Integrated Cloud Email Security, Advanced Email Threats
Nation-States – License to Hack?
by Andrew Webb Thursday, March 10th, 2022
Traditionally, security leaders' view of nation-state attacks has been "as long as you're not someone like BAE Systems or a government, you're fine". But in the last three years nation-state attacks have doubled in number to over 200, and we've yet to see the full cyber impact of the war in Ukraine. Consequently, nation-state attacks are something all security leaders should be aware of and understand. Here's what you need to know.

How a nation-state attack differs from a regular cyber attack

Nation-state attacks are typically carried out by APTs, or advanced persistent threats, a term first coined in 2005. They are called advanced because they have access to exploits and techniques that are more professional, more effective, and more expensive than those of the average criminal actor. Nation-state attackers can field teams large enough to work around the clock, handing off every eight hours. There's also the question of duration. APTs play the long game, and can sometimes spend 18 to 24 months preparing or lying in wait before the actual attack takes place. The bottom line: nation-state hackers have the resources to wait for the perfect moment to strike.

What are the aims of a nation-state APT attack?

With the nearly unlimited money and resources of a nation-state behind them, nation-state attackers can try every technique and tactic available until they eventually accomplish their goal. And those goals are nearly always political rather than purely criminal. APT attacks generally aim to do one of the following:

- Exfiltrate data containing military secrets or intellectual property
- Conduct propaganda or disinformation campaigns
- Compromise sensitive information for use in further attacks or identity theft
- Sabotage critical organizational infrastructure

Russia blurs this line in that it has used criminal activity in furtherance of political goals for years. It also has an APT set whose objective is essentially disruption and discord, so that security teams and government agencies don't know where to place their defensive resources.
Which businesses are most at risk from a nation-state attack?

A sector all threat actor groups are interested in is Cleared Defense Contractors (CDCs). CDCs are businesses granted clearance by the US Department of Defense to access, receive, or store classified information when bidding for a contract or carrying out other supporting activities. One of the first APT campaigns against CDCs was Titan Rain in 2003. Suspected Chinese hackers gained access to the computer networks of organizations such as Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA, as well as UK government departments and companies. What's more, it's believed that they were inside those networks for over three years.

Infrastructure companies are also popular targets. US infrastructure companies have been getting hit more and more frequently (Colonial Pipeline's 2021 shutdown, although the work of a criminal ransomware group rather than a state, showed how exposed the sector is), and Ukraine suffered a power grid outage caused by a cyber attack in 2015. And banks, especially national banks, are under continual attack; in light of the recent removal of several Russian banks from the SWIFT payment system, western banks are presumed to be under increased threat of retaliation.

Softer secondary targets

Although traditionally targets with connections to the military bore the brunt of APTs, there are signs that this is spreading to other industries. In 2021 Microsoft shared detailed information regarding a "state-sponsored threat actor" based in China that targeted a wide range of entities in the U.S., including law firms. The attackers used previously unknown vulnerabilities in Microsoft Exchange Server to get in, so it's reasonable to assume that if you have even tangential connections to a political target of one of these countries, you could be at risk.
As KC Busch, Tessian's Head of Security Engineering & Operations, explains: "APTs might need to spend a million dollars to compromise their direct target. But if they can find a law firm connected with that target that doesn't encrypt outbound comms or have adequate email protection, then they're going to go for the law firm rather than the million-dollar target." This underscores the importance of not just your own cybersecurity posture, but that of every organization in your network or supply chain. You're only as strong as your weakest link.
The phases of an APT attack

APT attacks come in three phases.

First, there's network infiltration, typically achieved through compromised credentials. If compromised credentials aren't an option, or defenses are particularly robust, nation-state attackers might use a zero-day exploit. Countries can have teams that research and write their own zero-days, but more commonly they buy them from a gray market of third-party companies that aggregate exploits and sell them without much ethical thought about how they're used. This murky world of zero-day exploits and the people who broker them to governments and security agencies was chronicled by former New York Times cybersecurity reporter Nicole Perlroth in her recent book, 'This Is How They Tell Me The World Ends'. Perlroth's book highlights how for decades US government agencies paid thousands, and later millions, of dollars to hackers willing to sell zero-days, and how they lost control of the market. The result is that zero-days are in the hands of hostile nations, who have the money to purchase them and a need to deploy them, even as they become rarer and more expensive.

The second phase is the expansion of the attack to spread to all parts of the network or system. As we've mentioned, APT attacks are not hit-and-run. With time on their side, hackers can wait patiently in the network before gaining full access and control of it.

Thirdly, there's the attack itself. This could involve collecting data and exfiltrating it, or disrupting critical infrastructure systems. Several APT attacks have also used a distributed denial-of-service (DDoS) attack as a smokescreen while data amassed over months or years is exfiltrated.
Notable nation-state attacks

The most sophisticated: Stuxnet is widely believed to have been developed by the USA and Israel for use against Iran's uranium enrichment program. It sabotaged the plant's uranium centrifuges by varying their spin rate, subtly enough that they were not simply shut down, while false data was displayed back to the controller so that employees thought everything was business as usual. Designed to be delivered by an infected USB stick, it could cross the air gap that protected the plant. However, it got out into the wild when an engineer took his infected laptop home from the plant and connected it to the internet.

The biggest: 2015's Anthem breach (China was reported to be behind it) saw the sensitive personal data of approximately 78.8 million Americans fall into the wrong hands. Brian Benczkowski, the assistant attorney general in charge of the Department of Justice Criminal Division, called the Anthem hack "one of the worst data breaches in history." The data wasn't ransomed back to the company, and the reasons for the attack remain unclear. In 2019 the DOJ unsealed an indictment charging two Chinese nationals for the attack, but any indication of the alleged hackers' motives or affiliation was noticeably absent. Current thinking is that the data will be used for identity theft, or to identify interesting individuals or government employees for further exploitation and attack. Only nation-states have the resources to process that much intel and find the 100 or so people whose credentials can be further targeted. As for Anthem, the breach cost them over $40 million to settle the resulting claims and clean up the mess.

What's the future of nation-state attacks?

The Anthem breach and others led to a very loose set of guidelines on what is and is not acceptable, hammered out between former President Obama and President Xi Jinping of China in 2015, but none of it has the force of law in the way the Geneva Conventions do. And with an actor like Russia currently in a highly aggressive position, it's reasonable to expect escalation until the desired political goals are achieved. Attack types are likely to evolve, too. One example: wipers. Unlike ransomware, where you pay the money and (hopefully) get your data back, a wiper may display a ransom-style message while it is erasing all your data, with no recovery on offer. They are a class of malware that has so far had a narrowly targeted use, but if someone decided to let them loose the damage could be astronomical. And worryingly, they've already been spotted in Ukraine.

How to protect your organization from nation-state attacks

The federal Cybersecurity & Infrastructure Security Agency (CISA) has posted a bulletin, titled "Shields Up," which includes an evolving overview of the current cyber threat environment and specific steps that organizations, corporate leaders, and CEOs can take to bolster their cyber defenses. We have more on those recommendations, as well as how to foster a risk-aware culture, in this blog post. Enacting these defenses and upskilling your team is the best way to protect your organization from nation-state attacks.
Integrated Cloud Email Security, Advanced Email Threats
Playing Russian Roulette with Email Security: Why URL Link Rewriting Isn’t Effective
by Tessian Friday, February 18th, 2022
Malicious URL link-based attacks are a tried and tested method for threat actors to compromise information systems. Although legacy Secure Email Gateway (SEG) vendors offer URL link rewriting protection, also referred to as time-of-click protection, there are significant limitations to the degree of protection this security control provides.

Unlike behavioral cybersecurity solutions like Tessian that dynamically scan all of the content in an email in real time, including URL links and attachments, SEGs rely on a manual, rule-based threat detection approach. With this approach, your protection is only as effective as the rules and policies you have created, combined with how current your threat detection engine's reputation data is.

The static approach to malicious URL link detection by SEGs explains why zero day threats often get through defenses. The lack of machine learning scanning capability also explains why threat actors are able to hide malicious URLs in attachments or even in plain text. For example, APT39 successfully leveraged malicious URL links that were hidden in or attached to phishing emails to carry out an elaborate espionage and data gathering campaign across multiple jurisdictions. Similar attacks are usually, but not exclusively, motivated by credential harvesting for Account Takeover (ATO) purposes.

How URL link rewriting protection works

SEGs that offer URL link rewriting scan and rewrite the URLs contained in any inbound email so that every link points through the vendor's own network. This means that all links in any email received through the gateway are rewritten to go via the email security vendor's system. URL link rewriting then detects malicious URLs at the moment the user clicks on the link, by unwrapping the original URL and analyzing it against key criteria specified in the security rules and policies, as well as against the vendor's repository of known malicious URLs. When it comes to the security rules and policies, SEGs require the security admin to set the degree to which URL categories are scanned, and allow selected email groups in an organization to be included or excluded. The scanning intensity settings typically range from relaxed, through moderate, to aggressive. If a URL link is determined to be malicious based on the rules and policies and on the reputation of the link, the end user is notified and warned against accessing it.
Five shortcomings of URL link rewriting protection

1. URL link rewriting is an overly manual security control prone to human error

URL link rewriting, or time-of-click protection, requires a significant degree of manual security rule and policy orchestration. Because it is a post-delivery control, emails containing malicious URLs are delivered and the URLs are only scanned when clicked, so without well-configured URL detection rules and policies the effectiveness of this static control is significantly compromised. The static nature of policy and rule orchestration also opens the door to human error introducing security risk, by either failing to set the appropriate degree of URL scanning intensity or failing to include the appropriate user groups.

2. URL link rewriting is ineffective at protecting against zero day attacks

URL link rewriting offers protection against known threats only, and therefore limited protection against zero day attacks. For example, registering new domains or hijacking existing "trusted" domains are popular evasion methods: a domain registered an hour ago has no reputation to check against. Once the email has passed through the gateway, the threat actor has unfettered access to end users who assume that the email and its links have been scanned and are safe. Usually the threat detection engine is only updated after a successful compromise.

3. URL link rewriting lacks the intelligence to detect advanced phishing subterfuge

Threat actors find sophisticated ways to obfuscate malicious URLs. They often do not include the malicious URL in the email itself, but hide it behind "safe" URL redirects or inside attachments in formats that are not commonly used or that fall outside the scope of the security policy. Upon opening the file or clicking the link, victims are taken to what appears to be a legitimate website, which then redirects to a malicious site posing as a trusted service provider. A check that only evaluates the first hop never sees the final destination.

4. Protection starts and stops at the gateway

URL link rewriting can be bypassed altogether by a lateral phishing attack. Malicious URLs sent from an already compromised account inside the organization never pass through the inbound gateway, and so are never rewritten or scanned.

5. If all you have is a hammer, everything looks like a nail

URL link rewriting offers no protection against attacks that abuse a legitimate site, such as cross-site scripting (XSS) on, or a credential-harvesting page planted on, a recently compromised website. The threat actor sends a benign-looking link to a domain with a good reputation and captures the victim's credentials, for example on the compromised site's log-in page. Legacy email security solutions would have determined that the link is "safe" even if the email was received from an unknown or suspicious party.
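To make the mechanism in "How URL link rewriting protection works" and shortcomings 2 and 3 concrete, here is a stripped-down time-of-click rewriter. It is an added illustration, not Tessian's or any SEG vendor's code: the redirector host, the known-bad list, the trusted open-redirect host and the sample email are all constructed for this example. Links are wrapped at delivery time and checked against host reputation only when unwrapped at click time, which is exactly why a freshly registered lookalike and a malicious URL tucked behind a trusted redirect both come back as "allow".

```python
"""Time-of-click URL rewriting reduced to its essentials.

Added illustration, not Tessian's or any SEG vendor's code. The redirector
host, the reputation lists and the sample email are constructed.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical vendor click-tracking endpoint that rewritten links point at.
REWRITE_HOST = "https://safelinks.example-seg.invalid/click"

# Reputation data available at click time. It is static: a host only gets
# here after someone has already been caught by it (shortcoming 2).
KNOWN_BAD_HOSTS = {"paypa1-login.invalid"}

# Hosts with a good reputation that expose an open redirect (shortcoming 3).
TRUSTED_REDIRECTORS = {"sso.trusted-partner.invalid"}
REDIRECT_PARAMS = ("next", "url", "redirect_uri")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_links(body: str) -> str:
    """Delivery time: replace every http(s) link with a redirector link."""
    def wrap(match):
        token = base64.urlsafe_b64encode(match.group(0).encode()).decode().rstrip("=")
        return f"{REWRITE_HOST}?u={token}"
    return URL_RE.sub(wrap, body)


def unwrap(rewritten_url: str) -> str:
    """Recover the original URL from a rewritten one."""
    token = parse_qs(urlsplit(rewritten_url).query)["u"][0]
    token += "=" * (-len(token) % 4)          # restore stripped base64 padding
    return base64.urlsafe_b64decode(token).decode()


def click_verdict(rewritten_url: str, known_bad=KNOWN_BAD_HOSTS) -> str:
    """Click time: the reputation-only check a basic SEG performs on the first hop."""
    host = (urlsplit(unwrap(rewritten_url)).hostname or "").lower()
    return "block" if host in known_bad else "allow"


def final_destination(url: str) -> str:
    """Resolve ?next=-style open redirects on trusted hosts syntactically (no
    network) to show where a click really lands; click_verdict never looks."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in TRUSTED_REDIRECTORS:
        query = parse_qs(parts.query)
        for key in REDIRECT_PARAMS:
            if key in query:
                return final_destination(query[key][0])   # follow chains
    return url


def analyse(body: str) -> dict:
    """Map each link in an email body to (time-of-click verdict, real destination)."""
    results = {}
    for original in URL_RE.findall(body):
        results[original] = (click_verdict(rewrite_links(original)),
                             final_destination(original))
    return results


# Constructed phishing email: one known-bad link, one freshly registered
# lookalike, and one malicious link hidden behind a trusted open redirect.
SAMPLE_EMAIL = """Your invoice is ready.
Review it here: https://paypa1-login.invalid/invoice
Or here: https://paypa1-secure.invalid/invoice
Or via the partner portal: https://sso.trusted-partner.invalid/login?next=https://paypa1-login.invalid/verify
"""

if __name__ == "__main__":
    print(rewrite_links(SAMPLE_EMAIL))
    for link, (verdict, lands_on) in analyse(SAMPLE_EMAIL).items():
        print(f"{verdict:5}  {link}\n       -> really goes to {lands_on}")
```

Only the first link is blocked. The lookalike is allowed because its host has no history, and the partner-portal link is allowed because the check stops at the trusted first hop; a control that followed the redirect chain and weighed domain age would catch both.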
The need for intelligent email security

Email remains the overwhelming favorite vector for attack. The ever-evolving nature of email-based threats has placed the effectiveness of legacy email security controls into sharp focus. With its static orchestration and binary threat detection approach, URL link rewriting is the embodiment of legacy approaches to email security risk. Simply stated, this security control is no longer fit for purpose in a dynamic threat landscape where threat actors continuously hone their ability to circumvent rule-based security controls. Only by leveraging email security solutions with machine learning and contextually aware scanning capability can you significantly improve your email security posture. See why CISOs at some of the leading organizations around the world are selecting Tessian as their advanced email security provider of choice. Book a demo now.
Integrated Cloud Email Security, Engineering Blog, Advanced Email Threats, Life at Tessian
Why Confidence Matters: How We Improved Defender’s Confidence Scores to Fight Phishing Attacks
Tuesday, January 4th, 2022
'Why Confidence Matters' is a weekly three-part series. In this first article, we'll explore why a reliable confidence score is important for our users. In part two, we'll explain more about how we measured improvements in our scores using responses from our users. And finally, in part three, we'll go over the pipeline we used to test different approaches and the resulting impact in production.

Part One: Why Confidence Matters

Across many applications of machine learning (ML), being able to quantify the uncertainty associated with a model's prediction is almost as important as the prediction itself. Take, for example, chatbots designed to resolve customer support queries. A bot that provides an answer when it is very uncertain about it will likely cause confusion and dissatisfied users. In contrast, a bot that can quantify its own uncertainty, admit it doesn't understand a question, and ask for clarification is much less likely to generate nonsense messages and frustrate its users.
The importance of quantifying uncertainty   Almost no ML model gets every prediction right every time – there’s always some uncertainty associated with a prediction. For many product features, the cost of errors can be quite high. For example, mis-labelling an important email as phishing and quarantining it could result in a customer missing a crucial invoice, or mislabelling a bank transaction as fraudulent could result in an abandoned purchase for an online merchant.      Hence, ML models that make critical decisions need to predict two key pieces of information: 1. the best answer to provide a user 2. a confidence score to quantify uncertainty about the answer. Quantifying the uncertainty associated with a prediction can help us to decide if, and what actions should be taken.
How does Tessian Defender work?

Every day, Tessian Defender checks millions of emails to prevent phishing and spear phishing attacks. In order to maximise coverage, Defender is made up of multiple machine learning models, each contributing to the detection of a particular type of email threat (see our other posts on phishing, spear phishing, and account takeover). Each model identifies phishing emails based on signals relevant to the specific type of attack it targets. Then, beyond this primary binary classification task, Defender also generates two key outputs for any email that any of the models identifies as potentially malicious:

- A confidence score, related to the probability that the flagged email is actually a phishing attack. This score is a value between 0 (most likely safe) and 1 (most certainly phishing), which is then broken down into four Priority categories (from Low to Very High). This score is important for several reasons, which we expand on in the next section.
- An explanation of why Defender flagged the email. This is an integral part of Tessian's approach to Human Layer Security: we aim not only to detect phishy emails, but also to educate users in the moment so they can continually get better at spotting future phishing emails. In the banner, we aim to concisely explain the type of email attack, as well as why Defender thinks it is suspicious. Users who see these emails can then provide feedback about whether they think the email is indeed malicious or not. Developing explainable AI is a super interesting challenge that probably deserves its own content, so we won't focus on it in this series. Watch this space!

Why Confidence Scores Matter

Beyond Defender's capability to warn on suspicious emails, there were several key product features we wanted to unlock for our customers that could only be done with a robust confidence score. These were:

Email quarantine

Based on the score, Defender first aims to quarantine the highest priority emails, so that malicious emails never reach employees' mailboxes. This not only reduces the company's risk exposure from an employee potentially interacting with a malicious email; it also removes the burden and responsibility from the user to make a decision, and reduces interruption to their work. Therefore, for malicious emails that we're most confident about, quarantining is extremely useful. In order for quarantine to work effectively, we must:

- Identify malicious emails with very high precision (i.e. very few false positives). We understand how much our customers rely on email to conduct their business, so we needed to make sure that important communications still reach their inboxes unimpeded. This was very important so that Tessian Defender can secure the human layer without security getting in our users' way.
- Identify a large enough subset of high-confidence emails to quarantine. It would be easy to achieve very high precision by quarantining only the very few emails with a very high score (a low recall), but this would greatly limit the impact of quarantine on how many threats we can prevent. To be a useful tool, Defender needs to quarantine a sizable volume of malicious emails.

Both these objectives directly depend on the quality of the confidence score. A good score allows a large proportion of flags to be quarantined with high precision.
Prioritizing phishy emails

In today's threat landscape, suspicious emails arrive in inboxes in large volumes, with varying levels of importance. That means it's critical to provide security admins who review these flagged emails with a meaningful way to order and prioritize the ones they need to act upon. A good score provides a useful ranking of these emails, from most to least likely to be malicious, ensuring that an admin's limited time is focused on mitigating the most likely threats, with the assurance that Defender continues to warn and educate users on other emails that contain suspicious elements. The bottom line: being able to prioritize emails makes Defender a much more intelligent tool that improves workflows and saves our customers time, by drawing their attention to where it is most needed.

Removing false positives

We want to make sure that all warnings Tessian Defender shows employees are relevant and help prevent real attacks. False positives occur when Defender warns on a safe email. If this happens too often, warnings become a distraction, which can have a big impact on productivity for both security admins and email users. Beyond a certain point, a high false positive rate can mean that warnings lose their effectiveness altogether, as users ignore them completely. Being aware of these risks, we take extra care to minimize the number of false positives flagged by Defender. Similarly to quarantine, a good confidence score can be used to filter out false positives without reducing the number of malicious emails detected. For example, emails with a confidence score below a given threshold can be dropped from the warning flow to avoid showing employees unnecessary warnings.
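The three uses above (quarantine, triage ordering and false-positive suppression) all reduce to picking thresholds on the same score, and the precision/recall tension in the quarantine section is easiest to see with numbers. The following is an added illustration, not Tessian Defender's code or data: the scores, the feedback labels standing in for analyst/user verdicts, and the priority cut points are all constructed for this example.

```python
"""Turning a phishing model's confidence score into quarantine, triage and
warning decisions.

Added illustration, not Tessian Defender's code. The scores, the feedback
labels and the priority cut points below are constructed for this example.
"""
from bisect import bisect_right

# Constructed feedback sample: (email id, model score in [0, 1], verdict from
# analyst/user feedback: True = really phishing). Sorted for readability only.
FLAGGED = [
    ("m01", 0.99, True), ("m02", 0.97, True), ("m03", 0.95, True), ("m04", 0.93, True),
    ("m05", 0.91, True), ("m06", 0.88, True), ("m07", 0.84, True), ("m08", 0.80, False),
    ("m09", 0.77, True), ("m10", 0.70, True), ("m11", 0.66, False), ("m12", 0.60, True),
    ("m13", 0.52, False), ("m14", 0.45, True), ("m15", 0.40, False), ("m16", 0.31, False),
    ("m17", 0.22, False), ("m18", 0.15, False), ("m19", 0.09, False), ("m20", 0.04, False),
]

# Assumed cut points mapping the score onto four priority bands. The article
# names only the ends (Low and Very High); the middle names are ours.
PRIORITY_BOUNDS = [0.5, 0.75, 0.9]
PRIORITY_NAMES = ["Low", "Medium", "High", "Very High"]


def priority(score: float) -> str:
    """Band a score falls in: [0,0.5) Low, [0.5,0.75) Medium, [0.75,0.9) High, [0.9,1] Very High."""
    return PRIORITY_NAMES[bisect_right(PRIORITY_BOUNDS, score)]


def precision_recall(flagged, threshold: float):
    """Precision and recall if everything scoring >= threshold were quarantined."""
    tp = sum(1 for _, s, y in flagged if s >= threshold and y)
    fp = sum(1 for _, s, y in flagged if s >= threshold and not y)
    fn = sum(1 for _, s, y in flagged if s < threshold and y)
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def quarantine_threshold(flagged, min_precision: float):
    """Lowest score threshold (hence highest recall) whose quarantine precision
    still meets min_precision. Returns (threshold, precision, recall) or None."""
    best = None
    for _, score, _ in sorted(flagged, key=lambda r: r[1], reverse=True):
        p, r = precision_recall(flagged, score)
        if p >= min_precision:
            best = (score, p, r)     # keep walking down while the target holds
    return best


def triage_queue(flagged):
    """Admin review order: most likely malicious first, with its priority band."""
    ranked = sorted(flagged, key=lambda r: r[1], reverse=True)
    return [(eid, score, priority(score)) for eid, score, _ in ranked]


def warned_ids(flagged, floor: float):
    """Emails that still get an in-the-moment warning once scores below
    `floor` are suppressed to cut false positives."""
    return [eid for eid, score, _ in flagged if score >= floor]


if __name__ == "__main__":
    for target in (0.95, 0.90, 0.80):
        print(f"precision >= {target}: quarantine at", quarantine_threshold(FLAGGED, target))
    for eid, score, band in triage_queue(FLAGGED)[:5]:
        print(eid, score, band)
    kept = warned_ids(FLAGGED, 0.4)
    print(f"warn on {len(kept)} of {len(FLAGGED)} flagged emails with a 0.4 floor")
```

On this sample, demanding 95% precision forces the quarantine threshold up to 0.84 and catches 7 of 11 real attacks; relaxing the target to 90% lets the threshold drop to 0.70 and catches 9 of 11. Suppressing warnings below 0.4 removes five false positives and loses no real attack, which is the behaviour the article wants from a well-calibrated score.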
What’s next?   Overall, you can see there were plenty of important use cases for improving Tessian Defender’s confidence score. The next thing we had to do was to look at how we could measure any improvements to the score. You can find a link to part two in the series below (Co-authored by Gabriel Goulet-Langlois and Cassie Quek)
Integrated Cloud Email Security, Email DLP, Advanced Email Threats
A Year in Review: 2021 Product Updates
by Harry Wetherald Thursday, December 16th, 2021
Looking back at the last 12 months, Tessian's Human Layer Security platform has scanned nearly 5 billion emails, identified over half a million malicious emails, stopped close to 30,000 account takeover attempts, and prevented over 100,000 data breaches due to misdirected emails. At the same time, we rolled out a number of important product updates to help keep our customers safe. Here are the most important product updates to Tessian's Human Layer Security platform from 2021.

We built the world's first Intelligent Data Loss Prevention Engine

We believe that the next generation of Data Loss Prevention is fundamentally about shifting away from entirely rule-based techniques towards a dynamic, behavioral approach. That's why we built Guardian and Enforcer, to automatically prevent both accidental data loss and sensitive data exfiltration to unauthorized accounts. But we have also seen that, when combined with dynamic behavioral analysis, custom DLP policies play an important role in an organization's data security strategy. With the launch of Tessian Architect in October 2021, enterprises can now deploy powerful, intelligent DLP policies. Architect is a perfect complement to Tessian Guardian and Enforcer and provides a best-in-class Email DLP platform:

- Architect was built together with leading security teams: it's intuitive, quick to learn and comes with a library of prebuilt policies
- Architect has built-in machine learning capabilities and a powerful logic engine to address even the most complex DLP use cases
- Architect is designed to educate users about data security practices in the moment and guide people towards better behavior

Want to learn more about Tessian Architect? Read more about it here.

We now protect customers from compromised external counterparties

This year, we saw a record number of bad actors compromising the email accounts of trusted external senders (suppliers, customers, and other third parties) to breach a target company. These attacks are called external Account Takeovers (ATO), and they're one of the main pathways to Business Email Compromise (BEC). Because these malicious emails don't just appear to come from a trusted vendor's or supplier's legitimate email address, but actually do come from it, external ATOs are incredibly hard to spot, leaving organizations exceptionally vulnerable to them. Tessian Defender now automatically detects and stops external Account Takeover attacks. By using machine learning to understand a sender's normal email sending patterns (like where they usually send from, what they talk about, what services they use, and more), it can identify suspicious deviations from the norm and detect malicious emails. When this happens, Defender can either block these attacks, or show educational alerts to end users, helping them identify and self-triage attacks. Learn more about External Account Takeover protection here.

We now stop more threats, with better accuracy, with less admin overhead

In-the-moment warnings are one of the features that set Tessian apart from the competition. When Tessian Defender detects a potentially malicious email, it warns users with a pop-up, explaining exactly why the email was flagged. But we know that sometimes it's better to automatically block phishing emails. Tessian Defender now automatically blocks attacks before they reach a user's mailbox. This gives security teams an additional layer of email security, preventing end users from receiving emails that are highly likely to be phishing attacks. Defender can also adapt the response it takes to remediate a threat. If our machine learning is close to certain an email is malicious, it can quarantine it. Otherwise, it can deliver it to the end user with an educational warning. This adaptive approach is so powerful because it strikes a balance between disrupting end users and protecting them. Finally, this year Tessian Defender's detection algorithm made some big strides. In particular, improvements in our risk confidence model allowed us to significantly reduce false positives, providing a better experience for end users and security teams.

We now stop employees from accidentally sending the wrong attachment

Accidental data loss is the number one security incident reported to the Information Commissioner's Office, and sending an incorrect attachment is part of that problem. In fact, 1 in 5 external emails contain an attachment, and research shows nearly half (48%) of employees have attached the wrong file to an email:

- 42% of documents sent in error contained company research and data
- 39% contained security information like passwords and passcodes
- 38% contained financial information and client information
- 36% of mistakenly attached documents contained employee data

Thanks to an upgrade to Tessian Guardian, organizations can now prevent employees from accidentally sending the wrong attachment in an email. The upgrade uses historical learning, deep content inspection, natural language processing (NLP), and heuristics to detect counterparty anomalies, name anomalies, context anomalies, and file type anomalies, and so to judge whether an employee is attaching the correct file. If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. This is completely automated, requiring no overhead from IT teams. Best of all, the warnings are helpful, and flag rates are extremely low. This means employees can do their jobs without security getting in the way. Learn more about misattached file protection here.
We can now quantify and measure human layer risk

Comprehensive visibility into employee risk is one of the biggest challenges security leaders face. With the Tessian Human Layer Risk Hub, our customers can now deeply understand their organization's security posture, with granular visibility into employee risk and insights into risk levels and drivers. How does it work? Tessian creates a risk profile for each employee, modelled from a range of signals like email usage patterns, indirect risk indicators, and employee security decisions (both historic and in real time). Because of this unique data modelling, Tessian can gauge employees' risk level, including whether or not they're careful, careless, frequently attacked, and more. This offers organizations protection, training, and risk analytics all in one platform, providing a clear picture of risk and the tools needed to reduce it. Learn more about the Human Layer Risk Hub here.

We now integrate with KnowBe4, Sumo Logic, Okta, and more

Tessian is even more powerful when integrated with other security solutions that help address the risk posed by employees. That's why, in the last 12 months, we've announced integrations with Okta, Sumo Logic, and KnowBe4, each with its own benefits for joint customers. With Sumo Logic + Tessian, security and risk teams can understand their risk through out-of-the-box monitoring and analytics capabilities. With Okta + Tessian, security and risk management teams get granular visibility into their organization's riskiest and most at-risk employees, enabling them to deploy policies that protect particular groups of users from threats like advanced spear phishing and account compromise, and prevent accidental data leaks. And with KnowBe4 + Tessian, security and risk management teams get more visibility into phishing risk than ever before.
Want to help us solve more challenges across use cases? Come build with us.
Integrated Cloud Email Security, Advanced Email Threats
Product Integration News: Tessian + KnowBe4 = Tailored Phishing Training
by Austin Zide Tuesday, December 7th, 2021
Following other recent integrations (Okta, Sumo Logic...) we're adding KnowBe4, the world's largest integrated security awareness training and simulated phishing platform, to the list, giving organizations more visibility into phishing risk than ever.

What are the benefits of Tessian + KnowBe4?

The integration combines KnowBe4's phishing simulation and training results with insights from Tessian's Human Layer Risk Hub, to give security and risk management teams a more comprehensive view of their riskiest employees. By identifying the employees who are most likely to fall for phishing attacks, security teams can adjust their security policies to the specific risks posed by individuals, or deliver more tailored training in the areas where people are struggling most. With Tessian + KnowBe4:

- Training is more relevant
- Employees are more engaged
- Security leaders can easily report on the impact training has on improving the company's overall security posture

This is a shift away from the traditional approach to security awareness training and a much-needed answer to the ever-growing problem of phishing attacks. Figures show that 1 in 4 employees has clicked on a phishing email at work, while the FBI revealed that phishing was the most common type of cybercrime last year, with 11x as many phishing reports in 2020 as in 2016.
Learn more To find out more about the Tessian and KnowBe4 integration, click here.
Integrated Cloud Email Security, Customer Stories, Email DLP
16 Ways to Get Buy-In For Cybersecurity Solutions
by Tessian Friday, December 3rd, 2021
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.

This is easier said than done, but security is business-critical.

So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives?

We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips.

You can download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. Or, download this eBook.

1. Familiarize yourself with overall business objectives

While cybersecurity has historically been a siloed department, today it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.

The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case.

If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach report, the average cost of a data breach is $4.24 million.)

2. Create specific “what-if” scenarios

A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.

As the saying goes, “If it ain’t broke, don’t fix it”.

That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented, so that stakeholders can understand both probability and impact.

For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails, which, by the way, are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox. What would happen?

Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.

3. Work closely with the security vendor

You know your business. Security vendors know their product. If you combine your expertise, and really lean on each other, you’ll have a much better chance of making a compelling case for a particular solution.

Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.

4. Collaborate and align with other departments

It takes a village, and cybersecurity is a “people problem”. That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.

Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win!

5. Consider how much the executive(s) really know about security

To communicate effectively, you have to speak the same language. And we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with.

But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing.

For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and, whatever you do, don’t bury the point underneath complex explanations of processes.

In short: don’t succumb to the Curse of Knowledge.

6. Use analogies to put costs into perspective

One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful.

For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.

Suddenly, the cost will seem more manageable and worth the investment.

7. Invite key stakeholders to events or webinars

Before you even start pitching a particular solution, warm up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people and organizations are finding solutions.

Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle.

8. Prepare concise and personalized briefing materials

Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5.

After taking some time to understand the business’ overall objectives, take a closer look at individual people’s roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity.

Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.

The bottom line: make it about them.

9. Share these documents in advance of any formal meetings

While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.

To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings.

But don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information.

10. Build a strong security culture

Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone.

So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping, not blaming, employees. There has to be a certain level of mutual trust and respect.

Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions, whether it’s clicking on a phishing email or using a weak password, have consequences.

If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign off on solutions.

11. Keep an eye on security trends outside of your industry

Some industries, specifically Healthcare, Financial Services, and Legal, are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months.

Keep this in mind.

If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too.

12. Approach non-executive stakeholders early on

While, yes, getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.

After all, those are the people who will actually be responsible for deploying the solution and maintaining it. By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.

How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.

13. Match like-for-like people from both sides

If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level.

For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.

And, with that in mind…

14. Preempt questions and prepare answers

No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!)

Remember, people are generally concerned with how a problem or solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.

15. Get specific customer references from the vendor

We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And we mentioned in tip #13 that you should match like-for-like people in meetings.

It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince your CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from the CTO.

Why? Professionals trust and rely on their peers when making difficult decisions.

16. Be conscious (and considerate) of people’s time

Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).
Podcast, Interviews With CISOs
Q&A with Ben Aung, Chief Risk Officer at SAGE
Monday, November 29th, 2021
Ben Aung is the Chief Risk Officer at SAGE, formerly served as a Deputy Government Chief Security Officer in the UK government, and is a Tessian customer. He discussed insider threats, fear, uncertainty and doubt (FUD), and the Great Resignation with Tessian CEO and Co-Founder, Tim Sadler, on the RE: Human Layer Security podcast. Listen here, or read the Q&A below.

Tessian: How has this year been for you and your team at SAGE?

Ben: I’m surprised how much we’ve managed to achieve under challenging circumstances.

We’ve managed to get to a “business-as-usual” state much faster than I would have expected, and many of the kind of “doomsday” threats that we might have been anticipating as a result of COVID haven’t really materialized for me.

Tessian: What are your thoughts on insider threats? Could you share a bit about how you’ve been focused on insider threats throughout your career?

Ben: Most of my career in government has been in information security, computer security, or cybersecurity—depending on which term was de rigueur at the time—but when I joined the Cabinet Office in 2012, my first gig I got there was as the Senior Policy Adviser in the National Security Secretariat for insider threats.

Soon after I joined, we were dealing with the aftermath of the Edward Snowden disclosures, which—as many people will remember—were a seismic event in the insider threat world, and caused a great deal of reflection and introspection around how much confidence we could have in some of the very long-standing controls that we’d had around mitigating the most severe insider incidents, particularly in the national security context.

That was a real “baptism by fire” for me in the insider world. I was working across the Five Eyes countries and trying to join up what we all thought was a fairly consistent understanding of how to fight insider threats, but I found out we were all doing things in slightly different ways.

My experience of working with the intelligence community in that very high threat, high impact context was that—in amongst all of the complexity, and “smoke and mirrors,” and spookery—many of the issues were just fundamental people issues or control issues that I expect nearly every organization to face, in one way or another.

Tessian: According to stats, insider threats have risen almost about 50% in the past two years. Why do you think it’s such a challenging problem to solve?

Ben: I think we overcomplicate it, would be my headline. We don’t think holistically about the interventions we can make in the lifecycle of an individual or an insider incident that might reduce both the opportunity and the impact.

We often put too much emphasis on hard technical controls. We lock systems down, so they become unusable, and people just find ways to circumvent them.

We put too many eggs in one basket, and we don’t think about all the little things we can do that cumulatively, or in aggregate, can support us.

The other thing I’d say is—cybersecurity, as an area of risk, is too populated with anecdotes and an absence of data. And it’s too driven by the worst-case scenarios, rather than the everyday, which I think are too often the starting point for the more severe events that happen later down the line.

Tessian: How do we take steps towards that more data-driven approach, and what’s your advice to people who may agree that they find themselves swayed by headlines and the “fear factor”?

Ben: As security professionals, we sometimes have quite thankless roles in an organization. And actually bringing a bit of excitement and interest—it’s an interesting part of the job, and sometimes adds a bit of “mythology.”

The point is that the most effective interventions are some of the most boring and the most mundane. By that, I mean—if you look across all of the most severe insider incidents of the last “x” years, effective line management would have been one of the key mitigations.

Effective line management, good pastoral care, good understanding of employee wellbeing, good performance management processes, basic controls around access, audit, and monitoring.

I think because these things have existed for such a long time, and we don’t associate them with insider risks, then they’re either overlooked, they’ve degraded, they’re boring—they don’t attract investment in the same way that other things do.

The goal is to bank all of that stuff, get that foundation in place, and then supplement with some of the specialist tools that are available on the market—like Tessian—where you can say, “I’ve got confidence in some of these fundamentals, now I want to take that step and really understand my enterprise and what’s happening in and out of it in a much more sophisticated way.”

Tessian: There have been a number of incidents reported in the news where disgruntled employees are being targeted by cybercriminals to assist in malicious activities. Is this something that concerns you?

Ben: I used to think about this a lot in government, where the notion of a “blended attack”—particularly in the nation-state context—is very relevant.

There’s often a misconception that a hostile state actor says, “I’m going to launch a cyberattack on the UK,” or “I’m going to compromise ‘x’ system”—they have an objective, and often cyber or remote attacks are the cheapest way to achieve that objective.

But in some cases, they won’t be. And a blended attack, where you use some kind of close-access technology that’s deployed by a compromised individual as a precursor to a remote attack, is a threat model that governments have to deal with.

And some of the techniques that governments can deploy against one another are absolutely crazy… the level of creativity and imagination at play… That is a very real risk in that context, and I think it’s inevitable that elements of it are going to find their way out into the commercial world.

The key consideration is: what is the cost/benefit equation that the actor is going to be relying on? And as soon as you start including vulnerable individuals, you do increase operational risks as an attacker. The ransomware groups wouldn’t care too much about that, but it’s about whether they get the pay-off they need for the level of effort they put in. And I guess, in many cases, they would.

If you just look, in more of a social context, at how teenagers and children can be blackmailed by people on the other side of the world, then there’s no reason why someone seeking monetary gain—through a ransomware attack or otherwise—wouldn’t do the same.

I haven’t seen any real evidence that it’s happening at any sort of scale, but I think having people in your organization—like we try and achieve at SAGE—who will report early… there’s a sort of “no consequence” reporting rule in SAGE and in many organizations, where we just want to know. I think that’s one of the most effective mitigations.

This Q&A was adapted from our RE: Human Layer Security podcast. You can hear the full interview here.
Integrated Cloud Email Security, Advanced Email Threats, Interviews With CISOs
All Cybersecurity 2022 Trend Articles Are BS, Here’s Why
by Josh Yavor Tuesday, November 16th, 2021
Ah, the holidays. As we roll up to the end of the year, one thing’s as certain as the office party and failed New Year’s resolutions: cybersecurity 2022 trend articles.

And like festive holiday merch in stores, trend pieces seem to appear earlier and earlier each year.

Well, this year we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.

And on Twitter, the feeling is similar…

“My prediction? The majority of 2022 cybersecurity predictions will again be “More of the same, packaged a bit differently” because that is how evolution works. It is only from an appreciable vantage point that one sees the scale of incremental change. 1/x” — Rik Fërgüson (@rik_ferguson) November 1, 2021

“My 2022 Cybersecurity Predictions: pic.twitter.com/7r4AC328q2” — c🎃e (@caseyjohnellis) November 2, 2021

So while someone, somewhere might fall for a high-profile deepfake attack or AI-generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that.

We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.

Infinity Trend One: People are (still) gonna fall for the same ol’ sh*t

Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Game, you can see why.

“You're only as strong as your weakest link. Human error wins every time. Awareness training is key. #InfoSec pic.twitter.com/tPD9yBEse3” — Khalil (@sehnaoui) June 21, 2017

You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.

Infinity Trend Two: You’ll (still) have to explain why cybersecurity matters to the CEO

“An important "soft skill" as you move up in leadership roles is brevity, the ability to not only be succinct but also flexible when presenting; knowing how to adjust your content on the fly. This is crucial when presenting to higher level business leaders. Practice this!” — Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec) October 28, 2021

Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.)

Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey revealing that chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs overall — 63% of organizations — don’t get the kind of support they need from their CEO. If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here are the only three metrics they care about.

Infinity Trend Three: Attacks will (still) come after lunch or at the end of the day (on a Tuesday)

Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious and slipped past secure email gateways (SEGs). Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.

Interestingly, Tuesday, not Friday, was the day employees sent and received the most emails, and that’s also the preferred day for spear phishing. One particular Friday does rank the very highest, however: Black Friday. So if you’re reading this… incoming!

It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions?

Infinity Trend Four: Your biggest risks will (still) come from ‘inside the house’

The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over 1,000 security professionals found that 61% think an employee will cause their next data breach.

Infinity Trend Five: Hiring a diverse team will (still) be one of your biggest priorities… and challenges

Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation.

Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it CEO), and you can see why it can be hard to foster a solid security culture.

InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.

So despite a decade passing, the problems most InfoSec and SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated, from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.

So our number one cybersecurity trend for 2022?

Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?

Until then, Happy Holidays!
Integrated Cloud Email Security
Five Reasons Why Enterprise Sales Engineers Are At Higher Risk From Misdirected Emails
by Andrew Webb Wednesday, November 10th, 2021
From the CEO to that new intern, everyone in the company email directory is a potential risk for sending misdirected emails. Misdirected emails are common — sending an email to the wrong person is an easy mistake. Who hasn’t done it? But they can also be disastrous, potentially damaging a company’s reputation, revealing its confidential data, and breaching its customers’ privacy.   One new group, however, can potentially present more of a risk than most – Sales Engineers (SEs)  and Tech Ops (TOs) teams. SEs and TOs are mainly found in enterprise-level, technology-focused *aaS businesses in sectors such as software systems, manufacturing, or telecoms, where the product is some form of data handling solution.    According to the Bureau of Labor Statistics Occupational Outlook Handbook, there were 63,800 SEs in the US in 2020. Their role is like a SWAT team, called in by the sales team to help ‘seal the deal’, either when a lead is deep into the process and needs extra clarity, or when they have too many technical obstacles for the sales rep to handle. SEs have a sales mentality, but couple that with a deeper understanding of the form and function of the product, processes, or service.    Here’s five reasons why they might be at higher risk, and how you can mitigate that risk.
They support several salespeople In a typical large enterprise, one SE might support several sales reps. Numbers vary depending on the size and scope of the business in question, but a typical ratio might be one SE to four or more sales people. The higher the number, the higher the potential risks, because they now touch four times the amount of data and contacts flowing through an organization compared to their colleagues.   
…And several other teams. SEs not only work hand in hand with salespeople on new leads, they might also help Customer Success teams move existing customers to higher plans or additional services – again, more potential risk. Of course, being deep in the workings of the product means they also interact regularly with the product or engineering team. They might even work with marketing on case studies and testimonial content. So as you can see, they occupy a highly central function within large, complex matrix organizations.  
Meaning they have access to lots and lots of data… SEs not only have access to leads’ personal details, they might also have access to that company’s critical data such as customer information, financial data, or intellectual property. Many firms conduct proof of concept (PoC) and proof of value (PoV) tests, where the solution is prototyped with the lead’s firm. Depending on the solution and the customer firm, this can involve actual company data, assets, or information.  All of this data is highly attractive to bad actors who can ransom it back to you, sell it to others, mine bitcoin using your systems, and generally trash your processes and reputation. As one security analyst from our friends at KnowBe4 put it, we’re in the age of the ‘quintuple extortion’.  
…and highly sensitive information. They They could be privy to what the company’s employees are doing, where they are, or their Personally Identifiable Information (PII) such as staff’s social security numbers, bank details, and personal email addresses. There’s also sensitive details on business structure things, like potential mergers and acquisitions, reorganizations, or redundancies. In short, SEs have access to a wide group, and interact with that group at a higher frequency.   Which means they’re severely time pressured. Reps might call in an SE as a last ditch effort to save a deal from potentially falling through. Perhaps the lead is thinking of walking away because they have several technical questions that the rep can’t answer. The SE is needed fast and plunged deep into the deal to try to save it.    That creates a time sensitivity pressure for the SE. As this blog post by GoConsensus says, the problem supporting several sales people is that at times, a sales rep may not have access to a sales engineer to provide the support they need.    That can mean the SE is under pressure from both their colleagues to save the deal, as well as the lead who might be cooling on the idea because it doesn’t appear to fit their needs. As the time ticks down and the pressure increases, so do the potential risks of making mistakes.     We know this because our Psychology of Human Error Report revealed that working in tech doesn’t necessarily make you cybersecurity savvy. Employees in the technology industry were the most likely to click on links in phishing emails, with nearly half of respondents in this sector (47%) admitting they had done so. This was closely followed by employees in banking and finance (45%).   The tech industry also had the highest percentage of employees that agree there is an expectation in their organization to respond to emails quickly (85%), while 77% in the financial sector said the same. 
This suggests that quick-to-click and fast-paced working cultures could lead employees to mistakenly click on phishing emails. Why? Because nearly half of respondents (45%) cited distraction as the top reason for falling for a phishing scam.
So how does this threat manifest itself at enterprise level? In many ways, these issues are a double-edged sword at enterprise level. On the one hand, enterprises can have great software and processes, as well as the budget and teams to support them. On the other hand, they’re larger and more complex, so the potential for harm is greater.

So how many people are we talking about? Take a big global company like Salesforce, with 64,000 employees according to LinkedIn. A quick search for ‘Sales Engineers’ in their people section returns 3,955 people. For Amazon (868,467 employees) it’s even bigger: 5,792.

Yet our State of Data Loss Prevention report revealed that an average of 800 emails are misdirected in organizations with 1,000 employees during a single year. What’s more, Forrester Consulting’s recent Take Control Of Email Security With Human Layer Security Protection report, commissioned by Tessian, found that the percentage of employee-related email security incidents by company size was significantly higher in companies with more than 20,000 employees. With all that, it’s clear why 61% of security and risk leaders surveyed in the Forrester Consulting report believed that an employee’s actions will cause their organization’s next data breach. They’ve simply done the math.

How can enterprise organizations secure themselves against these dangers? The consequences and fallout of a misdirected email can be mundane, or they can be utterly catastrophic (as these real-world examples reveal). We spoke to one CISO on condition of anonymity, who told us, “For the C-Suite, the most important thing is understanding risk scoring – who’s the most targeted departments and what data do they handle?” SEs and TOs fall into this category. That risk has to be balanced more broadly with having processes that still let employees do their jobs in highly dynamic environments.
A process where a deal is lost because an email is sitting in a quarantine outbox with several thousand others, waiting for the IT department to approve it, isn’t going to help your team hit their quarterly targets. A ‘human first’ approach centers on two things: using great tools that don’t hamper the workflow, and flagging, in the moment, when data may be about to move outside the intended communication chain.

Both these things drive what we do at Tessian. Our Human Layer Security platform detects and prevents advanced inbound and outbound threats on email, automatically stopping data breaches and security threats caused by employees. Powered by machine learning, Tessian provides unparalleled visibility into human security risks, detects and prevents accidental data loss, data exfiltration, and advanced phishing attacks, while continuously driving employees toward secure email behavior through in-the-moment training. Built as a cloud-native platform, Tessian integrates seamlessly with O365, Google Workspace, and MS Exchange environments within minutes, learns in hours, and starts protecting in a day, closing the critical gaps in the email security stack.

The Tessian differentiators:
Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite.
Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness.
Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements.
Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI.

So if you want to ensure your Sales Engineers can do what they do best – be that SWAT team for your sales reps – rather than become a heightened risk to your business, get in touch today and see how we can help you secure your organization’s Human Layer.
Integrated Cloud Email Security, Email DLP, Advanced Email Threats
Tessian Recognized as a Representative Vendor in 2021 Gartner® Market Guide for Email Security
by Ed Bishop Tuesday, November 9th, 2021
Tessian is honored to be recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security. According to Gartner the “continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.”
The key findings listed in this Market Guide for Email Security

According to this report, “the adoption of cloud email systems continues to grow, forcing security and risk management leaders to evaluate the native capabilities offered by these providers”. The report further states “solutions that integrate directly into cloud email via an API, rather than as a gateway, ease evaluation and deployment and improve detection accuracy, while still taking advantage of the integration of the bulk of phishing protection with the core platform.” The report also states that “ransomware, impersonation, and account takeover attacks are increasing and causing direct financial loss, as users place too much trust in the identities associated with email inherently vulnerable to deception and social engineering.”

Gartner recommends that security and risk managers responsible for email security should:
“Use email security solutions that include anti-phishing technology for business email compromise (BEC), protection that uses AI to detect communication patterns and conversation-style anomalies, as well as computer vision for inspecting suspect URLs.”
“Consider products that also include context-aware banners to help reinforce security awareness training.”
“Invest in user education and implement standard operating procedures for handling financial and sensitive data transactions commonly targeted by impersonation attacks. Remove as many targeted ad hoc processes from email as possible.”

We believe this report highlights trends that Tessian is also seeing. Historically, companies around the globe deployed the Tessian platform to augment the shortcomings of their Secure Email Gateways (SEGs).
Customers needed a more comprehensive solution that would stop the really nasty stuff like zero-day attacks and ransomware, and that was able to detect and stop the threats that often slip past their SEGs, such as business email compromise (BEC), account takeover (ATO), spear phishing, and impersonation attacks. Tessian’s recent Spear Phishing Threat Landscape 2021 Report examined emails from July 2020 – July 2021 and found that nearly 2,000,000 malicious emails slipped through SEGs.

An interesting shift we’ve observed over the past nine months is that more and more customers are leveraging the enhancements made by Microsoft, together with the Tessian platform, to replace their SEG. We expect that trend to accelerate in 2022. Gartner predicts that “by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG), up from 27% in 2020.”

Tessian’s approach
Tessian is a leading cloud email security platform that intelligently protects organizations against advanced threats and data loss on email, while coaching people about security threats in the moment. Using machine learning and behavioral data science, Tessian automatically stops threats that evade legacy Secure Email Gateways, including advanced phishing attacks, business email compromise, accidental data loss, and insider threats. Tessian’s intelligent approach not only strengthens email security but also builds smarter security cultures in the modern enterprise. Built as a cloud-native platform, Tessian integrates seamlessly with O365, Google Workspace, and MS Exchange environments within minutes, learns in hours, and starts protecting in a day, closing the critical gaps in the email security stack.
Tessian solutions:
Tessian Defender is a comprehensive inbound email security solution that automatically prevents a wide range of attacks that bypass Secure Email Gateways (SEGs), while providing in-the-moment training to drive employees toward secure email behavior.
Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails.
Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity.
Tessian Architect is a powerful policy engine for real-time email data loss prevention. It combines classic elements of DLP policies to provide custom protection against sensitive data loss.

To learn more about how Tessian can help strengthen your email security posture, book a demo now.
Gartner, “Market Guide For Email Security”, Mark Harris, Peter Firstbrook, Ravisha Chugh, Mario de Boer, October 7, 2021. Gartner Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Integrated Cloud Email Security
New Forrester Consulting Research Shows Human Layer Security is the Solution Security Leaders Have Been Looking For
by Tim Sadler Friday, November 5th, 2021
Data is the lifeblood of a successful business, and email systems are the veins through which it travels. But new Forrester Consulting research commissioned by Tessian shows legacy solutions aren’t enough to protect this vital business organ…

Key insights from the study include:
Nearly 40% of organizations report 10+ employee-related email security incidents per month
61% of our survey respondents think an employee will cause their next data breach
Over 75% of firms report that 20% or more of email security incidents get past their existing security controls
One-third say they lack visibility into threats and risky behaviors
Organizations spend up to 600 hours per month resolving employee-related email security incidents
42% of security and risk leaders are looking to improve their email security postures
To err is human…

While security and risk leaders have a lot to worry about, human error tops the list. That’s because, on average, organizations experience between one and fifty employee-related email security incidents per month, depending on company size. Nearly 40% report 10+ incidents a month. Accidental data loss and business email compromise are the most common, with nearly half of respondents saying they’ve experienced such an incident in the past 12 months. It’s no wonder 61% of our survey respondents think an employee will cause their next data breach. So, how are they trying to solve the problem?

Trying to solve the “people problem”

One thing is for sure: security leaders are trying to bolster their defenses, and they know email is every bit as crucial an environment to protect as networks and databases. The problem is, built-in security controls and legacy technology alone aren’t enough to prevent human error. In fact, these solutions are actually creating more work for thinly stretched security teams. Over a third of firms say they’re wasting a precious amount of time, money, and effort combating email security challenges. How much time? According to Forrester’s research, organizations spend up to 600 hours per month resolving employee-related email security incidents.

Alas, despite so much time and effort, over 75% of firms report that 20% or more of email security incidents get past their existing security controls and, despite phishing simulations and ongoing security awareness training, roughly one-quarter report that 21% or more of employees have failed a phishing test in the past year. Accidental data loss is a big problem too, with 24% saying they simply don’t have controls in place to prevent misdirected emails.
That’s a lot of risk, but it could be just the tip of the iceberg… One-third say they lack visibility into threats and risky behaviors, underscoring that traditional security solutions have inherent limitations when it comes to the risks posed by people. In fact, according to Tessian’s State of Data Loss Prevention report, IT leaders at organizations with 1,000+ people in the US estimate that 480 emails are sent to the wrong person every year. In reality, Tessian found that an average of 800 emails are misdirected in organizations with 1,000 employees during a single year. That’s a big difference…
The solution?

Based on all of the above, it’s no wonder 42% of security and risk leaders are looking to improve their email security postures, and are specifically seeking solutions that allow them to gain visibility into risky human behaviors and build unique security identity and risk scores for each employee. They then want to use this information to feed automated, ML-based threat detection systems to help them predict and protect against unknown threats. Download the full study. You can also book a demo to see Tessian’s platform in action.
Integrated Cloud Email Security
Seven Things We Learned at Our Fall Human Layer Security Summit
by Andrew Webb Wednesday, November 3rd, 2021
As the virtual curtain falls on our Fall Human Layer Security Summit, we’d just like to say a huge thank you to our panel and to you, our 1000+ attendees. There were some terrific insights, advice, and examples offered in every session. If you missed one, or just want a recap, the key takeaways from each session are below.
🎣 Fighting Phishing: Everything We Learned From Analyzing 2 Million Malicious Emails
Takeaway: zero payload attacks are now the new normal

We analyzed 2 million malicious emails that slipped past SEGs in a 12-month period. The results? Bad actors are getting smarter, and crafting more sophisticated attacks than ever before. That’s why attacks are getting past organizations’ existing defenses. As James McQuiggan, Security Awareness Advocate at KnowBe4, says, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. And what’s working, it seems, are zero payload attacks: no link, no attachment, just a benign-looking email that appears to come from senior staff. Fellow guest Jason Lang, from TrustedSec, spoke of his frustration with current training in the industry, saying, “users sit there for 30 minutes, hit next, next, next, take the test, and they’re done. So the direct answer for ‘is security awareness training accounting for zero payload attacks?’ is no, it’s not”. Learn more about what today’s attacks have in common in our most recent research report: Spear Phishing Threat Landscape 2021.
🤖 Threats Of The Future Are Here: Hacking Humans with AI-as-a-Service
Takeaway: AI is poised to be used ‘at scale’ to design spear phishing attacks, and does better than humans

To paraphrase the German journalist, satirist, and pacifist Kurt Tucholsky: “one spear phishing attack: this is a catastrophe. Hundreds of thousands of spear phishing attacks: that is a statistic!” And, according to Eugene Lim, Glenice Tan, Tan Kee Hock and Timothy Lee from GovTech Singapore, hundreds of thousands of attacks are on the horizon. Although recent reports of AI-generated voice deepfakes make the headlines, the real problem is that as the cost and complexity of AI come down, it will be used more and more at scale. Furthermore, the team’s research revealed that AI-generated content is more convincing than human-generated content. As Tessian’s Ed Bishop, our co-founder and CTO, noted in the session, “I can totally see bad actors measuring the click-through rate on their phishing campaigns, and then having the AI learn from what’s worked to feed into the next one”. Oh, and one final takeaway… no one’s really regulating this sort of stuff.
🏗 How to Build A High-Impact Security Culture For ‘Oh Sh*t’ Moments
Takeaway: It’s always about the people

It can be hard to keep things personal, especially at scale. Yet that’s exactly what Kim Burton, Security Education InfoSec Manager, did when Duo Security was acquired by Cisco. “My favorite thing that I always remind everyone is ‘be kinder than necessary’”. That way, says Kim, you create a safe learning environment where people don’t feel scared, but rather empowered. Kim also gives tips and advice for security teams on how to empathize with colleagues when a breach happens.
👷‍♀️ Building beyond your SEG: what to do when attacks slip through
Takeaway: don’t rely just on your SEG

In this session, Tessian’s Amelia Dunton caught up with Karl Knowles, Global Head of Cyber for HFW, to hear why you shouldn’t rely solely on your SEG to protect your business. Karl details how there’s been a huge rise in impersonation attacks, which account for more than half of the threats HFW sees. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope. Finally, Karl explains how ‘in-the-moment’ alerts show the user that there’s a problem, and what to do about it.
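The two impersonation patterns raised in these sessions, an executive’s display name on an external address (the zero payload pattern from the phishing session above) and a lookalike sender domain (the domain impersonation Karl describes), can both be caught with a small amount of header analysis. The following is an added example written for this recap; it is not code from Tessian, HFW or any of the speakers. The organisation profile (domains, executive names) and the sample From: headers are constructed for illustration, and it goes slightly beyond the text by folding digit and Cyrillic homoglyphs before comparing domains.

```python
"""Added example (not from the original post): score the From: header of an
inbound email for a borrowed executive display name and for lookalike sender
domains. Domains, names and headers below are constructed, not real mail."""
from email.utils import parseaddr
import unicodedata

# Hypothetical organisation profile: the domains that are genuinely ours, and
# the executive names a 'CEO fraud' email would typically borrow.
INTERNAL_DOMAINS = ("example.com", "example.co.uk")
EXECUTIVE_NAMES = {"jane smith", "karl knowles"}

# Characters attackers swap into a lookalike domain because they read alike.
# Single characters (digits, a few Cyrillic letters) go through str.translate;
# multi-character confusables are handled in normalise_domain().
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c"})
MULTI_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalise_domain(domain: str) -> str:
    """Fold a domain to the plain string a human would 'see' at a glance."""
    d = unicodedata.normalize("NFKC", domain.strip().strip(".").lower())
    d = d.translate(HOMOGLYPHS)
    for seen_as, real in MULTI_HOMOGLYPHS:
        d = d.replace(seen_as, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a real domain suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    """True for our own domains and their subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def analyse_from(from_header: str) -> list:
    """Return a list of (category, detail) findings for one From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if not domain or is_internal(domain):
        return findings  # genuine internal sender (or unparsable): nothing to flag
    # Pattern 1: an executive's name as display name, but sent from outside.
    if name.strip().lower() in EXECUTIVE_NAMES:
        findings.append(("display_name", f"'{name}' sent from external domain {domain}"))
    # Pattern 2: the sender domain is a homoglyph or near-miss of one of ours.
    seen = normalise_domain(domain)
    for legit in INTERNAL_DOMAINS:
        if seen == normalise_domain(legit):
            findings.append(("homoglyph_domain", f"{domain} reads as {legit}"))
        elif levenshtein(seen, legit) <= 2:
            findings.append(("lookalike_domain", f"{domain} is within 2 edits of {legit}"))
    return findings


# Constructed sample headers (not real mail).
SAMPLE_HEADERS = [
    "Jane Smith <jane.smith@example.com>",   # genuine internal sender
    "Jane Smith <jane.smith@gmail.com>",     # zero payload 'are you at your desk?' style
    "Accounts Payable <ap@examp1e.com>",     # digit 1 standing in for l
    "Accounts Payable <ap@exarnple.com>",    # 'rn' standing in for m
    "Jane Smith <jane@ex\u0430mple.com>",    # Cyrillic а for Latin a
    "Jane Smith <jane@exmaple.com>",         # transposition typosquat
    "Bob <bob@partner.org>",                 # unrelated external sender
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(f"{hdr!r}: {analyse_from(hdr) or 'clean'}")
```

In a real deployment the display-name check would be fed from the directory rather than a hard-coded set, and the domain list would include suppliers and clients as well as your own domains, since those are exactly the senders an invoice-fraud attacker imitates. The findings are deliberately not a verdict: a genuine executive writing from a personal address will trigger the first rule, which is why the page’s ‘in-the-moment’ banner approach (warn the user with the reason) fits better than silent quarantine.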
👮 Why Human Layer Security is the Missing Link in Enterprise Security
Takeaway: 61% of security and risk leaders think that employee actions will cause their next data breach

We were delighted to have as a guest speaker Jess Burn, Senior Analyst at Forrester. If you’ve not heard Jess speak before, you’re in for a real treat. Her talk explains in detail a Forrester Consulting study, commissioned by Tessian, conducted with US and UK security and risk leaders on the types of threats they’re seeing, how they’re fighting them, and how they’ll meet them in the future. You can get the study here, but the three quick extra takeaways are: assess your current capabilities, invest in technology wisely, and put people first when it comes to security.
😩 DLP Has Failed The Enterprise. What Now?
Takeaway: Legacy DLP is a 💩 sandwich without the bread

Traditional DLP is rule-based, and if there’s one thing humans are really, really good at, it’s breaking rules. You simply cannot define human nature with rules, says Tessian’s Jessica Marie. As we learned at our Spring Summit, the average human makes 35,000 decisions a day; you can’t write rules for all that possibility. Legacy DLP means complex and expensive policies, constrained data classification, limited visibility, and a huge number of false positives. Add to this the fact that your employees really hate the experience. After Jessica’s explainer, Tessian’s Merlin Kafka is joined by Phil Horning, Senior Information Security Analyst at PeaceHealth, and Reema Jethwa, Cyber/Insider Risk Manager at Schroders Personal Wealth. Together they outline future trends for DLP, and where the industry needs to go.
💭 Security Philosophies from Trailblazers; Q&A with Leading CISOs

Closing out the Summit, Tim Sadler, CEO and Co-Founder of Tessian, hosted Jerry Perullo, CISO at ICE/NYSE, and DJ Goldsworthy, Director at Aflac, to explore a range of topics. They started by offering advice on how to show value to the wider organization, and how security fits in with overall risk appetite. They then moved on to how security teams have to work cross-functionally with teams like IT and operations, because, as Tim says, “the biggest security team is the whole company”. Our 2021 Summit took place just after Cyber Awareness Month, so Tim closed out by asking how far we have come since the first awareness month way back in 2004. For DJ, the biggest difference between now and then was the sheer pace of change: a lot of risk lies in configurations and environmental sprawl, meaning an increased attack surface. For Jerry, meanwhile, it was the professionalization of the criminal side. “We’re now seeing nation-state caliber tactics, techniques, and procedures deployed against commodity targets, with high dwell time… just so they can ransomware them,” he said.
So there you have it! That’s us all done (until next year). We’ll no doubt see you again in 2022. Follow us on LinkedIn and Twitter, and sign up for our weekly blog digest to stay up to date with the latest intel, so you can help secure your Human Layer.