The Risks of Sending Data to Your Personal Email
Tuesday, April 2nd, 2019
Across all industries, people routinely send work from their corporate email account to their personal account to more easily work from home, or outside of office hours. On the surface, this may not pose any great threat to your organization, be it because your employees are careful, or because the data they handle isn’t sensitive enough.

The main reason employees send work home is that it’s easier. Easier than accessing files through the corporate VPN, easier than digging out the randomly generated password to their work email for use at home, easier than printing off everything they need and taking it home with them. They send an email, go home, and the documents are ready and waiting.

In early 2017, an airline employee sent a spreadsheet containing approximately 36,000 employee records home so his wife could help with a formatting problem. Based on data from the Ponemon Institute, this single spreadsheet may have cost the company as much as $5.7m. While bad practice, a security breach like this (it doesn’t have to be damaging, or even publicized, to constitute a breach) will most of the time not result in damage or require clean-up, but the one time it does, the financial and reputational risk can be high.

There is also the possibility that disgruntled employees may deliberately send information to their personal email to more easily disseminate it to competitors or the press, as happened in 2016. A former employee at a UK law firm was found liable by the ICO and prosecuted under the Data Protection Act for sending confidential client data to their personal account, which they hoped to use as leverage in their new role at a rival company.
Loss of data through personal email could mean:
• Breach of contracts or non-disclosure agreements
• Loss of IP and proprietary research
• Breach of data protection regulations
• Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)

In brief: something as seemingly insignificant as sending sensitive company data to a personal email account can be devastating.

“Nearly 75% of office employees send work files to a personal email account, a majority of whom say it’s because they prefer using their own computer, while 14% say it’s because it’s too much work to bring their work laptop home.”

How do you fix the problem?

1. Educate your workforce
Make sure your employees know how to observe best data security practices. Make sure they understand how best to secure the data they work with, especially confidential data, and ensure they adhere to company data security policies, hosting refresher courses if necessary. The ICO has released some posters to help you on your way.

2. Ease of access
Try as much as possible to ensure that your employees don’t feel the need to send work to their personal emails. Implement secure file storage platforms they can access from home (SharePoint, GSuite, etc) or a corporate VPN so they can securely access the company network from anywhere. You need to strike that happy middle ground between “easy to use but insecure” and “airtight but really disruptive”.

3. Be proactive, not reactive
Choose email security platforms that offer the most complete protection against sending to unauthorized email accounts before it becomes a problem, instead of being left scrambling for a solution in the aftermath. Find a solution that tracks and logs attempts to send data to a personal email address, and use the metrics to open a conversation with employees about data protection.
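The "track and log attempts" step above, as an added example that is not part of the original post or Tessian's product: an outbound-mail check that flags messages to personal webmail accounts, rates the ones that look like an employee mailing work to themselves with an attachment (the airline-spreadsheet pattern), and records each attempt so there are metrics to discuss. The personal-domain list, the hypothetical domain example-corp.com and the sample messages are constructed assumptions.

```python
"""Added example, not Tessian's code: a simple outbound-mail check that flags
messages to personal webmail accounts and records each attempt, so the
metrics can drive the conversation the post recommends.
The domain list, the corporate domain and all sample messages are
constructed assumptions."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Consumer webmail domains the policy treats as "personal" (assumed list).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    attachments: list = field(default_factory=list)


def _split(addr):
    """Return (local_part, domain) in lower case; ("", "") if malformed."""
    if "@" not in addr:
        return "", ""
    local, domain = addr.lower().rsplit("@", 1)
    return local, domain


def _name_tokens(local):
    """'craig.walker' or 'craig_walker92' -> {'craig', 'walker'}."""
    return {t for t in re.split(r"[._\-\d]+", local) if len(t) >= 3}


def looks_like_self_send(sender, recipient):
    """True when the recipient mailbox name shares a name token with the
    sender's corporate mailbox (j.smith@corp -> jsmith@gmail), the
    'send it home to work on later' pattern the post describes."""
    s_tokens = _name_tokens(_split(sender)[0])
    r_local = _split(recipient)[0]
    return bool(s_tokens & _name_tokens(r_local)) or any(t in r_local for t in s_tokens)


def assess(mail):
    """Classify one outbound message.

    severity: 'none'   no recipient at a personal domain
              'low'    personal recipient, no attachment, not a self-send
              'medium' attachment OR self-send
              'high'   attachment AND self-send (the airline-spreadsheet case)
    """
    personal = [r for r in mail.recipients if _split(r)[1] in PERSONAL_DOMAINS]
    if not personal:
        return {"severity": "none", "personal": [], "self_send": []}
    self_send = [r for r in personal if looks_like_self_send(mail.sender, r)]
    if mail.attachments and self_send:
        severity = "high"
    elif mail.attachments or self_send:
        severity = "medium"
    else:
        severity = "low"
    return {"severity": severity, "personal": personal, "self_send": self_send}


def audit_line(mail, verdict):
    """One log line per flagged attempt; this is the record the post says to keep."""
    return "personal-email-attempt sender=%s to=%s attachments=%d severity=%s" % (
        mail.sender, ",".join(verdict["personal"]), len(mail.attachments), verdict["severity"])


def report(mails):
    """Run the check over a batch; return (audit lines, attempts per sender)."""
    lines, per_sender = [], Counter()
    for m in mails:
        v = assess(m)
        if v["severity"] != "none":
            lines.append(audit_line(m, v))
            per_sender[m.sender] += 1
    return lines, per_sender


# Constructed sample traffic (hypothetical domain example-corp.com).
SAMPLE = [
    OutboundMail("craig.walker@example-corp.com", ["craigwalker@gmail.com"],
                 "staff list", ["employees.xlsx"]),
    OutboundMail("craig.walker@example-corp.com", ["client@partner.example"],
                 "contract", ["contract.pdf"]),
    OutboundMail("ann@example-corp.com", ["friend@yahoo.com"], "lunch?"),
]

if __name__ == "__main__":
    for line in report(SAMPLE)[0]:
        print(line)
```

The per-sender counter is the metric the post suggests opening the conversation with; the audit lines are what you keep for the one case that does turn into a breach.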
Tessian Wins Best Cybersecurity Service at Prestigious Hedge Fund Awards
Friday, March 29th, 2019
Tessian was named the Best Cybersecurity Service at the HMF European Hedge Fund Services Awards, in light of our innovative work to secure the human layer and prevent data breaches in hedge funds. Hosted at the Natural History Museum, the spectacular awards ceremony celebrated hedge fund service providers that have demonstrated exceptional client service, innovative product development and strong and sustainable business growth over the past 12 months. Tessian was shortlisted along with six other cybersecurity companies that provide solutions to protect hedge funds from cyber attacks.
We were thrilled to be rewarded by the judges – a panel of leading hedge fund COOs, CFOs, GCs and CTOs – as the best-in-class cybersecurity solution for this industry. The award recognized how Tessian has fundamentally changed the way hedge funds approach cybersecurity – focusing on protecting the human layer, rather than just securing a company’s networks and devices. This is incredibly important because 86% of data breaches can be attributed to human error, whether that’s accidentally sending an email containing sensitive data to the wrong person or falling victim to a phishing attack. When you consider that 60% of the organizations hit with phishing attacks during Q4 of 2017 were financial institutions, the threat in this particular industry is not one to be ignored. By using machine learning to analyze historical email data – the leading indicator of human behavior in the enterprise – our technology can automatically understand relationships, context and communication patterns of people. By understanding normal communication, we can automatically identify and prevent email threats before they occur.  
Tessian Spotlight: Craig Walker, Global Chief Information Officer for Shell Downstream at Shell International Petroleum Company
Tuesday, March 26th, 2019
Craig Walker has nearly 30 years of experience with Shell spanning locations such as the US, Colombia, South Africa, Saudi Arabia, UAE and the UK. Originally joining Shell as a programmer in 1981, and after a 6-year stint at KPMG in the early 2000s, Craig is now the global CIO for the Shell Downstream business. This includes trading, manufacturing and refinery as well as the B2B businesses such as marine, aviation and retail.

What are the greatest challenges you have overcome since you became CIO for the Downstream business?

I was originally brought in to put the IT processes right, as Shell was not doing the best it could have been at the time; it wasn’t moving quickly enough or being very agile. I managed to cut down my budget by 44% by the end of 2018, all at a time when digital transformation is one of the hottest topics in the board room. It was a difficult process, but we ultimately managed to do this through various initiatives to increase talent and reduce the number of outsourced employees. I also restructured my team to make sure that everyone had the skills, such as agility and speed, to thrive in a modern IT department. Another key action I took when I arrived was to outline the 3 themes that my team would cover:
1. We focused on commerciality. If you don’t understand how the business makes money, then you cannot be an effective IT person. You have no accurate framework of how to prioritise your work. Everyone at Shell is a business person; it just so happens that IT people come to work with an IT toolkit.
2. We established one true team. You cannot have a high performing team if people cannot work effectively with each other.
3. The team became very results-oriented. It’s all about putting a dollar on the bottom line of the business; ultimately, that’s why you are doing it.
Another challenge is keeping up-to-date with all of the tech nowadays which, as an IT leader, you absolutely must do.
You have to have the 101 knowledge to engage the business effectively and understand the possibilities of the tech. Ideally, 10% of your time should be spent learning about new topics.

How should CIOs ideally work with the rest of the board?

The CIO has to use the same business speak as anyone else does; you have to take your speciality up to a level where colleagues understand why it is relevant to them and their bottom line. Otherwise, it will not have an impact. Another very important aspect is having the ability to tell a story and bring a vision to life. For example, I use clips from JFK’s Moonshot speech a lot and, at one point, he says that they are going to build a rocket out of material that hasn’t been invented yet. Well, I’m trying to build a business model with technology that people are just beginning to understand. You have to be able to convey all of this in a convincing way and show the rest of the board the art of the possible without overselling. You have to show up as a business person, which is not easy for a lot of CIOs as they come from a highly technical background. This is why I say that one of my greatest learnings at KPMG was the ability to tell an engaging story to a client.

What needs to change about how most organizations are handling their information strategy?

One of the largest issues right now is that many organizations are swamped with data. For us, the amount of data coming from plants etc. is immense. However, it is important to capture and use as much of that data as possible. In essence, the change in strategy nowadays is that, because nobody knows what the data will be used for yet, you had better make sure to capture as much of it as possible. It used to be very prescriptive, whereas now companies such as ours are much more open-minded.

What are the greatest information security threats to the oil & energy industry and how would you address these?
There seem to be two levels of threat nowadays: you have people who want your data because it costs a lot to get, and then you have people who want to do you harm. Because of the new regulations in place (e.g. GDPR), information security now has to be much more encompassing in protecting the consumers and the brand. The main threat is damage to the brand, because any company that has a high level of trust and then suffers something like a data breach will immediately lose that trust. This will affect your business. At the same time, the amount of data is growing, so it is now becoming much more difficult to keep it safe. Ultimately, nobody can create a perfectly safe environment, but you have to do your best, and this is not unique to our industry.

Do you have any advice for new CIOs to help set them up for success?

Whenever I am in a new position, I always write myself a 30-, 60- and 90-day plan. In the first 30 days, you should just listen to everyone and build up your own picture of what is going on. Be sure to test your opinions by playing them back to people constantly, and listen to the business team a lot. You need to understand what they want to achieve. Once you have a picture of the business, don’t be afraid to make difficult decisions about people. Have a vision in place and see who fundamentally buys into it and who doesn’t. Whenever I delayed decisions about people, I almost always regretted it. Somewhere within those 90 days, you should set out your plan of action and learn who is going to give you unbiased feedback. Finally, try to network with your fellow CIOs in your and other industries to keep exchanging knowledge.
Tessian Spotlight: Thomas Tschersich, Senior Vice President, Internal Security and Cyber Defense at Telekom Group
Tuesday, March 26th, 2019
Thomas is the Senior Vice President of Internal Security and Cyber Defense at Telekom Group with over 20 years of cybersecurity experience. His wide-ranging role involves managing all aspects of security for Telekom Group, from personal and physical security to cybersecurity.

What are the greatest challenges you have overcome since you became SVP for Internal Security & Cyber Defense?

The biggest challenge has been to drive a new mindset into the security teams. At most companies, security teams operate in such a way that they hinder rather than empower others: for example, setting policies in place but leaving the responsibility for security ultimately to the commercial and operational teams. Then, when something goes wrong, they blame others rather than their own practices. This is not how it should be and needs to change. The best way of doing this is having security work directly with the other teams to find a solution where everyone is involved in shaping it. However, this initiative should come from the security teams, as they carry responsibility for this.

How should senior cybersecurity executives ideally work with the board?

In most organizations, you typically see CISOs reporting to CIOs. The problem with this is that you are always relying on the priorities of the CIO to accommodate your information security concerns. When the CISO is mostly driven by the agenda of the IT team (i.e. the CIO), then the likelihood of failure increases because the priorities of the CIO and CISO are ultimately different. For example, a CIO might want to cut down costs, but a CISO will realize this could increase your security risk. To create an effective cybersecurity strategy, you need to be an independent advisor or be on the same level as the CIO or CTO, and ideally report directly to the board. This allows you to align the security strategy more independently and adapt to the needs of the company. You need a direct relationship with the board to ensure security is a priority.
What needs to change about how most organizations are handling their information security strategy?

When a cybersecurity team is not acting as a barrier to other teams but is instead working together with them, the business will see an increase in efficiency. It is crucial for cybersecurity to become a business enabler rather than just a pure cost factor. This is what modern organizations have to understand to become successful. Other than that, keeping your infrastructure up-to-date is key. Many of the most successful cyber attacks happen partially because of a missing software update.

Do you have any advice for new CISOs to help set them up for success?

First of all, listen to the business and understand how it works. Then you can set up security measures that will really help the business achieve its goals and keep practices safe, rather than just providing commercial teams with a security target and writing out policies. This is the most essential aspect to understand: with just a policy you are protecting nobody. Also, make sure to network with your peers and talk about breaches openly so no industry ever falls victim to the same threat twice. From time to time, you might be the first victim, but other times you won’t be a victim at all because someone told you about the threat beforehand.

What role do you think human error plays in data breaches?

I would say most data breaches come from disruptive security measures. If I only implement procedures that are a burden to people and their productivity, then they will obviously try to find a way around them. For example, if a policy required people to change their password once a week, you would almost certainly have more people writing their passwords down, and so the risks actually increase. Security executives need to focus on security measures that support rather than burden the user. This consequently reduces the number of threats, as people are not motivated to find a way around measures anymore.
Tessian Spotlight: Pierre-Yves Geffe, Chief Information Officer for Swedbank Luxembourg
Thursday, March 21st, 2019
Pierre-Yves has been the Chief Information Officer for Swedbank Luxembourg for over a decade. Originally hired to restructure the bank’s IT operations, he overhauled the IT teams into a highly agile workforce and successfully led numerous IT implementations and migrations. Before joining Swedbank, Pierre-Yves worked in IT at both the Luxembourg Stock Exchange and IBM.

What are the greatest challenges you have overcome since you became CIO?

The greatest challenge is hiring and attracting the best employees. My strategy from the beginning was to automate as many processes as possible so that I could hire the best people. Steve Jobs once said, “It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.” I couldn’t agree more with this, and that is how we try to attract people here. We are committed to automating processes and staying on the edge of innovation. Slowly, the bank has started to change and become much more flexible and efficient. It was a difficult process, but I think we have managed to do it.

What are the specific tactics you use to engage the board?

Chief Information Officers sometimes have difficulty getting complex ideas across to the rest of the board. The board is made up of mainly commercial, financial and legal executives, so I find that the best way to express my ideas is through analogies. It is more effective to break down technical aspects into fundamental analogies, as this helps them understand the IT perspective much better. This also helps us justify spending on IT initiatives, showing how they will help the business.

What are the most important security indicators that banks should care about?

I pay most attention to human resources, because keeping talent is a factor that almost every other IT goal depends on. A company, especially a bank, needs to make sure that employees are happy to work there, because the nature of the job cannot allow for mistakes to happen.
Unhappy employees are much more likely to make a mistake, which could lead to something like a data breach. Because of this, I have no problem allowing them to focus on any personal issues first, so that when they come into work they are as happy and effective as possible. The cost of employee mistakes will be much higher than the cost of letting them focus on any personal challenges first.

What needs to change about how most organizations are handling their IT?

Most organizations do not think about how happy their employees are. They don’t understand that if you take good care of your employees, then they will take good care of the organization, especially in IT and cybersecurity. Happy employees are much more likely to behave in a compliant and secure manner.

What are the greatest information security threats to the banking industry?

A lack of employee education when it comes to cybersecurity risks is a very big threat. Lots of employees tend to get phishing emails, and many click on the links included in the email without knowing the risks involved. One way of tackling this could be to be very close to the users and remain up-to-date with how users are treating these threats. However, this can only take you so far. Luckily, we have been able to escape any major risks for now, but it is an ongoing process.

Do you have any advice for new CIOs to help set them up for success?

You have to get out of the office. Meet with your peers and industry experts, go to workshops and networking events. You should also read blogs and articles constantly to remain on top of the newest technologies, solutions and threats. Ultimately, if you are curious and flexible in your approach to solving a problem in IT, then you have the right tools to get started.
GDPR: 13 Most Asked Questions + Answers
Friday, March 15th, 2019
1. Who’s enforcing GDPR?
In May 2018, the GDPR came into force across the whole of the European Union. The GDPR applies equally to all EU member states, but that doesn’t mean each country will enforce its requirements equally. Each member state handles enforcement and will have a regulatory body called a supervisory authority that will be in charge of auditing and enforcement. 28 different countries will handle enforcement. That means Germany, for example, is expected to be tougher on enforcement of GDPR than elsewhere on the continent, given that data protection is conducted at a state level. Conversely, the U.K. has traditionally been the member state to push back against any overtly data-privacy regime that could impede global trade.

2. What are the penalties for non-compliance with GDPR?
Penalties can be a fine of up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The latter is the steeper penalty, and the assumption is that it will be levied in severe cases when a company has totally disregarded data privacy. The supervisory authority decides the fine’s amount based on the circumstances and the violation level.

3. What is a GDPR Data Processing Operation?
A data subject is the person about whom data is being collected. The data controller is the person or organization that decides why personal data is held or used, and how it is held or used. Any person or organization that holds or uses data on behalf of the data controller is a data processor.

The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach.

4. How does the GDPR handle this?
GDPR refers to the time between detecting a breach and notifying impacted parties about it. However, part of the security-for-privacy concept is about being able to detect breaches and having best-practice tools and processes in place to do so.

5. What documentation do we need to prove that we’re GDPR compliant?
GDPR, compared to the Data Protection Act that it replaces, states there is a need to demonstrate compliance. According to Article 5(2) of the regulation, “The controller [i.e. your company] shall be responsible for, and be able to demonstrate compliance”. It is a good idea to document everything about your GDPR process, so it is clear that you have taken the right investigative steps and have taken reasonable steps to fix any issues. You then have a document you can point to if you’re ever asked any questions.

6. What are the data requirements for GDPR?
• Data can only be processed for the reasons it was collected
• Data must be accurate and kept up-to-date, or else erased
• Data must be stored such that a subject is identifiable no longer than necessary
• Data must be processed securely

7. Is GDPR training mandatory for staff and management?
Anyone whose job involves processing personal data undertakes data protection and data handling training. This includes full-time staff, third-party contractors, temporary employees, and volunteers.

8. Does GDPR compliance differ based on the number of employees a company has?
GDPR doesn’t differentiate between the size of organizations.

9. What type of language should be included in a consent policy?
Check out the Tessian privacy policy, which shows you how detailed consent needs to be.

10. Is appointing a DPO mandatory?
GDPR requires appointing a DPO when an organisation performs data processing on a large scale, processes certain types of data or processes data on an ongoing basis as opposed to a one-time process.

11. What happens if some data is processed outside the EU?
The GDPR allows for data transfers to countries deemed by the European Commission to provide an adequate level of personal data protection. In the absence of such a decision, transfers to non-EU states are also allowed under certain circumstances, such as standard contractual clauses or binding corporate rules.

12. Does GDPR affect US-based companies?
Any U.S. company that has a web presence and markets its products over the web will have to take notice. Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

13. If we are based in the US, have EU citizen data and experience a breach, who do we notify?
There are rules around which authority should be notified, based on criteria like the situation, the organization and where the processing occurs.

How can Tessian make you GDPR compliant?
Under GDPR, an organization is most likely to suffer a fine or penalty due to data loss through a misdirected email. Misdirected emails were the number one form of data loss reported to the Information Commissioner’s Office (ICO) in 2017. Some notable examples of penalties issued by the ICO for misaddressed emails include 56 Dean Street Clinic, which was fined £180,000 for inadvertently disclosing the identities of HIV positive patients, and Dyfed-Powys Police, which was fined £150,000 for inadvertently disclosing the identities of registered sex offenders to a member of the public.
GDPR forces organizations to report all personal data breaches to the appropriate governing body and maintain a register of these internally. Under GDPR, organizations have an obligation to report misaddressed emails to the ICO and face fines of up to 4% of global turnover depending on the severity of the breach. Given that misdirected emails are the number one type of data security incident currently reported to the ICO, this should be of significant concern for all organizations in the transitioning years toward GDPR. Tessian uses machine learning to automatically detect when emails are being sent to the wrong person, allowing organizations both to prevent information being sent to the wrong person and, crucially, to retain an audit log of the warning messages shown to users when sending emails and the response the user made to each warning. The audit feature and preventative nature of Tessian align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). Furthermore, with increasing numbers of firms adopting Tessian’s technology and their role in helping advise other companies in their transition to GDPR, simply relying on staff being as careful as possible and on internal training becomes an untenable posture when protecting personal data.
Careers: Adding Rocket Fuel to our Rocket Ship
By Abhirukt Sapru
Tuesday, March 12th, 2019
Picture this: It’s 4pm on a Wednesday. While the rest of the working world is going through their midweek slump – clock watching and/or waiting for their boss to turn comments before burning the midnight oil – you are stepping in to the boardroom of a leading London law firm. In front of you, as you pour yourself a glass of sparkling water with a postcard panorama of the city skyline behind you, are the Managing Partner and Head of IT. They usher you into your seat. As you scramble to connect the various adapters into your MacBook, your mind is 100% focused on delivering a pitch on why their firm should today solve their biggest problem. You need to educate, persuade and ultimately introduce this organization to machine learning (sometimes, for the first time). As you load up your slides on Keynote, it’s show time. At Tessian, this is not a what-if scenario, this is just one of the daily occurrences as a Business Development Manager (BDM). I had the rare opportunity to be ‘patient zero’ for the Business Development function at Tessian. And it was – and continues to be – an unbelievably exhilarating experience. Every single exercise has value: multiple introductory emails to prospective customers, pitching and ultimately navigating organizations to implementation all help our company achieve our goals.
As a BDM, you are experiencing entrepreneurship in its most raw, gritty form. You are your own rapid-growth business within a rapid-growth business. You get to experience the glamorous highs – as detailed above – alongside the excruciating lows, all at breakneck pace. Industry-defining deals are the norm, and your targets have a direct impact on the products our team can ship, the services we can offer to our customers, and our ultimate mission to protect enterprises from threats executed by humans in order to keep the world’s most sensitive data and systems secure.
Given the nature of the role – a discipline in process, a fervent desire to do things faster and better, creative and strategic thinking, and collaboration through external stakeholder management – BD has become a natural breeding ground for commercial leadership at Tessian. It’s not just here, but across organizations: 20% of Fortune 500 CEOs have come from a selling/marketing background, and there is a common adage in the start-up world that an overwhelming number of successful entrepreneurs have first built careers in sales. It’s true here as well – our CEO, founders, Head of US, Enterprise and Finance Directors, and myself (Chief Revenue Officer) have effectively all built our careers in some way as BDMs at Tessian.
Tessian is hoping to redefine sales and business development. We don’t believe in nor hire those who portray the negative stereotypes around sales. BDMs at Tessian are some of the brightest, hardest-working and most upstanding people I have interacted with in my career. It’s humbling to come in and work with these people on a daily basis and I am incredibly grateful that our team’s constant ambition is to outperform. I sometimes think of the famous Sheryl Sandberg quote to Harvard Business School grads: “If you’re offered a seat on a rocket ship, don’t ask what seat! Just get on.” As a member of the Business Development team at Tessian, we get to be right in the control room. And from our window, there’s an incredible view.
Autocomplete Mistake on Email
Tuesday, March 12th, 2019
What is Autocomplete? How does Autocomplete work?
Autocomplete / auto-fill is a feature which displays suggestions for names and email addresses as you start to type them. These suggestions are possible matches from a list of names and email addresses from the email messages that you have sent. As you start typing a name in the To box, based on the characters you enter, Outlook’s Autocomplete feature displays a list of possible choices. As you enter more characters, Outlook narrows the list.

How common are Autocomplete mistakes?
Autocomplete updates its suggested list as quickly as you type each character, so it’s very easy to select the wrong email address. Outlook and other mail providers maintain a history of all the email addresses you enter, not just the ones you store in the Address Book, so these names make their way onto the Autocomplete list. Autocomplete mistakes can happen when you’re in a hurry or distracted. For example, you may type a name into the ‘To’ box, choose the first option and send, without realizing that Outlook’s Autocomplete feature chose the wrong recipient. Autocomplete is a highly useful and productive feature in a workplace, helping to save time; however, it is prone to mistakes and can cause you to accidentally send emails to the wrong person.

Should I switch Autocomplete off?
As the risk of misdirected emails is becoming a key issue for leadership, information security, risk and operating teams, organisations are often taking an impulsive approach to solving this problem. Upon identifying that one of the main culprits for this growing challenge is the auto-complete function in email, the knee-jerk solution by management is to switch the function off, which ends up causing far more problems than it solves. The truth is, Autocomplete is helpful and you shouldn’t disable it.
“After identifying the risk of misdirected emails, we explored the option of disabling Autocomplete; however, it became incredibly clear that this was not the solution. Instead, we needed something that complemented rather than prohibited workflows, hence we opted for Tessian’s Guardian product.” — David Smith, Partner and Head of Operations, Anthony Gold Solicitors

What happens if I disable Autocomplete?
There are a number of reasons that firms should strive to keep auto-complete on. It is imperative to take a holistic approach rather than act in what can be perceived as an impetuous manner when dealing with risks such as misdirected emails.

Why you shouldn’t disable Autocomplete:
1. Misdelivery risk increases due to manual input
2. Tessian research found that productivity decreases by 30%
3. Increase in non-authorised, non-controlled communication channels to send messages
4. Misaddressed emails do not decrease
5. Negative experience with technology

“Tessian’s low user disruption and intelligent predictions have proved to be a sophisticated and risk attractive improvement to disabling autocorrect in Outlook.” — Duncan Eadie, IT and Business Services Director at Foot Anstey

About Tessian
Tessian is building the world’s first Human Layer Security platform to fulfil our mission to keep the world’s most sensitive data and systems private and secure. Using stateful machine learning to analyze historical email data, Tessian’s Parallax Engine can predict, for this user, at this point in time, whether this email looks like a security threat.
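The failure mode described above (Autocomplete picking a stale or similar address from the sender's history), as an added example that is not part of the original post and is not Tessian's Guardian product: a pre-send check that leaves Autocomplete switched on but prompts when a recipient this sender has never written to is only an edit or two away from someone they email often. The sent-mail history, the hypothetical domains and the thresholds are constructed assumptions.

```python
"""Added example, not Tessian's code: a pre-send check for the Autocomplete
failure mode described above. A recipient this sender has never written to,
whose address is within a couple of edits of someone they email often, is the
signature of a wrong Autocomplete pick and earns a confirmation prompt.
The sent-mail history and thresholds are constructed assumptions."""
from collections import Counter


def levenshtein(a, b):
    """Edit distance between two strings (standard two-row dynamic programme)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_history(sent_log):
    """sent_log: iterable of (sender, recipient) pairs. Returns
    {sender: Counter({recipient: times emailed})}."""
    hist = {}
    for sender, rcpt in sent_log:
        hist.setdefault(sender.lower(), Counter())[rcpt.lower()] += 1
    return hist


def autocomplete_warnings(sender, recipients, history, max_distance=2, min_familiarity=3):
    """For every recipient the sender has never emailed, list frequent past
    recipients within max_distance edits. Returns [(recipient, lookalike, distance)].
    An empty list means no prompt is needed, so the feature stays switched on."""
    known = history.get(sender.lower(), Counter())
    warnings = []
    for r in recipients:
        r = r.lower()
        if known[r]:
            continue  # address already in this sender's history: nothing to flag
        for past, n in known.items():
            if n >= min_familiarity:
                d = levenshtein(r, past)
                if 0 < d <= max_distance:
                    warnings.append((r, past, d))
    return warnings


# Constructed history: alice has mailed one client contact five times and
# her own IT desk twice (hypothetical domains).
SENT_LOG = [("alice@example-law.co.uk", "j.smith@acme-client.com")] * 5 + \
           [("alice@example-law.co.uk", "it@example-law.co.uk")] * 2


def demo():
    """Autocomplete offered 'acme-clients.com' (a stale lookalike) instead of
    the usual client domain; the check should flag it."""
    history = build_history(SENT_LOG)
    return autocomplete_warnings("alice@example-law.co.uk",
                                 ["j.smith@acme-clients.com"], history)


if __name__ == "__main__":
    for rcpt, lookalike, dist in demo():
        print("Check recipient %s: %d edit(s) from %s" % (rcpt, dist, lookalike))
```

Raising min_familiarity or lowering max_distance trades fewer prompts for more missed near-misses; the point is that the prompt, not the removal of Autocomplete, is what addresses the risk.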
Human Layer Security
Email: Information Security’s Leaky Pipeline
Tuesday, March 12th, 2019
Email is the most widely used method of communication in the world. The number of emails sent and received daily will reach almost 300 billion in 2019, and the number of active email users will reach almost 4 billion in the same year, according to technology research company Radicati. There’s a reason the ageing protocol is so entrenched in how we communicate: it’s simple, works in every browser, and most importantly, everyone has an address. But many of the things that make email great also make it a difficult avenue to secure from an information security perspective.

Many use cases
Email is used for both professional and non-professional communications: a highly classified email to a client may be immediately followed by one to a spouse about dinner. Add to this that these two emails can often be sent from the same work email account for the sake of convenience, and the likelihood of confidential data being leaked through a slip-up increases exponentially.

Truly platform agnostic
Slack messages can be sent to Slack users, Signal messages to Signal users, and WhatsApp messages to WhatsApp users. Unlike most other messaging platforms, there’s no need for two people to be using the same email client, protocol, or provider for communication to be possible. Of course, this seamlessness comes at a cost: it is much more difficult to develop a complete security solution for a channel with as many front-end standards and configurations as email has.

Well established protocols
Since its inception in the 1970s, the underlying technology behind email has remained the same, which makes it very easy to develop for and implement.
It also means the protocol now suffers from being ‘too big to change’ – there are core features missing from the technology that more modern communication platforms now have as standard, including the ability to easily redact or recall, and encryption-by-default. To make any major changes to how the email protocols function would require a near-global consensus.

Accessible from anywhere
Gone are the days when people accessed their email solely from their desk. Employees manage their emails on laptops, smartphones, tablets, watches, even car dashboards. This ease of access has exponentially increased the volume of emails exchanged, and has changed how people treat emails, sending them on the go. This, in turn, raises the risk of emails being misaddressed, as people type addresses out in a rush on their phones.

Centrally stored
An inbox often contains a wealth of information spanning an employee’s entire time spent at an organization. While much of this may not be confidential, being able to access huge amounts of information from a single source exponentially increases the likelihood of a “careless forward”.

Recent statistics on data security highlight that individual human error accounts for most data breaches, and show that the current school of thought surrounding information security is incomplete. Email offers numerous benefits – namely speed, ubiquity and simplicity – but it’s also one of the single biggest threats to an organization and its data. In addition, the ICO in the UK recently reported that misaddressed emails were the number one type of data security incident reported to them. While a growing number of enterprise processes are now being automated, email communication is currently still almost entirely reliant on people, which makes it vulnerable to human error. No matter how well established the organization, and how experienced and security conscious its employees, it will still be run entirely by people.
And people are fallible.
Customer Stories
Safeguarding a Reputation with Intelligent Data Loss Prevention
Tuesday, March 12th, 2019
Boult Wade Tennant is a leading patent and trademark attorneys firm with offices in London, Madrid, Munich, Cambridge, Reading and Oxford, specializing in intellectual property law. Their patent, trademark, and design teams specialise in advising clients over the full life-cycle of brands, products or systems; from acquisition, exploitation and protection to commercial use, infringement or contentious issues. Boult Wade Tennant is protecting employees with Tessian Guardian.
Working with their clients’ proprietary information and other confidential data as a matter of course, the firm wanted to augment the protection they provide their clients, and further safeguard any confidential information they may process on clients’ behalf. Boult Wade Tennant picked Tessian because it was easy to install, required minimal configuration, and is unobtrusive to employees. Tessian has allowed Boult Wade Tennant to mitigate the risk of misaddressed emails and inadvertent IP loss, safeguarding their reputation as one of the best in the business.

Learn more about how Tessian prevents human error on email
Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.
Customer Stories
Ensuring Data Loss Protection
Tuesday, March 12th, 2019
Com Laude, an ICANN accredited registrar, is a specialist domain name management company that helps businesses manage their domain name portfolios throughout the full life cycle. Com Laude is protecting employees with Tessian Guardian, Tessian Enforcer and Tessian Constructor.
The problem
As a trusted strategic partner of leading global brands, Com Laude recognized that there was a direct correlation between the security of their clients’ information and the security of their business – something that they were keen not only to protect but enhance, so as to facilitate further growth. Having identified the significance of the threat at hand, they were keen to find a solution – and with misdirected emails being the most common type of data security incident, there was no time to waste. Attracted by the intelligence of our AI and machine learning based software, the Com Laude team actively sought out Tessian Guardian, combining this with the additional protection provided by Tessian Constructor to implement an effective regulatory framework for their internal communication policies.

The solution
Tessian was rolled out to 30 employees across a number of departments at Com Laude. After an initial period of time exploring Tessian’s functionality, Com Laude built a variety of rules specifically for their organisation using Constructor and had Guardian successfully running in the background. Soon after, Com Laude were presented with a detailed threat report from Tessian, including a high-level overview of their email statistics along with a deep-dive analysis of the specific threats identified via Guardian – specifically, flagged misdirected emails. The results from this report provided Com Laude with “proof” not only of the value of their investment, but of the scale of the problem. Having shown that Guardian was able to detect and prevent email threats in the form of misdirected emails, the report also provided the company with some significant insights via these email statistics. This had a direct impact on Com Laude’s business model, allowing the firm to use these findings to set key rules designed to further protect their customers.
Customer Stories
Securing the Email Environment from Human Error
Tuesday, March 12th, 2019
Travers Smith is a leading corporate law firm headquartered in London. It advises national and multinational companies across the full range of corporate and commercial matters. Travers Smith is protecting employees with Tessian Guardian and Tessian Constructor.
Given the highly sensitive nature of the work performed and the client confidentiality requirements outlined by the Solicitors Regulation Authority, securing their email environment from human error was a key priority for the firm. Risk and IT teams were acutely aware of the potential risks from misdirected emails and chose Tessian Guardian because of the admin-free nature of the product and the minimal disruption and effort that it requires from end users at the organization. Travers Smith successfully deployed Tessian firm-wide with minimal effort from the firm’s IT team.

After a set period of time using the software, Travers Smith was presented with a comprehensive report containing details of Tessian’s performance and examples of misdirected emails that had been prevented. Thanks to Tessian, Travers Smith is now better equipped to protect clients’ sensitive information and avoid the scenario of confidential information accidentally being sent to the wrong people. Moreover, Tessian allows the firm to demonstrate diligence to clients and regulators by showing that the risk is being measured and managed appropriately.