Human Layer Security
Email: Information Security’s Leaky Pipeline
12 March 2019
Email is the most widely used method of communication in the world. The number of emails sent and received daily will reach almost 300 billion in 2019, and the number of active email users will reach almost 4 billion in the same year, according to technology research company Radicati. There’s a reason the ageing protocol is so entrenched in how we communicate: it’s simple, works in every browser, and most importantly, everyone has an address. But many of the things that make email great also make it a difficult avenue to secure from an information security perspective.

Many use cases

Email is used for both professional and non-professional communications: a highly classified email to a client may be immediately followed by one to a spouse about dinner. Add to this that these two emails can often be sent from the same work email account for the sake of convenience, and the likelihood of confidential data being leaked due to a slip-up increases exponentially.

Truly platform agnostic

Slack messages can be sent to Slack users, Signal messages to Signal users, and WhatsApp messages to WhatsApp users. Unlike most other messaging platforms, there’s no need for two people to be using the same email client, protocol, or provider for communication to be possible. Of course, this seamlessness comes at a cost: it is much more difficult to develop a complete security solution for a channel with as many front-end standards and configurations as email has.

Well established protocols

Since its inception in the 1970s, the underlying technology behind email has remained the same, which makes it very easy to develop for and implement. It also means the protocol now suffers from being ‘too big to change’ – there are core features missing from the technology that more modern communication platforms now have as standard, including the ability to easily redact or recall, and encryption-by-default. To make any major changes to how the email protocols function would require a near-global consensus.

Accessible from anywhere

Gone are the days when people accessed their email solely from their desk. Employees manage their emails on laptops, smartphones, tablets, watches, even car dashboards. This ease of access has exponentially increased the volume of emails exchanged, and has changed how people treat email: messages are now sent on the go. This, in turn, raises the risk of emails being misaddressed, as people type addresses out in a rush on their phones.

Centrally stored

An inbox often contains a wealth of information spanning an employee’s entire time spent at an organization. While much of this may not be confidential, being able to access huge amounts of information from a single source exponentially increases the likelihood of a “careless forward”.

Recent statistics on data security highlight that individual human error accounts for most data breaches, and show that the current school of thought surrounding information security is incomplete. Email offers numerous benefits – namely speed, ubiquity and simplicity – but it’s also one of the single biggest threats to an organization and its data. In addition to this, the ICO in the UK recently reported that misaddressed emails were the number one type of data security incident reported to them.

While a growing number of enterprise processes are now being automated, email communication is currently still almost entirely reliant on people, which makes it vulnerable to human error. No matter how well established the organization, and how experienced and security conscious its employees, it will still be run entirely by people. And people are fallible.
Human Error is Incredibly Difficult to Understand, Let Alone Predict
04 March 2019
Email remains the main communication channel for enterprises. Despite its incredible efficiencies and economies of scale, email as a communication tool is reliant on human interaction and judgement. This makes human error particularly prevalent on email.

One example of a mistake that can occur over email due to human error is an email being directed to the wrong person. A misdirected email might happen for any number of reasons, just a few of which include stress, alertness, being in a hurry or simply bad luck. For example, staff members at a major Australian bank mistakenly sent emails that contained data from over 10,000 customers to the wrong recipient due to an error that changed the email’s domain name.

Over the past few years the workforce has become more mobile, meaning that more data now exits organizations’ premises and networks. Many employees manage their inbox on the move, replying to an urgent email after work while commuting or messaging international clients in the early hours of the morning. While this flexibility is advantageous for employees and businesses, different diligence levels outside working hours and on mobile devices raise the chance of a misdirected email being sent.

Let’s take a small-scale example. Even for a small organization where each employee sends a moderate number of emails per day, Tessian data shows that the likelihood of a misdirected email leaving the organization in a given month is high. That risk increases dramatically with the size of an organization. No matter how many Secure Email Gateways and firewalls you employ, failing to address this risk could mean your organization’s data being compromised.

Mistakes due to human error are not limited to outbound email. Over the past few years, inbound attacks such as spear phishing have become more frequent and more sophisticated. For example, someone may receive an email from an attacker impersonating a supplier requesting a transfer for an outstanding payment. The degree of urgency included in the email and the fact that the attacker utilizes a legitimate relationship make it more likely that the recipient will fall for the attack.

In order to stay vigilant in this changing environment, security officers and business leaders should focus on two simple questions:

1. What’s the most likely cause of data loss for our organization?
2. What’s the maximum damage that a human error could cause?

This awareness can help security leaders gain a better understanding of the risks they need to manage on an ongoing basis. Ultimately, this awareness could help mitigate the likelihood of data loss, and associated consequences like financial penalties or reputational damage.

Mistakes due to human error are inevitable, but the negative consequences are not. Tessian’s machine-intelligent email filters use machine learning to understand relationships and behaviors on email, identifying in real time when people are about to make a mistake – whether it’s entering the wrong reply-to address or potentially falling for a spear phishing attack. Thoughtful, intelligent notifications located within the email client stop the threat before it can cause damage to your organization. Take action against misdirected emails and spear phishing today.
Announcing our Partnership with Sequoia and a New Era of Cybersecurity
By Tim Sadler
27 February 2019
I’m delighted to officially share with the world today that Tessian’s raised $42m in Series B funding led by Sequoia and partner Matt Miller is joining the board. I got to properly know Sequoia and Matt last year after a destiny-crafting introduction from the legendary CyLon. We’ve been fortunate to have a lot of interest from investors, but I try not to take meetings unless we’re actually fundraising. Sequoia was different. Instead of spending time talking about ARR and our metrics, Matt was interested in our vision, founding story, team and challenges. Sequoia call themselves company-builders, and that’s exactly how it felt from day one. We couldn’t be more excited to welcome Matt to the Tessian board and to work with him to create a new category of enterprise cybersecurity.

When Tom, Ed and I started Tessian in our apartment in 2013, we started with a grand vision but laser focus on trying to execute one thing extremely well—preventing sensitive data loss caused by human error. Over the past three years, we’ve been quietly expanding the capabilities of our machine learning engine to address other gaping holes in enterprise security. Today, we’re also delighted to share our vision with the world for the very first Human Layer Security platform for the enterprise.

Enterprises have spent the past two decades protecting their networks with firewalls, their devices with endpoint security but have completely neglected the most important data processors of all—their people. The new capital raised in our Series B will allow us to leverage the technology we’ve applied to email security and expand this to provide automatic protection for the myriad platforms and applications in use every day by people in global organizations.

Of course, none of this would have been possible without our most important allies. First, I’d like to thank all of our customers for their incredible support and belief in us over the years. Cybersecurity, by definition, is a risk-averse industry. It’s been inspiring to see how many enterprises are willing to adopt new technology to solve their greatest problems. Second, and to whom we owe the greatest thanks—the employees of Tessian. It’s because of your brilliance, creativity and relentless grit that we’ve achieved what we have today.

As I’m sure any founder will attest, fundraising is a necessary part of company building but not the ultimate goal. We now have a huge amount of work ahead as we execute against our plans for 2019—a year that’s shaping up to be our biggest yet.