13 Things We Learned at Tessian Virtual Human Layer Security Summit

  • 18 June 2020

Tessian’s Virtual Human Layer Security Summit was an incredible success thanks to our partners, speakers, and – of course – all of those who attended.

Over 1,000 security, IT, compliance, business, and HR professionals watched as we explored how business models have changed, what these changes mean for all of us, and what to expect over the next several months.

If you weren’t able to tune into the Summit yesterday, don’t worry! You can watch the full video below or access it on-demand.

We’ve summarized some of the key points into relevant and actionable advice. Share these with your co-workers, share them on social media, or bookmark this blog for yourself.

Here’s what we learned at Tessian Virtual Human Layer Security Summit.

1. We must treat our employees with empathy and compassion. 

While the event was focused on cybersecurity and tech, one of the most important takeaways from the day is about being human. The Summit kicked off with an important reminder from Bobby Ford, Vice President and Global CISO at Unilever: “We’re not just working from home, we’re working from home during a crisis.”

While – yes – we’re all trying to conduct “business as usual”, all of us are dealing with unique challenges. Many parents have suddenly taken on the roles of teachers, and living rooms have been transformed into makeshift co-working spaces for partners and roommates. And this doesn’t even account for the emotional stress of a global pandemic and current social and political unrest. 

There’s a lot to navigate, process, and overcome, and many of us are distracted, stressed, and anxious. And that’s okay.

As leaders and as humans, we have to be empathetic and compassionate. We have to take the mental wellbeing of our employees seriously and give them the tools, resources, and support they need to thrive, wherever they’re working.

“This is not normal remote-work. People may be sick, they may be scared of being sick, they may have people close to them who are sick, they may have children at home, they may have multiple people on Zoom at any given time and not enough bandwidth to connect. Rule number one is empathy. This is a tough time for everyone and leading with care and love is one of the best things we can do.”
Stephane Kasriel Former CEO of Upwork

2. The secure thing to do should be the easiest thing to do. 

Let’s face it. Security isn’t the average employee’s top priority. They just want to do their job. Over half (54%) of employees say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job. 

That’s why it’s so important that we implement policies, procedures, and tech that’s frictionless. 

Bobby put this into perspective with an example from his own life.  When you’re a parent helping your son or daughter learn how to walk, what do you do? Child-proof the house and get outta the way! That’s what we need to be doing as security leaders.

Make sure the most secure path is the path of least resistance, whether that’s ensuring your employees have a secure way to print and dispose of documents or implementing flexible BYOD policies

3. Detection and prevention alone aren’t enough. 

We all work hard to detect and prevent both inbound and outbound threats. And, while even that isn’t always easy, that’s not our only job. We also have to have to maintain visibility of risks, manage teams that are often thinly stretched, move quickly from investigation to remediation, and communicate threats to executive teams. 

Almost impossible, right? Not anymore. 

Tessian’s Group Product Manager, Harry Wetherald and Product Marketing Manager, Shanthi Shambathkumar, announced some very exciting news during the Summit: the launch of Human Layer Security Intelligence.

With HLS Intelligence, security leaders can now predict, prevent, and protect against threats with zero manual investigation. That means you can continuously and proactively downtrend risks in your organization.

Want to learn more? We outline all the benefits of Human Layer Security Intelligence and explore use cases on our blog: Introducing Tessian Human Layer Security Intelligence.

4. Executive teams must invest in security now.

 While cybersecurity has historically been a siloed department, it’s becoming more and more integrated with overall business functions. In fact, it can actually be a business enabler and a unique selling point for customers and prospects

But, only if your organization is secure. And, as Clive Novis, Chief IT Risk Officer at Investec pointed out, it takes a village to ensure data is protected which means cybersecurity initiatives must get support from senior executives first.

During the customer panel discussion, he said “The tone is set from the top in terms of the security culture. They help ensure not only that controls are effective, but that those controls are consistent across the globe.”

Needless to say, this is more important now than ever. As we continue to adapt to new remote and hybrid working structures, many of us are introducing new policies and solutions and we need buy-in across departments for these policies and solutions to work.

5. Email is the #1 threat vector. 

Over the last few months, we’ve heard a lot about the dangers of Zoombombing. But, we’ve heard even more about COVID-19 themed phishing attacks, Tax Day scams, and 2020 Census scams. (Jump to #7 for more information.)

With that said, email is the threat vector most security and IT leaders are concerned about.

“We have all these new communication and collaboration platforms, but it’s still good ol’ email that’s causing the majority of our problems. It’s widely used and it’s certainly an easy way to attack folks.”
Garrett Bekker Principal Analyst, Information Security at 451 Research

It makes sense. Over 124 billion business emails are sent and received every day and employees spend 40% of their time on email sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data. It’s a gold mine.

The bottom line: We need to be leveling up our DLP efforts on email.

6. Security incidents are happening up to 38x more than IT leaders currently estimate. 

During the Summit, Tessian Co-founder and CEO Tim Sadler presented some of the key findings from our most recent report The State of Data Loss Prevention 2020. Our research reveals that data loss on email is a bigger problem than most realize, that remote-working brings new challenges around DLP, and that the solutions currently deemed most effective may actually be the least.

While we addressed the frequency of misdirected emails and malicious data exfiltration, one of the most startling facts involves employees sending company data to personal email accounts. 

At Tessian, we call these unauthorized emails, and according to our platform data, they’re being sent 27,500 times a year in organizations with 1,000 employees. Meanwhile, IT leaders estimate just 720 are sent. That’s a big difference and highlights the need for effective data loss prevention solutions. 

Follow the links to learn more about how Tessian detects and prevents accidental data loss and data exfiltration attempts

7. Phishing is still a big problem. 

While phishing has always been a problem for organizations, we’ve seen a marked spike in incidents over the last few months. And it’s not just Tessian who has taken note. Elvis Chan, Supervisory Special Agent, National Security at the FBI has, too. 

For him, phishing is the biggest risk.

“There are a lot of bad people out there looking to take advantage of you. They’re using COVID-19 as a social engineering tactic and a lure for spear phishing, phishing, and for making fraudulent websites.”
Elvis Chan Supervisory Special Agent, National Security at the FBI

What does this mean for you? Continue educating your employees about the risks associated with phishing and how to spot these attacks and ensure they’re protected with tech

8. Security policies don’t stick unless they’re continuously reinforced. 

We’ve said it before, but we’ll say it again: The average employee doesn’t care about security as much as you do. They just want to do their job. That means we have to continuously reinforce security policies, especially now that workforces are distributed. 

But, repetition isn’t enough. 

We have to communicate in terms our employees understand. Angela Henry, Business Information Security Officer at Rand Merchant Bank, recommends educating employees on business data privacy best practice alongside consumer data privacy best practice.

Share tips that are relevant to their personal lives. Offer advice on how to keep their children secure online. Prepare resources around how to stay safe on e-commerce sites.

Not only does this help foster a positive security culture in the office, but it also helps employees stay safe and secure at home

9. …And policies aren’t effective unless they’re bolstered by technology.

 While educating employees about policies is a vital part of any security strategy, it isn’t enough to prevent inbound and outbound threats and subsequent data breaches. 

After all, we’re only human. We break the rules, make mistakes, and can be easily tricked. In fact, 44% of breaches are caused by human error.

Elvis summed it up nicely when he said, “Even if we’re at technology 5.0, we’re still at human being 1.0.” 

So, what do we do? Garrett recommends bolstering training with technology to ensure that people aren’t the last line of defense, saying “My ultimate view is that user awareness training is fine but – in mathematical terms – it’s necessary but not sufficient. I think it needs to be used in conjunction with other tools.”

10. Security needs diversity to thrive. 

Throughout the Human Layer Security Summit, we talked a lot about security pre- and post-pandemic. But, Merrit Baer, Principal Security Architect at Amazon Web Services pointed out something else we shouldn’t forget.

“Security is a process. It’s a human-level endeavor, and technology is human-made. That’s why we need diverse development and security teams.”
Merrit Baer Principal Security Architect at Amazon Web Services

She’s right. Cybersecurity needs diversity to thrive. 

This diversity isn’t limited to gender or ethnic diversity. The field is wide open for a range of educational and professional backgrounds, from psychology majors to business analysts and just about everything in between. 

You can read more about the opportunities available in cybersecurity in our report Opportunity in Cybersecurity 2020.

11. Remote working isn’t temporary.

According to a recent poll by 451 Research, 38% of businesses expect work-from-home strategies will continue post-pandemic. And, when you consider companies like Facebook have already announced they’re permanently embracing remote-work, we should expect more to follow.

The point? We should equip our workforces to thrive at home and ensure that we’re maintaining a strong security culture company-wide while also supporting our employees mentally and emotionally. (See #1.) 

12. …And that doesn’t have to be a bad thing. 

There are new and perennial challenges we must overcome in order to support a full-time remote workforce, but there are a number of benefits, too.

Don’t take our word for it. Stephane Kasriel, Former CEO of Upwork – a company that has maintained a hybrid remote-working structure across 500 cities for nearly a decade – offered attendees of the Summit several reasons why this is something to look forward to, not dread. 

To start, remote-working enables companies to find and work with the best talent, not just local talent. Beyond that, employees have more freedom to design their lives. They can more easily balance work and life, relocate as and when they need or want to, and create environments in which they can really thrive. 

13. The Secret? Adapt, adopt, evolve. Repeat. 

If there’s one thing that was made clear throughout every panel discussion, fireside chat, and interview, it’s that things have changed and will continue to change. The only way to succeed is to adapt and evolve.

Adopt new technologies. Embrace new ways of working. Lean on peers and professional networks for advice. 

In the spirit of change, we’ve put together a list of resources that will help you navigate security and business challenges of the present and future. 

Did we miss anything? Feel free to email [email protected] with your key learnings.