Data Loss Prevention Human Layer Security
Guide: How to Stop Data Loss Across 1 Million New Offices
By Maddie Rosenthal
28 May 2020
Now more than ever, security, IT, and compliance leaders are leaning on each other for support in navigating new challenges around remote-working. And, why wouldn’t they? While some organizations have operated virtually for months and even years before the outbreak of COVID-19, others had never operated a remote workforce. That means they’ve had to – very quickly – equip their teams with new devices and tools, implement new policies and procedures, and update security stacks. Of course, they’re doing all of this while trying to maintain “business as usual” which means trying to monitor and prevent data loss company-wide. That’s exactly why we’ve been hosting virtual events: to pool the wisdom of experienced security and IT leaders and share back with the broader community While you can access our library of webinars here (and register for our next virtual event here), we’ve compiled key takeaways below from our most recent webinar: How to Stop Data Loss Across 1 Million New Offices.  Here’s the actionable advice from Mark Settle, the former CIO of Okta and Karl Knowles, the Global Head of Cyber at HFW.
1. Prioritize email Even with collaboration tools like Slack, email is still King. Or, as Mark put it “email is the central nervous system of almost every company. You really can’t escape it”. Over 124 billion emails are sent and received everyday and employees spend 40% of their time on email. And, when you consider what’s being sent back and forth in emails (spreadsheets, invoices, client information, and other structured and unstructured data) it’s no wonder IT and security leaders consider it the number one threat vector for data loss. Whether it’s a disgruntled employee purposely exfiltrating data or a negligent employee who accidentally sends sensitive information to the wrong person, email is a leaky pipe.  Interested in learning more about how data is lost on email? Read this blog: A Complete Overview of DLP on Email. 2. Clearly communicate what constitutes “data loss” It’s employees who have to take on the role of protecting a company’s most important asset: data. But, unfortunately, many are blissfully unaware of what’s actually considered a data loss incident. It’s not their fault. It’s up to IT leaders – especially now as employees are adjusting to their new work environments – to really communicate what data is sensitive and how that data must be handled.  While those working in Healthcare or Financial Services may be well-versed in what data can and can’t be stored and shared, because of industry-specific compliance standards, the “average” professional may not be. For example: if you don’t tell employees that sending company data to their personal email accounts is considered unauthorized and could lead to a data breach, they’ll never know that they shouldn’t do it. Likewise, many employees don’t realize that sending an email to the wrong person could be classified as a data loss incident.  3. Don’t blame employees, empower them As we’ve said, employees are the gatekeepers of a company’s most sensitive systems and data. But, many aren’t familiar with security best practices or the implications of a breach. And, beyond that, many simply don’t have the necessary tools to work securely. It’s up to IT and security leaders to empower them to do so. How? According to Karl, it comes down to training and technology.
4. Re-think security awareness training Earlier this year at the world’s first Human Layer Security Summit, Mark Logsdon, Head of Cyber Assurance & Oversight at Prudential, explained there are three fundamental problems with training: It’s boring It’s often irrelevant It’s expensive Karl Knowles and Mark Settle shared many of these sentiments. The bottom line is: In order for training to be effective, it has to really resonate. And, for it to really resonate, employees have to understand the who, what, and why behind security policies and procedures. They recommend using different methods and mediums to communicate risks and preventative strategies and – perhaps most importantly – ensure you aren’t overloading them. That means breaking complex subjects down into more manageable pieces and translating technical jargon and concepts into language that’s easier to understand. Top Tip from Karl: Nominate Cyber Champions as a way to gamify training and encourage a positive security culture.  5. Know the limitations of rule-based DLP solutions and invest in technology that proactively adapts DLP isn’t just a challenge now that workforces are remote. It’s been a consistent pain point for IT and security teams for a long time and for several reasons. One of the biggest problems around DLP is that rule-based solutions aren’t adaptive. Not only are they admin-intensive to set-up, but they’re virtually impossible to maintain. You can read more about The Drawbacks of Traditional DLP on Email on our blog.  Learn more about Why DLP is Failing in Tessian’s latest report: The State of Data Loss Prevention 2020. That’s why Karl and Mark recommend investing in technology that’s fast and evolving. The technology is machine learning. Tessian’s DLP solutions (Tessian Enforcer and Tessian Guardian) are powered by machine learning which is why Karl – a customer – considered Tessian an extension of his cyber team.
Interested in learning more about how Tessian can help you detect and prevent data loss wherever your employees are working? Book a demo. And, for more advice, keep up with our blog, LinkedIn, and Twitter for guides, industry news, and events. 
Data Loss Prevention Human Layer Security
The State of Data Loss Prevention 2020: What You Need to Know
28 May 2020
Today, Tessian released The State of Data Loss Prevention 2020, a comprehensive report that explores new and perennial challenges around data loss prevention.
Our findings reveal that data loss on email is a bigger problem than most realize, that remote-working brings new challenges around DLP, and that the solutions currently deemed most effective may actually be the least. Why does this report matter? IT, security, and compliance readers have a lot to gain by reading this report. To really understand why, we have to look at the current landscape. Insider threats are a growing problem While email threats from external bad actors (like spear phishing and business email compromise) dominate headlines, email threats from insiders are steadily rising. In fact, there’s been a 47% increase in incidents over the last two years. This includes accidental data loss and deliberate data exfiltration. According to Verizon’s 2020 Data Breach Investigations Report “It is a bit disturbing when you realize that your employees’ mistakes account for roughly the same number of breaches as external parties who are actively attacking you.” The DLP market is booming and is on track for significant growth. Why? Because it’s one of the top spending priorities for IT leaders with 21% planning to acquire DLP tools within the next year.  Remote-working makes DLP even more challenging Over the last eight weeks, workforces around the world have transitioned from office-to-home. That means the perimeter has disappeared and past strategies have become obsolete. COVID-19 has been deemed a “field day for Insider Threats”. There are more opportunities than ever for employees to exploit privileged access to data, working from home can reduce the vigilance of employees handling confidential data, and there’s been a marked increase in COVID-19 phishing attacks. While some organizations will encourage their employees to migrate back to offices, many (including Facebook) have already opted to maintain remote-working set-ups.  Interested in learning more about the methods and motives of Insider Threats? Read our blog: What is an Insider Threat? Insider Threat Definitions, Examples, and Solutions. The implications of a data breach are far-reaching  The consequences of a data breach aren’t limited to lost data and revenue loss. Organizations also experience a 2-7% churn rate after a breach. Data privacy regulations add insult to injury. In the first quarter of 2020 alone, GDPR fines totaled nearly €50 million. But, we had to look beyond third-party research and conduct our own.  What will I learn? We analyzed Tessian platform data and commissioned OnePoll to survey 2,000 professionals (1,000 in the US and 1,000 in the UK) and 250 Information Technology (IT) leaders. We also interviewed IT, security, and compliance leaders about their own experiences with DLP. Here’s what we found out: !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
Data loss incidents are happening as much as 38x more often than IT leaders currently estimate. 800 misdirected emails are sent every year in organizations with 1,000 employees. 27,500 emails containing company data are sent to personal accounts every year in organizations with 1,000 employees. 84% of IT leaders say DLP is more challenging when their workforce is working remotely. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");
While 91% of IT leaders say they trust their employees to follow security policies while working from home, almost half (48%) of employees say they’re less likely to follow safe data practices when working from home. Email is the threat vector IT leaders are most concerned about. 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job and 51% say security tools and software impede their productivity.  While IT leaders believe security awareness training is the most effective way to prevent data loss, machine learning is the better option.  Dozens more insights in the full report, including segmented data around industry, company size, age, and region.  How can I access The State of Data Loss Prevention 2020? IT leaders must have visibility over how their employees are handing and mishandling data on email in order to implement effective DLP strategies.  Our report shines a light on the problems and best solutions.  You can access the full report via our microsite. And, if you’re interested in learning more, save your spot at Tessian Human Layer Security Summit on June 18.
Data Loss Prevention Human Layer Security
13 Cybersecurity Sins When Working Remotely
By Maddie Rosenthal
27 May 2020
Over the last eight weeks, security vendors, thought leaders, and even mainstream media have been offering employees advice on how to stay secure and productive while working from home. And, why wouldn’t they? The transition from office-to-home has been both sudden and challenging and the risks associated with data loss haven’t disappeared just because the perimeter has. At Tessian, we’ve created (and have been consistently updating) our own remote-working content hub filled with actionable advice for security, IT, and compliance professionals as well as employees. While you can find the individual articles below, we thought we’d combine all of the tips we’ve shared over the last two months into one easy-to-read article. Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Ultimate Guide to Staying Secure While Working Remotely  Remote Worker’s Guide to: Preventing Data Loss Remote Worker’s Guide to: BYOD Policies  11 Tools to Help You Stay Secure and Productive While Working Remotely  Here are 13 things you shouldn’t do when working remotely from a cybersecurity perspective.  1. Don’t send company data to your personal email accounts. As many organizations have had to adopt new tools and systems like VPNs and Cloud Storage on the fly, some employees may have had to resort to sending company data to their personal email accounts in order to continue doing their job.  We understand that doing so may have been viewed at the “only option”, but it’s important to note that this is not wise from a security perspective. While we’ve written about this in detail on our blog The Dark Side of Sending Work Emails “Home”, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts. Why? Read point #5 to find out.  2. Don’t share Zoom links or Meeting IDs.  Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But, as we highlighted in our Ultimate Guide to Staying Secure While Working Remotely, there are precautions you must take in order to prevent attackers from infiltrating your calls. While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.  Importantly, this Meeting ID appears at the top of your conference window, which means if you share a screenshot of your call, anyone who sees the screenshot can access this meeting. If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join. 3. Don’t ignore warnings from IT and security teams or other authoritative sources.  Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them. But – importantly – these warnings are useless unless employees heed the advice.  Whether it’s an email outlining how to spot a phishing email or an announcement from your line manager about updating your iOS, employees should take warnings seriously and take action immediately.  4. Don’t work off of personal devices.  While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices. Note: Some organizations have adopted more flexible BYOD policies. You can learn how to combat the security risks associated with these policies on our blog. 5. Don’t action email requests without double-checking their legitimacy.  Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.  For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentialsor other personal information, get in touch with them via phone or a separate email thread before responding.  6. Don’t use weak passwords.  Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data.  If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins.  If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. 7. Don’t lose touch with your IT or security teams.  Communication – especially during periods of transition and disruption- is key.  If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected.  8. Don’t use public Wi-Fi or mobile hotspots.  Given the digital transformation, most of us rely on internet access to do our jobs. Unfortunately, we can’t connect to just any network.  The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. With that said, you should only use networks you’re absolutely confident are secure.  9. Don’t download new tools or software without approval.  IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion. Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”.  10. Don’t leave work devices or documents in plain sight.  Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too.  Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or client information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft.  Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously. 11. Don’t give hackers the information they need to execute social engineering attacks.  When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Don’t make it easier for them by sharing personal information on OOO messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.  12. Don’t be afraid to ask questions about security policies and procedures.  When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place. IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request.   13. Don’t forget the basics of security best practice.  While we’ve offered plenty of advice that’s specific to remote-working, following general security best practices will help prevent security incidents, too.  Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn’t, below are some of the basics. Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization.  If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key! What’s next? While most organizations and individuals have started to adjust to “the new normal”, it’s important to remember that, eventually, some of us will move back to our office environments. The above tips are relevant wherever you’re working, whether that’s at home, from a cafe, on public transport, or at your desk in the office. Looking for more insights on what\s next in this new world of work? We’re hosting our first virtual Human Layer Security Summit on June 18. Find out more – including the agenda for the day – here. 
Human Layer Security
7 Reasons to Attend Tessian Virtual Human Layer Security Summit
26 May 2020
On June 18, we’re hosting Tessian Human Layer Security Summit and you’re invited.  The theme? The new world of work. While businesses have flexed fast to adapt to remote-working, there are still plenty of challenges security, compliance, and IT leaders have to overcome.  That’s why we’re bringing thousands of people together from around the world – including over a dozen speakers and partners – to discuss what’s happened and (more importantly) what’s next. We know what you’re thinking: How is this virtual event different from others you’ve been invited to or attended? We’ll tell you.
1. You’ll hear from thought leaders from world-renowned institutions We believe that diverse perspectives lead to better solutions, which is why we’ve brought together such a wide range of voices from the world’s top businesses and institutions.  We’ll be welcoming security and business leaders from Amazon Web Services, The FBI, Unilever, Investec, and more and each speaker will cover a topic that demonstrates their expertise and unique point of view. So, what will they be covering? The evolving risk landscape, how new compliance standards affect business and cybersecurity strategies, challenges in preventing data loss, and how to build and maintain a happy and productive remote workforce.  2. You’ll have a chance to ask your most pressing questions around cybersecurity, remote-working, and business continuity While the agenda is jam-packed with fireside chats, presentations, and panel discussions, we’ve left plenty of time for you to voice your thoughts, too. After all, the name of the game is diverse perspectives. We’ll be opening the floor to all attendees to ask their most pressing questions and our speakers will answer them live. You can even submit your questions ahead of time by emailing [email protected] This way, you can leave the event with actionable advice related specifically to you and your organization. 
3. You’ll learn more about human-centric security strategies  The Human Element has been a buzzword throughout 2020. But, do you know how to create and implement security strategies that are human-centric? You will after this event. You’ll hear why solving the problem of human error on email is more important now than ever, how security and privacy risks have evolved as the perimeter has disappeared, and how Tessian’s Human Layer Security platform has helped Tessian customers prevent data loss incidents on email.  Want a sneak peek at what you might learn? Check out these insights from the world’s first Human Layer Security Summit.  4. You’ll be the first to know about exciting company and industry news  While we don’t want to spoil all the surprises, you should know that we’ll be announcing some very exciting news that will bring greater visibility into threats specific to your organization.  Not only will we be unveiling new technology that gives security, IT, and compliance leaders a birds’ eye view into data loss trends, but we’ll be sharing key findings from our groundbreaking research into the State of Data Loss Prevention 2020. 
5. You’ll be in good company  We hosted our first-ever Human Layer Security Summit in March where hundreds of attendees (both in-person and online) joined the conversation. This event will be even bigger. Thousands of leading C-suite executives, business leaders, and security professionals from across continents will be under the same (virtual) roof which means this event is the perfect opportunity to network and connect with the larger cybersecurity community.  Whether you’re looking for advice, allies, or future opportunities, this is your chance. 6. You don’t have to change out of your pajamas While most of us are all too familiar with challenges around remote-working, we can’t ignore that there are some benefits, too. For example: Being able to ask the former CEO of Upwork a question while sitting in your pajamas.  This is especially relevant for those tuning in from California, as the event kicks off at 7:00 AM PST. Of course, feel free to join in whatever you’re comfortable in.  7. …It’s free! Attendees have a lot to gain by joining us on June 18 and nothing to lose; the event is 100% free.  All you have to do is register now to save your spot and tune in on the day.  Can’t make it on June 18? Don’t worry! By registering, you’ll have on-demand access to watch the full series of keynotes, panel discussions, and more after the live session.
Data Loss Prevention Human Layer Security
What is an Insider Threat? Insider Threat Definition, Examples, and Solutions
By Maddie Rosenthal
15 May 2020
While cybersecurity policies, procedures, and solutions are often focused on cybercriminals outside of the organization, more and more often, it’s people inside the organization who are responsible for data breaches. In fact, there’s been a 47% increase in incidents over the last two years; this includes accidental data loss and deliberate data exfiltration by negligent or disgruntled employees or contractors. This is a big problem, especially considering the global average cost of an insider threat is a whopping $11.45 million.  So, what is an insider threat and how can organizations protect themselves from their own people?
Importantly, there are two distinct types of insider threats, and understanding different motives and methods of exfiltration is key for detection and prevention. Types of Insider Threats The Malicious Insider
Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor using valuable information (like Intellectual Property, Personally Identifiable Information (PII), or financial information) for personal gain. What’s in it for the insider? It depends. Financial Incentives Data is valuable currency. Case in point: data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web. Whether it’s a list of customer email addresses or trade secrets, bad-intentioned employees with privileged access to systems and networks can cause serious damage to an organization’s bottom line and reputation. Competitive Edge It’s not uncommon for employees to download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed. While this isn’t always malicious (they could simply be adding a project to their portfolio), it certainly can be. For example, an exiting employee could take customer lists or trading algorithms to a new employer.  The prevalence of these incidents varies greatly by industry. Unsurprisingly, highly competitive industries like Finance Services, Government, and Entertainment have the highest percentage of occurrences.  The Negligent (or Unaware) Insider 
Negligent or unaware insiders are just your “average” employees doing their jobs. Unfortunately, to err is human, which means people can – and do – make mistakes. While there are a number of ways employees can mishandle data, the common thread here is that data leaks are unintentional.  Sending a misdirected email Data emailed to the incorrect recipient is the second most reported cause of data breaches. And, while it’s unintentional, the implications can be far-reaching, especially for those organizations that are bound to compliance standards or data privacy regulations. Think about it: emails contain structured and unstructured data in either the body copy, as attachments, or both. In certain industries – like healthcare and financial services – the likelihood of email communications containing sensitive information is even greater.  Falling victim to a phishing or spear phishing attack Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. If the attack is successful – meaning the target (an employee) falls for the scam – there could be serious consequences.  If you want more information, read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies. Losing your work device(s)   Whether it’s a mobile phone, laptop, or tablet, losing a work device could lead to a data breach, especially if the device is left unlocked.  How can I protect against Insider Threats? While organizations are certainly aware of the risks around insider threats, preventing breaches caused by malicious or careless employees is a challenge. Why? Because to detect and prevent threats, IT, security, and compliance teams have to maintain full visibility over data – both digital and physical – including who has access to it. This is no easy task. You must consider all the different perimeters (networks, endpoints, and email), take stock of the massive amount of data that your organization handles, and identify all of the employees, contractors, and other third-parties who have access to that data.  From there, it comes down to training, monitoring (both digital and physical), and the implementation of security policies, procedures, and tools.  Training Education is one of the first steps in prevention, which means malicious and accidental insider threat awareness should be incorporated into periodic security training for all employees. While training won’t prevent those with nefarious intent from exfiltrating data, it will help build a positive security culture in which employees outside of IT and security teams will know how to identify an insider threat.  Beyond that, making employees aware of the dire consequences of mistakes on email will help encourage safe and secure data handling. Monitoring Today, most sensitive data is stored on networks, devices, and the cloud, which means controlled access is absolutely essential. But, if an individual has legitimate access to a system or network, how can IT or security teams know if and when they’re exfiltrating data? Monitoring.  Telltale signs of an insider threat include: Large data or file transfers Multiple failed logins (or other unusual login activity) Incorrect software access requests Machine’s take over Abuse by Service Accounts   Of course, insider threats can still steal physical data like sensitive documents. This is one reason why controlled access to buildings and even certain offices is just as important as network security.  Security Policies, Procedures, and Tools Many organizations look to Data Loss Prevention (DLP) strategies to help mitigate risk around insider threats.  Solutions include: Firewalls Endpoint scanning Rule-based systems Anti-phishing software Machine learning technology  Unsure what exactly DLP is? Read this article: A Complete Overview of DLP. What is the best Insider Threat Solution? While there are a number of ways in which malicious or careless employees can exfiltrate (or otherwise lose) data, email is no doubt the number one threat vector.  Billions of email messages are sent every day to and from organizations and many of these emails contain highly sensitive information including personal details, medical records, intellectual property, and financial projections. That means that in order to have a chance at detecting and preventing insider threats, organizations must look at securing email communications. But, traditional DLP solutions for email fall short and today, machine learning technology is the only way to prevent data loss and data exfiltration.  In fact, Tessian was recently recognized as a Cool Vendor in Gartner’s Cool Vendors in Cloud Office Security report. Why? Because, through a combination of machine intelligence, deep content inspection of email, and stateful mapping of human relationships, Tessian’s Human Layer Security Platform prevents misdirected emails and intentional (and malicious) attempts at data exfiltration.  How does Tessian detect and prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and misdirected emails.  Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.  Tessian Enforcer detects and prevents data exfiltration attempts by: Analyzing historical email data to understand normal content, context, and communication patterns Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs  Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like data exfiltration. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior Alerting users when data exfiltration attempts are detected with clear, concise, contextual warnings that reinforce security awareness training Tessian Guardian detects and prevents misdirected emails by: Analyzing historical email data to understand normal content, context, and communication patterns Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs  Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like it’s being sent to the wrong person. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior Alerting users when a misdirected email is detected with clear, concise, contextual warnings that allow employees to correct the recipients before the email is sent
Compliance Human Layer Security
Two Years Later: 3 Ways GDPR Has Affected Cybersecurity
By Maddie Rosenthal
14 May 2020
This month we celebrate the two year anniversary of the General Data Protection Regulation (GDPR). While the road to compliance hasn’t been easy for organizations in Europe and beyond, it’s clear this benchmark legislation has been a step in the right direction for data rights, privacy, and protection.  It’s also had a big impact on cybersecurity. Not only is cybersecurity now considered business-critical – which is big news for an industry that has historically struggled to communicate its value and ROI – but we’ve seen incredible innovation in security solutions, too. Read on to learn more about how GDPR has affected cybersecurity or, for more context around GDPR and its implications, read GDPR: 13 Most Asked Questions + Answers.  1. Cybersecurity is now a business enabler  While cybersecurity has historically been a siloed department, data privacy regulations and compliance standards like GDPR have helped prove the business value of a strong cybersecurity strategy.  To start, cybersecurity solutions help organizations stay compliant by preventing data breaches. This isn’t trivial. While the fines under these new compliance standards are hefty (GDPR fines totaled nearly €50 million in the first quarter of 2020 alone), the implications of a breach extend far beyond regulatory penalties to include: Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation It’s no surprise, then, that the UK’s cybersecurity sector has grown by 44% since GDPR was rolled out. But, cybersecurity solutions don’t have to be limited to prevention or remediation. In fact, cybersecurity can actually enable businesses and become a unique selling point in and of itself. Now that data protection is top of mind, those organizations that are transparent about their policies and procedures will have a competitive advantage over those that aren’t and will gain credibility and trust from prospects and existing customers or clients. 
2. IT leaders are engaging with (and depending on) employees more often While cybersecurity teams are responsible for creating and implementing effective policies, procedures, and tech solutions, data protection is the responsibility of the entire organization. Why? Because data loss is a human problem with 88% of breaches being caused by human error, not cyberattacks. The fact is, employees control business’ most sensitive systems and data, and one mistake – whether it’s a misdirected email or a misconfigured firewall – could have tremendous consequences. That means accountability is required company-wide in order to truly keep data secure and stay compliant.  But, education is the first step in prevention which is why there’s express advice contained within the GDPR to train employees. Importantly, though, training has to actually cut through and stick, which means IT leaders are working hard to effectively communicate risks and responsibilities. Of course, anyone in a cybersecurity leadership position knows this is no easy task.  The key is to ensure training is aligned to the individual business, starting with the people in it and their attitudes towards security. Not sure where to start? Watch Mark Lodgson, Head of Cyber Assurance and Oversight at Prudential, talk about how he measures cyber culture within his organization. 3. The DLP market is booming  Post-GDPR, organizations are spending more than ever to protect their systems and data, and, unsurprisingly, one of the top spending priorities for IT leaders is data loss prevention (DLP). While the DLP market is keeping up with demand (DLP market revenues are projected to double from $1.24 billion in 2019 to $2.28 by the end of 2023), data loss prevention remains a pain point for most senior executives because, well, most DLP solutions don’t work. According to a new report from 451 Research “DLP technology has developed a reputation as much for inaccuracy, false positives, and poor performance as it has for protecting data.” The shortcomings of DLP solutions are reflected in the number of incidents of data loss and data exfiltration being reported, too, up 47% over the last two years. The problem is that most DLP solutions rely on rules to detect and prevent incidents and most rules cannot effectively be managed by people. It’s too time consuming and complex to update them in tandem with evolving human relationships and compliance standards. But, there’s a better way: machine learning. In fact, Tessian was recently recognized as a Cool Vendor in Gartner’s Cool Vendors in Cloud Office Security report. Why? Because, through a combination of machine intelligence, deep content inspection of email, and stateful mapping of human relationships, Tessian’s Human Layer Security Platform turns your email data into your biggest defense against email security threats.  To learn more about how Tessian uses machine learning to prevent data loss on email, click here.  What’s next? GDPR is just the beginning and the CCPA enforcement date is looming. Are you prepared? Find out on our blog: 5 Things Every CISO Should Know About CCPA’s Impact on Their InfoSec Programs.
Human Layer Security
Tessian Named a Gartner Cool Vendor
12 May 2020
We are thrilled to be recognized as a Cool Vendor in the recently published Gartner Cool Vendors in Cloud Office Security report. To us, being named a Gartner Cool Vendor is an honor. Vendors recognized in the report are interesting, new, and innovative. In the report Gartner explains, “as cloud office suite adoption becomes nearly universal, security and risk management leaders must explore ways to protect sensitive information from risks and threats.” Gartner adds that “security and risk management leaders should recognize that cloud office security technology is evolving and converging in sometimes unpredictable ways” and that “the gaps in cloud office technology convergence often result in incomplete data protection and multiple perspectives to data visibility.” The report further states, “the vendors included in this Cool Vendors report focus specifically upon securing applications, communication and data that occur within cloud office environments.”
Tessian recognized as a Cool Vendor in May 2020 Cool Vendors in Cloud Office Security report Tessian is the world’s first Human Layer Security platform that protects organizations from human layer security threats on email.  By turning your email data into your biggest defense, Tessian prevents inbound and outbound email threats caused by human error. Tessian defends against accidental data loss, data exfiltration and insider threats, in addition to defending against advanced inbound threats like business email compromise, spear phishing and other targeted impersonation attacks. Tessian’s machine learning technology turns your email data into intelligence, transforming your most vulnerable endpoint – your employees – into a trusted security asset by taking human error out of the equation.  Tessian Human Layer Security Prevents Human Error on Email Employees control business’ most sensitive systems and data. Whether it is someone in your finance department who oversees billing and banking platforms, or someone in your HR department who controls employee social security numbers and compensation plans — they are the first and last line of defense; the gatekeepers of digital systems and data. This is what we call the Human Layer. And people’s propensity to make mistakes, break the rules, or be hacked are Human Layer Vulnerabilities. These vulnerabilities can cause big problems. In fact, they’re the number one cause of data breaches: 88% of data breaches reported to the UK’s Information Commissioner’s Office (ICO) are due to human error. To prevent today’s Human Layer Security threats on email, your security controls must understand human behavior. Through a combination of machine intelligence, deep content inspection of email and stateful mapping of email relationships, Tessian turns your email data into your biggest defense against email security threats.  We call it Human Layer Security. What does this mean for security leaders? Our stateful machine learning allows Tessian to understand changing human behavior over time with high accuracy. This means employees experience fewer notification rates and false negatives. Tessian can be deployed in minutes, integrates with O365, Exchange and G-Suite environments and it automatically starts preventing threats within 24 hours of deployment.  Tessian is trusted by world-leading businesses like Arm, Man Group, Evercore and Schroders to protect their people on email. Gartner subscribers can view the Cool Vendors in Cloud Office Security Link.
Data Loss Prevention Human Layer Security
451 Research: Tessian Uses Machine Learning for Better DLP
11 May 2020
According to a new report from 451 Research, “the DLP market is ripe for change” and Tessian could be the next-generation solution organizations need to detect and prevent both inbound email attacks and outbound email threats.  Key findings from the report include: DLP is ranked at the top of a list of over 20 security categories that are expected to see a “significant” increase in spending in the next 12 months Tessian uses stateful machine learning across four different products to prevent human error on email with use cases for both inbound and outbound email threats including anti-phishing and advanced impersonation attacks, accidental data loss, and malicious data exfiltration Tessian is both complementary and competitive to traditional DLP offerings 
DLP: An Unsolvable Problem While the DLP market is saturated with products – from traditional DLP vendors like Broadcom, McAfee, Forcepoint, and Digital Guardian to newer entrants like ArmorBlox, Altitude Networks, and Code42, the consensus is that DLP is, in many ways, failing. According to the report, “DLP technology has developed a reputation as much for inaccuracy, false positives, and poor performance as it has for protecting data.” That may be why DLP remains one of the top spending priorities for IT leaders, with 13% of those surveyed by 451 Research saying they expect to see a “significant increase” in spending over the next 12 months and a further 11% saying they expect to see a “slight increase.” It’s clear organizations need a better way to prevent data loss.  Tessian believes it’s because DLP efforts aren’t addressing the real problem, which is that 88% of data breaches are caused by human error.   Tessian’s Approach to Data Loss Prevention Instead of focusing on the machine layer, Tessian focuses on the human layer and, in doing so, has developed the world’s first Human Layer Security platform.
Our Human Layer Security platform consists of four main products: Tessian Defender, which prevents advanced inbound attacks like spear phishing, Tessian Guardian, which prevents accidental data loss caused by misdirected emails, Tessian Enforcer, which prevents data exfiltration attempts on email. Organizations that implement any of these solutions also get Tessian Constructor, which allows admins to create blacklists, whitelists, and custom filters to ensure email usage remains compliant.  Each of these products applies stateful machine learning techniques to historical email messages (headers, body, and attachments) to understand relationships and establish normal behavior profiles that can be used to distinguish between safe and unsafe emails.  No rules required. According to 451 Research, Tessian succeeds in preventing data loss where others fall short.  “While [most existing DLP tools] are good at finding personally identifiable information (PII), finding and blocking actions such as employees sending files to a personal email account are surprisingly challenging and are quickly out-of-date, so predefined rules are not that effective.” You can read the full report here. Book a Demo By leveraging new capabilities in AI and machine learning, Tessian, according to 451 Research,“delivers more effective DLP” by preventing human error on email.  To learn more about how we prevent inbound and outbound email threats and why world-leading businesses like Arm, Man Group, Evercore, and Schroders trust Tessian to protect their people on email, book a demo.
Human Layer Security
Ed Bishop Joins SecureWorld “Emerging Threats” Panel
27 April 2020
The number of cybersecurity threats is growing every day, increasing the need for comprehensive security monitoring, analysis, and communication. With the sudden explosion of remote workers, we are encountering even more challenges and reasons for concern. The attackers are taking full advantage in these trying times, and it is critical for the security community to pool our collective intel on the shifting threat landscape. On April 16 2020, Ed Bishop, co-founder and Chief Technology Officer of Tessian, joined a SecureWorld panel of industry leaders — Erich Kron, Security Awareness Advocate for KnowBe4, Elvis Chan, Supervisory Special Agent from the FBI, and Mark Lance, Senior Director of Cyber Defense for GuidePoint Security — to discuss emerging threats being experienced in the wild, and strategies for staying ahead of cybercriminals. The panel was hosted by Bruce Sussman, Director of Content and host of weekly podcast, The SecureWorld Sessions. Listen to the full session below:
Below is a truncated transcript of Ed’s responses to Bruce’s questions. Bruce Sussman:  What do you see as new or growing security vulnerabilities in the rush to work remotely? Ed Bishop:  Yeah, I was just going to chip in and just say with the work from home I think it’s really important to highlight how much of a change this is for the individuals as well. It’s not just about the technology. People’s lives have been turned upside down and everything is super uncertain. And what we’re seeing is people are just trying to take advantage of that with COVID-19-related attacks. They’re specifically targeting that uncertainty and the fact that people’s technology stacks are changing and that they’re expecting to get emails about new video conferencing or VPN software, and I just think it’s important to bring it back to thinking about the people or the end users and not just focusing on the technology and really this is where we’re going to stop getting security vulnerabilities. People just attacking that uncertainty and taking advantage of it. Bruce Sussman:  What do you see as current or emerging human-caused security risks on email? Ed Bishop:  We’re seeing a lot of emerging threats. I actually think it’s interesting because I think maybe a lot of these threats have existed for a long time, and it’s just been considered the cost of doing email. If you want to send email, you need to open yourself up to phishing attacks and you need to open yourself up to data exfiltration etcetera. And it’s only recently in the last five years that we’ve been thinking about this as the real threat and then we’re seeing these threats get more and more advanced. And that’s why I think we’re seeing the emergence of the term emerging. So yeah I think you break it down into how to think about a new threat… it’s about the Human Layer. People make mistakes on email so that means you can basically just accidentally send an email to absolutely anyone with very sensitive information. That’s one of the number one reported data incidents to Information Commissioner’s office in the UK. People break the rules and this is around all kinds of data exfiltration. It’s about doing things on email that they’re not supposed to do. And then finally what we’ve just been discussing is people can get tricked into this and we’re seeing this a lot with COVID-19 attacks. But specifically this is all about Human Layer problems. It’s about understanding how people work, it’s about understanding their behaviors, it’s understanding their historical email data sets. Really it’s the only way that you can actually go about starting to tackle these emerging trends. We believe that kind of rule-based technologies play a good job at tackling standard threats, but for the emerging threats, the advanced threats, that we’re seeing today. You really need to take a different approach and that’s about understanding people, understanding their data points and really using and leveraging technologies like machine learning to be able to tackle these advanced threats. Bruce Sussman:  What role will Artificial Intelligence play in cybersecurity and any ideas on how criminals also use AI? Ed Bishop:  Tessian obviously is a machine learning company on the defense side so we think there’s a huge role to play for AI in detecting some of these emerging threats if we just bring it back to one of the core topics of this panel: email. I would say that there’s just so much work still to be done on the defense side that attackers don’t even need to be thinking about AI on the offense side. It is quite frankly far, far too easy to send very convincing impersonation emails taking advantage of COVID-19 and just bypass existing technologies and get straight to the end user to take advantage of those human vulnerabilities and social engineering. Although we’re seeing very interesting things, I think DeepFake is a great example of where it’s truly being used on the offensive side. If we take it back to email where 91 percent of all cyberattacks originate, I think we’re going to see a lot of work on the defense side where attackers can just be using really simple phishing kits to bypass existing solutions. Bruce Sussman:  Interesting and so that’s why we have to have to the machine learning in an AI on defense. Is that what you’re saying? Ed Bishop: Exactly. I think the legacy approach to tackling things like phishing and business email compromise is really predominately like Blacklist Space, where you have to assume the attack in a number of accounts or using basic respects or rules and quite frankly it seems if you introduce rules people are going to break those rules. Rules are made to be broken and attackers are constantly playing this game of cat and mouse. So yeah it’s all about defense, it’s understanding people, it’s understanding how they operate, what normal looks like for those end users and training machine learning models then that can detect people sending advanced impersonation emails. Bruce Sussman:  Are insider threats becoming more of a danger with the pandemic? Ed Bishop:  Yeah, I think that’s a great point that’s been mentioned. Obviously data exfiltration has been painted with quite a negative kind of brush and rightly so. But data exfiltration also covers people who aren’t necessarily being malicious, but they’re just trying to do that job and accidentally essentially breaking that IT policy.  So to give you an example you’re working from home, how you’re going to print something? Are you going to go through the headache of trying to set up your home printer with your work computer even though USB is disabled, Bluetooth disabled? You know what you’re probably going to do is you’re just going to forward that email to your freemail account, go onto your personal device and print it. You just exfiltrated data. Your data maybe travel to another jurisdiction just due to that event. We are seeing a trend of not necessarily malicious data exfiltration but definitely an increase in data exfiltration because people are trying to do their job effectively. And their workforce hasn’t provided them with the technology to do that so they’re always going to just go to the path of least resistance, which is often exfiltrate data to their personal email accounts. Bruce Sussman:  There are plenty of examples where the traditional cybersecurity methods prove ineffective. Why is this and will attackers always be a step ahead? Ed Bishop:  I think it’s a great point like why does it always feel like that they’re a step ahead. Remember that I think we always try and think of it at Tessian as a numbers game for the attacker: they can send 1000 emails and they only need one email for you to click that link, or for you to wire that money. Don’t forget that they probably sent 9999 other emails that were unsuccessful. But the point is all they need is one email to be successful and that’s why you will always hear about data breaches in the news and in the press. I think bringing it back to why traditional data security methods are ineffective, it really just comes down to this the game of cat and mouse. Putting myself in the shoes of the attacker, if I can go onto a security vendor’s website and go on to that WIKI and see how to set up policies that are rule-based, what are the attackers going to do going to? They’re going to send an attack that just flies past those rules because they just got an expose what that technology is looking for and how they can prevent it. I just also highlighted another kind of, I guess, traditional cybersecurity method, which is effective to some degree: Training and Awareness. But I think far too many companies rely on that as a silver bullet and again attackers know this. They know what people are trained against, they know the types of threats that people are trained against but there are just such sophisticated attacks out there that we cannot rely on people to detect. We need technology to do a better job and really understand kind of what normal looks like and be able to spot those anomalies.
Data Loss Prevention Human Layer Security
A Complete Overview of DLP on Email
By Maddie Rosenthal
27 April 2020
Data Loss Prevention is a vital part of security frameworks across industries, from Healthcare and Legal to Real Estate and Financial Services. There are dozens of different DLP solutions on the market, each of which secures data differently depending on the perimeter it is protecting. There are three main types of DLP, including: Network DLP Endpoint DLP Email DLP While we’ve covered the topic of Data Loss Prevention broadly in our blog What is DLP?, we think it’s important for individuals and larger organizations to understand why email is the most important threat vector to secure and how Tessian approaches the problem of data loss on email differently.  
Why is DLP on email important? Billions of email messages are sent every day to and from organizations. Contained within many of these emails is highly sensitive information including personal details, medical records, intellectual property, and financial projections. Businesses, institutions, and governments rely on being able to share sensitive data with the right people how and when they want. But, at the same time, they also need to ensure data isn’t put at risk, whether through careless mistakes or intentional exfiltration.  Once data leaves your organization, you lose control of it and now, with compliance standards like HIPPA, GDPR, and CCPA, organizations face greater consequences in the event of a data breach, including:  Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation  And, with employees being busier than ever, it’s easier to make mistakes, for example typing the wrong email address when sending an email, or emailing a document to a personal account and raising the chance of that data being compromised. Interested in Why People Make Mistakes? Click the link to read our report. Importantly, though, mistakes are just one of the main causes of data loss on email.
What are the main causes of data loss on email? The biggest risk to data security usually comes from within organizations. While few employees mean their company harm, the transfer of huge amounts of information every day by busy people means that mistakes happen, some with great cost to organizations’ reputations and balance sheets. People pose three main risks to their employers: they make mistakes, they can be hacked or tricked, and they can choose to break the rules. Mistakes People regularly send the wrong thing to the right person or, alternatively, the right thing to the wrong person. This is known as misdirected email. For example, an employee who means to send a spreadsheet of financial projections to Jean Smith who works for the firm’s accounting partner, but accidentally sends it to John Smith who works for a different firm entirely. Being tricked “Bulk” phishing, malware and ransomware scams, where employees are deceived or coerced into sending data or money, are increasingly common. But a bigger threat comes from spear phishing emails; these are targeted attempts by sophisticated attackers who have researched genuine business relationships to launch highly convincing attacks. This could manifest, for example, in a cybercriminal impersonating a real supplier claiming to need urgent payment to process an order. Breaking the rules At the extreme end, this could be an employee deliberately selling company secrets to competitors. But it may also be the result of ignorance: for example, the lawyer who sends a spreadsheet to his personal email on a Friday to get some work done over the weekend. Some cases may need disciplinary procedures, others a simple reminder that this is not allowed. But every instance places data at risk and must be stopped before the information leaves the organization. All of these circumstances pose tremendous risks. Even if 99% of information sharing is secure, it only takes one rushed email to the wrong person to expose sensitive data and raise the chance of data loss or data exfiltration. DLP aims to minimize the chance of any of the above happening by catching sensitive information before it reaches the wrong person.
How can DLP for email protect an organization? Based on the main causes of data loss on email, there are two threats DLP must account for: Accidental Data Loss: To err is human. For example, an employee might fat finger an email and send it to the wrong person. While unintentional, this mistake could and has led to a costly data breach. DLP solutions need to be able to flag the email as misdirected before it’s sent, either by warning the individual or automatically quarantining or blocking it. Malicious Exfiltration: Whether it’s a bad leaver or someone hoping to sell trade secrets, some employees do, unfortunately, have malicious intent. DLP solutions need to be able to identify data exfiltration attempts over email before they happen in order to prevent breaches.
The limitations of rule-based DLP Unfortunately, DLP – especially rule-based DLP – can be a blunt instrument. These solutions include: Blocking accounts/domains Blacklisting email addresses Tagging data Not only is creating and maintaining the rules that police data within an organization time-consuming for administrators, but, oftentimes, these rules don’t succeed in preventing data exfiltration or accidental data loss. Why? New threats can evade pre-existing rules and employees or hackers can find workarounds. Rules simply don’t reflect the limitless nuances of human behavior and data loss is a human problem: it is people that share data and it is their actions that lead to data getting lost. To accurately detect when data loss is about to happen, you actually need to understand the context behind the action an employee is taking, rather than just the content that’s being shared. You can read more about the Drawbacks of Traditional DLP on Email here. How does Tessian’s email DLP solution work? While IT and security teams could work tirelessly to properly deploy and maintain rule-based DLP solutions to detect potential threats and limit the exposure of sensitive data, there’s a better, smarter way. Human Layer Security. Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our contextual machine learning models analyze historical email data to understand how people work and communicate. They have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real-time if particular emails look like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. Do I need an email DLP solution? Each organization has different needs when it comes to DLP. But, email DLP is more important now than ever, especially with misdirected emails being the number one incident reported under GDPR.  But, it’s important to consider the biggest problems in your own organization, ease-of-deployment, and internal resources when choosing a solution. If your biggest concern is data exfiltration and you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Enforcer may be right for you. If your biggest concern is accidental data loss and – again – you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Guardian might be for you.
Data Loss Prevention Human Layer Security
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
27 March 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home” It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.  Personal email accounts can be compromised, especially as they are often configured with weak passwords Email is not a default encrypted medium. If an attacker were in a position to intercept your email, they would be able to read them, and any attachments if not encrypted Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.  Public Wi-Fi vs. using a personal device as a hotspot While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.  As an employee, here’s what you can do to be safe: When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and let alert your IT team of the oversight.  Ensure you keeping VPN software on work devices up-to-date Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.  From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.  This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.  Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password. But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider: How the data is backed up Risks associated with denial of service (DOS) attacks  Legal complications that may arise from certain types of data being stored overseas Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important. Conferencing and collaboration tools Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.  We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.  For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.   
How to physically protect your devices Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.  This has the added benefit of showing clients or other professional contacts that the business takes security seriously. About that OOO message… “Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…” It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker. Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away. Top tips for businesses setting up remote-working policies…. Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight. When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them. Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake. Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout. Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions. Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments. Top tips for employees working from home… Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to. Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you. Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring. During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.  FTC online security tips for working from home NCSC issues guidance as home working increases in response to COVID-19 We’ll also continue sharing best practice tips both on our blog and on LinkedIn. 
Human Layer Security
5 Key Takeaways Tessian’s VentureBeat Webinar
By Maddie Rosenthal
27 March 2020
As a follow-up to our feature in VentureBeat’s special issue AI & Security, Tessian’s Co-Founder and CTO Ed Bishop spoke with Joe Maglitta, Senior Contributor/Analyst at VentureBeat, to dive deep into how and why we need a different type of machine learning to protect people at work on email.  While you can watch and listen to the webinar on-demand here, below are some of the key takeaways from the discussion and live Q&A that followed.  The way we work has changed and will continue to change Over the last decade, business has moved – and continues to move – towards digital interfaces. That means that email is now the main artery of communication and, importantly, where an organization’s most sensitive information is shared.  Unfortunately, email isn’t secure. It wasn’t created to be secure and – the surprising truth is – it hasn’t changed much since its inception. When you compound that with the fact that people are more connected than ever, using phones, tablets, and even watches to check and respond to emails, you can see why it’s so important that we protect people – and therefore data – on email.  This evolution towards digital interfaces has come to a head over the last several weeks as most of the world’s organizations have moved to remote-working in light of the outbreak of COVID-19.  Since the outbreak, Tessian has seen a 20% increase in the number of emails sent; that means there are more opportunities for data loss on email and opportunistic phishing attacks than ever before.
Human Layer Vulnerabilities are the cause of data breaches  Employees control business’ most sensitive systems and data, whether that’s someone in your finance department who oversees billing and banking platforms or someone in your HR department who controls employee social security numbers and compensation plans. They are the first and last line of defense; the gatekeepers of digital systems and data. This is what we call the Human Layer. And people’s propensity to make mistakes, break the rules, or be hacked are Human Layer Vulnerabilities. But, these vulnerabilities don’t cause small issues. They’re responsible for big problems. They’re the number one cause of data breaches, with 88% of data breaches reported to the UK’s Information Commissioner’s Office (ICO) being caused by human error.  This fact was highlighted in a live poll conducted during the webinar in which 40% of viewers said phishing was the security breach they’re most concerned about. This came first, followed by accidental data loss (30%) and ransomware (30%).  No one cited Denial of Services or Ransomware as their biggest concern.
IT and security leaders often don’t have visibility of the problems associated with human error within their organization While human error on email is a problem in itself, the fact that many CISOs and other executives don’t know it’s a problem makes it even more of a challenge to solve. In the second poll of the webinar, viewers were asked: “How confident are you in the measures your organization has in place to prevent data breaches caused by people making mistakes, breaking rules, or being hacked?”  Respondents were split down the middle.
But, according to Ed, confidence – especially from security leaders – is the wrong way to measure it, especially when their visibility of the problem relies on their employees repointing mistakes or other breaches. “We like to look at what the data says. When we go in and do historical analysis, we’re able to show that the number of misdirected emails is as great as 20-30 times larger than CISOs think. A 10,000-person organization will send 130 misdirected emails a week, but the CISO doesn’t necessarily know that because only a few get reported to him or her a quarter.” Human Layer Security isn’t replacing machine layer security, DLP, or training There are thousands of security products on the market. That’s in addition to the policies and procedures implemented within individual organizations. Human Layer Security isn’t a replacement for your entire security stack; it’s a vital addition. Machine layer security  – often based on rules – is still effective in detecting malware. DLP solutions for physical security are still necessary. But, for those situations that can’t be defined or covered by “if this, then that” algorithms, you need something else.  Advanced threats caused by human error like spear phishing, misdirected emails, and data exfiltration all fall into that category and the only way to solve for them is by protecting the Human Layer.
Stateful machine learning is the best way to balance security, productivity, and effectiveness  Everything involving humans is dynamic and in flux. Relationships are formed during the duration of a project and then fall away. For example, you may have worked with a counterparty a lot a year ago, but now it’d be unusual for them to email you asking for an invoice to be paid. Stateful machine learning considers all of this by combining historical data with real-time analysis to answer the question: “At this exact moment in time, for this person, and their relationship, does this behavior look unusual?” Beyond this, though, stateful machine learning and Tessian’s Human Layer Security platform do not get in users’ way; this helps balance productivity and effectiveness in a way that policies, training, removal of access and rule-based technology all do. This is key; security should empower and enable your employees, not detract from their ability to do their jobs. For more information about how Tessian uses stateful machine learning to protect people on email, read the full VentureBeat article, watch the webinar, or get in touch for a demo.
Page