP. This “data-centric” model does not fully account for the range of behavior that is appropriate in different situations. For example, say an IT administrator asks email DLP software to block all correspondence arriving from “freemail” domains (such as gmail.com), which are often used to launch cyberattacks. What happens when you need to communicate with a contractor or customer using a freemail address? What’s more, rule-based DLP is very admin-intensive. Creating and managing rules and analyzing events takes a lot of time, which isn’t ideal for thinly-stretched security teams.  Want to learn more? We explore situations where rule-based DLP falls short. For more information, read The Drawbacks of Traditional DLP on Email. 🤖 Machine learning email DLP Machine learning email DLP is a “human-centric” approach. By learning how every member of your company communicates, machine learning DLP understands the context behind every human interaction with data. How does machine learning email DLP work? This DLP model processes large amounts of data and learns your employees’ communications patterns.  The software understands when a communication is anomalous or suspicious by constantly reclassifying data according to the relationship between a business and customers, suppliers, and other third parties. No rules required.  This type of DLP solution enables employees to work unimpeded until something goes wrong, and makes preventing data loss effortless for security teams.
💡 Learn more about how Tessian’s email DLP solutions Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our contextual machine learning models have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real-time if particular emails look like they’re about to be sent to the wrong person or if an employee has attached the wrong file. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. And, finally, Tessiden Defender prevents inbound threats, like spear phishing, business email compromise, and CEO fraud.  To learn more about data exfiltration and how Tessian uses machine learning to keep data safe, check out our customer stories or talk to one of our experts today. You can also subscribe to our monthly newsletter below to get more updates about DLP, compliance, spear phishing, industry trends, and more. 
Human Layer Security Spear Phishing DLP Compliance
7 Ways CFOs Can (And Should) Support Cybersecurity
By Maddie Rosenthal
29 July 2021
We’ve said it before and we’ll say it again: cybersecurity is a team sport. That means that (like it or not) the responsibility and burden sits with everyone, including the Chief Finance Officer (CFO).  That’s right: quantifying cyber risk, navigating cyber insurance policies, and negotiating ransom with hacking groups can all be part of the job spec.  If you’re a CFO who’s struggling to understand their role in cybersecurity, keep reading. We share 7 opportunities to get involved and protect your company’s assets.  Note: Every company is different. Size, revenue, industry, and reporting structures all play a role. This is general advice meant to provide a bird’s eye view of a CFO’s potential involvement in cybersecurity. 1. Quantify risk It can be hard for the C-suite to see the value of a solution when they haven’t yet experienced any consequences without it. As the saying goes, “If it ain’t broke, don’t fix it”.  That’s why it’s so important CFOs step in to quantify risk using specific “what-if” scenarios. The most basic formula is: probability x expected cost. Let’s use the example of an email being sent to the wrong person. We know at least 800 misdirected emails are sent every year in organizations with 1,000 employees. The expected cost, of course, depends on the email content and recipient, but let’s look at the worst-case scenario. What would the cost be if your press release for an upcoming, highly confidential merger and acquisition landed in a disgruntled former employee’s inbox? How would this impact the M&A itself? The company’s reputation? Revenue? Not a risk worth taking. Learn more about the key security challenges organizations face during M&A events. 2. Benchmark spending against other organizations Just like a marketing team should use a benchmark to determine whether or not their email list is engaged, CFOs should use a benchmark to determine how much they should be spending on cybersecurity. Think of it as your North Star. Fortunately, it’s relatively easy to determine how much your competitors or industry mavericks are shelling out. At least if they’re publicly traded.  A good place to start is their S-1. Here, you’ll be able to see what percentage of the company’s revenue goes towards Sales and Marketing, Research and Development, and General and Administrative.  This should give you a good idea of how to allocate your revenue.  You can also look at more general benchmark reports. For example, according to a Deloitte study, cybersecurity spending has increased YoY, from .34% of a company’s overall revenue in 2019 to .48% in 2020.  In 2020, that equated to $2,691 per full-time employee.   Bonus: Did you know you can also benchmark your security posture against your industry peers with Tessian Human Layer Security Intelligence? Learn more.  3. Vet cyber insurance policies Today, virtually every business needs cyber liability insurance. If you run a business that stores client, customer, or partner data…you need it. But it’s money wasted if you aren’t fully familiar with the policy terms. Check to make sure your first-party cyber insurance includes: Breach response recovery (including technical and legal advice) Forensic analysis for identifying the attack source Event management (including data recovery, PR services, and notification of clients) Cyber extortion Network/business interruption (including those that are the result of an attack on a third party) Dependent business interruption Credit monitoring services Consequential reputational loss or loss of income It’s also worth exploring third-party cyber insurance to protect your company’s assets from subsequent compliance penalties and settlement costs.  For example, Facebook settled a class-action lawsuit over its use of facial recognition technology. Illinois. The case reportedly settled for $550 million for a violation of the Biometric Information Privacy Act.  Third-party cyber insurance should include: Network security failures and privacy events Regulatory defense and penalties (including coverage for GDPR liabilities) PCI-DSS liabilities and costs Media content liability  4. Communicate with the board In a sentence, the CFO is responsible for the financial security of an organization. And, in the event of a breach, financial security simply isn’t guaranteed. Don’t believe us? Check out the consequences of a breach, according to IT leaders: !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); All of these will impact a company’s bottom line, including share value and rate of growth… two things the board doesn’t want to hear and news a CFO would hate to deliver.   But this isn’t a case of shooting the messenger. The responsibility and burden of cybersecurity sits with everyone, remember?  Post-breach, the board, auditors, and other third parties will be examining how effectively budgets were allocated to prevent the worst. That’s why it’s essential the CFO is actively involved in creating and implementing cybersecurity strategies; they have skin in the game.  5. Create secure processes for the finance team While – yes – the CFO holds the power of the purse and therefore influences the overall cybersecurity strategy, they also have a massive responsibility to secure their own team’s processes. After all, the finance department is one of the most targeted, specifically by invoice fraud, wire transfer fraud, and business email compromise.  Between June 2016 and July 2019, FBI statistics show that wire transfer fraud via BEC occurred 166,349 times, and cost businesses over $26 billion. In 2019, the number of bank transfer phishing scams occurring in the UK increased by 40%. In 2017, the FBI received 15,690 complaints about BEC (primarily involving wire transfer), resulting in over $675 million in losses. In 2019, this increased to 23,775 complaints and over $1.7 billion in losses. To protect against these incidents, CFOs should work with security teams to help train employees to spot scams, implement email security software to spot suspicious domains, and create fool-proof payment validation processes. For more tips, check out this article: Everything You Need to Know About Wire Transfer Phishing. 6. Negotiate ransom in the event of a ransomware attack  This is a position no CFO wants to be in. But, more and more, we’re seeing organizations being forced to comply with cyber criminals’ extortion demands. (7 Examples of Ransomware Attacks here.) While this may seem far beyond the scope of a finance director’s role, they’re heavily involved in the process. Of course, the first question to answer is: To pay? Or not to pay? This depends on an infinite number of factors, including the data being held, the hacking group who infiltrated the network, your cyber insurance policy, the company’s liquid assets….  The list goes on.  To avoid being put between a rock and a hard place, CFOs (along with the rest of the C-Suite and security team) should take prevention seriously, including anti-malware software, patching processes, and security for email, web, and other services. Tessian can help with email by preventing ransomware attacks at the source. 7. Know how to spot a phish CFO’s are generally among the most frequently targeted by phishing attacks. They’re also frequently impersonated. It makes sense. They have access to and control over the company’s money. It’s essential, then, that CFOs are especially vigilant, know how to spot a spear phishing attack, and know what to do if they suspect an email, text, or call is malicious.  Training, technology, and processes can help. If you want to learn more about how Nudge theory plays a role, check out this article about in-the-moment warnings. Looking for more resources? Check out the following: ⚡ Relationship 15: A Framework to Help Security Leaders Influence Change ⚡ CEO’s Guide to Data Protection and Compliance ⚡ Who Are the Most Likely Targets of Spear Phishing Attacks? ⚡ Why Information Security Must Be a Priority for GCs in 2021
Human Layer Security
5 Challenges Enterprise Customers Face With Security Vendors
By Will Patterson
27 July 2021
When our three  founders, Tim, Ed, and Tom conceived of a company initially called “CheckRecipient” in their London apartment, the path to working with the largest and most prestigious companies on the planet would have felt a long way away.  Yet here we are, 9.5 years later, already growing our base of Fortune 500 customers while plotting our journey to 50k+ employee companies and beyond.
Of course, regardless of the size of our customers, our mission is the same. We continue to empower people to do their best work, without security getting in the way. But working relationships between customers and vendors change when you go upmarket. Based on my experience of working with our largest customers, here are five challenges enterprise customers face with security vendors, and tips to help CISOs and Heads of Infosec carefully navigate the often rewarding (and always noisy) world of vendor partnerships. Vendors, vendors everywhere… So you’re a CISO at a prestigious bank, law firm, or healthcare company.  Every security vendor under the sun wants a piece of your time. This is exhausting. And frequently counterproductive. Don’t they know you also have a job to do? So, what do you do about it? Go to every meeting your vendors book in and try to work around it? Go completely quiet on all your vendors and hope that you’re getting value from the partnerships anyhow? We’ve learned with our customers that it’s worth taking control of this situation early on. 1. Categorize your vendors into a quadrant based on the current value you’re seeing and their potential value. Work with your team to sketch out a framework for current value, and then challenge your vendors to supply you with the telemetry to feed that framework. Potential value is more of a judgement call, but here are a list of questions you may want to consider.  How fast is the vendor growing?  How innovative is their roadmap?  How many of their products/services are we currently not using that we could be?  By the way, this quadrant will also be really useful when it comes to budgeting season and renewal conversations with your vendors…  Think very critically about whether you should be continuing to partner with your “Low Performers”.
2. Based on the quadrant, communicate with your vendors how often you need to connect with them. (If you want to go a step further, you can even take the lead on scheduling so meetings go in at convenient times for you.). For example, you may want to meet with your magic quadrant and high potential vendors quarterly, but the “Steady Eddies” may only require your attention once a year. Longer time to value They say that time heals all. But in SaaS, time is the biggest killer for momentum, engagement, and ultimately ROI.  That’s why the onboarding process is critical to the long-term success of a partnership.  There’s two determining steps for onboarding:  Internal Processes: For the enterprise, there is plenty of red tape and change management when it comes to deploying new tech. The most successful deployments I’ve seen involved a proactive CISO or Head of Infosec pulling as much process management forward as possible. Technical Deployment Considerations. Rome wasn’t built in a day. Likewise, enterprise tech teams will often adopt a 1-9-90 approach to deployment (e.g. a pilot 1% group of friendly users getting the tech initially, then 9%, then the rest). Those security leaders who agree on and stick to a deployment plan, encourage deployment project leads to connect regularly with the vendor, and ensure roadblocks are identified and escalated early are the most successful.  Support tickets and feature request prioritization I’ve seen support processes and feature requests work really well and in all such cases, the key is communication. Encourage your technical leads to agree up front with your vendors how best to flag high priority tickets. It’s worth keeping oversight on this to ensure it aligns with what’s strategically important to you. This is the hymn sheet that both parties can sing from when it comes to escalation and helps everyone involved avoid the old fashioned (and slightly anarchical) “who shouts the loudest” method of prioritization. The same goes for feature requests. Agree a process for tracking these and allocating a scale all the way from “deal breaker” to “nice to have” (and what’s needed now vs in the future). Strength in numbers As 1997 UK trip-hop band Olive (niche reference?) once sang: “You’re not alone”. No enterprise CISO Head of Infosec is an island. There’s often a temptation to hoard ownership of the partnership with a vendor to prevent those pesky folks running wild throughout your business. In practice, this probably achieves the opposite effect. Our most successful Tessian customers involve a broad set of stakeholders in the ownership of the vendor partnership and outsource some of the heavy lifting of demonstrating the product ROI to the vendor’s CSM. For example, at Tessian, stakeholders from the security function, IT, HR, compliance, and legal will all have a say in the successful implementation of the product. The exact same process is going on internally at Tessian, with exec sponsors, product managers, CSMs, and account executives all aligned to each enterprise account.  Integration is king (and consolidation is… prince?) Finally, the enterprise space is becoming increasingly cluttered with more and more vendors seemingly popping up every day.  You may find yourself looking at the 10s or even 100s of vendors they partner with and asking, “Do I actually feel more secure?”. It’s a fine balancing act between the skyscraper of layered defenses and the modest bungalow of a lean stack.  And the wire that connects these two buildings is – you guessed it – integration. Now, I dislike the cliche of “Make 1+1=3” (it doesn’t). But pushing your key vendors to integrate will not only improve the value you get out of them individually, it will also bring clarity to any overlap or redundancies in functionality between them. Any opportunity to trim down bulky incumbent contracts where another vendor can pick up the slack has to be considered a win. I’d emphasize that this refers to integration not just in terms of functionality, but also reporting. Over half of our enterprise clients have already enabled the SIEM API to create a “single pane of glass” view of insights that becomes tool agnostic.  For example, Investec joined us for a webinar to explain how they’re using Splunk to centralize and correlate their Tessian reporting with other tools. You can check out a summary of their tips here]. Conclusion   If you’ve made it this far I commend your ability to put up with my penchant for a metaphor… Increasingly, we’re moving away from the classic, client-vendor relationships and towards a more symbiotic model of shared goals. This is vastly more conducive to getting holistic value for what you pay for.  The bottom line: the foundation for any halfway decent partnership is good communication. That’s not “communication” in the sense of spending hours on calls with a vendor every day. What it does mean is early alignment with them on what it is you hope to achieve through working together – that way we all really are singing from the same hymn sheet 🎼
Page