The Human Layer Security Summit is back. Save your spot today.

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Human Layer Security Spear Phishing DLP
Tessian Human Layer Security Summit: Your Questions, Answered
24 June 2020
Last week, Tessian hosted the world’s first Virtual Human Layer Security Summit and, over the course of three hours, thought leaders from some of the world’s leading organizations shared insights and advice around business continuity, cybersecurity, and what the future looks like. Throughout the Summit, we asked the audience to submit questions but, with over 1,000 people tuning in, we weren’t able to address them all. Better late than never! Here are answers to some of your most pressing questions.  Did you miss the Human Layer Security Summit? You can view each session in the playlist below and you can read the key learnings from the day here: 13 Things We Learned at Tessian Virtual Human Layer Security Summit. You can also sign-up for our newsletter to ensure you’re the first to hear about upcoming events and other relevant industry and company news. 1. What is Human Layer Security? Human Layer Security (HLS) a new category of technology that secures all human-digital interactions in the workplace. Instead of protecting networks or devices, Human Layer Security protects people (employees, contractors, customers, suppliers). Why? Because people control our most sensitive systems and data. They’re the gatekeepers of information.  Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity like data exfiltration, accidental data loss, and spear phishing attacks. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. You can learn more about this new category of security in our Ultimate Guide to Human Layer Security.  2. What are some of the key risk indicators used to measure human fallibility?  In the context of email security, Tessian looks at three key human vulnerabilities:  People break the rules  People make mistakes People can be easily tricked While risk indicators vary based on the vulnerability, monitoring data handling (both physical and digital) and assessing employee’s understanding of cybersecurity best practices should help you understand how risky or at-risk a particular employee is. Read: Insider Threat Indicators: 11 Ways to Recognize an Insider Threat  For example, if someone in your HR department consistently falls for phishing scams during simulations, they’re at risk of falling for one in real-life. Likewise, if someone in your finance department doesn’t change their passwords as requested, they may be more likely to break other security rules. But, keeping track of every employee and their attitudes towards security is nearly impossible, especially in large companies. That’s why solutions like Tessian are essential.  With Tessian Human Layer Security Intelligence, you’ll be able to see at a glance which employees are breaking the rules, making mistakes, and getting hacked. You’ll also be able to review historical data to see how behaviors have changed (for better or worse) in order to correct or reward individuals.  Want to learn more about how Tessian Human Layer Security Intelligence helps security teams maintain visibility of the Human Layer risks in their organizations? Read our blog, which outlines use cases, benefits, and more.
3. In the context of remote-working, how does decreased focus impact security? Over the last several months, we’ve been talking a lot about remote-working and how these new set-ups can impact cybersecurity. And, while there are a lot of technical challenges to overcome – from setting up VPNs to onboarding and offboarding employees while out of the office – we can’t ignore the more human challenges. Tessian actually took a closer look at these challenges in our latest research report, The State of Data Loss Prevention 2020, and found that 91% of employees are less likely to follow safe security practices when working from home. But why?  47% said it’s because they’re distracted. And, it makes sense. When working from home, people have other responsibilities like childcare, roommates and, more often than note, they don’t have dedicated workstations like they do in their normal office environment. That means it’s easier to make mistakes. This isn’t trivial. One misdirected email could cause a data breach. It only takes one click of a mouse.  4. Does Tessian believe that employees are always trying to “get away” with something?  The short answer: absolutely not. We believe that the average employee is just trying to do their job and, if you give people the opportunity to make smart security decisions, they will. But, too often, security policies, procedures, and tech get in the way. And that’s where you run into problems.  51% of employees say security tools or software impede their productivity and a further 54% say they’ll find a workaround if security software or policies prevent them from doing their job. So, what do you do? Find a better way! Make the easiest path the most secure path.  This is a part of Tessian’s ethos. That’s why our solutions work silently in the background, have low flag rates for false positives, and reinforce security policies with contextual warnings.   5. What are some effective ways to change human behavior?  Training, a strong security culture, and tech. Importantly, you have to have all three. You have to first educate employees on why security matters for the larger organization and then explain how individual behaviors can impact its overall security posture. Of course, one training session isn’t enough to make the message stick. Security awareness training should be ongoing.  In fact, security should be baked into the overall business. That way, you create a strong security culture (which should start from the top-down) that really values and rewards secure behavior. But, even reinforcing security best practices isn’t enough. (Read our report: Why the Threat of Phishing Can’t be ‘Trained Away’.) To err is human.  Whether accidental or malicious, data loss incidents happen – even with regular training – which means your people shouldn’t be the last line of defense. Tech should be. Ideally, that tech will bolster training by reinforcing policies and procedures.  Tessian does this via contextual warnings that empower the employee to make his or her own decision, while also giving security teams full oversight.
6. How can you teach people outside of the cybersecurity team how to spot phishing emails and other social engineering attacks?  As we’ve said, the average employee just wants to do their job. They don’t want to be a security expert. That’s why it’s so important to teach people about security risks in terms they understand and care about. We’ve found that one of the best ways to teach employees how to spot phishing emails is to use consumer examples. For example, stimulus check scams, Tax Day scams, and Census scams.  Once you have several examples, make sure you point out what’s suspicious about the email and what to do if and when an employee receives one. If you work in a highly-targeted industry, make sure you reinforce frequent training with posters, PDFs, and other resources. We put together a guide – including examples – for COVID-19 attacks, which you can download at the bottom of this blog: Coronavirus and Cybersecurity: how to Stay Safe From Phishing Attacks. Feel free to share it with your employees!  7. What is your advice for a Cybersecurity Master’s student looking to explore the job sector? There is no right (or wrong) way to break into the industry. Cybersecurity is incredibly diverse and no one job, company, or project is the same. While you’re in school, get as much work experience as you can to find out what really ignites your passion. But, don’t take our word for it! Check out the profiles of over a dozen cybersecurity professionals on our blog. Or, read our report, Opportunity in Cybersecurity 2020, for an overview of the industry and what it has to offer new entrants.  Oh, and be sure to check out our open roles, too. Do you have more questions about Tessian or cybersecurity? Email [email protected] and we’ll get back to you. You can also book a demo to see how Tessian’s solutions can help prevent data loss incidents in your organization.
Human Layer Security Spear Phishing Customer Stories DLP
13 Things We Learned at Tessian Virtual Human Layer Security Summit
18 June 2020
Tessian’s Virtual Human Layer Security Summit was an incredible success thanks to our partners, speakers, and – of course – all of those who attended. Over 1,000 security, IT, compliance, business, and HR professionals watched as we explored how business models have changed, what these changes mean for all of us, and what to expect over the next several months. If you weren’t able to tune into the Summit yesterday, don’t worry! You can watch the full video below or access it on-demand. We’ve summarized some of the key points into relevant and actionable advice. Share these with your co-workers, share them on social media, or bookmark this blog for yourself. Here’s what we learned at Tessian Virtual Human Layer Security Summit.
1. We must treat our employees with empathy and compassion.  While the event was focused on cybersecurity and tech, one of the most important takeaways from the day is about being human. The Summit kicked off with an important reminder from Bobby Ford, Vice President and Global CISO at Unilever: “We’re not just working from home, we’re working from home during a crisis.” While – yes – we’re all trying to conduct “business as usual”, all of us are dealing with unique challenges. Many parents have suddenly taken on the roles of teachers, and living rooms have been transformed into makeshift co-working spaces for partners and roommates. And this doesn’t even account for the emotional stress of a global pandemic and current social and political unrest.  There’s a lot to navigate, process, and overcome, and many of us are distracted, stressed, and anxious. And that’s okay. As leaders and as humans, we have to be empathetic and compassionate. We have to take the mental wellbeing of our employees seriously and give them the tools, resources, and support they need to thrive, wherever they’re working.
2. The secure thing to do should be the easiest thing to do.  Let’s face it. Security isn’t the average employee’s top priority. They just want to do their job. Over half (54%) of employees say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job.  That’s why it’s so important that we implement policies, procedures, and tech that’s frictionless.  Bobby put this into perspective with an example from his own life.  When you’re a parent helping your son or daughter learn how to walk, what do you do? Child-proof the house and get outta the way! That’s what we need to be doing as security leaders. Make sure the most secure path is the path of least resistance, whether that’s ensuring your employees have a secure way to print and dispose of documents or implementing flexible BYOD policies.  3. Detection and prevention alone aren’t enough.  We all work hard to detect and prevent both inbound and outbound threats. And, while even that isn’t always easy, that’s not our only job. We also have to have to maintain visibility of risks, manage teams that are often thinly stretched, move quickly from investigation to remediation, and communicate threats to executive teams.  Almost impossible, right? Not anymore.  Tessian’s Group Product Manager, Harry Wetherald and Product Marketing Manager, Shanthi Shambathkumar, announced some very exciting news during the Summit: the launch of Human Layer Security Intelligence. With HLS Intelligence, security leaders can now predict, prevent, and protect against threats with zero manual investigation. That means you can continuously and proactively downtrend risks in your organization. Want to learn more? We outline all the benefits of Human Layer Security Intelligence and explore use cases on our blog: Introducing Tessian Human Layer Security Intelligence. 4. Executive teams must invest in security now.  While cybersecurity has historically been a siloed department, it’s becoming more and more integrated with overall business functions. In fact, it can actually be a business enabler and a unique selling point for customers and prospects.  But, only if your organization is secure. And, as Clive Novis, Chief IT Risk Officer at Investec pointed out, it takes a village to ensure data is protected which means cybersecurity initiatives must get support from senior executives first. During the customer panel discussion, he said “The tone is set from the top in terms of the security culture. They help ensure not only that controls are effective, but that those controls are consistent across the globe.” Needless to say, this is more important now than ever. As we continue to adapt to new remote and hybrid working structures, many of us are introducing new policies and solutions and we need buy-in across departments for these policies and solutions to work. 5. Email is the #1 threat vector.  Over the last few months, we’ve heard a lot about the dangers of Zoombombing. But, we’ve heard even more about COVID-19 themed phishing attacks, Tax Day scams, and 2020 Census scams. (Jump to #7 for more information.) With that said, email is the threat vector most security and IT leaders are concerned about.
It makes sense. Over 124 billion business emails are sent and received every day and employees spend 40% of their time on email sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data. It’s a gold mine. The bottom line: We need to be leveling up our DLP efforts on email. 6. Security incidents are happening up to 38x more than IT leaders currently estimate.  During the Summit, Tessian Co-founder and CEO Tim Sadler presented some of the key findings from our most recent report The State of Data Loss Prevention 2020. Our research reveals that data loss on email is a bigger problem than most realize, that remote-working brings new challenges around DLP, and that the solutions currently deemed most effective may actually be the least. While we addressed the frequency of misdirected emails and malicious data exfiltration, one of the most startling facts involves employees sending company data to personal email accounts.  At Tessian, we call these unauthorized emails, and according to our platform data, they’re being sent 27,500 times a year in organizations with 1,000 employees. Meanwhile, IT leaders estimate just 720 are sent. That’s a big difference and highlights the need for effective data loss prevention solutions.  Follow the links to learn more about how Tessian detects and prevents accidental data loss and data exfiltration attempts.  7. Phishing is still a big problem.  While phishing has always been a problem for organizations, we’ve seen a marked spike in incidents over the last few months. And it’s not just Tessian who has taken note. Elvis Chan, Supervisory Special Agent, National Security at the FBI has, too.  For him, phishing is the biggest risk.
What does this mean for you? Continue educating your employees about the risks associated with phishing and how to spot these attacks and ensure they’re protected with tech.  8. Security policies don’t stick unless they’re continuously reinforced.  We’ve said it before, but we’ll say it again: The average employee doesn’t care about security as much as you do. They just want to do their job. That means we have to continuously reinforce security policies, especially now that workforces are distributed.  But, repetition isn’t enough.  We have to communicate in terms our employees understand. Angela Henry, Business Information Security Officer at Rand Merchant Bank, recommends educating employees on business data privacy best practice alongside consumer data privacy best practice. Share tips that are relevant to their personal lives. Offer advice on how to keep their children secure online. Prepare resources around how to stay safe on e-commerce sites. Not only does this help foster a positive security culture in the office, but it also helps employees stay safe and secure at home.  9. …And policies aren’t effective unless they’re bolstered by technology.  While educating employees about policies is a vital part of any security strategy, it isn’t enough to prevent inbound and outbound threats and subsequent data breaches.  After all, we’re only human. We break the rules, make mistakes, and can be easily tricked. In fact, 44% of breaches are caused by human error. Elvis summed it up nicely when he said, “Even if we’re at technology 5.0, we’re still at human being 1.0.”  So, what do we do? Garrett recommends bolstering training with technology to ensure that people aren’t the last line of defense, saying “My ultimate view is that user awareness training is fine but – in mathematical terms – it’s necessary but not sufficient. I think it needs to be used in conjunction with other tools.” 10. Security needs diversity to thrive.  Throughout the Human Layer Security Summit, we talked a lot about security pre- and post-pandemic. But, Merrit Baer, Principal Security Architect at Amazon Web Services pointed out something else we shouldn’t forget.
She’s right. Cybersecurity needs diversity to thrive.  This diversity isn’t limited to gender or ethnic diversity. The field is wide open for a range of educational and professional backgrounds, from psychology majors to business analysts and just about everything in between.  You can read more about the opportunities available in cybersecurity in our report Opportunity in Cybersecurity 2020. 11. Remote working isn’t temporary. According to a recent poll by 451 Research, 38% of businesses expect work-from-home strategies will continue post-pandemic. And, when you consider companies like Facebook have already announced they’re permanently embracing remote-work, we should expect more to follow. The point? We should equip our workforces to thrive at home and ensure that we’re maintaining a strong security culture company-wide while also supporting our employees mentally and emotionally. (See #1.)  12. …And that doesn’t have to be a bad thing.  There are new and perennial challenges we must overcome in order to support a full-time remote workforce, but there are a number of benefits, too. Don’t take our word for it. Stephane Kasriel, Former CEO of Upwork – a company that has maintained a hybrid remote-working structure across 500 cities for nearly a decade – offered attendees of the Summit several reasons why this is something to look forward to, not dread.  To start, remote-working enables companies to find and work with the best talent, not just local talent. Beyond that, employees have more freedom to design their lives. They can more easily balance work and life, relocate as and when they need or want to, and create environments in which they can really thrive.  13. The Secret? Adapt, adopt, evolve. Repeat.  If there’s one thing that was made clear throughout every panel discussion, fireside chat, and interview, it’s that things have changed and will continue to change. The only way to succeed is to adapt and evolve. Adopt new technologies. Embrace new ways of working. Lean on peers and professional networks for advice.  In the spirit of change, we’ve put together a list of resources that will help you navigate security and business challenges of the present and future.  Security During Uncertainty: 6 Steps Security Leaders Can Take to Reduce Risk Cyber Culture in the Time of COVID COVID-19 and the Digital Pandemic Upwork Remote Work Resources COVID-19: Real-Life Examples of Phishing Emails 13 Cybersecurity Sins When Working Remotely Advice From Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Remote-Worker’s Guide To: Preventing Data Loss 11 Tools to Help You Stay Secure and Productive While Working Remotely Did we miss anything? Feel free to email [email protected] with your key learnings.
Human Layer Security Spear Phishing DLP Data Exfiltration
Insider Threat Indicators: 11 Ways to Recognize an Insider Threat
By Maddie Rosenthal
12 June 2020
Detecting and preventing Insider Threats isn’t easy. Why? Because unlike external bad actors, Insiders – whether a disgruntled employee, a distracted freelancer, or a rogue business partner – have legitimate access to systems and data. That means they’re in an ideal position to exfiltrate data. So, how do you spot one? To start, you have to know what an Insider threat is and understand the different methods and motives behind these data exfiltration attempts. What is an Insider Threat? We’ve covered this in detail in this article: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions. But, to summarize:
Insider Threats can be malicious or the result of negligence.  Malicious Insiders knowingly and intentionally steal data and generally do so for one of three reasons: financial incentives, a competitive edge, or because they’re dissatisfied at work. Negligent Insiders are just your average employees who have made a mistake. For example, they could send an email to the wrong person, misconfigure a system, fall for a phishing email, or lose their work device.   How often do incidents involving Insider Threats happen? More often than you might think. In fact, there’s been a 47% increase in incidents over the last two years. We discuss seven recent examples in this blog: Insider Threats: Types and Real-World Examples.   While every incident is different, there are some tell-tale signs of an Insider Threat.  Insider Threat indicators: Malicious Insiders Malicious Insiders may act suspiciously well before they actually exfiltrate any data. For example: 1. Declining performance or other signs of dissatisfaction As we’ve said, one reason why Insiders exfiltrate data is that they’re dissatisfied at work. It could be because of a poor performance appraisal, because they were denied a promotion or raise, or because of a disagreement with a co-worker or manager.  Whatever the reason, 1 in 10 Insider Threats is motivated by a grudge. Look out for a consistent or sudden decline in performance or attitude and for employees who become angry or combative. Employees who are actively looking for other jobs should also be on your radar. While they could simply be moving on to a new opportunity, they may be inclined to steal data in order to impress or bribe a new or potential employer.  Don’t believe us? 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed. This number nearly doubles in highly competitive industries like Financial Services and Business, Consulting, & Management.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 2. Unusual working hours While passion and enthusiasm are generally considered positive attributes when talking about an employee, these can occasionally be early signs of bad intent. For example, if an employee consistently volunteers for extra work, regularly works in the office late, comes in early, or attempts to perform work that’s outside of the scope of their normal duties, they could be trying to gain access to sensitive systems or data.  Then, of course, there are signs of the data exfiltration attempt itself. For example: 3. Large data transfers or downloads There are a number of ways to exfiltrate data, including email, Cloud Storage, USB sticks. In fact, 23% of insiders exfiltrate data via USBs and 24% exfiltrate data via laptops/tablets. Nevertheless email is the threat vector most IT leaders are concerned about. After all, it only takes one click to transfer dozens of files.  But, monitoring data movement is a challenge. How can you realistically monitor every email sent and received within your organization? With Tessian Human Layer Security Intelligence, it’s easy.  Security, IT, and compliance leaders can get detailed insights around employee behavior in a single click. No manual investigation required. 
4. Multiple failed logins (or other abnormal login activity) Whether it’s an employee trying to access networks or systems they don’t have access to or an employee with legitimate access logging in more frequently than usual, login activity can offer security teams clues about Malicious Insiders. Certainly the employee could simply be curious and may even be going above and beyond to get their job done, but these behaviors could also be indicative of nefarious intent and should be investigated.  5. Upgraded privileges or sharing access When someone is promoted or there’s some other shift in the structure of an organization, it makes sense that access to systems and data might change. But, what about when someone’s privileges or access are escalated without a clear reason why? It could be an administrator granting him or herself more privileged access or it could be a team effort. For example, an administrator could be bribed to upgrade another employee’s access. Both are signs of a Malicious Insider. Finally, there are signs that the Insider has successfully exfiltrated data or is still successfully exfiltrating data. For example: 6. Unexpected changes in financial circumstances 86% of breaches are financially motivated.  Whether it’s a list of customer email addresses being sold on the Dark Web or trade secrets being sold to a competitor, data is valuable currency. So, if you hear of or notice an employee suddenly and unexpectedly paying off debt or making expensive purchases, you may need to investigate the source of the additional income. It could be a sign that they’re profiting from company or customer data. 7. Consistent (and unusual) overseas travel Like many of the other indicators on this list, there could be a perfectly good reason why an employee travels overseas. He or she could be going on vacation, visiting friends or family, or may be traveling for work. But, as we’ve seen, it could also be a sign of corporate or foreign espionage. Case in point: A former engineer at a massive aerospace company frequently traveled to China, claiming he was lecturing. In reality, he was acting as an agent of the People’s Republic of China and was selling trade secrets. This went on for nearly 30 years before he was caught and later convicted.  Insider Threat indicators: Negligent Insiders While certain behaviors exhibited by Malicious Insiders may set off alarm bells for security teams before exfiltration attempts occur, Negligent Insiders can be harder to preempt.  Nonetheless, there are four key things to look out for. 8. Failure to comply with basic security policies Whether it’s consistently using weak passwords, refusing to enable 2FA, or frequently downloading tools or software that haven’t been approved by security teams, an employee who disregards security policies could be more likely to accidentally exfiltrate data than one who consistently plays by the book.  That’s why reminding employees of existing policies and procedures is so important. 9. Low engagement in security awareness training Most employees (and even some security leaders!) would agree that security awareness training is “boring”. And, while that may be the case, training is absolutely essential. It could be training around how to spot a phish (see below) or training around new and existing compliance standards or data privacy laws. Employees who either don’t attend training at all or who perform poorly on assessments related to that training should be closely monitored and be re-targeted with tailored programs. You can read more about how to up-level your training and create a positive security culture here. 10. History of falling for phishing attacks Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. If the attack is successful – meaning the target (an employee) falls for the scam – there could be serious consequences.  That means any employee who falls for a scam should be reminded of phishing tools and techniques and may need to be more closely monitored. 11. General carelessness or haste Accidents happen. Whether it’s firing off an email to the wrong person or accidentally leaving a computer unblocked, we all make mistakes. Nonetheless, they aren’t trivial and any employee who consistently makes mistakes will need to be reminded of security best practices and may, in some cases, need to be monitored with more stringent policies.  How can you detect and prevent Insider Threats?  When it comes to detecting and preventing Insider Threats, there are a number of solutions, including: Training Physical and Digital Monitoring  DLP tools and software  Importantly, all of these have a place in security strategies. Training should be used to reinforce existing policies, especially for those employees who consistently break the rules or make mistakes.  Security teams should be diligent in their physical and digital data monitoring and should always look out for the above warning signs. And DLP tools like rule-based solutions, endpoint scanning, firewalls, and anti-phishing software do, in some instances, help curb the problem of data loss. But, as we’ve said, incidents involving Insider Threats are on the rise which means security stacks are missing something. What they’re missing is protection for their people and at Tessian, we call it Human Layer Security. How does Tessian prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way.  Interested in learning more about how Tessian can help prevent Insider Threats in your organization? You can read some of our customer stories here or book a demo. 
Human Layer Security Spear Phishing DLP Data Exfiltration
Introducing Tessian Human Layer Security Intelligence
By Ed Bishop
11 June 2020
Attention Security, Compliance. and IT leaders: You can now continuously and proactively downtrend Human Layer risks in your organization with zero manual investigation. How? With Tessian Human Layer Security Intelligence.
Why did Tessian create Human Layer Security Intelligence? 88% of data breaches are caused by human error.  To combat that, Tessian built, created, and developed Defender to prevent spear phishing, Business Email Compromise, and other targeted impersonation attacks; Guardian to prevent accidental data loss; and Enforcer to prevent data exfiltration. But, detection and prevention are only one part of the solution. To be truly effective, solutions have to proactively and consistently improve an organization’s broader security posture.  Security leaders should be able to: Comprehensively understand the risks within their organization Benchmark those risks against peers Reduce the burden of manual investigation, especially for thinly-stretched teams  Move swiftly from investigation to remediation Easily view the outcome of remediation efforts to understand the ROI on security products   Tessian Human Layer Security Intelligence does all of the above.  We provide our customers with real-time insights into risks on email and give security teams the tools they need to downtrend those risks. 
What are the key benefits of Human Layer Security Intelligence? We’ve already mentioned some of the key challenges that security, compliance, and IT leaders are up against. So, how does Human Layer Security Intelligence make your jobs easier? Predict. Track and compare trends, preempt incidents, and influence employee behavior to improve overall security posture.
Improving security visibility is key.  With HLS Intelligence, Tessian customers can easily and automatically get detailed insights into inbound and outbound security threats and employee actions.  Why does this matter? It allows security leaders to know precisely where to focus their efforts and which corrective actions to take in order to best allocate their resources.  For example, with clear visibility of employee behavior, it will be easy to spot those employees who frequently attempt to send company data to their personal email accounts to work from home. That way, security teams can then offer additional, targeted training and issue helpful reminders of existing security policies. Beyond that, customers will also be able to benchmark their risk levels against industry peers. This will help organizations identify strengths and successes and help highlight how and where they can improve their security posture.  Prevent. Investigate and communicate risks quickly and easily with detailed event threat breakdowns.
Most solutions are a blackbox when it comes to understanding the threats detected. And, without knowing the “who, what, when, and why” behind security events, mitigation can be difficult.  In an effort to pin down the “who, what, when, and why”, security and IT teams spend countless hours aggregating data, analyzing data, and investigating incidents. But, this is a slow, manual process which means remedial response times are often longer than they should be. Not with Tessian’s HLS Intelligence.  HLS Intelligence offers a curated list of high priority events so security leaders can immediately zero in on those that are most critical. No manual investigation required.  It’s simple: View detailed breakdowns and automated analysis of security events Take immediate action Generate reports with a single click to communicate detected and prevented risks to stakeholders.  Protect. Take the burden out of remediation with robust mitigation tools. 
While the goal is to prevent incidents from happening in the first place, robust mitigation tools are an essential part of any security solution.  With email quarantine and post-delivery protection like bulk email removal and single-click clawback, it’s easier than ever for security teams to take action.  And, with shared threat intelligence across the entire Tessian ecosystem, machine learning models automatically update and protect all Tessian Defender customers from all blocked domains. That means Tessian customers automatically benefit from Tessian’s network effect and new threats can be prevented before they’re even seen in your environment. How Can I Use Human Layer Security Intelligence? The benefits of Tessian Human Layer Security Intelligence are best understood in the context of real situations. So, let’s look at three example use cases. Use Case #1: Thwart burst attack campaigns and block COVID-19-related impersonation domains.  Several employees receive an email that appears to be from a health organization with advice around COVID-19. The email automatically triggers a warning advising employees that the email is suspicious based off of the content and sender information.  Simultaneously, you’re alerted of the burst attack and are able to first delete the email from user inboxes and then block the domain. Each of these two actions requires a single click. But, it’s not just your organization that’s protected from the threat. All Tessian customers will benefit as the domain is automatically blocked across the Tessian ecosystem. Use Case #2: Reduce data loss and increase secure behavior. In reviewing outbound events, you notice two employees are frequently sending emails with attachments to their personal accounts. When presented with a warning that explains why the action is being flagged as suspicious, they opt to send the email anyway. Why? Because these exfiltration attempts aren’t intentionally malicious, they’re simply trying to ensure they have access to the documents they need to work, wherever they are.  Instead of implementing a blanket rule that blocks all emails to freemail accounts across the company, you can take a more targeted approach. You can use this as an opportunity to reinforce security awareness training and in-house policies and explain why the email is considered unauthorized despite the employees’ good intentions.  You can also offer alternatives that would enable the employees to access relevant documents without having to email attachments to themselves. Use Case #3: Predict employee exits and prevent data exfiltration. In reviewing outbound events, you notice a spike in data exfiltration attempts by an employee. In the last week, he’s sent upwards of 20 attachments to a recipient he has no previous email history with. With this information in mind, you approach his line manager and find out that two weeks ago, the employee was denied a promotion and subsequent raise. You now have oversight of the “who, what, why, and when”.  This employee is planning on resigning and is taking company data with him. To prevent any further data exfiltration attempts, you can create custom filters specifically for that user, including customized warning messages or you could create a filter that would automatically block any future exfiltration attempts. For example, you could block email communications containing attachments to specific a domain or block emails containing attachments altogether, depending on the severity of the previous incidents.  Learn more Interested in learning more about Tessian Human Layer Security Intelligence and how it can help you strengthen your defense against human error on email? Get in touch with your Customer Success contact. Not yet a Tessian customer? Book a demo! 
Human Layer Security Spear Phishing DLP Compliance Data Exfiltration
13 Cybersecurity Sins When Working Remotely
By Maddie Rosenthal
27 May 2020
Over the last eight weeks, security vendors, thought leaders, and even mainstream media have been offering employees advice on how to stay secure and productive while working from home. And, why wouldn’t they? The transition from office-to-home has been both sudden and challenging and the risks associated with data loss haven’t disappeared just because the perimeter has. At Tessian, we’ve created (and have been consistently updating) our own remote-working content hub filled with actionable advice for security, IT, and compliance professionals as well as employees. While you can find the individual articles below, we thought we’d combine all of the tips we’ve shared over the last two months into one easy-to-read article. Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Ultimate Guide to Staying Secure While Working Remotely  Remote Worker’s Guide to: Preventing Data Loss Remote Worker’s Guide to: BYOD Policies  11 Tools to Help You Stay Secure and Productive While Working Remotely  Here are 13 things you shouldn’t do when working remotely from a cybersecurity perspective.  1. Don’t send company data to your personal email accounts. As many organizations have had to adopt new tools and systems like VPNs and Cloud Storage on the fly, some employees may have had to resort to sending company data to their personal email accounts in order to continue doing their job.  We understand that doing so may have been viewed at the “only option”, but it’s important to note that this is not wise from a security perspective. While we’ve written about this in detail on our blog The Dark Side of Sending Work Emails “Home”, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts. Why? Read point #5 to find out.  2. Don’t share Zoom links or Meeting IDs.  Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But, as we highlighted in our Ultimate Guide to Staying Secure While Working Remotely, there are precautions you must take in order to prevent attackers from infiltrating your calls. While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.  Importantly, this Meeting ID appears at the top of your conference window, which means if you share a screenshot of your call, anyone who sees the screenshot can access this meeting. If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join. 3. Don’t ignore warnings from IT and security teams or other authoritative sources.  Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them. But – importantly – these warnings are useless unless employees heed the advice.  Whether it’s an email outlining how to spot a phishing email or an announcement from your line manager about updating your iOS, employees should take warnings seriously and take action immediately.  4. Don’t work off of personal devices.  While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices. Note: Some organizations have adopted more flexible BYOD policies. You can learn how to combat the security risks associated with these policies on our blog. 5. Don’t action email requests without double-checking their legitimacy.  Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.  For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentialsor other personal information, get in touch with them via phone or a separate email thread before responding.  6. Don’t use weak passwords.  Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data.  If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins.  If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. 7. Don’t lose touch with your IT or security teams.  Communication – especially during periods of transition and disruption- is key.  If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected.  8. Don’t use public Wi-Fi or mobile hotspots.  Given the digital transformation, most of us rely on internet access to do our jobs. Unfortunately, we can’t connect to just any network.  The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. With that said, you should only use networks you’re absolutely confident are secure.  9. Don’t download new tools or software without approval.  IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion. Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”.  10. Don’t leave work devices or documents in plain sight.  Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too.  Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or client information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft.  Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously. 11. Don’t give hackers the information they need to execute social engineering attacks.  When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Don’t make it easier for them by sharing personal information on OOO messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.  12. Don’t be afraid to ask questions about security policies and procedures.  When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place. IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request.   13. Don’t forget the basics of security best practice.  While we’ve offered plenty of advice that’s specific to remote-working, following general security best practices will help prevent security incidents, too.  Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn’t, below are some of the basics. Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization.  If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key! What’s next? While most organizations and individuals have started to adjust to “the new normal”, it’s important to remember that, eventually, some of us will move back to our office environments. The above tips are relevant wherever you’re working, whether that’s at home, from a cafe, on public transport, or at your desk in the office. Looking for more insights on what\s next in this new world of work? We’re hosting our first virtual Human Layer Security Summit on June 18. Find out more – including the agenda for the day – here. 
Spear Phishing
Phishing in Retail: Cybercriminals Follow The Money
07 May 2020
Retailers have always been a lucrative target for cybercriminals and their phishing scams — even more so during peak shopping times. The thing is, cybercriminals always follow the money and opportunistic hackers will find ways to cash in on spikes in consumers’ spending.  During the coronavirus lockdown, for example, global payments systems provider ACI Worldwide found that online sales for retailers dramatically increased. It reported a 74% growth in average transaction volumes in March 2020, compared to the same period the year before. However, while they saw an increase in online sales, they also saw a spike in fraudulent activity and Covid-19 phishing scams.  We see a similar trend around retailers’ busiest shopping period of the year – Black Friday.  A golden opportunity for fraudsters US shoppers spent a record $7.4bn on Black Friday in 2019, and a further $9.2bn on Cyber Monday. In the UK, Barclaycard reported that transaction value was up 16.5% in 2019, compared to Black Friday in 2018. A golden opportunity for fraudsters. When we surveyed IT decision makers at UK and US retailers, the majority told us the number of number of phishing attacks their company receives during the Black Friday weekend spikes. In fact, respondents said they receive more phishing attacks in the last three months of the year – in the lead up to the holidays – compared to the rest of the year. Consequently, one in five IT decision makers told us that phishing poses the greatest threat to their retail organization during peak shopping times. They identified phishing as a bigger threat to their business than ransomware or Point of Sale (PoS) attacks. Their reasons? They aren’t confident that their staff will be able to identify the scams that land in their inbox during these busier periods, namely because people are receiving more emails at this time and are more distracted. A third of IT decision makers in retail also told us that phishing emails are, simply, becoming harder to spot. The high price of a phishing attack The devastating consequences of falling for a phishing attack are troubling the IT leaders we surveyed. Over a third said financial damage would have the greatest impact to their business following a successful phishing attack. It’s not surprising. Today, the average cost of a phishing attack on a mid-size company is $1.6 million. For small businesses, the cost of a cyber attack stands at just over $53,000 – a devastating blow for any small retailer and one that could put them out of business. More sales, more mistakes The people-heavy nature of the retail industry is something cybercriminals prey on. Using sophisticated social engineering techniques and clever impersonation tactics, they’re counting on people making a mistake and falling for their scams.  Sadly, during busy shopping periods, mistakes are likely to happen. When faced with hundreds of orders, thousands of customers to respond to, and overwhelming sales targets, cybersecurity is rarely front of mind as people just focus on getting their jobs done. In these situations, you can’t expect people to accurately spot a phishing scam every time. New solutions needed Retailers, therefore, need to consider how they can protect their people from the growing number of phishing scams plaguing the industry — beyond training and awareness. In our report – Cashing In: How Hackers Target Retailers with Phishing Attacks – we look into the biggest threats IT leaders in the retail sector face, reveal the gaps in security that need addressing, and explain how to best protect people on email. 
Spear Phishing
How to Avoid the PPP Scams Targeting Small Businesses
By Maddie Rosenthal
01 May 2020
On April 27, the U.S government’s coronavirus relief fund for small businesses – the Payroll Protection Program – resumed lending, after an additional $320 billion in funding was authorized to help small businesses keep employees on the payroll. The program will provide much needed relief for small businesses, but it could also provide cybercriminals with another prime opportunity to cash in on Covid-19 related schemes. Over the last month, Tessian has identified ways in which criminals have taken advantage of the global pandemic to make their scams more effective – from impersonating remote working and collaboration tools to tricking people into clicking onto fake stimulus check domains.  We are now warning small businesses of the PPP and CARES Act scams that they could face.  Tessian’s latest research reveals that 645 domains related to the PPP were registered between March 30 and April 20, with the majority of the domains being registered in the week following the US government’s announcement on March 31.  While 85% of the domains are offline, it’s unclear how long they will remain offline for. Of the newly registered domains that are currently live: 35% were registered as multiple domains that lead users to the same website. The 31 of the grouped domains only lead people to eight websites. 28% were from different loan providers that have a separate PPP presence through an online form. Although these may not all be spammy, it’s important for people to be wary of what they’re signing up for, what information they’re sharing and any associated costs. 24% were law firms and consultants offering their services. Around 10% were “advisory,” giving businesses information about PPP in a blog style without any notable Call To Action or service. Worryingly, a recent survey by IBM X-Force found that only 14% of small business owners say they are very knowledgeable about how to access the SBA’s loan relief program. Cybercriminals will use this to their advantage, targeting those individuals seeking more information or guidance on the PPP. And although not every newly registered PPP domain may be malicious, it’s possible that these websites could be set up to trick people into sharing money, credentials or personal information.  Small businesses have been prime targets throughout the global pandemic. We’ve seen a number of spam campaigns whereby hackers impersonate the Small Business Administration (SBA) or well-respected banks to entice people into opening malicious attachments or sharing sensitive information. At this time, we urge small business owners and staff to think twice about what they share online and question the legitimacy of the emails they receive.  Our advice to avoiding the PPP scams: Be cautious about sharing personal information online. If it doesn’t look right, it probably isn’t. Understand the Call To Action on these PPP-related sites and emails you receive from them asking for urgent action or to click links.  Make sure any sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly. Never share direct deposit details or your Social Security number on an unfamiliar website. Always use different passwords when setting up new accounts on websites. And enable two-factor authentication on all the services that you use.
Spear Phishing
Spotting the Stimulus Check Scams
16 April 2020
Since the US government announced that citizens who make less than $75K would receive $1,200 checks, we have found that there have been 673 newly registered domains related to the $2T stimulus package.  Unlike the domains spoofing the U.S. Census that we discovered earlier this month, these URLs aren’t intended to mimic official government websites. Rather, these domains have been set up to take advantage of the stimulus package, using common questions or key words to lure users in such as whereismystimuluscheck.com or covid-19-stimulus.com.  Where do these new domains go? When we looked at the newly registered domains more closely, we found that nearly half of the newly registered domains hosted websites offer the following services: Consultancy: helping people with the paperwork to get their checks Calculators: asking users to enter their personal information, such as their age and address, to find out how much money they are entitled to Donations: giving people the opportunity to donate their check to a Covid-19 related cause Business loans We also found that 7% of these spoofed domains were spam websites, with no clear call to action. With hackers capitalizing on this global health crisis to launch targeted phishing scams, people need to be mindful of what information they share on these sites.  The thing is that cybercriminals will always follow the money, looking for ways to take advantage of the fact people will be seeking more information or guidance on the stimulus package. Although not every domain registered in the last month may be malicious, it’s possible that these websites offering consulting and business loans could be set up to trick people into sharing money or personal information.  Our advice? Always check the URL of the domain and verify the legitimacy of the service by calling them directly before taking action.  Think twice about sharing your data It’s also important to consider what data you are being asked to share via websites offering calculators or status checks, and what the websites offer after you have taken an action. Cybercriminals could use the information you shared to craft targeted phishing emails that include the ‘results’ of your assessment, tricking you to click on malicious links with the intention of stealing money, credentials or installing malware onto your device. Earlier this week, the IRS launched a new online resource for citizens to check on their payment status. We anticipate that even more URLs will crop up as a result of this. How to avoid potential scams Think twice before sharing personal information to calculator websites. If it doesn’t look right, it probably isn’t  Make sure the educational sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly Never share direct deposit details or your Social Security number on an unfamiliar website Take care when sharing your email address and other personal information on websites like the calculator ones and question the legitimacy of the emails sharing your results before clicking on any links Always use different passwords when setting up new accounts on these websites  
Spear Phishing DLP Compliance Data Exfiltration
Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges
15 April 2020
As a part of our ongoing efforts to help security professionals around the world manage their new remote workforces, we’ve been holding virtual panel discussions and roundtables with ethical hackers and security and compliance leaders from some of the world’s leading institutions to discuss cybersecurity best practice while working from home. Our panelists and speakers have included David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, Jenna Franklin, Managing Counsel, Privacy & Data at Santander, Stacey Champagne, Head of Insider Threat at Blackstone, Ben Sadeghipour, Head of Hacker Education at HackerOne, Chris Turek, CIO at Evercore, Jon Washburn, CISO at Stoel Rives, Peter Keenan, CISO at Lazard, Gil Danieli, Director of Information security at Stroock, and Justin Daniels, General Counsel at Baker Donelson We’ve compiled some of the key takeaways to help IT, privacy, and security professionals and employees stay secure wherever they’re working. 
How to defend against spear phishing (inbound threats) Communicate new threats. Cybercriminals are carrying out opportunistic phishing attacks around COVID-19 and the mass transition from office-to-home. Keep employees in the loop by showing them examples of these threats. But, it’s important to not over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. Create policies and procedures around authenticating requests. Communicating new threats isn’t enough to stop them. To protect your employees and your data, you should also set up a system for verifying and authorizing requests via a known communication channel. For example, if an employee receives an email requesting an invoice be paid, they should contact the relevant department or individual via phone before making any payments. Enable multi-factor authentication. This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.   Encourage reporting. Creating and maintaining a positive security culture is one of the best ways to help defend against phishing and spear phishing attacks. If employees make a habit of reporting new threats, security and IT teams have a better chance of remediating them and preventing future threats.  Update security awareness training. Remote-working brings with it a host of new security challenges. From the do’s and don’t of using personal devices to identifying new threat vectors for phishing, employees need to refresh their security know-how now more than ever.
How to defend against data exfiltration (outbound threats) Exercise strict control over your VPN. Whether it’s disabling split tunneling on your  VPN or limiting local admin access, it’s absolutely vital that you minimize lateral movements within your network. This will not only help prevent insider threats from stealing data, but it will also prevent hackers from moving quickly from one device to another.  Block downloads of software and applications. This is one of the easiest ways to minimize the attack vectors within your network. By preventing downloads by individual users, you’ll be able to exercise more control over the software and applications your employees use. This way, only vetted tools and solutions will be available for use.  Secure your cloud services. As workforces around the world are suddenly remote, cloud services are more important than ever. But, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Create a system for onboarding and offboarding employees. Both negligent and malicious incidents of data exfiltration are on the rise. To prevent new starters or bad leavers from mishandling your data, make sure you create and communicate new policies for onboarding and offboarding employees. In order to be truly effective, this will need to be a joint effort between HR, IT and security teams. Update security awareness training. Again, remote-working brings with it a host of new security challenges. Give your employees the best chance of preventing data loss by updating your security awareness training. Bonus: Check your cybersecurity insurance. Organizations are now especially vulnerable to cyber attacks. While preventative measures like the above should be in place, if you have cybersecurity insurance, now is the time to review your policy to ensure you’re covered across both new and pre-existing threat vectors.  Our panelist cited two key points to review: If you are allowing employees to use personal devices for anything work-related, check whether personal devices are included in your insurance policy. Verify whether or not your policy places a cap on scams and social engineering attacks and scrutinize the language around both terms. In some instances, there may be different caps placed on these different types of attacks which means your policy may not be as comprehensive as you might have thought. For example, under your policy, what would a phishing attack fall under? 
How to stay compliant Share updated policies and detailed guides with employees. While employees may know and understand security policies in the context of an office environment, they may not understand how to apply them in the context of their homes. In order to prevent data loss (and fines), ensure your employees know exactly how to handle sensitive information. This could mean wearing a headset while on calls with clients or customers, avoiding any handwritten notes, and – in general – storing information electronically. Update security awareness training. As we’ve mentioned, organizations around the world have seen a spike in inbound attacks like phishing. And, when you consider that 91% of data breaches start with a phishing attack, you can begin to understand why it’s absolutely essential that employees in every department know how to catch a phish and are especially cautious and vigilant when responding to emails. Conduct a Data Protection Impact Assessment (DPIA). As employees have moved out of offices and into their homes, businesses need to ensure personal data about employees and customers is protected while the employees are accessing it and while it’s in transit, wherever that may be. That means compliance teams need to consider localized regulations and compliance standards and IT and security teams have to take necessary steps to secure devices with software, restricted access, and physical security. Note: personal devices will also have to be safeguarded if employees are using those devices to access work.  Remember that health data requires special care. In light of COVID-19, a lot of organizations are monitoring employee health. But, it’s important to remember that health data is a special category under GDPR and requires special care both in terms of obtaining consent and how it’s processed and stored.  This is the case unless one of the exceptions apply. For example, processing is necessary for health and safety obligations under employment law. Likewise, processing is necessary for reasons of public interest in the area of public health. An important step here is to update employee privacy notices so that they know what information you’re collecting and how you’re using it, which meets the transparency requirement under GDPR.   Revise your Business Continuity Plan (BCP). For many organizations, recent events will have been the ultimate stress test for BCPs. With that said, though, these plans should continually be reviewed. For the best outcome, IT, security, legal, and compliance teams should work cross-functionally. Beyond that, you should stay in touch with suppliers to ensure service can be maintained, consistently review the risk profile of those suppliers, and scrutinize your own plans, bearing in mind redundancies and furloughs.  Stay up-to-date with regulatory authorities. Some regulators responsible for upholding data privacy have been releasing guidance around their attitude and approach to organizations meeting their regulatory obligations during this public health emergency.  In some cases, fines may be reduced, there may be fewer investigations, they may stand down new audits, and – while they cannot alter statutory deadlines – there is an acknowledgment that there may be some delays in fulfilling certain requests such as Data Subject Access Requests (DSARs). The UK privacy regulator, the ICO, has said they will continue acting proportionately, taking into account the challenges organizations face at this time. But, regulators won’t accept excuses and they will take strong action against those who take advantage of the pandemic; this crisis should not be used as an artificial reason for not investing in security.  
Looking for more advice around remote-working and the new world of work? We’ve created a hub with curated content around remote working security which we’ll be updating regularly with more helpful guides and tips.
Spear Phishing
How to Spot and Avoid 2020 Census Scams
By Maddie Rosenthal
07 April 2020
In case you missed it, Tessian recently published a blog around the most common types of Tax Day scams in both the US and the UK.  Unfortunately, though, these aren’t the only opportunistic phishing attacks bad actors are carrying out this time of the year. They’re also launching Census scams.  As they do in Tax Day scams, cybercriminals will be impersonating government agencies. In this case, you’ll find they’re generally impersonating either the U.S. Census Bureau or an agent, or a third-party agency working for the U.S. Census Bureau. What do Census scams look like? Hackers have a range of threat vectors they can use to carry malware or gain access to sensitive information. In the past, we’ve seen attacks via email, phone, social media, job boards, and even traditional mail.  The common thread between all of these attacks is the request for sensitive personal information like home addresses, social security numbers, ethnicity and information related to the members of your household. This information could be used to make you a victim of identity theft. It’s important to remember that attacks may not ask directly for this information and may instead direct you to another webpage or portal via a link or QR code.  In this post, though, we’ll focus on email scams.  Example: Email Survey Scam
What’s wrong with this email? The US Census Bureau conducts surveys online, over the phone, via mail, or in-person, not via email.  While the Display Name looks authentic, the full email address is suspicious and inconsistent and doesn’t match the legitimate domain, which is @census.gov. Upon hovering over the link, you’ll see the URL is suspicious. Not only is the website connection not secure (remember: https indicates a secure connection), but the format and website name are both unusual.  Who will be targeted by Census scams?  Because it’s mandatory for all households to participate in the census, every US resident over 18 years of age is at risk of being targeted. That means that over the next several weeks, everyone in every state needs to exercise caution when responding to a request for personal information that appears to be coming from the U.S. Census Bureau or an affiliated individual or organization.   What do I do if I’m targeted by a phishing attack?  While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals should always follow the same guidelines if they think they’ve received a fraudulent request for information, whether by mail, email, SMS, or another online forum.  If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams – whether over email, online, or over the phone – is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If you’ve been targeted, report the attack to the Census Bureau. Call 1-800-354-7271, in English, or 1-800-833-5625, in Spanish. More resources The best way to stay safe is to stay informed.  The Census Bureau has issued its own advice on how to stay safe from phishing scams online and over the phone. Read their tips here. 
Human Layer Security Spear Phishing DLP Compliance Data Exfiltration
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
27 March 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home” It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.  Personal email accounts can be compromised, especially as they are often configured with weak passwords Email is not a default encrypted medium. If an attacker were in a position to intercept your email, they would be able to read them, and any attachments if not encrypted Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.  Public Wi-Fi vs. using a personal device as a hotspot While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.  As an employee, here’s what you can do to be safe: When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and let alert your IT team of the oversight.  Ensure you keeping VPN software on work devices up-to-date Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.  From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.  This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.  Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password. But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider: How the data is backed up Risks associated with denial of service (DOS) attacks  Legal complications that may arise from certain types of data being stored overseas Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important. Conferencing and collaboration tools Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.  We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.  For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.   
How to physically protect your devices Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.  This has the added benefit of showing clients or other professional contacts that the business takes security seriously. About that OOO message… “Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…” It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker. Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away. Top tips for businesses setting up remote-working policies…. Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight. When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them. Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake. Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout. Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions. Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments. Top tips for employees working from home… Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to. Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you. Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring. During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.  FTC online security tips for working from home NCSC issues guidance as home working increases in response to COVID-19 We’ll also continue sharing best practice tips both on our blog and on LinkedIn. 
Spear Phishing
Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks
17 March 2020
Hackers love emergencies and times of general uncertainty. Why? Because people are scared, distracted, potentially desperate, and are therefore vulnerable—making them ideal targets. As COVID-19 continues to spread and global concern about the pandemic rises, bad actors will be impersonating trusted institutions like healthcare organizations, insurance companies, banks, and airlines in order to steal money, harvest credentials, or install malware on your computer…and that’s just on the consumer side.  When it comes to business, trusted individuals and brands will be impersonated. For example, hackers will impersonate out-of-office CxOs and popular web conferencing applications, especially as organizations encourage and rely on remote-working. Internally at Tessian, we’ve shared tips with our employees on how to spot this type of scam and what to do in case you’re targeted. We think it’s important to spread the message and raise awareness with everyone.  Consumers: What Should You Look For? Hackers will be impersonating trusted brands. Carefully inspect all emails, but be especially wary of those coming from healthcare organizations, insurance companies, banks, and airlines, especially those that ask you to “Confirm you are safe”, “Confirm you haven’t traveled to recently affected COVID-19 countries”, or anything similar.  Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors or branding inconsistencies either in the logo, email template, or a landing page.  Employees: What Should You Look For? Hackers will be impersonating people within your organization and third-parties like suppliers or vendors. You should be cautious when responding to any internal email that mentions the sender being out-of-office and any third-party email that comes from a source you don’t recognize or that requires urgent action. Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors, language or requests that are out-of-character, and branding inconsistencies. These red flags are all a bit easier to spot when you have a bit more context. Below are just a few examples of phishing emails that you may see over the next few weeks. The Fraudulent Third-Party
What’s wrong with this email? The sender’s email address contains irregular characters and doesn’t match the Display Name. Organizations should send internal communications to let their employees know they’ve implemented new tools or platforms. You shouldn’t be hearing about it from the third-party first. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The Out-Of-Office Boss
What’s wrong with this email? The sender’s email address is from a freemail domain (@yahoo.com) and not from within the organization. The attacker is giving the email a sense of urgency. That attacker is using remote-working as a ploy to encourage the target to do something unusual. The attacker is impersonating a person in power; this is a common tactic in social engineering schemes. The Concerned Counterparty
What’s wrong with this email? The toplevel domain (.net) is unusual and inconsistent with previous emails from this supplier. The attacker is using fear and urgency to motivate the target to act. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The “Helpful” Government Organization
What’s wrong with this email? All valid email correspondence from WHO will come from @who.int, not any other variation. The attacker is using the fear of COVID-19 to motivate the target to download the malicious attachment. Like many other organizations, WHO has stipulated they will never send unsolicited emails containing attachments. The Proactive Health Insurance Provider
What’s wrong with this SMS? The attacker is using fear to motivate the target to act. Because no health insurance provider is mentioned by name, you can assume this text has been sent to a large pool of targets. Legitimate organizations will never ask you to update your payment details via text. The text message contains a shortened link; the target can’t see the URL of the website they’re being led to. Of course, knowing what these opportunistic phishing emails look like is just the first step. Actually knowing what to do if you’re targetted is what’s really important. What to Do If You’re Targeted  If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  If you’re an employee who’s been targeted, contact your line manager and/or IT team. We’ve all heard the phrase “prevention is better than cure” and phishing attacks are no exception. While knowing what to do if and when you’re targetted is incredibly valuable, it’s also important that both individuals and organizations know how to avoid being impersonated in the first place.  How to Avoid Being Impersonated For those of you who are working remotely or are otherwise Out of Office, don’t include any personally identifiable information (PII) in your automated emails or on social media. For example, don’t provide your personal mobile number or email address. Don’t tell people to email a colleague in your absence; this information helps bad actors map connections and relationships within an organization, which can be used to make future phishing emails seem more convincing. Hackers can use this to their advantage to target your colleagues. Organizations should implement SPF, DKIM, and DMARC to help prevent hackers from directly spoofing their domain.   Both brands and senior leadership should advise customers and employees what they will and will not ask for via email, phone, or text. People will then have a better sense of what requests are out of the ordinary and therefore suspicious.  As we continue sharing best practice tips with our employees to keep them secure while working remotely, we’ll share them with you, too. Check back on our blog for the latest updates.
Page
[if lte IE 8]
[if lte IE 8]