18 Actionable Insights From Tessian Human Layer Security Summit

  • By Maddie Rosenthal
  • 09 September 2020

In case you missed it, Tessian hosted its third (and final) Human Layer Security Summit of 2020 on September 9. This time, we welcomed over a dozen security and business leaders from the world’s top institutions to our virtual stage, including:

While you can watch the full event on YouTube below, we’ve identified 18 valuable insights that security, IT, compliance, and business leaders should apply to their strategies as they round out this year and look forward to the next.

Here’s what we learned at Tessian’s most recent Human Layer Security Summit. Not sure what Human Layer Security is? Check out this guide which covers everything you need to know about this new category of protection. 

1. Cybersecurity is mission-critical

Security incidents – whether it’s a ransomware attack, brute force attack, or data leakage from an insider threat – have serious consequences. Not only can people lose their jobs, but businesses can lose customer trust, revenue, and momentum.

While this may seem obvious to security leaders, it may not be so obvious to individual departments, teams, and stakeholders. But it’s essential that this is communicated (and re-communicated). 

Why? Because a company that’s breached cannot fulfill its mission. Keep reading for insights and advice around keeping your company secure, all directly from your peers in the security community.

2. Most breaches start with people

People control our most sensitive systems and data. It makes sense, then, that most data breaches start with people. But, that doesn’t mean employees are the weakest link. They’re a business’ strongest asset! So, it’s all about empowering them to make better security decisions.

That’s why organizations have to adopt people-centric security solutions and strategies.

“The human aspect of security is the first gating mechanism to a lot of the things we do. Look at large-scale breaches. 90% of those will have a human element, whether it’s a phishing attack or credential sharing. To be successful in implementing security change, you have to bring the larger organization along on the journey.”
Kevin Stroli Global CTO and UK CISO at PwC

The good news is, security leaders don’t face an uphill battle when it comes to helping employees understand their responsibility when it comes to cybersecurity…

3. Yes, employees are aware of their duty to protect data

Whether it’s because of compliance standards, cybersecurity headlines in mainstream media, or a larger focus on privacy and protection at work, Martyn Booth, CISO at Euromoney reminded us that most employees are actually well aware of the responsibility they bear when it comes to safeguarding data. 

This is great news for security leaders. It means the average employee will be more likely to abide by policies and procedures, will pay closer attention during awareness training, and will therefore contribute to a more positive security culture company-wide. Win-win.

4. But, employees are more vulnerable to phishing scams outside of their normal office environment 

While – yes – employees are more conscious of cybersecurity, the shift to remote working has also left them more vulnerable to attacks like phishing scams

“We have three “places”: home, work, and where we have fun. When we combine two places into one, it’s difficult psychologically. When we’re at home sitting at our coffee table, we don’t have the same cues that remind us to think about security that we do in the office. This is a huge disruption,” Jeff Hancock, Professor at Stanford University explained. 

Unfortunately, hackers are taking advantage of these psychological vulnerabilities. And, as David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec pointed out, this isn’t anything new. Cybercriminals have always been opportunistic in their attacks and therefore take advantage of chaos and emotional distress. 

To prevent successful opportunistic attacks, he recommends that you:

  1. Reassess what the new baseline is for attacks
  2. Educate employees on what threats look like today, given recent events
  3. Identify which brands, organizations, people, and departments may be impersonated (and targeted) in relation to the pandemic

But, it’s not just inbound email attacks we need to be worried about. 

5. They’re more likely to make other mistakes that compromise cybersecurity, too

This change to our normal environment doesn’t just affect our ability to spot phishing attacks. It also makes us more likely to make other mistakes that compromise cybersecurity. Across nearly every session, our guest speakers said they’ve seen more incidents involving human error and that security leaders should expect this trend to continue.

That’s why training, policies, and technology are all essential components of any security strategy. More on this below.

6. Security awareness training has to be ongoing and ever-evolving

At our first Human Layer Security Summit back in March, Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, highlighted three key flaws in security awareness training:

  1. It’s boring
  2. It’s often irrelevant
  3. It’s expensive

What he said is still relevant six months on and it’s a bigger problem than ever, especially now that the perimeter has disappeared, security teams are short-handed, and individual employees are working at home and on their own devices.

So, what can security leaders do? 

Kevin Storli, Global CTO and UK CISO at PwC highlighted the importance of tailoring training to ensure it’s always relevant. That means that instead of just reminding employees about compliance standards and the importance of a strong password, we should also be focusing on educating employees about remote access, endpoints, and BYOD policies.

But one training session isn’t enough to make security best practice really stick. These lessons have to be constantly reinforced through gamification, campaigns, and technology. 

Tim Fitzgerald, CISO at Arm highlighted how Tessian’s in-the-moment warnings have helped his employees make the right decisions at the right time. 

“Warnings help create that trigger in their brain. It makes them pause and gives them that extra breath before taking the next potentially unsafe step. This is especially important when they’re dealing with data or money. Tessian ensures they question what they’re doing,” he said.

  • How does Tessian reinforce security awareness training?

    Tessian’s in-the-moment warnings provide context to help users make informed decisions. For example, if an employee is attempting to send sensitive information to their personal email account, an alert will be triggered, asking them to consider whether or not the action is aligned with company policy. This reinforces security training, reminds employees of existing policies, and improves their security reflexes over time.

7. You have to combine human policies with technical controls to ensure security 

It’s clear that technology and training are both valuable. That means your best bet is to combine the two.

In discussion with Ed Bishop, Tessian Co-Founder and CTO, Merritt Baer, Principal Security Architect at AWS and Rachel Beard, Principal Security Technical Architect at Salesforce, both highlighted how important it is for organizations to combine policies with technical controls. But security teams don’t have to shoulder the burden alone.

When using tools like Salesforce, for example, organizations can really lean on the vendor to understand how to use the platform securely. Whether it’s 2FA, customized policies, or data encryption, many security features will be built-in. 

8. But…Zero Trust security models aren’t always the answer

While – yes – it’s up to security teams to ensure policies and controls are in place to safeguard data and systems, too many policies and controls could backfire. That means that “Zero Trust” security models aren’t necessarily the best way to prevent breaches.

“Ultimately, you have to think of user experience, too. Just because you can lock down everything, doesn’t mean you should. We’ve seen that there can be negative consequences if security puts an unnecessary burden on the user.”
Merritt Baer Principal Security Architect at AWS

9. Security shouldn’t distract people from their jobs 

Security teams implement policies and procedures, introduce new software, and make training mandatory for good reason. But, if security becomes a distraction for employees, they won’t exercise best practice. 

The truth is, they just want to do the job they were hired to do! 

Top tip from the event: Whenever possible, make training and policies customized, succinct, and relevant to individual people or departments. 

10. It also shouldn’t prevent them from doing their jobs 

This insight goes back to the idea that “Zero Trust” security models may not be the best way forward. Why? Because, like Rachel, Merrit, Sandeep, and Martyn all pointed out: if access controls or policies prevent an employee from doing their job, they’ll find a workaround or a shortcut.

But, security should stop threats, not flow. That’s why the most secure path should also be the path of least resistance. Security strategies should find a balance between the right controls and the right environment. 

This, of course, is a challenge, especially when it comes to rule-based solutions. “If-then” controls are blunt instruments. Solutions powered by machine learning, on the other hand, detect and prevent threats without getting in the way. You can learn more about the limitations of traditional data loss prevention solutions in our report The State of Data Loss Prevention 2020

11. Showing downtrending risks helps demonstrate the ROI of security solutions 

Throughout the event, several speakers mentioned that preemptive controls are just as important as remediation. And it makes sense. Better to detect risky behavior before a security incident happens, especially given the time and resources required in the event of a data breach. 

But tracking risky behavior is also important. That way, security leaders can clearly demonstrate the ROI of security solutions. Martyn Booth, CISO at Euromoney, explained how he uses Tessian Human Layer Security Intelligence to monitor user behavior, influence safer behavior, and track risk over time.

“We record how many alerts are sent out and how employees interact with those alerts. Do they follow the acceptable use policy or not? Then, through our escalation workflows that ingest Tessian data, we can escalate or reinforce. From that, we’ve seen incidents involving data exfiltration trend downwards over time. This shows a really clear risk reduction,” he said.

12. Targeted attacks are becoming more difficult to spot and hackers are using more sophisticated techniques

As we mentioned earlier, hackers take advantage of psychological vulnerabilities. But, social media has turbo-charged cybercrime, enabling cybercriminals to create more sophisticated attacks that can be directed at larger organizations. Yes, even those with strong cybersecurity.

Our speakers mentioned several examples, including Garmin and Twitter.

So, how do they do it? Research! LinkedIn, company websites, out-of-office messages, press releases, and news articles all provide valuable information that a hacker could use to craft a believable email. But, there are ways to limit open-source recon. See tips from David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, below. 

  • Tips From a Hacker: How to Limit Open-Source Recon

    1. Don’t publicly share which security solutions, technology platforms, or collaboration tools your organization uses
    2. Educate employees on what type of information hackers can use to target or impersonate them.

13. Deepfakes are a serious concern

Speaking of social media, Elvis M Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”,  took a deep dive into deepfakes. And, according to Nina, “This is not an emerging threat. This threat is here. Now.While we tend to associate deepfakes with election security, it’s important to note that this is a threat that affects businesses, too. 

In fact, Tim Fitzgerald, CISO at Arm, cited an incident in which his CEO was impersonated in a deepfake over Whatsapp. The ask? A request to move money. According to Tim, it was quite compelling. 

Unfortunately, deepfakes are surprisingly easy to make and generation is outpacing detection. But, clear policies and procedures around authenticating and approving requests can ensure these scams aren’t successful.

Not sure what a deepfake is? We cover everything you need to know in this article: Deepfakes: What Are They and Why Are They a Threat?

14. Supply chain attacks are, too 

In conversation with Henry Treveleyan Thomas, Head of Customer Success at Tessian, Kevin Storli, Global CTO and UK CISO at PwC discussed how organizations with large supply chains are especially vulnerable to advanced impersonation attacks like spear phishing.

“It’s one thing to ensure your own organization is secure. But, what about your supply chain? That’s a big focus for us: ensuring our supply chain has adequate security controls,” he said.

Why is this so important? Because hackers know large organizations like PwC will have robust security strategies. So, they’ll look for vulnerabilities elsewhere to gain a foothold.

That’s why strong cybersecurity can actually be a competitive differentiator and help businesses attract (and keep) more customers and clients. 

15. People will generally make the right decisions if they’re given the right information

88% of data breaches start with people. But, that doesn’t mean people are careless or malicious. They’re just not security experts. That’s why it’s so important security leaders provide their employees with the right information at the right time. Both Sandeep Amar, CPO at MSCI and Tim Fitzgerald, CISO at Arm talked about this in detail. 

It could be a guide on how to spot spear phishing attacks or – as we mentioned in point #6 – in-the-moment warnings that reinforce training.  

Check out their sessions for more insights

16. Success comes down to people

While we’ve talked a lot about human error and psychological vulnerabilities, one thing was made clear throughout the Human Layer Security Summit. A business’s success is completely reliant on its people.

And, we don’t just mean in terms of security.

Howard Shultz, Former CEO at Starbucks, offered some incredible advice around leadership which we can all heed, regardless of our role. In particular, he recommended:

  1. Creating company values that really guide your organization
  2. Ensuring every single person understands how their role is tied to the goals of the organization
  3. Leading with truth, transparency, and humility
“If you have a great strategy but a bad culture, 9 times out of 10 you're not going to achieve the aspiration of the strategy. The execution will be lost. But, if you have a world-class culture with a currency of trust, you're going to take the hill together. Even if you link that with an average strategy and a lot of competition, you’ll win. Culture trumps strategy.”
Howard Shultz Former CEO at Starbucks

17. But people are dealing with a lot of anxiety right now

Whether you’re a CEO or a CISO, you have to be empathetic towards your employees. And, the fact is, people are dealing with a lot of anxiety right now. Nearly every speaker mentioned this.

We’re not just talking about the global pandemic.  We’re talking about racial and social inequality. Political unrest. New working environments. Bigger workloads. Mass lay-offs. 

Joseph Blankenship, VP Research, Security & Risk at Forrester, summed it up perfectly, saying “We have an anxiety-ridden user base and an anxiety-ridden security base trying to work out how to secure these new environments. We call them users, but they’re actually human beings and they’re bringing all of that anxiety and stress to their work lives.”

That means we all have to be human first. And, with all of this in mind, it’s clear that…..

18. The role of the CISO has changed 

Sure, CISOs are – as the name suggests – responsible for security. But, to maintain security company-wide, initiatives have to be perfectly aligned with business objectives, and every individual department, team, and person has to understand the role they play.

Kevin Storli, Global CTO and UK CISO at PwC touched on this in his session. “To be successful in implementing security change, you have to bring the larger organization along on the journey. How do you get them to believe in the mission? How do you communicate the criticality? How do you win the hearts and minds of the people? CISOs no longer live in the back office and address just tech aspects. It’s about being a leader and using security to drive value.

That’s a tall order and means that CISOs have to wear many hats. They need to be technology experts while also being laser-focused on the larger business. And, to build a strong security culture, they have to borrow tactics from HR and marketing. 

The bottom line: The role of the CISO is more essential now than ever. It makes sense. Security is mission-critical, remember?

If you’re looking for even more insights, make sure you watch the full event, which is available on-demand. You can also check out previous Human Layer Security Summits on YouTube.

Maddie Rosenthal