Compliance, Data Exfiltration, DLP
A Beginner’s Guide to Cybersecurity Frameworks
Monday, October 5th, 2020
As rates of cybersecurity incidents rise and data security laws become stricter, organizations must take steps to protect the information under its control. But safeguarding your company’s information can be a daunting task.  So, where do you start? You can start by implementing a cybersecurity framework. In this article, we’ll look at four of the most prevalent cybersecurity frameworks — to help you get started on your journey toward better information security.  But first, let’s define what a cybersecurity framework is. What is a cybersecurity framework?
What are the benefits of implementing a cybersecurity framework? Running a business is a time-consuming and complicated task and many business leaders – especially those without any background in cybersecurity – worry that implementing a cybersecurity framework will create extra work. And, while it does take time and effort to follow a cybersecurity framework through to completion, it’s almost certainly going to save you time, stress — and money — in the long-term. Here’s how: It will strengthen your network protection, reducing your risk of a cybersecurity attack. It will help ensure better data security practices among staff, reducing the risk of accidental data loss, such as via misdirected email. It increases awareness of cybersecurity among staff, leading to a reduced risk from social engineering attacks. It improves your reputation among consumers and business partners. Implementing a cybersecurity framework is also a fundamental way of meeting your legal obligations under data privacy laws, such as:  The EU General Data Protection Regulation (GDPR)  The California Consumer Privacy Act (CCPA) The South Africa Protection of Personal Information Act (POPIA)  Under these laws — and many others worldwide — it is necessary for businesses to maintain a reasonable level of data security. Implementing a cybersecurity framework is an excellent way to achieve this. Looking for more information about regional and industry-specific data protection laws? Visit our compliance content hub. 
What sorts of organizations should implement a cybersecurity framework? Implementing a cybersecurity framework is mandatory in some industries. For example, organizations that handle cardholder data must comply with the PCI DSS framework. However, a business of virtually any size — and in any industry — can adopt a cybersecurity framework at relatively low cost.  One way that a small business can achieve cybersecurity compliance is by choosing a flexible framework —  such as the CIS Controls or NIST Cybersecurity Framework, and prioritizing the implementation of controls according to its business needs and operating context. Now, let’s look at four of the best-known cybersecurity frameworks.
Introduction to CIS Controls The Center for Internet Security (CIS) Controls framework can help you mitigate and defend against the most basic cyberattacks.  Here are the 20 CIS Controls: Basic CIS Controls Inventory and Control of Hardware Assets Inventory and Control of Software Assets Continuous Vulnerability Management Controlled Use of Administrative Privileges Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Maintenance, Monitoring, and Analysis of Audit Logs Foundational CIS Controls Email and Web Browser Protections Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Data Recovery Capabilities Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches Boundary Defense Data Protection Controlled Access Based on the Need to Know Wireless Access Control Account Monitoring and Control Organizational CIS Controls Implement a Security Awareness and Training Program Application Software Security Incident Response and Management Penetration Tests and Red Team Exercises
CIS Control 13: Data Protection  To give you an idea of what the CIS controls require, we’ll take a closer look at Control 13: Data Protection. CIS Control 13 provides some practical steps to help you protect data from exfiltration and cyberattacks. At its core, Control 13 requires organizations to: Use a combination of encryption, integrity protection, and data loss prevention (DLP) methods to ensure the security of data Limit and report on data exfiltration attempts Mitigate the effects of data compromise Control 13 contains nine sub-controls. Some of these are achievable for businesses of all sizes, such as: 13.1: Maintain an Inventory of Sensitive Information 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization 13.6: Encrypt Mobile Device Data If your organization has “moderate” or “significant” resources, it can implement further sub-controls, such as: 13.3: Monitor and Block Unauthorized Network Traffic 13.4: Only Allow Access to Authorized Cloud Storage or Email Providers 13.5: Monitor and Detect Any Unauthorized Use of Encryption By implementing the CIS controls and sub-controls on a priority basis, businesses can implement a reasonably effective cybersecurity program.  Looking for a straightforward way to implement multiple sub-controls across several CIS controls? implement email security software. Email is the entry-point for 96% of phishing attacks.
Introduction to the NIST Cybersecurity Framework The NIST Cybersecurity Framework (full title: Framework for Improving Critical Infrastructure Cybersecurity) is a comprehensive set of security controls and guidance for private sector organizations. Currently, at version 1.1, the framework aims to improve the general level of cybersecurity among US organizations. The framework is guidance — it’s entirely voluntary  — and it can be customized according to a company’s sector, resources, and risk profile. The framework’s “core” consists of cybersecurity activities and outcomes — written in accessible language that should be understandable to non-technical teams. (Phew!) The core activities and outcomes are sorted into five functions, which are further divided into categories. We’ve listed them below.  Identify: The “Identify” function provides the essential, foundational activities and outcomes necessary to use the framework. Outcomes categories associated with this function include: ID.AM: Asset Management ID.BE: Business Environment ID.RA: Risk Assessment Protect: The “Protect” function activities help mitigate the impact of a potential cyberattack or data breach. Protect outcome categories include: PR.AC: Identity Management and Access Control PR.AT: Awareness and Training PR.DS: Data Security Detect: The “Detect” function enables businesses to quickly detect that a cybersecurity event has occurred. Detect outcome categories include: DE.AE: Anomalies and Events  DE.CM: Security Continuous Monitoring DE.DP: Detection Processes Respond: Implementing the “Respond” function will ensure your business takes appropriate action during a cybersecurity event. Outcome categories in this function include: RS.RP: Response Planning  RS.CO: Communications  RS.AN: Analysis Recover: The “Recover” function allows an organization to return to normal functioning after a cyberattack. Recover function outcome categories include: RC.RP: Recovery Planning  RC.IM: Improvements RC.CO: Communications Each function’s categories are, in turn, divided into subcategories. For example: ID.AM (function: Identity, category: Asset Management): ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-2: Software platforms and applications within the organization are inventoried ID.AM-3: Organizational communication and data flows are mapped The subcategories all come with “informative references”, which are practical resources to help businesses achieve the outcomes.  For example, ID.AM-1 (Identify: Asset Management) includes the following references: CIS Control 1  ISO 27001:2013 Annexes A.8.1.1 and A.8.1.2 NIST Special Priority (SP) 800-53 (revision 4) CM-8 and PM-5 Introduction to ISO 27000 Series
The ISO 27000 Series (sometimes called the ISO/IEC 27000 Series) is a family of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO 27000 Series is extensive, covering information security requirements, guidelines, and sector-specific standards. Examples of some of the published standards in the ISO 27000 Series include: ISO 27000: Information Security Management Systems — Overview and Vocabulary ISO 27003: Information Security Management System Implementation Guidance ISO 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors ISO 27019: Information Security for Process Control in the Energy Industry ISO 27032: Guideline for cybersecurity ISO 27033: IT network security Businesses of all sizes can implement one or more of the ISO 27000 Series standards. These are internationally recognized standards and are well-respected around the world.  While implementing ISO 27000 controls is not legally mandatory, there is an expectation of ISO-compliance in many industries and contexts. For example, for public cloud storage service providers that process personal information, achieving ISO 27018 compliance is crucial. ISO 27001 To give you a feel for ISO 27000 implementation, we’re going to take a closer look at one of the more popular standards in the series: ISO 27001, full name “Information technology — Security techniques — Information security management systems — Requirements.” ISO 20071 aims to enable businesses to establish, implement, maintain, and continually improve an information security management system (ISMS). Unlike the CIS Controls or the NIST Cybersecurity Framework, ISO 20071 is not available for free. The ISO 27001 standard consists of ten “clauses,” and an annex containing 114 controls, sorted into 14 sets. A business can prioritize its implementation of these controls according to its operational requirements. An essential part of complying with ISO 27001 is risk assessment. An ISO 27001 risk assessment can be broken down into several stages: Creating a risk assessment methodology that accounts for: Your operating context Risk criteria Risk tolerance Identifying information assets, such as: Digital documents Paper files Storage devices Mobile devices Identifying threats: Social engineering attacks, such as spear phishing Exfiltration of data by trusted employees Weak passwords leading to hacked employee accounts ISO 27001 compliance is an ongoing process that requires the commitment of employees across your whole organization. Once a company has implemented sufficient controls, it can undergo an audit and obtain ISO 27001 certification. Tessian is ISO 27001 certified. You can read more about your integrations, compatibility, and partnerships here. 
Introduction to PCI DSS The PCI DSS applies to all organizations that accept, transmit, or store information associated with payment cards (known as “merchants”). The PCI DSS sits alongside the PCI PTS (for manufacturers) and the PCI PA-DSS (for software developers). Unlike the other frameworks we’ve looked at, the PCI DSS is mandatory for any business that qualifies as a merchant. The Payment Card Industry Council enforces PCI DSS compliance, and — in some jurisdictions — it is incorporated into law. The framework’s requirements differ according to how many Visa transactions a merchant processes per year. There are four levels of PCI DSS requirements: Level 1: Any merchant that:  Processes more than 6 million Visa transactions per year, or Is determined by Visa as needing to meet level 1 requirements Level 2: Any merchant that processes 1-6 million Visa transactions per year Level 3: Merchants that process 20,000-1 million eCommerce Visa transactions per year Level 4: Any merchant that: Processes fewer than 20,000 Visa transactions per year, or Processes fewer than 1 million non-eCommerce Visa transactions per year As you can see, eCommerce merchants have slightly stricter requirements due to the risks of transacting online.  If a merchant suffers a data breach, it might be required to move up a level to continue making card transactions. This is one of many reasons you should take a “security-first” approach and implement as many cybersecurity controls as your budget allows. The PCI DSS consists of 12 requirements, which can be summarized as: Use a firewall Change default passwords and other security parameters Protect cardholder data in storage Encrypt cardholder in transit Implement and update antivirus software  Ensure systems and applications are secure Restrict access to cardholder data Assign unique user IDs  Maintain physical safeguards over cardholder data Monitor access to cardholder data and network resources  Test security systems  Maintain an information security policy In fewer words: Merchants must protect cardholder data from internal and external threats.  How can Tessian help with cybersecurity framework implementation? As we’ve seen, all cybersecurity frameworks require businesses to protect the information in their control from threats such as: Social engineering attacks  Accidental data loss Insider threats Across three solutions, Tessian detects and prevents email-based cybersecurity threats. Why email? Read more about why email is the threat vector cybersecurity leaders are most concerned about on our blog.  You can also learn why rule-based DLP solutions are failing and why the world’s top organizations (in some of the most regulated industries) trust Tessian.
Compliance, Data Exfiltration, Spear Phishing
September Cybersecurity News Roundup
Wednesday, September 30th, 2020
We’re back with another monthly roundup of cybersecurity news. Cybercriminals have once again been busy, with several high-profile data breaches and ransomware attacks occurring throughout September. And – rather unsurprisingly – social media platforms Twitter and TikTok have made the cut for the third month running. Here are the top cybersecurity stories from September 2020, including links to further information. Need to catch-up? Check out headlines from July and top stories from August on our blog. Researchers Predict That CEOs Will Be Personally Liable for Cyber-Physical Attacks Research and advisory firm Gartner (who recently named Tessian a Cool Vendor) predicted this month that 75% of CEOs could hold personal liability for “cyber-physical” attacks by 2024. Cyber-physical attacks aim to impact the “real world,” including critical infrastructure, internet of things devices, and healthcare equipment. Such attacks can result in physical injury and death. Gartner predicts that that cyber-physical attacks will cause up to $50 billion of damage by 2023 So what if Gartner is right? It would mean that if a company suffers a cyberattack resulting in physical harm — and it turns out that the company has not implemented appropriate cybersecurity measures — the company’s CEO could have to pay fines with their own money. 
Gartner’s research tells us what every effective business leader already knows — an effective cybersecurity program is an essential requirement for every organization. If a cyberattack occurs, the buck stops with the company’s senior executives. Argentinian Government Faces $4 Million Ransom Following Cyberattack On September 6, Argentina temporarily stopped allowing people to cross its borders after the Netwalker ransomware hit the country. The attackers encrypted government migration data and demanded 355 Bitcoins (around $4 million) to unencrypt it. This cyberattack led to chaos across border checkpoints — but the Argentinian government told domestic news website Infobae that it had no intention of negotiating with the hackers. Ransomware continues to cause havoc worldwide, and it appears the problem is only getting worse. Research by SonicWall recorded approximately 121 million ransomware attacks in the first half of 2020. Personal Information of 46,000 US Military Veterans Breached The US Veterans Association (VA) announced this month that the personal information of around 46,000 military veterans had been “accessed by unauthorized users.” The cybercriminals aimed to “divert payments” intended for healthcare providers. The VA’s financial services team wrote to the affected individuals to advise on how to mitigate the effects of the breach and offer free access to credit monitoring services. The VA serves veterans all over the US. Strict new data breach laws in several jurisdictions — including New York, Washington DC, and Oregan — mean that the VA could face huge fines given the breach’s context. Want to know more about US data security laws? Read our guidance for security leaders. 75% of IT leaders believe the future of work is hybrid In a new report – The Future of Hybrid Working – Tessian reveals that IT leaders and employees both believe the future of work will be remote or hybrid. But, it’s clear this shift won’t be easy. Check out some of the key stats below: 82% of IT leaders believe employees are at greater risk of phishing attacks when working remotely Over a third of IT leaders are worried about their teams will stretched too far in terms of time and resource Half of emoployees have been working on their personal devices since March 2020 Nearly 75% of employees said they received a phishing email while working on a personal device between March and July 2020….and 68% admitted to clicking a link or downloading an attachment within that email 78% of IT leaders think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure Read the full report to learn more and to understand how business can balance flexibility and security without draining IT teams’ resources. Thousands of COVID-19 Patients’ Data Leaked Due to “Human Error” A massive data breach occurred in Wales this month when the personal information of 18,105 coronavirus patients was leaked following an “individual human error.” The breach affected every Welsh resident who tested positive for COVID-19 between February 27 and August 30. Public Health Wales said that the data included the “initials, date of birth, geographical area, and sex” of the affected individuals. In nearly 11% of people, though, the data also included the name of the nursing home or other healthcare setting in which the individual lived. The data was uploaded onto a public server, where it was accessible and searchable for around 20 hours. It was viewed 56 times throughout this period.  Human error is a key cause of data breaches. Statistics show that around 88% of data breaches start with human error, and almost half of all employees believe they have made an error at work leading to security repercussions. Chinese Company Holds Data About 2.4 million Influential People An academic at Fulbright University, Vietnam, has uncovered a vast Chinese database containing personal information of around 2.4 million people and their families. It looks like these individuals are “people of interest” to the Chinese Communist Party (CCP). The company responsible for maintaining this huge database “provides big data analytics as well as other functionality to support Chinese military and intelligence analysts,” according to a research paper. The research also suggests that the CCP uses the data for “intelligence, military, security, and state operations in information warfare and influence targeting.”  The database is believed to provide a way for the CCP to influence people in target sectors. It may be one of many such databases maintained by Chinese companies. Much of the information in the database has been gleaned from publicly-available sources. The Chinese database is yet another important reason you should consider limiting the amount of personal information you put online. You can learn more about how hackers are using open-source recon for deepfakes and other social engineering attacks from Elvis M. Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, who both joined us at Tessian Human Layer Security Summit. You can access their session “Safeguarding the 2020 Elections, Disarming Deepfakes via HLS On-Demand.  Twitter Provides Enhanced Security For US Election Following its spear phishing incident this July, Twitter has announced enhanced account security for certain “high-profile accounts” throughout the US election. Twitter said that various types of accounts, including those belonging to US politicians, campaign officials, and political journalists, would receive the security enhancements from September 17. So what’s changing? First, affected users must create “strong passwords,” of at least ten characters in length. They will need to confirm password reset requests via email. The affected users will also be “strongly encouraged” to enable two-factor authentication (2FA). But that’s not all. Recall that the July spear phishing incident involved “internal support tools” — it wasn’t primarily an issue with users’ account passwords. To address this, Twitter also states that it will improve internal monitoring of the affected accounts, including by using “more sophisticated detections and alerts,” “increased login defenses,” and “expedited account recovery” processes. Want to know how to avoid the issues Twitter faced this July? Read our guidance on “vishing” attacks. UHS Hospitals Hit by Reported Country-Wide Ryuk Ransomware Attack On September 27, Universal Health Services (UHS) – a Fortune 500 hospital and healthcare services provider that serves 3.5 million patients a year – was the target of a cyberattack that disable multiple antivirus programs and left hospitals around the country without access to computer and phone systems. According to employees, files were being renamed to include the .ryk extenstion, computers’ screens changed, and – eventually – shut down, leaving them without access to anything computer-based. And, in response to the attack, employees were told to shut down all systems to block attackers’ from reaching more devices on the network. While UHS hasn’t made a statement, the logistics of the incident suggest ransomware. That means patient and employee data is at risk. Energy Companies Advised to Create Cyberattack Response Plans The US Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) have released a report advising energy providers on creating an Incident Response and Recovery (IRR) plan for cyberattacks. The report is based around an existing cybersecurity framework: the National Institute of Standards and Technology (NIST) Special Publication 800-61, also known as the Computer Security Incident Handling Guide.  Governments appear to be increasingly concerned about the cybersecurity of critical infrastructure. This concern is well-founded — in 2019, 90% of security professionals surveyed across the utilities, energy, health, and transport sectors reported that their organizations had faced at least one successful cyberattack. Much of the advice to energy providers is good practice across all sectors. FERC and NERC recommend a four-part framework, consisting of security controls relating to preparation, detection and analysis, containment and eradication, and post-incident activity.
UK Agency Warns Schools and Universities About Ransomware Attacks As students worldwide return to schools, colleges, and universities, education providers are most concerned with defending against a COVID-19 outbreak. But the UK’s National Cyber Security Centre (NCSC) gave a stark warning about a different type of threat: ransomware. The NCSC’s alert describes “recent trends observed in ransomware attacks” targeting the education sector, which the agency says are increasingly common. The guidance follows a series of ransomware attacks against universities in the UK, US, and Canada this July. The agency warns that cybercriminals are exploiting out-of-date software and are accessing remote desktop protocol (RDP) software using credentials stolen via phishing attacks. It also warns that phishing emails are being used to deploy ransomware. So how does the NCSC recommend education providers protect themselves? The same ways all cyber-secure organizations protect themselves — including ”disrupting ransomware attack vectors” by implementing phishing defenses, and “enabling effective recovery” by keeping backups of data. Implementing DMARC is also essential to prevent brand impersonation and successful spear phishing attacks. And, according to Tessian research, 40% of the top 20 US universities aren’t using DMARC records.  TikTok Ban Delayed Following ByteDance Sale On September 21, US President Trump said he had approved the sale of part of ByteDance, the parent company of video-sharing platform TikTok, to Oracle and Wal-Mart. The deal temporarily averts harsh restrictions on TikTok set out by the US Department of Commerce three days earlier. The sale results from an executive order issued by President Trump in August, stating that the TikTok app “captures vast swaths of information from its users, including… location data and browsing and search histories.” TikTok maintains that this activity is standard industry practice. The US companies could take a collective 20% stake in ByteDance, with Oracle hosting TikTok user data in Oracle Cloud. Some analyses suggest that security-conscious nations and businesses are increasingly likely to implement these sorts of “data localization” measures. Trump had previously assured the public that TikTok would be “totally controlled” by the US firms. However, the president assured a press conference that the companies would be using “separate clouds and very, very powerful security.” That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post. 
Data Exfiltration, DLP, Human Layer Security
7 Examples of Data Breaches Caused By Misdirected Emails
By Maddie Rosenthal
Tuesday, September 29th, 2020
While phishing, ransomware, and brute force attacks tend to make headlines, misdirected emails (emails sent to the wrong person) are actually a much bigger problem. In fact, a report from the UK’s Information Commissioner’s Office (ICO) attributed 266 data breaches to this perennial issue… and that’s just between January-March of 2020. This number has no doubt increased as people around the world have been forced to work remotely; Tessian saw a 129% increase in email traffic when employees transitioned from office to home. More emails = more mistakes. Are you surprised? Most people are. That’s why we’ve rounded up this list of 7 real-world (recent) examples of data breaches caused by misdirected emails. And, if you skip down to the bottom, you’ll see how you can prevent misdirected emails (and breaches!) in your organization.  If you’re looking for a bit more background, check out these two articles: Behind the “Fat Finger”: All You Need to Know About Misdirected Emails  Consequences of Sending an Email to the Wrong Person 7 examples of data breaches caused by misdirected emails  Before we dive into the who, what, and how of these examples, it’s important to note that these incidents – and those reported to regulatory bodies like the ICO – are just the tip of the iceberg.  The truth is, most employees who fire off emails to the wrong people never let their IT or security teams know. That means many security leaders underestimate the frequency (and impact) of this easy-to-make mistake. How do we know? We asked them! (We also analyzed Tessian platform data.) Here’s what we found out: 58% of employees say they’ve sent an email to the wrong person at work At least 800 misdirected emails are sent every year in organizations with 1,000 employees IT leaders working at organizations with 1,000+ employees estimate that just 480 emails are sent to the wrong person every year 1.6x more misdirected emails are sent than IT leaders expect 43% of employees say they’ve made a mistake at work that comprised cybersecurity You can find more insights in The Psychology of Human Error and The State of Data Loss Prevention 2020. Now, on to the real-world examples! You’ll find the most recent examples listed first. Australia’s Department of Foreign Affairs and Trade  leaked 1,000 citizens’ email addresses On September 30, 2020, Australia’s Department of Foreign Affairs and Trade (DFAT) announced that the personal details of over 1,000 citizens were exposed after an employee failed to use BCC. So, who were the citizens Australians who have been stuck in other countries since inbound flights have been limited (even rationed) since the outbreak of COVID-19. The plan was to increase entry quotas and start an emergency loans scheme for those in dire need. Those who had their email addresses exposed were among the potential recipients of the loan. Immediately after the email was sent, employees at DFAT tried to recall the email, and event requested that recipients delete the email from their IT system and “refrain from any further forwarding of the email to protect the privacy of the individuals concerned.” Serco exposes contact traces’ data in email error  In May 2020, an employee at Serco, a business services and outsourcing company, accidentally cc’d instead of bcc’ing almost 300 email addresses. Harmless, right? Unfortunately not.  The email addresses – which are considered personal data – belonged to newly recruited COVID-19 contact tracers. While a Serco spokesperson has apologized and announced that they would review and update their processes, the incident nonetheless has put confidentiality at risk and could leave the firm under investigation with the ICO.  Sonos accidentally exposes the email addresses of hundreds of customers in email blunder  In January 2020, 450+ email addresses were exposed after they were (similar to the example above) cc’d rather than bcc’d.  Here’s what happened: A Sonos employee was replying to customers’ complaints. Instead of putting all the email in BCC, they were CC’d, meaning that every customer who received the email could see the personal email addresses of everyone else on the list.  The incident was reported to the ICO and is subject to potential fines.
Gender identity clinic leaks patient email addresses In September 2019, a gender identity clinic in London exposed the details of close to 2,000 people on its email list after an employee cc’d recipients instead of bcc’ing them. Two separate emails were sent, with about 900 people cc’d on each.  While email addresses on their own are considered personal information, it’s important to bear in mind the nature of the clinic. As one patient pointed out, “It could out someone, especially as this place treats people who are transgender.”  The incident was reported to the ICO who is currently assessing the information provided. But, a similar incident may offer a glimpse of what’s to come.  In 2016, the email addresses of 800 patients who attended HIV clinics were leaked because they were – again – cc’d instead of bcc’d. An NHS Trust was £180,000. Bear in mind, this fine was issued before the introduction of GDPR. University mistakenly emails 430 acceptance letters, blames “human error” In January 2019, The University of South Florida St. Petersburg sent nearly 700 acceptance emails to applicants. The problem? Only 250 of those students had actually been accepted. The other 400+ hadn’t. While this isn’t considered a breach (because no personal data was exposed) it does go to show that fat fingering an email can have a number of consequences.  In this case, the university’s reputation was damaged, hundreds of students were left confused and disappointed, and the employees responsible for the mistake likely suffered red-faced embarrassment on top of other, more formal ramifications. The investigation and remediation of the incident also will have taken up plenty of time and resources.  Union watchdog accidentally leaked secret emails from confidential whistleblower In January 2019, an official at Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including the identity of a whistleblower. How? The employee entered an incorrect character when sending an email. It was then forwarded to someone with the same last name – but different first initial –  as the intended recipient.  The next day, the ROC notified the whistleblower whose identity was compromised and disclosed the mistake to the Office of the Australian Information commissions as a potential privacy breach. Major Health System Accidentally Shares Patient Information Due to Third-Party Software for the Second Time This Year In May 2018 Dignity Health – a major health system headquartered in San Francisco that operates 39 hospitals and 400 care centers around the west coast – reported a breach that affected 55,947 patients to the U.S. Department of Health and Human Services.  So, how did it happen? Dignity says the problem originated from a sorting error in an email list that had been formatted by one of its vendors. The error resulted in Dignity sending emails to the wrong patients, with the wrong names. Because Dignity is a health system, these emails also often contained the patient’s doctor’s name. That means PII and Protect health information (PHI) was exposed. 
Prevent misdirected emails (and breaches) with Tessian Guardian Regardless of your region or industry, protecting customer, client, and company information is essential. But, to err is human. So how do you prevent misdirected emails? With machine learning.  Tessian turns an organization’s email data into its best defense against human error on email. Our Human Layer Security technology understands human behavior and relationships and automatically detects and prevents emails from being sent to the wrong person. Yep, this includes typos, accidental “reply alls” and cc’ing instead of bcc’ing.  Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.
Data Exfiltration, Human Layer Security, Spear Phishing
How Hybrid-Remote Working Will Affect Cybersecurity
By Laura Brooks
Tuesday, September 29th, 2020
When the world went into lockdown, ways of working changed forever.  Mandatory remote work arrangements meant people had to find ways to get their jobs done in their homes and most of us quickly settled into a new rhythm of work. Now, after months of being away from the office, the so-called “new normal” is starting to feel, well, just normal. Employees don’t want to give up the level of flexibility and autonomy they’ve come to experience.   In fact, according to our latest report, Securing the Future of Hybrid Working, just 11% of UK and US employees said they’d want to work exclusively in the office post-pandemic, with the average employee wanting to work from home at least two days a week. And, over a third of people said they wouldn’t even consider working for a company if it didn’t offer remote working in the future. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Keep reading to find out: How IT leaders think remote and hybrid working will affect cybersecurity What these new set-ups will do to IT teams’ workloads How business’ can balance flexibility and security Remote, office-based, or a bit of both?  Businesses have some big decisions to make. Do they encourage employees to come back to the office post-pandemic, or opt for a fully remote workforce?  For many, a hybrid model – where employees can split their time between working in the office and anywhere else they’d like – appears to be the best option for the long-term future of their company. Google, for example, has already announced that this is the approach it’ll take.  This way of working requires companies to completely transform the way their companies have previously run – and it may come at the IT department’s expense. The majority of IT leaders surveyed believe permanent remote work will put more pressure on their teams, while over a third (34%) are worried about their workers becoming stretched too far in terms of time and resource. This is because, while it is great for employees, a hybrid way of working actually offers the worst of both worlds for IT teams who have to simultaneously manage and mitigate security risks that occur in and out of the office, while providing a seamless experience that enables employees to work-from-anywhere. Why would permanent remote working arrangements increase IT teams’ workload?  One of IT teams’ biggest concerns is the risk of phishing attacks, with 82% of IT leaders believing employees are at greater risk of phishing attacks when working remotely. Their concerns are valid; over three-quarters of employees said they received a phishing email while working on their personal device between March and July 2020, and 68% admitted to clicking a link or downloading an attachment within that email. In fact, our report shows that nearly half of companies experienced a data breach or security incident between March and July 2020 – the remote working period enforced by the global pandemic – and half of these incidents (49%) were caused by phishing attacks.  This made phishing the leading cause of security incidents during this time.
Insider threats are another concern. Over three-quarters of IT leaders (78%) think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure. Such risks include employees bringing infected devices or documents into the office after working remotely and sharing sensitive information with their personal accounts.  It’s also worrying that 43% of the security incidents reported between March – July 2020 were caused by malicious insiders. For more information about the different “types” of insiders and real-world examples of each, visit our blog. The problem is that insider threats are much more difficult to detect and mitigate when workforces are distributed. Why? A lack of visibility.  A previous Tessian report revealed that nearly half of employees feel like they can get away with unsafe cybersecurity practices when working away from the office because they aren’t being watched by their IT team.   Then, there are the security risks associated with Bring Your Own Device (BYOD) practices.  Half of employees we surveyed have been working on their personal devices since the world went into lockdown in March 2020. The top BYOD security risks cited by IT professionals included: The downloading of unsafe apps Malware infections Software updates.  It’s not surprising, then, that 1 in 3 IT leaders are worried about their teams being too stretched in terms of time and resource in a permanent remote working structure. 
How can businesses balance flexibility and security without draining IT teams’ resources?  Securing distributed workforces isn’t going to be easy. Why? Because businesses must transform and reinvent ways of working but IT teams are under-resourced and budgets are getting smaller and smaller. Failure to transform and deliver a seamless hybrid experience, though, could threaten companies’ security posture and see businesses losing out on talent.  Education on the threats people can be exposed to and the threats they pose to company security when working away from the office is, therefore, an important first step. So, it is encouraging to see that 58% of IT leaders are planning to introduce more security training should their company adopt a permanent remote working structure.  But approaches to training may need a rethink so that it resonates with employees and isn’t seen as “just another thing” on people’s to-do list. According to our report, despite 57% of IT departments implementing more education and security training for their employees during the pandemic, nearly 1 in 5 workers said they didn’t even take part. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); This brings us to our second recommendation – security solutions shouldn’t hinder people’s productivity.  It’s clear people want to be able to work flexibly, so tools need to be flexible, too. Solutions like Tessian are invisible to employees until threats are detected, which means we cause minimal disruption to people’s workflow. Our warnings are helpful and educational, not annoying. We give people the information they need to make safer cybersecurity decisions and improve their behaviors over time.  Lastly, IT teams need greater visibility into their riskiest and most at-risk employees – regardless of where they’re working – in order to tailor training and policies and improve cybersecurity behaviors over time. Getting this level of visibility shouldn’t be a burden to the IT team, though. IT teams have enough going on, so solutions that leverage machine learning can take away labor-intensive tasks and help free up IT professionals’ time.  The way people work is quickly changing. But one thing will stay the same; you need to protect your organization’s most important asset – your people.  Businesses that protect their people from security threats and empower them to do great work, without security getting in their way, will set themselves for long-term success.  Read the full report – Securing The Future of Hybrid Working – today.
Human Layer Security
20 Virtual Cybersecurity Events To Attend in 2020 (Updated September)
Sunday, September 27th, 2020
Why do people attend conferences and industry-specific events? Because they’re valuable opportunities for professionals to network, develop or learn new skills, and gain valuable insights from leading experts. That’s one reason why, instead of canceling or postponing their events this year, many event organizers have opted to take them online.  We’ve rounded up the best virtual events (including webinars!) over the next several months and have highlighted why you should attend, what to expect, and the cost (if any).  Note: While, yes, a lot of these events are targeted at security vendors or leaders, non-technical executives like CEOs, CFOs, and COOs also have a lot to gain by tuning in. Keep reading to find out why.  Virtual Cybersecurity Events for 2020 The following 20 events are going ahead virtually and are listed in date order.  For the most up-to-date and/or specific event information, including registration details, be sure to visit the event’s website. All information is correct at the time of writing. 1. [Webinar] Developing and Sustaining an Effective Security Culture Date: October 6 at 11am (BST)  Over the last several months, the Security Awareness Special Interest Group (SASIG) has been live streaming a webinar every. single. day. It’s fair to say they’ve mastered it. While you can check out their full calendar of events here, we wanted to highlight this one in particular. Martin Smith, Chairman and Founder of SASIG will be joined by Gaynore Rich, the Global Director of Cybersecurity Strategy & Transformation at Unilever, Zsuzsanna Berenyi, Head of Cybersecurity Awareness and Culture at London Stock Exchange Group, Vic Djondo, Director of Cyber Targeted Training and Awareness at Standard Chartered Bank, and Imogen Verret, Senior Behavioural Insights and Security Awareness Manager at Vodafone Group. They’ll all be discussing their strategies for building a strong security culture while also offering tips to their peers.  Cost to Attend: Free, but you must be a member. Cybersecurity frontliners can become members by registering (for free) here. 2. [Panel] Security 101: Back to the Basics Date: October 6 at 10 am (PST)  As a part of their Remote Session series, SecureWorld – whose mission is to connect, inform, and develop leaders in cybersecurity – is hosting a panel to remind us all that we still need to do the little things.  Speakers include Roy Wattanasin, Information Security Leader at the Association for Computing Machinery, Advait Deodhar, Solutions Architect, CISSP at ForgeRock, and Ryan Swimm,Senior Security Analyst at BitSight Technologies Cost to Attend: Free 3. Cyber Security Digital Summit: EMEA 2020 Date: October 13 This summit – which is being put on by The Cyber Security Hub – is focused on educating CISOs and other security professionals about how to handle today’s threats and tomorrow’s breaches. This 2-day EMEA event is coming after a deep dive into the APAC region and will feature speakers from around the world including Lucy Payne, Security Education and Training Manager at Aviva, Mohamad Mahjoub, CISO at Veolia, and many more. Bonus: Attendees will be able to download slides after the event to reference later on. Cost to Attend: Free 4. [email protected] Date: October 20-23 [email protected] is the only security conference powered by hackers brought to you by – you guessed it! – HackerOne. The theme? The critical role of hackers in your cybersecurity strategy.  This will be the fourth consecutive year the event has been held and attendees can once again expect to hear from thoughts leaders in the public and private sectors, security industry influencers, and – of course – some of the world’s most elite hackers.  While you can access the full agenda here, here are some highlights: Engaging Hackers to Help Secure Elections Beyond the Checkbox: Leveraging Compliance Frameworks to Improve Security Postures  How a Bug Becomes a Fix Cost to Attend: Free 5. [Panel] Social Engineering, BEC Attacks, and Other ‘Fun’ Scams Date: October 20 at 10 am (PST)  Yep, that’s right. Another one of SecureWorld’s remote sessions has made our list of must-attend events. Why attend? We’ll tell you. Business Email Compromise has increased by over 100% in the last two years and – as you may have noticed – social engineering has been making headlines more and more frequently. Looking for real-world examples of both? Check out this article. While panelists haven’t yet been announced, SecureWorld has said that guest speakers will be fielding questions live and that attendees will walk away with a better idea of how to keep their organization secure.   Cost to Attend: Free 6. [Webinar] Adapting Cybersecurity For a Hybrid Workforce  Date: October 21 Security strategies changed quickly with the move from office to home and now, as many organizations around the world are adopting hybrid remote working structures, they’ll have to change again. That’s why Tessian is hosting this webinar. More information including speakers and how to register coming soon! To be the first to get updates, sign-up for our newsletter. Cost to Attend: Free 7. Open Data Science Conference West Date: October 26-30 This is one to invite your larger security team to, including engineers. Why? There are over a dozen different topics and training areas, over 200 speakers, and it’s the only applied data science conference in the world. You can also sign-up for pre-conference training and a hackathon. Cost to Attend: $129-$859 (Click here to see which pass is right for you.) 8. FutureCon – London Date: October 27 FutureCon Events brings together security leaders to discuss new approaches to managing risk. Attendees can expect panels with C-level executives who have effectively mitigated risks associated with cyber attacks and several other learning opportunities that will help you build cyber resilient organizations. Can’t make it on October 27? That’s okay! FutureCon is hosting virtual events in several different cities, all spreading the same message: “Cybersecurity is no longer just an IT problem.” Cost to Attend: $100 9. InfoSec Connect Virtual Summit  Date: October 28-29 If you’re a security leader working in Financial Services, you don’t want to miss this. While it is a virtual event, the set-up will mirror what people have come to expect from Connet’s in-person events.  That means 1:1 meetings, in-depth discussions, exclusive networking, and content that’s been created and tailored specifically for the audience.  Note: This event is invite-only, so if you’re interested in attending, make sure you request an invitation ASAP.  Cost to Attend: Free 10. CISO Healthcare Exchange Date: October 28 This is another event targeted at a specific industry and, again, is invite-only. This time, though, it’s Healthcare. Attendees will discuss some of the most critical challenges CISOs are facing and how to make sure security strategies are evolving in tandem with the changing threat landscape. While you can view the full agenda here, below is a sneak peek. Living on the Edge: Meeting Emerging Cybersecurity Challenges in Digital Health Healthcare 2.0: Securing the Brave New World of the IoMT Championing Cybersecurity as a Critical Component of the Consumerization of Healthcare If you’re interested, make sure you register for your invitation soon. Cost to Attend: Free 11.National HealthSec eForum  Date: November 5 A perfect follow-up to the above event is The National HealthSec eFourm (which is being put on by the Cybersecurity Collaboration Forum). While the agenda hasn’t been shared yet, we do know that board members recommend and vet topics, speakers and industry partners, ensuring each event will address the industry’s most significant concerns. Bonus: Sessions are interactive, peer driven, and limited in size for maximum learning and networking. Make sure you register now; space is limited and you must qualify to attend. A member of your local leadership board will reach out once you’ve been approved to attend with a confirmation. Cost to Attend: Free 12. Global Talent: What your Workplace & Workforce of the Future will Look Like Date: November 10 As we’ve already mentioned, the workplace is changing. Many organizations are adopting flexible, hybrid, and even fully remote structures which means cybersecurity leaders need to adapt and evolve their strategies. This event in particular is for security leaders in Financial Services. Here’s what you should expect: A panel session where experts will share advice, wisdom, and best practices on the evolving workplace and workforce A closer look at how emerging collaboration paradigms may affect strategies A deep dive into data privacy across geographical boundaries Members can sign-up here. And, if you’re not a member, you can register to become one now. Cost to Attend: Free 13. Cybersecurity Digital Summit – Fall 2020 Date: November 10-12 This 3-day virtual event promises to help you chart the course for 2021 with the help of expert opinions and advice. And – spoiler alert – the speaker line-up is first-class and includes Ramy Housssaini, Chief Cyber and Technology Risk Officer at BNP Paribas, Brian Robinson, Senior Director of Product Marketing at Blackberry, and many (many) more.  Check out the full agenda here and decide which of the sessions you’re going to attend.  Cost to Attend: Free 14.ISF Digital Congress 2020  Date: November 15-19 This is the Information Security Forum’s flagship event which means it’s perfectly aligned with the organization’s overall mission, which is to”….[help] members overcome the wide-running information security challenges that impact business today.” ISF is promoting this as a sort of “live broadcast”, which means members (and non-members, so long as you register now!) from a variety of timezones can tune in. To learn more about what to expect and why you should attend, watch this video featuring Steve Durbin, Managing Director at ISF, and Nicholas Witchell, renowned journalist and Master of Ceremonies for Digital 2020. Cost to Attend: Free 15. PrivSec Global (Q4) Date: November 30-December 3 While we certainly will provide a bit more context about this event, this one-liner (in many ways) tells you everything you need to know. This is the largest data protection, privacy, and security event of 2020.  Spread across four days and sponsored by Microsoft and The Wall Street Journal, attendees can choose from one of eight tracks including privacy, security, industry, and region. That means that the content will be highly curated. And, with over 200 speakers and 90 sessions, it won’t be hard to find a topic that’s relevant specifically to you.  Cost to Attend: Free 16. Chief Information Security Officer Exchange Date: December 8-9 CISO’s, here’s another one just for you. At this 2-day virtual event, attendees will learn how to empower their organization to navigate through the changing landscape. How? Through a variety of topics, including: How to use strategic storytelling to provide clear benchmarks and metrics How to dissolve the gender and workforce gap on cybersecurity leadership teams How to prioritize and revise the definition of your organization’s risk appetite For a full list of speakers, click here. And make sure you register now!  Cost to Attend: Free 17. 2020 HMG Live! Financial Services CIO Executive Leadership Summit  Date: December 10 Last but not least, at HMG’s live virtual event – which is specifically designed for security leaders in Financial Services – top technology executives will share their advice on the roles that CIOs and tech leaders can play in driving innovation and reshaping the future of work. While there will no doubt be a focus on security, many of the topics will actually cover the more human aspect of being a leader, including how to keep employees inspired and how to strengthen employee engagement and motivation.  You can view the agenda, speaker line-up, and partners here. Cost to Attend: Free 18. Accounting & Finance Show When: October 20 – October 21, 2020 Cost to Attend: Free  The Accounting & Finance Show is the USA’s largest virtual accounting and finance exhibition. With over 150 speakers and 3,000 attendees, the exhibition features online networking, virtual workshops, and CPE education. Content tracks include HCM & Payroll, Tax, Technology, and Practice Management. Why attend? If you’re a security leader in Financial Services, this is a great opportunity to connect with your peers and understand what they’re doing to overcome current challenges.  19. Futurist Virtual Conference When: November 11 – 12, 2020 Cost to Attend: Free Futurist Virtual Conference is Canada’s largest blockchain and emerging tech conference. Over 100 world-class speakers are attending this year to discuss emerging industries and their trends, and attendees have the option to sit in on over 60 panel sessions, workshops, and roundtables.  20. NewStatesman Virtual Cyber Security in Financial Services Conference When: November 24, 2020 Cost to Attend: Free for senior-level delegates from financial institutions. At this year’s virtual conference, senior figures and thought leaders will lead presentations that examine current regulations and key trends. Some of the presentations include: How the COVID-19 pandemic has changed the cybersecurity landscape Building cyber resilience in the new decade How biometric innovation is shaping the future Are there any other events you think we should add to this list? Email [email protected]
Human Layer Security, Spear Phishing
Tim Sadler on Hacking Humans Podcast: Ep 117 “It’s Human Nature”
Thursday, September 24th, 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why people make mistakes and the importance of developing a strong security culture. While you can listen to the episode here, you can read a full transcript below. And, for more insights about The Psychology of Human Nature, read our report.
Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He’s been on our show before. He’s from an organization called Tessian, and they recently published a report called “The Psychology of Human Error.” Here’s my conversation with Tim Sadler. Tim Sadler: We commissioned this report because we believe that it’s human nature to make mistakes. The people control more sensitive data than ever before in the enterprise. So there’s customer data, financial information, employee information. And what this means is that even the smallest mistakes – like accidentally sending an email to the wrong person, clicking on a link in a phishing email – can cause significant damage to a company’s reputation and also cause major security issues for them. So we felt that businesses first need to understand why people make mistakes so that, in the future, they can prevent them from happening before these errors turn into things like data breaches. Dave Bittner: Well, let’s go through some of the findings together. I mean, it’s interesting to me that, you know, right out of the gate, the first thing that you emphasize here is that people do make mistakes. Tim Sadler: Absolutely, they do make mistakes, and I think that is human nature. We think about our daily lives and the things that we do; we factor in human error, and we factor in that we will make mistakes. And something I always come back to is if we think about something we do, you know, many of us do on a daily basis, which is, you know, driving a car, and we think about all of the assistive technology that we have in that car to protect us in the event that we do make a mistake because, of course, mistakes are expected. It’s kind of in our human nature. Dave Bittner: Well, let’s dig into some of the details here because there are some fascinating things that you all have presented. One of the things you dig into is the age factor. Now, this was interesting to me because I think we probably have some biases about who we think would be more likely to make mistakes, but you all uncovered some interesting numbers here. Tim Sadler: Yeah, completely. And, you know, just sharing some of those statistics that we found from this report, 65% of 18- to 30-year-olds admit to sending a misdirected email comparing to 34% who are over the age of 51. And we also found that younger workers were five times more likely to admit to errors that compromised their company’s cybersecurity than older generations, with 60% of 18- to 30-year-olds saying they’ve made such mistakes versus 10% of workers who are over 51. Dave Bittner: Now, what do you suppose is the disparity there? Do you have any insights as to what’s causing the spread? Tim Sadler: I think it is just speculation that I think there’s something interesting in just maybe thinking about the comfort level that younger workers might have with actually admitting mistakes or sharing that with others in the enterprise. You know, I think there’s something encouraging here, which is actually we’re seeing that if you were running a security team, you want your employees to come forward and tell you something has gone wrong, whether that’s a mistake that’s led to a bad thing or it’s a near miss. And I think that you also might find that, generally, younger people may tend to be less senior in the organization and, you know, may not have the same sense of stigma that maybe the older generations, who are more senior, may think there is. So if I tell my boss that, you know, I’ve just done something and there was a potentially bad outcome, they might feel like they may be in danger of compromising their position in the organization. Dave Bittner: Yeah, it’s a really interesting insight. I mean, that whole notion of the benefits of having a company culture that encourages the reporting of these sorts of things.
Tim Sadler: I think it’s so important. You know, I think – somebody, you know, correctly advised me, you almost need an everything’s-OK alarm in your business when you’re thinking about security. You know, if you have a risk register or if you are responsible for taking care of these incident reports, if you don’t see people reporting anything, it’s usually a more concerning sign than you have people coming forward who are openly admitting to the errors they’ve made that could lead to these security issues. It’s highly unlikely that you’ve got nothing on your risk register. That you’ve completely eliminated risk from your business. It’s more likely that actually you haven’t created the right culture that feels like it’s suitable or acceptable to actually come forward and admit mistakes. Tim Sadler: And I think this is really, really important. I think now more than ever, during this time where, you know, we have a global pandemic, a lot of people are working from home, and they’re kind of juggling the demands of their jobs with their personal lives – maybe they’re having to figure out childcare – there are lots of other things weighing in to an employee’s life right now. It’s really important to actually, I think, extend empathy and create an environment where your employees do feel comfortable actually sharing things, mistakes they’ve made or things that could pose security incidents. I think that’s how you make a stronger company, through that security culture. Dave Bittner: But let’s move on and talk about phishing, which your report digs into here. And then this was surprising to me as well. You found that 1 in 4 employees say that they’ve clicked on phishing emails. But interesting to me, there was a gap between men and women and, again, older folks and younger folks.  Tim Sadler: Yes, so we found in the report that men are twice as likely as women to click on links in a phishing email, which again I think is – I think we were as surprised as you are that that was something that came from the research that we conducted. Dave Bittner: And a much lower percentage of folks over 51 say that they’d clicked on phishing links. Tim Sadler: Yes. And, again, you know, because of the research, of course, we’re relying on people’s honesty about these kinds of things. Dave Bittner: Right. Tim Sadler: But it does seem that there are clear kind of demographic splits in terms of things like age and also gender in terms of, actually, the security outcomes that took place. Dave Bittner: I mean, that in particular seems counterintuitive to me, but when I read your report, I suppose it makes sense that, you know, people who have more life experience, they may be more wary than some of the folks who are just out of the gate. Tim Sadler: I think that does play into things. I think that younger generations who are coming into the workplace, who are maybe even used to – you know, they’ve had an email account maybe for most of their lives. In fact, I would say that they’re probably less used to using email because they’ve advanced to other communication platforms before they enter the workplace. But I do think that, you know, if you think about people who have had email accounts, you know, at school or at college, they’re going to be used to being faced with potential scams, potential phishing. They’ve maybe already been through many kind of forms of education training awareness, those kinds of things, before they’ve actually entered the world of work. Dave Bittner: Yeah, another thing that caught my eye here was that you found that tech companies were most fallible. And it seemed to be that the pace at which those companies run had something to do with it. Tim Sadler: Yeah, I think there’s something interesting here. And, again, just would say that this is speculation because we don’t have the specific data to dig further into this. But I think there’s something interesting with the concept that technology companies, as you say, if they’re, you know, high-growth startups, they tend to be maybe moving faster, where these kinds of things can slip off the radar in terms of the security focus or the security awareness culture they create. Tim Sadler: But the other thing – and I think something to be aware of – is sometimes technology companies have that kind of false sense of security that it’s all in check, right? ‘Cause they – you know, this is kind of their domain. They feel that it’s within their comfort zone, and then maybe they neglect, actually, how serious something like this could be, where they feel that, OK, we’ve actually – even if we’ve got an email system in place, in the instance of phishing – we’ve got an email system in place. We feel like it has the appropriate security controls. But then we miss out the elements of actually making sure that the person is aware or is trained, is provided with the assistive technology around them and then also feels that they’re part of a security culture where they can report these things. So I think that’s also an important factor, too. Dave Bittner: So one of the interesting results that came through your research here is the impact that stress and fatigue have on workers’ ability to kind of detect these things. Tim Sadler: Yeah, and this is a really, really important point. So 47% of employees cited distraction as the top reason for falling for a phishing scam. And 41% said that they sent an email to the wrong person because they were distracted. The interesting thing, I think, there is that – another stat that came out from this – 57% of people admitted that they were more distracted when working from home, which is, of course, a huge part of the population now. So this point about distraction seems to play a really important factor in actually the fallibility of people with regard to phishing. Tim Sadler: And then a further 93% of employees said that they were either tired or stressed at some point during the week. And 1 in 10 actually said that they feel tired every day. And then the sort of partner stat to that, which is important, is that 52% of employees said that they make more mistakes when they’re stressed. And of course, tiredness and being stressed play hand-in-hand. So these are really, really important things for companies to take note of, which is, you have to also think about the well-being of your employees with regard to how that impacts your security posture and your ability to actually prevent these kinds of human errors and mistakes from taking place. Dave Bittner: Right. Giving the employees the time they need to recharge and making sure that they’re properly tasked with things where they can meet those requirements that you have for them – I mean, that’s an investment in security as well. Tim Sadler: Completely. And I think what’s really difficult is that security is serious business. No one would doubt or question its importance. It is literally mission critical for companies to get right. Some companies take a draconian approach when it comes to security, and they penalize or they’re very heavy-handed with employees when they get things wrong. I think, again, it is really important to consider the security culture of an organization. And actually, creating a safe space for people to share their vulnerability from a security perspective – things that they may have done wrong – and actually then having a security team or security culture that helps that person with the error or the issue that may arise versus just creating a environment where if you do the wrong thing, then, you know, your job, your role might be in jeopardy. Tim Sadler: And again, it is a balance because you need to make sure that people are never being careless, and there is a responsibility that we all have in terms of the security posture of our organization. But what this report shows is that those elements are really important. You know, we don’t want to contribute to the distraction. We don’t want to contribute to the stress and tiredness of our employees. And even outside the security domain, if you do have an environment that doesn’t create a balance for your employees, you are at a higher risk of suffering from a security breach because of the likelihood of human error with your employees. Dave Bittner: All right, Joe, what do you think?
Joe Carrigan: I really liked that interview. Tim makes some really great points. The first thing he says is at Tessian, they believe that people are prone to mistakes, right? Of course we are, right? But why, in the real world, do we act like we’re not? That is what struck out to me immediately – the fact that Tim even needs to say this or that somebody needs to say this, that people are prone to mistakes. We act as if we’re not prone to mistakes. And then the driving analogy is a great analogy, right? If everybody does everything right in a car, nobody would ever have an accident. But as we all know, that is not the case. Dave Bittner: Accidents happen (laughter). Yeah. I think in public health, too – you know, I often use the example of, you can do everything right. You can wash your hands. You can, you know, be careful when you sneeze and clean surfaces and all that stuff. But still, no matter what, every now and then, you’re still going to get a cold. Joe Carrigan: Younger people are more likely to say that they’ve made mistakes than older people, and I agree with Tim’s speculation on the disparity of responses across age groups. Younger people have less to lose than an older person who might be more senior in the organization. I also think that an older person might be more experienced with what happens when you admit your mistakes. Joe Carrigan: And that comes to my next point, which is culture. And that is probably the single-most important thing in a company. And this is my opinion, of course – but this is so much more important when we get to security. It needs to be open and honest, and people need to absolutely not fear coming forward about their mistakes in security. This is something that I’ve dealt with throughout my career, even before I was doing security, with people making mistakes. If somebody tries to cover up a mistake, that makes the cleanup effort a lot more difficult. And it’s totally natural to try to do that. You’re like, oh, I made the mistake. I better correct it. If you don’t have the technical expertise to correct it, you’re actually making more work for the people who have to actually correct it. Dave Bittner: Yeah. I also – I think there’s that impulse to sort of try to ignore it and hope it goes away. Joe Carrigan: Right (laughter). That happens, too. I find this is interesting. Men are twice as likely to click on a link than women. Older users are less likely to click on a link. I think that comes from nothing but experience. You and I are older. We’ve had email addresses for years and years and years. I’ve been on the Internet longer than a lot of people have been alive. I know how this works. And younger people may not have that level of experience. Plus, I think younger people are just more trusting of other people. And as we get older, we, of course, become more jaded. Joe Carrigan: Tech companies have a false sense of security because this is their domain. That’s one of the things Tim said. I think that’s right. You know, that’s not going to happen to us; we’re a tech company. Things are still going to happen to you because, like Tim says very early in the interview, people make mistakes. Dave Bittner: All right. Well, again, our thanks to Tim Sadler from Tessian for joining us this week. We appreciate him taking the time. Again, the report is titled “The Psychology of Human Error.” And that is our show. Of course, we want to thank all of you for listening. Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The “Hacking Humans” podcast is proudly produced in Maryland at the startup studios of DataTribe, where they’re co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I’m Dave Bittner. Joe Carrigan: And I’m Joe Carrigan. Dave Bittner: Thanks for listening.
Spear Phishing
6 Real-World Examples of Social Engineering Attacks
Tuesday, September 22nd, 2020
Over the last several months, “social engineering” has been making headlines more and more frequently. But, before we dive into real-world examples of social engineering attacks, let’s define exactly what social engineering is. Social engineering attacks are a type of cybercrime wherein the attacker fools the target through impersonation. They might pretend to be your boss, your supplier, someone from our IT team, or your delivery company. Regardless of who they’re impersonating, their motivation is always the same — extracting money or data. So, what’s the biggest threat vector for social engineering attacks? Email. Why do hackers do it? According to Verizon’s 2020 data breach report, money. In fact, the rates of financially-motivated social engineering attacks doubled between 2018 and 2019 and continued to increase after the outbreak of COVID-19. In this article, we’ll look at six real-world examples of social engineering attacks — some big and some recent — all using different techniques. We’ll also tell you how to avoid falling victim to these sorts of attacks. 1.  $100 Million Google and Facebook Spear Phishing Scam The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimsauskas also set up bank accounts in the company’s name. The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million. How to Prevent Spear Phishing The Rimasauskas case is a classic example of a spear phishing scam. The attacker hacks or impersonates a trusted person and then “spears” specific individuals.  Spear phishing is more convincing than regular, “spray and pray” phishing because they’re highly targeted. An attacker might also be impersonating someone with whom the target communicates regularly. They may have a near-identical email address, with a very subtle change in the domain name (for example, [email protected] becomes [email protected]–name.com).  You can read more about email impersonation on our blog. Unfortunately, humans — even those working at the world’s most powerful tech firms — sometimes don’t spot small changes. It could be because they’re distracted or over-worked, or it could simply be because the email was a convincing fake. Whatever the reason, it’s important people aren’t left as the last line of defense.  The best thing you can do to prevent spear phishing scams, then, is to implement technology that protects against advanced impersonation attacks like spear phishing.  Tessian Defender’s stateful machine learning technology understands each employee’s inbox inside-out and can detect anomalies in email addresses, body copy, and more. That’s how it distinguishes between safe emails and suspicious ones, alerting the target when a phishing attack occurs. Looking for more resources? These might help.  What is Spear Phishing? Defending Against Targeted Email Attacks What Does a Spear Phishing Email Look Like? Phishing vs. Spear Phishing: Differences and Defense Strategies  2. Deepfake Attack on UK Energy Company In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer. This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.”   To learn more about how hackers use AI to mimic speech patterns, listen to Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI at Tessian Human Layer Security Summit. How to Prevent Deepfake Attacks Deepfakes are an emerging threat that could soon become a widespread problem. 74% of IT leaders think deepfakes threaten their organizations’ and their employees’ security. But there are some steps you can take to protect your business from this new type of fraud. Make a habit of verifying telephone requests via another medium, e.g., email or SMS. This is a type of 2-Factor Authentication (2FA) — a security step that you should implement across all channels. If a caller insists that the request is urgent, try to verify their identity in another way —  such as by asking them some specific detail about the office or an event you both attended. Work closely with your IT department to log all suspicious activity and security incidents. For more information about deepfakes, read this article: Deepfakes: What are They and Why are They a Threat? 3. $60 Million CEO Fraud Lands CEO In Court Chinese plane parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud scam” where scammers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC then spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls. While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.  How to Prevent CEO Fraud It’s easy to see why CEO fraud is a successful type of social engineering attack. Imagine working late at the office one day. You get an email from the CEO herself, asking you to make some last-minute amendments to an invoice. The tone is urgent, the email looks genuine, and you have a chance to impress the top boss — why wouldn’t you go ahead and do it? CEO fraud is a common form of Business Email Compromise (BEC). Using impersonation techniques, scammers can send emails using your CEO’s display name, or email addresses that are nearly indistinguishable. Alternatively, hackers can hijack your CEO’s email account. Tessian’s machine learning technology knows what your CEO’s emails should look like and can alert employees to tiny differences in email addresses and even subtle deviations from their “normal” tone. Learn more about how Tessian prevents CEO Fraud at some of the world’s leading businesses. Read customer stories here. 4. $75 Million Belgian Bank Whaling Attack Perhaps the most successful social engineering attack of all time was conducted against Belgian bank Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice. Crelan fell victim to “whaling” — a type of spear-phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds. You can read more about whaling here: Whaling Email Attacks: Examples & Prevention Strategies. How to Prevent Whaling In defending against whaling attacks, the same principles apply as when defending against spear phishing and CEO Fraud. In addition to making sure employees – including senior executives – are trained on how to spot impersonation attacks, you need to implement email security solutions to detect and prevent successful inbound attacks.  To learn more about how Tessian bolsters training, reinforces policies and procedures, and stops threats – all without disrupting employee’s workflow – book a demo.  5. High-Profile Twitters Users’ Accounts Compromised After Vishing Scam In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West.  The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions. Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts. Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price plummet by 7% in pre-market trading the following day. How to Prevent Vishing Vishing attacks typically utilize “Voice over Internet Protocol” (VoIP) technology in order to fake their caller ID. Attackers can also use “war diallers” to contact many people in a short period. The attack may start with a recorded message directing the target to call back. The key to protecting your business from vishing attacks is staff training. Ensure your employees understand what a vishing attack might sound like (the caller has an urgent tone or offers unexpected benefits), and make it clear that they should never respond to such a call. You can read more about vishing on our blog. 6. Texas Attorney-General Warns of Delivery Company Smishing Scam Nearly everyone gets the occasional text message that looks like it could be a potential scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it. Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details. The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission. How to Prevent Smishing While 96% of phishing occurs via email, smishing is an increasingly serious threat to individuals and businesses. Consumer Reports claims that the Federal Trade Commission (FCC) received 93,331 complaints about fraudulent text messages in 2018 — a 30% increase from 2017. Smishing scams follow the same patterns as other social engineering attacks. Smishing text messages are typically urgent in tone, claiming that the target is in danger or a fine or have been the victim of credit card fraud. Or they may claim that the target has won a prize, or is owed a tax refund. So, how do you avoid falling victim to a scam? In the workplace, security teams should ensure employees exercise the same caution when responding to text messages as they do with emails.  Top tip: Never to respond to any suspicious message, click links within SMS messages, or reveal personal or company information via SMS. Prevent social engineering attacks in your organization While we’ve included three tips to help you detect social engineering attacks in this blog: What is Social Engineering? 4 Types of Attacks, it’s important to remember that these scams – whether delivered by email, text, or voicemail, are really, really hard to spot. That’s why technology is essential and where Tessian comes in. Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks. Best of all, it does all of this silently in the background in real-time and, in-the-moment warnings help bolster training and reinforce policies. That means employee productivity isn’t affected and security reflexes improve over time. To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today.
Human Layer Security
Human Layer Security Summit On-Demand: 5 Sessions to Watch Now
By Maddie Rosenthal
Thursday, September 17th, 2020
In March, Tessian hosted its first Human Layer Security Summit. In June, we hosted our second. And, earlier this month, we hosted our third.  Combined, that’s 20 separate sessions, with nearly two dozen industry leaders from the world’s top institutions, who covered topics ranging from deepfakes and the 2020 US election to the challenges associated with remote-working and the effectiveness of people-centric security strategies.  Now, you can access all of this content on-demand in one place. Introducing Human Layer Security On-Demand. While every session is packed with valuable information, we’ve rounded up the top five videos you should watch now.  Safeguarding the 2020 Elections, Disarming Deep Fakes Watch now If you weren’t concerned about deepfakes before, you will be after watching this interview. According to  Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.”   And, while we tend to associate deepfakes with election security, this is a threat that affects business’ too.  After watching the full session, make sure you check out this article for tips to help you and your employees spot impersonations: Deepfakes: What are They and Why are They a Threat? Why People Fall for Social Engineering in a Crisis Watch now To err is human. This is something we all know fundamentally. But, do you know why people make mistakes?  In this session, Ed Bishop, Tessian CTO and Co-founder Ed Bishop discussed The Psychology of Human Error with Jeff Hancock, Communications Professor at Stanford University and David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec.  The bottom line: people make more mistakes that compromise security (like falling for phishing scams and sending misdirected emails) when they’re stressed, distracted, anxious, or and tired. And, as you might expect, people have been even more stressed, distracted, anxious, and tired over the last several months giving the global pandemic, new working conditions, and social and political unrest.  How to Thrive in our New Normal with Stephane Kasriel Watch now In this interview, Tessian CEO and Co-founder Tim Sadler interviewed Stephane Kasriel, former CEO of Upwork. Why? Because Upwork has maintained a hybrid remote-working structure across 500 cities for 20 years, which meant (and still means!) that he’s in a better position than most to offer advice around adapting and overcoming challenges related to distributed workforces. Stephane offered incredible advice that both security and business leaders should heed now and going forward as employees continue adjusting to their new work set-ups.  Don’t have time to watch the interview? You can read seven of his tips on our blog. Interview with Glyn Wintle, Ethical Hacker and CTO of Tradecraft Watch now At Tessian’s first Human Layer Security Summit, Glyn Wintle, an Ethical Hacker and the Co-Founder and Chief Technology Officer of Tradecraft explained how hackers combine psychology and technical know-how to create highly targeted and highly effective spear phishing attacks to dupe targets.
In his presentation, he shared several tips to help people like you and me spot the phish. Check out his tips here. Perspectives on Risk Profiles From Around the World Watch now At Tessian, we know that diverse perspectives lead to diverse solutions. That’s why for this session, we brought together Elvis Chan, Supervisory Special Agent of the FBI and Bobby Ford, Global CISO of Unilever. Both shared their observations on the evolving cybersecurity risks and how to keep organizations protected.  One of the key takeaways? The secure thing to do should be the easiest thing to do.  If you’re a security leader trying to figure out how to make security more frictionless, this is a must-watch.  Don’t forget: there are 15 more sessions you can watch on-demand. Check them out now. Or, if you’re interested in learning more about Human Layer Security and Tessian’s products, book a demo.
Spear Phishing
What Does a Spear Phishing Email Look Like?
By Maddie Rosenthal
Thursday, September 17th, 2020
88% of organizations around the world experienced spear phishing attempts in 2019.  And, while security leaders are working hard to train their employees to spot these advanced impersonation attacks, every email looks different. A hacker could be impersonating your CEO or a client. They could be asking for a wire transfer or a spreadsheet. And malware can be distributed via a link or an attachment. But it’s not all bad news. While – yes – each email is different, there are four commonalities in virtually all spear phishing emails. 
Download the infographic now and help your employees spot spear phishing attacks. Before we go into more detail about these four red flags, let’s get into the mind of a hacker. What do hackers consider when creating a spear phishing attack? Hackers prey on their target’s psychological vulnerabilities.  For example, immediately after the outbreak of COVID-19, we saw a spike in spear phishing attacks impersonating health organizations, insurance companies, government agencies, and remote-access tools. Why? Because people were stressed, anxious, and distracted and therefore more likely to trust emails containing “helpful” information and take the bait. We explore this in detail in our report, The Psychology of Human Error.  While people cite distraction as the top reason for falling for phishing attacks, the perceived legitimacy of the email was a close second. Looking at real-world examples can help. Below are five articles that outline recent scams, including images of the emails.  COVID-19: Real-Life Examples of Opportunistic Phishing Emails Everything You Need to Know About Tax Day Scams 2020 Spotting the Stimulus Check Scams How to Spot and Avoid 2020 Census Scams Look Out For Back to School Scams Now that you know broadly what to look for and what makes you more vulnerable, let’s take a deeper dive into the four things you should carefully inspect before replying to an email. 4 Things to Inspect Before Replying to An Email The Display Name and Email Address The first thing you should do is look at the Display Name and the email address. Do they match? Do you recognize the person and/or organization? Have you corresponded with them before? It’s important to note that some impersonations are easier to spot than others. For example, in the example below, the Display Name ([email protected]) is vastly different from the email address ([email protected]).
But, hackers can make slight changes to the domain that can be indiscernible unless the target is really looking for it. To make it easier to understand, we’ll use FedEx as an example. In the chart below you’ll see five different types of impersonations. For more information about domain impersonations, read this article:  Inside Email Impersonation: Why Domain Name Spoofs Could Be Your Biggest Risk
The bottom line: Take the time to look closely at the sender’s information. The Subject Line As we’ve mentioned, hackers exploit the psychological vulnerabilities of their targets. It makes sense, then, that they’ll try to create a sense of urgency in the subject line.  Here is a list of the Top 5 subject lines used in spear phishing attacks: Urgent Follow up Important Are you available? Payment Status And, when it comes to Business Email Compromise attacks, the Top 5 subject lines are: Urgent Request Important Payment Attention While – yes – these subject lines can certainly appear in legitimate emails, you should exercise caution when responding. Better safe than sorry! Attachments and Links Hackers will often direct their targets to follow a link or download an attachment.  Links will direct users to a malicious website and attachments, once downloaded, will install malware on the user’s computer. These are called payloads. How can you spot one? While links may often look inconspicuous (especially when they’re hyperlinked to text) if you hover over them, you’ll be able to see the full URL. Look out for strange characters, unfamiliar domains, and redirects. 
Unfortunately, you can’t spot a malicious attachment as easily. Your best bet, then, is to avoid downloading any attachments unless you trust the source.  Note: Not all spear phishing emails contain a payload. Hackers can also request a wire transfer or simply build rapport with their target before making a request down the line. The Body Copy Just like the subject line will create a sense of urgency, the body copy of the email will generally motivate the target to act.  Look out for language that suggests there will be a consequence if you don’t act quickly. For example, a hacker may say that if a payment isn’t made within 2 hours, you’ll lose a customer. Or, if you don’t confirm your email address within 24 hours, your account will be deactivated. While spear phishing emails are generally carefully crafted, spelling errors and typos can also be giveaways. Likewise, you may notice language you wouldn’t expect from the alleged sender. For example, if an email appears to be sent from your CEO, but the copy doesn’t match previous emails from him or her, this could suggest that the email is a spear phishing attack. What to do if an email if you think an email is suspicious Now that you know what to look out for, what do you do if you think you’ve caught a phish? If anything seems unusual, do not follow or click links or download attachments.  If the email appears to be from a government organization or another trusted institution, visit their website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  Contact your line manager and/or IT team immediately and report the email. But it’s not fair to leave people as the last line of defense. Even the most tech-savvy people can fall for spear phishing attacks.  Case in point: Last month, The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on. That means organizations should invest in technology that can detect and prevent these threats. Tessian can help detect and prevent spear phishing attacks Unlike spam filters and Secure Email Gateways (SEGs) which can stop bulk phishing attacks, Tessian Defender can detect and prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones. How? Tessian’s machine learning algorithms learn from historical email data to understand specific user relationships and the context behind each email. When an email lands in your inbox, Tessian Defender automatically analyzes millions of data points, including the email address, Display Name, subject line and body copy.  If anything seems “off”, it’ll be flagged. 
To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today. 
Compliance, Data Exfiltration, DLP, Spear Phishing
Compliance in the Legal Sector: Laws & How to Comply
Wednesday, September 16th, 2020
Thanks to the digital transformation and increasingly strict data security obligations, law firms’ business priorities are changing. Today, data protection, transparency, and privacy are top-of-mind.  It makes sense.  Keep reading to find out… Why the legal sector is bound to such strict compliance standards Which regulations govern law firms How cybersecurity can help ensure compliance Interested in learning more about regional compliance standards or those that impact other industries? Check out our Compliance Hub to find articles, tips, guides, and more.
Why is the legal sector bound to strict compliance standards? Lawyers’ hard drives, email accounts, and smartphones can contain anything from sensitive intellectual property and trade secrets to the Personally Identifiable Information (PII) of clients.  Unfortunately, hackers and cybercriminals are all too aware of this. It’s no surprise, then, that the legal sector is amongst the most targeted by social engineering attacks like spear phishing. Ransomware is a big problem, too. In fact, just a few months ago, Grubman Shire Meiselas & Sacks, a prominent media law firm, had its client information compromised.  Those behind the attack later threatened to auction some of these files concerning major celebrities for as much as $1.5 million unless the firm paid a $42 million ransom.  But, it’s not just inbound attacks that law firms have to worry about. Because the legal sector is highly competitive, incidents involving Insider Threats are a concern, too.  96% of IT leaders working in the legal sector say they’re worried that someone within the organization will cause a breach, either accidentally (via a misdirected email, for example) or maliciously.  The regulations governing law firms When it comes to data protection and privacy, the legal sector is subject to a relatively strict regulatory framework both under the law and rules imposed by professional bodies. Depending on where a firm is based and what its practice areas are, it can be subject to several stringent laws and regulations. This is especially true for firms operating in major markets like the United States, the United Kingdom, and the European Union. In this article, we’ll focus on some of the more general regulations and standards that all firms operating in these markets are expected to abide by. General Data Protection Regulation (GDPR) When the GDPR was introduced in 2018, it represented the largest change to data protection legislation in almost two decades. It also contains some of the most thorough compliance obligations for law firms and indeed any other entity that collects, stores, and processes data. The GDPR has been designed to help and guide organizations with a legitimate business interest as to how personal data should be handled and gives regulators the power to impose large fines on firms that aren’t compliant.  You can read more about the largest GDPR fines (so far) in 2020 on our blog. What is the GDPR’s purpose? The GDPR was introduced amid growing concerns surrounding the safety of personal data and the need to protect it from hackers, cybercrime, Insider Threats, unethical use, and the growing attack surface.  Essentially, it gives citizens full and complete control of their data, subject to some restrictions (for example, where data must be held by firms by law).  What is the scope of the GDPR? The legislation regulates the use of ‘personal data’ and applies to all organizations located within the EU, as well as organizations outside the EU who offer their goods or services to EU citizens. It also applies to organizations that hold data pertaining to EU citizens, regardless of their location.  What should law firms know about the GDPR? The main part of the GDPR that law firms should be paying attention to is Article 5.  This sets out the principles relating to the collection and processing of personal data. The six key principles are that personal data: Should be processed lawfully, fairly and in a transparent manner; Should only be collected for legitimate purposes; Should be limited to what’s necessary in relation to the purpose(s) it’s processed; Must be accurate and kept up to date, with any inaccurate erased or rectified; Should be held for longer than is necessary for its purposes*; and Should be held with adequate security against theft, loss, and/or damage.  The GDPR also gives your clients the right to ask for their data to be removed (‘right of erasure’) without the need for any outside authorization. Note: Data can only be kept contrary to a client’s wishes to ensure compliance with other regulations.  What should a firm do in the event of a breach? Before GDPR, law firms could follow their own protocols when dealing with a data breach. But now, the GDPR forces firms to report any data breaches, no matter how big or small they are, to the relevant regulatory authority within 72 hours. In the UK, for example, the regulatory authority is the Information Commissioner’s Office (ICO):  The notification must: Contain relevant details regarding the nature of the breach; The approximate number of people impacted; and Contact details of the firm’s Data Protection Officer (DPO).  Clients who have had their personal data compromised must also be notified of the breach, the potential outcome, and any remediation “without undue delays”.  It’s important to note that breaches aren’t always the results of malicious activity by an Insider Threat or hacker outside the organization. Even accidents can result in breaches. In fact, misdirected emails (emails sent to the wrong person) has consistently been one of the most frequently reported incidents to the ICO.  That’s why it’s essential law firms (and other organizations) have safeguards in place to prevent mistakes like these from happening. Looking for a solution? Tessian Guardian prevents misdirected emails in some of the world’s most prestigious law firms, including Dentons, Hill Dickinson, and Travers Smith What are the penalties for non-compliance? Financial penalties imposed for GDPR violations can be harsh, and they often are; regulatory authorities are keen to highlight just how important the GDPR is and how seriously it should be taken. Fines for non-compliance can be as high as 4% of annual global turnover or €20 million—whichever is higher. American Bar Association Rule 1.6 Rule 1.6 governs the confidentiality of client information. It states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Simply put, lawyers must make efforts to protect the data of their clients.  Two years ago, the American Bar Association issued new guidance in the form of Formal Opinion 483. This covers the importance of data protection and how firms should act when, not if, a security breach happens. This wording demonstrates that the ABA recognizes that breaches are part and parcel of firms operating in the modern world, and the statistics confirm this. 
In essence, Formal Opinion 483 states:  Lawyers have a duty of competence in implementing adequate security measures regarding technology. Lawyers must reasonably and continuously assess their systems, operating procedures, and plans for mitigating a breach. In the event of a suspected or confirmed breach, lawyers must take steps to stop the attack and prevent any further loss of data. When a breach is detected and confirmed, lawyers must inform their clients in a timely manner and with enough information for clients to make informed decisions.  The bottom line: law firms must protect data with cybersecurity. Solicitors’ Regulation Authority Code of Conduct In the UK, solicitors are obliged under the Solicitors’ Regulation Authority (SRA) Code of Conduct to maintain effective systems and mitigate risks to client confidentiality and client money. Solicitors are also obliged to ensure systems comply more broadly with the SRA’s other regulatory arrangements.  The SRA says that, although being hacked or falling victim to a data breach is not necessarily a failure to meet these requirements, firms should take proportionate steps to protect themselves and their clients while retaining the advantages of advanced IT.  Where a report of cybercrime (note: crime, not a loss that takes place due to negligence) is received, the SRA takes a constructive approach in dealing with the firm, especially if the firm:  Is proactive and immediately notifies the SRA. Has taken steps to inform the client and as a minimum make good any loss. Shows they are taking steps to improve their systems and processes to reduce the risk of a similar incident happening again.  That means that, under the SRA’s Code of Conduct, law firms should take steps to prevent inbound attacks like spear phishing and set-up policies and processes that ensure swift reporting.  The good news is, Tessian can help with both inbound attacks and Insider Threats and has a history of successfully protecting law firms around the world from both. 
How Tessian helps law firms stay compliant Across all three of the regulations listed here, there’s one commonality: law firms are responsible for ensuring that their IT systems and processes are robust and secure enough to keep data safe and mitigate the chance of a breach taking place.  But, that’s easier said than done, especially in our dynamic and digitally connected world where threats are ever-evolving. So, where should law firms start? Email. 90% of all data breaches start on email and it’s the threat vector IT leaders are most concerned about protecting. That’s why Tessian is focused on protecting this channel. Across three solutions, Tessian detects and prevents threats using machine learning, which means it’s constantly adapting, without requiring maintenance from thinly-stretched security teams. Tessian Defender detects and prevents spear phishing Tessian Guardian detects and prevents accidental data loss via misdirected email Tessian Enforcer detects and prevents data exfiltration attempts from Insider Threats Importantly, Tessian is non-disruptive. That way, partners, lawyers, and administrators can do their jobs without security getting in the way. Tessian stops threats, not business.  To learn more about how Tessian helps law firms like Dentons, Hill Dickinson, and Travers Smith protect data, maintain client trust, and satisfy compliance standards, talk to one of our experts. 
Data Exfiltration, DLP, Human Layer Security, Spear Phishing
Worst Email Mistakes at Work and How to Fix Them
By Maddie Rosenthal
Thursday, September 10th, 2020
Everyone makes mistakes at work. It could be double-booking a meeting, attaching the wrong document to an email, or misinterpreting directions from your boss. While these snafus may cause red-faced embarrassment, they generally won’t have any long-term consequences. But, what about mistakes that compromise cybersecurity? This happens more often than you might think. In fact, nearly half of employees say they’ve done it, and employees under 40 are among the most likely. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); In this article, we’ll focus on email mistakes. You’ll learn: The top five email mistakes that compromise cybersecurity How frequently these incidents happen What to do if you make a mistake on email
I sent an email to the wrong person At Tessian, we call this a misdirected email. If you’ve sent one, you’re not alone. 58% of people say they’ve done it and, according to Tessian platform data, at least 800 are fired off every year in organizations with over 1,000 people. It’s also the number one security incident reported to the Information Commissioner’s Office (ICO) under the GDPR. (More on the consequences related to data privacy below.) Why does it happen so often? Well, because it’s incredibly easy to do. It could be a simple typo (for example, sending an email to [email protected] instead of [email protected]) or it could be an incorrect suggestion from autocomplete.  What are the consequences of sending a misdirected email? While we’ve written about the consequences of sending an email to the wrong person in this article, here’s a high-level overview:  Embarrassment  Fines under compliance standards like GDPR and CCPA Lost customer trust and increased churn Job loss Revenue loss Damaged reputation
Real-world example of a misdirected email In 2019, the names of 47 claimants who were the victims of sexual abuse were leaked in an email from the program administrator after her email client auto-populated the wrong email address.  While the program administrator is maintaining that this doesn’t qualify as a data leak or breach, the recipient of the email – who worked in healthcare and understands data privacy requirements under HIPAA – continues to insist that the 47 individuals must be notified.  As of September 2020, they still haven’t been. I accidentally hit “reply all” or cc’ed someone instead of bcc’ing them Like sending a misdirected email, accidentally hitting “reply all” or cc instead of bcc are both easy mistakes to make.  What are the consequences of hitting “reply all” or cc instead of bcc? As you may have guessed, the consequences are the same as the consequences of sending a misdirected email. And, importantly, the consequences depend entirely on what information was contained in, or attached to, the email. For example, if you drafted a snarky response to a company-wide email and intended to send it to a single co-worker but ended up firing it off everyone, you’ll be embarrassed and may worry about your professional credibility.  But, if you replace that snarky response with a spreadsheet containing medical information about employees, you’ll have to report the data loss incident which could have long-term consequences. Real-world example of hitting “reply all” In 2018, an employee at the Utah Department of Corrections accidentally sent out a calendar invite for her division’s annual potluck. Harmless, right? Wrong. Instead of sending the invite to 80 people, it went to 22,000; nearly every employee in Utah government. While there were no long-term consequences (i.e., it wasn’t considered a data loss incident or breach) it does go to show how easily data can travel and land in the wrong hands.  Real-world example of cc’ing someone instead of bcc’ing them On January 21, 2020, 450 customer email addresses were inadvertently exposed after they were copied, rather than blind copied, into an email. The email was sent by an employee at speaker-maker Sonos and, while it was an accident, under GDPR, the mistake is considered a potential breach.  I fell for a phishing scam According to Tessian research, 1 in 4 employees has clicked on a phishing email. But, the odds aren’t exactly in our favor. In 2019, 22% of breaches in 2019 involved phishing…and 96% of phishing attacks start on email. (You can find more Phishing Statistics here.) Like sending an email to the wrong person, it’s easy to do, especially when we’re distracted, stressed, or tired. But, it doesn’t just come down to psychology. Phishing scams are getting harder and harder to detect as hackers use increasingly sophisticated techniques to dupe us.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); What are the consequences of falling for a phishing scam? Given the top five “types” of data that are compromised in phishing attacks (see below), the consequences of a phishing attack are virtually limitless. Identify theft. Revenue loss. Customer churn. A wiped hardrive. But, the top five “types” of data that are compromised in a phishing attack are: Credentials (passwords, usernames, pin numbers) Personal data (name, address, email address) Internal data (sales projections, product roadmaps)  Medical (treatment information, insurance claims) Bank (account numbers, credit card information) Real-world example of a successful phishing attack In August 2020, The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on. While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. But, most phishing attacks have serious consequences. According to one report, 60% of organizations lose data. 50% have credentials or accounts compromised. Another 50% are infected with ransomware. 35% experience financial losses. I sent an unauthorized email As a part of a larger cybersecurity strategy, most organizations will have policies in place that outline what data can be moved outside the network and how it can be moved outside the network. Generally speaking, sending data to personal email accounts or third-parties is a big no-no. At Tessian, we call these emails “unauthorized” and they’re sent 38x more than IT leaders estimate. Tessian platform data shows that nearly 28,000 unauthorized emails are sent in organizations with 1,000 employees every year.  So, why do people send them? It could be well-intentioned. For example, sending a spreadsheet to your personal email address to work over the weekend. Or, it could be malicious. For example, sending trade secrets to a third-party in exchange for a job opportunity.  What are the consequences of sending an unauthorized email Whether well-intentioned or malicious, the consequences are the same: if the email contains data, it could be considered a data loss incident or even a breach. In that case, the consequences include: Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation No sensitive data involved? The consequences will depend on the organization and existing policies. But, you should (at the very least) expect a warning.  Real-world example of an unauthorized email In 2017, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes. You can find more real-word examples of “Insider Threats” in this article: Insider Threats: Types And Real-World Examples How can I avoid making mistakes on email? The easiest answer is: be vigilant. Double-check who you’re sending emails to and what you’re sending. Make sure you understand your company’s policies when it comes to data. Be cautious when responding to requests for information or money.  But vigilance alone isn’t enough. To err is human and, as we said at the beginning of this article, everyone makes mistakes.  That’s why to prevent email mistakes, data loss, and successful targeted attacks, organizations need to implement email security solutions that prevent human error. That’s exactly what Tessian does. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships. Tessian Guardian automatically detects and prevents misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts Tessian Defender automatically detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. That means it gets smarter over time to keep you protected, always.  Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Compliance, Customer Stories, Data Exfiltration, DLP, Human Layer Security, Spear Phishing
18 Actionable Insights From Tessian Human Layer Security Summit
By Maddie Rosenthal
Wednesday, September 9th, 2020
In case you missed it, Tessian hosted its third (and final) Human Layer Security Summit of 2020 on September 9. This time, we welcomed over a dozen security and business leaders from the world’s top institutions to our virtual stage, including: Jeff Hancock from Stanford University David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec Merritt Baer, Principal Security Architect at AWS Rachel Beard, Principal Security Technical Architect at Salesforce  Tim Fitzgerald, CISO at Arm  Sandeep Amar, CPO at MSCI  Martyn Booth, CISO at Euromoney  Kevin Storli, Global CTO and UK CISO at PwC Elvis M. Chan, Supervisory Special Agent at the FBI  Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know” Joseph Blankenship, VP Research, Security & Risk at Forrester Howard Shultz, Former CEO at Starbucks  While you can watch the full event on YouTube below, we’ve identified 18 valuable insights that security, IT, compliance, and business leaders should apply to their strategies as they round out this year and look forward to the next.
Here’s what we learned at Tessian’s most recent Human Layer Security Summit. Not sure what Human Layer Security is? Check out this guide which covers everything you need to know about this new category of protection.  1. Cybersecurity is mission-critical Security incidents – whether it’s a ransomware attack, brute force attack, or data leakage from an insider threat – have serious consequences. Not only can people lose their jobs, but businesses can lose customer trust, revenue, and momentum. While this may seem obvious to security leaders, it may not be so obvious to individual departments, teams, and stakeholders. But it’s essential that this is communicated (and re-communicated).  Why? Because a company that’s breached cannot fulfill its mission. Keep reading for insights and advice around keeping your company secure, all directly from your peers in the security community. 2. Most breaches start with people People control our most sensitive systems and data. It makes sense, then, that most data breaches start with people. But, that doesn’t mean employees are the weakest link. They’re a business’ strongest asset! So, it’s all about empowering them to make better security decisions. That’s why organizations have to adopt people-centric security solutions and strategies.
The good news is, security leaders don’t face an uphill battle when it comes to helping employees understand their responsibility when it comes to cybersecurity… 3. Yes, employees are aware of their duty to protect data Whether it’s because of compliance standards, cybersecurity headlines in mainstream media, or a larger focus on privacy and protection at work, Martyn Booth, CISO at Euromoney reminded us that most employees are actually well aware of the responsibility they bear when it comes to safeguarding data.  This is great news for security leaders. It means the average employee will be more likely to abide by policies and procedures, will pay closer attention during awareness training, and will therefore contribute to a more positive security culture company-wide. Win-win. 4. But, employees are more vulnerable to phishing scams outside of their normal office environment  While – yes – employees are more conscious of cybersecurity, the shift to remote working has also left them more vulnerable to attacks like phishing scams.  “We have three “places”: home, work, and where we have fun. When we combine two places into one, it’s difficult psychologically. When we’re at home sitting at our coffee table, we don’t have the same cues that remind us to think about security that we do in the office. This is a huge disruption,” Jeff Hancock, Professor at Stanford University explained.  Unfortunately, hackers are taking advantage of these psychological vulnerabilities. And, as David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec pointed out, this isn’t anything new. Cybercriminals have always been opportunistic in their attacks and therefore take advantage of chaos and emotional distress.  To prevent successful opportunistic attacks, he recommends that you: Reassess what the new baseline is for attacks Educate employees on what threats look like today, given recent events Identify which brands, organizations, people, and departments may be impersonated (and targeted) in relation to the pandemic But, it’s not just inbound email attacks we need to be worried about.  5. They’re more likely to make other mistakes that compromise cybersecurity, too This change to our normal environment doesn’t just affect our ability to spot phishing attacks. It also makes us more likely to make other mistakes that compromise cybersecurity. Across nearly every session, our guest speakers said they’ve seen more incidents involving human error and that security leaders should expect this trend to continue. That’s why training, policies, and technology are all essential components of any security strategy. More on this below. 6. Security awareness training has to be ongoing and ever-evolving At our first Human Layer Security Summit back in March, Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, highlighted three key flaws in security awareness training: It’s boring It’s often irrelevant It’s expensive What he said is still relevant six months on and it’s a bigger problem than ever, especially now that the perimeter has disappeared, security teams are short-handed, and individual employees are working at home and on their own devices. So, what can security leaders do?  Kevin Storli, Global CTO and UK CISO at PwC highlighted the importance of tailoring training to ensure it’s always relevant. That means that instead of just reminding employees about compliance standards and the importance of a strong password, we should also be focusing on educating employees about remote access, endpoints, and BYOD policies. But one training session isn’t enough to make security best practice really stick. These lessons have to be constantly reinforced through gamification, campaigns, and technology.  Tim Fitzgerald, CISO at Arm highlighted how Tessian’s in-the-moment warnings have helped his employees make the right decisions at the right time.  “Warnings help create that trigger in their brain. It makes them pause and gives them that extra breath before taking the next potentially unsafe step. This is especially important when they’re dealing with data or money. Tessian ensures they question what they’re doing,” he said.
7. You have to combine human policies with technical controls to ensure security  It’s clear that technology and training are both valuable. That means your best bet is to combine the two. In discussion with Ed Bishop, Tessian Co-Founder and CTO, Merritt Baer, Principal Security Architect at AWS and Rachel Beard, Principal Security Technical Architect at Salesforce, both highlighted how important it is for organizations to combine policies with technical controls. But security teams don’t have to shoulder the burden alone. When using tools like Salesforce, for example, organizations can really lean on the vendor to understand how to use the platform securely. Whether it’s 2FA, customized policies, or data encryption, many security features will be built-in.  8. But…Zero Trust security models aren’t always the answer While – yes – it’s up to security teams to ensure policies and controls are in place to safeguard data and systems, too many policies and controls could backfire. That means that “Zero Trust” security models aren’t necessarily the best way to prevent breaches.
9. Security shouldn’t distract people from their jobs  Security teams implement policies and procedures, introduce new software, and make training mandatory for good reason. But, if security becomes a distraction for employees, they won’t exercise best practice.  The truth is, they just want to do the job they were hired to do!  Top tip from the event: Whenever possible, make training and policies customized, succinct, and relevant to individual people or departments.  10. It also shouldn’t prevent them from doing their jobs  This insight goes back to the idea that “Zero Trust” security models may not be the best way forward. Why? Because, like Rachel, Merrit, Sandeep, and Martyn all pointed out: if access controls or policies prevent an employee from doing their job, they’ll find a workaround or a shortcut. But, security should stop threats, not flow. That’s why the most secure path should also be the path of least resistance. Security strategies should find a balance between the right controls and the right environment.  This, of course, is a challenge, especially when it comes to rule-based solutions. “If-then” controls are blunt instruments. Solutions powered by machine learning, on the other hand, detect and prevent threats without getting in the way. You can learn more about the limitations of traditional data loss prevention solutions in our report The State of Data Loss Prevention 2020.  11. Showing downtrending risks helps demonstrate the ROI of security solutions  Throughout the event, several speakers mentioned that preemptive controls are just as important as remediation. And it makes sense. Better to detect risky behavior before a security incident happens, especially given the time and resources required in the event of a data breach.  But tracking risky behavior is also important. That way, security leaders can clearly demonstrate the ROI of security solutions. Martyn Booth, CISO at Euromoney, explained how he uses Tessian Human Layer Security Intelligence to monitor user behavior, influence safer behavior, and track risk over time. “We record how many alerts are sent out and how employees interact with those alerts. Do they follow the acceptable use policy or not? Then, through our escalation workflows that ingest Tessian data, we can escalate or reinforce. From that, we’ve seen incidents involving data exfiltration trend downwards over time. This shows a really clear risk reduction,” he said. 12. Targeted attacks are becoming more difficult to spot and hackers are using more sophisticated techniques As we mentioned earlier, hackers take advantage of psychological vulnerabilities. But, social media has turbo-charged cybercrime, enabling cybercriminals to create more sophisticated attacks that can be directed at larger organizations. Yes, even those with strong cybersecurity. Our speakers mentioned several examples, including Garmin and Twitter. So, how do they do it? Research! LinkedIn, company websites, out-of-office messages, press releases, and news articles all provide valuable information that a hacker could use to craft a believable email. But, there are ways to limit open-source recon. See tips from David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, below. 
13. Deepfakes are a serious concern Speaking of social media, Elvis M Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”,  took a deep dive into deepfakes. And, according to Nina, “This is not an emerging threat. This threat is here. Now.” While we tend to associate deepfakes with election security, it’s important to note that this is a threat that affects businesses, too.  In fact, Tim Fitzgerald, CISO at Arm, cited an incident in which his CEO was impersonated in a deepfake over Whatsapp. The ask? A request to move money. According to Tim, it was quite compelling.  Unfortunately, deepfakes are surprisingly easy to make and generation is outpacing detection. But, clear policies and procedures around authenticating and approving requests can ensure these scams aren’t successful. Not sure what a deepfake is? We cover everything you need to know in this article: Deepfakes: What Are They and Why Are They a Threat? 14. Supply chain attacks are, too  In conversation with Henry Treveleyan Thomas, Head of Customer Success at Tessian, Kevin Storli, Global CTO and UK CISO at PwC discussed how organizations with large supply chains are especially vulnerable to advanced impersonation attacks like spear phishing. “It’s one thing to ensure your own organization is secure. But, what about your supply chain? That’s a big focus for us: ensuring our supply chain has adequate security controls,” he said. Why is this so important? Because hackers know large organizations like PwC will have robust security strategies. So, they’ll look for vulnerabilities elsewhere to gain a foothold. That’s why strong cybersecurity can actually be a competitive differentiator and help businesses attract (and keep) more customers and clients.  15. People will generally make the right decisions if they’re given the right information 88% of data breaches start with people. But, that doesn’t mean people are careless or malicious. They’re just not security experts. That’s why it’s so important security leaders provide their employees with the right information at the right time. Both Sandeep Amar, CPO at MSCI and Tim Fitzgerald, CISO at Arm talked about this in detail.  It could be a guide on how to spot spear phishing attacks or – as we mentioned in point #6 – in-the-moment warnings that reinforce training.   Check out their sessions for more insights.  16. Success comes down to people While we’ve talked a lot about human error and psychological vulnerabilities, one thing was made clear throughout the Human Layer Security Summit. A business’s success is completely reliant on its people. And, we don’t just mean in terms of security. Howard Shultz, Former CEO at Starbucks, offered some incredible advice around leadership which we can all heed, regardless of our role. In particular, he recommended: Creating company values that really guide your organization Ensuring every single person understands how their role is tied to the goals of the organization Leading with truth, transparency, and humility
17. But people are dealing with a lot of anxiety right now Whether you’re a CEO or a CISO, you have to be empathetic towards your employees. And, the fact is, people are dealing with a lot of anxiety right now. Nearly every speaker mentioned this. We’re not just talking about the global pandemic.  We’re talking about racial and social inequality. Political unrest. New working environments. Bigger workloads. Mass lay-offs.  Joseph Blankenship, VP Research, Security & Risk at Forrester, summed it up perfectly, saying “We have an anxiety-ridden user base and an anxiety-ridden security base trying to work out how to secure these new environments. We call them users, but they’re actually human beings and they’re bringing all of that anxiety and stress to their work lives.” That means we all have to be human first. And, with all of this in mind, it’s clear that….. 18. The role of the CISO has changed  Sure, CISOs are – as the name suggests – responsible for security. But, to maintain security company-wide, initiatives have to be perfectly aligned with business objectives, and every individual department, team, and person has to understand the role they play. Kevin Storli, Global CTO and UK CISO at PwC touched on this in his session. “To be successful in implementing security change, you have to bring the larger organization along on the journey. How do you get them to believe in the mission? How do you communicate the criticality? How do you win the hearts and minds of the people? CISOs no longer live in the back office and address just tech aspects. It’s about being a leader and using security to drive value.” That’s a tall order and means that CISOs have to wear many hats. They need to be technology experts while also being laser-focused on the larger business. And, to build a strong security culture, they have to borrow tactics from HR and marketing.  The bottom line: The role of the CISO is more essential now than ever. It makes sense. Security is mission-critical, remember? If you’re looking for even more insights, make sure you watch the full event, which is available on-demand. You can also check out previous Human Layer Security Summits on YouTube.
Page