Tessian Blog

Threat Intel
Tessian Threat Intel Roundup for June
By Charles Brook
Tuesday, July 5th, 2022
The Tessian Threat Intel team continues its focus on business email compromise (BEC) campaigns. We issued a Threat Advisory for a PayPal-themed campaign we have been tracking since January. The threat actors in this campaign are seeking to commit payment fraud and potentially compromise credentials. Other key threats that we are focusing on include increasingly advanced methods for Account Takeover (ATO) and the persistent threat of email-delivered ransomware, including a spike in wiper-malware. Sign up for our Threat Intel update to get this monthly update straight to your inbox.
Tessian Threat Intelligence has recently tracked and observed scammers, on numerous occasions, sending emails with fake invoice payment requests from payment service providers such as PayPal. From the early evidence we are seeing, online fraud campaigns are on the rise, with the potential to evolve into ATO-based attacks. Although the primary targets are private consumers, we are likely to see similar attacks targeting vendors and suppliers in the enterprise. The increasing sophistication and targeted nature of attacks observed across the cybercrime landscape represent the maturation of cybercrime, with threat actors targeting specific entities rather than random targets. A number of these phishing attacks leverage open source information, as well as relying on information gathered from previous data breaches to identify high-yield targets.
Tessian Threat Intel continues to track BEC and payment fraud campaigns, with executive impersonation observed as a consistent theme. Cryptocurrency payment fraud has already resulted in over $1 billion in losses according to the FTC and is up 60x in 2021 compared to 2018. Ransomware-as-a-Service gang activity emanating from Russia is on the rise once again, with REvil re-emerging after an initial law enforcement crackdown. Wiper-malware is surging in 2022, first seen in Russian cyber attacks against Ukraine. Russian APT groups have been observed exploiting the Follina vulnerability. Microsoft released a patch for Follina in June, but we may see a spike in attachment-themed phishing abusing the vulnerability before the fix is widely implemented. Chinese APT groups have been using ransomware as a decoy to carry out espionage campaigns. Other attack campaigns that have captured our attention include the increasing phenomenon of voicemail-themed phishing campaigns observed by Zscaler. We expect email-delivered ransomware, including the growing prominence of wiper-malware, to remain leading threats in 2022. A recently launched carding site ‘BidenCash’ gave away a list of stolen card details for free across dark web forums to promote their store.
Having intelligent and layered cybersecurity defenses in place, particularly securing email and the endpoint, is critical for staying safe. Leveraging behavioral cybersecurity solutions that can detect sophisticated social engineering attempts is essential, as threat actors continually develop intelligent methods to bypass rule-based security controls. Practicing good cybersecurity hygiene and regularly testing your security controls, including business continuity and disaster resilience capabilities, are of fundamental importance to cyber resilience. Conducting in-the-moment and contextual cybersecurity awareness training on advanced email threats for your employees should be prioritized – end-users are your first line of defense.
To see how Tessian prevents ransomware attacks and data loss, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Email DLP
Product Update: Actionable Event Triage
By Dan Harrison
Friday, July 1st, 2022
Security and risk management teams are focused on detecting, investigating, and responding to cyber security incidents. Given the high number of security tools deployed in the environment of a typical organization, reviewing security events that could be actual incidents requires dedicated FTE resources and time. This creates two challenges:
1. A delayed response time in triaging security events and finding incidents can worsen the fallout from a breach, thereby elevating the level of risk.
2. Security teams find it increasingly time consuming to handle this volume of events, potentially resulting in analyst burnout, loss of retention and a reduced quality in event investigation.
Improving the efficiency of event triage is essential to help security and risk leaders speed up investigations and remediate incidents.
Working Smarter, Not Harder
A recent Tessian-commissioned study by The Ponemon Institute found that “it can take an average of 72 hours to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email and an average of almost 48 hours to detect and remediate an incident caused by employees’ negligence or error on email.” This is why Tessian has focused on making the investigation process more efficient for our users with a new event triage workflow.
Enhanced security event management
Tessian has improved security efficiency for customers through enhanced event triage in the Tessian Portal for all of our data loss modules: Guardian, Enforcer and Architect. Our latest feature update includes:
• The ability for security admins to view the full email body and attachment for a flagged email.
• The ability for users to label events with their workflow status. Events can be marked as Open, Incident, Safe, False Positive, or Other.
These capabilities enable Tessian users to get more context on a security event and easily collaborate with team members, leading to a more efficient end-to-end investigation process. These enhanced capabilities extend across M365 and GSuite mailboxes.
Making the SOC more efficient
The new event triage enhancements demonstrated below enable security analysts to view the email body and to triage security events more effectively. The advantage this brings to security teams is being able to access the event content immediately, rather than requesting the email content, often from a separate team. This speeds up the investigation workflow and reduces the dependency security teams have on other parts of the organization. Further enhancements include being able to assign security events to team members and labeling the event with its workflow status (open, incident, safe, false positive, other).
These new feature enhancements will enable:
• End-to-end investigations completed entirely within the Tessian Portal, resulting in a more efficient response to security threats.
• Improved SecOps efficiency in dealing with actual events vs. false positives.
• Easier collaboration with team members through the assignment of events, helping teams remain focused on what matters most.
• Insight into the outcome of data loss events through event status tagging, helping the CISO gauge risk using real data and helping to measure Tessian’s return on investment.
A note on privacy
The ability for security teams to view the full body of emails and their attachments may pose a privacy concern to customers. In recognition of this, we have built in privacy guard rails which customers can use to control and monitor data access. Only Tessian users who have the necessary permissions to view the full email body and attachments will be able to do so. In addition, whenever a user requests to view an email’s full body and attachment, an audit event is created which can be viewed within the Tessian Portal.
Life at Tessian
Tessian’s 2022 DEI Report
By Tessian
Tuesday, June 28th, 2022
As a human first company, we want Tessian to be a place where everyone has the opportunity to bring who they are to work, and be included and valued as they are. Diversity, equity and inclusion (DEI) is so important to us, not only because it’s the right thing to do, but also because it’s essential for our success. Diversity is necessary for innovation, so prioritizing it is a really important part of our future as a company.   We recently published our second annual DEI Report, and I’ve been reflecting on our journey over the last year and the three big lessons I’ve taken into this year’s strategy.
Data. Data. Data.
We can’t just guess how we’re doing on DEI, we need data. When we first launched our 2021 DEI Strategy, it was based on analysis of a number of different kinds of data that helped act as signposts towards our DEI Focus Areas. Since then, we have improved our data set to add anonymized candidate data, and employee data about lots more personal attributes.
Anything we can explore – we do. It can be difficult to know where you’re going to find the most interesting and impactful insights before you start looking. Here’s how we do it:
We start off with a big pile of data, everything from representation to experience, to compensation to retention, all split by all the different personal attributes we collect voluntary data on. There are some standard measures we look at: pay gaps, representation vs benchmarks, significant variations in experience etc., but that often opens the door to lots of further questions that require further data exploration. We do our best to turn over every single stone and ask ourselves: is something going on here? Usually the answer is no, but it’s important that we employ that rigour everywhere, so that when the answer is yes, we don’t miss it. It’s easy to get distracted by what we assume the most significant DEI concerns are, often based on our own biases, so it’s key to start as objectively as possible. Don’t guess or intuit where you should be focusing attention! Start with as much data as you can get, and let that guide your thinking.
If you don’t actively pay attention, anything can slip
Focus is necessary, but it’s hard. Throughout this journey, we’ve been so conscious that there are infinite dimensions of diversity to consider, and infinite topics we could focus our attention on. But resources are finite, and if we want to make an impact, we need to focus on just a few things.
As hard as it feels, focus isn’t just about deciding where you are going to focus, it’s also about deciding where you’re not going to dedicate energy. In 2021 one of those “non-focus areas” for us was gender representation. We found that we were above the benchmark compared to other companies similar to us, and there was nothing to indicate that might drop. So we put our energy into other places.
Throughout 2021, our gender representation gradually fell by 7 percentage points as we happened to hire fewer women and people from underrepresented genders. By the time the end of the year came, these few percentage points had put us below the benchmark compared to other similar companies.
Focusing on other kinds of representation, and other DEI areas, meant we didn’t notice this gradual change in our gender representation, and so didn’t get ahead of it. This was a really important lesson for us this year; this time around we are paying more attention to movement in metrics even when they don’t directly relate to our focus areas for the year. This is key to keeping focus dynamic, and adapting to the information you have today.
Working with everyone: the necessity of team activity
The final lesson I’ve taken from our DEI journey so far: DEI is necessarily a team activity. None of us can do it alone.
Once we have our focus areas, we develop tactics that we hope will address them. So far on our journey, the accountability for these tactics has been with the People & Talent team. But the more work we do, the more we realize we need the whole company 100% behind us, prioritizing this work.
Hiring is a great example of this: in a fast growing business, representation often comes down to hiring. If you’re growing but you aren’t hiring diversely, then overall representation will fall. So one of our Focus Areas this year is hiring more people from underrepresented genders and ethnic backgrounds.
Of course, our brilliant Talent partners care deeply about this, and are moving heaven and earth to build up a diverse pipeline of candidates. But it isn’t always easy. Building a diverse pipeline in a notoriously non-diverse industry can take time, and this is often time we feel we don’t have in such a fast-moving company. Or there might be a particular experience level we feel a candidate should possess that limits the diversity in the candidate pool.
This is where the rest of the company comes in. In this case: the Hiring Manager and hiring team. Every single Tessian needs to be bought into our strategy so that we can resolve these challenges in the right way. One of our Tessian values is We Do The Right Thing, so it’s really important to us to take these tensions seriously and work together to make the best decisions for our people.
There are a few basic things we ask of all Tessians…
• Help us reach diverse candidates by sharing our DEI work and our open roles widely…think LinkedIn, Discord, Slack. Any communities our Tessians are a part of!
• Continue to give us feedback on how they’re feeling, about DEI and our workplace more generally. We use an employee engagement tool, Peakon, to collect this feedback so that people can stay anonymous if they choose.
• And most importantly: Get to know each other! Connection building is the core of belonging, so we encourage lots of ways for our people to connect deeply. This is especially important in a globally distributed, hybrid team – we have to OVER deliver on opportunities to get together both in person and virtually.
What’s Next?
As with any journey like this, it’s far from over. We all have so much work to do in DEI and there are a hundred new questions swimming around our heads on where we should focus next, and how to make our DEI Strategy more effective. For example…
Goals: Right now our DEI Goals sit with the People team. Should we transition our DEI Goals to the company level, so that every one of us is responsible for addressing them? We know accountability is key, but is the accountability in the right place for maximum impact?
Engagement: How much time and engagement should we be asking of our people? Do we need everyone to know every detail of our strategy? Or is it enough that they know their own role, and the WHY behind DEI at Tessian?
We’re committing to continuing to ask ourselves these hard questions and hold ourselves accountable to the very highest standards of DEI. It’s not always easy, but it is the right thing to do.
Want to join us on our journey? We’re hiring, and all open roles are here. What’s it like to work at Tessian? Here are 200 reasons you’ll love it.
How Bad Actors Are Using the Cost of Living Crisis to Launch Attacks
By Andrew Webb
Monday, June 27th, 2022
Most people – we hope – can smell a rat when supposed African royalty offers us several thousand dollars as a ‘gift’ to help them get money out of the country, but what about when a well-known brand you love offers you free samples or invites you to enter a competition? The recent Heineken Father’s Day beer contest on WhatsApp is just the latest in a long line of seasonal or topical attacks that are run almost like marketing campaigns. Like all phishing attempts, there are a few common themes. One is a sense of urgency, in this case the fact that there are only a certain number of freebies available. There’s also nudging text like ‘don’t miss out’, ‘exclusive’ and ‘enter now’.
The Threat Actor’s Editorial Calendar
But what’s also interesting is that this attack came on Father’s Day, when a brand like Heineken might legitimately launch such a campaign and when people are thinking about last-minute gifts for Dad – it feels legit because it plugs into where your employees’ heads are at. Heineken wasn’t the only ‘Dad brand’ that suffered a scam: UK hardware stores Screwfix and B&Q also had exclusive Father’s Day competition prizes that were actually scams. That topicality and seasonality is played out throughout the year, on national awareness days, public holidays and yearly events like tax deadlines and Black Friday. As one attendee at our October Human Layer Security Summit told us, “in the Fall, someone is always going to click on FREE STARBUCKS PUMPKIN SPICED LATTE”. We’ve seen this in the world of entertainment too. In November 2021, fans were promised early access to the new season of Squid Game, only after filling in a short ‘survey document’.
Cost of Living Scams
Having targeted tech and finance brands for years, as well as logistics and delivery brands during the pandemic, scammers seem to be teeing up a summer of cyberattacks on consumer brands and retailers. The cost of living crisis, rising inflation and the surge in food and energy costs now make grocery stores, food companies and energy companies prime targets for scams. In June, we saw a scam featuring UK supermarket Tesco, with the promise of a £500 gift card. In May, the UK energy regulator, Ofgem, alerted consumers to a new energy rebate scam as energy prices soared. Meanwhile in the US, fuel company Shell highlighted a gas card phishing scam involving its Fuel Rewards program. And with some US employers offering to pay towards employees’ gas costs, you can see why things are getting confusing. The brand and sector may change but the scam is always the same: the promise of something for free coupled with a sense of urgency.
Education and awareness
These new threat vectors join the long queue of existing ones that your staff and organization are already vulnerable to. As we saw with Covid, bad actors thrive in times of confusion and uncertainty, and after a global pandemic, global economic turbulence and a spiraling cost of living is the next theater on which bad actors like to strut their stuff. So what to do?
As Bobby Ford said at our Human Layer Security Summit, the way you ‘crack the nut’ is putting a little piece of cybersecurity awareness in all your other programs, projects and meetings happening across your organization. That can be a quick update at the all-hands, or creating material, updates and awareness within your team that you don’t just push out, but that people actively come and seek out.
Work with your allies. Who else in the company can you form an alliance with? Perhaps you can bring in your internal comms or PR team’s experience? Getting the people team involved to make cybersecurity part of the onboarding process helps new joiners orient themselves before they touch your network.
Finally, the C-suite is critical to supporting any initiative you design, which matters because, as Mike Privitte notes in this LinkedIn post, “Phishing doesn’t have ‘work life balance.’ Company executives and their families will only see increased attempts outside of the 9-5 space”.
Tessian Threat Intel Advisory: PayPal Email Invoice Fraud Detected
By Charles Brook
Monday, June 20th, 2022
Summary
Tessian Threat Intel is issuing a threat advisory on cyber threat actors requesting payment from unsuspecting victims using fraudulent invoices issued via PayPal. We have alerted PayPal.
Overview
Tessian Threat Intel analysts have observed scammers, on numerous occasions, sending emails with fake invoice payment requests. Historically, many of these attempts would be detected by traditional spam filters and end up in the junk folder or in quarantine, because the senders were repeat offenders using the same template and text – easily detected as spam or malicious by rule-based email security solutions.
Since early March 2022, Tessian has identified ways in which threat actors have been adapting their techniques to reach victims’ inboxes by abusing a legitimate capability: sending invoices to third parties using PayPal’s email-delivered invoicing service.
To be clear, this is not a vulnerability within PayPal, nor is it an example of an account takeover (ATO). Rather, threat actors are creating invoices in PayPal and then issuing them to victims through PayPal’s service.
Technically, an email from PayPal would pass some of the most fundamental checks in email security, such as SPF, DKIM and DMARC. This means that, with a high degree of probability, similar emails would avoid detection by rule-based email security solutions, while also lending an air of legitimacy to the email.
An email sent from a financial services provider like PayPal increases the probability of the victim seeing and interacting with the email, including acquiescing to its demands for payment.
Examples of fraudulent PayPal invoices
The screenshot below is a legitimate email from PayPal containing a fraudulent invoice. In this example, the attacker has created a PayPal account with the profile name “bit-coins payments,” which is displayed as the sender display name. The threat actor has then created an invoice using the invoicing service available in PayPal (see Fig 2), and has then sent it with a message added by the attacker for the recipient. Grammatical and stylistic errors can also be observed, similar to what we have seen in common phishing emails.
The below screenshot shows the PayPal invoicing service.
In the example below, we can see the actual link addresses which would redirect the recipient to the PayPal generated invoice if clicked.
Technical breakdown of the message headers
As you can see below, both SPF and DKIM are a pass, and the sender IP ties back to PayPal directly. This sort of email has a high probability of passing rule-based email security solutions and being delivered into a victim’s inbox.
Authentication-Results: spf=pass (sender IP is; dkim=pass (signature was verified);dmarc=pass action=none;compauth=pass reason=100
Received-SPF: Pass ( domain of designates as permitted sender);  client-ip=;;
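The headers above pass every authentication check precisely because the provider really did send the mail, so a triage rule has to look at the text the invoice creator controls (display name, invoice note) rather than at SPF/DKIM/DMARC alone. The following is an added example, not Tessian's or PayPal's code: it parses an Authentication-Results header, confirms all three methods pass, and then scores the creator-authored text. All header values, addresses, the 203.0.113.x sender IP and the invoice notes are constructed samples.

```python
"""Triage of an authenticated invoice email that is still fraudulent.

Added example, not Tessian's or PayPal's code. Every value below is
constructed: authserv-id, sender IP (203.0.113.0/24 documentation range),
addresses and invoice notes. The point mirrors the advisory: SPF, DKIM and
DMARC all pass because the provider really sent the mail, so triage must look
at the text the invoice creator wrote, not at authentication alone.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Domains whose invoicing service relays notes written by the invoice creator.
PAYMENT_PROVIDERS = {"paypal.com"}
# Terms rarely seen in a genuine merchant invoice but common in the fraudulent
# notes described in the advisory (crypto theme, urgency, callback lures).
RISK_TERMS = ("bitcoin", "bit-coin", "crypto", "within 24 hours", "suspend", "call")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")  # loose phone-number shape

# Constructed fraudulent sample (placeholder values throughout).
SAMPLE_FRAUD = """\
Authentication-Results: mx.example.test; spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com; dmarc=pass action=none header.from=paypal.com;
 compauth=pass reason=100
From: "bit-coins payments" <service@paypal.com>
To: victim@example.test
Subject: Invoice from bit-coins payments
Content-Type: text/plain; charset=utf-8

Your bitcoin purchase invoice is ready. Pay within 24 hours or your account
will be suspended. For any question call +1-555-0100 immediately.
"""

# Constructed benign sample: identical authentication, ordinary merchant invoice.
SAMPLE_BENIGN = """\
Authentication-Results: mx.example.test; spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com;
 dmarc=pass action=none header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: accounts@example.test
Subject: Invoice from Acme Hosting
Content-Type: text/plain; charset=utf-8

Acme Hosting sent you an invoice for 120.00 USD for web hosting (March).
View and pay the invoice from your account.
"""


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results value into {method: (result, props)}.

    Parenthesised comments are dropped and the leading authserv-id skipped.
    """
    text = re.sub(r"\([^)]*\)", "", " ".join(value.split()))
    clauses = [c.strip() for c in text.split(";") if c.strip()]
    results = {}
    for clause in clauses[1:]:
        tokens = clause.split()
        if "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def all_authenticated(auth: dict) -> bool:
    """True when SPF, DKIM and DMARC all report 'pass'."""
    return all(auth.get(m, ("none", {}))[0] == "pass" for m in ("spf", "dkim", "dmarc"))


def triage_invoice_mail(raw: str) -> dict:
    """Return a triage record; verdict 'review' means a human should look."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    note = body.get_content().lower() if body else ""
    reasons = []

    authenticated = all_authenticated(auth)
    if not authenticated:
        reasons.append("SPF/DKIM/DMARC did not all pass")
    elif domain in PAYMENT_PROVIDERS:
        # Authenticated provider mail: display name and note are written by
        # whoever created the invoice, so they are the attacker-controlled text.
        brand = domain.split(".")[0]
        if brand not in display.lower():
            reasons.append(f"display name {display!r} is the invoice creator's, not the provider's")
        hits = [t for t in RISK_TERMS if t in display.lower() or t in note]
        if hits:
            reasons.append(f"risk terms in creator-authored text: {hits}")
        if PHONE_RE.search(note):
            reasons.append("phone number in invoice note (callback lure)")

    return {
        "authenticated": authenticated,
        "from_domain": domain,
        "display_name": display,
        "reasons": reasons,
        "verdict": "review" if reasons else "pass",
    }


if __name__ == "__main__":
    for name, raw in (("fraud", SAMPLE_FRAUD), ("benign", SAMPLE_BENIGN)):
        print(name, triage_invoice_mail(raw))
```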
Threat Mitigation Steps
Once PayPal was informed, Tessian found that the invoice was taken offline and no longer accessible. Thank you PayPal for your quick engagement.
In order not to fall victim to similar types of email-delivered invoice fraud, we recommend:
• Be careful of unsolicited emails, especially those containing requests for payment or including links to invoices.
• Always verify the authenticity of an invoice against the actual purchase order.
• If necessary, contact PayPal or any vendor requesting payment via an independent method (e.g. telephone) to verify the authenticity of the request.
• Have a failsafe system in place in your accounting department that requires two members of staff to verify the authenticity of invoices matched against purchase orders.
• Adopt intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated email-delivered invoice and wire fraud.
Virtual Cybersecurity Events To Attend in 2022
Monday, June 20th, 2022
SANS London – September 5-10, 2022
This series of cybersecurity courses and workshops is self-described by SANS as ‘hands-on’. Whether you are joining in person in London or virtually via live stream, each course includes presentations from industry experts with real-time support from GIAC-certified teaching assistants. A detailed agenda with speaker profiles is already online, as well as a short video that gives you an idea of what the courses are like. You can find it all here. Tickets cost between €6,000 and €7,000, with a few different add-ons (e.g. certifications and ‘on demand’ access), and early-bird discounts available.

Cloudflare Connect Sydney – September 8, 2022
This hybrid event invites attendees to learn from Cloudflare executives and special guest speakers about the present and future of internet and network security. Previous events have included keynotes, demos, hands-on labs, and real-world use cases. Details for the Sydney event aren’t out yet, but the May event in New York explored questions including: Where is networking going next? How can enterprises keep their data and workforces secure as workplace needs evolve? Is Web3 really the future for the Internet? The in-person price for previous Cloudflare events was about £300 and included access to exclusive breakout sessions, but you could attend the keynote virtually, free of charge.

FutureCon Cybersecurity Events – Various dates
FutureCon organizes a huge number of virtual events in cybersecurity (2-3 per month!), each shaped by their belief that “Cybersecurity is no longer just an IT problem”. Events are aimed at C-suite executives and CISOs and include high-level cybersecurity training with an appreciation for the ever-changing threat landscape. Their panels consist of C-level executives who share their experiences in mitigating attacks, and there are also opportunities to demo the newest technology. Events are $100, with discounts for early birds and reduced access options.

UKsec Cyber Security Summit – September 12-13, 2022
The UKsec Cyber Security Summit will be held in London and will focus on helping businesses to better protect their networks, data, and infrastructure from cyberattacks. The agenda for September has yet to be announced, but last year’s event included sessions on digital supply chain security, best practices in incident response, and building a strong cybersecurity culture in your organization. Registration costs £499, or £1,999 for vendors.

International Cyber Expo – September 27-28, 2022
Following on from the National event in April, this exhibition and conference in London is attended by CISOs, government officials, and policymakers alike. The agenda is created by a board of experts chaired by Professor Ciaran Martin CB, former CEO of the National Cyber Security Centre and Professor at Oxford University. The gathering includes ‘CISO Roundtables, Immersive Cyber Demonstrations, and a Global Cyber Summit’ and promises world-class education combined with practical business guidance. What’s more – tickets are free!

(ISC)2 Security Congress – October 10-12, 2022
This event, taking place in Las Vegas (but also available online), includes dozens of sessions around professional development, with topics usually including cloud security; DevSecOps; governance, risk, and compliance (GRC); and career development. Keynote announcements are still to come, but the agenda is otherwise complete and includes speakers such as Joshua Bregler (Head of Information Security, McKinsey) and Andrew Neal (Vice President Research, Gartner). Virtual passes are $665 and onsite passes are $1,595, but there are also early bird deals and single-day passes available.

Gartner IT Symposium/Xpo – October 17-20, 2022
The Gartner IT Symposium/Xpo is a huge annual gathering of CIOs and senior IT leaders. The event runs over 4 days in Barcelona, Spain, and is tailored for a wider IT audience but includes discussion of cybersecurity, artificial intelligence, culture, and more. There will be 40+ expert speakers and 100+ sessions, designed to help businesses improve their strategies and find future-proof technologies. Tickets are between €4,000 and €6,000 with a public/private sector split.

ALLOWLIST Cybersecurity Conference – October 20, 2022
This conference, taking place in Leeds, England, aims to bring together solutions, industry peers, and business leaders. The event claims to be ‘the biggest of its kind in the North of England’, with speakers Alan Case (Head of Channel UK and Ireland, Heimdal Security) and Scott Riley (Founder, Cloud Nexus), and topics including real-world threats small businesses are facing, the ransomware of tomorrow, and hackers’ best-kept secrets. Ultimately, attendees are promised that they will ‘learn something new and have a great time while doing so!’, with not only cybersecurity talks and demos but entertainment from Radio 4 comedian Alfie Moore. Early-bird tickets are £60 until 30th June.

Executive Women’s Forum – October 24-27, 2022
The Executive Women’s Forum describes itself as a “powerful community and caring sisterhood of women professionals in the information security, risk management, privacy, and related fields.” The 2022 agenda hasn’t been announced yet, but attendees are promised access to over 1,000 infosec thought leaders aiming to help executive women improve their professional standing and learn from their peers. The standard rate for registration is $895, with discounts for members and early birds available.

Cyber Security Summit – October 27, 2022
This one-day hybrid event began in New York City in 2013 and has grown ever since, ranking as one of the “Top 50 Must-Attend Conferences” by DigitalGuardian. Designed to connect C-Level and Senior Executives with cutting-edge technology providers and IC experts, its expert contributors include Marene Allison (CISO, Johnson & Johnson), Chad Adams (Cyber Security Advisor for DHS Region Six), and Sean Atkinson (CISO, Center for Internet Security). Attendance also earns you 8 CPE credits. Tickets are $195 for in-person admission and $195 for virtual.

FS-ISAC 2022 Europe Summit – Postponed to November 2022
While the event was originally scheduled for May 10-12, 2022, it has since been postponed to November 2022. This year’s presentations will all be focused on the central theme The New Cyber Era: Hyper Connected & Unbound. Expect to hear from industry leaders about technology, cloud, application, and data security, compliance, and cross-border intelligence. You can even submit your own presentation here. It’s not too late. You must be a member of FS-ISAC to attend. Learn more about eligibility and annual dues here.

Cyber Security & Cloud Expo – December 1-2, 2022
This London-based event is set to include 5,000 attendees (56% director level and above) from around the world, 100+ speakers, and 125+ exhibitors. The agenda looks at the issues security professionals face today and showcases innovative developments in the solutions market. Speakers have not been announced, but last year’s included Ian Hill (Global Director of Cyber Security, Royal BAM Group), David Everett (Executive Director, Cyber Assessments, JP Morgan Chase & Co), and Robin Smith (CISO, Aston Martin). There is a huge range of pricing tiers for this event, from free to £479, with some virtual options.
Interviews With CISOs
Almost Half of Chief Information Security Officers (CISOs) Have Missed A National Holiday Due to Work
By Andrew Webb
Saturday, June 18th, 2022
Being a CISO or Security Leader in today’s InfoSec world is not for the faint-hearted. CISOs are some of the hardest working people in any company, regularly working extra hours and overtime to keep the company secure from threats. But this constant vigilance for threats can mean that CISOs miss out on everything from time with the family to getting enough downtime to recharge. We recently undertook research to see just how much time CISOs “lose” investigating potential breaches and threats, and the headline is: security leaders don’t work hard, play hard. They work hard…then work harder. In fact, 42% say they’ve missed out on a federal or national holiday like Fourth of July, Thanksgiving or Christmas because of work. You can see the full details here, but here are some highlights.
CISOs' hard work isn't going unnoticed

While no one wants to miss out on family time, it's not all bad news. 89% of CISOs we surveyed believe the work they do is appreciated by employees outside their team. Furthermore, 66% of employees say they understand the role of the CISO. That's a ringing endorsement of how valuable and visible the relatively new role of CISO has become in just a few short years.

However, just because the rest of the organization knows who you are and what you do doesn't mean it's plain sailing. As a result of their demanding roles, CISOs are struggling to keep up with developments that further strengthen the business, like training, hiring talent, and staying on top of the latest threat intel. They're also missing out on important personal and social things outside of work, like public holidays and family vacations. Most concerning is the fact that some CISOs are even putting their health at risk by skipping workouts or missing doctor's appointments.
What are CISOs busy doing?

So where is all the time going? What is it that's causing CISOs to lose, on average, 11 hours a week in overtime? According to Forrester's research, organizations spend up to 600 hours per month resolving employee-related email security incidents. A quarter of CISOs say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day on each such threat. On top of this, 38% believe they're spending too much time in meetings and reporting to the board, and 33% also feel as though their time is being drained by other administrative tasks.

Looking for more detail on the things that are taking up CISOs' time? We've got you covered here, but it's clear that investigating breaches and dealing with the fallout from them is a major drain on time, resources, and mental health.
What would you do if your schedule was cleared?

We asked CISOs what they would do if they were able to claw back those Lost Hours, and it turns out their three primary objectives are:

• Spending time with family/friends
• Further strengthening the business
• Resting
Did you know that organizations with over 1,000 employees could save as many as 26,357 hours a year by automating security with Tessian?   While Tessian’s Human Layer Security platform can help you automate your security, which would help you strengthen your email security defenses and save you time, we’d rather use this opportunity to share some mindfulness and productivity tips to help you switch off.   • Share the load: While – yes – CISOs are the Head Honcho within IT and security teams, that doesn’t mean you have to do everything. Remember that delegation is validation, it’s okay to ask for help, and your best bet is to prioritize, then divide and conquer.   • Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Likewise, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge.   • Unplug (like, actually…): This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.  
Ready to learn more?    Want to find out how your security teams and employees can reclaim their Lost Hours? Get in touch with the Tessian team today to learn how Human Layer Security can help stop “Oh Sh*t!” moments from clogging up your schedule. 
Read Blog Post
Life at Tessian
Welcoming Our New Chief People Officer
By Andrew Webb
Tuesday, June 14th, 2022
We are welcoming Kelly Sheridan as Tessian’s new Chief People Officer! Kelly will be responsible for leading Tessian’s people strategy, with a key focus on attracting and growing talent, developing and evolving the company’s culture, and providing a great employee experience as the company grows and scales.    We sat down with Kelly to ask her a few questions and get to know her a little better.
Kelly, first things first, how did you get into the world of HR?    So, my path to Chief People Officer is certainly not the traditional route. I graduated with a liberal arts degree from Syracuse University but I didn't really have a "what I wanted to be when I grow up" moment. I knew I wanted to move to Boston, and it was there that I found myself landing a career in marketing. Over 12 years, I worked my way up at a variety of financial services companies and, in 2005, I joined the largest regional accounting firm in New England as their head of marketing. I loved every minute of the marketing stage of my career.   About a year after that, a new CEO came in and said he wanted to do some restructuring. He asked me to take over HR. I had zero experience, zero knowledge and, I thought, zero interest in HR. But he was certain it was where I needed to be and he promised me support, training, consultants, etc.    Here I am, 17 years later, as a Chief People Officer. Needless to say he was right; HR was my calling. He delivered on his promises and I still consider him a friend and mentor.
That’s an amazing story. So, what happened next?    The accounting firm was acquired by Grant Thornton and, as a result, HR was centralized in Chicago. So, in 2013 I left to pursue my next role as VP, Global HR at SharkNinja – a consumer goods brand which makes Shark Vacuums and Ninja Blenders. I had the chance to help grow both the People function and the global footprint, which saw me opening a design center in London and relocating to China for five months.    I later joined Bullhorn, the global leader in software for the recruitment industry, as its VP People. While I loved that role, I knew I wanted to take a step into a Chief People Officer (CPO) role and build a function from the ground up, and this is what I did at Nuvolo.   The last two and a half years have been a ride!  We grew our employee headcount from 250 to over 500, hiring 285 people globally in 10 months in 2021 all while building all of the processes, programs, and policies that go along with scaling a fast-paced tech organization.
Sounds like your experience in growing and scaling teams in fast-paced tech companies is perfectly suited for the Chief People Officer role at Tessian. So what made you decide to join our company?    There are a few reasons but I think the single most compelling was the people I met – starting with Tim, the CEO. Every conversation I had during the hiring process felt genuine, authentic, and easy. Everyone was caring, and I could really get a sense of the energy and passion behind the work the people at Tessian do. Everyone is excited about what the future holds.    With that in mind, it's clear that the culture at Tessian is a really strong one. I'm excited to join an organization that has already built something special, and I also see limitless opportunities ahead.
What do you see as the biggest opportunities for Tessian?    For me, it’s about building an incredible employee experience. There is no doubt that exists here; I’ve seen it throughout the interview and onboarding process. But as we grow and scale, there will be further opportunities to evolve and innovate so that we are providing programming, initiatives, coaching, learning, and experiences that help every employee at Tessian expand their careers, the business, and our brand.    We’re so happy to have you onboard Kelly. Now you’re here, what’s going to be your focus for the next 3-6 months?   I actually look at this in smaller blocks. My first 90 days will be about meeting people and trying to learn as much as I can about Tessian, the market and our customers. Through listening and learning, I aim to find where there is room for improvement, and how we can enhance the employee experience and our business strategy.    Then, it’s about how we translate business objectives into our People strategy so that we are attracting, developing and keeping our exceptional team!
Read Blog Post
ATO/BEC, Compliance
Building a Recession Proof Cybersecurity Program
By John Filitz
Thursday, June 9th, 2022
The subject of prioritizing cybersecurity spending often arises in periods of economic uncertainty. As most security professionals will admit, justifying the security budget is difficult in many organizations regardless of the economic cycle. In a recession the difficulty is compounded because, too often, cybersecurity is viewed as an auxiliary, non-critical IT program.

This blog sets out some core tenets essential for building a recession-proof cybersecurity program. Spoiler: building a resilient cybersecurity program starts with a shift in mindset.
Cultivating a positive organizational cybersecurity culture

Many security leaders struggle to make the case for cybersecurity spending, regardless of the economic environment. This is often due to an out-of-touch mindset, with certain leaders failing to understand how important cybersecurity is to their company's overall business operations and objectives. This poorly informed view was evidenced in a recent survey conducted by Tessian, in which only 58% of employees said they think senior executives at their company value cybersecurity. That may help explain why 1 in 3 employees don't understand the value of cybersecurity, and why 30% of employees believe they play no role in preventing cybersecurity threats.

The mixed attitude towards cybersecurity could also explain why security leaders often find it challenging to justify program spend, which becomes even harder in an economic downturn. The tide is slowly starting to turn, due in large part to increasing cybersecurity risk and the catastrophic fallout associated with breaches, which can result in business failure. Beyond an organization's self-interest in keeping its information systems and data secure, investors are starting to exert pressure on their portfolio companies to maintain an industry baseline of cybersecurity protection. Evidence of this shift is reflected in the fact that environmental, social and governance (ESG) reporting now includes an assessment of an organization's cybersecurity program and defenses.

It needn't break the bank. Developing a positive cybersecurity culture in an organization can be achieved at relatively low cost. The key elements include clear communication from the executive leadership on the importance of maintaining good cybersecurity hygiene, and creating a positive employee experience in relation to cybersecurity.
This entails developing engaging and context-based security awareness training programs that drive cybersecurity awareness – empowering employees to become part of the cyber defense.   
Using open source resources and frameworks to build cybersecurity resilience

While there is no single approach to building out a cybersecurity program, there is a trove of freely available resources and best practice guides to assist with building information governance systems and cybersecurity programs. View cybersecurity program development as a work in progress; many unique factors and characteristics of your organization will come into play in shaping it.

By establishing a dedicated team to tackle enterprise security architecture and using well-established enterprise architecture frameworks such as COBIT and TOGAF, in conjunction with cybersecurity frameworks such as the NIST Cybersecurity Framework, ISO 27001/27002 and the CIS Critical Security Controls, organizations can start putting the building blocks in place for well-integrated and robust information governance systems. Enterprise architecture frameworks such as COBIT are useful for building an information governance system that proactively identifies areas of risk, or IT capabilities that need improvement, to ensure that business objectives are achieved.
Ensuring compliance with industry and geo-specific regulations

Cyber risk is increasing year over year. According to the FBI's IC3, Business Email Compromise (BEC) related losses increased by 65% globally between 2019 and December 2021. In the latest Verizon DBIR, ransomware attacks increased by 13% year over year, the largest increase in over 5 years. Prioritize your cybersecurity technology budget on the assumption that you will, at some point, suffer a breach. On that basis, focus on the fundamental threat vectors relative to your accepted risk threshold.

In US states such as California, and in many jurisdictions around the world, regulatory authorities are establishing minimum levels of cybersecurity preparedness that must be met. Under the California Consumer Privacy Act (CCPA), businesses above the law's applicability thresholds must maintain reasonable security procedures and practices, and the California Attorney General's office has pointed to the CIS Critical Security Controls as the baseline that defines reasonable security.

The EU's General Data Protection Regulation (GDPR) requires data privacy and data security safeguards that ensure the confidentiality, integrity and availability of processing systems and services. Its security requirements also include the ability to restore availability of, and access to, personal data after an incident, and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures that secure the data.
Going beyond the minimum   Threat actors are continuously advancing their abilities. This is why cybersecurity and business leaders cannot afford to rest. Continuously testing your cybersecurity defenses through regular audits and penetration testing will help you identify areas for improvement. This includes practicing incident response and business continuity preparedness.   Cybersecurity is not a tick box compliance exercise.   Cybersecurity is everyone’s responsibility. Many of the core components that encompass a cybersecurity program do not require significant budget, but rather effective leadership, time and effort. Most importantly it requires adopting a mindset that recognizes the importance of being cyber resilient as essential to the organization’s overall success.
To see how the Tessian Intelligent Cloud Email Security platform prevents ransomware attacks and data loss, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Read Blog Post
9 Key CCPA Breaches So Far (And What We Can Learn From Them)
Monday, May 30th, 2022
On July 1st, 2020 enforcement of The California Consumer Privacy Act (CCPA) officially came into effect. Similar to the European Union’s General Data Protection Regulation (GDPR), CCPA is California’s answer to personal data protection – regulating how businesses across the globe are allowed to handle the personal information (PI) of California residents.   This means that California residents have the right to opt out of having their data sold to third parties, request disclosure of data already collected, and request deletion of data collected. As a part of this, corporations are required to respond promptly to consumer requests for information regarding their data. 
Though they share overarching objectives, there are a number of differences between CCPA and GDPR, a significant one being how fines are decided. Under the CCPA, the Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, and consumers affected by a data breach can claim statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater). Though these numbers may appear small in comparison with GDPR fines, companies managing high volumes of personal data (i.e. a larger company with thousands of consumers) can see them multiplied significantly. The CCPA also allows the individual consumer to file civil claims, giving individuals the ability to exercise their rights to privacy.
While some of the details of CCPA enforcement are still being ironed out, this article provides a summary of 9 key breaches so far and what we can learn from them.   1: Zoom – An $85 million settlement for ‘Zoombombing’   In August 2021, Zoom Video Communications reached an $85 million settlement after a number of user privacy issues including those related to ‘Zoombombing’. Zoombombing involves outsiders hijacking Zoom meetings and posting disturbing content such as pornography, or using racist language. The lawsuit claimed that Zoom had violated users’ privacy rights by sharing personal data with Facebook, Google, and LinkedIn, and letting hackers ‘Zoombomb’ meetings.    As well as paying the sum, Zoom agreed to improve its security practices to comply with the CCPA, releasing a statement saying “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us.”.
2: A data broker – A broken link, opt-out barriers, and mandatory account creation   To comply with CCPA, an unnamed data broker added a “Do Not Sell My Personal Information” (DNSMPI) link to its homepage – but the link didn’t work.    The business also made users jump through a series of hoops (including providing government ID and proof of address) before being allowed to opt-out of the sale of personal information. Thirdly, customers were required to create an account in order to make a verifiable consumer request – including a CCPA request.    After being informed of these issues, the business updated its link, removed the barriers to opt out, and no longer requires the creation of an account to make a CCPA request.
3: A digital strategy partner — A privacy policy with missing parts   In another case of DNSMPI wrongdoings, a company that partners with major corporations on digital strategies did not tell consumers about their rights under the CCPA and did not provide adequate notice on how personal information was collected, used, or sold.    This is all information that should be included in a company’s privacy policy. The company also did not offer a way to make requests over the telephone or on the company’s website.    To fix this, the privacy policy was updated, and the business now also offers a DNSMPI link, email address, and telephone number for consumers.
4: T-Mobile — The (alleged) negligence that led to a data breach   In August 2021, T-Mobile USA Inc. was hit with two class-action lawsuits accusing the telecommunications company of violating the CCPA. It was alleged that 'T-Mobile violated the CCPA and acted negligently by failing to protect consumer data from a recent data breach that exposed millions of customers' records'.    The allegations came after T-Mobile had suffered a data breach that compromised the personal data, including names and phone numbers, of millions of customers.   The complaints allege that T-Mobile violated the CCPA by failing to protect consumers' non-encrypted personally identifiable information from unauthorized access and exfiltration, theft, or disclosure, and that this stemmed from a failure to maintain reasonable security procedures to protect such information. The company offered two years of free McAfee ID theft protection to everyone who believes they may have been affected by the breach, but investigations are ongoing.
5: An electronics retailer — Selling more than just electronics   A business that sells electronics was accused of selling a bit more than just that. The company had third-party trackers on its website that shared data with advertisers about visitors’ online shopping habits. There was no service provider contractual relationship in place and consumers’ requests to opt out were not being processed.   To solve these issues the company worked with its privacy vendor to honor consumer opt-out requests and avoid selling personal information to third parties in violation of the CCPA.
6: An online classified ad platform — Death by jargon   Alongside other CCPA breaches, a business that operates an online classified advertisement platform did not display the required CCPA consumer rights or explicitly state whether or not it had sold personal information in the past year.    After being informed of this, the company updated its privacy policy to include the required notice of CCPA rights and clearly stated that it did not sell personal information.    However, a second notice was prompted because the updated privacy policy was not consumer-friendly: it contained unnecessary legal jargon and was difficult for the average person to read. A further round of significant revisions to the privacy policy finally addressed these concerns.
7: A social media app — Speed matters   A social media app business was not responding to CCPA requests by consumers fast enough. The requests included consumers wanting to know and delete personal information – which users have a right to under the CCPA. Unfortunately, consumers were left unaware of whether their requests had been effectuated, or even received.   After notification by The Office of the Attorney General (OAG), the organization responded to the outstanding requests and updated its CCPA response system to improve its timeliness.
8: An ad-tech organization — Business or service provider?   Service providers and businesses have different obligations when it comes to complying with CCPA, with privacy policy requirements differing depending on this status.    This made it difficult for an online ad-tech organization, which, though primarily a service provider, is a business in some contexts. The company’s service provider contracts also lacked the necessary restrictions on the use of processed personal information.    To align with the rules, the company modified its privacy policy (clearly stating that it did not sell personal information), provided a way for consumers to submit CCPA requests, and updated their service provider contracts.
9: A grocery chain — Customers seeking clarity   A business that operates a chain of grocery stores recently came under fire not just by OAG, but by members of the public too. The chain was accused of leaving essential information out of its privacy policy, which lacked guidance on how authorized agents may submit CCPA requests on behalf of consumers, among other things.   In response to a notice of these violations, the business updated its privacy policy accordingly – explaining how agents can submit CCPA requests on behalf of consumers, as well as the business’s requirements for verifying such requests.   If there is one thing to learn from these breaches it is that doing the right thing is not enough. You need to tell your consumers what you are doing – transparently and in language that they understand.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Threat Intel
Tessian Threat Intel Roundup for May
By John Filitz
Monday, May 30th, 2022
Tessian Threat Intel focussed on crypto and payment fraud campaigns for the month of May, particularly PayPal related scams which have become increasingly sophisticated over the last several months. Most recently we have identified scams relating to fraudulent email invoices requesting payment via PayPal, with some of these scams requesting payment in Bitcoin.    Keep reading for recommendations for staying safe, and sign-up for our Threat Intel update to get this monthly update straight to your inbox. 
• Social engineering remains a persistent global threat that continues to evolve to evade law enforcement and cybersecurity detection and prevention efforts.
• Email-delivered crypto Business Email Compromise (BEC) campaigns are increasing in volume and sophistication.
• Threat actors are impersonating payment providers such as PayPal and fraudulently creating email invoices to perpetrate payment fraud.
• Bitcoin is the preferred payment method because it crosses geographic borders easily.
• In its latest annual IC3 report, the FBI notes that over $43 billion has been lost globally to BEC in the past 5 years. The true figure is likely significantly higher because many incidents go unreported.
• The FBI notes that phishing is increasing and remains the most reported cyber crime incident.
• To stay safe: never click on links in suspicious emails, and be on the lookout for increasingly sophisticated BEC attempts to perpetrate invoice payment/wire fraud.
• Tessian Threat Intel has noted an uptick in BEC efforts, with invoice/payment fraud the primary objective of threat actors.
• We have been tracking payment provider related fraud since January 2022.
• Also noteworthy is the increasing sophistication of campaigns targeting victims using a range of themes, including the COVID-19 pandemic and, more recently, the conflict in Ukraine.
• Over the past 30 days we are still seeing an average of 45 new Ukraine-themed domains registered every day (see April's round up on Ukraine).
• Key themes of the attacks still include crypto donation scams as well as ecommerce spam, romance scams, and loans for refugees.
• The donation scams are increasing in volume and expanding in variety, with themes of humanitarian aid and support for children or refugees.
• As the digital payment market grows, so too will the range of attacks.
• Bitcoin remains the preferred medium of payment for the BEC campaigns we have been tracking.
• The FBI notes a 65% increase in BEC fraud related losses globally between 2019 and December 2021.
• Be suspicious of any invoice-related request, even from a trusted party.
• Always verify the authenticity of the invoice by contacting the party via an independent method, for example by telephone, and never use a telephone number provided in the suspicious email.
• Report suspicious emails to your security administrator.
• Use an advanced email protection solution that relies on behavioral intelligence modeling rather than a static, rule-based approach to threat detection.
• Report all BEC-related losses to your relevant law enforcement agency. Only with an accurate picture of the extent of the crime can we as a community harness the resources required to deal with it effectively.
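The indicators above (a payment brand in the display name but an unrelated sender domain, invoice and payment language, a Bitcoin address, a callback phone number, and an artificial deadline) can be turned into a cheap first-pass triage for invoice-themed lures. The script below is an added example written for this post, not Tessian's detection logic; the two messages, the brand-to-domain mapping and the "three or more indicators" review threshold are constructed assumptions for illustration.

```python
"""First-pass triage for invoice-themed BEC lures (constructed example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a PayPal-themed "invoice" lure of the kind described above.
SAMPLE_LURE = """\
From: "PayPal Billing" <billing@paypa1-invoices.example>
To: finance@victim.example
Subject: Invoice #48213 - payment due
Content-Type: text/plain; charset=utf-8

Your invoice for $489.00 is due. If you did not authorize this charge,
call +1 (888) 555-0142 within 24 hours. You may also settle in Bitcoin:
bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
"""

# Constructed sample: a legitimate invoice from a known supplier.
SAMPLE_BENIGN = """\
From: "Acme Accounts" <ar@acme.example>
To: finance@victim.example
Subject: Invoice 1001 attached
Content-Type: text/plain; charset=utf-8

Hi, invoice 1001 for last month's services is attached as agreed.
"""

# Assumption: brands whose name in the display name must be backed by the
# brand's own sending domain. Illustrative, not a maintained allow-list.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

PAYMENT_WORDS = re.compile(r"\b(invoice|payment|charge|wire|due|overdue|authoriz\w+)\b", re.I)
# Bech32 (bc1...) and legacy base58 (1.../3...) Bitcoin address shapes.
BTC_ADDR = re.compile(r"\b(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URGENCY = re.compile(r"\b(within \d+ hours|immediately|urgent|suspended|24 hours)\b", re.I)

REVIEW_THRESHOLD = 3  # assumption: three or more indicators sends the mail to a human


def sender_parts(msg):
    """Return (display name, sender domain), both lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.lower(), addr.rpartition("@")[2].lower()


def score_message(raw: str) -> dict:
    """Score one RFC 5322 message and list the indicators that fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []

    name, domain = sender_parts(msg)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and domain not in domains:
            findings.append(f"display name claims {brand} but sender domain is {domain}")
    if PAYMENT_WORDS.search(text):
        findings.append("payment/invoice language")
    if BTC_ADDR.search(text):
        findings.append("bitcoin address in body")
    if PHONE.search(body):
        findings.append("callback phone number in body")
    if URGENCY.search(text):
        findings.append("urgency cue")

    score = len(findings)
    verdict = "review" if score >= REVIEW_THRESHOLD else "ok"
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = score_message(raw)
        print(f"{label}: {result['verdict']} ({result['score']} indicators)")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The benign supplier invoice trips only the payment-language indicator and stays below the threshold; the lure trips all five. Heuristics like these are a triage aid, not a verdict: the out-of-band verification step above still applies to anything marked for review, and a lure that omits the Bitcoin address and the deadline would score lower.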
To see how Tessian prevents ransomware attacks and data loss, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Read Blog Post
Key Takeaways from Verizon's 2022 Data Breach Investigations Report
By John Filitz
Thursday, May 26th, 2022
Verizon just released its annual Data Breach Investigations Report (DBIR) for 2022. Highlights include the most targeted industries, the role of human error, insight on social engineering, and the devastating impact that insider risk poses to your organization. The report also shows email to be a significant attack vector and the preferred method for delivering malicious payloads. Ransomware is becoming a protracted security challenge, as are supply chain risk and misconfiguration. Keep reading for the key findings from the report.
Industries and attack vectors

• Top 3 industry verticals that suffered a breach. Finance, Professional Services and Healthcare suffered the highest proportion of breaches for the year.
• Human error remains a significant breach risk factor. 82% of breaches involved the human element, whether through compromised credentials, phishing, misuse or error.
• Securing end-users and systems should be prioritized equally. The 4 main paths to a breach are credential compromise, phishing, exploiting vulnerabilities, and botnets.
• Top 2 targeted IT assets. Web applications (56% of breaches) and mail servers (28%) are the two IT assets most targeted by threat actors.
Social engineering, insider risk and attack motivations

• Social engineering attacks are growing in complexity. Phishing (over 60%) remains the dominant method for executing social engineering attacks, followed by the use of stolen credentials (over 30%) and pretexting (27%).
• Protecting against threat actors is a complex challenge. External threat actors account for 80% of breaches, and insiders for 20%.
• Insider breaches are the most devastating from a records exposure perspective. Insider breaches expose roughly ten times as many records as external breaches do.
• Money heist. Financial or personal gain is the key motive for over 80% of external threat actors.
Email is a significant attack vector

• Email is the channel threat actors prefer. Email remains the #1 delivery mechanism for malware, including ransomware.
• Email attracts the greatest investment in the attacker value chain. Email development, email addresses and email distribution see the highest share of investment from threat actors for carrying out a breach.
• Office docs are the preferred trojan horse. Office documents are the preferred file type for delivering malicious payloads, usually via email.
• BEC attacks come in different flavors. Phishing was responsible for 41% of BEC attacks, while credential theft was responsible for 43%. Pretexting, a component of phishing, is becoming increasingly prominent and was responsible for 27% of social engineering breaches.
• Don't take solace in low phish rates. Even phish rates of less than 3% can have devastating impacts on large organizations in terms of total records compromised.
Additional key findings

• Ransomware attacks are trending in the wrong direction. Ransomware is accelerating at an unprecedented pace, up 13% year over year, an increase as large as the past 5 years combined.
• The integrity of supply chains is in sharp focus. Supply chains were involved in 62% of system intrusions.
• As IT complexity increases, so too does misconfiguration risk. In a cloud-based world, misconfiguration remains a mainstay vulnerability, responsible for 13% of breaches.
To see how Tessian prevents ransomware attacks and data loss, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Read Blog Post