December Cybersecurity News Roundup
Wednesday, December 30th, 2020
December 2020 might have been the most significant month in cybersecurity history. Private companies continued to be used as attack vectors in the ongoing international cyberwar. The plague of COVID-19-related phishing scams showed no signs of stopping. And yet another big tech company faced a fine following a data breach.

This month, we’ve split our cybersecurity roundup into two parts. Part 1 deals with the SolarWinds hack and the subsequent fallout, affecting tens of thousands of companies worldwide. Part 2 looks at some of December’s other major cybersecurity headlines.

Part 1: SolarWinds Hack

The cybersecurity headlines this month have been dominated by the discovery that US software company SolarWinds had been hacked by state-sponsored Russian hackers. The SolarWinds story will continue to develop throughout 2021. Part 1 of our December cybersecurity news roundup sets out the major developments so far, to help you understand how this major cybersecurity incident is unfolding.

FireEye’s “red team” tools compromised in cyberattack

December’s cybersecurity saga begins with an announcement from security firm FireEye, made via a December 8 blog post. FireEye reported that a “highly sophisticated state-sponsored adversary” had stolen “red team” tools, used to mimic the sorts of attacks and exploits carried out by malicious actors. When such tools fall into the wrong hands, they can be used to carry out real-life attacks.

FireEye sought to reassure its clients in a further blog post on the same day, noting that none of the compromised tools contained zero-day exploits. We explored the danger of zero-day vulnerabilities in our article: What is a Zero-Day Vulnerability?

Blame for the attack fell on the Russian cybercrime group known as “Cozy Bear.” FireEye’s revelations were newsworthy in themselves, but the full implications of the company’s announcement remained unclear until a few days later.
SolarWinds discloses “highly-sophisticated, targeted and manual” attack

On December 13, Texas-based IT company SolarWinds said that some of the software it released between March and June had been subject to a “highly-sophisticated, targeted and manual supply chain attack by a nation state.” SolarWinds’ announcement was the first clear indication that one of the biggest cyberattacks of all time might be underway.

But why was SolarWinds’ announcement so significant? SolarWinds software is used by thousands of organizations, including many US government organizations. The company’s announcement revealed that many of SolarWinds’ clients had had malware embedded in their systems for up to nine months.

US government reveals massive data breach

The next chapter in 2020’s biggest cybersecurity story came on December 13, when Reuters reported that internal email traffic had been compromised at the US Treasury and Department of Commerce. Just like FireEye, which had reported its breach five days earlier, these US government departments used the IT-monitoring software platform Orion. Orion is created by — you guessed it — SolarWinds. When the organizations updated their Orion software back in March, they unwittingly installed malware.

The blame for the hack continued to fall on Russia, which denied involvement via a statement on Facebook.

Emergency directive urges US agencies to disconnect Orion products

Shortly after the SolarWinds hack was announced, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01.
The directive’s full name is “Mitigate SolarWinds Orion Code Compromise,” and it instructs federal agencies to “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.” Agencies were also told to “block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.” The severity of CISA’s directive stood in stark contrast to SolarWinds’ reassuring press releases.

SolarWinds attack thought to impact over 18,000 customers

The full extent of the SolarWinds hack became clearer on December 14, when the company filed a report with the US Securities and Exchange Commission revealing that around 18,000 organizations may have installed the malicious Orion update. To put this in context, SolarWinds has roughly 300,000 customers in total. Around 33,000 of these use Orion, and more than half of these Orion users are believed to have been compromised by the hack.

But these aren’t just any customers. According to SolarWinds’ website, Orion users include US public bodies such as the Department of Defense, Secret Service, and Air Force — not to mention private firms like Symantec, AT&T, and — crucially — Microsoft.

CISA announces APT compromise of public institutions and infrastructure

The SolarWinds saga continued on December 17, when CISA announced an “advanced persistent threat compromise of government agencies, critical infrastructure, and private sector organizations.” CISA described the attacker as a “patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks” that, among other activities, was “targeting email accounts belonging to key personnel, including IT and incident response personnel.” Once a hacker gains control of a target email account, they can use it to carry out advanced phishing operations.
Read our articles on Business Email Compromise (BEC) and Account Takeover (ATO) attacks to learn how to avoid falling victim to these sorts of scams.

US National Nuclear Security Administration confirms breach

One of the more shocking threads of the SolarWinds story was revealed by Politico on December 17, when the US National Nuclear Security Administration (NNSA) and Department of Energy (DoE) revealed they had been affected by the hack. For many, this took an already deeply concerning event into “borderline terrifying” territory, as the NNSA maintains the world’s most powerful stockpile of nuclear weapons. However, a DoE spokesperson said that only business networks had been affected.

The revelations came shortly after reports that CISA had been “overwhelmed” by the attacks, owing in part to staff shortages. CISA director Chris Krebs was fired by President Trump last month after Krebs defended the integrity of the 2020 election.

Microsoft customers in at least seven countries affected by cyberattack

In a December 17 blog post, Microsoft President Brad Smith claimed that the SolarWinds attack had impacted more than 40 Microsoft customers located across seven countries. While 80 percent of Microsoft’s affected customers were in the US, others were located in Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE. Smith also said it was “certain” that more locations and victims would emerge.

Smith’s blog post also called for “a more effective national and global strategy to protect against cyberattacks,” underpinned by better information sharing, stricter cybersecurity rules, and stronger accountability of nation-state cyber actors.
NSA Cybersecurity Advisory warns of Microsoft exploits

December 17 saw yet another newsworthy cybersecurity event when the US National Security Agency (NSA) issued a rare Cybersecurity Advisory, warning that “malicious cyber actors are abusing trust in federated authentication environments to access protected data.” The issue originated in Microsoft’s Active Directory Federation Services (ADFS) software, which provides single sign-on access across organizations, including via multi-factor authentication.

The NSA’s Microsoft advisory followed a December 14 report by Volexity, revealing that an attacker had bypassed Duo’s multi-factor authentication service to gain access to a Microsoft Outlook Web App (OWA) inbox. These incidents serve as a stark reminder that while multi-factor authentication might be a crucial component of your cybersecurity ecosystem, you cannot rely on it alone to keep your email accounts safe.

Part 2: Other Important Cybersecurity News

While the SolarWinds hack generated the most headlines, December saw many other important, unrelated cybersecurity news stories. Part 2 of our December cybersecurity news roundup presents some of the month’s other big cybersecurity events.

FBI warns of threats against ransomware victims

The US Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) on December 10, advising businesses to take steps to improve cybersecurity safeguards against ransomware attacks. Perhaps most interestingly, the PIN warns that cybercriminals have been following up ransomware attacks with phone calls attempting to “extort payments through intimidation” and “threatening to release exfiltrated data.”

The FBI does not advocate paying a ransom after falling victim to a ransomware attack. It suggests taking steps to mitigate or prevent attacks, including creating secure backups, monitoring network traffic, and enabling multi-factor authentication.
Since many ransomware attacks occur via email, it’s essential to protect your business using email security software. Read our article on How to Choose the Right Email Security Software for more information.

Research reveals COVID-19 phishing remains a serious problem

Research reported by Health IT Security on December 11 showed that cyberattackers continue to exploit the COVID-19 pandemic through phishing scams. The report cites research by KnowBe4, which reveals a new batch of spear phishing emails relating to vaccinations. Armorblox also reports emails impersonating the US Internal Revenue Service (IRS) and purporting to offer COVID-19 financial relief.

The majority of COVID-19 phishing attacks target credentials — a common strategy which we discuss in our article What is Credential Phishing? You can also check out four real-world examples of other COVID-19 phishing attacks in this article.

These phishing scams are a new variant on the COVID-19 phishing theme that started hitting inboxes in March — and, like all social engineering attacks, they seek to exploit people’s trust in authority. Want to learn how to avoid falling victim to these sorts of scams? See our article: How to Identify and Prevent Phishing Attacks.

Irish regulator fines Twitter over data breach

Ireland’s data protection authority, the Data Protection Commission (DPC), issued a €450,000 fine against Twitter on December 15 over the company’s handling of a 2018 data breach affecting Android users. Twitter’s violations of the EU’s General Data Protection Regulation (GDPR) included failing to notify the DPC about a data breach within the required 72-hour period, and failing to document the breach properly.

While nearly half a million euro is a lot of money, it’s fairly small beer for a company as large as Twitter. The GDPR allows fines of up to 2% of global turnover for this type of violation, which could have led to a maximum fine of around €60 million in Twitter’s case.
We outline the biggest GDPR fines of 2020 in this article.

But the DPC originally proposed an even smaller fine of between €135,000 and €275,000. This proposal was seen as excessively lenient by other EU data protection authorities, who disputed it under the first ever use of the GDPR’s Article 65 procedure. Other DPAs, such as Germany’s BfDI, argued that a higher fine of up to €22 million would be more appropriate. These arguments were put forward in a binding decision of the European Data Protection Board (EDPB) which required the DPC to reconsider its proposed fine. The regulator’s response — raising the fine to just 0.1% of Twitter’s 2019 turnover — will lead many to suggest that the social media giant got off lightly.

Contact details of 270,000 cryptocurrency users leaked

On December 22, BleepingComputer reported that the contact details of over 270,000 users of cryptocurrency wallet Ledger were being offered for sale on the dark web, following a data breach that occurred in July. Two text files were reportedly for sale, one containing 1,075,382 people’s email addresses, and the other containing 272,853 people’s names, mailing addresses, and phone numbers.

Although this type of personal data is not considered sensitive, it is highly valuable to hackers as it can be used to launch phishing attacks against the users. Earlier this month, Ledger users reported receiving phishing emails from an actor impersonating Ledger’s security team.

That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup.
Podcast Episode 1: Why Culture Trumps Strategy, With Howard Schultz
By Laura Brooks
Sunday, December 27th, 2020
Welcome to the RE:Human Layer Security podcast. This is the show that flips the script on cybersecurity. In each episode, Tim Sadler, Tessian’s CEO and co-founder, will be speaking with world-class business, tech and security leaders about why businesses need to protect people – not just data and machines – to stop breaches and make businesses thrive.

Tim Sadler: For our first episode, we’re kicking things off by talking about the importance of culture to build a resilient business. I think we can all agree 2020 has been a turbulent time, a year of many firsts. And like many other leaders, managing a suddenly remote company has forced me to adapt my ways of working and think deeply about how this huge change would affect the people within Tessian. How would it impact their mental wellbeing? Do they have the tools in place to work both productively and securely? And how do you build and maintain a culture when everybody is working in isolation?

So when I had the chance to speak to the brilliant Howard Schultz, the former chairman and CEO of Starbucks, earlier in the year, I wanted to ask for his advice on how to lead during times of extreme difficulty. With stories from his days leading Starbucks, he explains why managers must lead with humanity to help keep people motivated and inspired. And if you want to hear more Human Layer Security insights, all podcast episodes can be found here.

TS: Howard, it is a great honor to have you with us here today.

Howard Schultz: Honored to be with you, Tim.

TS: Howard, like so many others, I’ve been really lucky to learn from your leadership lessons as the CEO of Starbucks. And for anybody who does an ounce of research on that company, they will hear that it was all about the people. Why do you think it’s so important that leaders invest in their people?
HS: Well I think, regardless of what business you’re in, whether you’re in the consumer business, the tech business, or the security business, it’s always all about the people and the culture and values and guiding principles of an organization. When we began at Starbucks, in 1987, when we had 11 stores and 100 employees, we actually framed a unique way to look at the business. And that was to try and achieve the fragile balance between the fiduciary responsibility of building shareholder value and the conscience and the benevolence necessary to share success with our people.

I think in the environment that we’re living in today, perhaps more than any other time, certainly in my lifetime, you can’t build a company or attract and retain great people, unless people recognize that they are part of something larger than themselves, and that they believe 100% with great trust and confidence in the management team, their leaders, their managers and the mission of the enterprise. And so this is a time when leaders must recognize the importance of truth, transparency, being vulnerable in the moment, and bringing your people along with you.
TS: And for you, I know that you’ve said this a number of times, and it’s something I picked up on. It’s not just about being good enough, though, I think you have this saying, which is you’ve got to exceed the expectations of your people. How do you go about achieving that as a leader?

HS: Well, actually, we took it a step further than that. We said, if you want to exceed the expectations of your customers, you have to first exceed the expectations of your people. And in the environment, again, that we’re living in today, it’s not only exceeding the expectations of your people in terms of compensation, but also their values and the values of the enterprise.

And I think in any environment that we are all trying to navigate through today, people are coming to work with a tremendous level of anxiety and uncertainty, because there are, in my view, three pandemics going on at once. Not only the pandemic of COVID, but the pandemic of our political system here in America, where we’ve lost trust and confidence in our institutions. And third, the third pandemic is the unbelievable level. I think there’s a lack of understanding of racial inequality, racism, and in terms of our election here in America, the possibility of voter oppression. And so those three pandemics are colliding at once.

And so if you are building a business or managing people, it’s not just managing and leading your business, because that isn’t the only thing your people and your employees are dealing with. They are living and dealing with many other aspects of their life and their life experience and their personal situation. They are bringing that to work, whether they are on Zoom calls at home or not. And as a manager and a leader, you must understand with great sensitivity and compassion. Then if we want to exceed the expectations of our people, then as managers and leaders, we need to walk in the shoes of our people. And that is what I mean by exceeding expectations of our people at a time like this.
TS: I think that’s so important. And again, that was another thing that really stuck with me, this notion that actually, the role of a company is, you know, it’s no longer just a place where people show up, come to work, maybe they’re here 9-5. It has to be so much more, especially given this turbulent time where actually, people, you know, they can’t... I think we spoke about it previously, Howard, where you said, if you can’t put your faith in the work that you’re doing, and you can’t be proud of that, then there are so few other places where you can put that pride or you can find that pride, right?

TS: Now, when you were building Starbucks, you were a young leader yourself, I think you were in your early 30s, when you bought the company. What guided you or what helped you in establishing this great culture for that company as you built it?

HS: Well, I think all of us have a life experience and a personal story. Having grown up in public housing, where I saw firsthand the fracturing of the American dream with my parents, I understood at an early age what can happen when you and your family and the resources of the family are left behind. And so in building Starbucks, I wanted to really create a company in which we were managing and leading the company through the lens of humanity. Now, it’s easy to say that; it’s very hard to do. What do I mean by that?

Well, when you’re leading a company that’s growing at 50-100% a year, and you’ve got the wind at your back, it’s very easy to be humane. But the challenge for leaders in starting a company and dealing with adversity is what happens when the challenges are difficult. And the wind is in your face: are you going to compromise your values and your integrity and your ethics for a short-term gain? And now, everyone who works in a company remembers the actions of what leaders do in good times and bad.
And what you want to do as a leader is ensure the fact that you’re imprinting the organization with the values that people will remember during bad times. And so in terms of your question, I was trying to build the kind of company that my father, an uneducated blue collar worker who didn’t get respect in the workforce, could work for, and in effect, trying to build the kind of company where, regardless of your station in life, you would be valued and respected.

And that’s why we gave ownership to everybody, comprehensive health care to everybody, free college education, all of those things; we felt they were important in terms of the company’s responsibility. And I think the question for all of us today is, what is the role and responsibility of a for-profit company in today’s world?

TS: I think there’s so much to unpack when talking here about leading through times of adversity. And one of the things you said there was, you know, it’s easy to live up to your values when the wind’s, you know, the wind’s at your back. And I wanted to draw on a point of history at Starbucks, which is when you returned as CEO, which I think was in January 2008. The financial crisis was in full swing and from what I understand, Starbucks was in some financial difficulty at the time. And one of the first things that you wanted to do on your return, and to me this really speaks to that notion of, you know, you have to live your values in good times, and you have to live your values in bad times. One of the first things that you did was to take 11,000 store managers to New Orleans at a cost of $33 million, and share the news that your company was seven months away from insolvency. Why was it so important that you did this?

HS: Tim, I have to commend you on your research. Well, the company was in dire straits. And I wanted to be in front of the most important person at Starbucks, which is the store manager. And I said we’ve got to get everybody in one room.
And believe it or not, we went to New Orleans for three days. And this was not a getaway. This was not a retreat. This was a come-to-Jesus for the company. Now before we had one minute of our meeting, every single person who came to New Orleans devoted hours of work in the community toward post-Katrina recovery, and we contributed 55,000 hours of community service – again, demonstrating the values of the company.

Now, the story you bring up is this. I had an opportunity on the third day to give a $30 million speech, the cost of the event. And before I gave the speech, my colleagues and a couple of board members asked me, what was I going to share with the people? What was the rallying cry? And I laid it out for them that I was going to tell them the dire condition that we were in. And in fact, if we went seven more months like this, Starbucks was going to be insolvent. That’s how bad it was.

And the people around me were so afraid, basically saying, “You can’t tell them this, you will scare the crap out of them, they won’t be able to handle this kind of information.” And the question at that moment is, do you trust your people enough to have the same information that you have? And the answer has to be yes. You can’t lead people by hiding information. You can’t be a Pentagon general, you’ve got to be in there on the battlefield in the mud with them. And they have to have the same information you did.

So I stood up in front of 11,000 people. And I asked them two things: one, as I laid out the problem, I asked them to join with me to lock arms, for all of us to face in the same direction, to be aligned against what we have to do. And don’t do it for me. Do it for your people you work with and do it for your family.
And the speech did not turn Starbucks around. But we roared out of New Orleans like a tidal wave. And seven months passed, and we never looked back. And of course, today, Starbucks has 32,000 stores in 83 countries, and one of the most recognised brands in the world. But we have challenges just like everybody else.

But the HR issue in every company, the human condition, human behaviour, if you can unlock that... And let me say it this way: if you separate the culture from the strategy, i.e. you have a great strategy, but a bad culture, I think nine times out of 10, you are not going to achieve the aspiration of that strategy. The execution is going to be flawed. You have a world class culture, where there is a currency of trust throughout the organization, where everyone believes in the mission of each other, and we’re going to take the hill together; you link that with an average strategy, with a lot of competition, you give me that scenario, and I tell you, you are going to win. Because culture, and I hate to use this word, trumps strategy.

TS: And I think that’s so important. When we think about also leading teams, leading our people and protecting the company, something you told me, Howard, which was, you know, vulnerability can actually help you build stronger bonds with your people. Sharing vulnerability, being vulnerable with those around us actually allows us to get closer, and people come closer when they see that, you know, where we will have the right world working on something.

HS: Yeah, and especially for men, you know. We’re not taught to be vulnerable. We’re not taught to be sensitive. And I think the more you can reveal to your people about who you are, and take the defenses off, and be real and be authentic, the better off we will be.

TS: I want to go to something that you said over a year ago now, but I think it was January 2019. I’m quoting you, but it really struck me.
When I heard this, you said that the elephant in the room of the country today is humanity. And it really resonated, I think, with many of the challenges that we’re facing right now, you know, in society, but also, we see this in many companies. And I wanted to get your thoughts on how has that quote aged for you, given where we are today?

HS: You know, as I said to you earlier, I really believe we’re living through three pandemics at once, all colliding with one another. And I think, especially for young people, it’s very easy for young people today to lose trust and confidence in the future. And when I speak about humanity as the issue in the room, the elephant in the room, I just think people are living with tremendous anxiety and uncertainty and are so hungry to be lifted up by something that’s real, something that’s truthful. And with integrity, if you’re trying to build a great enduring company, you’re trying to provide a much needed service to your customers. If you can do that, while at the same time building an organization in which people are truly valued for who they are, and people are seen and understood, and really feel like they are part of an organization where they themselves feel as if they are not only contributors, but they are being valued in a way that’s so unusual.

If you can lift humanity, and integrate humanity into the core purpose and reason for being, and if everyone on the call can integrate and lift up their people, and recognise the importance of humanity in their business, every single business on this call will be better for it. Because we, as people, in the US and all over the world, we are hungry, longing for humanity, for truth, and for people and organizations that we can believe in.

TS: And I think that’s such a powerful statement, something we can all take away into our practice, whether we’re leading a company, we’re leading a team, or we are serving our company.
And again, I think something that’s so unique and special about the security community is that leadership is your team, it’s the people who report to you, but you’re having to show leadership for the whole company. You know, there is a huge task ahead every single day; you’re tasked with the security and the protection of the whole company.

And one thing I wanted us to finish on, Howard. There is often so much pressure in our day to day lives, or you know, we are tasked with really important initiatives and really important things. And I think the remarkable, or one of the remarkable moments that again, you’ve shared with us today, and, you know, for anyone who does any research they will see, is those moments when faced with extreme difficulty or uncertainty, you are able to deeply not only live your values, but I think go back to your values and embrace your values.

And the question I have, or the advice that I would love to finish on, is what can you offer? What advice would you share with people who are on the call today thinking, you know, this sounds great, but actually, I’ve got the pressure of my day to day job just to get through? How can I ensure that I am constantly living those values, the values I have for myself and the values that my company has to me? What advice would you give to them?

HS: That’s a very big question, Tim. I try my best!

TS: I’ve saved the best for last.

HS: When each of us goes home at night, and we’re sitting with our wife or husband or partner or family, and we have an opportunity to talk about the company that we are part of, or the work we did today. The rhetorical question is, did you as a leader provide the people who work with and for you an opportunity to speak about their work in the company with pride? And if the answer is yes, then you know that you can start your day tomorrow realising that what you did today was really, really good. The challenge we have as leaders is we’ve got to do it more often than not.
And I think what we’ve always tried to do at Starbucks is answer the question in the affirmative. Are we making our customers and our people proud of the equity of our brand, the values of our company, and the guiding principles of what is our core purpose and reason for being? And let me say, in a week or two is the 50th anniversary of Milton Friedman’s famous essay about the role and responsibility of a company. Now, Milton Friedman was a god in terms of his economic acuity.

But I disagree, with humility, with Milton Friedman’s theory that a business’s primary responsibility was to its shareholders and to make a profit. I don’t think that applies today. It goes back to what I said earlier. We all have to be in the business of improving the lives of our people, the communities we serve, and I bet you that your customers and the customers of theirs want to do business with companies and management teams who are values based.
It’s never been more important, to me, to recognise the critical importance of business today leading with its heart and with its conscience.

TS: I think that’s a fantastic note to finish on. And again, Howard, thank you so much for your time today and sharing all of this insight and guidance with us.

TS: It was amazing speaking with Howard. I think one of the things that stuck out for me was if you have a great strategy, but a bad culture, it’s very likely you’re going to be unsuccessful. A company’s culture is built on that currency of trust, with values that inspire people to do great work. And also leaders shouldn’t be afraid to be vulnerable. As Howard points out, it can lead to stronger bonds with people and then foster that trust.

Join the next episode of RE: Human Layer Security, where we talk with Stephane Kasriel, the former CEO of Upwork, and a future of work visionary. Stephane and I will be talking about the topic of remote work, and why it really isn’t something that’s going away anytime soon.

And that just leads me to say thank you very much for listening. We have more Human Layer Security insights in our next episode. But if you can’t wait that long, you can visit our blog, where you’ll find lots of amazing content, advice and tips. And if you enjoyed our show, please rate and review it on Apple, Spotify, Google Play or wherever you get your podcasts.
Why Shutting Down Tessian Was The Best Decision We Ever Made
By Sabrina Castiglione
Thursday, December 24th, 2020
When we set out to define our values, we asked our people what being a Tessian meant to them. The value that was born out of this – now our first and foremost value – is Human First.

Human First is the value we’d always had but never captured in words. As soon as it crystallized, it was everywhere. Within weeks you would hear it in every other meeting, it would be the first question in every decision that touched our people, and it merged completely into how we think about our mission; even more than being a cutting-edge technology company, we’re a cutting-edge human company, building for human beings as they are, not how security standards want them to be.

So what does it mean to be a Human First company in the age of coronavirus? Like many companies, a lifetime ago (March 2020) we went remote overnight. A formerly office-first company, we’d naively expected lower productivity & that everyone would be more relaxed not having to travel to and from the office every day. We were so wrong.
A couple of weeks in, once the novelty of an extra hour in bed had worn off and we had realized that being remote wasn’t stopping work getting done, we started to pick up on themes – people working later and later, more and more questions in our employee engagement platform about mental health, self care, and dealing with stress. We talked a lot more about our Employee Assistance Program and we told people they should still try & take their paid leave. But compounded by being confined at home, those who managed to take leave found that they couldn’t help but gravitate back to their phone & laptop, with email & messaging pinging throughout the day (and night, since we’re an international team). Our Tessians couldn’t switch off with nowhere to go and the spectre of their inboxes piling up and up. We knew we needed to stop saying things, and needed to do something big, fast. So we shut down the Company. (For a day.) Why? Let’s roll back a moment. We asked people why they were struggling to switch off, and we listened to their fears of letting their teammates down with so much work going on, and the creep in hours to find overlap time with their international colleagues. We realized that unless all our Tessians – from the CEO to our newest graduates – were all offline, it was hard for anyone to be offline. Enter Refreshian Day.
Refreshian Day is not a vacation or holiday day. It’s a paid day we give to our Tessians, to do what they need to do to take care of themselves, when all Tessians are offline, together. When we know our people have been, or will be, working even harder than usual to bring our vision to life, it’s important to give something back. Our first Refreshian was in July; our second, October. And today we’ve announced our third in February 2021. We ask only two things of our people on Refreshian day:
- Don’t work
- Take time to take care of you
Being human means one size never fits all, and our Tessians have variously taken long walks, spa days, watched sunsets, crafted pottery and baked a lot (lot, lot) of bread. Being a human first company means giving our people the space and time to revel in what makes them unique – even if it means shutting everything down from time to time.
How would you spend your Refreshian day? Join us and find out.
Spear Phishing
What Is Account Takeover (ATO)?
Monday, December 21st, 2020
Today, security leaders aren’t just worried about securing their own networks, email environments, and users. They’re also concerned about how secure the email accounts of their partners, suppliers, vendors, and customers are. Why? Because more and more often, hackers are compromising or impersonating these trusted contacts to gain access to an organization’s systems and data. This is called account takeover.
What is account takeover?
That means ATO involves two companies:
- A third party (i.e. a vendor, partner, or customer)
- The target company
How does ATO work?
Imagine you work in an accounts department. You get an email invoice from Syed at ComputerCo, a vendor that supplies your company with computer parts. Syed is polite and friendly (as always!) and tells you that ComputerCo’s account details have changed. You’re a careful person, so you double-check the invoice with your IT team. They confirm that they made the order. You compare the invoice to ComputerCo’s previous invoices, and it looks identical. The new bank account is located in Boston, where ComputerCo is based. Due diligence conducted, you go ahead and pay the invoice.
You just fell victim to ATO, and unwittingly paid money to cybercriminals. In this case, because the attack was carried out via email, it can also be referred to as Vendor Email Compromise (VEC).
Think you would never fall for a scam like this? Remember, everything looks totally normal:
- The attackers are using the vendor’s regular email address
- The invoice looks authentic
- There’s no perceptible difference in the vendor employee’s email signature or communication style
- Perhaps most importantly — the payment they are requesting is actually due
The only difference is that the vendor’s bank details have changed.
So, how do hackers gain access to the networks of trusted third parties? Credential theft, which normally involves one of the following:
- A non-targeted phishing attack
- A targeted spear phishing email
- Brute force attack
- Password compromise
- Leaked credentials
We cover credential phishing in more detail in this article: What is Credential Phishing and How Does it Work?
Why is ATO so effective?
When it comes to solving the problem of ATO, organizations face several challenges. To start – and as we saw in our example above – ATO emails are incredibly difficult to detect and can evade detection entirely. Why? Because the emails originate from trusted sources and are 100% “real” in terms of sender credentials and metadata.
This means legacy email security tools, which rely on previously known attack signatures to stop threats, cannot detect them. As these emails originate from a legitimate, trusted email account, they will also pass email authentication (DMARC, DKIM and SPF). The second challenge organizations face is that protecting their own email applications and users just isn’t enough. Security leaders have to address threats from their extended networks too. The problem is, no organization can control the security of its extended network, and it has no visibility of the breaches that happen across that trusted network. That’s why strong cybersecurity and having the right email security tool can actually be a competitive differentiator, help businesses win more clients and customers, and retain the ones they already have. But, if strong email security helps build trust, a breach will certainly destroy it. When asked what the number one consequence of a data breach is, 21% of IT leaders said lost customer trust.
Examples of ATO
In an interview by NPR, one victim of ATO said he was emailing back-and-forth with a vendor about a $50,000 transfer. What he didn’t know was that the vendor’s email was compromised part-way through the conversation. Take a look at this excerpt from the interview: “The cadence and the timing and the email was so normal that it wasn’t suspicious at all. It was just like we were continuing to have a conversation, but I just wasn’t having it with the person I thought I was.” This small business owner only found out that he’d been scammed when the vendor told him he hadn’t received the transfer, by which time the $50,000 was long gone. But the stakes can be much higher than this. For example, between 2013 and 2015, a team of cybercriminals scammed Facebook and Google out of around $121 million by impersonating a trusted vendor.
The scammers in the Facebook and Google attacks used spoof accounts, rather than compromising the vendor’s email account. Nonetheless, this colossal social engineering attack shows that even the world’s largest companies can fail to spot fraudulent vendor emails. You can read more about email spoofing here.
How to prevent ATO
Although ATO scams can be highly convincing and evade detection by legacy solutions, there are steps your organization can take to protect itself from being targeted by ATO. Remember that it’s equally important for vendors and other third parties to reduce risks with email security solutions, policies, and procedures.
Email security
Ensuring that you have the right email security tool is a crucial measure all companies should take against ATO and VEC. Tessian Defender, for example, is an email security solution that uses machine learning (ML) to protect accounts against inbound threats. Here’s how:
- Tessian’s machine learning algorithms analyze your company’s email data, learn every employee’s normal communication patterns, and map their trusted email relationships — both inside and outside your organization.
- Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential ATO threat. For example: payloads, anomalous geophysical locations, IP addresses, email clients, or sending patterns.
- Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.
ATO is rarely perceptible to humans. But Tessian’s Human Layer Security technology spots these irregularities automatically and instantly to keep your team, your resources, and your reputation safe.
Payment validation
You should implement internal procedures so employees can validate invoices and payment requests. For example, if a vendor asks you to make a payment to a new account, you may wish to insist upon telephone verification of this request.
Again, these procedures are important, but they aren’t enough on their own. No security policy should rely on human intervention — even the smartest, most diligent employees can be tricked. If you’re looking for insights into how other security leaders are preventing ATO and other advanced impersonation attacks, check out Tessian’s recent webinar: Spear phishing evolution. How to stay ahead of hackers in 2021. You can also read our customers’ stories or book a demo to learn more about how Tessian Defender can help protect your organization’s reputation.
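To make the detection idea above concrete, here is an added example (not Tessian’s code) of a per-sender baseline check over the metadata signals the article lists (source network, mail client, signature block) combined with the payment-validation rule for changed bank details. The vendor address, IPs, signature and account numbers are all constructed sample values.

```python
"""Added example (not Tessian's code): a per-sender baseline check for inbound vendor mail.

Each trusted external sender gets a profile built from their past mail (originating
network, mail client, signature block and the bank account they invoice from). A new
message is compared with that profile, and a changed bank account in a payment request
is always escalated for telephone verification, whatever the other signals say.
All addresses and values below are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class InboundEmail:
    sender: str                          # From address of the trusted contact
    source_ip: str                       # submitting client IP, from the Received headers
    mail_client: str                     # X-Mailer / User-Agent header
    signature: str                       # normalised sign-off block
    bank_account: Optional[str] = None   # account number quoted in an invoice, if any


def network_of(ip: str) -> str:
    """Collapse an address to its /24 so a new address inside the vendor's own network is not an anomaly."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


@dataclass
class SenderProfile:
    """What 'normal' looks like for one trusted external sender."""
    networks: Counter = field(default_factory=Counter)
    clients: Counter = field(default_factory=Counter)
    signatures: Counter = field(default_factory=Counter)
    bank_accounts: Set[str] = field(default_factory=set)

    def learn(self, email: InboundEmail) -> None:
        self.networks[network_of(email.source_ip)] += 1
        self.clients[email.mail_client] += 1
        self.signatures[email.signature] += 1
        if email.bank_account:
            self.bank_accounts.add(email.bank_account)


def build_profiles(history: List[InboundEmail]) -> Dict[str, SenderProfile]:
    profiles: Dict[str, SenderProfile] = {}
    for email in history:
        profiles.setdefault(email.sender, SenderProfile()).learn(email)
    return profiles


def anomalies(profile: SenderProfile, email: InboundEmail) -> List[str]:
    """Signals on which this message deviates from the sender's own baseline."""
    reasons = []
    if network_of(email.source_ip) not in profile.networks:
        reasons.append("source network never seen for this sender")
    if email.mail_client not in profile.clients:
        reasons.append("unfamiliar mail client")
    if email.signature not in profile.signatures:
        reasons.append("signature block differs from past mail")
    # A new bank account in a payment request is the signal that matters most for
    # ATO/VEC, so it is reported even when every other signal looks normal.
    if (email.bank_account and profile.bank_accounts
            and email.bank_account not in profile.bank_accounts):
        reasons.append("bank details differ from previous invoices: verify by telephone")
    return reasons


def verdict(profile: SenderProfile, email: InboundEmail) -> str:
    """'hold' for review, 'warn' the recipient, or 'deliver' unchanged."""
    reasons = anomalies(profile, email)
    if any(r.startswith("bank details") for r in reasons) or len(reasons) >= 2:
        return "hold"
    return "warn" if reasons else "deliver"


# Constructed history: three routine invoices from the vendor contact in the story above.
VENDOR = "syed@computerco.example"
SIGNATURE = "Syed | Accounts, ComputerCo | Boston"
HISTORY = [
    InboundEmail(VENDOR, "203.0.113.10", "Outlook 16.0", SIGNATURE, "ACCT-1111"),
    InboundEmail(VENDOR, "203.0.113.12", "Outlook 16.0", SIGNATURE, "ACCT-1111"),
    InboundEmail(VENDOR, "203.0.113.10", "Outlook 16.0", SIGNATURE, None),
]
PROFILES = build_profiles(HISTORY)

# The invoice from the story: same address, signature and client, but sent from a
# network the vendor has never used and quoting a new bank account.
SUSPECT_INVOICE = InboundEmail(VENDOR, "198.51.100.77", "Outlook 16.0", SIGNATURE, "ACCT-9999")
# A genuine follow-up invoice, consistent with the baseline.
ROUTINE_INVOICE = InboundEmail(VENDOR, "203.0.113.11", "Outlook 16.0", SIGNATURE, "ACCT-1111")

if __name__ == "__main__":
    for label, mail in (("suspect", SUSPECT_INVOICE), ("routine", ROUTINE_INVOICE)):
        print(label, verdict(PROFILES[VENDOR], mail), anomalies(PROFILES[VENDOR], mail))
```

A real deployment would feed the profile from authenticated (DMARC-passing) mail only and add the other signals the article names, such as sending-time patterns and geolocation.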
Tessian Culture
Our Journey Towards Diversity and Inclusion
By Jade Jarvis
Friday, December 18th, 2020
Over the past few months, Tessian has been taking steps towards creating a more diverse and more inclusive place to work. Why? Because we’ve acknowledged that we’re not as diverse as we want to be. But we’re committed to making a change. Why is this so important to us? Of course, there are many reasons (just a few mentioned by our very own Tessians), but the two main drivers are:
- The individual: it’s the right thing to do. Diversity is infinite and everyone should feel valued for who they are and have the opportunity to bring this to work.
- Our future: with diversity of thought, we can be a better Tessian. This will enable us to not only challenge the status quo and stay ahead of innovations, but also create opportunities for more people to be a part of our journey.
We know this isn’t something we can change overnight, but we’re already making small positive moves in the short term as we work towards those bigger, long-term changes. Most importantly, we simply want to make a difference where we can. This is an industry-wide problem. That means it involves every single one of our Tessians. So, where do we start? We believe the first step is understanding and awareness, combined with action and change. This is what prompted us to begin our Diversity and Inclusion learning journey.
The Journey
We partnered with Jeff Turner to build and deliver our D&I learning journey for everyone to experience together – to learn, connect and come together as one company. Two key aims for the program were:
- Shared understanding: part of the training was to socialize D&I terms; to not only get everyone ‘speaking the same language’, but also to create a safe environment for people to ask questions and learn about each other’s different perspectives.
- Building connections: we chat to some of our colleagues every day. But how many times do you get the response ‘Good, thanks’ when you ask someone how they are? I bet almost every time!
We wanted to give people the chance to build connections across departments at Tessian and encourage people to share deep experiences that they otherwise might not have. The program consisted of three sessions (described at a very high level below), each delivered two weeks apart:
- Diversity: appreciating our differences and knowing that everyone brings value to the workplace.
- Unconscious Bias: accepting that everyone naturally has their own biases, which have formed over time based on our life experiences, preferences, education – all the things that make us who we are. And importantly, recognizing that we can make the unconscious conscious by challenging our own biases when making decisions.
- Building Inclusion: consciously ensuring our behavior is inclusive and learning how to appropriately call out exclusive behavior, including microaggressions.
There were 25+ people involved in each session. Importantly, these people dialed in from all around the world. This enabled the sessions to be interactive. We also learned from feedback that these smaller, diverse groups made people feel safe and encouraged everyone to share their personal experiences. No judgement. But we didn’t want these sessions to be the only place where people talked about Diversity and Inclusion. To ensure the conversation continued throughout the business, we sent out pre-reads with three key learning objectives and three things to think about ahead of the session, and post-reads with the top three takeaways and suggested follow-up actions.
What did we learn?
We’ve had exceptional feedback following the completion of this program and already feel like it has had a positive impact on our company culture. The essence of the feedback is that the program genuinely encouraged deep self-reflection and learning. People have told us that not only have they already learned things that will change how they behave going forward, but that it’s been an amazing bonding experience with their colleagues – which means even more in this period of remote work life. A few direct quotes from our employees:
“Best D&I session I’ve had – it didn’t focus on the more obvious points of diversity but delved much more deeply into what makes each of us different.”
“IT WAS BLOODY AWESOME.”
“I love these sessions, they challenge your perceptions and make you know other people you work with better. I am honestly sad that there’s only one left.”
It doesn’t end there…
As we’ve said, there’s no quick fix here. We have to keep working together to enable change. Our culture is highly collaborative and that’s why it’s so important to us that we’re co-creating solutions and actions with Tessians as we go – to find out what they want, what they need, and how we can learn together along the way. Here are a few ways we’re continuing to push forward:
- Inclusion competition: we’ve asked people to submit their ideas for what we can do to create a more inclusive place to work. Ideas will be judged based on potential impact, scalability, and originality. We’ve already received some great entries so far. Watch this space!
- ‘Managing Inclusively’: in 2021, Jeff will be back to deliver an additional session exclusively for our managers. Here we will go even deeper – talking about privilege and the power that we disproportionately hold as managers, and how to use this power to create change.
- D&I report: for the first time ever, we’ll be internally publishing a D&I report to share key metrics and what these metrics mean.
Transparency is an essential component. We expect to uncover a lot of home truths that will lead us to building the right solutions for Tessian. We have a long way to go on this journey of creating a better Tessian and a better world. We will continue to share as we go along, and would love to hear from anyone interested in coming on this journey with us.
Data Exfiltration, DLP
2020 in Review: Top 17 Insights From Tessian Research
By Maddie Rosenthal
Thursday, December 17th, 2020
This year, Tessian released four research reports, covering topics like the cybersecurity skills gap, social engineering, insider threats, and remote working. Now, looking back on the year, we wanted to highlight some of the most relevant insights for security leaders and the larger industry. If you want more information about any individual insight, download the full report or check out the other suggested resources listed throughout.
Opportunity in Cybersecurity Report 2020
If the number of women working in cybersecurity rose to equal that of men, we’d see a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK.
66% of women agree there is a gender bias problem in the cybersecurity industry.
51% of women say that a more accurate representation of the industry in the media would encourage new entrants.
93% of women in cybersecurity feel secure in their roles.
In addition to surveying hundreds of women currently working in cybersecurity, we also interviewed over a dozen female practitioners with titles ranging from CISO to backend Python engineer. Read their profiles here.
The State of Data Loss Prevention 2020
Employees exfiltrate data on email 38x more than IT leaders estimate.
91% of IT leaders trust their employees to follow safe data practices while working from home… but nearly half (48%) of employees say they’re less likely to follow safe data practices when working from home.
IT leaders say that the #1 consequence of a data breach is lost customers/lost customer trust.
At least 800 emails are sent to the wrong person every year in organizations with 1,000+ employees.
Looking for industry-specific information about DLP? Read At a Glance: Data Loss Prevention in Healthcare and DLP in Financial Services.
The Psychology of Human Error
43% of people have made mistakes at work that compromise cybersecurity… and younger workers are 5x more likely to make such mistakes.
A third of workers (33%) rarely or never think about cybersecurity when at work.
58% have sent an email to the wrong person at work, and one in five companies have lost a customer following a misdirected email.
Wondering why people make mistakes? Jeff Hancock, Professor of Communication at Stanford University and contributor to this report, discusses the psychology of human error in this panel discussion: Why People Fall for Social Engineering in a Crisis.
The Future of Hybrid Work
Phishing was the leading cause of security incidents when employees worked remotely (and email traffic increased by 129% at the start of lockdown).
75% of IT decision makers believe the future of work will be “remote” or “hybrid”.
78% of IT decision makers believe their company is at greater risk of insider threats when employees work remotely.
To learn more about the challenges security and IT leaders will have to overcome in hybrid-remote environments, read this article: 7 Concerns IT Leaders Have About Permanent Remote Working.
Make sure you don’t miss the release of new research next year.  Connect with us on LinkedIn, follow us on Twitter, and subscribe to our newsletter to be the first to see new content and get invited to industry events.
Tessian Culture
Customer Success: Lessons Learned in 2020
By Henry Trevelyan Thomas
Wednesday, December 16th, 2020
What a year! As 2020 draws to a close, we wanted to take some time to reflect on some awesome wins and what we’ve learned through a tumultuous year. I’ll try my best to not mention “Zoom fatigue”, “the new normal” or “unprecedented”. Here goes nothing.
2020 in numbers
👨‍👨‍👧‍👧 We spent more time with our customers than ever before, with >1000 customer review meetings taking place
💻 We onboarded our 200,000th employee on to the Tessian platform
❌ We detected or prevented 450,000 misdirected emails and advanced spear phishing attacks, and over 2,000,000 data exfiltration attempts for our customers
🌍 We started working with some incredible new customers across the world – Cordaan, GoCardless, and Schroders PW to name just a few
📣 35 customers took to the stage at various Tessian events to speak about their approach to Human Layer Security and security culture
Agility is key
The security challenges the pandemic created for our customers were far greater than navigating the overnight transition to remote working. Email sending was up 129%, attackers pivoted quickly to COVID-related attacks, and employee uncertainty led to unconventional (and non-compliant) sending behaviors. We all had to pivot quickly. At Tessian, our CSMs ran consultative health checks with all customers, our Product and Data Science teams updated our end-user warnings to raise employees’ awareness of COVID-related attacks, and our Marketing team launched our remote-working content hub filled with blogs, guides and reports for customers to consult and share with employees. A true embodiment of craft at speed.
Security came to the forefront
2020 was another year of security grabbing the attention of boardrooms, investors and mainstream media outlets. Specifically, the trend of having empathy for employees accelerated. This has led to the rise of technologies that work in the background – making employees’ lives easier and unburdening them from the expectation that they must also be security experts. As Tim Fitzgerald (CISO @ Arm) and I reflected on, everyone has gone through so much this year (personally and professionally) that security teams need to lead with an approach that helps empower rather than restrict their employees. What’s more, it was the year that Human Layer Security became widely recognized as the obvious and necessary direction enterprise security is headed, with Tessian being recognized by both Gartner and Forrester for the work we’ve been doing with our customers. In short, when times got tough, our goal “to stop breaches, not business” became more important than ever.
Visibility of risk takes a whole new meaning in a remote world
As we’ve touched on before, security teams have gone from managing a handful of offices around the world to thousands of home offices around the world.
In this decentralized working model, visibility is more important than ever before. We identified that early and worked incredibly hard to bring our customers more visibility into their human layer security risks. From our customer conversations it became apparent that security teams were more stressed and stretched than ever. Rather than throwing more data at them, we needed to focus on surfacing the most relevant trends and actionable insights so that security teams could be more effective and efficient in reducing risk. And that led to the launch of our Human Layer Security Intelligence platform.
The best CISOs are culture champions
The role of a CISO continues to evolve. No longer is it enough to implement top-down technology and hope for the best. The most forward-thinking security teams are building positive security cultures by appointing security ambassadors and asking management to drive awareness in their teams. More on that in my conversation with Kevin Storli (Partner @ PwC) here and from Mark Logsdon (Head of Cyber Assurance and Oversight @ Prudential) here.
Your suppliers’ risk is your risk
As Kevin and I also discussed, it’s no longer enough to inwardly think about your risk. You need to engage with your supplier ecosystem to ensure you’re on the same page. We’ve all seen the headlines about a recent high-profile supply-chain attack, and it’s likely that we’ll see more of these in the future. Security is a team sport and we all need to be vested in the security of others.
Putting the “human” in Human Layer Security
Finally, being human-first is one of the core values we live by at Tessian, and I’m proud of how my team carried this with them day-to-day. Before every interaction we asked ourselves two key questions: 1) Are we being genuinely helpful? and 2) Are we being deeply empathetic to our customers’ circumstances? It’s about recognizing that each new customer win for us has been underpinned by forward-thinking security folks who are fighting to protect their employees against yesterday’s, today’s, and tomorrow’s risks. Each Quarterly Business Review is a story of helping those people who invested in Tessian do a great job and get the recognition they deserve. Each internal meeting is about understanding how we can support each other to succeed together. As a result, our relationships are stronger, and more people are protected by Tessian. (Shout-out to Nick Mehta, CEO @ Gainsight, for his words of wisdom at our Q2 Town Hall and to Howard Schultz, former CEO at Starbucks, at our Human Layer Security Summit – two leaders who are truly human-first and always lead by example.)
Goodbye 2020, hello 2021 👋
From being hit by a pandemic to developing a more human-first approach to our customer relationships, it’s been a different kind of year. We’ve formed some amazing partnerships and been pushed in all the right ways by our customers. It’s important to reflect on how much we accomplished and learned, and of course, to say thank you to those who helped us along the way. Now, onward to 2021.
Human Layer Security
A Year in Review: 2020 Product Updates
By Harry Wetherald
Tuesday, December 15th, 2020
Throughout this year, we saw just how quickly the threat landscape can change. We all transitioned from the office to our homes overnight. Employees relied on email and other communication and collaboration tools more than ever. And hackers took advantage of the general fear and uncertainty around the pandemic and impersonated health care providers and government organizations. But, at the same time, Tessian rolled out a number of important product updates to help keep our customers safe, wherever they worked. Here are the most important product updates to Tessian’s Human Layer Security platform for 2020.
1. Human error, visualized. The new Human Layer Security Intelligence platform gives customers unprecedented visibility into their users’ risk
Tessian customers now have unprecedented visibility into their Human Layer risks. For example, breaking the rules, making mistakes, and being tricked. The new HLS Intelligence (HLSI) platform automatically surfaces insights about risky employee behavior and high-risk security events, allowing security leaders to know where to focus their efforts. Customers can also benchmark their risk levels against industry peers to help them identify how and where they can improve their security posture. Investigation and remediation are also effortless. Security teams can take immediate action, from the platform. Finally, customers can use the Tessian API to receive real-time security events directly into their chosen SIEM or SOAR platform. Want to learn more about HLSI? We outline all the key features of our new platform in this article.
2. Effortless insider threat detection. Automatically detect high-risk data exfiltration activities.
Thanks to new features within Tessian Enforcer, customers can now automatically detect users who suddenly exfiltrate an unusually high amount of data. This allows security and compliance teams to easily spot bad leavers and insider threats, without spending time viewing and investigating individual cases of data exfiltration.
Instead, Enforcer automatically analyzes patterns and spots trends that deviate from what’s considered “normal” for a particular employee. For example, every month, an employee might send their paycheck to their personal email account. Enforcer tracks this behavior, but no action is needed. Why? Because this data isn’t sensitive. But, one day, the employee sends fifteen sensitive emails to his personal account. Enforcer recognizes that this is unusual for the user and alerts the compliance team, who can take appropriate action. No manual investigation required.
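A small illustration of the baseline-and-deviation idea described above, added here as an example and not Tessian’s own code. It assumes an outbound mail log in which each message already carries a sensitivity label from an upstream classifier, treats a handful of consumer webmail domains (an assumption) as “personal accounts”, and flags a day on which a user sends far more sensitive mail to personal accounts than their own history suggests.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Assumption: consumer webmail domains count as "personal accounts".
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
MIN_COUNT = 5       # never alert below this many sensitive emails in one day
Z_THRESHOLD = 3.0   # alert when a day exceeds the user's mean by this many std devs


@dataclass(frozen=True)
class OutboundEmail:
    day: str          # ISO date the email was sent
    sender: str
    recipient: str
    sensitive: bool   # label from a content classifier (assumed to exist upstream)


@dataclass(frozen=True)
class Alert:
    sender: str
    day: str
    count: int
    baseline_mean: float


def is_personal(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS


def daily_series(emails: List[OutboundEmail]) -> Dict[str, List[Tuple[str, int]]]:
    """Per sender, an ordered list of (day, sensitive-to-personal count).
    Every day seen anywhere in the log appears for every sender, so quiet days
    contribute zeros to the baseline instead of being skipped."""
    days = sorted({e.day for e in emails})
    senders = sorted({e.sender for e in emails})
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in emails:
        if e.sensitive and is_personal(e.recipient):
            counts[e.sender][e.day] += 1
    return {s: [(d, counts[s][d]) for d in days] for s in senders}


def detect_bursts(emails: List[OutboundEmail]) -> List[Alert]:
    """Judge each day only against the days before it, so a burst does not
    inflate its own baseline. Non-sensitive forwarding (the monthly paycheck)
    never enters the series at all, matching the 'no action needed' case."""
    alerts: List[Alert] = []
    for sender, series in daily_series(emails).items():
        history: List[int] = []
        for day, count in series:
            if history:
                base_mean = float(mean(history))
                base_std = max(pstdev(history), 1.0)  # floor: a flat history has std 0
            else:
                base_mean, base_std = 0.0, 1.0
            if count >= MIN_COUNT and (count - base_mean) / base_std > Z_THRESHOLD:
                alerts.append(Alert(sender, day, count, round(base_mean, 2)))
            history.append(count)
    return alerts


def sample_log() -> List[OutboundEmail]:
    """Constructed sample: alice forwards one non-sensitive paycheck a month,
    then one day sends fifteen sensitive emails to her personal account; bob
    routinely sends one or two sensitive emails a day to a personal address."""
    log: List[OutboundEmail] = []
    for day in ("2020-01-31", "2020-02-28"):
        log.append(OutboundEmail(day, "alice@corp.example", "alice.p@gmail.com", False))
    for i, day in enumerate(f"2020-03-{d:02d}" for d in range(1, 21)):
        log.append(OutboundEmail(day, "bob@corp.example", "bob.home@yahoo.com", True))
        if i % 3 == 0:  # some days bob sends two; still his normal
            log.append(OutboundEmail(day, "bob@corp.example", "bob.home@yahoo.com", True))
    for _ in range(15):
        log.append(OutboundEmail("2020-03-20", "alice@corp.example", "alice.p@gmail.com", True))
    return log


if __name__ == "__main__":
    for a in detect_bursts(sample_log()):
        print(f"{a.day}: {a.sender} sent {a.count} sensitive emails to a personal "
              f"account (daily baseline {a.baseline_mean})")
```

Bob’s steady one-or-two-a-day pattern stays below both the absolute floor and his own baseline, so only alice’s burst produces an alert.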
3. Easily identify and remediate attacks. Tessian Defender now provides extensive analysis and remediation tools to security teams
Email attacks are becoming more and more advanced, and it’s increasingly complicated for security teams to decide if a suspicious email is a real attack or a legitimate business email. Defender now surfaces insights like the geolocation of a suspicious email’s sender to help security teams identify more threats, faster. Security teams can also speed up their workflows with advanced remediation and prevention capabilities. For example, customers can now delete malicious emails in employees’ mailboxes – directly from the Tessian portal – saving precious time and reducing risk. And, with Defender Quarantine, customers can proactively prevent threats with a single click before they enter an employee’s mailbox.
4. Leveling up Tessian’s machine learning. Tessian’s modules detect more risks than ever before, with record-low business interruptions
Throughout 2020, Tessian Defender’s machine learning improved to detect an ever-broader spectrum of advanced email attacks that evade legacy security systems. Defender now protects against threats like brand impersonations and attacks where threat actors exploit SendGrid vulnerabilities to send spoofed emails. Tessian Enforcer also received a major upgrade, using a new Natural Language Processing (NLP) model that accurately classifies sensitive content in emails and detects topics such as financial, health, or HR data without needing to manually configure keywords or rules. This means that customers receive significantly better protection against sensitive data-exfiltration attempts with fewer interruptions to their workflow.
5. In-the-moment learning opportunities. Customers can raise security awareness in their company with contextual warnings
Tessian doesn’t just prevent breaches in real-time. Our platform also educates users to improve their security reflexes and continually drive risk down. Tessian customers can now educate, raise security awareness, and reinforce training and policies among their employees better than ever before, all while minimizing business interruptions.
With Tessian Defender, organizations can now educate employees who receive unusual emails that meet specified conditions. For example, security teams might choose to alert employees who receive an email from a new sender that requests money.  Although these kinds of emails aren’t necessarily malicious, you may want to make your user aware of the fact that the sender is new.  With Tessian Enforcer, companies can also choose to show users a custom warning message whenever they try to exfiltrate data, whether done maliciously or accidentally. This allows businesses to easily educate employees or remind them of existing IT policies.
Protect your most valuable asset: your people
Tessian has created the world’s first Human Layer Security platform, and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace. Not yet a Tessian customer? Across four modules, Tessian protects the Human Layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G-Suite; product updates are seamlessly rolled out for users and administrators; and the technology – which doesn’t disrupt workflow – was built with security and productivity in mind. To understand how Tessian can fit into your existing security framework, check out our customer stories or request a demo now.
Data Exfiltration, DLP
Insider Threats: Types And Real-World Examples
By Maddie Rosenthal
Tuesday, December 8th, 2020
Insider threats are a big problem for organizations across industries, especially now with mass layoffs and new remote-working arrangements. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data, unlike the external bad actors many security policies and tools help defend against. It could be anyone, from a careless employee to a rogue business partner. That’s why we’ve put together this list of Insider Threat types and examples. By exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to spot Insider Threats before a data breach happens.
Types of Insider Threats
First things first, let’s define what exactly an Insider Threat is. Insider threats are people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information. The key here is that there are two distinct types of Insider Threats:
The Malicious Insider: Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some kind of financial incentive, a competitive edge, or simply because they’re holding a grudge for being let go or furloughed.
The Negligent Insider: Negligent insiders are just your average employees who have made a mistake. For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear phishing attack, or lose their work device.
We cover these different types of Insider Threats in detail in this article: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions.
11 Examples of Insider Threats
1. The employee who exfiltrated data after being fired or furloughed
Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed. This has caused widespread distress. When you combine this distress with the reduced visibility of IT and security teams while their teams work from home, you’re bound to see more incidents of Malicious Insiders. One such case involves a former employee of a medical device packaging company who was let go in early March 2020. By the end of March – and after he was given his final paycheck – Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records. This caused significant delays in the delivery of medical equipment to healthcare providers.
2. The employee who sold company data for financial gain
In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web. The breach affected 547,000 customers, and in 2018, after an investigation by the ICO, Bupa was fined £175,000.
3. The employee who stole trade secrets
In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets. The employee, named Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE’s systems over eight years — intending to leverage his professional advantage to start a rival company. The FBI investigation into Delia’s scam revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially-sensitive calculations to a co-conspirator.
Having pleaded guilty to the charges, Delia faces up to 87 months in jail. What can we learn from this extraordinary inside job? Ensure you have watertight access controls and that you can monitor employee email accounts for suspicious activity.
4. The employee who fell for a phishing attack
While we’ve seen a spike in phishing and spear phishing attacks since the outbreak of COVID-19, these aren’t new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 Megabytes of data were stolen. This data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records.
5. The work-from-home employees duped by a vishing scam
Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. One cybercrime group conducted one of the most high-profile hacks of 2020 — knocking 4% off Twitter’s share price in the process. In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials. Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam. This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know — your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes. Want to learn more about vishing? We cover it in detail in this article: Smishing and Vishing: What You Need to Know About These Phishing Attacks.
6. The employee who took company data to a new employer for a competitive edge
This incident involves two of the biggest tech players: Google and Uber. In 2015, a lead engineer at Waymo, Google’s self-driving car project, left the company to start his own self-driving truck venture, Otto. But, before departing, he exfiltrated several trade secrets including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives. How? By downloading 14,000 files onto his laptop directly from Google servers. Otto was acquired by Uber after a few months, at which point Google executives discovered the breach. In the end, Waymo was awarded $245 million worth of Uber shares and, in March, the employee pleaded guilty.
7. The employees leaking customer data
Toward the end of October 2020, an unknown number of Amazon customers received an email stating that their email address had been “disclosed by an Amazon employee to a third-party.” Amazon said that the “employee” had been fired — but the story changed slightly later on, according to a statement shared by Motherboard which referred to multiple “individuals” and “bad actors.” So how many customers were affected? What motivated the leakers? We still don’t know. But this isn’t the first time that the tech giant’s own employees have leaked customer data. Amazon sent out a near-identical batch of emails in January 2020 and November 2018. If there’s evidence of systemic insider exfiltration of customer data at Amazon, this must be tackled via internal security controls.
8. The employee offered a bribe by a Russian national
In September 2020, a Nevada court charged Russian national Egor Igorevich Kriuchkov with conspiracy to intentionally cause damage to a protected computer. The court alleges that Kriuchkov attempted to recruit an employee of Tesla’s Nevada Gigafactory.
Kriuchkov and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The Kriuchkov conspiracy was disrupted before any damage could be done. But it wasn’t the first time Tesla had faced an insider threat. In June 2018, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.” With state-sponsored cybercrime syndicates wreaking havoc worldwide, we could soon see further attempts to infiltrate companies. That’s why it’s crucial to run background checks on new hires and ensure an adequate level of internal security.
9. The employee who accidentally sent an email to the wrong person
Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But, what are the implications? It depends on what data has been exposed. In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included:
Mental health information
Surgery information
While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. We outline even more consequences of misdirected emails in this article.
10. The employee who accidentally misconfigured access privileges
Just last month, NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS.
These documents – marked “SENSITIVE” and “OFFICIAL” – contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic.
11. The employee who sent company data to a personal email account
We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend. But, in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes.
How common are Insider Threats?
Incidents involving Insider Threats are on the rise, with a marked 47% increase over the last two years. This isn’t trivial, especially considering the global average cost of an Insider Threat is $11.45 million. This is up from $8.76 in 2018. Who’s more culpable, Negligent Insiders or Malicious Insiders?
Negligent Insiders (like those who send emails to the wrong person) are responsible for 62% of all incidents
Negligent Insiders who have their credentials stolen (via a phishing attack or physical theft) are responsible for 25% of all incidents
Malicious Insiders are responsible for 14% of all incidents
It’s worth noting, though, that credential theft is the most detrimental to an organization’s bottom line, costing an average of $2.79 million.
Which industries suffer the most?
The “what, who, and why” behind incidents involving Insider Threats vary greatly by industry. For example, customer data is most likely to be compromised by an Insider in the Healthcare industry, while money is the most common target in the Finance and Insurance sector. But, who exfiltrated the data is just as important as what data was exfiltrated. The sectors most likely to experience incidents perpetrated by trusted business partners are:
Finance and Insurance
Federal Government
Entertainment
Information Technology
Healthcare
State and Local Government
Overall, though, when it comes to employees misusing their access privileges, the Healthcare and Manufacturing industries experience the most incidents. On the other hand, the Public Sector suffers the most from lost or stolen assets and also ranks in the top three for miscellaneous errors (for example misdirected emails) alongside Healthcare and Finance. You can find even more stats about Insider Threats (including a downloadable infographic) here. The bottom line: Insider Threats are a growing problem. We have a solution.
How does Tessian prevent Insider Threats?
Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity.
Tessian Enforcer detects and prevents data exfiltration attempts
Tessian Guardian detects and prevents misdirected emails
Tessian Defender detects and prevents spear phishing attacks
Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Curious how frequently these incidents are happening in your organization? Click here for a free threat report.
Tessian Culture
Introducing Tessian’s New Hybrid Remote Model: Choice First
By Paige Rinke
Friday, December 4th, 2020
We certainly won’t be the first to have made this claim in the last nine months but…the world has changed. Yes – we’ll say it – these are unprecedented times. That’s why companies around the world are reinventing their approach to engaging with and supporting their people.
How has Tessian adapted so far this year?
So, what have we done at Tessian? A lot. We’ve reimagined how we socialize and connect with Tessians all over the world (yes, there’s been bingo!). We’ve set up fully remote onboarding for the first time ever. We’ve even ever-so-briefly re-opened our London office, with super safe protocol and measures put in place to protect those of us who wished to return. We’ve done it all. But undoubtedly the biggest challenge we’ve had to grapple with – and therefore the question we’ve had to answer – is this: What should the new world of work look like for Tessians when things start to return to “normal”? We know for sure that our office of the future will be very different from our office of the past, but what exactly does it look like? And, more importantly, how do we support Tessians while the future is still so unclear? It’s been a journey, but we’re excited to finally share Tessian’s plans for the future. It’s looking bright – and full of choice.
What does the new world of work look like at Tessian?
Some companies pride themselves on being entirely remote. And there are no doubt benefits to this simplified approach. No office politics. And, decisions don’t get made “where the action is” (in the office) because, well, there isn’t one! Others are still trying to retain an office that puts culture first. They want to create a space that fosters collaboration and offers the social benefits that are synonymous with a bustling office. But we believe that both of these approaches – while possibly easier and with fewer risks to manage – miss out on one of the most important determinants of happiness and wellbeing in our lives: Choice.
So, at Tessian, we’re excited to announce our new approach to the future of work: Choice First
What is Choice First?
Choice First enables Tessians and future Tessians to do their best work, in whatever way is best for them. Put simply, we will be giving our team three options to choose from, with as few caveats as possible:
Why have we landed here (and not remote first, or office first)?
We have done extensive internal and external research, and there are three core reasons we believe this is the way forward.
1. Attract (and keep!) world-class talent
We know that the best companies in the world will be adopting remote options for employees while keeping hubs for those employees who prefer being able to work and socialize in the office. It’s about getting the best of both. We want to be amongst these companies. That way, we can continue to attract and retain the best people. Internally, having heard from our people (our Culture Council has done some great work here), some Tessians can’t wait to get back to the office. We want to ensure that we still have this option in the future. In fact, some have even said they wouldn’t want to work for a company that didn’t have this as an option! But some Tessians have experienced an enormously positive change in their lives since skipping the commute to the office every day. We need to ensure that we offer both. Just look at the results of our most recent research report, Securing the Future of Hybrid Working. You can see employees really do want to be able to work from anywhere.
2. Diversity catalyst
This will open doors to new pools of diverse talent and will make room for every potential Tessian. We believe this will support us in creating a more diverse “place” to work by:
Opening up talent pools in different locations around the country (and world!)
Allowing those who need to work from home for health reasons, or due to caring or other responsibilities, to join the Tessian experience
Enabling those who do want to enjoy the social elements of an office to do so
Learn more about why diversity is important at Tessian…from Tessians. Watch the video now.
3. Take care of Tessians and support wellbeing
Choice First allows people to be in control of their own working lives. Which is a good thing. Why? Because what works for one person may not work for another. Studies have shown that when employees are given the freedom to make the right choices for their career and their life outside of work, their holistic wellbeing will be greater. Surprisingly, given how difficult this period of working from home has been, our own engagement data is backing up how not being in the office can increase wellbeing. We’ve had a significant (over 10%!) uplift in our company engagement scores against the “health” driver (which measures things like mental and physical wellbeing) since leaving the office back in March. So, for people to do their best work, and have good holistic wellbeing, we need to enable choice around work locations and preferences.
What about the risks?
We all know that introducing a hybrid culture is not without its challenges. So we’re dedicating significant time and resources over the coming months to counteract these. Just some of the key things we’re thinking about are below.
Culture
Inclusivity – How do we make sure people aren’t left out because they do or don’t work in the office?
Communication – How do we make sure people feel connected to what’s happening at Tessian?
Fun – How do we keep things interesting in a hybrid environment?
Fairness – How do we make sure no one is positively or negatively impacted due to their choice?
Ways of working
Communication – When do we use synchronous vs asynchronous communication?
How we work – Are hybrid working patterns different from office-based patterns?
Security – How can we continue leveraging technology, policies, and training to keep our people safe, wherever and however they work?
Amplifying performance – How can we provide in-the-moment feedback and help Tessians do their best work, even when we’re not all together?
Effectiveness – Does hybrid make it harder to get stuff done? Do we have the right tools in place to support everyone?
What’s next?
There is still a lot of work to be done. We will be mobilizing our internal teams to make sure our current employees and future Tessians have clarity about their options. Of course, decisions don’t need to be made just yet. Watch this space for more insights about our journey – we can’t wait to share it with you.
Spear Phishing
Spam vs. Phishing: The Difference Between Spam and Phishing
Wednesday, December 2nd, 2020
While email does make it easier for all of us to communicate both in our work and personal lives, there are two major issues with email communication: spam and phishing.  That means the average person needs to know how to spot these illegitimate emails and businesses need to know not just how to protect their employees, but how to avoid inadvertently sending spam.  In this article, you’ll learn the difference between spam and phishing, how common they are, and how to avoid each of them.
What is spam?
You may know spam as junk mail. But what is it, exactly? Spam is unsolicited bulk email: the recipient didn’t ask for it (unsolicited) and many people were sent the email at once (bulk). These two elements are essential to the definition of “spam.” Unsolicited emails can be legitimate, e.g., job inquiries, customer service inquiries, any first-contact correspondence. Bulk emails can be legitimate, e.g., newsletters, marketing to existing customers, transactional emails. But emails that are both unsolicited and bulk are almost always spam. As well as being sent via email, spam can also be sent via SMS or instant messaging. Unsolicited sales and marketing calls (also known as nuisance calls) can also be considered spam.
Spam is generally commercial (meaning from businesses) but it can also serve more nefarious purposes, such as fraud. However, when a spam email uses social engineering techniques to trick the recipient, we call it a “phishing” email. Not sure what social engineering is? Examples will help. We’ve rounded up 6 recent, real-world examples of social engineering attacks here.
What is phishing?
Phishing is essentially a more targeted version of spam. A hacker impersonates a trusted brand or person and sends a fraudulent message in an attempt to steal information or money, commit fraud, or install malware on a target’s device. But, there are many types of phishing. Here are a few examples:
Spear phishing: A phishing attack on a specific individual
Whaling: A phishing attack targeting a company executive
Business Email Compromise (BEC): A phishing attack originating from a hacked or spoofed corporate email account
Vendor Email Compromise (VEC): A phishing attack targeting a business using one of its vendors’ email accounts
It’s important to note that a phishing attack can be delivered via several different communications channels:
Email: The big one — 96 percent of phishing attacks take place via email. When people say “phishing,” they’re generally referring to email-based social engineering attacks
Smishing: Phishing via SMS
Vishing: Voice-phishing, via phone or Voice over Internet Protocol (VoIP) software
Phishing attacks can also have different aims, for example:
Stealing credentials, e.g., social media, email, or internet banking login details
Installing malware, e.g., keylogger software, ransomware, or viruses
Stealing money, e.g., by sending fraudulent invoices (known as “wire transfer phishing”)
Now, let’s take a closer look at spam and phishing.
How common is spam?
According to 2019 research from PreciseSecurity:
Spam accounts for around 55 percent of global email activity.
Around 295 billion spam emails are sent and received every day.
China generates the most spam (20.43 percent), followed by the U.S. (13.37 percent) and then Russia (5.6 percent).
However, bear in mind that — despite these statistics — people’s experience of using email is generally improving. This is because:
Rates of spam are lower now than they have been previously — in 2014, data from M3AAWG estimated that spam accounted for 90 percent of email traffic.
Email providers are getting better at detecting spam, which means that more spam is being blocked or sent to junk folders.
How common is phishing?
Phishing is the most prevalent example of cybercrime. Let’s look at some of the best data we have covering the past few years:
Verizon’s 2020 Data Breach Investigations Report cites phishing as the most common cause of data breaches in 2019 — 22% of all data breaches involved phishing.
The FBI’s Internet Crime Complaint Center (IC3) 2019 Internet Crime Report cites phishing as the leading cause of cybercrime complaints.
The U.K.’s National Cyber Security Centre (NCSC) Annual Review 2020 reported that 85% of U.K. businesses experienced one or more phishing attacks in 2020 (up from 72% in 2017).
For up-to-date data on phishing, see our Must-Know Phishing Statistics: Updated 2020.
Risks associated with spam
While – yes – there certainly are some risks associated with receiving spam, most email providers like Gmail and Outlook have gotten pretty good at filtering these emails out. Don’t believe us? Check your spam folder! A bigger risk – specifically to businesses – is accidentally (or negligently) sending “spam” as part of a direct-marketing campaign.
Businesses sending spam (including those who are perceived to be sending spam) run the following risks:
They could alienate their customers — which, ultimately, could damage their reputation and lose them business.
Their legitimate email correspondence could end up in people’s junk folders.
They could be fined or prosecuted under the various national laws regulating spam.
Consequences of phishing attacks
Phishing is one of the most damaging forms of cybercrime. But, as we’ve discussed, there are a lot of different types of phishing.
Wire transfer phishing causes direct, quantifiable losses when businesses pay fake invoices sent to them by fraudsters. The FBI’s data shows that U.S. businesses lost $1.7 billion in 2019 to wire transfer phishing via email.
Ransomware attacks are frequently delivered by email. Clicking the link in a phishing email can lead to your documents, databases, and other files becoming encrypted. Emsisoft estimates that ransomware cost organizations $7.5 billion in 2019.
But what about the impact caused to individual companies? A single phishing attack can be devastating for a business. The biggest known phishing scam of all time targeted tech giants Facebook and Google. This example of wire transfer phishing cost the companies around $121 million over two years. But the indirect losses caused by phishing can be even greater. When Australian hedge fund Levitas Capital was defrauded for nearly $8.7 million in November 2020, the firm recovered 90% of the money. But the fund was forced to close after losing its biggest client as a result of the attack. Unfortunately, Levitas Capital isn’t the only organization to have lost customers after a breach. After a breach, companies see an average of 3.9% customer churn. It makes sense, then, that “losing a customer/their trust” is the biggest consequence of a data breach according to security leaders. So, how can businesses reduce the risk of being successfully targeted by a phishing attack?
How to avoid phishing attacks

Staff training

Much of the traditional guidance on phishing focuses on staff training: helping your employees to identify phishing emails and manually delete them. The classic "telltale" signs of a phishing email are often said to be:

- Spelling mistakes
- A sense of urgency
- An unprofessional tone

This might have been good advice when phishing emails were sent out in "spray and pray" bulk attacks. But now it's unfair and unrealistic for organizations to expect their employees to spot phishing attacks, especially those using advanced impersonation techniques.

Today, effective phishing emails look like any other email. They don't carry these "telltale signs." They carry the branding and tone of voice you're used to seeing from trusted senders. They can arrive from a colleague's or friend's email address (whether spoofed or compromised). They might even look like part of an ongoing conversation ("email thread hijacking").

That means staff training, while important, must not be your primary defense against phishing. As the National Cyber Security Centre (NCSC) says:
Want to learn more about why phishing training alone just isn't enough? Read our blog: Pros and Cons of Phishing Awareness Training.

Email security software

The most reliable way to root out phishing emails is to implement an email security solution like Tessian Defender. Here's how Tessian protects your people and prevents inbound threats like phishing:

- Tessian ingests historical email data from employees' inboxes to learn what "normal" looks like and map their trusted relationships with other employees and with third parties outside the organization. This way, it automatically knows when an employee receives an email from an unexpected sender.
- Inbound emails are also analyzed in real time for anomalies. Anomalies might include barely noticeable irregularities in the sender's email address and IP address, potentially malicious links, or suspicious changes to the sender's communication patterns.
- If an email is suspicious, Tessian alerts employees with contextual warnings that explain why the email has been flagged.
- Tessian also alerts security teams, who can quickly and easily investigate the attack and, to prevent future attacks, can add the sender's domain to a denylist in a single click.

Importantly, solutions like Tessian Defender prevent the most advanced attacks: specifically, those that slip past legacy solutions, Secure Email Gateways, and spam filters.
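To make two of the signals above concrete, here is a simplified, added example of how an inbound-email check of this kind can be built. It is illustrative code written for this page, not Tessian's code and not a description of how Defender is implemented. It learns a set of "trusted" sender domains from a constructed mailbox history, then flags a sender domain that is unknown or a lookalike of a trusted one (typosquat or homoglyph), a Reply-To that points elsewhere, links hosted on Google services that serve anyone's content (the Forms and Firebase-hosted pages discussed in the November roundup later on this page), and link text that names a brand whose real domain is not the link target. The history, the list of user-content hosts, the brand-to-domain table and the sample message are all constructed assumptions.

```python
"""Simplified inbound-email checks (added example; not Tessian's code).
Sender anomalies learned from mailbox history (unknown, lookalike, or
mismatched Reply-To) plus link anomalies (user-content hosts under a
Google domain, brand named in link text but not in the link target).
HISTORY, the host lists, BRAND_DOMAINS and the sample are constructed."""
import re
import unicodedata
from collections import Counter
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed mailbox history: (sender address, number of past messages).
HISTORY = [("alice@contoso.com", 120), ("bob@contoso.com", 80),
           ("invoices@acme-supplier.com", 15), ("newsletter@example.org", 3)]
# Google-owned hosts where anyone can publish a page (assumed, not exhaustive).
USER_CONTENT_HOSTS = {"docs.google.com", "forms.gle", "drive.google.com", "sites.google.com"}
USER_CONTENT_SUFFIXES = (".firebaseapp.com", ".web.app")
# Brand keyword -> the domain that brand really uses (constructed lookup).
BRAND_DOMAINS = {"american express": "americanexpress.com", "google": "google.com"}
ANCHOR_RE = re.compile(r'<a\b[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

def domain_of(header):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header or "")[1].lower().rsplit("@", 1)[-1]

def build_trust(history, min_msgs=5):
    """Domains seen at least min_msgs times in the history count as trusted."""
    counts = Counter()
    for addr, n in history:
        counts[domain_of(addr)] += n
    return {d for d, n in counts.items() if n >= min_msgs}

def skeleton(domain):
    """Fold accents and common lookalike characters so typosquats collide."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        folded = folded.replace(src, dst)
    return folded

def levenshtein(a, b):
    """Edit distance; a small value between two domains marks a near-miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_reasons(from_header, reply_to_header, trusted):
    reasons, from_dom = [], domain_of(from_header)
    if from_dom not in trusted:
        for t in trusted:  # lookalike of a trusted domain, or simply unknown?
            if skeleton(from_dom) == skeleton(t) or levenshtein(from_dom, t) <= 2:
                reasons.append(f"sender domain {from_dom!r} resembles trusted {t!r}")
                break
        else:
            reasons.append(f"sender domain {from_dom!r} never seen before")
    rt_dom = domain_of(reply_to_header)
    if rt_dom and rt_dom != from_dom:  # replies would go somewhere else
        reasons.append(f"Reply-To domain {rt_dom!r} differs from From domain {from_dom!r}")
    return reasons

def link_reasons(url, text):
    reasons, host = [], (urlparse(url).hostname or "").lower()
    if host in USER_CONTENT_HOSTS or host.endswith(USER_CONTENT_SUFFIXES):
        reasons.append(f"link hosted on user-content service {host}")
    words = TAG_RE.sub("", text).lower()
    for brand, real in BRAND_DOMAINS.items():
        # crude eTLD+1: compare the last two labels of the host with the brand's domain
        if brand in words and ".".join(host.split(".")[-2:]) != real:
            reasons.append(f"link text names {brand!r} but target is {host}")
            break
    return reasons

def analyse(from_header, reply_to_header, html, trusted):
    """Return every reason the message looks anomalous (empty list == normal)."""
    reasons = sender_reasons(from_header, reply_to_header, trusted)
    for url, text in ANCHOR_RE.findall(html):
        reasons += link_reasons(url, text)
    return reasons

# Constructed sample: lookalike supplier domain, off-domain Reply-To, an
# "American Express" recovery form on Google Forms and a Firebase login page.
SAMPLE_FROM = "Accounts Payable <invoices@acme-supp1ier.com>"
SAMPLE_REPLY_TO = "pay@evil.example"
SAMPLE_HTML = """<p>Your card has been locked. Please act now.</p>
<a href="https://docs.google.com/forms/d/e/1FAIpQLSexample/viewform">Recover your <b>American Express</b> account</a>
<a href="https://account-verify-1234.firebaseapp.com/login">Sign in to Google</a>"""

if __name__ == "__main__":
    for reason in analyse(SAMPLE_FROM, SAMPLE_REPLY_TO, SAMPLE_HTML, build_trust(HISTORY)):
        print("-", reason)
```

Run as a script, it prints six reasons for the sample message: the lookalike sender domain, the mismatched Reply-To, and, for each of the two links, the user-content host plus the brand/target mismatch. The design point is that none of these checks needs a blocklist of Google URLs: a legitimate "Open in Google Docs" link from a trusted colleague produces at most the low-severity user-content note, which a real product would weigh against the sender's history rather than block outright.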
Human Layer Security
November Cybersecurity News Roundup
Friday, November 27th, 2020
We're back with another roundup of the biggest stories in cybersecurity in November 2020. With phishing, hacking, and ransomware continuing to surge worldwide, there was a lot of news to choose from. We've selected stories representing the latest trends in cyberattacks, and demonstrating the myriad ways that cybercrime impacts businesses and consumers.

UK Hit By Record Number of Serious Cyberattacks

The UK's National Cyber Security Centre (NCSC) published its 2020 annual review on November 3. The report revealed that the NCSC had handled a record-breaking 723 cyber incidents in the past year. The data covers the period between September 1, 2019 and August 31, 2020 and reveals a 20.1% increase in cyber incidents compared to the previous three-year average (602 cyber incidents).

So what explains this surge? The NCSC chalks the increase up to its proactive approach to identifying and mitigating threats, together with tips from its "extensive network of partners" and public reports. But there's another reason: cybercriminals' exploitation of the COVID-19 pandemic. The NCSC's Suspicious Email Reporting Service received 2.3 million reports in its first four months of operation, leading to the removal of 166,710 phishing URLs.

In fact, phishing takes up a lot of space in the NCSC's report, which highlights:

- A spate of spear phishing attacks targeting pharmaceutical companies
- An "explosion" in fake ads sent via phishing emails
- A rise in the percentage of businesses experiencing phishing attacks, from 72% in 2017 to 86% in 2020

Want to know more about how widespread phishing has become? Read our must-know phishing statistics.

Amazon Customers Targeted By Vishing Attacks

Our October roundup reported an increase in Amazon-related phishing scams around Prime Day. On November 7, the Guardian revealed another Amazon scam: Amazon Prime customers are being targeted in vishing (voice phishing) attacks.
Victims received calls from scammers impersonating "Amazon Prime Security" employees, who advised them that their accounts had been used to make suspicious payments. Consumer group Which? described how one Amazon Prime customer was persuaded during a vishing call to install remote-access software on her device. The scammers then accessed her bank account and stole £6,900 (over $9,200).

UK cybercrime reporting agency Action Fraud said it had received 14,893 reports of similar "computer software service fraud" incidents over the past 12 months, resulting in losses of over £16 million ($21.3 million).

Vishing attacks are a massive problem for businesses as well as consumers. Read our guidance to find out more about defending against vishing attacks.

WhatsApp Hoax Spreads False Phishing Claim

On November 11, Naked Security reported a smishing (SMS phishing) scam that is, sadly, pretty unremarkable in the current climate. Victims received a text alerting them to an "unpaid phone bill" and redirecting them to a fake O2 network login page that harvested their credentials.

What's more unusual about this widespread smishing attack is the rumors surrounding it. According to Action Fraud, WhatsApp-based "fake news" proliferated in the days following the attack, spreading confusion among consumers. The WhatsApp message, which referenced the City of London Police Fraud agency, claimed that the smishing attack was an "extremely sophisticated scam," whereby attackers could drain money from victims' accounts as a result of them merely "touching" the fraudulent text message.

This type of disinformation serves as another attack vector for cybercriminals. It can undermine the efforts of legitimate cybersecurity authorities. Repeated hoaxes of this kind could, ultimately, lead to reduced vigilance among the targets of cybercrime. Credential phishing is a serious issue in itself; there's no need to exaggerate the threat via phony WhatsApp chain messages. Read more about credential phishing here.
Fintech Platform Attacks Unwittingly Facilitated by GoDaddy Staff

Cryptocurrency trading platform Liquid reported on November 13 that its domain registrar, GoDaddy, had "incorrectly transferred control of [Liquid's] account and domain to a malicious actor," allowing the attacker to take control of internal email accounts. The attack resulted in the theft of users' email addresses, names, physical addresses, and encrypted passwords. Worse still, ID cards, selfies, and proof-of-address documents, collected as part of the site's "Know Your Customer" requirements, may also have been compromised.

But GoDaddy's problems don't end there. Just five days later, crypto-mining service NiceHash revealed that its domain had been subject to "unauthorized access" owing to "technical issues" at GoDaddy. While NiceHash reported that user data was likely safe, its domain was unavailable for some time.

GoDaddy didn't disclose details of the attacks, but Krebs on Security revealed in March 2020 that GoDaddy staff had been subject to a vishing attack that had compromised fintech website Escrow.com. Whatever the specifics, it seems GoDaddy has suffered multiple social engineering attacks in the past year. Read our six real-world examples of social engineering attacks to learn how to avoid such problems.

Around 28 Million Texans' Driver's Licenses Compromised

Fox 26 Houston reported on November 18 that hackers had stolen the details of nearly 28 million driver's licenses registered in Texas. Driver's license details are highly valuable to cybercriminals, who can sell them on the dark web or use them to commit identity fraud. The attack has been blamed on weak security protocols, with data being "inadvertently" held in unsecured storage by service provider Vertafore. In addition to driver's license numbers, names, birthdates, addresses, and vehicle registration details were also stolen.
The breach took place between March and August and affected drivers who had received their license before February 2019. Vertafore is offering victims one year of free credit monitoring. More and more US states are introducing tough new data breach notification and privacy laws. Read our guidance on US privacy laws for business leaders to find out more.

Google Products "Weaponized" for Phishing Attacks

Research from Armorblox, published November 19, revealed how popular Google products, including Docs, Forms, and Firebase, have been exploited by cybercriminals and used to "defraud individuals and organizations of money and sensitive data."

Why are hackers weaponizing Google products? Well, they're free, quick to set up, and let anyone publish a page under a Google-owned domain. And because Google is ubiquitous and legitimate, Google-associated URLs are rarely blocked by firewalls or security software. Examples of Google-based phishing attacks uncovered by the investigation include:

- A Google Form used to impersonate an American Express account-recovery page
- A fake email login page hosted on Google's Firebase app platform
- A Google Doc used as a fake payslip for a payroll diversion scam

Blocking your employees from accessing Google products and URLs would be undesirable and impractical. A more realistic defense against phishing scams that abuse Google products is effective email security software. Tessian Defender uses AI-driven technology to detect suspicious activity in your employees' inboxes automatically. Click here to find out how Tessian helps defend against phishing and other social engineering attacks.

Hedge Fund Forced to Close After $8 Million Phishing Attack

On November 22, the Australian Financial Review revealed how hedge fund Levitas Capital was defrauded of nearly $8.7 million following a phishing attack. The attacker sent a fake Zoom invite link to one of the hedge fund's co-founders. When they opened the Zoom link, malware was installed on their device.
This allowed the attackers access to the fund's corporate email account. Using Levitas Capital's email account, the hacker launched a Business Email Compromise (BEC) attack, sending fraudulent invoices to the fund's administrators and trustees.

The attack was discovered in late September after an examination of the fund's online banking records. All but $800,000 of the $8.7 million stolen was recovered before payments cleared. But the damage was done: following the attack, the fund lost its biggest client and was forced to close. This case shows how devastating phishing attacks can be, even when the direct losses are mitigated. To find out more, read our articles on wire transfer phishing and Business Email Compromise (BEC) attacks.

South Korean Retailer Closes 23 Stores After Ransomware Attack

South Korean fashion conglomerate E-Land Group announced that it was closing 23 of its 50 stores following a ransomware attack, according to a November 22 report from news agency Yonhap. E-Land reportedly had to temporarily shut down part of its corporate network to contain the attack, meaning that nearly half of its NC Department Store and NewCore Outlet branches could not operate. A company spokesperson confirmed that the attack had targeted E-Land's headquarters. It is unclear whether E-Land chose to pay the ransom, or whether files or data were exfiltrated as part of the attack.

Ransomware continues to ravage the global economy. Last month we reported that US businesses could be breaching sanctions rules if they attempt to salvage their files by paying a ransom. To help defend your business against ransomware and other cyberattacks, read our guide to choosing the right email security software.

That's all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup.