Customer Stories
Proactively Protecting Customer Data
Thursday, April 11th, 2019
Armstrong Watson have been supporting, advising and protecting clients across the North of England and Scotland for over 150 years, providing a full range of unbiased specialist services and financial advice to businesses. The firm provides invaluable advice to companies operating across a range of sectors, and as such requires that client data be handled with discretion. Armstrong Watson is protecting employees with Tessian Guardian and Tessian Constructor.
Having curated a loyal customer base of trusting clients, Armstrong Watson were keen to proactively protect customer data. After identifying misaddressed emails as a key risk vector, the firm set out to find an intelligent solution to secure their clients’ data and ensure compliance with GDPR. Armstrong Watson chose Tessian to help mitigate the risk of misaddressed emails as it is simple to install and offers seamless protection, while also allowing employees to communicate unimpeded. The platform’s logging and auditing features also allow the firm to prove diligence, and demonstrate that appropriate organisational and technical measures are being taken to prevent data loss as required by the GDPR. The rigour and efficiency of Tessian’s client support team provided the firm with additional value and peace of mind.
Armstrong Watson Case Study
Tessian Spotlight: Full Archive
Wednesday, April 10th, 2019
Earlier this year we started a new series of interviews called “Tessian Spotlight”—an exploration into the world of cutting-edge enterprise innovation and cybersecurity. In this series, we interview inspiring technology and security leaders across different sectors in order to learn about their backgrounds and accomplishments, the challenges they foresee in the future and the top insights that have helped them succeed in their respective fields.

Mark Ramsey, CISO, Americas Division, ASSA ABLOY
Mark Ramsey has over 30 years’ experience in software engineering and security. He is committed to education around cybersecurity, and teaches masters-level students at Fairfield University, where he has been a Professor for the past 33 years.

Giampiero Astuti, Group CIO, Astaldi
Giampiero Astuti has served as Group Chief Information Officer at global construction company Astaldi since 2003. Before joining Astaldi, he worked as CIO in different industries (Financial Services, IT, and Pharma / Biotech) both in Italy and abroad.

Jaya Baloo, CISO, KPN Telecom
Jaya Baloo joined KPN Telecom 6 years ago, as Chief Information Security Officer, to build up the Cybersecurity department, which currently has over 100 employees. Jaya was recognized as one of the top 100 CISOs globally by The CISO Platform in 2017, won the Cyber Security Executive of the Year Award in 2015 and is also a well-known speaker at security conferences across the world.

Kevin Delange, CISO, International Game Technology
Kevin has an extensive background in information security, systems architecture and communications. As Chief Information Security Officer at International Game Technology, he holds global responsibility for information security as well as governance, compliance and threat intelligence.

Richard Wakefield, CTO, Salford Royal NHS Foundation Trust
Richard is the Chief Technical Officer at Salford Royal NHS Foundation Trust, which he joined in 1998. His responsibilities range from infrastructure provision and digital equipment to cybersecurity.

Craig Walker, Global CIO, Shell International Petroleum Company
Craig Walker has nearly 30 years of experience with Shell spanning locations such as the US, Colombia, South Africa, Saudi Arabia, UAE and the UK. Originally joining Shell as a programmer in 1981, and after a 6-year stint at KPMG in the early 2000s, Craig is now the global CIO for the Shell Downstream business. This includes trading, manufacturing and refinery as well as the B2B businesses such as marine, aviation and retail.

Thomas Tschersich, Senior Vice President, Internal Security and Cyber Defense, Telekom Group
Thomas is the Senior Vice President of Internal Security and Cyber Defense at Telekom Group, with over 20 years of cybersecurity experience. His wide-ranging role involves managing all aspects of security for Telekom Group, from personal and physical security to cybersecurity.

Johan Kestens, former Chief Information Officer at ING Belgium and Luxembourg
As the former Chief Information Officer for ING Belgium and Luxembourg, Johan was, until September 2018, responsible for the complete IT stack and was part of the Executive Committee. An engineer by training, Johan worked with a number of organizations before joining ING, including McKinsey, SWIFT, SAP and A.T. Kearney.

Michael Mrak, Head of Department Compliance & Information Security at Casinos Austria
Michael has been with Casinos Austria for 26 years. He started in the IT department and eventually took over the role of Data Privacy Officer in 2001. Responsible for overall information security strategy and working closely with the CEO, Michael establishes policies relating to compliance and anti-money laundering. As well as overseeing all the activities related to the development, implementation, maintenance and adherence to the organization’s privacy policies, he is also the link between his organization and the Austrian Ministry of Finance.

Don Welch, Chief Information Security Officer at Penn State University
As Chief Information Security Officer for Penn State University, Don is in charge of a range of functions including identity and access management, security operations, privacy and compliance. This involves overseeing the unique responsibilities of each of those teams.

Sarat Muddu, IT Security Director, Kelley Drye & Warren
Kelley Drye & Warren’s IT Security Director Sarat Muddu talks about the process of implementing change in this Tessian Spotlight Series. According to Sarat, it’s important to embrace innovation in order to ward off threats.

Graham Thomson, CISO, Irwin Mitchell
Graham Thomson is the Chief Information Security Officer at leading law firm Irwin Mitchell. In this Tessian Spotlight Series, Graham talks about his career in information security and why he uses Tessian to keep Irwin Mitchell’s employees safe on email.

Duncan Eadie, IT Director, Charles Russell Speechlys
As IT Director, Duncan Eadie is responsible for designing and delivering the IT strategy at Charles Russell Speechlys. In this Spotlight Series, Duncan speaks about the risks law firms face from cyberattacks, and the importance of embracing technological innovation.

Craig Hopkins, Chief Information Officer, City of San Antonio
Craig Hopkins has been Chief Information Officer and IT Director for the City of San Antonio for over two years, after spending more than 20 years in financial services. As CIO, Craig also manages systems integration, user experience, cyber and physical security, and portfolio prioritization for the city. This includes aligning the City of San Antonio’s 42 departments and almost 13,000 employees and developing a business strategy to ensure that each department accomplishes its mission, takes care of its employees, and remains secure.

Helen Rabe, Global Chief Security Officer, Abcam
Helen Rabe is a distinguished security leader, with wide-reaching experience across banking, telecoms, food and drink and, more recently, life sciences. We spoke with Helen, Global Chief Security Officer at Abcam, to understand her core driving principles when it comes to leading enterprise security programs and what impact cybersecurity technology can truly have on an organization.

Bridget Kenyon, Global Chief Information Security Officer, Thales eSecurity
Bridget Kenyon is the Global CISO for Thales eSecurity, where she manages operational information security across the organization. Previously, Bridget served as the Head of Information Security at University College London, where she built and matured the information security governance function for the university. Bridget is a member and editor for the International Organization for Standardization, where she has edited and developed the management standards in the 27001 series. Additionally, Bridget has published a book on ISO 27001, which serves as an ideal guide for organizations preparing for the certification.
Interviews With CISOs
Tessian Spotlight: Jaya Baloo, Chief Information Security Officer at KPN Telecom
Tuesday, April 9th, 2019
Jaya Baloo joined KPN Telecom 6 years ago, as Chief Information Security Officer, to build up the Cybersecurity department, which currently has over 100 employees. Jaya was recognized as one of the top 100 CISOs globally by The CISO Platform in 2017, won the Cyber Security Executive of the Year Award in 2015 and is also a well-known speaker at security conferences across the world.

What are the greatest challenges you have overcome since you became CISO?
The one thing I keep telling my team that I can guarantee is we are going to get hacked. It’s because we are such a big network and also because we are an intermediate target to get to other targets. Obviously, we try to prevent as much as we can, respond as quickly as possible and verify as many actions as possible. The main challenge is to always keep thinking of new ways that we could improve our existing security measures in novel ways. We recently set up a new unit that invents new security solutions which we cannot find in the market, for example a post-quantum VPN tool.

How should CISOs work with the rest of the board?
People need to realize that security is actually sticky in that it is something very relatable to each and every role. You inherently realise that if you do not address a security issue then you will be exposing yourself to a risk. As a CISO, you should use this to your advantage, relate your cybersecurity objectives to the motives of the board and make it as relevant to them as possible. I also don’t believe that support for cybersecurity ends with the board: effective storytelling might work for senior leadership, but you ultimately need every employee on your side to realise how they can best defend the company within their role in order for this to work.

What needs to change about how most organizations are handling their information security?
A lot of companies are quite relaxed about their cybersecurity, almost too relaxed. This is usually because they are not measuring what is actually going on in their company. They tend to generally want to trust their employees, partners and vendors. The issue is that trust is ultimately just a social contract and the health of this contract needs to be checked. So only if you monitor the behavior of your employees, partners and vendors can you give your trust to them freely. This is not a well-known threat for many of the larger companies.

How much of a role does human error play in data breaches?
Human error plays a huge role in data breaches. Whenever I talk about employees being a threat, I don’t simply mean the malicious ones who want to wreak havoc across your organization. A lot of accidental actions create many of these problems. That’s why creating cybersecurity awareness across a company is so difficult to scale. All forms of attacks tend to begin with some form of targeted phishing, which is very challenging because of the social engineering aspect. That’s why you need a system in place that takes these issues into account, and why the best solution a company can have is a mix of technology and user awareness.

Do you have any advice for new CISOs to help set them up for success?
CISOs typically come from a very technical background and tend to think that they need to develop their metaskills such as presentation or storytelling. Obviously this is not a bad thing, but it does become an issue when they invest in these new skills to the detriment of those core technical skills that got them there in the first place. So I would recommend obviously investing in those metaskills, but also doing a technical training session once a year with your team. Try to stay abreast of the newest technical trends as well by networking and speaking to other CISOs.
Interviews With CISOs
Tessian Spotlight: Kevin Delange, Chief Information Security Officer at International Game Technology
Friday, April 5th, 2019
Kevin has an extensive background in information security, systems architecture and communications. As Chief Information Security Officer at International Game Technology, he holds global responsibility for information security as well as governance, compliance and threat intelligence.

What are the greatest challenges you have overcome since you became CISO?
Most of the challenges you tend to face as CISO are people challenges, like understanding how different areas work and what their state of security is. This is critical, but can be difficult, especially when you are trying to integrate all the different operations into a single security unit.

What are specific tactics you use to engage the board?
The two main functions of my job are to communicate updates to the board and keep a finger on the pulse of the business. This means that I need to translate tech speak into business speak for the board, because if I can’t communicate it well, then nobody will listen. Therefore, the art of presentation is key and you should avoid communicating anything too technical. Ultimately, when speaking to the CISO, the board is interested in understanding our risk profile. If the profile is acceptable and you can communicate that clearly, they will be happy.

What are the most important KPIs or security indicators that gaming companies should care about?
From a high level, the two most important security aspects that every company should care about — not just gaming companies — are knowing what your attack surface is (i.e., the different attack points) and what your defences are. Based on those two, you can then determine what your KPIs should be. Other than that, understanding how well you are implementing governance, risk and compliance requirements and meeting your regulatory obligations should be on every company’s mind. You need to make sure you are operating in line with the regulatory requirements. If you are compliant and you understand what your attack profile and defences are, you can solve a huge portion of what the board is concerned about.

What needs to change about how most organizations are handling their information security?
Companies should accept that it is just a matter of time before something happens, and they need to be prepared for attacks to get through their defences. I’ve been exposed to a lot of organizations that focus entirely on preventing attacks and do not have a plan for dealing with successful attacks. It is important to be prepared for every scenario, and this is not something that many companies are doing. The key is understanding that technology is ultimately a means to achieving an acceptable risk profile.

What are the greatest information security threats to the gaming industry and how would you address these?
The biggest threat is phishing, and this is not unique to the gaming industry. Being able to deal with phishing attacks and reacting to successful ones should be at the top of everyone’s mind. Phishing attacks are basically 90% of the way people are attacking you; all other attack vectors are significantly smaller. Many threats can be dealt with quite well, but addressing the social engineering aspect that makes phishing attacks hyper-targeted is extremely difficult.

What do you read or listen to in order to stay on top of advancements in information security?
Information security is all about being up-to-date. The joke used to be that technology changes in dog years; now it’s more in the mayfly territory, where every single day something new comes up. I take advantage of any article that highlights new possible attack vectors, or helps me understand how I could deal with these attacks. If you don’t know what you are dealing with, then you will simply not be able to deal with it. Another option is to go to tradeshows or networking events that involve a lot of knowledge sharing.
Interviews With CISOs
Tessian Spotlight: Richard Wakefield, Chief Technical Officer at Salford Royal NHS Foundation Trust
Friday, April 5th, 2019
Richard is the Chief Technical Officer at Salford Royal NHS Foundation Trust, which he joined in 1998. His responsibilities range from infrastructure provision and digital equipment to cybersecurity.

What are the greatest challenges you have overcome since you became Chief Technical Officer?
The most difficult challenge was initially dealing with cybersecurity, but there has been a huge transition in how we view it. It used to be seen as something we did alongside the ‘day job’, but now it has taken a much more central role. The main challenge is embedding cybersecurity culture and awareness into teams, and ensuring that security is dealt with in the right way at all levels. Part of my role is to introduce cybersecurity topics to the board, to make sure leadership are aware of the risks that the organization is presented with. How these risks are perceived will then influence our strategic direction when it comes to cybersecurity.

How should security executives ideally work with the rest of the board?
Security executives should first become aware of the language they are using, and change it if necessary to suit their audience. Many of them come from a technical background and speak in highly technical terms. People from other backgrounds will struggle to understand cybersecurity if it is presented in a highly technical manner, and they may consequently fail to realize its importance. Analogies are powerful ways to help translate to a non-technical audience. It comes down to understanding your audience, including their backgrounds and motivations. This has been one of the most important things I have understood in the last couple of years.

How are most organizations handling their information security, and what should ideally change?
I think a lot of people don’t understand cybersecurity and how it could impact on them personally or on the organization they work in. People tend to view it as something that restricts people, rather than being an area that protects them. Most organizations need to do a better job of embedding their security team into the wider business culture. Security measures should be viewed as coming from within the organization, rather than as something alien. Another important aspect is to foster a transparent culture between employees about cyber risks, and have everyone be willing to report their mistakes.

What are the greatest information security threats to the healthcare industry?
Medical devices now have far more digital capabilities than ever before, but with this comes a higher risk of these capabilities being exploited. Hacking groups are aware of the value of the information held in these devices. Unfortunately, I see this risk increasing over the coming years as everything becomes far more digitally integrated. Another risk unique to the public healthcare sector is that funding tends to be very tight. Usually, cybersecurity is viewed as a cost-avoidance tool by decision-makers and is not prioritized enough as a result. This makes attracting and retaining cybersecurity talent, as well as having the right level of security in place, important challenges. The Salford Royal NHS Foundation Trust is fortunate enough to have a great team, but many other organizations struggle to retain talent.

Do you have any advice for new cybersecurity executives to help set them up for success?
It’s all about the relationships you have with the key influencers in your organization. You could be doing all of the right things, but if you don’t have the right support at the right level then you won’t achieve anything. It is also extremely important that you establish a cybersecurity performance baseline when you are just starting out. A lot of people start changing things as soon as they start, but if you can’t compare your changes to anything, then you won’t know if you’re improving. Therefore, the first thing you should do is simply observe and establish a baseline for yourself of what is going on.
Tessian recognized as “2018 Market Leader” for Email and Data Protection
Thursday, April 4th, 2019
Tessian, an email security platform powered by machine learning, has been named a market-leading product by the cyber-security review website Expert Insights. Tessian works within the inbox, learning each user’s communication habits so that it can identify security threats; this is what lets it protect against phishing attacks, misdirected emails and data loss. Expert Insights, a B2B IT security review website, has named Tessian a ‘Market Leader’ in this area. They state that Tessian gives businesses excellent protection against phishing, and they recommend the service highly to businesses looking to protect themselves against misdirected emails and data loss. Misdirected emails are one of the biggest challenges facing businesses: sensitive emails sent to the wrong people can have damaging effects on companies. By getting to know an individual user’s communication habits, the product can tell when a user has misdirected an email; it then alerts the user and stops the email being sent. The same approach supports phishing protection from within the inbox, as the service can tell when an email isn’t legitimate and automatically delete it. These features allow businesses to go beyond traditional email security methods and provide multi-layered protection against data loss. The risks of data loss for businesses will continue to grow, and this product offers an intelligent solution. To learn more about Tessian, contact us here.
Human Layer Security
Tessian Wins Best Cybersecurity Service at Prestigious Hedge Fund Awards
Friday, March 29th, 2019
Tessian was named the Best Cybersecurity Service at the HFM European Hedge Fund Services Awards, in recognition of our innovative work to secure the human layer and prevent data breaches in hedge funds. Hosted at the Natural History Museum, the awards ceremony celebrated hedge fund service providers that have demonstrated exceptional client service, innovative product development and strong and sustainable business growth over the past 12 months. Tessian was shortlisted along with six other cybersecurity companies that provide solutions to protect hedge funds from cyber attacks.
We were thrilled to be recognized by the judges – a panel of leading hedge fund COOs, CFOs, GCs and CTOs – as the best-in-class cybersecurity solution for this industry. The award recognized how Tessian has fundamentally changed the way hedge funds approach cybersecurity, focusing on protecting the human layer rather than just securing a company’s networks and devices. This is incredibly important because 86% of data breaches can be attributed to human error, whether that’s accidentally sending an email containing sensitive data to the wrong person or falling victim to a phishing attack. When you consider that 60% of the organizations hit with phishing attacks during Q4 of 2017 were financial institutions, the threat in this particular industry is not one to be ignored. By using machine learning to analyze historical email data – the leading indicator of human behavior in the enterprise – our technology can automatically understand the relationships, context and communication patterns of people. By understanding normal communication, we can automatically identify and prevent email threats before they occur.
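The Expert Insights write-up and the awards post above both describe the same mechanism at a high level: learn a user's normal recipients from their sent mail, then warn before an unusual send. The following is an added illustration of that idea, not Tessian's code or algorithm. The sent-mail history, the addresses and the look-alike-domain threshold are constructed for the example.

```python
"""Recipient-anomaly check for outgoing email, built from a sender's history.

Added illustration of the idea described on the page (learn a user's normal
recipients, then warn before an unusual send). It is not Tessian's code or
algorithm; the history, addresses and threshold below are constructed.
"""
from itertools import combinations

# Constructed sent-mail history: (sender, recipients) per message.
SENT_HISTORY = [
    ("alice@firm.example", ["bob@clientco.example", "carol@clientco.example"]),
    ("alice@firm.example", ["bob@clientco.example"]),
    ("alice@firm.example", ["dan@otherclient.example"]),
    ("alice@firm.example", ["bob@clientco.example", "carol@clientco.example"]),
    ("alice@firm.example", ["eve@firm.example"]),
]

# Assumed threshold: a recipient domain within this many edits of a domain
# the sender already uses is treated as a probable typo or look-alike.
LOOKALIKE_MAX_DISTANCE = 2


def domain_of(address):
    return address.lower().rsplit("@", 1)[1]


def build_profiles(history):
    """Per sender: known recipients, known recipient domains, and which
    recipients have previously been addressed together on one message."""
    profiles = {}
    for sender, rcpts in history:
        p = profiles.setdefault(
            sender.lower(), {"recipients": set(), "domains": set(), "pairs": set()}
        )
        rcpts = sorted(r.lower() for r in rcpts)
        p["recipients"].update(rcpts)
        p["domains"].update(domain_of(r) for r in rcpts)
        p["pairs"].update(combinations(rcpts, 2))  # sorted input, so pairs are canonical
    return profiles


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_draft(profiles, sender, recipients):
    """Return (recipient, code, detail) warnings for a draft message.

    Codes: no_sender_history, co_recipient_mismatch, lookalike_domain,
    new_address_known_domain, new_domain. An empty list means nothing unusual.
    """
    p = profiles.get(sender.lower())
    rcpts = [r.lower() for r in recipients]
    if p is None:
        return [(r, "no_sender_history", "") for r in rcpts]

    warnings = []
    for r in rcpts:
        if r in p["recipients"]:
            # Known recipient: flag if this sender has never put them on the
            # same message as the other known recipients (e.g. two clients mixed).
            others = [o for o in rcpts if o != r and o in p["recipients"]]
            if others and not any(tuple(sorted((r, o))) in p["pairs"] for o in others):
                warnings.append((r, "co_recipient_mismatch", ", ".join(others)))
            continue

        domain = domain_of(r)
        if domain in p["domains"]:
            warnings.append((r, "new_address_known_domain", domain))
            continue
        lookalikes = sorted(
            d for d in p["domains"] if edit_distance(d, domain) <= LOOKALIKE_MAX_DISTANCE
        )
        if lookalikes:
            warnings.append((r, "lookalike_domain", lookalikes[0]))
        else:
            warnings.append((r, "new_domain", domain))
    return warnings


if __name__ == "__main__":
    profiles = build_profiles(SENT_HISTORY)
    for rcpts in (
        ["bob@clientco.example", "carol@clientco.example"],  # routine send
        ["bob@clientc0.example"],                             # typo'd domain
        ["bob@clientco.example", "dan@otherclient.example"],  # two clients mixed
    ):
        print(rcpts, "->", check_draft(profiles, "alice@firm.example", rcpts) or "ok")
```

check_draft returns an empty list for a routine send and one tuple per anomalous recipient, so a mail client plug-in would prompt the user only when the list is non-empty. The edit-distance threshold of two is an assumption that will be noisy on very short domains; a real deployment would tune it against its own history and would rank a never-seen domain below a look-alike of a known one.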
Interviews With CISOs
Tessian Spotlight: Craig Walker, Global Chief Information Officer for Shell Downstream at Shell International Petroleum Company
Tuesday, March 26th, 2019
Craig Walker has nearly 30 years of experience with Shell spanning locations such as the US, Colombia, South Africa, Saudi Arabia, UAE and the UK. Originally joining Shell as a programmer in 1981, and after a 6-year stint at KPMG in the early 2000s, Craig is now the global CIO for the Shell Downstream business. This includes trading, manufacturing and refinery as well as the B2B businesses such as marine, aviation and retail.

What are the greatest challenges you have overcome since you became CIO for the Downstream business?
I was originally brought in to put the IT processes right, as Shell was not doing the best it could have been at the time; it wasn’t moving quickly enough or being very agile. I managed to cut down my budget by 44% by the end of 2018, all at a time when digital transformation is one of the hottest topics in the board room. It was a difficult process, but we ultimately managed to do this through various initiatives to increase talent and reduce the number of outsourced employees. I also restructured my team to make sure that everyone had the skills, such as agility and speed, to thrive in a modern IT department. Another key action I took when I arrived was to outline the 3 themes that my team would cover:
1. We focused on commerciality. If you don’t understand how the business makes money, then you cannot be an effective IT person. You have no accurate framework of how to prioritise your work. Everyone at Shell is a business person; it just so happens that IT people come to work with an IT toolkit.
2. We established one true team. You cannot have a high performing team if people cannot work effectively with each other.
3. The team became very results-oriented. It’s all about putting a dollar on the bottom line of the business; ultimately, that’s why you are doing it.
Another challenge is keeping up-to-date with all of the tech nowadays which, as an IT leader, you absolutely must do. You have to have the 101 knowledge to engage the business effectively and understand the possibilities of the tech. Ideally, 10% of your time should be spent learning about new topics.

How should CIOs ideally work with the rest of the board?
The CIO has to use the same business speak as anyone else does; you have to take your speciality up to a level where colleagues understand why it is relevant to them and their bottom line. Otherwise, it will not have an impact. Another very important aspect is having the ability to tell a story and bring a vision to life. For example, I use clips from JFK’s Moonshot speech a lot and, at one point, he says that they are going to build a rocket out of material that hasn’t been invented yet. Well, I’m trying to build a business model with technology that people are just beginning to understand. You have to be able to convey all of this in a convincing way and show the rest of the board the art of the possible without overselling. You have to show up as a business person, which is not easy for a lot of CIOs as they come from a highly technical background. This is why I say that one of my greatest learnings at KPMG was the ability to tell an engaging story to a client.

What needs to change about how most organizations are handling their information strategy?
One of the largest issues right now is that many organizations are swamped with data. For us, the amount of data coming from plants etc. is immense. However, it is important to capture and use as much of that data as possible. In essence, the change in strategy nowadays is that, because nobody knows what the data will be used for yet, you had better make sure to capture as much of it as possible. It used to be very prescriptive, whereas now companies such as ours are much more open-minded.

What are the greatest information security threats to the oil & energy industry and how would you address these?
There seem to be two levels of threat nowadays: you have people who want your data because it costs a lot to get, and then you have people who want to do you harm. Because of the new regulations in place (e.g. GDPR), information security now has to be much more encompassing in protecting the consumers and the brand. The main threat is damage to the brand, because any company that has a high level of trust and then suffers something like a data breach will immediately lose that trust. This will affect your business. At the same time, the amount of data is growing, so it is now becoming much more difficult to keep it safe. Ultimately, nobody can create a perfectly safe environment, but you have to do your best, and this is not unique to our industry.

Do you have any advice for new CIOs to help set them up for success?
Whenever I am in a new position, I always write myself a 30-, 60- and 90-day plan. In the first 30 days, you should just listen to everyone and build up your own picture of what is going on. Be sure to test your opinions by playing them back to people constantly, and listen to the business team a lot. You need to understand what they want to achieve. Once you have a picture of the business, don’t be afraid to make difficult decisions about people. Have a vision in place and see who fundamentally buys into it and who doesn’t. Whenever I delayed decisions about people, I almost always regretted it. Somewhere within those 90 days, you should set out your plan of action and learn who is going to give you unbiased feedback. Finally, try to network with your fellow CIOs in your and other industries to keep exchanging knowledge.
Interviews With CISOs
Tessian Spotlight: Thomas Tschersich, Senior Vice President, Internal Security and Cyber Defense at Telekom Group
Tuesday, March 26th, 2019
Thomas is the Senior Vice President of Internal Security and Cyber Defense at Telekom Group with over 20 years of cybersecurity experience. His wide-ranging role involves managing all aspects of security for Telekom Group, from personal and physical security to cybersecurity.

What are the greatest challenges you have overcome since you became SVP for Internal Security & Cyber Defense?

The biggest challenge has been to drive a new mindset into the security teams. At most companies, security teams operate in such a way that they hinder rather than empower others. For example, setting policies in place but leaving the responsibility of security ultimately to the commercial and operational teams. Then, when something goes wrong, they blame others rather than their own practices. This is not how it should be and needs to change. The best way of doing this is having security work directly with the other teams to find a solution where everyone is involved in shaping it. However, this initiative should come from the security teams as they carry responsibility for this.

How should senior cybersecurity executives ideally work with the board?

In most organizations, you typically see CISOs reporting to CIOs. The problem with this is that you are always relying on the priorities of the CIO to accommodate your information security concerns. When the CISO is mostly driven by the agenda of the IT team (i.e. the CIO), then the likelihood of failure increases because the priorities of the CIO and CISO are ultimately different. For example, a CIO might want to cut down costs, but a CISO will realize this could increase your security risk. To create an effective cybersecurity strategy, you need to be an independent advisor or be on the same level as the CIO or CTO and ideally report directly to the board. This allows you to align the security strategy more independently and adapt to the needs of the company. You need a direct relationship with the board to ensure security is a priority.

What needs to change about how most organizations are handling their information security strategy?

When a cybersecurity team is not acting as a barrier to other teams but is instead working together with them, the business will see an increase in efficiency. It is crucial for cybersecurity to become a business enabler rather than just a pure cost factor. This is what modern organizations have to understand to become successful. Other than that, keeping your infrastructure up-to-date is key. Many of the most successful cyber attacks happen partially because of a missing software update.

Do you have any advice for new CISOs to help set them up for success?

First of all, listen to the business and understand how it works. Then you can set up security measures that will really help the business achieve its goals and keep practices safe, rather than just providing commercial teams with a security target and writing out policies. This is the most essential aspect to understand: with just a policy you are protecting nobody. Also, make sure to network with your peers and talk about breaches openly so no industry ever falls victim to the same threat twice. From time to time, you might be the first victim, but other times you won’t be a victim at all because someone told you about the threat beforehand.

What role do you think human error plays in data breaches?

I would say most data breaches come from disruptive security measures. If I only implement procedures that are a burden to people and their productivity, then they will obviously try to find a way around them. For example, if a policy required people to change their password once a week, you would almost certainly have more people writing their passwords down, and so the risks actually increase. Security executives need to focus on security measures that support rather than burden the user. This consequently reduces the number of threats, as people are not motivated to find a way around measures anymore.
Tessian Spotlight: Pierre-Yves Geffe, Chief Information Officer for Swedbank Luxembourg
Thursday, March 21st, 2019
Pierre-Yves has been the Chief Information Officer for Swedbank Luxembourg for over a decade. Originally hired to restructure the bank’s IT operations, he overhauled the IT teams into a highly agile workforce and successfully led numerous IT implementations and migrations. Before joining Swedbank, Pierre-Yves worked in IT at both the Luxembourg Stock Exchange and IBM.

What are the greatest challenges you have overcome since you became CIO?

The greatest challenge is hiring and attracting the best employees. My strategy from the beginning was to automate as many processes as possible so that I could hire the best people. Steve Jobs once said, “It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.” I couldn’t agree more with this, and that is how we try to attract people here. We are committed to automating processes and staying on the edge of innovation. Slowly, the bank has started to change and become much more flexible and efficient. It was a difficult process, but I think we have managed to do it.

What are the specific tactics you use to engage the board?

Chief Information Officers sometimes have difficulty getting complex ideas across to the rest of the board. The board is made up of mainly commercial, financial and legal executives, so I find that the best way to express my ideas is through analogies. It is more effective to break down technical aspects into fundamental analogies, as this helps them understand the IT perspective much better. This also helps us justify spending on IT initiatives, showing how they will help the business.

What are the most important security indicators that banks should care about?

I pay most attention to human resources, because keeping talent is a factor that almost every other IT goal depends on. A company, especially a bank, needs to make sure that employees are happy to work there, because the nature of the job cannot allow for mistakes to happen. Unhappy employees are much more likely to make a mistake which could lead to something like a data breach. Because of this, I have no problem allowing them to focus on any personal issues first, so that when they come into work they are as happy and effective as possible. The cost of employee mistakes will be much higher than the cost of letting them focus on any personal challenges first.

What needs to change about how most organizations are handling their IT?

Most organizations do not think about how happy their employees are. They don’t understand that if you take good care of your employees, then they will take good care of the organization, especially in IT and cybersecurity. Happy employees are much more likely to behave in a compliant and secure manner.

What are the greatest information security threats to the banking industry?

A lack of employee education when it comes to cybersecurity risks is a very big threat. Lots of employees tend to get phishing emails, and many click on the links included in the email without knowing the risks involved. One way of tackling this could be to be very close to the users and remain up-to-date with how users are treating these threats. However, this can only take you so far. Luckily, we have been able to escape any major risks for now, but it is an ongoing process.

Do you have any advice for new CIOs to help set them up for success?

You have to get out of the office. Meet with your peers and industry experts, go to workshops and networking events. You should also read blogs and articles constantly to remain on top of the newest technologies, solutions and threats. Ultimately, if you are curious and flexible in your approach to solving a problem in IT, then you have the right tools to get started.
Compliance
GDPR: 13 Most Asked Questions + Answers
Friday, March 15th, 2019
1. Who’s enforcing GDPR?

In May 2018, the GDPR came into force across the whole of the European Union. The GDPR applies equally to all EU member states, but that doesn’t mean each country will enforce its requirements equally. Each member state handles enforcement and will have a regulatory body called a supervisory authority that will be in charge of auditing and enforcement. 28 different countries will handle enforcement. That means Germany, for example, is expected to be tougher on enforcement of GDPR than elsewhere on the continent, given that data protection is conducted at a state level. Conversely, the U.K. has traditionally been the member state to push back against any overt data-privacy regime that could impede global trade.

2. What are the penalties for non-compliance with GDPR?

Penalties can be a fine of up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The latter is the steeper penalty, and the assumption is that it will be levied in severe cases when a company has totally disregarded data privacy. The supervisory authority decides the fine’s amount based on the circumstances and the violation level.

3. What is a GDPR Data Processing Operation?

A data subject is the person about whom data is being collected. The data controller is the person or organization that decides why personal data is held or used, and how it is held or used. Any person or organization that holds or uses data on behalf of the data controller is a data processor.

The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach.

4. How does the GDPR handle this?

GDPR refers to the time between detecting a breach and notifying impacted parties about it. However, part of the security-for-privacy concept is about being able to detect breaches and having best-practice tools and processes in place to do so.

5. What documentation do we need to prove that we’re GDPR compliant?

GDPR, compared to the Data Protection Act that it replaces, states that there is a need to demonstrate compliance. According to Article 5(2) of the regulation, “The controller [i.e. your company] shall be responsible for, and be able to demonstrate compliance”. It is a good idea to document everything about your GDPR process, so it is clear that you have taken the right investigative steps and have taken reasonable steps to fix any issues. You then have a document you can point to if you’re ever asked any questions.

6. What are the data requirements for GDPR?

- Data can only be processed for the reasons it was collected
- Data must be accurate and kept up-to-date, or else erased
- Data must be stored such that a subject is identifiable for no longer than necessary
- Data must be processed securely

7. Is GDPR training mandatory for staff and management?

Anyone whose job involves processing personal data undertakes data protection and data handling training. This includes full-time staff, third-party contractors, temporary employees, and volunteers.

8. Does GDPR compliance differ based on the number of employees a company has?

GDPR doesn’t differentiate between the sizes of organizations.

9. What type of language should be included in a consent policy?

Check out the Tessian privacy policy, which shows you how detailed consent needs to be.

10. Is appointing a DPO mandatory?

GDPR requires appointing a DPO when an organization performs data processing on a large scale, processes certain types of data, or processes data on an ongoing basis as opposed to a one-time process.

11. What happens if some data is processed outside the EU?

The GDPR allows for data transfers to countries deemed by the European Commission to provide an adequate level of personal data protection. In the absence of such a decision, transfers to non-EU states are also allowed under certain circumstances, such as standard contractual clauses or binding corporate rules.

12. Does GDPR affect US-based companies?

Any U.S. company that has a web presence and markets its products over the web will have to take notice. Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

13. If we are based in the US, have EU citizen data and experience a breach, who do we notify?

There are rules around which authority should be notified, based on criteria like the situation, the organization and where the processing occurs.

How can Tessian make you GDPR compliant?

Under GDPR, an organization is most likely to suffer a fine or penalty due to data loss through a misdirected email. Misdirected emails were the number one form of data loss reported to the Information Commissioner’s Office (ICO) in 2017. Some notable examples of penalties issued by the ICO for misaddressed emails include 56 Dean Street Clinic, which was fined £180,000 for inadvertently disclosing the identities of HIV positive patients, and Dyfed-Powys Police, which was fined £150,000 for inadvertently disclosing the identities of registered sex offenders to a member of the public. GDPR forces organizations to report all personal data breaches to the appropriate governing body and maintain a register of these internally. Under GDPR, organizations have an obligation to report misdirected emails to the ICO and face fines of up to 4% of global turnover depending on the severity of the breach.

Given that misdirected emails are the number one type of data security incident currently reported to the ICO, this should be of significant concern for all organizations in the transitioning years toward GDPR. Tessian uses machine learning to automatically detect when emails are being sent to the wrong person, allowing organizations both to prevent information being sent to the wrong person and, crucially, to retain an audit log of the warning messages shown to users when sending emails and the response each user made to the warning that was shown. The audit feature and preventative nature of Tessian align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). Furthermore, with increasing numbers of firms adopting Tessian’s technology and their role in helping advise other companies in their transition to GDPR, simply relying on staff being as careful as possible and on internal training becomes an untenable posture when protecting personal data.