Tessian Spotlight: Thomas Tschersich, Senior Vice President, Internal Security and Cyber Defense at Telekom Group
Tuesday, March 26th, 2019
Thomas is the Senior Vice President of Internal Security and Cyber Defense at Telekom Group with over 20 of cybersecurity experience. His wide-ranging role involves managing all aspects of security for Telekom Group from personal and physical security to cybersecurity. What are the greatest challenges you have overcome since you became SVP for Internal Security & Cyber Defense? The biggest challenge has been to drive a new mindset into the security teams. At most companies, security teams operate in such a way that they hinder rather than empower others. For example, setting policies in place but leaving the responsibility of security ultimately to the commercial and operational teams. Then, when something goes wrong, they blame others rather than their own practices. This is not how it should be and needs to change. The best way of doing this is having security work directly with the other teams to find a solution where everyone is involved in shaping it. However, this initiative should come from the security teams as they carry responsibility for this. How should senior cybersecurity executives ideally work with the board? In most organizations, you typically see CISOs reporting to CIOs. The problem with this is that you are always relying on the priorities of the CIO to accommodate your information security concerns. When the CISO is mostly driven by the agenda of the IT team (ie. the CIO) then the likelihood of failure increases because the priorities of the CIO and CISO are ultimately different. For example, a CIO might want to cut down costs but a CISO will realize this could increase your security risk. To create an effective cybersecurity strategy, you need to be an independent advisor or be on the same level as the CIO or CTO and ideally report directly to the board. This allows you to align the security strategy more independently and adapt to the needs of the company. You need a direct relationship with the board to ensure security is a priority. What needs to change about how most organizations are handling their information security strategy? When a cybersecurity team is not acting as a barrier to other teams but is instead working together, the business will see an increase in efficiency. It is crucial for cybersecurity to become a business enabler rather than just a pure cost factor. This is what modern organizations have to understand to become successful. Other than that, keeping your infrastructure up-to-date is key. Many of the most successful cyber attacks happen partially because of a missing software update. Do you have any advice for new CISOs to help set them up for success? First of all, listen to the business and understand how it works. Then you can set up security measures that will really help the business achieve their goals and keep practices safe rather than just providing commercial teams with a security target and writing out policies. This is the most essential aspect to understand: with just a policy you are protecting nobody. Also, make sure to network with your peers and talk about breaches openly so no industry ever falls victim to the same threat twice. From time to time, you might be the first victim but other times you won’t be a victim at all because someone told you about the threat beforehand. What role do you think human error plays in data breaches? I would say most data breaches come from disruptive security measures. If I only implement procedures that are a burden to people and their productivity then they will obviously try to find a way around them. For example, if a policy required people to change their password once a week you would almost certainly have more people writing their passwords down and so the risks actually increase. Security executives need to focus on security measures that support rather than burden the user. This consequently reduces the number of threats as people are not motivated to find a way around measures anymore.  
Tessian Spotlight: Pierre-Yves Geffe, Chief Information Officer for Swedbank Luxembourg
Thursday, March 21st, 2019
Pierre-Yves has been the Chief Information Officer for Swedbank Luxembourg for over a decade. Originally hired to restructure the bank’s IT operations, he overhauled the IT teams into a highly agile workforce and successfully led numerous IT implementations and migrations. Before joining Swedbank, Pierre-Yves worked in IT at both the Luxembourg Stock Exchange and IBM. What are the greatest challenges you have overcome since you became CIO? The greatest challenge is hiring and attracting the best employees. My strategy from the beginning was to automate as many processes as possible so that I could hire the best people. Steve Jobs once said “It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.”. I couldn’t agree more with this and that is how we try to attract people here. We are committed to automating processes and staying on the edge of innovation. Slowly, the bank has started to change and become much more flexible and efficient. It was a difficult process but I think we have managed to do it. What are the specific tactics you use to engage the board? Chief Information Officers sometimes have difficulty getting complex ideas across to the rest of the board. The board is made up of mainly commercial, financial and legal executives so I find that the best way to express my ideas is through analogies. It is more effective to break down technical aspects into fundamental analogies as this helps them understand the IT perspective much better. This also helps us justify spending on IT initiatives, showing how they will help the business. What are the most important security indicators that banks should care about? I pay most attention to human resources because keeping talent is a factor that almost every other IT goal depends on. A company, especially a bank, needs to make sure that employees are happy to work there because the nature of the job cannot allow for mistakes to happen. Unhappy employees are much more likely to make a mistake which could lead to something like a data breach. Because of this, I have no problem allowing them to focus on any personal issues first so that when they come into work they are as happy and effective as possible. The cost of employee mistakes will be much higher than the cost of letting them focus on any personal challenges first. What needs to change about how most organizations are handling their IT? Most organizations do not think about how happy their employees are. They don’t understand that if you take good care of your employees, then they will take good care of the organization, especially in IT and cybersecurity. Happy employees are much more likely to behave in a compliant and secure manner. What are the greatest information security threats to the banking industry? A lack of employee education when it comes to cybersecurity risks is a very big threat. Lots of employees tend to get phishing emails and many click on the links included in the email without knowing the risks involved. One way of tackling this could be to be very close to the users and remain up-to-date with how users are treating these threats. However, this can only take you so far. Luckily, we have been able to escape any major risks for now but it is an ongoing process. Do you have any advice for new CIOs to help set them up for success? You have to get out of the office. Meet with your peers and industry experts, go to workshops and networking events. You should also read blogs and articles constantly to remain on top of the newest technologies, solutions and threats. Ultimately, if you are curious and flexible in your approach to solving a problem in IT then you have the right tools to get started.    
Compliance
GDPR: 13 Most Asked Questions + Answers
Friday, March 15th, 2019
1. Who’s enforcing GDPR? In May 2018, the GDPR came into force across the whole of the European Union. The GDPR applies equally to all EU member states, but that doesn’t mean each country will enforce its requirements equally. Each member state handles enforcement and will have a regulatory body called a supervisory authority that will be in charge of auditing and enforcement. 28 different countries will handle enforcement. That means Germany, for example, is expected to be tougher on enforcement of GDPR than elsewhere on the continent given data protection is conducted at a state level. Conversely, the U.K. has traditionally been the member state to push back against any overtly data-privacy regime that could impede global trade. 2. What are the penalties for non-compliance with GDPR? Penalties can be a fine up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The latter is the steeper penalty and the assumption is that it will be levied in severe cases when a company has totally disregarded data privacy. The supervisory authority decides the fine’s amount based on the circumstances and the violation level. 3. What is a GDPR Data Processing Operation? A data subject is the person about whom data is being collected. The data controller is the person or organization that decides why personal data is held or used, and how it is held or used. Any person or organization that holds or uses data on behalf of the data controller is a data processor. The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach. The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach. The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach. The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach. 4. How does the GDPR handle this? GDPR refers to the time between detecting a breach to the time of notifying impacted parties about it. However, part of the security for privacy concept is about being able to detect breaches and have best-practice tools and processes in place to do so. 5. What documentation do we need to prove that we’re GDPR compliant? GDPR, compared to the Data Protection Act that it replaces, states there is a need to demonstrate compliance. According to Article 5(2) of the regulation, “The controller [i.e. your company] shall be responsible for, and be able to demonstrate compliance”. It is a good idea to document everything about your GDPR process, so it is clear that you have taken the right investigative steps and have made reasonable steps to fix any issues. You then have a document you can point to if you’re ever asked any questions. 6. What are the data requirements for GDPR? Data can only be processed for the reasons it was collected Data must be accurate and kept up-to-date or else should be otherwise erased Data must be stored such that a subject is identifiable no longer than necessary Data must be processed securely 7. Is GDPR training mandatory for staff and management? Anyone whose job involves processing personal data undertakes data protection and data handling training. This includes full-time staff, third-party contractors, temporary employees, and volunteers. 8. Does GDPR compliance differ based on the number of employees a company has? GDPR doesn’t differentiate between the size of organizations. 9. What type of language should be included in a consent policy? Check out the Tessian privacy policy, which shows you how detailed consent needs to be. 10. Is appointing a DPO mandatory? GDPR requires appointing a DPO when an organisation performs data processing on a large scale, processes certain types of data or processes data on an ongoing basis as opposed to a one-time process. 11. What happens if some data is processed outside the EU? The GDPR allows for data transfers to countries deemed by the European Commission to provide an adequate level of personal data protection. In the absence, transfers are also allowed outside non-EU states under certain circumstances like standard contractual clauses or binding corporate rules. 12. Does GDPR affect US-based companies? Any U.S. company that has a web presence and markets their products over the web will have to take notice. Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. 13. If we are based in the US, have EU citizen data and experience a breach, who do we notify? There are rules around what authority should be notified based on criteria like the situation, the organization and where the processing occurs. How can Tessian make you GDPR Compliant? Under GDPR, an organization is most likely to suffer a fine or penalty due to data loss through a misdirected email. Misdirected emails were the number one form of data loss reported to the Information Commissioner’s Office (ICO) in 2017. Some notable examples of penalties issued by the ICO for misaddressed emails include 56 Dean Street Clinic who were fined £180,000 for inadvertently disclosing the identities of HIV positive patients and also Dyfed-Powys Police who were fined £150,000 for inadvertently disclosing the identities of registered sex offenders to a member of the public. GDPR forces organizations to report all personal data breaches to the appropriate governing body and maintain a register of these internally. Under GDPR, organizations have an obligation to report misaddressed emails to the ICO and face fines of up to 4% of global turnover depending on the severity of the breach. Given that misdirected emails are the number one type of data security incident currently reported to the ICO, this should be of significant concern for all organizations in the transitioning years toward GDPR. Tessian uses machine learning to automatically detect when emails are being sent to the wrong person, allowing organizations to both prevent information being sent to the wrong person and crucially, retain an audit log of warning messages shown to users when sending emails and the response that the user made on the warning that was shown. The audit feature and preventative nature of Tessian align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). Furthermore, with increasing numbers of firms adopting Tessian’s technology and their role in helping advising other companies in their transition to GDPR, simply relying on staff being as careful as possible and internal training, becomes an untenable posture when protecting personal data.
Careers: Adding Rocket Fuel to our Rocket Ship
By Abhirukt Sapru
Tuesday, March 12th, 2019
Picture this: It’s 4pm on a Wednesday. While the rest of the working world is going through their midweek slump – clock watching and/or waiting for their boss to turn comments before burning the midnight oil – you are stepping in to the boardroom of a leading London law firm. In front of you, as you pour yourself a glass of sparkling water with a postcard panorama of the city skyline behind you, are the Managing Partner and Head of IT. They usher you into your seat. As you scramble to connect the various adapters into your MacBook, your mind is 100% focused on delivering a pitch on why their firm should today solve their biggest problem. You need to educate, persuade and ultimately introduce this organization to machine learning (sometimes, for the first time). As you load up your slides on Keynote, it’s show time. At Tessian, this is not a what-if scenario, this is just one of the daily occurrences as a Business Development Manager (BDM). I had the rare opportunity to be ‘patient zero’ for the Business Development function at Tessian. And it was – and continues to be – an unbelievably exhilarating experience. Every single exercise has value: multiple introductory emails to prospective customers, pitching and ultimately navigating organizations to implementation all help our company achieve our goals.
As a BDM, you are experiencing entrepreneurship in its most raw, gritty form. You are your own rapid-growth business within a rapid-growth business. You get to experience the glamorous highs – as detailed above – alongside the excruciating lows, all at breakneck pace. Industry-defining deals are the norm, and your targets have a direct impact on the products our team can ship, the services we can offer to our customers, and our ultimate mission to protect enterprises from threats executed by humans in order to keep the world’s most sensitive data and systems secure.
Given the nature of the role – a discipline in process, a fervent desire to do things faster and better, creative and strategic thinking, and collaboration through external stakeholder management – BD has become a natural breeding ground for commercial leadership at Tessian. It’s not just here, but across organizations: 20% of Fortune 500 CEOs have come from a selling/marketing background and there is a common adage in start-up world that an overwhelming amount of successful entrepreneurs have first built careers in sales. It’s true here as well – our CEO, founders, Head of US, Enterprise and Finance Directors, and myself (Chief Revenue Officer) have effectively all built our careers in some way as BDMs at Tessian.
Tessian is hoping to redefine sales and business development. We don’t believe in nor hire those who portray the negative stereotypes around sales. BDMs at Tessian are some of the brightest, hardest-working and most upstanding people I have interacted with in my career. It’s humbling to come in and work with these people on a daily basis and I am incredibly grateful that our team’s constant ambition is to outperform. I sometimes think of the famous Sheryl Sandberg quote to Harvard Business School grads: “If you’re offered a seat on a rocket ship, don’t ask what seat! Just get on.” As a member of the Business Development team at Tessian, we get to be right in the control room. And from our window, there’s an incredible view.
Autocomplete Mistake on Email
Tuesday, March 12th, 2019
  What is Autocomplete? How does Autocomplete work? Autocomplete / auto-fill is a feature which displays suggestions for names and email addresses as you start to type them. These suggestions are possible matches from a list of names and email addresses from the email messages that you have sent. As you start typing a name in the To box, based on the characters you enter, Outlook’s Autocomplete feature displays a list of possible choices. As you enter more characters, Outlook narrows the list. How common are Autocomplete Mistakes? Autocomplete updates its suggested list as quickly as you type each character so it’s very easy to select the wrong email address. Outlook / other mail providers maintain a history of all the email addresses you enter, not just the ones you store in the Address book. Due to this, these names make their way onto the Autocomplete list. Autocomplete mistakes can happen when you’re in a hurry or distracted. For example you may type a name into the ‘To’ box, choose the first option and send — without realizing that Outlook’s Autocomplete feature chose the wrong recipient. Autocomplete is a highly useful and productive feature in a workplace, helping to save time, however it is prone to making mistakes and can cause you to accidentally send emails to the wrong person. Should I switch Autocomplete off? As the risk of misdirected emails is becoming a key issue for leadership, informations security, risk and operating teams, organisations are often taking an impulsive approach to solving this problem. Upon identifying that one of the main culprits for this growing challenge is the auto-complete function over email, the knee-jerk solution by management is to switch the function off, which ends up causing far more problems than it solves. The truth is, Autocomplete is helpful and you shouldn’t disable it. “After identifying the risk of misdirected emails, we explored the option of disabling Autocomplete however it became incredibly clear that this was not the solution. Instead, we needed something that complemented rather than prohibiting work flows, hence we opted for Tessian’s Guardian product” —  David Smith, Partner and Head of Operations, Anthony Gold Solicitors What happens if I disable Autocomplete? There are a number of reasons that firms should strive to keep auto-complete on. It is imperative to take a holistic approach rather than act in what can be perceived in an impetuous manner when dealing with risks such as misdirected emails. Why you shouldn’t disable Autocomplete: 1. Misdelivery risk increases due to manual input 2. Tessian research found that productivity decreases by 30% 3. Increase in non-authorised, non-controlled communication channels to send messages 4. Misaddressed Emails do not decrease 6. Negative experience with technology Tessian’s low user disruption and intelligent predictions have proved to be a sophisticated and risk attractive improvement to disabling autocorrect in Outlook —  Duncan Eadie, IT and Business Services Director at Foot Anstey About Tessian Tessian is building the world’s first Human Layer Security platform to fulfil our mission to keep the world’s most sensitive data and systems private and secure. Using stateful machine learning to analyze historical email data, Tessian’s Parallax Engine can predict for this user, at this point in time, does this email look like a security threat?
Human Layer Security
Email: Information Security’s Leaky Pipeline
Tuesday, March 12th, 2019
Email is the most widely used method of communication in the world. The number of emails sent and received daily will reach almost 300 billion in 2019, and the number of active email users will reach almost 4 billion in the same year, according to technology research company Radicati. There’s a reason the ageing protocol is so entrenched in how we communicate: it’s simple, works in every browser, and most importantly, everyone has an address. But many of the things that make email great, also make it a difficult avenue to secure from an information security perspective. Many use cases Email is used for both professional and non-professional communications: a highly classified email to a client may be immediately followed by one to a spouse about dinner. Add to this that these two emails can often be sent from the same work email account for the sake of convenience, and the likelihood of confidential data being leaked due to a slip up increase exponentially. Truly platform agnostic Slack messages can be sent to slack users, Signal messages to Signal users, and Whatsapp to Whatsapp. Unlike most other messaging platforms, there’s no need for two people to be using the same email client, protocol, or provider for communication to be possible. Of course, this seamlessness comes at a cost: it is much more difficult to develop a complete security solution for a channel with as many front-end standards and configurations as email has. “The protocol now suffers from being ‘too big to change’ – there are core features missing from the technology that more modern communication platforms now have as standard(…)” Well established protocols Since its inception in the 1970s, the underlying technology behind email has remained the same, which makes it very easy to develop for and implement. It also means the protocol now suffers from being ‘too big to change’ – there are core features missing from the technology that more modern communication platforms now have as standard, including the ability to easily redact or recall, and encryption-by-default. To make any major changes to how the email protocols function would require a near-global consensus. Accessible from anywhere Gone are the days when people accessed their email solely from their desk. Employees manage their emails on laptops, smartphones, tablets, watches, even car dashboards. This ease of access has exponentially increased the volume of emails exchanged, as well as changed how people treat emails, sending emails on the go. This, in turn, raises the risk of emails being misaddressed, as people type addresses out in a rush on their phones. Centrally stored An inbox often contains a wealth of information spanning an employee’s entire time spent at an organization. While much of this may not be confidential, the fact of being able to access huge amounts of information from a single source exponentially increases the likelihood of a “careless forward”. Recent statistics on data security highlight that individual human error accounts for most data breaches, and show that the current school of thought surrounding information security is incomplete. Email offers numerous benefits – namely speed, ubiquity and simplicity – but it’s also one of the single biggest threats to an organization and its data. In addition to this, the ICO in the UK recently reported that misaddressed emails were the number one type of data security incident reported to them. While a growing number of enterprise processes are now being automated, email communication is currently still almost entirely reliant on people, which makes it vulnerable to human error. No matter how well established the organization, and how experienced and security conscious it’s employees, it will still be run entirely by people. And people are fallible.
Customer Stories
Safeguarding a Reputation with Intelligent Data Loss Prevention
Tuesday, March 12th, 2019
Boult Wade Tennant is a leading patent and trademark attorneys firm with offices in London, Madrid, Munich, Cambridge, Reading and Oxford, specializing in intellectual property law. Their patent, trademark, and design teams specialise in advising clients over the full life-cycle of brands, products or systems; from acquisition, exploitation and protection to commercial use, infringement or contentious issues. Boult Wade Tenannt is protecting employees with Tessian Guardian.
Working with their clients’ proprietary information and other confidential data as a matter of course, the firm wanted to augment the protection they provide their clients, and further safeguard any confidential information they may process on clients’ behalf. Boult Wade Tennant picked Tessian because it was easy to install, required minimal configuration, and is unobtrusive to employees. Tessian has allowed Boult Wade Tennant to mitigate the risk of misaddressed emails and inadvertent IP loss, safeguarding their reputation as one of the best in the business. Learn more about how Tessian prevents human error on email Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.
Customer Stories
Ensuring Data Loss Protection
Tuesday, March 12th, 2019
Com Laude, an ICANN accredited registrar, is a specialist domain name management company that helps businesses manage their domain name portfolios throughout the full life cycle. Com Laude is protecting employees with Tessian Guardian, Tessian Enforcer and Tessian Constructor.
The problem As a trusted strategic partner of leading global brands, Com Laude recognized that there was a direct correlation between the security of their clients’ information and the security of their business – something that they were keen not only to protect but enhance, so as to facilitate further growth. Having identified the significance of the threat at hand, they were keen to find a solution – and with misdirected emails being the most common type of data security incident, there was no time to waste. Attracted by the intelligence of our AI and machine learning based software, the Com Laude team actively sought out Tessian Guardian, combining this with the additional protection provided by Tessian Constructor to implement an effective regulatory framework for their internal communication policies. The solution Tessian was rolled out to 30 employees across a number of departments at Com Laude. After an initial period of time exploring Tessian’s functionality, Com Laude built a variety of rules specifically for their organisation using Constructor and had Guardian successfully running in the background. Soon after, Com Laude were presented with a detailed threat report from Tessian, including a high-level overview of their email statistics along with a deep-dive analysis of the specific threats identified via the Guardian – specifically, flagged misdirected emails. The results from this report provided Com Laude with “proof” not only of the value of their investment, but of the scale of the problem. Having indicated that Guardian was able to detect and prevent email threats in the form of misdirected emails, the report also provided the company with some significant insights via these email statistics. This had a direct impact on Com Laude’s business model, allowing the firm to use these findings to set key rules designed to further protect their customers. Learn more about how Tessian prevents human error on email Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.
Customer Stories
Securing the Email Environment from Human Error
Tuesday, March 12th, 2019
Travers Smith is a leading corporate law firm headquartered in London. It advises national and multinational companies across the full range of corporate and commercial matters. Travers Smith is protecting employees with Tessian Guardian and Tessian Constructor.
Given the highly sensitive nature of the work performed and the client confidentiality requirements outlined by the Solicitors Regulation Authority, securing their email environment from human error was a key priority for the firm. Risk and IT teams were acutely aware of the potential risks from misdirected emails and chose Tessian Guardian because of the admin – free nature of the product and minimal disruption and effort that it requires from end users at the organization. Travers Smith successfully deployed Tessian firm wide with minimal effort from the firm’s IT team. After a set period of time using the software, Travers Smith was presented with a comprehensive report containing details of Tessian’s performance and examples of misdirected emails that had been prevented. Thanks to Tessian, Travers Smith is now better equipped to protect clients’ sensitive information and avoid the scenario of confidential information accidentally being sent to the wrong people. Moreover, Tessian allows the firm to demonstrate diligence to clients and regulators by showing that the risk is being measured and managed appropriately. Learn more about how Tessian prevents human error on email Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.
Customer Stories
Seamlessly Implementing Email Security
Tuesday, March 12th, 2019
Grosvenor Law is a specialist personal and business dispute resolution firm based in Mayfair, London. They work on significant and complex disputes worldwide across a range of business sectors, on behalf of corporate clients and high net worth individuals. Grosvenor Law is protecting employees with Tessian Guardian and Tessian Constructor.
Given the highly sensitive nature of the work performed and the client confidentiality requirements outlined by the Solicitors Regulation Authority, securing their email environment from human error is a key priority for the firm. There has been an increasing number of high profile losses of confidential data in the legal sector in recent years and months. The Chief Executive of Grosvenor Law had already taken a number of measures to reduce the risk of inadvertent data loss over email, but chose to add to their existing risk management measures by working with Tessian given the unique machine learning intelligence of the system. The firm opted to use Guardian to prevent and detect misdirected emails, as well as Constructor to implement some of their own custom communication policies. After some time, Tessian issued the Chief Executive with a report detailing the findings of how the software had successfully prevented misaddressed emails for Grosvenor Law. It also showed how Tessian’s machine learning algorithms had developed an understanding of the organization’s regular email patterns and behavior in order to accurately detect anomalies. By having outgoing email content from their organization automatically checked by Tessian software, Grosvenor Law is able to protect their client data from one of the most common causes of data loss. They are also able to demonstrate diligence to clients and regulators that this risk is being measured and controlled. Learn more about how Tessian prevents human error on email Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.
Tessian Spotlight: Johan Kestens, former Chief Information Officer at ING Belgium and Luxembourg
Tuesday, March 12th, 2019
As the former Chief Information Officer for ING Belgium and Luxembourg, Johan was, until September 2018, responsible for the complete IT stack and was part of the Executive Committee. An engineer by training, Johan has worked with a number of organizations before joining ING, including McKinsey, SWIFT, SAP and A.T. Kearney. What are the greatest challenges you overcame while you were CIO at ING? There were several challenges. Firstly, we increased collaboration between the Belgian and Dutch IT operations to create a single IT organization and adopted the same agile way of working. We also brought IT professionals much closer to other teams in the business and removed as many coordination barriers as possible, which made the IT team more efficient and cost-effective. Another challenge was gaining more control of the IT change portfolio. There is always more demand than there is capacity so we changed it from a demand-driven organization to a capacity-driven one. This helped get many more things done and we had some very positive results in areas such as big data. The final challenge was creating better risk awareness and control in the business and enhancing the level of discipline in the organization. What needs to change about how most organizations are handling their IT strategy? I noticed that in many companies there is sometimes a distance between the business and IT people. This might be because of the different business jargon, personalities and delivery goals but this divide needs to disappear. Many parts of the economy are being disrupted through digital businesses and IT is increasingly becoming the main driver of business. The IT strategy for many is starting to become the strategy. For this to work effectively, you need to bring non-technical teams and IT teams closer. Improving communication and understanding between teams will help them work together most effectively. How should CIOs ideally work with the rest of the board? If you look at most company boards, I would say a lot of them are likely struggling to understand what is going on in IT. Many of them know that their digital business is becoming more important but it is like watching a soccer game; it is different when you are sitting in the stadium than when you are playing in the field. I have also sensed a mixture of fear and distrust regarding IT because some people feel that they do not have the expertise to really assess it. Most boards are made up of professionals with a commercial or finance background. An area where this is especially clear is cybersecurity, it is very frightening for board members to ultimately carry responsibility but not understand all techniques used to attack their business. Constantly reading about the newest data breaches in the news will likely do little to assure them. CIOs should do their best to address all of these concerns. What are the greatest information security issues to the banking industry and how would you address these? The biggest security incidents often happen from within, so integrity of staff must be a prerequisite. At the larger organizations, security becomes much more of a numbers game. Even with very good employee screening procedures, data breaches will likely happen either by accident or through malicious employee intent. Another important issue is adopting the right mindset when dealing with information security. I think about it in a similar way to healthcare, a new variant of flu comes out every winter and the medical industry is quite fast to respond to this but it never goes away completely. You have to adopt a framework where you understand you are never going to be completely immune as cyberattacks are always evolving. Even if you have never had a data breach before, you can never be completely sure that an employee will never fall prey to a spear phishing email. The best you can do is remain vigilant and constantly stay abreast with the newest developments. This is why I am a big fan of collaboration between industry participants or even governments. Cybercrime is like a virus, it tends to go from country to country, so by working together, you can be aware of it ahead of its arrival. All parties benefit when they collaborate together against a problem like cybercrime. What do you read/listen to stay on top of advancements in IT? Gartner reports are a very good source of information as they cover different trends well. I also follow a few networks such as CIONET to understand what is going on in the industry right now. Finally, small CIO events like dinners or breakfasts with only 10-12 participants is amazing for knowledge sharing. The size of the audience allows everyone to participate and every once in a while you get a nugget of gold. Keeping in mind that what might be very esoteric today could become very important tomorrow is key.  
Human Layer Security
Human Error is Incredibly Difficult to Understand, Let Alone Predict
Monday, March 4th, 2019
Email still remains the main communication channel for enterprises. Despite its incredible efficiencies and economies of scale, email as a communication tool is reliant on human interaction and judgement. This makes human error particularly prevalent on email. One example of a mistake that can occur over email due to human error is an email being directed to the wrong person. A misdirected email might happen for any number of reasons, just a few of which include stress, alertness, being in a hurry or simply bad luck. For example, staff members at a major Australian bank mistakenly sent emails that contained data from over 10,000 customers to the wrong recipient due to an error that changed the email’s domain name. Over the past few years the workforce has become more mobile, meaning that more data now exits organizations’ premises and networks. Many employees manage their inbox on the move, replying to an urgent email after work while commuting or messaging international clients in the early hours of the morning. While this flexibility is advantageous for employees and businesses, different diligence levels outside working hours and on mobile devices raise the chance of a misdirected email being sent. Let’s take a small-scale example. Even for a small organization where each employee sends a moderate number of emails per day, Tessian data shows that the likelihood of a misdirected email leaving the organization in a given month is high. That risk increases dramatically with the size of an organization. No matter how many Secure Email Gateways and firewalls you employ, failing to address this risk could mean your organization’s data being compromised. Mistakes due to human error are not limited only to outbound email. Over the past few years, inbound attacks such as spear phishing have become more frequent and more sophisticated. For example, someone may receive an email from an attacker impersonating a supplier requesting a transfer for an outstanding payment. The degree of urgency included in the email and the fact that the attacker utilizes a legitimate relationship makes the likelihood of the recipient falling for the attack more likely. In order to stay vigilant in this changing environment, security officers and business leaders should focus on two simple questions: 1. What’s the most likely cause of data loss for our organization? 2. What’s the maximum damage that a human error could cause? This awareness can help security leaders gain a better understanding of the risks they need to manage on an ongoing basis. Ultimately, this awareness could help mitigate the likelihood of data loss, and associated consequences like financial penalties or reputational damage. Mistakes due to human error are inevitable, but the negative consequences are not. Tessian’s machine-intelligent email filters use machine learning to understand relationships and behaviors on email, identifying in real time when people are about to make a mistake – whether it’s entering the wrong reply-to address or potentially falling for a spear phishing attack. Thoughtful, intelligent notifications located within the email client stop the threat before it can cause damage to your organization. Take action against misdirected emails and spear phishing today.  
Page