Human Layer Security
Tessian Human Layer Security Summit: Meet the Speakers
07 February 2020
On March 5, Tessian will host the first Human Layer Security Summit in London. We’ll be welcoming 10 speakers with diverse backgrounds to the stage as we take a deep dive into what exactly people-centric security means. On the day, attendees can expect thought-provoking presentations by leaders from renowned institutions, a panel discussion about Human Layer Security featuring some of Tessian’s customers, and an analysis of emerging social engineering threats from an ethical hacker.
Keynote Speakers
Mark Logsdon, Head of Governance and Assurance, Prudential
Mark – who has held senior security positions at top-tier financial service companies for over a decade – will be highlighting the challenges and opportunities associated with creating and maintaining a positive security culture within an organization. Attendees can expect a multi-faceted presentation that covers how cybersecurity can and should enable business objectives, the value in creating a proactive security environment, and the importance of collaboration across departments for cybersecurity advocacy.
Tanja Podinic, Assistant General Counsel, Dentons
Working at the intersection of tech and legal, Tanja is in a unique position to highlight the implications the digital transformation has had on risk for businesses. She’s particularly interested in how innovations in technology can help mitigate the risks around people. Now, with Dentons having implemented Tessian’s solutions – Tessian Guardian and Tessian Enforcer – she’ll also be joining the panel session to discuss how machine learning has helped her organization prevent misdirected emails and data exfiltration on email. Read more about how Tessian has helped Dentons protect their data here.
Panel Session
Timor Ahmad, Head of Data Governance & Privacy, Lloyd’s of London
Timor – who believes data should be treated as an organization’s core asset – has years of experience managing data protection, privacy, and quality. With a special interest in business enablement, Timor has seen how Human Layer Security can give businesses across industries a competitive edge.
Jamie Travis, Head of Information Security, Herbert Smith Freehills
With a great deal of experience in leading large-scale security improvement projects, Jamie has a strong interest in understanding how risk management and human behavior go hand-in-hand. This requires that he not only create strong security policies, but also that he fosters strong internal and external relationships. He now uses Tessian to mitigate the risk associated with human error, and people-centric security is a key focus for 2020.
Mark Parr, Global Director of Information Technology, HFW
After a 27-year military career delivering command and control networks and communications and information systems, Mark moved into the financial sector to focus on people operations within cybersecurity. Currently heading up Information Technology at a global law firm, he’s using his expertise in Risk Management and Information Assurance alongside Tessian to navigate challenges associated with human error.
Ethical Hacker
Glyn Wintle, CEO & Founder, Tradecraft
Having started his career as a penetration tester, Glyn has incredible, hands-on experience in helping organizations defend themselves against ever-evolving threats. He’ll detail how hackers combine psychology and technical know-how to create highly targeted (and highly effective) phishing attacks and other forms of social engineering.
Join us at Tessian Human Layer Security Summit
Over the next several weeks, we’ll be releasing even more information about Human Layer Security Summit and the speakers who will be attending. Follow us on LinkedIn to be the first to get these updates.
If you haven’t yet saved your seat to join those who are putting people-centric security at the top of their agenda, do so now! Spaces are filling up quickly.
Insights on Human Layer Security from Tim Fitzgerald, CISO of Arm
23 January 2020
In case you missed it, on January 22 Tim Sadler, Tessian’s CEO and co-founder, hosted our first webinar of the year, which explored the biggest threat to an organization’s security: its employees. To understand the risk of human error in the workplace and how Tessian’s Human Layer Security platform is able to mitigate that risk, Tim S. was joined by Tim Fitzgerald, the CISO of Arm, for a live Q&A. Before joining Arm over two years ago, Tim F. served as the CSO of Symantec for over five years. He has a special interest in digital data and human security. Arm is a customer of Tessian’s, and has deployed Tessian Defender, Tessian Guardian, and Tessian Constructor. Consequently, Tim F. is not just attuned to the security risks associated with employees making mistakes; he understands how best to combat those risks. While you can listen to the full webinar and Q&A on-demand here, below are some of the key takeaways from Tim Fitzgerald.
Where does risk really exist?
Tim Fitzgerald: “It is very ‘sexy’ in security to talk about big hacking groups and use that as justification to invest in security. And there’s a lot of legitimacy behind that. But the other side of the narrative – which we spend more time on now than nation-state type threats – is how do we not do it to ourselves? Because now we’re more often dealing with avoidable events caused by predictable human error.”
“I think, in general, not only should we be talking to our senior executives and boards more clearly about where real risk exists – which for most companies is the human layer – but we also need to be doing more to help these people combat the problem rather than just passing blame.”
To err is human, but people are (generally) well-intentioned
TF: “I very much chafe at the idea that we think of our employees as the weakest link. It underserves people’s intent and how they choose to operate. Rather than that, we try to take a look in the mirror and say ‘What are we not providing our employees to help them avoid these types of scenarios?’”
“At Arm, we take the ‘people-are-people’ view. Not that they’re the weakest link; not that they don’t come with good intent; or that they don’t want to be good at their job; or that they take shortcuts just to get that extra moment of productivity. But, actually, everyone wants to do a good job and our job is to arm them with both the knowledge and the tools to be able to keep themselves secure, rather than trying to secure around them.”
The role of a CISO is people-centric
TF: “I view my job in human security as somewhere between a sociology and a marketing experiment. We’re really trying to change people’s behaviors in a moment. Not universally, not their personal viewpoints. But will they make the right decision in this moment to do something that won’t create security risk for us? Evolving that strategy relies not just on how we influence behavior in that moment of time, but actually, can we change their ethos? Can we make responsible security decision-making part of everybody’s job?”
“Security is ultimately my responsibility. But, we very much rely on what we consider our extended security team, which is all of our employees. Our view is that they can undo all the good that we’ve done behind them to try to compensate for the risk that normal human beings create.”
Security solutions should empower employees
TF: “By far the biggest single challenge we have is Arm’s ethos around information sharing. We have a belief – that has proven to be true – that this level of information sharing has allowed Arm to be extraordinarily successful and innovative. There’s no backing up from that, and that represents a huge amount of challenge; that level of information sharing is quite difficult to manage.”
“Rather than saying people are an intractable problem and therefore we can’t conquer this, if we start thinking about how we can mobilize them as a part of our overall cybersecurity defense mechanism, it causes you to rethink whether or not you’re serving your populous correctly.”
Machine learning enables Human Layer Security
TF: “What I liked about Tessian is that it gave us an opportunity to use the ML in the background to try and develop context about whether or not something that someone was doing was either atypical or perhaps just part of a bad process. Either way, we can get a sense of whether or not what they’re doing is causing us risk. It doesn’t require us to be completely prescriptive about what we’re looking for, but it allows us to learn with the technology – and with the people – what normal patterns of behavior look like and, therefore, intervene when it matters and not have to react every time an alarm goes off.”
“You have all this amazing context of what people are doing on email, which is where people spend most of their time and where most of the risk comes for most organizations. How can we turn this into more than just making sure someone doesn’t fat finger an email address or send sensitive files where they’re not supposed to go? Can we take the context that we’re gaining through how people are using email and create more of those moments in time to connect with them?”
Tessian fits into a larger security framework
TF: “We have a whole bunch of other mechanisms to protect against traditional insider threats – the people who are really acting against our best interest – but that instance is infrequent and high impact. The person who makes the mistake is high frequency, medium-to-high impact. We were getting hammered on that sort of stuff, which is why we came to Tessian.”
“When used correctly and in a finite environment or a finite data set, DLP solutions are very effective at keeping that data where it’s supposed to be and understanding movement in that ecosystem. When you try to deploy that broadly though… you start to run into the inability of the DLP system to understand where that data is supposed to be. Is this person supposed to have it based on their role and their function? It’s not a smart technology like that. You end up trying to write these very complex rules that are hard to manage.”
The future of Human Layer Security
TF: “Can we start to mesh together what we know about the technology and the machines with real human behavior? It’ll not only help us find those bad guys in our environments who we know are there, but also to get out in front of people’s behavior rather than reacting to it after it happens. That’s the holy grail of what this could become. To get – if not predictive – at least start leading us toward where we think risk exists and allowing us an opportunity to intervene before things happen.”
Want to learn more about how Tessian helps Arm catch and stop accidental data loss with Tessian Guardian and prevent spear phishing attacks with Tessian Defender? Read the case study here.
A Year in Review: 2019 Product Updates
By Harry Wetherald
01 January 2020
2019 was a big year for email security. While the world did see a record number of data breaches (up 33% from 2018), we also saw tighter security-related policies and regulations drafted and implemented, and, in general, an increased awareness amongst businesses about the importance of proactive security strategies. While we may be biased, it seems noteworthy that human error became more and more of a talking point in the cybersecurity space. In fact, human error and the importance of machine learning and artificial intelligence in protecting people has been one of the most talked-about trends by analysts going into the new year. Similarly, companies are waking up to the fact that humans are their biggest risk. It’s about time. After all, misdirected emails – emails accidentally sent to the wrong person – have been one of the top data security incidents reported under GDPR according to the Information Commissioner’s Office. We believe it’s unreasonable to expect employees to do the right thing 100% of the time when it comes to making security-related decisions; people break the rules, people make mistakes, and people can be hacked. To err is human! What’s more, we have seen how quickly the threat landscape continues to evolve, which is why throughout 2019 we rolled out a series of important product updates that have kept our user base – which saw triple-digit growth over the last 12 months – safe. Here are the most important product updates to Tessian’s Human Layer Security platform for 2019.
1. Human error, quantified. The new Tessian Dashboard gives customers an at-a-glance view of breaches and near-misses on email
Keen to discover trends related to the number of breaches that were prevented by Tessian over the last 30 days? Our easy-to-navigate dashboard gives administrators a complete overview of activity, including any malicious and anomalous emails detected, misdirected emails prevented, and unauthorized email attempts thwarted. Module performance for Tessian Defender, Guardian, Enforcer, and Constructor is visible on one page, and visual representations of data make it easy to monitor and drill down on activity day-by-day. If suspicious activity is spotted, you can quickly and easily generate a report without navigating off the page. The Tessian Dashboard also allows administrators to view user health at a glance, including the percentage of users active on the Add-in and Gateway and any connection issues across the network. This will help in-house security teams ensure every employee within their organization is protected by Tessian’s modules at all times.
2. Evolving algorithms. Tessian Defender can now detect and prevent more spear phishing attempts than ever
Throughout 2019, Tessian Defender was improved through a series of subtle but impactful tweaks to our algorithms to be even more adept at detecting spear phishing attempts, including advanced, difficult-to-detect direct spoof attacks. The fact is, bad actors are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks. It’s imperative that we stay ahead of the curve, hence the regular updates. Tessian Defender has improved over time – and will continue to improve – enabling the detection and prevention of even the most advanced spear phishing attempts.
3. Thwarted first attempts. It’s now even more difficult for employees to exfiltrate sensitive data
Tessian Enforcer can now detect the first attempt an employee makes to exfiltrate data over email. How? By inferring what is and isn’t likely to be authorized communication based on the vast amount of data Tessian’s ML algorithm was trained on, which doesn’t necessarily rely on prior email history of a particular email address. For example, if an employee attempts to send an email to their personal, freemail account and that email address contains the employee’s first name or surname, Tessian Enforcer presents a warning to the user advising them that the behavior is potentially unsafe and prompting them to reconsider the action. Data exfiltration remains an incredibly unwieldy problem for businesses. Tessian gives businesses much-needed oversight of the problem over email.
4. In-situ learning opportunities. Employees have an opportunity to understand why an email is unsafe with contextual warnings
While Tessian prides itself on low flag rates so that security doesn’t impede productivity, we wanted to maximize the opportunity to educate users through our warnings. This way, when users do see a notification, they understand why. Improved warnings across all four modules were designed for a more user-friendly experience that seamlessly reinforces any previous or ongoing security training. With more context included, employees can now see exactly why an email is being flagged as suspicious and – importantly – they can make their own decision on how to proceed. This is at the core of Tessian’s mission. Employees should be empowered by security solutions instead of burdened by them.
5. New detection capabilities. Customers can create rules that are specific to their environment
Every business or enterprise is different, and IT and Infosec security leaders need some flexibility in creating filter conditions that are applicable specifically to their operations. Because we’ve introduced new detection capabilities, users can now combine more conditions to create filters for their individual use cases; for example, scanning attachment content, identifying hidden fields in spreadsheets, and reading Azure Information Protection and other DLP labels. At the most basic level, these rules look something like this: If A and B, then C, except when D or E. These variables can apply to a number of elements contained in an email, from the recipient(s) to language patterns. One way an administrator might use these new detection capabilities would be to configure a filter which only allows the finance team, for example, to share spreadsheets with people outside of their organization if the recipient’s email address is recognized as a customer, except when the attachment contains a hidden row titled “social security numbers”.
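As an added illustration, not Tessian’s code or configuration, the Python below encodes the two behaviors described in items 3 and 5: the name-matching freemail heuristic that needs no prior history with the recipient, and the finance-team spreadsheet rule in the “if A and B, then C, except when D or E” shape. The organization domain, customer domains, freemail list, team names and sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed assumptions for this illustration (not Tessian's configuration).
ORG_DOMAIN = "example.com"
CUSTOMER_DOMAINS = {"customer.example"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SENSITIVE_HIDDEN_ROW = "social security numbers"


@dataclass
class OutboundEmail:
    sender: str
    sender_team: str
    recipients: List[str]
    attachment_kind: Optional[str] = None        # e.g. "spreadsheet", "pdf", None
    hidden_rows: List[str] = field(default_factory=list)  # titles of hidden rows found


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def name_tokens(address: str) -> set:
    """Name-like parts of a corporate local part: 'jane.doe' -> {'jane', 'doe'}."""
    local = address.split("@", 1)[0].lower()
    return {t for t in re.split(r"[._\-+]+", local) if len(t) >= 3 and t.isalpha()}


def looks_like_personal_account(sender: str, recipient: str) -> bool:
    """Item 3 heuristic: a freemail recipient whose local part contains the
    sender's first name or surname is probably the sender's own account, so a
    warning can be raised on the very first send, with no history needed.
    Short names (e.g. 'lee') will produce false positives; that is accepted
    here because the outcome is a warning the user can override, not a block."""
    if domain_of(recipient) not in FREEMAIL_DOMAINS:
        return False
    local = recipient.split("@", 1)[0].lower()
    return any(token in local for token in name_tokens(sender))


def evaluate(email: OutboundEmail) -> Dict[str, object]:
    """Return {'action': 'allow'|'warn'|'block', 'reasons': [...]}.

    Item 5 rule, in the page's shape:
      A: a spreadsheet is attached        B: at least one recipient is external
      C: allowed only when the sender is in finance AND every external
         recipient's domain is a recognised customer
      D: an external recipient is not a recognised customer  -> block
      E: the sheet has a hidden row titled "social security numbers" -> block
    Independently, a name-matching freemail recipient produces a warning."""
    warnings, blockers = [], []

    for r in email.recipients:
        if looks_like_personal_account(email.sender, r):
            warnings.append(f"{r}: freemail address shares a name with the sender")

    external = [r for r in email.recipients if domain_of(r) != ORG_DOMAIN]
    if email.attachment_kind == "spreadsheet" and external:
        if email.sender_team != "finance":
            blockers.append("only the finance team may send spreadsheets externally")
        unknown = [r for r in external if domain_of(r) not in CUSTOMER_DOMAINS]
        if unknown:
            blockers.append("external recipient is not a recognised customer: "
                            + ", ".join(unknown))
        if any(h.strip().lower() == SENSITIVE_HIDDEN_ROW for h in email.hidden_rows):
            blockers.append(f'attachment contains a hidden row titled "{SENSITIVE_HIDDEN_ROW}"')

    action = "block" if blockers else ("warn" if warnings else "allow")
    return {"action": action, "reasons": blockers + warnings}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        OutboundEmail("jane.doe@example.com", "finance", ["ap@customer.example"], "spreadsheet"),
        OutboundEmail("jane.doe@example.com", "finance", ["ap@customer.example"], "spreadsheet",
                      hidden_rows=["Social Security Numbers"]),
        OutboundEmail("jane.doe@example.com", "finance", ["janedoe88@gmail.com"], "spreadsheet"),
    ]
    for s in samples:
        print(s.recipients, evaluate(s))
```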
Protect your most valuable asset: your people
Tessian is committed to creating the world’s first Human Layer Security platform and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace. Not yet a Tessian customer? Across four modules, Tessian protects the human layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G-Suite, product updates are seamlessly rolled out for users and administrators, and the technology – which doesn’t disrupt workflow – was built with productivity in mind. To understand how Tessian can fit into your existing security framework, request a demo now.
It’s the Most Fraudulent Time of the Year
30 November 2019
With Black Friday just around the corner, the holiday shopping season is upon us and retailers will face their busiest time of the year. In the last six weeks of 2018, for example, UK retailers and US retailers saw sales of £79.7bn and $719.2bn, respectively, as shoppers rushed to scoop up the best deals. No wonder this window is often referred to as the “Golden Quarter”. But retailers and their customers may get more than they bargained for, as this surge of shoppers makes the “Golden Quarter” a golden time for cybercriminals to launch phishing campaigns. We often think about consumers as the main victims of retail-related phishing attacks in the holiday shopping season. And quite rightly; shoppers receive hundreds of emails from retailers promoting their latest deals around peak shopping days like Black Friday and Cyber Monday. It’s a ripe opportunity for cybercriminals, who are looking to steal personal data and payment details, to “hide” in the noise, pose as legitimate brands and prey on individuals who are not necessarily security savvy. However, it’s also important to remember that retailers themselves are at greater risk of phishing attacks during this time. In fact, our latest report reveals that nearly two-thirds of UK and US retailers (64%) receive more phishing attacks in the three months leading up to Christmas, compared to the rest of the year. Black Friday, in particular, is a prime time for seasonal scammers: UK retailers (56%) and US retailers (57%) saw an increase in the number of phishing attacks during the Black Friday / Cyber Monday weekend last year. Given that phishing attacks have only grown in frequency and severity since then, there is no doubt that phishing will continue to be a persistent threat for retailers this year too. It’s also concerning to see that 70% of IT decision makers at UK retailers and 65% at US retailers believe their staff are more likely to click on phishing emails during the holiday shopping season.
The reason? Employees are at their busiest and working at a much faster pace, meaning they are less likely to check the legitimacy of the emails they are receiving. Hackers will take full advantage of the fact that security won’t be front of mind for busy and stressed retail workers, and will craft sophisticated spear phishing campaigns to encourage individuals to click on malicious links, download harmful attachments or wire huge sums of money. On top of this, staff will also receive more emails at this time. Consider how many colleagues, temporary workers, customers and third-party suppliers retail workers engage with during the holiday shopping season. Knowing inboxes will be filling up with timely requests and orders, hackers can easily deceive employees and get them to comply with their requests via spear phishing emails that convincingly impersonate colleagues, senior executives or trusted suppliers. With the average phishing attack now costing a company $1.6 million, there are significant financial consequences for a retail worker being duped by a phishing attack. It’s understandable, then, that the IT decision makers we surveyed said that “data breaches caused by human error” are the number one threat to their business in the final quarter of the year. Phishing came in a close second, with one in five IT decision makers at retailers believing phishing is the greatest threat to their organization during the holiday shopping season. Given the people-heavy nature of the industry, retailers are, sadly, an easy target for cybercriminals. Our report clearly shows that retailers need to do everything they can to build robust defenses and minimize incidents of human error that could lead hackers to steal data and compromise systems this holiday season.
Types of Email Attacks Every Business Should Prepare For
14 November 2019
Corporate email continues to rule in the world of business. Today, the average office worker receives 120 emails every day. While many of these emails pertain to business as usual, not every email is quite what it seems. Now more than ever, organizations are on the receiving end of advanced email attacks that aim to steal money, pilfer data or compromise systems.
What is an email attack?
What is the purpose of an email attack?
Email attacks can take many forms but are typically deployed by cybercriminals in order to steal money or data. In order to keep organizations secure, it is important that employees are able to recognize the most common types of email attacks and understand the potential impact that they could have.
Most common types of email attacks
Cybercriminals can leverage email in multiple ways to attack people and systems. There are a variety of tactics that range from being very broad to very targeted:
Spam. Spam is high-volume commercial messaging sent over email. Despite several tools to filter out unwanted email, spam remains a significant challenge for organizations large and small. 56 percent of all email traffic is made up of spam; so while spam is not always the vector of attack, its sheer volume helps obfuscate real attacks, such as spear phishing.
Phishing. Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity. Phishing attacks are sent in high volume, and the legitimate look of the email can trick users into accidentally opening an attachment or clicking on a malicious link. However, phishing emails are not personalized and tend to start with generic greetings like “hello” or “dear sir.” What makes phishing attacks successful is that even though only a small percentage of targets fall for the attack, the sheer number of people receiving the email means that the attacker is likely to have some success.
Spear phishing. Spear phishing is an advanced phishing attack that is targeted at one or a few individuals. This type of attack targets a specific individual and tries to impersonate a person or an entity that they trust. Before the attack is launched, the attacker spends time researching their target to gain information such as their name, or suppliers that the target uses in order to make the email appear legitimate. Because spear phishing emails are more sophisticated in their construction and convincing in execution, they are harder to catch.
Business Email Compromise (BEC). BEC is when a relationship is hijacked through email – an attacker tries to trick someone into thinking they are a trusted contact in order to steal money or information. BEC can be accomplished through spear phishing or account takeover. Read more about BEC here. According to the FBI, BEC attacks cost organizations $26bn between 2018 and 2019. In fact, BEC attacks have now overtaken both ransomware and data breaches as the main reason that companies file a cyber-insurance claim, according to insurance giant AIG.
Consequences of email attacks
There are a variety of outcomes that can occur from the above email attacks. Here they are:
Malware. Malware is software written with malicious intent. Some of the different types of malware include ransomware and spyware, which have the goal of gaining control of infrastructure, farming credentials or gaining access to passwords. Ransomware is a type of malware that essentially holds a target hostage; attackers will demand a fee in exchange for decrypting the target’s systems. Like other malware, ransomware is a payload that is often deployed by phishing or spear phishing emails. Ransomware can have a significant impact, as seen with the WannaCry attack, which was estimated to have affected more than 200,000 computers across 150 separate countries. The financial outcome of ransomware has made it attractive for attackers, with over $1 billion being racked up by criminals annually. Businesses and governments continue to get inundated with ransomware attempts, and reports even suggest that more than 600 US government entities have been hit with ransomware so far this year.
Credential theft. Credential theft occurs when an attacker is able to steal the credentials of the target by executing a successful phishing or spear phishing attack. Often, the email will include a link which will take the target to a fake login page where the target’s credentials are ultimately harvested.
Wire-transfer fraud. Wire-transfer fraud is when a target wires money to an attacker’s account. Wire-transfer fraud can be accomplished by the attacker including bank details in a phishing or spear phishing email and requesting the target to pay a specific amount. Another way that this can be achieved is if the attacker tricks someone into changing the details of the bank account to which a recurring payment is paid.
Why are email attacks so successful?
Phishing and BEC attacks are difficult to detect because cybercriminals are utilizing social engineering techniques in order to build trust. The attacker manipulates the target by posing as a trusted individual or organization and will oftentimes engage in a conversation over several emails, before requesting the target to divulge credentials, confidential data, or to wire money to an account they own. Social engineering is what contributes to the success of these attacks because attackers use convincing language to get people to act instinctively, not rationally. For example, cybercriminals were able to access payroll information of 700 current and former employees at social media behemoth Snapchat by posing as CEO Evan Spiegel in an email and tricking a junior employee into sending them the confidential data. Email impersonation can take on a variety of forms, such as display name impersonation, where the attacker sets a deceptive display name on their email account, or spoofing, where an attacker forges an email to make it appear as if it’s been sent from another email address. Email authentication protocols such as DMARC, DKIM and SPF have been introduced over the years as an attempt to stop spoofing. The problem with these three protocols, though, is that many organizations have yet to adopt them and weaknesses can be exploited. For example, 80% of Fortune 500 companies do not have DMARC policies set up. Moreover, these protocols only protect an organization’s own domain from being spoofed; they do not stop its employees from receiving spoofed emails that impersonate other domains. Finally, it’s easy for attackers to figure out which counterparties don’t have email authentication set up, as DMARC records are publicly available.
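Two defender-side checks that follow from the points above, added here as an example rather than Tessian’s code: reading a counterparty domain’s published DMARC record to see whether a forged From: address for that domain would actually be quarantined or rejected (p=none is monitor-only), and flagging a message whose display name matches a known executive while the address does not. The organization domain, executive list, DMARC records and sample headers are constructed assumptions; in practice the record would be fetched from DNS rather than passed in.

```python
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed assumptions for this illustration (not Tessian's code or data).
ORG_DOMAIN = "example.com"
# Display names an impersonator would borrow, mapped to the one address each
# should legitimately arrive from (hypothetical executives).
KNOWN_SENDERS: Dict[str, str] = {
    "pat lee": "pat.lee@example.com",
    "sam rivera": "sam.rivera@example.com",
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=mailto:...') into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(txt: str) -> str:
    """Classify what receivers are asked to do with mail that fails DMARC.

    Only p=quarantine or p=reject hold or refuse spoofed mail; p=none (or no
    record at all) only requests reports, so a spoof of that domain still
    reaches the inbox.  pct<100 applies the policy to a sample of messages."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "no valid DMARC record"
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor-only"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return "enforced" if pct >= 100 else "partially enforced"


def display_name_impersonation(from_header: str) -> Optional[str]:
    """Flag a From: header whose display name belongs to a known sender but
    whose address does not (the 'display name impersonation' form above)."""
    name, addr = parseaddr(from_header)
    normalised = " ".join(name.lower().split())      # collapse case and spacing
    expected = KNOWN_SENDERS.get(normalised)
    if expected and addr.lower() != expected:
        return (f"display name '{name}' is normally sent from {expected} "
                f"but this message came from {addr}")
    return None


def assess_inbound(from_header: str, dmarc_records: Dict[str, str]) -> List[str]:
    """Findings for one inbound message: display-name impersonation, plus
    whether the claimed sender domain's DMARC policy would have stopped a
    forged From: address.  dmarc_records maps domain -> published TXT record
    (a stand-in for a DNS lookup in this offline example)."""
    findings: List[str] = []
    note = display_name_impersonation(from_header)
    if note:
        findings.append(note)
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    status = dmarc_enforcement(dmarc_records.get(domain, ""))
    if status != "enforced":
        findings.append(f"{domain}: DMARC {status}, so a forged From: address "
                        "would not be rejected on that basis")
    return findings


if __name__ == "__main__":
    # Constructed records and headers.
    records = {
        "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "freemail.example": "v=DMARC1; p=none",
    }
    for hdr in ['"Pat Lee" <pat.lee@example.com>',
                '"Pat  Lee" <pat.lee.ceo@freemail.example>',
                'Sam Rivera <sam.rivera@unlisted.example>']:
        print(hdr, "->", assess_inbound(hdr, records))
```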
Email attacks continue to cause sleepless nights for IT administrators everywhere. Although many organizations have implemented employee training programs into their security strategy, these programs often are not designed to account for human error. Human error is the main cause for the majority of data breaches, and it can easily occur because employees can become distracted or tired which leads to mistakes being made over email. The assumption that employees can become an effective line of defense after undertaking just a few hours of security training is unrealistic. Security teams need to implement the right technology to support employees without getting in the way of their day-to-day business.
How can machine learning help stop sophisticated email attacks?
Defending against targeted email-borne threats requires superior email security. Legacy tools have not been able to keep pace with evolving email attacks. Rule-based systems may be able to block simple impersonations, but struggle to detect more complex ones. Complex impersonation attacks cause more damage for organizations. It is time for organizations to adopt a more intelligent approach to inbound threats – one that understands historical email relationships and communication patterns, and can therefore automatically detect anomalies and threats. Tessian’s stateful machine learning engine learns the difference between normal and abnormal email communications. In real time, Tessian automatically prevents the most advanced forms of spear phishing, accidental data loss and data exfiltration. This ensures that organizations can stay ahead of attackers and protect the data that they hold most dear. To learn more about how Tessian is helping organizations like Arm keep data safe, talk to one of our experts today.
The Dark Side of Sending Work Emails “Home”
By Cai Thomas
11 October 2019
This article was originally published on TechRadar Pro.
In the last four years, the number of remote working jobs has more than doubled, as employers acknowledge the need to change traditional working practices. In fact, it’s expected that 50% of the UK workforce will work remotely by 2020, further blurring the lines between home and the office. This shift has huge benefits: improving people’s work-life balance, increasing employee productivity and boosting employee retention rates. However, it does also pose a problem for one very important aspect of business: data security. Data security is at greater risk as staff are more likely to send important and, even, confidential company information to personal email accounts, with the usual intention of working on documents at home. Worryingly, many are completely unaware how risky these actions are. According to tech firm Probrand, nearly two-thirds of UK employees have forwarded customer emails to their personal email accounts and 84% of them did not feel they were doing anything wrong. So what are the risks with sending work home? And who are the workers you need to be wary of?
1. The 24/7 worker
While a number of the emails sent ‘home’ contain non-sensitive information, like travel arrangements, cinema tickets or food recipes, we’ve seen that around 10-15% of emails sent to personal accounts contain company-sensitive information. We’ve all been there; it’s late on a Friday, that Monday deadline is looming, and the employee thinks to themselves, “I’ll just have to finish this document at home over the weekend”. So they send the document to their, or their partner’s, personal freemail account. However, this can have devastating consequences for the company’s reputation and it could destroy customers’ trust in the business. The problem is that by sending emails ‘home’, the information the messages contain now sits in an environment that is not secured by the company, leaving the data vulnerable to cybercriminals.
It’s also important to note that this simple act of sending work home means your company is now at risk of breaching data protection regulations, like GDPR, due to the fact that you, as the Data Controller, no longer have oversight as to where the data is held. Boeing, for example, faced scrutiny after an employee shared a spreadsheet containing the personal information of 36,000 co-workers with his spouse, simply because she was better at Excel formatting than him. The incident sparked an internal security investigation and was brought to the attention of the Washington state Attorney General and other officials in California because employee data had left the control of the company. 2. The leaver We often see a spike in data exfiltration during an employee’s notice period. Workers know they’re not supposed to, but the temptation to take information that will give them an advantage in their new role is hard to ignore. As such, we see people sending company IP and client data to personal accounts prior to moving to another employer. This happens most frequently in industries such as financial services, legal, healthcare and recruitment, where a person’s client base and network is king. The task of manually monitoring suspicious ‘leaver’ behaviour over email has become incredibly challenging for IT staff, due to the increased employee churn rate year on year. A study by LinkedIn found that young workers now switch jobs four times in their first 10 years after graduation. However, by not putting a stop to this act, companies could face losing their competitive advantage as well as their clients’ business due to leaked secrets, strategy and IP. 3. The malicious insider This is where employees steal data from their company for personal or financial gain. Despite being less common, the threat of the ‘malicious insider’ is something businesses have come up against more frequently in the past few years. 
Employees will typically steal confidential company secrets and/or client data with the intention of selling it on the dark web or handing it over to a competitor to damage their current company. Just last year, Bupa fell victim to this crime after the personal data of 500,000 customers was sold on the dark web while audit firm SRBC and Co.’s reputation was tarnished after its client’s earnings estimation was maliciously leaked over email. An intelligent solution for a flexible workforce There can be no denying that monitoring all employee email behavior is an arduous task for IT and compliance teams to undertake. With the average employee sending and receiving 124 emails a day, and with daily email traffic increasing 5% year on year, deciphering data exfiltration within email logs is like finding a needle in a haystack. To help tackle the problem of data being leaked to unauthorized accounts, some organizations opt to simply blacklist all freemail domains. However, this can impede productivity and is usually ineffective given that many clients, small businesses and contractors use freemail accounts, as do prospective applicants looking for jobs at the company. Businesses need a more intelligent approach to data exfiltration – one that can look at the emails each employee has sent and received in the past, in order to identify non-business contacts with whom each employee interacts with. Machine learning, for example, can evolve to understand the differences between authorized and unauthorized freemail accounts, and it can analyze email content to determine whether it is sensitive or non-sensitive. By doing so, machine learning can make an accurate prediction as to whether an employee is exfiltrating data and acting against company policies. There will always be reasons for people to bend the rules and leak data outside of their organization – maliciously or for convenience. 
The consequences for doing so, though, could be devastating for any company; huge fines, loss of competitive advantage and a damaged reputation. So as more businesses adopt remote working practices, it’s important that technologies are place to ensure company sensitive data is secure and not at risk of ‘being sent home’.
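The baseline-driven approach the article sketches, as an added example that is not Tessian’s code: it learns each sender’s established freemail contacts from historical mail logs (so a client on Gmail is not blocked the way a blanket freemail blacklist would), flags new freemail recipients, escalates when the content looks sensitive, and also checks for the per-sender spike in freemail sends described under “The leaver”. The log lines, domain list and keyword list are all constructed for the example.

```python
# Added example, not Tessian's code: baseline-and-deviation detection for
# outbound email to freemail accounts, run over constructed log lines.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
import re

# Constructed lists; a production system would use far richer signals.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.co.uk"}
SENSITIVE_RE = re.compile(
    r"\b(client list|customer|salary|confidential|forecast|contract|strategy)\b",
    re.IGNORECASE,
)
SENSITIVE_EXT = (".xlsx", ".csv", ".docx", ".pdf")

# Constructed log lines: date,sender,recipient,subject,attachment
HISTORY = """\
2019-08-05,alice@corp.example,bob.jones@gmail.com,Re: site visit,
2019-08-12,alice@corp.example,bob.jones@gmail.com,Invoice query,
2019-08-19,alice@corp.example,bob.jones@gmail.com,Next steps,
2019-08-20,alice@corp.example,dan@partner.example,Contract draft,contract_v3.docx
2019-08-21,carol@corp.example,erin@vendor.example,PO 4471,
""".splitlines()

NEW_EVENTS = """\
2019-09-27,alice@corp.example,bob.jones@gmail.com,Meeting confirmed,
2019-09-27,alice@corp.example,alice.s.1987@gmail.com,weekend work,client_list.xlsx
2019-09-27,alice@corp.example,partner@hotmail.com,Dinner Friday?,
2019-09-27,carol@corp.example,carol.h@yahoo.co.uk,Q3 forecast,forecast.xlsx
""".splitlines()


@dataclass
class Event:
    date: str
    sender: str
    recipient: str
    subject: str
    attachment: str


def parse(line: str) -> Event:
    """Split one constructed log line into its five fields."""
    return Event(*line.split(",", 4))


def is_freemail(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() in FREEMAIL_DOMAINS


def looks_sensitive(ev: Event) -> bool:
    """Crude content check: sensitive keyword in the subject, or a document attached."""
    return bool(SENSITIVE_RE.search(ev.subject)) or ev.attachment.lower().endswith(SENSITIVE_EXT)


def build_baseline(history, min_messages: int = 2) -> dict:
    """Map each sender to the freemail recipients they have an established
    relationship with, i.e. seen at least min_messages times in the history."""
    counts = defaultdict(Counter)
    for ev in map(parse, history):
        if is_freemail(ev.recipient):
            counts[ev.sender][ev.recipient.lower()] += 1
    return {s: {r for r, n in c.items() if n >= min_messages} for s, c in counts.items()}


def classify(ev: Event, baseline: dict) -> str:
    """'allow' for non-freemail or established freemail contacts, 'review' for
    a new freemail recipient, 'alert' when the content also looks sensitive."""
    if not is_freemail(ev.recipient):
        return "allow"
    if ev.recipient.lower() in baseline.get(ev.sender, set()):
        return "allow"
    return "alert" if looks_sensitive(ev) else "review"


def review(history, new_events) -> list:
    """Classify every new outbound event against the learned baseline."""
    baseline = build_baseline(history)
    return [(ev.sender, ev.recipient, classify(ev, baseline)) for ev in map(parse, new_events)]


def freemail_spikes(history, new_events, factor: float = 3.0, floor: int = 2) -> list:
    """Senders whose freemail sends per day in the new window reach at least
    `floor` and at least `factor` times their historical daily rate."""
    hist = [parse(line) for line in history]
    new = [parse(line) for line in new_events]
    days = [date.fromisoformat(ev.date) for ev in hist]
    span = (max(days) - min(days)).days + 1
    hist_counts = Counter(ev.sender for ev in hist if is_freemail(ev.recipient))
    new_counts = Counter(ev.sender for ev in new if is_freemail(ev.recipient))
    new_days = len({ev.date for ev in new})
    return sorted(
        s for s, n in new_counts.items()
        if n / new_days >= max(floor, factor * hist_counts[s] / span)
    )


if __name__ == "__main__":
    for sender, recipient, verdict in review(HISTORY, NEW_EVENTS):
        print(f"{verdict:6} {sender} -> {recipient}")
    print("spike:", freemail_spikes(HISTORY, NEW_EVENTS))
```

Note that alice’s long-standing Gmail client passes while her never-seen personal address carrying a spreadsheet is raised as an alert, which is the distinction a domain blacklist cannot make.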
Human Layer Security
Email Security Tips for an Enterprise
16 September 2019
In today’s changing business environment, 70% of organizations believe their security risk has increased significantly. The idea that data breaches are a question of “when” rather than “if” has become mainstream. That being said, there are a number of ways for enterprises to mitigate the security risks they could be exposed to.

1. Educate your employees

The main cause of security failure within an organization is often its employees, as they are responsible for handling and sending sensitive data. Educating employees about the risks they could be exposed to through training programs is a common strategy that organizations adopt to try to mitigate some of these risks. While training programs can be beneficial, one issue with them is the dangerous assumption that, once training is completed, all employees retain the information equally well. This is an unrealistic expectation, as even the most advanced training programs have gaps that do not account for human error.

Having technology that can prevent security issues before they happen, while educating your employees in real time, is potentially a more nuanced and intelligent solution for your enterprise. With Tessian’s Guardian and Defender filters, users are shown a pop-up if an inbound email looks suspicious. The pop-up explains why the email could represent a threat, leaving the employee to make the final decision on which action to take, with the benefit of having all the salient information to hand. Employees are educated about the threats they face, while the industry-leading technology prevents threatening emails from causing damage to your organization.

2. Be proactive

Of course, data loss over email becomes much more difficult to handle once it has already happened. Having a plan in place for what to do in the event that an employee does leak data over email is important, and having a strategy for preventing the leak from occurring in the first place is even better. Invest in technologies and platforms that will enable your organization to better understand how your employees communicate with each other and with people outside the organization.

3. Get the basics right

Getting the basics right is a critical step, as it will allow you to build an information security infrastructure on a solid foundation. Best security practices include using encryption, being careful when using a corporate email account from a public or shared computer, and not opening emails from unknown sources. That being said, don’t let these steps lull you into a false sense of security. Research suggests that 30% of cybersecurity incidents are caused by current employees.

Confidence comes hand in hand with the capability of your security stack. If you’re still using legacy security software, the extent to which your organization can guard itself against internal and external attacks is already inherently limited. With this in mind, it is no surprise that confident IT security professionals are more than twice as likely to regard C-suite involvement in email security strategy as “very appropriate”, and 1.4x more likely to actually obtain that engagement. So why wait until something goes wrong to implement much-needed change?

Arm’s CISO, Tim Fitzgerald, wanted to perfect the firm’s email security basics and find a platform that would complement the security culture he wanted to create. Tessian helps thousands of Arm employees get the basics right on email while ensuring that their systems remain secure. (Read the case study.)

4. Don’t forget about mobile devices

Email communication has become more mobile. Using email on the go and on various devices (laptops, tablets, smartphones) greatly increases the potential for mistakes. A data breach caused by a misdirected email could very easily occur on your daily commute by accidentally picking the wrong recipient from a “helpful” autocomplete list. Many email DLP platforms can only ensure protection on desktop computers, or only for Microsoft email environments. It’s important that you find a way to secure your email network regardless of how employees might be accessing it.

It’s more difficult than ever for security leaders to feel like they’re on top of everything. Fortunately, Tessian’s solutions help organizations get the basics right, while stopping even the most sophisticated outbound and inbound email threats. To learn more about Tessian, contact us here.
Human Layer Security
Q&A: Tim Sadler, Tessian CEO
04 July 2019
Tim Sadler, Tessian CEO and co-founder, summarizes his journey from founding Tessian to raising $60m from leading investors.

Why did you decide to found Tessian, and why was email security the problem you focused on?

Tessian was founded in 2013 by myself, Ed Bishop and Tom Adams. We all studied engineering together at university before moving into banking. Working at these multinational organizations, we saw how much sensitive data was put at risk by people sending emails. Modern organizations process vast amounts of information, and they have a lot of controls to keep that data safe. But even with NDAs, project code names, and policies advocating security best practices, enterprises still face risks from many, many misdirected emails. Today, organizations have to allocate budget to keeping their data safe, and they understand the importance of reputation management. So we asked ourselves, ‘Why is this a problem?’ We realized that there had to be a technological solution that could help improve email security within complex organizations. When we started the company we didn’t really have security backgrounds, but we did have the first-hand knowledge of how big a problem this was. When we got in front of our first customers – predominantly law firms and banks – and started talking about the threat of human error in email communication, that was when we knew Tessian had value to offer.

So why is human error such a huge threat?

Email is something we all do. We send 40 emails a day, and generally speaking it feels incredibly safe. It’s a little bit like our own personal safety: we don’t think twice about getting into a car or driving a car, but statistically speaking it’s actually one of the most dangerous things that you can do in your life. We’re scared by the headline-grabbing stuff, like plane crashes or shark attacks, but it’s actually the unremarkable things we do every day without thinking that are most likely to cause harm. That’s exactly the problem with email, and in particular with misdirected emails. That’s why the first piece of software we built was targeted at helping enterprises automatically deal with the risk of misdirected email communications.

How important is it that security products don’t disrupt people’s work?

It became clear to us when we were building Tessian that employees wanted a completely automated process. Security leaders understand the risk of misdirected emails and know that a technological solution is needed. However, they want to deploy technology that doesn’t require laborious maintenance or pre-configuration. It has to work ‘as if by magic’. Preserving the user experience is essential. It was imperative that the technology wouldn’t get in the way of people doing their jobs: no-one wants a pop-up asking them to confirm the validity of every single email they send. Organizations wanted something that just completely blended in with regular workflows. These were some of the key learnings we got from those early meetings. We’ve worked hard to create something that doesn’t need an enormous IT team to implement. Tessian’s products are completely automated, and the deployment is seamless: it simply integrates with existing infrastructure.

So what are the different problems Tessian solves today?

Cybersecurity previously focused on computer networks before moving on to endpoints, or device-level security. In the world we’re in today, we believe that the next step is to protect people. This progress is reflected in our development of different email filters. We don’t solely focus on preventing misdirected emails with our Guardian filter any more. We also focus on other areas of security. Tessian Enforcer prevents unauthorized emails, which is where people send highly sensitive information to (for example) personal Gmail or Hotmail accounts. Our most recent launch is Tessian Defender, which focuses on preventing inbound spear phishing emails. This is a defense against malicious outsiders trying to trick humans within your enterprise, whether it’s encouraging them to click on a suspect link or to make an erroneous payment. This is why we need a security platform covering the whole human layer. Tessian’s mission (and it’s an ambitious one) is to protect firms against any security threat executed by a human. To get closer to fulfilling that mission, we’re investing in R&D and software engineering. We continue to work on new solutions that address all organizations’ human layer risks. We are constantly working on innovative ways to deal with security risks that don’t require hiring an additional 10 people to run the software or conduct analysis. This is something that we focus on very heavily at Tessian – to offer software that can be deployed simply and quickly to automatically prevent security risks to people.

Tessian’s Human Layer Security platform is unique in the market. Why do you think you’re the only company offering this solution?

It seems obvious, doesn’t it, to focus on Human Layer Security as the solution to the problems we’ve discussed. The issue is that these problems are incredibly difficult to solve in a manner that provides best-in-class user experience and is completely automated. That’s why machine learning lies at the core of our technology. The products and the underlying tech take time to get right, and I think that’s why we’re out there alone at the moment. The challenges we’ve had to work to overcome require intense and rapid analysis of historical data in order to understand conventional communication patterns and behaviors. We have a very short window of time to check an email and make a conclusion about whether it’s going to be OK to send or reply to. Developing that software has taken time and R&D investment. Another benefit to Tessian – and our clients – is that we’re a relatively young company, so we’ve been able to build the entire system on very modern architecture. This has allowed us to leverage increased speed in the system and an abundance of flexible computing power. In this respect we think we’re ahead of any other company in our space. We are on a mission to bring Human Layer Security to as many enterprises around the world as possible. We want to keep the world’s most sensitive information and systems private and secure, building technology that allows enterprises to do that by delivering an amazing experience both for security teams and also the people that directly interact with the product.

What do you think Tessian will look like in a few years’ time?

I’m currently speaking from our New York office, which we established in 2018. We’re now investing heavily in the US market, and to help us do that we raised $42 million worth of funding in a round earlier this year led by Sequoia Capital. Sequoia invests in the best security technology companies in the world. We raised the capital to move into new markets as well as significantly expand our R&D activities. Our goal at Tessian is to protect the human layer in the same way that firewalls protect the network layer and endpoint security protects the device layer. We are focused on the automatic protection of any person processing data within the enterprise. In the future, I see Human Layer Security being a concept that is brought up at board level, exactly the same way that these other concepts in cybersecurity are discussed. Ultimately, humans make mistakes, they break the rules and they are easily deceived. These three problems are huge security vulnerabilities for people and organizations. It’s also much harder to protect people, but it’s also much more important that they are protected. Every organization has some kind of firewall protection against the network. They will have some kind of endpoint security protection on their devices. We see Human Layer Security really being the third piece of the jigsaw puzzle that’s currently missing from these organizations. Tessian wants to be the layer that protects the most important part of any enterprise – your people.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Human Layer Security
Why Wednesday is Your Business’ Riskiest Day
24 June 2019
They call it Hump Day for a reason: our latest research has revealed that workers feel the most tired on Wednesday afternoon, and this could be putting your data and systems at risk. This is because when we are tired, we become more error-prone. In fact, over three quarters of people (76%) we surveyed say that they make more mistakes when they are feeling sleepy. The problem is that it just takes one mistake – one email accidentally going to the wrong person or one click on a phishing scam – to compromise sensitive data and ruin a company’s reputation.

No rest for the wicked

Phishing is becoming a persistent hazard for businesses to deal with. The number of phishing attacks continues to rise year on year, and today around 6.4 billion fake emails are sent worldwide every day. Furthermore, Verizon revealed that a staggering 94% of malware is now delivered by email. It has therefore never been more important for employees to tell the good from the bad to avoid falling for the scams. But given that 91% of UK workers told us they feel tired during the working week, with one in five feeling tired every day, can we really expect employees to make the right decision 100% of the time when faced with a cybersecurity threat on email?

The thing is, when we are tired and stressed, we may overlook cues present in a cyber threat. This is according to cyber-psychologists Dr Helen Jones and Prof. John Towse, who recently shared their insight in our latest report, Why Do People Make Mistakes? Tiredness affects our ability to question the legitimacy of messages and makes us more likely to miss something that signals a threat, simply because we have less cognitive capacity available to dedicate to evaluating new information. Tired employees also pose another risk: fatigue makes it harder for people to resist the impulsive urge to respond to a persuasive request in a potentially malicious email. A study by Washington State University, for example, found that sleep deprivation not only increases the likelihood of someone making risky decisions but also decreases a person’s awareness of why they are taking risks. With email being so quick and easy to use, tired employees may not even register the risk their inbox could pose. What’s more, it’s not hard to imagine that a smart hacker could even start to target your most tired employees at certain times of the day in a bid to trick them into clicking.

Waking up to the threat

We cannot expect people to make the right cybersecurity decisions 100% of the time; tiredness and overwhelming workloads lead to risky decisions on email, and this poses a threat to your business. Rather than seeing employees as the first line of defence, you instead need to consider how to use technology to limit the number of costly mistakes that are just waiting to happen. By alerting employees to potential threats and advising them on the action to take, you can mitigate the risk and encourage people to think before they hit ‘send’ – especially during that Wednesday afternoon slump.
Human Layer Security
Tired and Overworked Employees Pose a Huge Risk to Business’ Data
12 June 2019
New Tessian report reveals that working environments stop people making safe cybersecurity decisions at work.

Today’s working environments are making it impossible for employees to make the right decision 100% of the time when faced with a potential cyber threat on email, reveals a new report from cybersecurity company Tessian. The report – Why Do People Make Mistakes? – presents findings from a new survey, conducted by Tessian, in which 1,000 UK employees were asked about their working environment and practices. Additionally, the report includes insights from cyber-psychologists Dr Helen Jones, University of Central Lancashire, and Professor John Towse, Lancaster University, which further explain how certain factors in the workplace can cause people to make suboptimal decisions, leading to dangerous behaviour on email.

The research reveals how overwhelming workloads, office distractions, fatigue and stress affect a person’s cognitive capacity, potentially impairing an employee’s ability to identify signs of a potential cyber threat – such as a phishing scam or sending an email to the wrong address. This, Tessian argues, puts businesses’ data and systems at risk given that 52% of UK employees say they’ve accidentally sent a work email to the wrong person.

Tim Sadler, CEO at Tessian, said, “Every time someone sends or receives an email, they are making a decision. When you consider how much time we spend on email, it’s little wonder that sometimes those decisions result in mistakes. However, it takes just one mistake – one email being sent to the wrong person or falling for one convincing message – to compromise your company’s data and ruin its reputation. Businesses, therefore, need to consider how they can protect their employees on email.”

The factors that affect people’s ability to make the right cybersecurity decisions at work include:

1. Quick-to-click cultures

Over half of UK employees (58%) say there is an expectation within their organisation to respond to emails quickly. Dependency on mobile phones isn’t helping the situation: nearly six in ten (59%) respondents say they use their mobile phones to send work emails out of office hours, with nearly a third doing so at least 2-3 times a week. Two in five respondents (39%) admit they respond to emails much more quickly on their phones.

Dr Helen Jones said, “Studies have repeatedly shown that time pressures significantly impact decision accuracy. Under pressure, we are more likely to rely on impulsive, low-effort behavioural responses and dedicate less attention to the situation in front of us. What’s more, an increased pressure upon employees to be constantly connected on-the-go means there is a higher likelihood of distraction and, therefore, mistakes.”

2. Tired and stressed

The majority of UK employees (92%) feel tired at work, with people feeling most tired on Wednesday afternoons. In addition, 91% say they feel stressed at work, with people feeling stressed, on average, half of the working week (2.4 days). Worryingly, over three quarters of respondents (76%) say they make more mistakes when they are tired, while 71% say they make more mistakes when stressed.

“Tired and stressed employees pose a real risk to email security,” explains Jones. “When we are tired and stressed, we are less likely to question the legitimacy of messages and miss the cues that signal a threat. We are also much more impulsive when we are tired, making it harder to resist the urge to respond to a tempting or persuasive request in a phishing email.”

3. Information overload

More than two in five UK employees (44%) describe their current workload as either ‘overwhelming’ or ‘heavy’. On top of a never-ending to-do list, employees are faced with many distractions, including:

1. Office noise (37%)
2. Colleagues ‘dropping by’ (34%)
3. Email notifications (30%)
4. Meetings (26%)
5. Notifications on their personal phones (20%)

When juggling multiple tasks at once, employees will likely rely more on habitual behaviours than on analytical thinking. This makes businesses more vulnerable to threats over email, given that a person’s ability to focus is impaired.

4. Trickery and trust

Hackers are becoming smarter in their approaches to phishing, often impersonating well-known brands or senior executives within an organisation. One in 10 respondents admitted to clicking on a phishing email at work. This figure was much higher in the financial services industry, where nearly one in three (29%) respondents in this sector admitted to clicking on a phishing email.

Sadler concludes, “Businesses cannot rely on employees being the first line of defence. Mistakes happen, especially when people are tired, stressed and overworked. Companies need to help people make conscious and safe cybersecurity decisions on email, putting a safety net in place to prevent the inevitable. Only then can businesses protect their data and systems from human failure on email.”
Human Layer Security
Tessian Wins Best Cybersecurity Service at Prestigious Hedge Fund Awards
29 March 2019
Tessian was named the Best Cybersecurity Service at the HMF European Hedge Fund Services Awards, in light of our innovative work to secure the human layer and prevent data breaches in hedge funds. Hosted at the Natural History Museum, the spectacular awards ceremony celebrated hedge fund service providers that have demonstrated exceptional client service, innovative product development and strong and sustainable business growth over the past 12 months. Tessian was shortlisted along with six other cybersecurity companies that provide solutions to protect hedge funds from cyber attacks.
We were thrilled to be rewarded by the judges – a panel of leading hedge fund COOs, CFOs, GCs and CTOs – as the best-in-class cybersecurity solution for this industry. The award recognized how Tessian has fundamentally changed the way hedge funds approach cybersecurity – focusing on protecting the human layer, rather than just securing a company’s networks and devices. This is incredibly important because 86% of data breaches can be attributed to human error, whether that’s accidentally sending an email containing sensitive data to the wrong person or falling victim to a phishing attack. When you consider that 60% of the organizations hit with phishing attacks during Q4 of 2017 were financial institutions, the threat in this particular industry is not one to be ignored. By using machine learning to analyze historical email data – the leading indicator of human behavior in the enterprise – our technology can automatically understand relationships, context and communication patterns of people. By understanding normal communication, we can automatically identify and prevent email threats before they occur.  
Human Layer Security
Email: Information Security’s Leaky Pipeline
12 March 2019
Email is the most widely used method of communication in the world. The number of emails sent and received daily will reach almost 300 billion in 2019, and the number of active email users will reach almost 4 billion in the same year, according to technology research company Radicati. There’s a reason the ageing protocol is so entrenched in how we communicate: it’s simple, works in every browser, and most importantly, everyone has an address. But many of the things that make email great also make it a difficult avenue to secure from an information security perspective.

Many use cases

Email is used for both professional and non-professional communications: a highly classified email to a client may be immediately followed by one to a spouse about dinner. Add to this that these two emails can often be sent from the same work email account for the sake of convenience, and the likelihood of confidential data being leaked due to a slip-up increases exponentially.

Truly platform agnostic

Slack messages can be sent to Slack users, Signal messages to Signal users, and WhatsApp to WhatsApp. With email, unlike most other messaging platforms, there’s no need for two people to be using the same client, protocol, or provider for communication to be possible. Of course, this seamlessness comes at a cost: it is much more difficult to develop a complete security solution for a channel with as many front-end standards and configurations as email has.

Well established protocols

Since its inception in the 1970s, the underlying technology behind email has remained the same, which makes it very easy to develop for and implement. It also means the protocol now suffers from being ‘too big to change’ – there are core features missing from the technology that more modern communication platforms now have as standard, including the ability to easily redact or recall, and encryption-by-default. Making any major change to how the email protocols function would require a near-global consensus.

Accessible from anywhere

Gone are the days when people accessed their email solely from their desk. Employees manage their emails on laptops, smartphones, tablets, watches, even car dashboards. This ease of access has exponentially increased the volume of emails exchanged, and has changed how people treat emails, sending them on the go. This, in turn, raises the risk of emails being misaddressed, as people type addresses out in a rush on their phones.

Centrally stored

An inbox often contains a wealth of information spanning an employee’s entire time at an organization. While much of this may not be confidential, being able to access huge amounts of information from a single source exponentially increases the likelihood of a “careless forward”.

Recent statistics on data security highlight that individual human error accounts for most data breaches, and show that the current school of thought surrounding information security is incomplete. Email offers numerous benefits – namely speed, ubiquity and simplicity – but it’s also one of the single biggest threats to an organization and its data. In addition to this, the ICO in the UK recently reported that misaddressed emails were the number one type of data security incident reported to them. While a growing number of enterprise processes are now being automated, email communication is currently still almost entirely reliant on people, which makes it vulnerable to human error. No matter how well established the organization, and how experienced and security conscious its employees, it will still be run entirely by people.

And people are fallible.