Human Layer Security, Spear Phishing
Why We Click: The Psychology Behind Phishing Scams and How to Avoid Being Hacked
Monday, September 7th, 2020
We all know the feeling, that awful sinking in your stomach when you realize you’ve clicked a link that you shouldn’t have. Maybe it was late at night, or you were in a hurry. Maybe you received an alarming email about a problem with your paycheck or your taxes. Whatever the reason, you reacted quickly and clicked a suspicious link or gave away personal information only to realize you made a dangerous mistake.  You’re not alone. In a recent survey conducted by my company Tessian, two-fifths (43%) of people admitted to making a mistake at work that had security repercussions, while nearly half (47%) of people working in the tech industry said they’ve clicked on a phishing email at work. In fact, most data breaches occur because of human error. Hackers are well aware of this and know exactly how to manipulate people into slipping up. That’s why emails scams — also known as phishing — are so successful.  Phishing has been a persistent problem during the COVID-19 pandemic. In April, Google alone saw more than 18 million daily email scams related to COVID-19 in a single week. Hackers are taking advantage of psychological factors like stress, social relationships and uncertainty that affect people’s decision-making. Here’s a look at some of the psychological factors that make people vulnerable and what to look out for in a scam. 
Stress and Anxiety Take A Toll Hackers thrive during times of uncertainty and unrest, and 2020 has been a heyday for them. In the last few months they’ve posed as government officials, urging recipients to return stimulus checks or unemployment benefits that were “overpaid” and threatening jail time. They’ve also impersonated health officials, prompting the World Health Organization to issue an alert warning people not to fall for scams implying association with the organization. Other COVID scams have lured users by offering antibody tests, PPE and medical equipment. Where chaos leads, hackers follow. The stressful events of this year mean that cybersecurity is not top-of-mind for many of us. But foundational principles of human psychology also suggest that these same events can easily lead to poor or impulsive decisions online. More than half (52%) of those in our survey said that stress causes them to make more mistakes. The reason for this has to do with how stress impacts our brains, specifically our ability to weigh risk and reward. Studies have shown that anxiety can disrupt neurons in the brain’s prefrontal cortex that help us make smart decisions, while stress can cause people to weigh the potential reward of a decision over possible risks, to the point where they even ignore negative information. When confronted with a potential scam, it’s important to stop, take a breath, and weigh the potential risks and negative information like suspicious language or misspelled words. Urgency can also add stress to an otherwise normal situation — and hackers know to take advantage of this. Look out for emails, texts or phone calls that demand money or personal information within a very short window. Hacking Your Network Some of the most common phishing scams impersonate someone in your “known” network, but your “unknown” network can also be manipulated. Your known network consists of your friends, family and colleagues — people you know and trust. Hackers exploit these relationships, betting they can sway someone to click on a link if they think it’s coming from someone they know. These impersonation scams can be quite effective because they introduce emotion to the decision-making progress. If a phone call or email claims your family member needs money for a lawyer or a medical procedure, fear or worry replace logic. Online scams promising money add greed into the equation, while phishing emails impersonating someone in authority or someone you admire, like a boss or colleague, cloud deductive reasoning with our desire to be liked. The difference between clicking a dangerous link or deleting the email can involve simply recognizing the emotions being triggered and taking a second look with logic in mind.  Meanwhile, the rise of social media and the abundance of personal information online has allowed hackers to impersonate your “unknown” network as well — people you might know. Hackers can easily find out where you work or where you went to school and use that information to send an email posing as a college alumnus to seek money or personal information. An easy way to check a suspicious email is by looking beyond the display name to examine the full email address of the sender by clicking the name. Scammers will often change, delete or add on a letter to an email address. 
The Impact of Distraction and New Surroundings The rise of remote work brought on by COVID-19 can also impact people’s psychological states and make them vulnerable to scams. Remote work can bring an overwhelming combination of video call fatigue, an “always on” mentality and household responsibilities like childcare. In fact, 57% of those surveyed in our report said they feel more distracted when working from home. Why is this a problem from a cybersecurity standpoint? Distraction can impair our decision-making abilities. Forty-seven percent of employees cited distraction as the top reason for falling for a phishing scam. While many people tend to have their guard up in a physical office, we tend to relax at home and may let our guard down, even if we’re working. With an estimated 70% of employees working from home part or full-time due to COVID-19, this creates an opportunity for hackers.  It’s also more difficult to verify a legitimate request from an impersonation when you’re not in the same office as a colleague. One common scam impersonates an HR staff member to request personal information from employees at home. When in doubt, don’t click any links, download attachments or provide sensitive data like passwords, financial information or a social security number until you can confirm a request with a colleague directly. Self-Care and Awareness  These scams will always be out there, but that doesn’t mean people should constantly worry and keep their guard up — that would be exhausting. A simple combination of awareness and self-care when online can make a big difference.  Once you know the tactics a hacker might use and the psychological factors like stress, emotions and distraction to look out for, it will be easier to spot an email scam without the anxiety. It’s also important to take breaks and prioritize self-care when you’re feeling stressed or tired. Step away from the computer when you can and have a conversation with your manager about why the pressure to be “always-on” when working remotely can have a negative impact psychologically and create cybersecurity risks. By understanding why people fall for these scams, we can start to find ways to easily identify and avoid them.  This article was originally published in Fast Company and was co-authored by Tim Sadler, CEO of Tessian and Jeff Hancock, Harry and Norman Chandler Professor of Communication at Stanford University 
Compliance, DLP
Ultimate Guide to The POPIA – South Africa’s Privacy Law
Thursday, September 3rd, 2020
Over the last several years, there have been a number of generally applicable data privacy and protection laws rolled out around the world, starting with Europe’s General Data Protection Regulation back in 2018.  Earlier this year, California released The California Consumer Privacy Act (CCPA), which took an even broader view than the GDPR of what’s considered private data.  The most recent privacy law? South Africa’s Protection of Personal Information Act (POPIA). Note: The POPIA initially passed in 2013 but spent seven years in limbo, until it finally came into effect on July 1, 2020. It’s essential that security and business leaders understand which of these compliance standards they’re bound to comply with, how to comply, and the consequences of a compliance breach.
What businesses does the POPIA apply to? The POPIA applies to every type of company, regardless of size, sector, or location, so long as it is either: Based in South Africa, or Based outside of South Africa, but processes personal information within South Africa (unless it is only forwarding personal information through South Africa) That means that non-South African companies doing business in South Africa should comply with the POPIA, whether or not they have any physical presence in the country. We have good news, though. POPIA has a one-year transition period, so all affected businesses have until July 1, 2021 to ensure compliance. After this day, the South African Information Regulator will begin enforcing the law and fining non-compliant companies. Wondering how to ensure compliance? You can click the link to jump down the page to our section on “How to stay compliant with POPIA”. Otherwise, keep reading to find out what information is considered personal under POPIA.
What’s considered “personal information” under the POPIA? You have to remember, compliance is all about consumer privacy. So, POPIA, like the GDPR and CCPA, mandates that businesses properly “process” personal information. This includes collecting it, erasing it, and disclosing it to any third-parties.  So, what is “personal information”? The POPIA defines “personal information” as: “Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person” Within this definition: A “natural person” means an individual. An “existing juristic person” means a “legal person,” such as a corporation or charity. Importantly, by extending the definition of “personal information” to “juristic (legal) persons,” the POPIA gains a very broad scope that would cover certain business-to-business communications, too. Below is a non-exhaustive list of examples of personal information provided within the POPIA: Information relating to: Race  Gender  Physical or mental health  Belief Information about a person’s  Education Medical history Financial history An ID number, email address, phone number, or online identifier Biometric information A person’s opinions or preferences Private correspondence Opinions about a person A name, if the context in which the name is disclosed would reveal something about a person This data could be related to a business’ customers, employees, business contacts, prospective customers, and even visitors to their website. 
Who’s liable under the POPIA? We’ve already outlined which businesses need to comply with the POPIA. But, what about liability? The two main players are the “responsible party” and the “operator.” What is a “responsible party”? A “responsible party” is a public or private body that decides why and how to process personal information. A similar concept is the “data controller” under the GDPR and the “business” under the CCPA. What is an “operator” An “operator” is “a person who processes personal information for a responsible party” but is not under the responsible party’s direct authority. A similar concept is the “data processor” under the GDPR and the “service provider” under the CCPA. Operators are directly liable under the POPIA and must treat the personal information they process as confidential and should never disclose it without the responsible parties authorization. In the event of a data breach, they must notify the responsible party immediately.  Responsible parties, on the other hand, must ensure they only engage with operators under a written contract (which should ensure that the operator meets the POPIA’s data security obligations).  They must also monitor the operator’s activities to ensure that it meets its data security operations. In fewer words: everyone is responsible on some level for ensuring safe (and compliant) data processing.
You may need to adjust your service contracts so that they include a requirement to safeguard personal information. Now that you know who must comply with the POPIA, who’s liable, and what data is considered “personal”, we’ll explore perhaps the most important concept: How to lawfully process data under the POPIA. How do I lawfully process data under the POPIA? The POPIA provides a set of eight conditions businesses must satisfy when processing personal information.  To be truly effective (and ultimately ensure compliance) these principles must be baked into your overall business operations, from cybersecurity to HR.  In brief, the eight conditions for lawful processing are: Accountability: You must ensure POPIA compliance in respect of all the personal information in your control. Lawfulness: You must only collect personal information if it is adequate and non-excessive. You must have a legally justifiable reason for collecting personal information. Where possible, you must collect personal information directly from the data subject. Purpose specification: You must only collect personal information for a specific purpose, and you must not store it for longer than necessary to meet that purpose. Further processing limitation: You may only process personal information for further purposes if they are compatible with the reason you collected it. Information quality: You must ensure the personal information you maintain is accurate and complete. Openness: You must be transparent about how you provide personal information and provide consumers with notice about how and why you process their personal information. Security safeguards: You must take reasonable steps to secure the personal information in your control, and you must report any data breaches as soon as reasonably possible. Data subject participation: You must allow data subjects to access their personal information and correct or erase any inaccurate personal information. But, there are additional requirements for particularly sensitive information.
What types of information are considered “special” under the POPIA? Under the POPIA, particularly sensitive types of personal information are called “special personal information.” The categories of special personal information include: Religious or philosophical beliefs  Race or ethnic origin  Trade union membership  Political persuasion  Health or sex life  Biometric information Information about criminal behavior, including: Alleged offenses that have been committed by the individual Proceedings that may have taken place regarding the alleged offenses Like the GDPR, the POPIA places a general prohibition on the processing of special personal information. However, it is possible to process special personal information on the following grounds: With the consent of the data subject To exercise or defend your legal rights or obligations To comply with an obligation under international public law For historical, statistical, or research purposes in the public interest Where the information has been made public by the data subject
How can cybersecurity help me stay compliant with the POPIA? We know what you’re thinking: what steps can I actually take to ensure every individual, team, and department across my organization safely processes data? Like other compliance standards, the POPIA mandates “appropriate, reasonable technical and organizational measures” to prevent the loss of, damage to, and unauthorized access to personal information. The POPIA sets out four broad ways in which responsible parties must secure personal information: Identify internal and external risks Establish and maintain safeguards Regularly verify safeguards Continually update safeguards The POPIA also requires responsible parties to keep up-to-date with any sector-specific security standards and professional regulations, and ensure any operators also apply security safeguards to personal information. There’s a lot to unpack here. But, it all comes down to data loss prevention (DLP). While you can read all about DLP in this article: What is Data Loss Prevention – A Complete Guide to DLP, we’ll outline the different “types” of DLP below. Note: DLP does more or less the same thing wherever it is deployed – it looks for sensitive information crossing boundaries. But different DLP solutions operate in different ways depending on which “perimeter” is being guarded. Network DLP Network DLP protects data in motion by monitoring the traffic that enters and leaves the organization’s network. These solutions are mostly cloud-based and are designed to monitor network traffic between users and other endpoints connected through the Internet; every byte of data transmitted through a network will go through the cloud-based DLP solution.  Endpoint DLP Endpoint DLP protects data in use on employee’s devices (computers, mobile phones) by preventing unauthorized access. How? By ensuring information isn’t taken off work devices and sent or copied to unauthorized devices by allowing or denying certain tasks to be performed on the computer.  It is also able to detect and block viruses and other malware that could be transferred into your computer system from external sources, like a USB. Email DLP Email is the threat vector security and IT leaders are most concerned about, Why? Because both inbound and outbound traffic pose serious security threats.  According to data from Verizon, email is the main entry point for social engineering attacks like phishing and incidents involving Insider Threats have increased by 47% over the last two years. And, we can’t forget about accidental data loss – like misdirected emails – which is actually the most frequently reported security incident under the GDPR. Learn more about how Tessian detects and prevents both inbound and outbound threats on email to help organizations around the world stay compliant.  But organizations need more than security solutions. Under the POPIA, every public and private organization must also have an Information Officer. What are their responsibilities?  Encouraging the organization to comply with the conditions for lawful processing Assisting data subjects with requests to access their personal information Working with the Information Regulator in the event of an investigation Otherwise ensuring that the organization complies with the POPIA Once you have appointed your Information Officer, you must register them with the Information Regulator. But, what happens if DLP solutions (and your Information Officer) don’t successfully prevent data loss and a breach occurs? You have to notify relevant bodies.
What do I do in the event of a breach? If personal information is subject to unauthorized access, (i.e., a data breach occurs), responsible parties must notify: The Information Regulator, and The affected data subjects  Importantly, this must happen “as soon as reasonably possible” and should include: A description of the consequences of the breach An explanation of what the responsible party has done to contain the breach Advice to the data subjects regarding how to mitigate the impact of the breach The identity of anyone who may have accessed the personal information (if known) This is a lot of work and one of the reasons why investigation and remediation are generally the costliest categories in an overall data breach. Which, by the way, cost organizations $3.92 million on average according to IBM’s latest Cost of a Data Breach Report.
What are the penalties under the POPIA? Breaches of the POPIA can lead to harsh penalties brought by the Information Regulator, including: A fine of between 1 million and 10 million ZAR (approximately $60,000 – $600,000 USD) Imprisonment for a term of up to ten years Both a fine and a prison term The POPIA also contains a private right of action, meaning that individual data subjects can bring a private legal claim against a responsible party. A case brought under the POPIA could lead to: “Actual damages,” to compensate data subjects for any losses they have incurred “Aggravated damages,” to compensate data subjects for the distress they have experienced Fines, imprisonment, and lawsuits are not the only concerns for businesses processing people’s personal information in South Africa. Even small-scale data breaches can lead to a complaint being lodged with the Information Regulator. For more information about how much business’ have been fined under other data protection laws, check out this article: 4 Biggest GDPR Fines of 2020 (So Far). If you take nothing else away from this article, it should be that compliance and security go hand-in-hand. Businesses in South Africa and beyond must take necessary steps to safeguard the data their organizations process and hold, which requires dedicated security and IT teams and a strong data loss prevention strategy. Wondering what’s top-of-mind for other security leaders when it comes to DLP? Download the report below.
Compliance
Security vs. Compliance: What’s The Difference?
Tuesday, September 1st, 2020
Security vs. Compliance: What’s the Difference? Businesses across industries and continents are now obligated to satisfy various compliance standards, from GDPR to CCPA. But, how do you actually ensure compliance? By securing the information your organization handles. This – of course – is easier said than done and requires cross-team collaboration. In this article, we’ll explain: What Information Security means What compliance means How these concepts differ Why you can’t neglect one in favor of the other Looking for more information about specific data privacy laws? Visit our compliance content hub.  Security and Compliance: The Difference “Security” is the infrastructure, tools, and policies you put in place to protect your company’s information and equipment.  “Compliance” is the act of meeting a required set of security and regulatory standards. As you might have guessed, security and compliance are very closely linked, and each should drive the other. Keep reading to learn more about the key concepts you need to consider to ensure your organization’s information systems are up to scratch.  Security: Key Concepts When it comes to information security, organizations have to safeguard every vector that stores and transfers data. In this article, we’ll cover network, device, and employee security.  Network Security While every organization is different, most IT leaders are concerned with protecting network security. Why? Because employees access company data via various networks, including:  Your company’s own network — which can be as secure as you are prepared to make it. Your employees’ home networks — which you can’t assume will be secure. Public networks — such as on public transport and in coffee shops, which are notoriously not secure. Importantly, data can be intercepted or exfiltrated across all of the above networks. But, there are several steps you can take to mitigate network security threats: Email security software — Email security software is a critical requirement in most compliance regimes and should protect against both inbound threats like spear phishing and outbound threats like misdirected emails. Check out this blog to learn How to Choose the Right Email Security Software.  A firewall  — Firewalls can be either hardware or software-based. Certain regulations, such as PCI DSS, require both hardware and software firewalls to be in place. Access controls — Access controls allow you to restrict network access only to authorized actors. Generally applicable laws, such as the EU GDPR, treat access control as a basic tenet of reasonable security. Looking for advice on how to secure data while employees are working remotely? Check out this article: Ultimate Guide to Staying Secure While Working Remotely. Device Security Your organization is responsible for devices that store and handle vast amounts of data, including the personal information of your customers and the confidential information of your company. This applies to any devices that process company data — whether they belong to your company or your employees — including: Desktop computers Laptops Mobile phones Tablets USB storage devices You can protect these devices in multiple ways, including: Antivirus software Multi-factor authentication (MFA) Device encryption Endpoint security Anti-theft tools Employee Security 88% of data breaches are caused by human error. That’s why employee training is an essential component of any security strategy and a requirement under compliance standards.  A security training program should teach employees: How to identify and respond to threats such as phishing, smishing,  and vishing Why security policies exist and how to follow them  How to safely handle and dispose of data You can learn more about the pros (and cons) of security training in this article: Pros and Cons of Phishing Awareness Training. Compliance: Types of Standards There are several types of laws, regulations, and certifications that businesses must comply with and they all outline minimum security standards. So, what happens if your security measures don’t comply with relevant standards?  Your organizations will either be in breach of the law, in danger of being reprimanded by your industry’s regulator (which could include a hefty fine), or unable to obtain or maintain a particular certification. Generally-Applicable Laws  Some laws apply to every business operating in a given jurisdiction, regardless of sector. Compliance with these laws generally requires the implementation of “reasonable” security measures specific to their industry and proportionate to their size. Let’s look at two examples. General Data Protection Regulation (GDPR) The EU General Data Protection Regulation (GDPR) applies to every person and organization operating in the EU or targeting EU residents. It sets down minimum requirements for information security and privacy. In particular, covered organizations must: Analyze and mitigate security risks Encrypt, pseudonymize, or anonymize personal information as appropriate Control access to premises, equipment, and digitized personal information You can learn more about the GDPR in this blog: GDPR: 13 Most Asked Questions + Answers The GDPR offers some flexibility, accounting for the current state of technology, and the costs involved in securing personal information. However, all organizations must implement “appropriate technical and organizational measures.” California Consumer Privacy Act (CCPA)  The California Consumer Privacy Act (CCPA) applies to certain businesses that collect California residents’ personal information. It requires that businesses take “reasonable security measures” to secure personal information in their control. For CCPA-covered businesses, implementing a minimum reasonable security level means complying with the 20 Critical Security Controls from the Center for Internet Security (CIS). The controls include: Email and web browser protection Account monitoring and controls Penetration testing A business’s security measures may be “appropriate to the nature of the information” that business controls — so highly sensitive personal information will require stronger security measures to protect it. You can learn more about the CCPA in this blog: CCPA FAQs: Your Guide to California’s New Privacy Law. Sector-Specific Regulations Certain industries handle particularly sensitive information, and there are rules that govern how they protect and store that data. Health Insurance Portability and Accountability Act (HIPAA) The US Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers and businesses that handle protected health information (PHI).  The HIPAA “security rule” requires covered entities to implement administrative, technical, and physical safeguards over the PHI they control, including: Ensuring PHI remains confidential  Identifying and protecting against “reasonably anticipated threats” Ensuring all employees comply with HIPAA Organizations may vary in the extent to which they implement such security measures, accounting for: The size, complexity, and capabilities of the organization Its technical, hardware, and software infrastructure The costs of implementing security measures The likelihood and potential impact of risks to PHI Payment Card Industry Data Security Standard (PCI DSS) The Payment Card Industry Data Security Standard (PCI DSS) regulates how organizations handle credit and debit card data. Among other measures, PCI DSS requires organizations to: Maintain secure networks Encrypt cardholder data Regularly review security measures The number of annual transactions a card handler processes dictates the level of security measures they must implement. Level 1 — Over 6 million transactions per year Level 2 — 1-6 million transactions per year Level 3 —  20,000-1 million transactions per year Level 4 — Under 20,000 transactions per year Certification Programs Businesses wishing to demonstrate their security standards to their customers and business partners can undergo auditing with a certifying body.  ISO/IEC 27K Series The ISO/IEC 27K series provides standards for information security management, with programs covering network security, cybersecurity, and intrusion prevention.  ISO/IEC 27K is not a certification process in itself, but certain bodies are licensed to certify ISO/IEC 27K compliance. The series consists of a family of different standards that businesses can adopt as appropriate, such as: ISO/IEC 27000 — Information security management systems (overview) ISO/IEC 27005 — Information security risk management ISO/IEC 27033 — IT network security ISO/IEC 27040 — Storage security GDPR Certification GDPR certification is available for organizations that wish to publicize their GDPR compliance. Certification schemes must be approved by the European Data Protection Board or a national Data Protection Authority, such as the UK Information Commissioner’s Office. GDPR certification schemes can be general, applying to all areas of an organization’s GDPR compliance, or specific to an area of GDPR compliance, such as: Secure storage of personal information Access controls Internal policies and procedures You can see Tessian’s certifications on this page: Tessian Integrations, Compatibility, and Partnerships. 
What’s More Important: Security or Compliance? It’s not possible to say whether security is more important than compliance, or vice-versa. Security and compliance go hand-in-hand. If you neglect compliance, you may find your company is in breach of data security law — even if you take reasonable steps to secure sensitive information. Without understanding your compliance obligations, you can never be sure you’ve got everything covered. Likewise, suppose you neglect security, and take a mechanical, “bare minimum” approach to compliance. In that case, you’re putting your company at risk of data breaches, reputational damage, and private legal claims from your customers and employees. Our advice? Take an overarching approach to security and compliance by understanding the risks to your company’s information and your legal and regulatory obligations.
Spear Phishing
How to Avoid Falling Victim to Voting Scams in the 2020 U.S. Election
By Laura Brooks
Friday, August 28th, 2020
Scammers thrive in times of crisis and confusion. This is perhaps why the controversy surrounding mail-in voting could prove to be another golden opportunity for cybercriminals.  Throughout 2020, we’ve seen a surge of cybercriminals capitalizing on key and newsworthy moments in the COVID-19 crisis, creating scams that take advantage of the stimulus checks, the Paycheck Protection Program and students heading back to school.  Knowing that people are seeking answers during uncertain times, hackers craft scams – usually in the form of phishing emails – that appear to provide the information people are looking for. Instead, victims are lured to fake websites that are designed to steal their valuable personal or financial information.  Hackers are creating websites related to mail-in voting Given the uncertainties surrounding election security and voters’ safety during the pandemic, fueled further by President Trump’s recent attacks against the US Postal Service, it’s highly likely that scammers could set their sights on creating scams associated with mail-in voting.  In fact, our researchers discovered that around 75 domains spoofing websites related to mail-in voting were registered between July 2 to August 6.  Some of these websites tout information about voting-by-mail, such as mymailinballot.com and mailinyourvote.com. Others encourage voters to request or track their ballot, such as requestmailinballot.com and myballotracking.com.  Anyone accessing these websites should be wary, though. Keep reading to find out why. What risks do these spoofed domains pose?  To understand the risks these spoofed domains pose, consider why hacker’s create them. They’re after sensitive information like your name, address, and phone number as well as financial information like your credit card details. For example, if a malicious website claims to offer visitors a way to register to vote or cast their vote – which several of these newly created domains did – there will be a form that collects personally identifiable information (PII). Likewise, if a malicious website is asking for donations, visitors will be asked to enter credit card details.  If any of this information falls into the wrong hands, it could be sold on the dark web, resulting in identity theft or payment card fraud.  Of course, not every domain that our researchers discovered can be deemed malicious. But, it’s important you stay vigilant and never provide personal information unless you trust the domain.
So, how can voters avoid falling for mail-in voting scams?  Here are some tips to help you avoid falling victim to voting scams in the upcoming election:  1. Find answers online, but don’t trust everything you read It’s perfectly reasonable to look online for answers about how to vote. There’s a lot of useful information about ordering absentee ballots and locating local secure ballot boxes. However, be aware that there is a lot of misinformation online, particularly around this year’s election. Source information from trusted websites like https://www.usa.gov/how-to-vote.  2. Think twice before sharing personal details Before entering any personal or financial details, always check the URL of the domain and verify the legitimacy of the service by calling them directly. Question domains or pop-ups that request personal information from you, especially as it relates to your voting preference or other personal information. 3. Never share direct deposit details, credit card information, or your Social Security number on an unfamiliar website This information should be kept private and confidential. If a website asks you to share details like this, walk away.  Keep up with our blog for more insights, analysis, and tips for staying safe online. 
Who Are the Most Likely Targets of Spear Phishing Attacks?
By Maddie Rosenthal
Friday, August 28th, 2020
Last year, 88% of organizations around the world experienced spear phishing attacks. But some industries and departments are more likely to be targeted than others. In this article, we’ll identify examples of vulnerable employees, why they’re targeted, and what tactics hackers use to trick them into handing over sensitive information or initiating money transfers. 
But, before we get started, it’s important you understand the difference between phishing and spear phishing. The difference between phishing and spear phishing There are three key differences between phishing and spear phishing. Phishing attacks are high-volume, most often targeting hundreds or thousands of people while spear phishing attacks are low-volume, meaning only one person or a small group of people are targeted. Phishing attacks are non-personalized while spear phishing attacks are highly personalized. Phishing emails more often employ malicious links or attachments (called “payloads”) to deliver malware or capture sensitive information, while spear phishing emails don’t always carry payloads; these are called “zero-payload attacks” For more information, including an infographic and real-world examples, read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies. Who are the most likely targets of spear phishing attacks? When we talk about spear phishing attacks, we’re talking about a number of highly targeted attacks, including: CEO Fraud Business Email Compromise Whaling Email Spoofing For more information about these different types of attacks, click the links above.  If you’re already familiar with these terms, keep reading to find out the four “types” of employees who are most likely to be targeted by spear phishing attacks in 2020.
An executive assistant (new-starter) at a Technology company
In companies with over 1,000 people, employees working in Technology are the most likely to fall for a social engineering scam. In fact, according to research, 1 out of every 2 employees will click on a suspicious link or email or obey a fraudulent request in this industry.  These aren’t great odds. Of course, when we’re talking about spear phishing, it’s a targeted attack. That means hackers won’t just send out bulk emails to thousands of employees. Instead, they’ll select individuals who have access to sensitive systems and data and who they think are more likely to fall for a scam. So, who has access to sensitive systems and data? While you may immediately think of the C-Suite or someone in HR, Executive Assistants are actually a prime target. It makes sense. They have access to executives’ email accounts They are privy to private meetings They often make travel arrangements They have credit card details on file They will likely be able to quickly find PII for employees They will be looped in on emails containing Intellectual Property like product roadmaps and business strategies They also generally have quite a bit of autonomy  A hacker’s dream. You may be asking yourself: Why identify this person specifically as a new-starter? Because new-starters are especially vulnerable to advanced impersonation attacks.  They aren’t yet familiar with policies or people. They probably haven’t had security training yet. That means they’ll be less likely to confidently distinguish between a normal email and a suspicious request. They’ll also be eager to show initiative and may be less likely to push back when asked to do something unusual like emailing across bank account details or changing passwords. And, depending on the security culture in the company, they may be apprehensive to report the suspicious email, especially if they were tricked into following a link or downloading an attachment.
An office administrator working in Healthcare
While Technology is among the most vulnerable in companies with over 1,000 employees, Healthcare is among the most vulnerable across all company sizes and is also the industry most likely to experience a data loss incident involving employee misuse of access privileges. Worse still, Healthcare has the highest costs associated with a data breaches – 65% higher than the average across all industries – and has for nine years running. Unfortunately, this doesn’t stop hackers from targeting employees like office administrators who – like executive assistants – have access to sensitive systems and data. The data an office administrator working in Healthcare might handle includes: Health records Clinical trials Insurance information Credit card details PII of patients PII of employees Payroll information And, because a lot of Healthcare professionals work in the public sector, they may have limited budgets for email security solutions that detect and prevent advanced inbound threats that use domain spoofing to trick targets.  An accounts payable manager at a Manufacturing company
Last year, the Manufacturing industry saw the most breaches from social attacks like spear phishing. They’re also among the most at risk companies with 1,000+ employees.  Why?  Organizations operating in this industry tend to be a part of long supply chains. That means there will be a lot of invoices being paid in and out.  Employees who deal with invoices are even more likely to be targeted now than they were a few months ago. Incidents involving payment and invoice fraud have increased by 112% since Q1 and Q2 2020. Attacks on finance employees have increased by 87% during the same period. It’s also important to note that, unlike other industries like Healthcare, Financial Services, and Legal, the Manufacturing industry isn’t obligated to comply with strict compliance standards. That means many don’t have safeguards in place to protect against threats like spear phishing and business email compromise.  A senior partner at a law firm 
While we’ve outlined why mid-level employees are vulnerable to attacks, it’s important to note that high-ranking employees are high-risk, too.  Not only do they have access to sensitive information like client data and Intellectual Property, but, according to new research into the Psychology of Human Error, employees like Senior Partners may be among the most likely to click on a phishing email.  That’s because survey respondents cite distraction as the number one reason they’ve clicked on phishing emails. They also say they’re more likely to make mistakes when they’re stressed or tired. Senior partners tend to work across several projects, are generally time-poor, and are under tremendous pressure to perform.  But, senior partners are even more vulnerable than other C-level executives because, well, the larger Legal sector is vulnerable. In fact, it’s in the top three most targeted industries, with 80% of firms saying they’ve been targeted by a phishing attack.   How can employees detect spear phishing attacks? While we go into more detail about defense strategies for spear phishing in this article, here are a few top tips to help you spot social engineering attacks like BEC, CEO Fraud, and more. Review the email address of senders and look out for impersonations of trusted brands and people (like your CEO or Finance Director) including display name impersonation and domain impersonation. Always inspect URLs in emails for legitimacy by hovering over links before clicking on them Pay attention to differences – that may be very subtle – in website content if you follow a URL after inspecting it Never divulge personal information if you don’t trust or recognize the sender or if you have any doubts about the legitimacy of the email. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply But, it’s important organizations don’t leave their people as the last line of defense. Technology is critical, especially as threats become more and more sophisticated and harder to detect.  But, spam filters, antivirus software, and other legacy security solutions just aren’t enough. How does Tessian prevent spear phishing attacks? Tessian’s machine learning algorithms are trained on historical email data. This enables Tessian Defender to understand a company’s complex network of relationships and the context behind each email. From there, it can flag emails that look suspicious.   In layman’s terms: Tessian Defender detects and prevents what other solutions can’t, including CEO Fraud, Whaling, Business Email Compromise, and more.  To learn more, book a demo or download the data sheet.
Compliance, Data Exfiltration, DLP, Spear Phishing
August Cybersecurity News Roundup
By Maddie Rosenthal
Friday, August 28th, 2020
The end of the month means another roundup of the top cybersecurity headlines. Keep reading for a summary of the top 12 stories from August. Bonus: We’ve included links to extra resources in case anything piques your interest and you want to take a deeper dive. Did we miss anything? Email [email protected] Russian charged with trying to recruit Tesla employee to plant malware  Earlier this week, news broke that the FBI had arrested Egor Igorevich Kriuchkov – a 27-year-old Russian citizen – for trying to recruit a fellow Tesla employee to plant malware inside the Gigafactory Nevada. The plan? Insert malware into the electric car maker’s system, causing a distributed denial of service (DDos) attack to occur. This would essentially give hackers free rein over the system.  But, instead of breaching the network, the Russian-speaking employee turned down Egor’s million-dollar offer (to be paid in cash or bitcoin) and instead worked closely with the FBI to thwart the attack. Feds warn election officials of potentially malicious ‘typosquatting’ websites Stories of election fraud have dominated headlines over the last several months. The latest story involves suspicious “typosquatting” websites that may be used for credential harvesting, phishing, and influence operations.
While the FBI hasn’t yet identified any malicious incidents, they have found dozens of illegitimate websites that could be used to interfere with the 2020 vote.   To stay safe, make sure you double-check any URLs you’ve typed in and never input any personal information unless you trust the domain.  Former Google engineer sent to prison for stealing robocar secrets An Insider Threat at Google who exfiltrated 14,000 files five years ago has been sentenced to 18 months in prison. The sentencing came four months after Anthony Levandowski plead guilty to stealing trade secrets, including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.  He’s also been ordered to pay more than $850,000. Looking for more information about the original incident? Check out this article: Insider Threats: Types and Real-World Examples. All the information you need is under Example #4. For six months, security researchers have secretly distributed an Emotet vaccine across the world Emotet – one of today’s most skilled malware groups – has caused security and IT leaders headaches since 2014.  But, earlier this year, James Quinn, a malware analyst working for Binary Defense, discovered a bug in Emotet’s code and was able to put together a PowerShell script that exploited the registry key mechanism to crash the malware. According to ZDNet, he essentially created “both an Emotet vaccine and killswitch at the same time.” Working with Team CYMRU, Binary Defense handed over the “vaccine” to national Computer Emergency Response Teams (CERTs), which then spread it around the world to companies in their respective jurisdictions. Online business fraud down, consumer fraud up New research from TransUnion shows that between March and July, hackers have started to change their tactics. Instead of targeting businesses, they’re now shifting their focus to consumers. Key findings include: Consumer fraud has increased 10%, while business fraud has declined 9% since the beginning of the pandemic Nearly one-third of consumers have been targeted by COVID-19 related fraud Phishing is the most common method used in fraud schemes You can read the full report here. FBI and CISA issue warning over increase in vishing attacks A joint warning from the Federal Bureau of Investigations (FBI) and Cybersecurity Infrastructure Security Agency (CISA) was released in mid-August, cautioning the public that they’ve seen a spike in voice phishing attacks (known as vishing).  They’ve attributed the increase in attacks to the shift to remote working. Why? Because people are no longer able to verify requests in-person. Not sure what vishing is? Check out this article, which outlines how hackers are able to pull off these attacks, how you can spot them, and what to do if you’re targeted.  TikTok sues U.S. government over Trump ban In last month’s cybersecurity roundup, we outlined why India had banned TikTok and why America might be next. 30 days later, we have a few updates. On August 3, President Trump said TikTok would be banned in the U.S. unless it was bought by Microsoft (or another company) before September 15. Three days later, Trump signed an executive order barring US businesses from making transactions with TikTok’s parent company, ByteDance. The order will go into effect 45 days after it was signed. A few weeks later, ByteDance filed a lawsuit against the U.S. government, arguing the company was denied due process to argue that it isn’t actually a national security threat. In the meantime, TikTok is continuing its sales conversations with Microsoft and Oracle. Stay tuned next month for an update on what happens in the next 30 days. A Stanford deception expert and cybersecurity CEO explain why people fall for online scams According to a new research report – The Psychology of Human Error – nearly half of employees have made a mistake at work that had security repercussions. But why? Employees say stress, distraction, and fatigue are part of the problem and drive them to make more mistakes at work, including sending emails to the wrong people and clicking on phishing emails.  And, as you might expect, the sudden transition to remote work has only added fuel to the fire. 57% of employees say they’re even more distracted when working from home.  To avoid making costly mistakes, Jeff Hancock, a professor at Stanford, recommends taking breaks and prioritizing self-care. Of course, cybersecurity solutions will help prevent employees from causing a breach, too. University of Utah pays $457,000 to ransomware gang On August 21, the University of Utah posted a statement on its website saying that they were the victim of a ransomware attack and, to avoid hackers leaking sensitive student information, they paid $457,000. But, according to the statement, the hackers only managed to encrypt .02% of the data stored on their servers. While the University hasn’t revealed which ransomware gang was behind the attack, they have confirmed that the attack took place on July 19, that it was the College of Social and Behavioral Sciences that was hacked, and that the university’s cyber insurance policy paid for part of the ransom. Verizon analyzed the COVID-19 data breach landscape This month, Verizon updates its annual Data Breach Landscape Report to include new facts and figures related to COVID-19. Here some of the trends to look out for based on their findings: Breaches caused by human error will increase. Why? Many organizations are operating with fewer staff than before due to either illness or layoffs. Some staff may also have limitations because of new remote working set-ups. When you combine that with larger workloads and more distractions, we’re bound to see more mistakes. Organizations should be especially wary of stolen-credential related hacking, especially as many IT and security teams are working to lock down and maintain remote access.  Ransomware attacks will increase in the coming months. SANS Institute Phishing Attack Leads to Theft of 28,000 Records  The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on. While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. The cybersecurity skills shortage is getting worse In March, Tessian released its Opportunity in Cybersecurity Report which set out to answer one (not-so-simple) question: Why are there over 4 million unfilled positions in cybersecurity and why is the workforce twice as likely to be male than female? The answer is multi-faceted and has a lot to do with a lack of knowledge of the industry and inaccurate perceptions of what it means to work in cybersecurity.  The bad news is, it looks like the problem is getting worse. A recent report, The Life and Times of Cybersecurity Professionals 2020, shows that only 7% of cybersecurity professionals say their organization has improved its position relative to the cybersecurity skills shortage in the last several years. Another 58% say their organizations should be doing more to bridge the gap. What do you think will help encourage more people to join the industry?  That’s all for this month! Keep up with us on social media and check our blog for more updates.
Human Layer Security, Tessian Culture
Why Customer Centricity is So Important At Tessian
By Samantha Holt
Thursday, August 27th, 2020
We believe this whole-heartedly at Tessian. That’s why we’ve made Customer Centricity one of our six company values, and why we’re making it – along with being Human-First – our focus going into Q4.  So, what does “Customer Centricity” actually mean?  It means that our customer’s success doesn’t sit with one functional team. Instead, it’s the entire company’s responsibility. It’s embedded into every role, across every team. It’s a part of Tessian’s company culture. Whether we’re launching a feature, or pursuing a partnership, we always ask “How does this help our current and future customers?”  Keep reading to find out why customer-centricity is more important now than ever, what we’re doing internally to ensure we’re being guided by this value every day, and what we learned from Nick Mehta, a guru of Customer Success and the CEO of Gainsight, during his live discussion with Tessian CEO and Co-Founder, Tim Sadler.  Why are we focusing on customer-centricity now? It’s been a tumultuous few months for businesses around the world which means that two of our values are especially relevant: Customer Centricity and Human First. They go hand-in-hand. Nick explained why.
Instead of just looking at the effects of COVID-19 and the economic downturn from our perspective, we’ve stayed laser-focused on what our customers are going through. The ultimate question that we’ve asked ourselves – and will continue asking ourselves – is “How can we best support our customers through this period?” How can we help? How can we show real value?  As we’ve said, we believe this is the responsibility of all Tessians. Nick does, too. “It’s not just about the customer success function or customer-facing roles. It’s all roles. Customer Success if about end-to-end customer experience, but everyone in the company touches that. In Finance, part of the customer experience is the invoice you send them and the collection emails you send. Those things matter a lot.  If you’re in Legal, the terms in your contract affect the customer experience. Are they friendly? Are they easy to understand? Even if you’re not talking to a customer every day, you can still look at customer data to help you do your job better,” he said. What are we doing internally to make sure we’re being guided by these values?  Here are steps we’re taking this quarter to show our commitment to our customers: We’re creating a more human experience for our customers. We’ve been thinking deeply about our customer journey during this period, in particular the AE-CSM holdover. We want our customer’s experience to be as seamless – and as human – as possible. This influences how we communicate, when we communicate, and the ways in which we demonstrate value. It all comes back to being human-first and, as Nick said, “treating customers not just as a transaction or a deal, but as a group of human beings”. We’re empowering all Tessians to understand their role in customer success. During our Town Hall, we asked everyone at Tessian to take this quarter to reflect on this question: How does your role impact our customers? We’re encouraging even those employees who aren’t in customer-facing roles to explore the challenges our customers are facing and what we can do to best support them. We’re also kicking off a Customer Success Book Club. Our first pick? Nick’s latest book “The Customer Success Economy”. This way, all Tessians can understand how to apply customer-centric principals to their specific role.  We’re immersed in customer feedback. We are taking the time to find even more ways to communicate with our customers during COVID, even without face-to-face meetings. We want to make sure we understand – at all times – how their priorities are shifting. That way, we can anticipate their needs and continue delivering an amazing customer experience. We’re setting company-level OKRs focusing on Customer Centricity. While creating all of these initiatives and putting them into action are steps one and two, we have to somehow hold ourselves accountable. That’s why we’ve set company-level OKRs. Now, individuals, teams, and entire departments across Tessian have goals set around Customer Centricity. These will be reviewed throughout the quarter to make sure we’re always demonstrating this value and putting our customers first. The bottom line is: We’re guided by our customers and we want to support them today and in the future, wherever and however they’re working.  What can other organizations do to make sure they’re focusing on their customers? COVID has impacted all of us and while customers are certainly looking for value, they’re also looking for a human touch. Empathy goes a long way. Here are some questions to reflect on: How can we break down silos in our company to ensure customers are at the forefront of every decision? In what areas of the business could we show more empathy to our customers, and err away from treating them as a transaction or deal? How can we reach out more frequently and regularly to our customers in a human-first way to ensure we are showing value?
Human Layer Security, Spear Phishing
Must-Know Phishing Statistics: Updated 2020
By Maddie Rosenthal
Tuesday, August 25th, 2020
Phishing attacks aren’t a new threat. In fact, these scams have been circulating since the mid-’90s. But, over time, they’ve become more and more sophisticated, have targeted larger numbers of people, and have caused more harm to both individuals and organizations. That means that this year – despite a growing number of vendors offering anti-phishing solutions – phishing is a bigger problem than ever. The problem is so big, in fact, that it’s hard to keep up with the latest facts and figures. That’s why we’ve put together this article. We’ve rounded up the latest phishing statistics, including: The frequency of phishing attacks The tactics employed by hackers The data that’s compromised by breaches The cost of a breach The most targeted industries The most impersonated brands  Facts and figures related to COVID-19 scams Looking for something more visual? Check out this infographic with key statistics.
If you’re familiar with phishing, spear phishing, and other forms of social engineering attacks, skip straight to the first category of 2020 phishing statistics. If not, we’ve pulled together some of our favorite resources that you can check out first to learn more about this hard-to-detect security threat.  How to Identify and Prevent Phishing Attacks What is Spear Phishing? Spear Phishing Demystified: The Terms You Need to Know Phishing vs. Spear Phishing: Differences and Defense Strategies How to Catch a Phish: A Closer Look at Email Impersonation CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives Business Email Compromise: What it is and How it Happens Whaling Attacks: Examples and Prevention Strategies  The frequency of phishing attacks According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing. While this is down 6.6% from the previous year, it’s still the “threat action variety” most likely to cause a breach.  The frequency of attacks varies industry-by-industry (click here to jump to key statistics about the most phished). But 88% of organizations around the world experienced spear phishing attempts in 2019. Another 86% experienced business email compromise (BEC) attempts.  But, there’s a difference between an attempt and a successful attack. 65% of organizations in the United States experienced a successful phishing attack. This is 10% higher than the global average.  The tactics employed by hackers 96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing. According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks: Urgent Request Important Payment Attention Hackers are relying more and more heavily on the credentials they’ve stolen via phishing attacks to access sensitive systems and data. That’s one reason why breaches involving malware have decreased by over 40%.
According to Sonic Wall’s 2020 Cyber Threat report, in 2019, PDFs and Microsoft Office files were the delivery vehicles of choice for today’s cybercriminals. Why? Because these files are universally trusted in the modern workplace.  When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%).  The data that’s compromised by breaches The top five “types” of data that are compromised in a phishing attack are: Credentials (passwords, usernames, pin numbers) Personal data (name, address, email address) Internal data (sales projections, product roadmaps)  Medical (treatment information, insurance claims) Bank (account numbers, credit card information) While instances of financially-motivated social engineering incidents have more than doubled since 2015, this isn’t a driver for targeted attacks. Just 6% of targeted attacks are motivated by financial incentives, while 96% are motivated by intelligence gathering. The other 10% are simply trying to cause chaos and disruption. While we’ve already discussed credential theft, malware, and financial motivations, the consequences and impact vary. According to one report: Nearly 60% of organizations lose data Nearly 50% of organizations  have credentials or accounts compromised Nearly 50% of organizations are infected with ransomware Nearly 40% of organizations are infected with malware Nearly 35% of organizations experience financial losses
The cost of a breach According to IBM’s Cost of a Data Breach Report, the average cost per compromised record has steadily increased over the last three years. In 2019, the cost was $150. For some context, 5.2 million records were stolen in Marriott’s most recent breach. That means the cost of the breach could amount to $780 million. But, the average breach costs organizations $3.92 million. This number will generally be higher in larger organizations and lower in smaller organizations.  Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2019, BEC scammers made nearly $1.8 billion. That’s over half of the total losses reported by organizations. And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter. This cost can be broken down into several different categories, including: Lost hours from employees Remediation Incident response Damaged reputation Lost intellectual property Direct monetary losses Compliance fines Lost revenue Legal fees Costs associated remediation generally account for the largest chunk of the total.  Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.  The most targeted industires While the Manufacturing industry saw the most breaches from social attacks (followed by Healthcare and then Professional services), employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year.   According to a different data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest risk industries. The industries most at risk in companies with 1-249 employees are: Healthcare & Pharmaceuticals Education Manufacturing The industries most at risk in companies with 250-999 employees are: Construction Healthcare & Pharmaceuticals Business Services The industries most at risk in companies with 1,000+ employees are: Technology Healthcare & Pharmaceuticals Manufacturing The most impersonated brands Earlier this year, Check Point released its list of the most impersonated brands. These vary based on whether the attempt was via email or mobile, but the most impersonated brands overall for Q1 2020 were: Apple Netflix Yahoo WhatsApp PayPal Chase Facebook Microsoft eBay Amazon The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information. But, after the outbreak of COVID-19 at the end of Q1, hackers changed their tactics and, by the end of Q2, Zoom was the most impersonated brand in email attacks. Read on for more COVID-related phishing statistics.
Facts and figures related to COVID-19 scams Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April. And, it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87% while attacks on the C-Suite decreased by 37%.
What can individuals and organizations do to prevent being targeted by phishing attacks? While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action. Review the email address of senders and look out for impersonations of trusted brands or people (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.) Always inspect URLs in emails for legitimacy by hovering over them before clicking Beware of URL redirects and pay attention to subtle differences in website content Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply We’ve created several resources to help employees identify phishing attacks. You can download a shareable PDF with examples of phishing emails and tips at the bottom of this blog: Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks. But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.
Customer Stories, DLP, Human Layer Security
9 Questions That Will Help You Choose The Right Email Security Solution
Tuesday, August 25th, 2020
When it comes to creating a cybersecurity strategy, security leaders have a lot to consider. There are various threat vectors, dozens of “types” of data to secure, thousands of products on the market, and oftentimes limited budget to work with. But, in this article, we’re going to focus on email security. Why? Because 90% of data breaches start on email. Data could be compromised via a spear phishing attack. Malware contained in one malicious attachment could infect an entire organization’s network. Insider threats could easily exfiltrate data for financial gain simply by emailing spreadsheets to their personal email accounts.   That’s why email is the threat vector security and IT leaders are most concerned about, and it’s why choosing the right email security software is so critically important. Keep reading to learn: What nine questions you should ask when choosing an email security solution  The solutions other security leaders across industries use to protect their people on email Why Tessian may be the right email security software for you How to get buy-in from your CEO after you’ve decided what the best solution is for your organization 1. Is it easy to deploy? Cybersecurity solutions should make life easier for your employees and your IT department. And, the bottom line is, a complicated setup process wastes time and resources. Worse still, it could lead to errors in deployment which may leave your company vulnerable. That’s why email security software must be easy to deploy across your organization and it should seamlessly integrate with a variety of email clients, all without any administrative burden. Before getting too far into the sales process, make sure you find out what support the vendor will provide, how long deployment takes, and – whenever possible – talk to an existing customer to find out how their deployment was.  2. Is it scalable and customizable? As your company grows and changes, your business tools must adapt. This includes email security software, which should work for you consistently, regardless of your company’s size. If you scale up or down, your email security software should change with you. Email security software must also allow customization so that it really aligns with your risk appetite, your employees’ preferences, and your specific business context. Too little flexibility is stifling — but too much choice is overwhelming (and could be resource-intensive).  3. Does it prevent a wide range of threats? Today, cybersecurity solutions must detect and prevent a broader range of threats than ever before. And, when it comes to email security software, you have to consider both inbound and outbound threats, including: Spear phishing: A sophisticated phishing attack in which the attacker emails a specific, named target. Verizon’s 2020 data breach report shows that 96% of social attacks (like spear phishing) occur via email. Check out more statistics related to social engineering attacks on our blog. Misdirected emails: An employee accidentally emails personal or sensitive data to the wrong recipient. This happens more often than you might think. The UK’s privacy regulator cited misdirected emails as the number one cause of data breaches in quarter four of 2019-20 and, according to Tessian platform data, over 800 emails are sent to the wrong person every year in organizations with 1,000 people.  Insider Threats: A trusted employee sends confidential or sensitive data to an unauthorized recipient. This recipient can be a third-party to whom a malicious insider is leaking intellectual property — or merely an employee forwarding correspondence to their personal email. Looking for more examples? We’ve rounded up 7 real-world Insider Threat examples here. 4. Can it keep up with the evolving threat landscape? Online threats are rapidly evolving and email security software is only as good as its ability to keep pace with these threats. Whether it’s vishing, smishing, or a new type of malware, hackers are always looking for new ways to take advantage of security vulnerabilities and unsuspecting (and often untrained) employees.  Can your email security software keep up? Tessian can. Scroll down to learn how Tessian uses machine learning to automatically “learn” and evolve in tandem with the threat landscape.  5. Are employees (and data) protected across devices? Businesses are increasingly reliant on cloud computing, remote working, and home offices — particularly since the outbreak of COVID-19. It’s hard enough to protect a set of company workstations located on company premises. Trying to manage security on any number of desktop, laptop, and mobile devices — located in offices, public places, and your employees’ homes — is even harder. But, unprotected devices represent a critical vulnerability in your company’s security. That’s why the right email security solution will work on any device that employees can use to access company data. 6. Is it easy to see (and communicate) ROI? It can be tough for security leaders to communicate the ROI of cybersecurity solutions. Why? Because it’s hard to put a value on something that hasn’t happened. But, a strong email security solution will make it easy for IT teams to assess risk, review trends over time, and create reports that demonstrate how risk is downtrending over time. This way, key stakeholders can really see the impact.  Unfortunately, a lot of solutions today are a black box when it comes to investigating incidents and garnering insights. So, when choosing an email security solution, consider what reporting tools the solution offers and whether or not any manual investigation is required. Most security teams are already thinly stretched; communicating ROI shouldn’t be an added burden. 7. Is it easy for employees to use? According to new research, 51% of employees say security tools and software impede their productivity. Likewise, 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job. This proves that the most secure path also has to be the path of least resistance. If the security solution you’re considering has high flag rates, creates extra work for your employees, or isn’t user-friendly, it will go unused. This is a security risk.  In layman’s terms: security shouldn’t get in the way. 8. Does it help ensure compliance?  Increasingly strict data privacy laws are setting new standards for companies handling personal information.  Businesses are accountable for taking a proactive approach to data security. You must take every reasonable step to ensure that the personal information in your control is kept safe and you must be able to demonstrate your security measures to regulators on demand.  That means that, when evaluating potential email security solutions, you should not only understand what data loss incidents they prevent, but also which security certifications they’ve earned.  9. Has it been vetted by relevant customers and industry leaders? Before selecting an email security software provider, you must ensure that it is well-established and has testimonials from previous customers, preferably in your company’s sector. Cybersecurity is a vast industry, and too many players are inexperienced, disreputable, or downright untrustworthy. You cannot afford to take any risks in choosing an email security software provider: reputation is everything in this field. Is Tessian the right email security solution for you?
Tessian is easy to deploy Deploying Tessian couldn’t be simpler. The software integrates with all email environments, including Office 365, Microsoft Exchange, and GSuite. And, plug-and-play intelligent filters make individual customization easy. Setup is also extremely fast. Within 24 hours, Tessian analyzes an entire year’s worth of your organization’s historic email data. Immediately afterward, you’re protected.  No rules are required.  Tessian is scalable and customizable Tessian’s stateful machine learning technology is always evolving, designed to suit your business’s needs as it scales and changes over time. Tessian automatically (and continuously) analyzes each employee’s historic email behavior to learn what is and isn’t “normal” for them. That way, it knows which emails to flag as anomalous.  But, we also understand how important customization is. With Tessian Constructor, you can create and implement security rules specific to your organization. Tessian prevents a wide range of threats Across three solutions, Tessian’s Human Layer Security platform can detect and prevent inbound and outbound threats, including advanced impersonation attacks, Insider Threats, and accidental data loss via misdirected emails. Tessian keeps pace with the evolving threat landscape Tessian doesn’t rely on a list of signatures of known malware and scams. Our machine learning algorithms are actively learning all the time, which enables Tessian Defender, Guardian, and Enforcer to spot unusual activity and discover new threats. And, with Human Layer Security Intelligence, Tessian customers benefit from a sort of “herd immunity”. If a threat is detected in another environment – for example, a never-before-seen social engineering attack – Tessian’s entire community of users will automatically be protected. How? The suspicious domain will automatically be placed on a “denylist” and blocked.  Tessian protects employees and data across devices Tessian is an ideal solution for remote or hybrid work environments. It protects your employees and your company’s data on laptops, desktops, and mobile devices. Tessian makes it easy to see ROI Tessian Human Layer Security Intelligence provides security leaders with detailed, easy-to-understand and – best of all – automated threat reports. In a single click, you’ll be able to see how your risk profile has improved over a certain period of time.
Security and IT teams can also get detailed information about specific incidents. Zero manual investigation required. Want to learn more about how Tessian customers can use HLSI to improve their security posture and communicate ROI? Read this: Introducing Tessian Human Layer Security Intelligence. Tessian is easy for employees to use Tessian is incredibly easy for anyone in your company to use. In fact, Tessian barely requires any “use” at all. The software runs silently in the background without any impediment to your employees’ productivity whatsoever. Flag rates are low, warnings – when triggered – are helpful, not annoying, and our customers see a very low number of false positives. With Tessian, the most secure path is the path of least resistance. It’s one piece of security software your employees will thank you for adopting.
Tessian helps ensure compliance The key to compliance with privacy law is assessing risks to privacy and taking reasonable steps to mitigate these risks. Email represents a critical risk area in any company’s data security architecture. Tessian can assist with compliance in a way that other email security software cannot. Tessian Guardian is unique in its ability to prevent misdirected emails, which are the leading cause of data breach, according to reports by the ICO and the California Attorney-General. Given that misdirected email is such a common cause of data breaches, you must take steps to safeguard against this risk.  But, it’s also important to note that Tessian was designed with security and privacy in mind. You can learn more about our security certifications and how we ensure data privacy and protection here.  Tessian has been vetted by industry leaders Leading organizations across industries rely on Tessian to protect their people and data on email.  Here are just some of the many businesses that endorse Tessian, by sector: Legal Customers Hill Dickinson (case study) Dentons (case study) Caplin and Drysdale (case study) Financial Services Customers Webb Henderson (case study) Man Group (case study) Evercore (case study) Tech Customers Rightmove (case study) Gubra (case study) Com Lauda (case study) Insurance Customers North (case study) Healthcare Customers Laya Healthcare (case study) Tessian has also received recognition and plaudits from industry bodies and tech experts.  In May 2020, Tessian was recognized as a Cool Vendor in the Gartner Cool Vendors in Cloud Office Security report, which recognizes security solutions that “focus specifically upon securing applications, communication and data that occur within cloud office environments.” Tessian has also been independently tested by IT analyst firm 451 Research, which assessed how the software fared against its competitors in data-loss prevention. According to 451 Research’s report, Tessian’s machine learning algorithms allow it to succeed in preventing data loss where rule-based solutions fall short. 
And, most recently, Tessian was included in Forrester’s Now Tech: Report for Enterprise Email Security Providers. You can read more about why Tessian was selected here.  While there is no one-size-fits-all approach to email security, this guide should help you research and vet which solution is right for you. If you’re considering Tessian, why not book a demo to have these questions (and more) answered by one of our experts.
Not ready to book a demo yet? Learn more about your products, our customers, and our Human Layer Security vision via the links below: Why Tessian? Our Technology What is Human Layer Security? Customer Stories  Bonus: If you have decided which email security solution is right for you but you’re struggling to get buy-in from your CEO, read this guide with tips from the world’s most innovative and trusted organizations.
Spear Phishing
Deepfakes: What are They and Why are They a Threat?
By Ed Bishop
Friday, August 21st, 2020
According to a recent Tessian survey, 74% of IT leaders think deepfakes are a threat to their organizations’ and their employees’ security. Are they right to be worried? We take a look. What is a deepfake?
How could deepfakes compromise security? “Hacking humans” is a tried and tested method of attack used by cybercriminals to breach companies’ security, access valuable information and systems, and steal huge sums of money.  In the world of cybersecurity, attempts to “hack humans” are known as social engineering attacks. In layman’s terms, social engineering is simply an attempt to trick people. These tactics and techniques have been around for years and they are constantly evolving.  For example, cybercriminals have realized that the “spray-and-pray” phishing campaigns they previously used were losing their efficacy. Why? Because companies have strengthened their defenses against these bulk attacks and people have begun to recognize the cues that signalled a scam, such as poor grammar or typos.  As a result, hackers have moved to crafting more sophisticated and targeted spear phishing attacks, impersonating senior executives, third party suppliers, or other trusted authorities in emails to deceive employees.  Some even play the long game, building rapport with their targets over time before asking them to wire money or share credentials. Attackers will also directly spoof the sender’s domain and add company logos to their messages to make them look more legitimate. It’s working.  Last year alone, scammers made nearly $1.8 billion through Business Email Compromise attacks. While spear phishing attacks take more time and effort to create, they are more effective and the ROI for an attacker is much higher. So, what does this have to do with deep fakes? Deepfakes – either as videos or audio recordings – are the next iteration of advanced impersonation techniques malicious actors can use to abuse trust and manipulate people into complying with their requests.  These attacks have proven even more effective than targeted email attacks. As the saying goes, seeing – or hearing – is believing. If an employee believes that the person on the video call in front of them is the real deal – or if the person calling them is their CEO – then it’s unlikely that they would ignore the request. Why would they question it?
Examples of deepfakes In 2019, cybercriminals mimicked the voice of a CEO at a large energy firm, demanding a fraudulent transfer of £220,000. And, just last month, Twitter also experienced a major security breach after employees were targeted by a “phone spear phishing attack” or “vishing” attack. Targeted employees received phone calls from hackers posing as IT staff, tricking them into sharing passwords for internal tools and systems.  While it’s still early days and, in some cases, the deepfake isn’t that convincing, there’s no denying that deepfake technology will continue to get better, faster, and cheaper in the near future.  You just have to look at advanced algorithms like GPT-3 to see how quickly it can become a reality.  Earlier this year, OpenAI released GPT-3—an advanced natural language processing (NLP) algorithm that uses deep learning to produce human-like text. It’s so convincing, in fact, that a student used the tool to produce a fake blog post that landed in the top spot on Hacker News—proving that AI-written content can pass as human-authored.
It’s easy to see why the security community is scared about the potential impact of deepfakes.. Gone are the days of hackers drafting poorly written emails, full of typos and grammatical errors. Using AI, they can craft highly convincing messages that actually look like they’ve been written by the people they’re impersonating.  This is something we will explore further at the Tessian HLS Summit on September 9th. Register here. Who is most likely to be targeted by deepfake scams? The truth is, anyone could be a target. There is no one group of people more likely than another to be targeted by deepfakes.  Within your organization, though, it is important to identify who might be most vulnerable to these types of advanced impersonation scams and make them aware of how – and on what channels – they could be targeted.  For example, a less senior employee may have no idea what their CEO sounds like or even looks like. That makes them a prime target.  It’s a similar story for new joiners. Hackers will do their homework, trawl through LinkedIn, and prey on new members of staff, knowing that it’s unlikely they would have met senior members of the organization. New joiners, therefore, would not recognize their voices if they receive a call from them.  Attackers may also pretend to be someone from the IT team who’s carrying out a routine set-up exercise. This would be an opportune time to ask their targets to share account credentials.  As new joiners have no reference points to verify whether the person calling them is real or fake, -or if the request they’re being asked to carry out is even legitimate – it’s likely that they’ll fall for the scam. 
How easy are deepfakes to make? Researchers have shown that you only need about one minute of audio to create an audio deepfake, while “talking head” style fake videos require around 40 minutes of input data.  If your CEO has spoken at an industry conference, and there’s a recording of it online, hackers have the input data they need to train its algorithms and create a convincing deepfake. But crafting a deepfake can take hours or days, depending on the hacker’s skill level. For reference, Timothy Lee, a senior tech reporter at Ars Technica was able to create his own deepfake in two weeks and he spent just $552 doing it.  Deepfakes, then, are a relatively simple but effective way to hack an organization. Or even an election.
How could deepfakes compromise election security? There’s been a lot of talk about how deepfakes could be used to compromise the security of the 2020 U.S. presidential election. In fact, an overwhelming 76% of IT leaders believe deepfakes will be used as part of disinformation campaigns in the election.  Fake messages about polling site disruptions, opening hours, and voting methods could affect turnout or prevent groups of people from voting. Worse still, disinformation and deepfake campaigns -whereby criminals swap out the messages delivered by trusted voices like government officials or journalists – threaten to cause even more chaos and confusion among voters.  Elvis Chan, a Supervisory Special Agent assigned to the FBI who will be speaking at the Tessian HLS Summit in September, believes that people are right to be concerned.  “Deepfakes may be able to elicit a range of responses which can compromise election security,” he said. “On one end of the spectrum, deepfakes may erode the American public’s confidence in election integrity. On the other end of the spectrum, deepfakes may promote violence or suppress turnout at polling locations,” he said. So, how can you spot a deepfake and how can you protect your people from them? 
How to protect yourself and your organization from deepfakes Poorly-made video deepfakes are easy to spot – the lips are out of sync, the speaker isn’t blinking, or there may be a flicker on the screen. But, as the technology improves over time and NLP algorithms become more advanced, it’s going to be more difficult for people to spot deepfakes and other advanced impersonation scams.  Ironically, AI is one of the most powerful tools we have to combat AI-generated attacks.  AI can understand patterns and automatically detect unusual patterns and anomalies – like impersonations – faster and more accurately than a human can.  But, we can’t just rely on technology. Education and awareness amongst people is also incredibly important. It’s therefore encouraging to see that 61% of IT leaders are already educating their employees on the threat of deepfakes and another 27% have plans to do so.  To help you out, we’ve put together some of our top tips which you and your employees can follow if you are being targeted by a deepfake or vishing attack:  Pause and question whether it seems right for a colleague – senior or otherwise – to ask you to carry out the request. Verify the request with the person directly via another channel of communication, such as email or instant messaging. People will not mind if you ask.  Ask the person requesting an action something only you and they would know, to verify their identity. For example, ask them what their partner’s name is or what the office dog is called.  Report incidents to the IT team. With this knowledge, they will be able to put in place measures to prevent similar attacks in the future. Looking for more advice? At the Tessian HLS Summit on September 9th, the FBI’s Elvis Chan will discuss tactics such as reporting, content verification, and critical thinking training in order to help employees avoid deepfakes or advanced impersonation.  You can register for the event here. 
Human Layer Security, Spear Phishing
Is Your Office 365 Email Secure?
By Subha Rama
Thursday, August 20th, 2020
In July this year, Microsoft took down a massive fraud campaign that used knock-off domains and malicious applications to scam its customers in 62 countries around the world.  But this wasn’t the first time a successful phishing attack was carried out against Office 365 (O365) customers. In December 2019, the same hackers gained unauthorized access to hundreds of Microsoft customers’ business email accounts.  According to Microsoft, this scheme “enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website…as they would in a more traditional phishing campaign.” Why are O365 accounts so vulnerable to attacks? Exchange Online/Outlook – the cloud email application for O365 users – has always been a breeding ground for phishing, malware, and very targeted data breaches.  Though Microsoft has been ramping up its O365 email security features with Advanced Threat Protection (ATP) as an additional layer to Exchange Online Protection (EOP), both tools have failed to meet expectations because of their inability to stop newer and more innovative social engineering attacks, business email compromise (BEC), and impersonations.  One of the biggest challenges with ATP in particular is its time-of-click approach, which requires the user to click on URLs within emails to activate analysis and remediation.   Is O365 ATP enough to protect my email? We believe that O365’s native security controls do protect users against bulk phishing scams, spam, malware, and domain spoofing. And these tools are great when it comes to stopping broad-based, high-volume, low-effort attacks – they offer a baseline protection.  For example, you don’t need to add signature-based malware protection if you have EOP/ATP for your email, as these are proven to be quite efficient against such attacks. These tools employ the same approach used by network firewalls and email gateways – they rely on a repository of millions of signatures to identify ‘known’ malware.  But, this is a big problem because the threat landscape has changed in the last several years.  Email attacks have mutated to become more sophisticated and targeted and  hackers exploit user behavior to launch surgical and highly damaging campaigns on people and organizations. Attackers use automation to make small, random modifications to existing malware signatures and use transformation techniques to bypass these native O365 security tools. Unsuspecting – and often untrained – users fall prey to socially engineered attacks that mimic O365 protocols, domains, notifications, and more.  See below for a convincing example.
It is because such loopholes exist in O365 email security that Microsoft continues to be one of the most breached brands in the world.  What are the consequences of a compromised account? There is a lot at stake if an account is compromised.  With ~180 million O365 active email accounts, organizations could find themselves at risk of data loss or a breach, which means revenue loss, damaged reputation, customer churn, disrupted productivity, regulatory fines, and penalties for non-compliance. This means they need to quickly move beyond relying on largely rule- and reputation-based O365 email filters to more dynamic ways of detecting and mitigating email-originated risks. Enter machine learning and behavioral analysis. There has been a surge in the availability of platforms that use machine learning algorithms. Why? Because these platforms detect and mitigate threats in ways other solutions can’t and help enterprises improve their overall security posture. Instead of relying on static rules to predict human behavior, solutions powered by machine learning actually adapt and evolve in tandem with relationships and circumstances. Machine learning algorithms “study” the email behavior of users, learn from it, and – finally – draw conclusions from it.  But, not all of ML platforms are created equal. There are varying levels of complexity (going beyond IP addresses and metadata to natural language processing); algorithms learn to detect behavior anomalies at different speeds (static vs. in real-time); and they can achieve different scales (the number of data points they can simultaneously study and analyze). How does Tessian prevent threats that O365 security controls miss? Tessian’s Human Layer Security platform is designed to offset the rule-based and sandbox approaches of O365 ATP to detect and stop newer and previously unknown attacks from external sources, domain / brand / service impersonations, and data exfiltration by internal actors.  Learn more about why rule-based approaches to spear phishing attacks fail. By dynamically analyzing current and historical data, communication styles, language patterns, and employee project relationships both within and outside the organization, Tessian generates contextual employee relationship graphs to establish a baseline normal behavior. By doing this, Tessian turns both your employees and the email data into an organization’s biggest defenses against inbound and outbound email threats.  Conventional tools focus on just securing the machine layer – the network, applications, and devices. By uniquely focusing on the human layer, Tessian can make clear distinctions between legitimate and malicious email interactions and warn users in real-time to reinforce training and policies to promote safer behavior.  How can O365 ATP and Tessian work together?  Often, customers ask us which approach is better: the conventional, rule-based approach of the O365 native tools, or Tessian’s powered by machine learning? The answer is, each has their unique place in building a comprehensive email security strategy for O365. But, no organization that deals with sensitive, critical, and personal data can afford to overlook the benefits of an approach based on machine learning and behavioral analysis.  A layered approach that leverages the tools offered by O365 for high-volume attacks, reinforced with next-gen tools for detecting the unknown and evasive ones, would be your best bet.  A very short implementation time coupled with the algorithm’s ability to ‘learn’ from historical email data over the last year – all within 24 hours of deployment – means Tessian could give O365 users just the edge they need to combat modern day email threats. 
Customer Stories, DLP, Human Layer Security
Prove the Value of Cybersecurity Solutions: 16 Tips From Security Leaders
By Maddie Rosenthal
Tuesday, August 18th, 2020
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.  This is easier said than done, especially now that organizations around the world are facing budget cuts in the wake of COVID-19. But, security is business-critical.   So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips. You can also download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. 1. Familiarize yourself with overall business objectives While cybersecurity has historically been a siloed department, today, it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.  The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case. If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach, the average cost of a data breach is $3.86 million.) 2. Create specific “what-if” scenarios A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.  As the saying goes, “If it ain’t broke, don’t fix it”.  That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented so that stakeholders can understand both probability and impact. For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails  which – by the way- are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox.  What would happen?  Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.  3. Work closely with the security vendor You know your business. Security vendors know their product. If you combine each of your expertise – and really lean on each other – you’ll have a much better chance of making a compelling case for a particular solution. Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.  4. Collaborate and align with other departments It takes a village and cybersecurity is a “people problem”.  That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.  Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win! 5. Consider how much the executive(s) really know about security To communicate effectively, you have to speak the same language. And, we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with. But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing. For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But, if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.  In short: Don’t succumb to the Curse of Knowledge. 
6. Use analogies to put costs into perspective  One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful. For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But, the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.  Suddenly, the cost will seem more manageable and worth the investment. 7. Invite key stakeholders to events or webinars  Before you even start pitching a particular solution, warm-up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people/organizations are finding solutions. Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle. Looking for events to attend? We’ve put together this list of 20 cybersecurity and business events – including Tessian Human Layer Security Summit – perfect for inviting your non-technical colleagues to.  8. Prepare concise and personalized briefing materials Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5. After taking some time to understand the business’ overall objectives, take a closer look at individual peoples’ roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity. Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.  The bottom line: make it about them. 9. Share these documents in advance of any formal meetings While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.  To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings. But, don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information. 10. Build a strong security culture Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone. So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping – not blaming – employees. There has to be a certain level of mutual trust and respect.  Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions – whether it’s clicking on a phishing email or using a weak password – have consequences.  If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign-off on solutions. 11. Keep an eye on security trends outside of your industry  Some industries – specifically Healthcare, Financial Services, and Legal – are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months. Keep this in mind. If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too. 12. Approach non-executive stakeholders early on While – yes – getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.  After all, those are the people who will actually be responsible for deploying the solution and maintaining it.By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.  How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.  13. Match like-for-like people from both sides If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level. For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.  And, with that in mind…. 14. Preempt questions and prepare answers No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!) Remember, people are generally concerned with how a problem/solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.  15. Get specific customer references from the vendor We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And, we mentioned in tip #11 that you should match like-for-like people in meetings. It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince you’re CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from the CTO. Why? Professionals trust and rely on their peers when making difficult decisions. 16. Be conscious (and considerate of) peoples’ time  Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).  Are you a security leader who wants to offer advice to your peers? We’d love to hear from you! Please get in touch with [email protected] And, if you’re looking for more advice, check out these blogs: How to Communicate Cybersecurity ROI Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges How to Create an Enduring and Flexible Cybersecurity Strategy
Page