Human Layer Security
November Cybersecurity News Roundup
27 November 2020
We’re back with another roundup of the biggest stories in cybersecurity in November 2020. With phishing, hacking, and ransomware continuing to surge worldwide, there was a lot of news to choose from. We’ve selected stories representing the latest trends in cyberattacks — and demonstrating the myriad ways that cybercrime impacts businesses and consumers.

UK Hit By Record Number of Serious Cyberattacks
The UK’s National Cyber Security Centre (NCSC) published its 2020 annual review on November 3. The report revealed that the NCSC had defended the UK against a record-breaking 723 cyber incidents in the past year. The data covers the period between September 1, 2019 and August 31, 2020 and reveals a 20.1% increase in cyber incidents compared to the previous three-year average (602 cyber incidents).
So what explains this surge in cybercrime? The NCSC chalks the increase in numbers up to its proactive approach in identifying and mitigating threats, together with tips from its “extensive network of partners” and public reports. But there’s another reason: cybercriminals’ exploitation of the COVID-19 pandemic. The NCSC’s Suspicious Email Reporting Service received an incredible 2.3 million reports in its first four months of operation, leading to the removal of 166,710 phishing URLs.
In fact, phishing takes up a lot of space in the NCSC’s report, which highlights:
A spate of spear phishing attacks targeting pharmaceutical companies
An “explosion” in fake ads sent via phishing emails
A rise in the percentage of businesses experiencing phishing attacks — from 72% in 2017 to 86% in 2020
Want to know more about how widespread phishing has become? Read our must-know phishing statistics.

Amazon Customers Targeted By Vishing Attacks
Our October roundup reported an increase in Amazon-related phishing scams around Prime Day. On November 7, the Guardian revealed another Amazon scam: Amazon Prime customers are being targeted in vishing (voice phishing) attacks.
Victims received calls from scammers impersonating “Amazon Prime Security” employees, who advised them that their accounts had been used to make suspicious payments. Consumer group Which? described how one Amazon Prime customer was persuaded during a vishing call to install remote-access software on her device. The scammers then accessed her bank account and stole £6,900 (over $9,200). UK cybercrime reporting agency Action Fraud said it had received 14,893 reports of similar “computer software service fraud” incidents over the past 12 months, resulting in losses of over £16 million ($21.3 million).
Vishing attacks are a massive problem for businesses as well as consumers. Read our guidance to find out more about defending against vishing attacks.

WhatsApp Hoax Spreads False Phishing Claim
On November 11, Naked Security reported a smishing (SMS phishing) scam that is, sadly, pretty unremarkable in the current climate. Victims received a text alerting them to an “unpaid phone bill,” and redirecting them to a fake O2 network credential-phishing login page.
What’s more unusual about this widespread smishing attack is the rumors surrounding it. According to Action Fraud, WhatsApp-based “fake news” proliferated in the days following the attack, spreading confusion among consumers. The WhatsApp message, which referenced the City of London Police Fraud agency, claimed that the smishing attack was an “extremely sophisticated scam,” whereby attackers could drain money from victims’ accounts as a result of them merely “touching” the fraudulent text message.
This type of disinformation serves as another attack vector for cybercriminals. It can undermine the efforts of legitimate cybersecurity authorities. Repeated hoaxes of this kind could, ultimately, lead to reduced vigilance among the targets of cybercrime. Credential phishing is a serious issue in itself — there’s no need to exaggerate the threat via phony WhatsApp chain messages. Read more about credential phishing here.

Fintech Platform Attacks Unwittingly Facilitated by GoDaddy Staff
Cryptocurrency trading platform Liquid reported on November 13 that its domain registrar, GoDaddy, had “incorrectly transferred control of (Liquid’s) account and domain to a malicious actor,” allowing the attacker to take control of internal email accounts. The attack resulted in the theft of users’ email addresses, names, physical addresses, and encrypted passwords. Worse still, ID cards, selfies, and proof of address documents — collected as part of the site’s “Know Your Customer” requirements — may also have been compromised.
But GoDaddy’s problems don’t end there. Just five days later, crypto-mining service NiceHash revealed that its domain had been subject to “unauthorized access” owing to “technical issues” at GoDaddy. While NiceHash reported that user data was likely safe, its domain was unavailable for some time.
GoDaddy didn’t disclose details of the attacks, but Krebs on Security revealed in March that GoDaddy staff had been subject to a vishing attack that had compromised fintech website Escrow.com. Whatever the specifics, it seems GoDaddy has suffered multiple social engineering attacks in the past year. Read our six real-world examples of social engineering attacks to learn how to avoid such problems.

Around 28 Million Texans’ Driver’s Licenses Compromised
Fox 26 Houston reported on November 18 that hackers had stolen nearly 28 million driver’s licenses registered in Texas. Driver’s license details are highly valuable to cybercriminals, who can sell them on the dark web or use them to commit identity fraud. The attack has been blamed on weak security protocols, with data being “inadvertently” held in unsecured storage by service provider Vertafore. In addition to driver’s license numbers, names, birthdates, addresses, and vehicle registration details were also stolen.
The breach took place between March and August and affected drivers who had received their license before February 2019. Vertafore is offering victims one year of free credit monitoring. More and more US states are introducing tough new data breach notification and privacy laws. Read our guidance on US privacy laws for business leaders to find out more.

Google Products “Weaponized” for Phishing Attacks
Research from Armorblox, published November 19, revealed how popular Google products, including Docs, Forms, and Firebase, have been exploited by cybercriminals and used to “defraud individuals and organizations of money and sensitive data.”
Why are hackers weaponizing Google products? Well, they’re typically open-source and easily adapted. And because Google is ubiquitous and legitimate, Google-associated URLs are rarely blocked by firewalls or security software.
Examples of Google-based phishing attacks uncovered by the investigation include:
A Google Form used to impersonate an American Express account-recovery page
A fake email login page hosted on mobile API Google Firebase
A Google Doc used as a fake payslip for a payroll diversion scam
Blocking your employees from accessing Google products and URLs would be undesirable and impractical. The only realistic way to avoid Google-exploit phishing scams is with effective email security software. Tessian Defender uses AI-driven technology to detect suspicious activity in your employees’ inboxes automatically. Click here to find out how Tessian helps defend against phishing and other social engineering attacks.

Hedge Fund Forced to Close After $8 Million Phishing Attack
On November 22, the Australian Financial Review revealed how hedge fund Levitas Capital was defrauded for nearly $8.7 million following a phishing attack. The attacker sent a fake Zoom invite link to one of the hedge fund’s co-founders. When they opened the Zoom link, malware was installed on their device.
This allowed the attackers access to the fund’s corporate email account. Using Levitas Capital’s email account, the hacker launched a Business Email Compromise (BEC) attack, sending fraudulent invoices to the fund’s administrators and trustees. The attack was discovered in late September after an examination of the fund’s online banking records. All but $800,000 of the $8.7 million stolen was recovered before payments cleared. But the damage was done — following the attack, the fund lost its biggest client and was forced to close.
This case shows how devastating phishing attacks can be — even when the direct losses are mitigated. To find out more, read our articles on wire transfer phishing and Business Email Compromise (BEC) attacks.

South Korean Retailer Closes 23 Stores After Ransomware Attack
South Korean fashion conglomerate E-Land group announced that it was closing 23 of its 50 stores following a ransomware attack, according to a November 22 report from news agency Yonhap. E-Land reportedly had to temporarily shut down part of its corporate network to contain the attack, meaning that nearly half of its NC Department Store and NewCore Outlet branches could not operate. A company spokesperson confirmed that the attack had targeted E-Land’s headquarters. It is unclear whether E-Land group chose to pay the ransom or whether files or data were exfiltrated as part of the attack.
Ransomware continues to ravage the global economy. Last month we reported that US businesses could be breaching international sanctions rules if they attempt to salvage their files by paying a ransom. To help defend your business against ransomware and other cyberattacks, read our guide to choosing the right email security software.

That’s all for this month. If we missed anything, please email madeline.rosenthal@tessian.com and stay tuned for the next roundup.
Human Layer Security Compliance
10 Reasons Why CEOs Should Care About Cybersecurity
By Tim Sadler
25 November 2020
Cybersecurity is a team sport. And for strategies to be truly effective, security leaders and business leaders have to work together. In fewer words: Cybersecurity should be on the CEO’s agenda. So, to help bridge the gap and to really highlight why privacy and data protection matter now, I put together this list. Here are 10 reasons why CEOs should care about cybersecurity.
1. Cybersecurity is a competitive differentiator
Today, customers and clients don’t just care about privacy, they expect it. That means that a strong cybersecurity culture can actually enable businesses. At our first Human Layer Security Summit of 2020, Mark Parr, Global Director at HFW, summed it up nicely, saying “You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.” He’s not alone in thinking this. According to Cisco’s global survey of security professionals and business leaders, 41% of survey respondents said “competitive advantage” was a benefit of their privacy investment.

2. The biggest consequence of a data breach is lost customer trust
Earlier this year, we asked security leaders what the biggest consequence of a data breach would be. The #1 answer? Not lost data. Not regulatory fines or revenue loss. Lost customer trust. Breaches damage your brand and it can be very hard to win back customers’, clients’, and even the public’s trust. That’s why organizations see (on average) 3.9% customer churn after a data breach.

3. You will inevitably empower your people to do their best work
Prioritizing cybersecurity isn’t just good for the business. It’s great for your people. Here’s why: 90% of breaches are caused by human error. But people aren’t intentionally making these errors, they’re moving fast to get their job done. Security just isn’t top of mind for them. So, it’s our job to set them up for success and empower them to do their best work securely. How do you do that? By removing the sharp objects.
At Tessian’s second Human Layer Security Summit, Bobby Ford, Vice President and Global CISO at Unilever, put this into perspective with an example from his own life. When you’re a parent helping your son or daughter learn how to walk, what do you do? Child-proof the house and get outta the way!

4. Privacy investment can help reduce delays in sales processes and improve operational efficiency
Remember that Cisco global survey I mentioned earlier? “Competitive advantage” wasn’t the only benefit security professionals and business leaders experienced as a result of their investment in privacy and cybersecurity. 41% achieved operational efficiency from having data organized and cataloged and 37% saw a reduction in sales delays due to privacy concerns from customers and prospects. It makes sense. Data protection, privacy, and cybersecurity force businesses to be more transparent. That transparency fosters customer loyalty and increases organizational alignment.

5. The average data breach costs $3.86 million
While most security leaders agree that the biggest consequence of a breach is lost customer trust and damaged reputation, we can’t ignore the financial implications. In IBM’s latest Cost of a Data Breach report, they found the average data breach costs $3.86 million. This figure includes costs associated with:
Detection and Escalation
Notification
Lost Business
Ex-post response
And this doesn’t even account for the potential fines from regulators. Why does this matter? If we’re talking about the ROI of cybersecurity, the cost of non-compliance is actually 2.71 times higher than the cost of compliance. Translation: Prevention is better than cure.

6. The investigation and remediation of breaches disrupts productivity
On average, it takes companies 197 days to identify and 69 days to contain a breach. And this process of investigating and remediating requires time and resources from plenty of departments, teams, and people outside of IT. Legal, compliance, executive, marketing, HR, and people teams will get pulled in. Spokespeople will be appointed. External security/IT support will have to be hired and onboarded. The bottom line: you hired great people to do great things. Post-breach activities pull them away from their day-to-day work, disrupt their flow and productivity, and distract them from the business’ larger mission.

7. Data protection laws are only going to get more strict
On the topic of compliance, it’s important to point out that data protection laws are only going to get stricter and enforcement agencies are only going to be given more resources to enforce data requirements. That means organizations around the world and across industries won’t just benefit from strong cybersecurity programs, but they’ll be obligated to have one.
Top tip: Industries like financial services tend to be 5+ years ahead in cybersecurity maturity. If you don’t operate in these industries, it’s worth taking note of what’s top-of-mind for the business and security leaders that do.

8. Security culture is built from the top down
Just like company culture, the C-suite sets the tone for security culture and therefore must lead by example. It’s especially important that the CEO plays an active role in not just creating the overall security strategy, but actually rolling it out. Why? The CEO can connect cybersecurity to business objectives and help employees understand why it’s such a critical component in enabling the company to achieve its mission.
But business leaders will soon have no choice but to actively contribute to their organization’s security culture…

9. By 2024, CEOs could be held personally liable for data breaches
As I’ve said, cybersecurity is mission critical. But, for now, it’s security and IT teams who shoulder the responsibility. In a few years, this could change. According to Gartner, CEOs will be held personally liable for data breaches by 2024.

10. You owe it to your customers
We mentioned earlier that strong cybersecurity can help businesses win new customers. But it’s not just about winning new customers. It’s also about supporting the ones you have. This is one of Tessian’s core values: Customer-Centricity. Your customers entrust you with their data, their intellectual property, their secrets. You have to keep it safe. That’s why we believe that – as a cybersecurity vendor – it’s our mission to protect every other business’ mission.
If you’re looking for more insights into how security and business leaders can work together, check out our latest eBook: CEO’s Guide to Data Protection and Compliance.
Human Layer Security
What Does 2021 Hold for Cybersecurity? Here Are Tessian’s Predictions
By Ed Bishop
25 November 2020
This time last year, no one predicted the events that have unfolded in 2020. We didn’t anticipate the world plunging into lockdown, economies collapsing, businesses closing their offices, and employees working from home.  It’s been a year of huge change and – I’ll say it – uncertainty.  It might, then, seem odd that we’re thinking about predictions once again.  But predictions are important. They help us focus on the areas that will bring the biggest opportunities and challenges for our businesses and, from that, build strategies. Of course, there’s also the fact that the events of 2020 have undeniably impacted the ways we work and how organizations are run – particularly from a security perspective.  So, what do we think will be top-of-mind for IT and security teams as we approach the new year? Here are Tessian’s top four predictions. 
1. The corporate network (as you probably guessed) will disappear
Remote work – or hybrid work – will stay. Businesses simply can’t go back to the “old” ways of working. Why? Because employees expect to work both from home and in the office. In fact, 89% of employees said they no longer want to work exclusively from the office every day of the week. This shift will completely transform the concept of a network, at least as we’ve come to know it in the traditional workplace. Today, company security is very much in the hands of the employees.
That’s why CISOs need to consider how their 2021 security strategies will protect and secure their people – not just endpoints and networks. This is especially important because people make mistakes, break the rules, and can be tricked or deceived by cybercriminals. To put it simply: Not protecting people means that company data and systems are at risk. But it’s important that security doesn’t impede employee productivity or interrupt their daily workflow. According to Tessian research, 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job and 51% say security tools and software impede their productivity.
So, what can you do to protect your people, without getting in their way? Remove the sharp objects, protect them wherever (and however) they work, and make sure your security solutions stop threats and not business. This is what we call Human Layer Security.

2. Account takeover attacks will spike
Account takeover (ATO) – a type of attack where a hacker gains access to the email account of a trusted person or organization and impersonates them to conduct fraudulent activities – will surge in 2021 as cybercriminals look for more ways to bypass secure email gateways (SEGs) and deceive people with phishing and spear phishing attacks. Not sure what the difference between phishing and spear phishing is? Read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies.
The problem is, despite training employees on how to spot phishing attacks, targets of ATO attacks will have no idea that the person in their trusted network has been compromised. Why? Because the emails appear genuine; the domain name and display name appear as usual. There are no “red flags,” which means even the most tech-savvy employee wouldn’t question their legitimacy.
ATO attacks will erode people’s trust in email in 2021, rendering IT teams powerless to stop people from falling for the scams. This is why we predict that more businesses will adopt a zero-trust model of email security and look for solutions that address threats from their extended network. IT teams should be looking for advanced inbound email security solutions that use behavioral analysis, natural language processing, and machine learning to:
Understand communication patterns
Spot anomalous email sending patterns
Accurately detect incidents of account takeover, before they turn into breaches.

3. The supply chain will become an even weaker link in security
No company has control over the security behaviors of its vendors, partners, or suppliers, nor do they have visibility into breaches that happened outside of their organization and across their network. Cybercriminals use this to their advantage. By infiltrating smaller companies connected to a company network — either with malware, phishing attacks, or account takeover — they can impersonate the third party, target a larger company’s employees, and access valuable systems and data.
And, the aftermath of the COVID-19 pandemic will only heighten the risks associated with third parties. First, people will continue to work remotely, which, according to various reports this year, not only makes them more vulnerable to phishing attacks but also makes it more difficult for them to verify requests, for example a wire transfer. Second, financial uncertainty in 2021 may mean IT budgets are cut. CISOs have no way of knowing whether this is the case with their company’s own suppliers or partners and whether or not they are prioritizing security.
Once again, addressing the threats from your company’s extended network will need to be a priority in 2021, as will securing the entire email ecosystem.

4. We’ll get real when it comes to AI
The AI hype cycle has left some companies burned by the false promise of AI and ML. In 2021, however, we predict that the hype will die down. We’ll see fewer marketing claims and industry conversations around the technology. This is great news for true AI and ML innovators. It will allow the real AI and ML use cases to shine through and companies will start to see how the technology can benefit their business.
But, we should also consider how AI will be used for malicious purposes. We think that we’ll continue to see cybercriminals leveraging AI to make their deceptions and impersonations – either on email or in the form of deepfakes – more convincing and believable. Likewise, advancements in NLP will lead to more sophisticated attacks that closely mirror the language and tone of the person being impersonated. This will make it more difficult for people to determine what’s real and what’s fake. This is where automated security solutions will prove invaluable to security teams.
Elvis M Chan, Supervisory Special Agent at the FBI, and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, took a deep dive into deepfakes at Tessian Human Layer Security Summit in September. And, according to Nina, “This is not an emerging threat. This threat is here. Now.” Learn more about this type of threat and how AI is being used both in the creation of and defense against deepfakes by watching the full session on-demand.
Looking ahead to 2021
The uncertainty from 2020 won’t disappear come January. There’s still a lot for businesses to figure out, and IT leaders will be under pressure to deliver a seamless and secure working environment for employees, despite budget cuts and under-resourced teams. But it’s worth noting that at the heart of the challenges businesses and security teams have faced over the past year – and will continue to face as we head into 2021 – is people. Businesses must prioritize people’s wellbeing and their security to succeed.
Greater visibility into the human layer of an organization gives IT teams insight into their riskiest and most at-risk employees, allowing them to focus and address the areas in which their company is most vulnerable. Automated security alerts ensure that every employee is made aware of threats in their inbox – no matter where they choose to work – and real-time alerts can help people make smarter security decisions. That’s why we predict that 2021 will be the year that businesses realize the power of Human Layer Security.
Human Layer Security
Tessian Webinar Recap: Cybersecurity Insights to Influence Your 2021 Strategy
By Monica Nio
20 November 2020
As the year comes to a close (and, for many of us, 2020 is a year we want to close the book on…fast) it’s a good time to reflect back on the lessons learned and set a plan to improve in the future. Let’s look at cybersecurity specifically. What should we look out for in 2021 after all that has happened? We answered the following two questions in our latest webinar, which you can view on-demand here.
What do industry experts think the biggest learning of the year has been?
What do they think should be top-of-mind for security leaders next year?
Tessian’s VP of Information Security, Trevor Luker, led a fireside chat with two industry experts, Jesse Starks, CTO at Breckinridge Capital Advisors, and Lena Smart, CISO at MongoDB, to capture their thoughts on the matter. Curious about what insights they shared? Read our notes below for key takeaways and quotes from the panelists. Or, if you want to learn more about our guest speakers and their companies, skip down to the bottom of the page. And, if you want to be the first to know about future virtual events, subscribe to our newsletter.

3 takeaways from 2020
1. Hackers take advantage of key calendar moments and times of general uncertainty. We saw this happen throughout 2020, with phishing scams around COVID-19, the 2020 census, stimulus checks, and even the US presidential election. Next up: retail scams in time for the holidays.
2. Hope for the best, prepare for the worst. Both panelists pivoted quickly and easily during the transition from office to home because they already had well-thought-out contingency plans in place. When was the last time you updated your emergency action plan? To learn more about Jesse and Lena’s contingency plans and what you should consider when making one, watch the full webinar.
3. Hackers have power in numbers. Today, organizations are being hit by increasingly advanced threats. That’s because an entire industry has been created out of phishing and social engineering, and adversaries operate in groups. They’re experts at their craft. That means security leaders have to level-up their inbound protection.

3 insights for 2021
1. Every employee should be a security champion. Why? Because your cybersecurity is only as strong as your most vulnerable or at-risk employee. After all, it’s people who control your most sensitive systems and data. But, employees can actually be your biggest defense against threats. That’s why education, policies, and security tools are all important.
2. Expect more data protection regulations in the future. The cost of a breach (including fines for non-compliance) is definitely a concern for security and business leaders. But it’s actually the lost customer trust and damaged reputation that’s top-of-mind. Our panelists’ tips? Put security controls in place to ensure compliance and make sure you have a process in place for reporting incidents if they do happen. If you want to learn more about compliance standards like GDPR, CCPA, and HIPAA, and why good cybersecurity is good for business, download our CEO’s Guide to Data Protection and Compliance.
3. Email security is a long-game strategy. Email is open by default, which means it’s the attack vector of choice for hackers. Looking forward to 2021, security leaders have to have a plan for inbound, advanced impersonation attacks.

Bonus insight from Jesse: “You can use technology to close all your gaps, but once you have that, then how can people outside manipulate your organization? Your people – the highest success rate for an attacker. People are always joining organizations, changing teams, changing roles, and learning. The technology changes, but it’s often fixed. The Human Layer is always moving so it makes it very challenging to secure and that’s why it’s so important.”
For more tips and personal anecdotes, watch the full video now.

About Jesse
Jesse Starks, CISSP, is the Chief Technology Officer at Breckinridge Capital Advisors, and is also a member of the firm’s Risk Committee, Information Security Committee, and Business Continuity Committee. In his role, Jesse directs the strategic integration of technology across the firm. He has over 17 years of experience designing and managing large-scale distributed systems.

About Lena
Lena Smart is the Chief Information Security Officer at MongoDB. Lena joined MongoDB with more than 20 years of cybersecurity experience. Before joining, she led cybersecurity at large organizations like Tradeweb, New York Power Authority, and InfraGard. She is also a founding partner of Cybersecurity at MIT Sloan – formerly the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – which helps security leaders in academia and the private sector collaborate and tackle the most challenging security issues.

About Breckinridge Capital Advisors
Breckinridge Capital Advisors is a Boston-based, independently owned investment advisor specializing in investment grade fixed income portfolio management. Working through a network of investment consultants and advisors, they serve a wide variety of clients ranging from high net worth individuals to large institutions. Breckinridge’s assets under management totaled more than $42 billion as of September 30, 2020. Reflecting their commitment to ESG and sustainability, Breckinridge is a Massachusetts Benefit Corporation and a certified B Corp. They believe these designations help them in their goals to create positive, long-term impact for their clients, employees and the communities in which they live, work and invest.

About MongoDB
MongoDB is the leading modern, general purpose database platform, designed to unleash the power of software and data for developers and the applications they build. Headquartered in New York, MongoDB has more than 20,200 customers in over 100 countries. The MongoDB database platform has been downloaded over 125 million times and there have been more than one million MongoDB University registrations.
Human Layer Security Customer Stories
Recap: Tessian Webinar, How to Build a Security Culture in Today’s Working World
By Monica Nio
04 November 2020
In our most recent research report, Securing the Future of Hybrid Working, we revealed that 75% of IT decision makers believe the future of work will be “remote” or “hybrid”, where employees could work wherever and however they’d like. So, we wanted to find out:

- How that might affect an organization’s security culture
- Why a positive security culture is even more important when employees are remote
- How automation can help ease the burden on thinly stretched IT teams while empowering employees to make smarter security decisions

We explored these topics with Rachel Beard, Principal Security Technical Architect at Salesforce, and Ray Chery, SVP and Co-Head of Security Software at Jefferies. The discussion was led by Trevor Luker, Tessian’s VP of Information Technology.

Want to watch the full video? You can view it on-demand here. Otherwise, read our notes below for key takeaways and quotes from the panelists. Want to learn more about our guest speakers and their companies? Skip down to the bottom of the page. And, if you want to be the first to know about future virtual events, subscribe to our newsletter.

5 key takeaways from the Tessian webinar

1. We have to re-learn how to communicate in a hybrid work structure. Gone are the days of just walking up to our colleagues to ask if they sent that suspicious email, or tapping someone in IT on the shoulder to clarify a new security policy. That means security and business leaders need to arm their teams with tools to collaborate, and check in frequently to make sure each and every employee feels comfortable with their new remote set-up.
2. The key to a positive security culture is making employees feel like they play an active role in protecting the organization’s systems and data. But how? Instill the value of privacy and security from the outset with training and other programs and initiatives. Watch the full webinar for more insights into exactly what Rachel and Ray do at Salesforce and Jefferies.
3. There are benefits and drawbacks to hybrid work. According to Rachel and Ray, productivity is on the rise, which is great news. Teams are aligning on shared goals and initiatives, despite being physically distant. But people are missing the “human” interaction and camaraderie of an in-person office, and many are finding it difficult to separate their personal and professional lives. It’s essential you tackle this problem head on and prioritize employee wellbeing.
4. Automated tools can make security accessible for everyone. This also contributes to a positive security culture by reducing IT teams’ workload. More on this in the summarized Q&A below.
5. Jefferies uses Tessian to prevent misdirected emails. Ray’s team loves Tessian for its “noise-to-value ratio”. So, what makes Tessian so easy to use? Our technology is powered by machine learning, which means our solutions automatically detect and prevent threats like data exfiltration, misdirected emails, and spear phishing with accuracy and ease.

To find out more about how Rachel and Ray think about security culture, Trevor asked them both several questions about their perspective on automation and how to make employees a part of the solution. We summarized their answers below. Remember, you can watch the full interview here.

Q. With COVID, Jefferies went from 5% to 99% of their employees working remote. Will this change be permanent?

Ray: “We’re all more comfortable with getting things done from home; we’ve had to grow accustomed to it over the course of the last couple months. [However], our IT team is planning on going back to being in the office 2 or 3 of the 5 days every week. And part of that is driven by the fact that the interaction with the team is different virtually. Teams that really do interact more collaboratively feel the need to still be in the office. I definitely think hybrid work is here to stay.”

Q. Would you say that increased employee workload makes your organization more vulnerable?
Ray: “We’re all doing a million things at once. When you’re stretched that thin all the time, folks tend to make mistakes, are more likely to click on an email that they’re not supposed to, or may not be reading things as thoroughly as they need to. The risks are definitely enhanced given that everyone is working from home now.”

Looking for more insights into why people make mistakes and how businesses can prevent errors before they turn into breaches? Check out our research, The Psychology of Human Error.

Q. How can automation save your IT team’s time?

Rachel: “At Salesforce, we’ve always had a lot of self-service mechanisms. We have Concierge as our service where you can go searching for the information that you need and open a ticket only if you need advanced help. But now, we’re looking at other ways that our customers can do the same. That way, IT can be more available for the highly specialized activities, and some of the more routine ones can be addressed by the employees themselves.”

Ray: “Ultimately, there’s no patch for human error. Humans are going to make mistakes. I think as much automation as we can incorporate into our security stack is really for the better. It removes repetitive errors, streamlines incident management, and reduces the boring stuff that our security analysts need to do. Instead of formally writing tickets and reaching out to me as an employee every time I violate an email rule, we can set it up as such so there’s a pop-up instead.”
Q. Can tools add to an organization’s security culture in a positive way?

Rachel: “Yes, when you have the guidelines and boundaries in a really transparent way. It makes everything more safe for everybody. You just have to think about how to implement that so that you allow your users to be able to do their work effectively and not get in their way too much or become an obstacle while protecting your sensitive data.”

Q. How has Tessian’s Guardian helped with Jefferies’ security culture in today’s working world?

Ray: “We’re doing so many things now at home. And at home, we’re more exposed and more likely to make mistakes. We love Tessian because it’s very low-impact [on obstructing employees’ work]. It is a product that delivers with accuracy. Our IT team likes the noise-to-value ratio. When I think about the misaddressed email capabilities alone – we’re all sending a million emails a day – it’s very easy for us to send an email to the wrong person. The way that Tessian handles it in a seamless way is really great.”

Learn how Guardian can help your organization prevent accidental data loss. View Guardian’s page now. For more insights and personal anecdotes, watch the full video now.

About Rachel
Rachel Beard joined Salesforce in 2014 and is a Principal Security Technical Architect. Her areas of expertise are Salesforce security, data privacy, and compliance. She has over 14 years of experience with Salesforce, spanning everything from System Administrator to Developer and even Product Marketing. Rachel is also the volunteer coordinator for Wet Nose Rescue, a leader of a Pride ERG at Salesforce, and a chair on the Diversity & Inclusion Committee at her local public school.

About Ray
Ray Chery is Senior Vice President and Co-Head of Security Software in Jefferies’ Technology Investment Banking Division. Based in San Francisco, Ray focuses primarily on enterprise security software. He has advised on more than $50B in transaction value over his 14-year career as a technology banker and has worked with and advised companies such as Bomgar, Carbonite, CrowdStrike, DigiCert, Forcepoint, Gigamon, Imperva, Plexxi, SailPoint and Tufin. He has also served on the Young Professional Advisory Council (YPAC) and continues to volunteer with Make-A-Wish Greater Bay Area.

About Jefferies
Jefferies, the global investment banking firm, has served companies and investors for over 55 years. Headquartered in New York, with offices in over 30 cities around the world, the firm provides clients with capital markets and financial advisory services, institutional brokerage and securities research, as well as asset and wealth management.

About Salesforce
Salesforce is a customer relationship management solution that brings companies and customers together. It’s one integrated CRM platform that gives all your departments, including marketing, sales, commerce, and service, a single, shared view of every customer.
Tags: Human Layer Security, Customer Stories
Recap: Q&A With Chris Kovel, CTO, PJT Partners
By Maddie Rosenthal
02 November 2020
In case you missed it, Chris Kovel, Chief Technology Officer at PJT Partners, recently joined Robyn Savage, Customer Success Manager at Tessian, for a Q&A about what threats are top of mind and how Tessian helps PJT Partners keep data secure. While you can watch the full video on-demand, we’ve compiled our notes for a high-level overview of their 30-minute discussion. Want to learn more about Chris or PJT Partners? Skip down to the bottom of the page. And, if you want to be the first to know about future virtual events, subscribe to our newsletter.

4 things we learned from Chris

1. There are three “types” of threat actors: the outsider with intent, the insider with intent, and the well-intentioned employee. In terms of what keeps Chris up at night, it’s often the well-intentioned employee who sends misdirected emails.
2. While most of us have fired off an email to the wrong person, that doesn’t mean there aren’t serious consequences. There are. If data is leaked (especially in highly regulated industries like Financial Services, Healthcare, and Legal), organizations could face hefty fines for non-compliance, lose customer trust, and suffer a damaged reputation. But…
3. 90% of emails don’t contain sensitive information. That’s why it’s so important that security and compliance leaders develop a process for classifying data as part of their larger data loss prevention strategy.
4. PJT Partners uses Tessian for both inbound and outbound email security to detect and prevent misdirected emails, insider threats, and advanced impersonation attacks.

To find out a bit more about what’s top of mind for Chris and how Tessian fits into his overall security strategy, Robyn asked Chris several questions. We’ve summarized them below. Don’t forget, you can watch the full interview here.

Q. Are there certain employees who you view as particularly risky or at-risk?
“There are absolutely higher value targets that we have to pay closer attention to… But the controls we put in place are for the firm, right? They’re put in place to help everybody. The leak can happen at any level. It could be a low-level junior banker, it can be someone in the technology department, it can be a partner of the firm.”

Q. How has COVID affected your organization and your approach to cybersecurity?

“Bankers and everyone else are using technology more than they’ve ever used it before. That means devices are a key for doing business now, whether it’s pulling up a quick video or sending documents. But email still actually accounts for the lion’s share of their communication. Fortunately, Tessian has some really great tools in place to protect users on devices in the same way they’re protected on desktop.”

Want to learn more about how to keep your devices secure? Check out our Remote Worker’s Guide to BYOD Policies.

Q. Shifting to inbound, what features make Tessian an especially appealing and effective solution at PJT?

“Frankly, Tessian is extraordinarily clever in how it detects advanced impersonation. The amount of suspicious emails that Defender flags for us is quite staggering.”

“You can spoof an email address in any way, shape, or form, so having a product that basically says, ‘this one email doesn’t look like the others’ or ‘this email likely isn’t actually coming from this person’ is really helpful to the larger firm and individual users. In-the-moment warnings are helping our employees get better at actually recognizing which emails are legit and which aren’t, and our administrators can help them work through it.”
For more insights and personal anecdotes, watch the full video now.

About Chris
Chris Kovel is the Chief Technology Officer at PJT Partners. Prior to joining PJT Partners, Chris spent 25 years at Morgan Stanley in the technology department. In his last role at Morgan Stanley, he was primarily focused on Artificial Intelligence, Analytics and Data for the Wealth Management division. Over the course of those 25 years, Chris developed significant technologies for Investment Banking, Capital Markets, Wealth Management, Research & Sales Distribution. Chris holds two patents for banking and trading technologies. He led the project and team that won the 2018 Banking Technology Award for Artificial Intelligence for the Next Best Action implementation. Prior to joining Morgan Stanley, Chris worked for Lotus Development Corporation. Chris received his BA from Skidmore College.

About PJT Partners
PJT Partners is a premier global advisory-focused investment bank headquartered in New York City. Its team of senior professionals delivers a range of services to corporations, financial sponsors, institutional investors, alternative investment managers, and governments around the world.
Tags: Human Layer Security, Spear Phishing, DLP, Data Exfiltration
October Cybersecurity News Roundup
30 October 2020
October 2020 has been another remarkable month in cybersecurity. And, since COVID-19 sent the world indoors and made us ever-more reliant on the internet, the importance of information security and data protection has never been more apparent. October saw numerous high-profile data breaches, cyberattacks, and online scams, but also brought us one of the biggest GDPR fines yet, an innovative solution to deepfake technology, and even more jostling between the US government and Chinese big tech. Let’s take a look at the biggest cybersecurity headlines of October 2020.

Paying Cyberattack Ransoms Could Breach International Sanctions Rules

New guidance from the US Treasury has big implications for companies hit by ransomware attacks from certain countries. (Ransomware encrypts a victim’s files so they cannot be read without the attacker’s key; the criminals then promise to restore the data if the company pays a ransom.) Paying up might be the least-worst option where a company’s critical data is at stake. But according to an October 1 US Treasury advisory, paying cyberattack ransoms could violate legal rules on international sanctions. Businesses suffering a ransomware attack by sanctioned actors, such as groups linked to Iran, North Korea, or Russia (where many such attacks do originate), now face the threat of huge fines and legal action if they choose to buy back their files. The advisory does note that promptly and fully reporting the attack to law enforcement, and cooperating with the investigation, will be treated as a significant mitigating factor. The Treasury’s advice reiterates what cybersecurity leaders have been saying for many years: in cybersecurity, prevention is far better than cure.

Amazon Prime Day Sees Huge Spike in Phishing Scams

With millions of consumers confined to their homes, this year’s Amazon Prime Day was a chance for millions of shoppers to grab a bargain, and an unmissable opportunity for cybercriminals to steal their personal information.
October 8 research from Bolster detected over 800 “spoof” Amazon webpages in September (up from 50 in January), as fraudsters ramped up their phishing efforts in anticipation of the two-day Amazon Prime Day event, hosted October 13-14. Some sites looked near-identical to Amazon’s genuine web properties, with perfectly duplicated branding and convincing domain names. Unwary shoppers were asked for details such as their CVV2 code and social security number. A legitimate retailer has no reason to ask for a social security number at checkout, and a form that does is itself a warning sign. See what advice Tessian co-founder and CEO, Tim Sadler, offered consumers in TechRadar.

FBI Warns of Ransomware Attacks Targeting Healthcare Providers

On October 29, the FBI and other agencies issued a warning regarding an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The threats include a new tool named anchor_dns, a backdoor that can reportedly “evade typical network defense products,” and the Ryuk ransomware. Among other measures, the FBI is advising healthcare providers to create business continuity plans, patch networked systems, and implement multi-factor authentication in preparation for an attack. According to the Associated Press, 59 US healthcare systems have been attacked via ransomware so far this year. Looking for more information on why the healthcare industry is especially vulnerable? We talk more about The State of Data Loss Prevention in Healthcare in this article.

UK Public Body Unable to Provide Services Following “Serious Cyberattack”

On October 14, Hackney London Borough Council, a UK local government body, announced that it had fallen victim to a “serious cyberattack.” In an update two days later, the council revealed the extent of the damage. Among other things, the council was unable to accept rent payments, process planning applications, or pay some social security benefits.
The council said it was “working hard to restore services, protect data, and investigate the attack,” but that services could remain unavailable for “some time.”

UK Data Regulator Issues $26 Million Fine to Airline

UK airline British Airways received a £20 million ($26 million) fine on October 17 for “failing to protect the personal and financial details of more than 400,000 of its customers.” The fine relates to a cyberattack suffered by the company in 2018. The Information Commissioner’s Office (ICO), the UK’s data protection authority, found that the airline had failed to limit access to data, had not undertaken sufficiently rigorous testing, and should have implemented multi-factor authentication on its employee and third-party accounts. The British Airways fine is the fourth-largest GDPR fine of all time, but the airline actually got off relatively lightly, considering that the ICO’s initial notice of intent proposed £183 million ($238 million). To learn more about compliance standards like the GDPR (including the largest breaches and fines to date), check out The CEO’s Guide to Data Protection and Compliance.

Adobe Launches Content Authenticity Initiative Tool to Fight Deepfakes

As video and audio manipulation techniques become more accessible, cybersecurity and intelligence experts have been warning about a potential onslaught of deepfakes that could have an unprecedented impact on security, politics, and society. Not sure what a deepfake is? Read this article. Cybercriminals can use deepfake technology to create video or audio clips of high-profile and trusted individuals. Deepfakes have already been used in phishing attacks and could also be used for blackmail and disinformation campaigns. On October 20, Adobe’s Content Authenticity Initiative announced a new tool that will add “a secure layer of tamper-evident attribution data to photos, including the author’s name, location, and edit history” to help creatives authenticate their content.
Once deepfakes are sufficiently convincing, there might be no way to distinguish them from genuine material by inspection alone, which is why attribution data attached at creation time matters. Note that a tool like this authenticates genuine content rather than detecting fakes: it only helps if viewers learn to treat missing or broken attribution data as a warning sign. Adobe’s project marks a promising first step on this emerging security front.

Hackers Discover 55 Vulnerabilities Across Apple’s Systems

A group of hackers earned $300,000 via Apple’s bug bounty scheme after identifying 55 vulnerabilities across Apple’s infrastructure. The security issues included vulnerabilities that would have allowed an attacker to “(take) over a victim’s iCloud account,” “fully compromise an industrial control warehouse software used by Apple,” and “access management tools and sensitive resources.” The group said Apple had fully addressed the majority of the vulnerabilities reported.

Around 3 Million Credit Cards Compromised After Breach at US Restaurant Franchise

On October 12, details of around 3 million credit cards were posted on the dark web following a huge data breach at US restaurant franchise Dickey’s Barbecue Pit. According to an investigation by Gemini Advisory, 156 of 469 Dickey’s outlets were involved in the breach, with the highest levels of exposure present in California. The details appear to have been stolen between July 2018 and August 2020. Given California’s strict data breach rules, including a private right of action under the California Consumer Privacy Act, Dickey’s could be liable for some eye-watering sums if the breach is found to have resulted from lax cybersecurity practices. Questions about the CCPA? We answer 13 of them in this article: CCPA FAQs: Your Guide to California’s New Privacy Law.

Russia Planned to Launch 2020 Olympics Cyberattack

The GRU, Russia’s military intelligence agency, “conducted cyber reconnaissance against officials and organizations” involved in the Tokyo 2020 Olympic and Paralympic Games, according to a UK government announcement on October 19.
The GRU is alleged to have targeted “organizers, logistics services, and sponsors.” The Games were originally due to take place this summer but were postponed due to COVID-19. The UK government also revealed the full extent of Russia’s hacking campaign against the 2018 Winter Games, during which Russian hackers are alleged to have disguised themselves as Chinese and North Korean attackers to target the opening ceremony in PyeongChang, South Korea.

ENISA 2020 Threat Landscape Report Shows Increase in Cyberattacks

The European Union Agency for Cybersecurity (ENISA) released its 2020 Threat Landscape Report on October 20, and cybersecurity leaders (unfortunately) won’t be surprised at its conclusion: cybercrime is on the increase. The report cites “a new norm,” triggered by the COVID-19 pandemic, in which the world is even more dependent on “a secure and reliable cyberspace.” ENISA found that the number of phishing victims “continues to grow,” that Business Email Compromise (BEC) resulted in “the loss of millions of euros,” and that state-sponsored actors are propagating “finely targeted and persistent attacks on high-value data.” If you’re a security leader looking for solutions to these problems, click here to learn more about how Tessian Defender detects advanced impersonation attacks that slip past SEGs, native features, and legacy tools.

Researcher Breaches US President’s Twitter Account By Guessing Password

Dutch “ethical hacker” Victor Gevers found himself in control of Donald Trump’s Twitter account on October 16 after guessing the US president’s password. Trump’s Twitter account has over 87 million followers and is frequently used to deliver messages of international importance. Gevers said he correctly guessed the password, “maga2020!”, after seven attempts. The incident reveals that the president was using a simple, easy-to-guess password, and that he had multi-factor authentication disabled.
Rectifying either of these two basic security errors would have prevented unauthorized access to the account: a strong, unique password defeats guessing, while multi-factor authentication stops a guessed or leaked password from being enough on its own.

Overruling of WeChat Ban Denied by California Judge

Another month, another development in the long-running battle between the US government and Chinese tech firms. On October 23, a federal judge in California struck a blow to the Trump administration’s efforts to restrict WeChat, a Chinese app used for currency transfers, social networking, and instant messaging. In September, the US Department of Commerce ordered Apple and Google to stop distributing WeChat via their app stores, citing security issues. The order was blocked in California following a legal challenge by WeChat users. The US Justice Department brought further evidence and asked the court to reverse its WeChat ruling. The court declined to change its decision, meaning that the Commerce Department’s banning order will remain unenforced for now, despite the federal government’s allegations regarding WeChat’s security issues.

Finnish Therapy Center Hacked, Exposing Patient Data

One of the most shocking data breaches of 2020 was brought to light on October 24, when Finnish psychotherapy center Vastaamo revealed a hack that compromised hundreds of patient records. The highly sensitive nature of the breach means that it is being taken extremely seriously. Finland’s interior minister summoned a cabinet meeting to determine how best to respond to the breach, promising “speedy crisis help” to the affected individuals. The hackers are demanding a ransom in exchange for the stolen files, which were reportedly accessed between November 2018 and March 2019. The attack and extortion attempt further suggest that businesses worldwide lack proper cybersecurity infrastructure, even when handling highly sensitive and valuable data.

That’s all for this month. If we missed anything, please email madeline.rosenthal@tessian.com and stay tuned for the next roundup.
Tags: Human Layer Security, Spear Phishing, Customer Stories, DLP, Data Exfiltration
How Tessian Is Preventing Breaches and Influencing Safer Behavior in Healthcare
By Maddie Rosenthal
28 October 2020
Company: Cordaan
Industry: Healthcare
Seats: 6,300
Solutions: Guardian, Enforcer, Defender

About Cordaan
Cordaan, one of the largest healthcare providers in Amsterdam, provides care to over 20,000 people from 120 locations across the city. They do this with the help of 6,000 employees and more than 2,500 volunteers. Cordaan also works in association with research institutes and social organizations. To help protect the organization’s people, sensitive data, and networks, Cordaan has deployed Tessian Guardian, Enforcer, and Defender to protect over 6,300 employees on email.

Tessian solves three key problems for Cordaan, which we explore in detail in the video below. Keep reading for a summary of the discussion.

Problem: Healthcare employees are especially vulnerable to inbound attacks

When it comes to inbound attacks like spear phishing and business email compromise, the healthcare industry is among the most targeted. It also has the highest costs associated with data breaches. Why? According to Cas de Bie, the Dutch healthcare provider’s Chief Information Officer, it’s not just because organizations operating in this industry handle highly sensitive data. It also has a lot to do with the very nature of the work: helping people.
Combine this empathetic approach with the stress of a global pandemic, and you’re left with an incredibly vulnerable workforce. Cas is now confident that Tessian will identify spear phishing emails before his employees respond to them, and that employees’ workflow won’t be disrupted in the process.

When talking about inbound attacks, Cas said, “It’s all about awareness. While people probably do know what they’re supposed to do when it comes to email security, it’s different in real life. It’s hard to decide in the moment. Of course, they don’t do it on purpose. They want to make the right decision. Tessian helps them do that.”

Problem: Reactive and rule-based solutions weren’t preventing human error on email in the short or long term

To ensure GDPR compliance, Cordaan prioritized investment in privacy and security solutions. But, according to Cas, “standard” email security, spam filtering solutions, and encryption alone just weren’t enough. They weren’t keeping malicious emails out of inboxes, and they weren’t preventing data loss from insiders. They also weren’t doing anything to improve employee security reflexes in the long term.
So, to level up Cordaan’s email security, Cas was looking for a solution that was:

- Technologically advanced
- User-friendly
- Proactive

With Tessian, he found all three. Powered by contextual machine learning and artificial intelligence, our solutions can detect and prevent threats and risky behavior before they become incidents or breaches. How? With in-the-moment warnings, triggered by anomalous email activity, that look something like this.
These warnings help nudge well-intentioned employees towards safer behavior and ensure data stays within Cordaan’s perimeter. And, because Tessian works silently in the background and analyzes inbound and outbound emails in milliseconds, it’s invisible to employees until they see a warning.

This was incredibly important to Cas, who said that “The added value of Tessian is that it influences behavior. That really resonated with the board and helped me make a strong business case. While I can’t show how cybersecurity creates revenue, I can show – via a risk management calculation – the potential fines we could avoid because of our investment in Tessian”.

Problem: Cordaan’s security team had limited visibility into, and control over, data loss incidents on email

While Cordaan had invested in other email security solutions, Cas and his team still lacked visibility into the frequency of data loss incidents on email. But, after deploying Tessian for a Proof of Value, the scope of the problem became crystal clear.
The reality is that employees send unauthorized and misdirected emails more frequently than expected. (We explore this in detail in our report, The State of Data Loss Prevention 2020.) But, the good news is that this behavior can be influenced and corrected, all without access restrictions that make it harder (or impossible) for employees to do their jobs.

Cas explained it well, saying that “Of course there are things that we have to police and prohibit. But, most of the time, people aren’t doing things maliciously. So it’s nice that – with Tessian – we can take a more nuanced approach. We can influence behavior and help our employees do the right thing.”

Learn more about how Tessian prevents human error on email

Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships.

- Tessian Guardian automatically detects and prevents misdirected emails
- Tessian Enforcer automatically detects and prevents data exfiltration attempts
- Tessian Defender automatically detects and prevents spear phishing attacks

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however you work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Tags: Human Layer Security, Spear Phishing, DLP, Data Exfiltration
Tessian Included as a Cloud Email Security Supplement Solution in Gartner’s 2020 Market Guide for Email Security
By Maddie Rosenthal
27 October 2020
Gartner recently released its Market Guide for Email Security, and Tessian is thrilled to have been included as a representative vendor for Cloud Email Security Supplement Solutions (CESSs). So, what does that mean? According to the report, representative vendors offer “email security capabilities in ways that are unique, innovative, and/or demonstrate forward-looking product strategies.”

How has the threat landscape changed?

According to Gartner’s guide, there are a number of factors related to the market’s direction that security leaders need to consider, including the ways in which hackers are targeting organizations and how (and where) we work. Keep reading to learn more.

Email is the #1 threat vector
As noted in the report, “According to the 2020 Verizon Data Breach report, 22% of breaches involved social engineering, and 96% of those breaches came through email. In the same report, another 22% of breaches were a result of ‘human failure’ errors, where sensitive data was accidentally sent to the wrong recipient.” “Business email compromise (BEC), the takeover or fraudulent use of a legitimate account to divert funds, continues to grow, and simple payroll diversion scams accounted for $8 million in 2019.”

The bottom line: whether it’s protecting against inbound threats like ransomware attacks, business email compromise (BEC), or account takeover (ATO), or outbound threats like accidental and malicious data exfiltration, security leaders need to prioritize email security and reevaluate the effectiveness of current solutions. This is especially pertinent as many organizations have moved to the cloud.

Increased cloud office adoption

According to Gartner, “Enterprise adoption of cloud office systems, for which cloud email is a key capability, is continuing to grow, with 71% of companies using cloud or hybrid cloud email.” We can expect these numbers to rise, especially given the sudden shift to remote working set-ups in response to COVID-19 and the steep and steady rise in the use of mobile devices for work. But, there’s a problem. Despite the basic security controls built into G Suite and O365 (anti-spam, anti-phishing, and anti-malware services, advanced attachment defenses, and URL-based threat defenses), “email threats have become sophisticated to evade detection by common email security technologies, particularly those that rely only on standard antivirus and reputation.”
What capabilities set vendors apart?

So, what capabilities set vendors apart? In other words, what capabilities should security leaders be looking for? Gartner recommends that security leaders “invest in anti-phishing technology that can accurately detect BEC and account takeover attacks. In particular, seek solutions that use AI to create a baseline for communication patterns and conversation style and detect anomalies in these patterns. For account takeover attacks, seek solutions that use computer vision when reviewing suspect URLs. Adjacent technologies such as multifactor authentication are used to protect against account takeover attacks.”

Gartner also says “the following capabilities can be used as primary differentiators and selection criteria for email”. These include the ability to:

- “Protect against attachment-based threats”
- “Protect against URL-based advanced threats”
- “Protect Against Impersonation and Social Engineering Tactics Used in URL-Based, Attachment-Based and Payloadless Advanced Threats”

And, to help security leaders narrow down their search, Gartner identified specific categories of vendors that provide some of the above email capabilities. Tessian is recognized as a representative vendor for CESSs. Keep reading to learn more about our products and technology.

Why Tessian?

Tessian Human Layer Security offers both inbound and outbound protection on email and satisfies criteria outlined in the report, including display name spoof detection, lookalike domain detection, anomaly detection, data protection, and post-delivery protection, and offers these protections for both web and mobile devices. Here’s how. Powered by machine learning, our Human Layer Security platform understands normal email behavior by analyzing content, context, and communication patterns from historical email data to establish trusted relationship graphs.
Tessian can then detect anomalies in real time using those employee relationship graphs alongside deep content analysis, natural language processing, and behavioral analysis.

Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails.
Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity.
Tessian Defender automatically detects and prevents spear phishing, business email compromise and other advanced targeted impersonation attacks.

Tessian’s technology updates its understanding of human behavior and evolving relationships through continuous analysis of the organization’s email network, without hands-on maintenance from security teams. That means it gets smarter over time to keep you protected wherever and however you work, whether that’s a desktop computer in the office or a mobile device, tablet, or laptop at home.

But Tessian doesn’t just detect and prevent threats. When a security threat is triggered, contextual warnings give employees in-the-moment training on why an email was flagged as unsafe (or as an impersonation attempt), reinforce data security policies and procedures, and improve their security reflexes. This nudges employees towards safer behavior in the long term.

And with Human Layer Security Intelligence, security and compliance leaders get greater visibility into the threats prevented, can track trends, and can benchmark their organization’s security posture against others. This way, they can continuously reduce Human Layer risks over time. To learn more about how Tessian protects world-leading organizations across G Suite, O365, and Outlook, check out our customer stories or book a demo.
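Two of the capabilities named above, display name spoof detection and lookalike domain detection, are simple enough to sketch in code. The following is an added example written for this page; it is not Tessian’s code and does not come from the Gartner report. The trusted domains, the known-contact table, the confusable-character table and every From: header it is run on are constructed for the illustration; a real relationship graph would be learned from mail history rather than hand-written.

```python
"""Display-name spoof and lookalike-domain checks over From: header values.

Added example, not Tessian's code and not from the Gartner report. The trusted
domains, known contacts, confusable table and sample headers are constructed.
"""
import re
import unicodedata

# Constructed: the organisation's own domain plus known partner domains.
TRUSTED_DOMAINS = {"example.com", "partner-bank.com"}

# Constructed: display names previously seen paired with one sender address.
# A real deployment learns this table from mail history.
KNOWN_CONTACTS = {"jane doe": "jane.doe@example.com",
                  "acme payroll": "payroll@partner-bank.com"}

# Characters and digraphs commonly substituted for Latin letters in lookalike
# domains. Illustrative subset; production code uses Unicode's confusables
# tables. Digit entries also fold legitimate domains containing digits, so a
# hit is a signal to weigh with other evidence, not a verdict on its own.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$')


def split_from(header_value):
    """Split a From: value into (display name, address). Done by hand because
    email.utils.parseaddr treats malformed input differently across versions."""
    m = FROM_RE.match(header_value)
    if m:
        return m.group("name").strip(), m.group("addr")
    v = header_value.strip()
    return ("", v) if "@" in v and " " not in v else (v, "")


def normalize_domain(domain):
    """Fold visually similar spellings of a domain onto one canonical form."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".").lower())
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)  # digraphs first, then single characters
    return d


def registrable(domain):
    """Last two labels. Simplification: real code consults the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as partner-bank.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates, or None if it is trusted or
    unrelated. Subdomains of a trusted domain are not flagged."""
    if registrable(domain.strip().rstrip(".").lower()) in trusted:
        return None
    norm = registrable(normalize_domain(domain))
    for t in sorted(trusted):
        if norm == t or levenshtein(norm, t) <= max_distance:
            return t
    return None


def display_name_spoof(name, addr, contacts=KNOWN_CONTACTS, trusted=TRUSTED_DOMAINS):
    """Flag a known contact's display name on another address, or a display name
    that is itself an address on a trusted domain (a common BEC trick)."""
    key = " ".join(name.split()).lower()
    addr = addr.lower()
    if key in contacts and contacts[key] != addr:
        return f"display name '{name}' is known as {contacts[key]}, not {addr}"
    if "@" in key:
        shown = key.rsplit("@", 1)[1]
        if registrable(shown) in trusted and addr.rsplit("@", 1)[-1] != shown:
            return f"display name shows an address on {shown} but the sender is {addr}"
    return None


def analyse_from(header_value):
    """Run both checks over one From: header value and return the findings."""
    name, addr = split_from(header_value)
    if "@" not in addr:
        return ["unparseable From header"]
    domain = addr.rsplit("@", 1)[1]
    findings = []
    spoof = display_name_spoof(name, addr)
    if spoof:
        findings.append("display-name spoof: " + spoof)
    target = lookalike_domain(domain)
    if target:
        findings.append(f"lookalike domain: {domain} resembles trusted {target}")
    return findings
```

Calling `analyse_from` on constructed headers such as `"Acme Payroll <payroll@partner-bank.co>"`, `"IT Helpdesk <helpdesk@examp1e.com>"` or `"jane.doe@example.com <attacker@evil.net>"` returns one finding per pattern, while `"Jane Doe <jane.doe@example.com>"` comes back clean. Three caveats a practitioner should keep in mind: an edit-distance threshold of 2 will also flag unrelated short domains, so tune it per trusted domain or pair it with a sender-reputation signal; Punycode (`xn--`) domains should be decoded with Python’s `idna` codec before normalisation; and the two-label `registrable` helper is a stand-in for a proper Public Suffix List lookup.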
Gartner, Market Guide for Email Security, September 2020 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
8 Book Recommendations for Security Professionals
By Maddie Rosenthal
22 October 2020
Most security professionals rely on recommendations from their peers when it comes to vendors, solutions, and strategies. So, why not books? We asked our own cybersecurity experts what they were reading and rounded up eight books to add to your reading list.

The Cuckoo’s Egg
This is Clifford Stoll’s own account, based on his field notes, of the intrusion he began tracking in 1986 as a systems administrator at the Lawrence Berkeley National Laboratory. It is arguably one of the first documented cases of a computer hack and the subsequent investigation, which eventually led to the arrest of Markus Hess. It’s now considered an essential read for anyone interested in cybersecurity.

CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers
While this book covers all the fundamentals of IT security governance and risk management, it also digs deeper into people. After all, being a CISO isn’t just about technology. The insights in the book come directly from CISOs: in total, 75 security leaders contributed, which means there’s plenty of actionable advice you can apply to your own strategies. Looking for more insights from security leaders? Check out Tessian’s CISO Spotlight series.

The Art of Deception
Written by someone pretty well known in the security field, Kevin Mitnick, The Art of Deception offers readers an insider’s view of how attackers manipulate people to get into systems (and therefore what you can do to protect yourself).

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
Politics play a big role in cybercrime. This book focuses on Sandworm, the group of Russian hackers who, over the last decade, have targeted American utility companies, NATO, and electric grids in Eastern Europe, and paralyzed some of the world’s largest businesses with malware. The author, Wired senior writer Andy Greenberg, also provides plenty of background on both the technology and the relationships between the countries involved.

Social Engineering: The Art of Human Hacking
If you want a breakdown of every aspect of social engineering, from elicitation and pretexting to influence and manipulation, this one’s for you. Written by Christopher Hadnagy, the lead developer of the world’s first social engineering framework, this book is a sort of intro to hacking humans that could help you level up your phishing awareness program and defenses. We take a deep dive into the psychology of human error in this report, with insights from Stanford Psychology and Communications professor Jeff Hancock.

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
In the same vein as Sandworm, this book explores cyberwar, nation-state hackers, and the future. While it doesn’t offer highly technical insights, there is plenty of practical advice on how organizations and individuals can avoid being hacked.

Cult of the Dead Cow
Cult of the Dead Cow explores some of the world’s most infamous hacking groups, particularly the cDc, and explains how technology, data, and, well, the world has changed because of them.

CISM Certified Information Security Manager All-in-One Exam Guide
Yes, this is an exam guide, and yes, you should add it to your reading list, if nothing else to have on hand as a reference. Why? It covers everything: security governance, risk management, security program development, and security incident management. Curious whether other security professionals have their CISM certification? We interviewed 12 women about their journeys in cybersecurity. Read their profiles here and the full report, Opportunity in Cybersecurity Report 2020.
20 Virtual Cybersecurity Events To Attend in 2020 (Updated September)
27 September 2020
Now that 2020 is behind us, let’s look forward to 2021. Check out our new list: 21 Virtual Cybersecurity Events to Attend in 2021.

Why do people attend conferences and industry-specific events? Because they’re valuable opportunities for professionals to network, develop or learn new skills, and gain insights from leading experts. That’s one reason why, instead of canceling or postponing their events this year, many organizers have opted to take them online. We’ve rounded up the best virtual events (including webinars!) over the next several months and have highlighted why you should attend, what to expect, and the cost (if any).

Note: While, yes, a lot of these events are targeted at security vendors or leaders, non-technical executives like CEOs, CFOs, and COOs also have a lot to gain by tuning in. Keep reading to find out why.

Virtual Cybersecurity Events for 2020

The following 20 events are going ahead virtually and are listed in date order. For the most up-to-date and/or specific event information, including registration details, be sure to visit the event’s website. All information is correct at the time of writing.

1. [Webinar] Developing and Sustaining an Effective Security Culture
Date: October 6 at 11am (BST)
Over the last several months, the Security Awareness Special Interest Group (SASIG) has been live streaming a webinar every. single. day. It’s fair to say they’ve mastered it. While you can check out their full calendar of events here, we wanted to highlight this one in particular. Martin Smith, Chairman and Founder of SASIG, will be joined by Gaynore Rich, Global Director of Cybersecurity Strategy & Transformation at Unilever; Zsuzsanna Berenyi, Head of Cybersecurity Awareness and Culture at London Stock Exchange Group; Vic Djondo, Director of Cyber Targeted Training and Awareness at Standard Chartered Bank; and Imogen Verret, Senior Behavioural Insights and Security Awareness Manager at Vodafone Group. They’ll all be discussing their strategies for building a strong security culture while also offering tips to their peers.
Cost to Attend: Free, but you must be a member. Cybersecurity frontliners can become members by registering (for free) here.

2. [Panel] Security 101: Back to the Basics
Date: October 6 at 10am (PST)
As part of its Remote Sessions series, SecureWorld, whose mission is to connect, inform, and develop leaders in cybersecurity, is hosting a panel to remind us all that we still need to do the little things. Speakers include Roy Wattanasin, Information Security Leader at the Association for Computing Machinery; Advait Deodhar, Solutions Architect, CISSP at ForgeRock; and Ryan Swimm, Senior Security Analyst at BitSight Technologies.
Cost to Attend: Free

3. Cyber Security Digital Summit: EMEA 2020
Date: October 13
This summit, put on by The Cyber Security Hub, is focused on educating CISOs and other security professionals about how to handle today’s threats and tomorrow’s breaches. This 2-day EMEA event follows a deep dive into the APAC region and will feature speakers from around the world, including Lucy Payne, Security Education and Training Manager at Aviva, Mohamad Mahjoub, CISO at Veolia, and many more. Bonus: attendees will be able to download slides after the event to reference later on.
Cost to Attend: Free

4. Security@
Date: October 20-23
Security@ is the only security conference powered by hackers, brought to you by, you guessed it, HackerOne. The theme? The critical role of hackers in your cybersecurity strategy. This will be the fourth consecutive year the event has been held, and attendees can once again expect to hear from thought leaders in the public and private sectors, security industry influencers, and, of course, some of the world’s most elite hackers. While you can access the full agenda here, here are some highlights:
Engaging Hackers to Help Secure Elections
Beyond the Checkbox: Leveraging Compliance Frameworks to Improve Security Postures
How a Bug Becomes a Fix
Cost to Attend: Free

5. [Panel] Social Engineering, BEC Attacks, and Other ‘Fun’ Scams
Date: October 20 at 10am (PST)
Yep, that’s right. Another one of SecureWorld’s remote sessions has made our list of must-attend events. Why attend? We’ll tell you. Business Email Compromise has increased by over 100% in the last two years and, as you may have noticed, social engineering has been making headlines more and more frequently. Looking for real-world examples of both? Check out this article. While panelists haven’t yet been announced, SecureWorld has said that guest speakers will be fielding questions live and that attendees will walk away with a better idea of how to keep their organization secure.
Cost to Attend: Free

6. [Webinar] Adapting Cybersecurity For a Hybrid Workforce
Date: October 21
Security strategies changed quickly with the move from office to home and now, as many organizations around the world adopt hybrid remote working structures, they’ll have to change again. That’s why Tessian is hosting this webinar. More information, including speakers and how to register, is coming soon. To be the first to get updates, sign up for our newsletter.
Cost to Attend: Free

7. Open Data Science Conference West
Date: October 26-30
This is one to invite your larger security team to, including engineers. Why? There are over a dozen different topics and training areas, over 200 speakers, and it’s the only applied data science conference in the world. You can also sign up for pre-conference training and a hackathon.
Cost to Attend: $129-$859 (Click here to see which pass is right for you.)

8. FutureCon – London
Date: October 27
FutureCon Events brings together security leaders to discuss new approaches to managing risk. Attendees can expect panels with C-level executives who have effectively mitigated the risks associated with cyber attacks, and several other learning opportunities that will help you build a cyber-resilient organization. Can’t make it on October 27? That’s okay! FutureCon is hosting virtual events in several different cities, all spreading the same message: “Cybersecurity is no longer just an IT problem.”
Cost to Attend: $100

9. InfoSec Connect Virtual Summit
Date: October 28-29
If you’re a security leader working in Financial Services, you don’t want to miss this. While it is a virtual event, the set-up will mirror what people have come to expect from Connect’s in-person events. That means 1:1 meetings, in-depth discussions, exclusive networking, and content that’s been created and tailored specifically for the audience. Note: This event is invite-only, so if you’re interested in attending, make sure you request an invitation ASAP.
Cost to Attend: Free

10. CISO Healthcare Exchange
Date: October 28
This is another event targeted at a specific industry and, again, is invite-only. This time, though, it’s Healthcare. Attendees will discuss some of the most critical challenges CISOs are facing and how to make sure security strategies evolve in tandem with the changing threat landscape. While you can view the full agenda here, below is a sneak peek.
Living on the Edge: Meeting Emerging Cybersecurity Challenges in Digital Health
Healthcare 2.0: Securing the Brave New World of the IoMT
Championing Cybersecurity as a Critical Component of the Consumerization of Healthcare
If you’re interested, make sure you register for your invitation soon.
Cost to Attend: Free

11. National HealthSec eForum
Date: November 5
A perfect follow-up to the above event is the National HealthSec eForum (which is being put on by the Cybersecurity Collaboration Forum). While the agenda hasn’t been shared yet, we do know that board members recommend and vet topics, speakers and industry partners, ensuring each event addresses the industry’s most significant concerns. Bonus: sessions are interactive, peer driven, and limited in size for maximum learning and networking. Make sure you register now; space is limited and you must qualify to attend. A member of your local leadership board will reach out with a confirmation once you’ve been approved to attend.
Cost to Attend: Free

12. Global Talent: What your Workplace & Workforce of the Future will Look Like
Date: November 10
As we’ve already mentioned, the workplace is changing. Many organizations are adopting flexible, hybrid, and even fully remote structures, which means cybersecurity leaders need to adapt and evolve their strategies. This event in particular is for security leaders in Financial Services. Here’s what you should expect:
A panel session where experts will share advice, wisdom, and best practices on the evolving workplace and workforce
A closer look at how emerging collaboration paradigms may affect strategies
A deep dive into data privacy across geographical boundaries
Members can sign up here. And, if you’re not a member, you can register to become one now.
Cost to Attend: Free

13. Cybersecurity Digital Summit – Fall 2020
Date: November 10-12
This 3-day virtual event promises to help you chart the course for 2021 with the help of expert opinions and advice. And, spoiler alert, the speaker line-up is first-class and includes Ramy Houssaini, Chief Cyber and Technology Risk Officer at BNP Paribas, Brian Robinson, Senior Director of Product Marketing at BlackBerry, and many (many) more. Check out the full agenda here and decide which of the sessions you’re going to attend.
Cost to Attend: Free

14. ISF Digital Congress 2020
Date: November 15-19
This is the Information Security Forum’s flagship event, which means it’s perfectly aligned with the organization’s overall mission, which is to “…[help] members overcome the wide-running information security challenges that impact business today.” ISF is promoting this as a sort of “live broadcast”, which means members (and non-members, so long as you register now!) from a variety of timezones can tune in. To learn more about what to expect and why you should attend, watch this video featuring Steve Durbin, Managing Director at ISF, and Nicholas Witchell, renowned journalist and Master of Ceremonies for Digital 2020.
Cost to Attend: Free

15. PrivSec Global (Q4)
Date: November 30-December 3
While we’ll give a bit more context below, this one-liner tells you most of what you need to know: this is the largest data protection, privacy, and security event of 2020. Spread across four days and sponsored by Microsoft and The Wall Street Journal, attendees can choose from one of eight tracks, including privacy, security, industry, and region, so the content will be highly curated. And, with over 200 speakers and 90 sessions, it won’t be hard to find a topic that’s relevant specifically to you.
Cost to Attend: Free

16. Chief Information Security Officer Exchange
Date: December 8-9
CISOs, here’s another one just for you. At this 2-day virtual event, attendees will learn how to empower their organization to navigate the changing landscape. How? Through a variety of topics, including:
How to use strategic storytelling to provide clear benchmarks and metrics
How to dissolve the gender and workforce gap on cybersecurity leadership teams
How to prioritize and revise the definition of your organization’s risk appetite
For a full list of speakers, click here. And make sure you register now!
Cost to Attend: Free

17. 2020 HMG Live! Financial Services CIO Executive Leadership Summit
Date: December 10
At HMG’s live virtual event, which is specifically designed for security leaders in Financial Services, top technology executives will share their advice on the roles that CIOs and tech leaders can play in driving innovation and reshaping the future of work. While there will no doubt be a focus on security, many of the topics will actually cover the more human aspect of being a leader, including how to keep employees inspired and how to strengthen employee engagement and motivation. You can view the agenda, speaker line-up, and partners here.
Cost to Attend: Free

18. Accounting & Finance Show
When: October 20 – October 21, 2020
Cost to Attend: Free
The Accounting & Finance Show is the USA’s largest virtual accounting and finance exhibition. With over 150 speakers and 3,000 attendees, the exhibition features online networking, virtual workshops, and CPE education. Content tracks include HCM & Payroll, Tax, Technology, and Practice Management. Why attend? If you’re a security leader in Financial Services, this is a great opportunity to connect with your peers and understand what they’re doing to overcome current challenges.

19. Futurist Virtual Conference
When: November 11 – 12, 2020
Cost to Attend: Free
Futurist Virtual Conference is Canada’s largest blockchain and emerging tech conference. Over 100 world-class speakers are attending this year to discuss emerging industries and their trends, and attendees have the option to sit in on over 60 panel sessions, workshops, and roundtables.

20. NewStatesman Virtual Cyber Security in Financial Services Conference
When: November 24, 2020
Cost to Attend: Free for senior-level delegates from financial institutions.
At this year’s virtual conference, senior figures and thought leaders will lead presentations that examine current regulations and key trends. Some of the presentations include:
How the COVID-19 pandemic has changed the cybersecurity landscape
Building cyber resilience in the new decade
How biometric innovation is shaping the future

Are there any other events you think we should add to this list? Email madeline.rosenthal@tessian.com
Tim Sadler on Hacking Humans Podcast: Ep 117 “It’s Human Nature”
24 September 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why people make mistakes and the importance of developing a strong security culture. While you can listen to the episode here, you can read a full transcript below. And, for more insights into the psychology of human error, read our report, The Psychology of Human Error.
Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He’s been on our show before. He’s from an organization called Tessian, and they recently published a report called “The Psychology of Human Error.” Here’s my conversation with Tim Sadler.

Tim Sadler: We commissioned this report because we believe that it’s human nature to make mistakes. People control more sensitive data than ever before in the enterprise. So there’s customer data, financial information, employee information. And what this means is that even the smallest mistakes – like accidentally sending an email to the wrong person, clicking on a link in a phishing email – can cause significant damage to a company’s reputation and also cause major security issues for them. So we felt that businesses first need to understand why people make mistakes so that, in the future, they can prevent them from happening before these errors turn into things like data breaches.

Dave Bittner: Well, let’s go through some of the findings together. I mean, it’s interesting to me that, you know, right out of the gate, the first thing that you emphasize here is that people do make mistakes.

Tim Sadler: Absolutely, they do make mistakes, and I think that is human nature. We think about our daily lives and the things that we do; we factor in human error, and we factor in that we will make mistakes. And something I always come back to is if we think about something we do, you know, many of us do on a daily basis, which is, you know, driving a car, and we think about all of the assistive technology that we have in that car to protect us in the event that we do make a mistake because, of course, mistakes are expected. It’s kind of in our human nature.

Dave Bittner: Well, let’s dig into some of the details here because there are some fascinating things that you all have presented. One of the things you dig into is the age factor. Now, this was interesting to me because I think we probably have some biases about who we think would be more likely to make mistakes, but you all uncovered some interesting numbers here.

Tim Sadler: Yeah, completely. And, you know, just sharing some of those statistics that we found from this report, 65% of 18- to 30-year-olds admit to sending a misdirected email compared to 34% who are over the age of 51. And we also found that younger workers were five times more likely to admit to errors that compromised their company’s cybersecurity than older generations, with 60% of 18- to 30-year-olds saying they’ve made such mistakes versus 10% of workers who are over 51.

Dave Bittner: Now, what do you suppose is the disparity there? Do you have any insights as to what’s causing the spread?

Tim Sadler: I think it is just speculation that I think there’s something interesting in just maybe thinking about the comfort level that younger workers might have with actually admitting mistakes or sharing that with others in the enterprise. You know, I think there’s something encouraging here, which is actually we’re seeing that if you were running a security team, you want your employees to come forward and tell you something has gone wrong, whether that’s a mistake that’s led to a bad thing or it’s a near miss. And I think that you also might find that, generally, younger people may tend to be less senior in the organization and, you know, may not have the same sense of stigma that maybe the older generations, who are more senior, may think there is. So if I tell my boss that, you know, I’ve just done something and there was a potentially bad outcome, they might feel like they may be in danger of compromising their position in the organization.

Dave Bittner: Yeah, it’s a really interesting insight. I mean, that whole notion of the benefits of having a company culture that encourages the reporting of these sorts of things.

Tim Sadler: I think it’s so important. You know, I think – somebody, you know, correctly advised me, you almost need an everything’s-OK alarm in your business when you’re thinking about security. You know, if you have a risk register or if you are responsible for taking care of these incident reports, if you don’t see people reporting anything, it’s usually a more concerning sign than you have people coming forward who are openly admitting to the errors they’ve made that could lead to these security issues. It’s highly unlikely that you’ve got nothing on your risk register. That you’ve completely eliminated risk from your business. It’s more likely that actually you haven’t created the right culture that feels like it’s suitable or acceptable to actually come forward and admit mistakes.

Tim Sadler: And I think this is really, really important. I think now more than ever, during this time where, you know, we have a global pandemic, a lot of people are working from home, and they’re kind of juggling the demands of their jobs with their personal lives – maybe they’re having to figure out childcare – there are lots of other things weighing in to an employee’s life right now. It’s really important to actually, I think, extend empathy and create an environment where your employees do feel comfortable actually sharing things, mistakes they’ve made or things that could pose security incidents. I think that’s how you make a stronger company, through that security culture.

Dave Bittner: But let’s move on and talk about phishing, which your report digs into here. And then this was surprising to me as well. You found that 1 in 4 employees say that they’ve clicked on phishing emails. But interesting to me, there was a gap between men and women and, again, older folks and younger folks.

Tim Sadler: Yes, so we found in the report that men are twice as likely as women to click on links in a phishing email, which again I think is – I think we were as surprised as you are that that was something that came from the research that we conducted.

Dave Bittner: And a much lower percentage of folks over 51 say that they’d clicked on phishing links.

Tim Sadler: Yes. And, again, you know, because of the research, of course, we’re relying on people’s honesty about these kinds of things.

Dave Bittner: Right.

Tim Sadler: But it does seem that there are clear kind of demographic splits in terms of things like age and also gender in terms of, actually, the security outcomes that took place.

Dave Bittner: I mean, that in particular seems counterintuitive to me, but when I read your report, I suppose it makes sense that, you know, people who have more life experience, they may be more wary than some of the folks who are just out of the gate.

Tim Sadler: I think that does play into things. I think that younger generations who are coming into the workplace, who are maybe even used to – you know, they’ve had an email account maybe for most of their lives. In fact, I would say that they’re probably less used to using email because they’ve advanced to other communication platforms before they enter the workplace. But I do think that, you know, if you think about people who have had email accounts, you know, at school or at college, they’re going to be used to being faced with potential scams, potential phishing. They’ve maybe already been through many kind of forms of education training awareness, those kinds of things, before they’ve actually entered the world of work.

Dave Bittner: Yeah, another thing that caught my eye here was that you found that tech companies were most fallible. And it seemed to be that the pace at which those companies run had something to do with it.

Tim Sadler: Yeah, I think there’s something interesting here. And, again, just would say that this is speculation because we don’t have the specific data to dig further into this. But I think there’s something interesting with the concept that technology companies, as you say, if they’re, you know, high-growth startups, they tend to be maybe moving faster, where these kinds of things can slip off the radar in terms of the security focus or the security awareness culture they create.

Tim Sadler: But the other thing – and I think something to be aware of – is sometimes technology companies have that kind of false sense of security that it’s all in check, right? ‘Cause they – you know, this is kind of their domain. They feel that it’s within their comfort zone, and then maybe they neglect, actually, how serious something like this could be, where they feel that, OK, we’ve actually – even if we’ve got an email system in place, in the instance of phishing – we’ve got an email system in place. We feel like it has the appropriate security controls. But then we miss out the elements of actually making sure that the person is aware or is trained, is provided with the assistive technology around them and then also feels that they’re part of a security culture where they can report these things. So I think that’s also an important factor, too.

Dave Bittner: So one of the interesting results that came through your research here is the impact that stress and fatigue have on workers’ ability to kind of detect these things.

Tim Sadler: Yeah, and this is a really, really important point. So 47% of employees cited distraction as the top reason for falling for a phishing scam. And 41% said that they sent an email to the wrong person because they were distracted. The interesting thing, I think, there is that – another stat that came out from this – 57% of people admitted that they were more distracted when working from home, which is, of course, a huge part of the population now. So this point about distraction seems to play a really important factor in actually the fallibility of people with regard to phishing.

Tim Sadler: And then a further 93% of employees said that they were either tired or stressed at some point during the week. And 1 in 10 actually said that they feel tired every day. And then the sort of partner stat to that, which is important, is that 52% of employees said that they make more mistakes when they’re stressed. And of course, tiredness and being stressed play hand-in-hand. So these are really, really important things for companies to take note of, which is, you have to also think about the well-being of your employees with regard to how that impacts your security posture and your ability to actually prevent these kinds of human errors and mistakes from taking place.

Dave Bittner: Right. Giving the employees the time they need to recharge and making sure that they’re properly tasked with things where they can meet those requirements that you have for them – I mean, that’s an investment in security as well.

Tim Sadler: Completely. And I think what’s really difficult is that security is serious business. No one would doubt or question its importance. It is literally mission critical for companies to get right. Some companies take a draconian approach when it comes to security, and they penalize or they’re very heavy-handed with employees when they get things wrong. I think, again, it is really important to consider the security culture of an organization. And actually, creating a safe space for people to share their vulnerability from a security perspective – things that they may have done wrong – and actually then having a security team or security culture that helps that person with the error or the issue that may arise versus just creating an environment where if you do the wrong thing, then, you know, your job, your role might be in jeopardy.

Tim Sadler: And again, it is a balance because you need to make sure that people are never being careless, and there is a responsibility that we all have in terms of the security posture of our organization. But what this report shows is that those elements are really important. You know, we don’t want to contribute to the distraction. We don’t want to contribute to the stress and tiredness of our employees. And even outside the security domain, if you do have an environment that doesn’t create a balance for your employees, you are at a higher risk of suffering from a security breach because of the likelihood of human error with your employees.

Dave Bittner: All right, Joe, what do you think?

Joe Carrigan: I really liked that interview. Tim makes some really great points. The first thing he says is at Tessian, they believe that people are prone to mistakes, right? Of course we are, right? But why, in the real world, do we act like we’re not? That is what struck out to me immediately – the fact that Tim even needs to say this or that somebody needs to say this, that people are prone to mistakes. We act as if we’re not prone to mistakes. And then the driving analogy is a great analogy, right? If everybody does everything right in a car, nobody would ever have an accident. But as we all know, that is not the case.

Dave Bittner: Accidents happen (laughter). Yeah. I think in public health, too – you know, I often use the example of, you can do everything right. You can wash your hands. You can, you know, be careful when you sneeze and clean surfaces and all that stuff. But still, no matter what, every now and then, you’re still going to get a cold.

Joe Carrigan: Younger people are more likely to say that they’ve made mistakes than older people, and I agree with Tim’s speculation on the disparity of responses across age groups. Younger people have less to lose than an older person who might be more senior in the organization. I also think that an older person might be more experienced with what happens when you admit your mistakes.

Joe Carrigan: And that comes to my next point, which is culture. And that is probably the single-most important thing in a company. And this is my opinion, of course – but this is so much more important when we get to security. It needs to be open and honest, and people need to absolutely not fear coming forward about their mistakes in security. This is something that I’ve dealt with throughout my career, even before I was doing security, with people making mistakes. If somebody tries to cover up a mistake, that makes the cleanup effort a lot more difficult. And it’s totally natural to try to do that. You’re like, oh, I made the mistake. I better correct it. If you don’t have the technical expertise to correct it, you’re actually making more work for the people who have to actually correct it.

Dave Bittner: Yeah. I also – I think there’s that impulse to sort of try to ignore it and hope it goes away.

Joe Carrigan: Right (laughter). That happens, too. I find this interesting. Men are twice as likely to click on a link than women. Older users are less likely to click on a link. I think that comes from nothing but experience. You and I are older. We’ve had email addresses for years and years and years. I’ve been on the Internet longer than a lot of people have been alive. I know how this works. And younger people may not have that level of experience. Plus, I think younger people are just more trusting of other people. And as we get older, we, of course, become more jaded.

Joe Carrigan: Tech companies have a false sense of security because this is their domain. That’s one of the things Tim said. I think that’s right. You know, that’s not going to happen to us; we’re a tech company. Things are still going to happen to you because, like Tim says very early in the interview, people make mistakes.

Dave Bittner: All right. Well, again, our thanks to Tim Sadler from Tessian for joining us this week. We appreciate him taking the time. Again, the report is titled “The Psychology of Human Error.” And that is our show. Of course, we want to thank all of you for listening.

Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The “Hacking Humans” podcast is proudly produced in Maryland at the startup studios of DataTribe, where they’re co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I’m Dave Bittner.

Joe Carrigan: And I’m Joe Carrigan.

Dave Bittner: Thanks for listening.