Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Human Layer Security
21 Virtual Cybersecurity Events To Attend in 2021
16 April 2021
Our list of 21 cybersecurity events to attend in 2021 features premier cybersecurity summits, like the International Cybersecurity Forum in France and National Cyber Summit in the US, alongside intimate and industry-specific events (and webinars) you won’t want to miss. Many of these events are hosted online, but a lot of organizers are planning to host their conferences face-to-face. Watch out for last-minute changes as the COVID-19 situation continues to evolve. Last updated April 16, 2021 Webinar: Account Takeover is an Issue, Your SEG Isn’t Enough Date: April 28, 2021 Location: Online External account takeover (ATO) attacks are a critical issue that hit many organizations today, and it happens more often than you think. They are considered one of the security industry’s most successful attack types. In fact, here at Tessian, we are seeing more attempts at these attacks than ever before, and they’re slipping right past Secure Email Gateways (SEGs) and other legacy email security tools. In this webinar: See real-world examples of external ATO attacks from our threat intelligence team at Tessian How ATOs bypass SEGs and why users fall for them Learn what tools can help you detect and avoid ATO breaches Cost to attend: Free 11th ACM Conference on Data and Application Security and Privacy (CODASPY) Date: April 26-28, 2021 Location: Online (Possible in-person enrolment available in the US, exact location TBC) This conference, organized by the Association for Computing Machinery (ACM) Special Interest Group on Security, Audit, and Control (SIGSAC), brings together academics and industry leaders to discuss security and privacy in software development. Applications, including mobile apps, are a key vulnerability of many systems. Read our article on zero-day vulnerabilities to learn about how hackers exploit software weaknesses. Software developers attending CODASPY will learn about cutting-edge research in the cybersecurity of software applications. Cost to attend: Free IAPP Global Privacy Summit Date: April 27-28, 2021 Location: Washington DC The International Association of Privacy Professionals (IAPP) is a globally-respected coalition of lawyers, developers, consultants, and other experts. The IAPP Global Privacy Summit features over 4000 attendees, at least 125 exhibitors, and more than 250 expert speakers. Privacy and cybersecurity are intertwined, and your business neglects on to the detriment of the other. Applying privacy-focused principles means collecting less personal information, deleting it when necessary, and — of course — storing it securely. The IAPP summit will feature sessions on data breach response, compliance with data protection laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), and privacy engineering. Cost: TBC FS-ISAC: Americas Spring Summit Date: April 27-29, 2021 Location: Online A lot changed with the shift to remote-working, and many of these changes are here to stay. But, these changes can be difficult to navigate. This three-day virtual summit – with speakers, panelists, and keynotes from Bank of America, Liberty Mutual, ADP and more – will help you stay at the forefront of these new technology trends and emerging paradigms. For a full program schedule, click here. Cost to Attend: Free for members CyberUK 2021 Date: May 11-12, 2021 Location: International Convention Centre Wales, Newport, Wales CyberUK is hosted by the UK’s National Cyber Security Centre (NCSC), a government unit that advises on cybersecurity. It’s one of the UK’s most important cybersecurity events and is a “must-attend” for industry leaders. The program for 2021 has not yet been set, but expect a full and varied range of talks, demos, and workshops. The last CyberUK agenda included sessions on identifying supply chain risks, building the cybersecurity profession, and using machine learning to boost defences. Cost to attend: Free for public sector employees. Private sector employees — Early bird: £849 + tax. Standard rate: £999 + tax CyberCon London 2021 Date: May 12-13, 2021 Location: Online CyberCon London features high-profile speakers bringing CTOs, CISOs, and IT directors up-to-date knowledge and practical advice on dealing with cyberthreats. Agenda items include panel sessions on fraud, remote working, and the costs of cybercrime —  plus lectures from world-renowned cybersecurity exxperts. Cost to attend: Standard: £95 + tax. RSA Conference San Francisco Date: May 17-20, 2021 Location: Online The theme for this year’s fully virtual RSAC? Resilience.  While a full list of speakers hasn’t been released, you can see what Linda Gray Martin, VP of RSA Conference, has to say about what you should expect in this video. “See” you there! Did you know 2021 marks the 30th anniversary of this event? International Privacy + Security Forum Date: May 24-26, 2021 Location: Online The International Privacy + Security Forum is organized by academics Daniel Solove and Paul Schwartz, both well-known figures in the world of privacy. The conference is open to privacy and security professionals from all walks of life. The event provides several sessions focusing on legal compliance with EU and California privacy law, plus workshops on data security law, health privacy, and data de-identification. Cost to attend: 2-day pass — $499 (general), or $299 (academic/NGO/government), 10% early bird discount before March 31. Infosecurity Europe 2021 Date: June 8-10, 2021 Location: Olympia London, Hammersmith, London. Infosecurity Europe features an eclectic range of exhibitors and networking opportunities for cybersecurity leaders across all industries. Many key players in cybersecurity are exhibiting in 2021, including Avast, Bitdefender, and SolarWinds. Public bodies, including the UK Department for Digital, Culture, Media and Sport (DCMS) and Nation Cyber Security Centre (NCSC), are also represented. Cost to attend: TBC National Cyber Summit 2021 Date: June 8-10, 2021 Location: Huntsville, Alabama The National Cyber Summit focuses on education, collaboration, and innovation, bringing together experts from government, academia, and industry to deliver an innovative, diverse, and accessible event. Speakers will include Robert Powell, Senior Advisor for Cybersecurity at NASA, Katie Arrington, Chief of Information Security Acquisition and the US Department of Defense, and Merritt Baer, Principal Security Architect at Amazon Web Services. Cost to attend: Full Access: Standard — $570, Onsite — $610. Student, Teacher/Faculty: Standard — $175,  Onsite — $200. Government: Free. Virtual Silicon Valley Cyber Security Summit 2021 Date: June 9, 2021 Location: Online The fourth annual Virtual Silicon Valley Cyber Security Summit features sessions from Verizon, IBM, and Chrome Enterprise. Attendees can attend sessions on: Identifying and avoiding insider threats, hosted by Sean Atkinson from the Center for Internet Security Combating ransomware, with Kristin Judge from the Cybercrime Support Network  The state of passwordless security, with HYPR’s George Avetisov. The event focuses on interactive discussion, so expect plenty of opportunities to network with colleagues and cybersecurity leaders. Cost to attend: $95 Regulatory Compliance Conference Date: June 13-16, 2021 Location: Hyatt Regency, San Diego, California With nations worldwide passing ever-stricter privacy and security laws, your business should take every opportunity to learn how best to remain compliant. Join “the nation’s top risk-based thinkers” to discuss the most pressing issues in regulatory compliance. This conference from the American Bankers Association features over 50 sessions to help banking and fintech organizations comply with consumer protection and data security regulations. Want to know more about balancing your security and compliance obligations? Read Security vs. Compliance: What’s The Difference? Cost to attend: TBC CogX Festival Date:  June 14-16, 2021 Location: London and Online With over 100,000 expected visitors (both in-person and online), ths hybrid festival features 1,000+ speakers covering 20 topics. The theme? “How do we get the next 10 years right?” For a list of topics, click here. For a list of speakers, click here.  Cost to Attend: £4-5,000 CISO Visions Virtual Cybersecurity Summit  Date: June 21-25, 2021 Location: Online CISO VISIONS is invitation-only for security executives.  Why is it exclusive? According to the event coordinators, it lets them cater to security leaders specific challenges and keep attendees in the company of the leaders driving progress in your field. At the event, you’ll be able to meet one-on-one with solution providers and learn from 30+ speakers driving innovation. Cost to Attend: Free (but you must apply!) PrivSec Global Date: June 22-24, 2021 Location: Online PrivSec Global returns on 22nd-24th June 2021 with over 200+ subject matter experts addressing prominent issues and challenges across 64 sessions, panel discussions, debates and fireside chats on data protection, privacy, security and beyond. Cost to Attend: Free British Legal Technology Forum 2021 Date: July 6, 2021 Location: Billinghurst, London The British Legal Technology Forum is Europe’s biggest legal technology conference and exhibition, featuring 2,500 square meters of exhibition space. BLTF 2021 is a crucial event for legal professionals, featuring talks from Prof. Richard Susskind, President of the Society for Computers & Law, and Bruna Pellicci, CTO at Linklaters.  Bonus: Tessian is the headline sponsor!  Want to learn more about how Tessian helps lock down email and prevent breaches for some of the world’s top law firms? Read our customer stories.  Cost to attend: Free International Conference on Cyber Security (ICCS) 2021 Date: July 19-22, 2021 Location: Fordham University, New York The International Conference of Cyber Security (ICCS), a collaboration between the FBI and Fordham University, is among the world’s premier cybersecurity events. Esteemed speakers from around the world will discuss how to address cyber threats in the private, government, academic, and law enforcement sectors. The 2021 agenda remains a work-in-progress, but previous ICCS events have featured presentations from the Director of National Intelligence (DNI), FBI, CIA, and NSA. Registration is limited to just 300 attendees. Cost to attend: $995. Cyber Security Tutorial (CST) and Law Enforcement Workshop (LEW): an extra $75 per session. WSTA: Smart, Fast, Effective: Cybersecurity in the Age of Analytics and Automation Date: July 21, 2021 Location: Online This seminar and panel session provides an overview of the threat universe facing financial cybersecurity firms.  You can expect to review operational security best practices, and dig deep into critical technology areas. Check out the agenda here. Cost to Attend: Members Only Black Hat USA 2021 Date: July 31-August 5, 2021 Location: Las Vegas and Online In its 24th year, this hybrid in-person and virtual event features virtual training sessions, briefings, and a Business Hall. More info coming soon! Cost to Attend: TBC Gartner Security and Risk Management Summit Date: September 20-22, 2021 Location: Orlando, FL Over four days, security, identity and access management, and risk management executives will come together to share valuable insights on establishing an effective, risk-based cybersecurity program.  Attendees will learn how to prepare for the new normal, with the tools they need to create agile security and IT risk management plans. For more information about speakers, click here. For more information about the agenda, click here. Cost to Attend: $3, 825 Cybersecurity Digital Summit for EMEA 2021 Date: October 19-20, 2021 Location: Online  This Cybersecurity Digital Summit, hosted by Cyber Security Hub, is a two-day event focusing on the main threats affecting the Europe, Middle-East, and Africa (EMEA) region. The summit follows on from Cyber Security Hub’s events focusing on the Americas and Asia Pacific (APAC) regions. According to Cyber Security Hub’s publicity, the EMEA region “seems to set the course for the regulatory framework that APAC (Asia Pacific) and the Americas are adopting.” Whether you’re a cybersecurity professional working in the EMEA region — or you’re based elsewhere and hoping to understand the threats emerging from EMEA — this event is for you. Cost to attend: Free
Human Layer Security DLP
What is Email DLP? Overview of DLP on Email
15 April 2021
Data loss prevention (DLP) and insider threat management are both top priorities for security leaders to protect data and meet compliance requirements.  And, while there are literally thousands of threat vectors – from devices to file sharing applications to physical security – email is the threat vector security leaders are most concerned about protecting. It makes sense, especially with remote or hybrid working environments. According to Tessian platform data, employees send nearly 400 emails a month. When you think about the total for an organization with 1,000+ employees, that’s 400,000 emails, many of which contain sensitive data. That’s 400,000 opportunities for a data breach.  The solution? Email data loss prevention.
This article will explain how email DLP works, consider the different types of email DLP, and help you decide whether you need to consider it as a part of your overall data protection strategy.  Looking for information about DLP more broadly? Check out this article instead: A Complete Overview of Data Loss Prevention.  ➡ What is email data loss prevention? Essentially, email DLP tools monitor a company’s email communications to determine whether data is at risk of loss or theft. There are several methods of email DLP, which we’ll look at below. But they all attempt to: Monitor data sent and received via email Detect suspicious email activity Flag or block email activity that leads to data loss ➡ Do I need email data loss prevention? Unless you’re working with a limitless security budget (lucky you!), it’s important to prioritize your company’s resources and target areas that represent key security vulnerabilities.  Implementing security controls is mandatory under data protection laws and cybersecurity frameworks, like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). And there’s a good reason to prioritize preventing data loss on email. As we’ve said, email is the threat vector security leaders are most concerned about. We’ll explain why.  📩 Inbound email security threats How can malicious external actors use email to steal data? There are many methods. Phishing—social engineering attacks designed to trick your employees into handing over sensitive data. According to the FBI, phishing is the leading cause of internet crime, and the number of phishing incidents doubled in 2020. Spear phishing—like phishing, but targeted at a specific individual. Spear phishing attacks are more sophisticated than the “bulk” phishing attacks many employees are used to. Malware—phishing emails can contain a “malicious payload”, such as a trojan, that installs itself on a user’s device and exfiltrates or corrupts data. Email DLP can help prevent criminals from exfiltrating your company’s data. 🏢 Internal email security threats While it’s crucial to guard against external security threats, security teams are increasingly concerned with protecting company data from internal actors. There are two types of internal security threats: accidental and malicious. 🙈 Accidental data loss Accidents happen. Don’t believe us?  Human error is the leading cause of data breaches. Tessian platform data shows that in organizations with 1,000 or more employees, people send an average of 800 misdirected emails (emails sent to the wrong recipient) every year. That’s two every day.  How can a misdirected email cause data loss? Misspelling the recipient’s address, attaching the wrong file, accidental “reply-all”—any of these common issues can lead to sensitive company data being emailed to the wrong person.  And remember—if the email contains information about an individual (personal data), this might be a data breach. Misdirected emails are the top cause of information security incidents according to the UK’s data regulator. We can’t forget that misattached files are also a big problem. In fact, nearly half (48%) of employees say they’ve attached the wrong file to an email. Worse will, according to survey data: 42% of documents sent in error contained company research and data 39% contained security information like passwords and passcodes 38% contained financial information and client information 36% contained employee data But, not all data loss incidents are an accident.  🕵 Insider threats  Employees or contractors can steal company data from the inside. While less common than accidental data loss, employees that steal data—or simply overstep the mark—are more common than you might think. Some employees steal company data to gain a competitive advantage in a new venture—or for the benefit of a third party. We covered some of these incidents in our article, 11 Real Insider Threats. But more commonly, employees are breaking the rules for less nefarious reasons. For example, employees send company data to a personal email address for convenience. For example, to work on a project at home or on another device. Sending unauthorized emails is a security risk, though. Tessian platform data shows that it occurs over 27,500 times per year in companies with 1,000 employees or more. And, while – yes – it’s often not done maliciously, the consequences are no less dire, especially in highly regulated industries.  So, how do you prevent these things from happening?  ➡ Email DLP solutions to consider Research shows that the majority of security leaders say that security awareness training and the implementation of policies and procedures are the best ways to prevent data loss. And both are very important.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But – as well-intentioned as most employees are – mistakes still happen despite frequent training and despite stringent policies. That means a more holistic approach to email DLP – including technology – is your best bet.  Broadly, there are two “types” of DLP technology: ruled-based DLP and machine learning DLP. 📏 Rule-based email DLP Using rule-based DLP, IT administrators can tag sensitive domains, activities, or types of data. When the DLP software detects blacklisted data or behavior, it can flag it or block it. Like training and policies, rule-based DLP certainly has its place in security strategies. But there are limitations of ruled-based DLP. This “data-centric” model does not fully account for the range of behavior that is appropriate in different situations. For example, say an IT administrator asks email DLP software to block all correspondence arriving from “freemail” domains (such as gmail.com), which are often used to launch cyberattacks. What happens when you need to communicate with a contractor or customer using a freemail address? What’s more, rule-based DLP is very admin-intensive. Creating and managing rules and analyzing events takes a lot of time, which isn’t ideal for thinly-stretched security teams.  Want to learn more? We explore situations where rule-based DLP falls short. For more information, read The Drawbacks of Traditional DLP on Email. 🤖 Machine learning email DLP Machine learning email DLP is a “human-centric” approach. By learning how every member of your company communicates, machine learning DLP understands the context behind every human interaction with data. How does machine learning email DLP work? This DLP model processes large amounts of data and learns your employees’ communications patterns.  The software understands when a communication is anomalous or suspicious by constantly reclassifying data according to the relationship between a business and customers, suppliers, and other third parties. No rules required.  This type of DLP solution enables employees to work unimpeded until something goes wrong, and makes preventing data loss effortless for security teams.
💡 Learn more about how Tessian’s email DLP solutions Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our contextual machine learning models have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real-time if particular emails look like they’re about to be sent to the wrong person or if an employee has attached the wrong file. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. And, finally, Tessiden Defender prevents inbound threats, like spear phishing, business email compromise, and CEO fraud.  To learn more about data exfiltration and how Tessian uses machine learning to keep data safe, check out our customer stories or talk to one of our experts today. You can also subscribe to our monthly newsletter below to get more updates about DLP, compliance, spear phishing, industry trends, and more. 
Human Layer Security Podcast
Five Things I Learned From Launching A Podcast
By Tim Sadler
14 April 2021
At the start of this year, Tessian started a podcast. Why? Because since we launched the Human Layer Security category in 2013, the human factor has become one of the biggest considerations in cybersecurity today. Every day, we are speaking to CISOs, CIOs, business leaders and security professionals about how to secure the human layer. And I’m not just talking about conversations related to how to stop the ever-rising number of phishing attacks. We’re talking about insider threats and security incidents caused by simple human error, too. We’re discussing ways in which CISOs can better understand their employees’ behaviors and ways of working, in order to build security strategies that protect them and empower them to do great work. And we’re talking about how to get buy-in from boards. Rather than keeping the conversations to ourselves, we wanted the podcast to provide a platform for inspiring IT leaders, thought-provoking academics, and ethical hackers to discuss why it’s so important for businesses to protect their people – not just machines and data – and share their learnings so that how other security teams can do it too.
It’s been a lot of fun and I’ve spoken to some incredible people. So here are my highlights and my top learnings as we close out Season 1 of the RE:Human Layer Security podcast: 1. CISOs are doing an amazing job in their relentless roles. As Simon Hodgkinson, former CISO at bp said, the job of the CISO is truly 24/7. And it’s becoming “more and more challenging as the threats become more advanced and regulatory landscapes become even more complicated”. Hearing the work that CISOs like Jerry Perullo at ICE, Ray Espinoza at Cobalt, Tim Fitzgerald at ARM and Anne Benigsen at Bankers’ Bank of West are doing to not only navigate these landscapes and keep their companies safe, but also to help make their people into security champions and make security as seamless as possible is really inspiring. 2. … and they want to do more. It was clear from the leaders I spoke that they have a “duty of care to continue raising awareness” and “invest in making sure people are able to do the right thing.” Some believe, however, there are more engaging ways to do it, while others think there is more work to be done to get employees to buy-in to the security cultures. It was great to understand how they plan to do this.
3. Security can learn so much from psychology. In one of my favourite episodes, academics Dr Karen Renaud and Dr Marc Dupuis question why businesses continually use fear – a short term emotion – to try and engender long-term behavioral change in cybersecurity. They also explain why the role of employee self-efficacy is so important to encourage safer security practices. Their insight into what factors make people more or less likely to adopt safe cybersecurity behaviors makes me question whether FUD in security has had its day? 4. If you don’t get to know your people well, the bad guys certainly will. Ethical hackers and social engineering experts like Craig Hays and Jenny Radcliffe explained how cybercriminals select their targets and methods of attack, emphasizing the need for companies – at manager level – to know their people really well. As Jenny said, “the answer to becoming a more secure organization […] is to know your humans better than the bad guys.”
5. Employees aren’t the weakest link. The age-old saying that people are the weakest link in security is something our guests don’t believe in. To Dan Raywood, people are neither the strongest or weakest link, but rather “an essential part of your business”. Tim Fitzgerald agreed, stating that, as security leaders, “we try to take a look in the mirror and say, are we providing these people with the tools they need to help them avoid these types of threats or scenarios?” It’s been a privilege to speak with all of our guests on the RE:Human Security Layer podcast and, if you haven’t already, I encourage you to listen to their interviews and subscribe to the show.  We’re now planning Season 2 so stay tuned for that – and if you’d like to get involved or hear more about what we’re doing, please contact me on LinkedIn or Twitter.  
Human Layer Security
Machine vs. Machine: Setting the Record Straight on Offensive AI
By Trevor Luker
08 April 2021
In recent years, we’ve heard the term “Offensive AI” being used more frequently to describe a new type of cyber threat – one that sees cybercriminals using artificial intelligence (AI) to supercharge their cyber attacks, advance impersonation scams, and avoid detection. In response, organizations are being advised to “fight fire with fire” and invest in defensive AI solutions in order to stay ahead of the bad guys, a sort of modern day “spy on spy” warfare tactic. Sure, cybercriminals are using more sophisticated technologies to advance their attack campaigns, but let’s start by getting one thing straight: where we are at the moment is not “AI”. For a system to be considered intelligent, it needs to exhibit autonomous behavior and goal seeking. What we are seeing, though, is an emerging use of Machine Learning (ML) and adaptive algorithms, combined with large datasets, that are proving effective for cybercriminals in mounting attacks against their targets.  Semantics, I know. But it’s important that we manage the hype. Even the washing machine I just purchased says it includes “AI” functionality. It doesn’t.  Organizations do, though, need to be aware of attackers’ use of offensive ML, and every company needs to understand how to defend itself against it. I can help. 
So, what is offensive ML? At this stage, offensive ML is often the use of ML and large data-lakes to automate the first stages of cyber attacks. In particular the reconnaissance, weaponization, and delivery stages of the Cyber-Kill-Chain lend themselves to automation.  It allows attacks to be carried out on a much larger scale and faster than ever previously seen. It also helps attackers overcome their human-resource problem—yes, even cybercriminals have this problem; skilled cyber staff are hard to find.  Automation frees up the human’s time, keeping them involved for the later stages of an attack once a weakness that can be exploited has been found. To a large degree, many cyber attacks have become a data science issue, as opposed to requiring stereotypical ‘elite hackers’.  A good offensive ML will also have a feedback mechanism to tune the underlying models of an attack, for example, based on the success of a lure in front of a potential victim in a phishing attack. The models will start to favor successful approaches and, over time, increase in efficiency and effectiveness.  How is offensive ML being used today? One example of offensive ML I’ve observed is large-scale scanning of perimeter systems for fingerprinting purposes.  Fingerprinting the perimeter of organizations – assigning IP addresses with organizations, public data (DNS, MX lookup) and industry sectors – is a simple data-management issue. However, if this is combined with Common Vulnerabilities and Exposures (CVE) updates, and possibly dark web zero-day exploits, it provides attackers with a constantly updated list of vulnerable systems.  You can learn more about zero-day vulnerabilites here: What is a Zero-Day Vulnerability? 3 Real-World Examples. Organizations defending themselves against cybercrime frequently have to go through a time consuming testing process before deploying a patch and, in some cases, the systems are just not patched at all. This gives an attacker a window of opportunity to deploy automated scripts against any targets that have been selected by the ML as meeting the attack criteria. No humans need be involved except to set the parameters of the attack campaign: it’s fully automated. An attacker could, for example, have the ML algorithms send emails to known invalid email addresses at the target organization to see what information or responses they get—Do the email headers give clues about internal systems and defenses? Do any of the systems indicate unpatched vulnerabilities?  They can use ML to understand more about the employees they will target too, crawling through social media platforms like LinkedIn and Twitter to identify employees who recently joined an organization, any workers that have moved roles, or people that are dissatisfied with their company. Why? Because these people are prime targets to attempt to phish.  Combining this information is step one. Attackers then just need to understand how to get past defenses so that the phishing emails land into a target employee’s inbox. MX records – a mail exchanger record that specifies the mail server responsible for accepting email messages on behalf of a domain name – are public information and would give the ML information as to what Secure Email Gateway (SEG) a company is using so that an attacker could tailor the lure and have the most chance of getting through an organization’s defenses.  Another area in which offensive ML proves problematic for organizations is facial recognition. Attackers can deploy ML technology or facial recognition to match company photos with photos from across the Internet, and then build up a graph of relationships between people and their target. An exercise in understanding “who knows who?”.  With this information, bad actors could deploy social media bots under ML control to build trust with the target and their associates. From public sources, an attacker knows their target’s interests, who they work with, who they live with; all this is gold dust when it comes to the “phishing stage” as an attacker can make the scam more believable by referring to associates, shared interests, hobbies etc.  Using offensive ML in ransomware attacks There are other reasons to be concerned about the impact offensive ML can have on your organization’s security. Attackers can use it to advance their ransomware attacks.  Ransomware attacks – and any exploits used to deliver the ransomware – have a short shelf-life because defenses are constantly evolving too. Therefore, successful ROI for the attacker depends on whether they choose their targets carefully. Good reconnaissance will ensure resources are used more efficiently and effectively than using a simpler scatter-gun approach.  For any cybercriminal involved in “ransomware for hire”, offensive ML proves invaluable to earning a higher salary. They can use the data gathered above to set their pricing model for their customers. The better defended – or more valuable- the target, the higher the price. All this could be, and likely is, automated. So, how can organizations protect themselves from an offensive AI/ML attack? It’s the classic “spy vs spy” scenario; attacks evolve and so do defenses. With traditional, rule-based defensive systems, though, the defender is always at a disadvantage. Until an attack is observed, a rule can’t be written to counteract it. However, if an organization uses ML, the defensive systems don’t need to wait for new rules;  they can react to anomalous changes in behavior autonomously and adjust defensive thresholds accordingly. In addition, defensive ML systems can more accurately adjust thresholds based on the observed riskiness of behavior within a defender’s organization; there is no longer a need to have a one-size-fits-all defense.  A good ML-based system will adapt to each company, even each employee or department, and set corresponding defense levels. Traditional, rule-based systems can’t do this. In my opinion, the future of defensive security is a data-issue; the days of the traditional human-heavy Security Operations Center are numbered. What questions should organizations ask to ensure they have the right defenses in place? First and foremost, ask your IT service provider why they think their system is actually AI. Because it almost certainly isn’t. If the vendor maintains that they have a real AI solution, be very skeptical about them as a reliable vendor. Ask vendors how their system would react to a zero-day exploit: How long would their system need to deal with a novel attack? Would the user need to wait for a vendor update? Ask vendors about data and threat sharing. All companies are under reconnaissance and attack, and the more data that is shared about this, the better the defenses. So ask, does the vendor share attack data, even with their competitors?
Human Layer Security
Risk Management Made Easy: Introducing Tessian Human Layer Risk Hub
By Ed Bishop
06 April 2021
Today, comprehensive visibility into employee risk is one of the biggest challenges security and risk management leaders face.  Why? Because most security solutions offer a limited view of risk and don’t offer any insights into the likelihood of an employee falling for a phishing attack or exfiltrating data.  Worse still, when it is available, risk information is siloed and hard to interpret.  Insights around security awareness training exist in seperate systems from insights related to threats that have been detected and prevented. There’s no integration which means security leaders can’t get a full view of their risk profile. Without integration and visibility, it’s impossible to take a tailored, proactive approach to preventing threats. It’s an uphill battle. You may not even know where to start… But, we have a solution.  With Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture with granular visibility into employee risk and insights into individual user risk levels and drivers.
This is the only solution that offers protection, training, and risk analytics all in one platform, giving you a clear picture of your organization’s risk and the tools needed to reduce that risk.  How does Tessian Human Layer Risk Hub work? With Tessian Human Layer Risk Hub, security leaders can quantify risk, take targeted actions, and offer the right training to continuously lower the risks posed by employees’ poor security decisions.  Let’s look at an example.  1. An employee in the Finance department is flagged as a high-risk user based on their access to sensitive information, their low level of security awareness training, and how frequently they’re targeted by spear phishing attacks.  Tessian looks at five risk drivers – accidental data loss, data exfiltration, social engineering, sensitive data handling, and security awareness – to generate individual risk scores. Each employee’s risk score is dynamically updated, decreasing when an employee makes the correct security decision, and increasing when they do something risky, such as clicking on a phishing email or sending company data to personal email accounts. 
2. Based on these insights, Tessian intelligently and automatically identifies actions teams can take within the platform (for example, custom protections for certain user groups) to reinforce policies, improve security awareness, and change behavior to help drive down risk.  Security teams can also implement additional processes and controls outside of Tessian to exercise better control over specific risks. 
3. With custom protections enabled, Tessian’s in-the-moment warnings help nudge employees towards safer behavior. For example, you could quickly and easily configure a trigger that always warns and educates users when they receive an email from a new domain, mentioning a wire transfer. But, even without custom protections,  Tessian Defender can detect spear phishing attacks with incredible accuracy. And, because the warnings are written in clear, easy-to-understand language, employees are continusouly learning and leveling up their security awareness. If targeted by a spear phishing attack, employees would receive a warning that looks something like this. 
4. With continuous protection and in-the-moment training, security leaders will see employees move from high-risk users to low-risk users over time. Risk scores and drivers are aggregated at employee, department, and company-level and are benchmarked against peers. This makes tracking and reporting on progress simple and effective. 
Benefits of Tessian Human Layer Risk Hub Tessian Human Layer Risk Hub enables security leaders to reduce risk and improve their organization’s security posture with unique insights you can’t get anywhere else. Targeted remediation at scale. With a bird’s eye view of your most risky and at-risk user groups, security leaders can make better decisions about how to distribute budget and resources, what mitigation measures to prioritize, and when to intervene. This goes beyond email. If you can see who has access to sensitive information – and how they’re handling that sensitive information – you’ll be able to create and update policies that really work.  More effective training. Every year, businesses spend nearly $300,000 and 276 hours on security awareness training. But, training is only effective when the messages are tailored and the employee is engaged. Tessian Human Layer Risk Hub gives security, risk management, and compliance leaders the insights they need to create tailored training programs that cut through. And, Tessian in-the-moment warnings help nudge employees towards safer behavior in real-time.  Clear ROI. Many solutions simply report risk; they don’t actually reduce risk. Tessian is different. Security leaders can easily measure and demonstrate how risk has changed over time, how the platform has proactively helped improve the organization’s security posture, and can even apply learnings from the platform to inform future decisions. The benefit? You’ll become a trusted partner across your organization.   Defensible audit. Tessian’s detailed reports and audit logs provide defensible proof against data breaches. If a risk is identified, you’ll be able to formally document all associated events, and track exposure, owner, mitigation decisions, and actions.  The bottom line: Tessian Human Layer Risk Hub gives security teams a unified view and a shared language to communicate risk to business, demonstrate progress towards lowering risk, and effectively secure their human layer.  Learn more about Tessian Interested in learning more about Tessian Human Layer Risk Hub? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about the new Human Layer Risk Hub, explore our customer stories, or book a demo now. And, to be the first to hear about new product updates, sign-up for our newsletter below.
Human Layer Security Spear Phishing
Types of Email Attacks Every Business Should Prepare For
01 April 2021
Email remains the number one tool of business communication. The email network is open to practically anyone—and its flexibility, reliability, and convenience mean it’s not going away any time soon. But for all its benefits, email can also be a vector for serious cyberattacks. Social engineering attacks like phishing can lead to data breaches, malware attacks, and billions of dollars in losses for businesses worldwide. This article will explain the major types of email attacks, provide some data on how common they are, and consider the devastating impact that email attacks can have on your business. Types of email attacks First, we’ll walk you through some of the most common types of email attacks. Phishing Phishing can mean one of two things: An “umbrella term” meaning any social engineering attack that takes place via email. A type of email attack where the attacker sends a lot of malicious emails in an untargeted way. When we use “phishing” as an umbrella term, it refers to the most common type of email attack. Any malicious email that tries to trick you into clicking a link, opening a file, or taking any other action that causes harm, can be part of a phishing attack.  All of the other types of email attacks we’ll look at below are forms of phishing, if we use the term in this broad way. When we use “phishing” as a specific term, it means a “bulk” or “spray and pray” email attack, where the malicious email is sent to many unnamed recipients. Here’s an example:
What makes this a phishing email? There’s no addressee: It says “Hello,” not “Hello Rob.” The “update account now” button leads to a credential phishing page. Most importantly — Netflix didn’t send it! Want to know more about phishing? See our article What is Phishing? Spear phishing Spear phishing is an email attack targeting a specific individual. So, whereas bulk phishing uses a net — sending emails to as many potential victims as possible — spear phishing uses a spear to target one specific victim. Again, spear phishing is can also be an umbrella term, in that there are lots of different types of phishing attacks. Some of the examples below, including Business Email Compromise (BEC) and CEO fraud, are almost always spear phishing attacks. Why? Because whenever a phishing attack targets a specific individual, it’s a spear phishing attack. Here’s an example:
What makes this a spear phishing email? It targets a specific person. The “click here” link leads to a credential phishing website. Most importantly — you guessed it — DHL didn’t send it! For more information, see our article What is Spear Phishing? Business Email Compromise (BEC) Business Email Compromise (BEC) is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address. In the sense that the attacker is impersonating a business, the Netflix and DHL examples above are both BEC attacks. But we normally use “BEC” to refer to a more sophisticated form of email attack. For example, one of the biggest cyberattacks of all time is an example of BEC. Between 2013 and 2015, a Latvian cybercrime gang headed by Evaldas Rimasauskas scammed Facebook and Google out of around $121 million by impersonating their suppliers and sending fake invoices via email. Want to know more about BEC? See our article What is Business Email Compromise (BEC)? CEO fraud In a CEO fraud attack, the attacker impersonates a company executive and targets a less senior employee. Here’s an example:
What makes this a CEO fraud attack? The sender’s email address impersonates a real company executive (note the method here is email impersonation — ”microsott.com” — but other methods such as email spoofing are also common). The sender (“Leon”) puts a lot of pressure on the recipient (Tess). Stressed people make poor decisions. The attack involves wire transfer fraud. While not all CEO fraud attacks involve wire transfer fraud, this is a very common tactic. Want to know more about CEO fraud? See our article What is CEO Fraud? How common are email attacks? Email attacks are on the rise, and are now extremely common. According to the FBI’s Internet Crime Complaint Center (IC3), phishing incidents more than doubled from 2019 to 2020, costing victims over $54 million in direct losses. Verizon says 22% of breaches in 2019 involved phishing. Around 75% of organizations around the world experienced some kind of phishing attack in 2020. Want more data on phishing and other email attacks? See our article Phishing Statistics (Updated 2021). Consequences of email attacks What are the main consequences of email attacks on businesses and their customers? Data breaches: Attackers use techniques such as credential phishing to exfiltrate your customers’ personal information. Data breaches can attract investigations, regulatory fines, and class-action lawsuits. IBM estimates that the average data breach costs a business $3.86 million Malware: Some email attacks aim to deposit a malicious payload on the recipient’s device. This payload is normally some form of malware, for example: A virus, which can infect other devices on your network Spyware, which can log your keystrokes and online activity  Ransomware, which encrypts your valuable data and demands you pay a ransom to get it back. Wire transfer fraud: Spear phishing attacks—particularly if they involve BEC or CEO fraud—often attempt to persuade the target into transferring funds into a bank account controlled by the attacker. And it really works—that’s why the FBI calls BEC “the $26 billion scam” How to prevent email attacks Now you know about the most common types of email attacks. Want to learn how to protect your business from these types of cybercrime? Take a look at the resources below: How to Avoid Falling For a Phishing Attack | 6 Useful Tips Prevent Business Email Compromise | BEC CEO Fraud Prevention: 3 Effective Solutions
Human Layer Security DLP Data Exfiltration
11 Examples of Data Breaches Caused By Misdirected Emails
17 March 2021
While phishing, ransomware, and brute force attacks tend to make headlines, misdirected emails (emails sent to the wrong person) are actually a much bigger problem. In fact, in organizations with 1,000 employees, at least 800 emails are sent to the wrong person every year. That’s two a day. You can find more insights in The Psychology of Human Error and The State of Data Loss Prevention 2020.  Are you surprised? Most people are. That’s why we’ve rounded up this list of 11 real-world (recent) examples of data breaches caused by misdirected emails. And, if you skip down to the bottom, you’ll see how you can prevent misdirected emails (and breaches!) in your organization.  If you’re looking for a bit more background, check out these two articles: What is a Misdirected Email? Consequences of Sending an Email to the Wrong Person 11 examples of data breaches caused by misdirected emails  1. University support service mass emails sensitive student information University and college wellbeing services deal with sensitive personal information, including details of the health, beliefs, and disabilities of students and their families.  Most privacy laws impose stricter obligations on organizations handling such sensitive personal information—and there are harsher penalties for losing control of such data. So imagine how awful the Wellbeing Adviser at the University of Liverpool must have felt when they emailed an entire school’s worth of undergraduates with details about a student’s recent wellbeing appointment. The email revealed that the student had visited the Adviser earlier that day, that he had been experiencing ongoing personal difficulties, and that the Adviser had advised the student to attend therapy. A follow-up email urged all the recipients to delete the message “immediately” and appeared to blame the student for providing the wrong email address. One recipient of the email reportedly said: “How much harder are people going to find it actually going to get help when something so personal could wind up in the inbox of a few hundred people?” 2. Trump White House emails Ukraine ‘talking points’ to Democrats Remember in 2019, when then-President Donald Trump faced accusations of pressuring Ukraine into investigating corruption allegations against now-President Joe Biden? Once this story hit the press, the White House wrote an email—intended for Trump’s political allies—setting out some “talking points” to be used when answering questions about the incident (including blaming the “Deep State media”). Unfortunately for the White House, they sent the email directly to political opponents in the Democratic Party. White House staff then attempted to “recall” the email. If you’ve ever tried recalling an email, you’ll notice that it doesn’t normally work.  Recalling an email only works if the recipient is on the same exchange server as you—and only if they haven’t read the email. Looking for information on this? Check out this article: You Sent an Email to the Wrong Person. Now What? Unsurprisingly, this was not the case for the Democrats who received the White House email, who subsequently leaked it on Twitter.  I would like to thank @WhiteHouse for sending me their talking points on how best to spin the disastrous Trump/Zelensky call in Trump’s favor. However, I will not be using their spin and will instead stick with the truth. But thanks though. — US Rep Brendan Boyle (@RepBrendanBoyle) September 25, 2019 3. Australia’s Department of Foreign Affairs and Trade  leaked 1,000 citizens’ email addresses On September 30, 2020, Australia’s Department of Foreign Affairs and Trade (DFAT) announced that the personal details of over 1,000 citizens were exposed after an employee failed to use BCC. So, who were the citizens Australians who have been stuck in other countries since inbound flights have been limited (even rationed) since the outbreak of COVID-19. The plan was to increase entry quotas and start an emergency loans scheme for those in dire need. Those who had their email addresses exposed were among the potential recipients of the loan. Immediately after the email was sent, employees at DFAT tried to recall the email, and event requested that recipients delete the email from their IT system and “refrain from any further forwarding of the email to protect the privacy of the individuals concerned.” 4. Serco exposes contact traces’ data in email error  In May 2020, an employee at Serco, a business services and outsourcing company, accidentally cc’d instead of bcc’ing almost 300 email addresses. Harmless, right? Unfortunately not.  The email addresses – which are considered personal data – belonged to newly recruited COVID-19 contact tracers. While a Serco spokesperson has apologized and announced that they would review and update their processes, the incident nonetheless has put confidentiality at risk and could leave the firm under investigation with the ICO.  5. Sonos accidentally exposes the email addresses of hundreds of customers in email blunder  In January 2020, 450+ email addresses were exposed after they were (similar to the example above) cc’d rather than bcc’d.  Here’s what happened: A Sonos employee was replying to customers’ complaints. Instead of putting all the email in BCC, they were CC’d, meaning that every customer who received the email could see the personal email addresses of everyone else on the list.  The incident was reported to the ICO and is subject to potential fines.
6. Gender identity clinic leaks patient email addresses In September 2019, a gender identity clinic in London exposed the details of close to 2,000 people on its email list after an employee cc’d recipients instead of bcc’ing them. Two separate emails were sent, with about 900 people cc’d on each.  While email addresses on their own are considered personal information, it’s important to bear in mind the nature of the clinic. As one patient pointed out, “It could out someone, especially as this place treats people who are transgender.”  The incident was reported to the ICO who is currently assessing the information provided. But, a similar incident may offer a glimpse of what’s to come.  In 2016, the email addresses of 800 patients who attended HIV clinics were leaked because they were – again – cc’d instead of bcc’d. An NHS Trust was £180,000. Bear in mind, this fine was issued before the introduction of GDPR. 7. University mistakenly emails 430 acceptance letters, blames “human error” In January 2019, The University of South Florida St. Petersburg sent nearly 700 acceptance emails to applicants. The problem? Only 250 of those students had actually been accepted. The other 400+ hadn’t. While this isn’t considered a breach (because no personal data was exposed) it does go to show that fat fingering an email can have a number of consequences.  In this case, the university’s reputation was damaged, hundreds of students were left confused and disappointed, and the employees responsible for the mistake likely suffered red-faced embarrassment on top of other, more formal ramifications. The investigation and remediation of the incident also will have taken up plenty of time and resources.  8. Union watchdog accidentally leaked secret emails from confidential whistleblower In January 2019, an official at Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including the identity of a whistleblower. How? The employee entered an incorrect character when sending an email. It was then forwarded to someone with the same last name – but different first initial –  as the intended recipient.  The next day, the ROC notified the whistleblower whose identity was compromised and disclosed the mistake to the Office of the Australian Information commissions as a potential privacy breach. 9. Major Health System Accidentally Shares Patient Information Due to Third-Party Software for the Second Time This Year In May 2018 Dignity Health – a major health system headquartered in San Francisco that operates 39 hospitals and 400 care centers around the west coast – reported a breach that affected 55,947 patients to the U.S. Department of Health and Human Services.  So, how did it happen? Dignity says the problem originated from a sorting error in an email list that had been formatted by one of its vendors. The error resulted in Dignity sending emails to the wrong patients, with the wrong names. Because Dignity is a health system, these emails also often contained the patient’s doctor’s name. That means PII and Protect health information (PHI) was exposed.  10. Inquiry reveals the identity of child sexual abuse victims This 2017 email blunder earned an organization a £200,000 ($278,552) fine from the ICO. The penalty would have been even higher if the GDPR has been in force at the time. When you look at the detail of this incident, it’s easy to see why the ICO wanted to impose a more severe fine. The Independent Inquiry into Child Sexual Abuse (IICSA) sent a Bcc email to 90 recipients, all of whom were involved in a public hearing about child abuse.  Sending a Bcc means none of the recipients can see each other’s details/ But the sender then sent a follow-up email to correct an error—using the “To” field by mistake. The organization made things even worse by sending three follow-up emails asking recipients to delete the original message—one of which generated 39 subsequent “Reply all” emails in response. The error revealed the email addresses of all 90 recipients and 54 people’s full names.  But is simply revealing someone’s name that big of a deal? Actually, a person’s name can be very sensitive data—depending on the context. In this case, IICSA’s error revealed that each of these 54 people might have been victims of child sexual abuse. 11. Boris Johnson’s dad’s email blunder nearly causes diplomatic incident Many of us know what it’s like to be embarrassed by our dad.  Remember when he interrogated your first love interest? Or that moment your friends overheard him singing in the shower. Or when he accidentally emailed confidential information about the Chinese ambassador to the BBC. OK, maybe not that last one. That happened to the father of U.K. Prime Minister Boris Johnson in February 2020. Johnson’s dad, Stanley Johnson, was emailing British officials following a meeting with Chinese ambassador Liu Xiaoming. He wrote that Liu was “concerned” about a lack of contact from the Prime Minister to the Chinese state regarding the coronavirus outbreak. The Prime Minister’s dad inexplicably copied the BBC into his email, providing some lucky journalists with a free scoop about the state of U.K.-China relations. It appears the incident didn’t cause any big diplomatic issues—but we can imagine how much worse it could have been if Johnson had revealed more sensitive details of the meeting.
Prevent misdirected emails (and breaches) with Tessian Guardian Regardless of your region or industry, protecting customer, client, and company information is essential. But, to err is human. So how do you prevent misdirected emails? With machine learning.  Tessian turns an organization’s email data into its best defense against human error on email. Our Human Layer Security technology understands human behavior and relationships and automatically detects and prevents emails from being sent to the wrong person. Yep, this includes typos, accidental “reply alls” and cc’ing instead of bcc’ing. Tessian Guardian can also detect when you’ve attached the wrong file. Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.
Human Layer Security
Email is the #1 Threat Vector. Here’s Why.
11 March 2021
Billions of people use email everyday — it’s the backbone of online collaboration, administration, and customer service. But businesses lose billions to email-based cyberattacks every year. Workers use email to exfiltrate sensitive company data. And simple human errors, like sending an email to the wrong person, can be highly problematic. The bottom line: for all its benefits, email communication is risky and, according to research, it’s the threat vector security leaders are most concerned about protecting.  This article will look at the main threats associated with using email — and consider what you can do to mitigate them. The scope of the problem Before we look at some of the risks of email communication, let’s consider the scope of the problem. After all, around 4 billion people worldwide use email regularly.  2020 estimates showed that people send and receive around 306.4 billion emails per day — up 4% from 2019. The Digital Marketing Association suggests that 90% of people check their email at least once per day.  Adobe data shows that email is the preferred contact method for marketing communications — by a long shot. So, with alternative platforms like Slack and Teams rising in popularity. why does email remain the world’s main artery of communication? Email is platform-independent, simple, and accessible. No company would consider cutting email out of its communication channels.  But for every “pro” involved in using email, there’s a “con.” If you’re relying on email communication, you need to mitigate the risks. Security risks involved in using email  A major risk of email communication is security. Because it’s so flexible and easy-to-use, email carries a unique set of security risks. Phishing attacks  Phishing is a type of online “social engineering” attack. The attacker impersonates somebody that their target is likely to trust and manipulates them into providing sensitive information, transferring money, or revealing login credentials. Around 90% of phishing occurs via email. Here are the main types: Spear phishing: The attacker targets a specific individual (instead of sending bulk phishing emails indiscriminately). Whaling: The attacker targets a CEO or other executive-level employee. Business Email Compromise (BEC): A phishing attack in which the attacker appears to be using a legitimate corporate email address. CEO fraud: The attacker impersonates a company’s CEO and targets a junior employee. Wire transfer phishing: The attacker persuades a company employee to transfer money to a fraudulent bank account. Credential phishing: The attacker steals login details, such as usernames or passwords While today, most people are attuned to the problem of phishing, the problem is only getting worse. Don’t believe us? Check out these 50+ must-know phishing statistics. That means phishing protection is an essential part of using email. Looking for more information on inbound email protection? Click here.  Insider threats As well as inbound email threats, like phishing, you must also consider the threats that can arise from inside your business. Tessian survey data suggests that 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving their job. The most competitive industries — like tech, management consultancy, and finance — see the highest rates of this phenomenon.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Email is a quick and convenient way to send large amounts of data to external contacts — and can be a pipeline for disgruntled or corrupt employees to siphon off company assets. If you want to learn more about insider threats, including real-world examples, check out these articles: What is an Insider Threat? Insider Threat Types and Real-World Examples Insider Threat Statistic You Should Know Insider Threat Indicators: 11 Ways to Recognize an Insider Threat Remote working Phishing is a booming criminal industry — and there’s evidence that the new patterns of remote working are making phishing more common than ever. Tessian research shows that 65% of US and UK employees received a phishing email when working remotely in 2020 due to the COVID-19 pandemic, and 82% of IT leaders think their company is at greater risk of phishing attacks when employees are working from home. If your company operates a hybrid or remote working model, email security is even more crucial. Human error on email Innocent mistakes can be just as harmful as cyberattacks. In fact, 88% of data breaches are caused by human error. Misdirected emails Research shows that most people have sent at least one email to the wrong person, with nearly one-fifth admitting to sending an email to someone outside of their organization. Our platform data also shows that there are, on average, 800 misdirected emails per year in companies with more than 1000 employees.That’s two a day.  Sending an email to the wrong recipient is so common, you might not think they’re a big deal. But data from the UK’s Information Commissioner’s Office (ICO) consistently shows that misdirected emails are the number one cause of reportable data breaches. Misspelling, autocorrect, reply-all — these are all reasons you might send an email to the wrong recipient. It’s a serious risk of email communication — but you can prevent it. Misattached files Along with misdirected emails, “misattached files” are a major cause of data loss. New data shows some very worrying trends related to people sending emails with incorrect attachments. First, here’s what’s inside the documents people are sending in error: 42% contained company research or data  39% contained security information, such as login credentials  38% contained financial information and client information  36% contained employee data The survey also shows that – as a result of sending misattached files – one-third lost a customer or client — and 31% faced legal action. Email communication: how to mitigate the risks The risks we’ve described all depend on human vulnerabilities. Cyberattackers prey on people’s trust and deference to authority — and anyone can make a mistake when sending an email. That’s why email security is a must. Looking for help choosing a solution? We’ve put together this handy guide: 9 Questions That Will Help You Choose the Right Email Security Solution. If you want more tips, how-to guides, and checklists related to email security specifically and cybersecurity more broadly, sign-up for our newsletter!  While you’re here… Tessian software mitigates all types of risks associated with email communication: Tessian Defender: Automatically prevents spear phishing, account takeover, business email compromise, and other targeted email attacks. Tessian Enforcer: Automatically prevents data exfiltration over email. Tessian Guardian: Automatically prevents accidental data loss caused by misdirected emails and misattached files.
Human Layer Security
The Ultimate Guide to Human Layer Security
By Tim Sadler
01 March 2021
There’s a big problem in cybersecurity. Despite stricter data compliance standards, incredible technological innovation, and more investment from businesses, data breaches are at an all-time high.  In fact, businesses are at risk of insider and outsider threats, with a reported 67% increase in the volume of security breaches over the past five years. Why is this happening? Because, historically, security solutions have focused on securing the machine layer of an organization: networks, endpoints and devices.  But the majority of these solutions provide blunt protection, rely on retroactive threat detection and remediation, and don’t protect a businesses’ most important asset: its employees.   So, when you can get a firewall to protect your network, and EDR to protect your devices, what do you get to protect your people? Human Layer Security.
What is Human Layer Security?
Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. We created this category nearly two years ago, and it was the thesis for our Series B fundraise.  Since then, we’ve seamlessly deployed Tessian solutions to customers across industries from SMBs to multi-national enterprises, and are now detecting and preventing millions of inbound and outbound threats on email.
Why do we need Human Layer Security? Your employees now control both your systems and your data. But people make mistakes, people break the rules, and people can be deceived. 88% of data breaches are caused by human error, with AIG reporting “human errors and behavior continue to be a significant driver of cyber claims.”  It makes sense. Employees can transfer millions of dollars to a bank account in a few clicks and can share thousands of patient records in an Excel file in a single email. You can read more about The Psychology of Human Error here. So, instead of expecting people to do the right thing 100% of the time, we think it’s better to preempt these errors by detecting and preventing them from happening in the first place. Each of our solutions – Tessian Enforcer, Tessian Guardian, and Tessian Defender – is uniquely positioned to do just that. People break the rules Whether done maliciously or accidentally, people in every organization can (and do) break the rules. Those rules can be related to anything, from a password policy to how sensitive information is stored. But, what about rules related to data exfiltration? Oftentimes, employees are blissfully unaware. They’re not familiar with the policies themselves or the consequences of poor data handling. So, they think nothing of emailing company information to their personal email account to print at home, for example.  But not all employees are well-intentioned. Case in point: In late-2019, an employee at a cybersecurity and defense company sold 68,000 customer records to scammers. This isn’t an isolated incident. According to one report, 45% of employees say they’ve taken work-related documents with them after leaving or being dismissed from a job and, according to another, more than half of UK employees admitted to stealing corporate data. A quarter of those would be willing to do so for less than £1,000. Tessian Enforcer prevents data exfiltration attempts (both malicious and negligent. Looking for more real-world examples of malicious and negligent insiders? Read this article.
People make mistakes From a simple typo to a misconfigured firewall, mistakes are inevitable at work. To err is human! In fact, 43% of employees say they’ve made a mistake at work that compromised cybersecurity.  Unfortunately, though, the consequences of these mistakes can be severe. Imagine an employee sends a misdirected email. Penalties and fines could be incurred, customer trust could plummet, and reputational damage could be long-lasting. And those are just the consequences to the larger organization. Individuals will likely suffer, too.  We all know the sinking feeling of making a mistake. But, misdirected emails cause employees more than red-faced embarrassment and anxiety. These accidents put people at risk of losing their jobs.   Tessian Guardian detects and prevents misdirected emails and misattached files so that the right email and the right files are always shared with the right person.
People can be deceived  Businesses of all sizes and across industries work with a web of suppliers, contractors, and customers. And, most use email to communicate. That means it’s easy for hackers to impersonate internal and external contacts.  Business Email Compromise (BEC) attacks increased by over 100% in the last two years.  Worse still, the odds are against businesses and their employees. While a hacker only has to get it right once, we are expected to get it right every time. So, what happens if one employee is successfully tricked one time by a spear phishing email and wires money, shares credentials, or otherwise helps a hacker gain access to your network? The average breach costs organizations $3.92 million. But, these costs can be avoided with technology like Tessian Defender that detects and prevents advanced impersonation attacks.
Why focus on email? At Tessian, our mission is to secure the human layer. And we know that to be truly effective, Human Layer Security must protect people whenever and however they handle data.  But, we’re starting with email. It’s the most popular (we spend 40% of our time on it) and riskiest (most breaches happen here) communication channel. It’s also the threat vector IT leaders are most worried about.
You’re probably wondering how Tessian compares to other solutions and how our technology would fit in your larger security framework. We’ll tell you.  Tessian vs. Rule-Based Technology Traditional email security solutions are blunt instruments that tend to be disruptive for employees and admin-intensive for security teams who have to continuously create and maintain thousands of rules.  Don’t believe us? 85% of IT leaders say rule-based DLP is admin-intensive and over half of employees say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job.  The fact is, manually classifying emails, tagging emails sent to external contacts, encryption, and pesky pop-ups are roadblocks that slow the pace of business and create friction between security teams and other departments.   Worse still, these older technologies just can’t be configured to adequately defend against all the ways people make mistakes or cut corners on email. Tessian is automated. No rule-writing, manual investigation, or configuration required. Tessian vs. Training Training is a necessary part of every security strategy. But, the majority of employees aren’t trained frequently enough and lessons don’t always stick. Employees also tend to struggle applying what they’ve learned in training to real-world situations.  But we can’t blame employees. The average person isn’t a security expert and hackers are crafting more and more sophisticated attacks. It’s hard for even the most security-conscious among us to keep up. That’s why security leaders need to invest in technology that bolsters training and reinforces policies and procedures. That way, employees can improve their security reflexes over time.   That’s where Human Layer Security comes in. Tessian warnings act as in-the-moment training for employees. And, because Tessian only flags 1 in 1,000 emails on average, when a pop-up does appear, employees pay attention. Learn more about why security awareness training (SAT) alone isn’t effective enough in this article: SAT is Dead. Long Live SAT.
Tessian Human Layer Security technology Tessian deploys within minutes, learns within hours, and starts protecting in a day. Human Layer Security works by understanding and adapting to human behavior. Our machine learning algorithms analyze historical email data and build a unique security identity for every employee based on relationships and communication patterns.  The best part is: these ML models get smarter and better over time as more data is ingested. This helps the technology establish what normal (and abnormal) looks like and allows Tessian to automatically predict and prevent security breaches on email across devices.    For every inbound and outbound email, our ML algorithms analyze millions of data points, including: Relationship History: Analyzing past and real-time email data, Tessian has a historical view on all email communications and relationships. For example, we can determine in real-time if the wrong recipient has been included on an outbound email; if a sensitive attachment is being sent to a personal, non-business email account; if an inbound email with a legitimate-looking domain is a spoof Content & context: Using natural language processing to analyze historical email data, Tessian understands how people normally communicate on email and what topics they normally discuss. That way, our solutions can automatically detect anomalies in subject matter (i.e. project names) or sentiment (i.e. urgency), which might indicate a threat. Best of all, all of this analysis happens silently in the background and employees won’t know it’s there until they need it. Tessian stops threats, not business. And not flow. And, with Human Layer Security Intelligence, security and compliance leaders can get greater visibility into the threats prevented, track trends, and benchmark their organization’s security posture against others. This way, they can continuously reduce human layer risks over time. First, you protected our networks. Then, you protected our devices. Now, you can protect your people with Tessian’s Human Layer Security.
Human Layer Security Tessian Culture
Early adoption: Is Now the Time to Invest in the ‘New Breed’ of Security Products?
By Phil O'Hagan
25 February 2021
There’s an (unfair!) perception in the industry that most CISOs are skeptical, or at least conservative, when it comes to adopting the latest security technology. But the role of the CISO is evolving. It’s no longer to simply “own” risk. Today, they’re also tasked with educating and informing everybody within the company – including the C-Suite – on the risks and what can be done to mitigate them.  In this fast moving world, it’s no longer possible to be passive. Only those who are open-minded (and ideally progressive) will protect their company from the most advanced threats. A year of firsts  The security industry is moving in a different direction. We need only look back at the last 12 months to see why: COVID has raised the profile for security.  A greater attack profile has caught the attention of executive teams, and they are looking to CISOs to respond. But, it’s not all bad news. Just as cybercriminals see opportunity in disruption, CISOs have an opportunity to play a bigger role at the executive level. The digital transformation has been accelerated. The shift to remote working means an increased attack surface. Today, security teams must support whole departments of remote workers as they engage with technology in their kitchens, bedrooms, and coffee shops. CISOs need to do more than send the occasional email or facilitate annual training to raise awareness about cyber threats.  Ransomware is an ever-growing threat. In fact, almost a third of victims pay a ransom, which means the stakes are higher than ever.  Attackers have improved the implementation of their encryption schemes, making them harder to crack. And, rather than simply encrypting critical data, some criminals now steal sensitive data and threaten to release it if the ransom is not paid.  With so much changing, CISOs have to adapt fast and adopt new technology to succeed. Gartner calls this period of early adoption a “hype cycle”.  And, for any new innovation, early publicity produces a number of success stories — often accompanied by scores of failures. Some companies take action; many do not. Where do you stand? The technology balance Both inside and outside of security, there are plenty of arguments both for and against new technologies:
Given the rapidly evolving threat landscape, though, CISOs should be pushed harder than most to commit fully to the leading edge of security innovation. After all, “nobody got fired for buying IBM” and “fortune favors the brave“, right? The next generation of security  More and more CISOs are choosing to be brave. Why? It comes down to the modern way this next generation of security is being designed and built.  Today’s security benefits  are focused on cutting the risk out of early participation while amplifying the benefits. At the heart of the change are two related trends:  Next-generation security services  The advancement of machine learning The next generation of security services has removed the need for CISOs to be experts on negotiating IT project. Instead, they can focus on managing the risks to their business.  For example, with cloud services, the costs of infrastructure – and efforts of supporting it – are completely removed as the services you buy are scalable to match the business. Cloud services also require no maintenance or professional assistance beyond an internet browser. The cloud means that the hurdles and expense associated with “trying out something new” are hugely mitigated. And, because these next-gen security services are hosted on the cloud, you’ll always have the latest version.  There is only one “copy” of these software tools. That means upgrade cycles have come down from once a year to multiple times a day. Better still, these services connect to one another. This equates to a shallower learning curve for users, faster time-to-market, and the flexibility to bolt on future tools that suit the way you want to run your operation.
Legacy technology vs. machine learning Whereas legacy technology uses rule-based techniques to secure organizational risks, new providers leverage machine learning to provide accurate, automatic protection, and visibility against advanced risks, otherwise impossible to detect with legacy systems. Machine learning’s goal is to understand the structure of the data and fit theoretical distributions to that data that is well understood. And, because machine learning often uses an iterative approach to learn from data, the learning can be easily automated. Passes are run through the data until a robust pattern is found. In an ever-evolving security world, this allows for the identification of specific risks. By using machine learning algorithms to build models that uncover these connections, organizations can make better decisions without human intervention. For example, identifying anomalous behaviors that form part of the most advanced threats in the enterprise. The benefit for CISOs – and their security teams – is clear. Lower time commitment to identify and remediate issues and more accurate reporting on the risks to the business. These next generation tools also achieve something legacy systems can’t and don’t: they share de-identified data between customers to ensure everyone is protected, even from threats that haven’t (yet) been seen in their own network. The benefit? Organizations continually – and automatically – improve their protection against an ever-changing threat environment. Low risk, high reward  Finally, like never before – and because these services are in the cloud – security leaders are in a position to switch on new services at low risk, without any upfront investment.  With no upfront CapEx, chances are that your first steps will be below any procurement ceiling too – so PoCs become simple to execute. It becomes rational to test a service or strategy with a small team before rolling out more broadly.  And, because the barrier to try (and switch!) for these early adopters is so low, “try before you buy” is a prevalent trend. With low switching costs, the software developers behind the scenes have a wholehearted commitment to making the trial period compelling enough to convince you to take the next step. They have skin in the game and understand that happy customers dictate whether or not a product is successful. This lowering of barriers, enabling of small-scale testing, and offsetting of cost should all make it a little more tempting for CISOs to take the leap and occasionally try for first-mover status. Because adopting innovative practices has never been so low-risk and the rewards are well-worth it.  To name a few… improving your security posture, reducing admin, and protecting your employees from ever-evolving threats.
Human Layer Security Spear Phishing
Romance Fraud Scams Are On The Rise
By Laura Brooks
11 February 2021
Cybercriminals are exploiting “lockdown loneliness” for financial gain, according to various reports this week, which reveal that the number of incidents of romance fraud and romance scams increased in 2020.  UK Finance, for example, reported that bank transfer fraud related to romance scams rose by 20% in 2020 compared to 2019, while Action Fraud revealed that £68m was lost by people who had fallen victim to romance fraud last year – an increase on the year before. Why? Because people have become more reliant on online dating and dating apps to connect with others amid social distancing restrictions put in place for the Covid-19 pandemic.
With more people talking over the internet, there has been greater opportunity for cybercriminals to trick people online. Adopting a fake identity and posing as a romantic interest, scammers play on people’s emotions and build trust with their targets over time, before asking them to send money (perhaps for medical care), provide access to bank accounts or share personal information that could be used to later commit identity fraud. Cybercriminals will play the long-game; they have nothing but time on their hands.  A significant percentage of people have been affected by these romance scams. In a recent survey conducted by Tessian, one in five US and UK citizens has been a victim of romance fraud, with men and women being targeted equally.
Interestingly, people aged between 25-34 years old were the most likely to be affected by romance scams. Tessian data shows that of the respondents who said they had been a victim of romance fraud, 45% were aged between 25-34 versus just 4% of respondents who were aged over 55 years old.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); This may be because romance fraud victims are most commonly targeted on social media platforms like Facebook or Instagram, with a quarter of respondents (25%) saying they’d been successfully scammed on these channels.  This was closely followed by email (23%) while one in five people said they’d been targeted on mobile dating apps, and 16% said they’d been scammed via online dating websites.  This behavior is quite typical, say experts. Often romance fraud will start on dating apps or official dating websites but scammers will move to social media, email or text in order to reduce the trail of evidence.
How to avoid falling for a romance scam It’s important to remember that most dating apps and websites are completely safe. However, as social distancing restrictions remain in place for many regions, people should consider how they could be targeted by social engineering attacks and phishing scams at this time. We advise people to question any requests for personal or financial information from individuals they do not know or have not met in person, and to verify the identity of someone they’re speaking to via a video call. We also recommend the following: Never send money or a gift online to someone who you haven’t met in person. Be suspicious of requests from someone you’ve met on the internet. Scammers will often ask for money via wire transfers or reload cards because they’re difficult to reverse. Be wary of any email or DM you receive from someone you don’t know. Never click on a link or download an attachment from an unusual email address.  Keep social media profiles and posts private. Don’t accept friend requests or DMs from people you don’t know personally.  The FBI and Action Fraud have also provided citizens with useful advice on how to avoid falling for a romance scam and guidance for anyone who thinks they may have already been targeted by a scammer.  And if you want to learn more about social engineering attacks, you can read Tessian’s research How to Hack a Human. 
Human Layer Security DLP
Industry-First Product: Tessian Now Prevents Misattached Files on Email
By Harry Wetherald
11 February 2021
Misdirected emails – emails sent to the wrong person – are the number one security incident reported to the Information Commissioner’s Office. And, according to Tessian platform data, an average of 480 misdirected emails are sent every year in organizations with over 1,000 employees.  An unsolved problem We solved this years ago with Tessian Guardian, our solution for accidental data loss. But sending an email to the wrong person is just one part of the problem. What about sending the wrong attachment? After all, our data shows that 1 in 5 external emails contain an attachment and new Tessian research reveals that nearly half (48%) of employees have attached the wrong file to an email. We call these “misattached files” and we’re happy to announce a new, industry-first feature that prevents them from being sent.  The consequences of attaching the wrong file The consequences of a misattached file depend on what information is contained in the attachments.  According to Tessian’s survey results, 42% of documents sent in error contained company research and data. More worryingly, nearly two-fifths (39%) contained security information like passwords and passcodes, and another 38% contained financial information and client information.  36% of mistakenly attached documents contained employee data.  Any one of the above mistakes could result in lost customer data and IP, reputational damage, fines for non-compliance, and customer churn. In fact, one-third of respondents said their company lost a customer or client following this case of human error, and a further 31% said their company faced legal action.  Until now, there weren’t any email security tools that could consistently identify when wrong files were being shared. This meant attachment mistakes went undetected…until there were serious consequences.  How does Tessian detect misattached files? The latest upgrade to Tessian Guardian leverages historical learning to understand whether an employee is attaching the correct file or not. When an email is being sent, Guardian’s machine learning (ML) algorithm uses deep content inspection, natural language processing (NLP), and heuristics to detect attachment anomalies such as: Counterparty anomalies: The attachment is related to a company that isn’t typically discussed with the recipients. For example, attaching the wrong invoice. Name anomalies: The attachment is related to an individual who isn’t typically  discussed with the recipients. For example, attaching the wrong individual’s legal case files. Context anomalies: The attachment looks unusual based on the email context. For example, attaching financial-model.xlsx to an email about a “dinner reservation.” File type anomalies: The attachment file type hasn’t previously been shared with the receiving organization. For example, sending an .xlsx file to a press agency.
If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. Best of all, the warnings are helpful, not annoying and flag rates are low. This means employees can do their jobs without security getting in the way.  Want to learn more about how Tessian detects attachment anomalies before they’re sent? Download the data sheet.
Benefits for Tessian customers Tessian is the only solution in the market that can solve the problem of misattached files, giving customers complete protection from accidental data loss on email.  In addition to preventing human error and subsequent breaches, Tessian Guardian has several features that help ease the burden of compliance on thinly-stretched security teams and give key key stakeholders peace of mind. These include: Automated protection: Tessian Guardian automatically detects and prevents misattached files. No rules or manual investigation required.   Flexible configuration options: With this new feature, customers will be able to configure Guardian’s algorithm to enable and/or disable specific use-cases. This allows administrators to balance user experience with the level of protection appropriate to their risk appetite. Data-rich dashboards: For the first time, customers will have visibility of how many misattached files are being sent in their organization and by whom. This demonstrates clear ROI and makes auditing and reporting easy. 
Learn more about Tessian Interested in learning more about Tessian Guardian’s new features? Current Tessian customers can get in touch with your Customer Success Manager. Not yet a Tessian customer? Learn more about our technology, explore our customer stories, or book a demo now.
Page
[if lte IE 8]
[if lte IE 8]