Step Into The Future of Cybersecurity — Save your spot at the Human Layer Security Summit for free.

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Customer Stories, DLP
Customer Story: How Tessian Combines Data Loss Prevention With Education in Financial Services
Monday, September 20th, 2021
Having deployed Tessian at the end of 2020, Israel Bryski, Head of Information Security at an investment management firm headquartered in NYC, shared how Tessian has helped him and his team improve their security posture while changing employee behavior long-term.  The firm, which was formed in the early 1980s, has offices across Spain, Germany, the UK, and Singapore, and currently has 200 employees managing retirement plans and investments for roughly 30,000 current and former Mckinsey employees. Their journey to Tessian Before working with Tessian, the firm had their developers build a custom Outlook add-in to prevent accidental data loss via misdirected emails  Every time someone would send an outbound email to an external domain, they would get a pop-up asking them, “Are you sure to send to this domain?” But, because there was no context in the pop-up, it wasn’t as effective as it could have been immediately following roll-out. Employees were still blindly ignoring the warning, and accidentally sending emails to the wrong person.  At the same time, the security team was also struggling to make security awareness training engaging and relevant to employees Solution Guardian: Automatically prevents accidental data loss via misdirected emails and misattached files. No rules required. Human Layer Risk Hub: Enables security and risk management teams to deeply understand their organization’s email security posture, including individual user risk levels and drivers
Security Environment After Deploying Tessian Explaining the “why” behind policies to change behavior For Israel and his team, education is key.  Having learned from their custom-built Outlook Add-In which warned employees when an email was being sent to the wrong email address, but didn’t offer insight into the “why”, the team wanted to find a solution that offered context and that would bolster their security awareness training programs. They found that in Tessian and, since deployment, they’ve actually seen a change in behavior and a reduction in data loss incidents. 
Learn more about why in-the-moment warnings are so effective. Because Tessian is powered by machine learning instead of rules, it’s able to detect data exfiltration attempts and misdirected emails with incredible accuracy. In fact, on average, employees receive just two warning messages per month. That means when an email is flagged, they pay attention. Better still, Tessian gets smarter over time and evolves in tandem with changing relationships. As data becomes more accurate, false positives decrease. And with a decrease in false positives, comes an increase in trust.
Preventing accidental data loss without impeding productivity  Since deploying Tessian, over 100 data loss incidents have been prevented.  Israel shared an example:  Someone at the firm created a goodbye video for a senior exec who was retiring; they meant to send it to a colleague for them to play the video in the goodbye meeting. When the sender put the address in the To field, they typed in the first letters, and another external vendor’s email popped up that was cached. They didn’t pay attention, added that address to the email, and tried to send it.  When he went to send the email, he got the Guardian pop-up asking him if that vendor’s address was really meant to be part of the group of recipients. He read the contextualized warning, removed that particular vendor, and added the correct recipient.  It goes to show: Tessian does more than prevent breaches. It also saves employees from red-faced embarrassment. Israel and his team have gotten kudos from quite a few people in the firm. One exec in particular was always casting a shadow over the different security tools that had been deployed. He explained, saying “When we got kudos from him, that was a big win in my book! He actually sees the value of Tessian, why we’re purchasing new technology, and why we’re constantly evaluating new solutions on the market that can augment and complement our security program.” 
Interested in learning more about how Tessian can help prevent accidental data loss in your organization? You can read some of our customer stories here or book a demo.
Read Blog Post
Spear Phishing
What is a Software Supply Chain Attack?
Friday, September 17th, 2021
A cybersecurity breach on a single company is bad, but when an attack affects potentially hundreds of businesses in that firm’s supply chain, the results can be catastrophic.  Known as ‘software supply chain attacks’ these types of threats hit hard, spread quickly, and can devastate thousands of organizations simultaneously. Broadly speaking, a software supply chain attack involves inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software. This article will look at some recent examples of software supply chain attacks, consider the different forms such attacks can take, and explore how both software vendors and their customers can avoid falling victim to this especially damaging security threat. Examples of software supply chain attacks First, to understand how software supply chain attacks work, let’s consider two recent high-profile examples. The SolarWinds attack The SolarWinds attack was first discovered in December 2020, after a cybersecurity company, FireEye, discovered that some of its software tools had been stolen.  When investigating the theft, FireEye learned that the attackers had gained access to its systems via a third-party software product called Orion; a network monitoring tool supplied by Texas-based software company SolarWinds. An update to Orion, released nine months earlier, in March 2020, had granted the attackers access to FireEye’s systems. This update enabled the cybercriminals full access to FireEye’s private data, enabling them to exfiltrate the company’s security tools. But FireEye wasn’t the only company affected by the hack. FireEye reported its discovery to the National Security Agency (NSA), the U.S. intelligence service tasked with defending the country against cyber threats. This was when the devastating impact of the SolarWinds attack became apparent. The NSA revealed that it also used SolarWinds—together with the U.S. Treasury, the Department for Homeland Security, and the National Nuclear Security Administration. In fact, twelve U.S. Federal Government departments were compromised by the malicious SolarWinds update, along with thousands of other organizations around the world.  All the attackers had to do was insert malicious code into SolarWinds’ software update, and let SolarWinds distribute the malware among the companies downstream in its supply chain. This ease of distribution is what makes supply chain attacks so effective for the attackers, and so devastating for the victims. The Kaseya attack  In response to SolarWinds, President Biden enacted his Executive Order on Improving the Nation’s Cybersecurity. But in July 2021, less than two months after Biden’s order passed, another colossal software supply chain attack occurred, this time originating from Miami-based software firm Kaseya. Like SolarWinds, Kaseya provides network monitoring tools and it sits at the start  of a very long supply chain. The Kaseya attack started when ransomware gang REvil inserted malicious code into an update for Kaseya’s Virtual System Administrator (VSA) software. After updating VSA with the malicious code, Kaseya’s customers found their systems were inaccessible due to ransomware. REvil claimed that over one million companies had been affected, whereas Kaseya put the number between 800 and 15,000. Either way, the attack caused havoc for thousands of people, and its effects were felt far and wide. Even a Swedish supermarket chain had to temporarily close when its payment processing equipment malfunctioned due to the attack. The Kaseya ransomware is another example of how software supply chain attacks can grow almost exponentially around the globe. Hack one Miami-based software company, and the next day a Swedish supermarket could be considering whether to pay you a ransom to decrypt its files. Types of software supply chain attacks Software supply chain attacks are just one type of supply chain attack (we’ll look at another type of supply chain attack below). But there are also different subtypes of software supply chain attacks that security-conscious organizations need to understand. The National Institute of Standards and Technology (NIST) identifies six types of software supply chain attacks: Design: Malicious actors can hijack a product’s initial design process to install or corrupt software. In 2016, a U.S. manufacturer shipped phones with malicious software that recorded users’ phone calls and texts. Development and production: Threat actors persist in an upstream company’s networks and infiltrate its downstream customers. The SolarWinds attack is an example of this type of supply chain attack. Distribution: The initial attack occurs between the manufacture of a product and its acquisition by end-users. For example, a 2012 investigation found pre-installed malware apps on retail desktop and laptop computers. Acquisition and deployment: Software companies can be acquired or influenced by malicious actors to spy directly on end-users. NIST cites a 2017 incident involving Kaspersky Antivirus. Maintenance: Backdoors can be embedded in routine updates, allowing cybercriminals to access the computers that install them. Both SolarWinds and Kaseya attacks leveraged this technique. Disposal: Improper wiping of hardware can lead to “data spillage,” enabling downstream actors purchasing or disposing of the equipment to access software or information on the device. How to prevent software supply chain attacks Two main actors in the supply chain can help detect and prevent software supply chain attacks:  The upstream companies who distribute software into the supply chain (vendors) The downstream organizations who purchase and use that software (customers) Here’s how each of these parties can defend against this type of threat. Vendors Vendors developing commercial software must be extremely diligent before releasing their products into the supply chain. Apply strong security standards at every stage of production as well as across your organization. Ensure your systems aren’t vulnerable to cyberattacks like phishing, SQL injection, or man-in-the-middle attacks. Carefully vet and document any third-party code employed in your development process. Maintain a library of any open-source code libraries you use. Carefully monitor any changes or security updates to the code. Implement a cyber security framework to ensure your organization meets good cybersecurity standards. Customers Once compromised software is installed on a company’s systems, there’s little they can do to stop the damage. As such, organizations must do everything reasonably possible to avoid installing compromised software or acquiring compromised hardware. Here’s some of the things you can do to mitigate that risk. Implement a cyber supply chain risk management (C-SCRM) program so you can fully account for all suppliers and products in your supply chain. Engage with your software suppliers to understand how they identify vulnerabilities and prevent cyber risks. Request a software component inventory from your software suppliers and consider changing suppliers if they cannot provide one. Monitor and defend endpoints to contain the spread of any malware infections. Implement a cyber security framework to ensure your organization meets good cybersecurity standards and can respond effectively to email supply chain attacks. Software supply chain attacks: just one type of supply chain attack Attacking software is just one of several ways cybercriminals can leverage the interconnected nature of supply chains. Another is email-based supply chain attacks, this is when cybercriminals hack vendors’ email accounts to deliver highly convincing phishing emails. Email-based supply chain attacks are sometimes called Account Takeover attacks. The Nobelium email campaign, conducted by the same actors who hit SolarWinds, is an example of an email supply chain attack: 150 government agencies, think tanks, and NGOs, received phishing emails after the cybercriminal hacked email provider Constant Contact. The good news is that email-based supply chain attacks, while potentially devastating, are avoidable by using an effective email security tool like Tessian. Tessian scans inbound emails to detect anomalies such as malicious links, inauthentic sender addresses, and signs of inconsistent language or behavior that suggest an email’s sender is not who they say they are. Read more about how Tessian’s machine learning-powered technology helps detect and defend against email-based supply chain attacks and other phishing threats.
Read Blog Post
Human Layer Security, Spear Phishing
Must-Know Phishing Statistics: Updated 2021
By Maddie Rosenthal
Thursday, September 16th, 2021
Looking for something more visual? Check out this infographic with key statistics.
The frequency of phishing attacks According to the FBI, phishing was the most common type of cybercrime in 2020—and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019, to 241,324 incidents in 2020.  The FBI said there were more than 11 times as many phishing complaints in 2020 compared to 2016. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), phishing is the top “action variety” seen in breaches in the last year and 43% of breaches involved phishing and/or pretexting. The frequency of attacks varies industry-by-industry (click here to jump to key statistics about the most phished). But 75% of organizations around the world experienced some kind of phishing attack in 2020. Another 35% experienced spear phishing, and 65% faced BEC attacks. But, there’s a difference between an attempt and a successful attack. 74% of organizations in the United States experienced a successful phishing attack. This is 30% higher than the global average, and 14% higher than last year. ESET’s Threat Report reveals that malicious email detections rose 9% between Q2 and Q3, 2020. This followed a 9% rise from Q1 to Q2, 2020. ⚡  Want to learn how to prevent successful attacks? Check out this page all about BEC prevention. How phishing attacks are delivered 96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing. The increase in phishing attacks means email communications networks are now riddled with cybercrime. Symantec research suggests that throughout 2020, 1 in every 4,200 emails was a phishing email. According to Sonic Wall’s 2020 Cyber Threat report, in 2019, PDFs and Microsoft Office files (sent via email) were the delivery vehicles of choice for today’s cybercriminals. Why? Because these files are universally trusted in the modern workplace.  When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%). 
The most common subject lines According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks: Urgent Request Important Payment Attention Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4, 2020: IT: Annual Asset Inventory Changes to your health benefits Twitter: Security alert: new or unusual Twitter login Amazon: Action Required | Your Amazon Prime Membership has been declined Zoom: Scheduled Meeting Error Google Pay: Payment sent Stimulus Cancellation Request Approved Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription RingCentral is coming! Workday: Reminder: Important Security Upgrade Required
The prevalence of phishing websites Google Safe Browsing uncovers unsafe URLs across the web. The latest data shows a world-wide-web rife with phishing websites. Since 2016, phishing has replaced malware as the leading type of unsafe website. While there were once twice as many malware sites as phishing sites, there are now nearly 75 times as many phishing sites as there are malware sites. Google has registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). This compares to malware sites rising from 21,803 to 28,803 over the same period (up 32%). Here you can see how phishing sites have rocketed ahead of malware sites over the years.
Research from Cofense suggests phishing emails are slightly more like to contain a link to a malicious website (38%) than a malicious attachment (36%). Further reading: ⚡ How to Identify a Malicious Website The most common malicious attachments Many phishing emails contain malicious payloads such as malware files. ESET’s Threat Report reports that in Q3 2020, these were the most common type of malicious files attached to phishing emails: Windows executables (74%) Script files (11%) Office documents (5%) Compressed archives (4%) PDF documents (2%) Java files (2%) Batch files (2%) Shortcuts (>1%) Android executables (>1%) You can learn more about malicious payloads here. The data that’s compromised in phishing attacks The top three “types” of data that are compromised in a phishing attack are: Credentials (passwords, usernames, pin numbers) Personal data (name, address, email address) Medical (treatment information, insurance claims) When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:  60% of organizations lost data 52% of organizations had credentials or accounts compromised 47% of organizations were infected with ransomware 29% of organizations were infected with malware 18% of organizations experienced financial losses
The cost of a breach RiskIQ estimates that businesses worldwide lose $17,700 every minute due to phishing attacks—and that top companies lose $25 per minute to cybercrime. IBM’s 2021 research into the cost of a data breach ranks the causes of data breaches according to the level of costs they impose on businesses.  Phishing ranks as the second most expensive cause of data breaches—a breach caused by phishing costs businesses an average of $4.65 million, according to IBM. And Business Email Compromise (BEC)—a type of phishing whereby the attackers hijack or spoof a legitimate corporate email account—ranks at number one, costing businesses an average of $5.01 million per breach. That’s not the only way phishing can lead to a costly breach—attacks using compromised credentials were ranked as the fifth most costly cause of a data breach (averaging $4.37 million). And how do credentials get compromised? More often than not, due to phishing. On the plus side, IBM found that businesses with AI-based security solutions experienced a significant reduction in the costs associated with a data breach. In fact, AI security solutions were found to be the biggest factor in cutting breach costs, from $6.71 million to $2.90 million. According to Verizon, organizations also see a 5% drop in stock price in the 6 months following a breach. Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime. And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter. This cost can be broken down into several different categories, including: Lost hours from employees Remediation Incident response Damaged reputation Lost intellectual property Direct monetary losses Compliance fines Lost revenue Legal fees Costs associated remediation generally account for the largest chunk of the total.  Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.  The most targeted industries Last year, Public Administration saw the most breaches from social engineering (which caused 69% of the industry’s breaches), followed by Mining and Utilities and Professional Services. But, according to another report, employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year.  According to yet another data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest risk industries. The industries most at risk in companies with 1-249 employees are: Healthcare & Pharmaceuticals Education Manufacturing The industries most at risk in companies with 250-999 employees are: Construction Healthcare & Pharmaceuticals Business Services The industries most at risk in companies with 1,000+ employees are: Technology Healthcare & Pharmaceuticals Manufacturing But there’s another way in which phishing impacts organizations differently across industries—resilience. Some industries are more susceptible to phishing than others. By considering factors like awareness, susceptibility, and reporting rate Cofense estimates the following ranking of industries according to their resilience to phishing attacks: Agriculture Mining Professional services Finance Utilities Retail Trade Construction Public Entertainment Information Manufacturing Transport Education Other services Real estate Healthcare Management Administrative Accommodation As noted, healthcare has been hit particularly hard by phishing and other cybercrimes throughout the pandemic. According to the HIPAA Journal, an average of 58.8 data breaches occurred among U.S. healthcare providers between August 2020 and July 2021—around 3.70 million records were breached per month. Many of these breaches were caused, directly or indirectly, by phishing. In July 2021, one phishing attack on an Orlando-based family physicians’ practice affected nearly half a million individuals. Phishing by country Not all countries and regions are impacted by phishing to the same extent, or in the same way. Here are some statistics from another source showing the percentage of companies that experienced a successful phishing attack in 2020, by country: United States: 74% United Kingdom: 66% Australia: 60% Japan: 56% Spain: 51% France: 48% Germany: 47% Phishing awareness also varies geographically. Here’s the percentage of people who correctly answered the question: “What is phishing?”, by country: United Kingdom: 69% Australia: 66% Japan: 66% Germany: 64% France: 63% Spain: 63% United States: 52% As you can see, there’s no direct correlation between phishing awareness and phishing susceptibility, which is why security training isn’t enough to prevent cybercrime. The most impersonated brands New research found the brands below to be the most impersonated brands used in phishing attacks throughout Q4, 2020. In order of the total number of instances the brand appeared in phishing attacks: Microsoft (related to 43% of all brand phishing attempts globally) DHL (18%) LinkedIn (6%) Amazon (5%) Rakuten (4%) IKEA (3%) Google (2%) Paypal (2%) Chase (2%) Yahoo (1%) The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information. But it’s not just consumer brands that scammers impersonate. Public bodies are also commonly mimicked in phishing scams. Between August 2020 and July 2021, the UK’s tax authority (HMRC) reported: Over than 450 COVID-19-related financial support scams More than one million reports of “suspicious contact” (namely, phishing attempts) More than 13,000 malicious web pages (used as part of phishing attacks) The rates of phishing and other scams reported by HMRC more than doubled in this period.
Facts and figures related to COVID-19 scams Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April. And, it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87% while attacks on the C-Suite decreased by 37%. Further reading: ⚡ COVID-19: Screenshots of Phishing Emails ⚡How Hackers Are Exploiting the COVID-19 Vaccine Rollout ⚡ Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks. Phishing and the future of work The move to remote work has presented many challenges to business—and the increased range, frequency, and probability of security incidents are among the most serious. New working habits have contributed to the recent surge in phishing because IT teams have less oversight over how colleagues are using their devices and can struggle to provide support when things go wrong. According to Microsoft’s New Future of Work Report:  80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began.  Of these, 62% said phishing campaigns had increased more than any other type of threat. Employees said they believed IT departments would be able to mitigate these phishing attacks if they had been working in the office Furthermore, an August 2021 survey conducted by Palo Alto Networks found that: 35% of companies reported that their employees either circumvented or disabled remote security measures Workers at organizations that lacked effective remote collaboration tools were more than eight times as likely to report high levels of security evasion 83% of companies with relaxed bring-your-own-device (BYOD) usage led to increased security issue Further reading: ⚡ The Future of Hybrid Work  ⚡ 7 Concerns Security Leaders Have About Permanent Remote Working
What can individuals and organizations do to prevent being targeted by phishing attacks? While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action. Review the email address of senders and look out for impersonations of trusted brands or people (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.) Always inspect URLs in emails for legitimacy by hovering over them before clicking Beware of URL redirects and pay attention to subtle differences in website content Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones. Further reading: ⚡ Tessian Defender: Product Data Sheet  
Read Blog Post
DLP
How to Close Critical Data Loss Prevention (DLP) Gaps in Microsoft 365
By Jessica Cooper
Wednesday, September 15th, 2021
Over a million businesses worldwide use Microsoft 365, with 731,000 companies in the United States alone. That represents a big juicy audience for hackers, bad actors and others.  And although Microsoft 365 provides foundational rule-based data loss prevention (DLP) and data classification to address compliance requirements, it falls short when protecting against data loss caused by people.  That’s why many of our customers choose Tessian to layer on top of 365, to stop complex, targeted attacks most SEGs just can’t stop. Tessian complements Microsoft 365 with a behavioral analytics layer and offers enhanced data protection by closing critical DLP use case gaps such as inadvertent or accidental data loss, sensitive data exfiltration to unauthorized or personal accounts, and insider risks. Tessian also has more robust investigation, reporting, and remediation tools. In this article, we’ll explore three DLP challenges, identify where Microsoft 365 falls short, and describe how Tessian helps security teams overcome them. Want to explore this topic in greater detail? Download the Solution Brief: How Tessian Closes Critical DLP Gaps in Microsoft 365.  Microsoft 365 can’t stop accidental data loss  Misdirected emails are the number one data security incident reported to data protection regulators across the world.  Every day, inadvertent human error on email leads to organizations putting their customer’s data at risk, breaching mandatory industry and data protection regulations and losing highly sensitive intellectual property. In fact, according to Tessian research, 800 misdirected emails are sent every year in organizations with 1,000 employees. You can check out 11 data breaches caused by misdirected emails here. Microsoft’s capabilities here are limited to files on Sharepoint and OneDrive sites, where you can allow or block specific domains. It cannot detect if you shared an email or files (including files in Sharepoint) to a wrong party.  In addition, Microsoft 365 Email DLP capabilities are not context-aware. What that means in practice is that it lacks context between parties exchanging email and hence cannot proactively identify wrong recipients or wrong attachments.  Microsoft 365 detection is purely based on DLP policies and data classification – Regex pattern matches, proximity of certain keywords to the matching patterns, exact data matching and Fingerprinting. These techniques cannot be applied to detect wrong recipients or wrong attachments.
How does Tessian prevent accidental data loss? Stop Misdirected Emails Tessian’s behavioral approach ensures that emails reach the right recipients, preventing accidental data breaches over email. Leveraging historical data to map email relationships with context, deep content inspection, and behavioral analysis, Tessian identifies first-time contacts, flags recipient anomalies, and stops misdirected emails in real-time. Prevent Wrong Attachments Tessian uses a combination of attachment scanning, natural language processing (NLP), and deep content inspection to map email content to users, entities, and projects. This helps detect a variety of anomalies and warns when employees are about to send a wrong attachment. Easy and Accurate Reporting Insights and analytics with the Human Layer Security Platform makes compliance and reporting easy. Admins can readily filter, view, and track accidental data loss events prevented by type, as either misdirected emails or misattached files using the HLS intelligence portal to mitigate events. Learn more about Tessian Guardian. 
Microsoft 365 can’t prevent exfiltration of sensitive data to unauthorized or personal accounts  Whether it’s an employee negligently sending emails to unauthorized or personal accounts, or individuals maliciously stealing company intellectual property for personal gain while exiting the company, sensitive data exfiltration is a major problem in today’s organizations. Don’t believe us? 27,500 unauthorized emails are sent every year in organizations with 1,000 employees.  Unfortunately, Microsoft 365 DLP capabilities do not effectively detect when unstructured data leaves the organization. This is because it’s not able to identify the unique context of each employee at a granular level. Traditional approaches to prevent data exfiltration on email rely on a litany of pre-defined rules and denylists, and retrospective incident response.  Tackling the problem of data exfiltration by manually maintaining denylists in a world of innumerable new freemail and personal domains is a losing game. Relying on users to manually classify documents puts organizations at risk, while relying on machine based RegEx classification for sensitive content detection or human-in-the-loop quarantine leads to false positives, false negatives and significant administrative burden.
How does Tessian prevent data exfiltration?  Automatically Detect Non-business Email Accounts with Historical Email Data Tessian analyzes historical email data to understand normal content, context and communication patterns, enabling a comprehensive mapping of every employee’s business and non-business email contacts. Relationship graphs are continuously updated as email behavior changes over time after Tessian is deployed.  Perform Real-time Analysis of Emails Before They’re Sent to Detect Data Exfiltration Tessian’s Human Layer Security Engine analyzes all outbound emails in real-time and uses machine intelligence to automatically predict data exfiltration based on insights from the relationship graph, deep inspection of the email content, and previous user behavior.  Automatically Detect and Prevent Data Exfiltration Over Email With Tessian, you can automatically detect anomalous patterns of exfiltration. Real-time warnings are shown to employees when data exfiltration threats are detected and guides them towards secure behavior. Warning triggers can be tailored to suit your company’s security policies and workflow requirements; employees can be warned, emails can be blocked, or activity can be silently tracked. Employee interactions are also logged for inspection in the Tessian dashboard.  Learn more about Tessian Enforcer.  Microsoft 365 can’t measure and report impact of human layer risk Insider threats are often perceived to only include those who may have malicious intent, such as disgruntled employees or employees who hack into the organization to gain access to credentials. However, employees exfiltrating data via email are often simply careless or negligent as well.  Microsoft 365 monitoring and reporting capabilities, including insider risk capabilities, are content detection and triage focused and does not provide any type of holistic visibility into employee risk profiles, high risk users in order for security and risk management leaders to take specific actions to improve their employee’s data handling practices and strengthen their security posture. 
How does Tessian approach insider risk management? Tessian’s approach is human-centric and behavioral, and is able to detect intent and the unique context of the particular employee’s situation. The Human Layer Security Platform maps employee email activity and builds unique security identities for every individual. Dashboards and analytics surface these insights and give full visibility into threats you’ve never been able to detect before. With Tessian, you can predict and preempt security risks caused by human behavior. Superior Risk Analytics Enriched individual risk profiles that are modeled with a broad range of signals from email usage patterns, relationship graphs, job role, security decisions in real time as well as from 12 months of historical emails and calculates individual risk scores. Because of this unique data modeling, Tessian provides a profile that is contextually rich with granular visibility into risk drivers. Dynamic Risk Scoring Security risk scores are dynamically updated to represent an accurate individual risk profile in real time. The risk scores trend down when the user makes positive security decisions and trend up when poor security decisions are made, or if the user exhibits high-risk email security behavior. These scores and risk drivers are also aggregated at the user, department, and company level and are benchmarked against the Tessian network. Defend Against Data Breaches with Defensible Audit Detailed reporting and audit logs provide defensible proof against data breaches. If risk is identified, Tessian’s Human Layer Risk Hub enables you to formally document all associated events such as exposure, owner, mitigation decisions and actions. Learn more about Tessian Human Layer Risk Hub.
Read Blog Post
Human Layer Security, DLP
Legacy Data Loss Prevention vs. Human Layer Security
By Jessica Cooper
Thursday, September 9th, 2021
Email is the threat vector security leaders are most worried about protecting.  It’s the most common channel for data exfiltration, fraud, and targeted attacks such as impersonation and phishing, and it’s the major point of egress for sensitive data. And, in most cases, the root cause of these incidents is human error.  Employees break the rules, make mistakes, and can easily be tricked or hacked. This begs the question: what’s the best solution? This blog evaluates legacy data loss prevention (DLP) solutions and is based on an extensive whitepaper available for download. The whitepaper provides greater depth and compares human layer security (HLS) with the legacy security solutions discussed here.   Why Aren’t Legacy Data Loss Prevention (DLP) Solutions Effective? While DLP provides value in certain cases, it does not solve the fundamental problem facing organizations – how to keep data secure in the real world where the information and attachments in emails move and are always accessible to anyone.  Once data leaves the point of control, whether at the endpoint or the network, DLP no longer has control over that content.  If your emails contain information and files that are forwarded and accidentally exposed to the wrong people, there is very little that DLP can do. In this blog, we’ll focus on the five biggest problems with legacy DLP solutions. Remember: you can download the whitepaper for a more detailed analysis. Does Not Protect Against Accidental Data Loss Rules-based approaches simply cannot detect accidental data loss – for example, when emails are sent to the wrong people or the wrong file is attached – because there are no regex or pattern matches that can be applied. This level of protection requires context that DLP just doesn’t have. But, it’s important, especially when research shows at least 800 emails are sent to the wrong person every year in organizations with 1,000+ employees. The HLS Difference: Tessian Guardian automatically detects and prevents misdirected emails and misattached files.  DLP Focuses on a Negative Control Model Legacy DLP is very strict with a binary approach to protecting data. It either allows it or blocks it. In a post-perimeter architecture, this is highly disruptive to business and unsustainable. The HLS Difference: Tessian is frictionless; it’s invisible until you need it, which has helped enterprise customers across industries prevent data loss, without impeding productivity. Read our customer stories to learn more.   Slow, Cumbersome and Non-adaptive 85% of security leaders say DLP is admin-intensive.  Legacy DLP must analyze all content and try to match it to block lists. This requires extensive analysis and the matching can be wrong as enterprise email content is constantly changing.  As content and locations get more complex, legacy DLP can develop problems very quickly.  The HLS Difference: Tessian uses contextual machine learning, and our ML models have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. Importantly, they continue to automatically adapt and learn as human relationships evolve over time. Learn more about our technology.  Difficult and Expensive to Implement While DLP may be regarded as a check-the-box solution for compliance, it is incredibly cumbersome, complex, and expensive to deploy, often requiring huge spend in professional services to implement and maintain.  Typical deployments are at least 12 months which makes it hard to justify the return on investment vs. the security it provides. The HLS Difference: With Tessian, there is no pre-configuration required, and the platform starts preventing threats within 24 hours of deployment.
Limited Threat Visibility Legacy DLP, including Email DLP, Endpoint DLP, and Network DLP offer little to no visibility into employee risk is one of the biggest challenges security and risk management leaders face.  Worse still, when insights around risk are available, it’s siloed and hard to interpret.  Insights around security awareness training exist in separate systems from insights related to threats that have been detected and prevented. There’s no integration which means security leaders can’t get a full view of their risk profile. Without integration and visibility, it’s impossible to take a tailored, proactive approach to preventing threats.  The HLS Difference: With Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture with granular visibility into employee risk and insights into individual user risk levels and drivers. Learn more about Human Layer Security Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Guardian: Automatically prevents accidental data loss via misdirected emails and misattached files. No rules required. Enforcer: Automatically prevents data exfiltration and other non-compliant activities on email  Human Layer Security Intelligence: Comprehensive visibility into employee risks, threat insights, and tools that enable rapid threat investigation and proactive risk mitigation Human Layer Risk Hub: Enables security and risk management teams to deeply understand their organization’s email security posture, including individual user risk levels and drivers
Read Blog Post
DLP, Compliance
20 Biggest GDPR Fines of 2019, 2020, and 2021 (So Far)
Monday, September 6th, 2021
The EU General Data Protection Regulation (GDPR) is among the world’s toughest data protection laws.  Under the GDPR, the EU’s data protection authorities can impose fines of up to up to €20 million (roughly $20,372,000), or 4 percent of worldwide turnover for the preceding financial year—whichever is higher. Since the GDPR took effect in May 2018, we’ve seen over 800 fines issued across the European Economic Area (EEA) and the U.K. Enforcement started off somewhat slow. But between July 18, 2020, and July 18, 2021, there was a significant increase in the size and quantity of fines, with total penalties surging by around 113.5%. And that was before the record-breaking fine against Amazon—announced by the company in its July 30 earnings report—which dwarfed the cumulative total of all GDPR fines up until that date. Let’s take a look at the biggest GDPR fines of 2019, 2020, 2021, explore what caused them, and consider how you can avoid being fined for similar violations. Looking for information about achieving and maintaining compliance? We explore solutions for reducing email risk (the #1 threat vector according to security leaders) on this page.
The biggest GDPR fines of 2019, 2020, and 2021 (so far) 1. Amazon — €746 million ($877 million) Amazon’s gigantic GDPR fine, announced in the company’s July 2021 earnings report, is nearly 15 times bigger than the previous record. The full reasons behind the fine haven’t yet been confirmed, but we know the cause has to do with cookie consent. And this isn’t the first time Amazon has been punished due to the way it collects and shares personal data via cookies. In late 2020, France fined Amazon €35 million after the tech giant allegedly failed to get cookie consent on its website. How the fine could have been avoided: It’s tempting to force users to “agree” to cookies—or make opting out of cookies difficult—to collect as much personal data as possible. But regulators have shown some serious appetite for enforcing the EU’s cookie rules recently. If Amazon had obtained “freely given”, informed, and unambiguous opt-in consent before setting cookies on its users’ devices, the company probably could have avoided this huge GDPR fine. 2. Google – €50 million ($56.6 million)  Google’s fine, levied in 2019 and finalized after an unsuccessful appeal in March 2020, was the largest on record until August 2021.  The case related to how Google provided privacy notice to its users—and how the company requested their consent for personalized advertising and other types of data processing. How the fine could have been avoided: Google should have provided more information to users in consent policies and granted them more control over how their personal data is processed. 3. H&M — €35 million ($41 million) On October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed at the time. H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. Senior H&M staff gained ”a broad knowledge of their employees’ private lives… ranging from rather harmless details to family issues and religious beliefs.” This “detailed profile” was used to help evaluate employees’ performance and make decisions about their employment. How the fine could have been avoided: H&M appears to have violated the GDPR’s principle of data minimization — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose. H&M should also have placed strict access controls on the data, and the company should not have used this data to make decisions about people’s employment. 4. TIM – €27.8 million ($31.5 million) On January 15, 2020, Italian telecommunications operator TIM (or Telecom Italia) was stung with a €27.8 million GDPR fine from Garante, the Italian Data Protection Authority, for a series of infractions and violations that have accumulated over the last several years.  TIM’s infractions include a variety of unlawful actions, most of which stem from an overly aggressive marketing strategy. Millions of individuals were bombarded with promotional calls and unsolicited communications, some of whom were on non-contact and exclusion lists.   How the fine could have been avoided: TIM should have managed lists of data subjects more carefully and created specific opt-ins for different marketing activities. 5. British Airways – €22 million ($26 million) In October, the ICO hit British Airways with a $26 million fine for a breach that took place in 2018. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019.   So, what happened back in 2018? British Airway’s systems were compromised. The breach affected 400,000 customers and hackers got their hands on log-in details, payment card information, and travelers’ names and addresses.   How the fine could have been avoided: According to the ICO, the attack was preventable, but BA didn’t have sufficient security measures in place to protect their systems, networks, and data. In fact, it seems BA didn’t even have basics like multi-factor authentication in place at the time of the breach.  Going forward, the airline should take a security-first approach, invest in security solutions, and ensure they have strict data privacy policies and procedures in place. 6. Marriott – €20.4 million ($23.8 million) While this is an eye-watering fine, it’s actually significantly lower than the $123 million fine the ICO originally said they’d levy. So, what happened?  383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. Personal data like guests’ names, addresses, passport numbers, and payment card information was exposed.  Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018. How the fine could have been avoided: The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systemswith a stronger data loss prevention (DLP) strategy and utilized de-identification methods.  7. Wind — €17 million ($20 million) On July 13, Italian Data Protection Authority imposed a fine of €16,729,600 on telecoms company Wind due to its unlawful direct marketing activities. The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads — without their consent — and provided incorrect contact details, leaving consumers unable to unsubscribe. The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking and that its business partners had undertaken illegal data-collection activities.  How the fine could have been avoided: Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This probably would have meant getting consumers’ consent — unless it could  demonstrate that sending marketing materials was in its “legitimate interests.” For whatever reason you send direct marketing, you must ensure that consumers have an easy way to unsubscribe. And you must always ensure that your company’s Privacy Policy is accurate and up-to-date. 8. Vodafone Italia — €12.3 million ($14.5 million) Vodafone Italia’s November 2020 fine was issued in relation to a vast range of alleged GDPR violations, including provisions within Articles 5, 6, 7, 16, 21, 25, 32, and 33. So what did Vodafone do that resulted in so many GDPR violations?  The company’s data processing issues included failing to properly secure customer data, sharing personal data with third-party call centers, and processing without a legal basis—all brought to light after complaints about the company’s telemarketing campaign. How the fine could have been avoided: Vodafone’s marketing operations may have triggered the Italian DPA’s investigation, but the company’s data management and security were the fundamental issues here. Vodafone might have avoided this large fine by conducting regular audits of its data and properly documenting all relationships with third-party data processors. 9. Notebooksbilliger.de — €10.4 million ($12.5 million) German electronics retailer notebooksbilliger.de (NBB) received this significant GDPR fine on January 8, 2021. The penalty relates to how NBB used CCTV cameras to monitor its employees and customers. The CCTV system ran for two years, and NBB reportedly kept recordings for up to 60 days. NBB said it needed to record its staff and customers to prevent theft. The Lower Saxony DPA said the monitoring was an intrusion on its employees’ and customers’ privacy. How the fine could have been avoided: The NBB’s fine reflects strict attitudes towards CCTV monitoring in parts of Germany. The regulator said NBB’s CCTV program was not limited to a specific person or period. Using CCTV isn’t prohibited under the GDPR, but you must ensure it is a legitimate and proportionate response to a specific problem. The UK’s ICO has some guidance on using CCTV in a GDPR-compliant way. 10. Eni — €8.5 million ($10 million) Eni Gas e Luce (Eni) is an Italian gas and oil company that was found to have made marketing phone calls without a proper legal basis. While telemarketing is covered by the ePrivacy Directive, this is another example of how any processing of personal data without a proper legal basis can lead to a GDPR fine. How the fine could have been avoided: Eni should have ensured it had a proper legal basis for telemarketing before calling any of its customers or leads. In this case, the Italian DPA said that the proper lawful basis would have been consent. 11. Vodafone Spain — €8.15 million ($9.72 million) Vodafone’s €8.15 million fine, issued by the Spanish DPA (the AEPD) on March 11, 2021, is actually made up of four fines for violating the GDPR and other Spanish laws covering telecommunications and cookies. The Vodafone fine stands as Spain’s biggest yet—in a year that has seen the AEPD issue several substantial GDPR penalties. The fine results from 191 separate complaints regarding Vodafone’s marketing activity. Vodafone was alleged not to have taken sufficient organizational measures to ensure it was processing people’s personal data lawfully. How the fine could have been avoided: Vodafone’s complex series of legal violations all appear to have one thing in common: a lack of organization and control over personal data used for marketing purposes. Whenever you outsource any processing activity to a third party—for example, a marketing agency—you must ensure you have a clear legal basis for doing so.  Keep clear records, maintain data processing agreements with contractors, and regularly audit your processing activities to ensure they are lawful. 12. Google – €7 million ($8.3 million) From a GDPR enforcement perspective, 2020 was not a good year for Google.  Along with the company losing its appeal against French DPA in January, March saw the Swedish Data Protection Authority of Sweden (SDPA) fining Google for neglecting to remove a pair of search result listings under Europe’s GDPR “right to be forgotten” rules.  How the fine could have been avoided: Google should have fulfilled the rights of data subjects, primarily their right to be forgotten. This is also known as the right to erasure. How? By “ensuring a process was in place to respond to requests for erasure without undue delay and within one month of receipt.”  You can find more information about how to comply with requests for erasure from the ICO here.  13. Caixabank — €6 million ($7.2 million) This fine against financial services company Caixabank is the largest fine ever issued by the Spanish DPA (the AEPD).  The AEPD finalized Caixabank’s penalty on January 13, 2021, breaking Spain’s previous record GDPR fine, against BBVA — issued just one month earlier. This suggests a significant toughening of approach from the Spanish DPA. The first issue, which accounts for €4 million of the total fine, related to how Caixabank established a “legal basis” for using consumers’ personal data under Article 6. Second, Caixabank was fined €2 million for violating the GDPR’s transparency requirements at Articles 13 and 14.  How the fine could have been avoided: The AEPD said Caixabank relied on the legal basis of “legitimate interests” without proper justification. Before you rely on “legitimate interests,” you must conduct and document a “legitimate interests assessment.”  The company also failed to obtain consumers’ consent in a GDPR-compliant way. If you’re relying on “consent,” make sure it meets the GDPR’s strict “opt in” standards. The AEPD criticized Caixabank’s privacy policy as providing vague and inconsistent information about its data processing practices. Make sure you use clear language in your privacy notices and keep them consistent across websites and platforms. 14. BBVA (bank) — €5 million ($6 million) This fine against financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) dates from December 11, 2020.  The BBVA’s penalty is the second biggest that the Spanish DPA (the AEPD) has ever imposed, and it shares many similarities with the AEPD’s largest-ever penalty, against Caixabank, issued the following month. Taken together with the record fine against Caixabank, it’s tempting to conclude that the Spanish DPA has its eye on the GDPR compliance of financial institutions. How the fine could have been avoided: The AEPD fined BBVA €3 million for sending SMS messages without obtaining consumers’ consent. In most circumstances, you must ensure you have GDPR-valid consent for sending direct marketing messages. The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and use its customers’ personal data. Make sure you include all the necessary information under Articles 13 and 14 in your privacy policy. 15. Fastweb — €4.5 million ($5.5 million) Italy’s DPA (the Garante) fined telecoms company Fastweb €4.5 million on April 2 2021 for engaging in unsolicited telephone marketing without consent. In particular, the Garanta noted that Fastweb was using “fraudulent” telephone numbers that the company had not registered with Italy’s Register of Communication Operators. How the fine could have been avoided: Fastweb’s fine derives from telemarketing rules that are set out in Italy’s implementation of the ePrivacy Directive, rather than the GDPR. However, the company still appears to have violated the GDPR by failing to obtain valid consent. It’s important to remember this interplay between the EU’s main privacy laws. The ePrivacy Directive requires you to obtain consent for certain activities, but the GDPR sets the standard of consent—and the standard is very high. 16. Eni Gas e Luce — €3 million ($3.6 million) This fine is one of two imposed on the Italian gas and oil company Eni in December 2019. This is a complicated case involving the creation of new customer accounts—but it boils down to the failure of Eni to obey the GDPR’s principle of accuracy. How the fine could have been avoided: Data protection is about more than just privacy—it also covers issues like records management. Eni should have ensured its customer records were kept accurate and up-to-date. 17. Capio St. Göran AB — €2.9 million ($3.4 million) Capio St. Goran is a Swedish healthcare provider that received a GDPR fine following an audit of one of its hospitals by the Swedish DPA. The audit revealed that the company had failed to carry out appropriate risk assessments and implement effective access controls. As a result, too many employees had access to sensitive personal data. How the fine could have been avoided: Conducting a data protection impact assessment (DPIA) is mandatory under the GDPR for controllers undertaking certain risky activities or handling large-scale sensitive data. Eni should have conducted such an assessment to determine which staff required access to medical records. Access to sensitive personal data should be restricted to those who strictly require it. 18. Iren Mercato — €2.85 million ($3.4 million) In June 2021, the Italian DPA fined energy company Iren Mercato for carrying out a telephone marketing campaign without obtaining proper consent. The phone calls were conducted by a third party marketing company acting as a data processor. How the fine could have been avoided: Many of the fines on our list relate to telemarketing and the failure to obtain GDPR-valid consent. Remember that even when using third-party services to conduct marketing campaigns, you could still be directly liable under the GDPR if you fail to establish a valid legal basis for processing personal data. 19. Foodinho — €2.6 million ($3 million) Groceries delivery service Foodinho received this substantial fine in June 2021, after the Italian DPA found the company had failed to obey the GDPR’s rules on “automated processing,” in this case the use of an algorithm to determine employees’ wages and workflow. The company was also found to have violated the GDPR’s principle of “lawfulness, fairness, and transparency” by failing to provide employees with adequate information. How the fine could have been avoided: Foodinho’s fine mainly relates to a relatively niche area of GDPR compliance—”solely automated processing with legal or similarly significant effects.”  In short, if you’re making purely AI-driven decisions about people that could impact on their finances, employment, or access to services, you must ensure you provide a human review of such decisions. 20. National Revenue Agency (Bulgaria) — €2.6 million ($3 million) This August 2019 fine against Bulgaria’s National Revenue Agency was issued after the organization suffered a data breach affecting 5 million people. The breached data included people’s names, contact details, and tax information. The Bulgarian DPA found that the agency failed to take effective technical and organizational measures to protect the personal data under its control. How the fine could have been avoided: The Bulgarian National Revenue should have conducted a thorough risk assessment of its processing operations and taken effective steps to safeguard personal data. While it’s not clear what caused this data breach, it’s worth noting that the FBI’s Internet Crime Control Center cites email as the number one threat vector in cybercrime.  By securing your company’s email systems, you’re cutting off one of your major vulnerabilities and significantly reducing the likelihood of a data breach.
What else can organizations be fined for under GDPR?  While the biggest fines involve marketing activities, failure to remove personal data when requested by EU citizens, and unlawfully requiring employees to have their biometric data recorded, there are a number of ways in which a breach can occur.  In fact, so far this year, misdirected emails have been the primary cause of data loss reported to the ICO. But, how do you prevent an accident? By focusing on people rather than systems and networks. How does Tessian help organizations stay GDPR compliant?
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity, including misdirected emails. Tessian also detects and prevents spear phishing attacks and data exfiltration attempts on email.  Importantly, though, Tessian doesn’t just prevent breaches. Tessian’s key features – which are both proactive and reactive – align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). To learn more about how Tessian helps with GDPR compliance, you can check out this page, our customer stories or book a demo. 
Read Blog Post
Human Layer Security, Spear Phishing
Legacy Phishing Prevention Solutions vs. Human Layer Security
By Jessica Cooper
Friday, August 27th, 2021
Phishing – in its many varieties – is the threat most security leaders are concerned about protecting their organizations against. Why? Because attacks are frequent, hard-to-spot, time-consuming to investigate, and expensive to recover from.  And legacy solutions like Secure Email Gateways (SEGs), sandboxes, DMARC, and security awareness training out there just aren’t enough. With these methods, users aren’t engaged in a meaningful way and unknown anomalies aren’t accounted for. But there’s a better way.  This blog evaluates the shortcomings of legacy phishing prevention solutions, and proposes a different approach: Human Layer Security. Note: This article is based on an extensive whitepaper available for download. The whitepaper provides greater depth as it compares Human Layer Security with the legacy security solutions discussed here. The problem with SEGs & native tools SEGs lack the intelligence to learn user behavior or rapidly adapt.  The backbone of a SEG is traditional email security approaches – static rules, signature based detection, library of known threats, etc. Meanwhile, attackers consistently evolve their techniques, email networks are dynamic in nature, and human behavior is inconsistent and unpredictable. That means rules are out of date as soon as they are created and signature-based approaches are ineffective. They can’t detect advanced impersonation, account takeover (ATO), third-party supply chain risk, or wire fraud. Worse still, SEGs don’t address other entry points like Microsoft SharePoint, OneDrive, and ShareFile, which are some of the most hacked cloud tools.  What about native controls like Microsoft ATP? O365’s native security controls do protect users against bulk phishing scams, spam, malware, and domain spoofing. And these tools are great when it comes to stopping broad-based, high-volume, low-effort attacks – they offer a baseline protection.  But, today’s email attacks have mutated to become more sophisticated and targeted.  Attackers use automation to make small, random modifications to existing malware signatures and use transformation techniques to bypass these native O365 security tools. Unsuspecting – and often untrained – users fall prey to socially engineered attacks that would be hard for even a security expert to spot.  To learn more about why Office 365 accounts are vulnerable to attack, click here. Why sandboxes fail to detect phishing attacks One of the primary ways sandboxes can fail is in phishing attempts.  Any detection made by the sandbox is dependent on a file exhibiting malicious behavior. This is easy to work around. Hackers will often send a PDF that contains a link to a malicious form to avoid detection.  Likewise, documents with a URI (Uniform Resource Identifier) have an extremely low footprint for sandboxes to detect. And the short TTL domain doesn’t leave much evidence for event analysis or threat intelligence. There are issues with latency, too. Emails, communications, downloads, and important files can take several minutes to reach their destination because of the bottleneck sandboxes can create. This is not an option in today’s modern enterprises where real-time communication and collaboration is paramount. Why DMARC isn’t enough Domain-Based Message Authentication Reporting and Conformance (DMARC), is an added authentication method that uses both SPF and DKIM to verify whether or not an email was actually sent by the owner of the domain that the user sees.  In order for DMARC to pass, both SPF and DKIM must pass, and at least one of them must be aligned. While impersonating a given domain is a common method used for phishing and other malicious activities, there are other attack vectors that DMARC does not address. For example, DMARC does not address domain impersonation attacks (i.e. sending from a domain that looks like the target being abused – e.g. exampl3.com vs. example.com), or display name impersonation (i.e. modifying the “From” field to look as if it comes from the target being abused). The other misunderstood aspect of DMARC is that enabling DMARC on your domain protects your domain from being used in a phishing attack. But to protect your organization against phishing and spear phishing attacks, all domains used in communication with your employees should have DMARC enabled on them.  But still, only one-third of businesses employ DMARC.  This makes the security of your organization dependent on other companies communicating with your organization and vulnerable to supply chain risk, especially since DMARC records are publicly available, meaning attackers can easily identify and target domains that are not registered, and thus are vulnerable to impersonation. Finally, in addition to their own internal domains, organizations are likely to use some combination of Office 365, Gmail, MailChimp, Salesforce.com and other third-party email services. But it’s a challenge to then retrofit them all with DMARC. Want to learn more? We explore the limitations of DMARC in more detail here. The limitations of security awareness training Security Awareness Training (SAT) is seen as a “quick win” when it comes to security – a box-ticking exercise that companies can do in order to tell their shareholders, regulators and customers that they’re taking security seriously.  Sadly, the evidence of these initiatives being conducted is much more important than the effectiveness of them.  And engagement is a big problem. Too many SAT programs are delivered once or twice a year in lengthy sessions. This makes it really hard for employees to remember the training they were given, and the sessions themselves have to cram in too much content to be memorable.  It’s also difficult for security leaders to trains their employees to spot today’s sophisticated attacks. That’s because SAT platforms rely on simulating phishing threats by using pre-defined templates of common threats. This is a fair approach for generic phishing awareness (e.g. beware the fake O365 password login page), but it’s ineffective at driving awareness and preparing employees for the highly targeted and continuously evolving phishing threats they’re increasingly likely to see today (e.g. an email impersonating their CFO with a spoofed domain). We explore the pros and cons of phishing awareness training here. What is Human Layer Security?  The only question left to answer is: When legacy solutions and training programs aren’t enough, how can we prevent employees from interacting with the malicious emails that land in their inbox? The answer is Human Layer Security (HLS). SEGS and native tools like O365 provide basic phishing protection, but organizations need an intelligent solution like Tessian to detect and prevent advanced inbound attacks like BEC, ATO, and CEO Fraud that make it through inbuilt bulk phishing and spam filters. Tessian Defender uses machine learning (ML) to protect your people from even the most advanced inbound threats.  Here’s how: Tessian’s machine learning algorithms analyze your company’s email data, learn employees’ normal communication patterns, and map their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential impersonation, ATO, or BEC threat. For example, payloads, anomalous geophysical locations, IP addresses, email clients, and sending patterns.  Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language via an interactive notification.
Read Blog Post
Spear Phishing, DLP, Compliance
5 Cyber Risks In Manufacturing Supply Chains
Thursday, August 26th, 2021
When it comes to supply chain risks, cybersecurity and data loss are top of mind for security analysts and other professionals.  The EU Agency for Cybersecurity (ENISA) notes that there has been a marked increase in such attacks since early 2020—and that most supply chain attacks target data (mainly personal information and intellectual property). Manufacturers are typically involved in long and complex supply chains with many actors, making them particularly vulnerable to disruption and malicious activity in the supply chain.  You must protect against these risks. Keep reading to learn more, including prevention tips.  5 manufacturing supply chain cyber risks First, let’s look at five crucial supply chain cyber risks for manufacturers.  We’ll then consider how manufacturers can improve their supply chain cybersecurity, referencing some real-life examples. 1. Intellectual property theft One major concern for manufacturers is that third parties in their supply chain may abuse their access to intellectual property and other valuable or sensitive data. According to research by Kroll, guarding against supply chain IP theft is a priority for nearly three-quarters of companies. Even if all your supply chain partners are legitimate, there is always the possibility that a rogue employee could steal your IP or trade secrets and pass them on to your competitors. Don’t believe us? Check out these 17 examples of real-world insider threats.  2. Supply chain attacks Supply chain attacks leverage security vulnerabilities to steal data and spread malware such as ransomware. Some recent high-profile supply chain attacks include the attacks on software companies Solarwinds and Kaseya. These incidents involved software vendors pushing compromised updates to their customers, resulting in widespread malware infections. There’s a reason that supply chains are particularly vulnerable to cyberattacks. The more organizations are involved in a manufacturing process, the greater the likelihood that one of the members will fall victim to a cyberattack and spread malware to their business partners. But that doesn’t mean that the chain is “only as strong as its weakest link.” A well-defended organization can stop a supply chain attack in its tracks.  Case study: supply chain attack Here’s an example of a supply chain attack that leveraged email in an attempt to undermine a company’s security defenses. This type of threat is known as an “account take over” (ATO) attack. The cybercriminals targeted a medium-sized construction firm by first infiltrating one of the company’s trusted vendors. The attackers managed to take over the email account of one of this vendor’s employees. By reading the employee’s emails, the criminals learned that the employee was in contact with several high-ranking staff members at the construction firm. After observing the employee’s communication patterns and email style, the attackers then used the mailbox to send phishing emails to a targeted group of individuals at the construction firm. The phishing emails encouraged the recipients to click a link to a cloud storage folder, claiming that the folder contained a request for a proposal. Clicking the link would have downloaded malware onto the recipient’s device. Protecting against supply chain attacks Protecting against supply chain attacks requires a comprehensive cybersecurity policy, including staff training, network defenses, and security software. Implementing email security software is a vital part of your defensive strategy in the case of email-based supply chain attacks, such as the one above. The case study above is a real-life example of how Tessian, a comprehensive email security solution driven by machine learning, can help thwart supply chain attacks.  Tessian Defender scans inbound emails for suspicious activity. The software also learns your employees’ communication patterns to understand what constitutes “normal” email activity. In the attack described above, Tessian noted several subtle signs—including the sender’s location and choice of cloud storage platform—suggesting that the email could be part of a supply chain attack. Tessian alerted the employee to the potential danger, and the supply chain attack was averted.  It’s important to note that legacy email security software, which normally operates on a “rule-based” basis, can fall short when it comes to sophisticated account take-over attacks like this.  Tessian was not the only security product this construction firm was running. But it was the only one to spot the attack. 3. Compromised hardware and software Malicious actors can compromise hardware and software during the manufacturing process, creating vulnerabilities that are passed on down the supply chain or to equipment end-users. Hardware can be tampered with at any stage in the supply chain. As a manufacturer, you might obtain compromised hardware—or malicious actors could interrupt the manufacturing process downstream, tampering with products to install rootkits or other technologies. But as a manufacturer, you must also protect against threats in your own portion of the supply chain—where internal or external actors could interfere with the products or components you create. Case study: compromised software In August 2020, reports emerged that Chinese phone manufacturer Transsion had shipped thousands of mobile devices containing pre-installed malware that signed users up to subscription services without their consent. The pre-installed malware, known as Triada, automatically downloads and installs a trojan called “xHelper” that cannot be easily removed by users. The program covertly submits requests for subscription products at the user’s expense. Transsion blamed a malicious actor in its supply chain for installing Triada on its devices—but the culprit has yet to be discovered. Defending against software compromise One step towards to avoiding any type of malicious actor in your supply chain is conducting thorough due diligence. Identify and document all supply chain partners—as mentioned, you could be accountable for their malicious or negligent activity. Integrating cybersecurity measures into your quality assurance regime may also be a way to prevent upstream malicious actors from tampering with firmware before your manufacturing process takes place. And as we’ve seen, it’s crucial to protect your own systems from cyberattacks—which means ensuring the security of key communications channels like email. 4. Downstream software or hardware security vulnerabilities It’s vital to protect data against access by other parties in your supply chain. But even if you could trust your supply chain partners not to steal your data, you must also ensure that they don’t make it accessible to unauthorized third parties. No matter how much work you put into protecting your own systems from unauthorized access, your efforts could be rendered futile due to software or hardware vulnerabilities among other parties downstream. 5. Legal non-compliance In addition to maintaining poor cybersecurity practices that directly impact your own organization’s security, third parties in the supply chain may follow poor information security practices for which you could be liable. Case study: third-party legal non-compliance In 2019 a U.K. pharmaceuticals company was fined after a third-party contractor left documents containing personal information publicly accessible in unsecured containers.  Under the GDPR, “data controllers” are responsible for many of the actions of their service providers. As such, the pharmaceuticals company was deemed liable for the error. The firm received a fine and engaged in a drawn-out legal battle with the U.K.’s data regulator. Mitigating poor security practices among third parties Research is crucial to ensure you’re working with reputable third parties that will undertake compliant and responsible data protection practices. Contracts stipulating particular security measures are also important. Such agreements can also contain contractual clauses that serve to indemnify your company against legal violations by the other party. Under some data protection laws, including the GDPR and the upcoming Colorado Privacy Act, service providers processing personal information on another company’s behalf are required to submit to audits and inspections. Routinely inspecting the data security practices of your vendors and other service providers is an excellent way to ensure they are meeting their compliance obligations on your behalf. How to prevent manufacturing supply chain risks   In general, manufacturers can manage cyber risks in supply chains via a robust and comprehensive cybersecurity program. Here are some key cybersecurity principles for supply chain management from the National Institute for Standards and Technology (NIST): Assume your systems will be breached. This means considering not only how to defend against breaches, but determining how you will mitigate breaches once they have occurred. Think beyond technology. Cybersecurity is also about people, processes, and knowledge. Cybersecurity also means physical security. Threat actors can use physical security vulnerabilities to launch cyberattacks. Implementing a cybersecurity framework is key to defending against supply chain threats. Manufacturers of any size can work towards cybersecurity framework compliance, implementing controls according to their resources and priorities. The NIST Cybersecurity Framework Version Manufacturing Profile: NISTIR 8183 Revision 1 is an excellent starting point for manufacturers. For more information about the NIST framework, read our article on NIST and email security. More specifically, manufacturers should be taking the following steps to protect their data and systems in supply chains: Identify and document all supply chain members Conduct careful due diligence on parties in the supply chain Require supply chain partners to contractually agree to maintain good cybersecurity and data protection practices Ensure inbound communications (particularly via email) are scanned for signs of phishing and other social engineering attacks Scan outbound communications to prevent data loss Ensure all employees are aware of the risks and their responsibilities Email is a key supply chain vulnerability Of all the risks inherent to working in a supply chain, cyberattacks are perhaps the most critical in the current climate.  As ENISA notes, most supply chain attacks use malware to target company data. We also know that 96% of phishing attacks—which are the primary means of infecting business networks with malware—take place via email. The bottom line: email security is a crucial step for manufacturers to defend against supply chain cyber risks.  Find out more about how Tessian can help with the resources below. ⚡ Tessian Platform Overview ⚡ Customer Stories ⚡ Book a Demo
Read Blog Post
Compliance
NIST Cybersecurity Framework and Email Security
Wednesday, August 25th, 2021
If you’re looking to improve your organization’s cybersecurity, the NIST Cybersecurity Framework provides an excellent starting point. Compliance with the NIST Cybersecurity Framework enables you to: Describe your current cybersecurity posture (“Current Profile”) Identify your target cybersecurity state (“Target Profile”) Continuously identify and prioritize vulnerabilities While email security isn’t the only component, it is a vital component of your organization’s overall cybersecurity program. So how can levelling up your email security bring you closer towards your NIST Target Profile? First, let’s look at the overall structure of the Framework. Then we’ll consider how developing your organization’s email security is a key step towards NIST Cybersecurity Framework compliance. NIST Cybersecurity Framework Structure At its broadest level, the NIST Cybersecurity Framework consists of three parts: Core, Profile, and Tiers (or “Implementation Tiers”). Core: Functions, Categories, Subcategories Think of the Core of the NIST Framework as a three-layered structure. At its topmost level, the Core consists of five Functions: Identify: Develops an organizational understanding to manage cybersecurity Protect: Outlines appropriate cybersecurity safeguards Detect: Outlines cybersecurity activities designed to detect incidents Respond: Outlines cybersecurity activities to take during an incident Recover: Outlines cybersecurity activities to take after an incident Then, at the next level down, each Function consists of Categories focusing on business outcomes. There are 23 Categories split across the five Functions. Here are a few examples of some of the NIST Framework’s Categories: Risk Assessment (ID.RA) Data Security (PR.DS) Detection Processes (DE.DP) Mitigation (RS.MI) Improvements (RC.IM) At the bottom level, each Category consists of a set of Subcategories and Informative References.  Subcategories are more specific statements of an intended business outcome, while Informative References provide further technical detail available outside of the Framework. For example, under the Data Security (PR.DS) Category sit eight Subcategories, including the following: PR.DS-1: Data-at-rest is protected PR.DS-2: Data-in-transit is protected PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition And here are some of the Informative References accompanying PR.DS-1: Data-at-rest is protected: Center for Internet Security (CIS) Controls 13 and 14 COBIT 5 Management Practices APO01.06, BAI02.01, and BAI06.01, ISO/IEC 27001:2013 A.8.2.3 Check out the full framework for reference.  Tiers The Tiers represent different degrees to which organizations may implement the NIST Cybersecurity Framework. There are four Tiers: Tier 1: Partial — Security controls are implemented on an “ad hoc” or sometimes reactive basis. External partners often assist with the cybersecurity program. Tier 2: Risk Informed — Implementation of controls is informed by risk objectives. Security awareness may not be standardized across the entire organization. Not all threats are proactively met. Tier 3: Repeatable — Risk management practices are formal organizational policy. Employees are well-informed about security in the context of their roles. The organization’s security is understood in the broader context of supply chains and partnerships. Tier 4: Adaptive — The organization can adapt its cybersecurity practices based on priorities and past experience. Security risks are taken seriously by senior management on par with financial risks. Formalized security processes are integrated into workflows. You can choose the Tier most appropriate to you, depending on factors such as your resource level, organizational maturity, and compliance demands. Profiles Profiles allow you to adapt the Framework to meet the needs of your organization.  Establishing your Current Profile and determining a Target Profile provides a systematic way for you to work through the Functions, implementing the Categories and Subcategories that are most relevant to your organization. Your organization’s size and resource levels may help to determine an appropriate Target Profile. But you can also consider the business context in which you operate — or the cybersecurity threats that are most likely to impact you.  NIST recently released a preliminary draft profile for managing the threat of ransomware, which we’ll look at later in this article.  Email security in the NIST Framework In the current cybersecurity climate, email security is a key consideration for business leaders. In fact, email is the attack vector security leaders are most worried about. We know that email serves as a key vector for ransomware, phishing, data exfiltration, and other increasingly widespread attacks and incidents.   Around 96% of phishing attacks start via email Spear phishing emails are the most common delivery method for ransomware Other email-based threats, such as Business Email Compromise, cost organizations billions each year. As such, you can mitigate some of the most serious and destructive security threats by ensuring your organization operates a highly secure email system. Now we’re going to look at some of the Categories from across the NIST Cybersecurity Framework’s five Functions, and identify how maintaining robust email security can help you meet NIST Cybersecurity Framework outcomes. Asset Management (ID.AM) Asset Management (ID.AM): “The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.” Effective asset management means ensuring you have overall knowledge and understanding of your organization’s inventory, information flows, and personnel. How is asset management relevant to email security? Well, understanding your organization’s communication networks and data flows is a vital part of asset management, and email is the primary means of communication for most companies. The ID.AM-3 Subcategory requires that “organizational communication and data flows are mapped.” Mapping communication flows is the first step in detecting email cybersecurity events and creating a data loss prevention (DLP) strategy. An effective email security solution will use machine learning technology to establish employees’ communications networks. Want to learn more about DLP? Check out these resources: ⚡ [Research] The State of Data Loss Prevention ⚡ Why is Email DLP So Important? Awareness and Training (PR.AT) Awareness and Training: “The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements.” Security awareness training should always feature extensive information about social engineering attacks.  Phishing, spear phishing, Business Email Compromise (BEC) — social engineering attacks that occur almost exclusively via email — rely on manipulating people into taking certain actions that expose data or compromise security. Therefore, email security training is essential to meet the outcome associated with the PR.AT-1 Subcategory: “All users are informed and trained.” But we know that, while essential, security training is not enough to tackle serious cybersecurity threats. Data Security (PR:DS) Data Security: “Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.” Preventing data loss via email is a core requirement in maintaining data security. Email is at the root of most data breaches, whether due to phishing and other social engineering attacks, or “accidental” breaches involving misdirected emails or misattached files. Preventing data loss via email is a key step towards meeting the outcome for Subcategory PR.DS 5: “Protections against data leaks are maintained.” Unless there is an operational requirement for data to leave your organization, your email security software should prevent it from doing so. Effective email security software can detect and prevent unauthorized data transfers. Learn more about how Tessian prevents data loss below.  Anomalies and Events (DE.AE) Anomalies and Events: “Anomalous activity is detected and the potential impact on events is understood.” How does this Category tie in with email security? Well, most cyberattacks rely on email as the route through an organization’s defenses. So detecting and analyzing anomalous activity across your email activity is essential. Within the “Anomalies and Events” Category, the following Subcategories are particularly relevant to email security: DE.AE-1: “A baseline of network operations and expected data flows for users and systems is established and managed” — To detect anomalous email activity, your email security solution must understand what “normal” email looks like relative to each of your users. DE.AE-3: “Event data are collected and correlated from multiple sources and sensors” — Email attacks can be particularly sophisticated, relying on social engineering techniques to manipulate users. Effective email security software requires a large amount of data. Security Continuous Monitoring (DE.CM) Security Continuous Monitoring: “The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.” Monitoring your organization’s email activity is a crucial element in your overall security continuous monitoring efforts. The following “Security Continuous Monitoring” Subcategories are of particular relevance to email security: DE.CM-3: “Personnel activity is monitored to detect potential cybersecurity events” — External emails are only part of your email security battle. Compromised or spoofed corporate email accounts should also be monitored as they can be used for internal phishing attacks. DE.CM-7: “Monitoring for unauthorized personnel, connections, devices, and software is performed” — Implementing email security software that scans email communication for suspicious text and attachments could help meet this outcome. Detection Processes (DE:DP) Detection Processes: “Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.” This means any email security solution must be continuously monitored and improved to ensure it can defend against the latest cyberattacks. Here are some relevant “Detection Processes” Subcategories: DE.DP-4: “Event detection information is communicated” — Your email security software should notify both the affected user and IT administrators when a suspicious event occurs. DE.DP-5: “Detection processes are continuously improved” — Email security systems should be continuously learning and updating to adapt to emerging threats. NIST Preliminary Draft Ransomware Profile In June 2021, NIST published Preliminary Draft NISTIR 8374 — Cybersecurity Framework Profile for Ransomware Risk Management. Ransomware is becoming the most severe cybersecurity threat in the current threat landscape. Because many, if not most, ransomware attacks start via email, improving your organization’s email security and its ransomware defense posture go hand-in-hand. As mentioned above, setting a Target Profile is an important step in implementing the NIST Cybersecurity Framework. To defend against the increasingly serious ransomware threat, you may choose to work towards the Ransomware Risk Management Profile. Implementing the draft Profile means achieving numerous Category outcomes from across all five Functions. We won’t go into the full details of the Profile here, but we recommend checking it out — particularly in the current threat climate.  Learn more about Tessian Human Layer Security  Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound and outbound emails for signs of phishing, malicious attachments, data exfiltration, and accidental data loss, Tessians scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior. This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted, and access the legitimate files and links they need across devices — while being alerted to anomalous and suspicious email content.  Tessian’s in-the-moment warnings help reinforce training and nudge employees towards safer behavior over time. Tessian’s Human Layer Security platform uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals:  Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses. Anomalous email sending patterns: Based on historical email analysis, Tessian can identity unusual recipients, unusual send times, and emails sent to an unusual number of recipients in order to detect malicious inbound emails and suspicious outbound emails. Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments. Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too. Learn more about how Tessian can transform your organization’s cybersecurity program.
Read Blog Post
Human Layer Security
Tessian Partners with Optiv Security and Moves to a 100% Channel Model
By Tessian
Tuesday, August 24th, 2021
Today, we announce the news that Tessian is moving to a 100% channel model, partnering with leading cybersecurity partners like Optiv Security to help enterprises secure the human layer and protect against threats caused by human error. There’s currently a gap in enterprise email security. Nearly 50% of advanced phishing emails bypass secure email gateways while legacy email solutions and data loss prevention (DLP) controls aren’t stopping employees from leaking data, accidentally or otherwise. Using machine learning, Tessian is solving these problems in a way that current technology providers can’t – opening up a huge opportunity for security-focused partners. 
Led by the company’s Chief Strategy Officer, Matt Smith, and the team who successfully built and scaled the Duo Security channel program, Tessian’s channel team has launched a best of breed, invite-only partner program and has also signed partnerships with the likes of Altinet and CTS in the UK, Asystec and Kontex in Ireland, and Nclose in South Africa. It is now looking to bring more security-centric and strategic go-to-market partners onboard to help holistically solve one of the biggest problems in enterprise security today.
“A 100% channel model means the Tessian team is ‘all-in’ on partners,” says Smith. “We’re committed to helping our partners differentiate their offerings, design new service packages and increase their profitability. Channel partners play a critical role in advising and helping CISOs and CIOs solve major security challenges – which today includes data loss and breaches caused by people. With trusted partners like Optiv, we can truly accelerate our mission of securing the human layer in the enterprise.”  “A solid cybersecurity infrastructure is a core asset to every organization. As companies become increasingly vulnerable to security threats, both intentional and unintentional, it’s vital that tested and trusted security solutions are in place,” says Ahmed Shah, senior vice president of alliances and strategic partnerships at Optiv. “We welcome the opportunity to partner with companies like Tessian that provide these types of services to enterprise clients.” To find out more about Tessian’s channel program, click here. 
Read Blog Post
Human Layer Security, Customer Stories, DLP
16 Ways to Get Buy-In For Cybersecurity Solutions
By Maddie Rosenthal
Friday, August 20th, 2021
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.  This is easier said than done, but security is business-critical.   So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips. You can download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. Or, download this eBook. 1. Familiarize yourself with overall business objectives While cybersecurity has historically been a siloed department, today, it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.  The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case. If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach, the average cost of a data breach is $4.24 million.) 2. Create specific “what-if” scenarios A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.  As the saying goes, “If it ain’t broke, don’t fix it”.  That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented so that stakeholders can understand both probability and impact. For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails  which – by the way- are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox.  What would happen?  Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.  3. Work closely with the security vendor You know your business. Security vendors know their product. If you combine each of your expertise – and really lean on each other – you’ll have a much better chance of making a compelling case for a particular solution. Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.  4. Collaborate and align with other departments It takes a village and cybersecurity is a “people problem”.  That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.  Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win! 5. Consider how much the executive(s) really know about security To communicate effectively, you have to speak the same language. And, we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with. But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing. For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But, if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.  In short: Don’t succumb to the Curse of Knowledge. 
6. Use analogies to put costs into perspective  One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful. For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But, the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.  Suddenly, the cost will seem more manageable and worth the investment. 7. Invite key stakeholders to events or webinars  Before you even start pitching a particular solution, warm-up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people/organizations are finding solutions. Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle.  8. Prepare concise and personalized briefing materials Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5. After taking some time to understand the business’ overall objectives, take a closer look at individual peoples’ roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity. Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.  The bottom line: make it about them. 9. Share these documents in advance of any formal meetings While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.  To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings. But, don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information. 10. Build a strong security culture Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone. So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping – not blaming – employees. There has to be a certain level of mutual trust and respect.  Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions – whether it’s clicking on a phishing email or using a weak password – have consequences.  If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign-off on solutions. 11. Keep an eye on security trends outside of your industry  Some industries – specifically Healthcare, Financial Services, and Legal – are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months. Keep this in mind. If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too. 12. Approach non-executive stakeholders early on While – yes – getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.  After all, those are the people who will actually be responsible for deploying the solution and maintaining it.By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.  How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.  13. Match like-for-like people from both sides If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level. For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.  And, with that in mind…. 14. Preempt questions and prepare answers No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!) Remember, people are generally concerned with how a problem/solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.  15. Get specific customer references from the vendor We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And, we mentioned in tip #11 that you should match like-for-like people in meetings. It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince you’re CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from the CTO. Why? Professionals trust and rely on their peers when making difficult decisions. 16. Be conscious (and considerate of) peoples’ time  Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).  Are you a security leader who wants to offer advice to your peers? We’d love to hear from you! Please get in touch with madeline.rosenthal@tessian.com. And, if you’re looking for more advice, check out these blogs: How to Communicate Cybersecurity ROI Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges How to Create an Enduring and Flexible Cybersecurity Strategy
Read Blog Post
Human Layer Security, DLP
What is Email DLP? Overview of DLP on Email
Thursday, August 19th, 2021
Data loss prevention (DLP) and insider threat management are both top priorities for security leaders to protect data and meet compliance requirements.  And, while there are literally thousands of threat vectors – from devices to file sharing applications to physical security – email is the threat vector security leaders are most concerned about protecting. It makes sense, especially with remote or hybrid working environments. According to Tessian platform data, employees send nearly 400 emails a month. When you think about the total for an organization with 1,000+ employees, that’s 400,000 emails, many of which contain sensitive data. That’s 400,000 opportunities for a data breach.  The solution? Email data loss prevention.
This article will explain how email DLP works, consider the different types of email DLP, and help you decide whether you need to consider it as a part of your overall data protection strategy.  Looking for information about DLP more broadly? Check out this article instead: A Complete Overview of Data Loss Prevention. 
➡ What is email data loss prevention? Essentially, email DLP tools monitor a company’s email communications to determine whether data is at risk of loss or theft. There are several methods of email DLP, which we’ll look at below. But they all attempt to: Monitor data sent and received via email Detect suspicious email activity Flag or block email activity that leads to data loss ➡ Do I need email data loss prevention? Unless you’re working with a limitless security budget (lucky you!), it’s important to prioritize your company’s resources and target areas that represent key security vulnerabilities.  Implementing security controls is mandatory under data protection laws and cybersecurity frameworks, like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). And there’s a good reason to prioritize preventing data loss on email. As we’ve said, email is the threat vector security leaders are most concerned about. We’ll explain why.  📩 Inbound email security threats How can malicious external actors use email to steal data? There are many methods. Phishing—social engineering attacks designed to trick your employees into handing over sensitive data. According to the FBI, phishing is the leading cause of internet crime, and the number of phishing incidents doubled in 2020. Spear phishing—like phishing, but targeted at a specific individual. Spear phishing attacks are more sophisticated than the “bulk” phishing attacks many employees are used to. Malware—phishing emails can contain a “malicious payload”, such as a trojan, that installs itself on a user’s device and exfiltrates or corrupts data. Email DLP can help prevent criminals from exfiltrating your company’s data. 🏢 Internal email security threats While it’s crucial to guard against external security threats, security teams are increasingly concerned with protecting company data from internal actors. There are two types of internal security threats: accidental and malicious. 🙈 Accidental data loss Accidents happen. Don’t believe us?  Human error is the leading cause of data breaches. Tessian platform data shows that in organizations with 1,000 or more employees, people send an average of 800 misdirected emails (emails sent to the wrong recipient) every year. That’s two every day.  How can a misdirected email cause data loss? Misspelling the recipient’s address, attaching the wrong file, accidental “reply-all”—any of these common issues can lead to sensitive company data being emailed to the wrong person.  And remember—if the email contains information about an individual (personal data), this might be a data breach. Misdirected emails are the top cause of information security incidents according to the UK’s data regulator. We can’t forget that misattached files are also a big problem. In fact, nearly half (48%) of employees say they’ve attached the wrong file to an email. Worse will, according to survey data: 42% of documents sent in error contained company research and data 39% contained security information like passwords and passcodes 38% contained financial information and client information 36% contained employee data But, not all data loss incidents are an accident.  🕵 Insider threats  Employees or contractors can steal company data from the inside. While less common than accidental data loss, employees that steal data—or simply overstep the mark—are more common than you might think. Some employees steal company data to gain a competitive advantage in a new venture—or for the benefit of a third party. We covered some of these incidents in our article, 11 Real Insider Threats. But more commonly, employees are breaking the rules for less nefarious reasons. For example, employees send company data to a personal email address for convenience. For example, to work on a project at home or on another device. Sending unauthorized emails is a security risk, though. Tessian platform data shows that it occurs over 27,500 times per year in companies with 1,000 employees or more. And, while – yes – it’s often not done maliciously, the consequences are no less dire, especially in highly regulated industries.  So, how do you prevent these things from happening?  ➡ Email DLP solutions to consider Research shows that the majority of security leaders say that security awareness training and the implementation of policies and procedures are the best ways to prevent data loss. And both are very important.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But – as well-intentioned as most employees are – mistakes still happen despite frequent training and despite stringent policies. That means a more holistic approach to email DLP – including technology – is your best bet.  Broadly, there are two “types” of DLP technology: ruled-based DLP and machine learning DLP. 📏 Rule-based email DLP Using rule-based DLP, IT administrators can tag sensitive domains, activities, or types of data. When the DLP software detects blacklisted data or behavior, it can flag it or block it. Like training and policies, rule-based DLP certainly has its place in security strategies. But there are limitations of ruled-based DLP. This “data-centric” model does not fully account for the range of behavior that is appropriate in different situations. For example, say an IT administrator asks email DLP software to block all correspondence arriving from “freemail” domains (such as gmail.com), which are often used to launch cyberattacks. What happens when you need to communicate with a contractor or customer using a freemail address? What’s more, rule-based DLP is very admin-intensive. Creating and managing rules and analyzing events takes a lot of time, which isn’t ideal for thinly-stretched security teams.  Want to learn more? We explore situations where rule-based DLP falls short. For more information, read The Drawbacks of Traditional DLP on Email. 🤖 Machine learning email DLP Machine learning email DLP is a “human-centric” approach. By learning how every member of your company communicates, machine learning DLP understands the context behind every human interaction with data. How does machine learning email DLP work? This DLP model processes large amounts of data and learns your employees’ communications patterns.  The software understands when a communication is anomalous or suspicious by constantly reclassifying data according to the relationship between a business and customers, suppliers, and other third parties. No rules required.  This type of DLP solution enables employees to work unimpeded until something goes wrong, and makes preventing data loss effortless for security teams.
💡 Learn more about how Tessian’s email DLP solutions Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our contextual machine learning models have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real-time if particular emails look like they’re about to be sent to the wrong person or if an employee has attached the wrong file. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. And, finally, Tessiden Defender prevents inbound threats, like spear phishing, business email compromise, and CEO fraud.  To learn more about data exfiltration and how Tessian uses machine learning to keep data safe, check out our customer stories or talk to one of our experts today. You can also subscribe to our monthly newsletter below to get more updates about DLP, compliance, spear phishing, industry trends, and more. 
Read Blog Post
Page