7 Things We Learned at Tessian Human Layer Security Summit
Tessian •
Tuesday, March 2nd 2021
Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.
That’s a wrap! Thanks to our incredible line-up of speakers and panelists, the first Human Layer Security Summit of 2021 was jam-packed with insights and advice that will help you level-up your security strategy, connect with your employees, and thrive in your role.
Looking for a recap? We’ve rounded up the top seven things we learned.
1. CISOs can’t succeed without building cross-functional relationships
Today, security leaders are responsible for communicating risk, enabling individuals and teams, and influencing change at all levels of the organization.
That’s easier said than done, though, especially when research shows that less than 50% of employees (including executives) can identify their CISO.
The key is building relationships with the right people. But how?
Patricia Patton, Human Capital Strategist and Executive Coach, Annick O’Brien, Data Protection Officer and Cyber Risk Officer, and Gaynor Rich, Global Director Cybersecurity Strategy & Transformation at Unilever tackled this topic head-on and introduced a new framework for security leaders to use: Relationship 15.
“This framework gives you the opportunity to be intentional about the relationships you want to build and be proactive in making connections versus repairing broken relationships. This helps build trust, which is essential for security leaders. You must build trust with the rest of the business to succeed.”
Patricia Patton
Human Capital Strategist and Executive Coach
Find out more by watching the full session below or check out this blog to download a template for the Relationship 15 Framework.
2. Securing your own organization isn’t enough. You have to consider your supply chain’s attack surface and risk profile, too
We often talk about how cybersecurity is a team sport. And it is. But, today your “team” needs to extend beyond your own network.
Why? Because more and more often, bad actors are gaining access to the email accounts of trusted senders (suppliers, customers, and other third-parties) to breach a target company in account takeover (ATO) attacks.
The problem is, you’re only as strong as the weakest (cybersecurity) link in your supply chain, and these sophisticated attacks slip right past Secure Email Gateways (SEGs), legacy tools, and rule-based solutions.
Marie Measures, CTO, at Sanne Group, and Joe Hancock, Head of Cyber at Mishcon de Reya explain how firms in both the legal sector and financial services are preventing these threats by consulting enterprise risk management frameworks, partnering with customers, and leveraging technology.
3. If you want to understand and reduce risk, you need data (and smart tech)
Throughout the Human Layer Security Summit, one word was repeated over, and over, and over again. Visibility.
It makes sense. Clear visibility of threats is the first step in effectively reducing risk. But, because so many security solutions are black boxes that make investigation, remediation, and reporting admin-intensive, this can be a real challenge.
We have a solution, though. Tessian Human Layer Risk Hub. This game-changing product (coming soon!) enables security and risk management leaders to deeply understand their organization’s security posture by providing granular visibility and reporting into individual user risk levels.
How? Each user is assigned a risk score based on dozens of factors and risk drivers, including email behavior, training track record, and access to sensitive information. This clearly shows administrators who needs help (on an individual level and a team level).
The tool also intelligently recommends actions to take within and outside the Tessian portal to mitigate risk. Finally, with industry benchmarking and dashboards that show how risk changes over time, you’ll be able to easily track and report progress.
4. Rule-based solutions aren’t enough to prevent data exfiltration
“They say security is a thankless job. But Tessian was the first security platform that we deployed across the organization where I personally received ‘thank you’s’ from employees who would have made a mistake with potentially dire consequences, but didn’t because of Tessian.”
Elsa Ferreira
CISO at Evercore
If you’re interested in learning more about Human Layer Security, this is the session for you.
David Aird, IT Director at DAC Beachcroft, and Elsa Ferreira, CISO at Evercore take a deep dive into why people make mistakes, what the consequences of those mistakes are, and how they – as security leaders – can support their employees while protecting the organization.
Spoiler alert: blunt rules, blocking by default, and one-and-done training sessions aren’t enough.
To learn how they’re using Tessian to automatically prevent data exfiltration and reinforce training/policies – and to hear what prompted Elsa to say “They say security is a thankless job. But Tessian was the first security platform that we deployed across the organization where I personally received ‘thank you’s’ from employees…”– watch the full session.
5. When it comes to security awareness training, one size doesn’t fit all
Security awareness training is an essential part of every cybersecurity strategy. But, when it comes to phishing prevention, are traditional simulation techniques effective?
According to Joe Mancini, VP Enterprise Risk at BankProv, and Ian Schneller, CISO, at RealPage they’re important… but not good enough on their own.
Their advice:
Find ways to make training more engaging and tailored to your business initiatives and employees’ individual risk levels
Focus on education and awareness versus “catching” people
Make sure training is continuously reinforced (Tessian in-the-moment warnings can help with that)
Don’t just consider who clicks; pay attention to who reports the phish, too
Consider what happens if an employee fails a phishing test once, twice, or three times
Nina Schick, Deepfakes expert, Dan Raywood, Former deputy-editor at Infosec Magazine, and Samy Kamkar, Privacy and Security Researcher and Hacker went back and forth, discussing the biggest moments in security over the last year, what’s top of mind today, and what we should prepare for in the next 5-10 years.
Insider threats, state-sponsored threats, and human error made everyone’s lists…and so did AI.
“AI will change the industry over the next decade, both as a tool against threats and for malicious use. It will be at the center of solutions, but it will also be weaponized.”
Nina Schick
Deepfakes Expert
Watch the full session to hear more expert insights.
7. Hackers can – and do – use social media and OOO messages to help them craft targeted social engineering attacks against organizations
Spear phishing, Business Email Compromise (BEC), and other forms of social engineering attacks are top of mind for security leaders. And, while most organizations have a defense strategy in place – including training, policies, and technology – there’s one vulnerability most of us aren’t accounting for. Our digital footprints.
Every photo we post, status we update, person we tag, and place we check-in to reveals valuable information about our personal and professional lives. With this information, hackers are able to craft more targeted, more believable, and – most importantly – more effective social engineering attacks.
So, what can you do to level-up your defenses? Jenny Radcliffe, Host of The Human Factor, and James McQuiggan, CISSP Security Awareness Advocate, KnowBe4, share personal anecdotes and actionable advice in the first session of the Human Layer Security Summit.
Want to join us next time? Subscribe to our blog below to be the first to hear about events, product updates, and new research.