Spear Phishing
Spotting the Stimulus Check Scams
Thursday, April 16th, 2020
Since the US government announced that citizens who make less than $75K would receive $1,200 checks, we have found that there have been 673 newly registered domains related to the $2T stimulus package.  Unlike the domains spoofing the U.S. Census that we discovered earlier this month, these URLs aren’t intended to mimic official government websites. Rather, these domains have been set up to take advantage of the stimulus package, using common questions or key words to lure users in such as whereismystimuluscheck.com or covid-19-stimulus.com.  Where do these new domains go? When we looked at the newly registered domains more closely, we found that nearly half of the newly registered domains hosted websites offer the following services: Consultancy: helping people with the paperwork to get their checks Calculators: asking users to enter their personal information, such as their age and address, to find out how much money they are entitled to Donations: giving people the opportunity to donate their check to a Covid-19 related cause Business loans We also found that 7% of these spoofed domains were spam websites, with no clear call to action. With hackers capitalizing on this global health crisis to launch targeted phishing scams, people need to be mindful of what information they share on these sites.  The thing is that cybercriminals will always follow the money, looking for ways to take advantage of the fact people will be seeking more information or guidance on the stimulus package. Although not every domain registered in the last month may be malicious, it’s possible that these websites offering consulting and business loans could be set up to trick people into sharing money or personal information.  Our advice? Always check the URL of the domain and verify the legitimacy of the service by calling them directly before taking action.  Think twice about sharing your data It’s also important to consider what data you are being asked to share via websites offering calculators or status checks, and what the websites offer after you have taken an action. Cybercriminals could use the information you shared to craft targeted phishing emails that include the ‘results’ of your assessment, tricking you to click on malicious links with the intention of stealing money, credentials or installing malware onto your device. Earlier this week, the IRS launched a new online resource for citizens to check on their payment status. We anticipate that even more URLs will crop up as a result of this. How to avoid potential scams Think twice before sharing personal information to calculator websites. If it doesn’t look right, it probably isn’t  Make sure the educational sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly Never share direct deposit details or your Social Security number on an unfamiliar website Take care when sharing your email address and other personal information on websites like the calculator ones and question the legitimacy of the emails sharing your results before clicking on any links Always use different passwords when setting up new accounts on these websites  
Data Loss Prevention
Remote Worker’s Guide To: BYOD Policies
Thursday, April 16th, 2020
With the outbreak of COVID-19, workforces around the world have transitioned from secure office environments to their homes.  While some companies already had the infrastructure and policies in place to support a remote workforce, other smaller organizations and even some large enterprises are facing a number of challenges in getting their teams set up, starting with access to secure devices like laptops and phones. One way to empower your employees to work safely wherever they are is to implement BYOD (Bring Your Own Device) policies. What is a BYOD Policy?
While BYOD policies are something of a necessity now – especially with delays and even cancellations in global supply chains for the devices virtual workers rely on – they were formerly an answer to IT consumerization.  Consumerization of IT refers to the cycle of technology first being built for personal, consumer use and then later being adopted by businesses and other organizations at an enterprise level. It’s often the result of employees using popular consumer apps or devices at work, because they are better than the legacy tech used by the organization. What are the benefits of a BYOD policy? There’s a reason why the BYOD market was booming pre-COVID-19. In fact, the market is expected to be valued at more than $366.95 by 2020, a big jump from its valuation of $30 billion in 2014. Note: This forecast was made three years ago, which means the sudden and global transition to remote-working will likely drive more growth. So, what are some of the benefits for businesses? You’ll Enable a Productive Remote Workforce  This is no doubt the most important reason to adopt BYOD policies, especially now. If your employees have historically worked on desktops and you’re struggling to set each person up with a laptop, BYOD policies will enable your people to keep working, despite hardware shortages and other challenges. Beyond that, though, you’ll also enable your people to work freely from wherever they need to, whether that be in transit, at home, or in the office. You’ll Reduce Burden on IT Teams Employees tend to be more comfortable and confident using their own personal devices and their native interfaces. For example, someone who has worked on a Windows computer for 15 years may struggle to suddenly start working on a Mac. That means there will be less dependence on IT teams to train or otherwise set-up employees on new devices. But, it’s important to consider the security risks along with the benefits so that your employees and data stay safe while working from personal devices.  What are the security risks involved in using personal devices? Physical security Loss or theft of a personal device is one of the biggest concerns around BYOD policies, especially when you consider that people tend to carry their mobile phones and even laptops with them at all times. If a device fell into the wrong hands and adequate security measures weren’t in place, sensitive data could be at risk.  Network security If a cybercriminal was able to gain access to a personal device, they could maneuver from one device to another and move through an organization’s network quickly. Once inside, they could install malware, steal sensitive information, or simply maintain a foothold to control systems later. Information security Data is currency and personal devices hold a lot of information not just about an organization and its clients, vendors, and suppliers, but also about the individual. If you imagine all the sensitive data contained in Outlook or Gmail accounts, you can begin to see the magnitude of the risks if this data were exposed. Physical and network security risks are threats to information security, which proves how important securing devices really is. Tips for employers To minimize the risk associated with BYOD policies, we recommend that you: Enforce strict password policies. Mobile phones should be locked down with 6-digit PINs or complex swipe codes, and laptops should be secured with strong passwords that utilize numbers, letters, and characters. Your best bet is to enforce MFA or SSO and provide your employees with a password manager to keep track of their details securely. Equip devices with reliable security solutions. From encryption to antivirus software, personal devices need to have the same security solutions installed as work devices. Ideally, solutions will operate on both desktop and mobile ensuring protection across the board. For example, Tessian defends against both inbound and outbound email threats on desktop and mobile. Read more about our solutions here.  Restrict data access. Whether your organization uses a VPN or cloud services, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access through stringent access controls whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Limit or block downloads of software and applications. IT and security teams can use either blacklisting or whitelisting to ensure employees are only downloading and using vetted software and applications. Alternatively, IT and security teams could exercise even more control by preventing downloads altogether. Educate your employees. Awareness training is an essential part of any security strategy. But, it’s important that the training is relevant to your organization. If you do implement a BYOD policy, ensure every employee is educated about the rules and risks.  Tips for employees  To minimize the risk associated with BYOD policies, we recommend that you: Password-protect your personal devices. Adhere to internal security policies around password-protection or, alternatively, use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops. If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. Avoid public Wi-Fi and hotspotting. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Put training into practice. While security training is notoriously boring, it’s incredibly important and effective if put into practice. Always pay attention during training sessions and action the advice you’re given. Report loss or theft. In the event your device is lost or stolen, file a report internally immediately. If you’re unfamiliar with procedures around reporting, check with your line manager or IT team ASAP. They’ll be able to better mitigate risks around data loss the sooner they’re notified.  Communicate with IT and security teams. If you’re unsure about how to use your personal device securely or if you think your device has been compromised in some way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have, the better equipped they are to keep you and your device protected.  BYOD policies offer organizations and employees much-needed flexibility. But, in order to be effective as opposed to detrimental, strict security policies must be in place. It’s not just up to security teams. Employees must do their part to make smart security decisions in order to protect their devices, personal data and sensitive business information. Looking for more tips on staying secure while working remotely? We’re here to help! Check out these blogs: Ultimate Guide to Staying Secure While Working Remotely Remote Worker’s Guide To: Preventing Data Loss 11 Tools to Help You Stay Secure and Productive While Working Remotely 
Spear Phishing
COVID-19: Real-Life Examples of Opportunistic Phishing Emails
Wednesday, April 15th, 2020
A few weeks ago we published the post below, which included real-world examples of opportunistic phishing attacks exploiting COVID-19. One of the phishing attacks pretended to be from “Management” and contained an attachment with guidance on how to stay safe. Another attack was designed to look like an account activation email for a remote-working tool; it was sent by “IT Support.” We have two more real-world examples, and this time the attackers are impersonating a company that has seen tremendous attention and adoption with the rise of remote-working: Zoom.  Phishing Email #1: Your CEO is Waiting for You
What’s wrong with this email? The Display Name ([email protected]) and the email address do not match. The actual sender address is [email protected] The attacker, who sent the email on a Friday afternoon, is hoping that the target will a) be motivated to respond quickly to a meeting request from the CEO and b) be less scrutinizing and security-conscious as it’s the end of the week.  The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware.  Upon hovering over the provided link, you’ll find the URL is actually different than the hyperlink would lead you to believe The closing of the email is suspicious: “This message is from your company’s IT.” NB: This phishing email is a direct spoof and was prevented because of DMARC; it was automatically sent to a Spam folder. If you haven’t set your DMARC records correctly, these emails will fly past existing defenses.
Phishing Email #2: Generic Zoom Spoof
What’s wrong with this email? The Display Name (tessian.com ZoomCall) and the email address do not match, but the attacker is hoping the recipient doesn’t look beyond the sender Display Name. The conference call time and date in the email subject line seem to have already passed, based on when the attack was received. Note this email was received at 3:22am, so would likely be the first email the recipient reads in the morning.  The email contains the message “Zoom will only keep this message for 48 hours.” This combined with the subject line adds a sense of urgency and could potentially convince the recipient they’ve missed something important and should quickly try to remedy it.  The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware.  We’ve been pulling together guidance and resources to help employees and businesses stay safe while working remotely. If you suspect you’ve been targeted by a phishing attack, do not click any links or download attachments. Instead, directly contact the sender via phone or a messaging app to confirm legitimacy of the email and immediately alert your IT or security team.
__________________________________________ Original post from Tuesday March 24, 2020 Over the last several weeks, there’s been a surge in opportunistic phishing attacks in which hackers are using the outbreak of COVID-19 to dupe targets into following links, downloading attachments, or otherwise divulging sensitive information.  We highlighted a few examples of phishing scams both consumers and employees should be aware of in our blog post, Coronavirus and Cybersecurity: How to Stay Safe from Phishing Attacks. Importantly, though, the examples were anecdotal.  Now, we want to share two real-life examples that Tessian Defender has flagged internally since the original blog was published.  Phishing Email #1: The Attacker is Capitalizing on Fear Around COVID-19
What’s wrong with this email? The Display Name (Information Unit) and the email address do not match at all. (What’s more, ‘Information Unit’ is not a genuine internal group at Tessian.) The attacker, who sent the email late-afternoon on a Friday, is no doubt hoping that the target – our marketing team –  is less scrutinizing and security-conscious as the week comes to a close, especially when employees across the globe are working from home. The target is being encouraged to download an attachment, which opens a fake login page to steal the victim’s credentials. The email is rife with spelling and grammar errors as well as formatting inconsistencies and the unconcerned, mechanical language is out-of-character for anyone in management, especially given the content of the email.  The attacker used complex encoding to try to evade traditional phishing detection tools that would scan for certain keywords in the email’s body. How? By interspacing different invisible characters between other characters so that the content looks like gibberish. Below is a screenshot of encoding in the email body for reference. Here, you see the characters marked “transparent”; those are the invisible characters.
Phishing Email #2: The Attacker Baits the Target With a Remote-Working Tool
What’s wrong with this email? The Display Name ([email protected]) and the email address are in stark contrast. This sender’s email address is a direct spoof of the domain (tessian.com). The attacker is taking advantage of the fact that many employees around the world are now suddenly working from home and in need of remote-working tools. Therefore, targets are more likely to trust that their employer has, in fact, set them up for remote connection provided by a VPN vendor. The way this email is constructed – poor grammar and impersonal – makes it obvious to a Tessian employee that this is not legitimately from our IT manager. The target is being encouraged to follow a link, which looks inconspicuous. But, upon hovering, you’ll see that the link the target will actually be led to is suspicious.
Important: Because Tessian has DMARC enabled, emails that spoof our domain are automatically sent to “quarantine”. That means the email was never actually received by the target and instead went straight to a spam folder. Unfortunately, though, a lot of companies don’t have DMARC enabled. In fact, nearly 80% of domains have no DMARC policy. Now that you know what these opportunistic phishing emails look like, what do you do if you’re targeted? That is, after all, what’s really important when it comes to preventing a data breach.  What to Do If You’re Targeted by a Phishing Attack If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  If you’re an employee who’s been targeted, contact your line manager and/or IT team. Unfortunately, hackers are taking advantage of other opportunities to target individuals and businesses, including: Tax Day The US Census Stimulus Checks  You can also find information, including the types of brands and people hackers try to impersonate and how to spot a suspicious or spoofed email address, here. 
Compliance, Data Loss Prevention, Spear Phishing
Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges
Wednesday, April 15th, 2020
As a part of our ongoing efforts to help security professionals around the world manage their new remote workforces, we’ve been holding virtual panel discussions and roundtables with ethical hackers and security and compliance leaders from some of the world’s leading institutions to discuss cybersecurity best practice while working from home. Our panelists and speakers have included David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, Jenna Franklin, Managing Counsel, Privacy & Data at Santander, Stacey Champagne, Head of Insider Threat at Blackstone, Ben Sadeghipour, Head of Hacker Education at HackerOne, Chris Turek, CIO at Evercore, Jon Washburn, CISO at Stoel Rives, Peter Keenan, CISO at Lazard, Gil Danieli, Director of Information security at Stroock, and Justin Daniels, General Counsel at Baker Donelson We’ve compiled some of the key takeaways to help IT, privacy, and security professionals and employees stay secure wherever they’re working.  Interested in joining a future roundtable? You can register here.
How to defend against spear phishing (inbound threats) Communicate new threats. Cybercriminals are carrying out opportunistic phishing attacks around COVID-19 and the mass transition from office-to-home. Keep employees in the loop by showing them examples of these threats. But, it’s important to not over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. Create policies and procedures around authenticating requests. Communicating new threats isn’t enough to stop them. To protect your employees and your data, you should also set up a system for verifying and authorizing requests via a known communication channel. For example, if an employee receives an email requesting an invoice be paid, they should contact the relevant department or individual via phone before making any payments. Enable multi-factor authentication. This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.   Encourage reporting. Creating and maintaining a positive security culture is one of the best ways to help defend against phishing and spear phishing attacks. If employees make a habit of reporting new threats, security and IT teams have a better chance of remediating them and preventing future threats.  Update security awareness training. Remote-working brings with it a host of new security challenges. From the do’s and don’t of using personal devices to identifying new threat vectors for phishing, employees need to refresh their security know-how now more than ever.
How to defend against data exfiltration (outbounds threats) Exercise strict control over your VPN. Whether it’s disabling split tunneling on your  VPN or limiting local admin access, it’s absolutely vital that you minimize lateral movements within your network. This will not only help prevent insider threats from stealing data, but it will also prevent hackers from moving quickly from one device to another.  Block downloads of software and applications. This is one of the easiest ways to minimize the attack vectors within your network. By preventing downloads by individual users, you’ll be able to exercise more control over the software and applications your employees use. This way, only vetted tools and solutions will be available for use.  Secure your cloud services. As workforces around the world are suddenly remote, cloud services are more important than ever. But, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Create a system for onboarding and offboarding employees. Both negligent and malicious incidents of data exfiltration are on the rise. To prevent new starters or bad leavers from mishandling your data, make sure you create and communicate new policies for onboarding and offboarding employees. In order to be truly effective, this will need to be a joint effort between HR, IT and security teams. Update security awareness training. Again, remote-working brings with it a host of new security challenges. Give your employees the best chance of preventing data loss by updating your security awareness training. Bonus: Check your cybersecurity insurance. Organizations are now especially vulnerable to cyber attacks. While preventative measures like the above should be in place, if you have cybersecurity insurance, now is the time to review your policy to ensure you’re covered across both new and pre-existing threat vectors.  Our panelist cited two key points to review: If you are allowing employees to use personal devices for anything work-related, check whether personal devices are included in your insurance policy. Verify whether or not your policy places a cap on scams and social engineering attacks and scrutinize the language around both terms. In some instances, there may be different caps placed on these different types of attacks which means your policy may not be as comprehensive as you might have thought. For example, under your policy, what would a phishing attack fall under? 
How to stay compliant Share updated policies and detailed guides with employees. While employees may know and understand security policies in the context of an office environment, they may not understand how to apply them in the context of their homes. In order to prevent data loss (and fines), ensure your employees know exactly how to handle sensitive information. This could mean wearing a headset while on calls with clients or customers, avoiding any handwritten notes, and – in general – storing information electronically. Update security awareness training. As we’ve mentioned, organizations around the world have seen a spike in inbound attacks like phishing. And, when you consider that 91% of data breaches start with a phishing attack, you can begin to understand why it’s absolutely essential that employees in every department know how to catch a phish and are especially cautious and vigilant when responding to emails. Conduct a Data Protection Impact Assessment (DPIA). As employees have moved out of offices and into their homes, businesses need to ensure personal data about employees and customers is protected while the employees are accessing it and while it’s in transit, wherever that may be. That means compliance teams need to consider localized regulations and compliance standards and IT and security teams have to take necessary steps to secure devices with software, restricted access, and physical security. Note: personal devices will also have to be safeguarded if employees are using those devices to access work.  Remember that health data requires special care. In light of COVID-19, a lot of organizations are monitoring employee health. But, it’s important to remember that health data is a special category under GDPR and requires special care both in terms of obtaining consent and how it’s processed and stored.  This is the case unless one of the exceptions apply. For example, processing is necessary for health and safety obligations under employment law. Likewise, processing is necessary for reasons of public interest in the area of public health. An important step here is to update employee privacy notices so that they know what information you’re collecting and how you’re using it, which meets the transparency requirement under GDPR.   Revise your Business Continuity Plan (BCP). For many organizations, recent events will have been the ultimate stress test for BCPs. With that said, though, these plans should continually be reviewed. For the best outcome, IT, security, legal, and compliance teams should work cross-functionally. Beyond that, you should stay in touch with suppliers to ensure service can be maintained, consistently review the risk profile of those suppliers, and scrutinize your own plans, bearing in mind redundancies and furloughs.  Stay up-to-date with regulatory authorities. Some regulators responsible for upholding data privacy have been releasing guidance around their attitude and approach to organizations meeting their regulatory obligations during this public health emergency.  In some cases, fines may be reduced, there may be fewer investigations, they may stand down new audits, and – while they cannot alter statutory deadlines – there is an acknowledgment that there may be some delays in fulfilling certain requests such as Data Subject Access Requests (DSARs). The UK privacy regulator, the ICO, has said they will continue acting proportionately, taking into account the challenges organizations face at this time. But, regulators won’t accept excuses and they will take strong action against those who take advantage of the pandemic; this crisis should not be used as an artificial reason for not investing in security.  
Looking for more advice around remote-working and the new world of work? For more practical advice from security leaders for security leaders and privacy professionals, join us for our next virtual panel discussion on April 30. We’ve also created a hub with curated content around remote working security which we’ll be updating regularly with more helpful guides and tips.
Data Loss Prevention
Remote Worker’s Guide To: Preventing Data Loss
Thursday, April 9th, 2020
Over the last several weeks, workforces across the world have transitioned from office to home. While security teams may have struggled initially to get their teams set up to work securely outside of their normal environments, by now most organizations have introduced new software, policies, and procedures to accommodate their new distributed teams.  We spoke with former CISO of KPMG Carolann Shields along with Tess Frieswick of Kivu Consulting and Hayley Bly of Nielsen about what the shift means for cybersecurity in a webinar on March 26. Carolann summed it up nicely when she said “Remote-working introduces complexities that you just don’t have when you can have everyone sitting in an office behind a firewall. It’s a difficult task trying to keep everyone secure and behavioral change and educating folks will be really important. If those things weren’t already a part of your cybersecurity program, they’re going to need to become a part of your cybersecurity program.”  While IT departments no doubt bear the burden of protecting sensitive data, data loss prevention (DLP) is the responsibility of the entire organization. And, while this sudden move to remote-working brings a host of new challenges – from effectively collaborating to co-working with partners, roommates, and children – data security should still be top of mind for both security leaders and individual employees, too.
So, what can you do to help prevent data loss within your organization? We have some tips. 1. Don’t work from your personal devices While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you’re more protected when working on company-sanctioned devices. Beyond that, though, the process to get work-related documents onto personal devices is risky on its own. We’ve written about this extensively in our blog The Dark Side of Sending Work Emails “Home”. In short, personal email accounts are more likely to be compromised than work email accounts. It may be because your personal email account is configured with a weak password or, the worst case, your personal email account may have already been infiltrated by an attacker who could easily intercept whatever sensitive data you’ve emailed to yourself.  Note: IT teams should ensure employees have a secure way to connect their authorized work devices to their personal printers in the event they need to print any documents. This will help them avoid them having to send sensitive documents to their personal accounts in order to print. 2. Be cautious whenever sending sensitive information via email Tessian has seen a 20% increase in email use with the shift to remote working. That means more sensitive data is in motion than ever.  More email traffic, unfortunately, means employees have more opportunities to make mistakes. One of the biggest mistakes an employee can make is sending an email to the wrong person and, as most of us know, it’s easy to do. So, to avoid making this costly mistake, always double-check the recipient(s) of your emails. Ensure you haven’t made any spelling mistakes, and, if you’re using autocomplete, make sure the correct email address has been added. Beyond that, you should always be vigilant when using Cc vs. Bcc and Reply vs Reply All and take time to check that you’ve attached the right documents.  3. Stay up-to-date on the latest phishing and spear phishing trends Cybercriminals use increasingly advanced technology and tactics to carry out effective phishing and spear phishing campaigns. They also tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. While you should always be on the lookout for the red flags that signal phishing attacks, you should also stay up-to-date on the latest trends. We’ve written about several on our blog, including phishing attacks around COVID-19, Tax Day, and the 2020 Census. For more information on how to catch a phish, click here. 4. Use password protection, especially for conferencing and collaboration tools Zoom has made headlines over the last several weeks for the security vulnerabilities found in the platform. While the online conference tool is working on their backend, individuals must do their part, too. To start, ensure you’re using strong passwords. For an application like Zoom, this also means always password-protecting your meetings, never sharing meeting links with people you don’t know or trust, and never sharing screenshots of your meeting which include the Zoom Meeting ID.  Managing so many passwords can be difficult, though. That’s why we recommend using a Password Manager. Click here for more information about the Password Manager we use at Tessian along with other tools that help us work securely while working remotely.  Note: If you’re an employee, you shouldn’t download new software or tools without consulting your IT team.  5. Avoid public Wi-Fi and hotspots Currently most of the world is working from home, but “working remotely” can extend to a number of places. You could be staying with a friend, traveling for work, catching up on emails during your commute, or getting your head down at a café.  Of course, to do work, you’ll likely rely on internet access. Public Wi-Fi or hotspotting from your mobile device may seem like an easy (and harmless) workaround when you don’t have other access, but it’s not wise. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. 6. Follow existing processes and policies When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. Whether it’s rules around locking your devices (see below) or procedures for sharing documents, they’re just as important – if not more important – while you’re working remotely.  This applies to training too. If your organization offers security training, do your best to keep those tips and best practices top of mind. If you’re unclear on the do’s and don’t of cybersecurity, consult your IT, security, or HR team. 7. Always lock your devices  Working outside of the office, even in a home environment, carries additional risks. That means you should always lock your devices with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes. 
8. Report near-misses or mistakes  Whether you’ve sent a misdirected email, fallen for a phishing scam, or had your device stolen, it’s absolutely vital that you report the incident to your IT or security team as soon as possible. The more lead time and information they have, the better the outcome of remediation.   By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue occurring again. It’s a two-way street, though. Organizations must build positive security cultures in order to empower employees to be open and honest. For more tips on how to stay safe while working remotely, read this Ultimate Guide. We’ll also be publishing more helpful tips weekly on both our blog and LinkedIn.
Spear Phishing
How to Spot and Avoid 2020 Census Scams
By Maddie Rosenthal
Tuesday, April 7th, 2020
In case you missed it, Tessian recently published a blog around the most common types of Tax Day scams in both the US and the UK.  Unfortunately, though, these aren’t the only opportunistic phishing attacks bad actors are carrying out this time of the year. They’re also launching Census scams.  As they do in Tax Day scams, cybercriminals will be impersonating government agencies. In this case, you’ll find they’re generally impersonating either the U.S. Census Bureau or an agent, or a third-party agency working for the U.S. Census Bureau. What do Census scams look like? Hackers have a range of threat vectors they can use to carry malware or gain access to sensitive information. In the past, we’ve seen attacks via email, phone, social media, job boards, and even traditional mail.  The common thread between all of these attacks is the request for sensitive personal information like home addresses, social security numbers, ethnicity and information related to the members of your household. This information could be used to make you a victim of identity theft. It’s important to remember that attacks may not ask directly for this information and may instead direct you to another webpage or portal via a link or QR code.  In this post, though, we’ll focus on email scams.  Example: Email Survey Scam
What’s wrong with this email? The US Census Bureau conducts surveys online, over the phone, via mail, or in-person, not via email.  While the Display Name looks authentic, the full email address is suspicious and inconsistent and doesn’t match the legitimate domain, which is @census.gov. Upon hovering over the link, you’ll see the URL is suspicious. Not only is the website connection not secure (remember: https indicates a secure connection), but the format and website name are both unusual.  Who will be targeted by Census scams?  Because it’s mandatory for all households to participate in the census, every US resident over 18 years of age is at risk of being targeted. That means that over the next several weeks, everyone in every state needs to exercise caution when responding to a request for personal information that appears to be coming from the U.S. Census Bureau or an affiliated individual or organization.   What do I do if I’m targeted by a phishing attack?  While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals should always follow the same guidelines if they think they’ve received a fraudulent request for information, whether by mail, email, SMS, or another online forum.  If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams – whether over email, online, or over the phone – is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If you’ve been targeted, report the attack to the Census Bureau. Call 1-800-354-7271, in English, or 1-800-833-5625, in Spanish. More resources The best way to stay safe is to stay informed.  The Census Bureau has issued its own advice on how to stay safe from phishing scams online and over the phone. Read their tips here. 
Spear Phishing
Everything You Need to Know About Tax Day Scams 2020
By Maddie Rosenthal
Tuesday, April 7th, 2020
While the world’s workforce has been adjusting to remote-working over the last several weeks and has, at the same time, become aware of opportunistic phishing attacks around COVID-19, attackers have been plotting their next attack: Tax Day Scams. These phishing attacks can take many different forms and target both US and UK residents. In the US, these attacks will use the deadline to file your income tax returns as bait. In the UK, these attacks will use your potential tax refund as bait.  But we’re here to help.  Here’s what you need to look out for and what to do in case you’re targeted by Tax Day scams. 
 What do Tax Day scams look like? As is the case with other phishing and spear phishing attacks, hackers will be impersonating trusted brands and authorities and will be – in some way – motivating you to act. Let’s take a closer look at how they do both through a series of examples. Example 1: IRS Impersonation 
What’s wrong with this email? The IRS has said they never contact taxpayers by email, so any correspondence “from” them is illegitimate. There is an extra “r” in “internal” in the sender’s email address Email addresses from government agencies will contain the toplevel domain “.gov”. There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency. Example 2: Tax-Preparation Software Impersonation
What’s wrong with this email? While the sender’s email address does contain Fast Tax, the company name, the toplevel domain name (.as) is unusual. The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. Example 3: HMRC Impersonation
What’s wrong with this email? While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address contains the toplevel domain “.net” instead of “.gov.uk” Upon hovering over the link, you’ll see the URL is suspicious.  Example 4: Client Impersonation
What’s wrong with this email? Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he hadn’t met or interacted with a woman named Karen Belmont, that could be a warning sign. Individuals and organizations should always be wary of attachments and should have anti-malware and/or virus protection in place. Example 5: CEO Impersonation
What’s wrong with this email? The root domain (supplier-xyz) in the sender’s email address is inconsistent with the toplevel domain (.com) in the recipient’s email address. The attacker is  impersonating the CEO in hopes that the target will be less likely to question the request.  The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly. Because this is a zero-payload attack (an attack that doesn’t rely on a link or attachment to carry malware), anti-malware or anti-virus software wouldn’t detect the scam. Who will be targeted by Tax Day scams?  From the examples above, you can see that cybercriminals will target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible and savvy hackers will use different tactics for each.  Here’s what you should look out for. Taxpayers Attackers will be impersonating trusted government agencies like HMRC and IRS and third-parties like tax professionals and tax software vendors. Attackers will use coercive language and the threat of missed deadlines or promises of refunds to motivate their targets to act. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.  For more information on payloads, read this comprehensive guide to phishing scams. Tax Professionals Attackers will be impersonating either existing clients/customers or prospects. In either case, they’ll be pretending to need help with their tax return or tax refund. Attackers will use the lure of new business or the threat of losing a customer to motivate their targets to act. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.  Businesses Attackers will be impersonating CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information. Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors.  What do I do if I’m targeted by a phishing attack? While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.
If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text or a separate email thread. If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization.
More resources As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites. Advice from the IRS Advice from HMRC
How to protect your organization from phishing attacks year-round As we’ve mentioned, Tax Day scams are just one of the ways bad actors will try to get hold of sensitive information or infect devices with malware. The best way to avoid falling for these scams year-round is to educate your employees and stay vigilant.  If you’re an organization, it only takes one mistake, one time for your most sensitive data to fall into the wrong hands. If you’re an IT or Security professional looking for a solution that’s more effective than awareness training and SEGs at preventing advanced phishing threats, consider Tessian Defender.  Book a demo now to find out how Tessian uses contextual machine learning to detect and prevent advanced spear phishing attacks without impeding on employee’s productivity. 
Key Takeaways from Tessian’s Cybersecurity Skills Gap Webinar
By Maddie Rosenthal
Tuesday, March 31st, 2020
In case you missed it, Tessian released the Opportunity in Cybersecurity Report 2020 earlier this month. In it, we examine the growing skills gap in cybersecurity through the lens of the disproportionately low percentage of women currently working in the field.  While the report was released in time for Women’s History Month and addresses the issue of gender bias in the industry, we found that it’s actually inaccurate perceptions of cybersecurity that are preventing people from considering the opportunities available. So, how can organizations tailor recruitment efforts to help candidates overcome this barrier to entry? To find out, we invited three of the contributors to the report to join Kelli Hogan, Tessian’s Head of Marketing Communications, for a webinar: “Cybersecurity skills gap: talent shortage or image problem?” You can view the full webinar here, and we’ve compiled the key takeaways for you in this blog. Cybersecurity is an incredibly diverse field Cybersecurity isn’t limited to hackers, developers, and engineers.
This is perhaps best demonstrated by the women themselves.  Carolann Shields, the former CISO at KPMG, is something of an industry veteran, having driven more than fifteen large-scale company-wide cybersecurity initiatives throughout her career. But, she didn’t study anything related to computer science. Instead, she earned her degree in Business Studies before starting down her path to cybersecurity. On the other hand, Hayley Bly, a Cybersecurity Architect at Nielsen, earned her Bachelor’s Degree in Computer Science almost four years ago and is currently working towards her Master’s of Science in Cybersecurity. Finally, Tess Frieswick, who earned her Bachelor’s Degree in World Politics with a minor in Islamic World Studies, became interested in cybersecurity after learning about Russian bot interference in the 2016 US presidential election. She recently started a new job as a Client Success Manager at Kivu Consulting after spending a year working at Uber as a security analyst. Learn more about their backgrounds by reading their profiles on our blog.  Organizations should enable internal recruitment as well as external recruitment  While most of us think of recruitment outside of our organization when we consider growing our security teams, Carolann has, throughout her career, made a point to look internally first.
Importantly, internal recruitment was only possible because of the environment KPMG created through job shadow programs and other initiatives that encouraged cross-functional movement and communication between teams.  Internal recruitment can do more than just fill vacancies, though. It also gives other individuals and even full departments a chance to better understand the function of cybersecurity teams which, in turn, helps build a stronger, more positive security culture.  Collaborative and open environments attract new talent We know from our research that creativity and collaboration rank in the top five skills needed to thrive in a cybersecurity role, but it’s clear that these are also attractive traits in an organization to applicants. That means if you want new, diverse talent, you have to communicate the scope of the opportunity, the open-mindedness of senior executives, and the organization’s overall propensity to engage with new ideas.  COVID-19 means more for cybersecurity than just a transition from office-to-home Given the current climate, it’s no surprise that the conversation turned to COVID-19.  When asked by an audience member during the live Q&A what the outbreak meant for the future of cybersecurity, all three of the women were steadfast that the impact goes far beyond just the transition from office-to-home, especially as attackers are taking advantage of the situation with opportunistic phishing attacks. 
But, this doesn’t just impact professionals in client services. Organizations are relying more heavily on cybersecurity teams to lock down internal systems and networks. The question is: Are teams going to have to do more with the same resource? Or will teams expand as necessary? Increased remote-working could mean more opportunities in cybersecurity  According to Carolann, it’s inevitable that this sudden transition necessitates a larger security team. 
Now more than ever, organizations have to recruit new and diverse talent in order to not just fill the 4 million vacancies that already exist, but to accommodate the increased reliance on cybersecurity teams to help us all safely transition to remote-working. For more insight on how to improve your recruitment efforts, listen to the webinar. #TheFutureIsCyber
Data Loss Prevention, Human Layer Security
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
Friday, March 27th, 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home” It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.  Personal email accounts can be compromised, especially as they are often configured with weak passwords Email is not a default encrypted medium. If an attacker were in a position to intercept your email, they would be able to read them, and any attachments if not encrypted Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.  Public Wi-Fi vs. using a personal device as a hotspot While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.  As an employee, here’s what you can do to be safe: When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and let alert your IT team of the oversight.  Ensure you keeping VPN software on work devices up-to-date Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.  From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.  This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.  Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password. But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider: How the data is backed up Risks associated with denial of service (DOS) attacks  Legal complications that may arise from certain types of data being stored overseas Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important. Conferencing and collaboration tools Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.  We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.  For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.   
How to physically protect your devices Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.  This has the added benefit of showing clients or other professional contacts that the business takes security seriously. About that OOO message… “Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…” It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker. Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away. Top tips for businesses setting up remote-working policies…. Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight. When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them. Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake. Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout. Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions. Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments. Top tips for employees working from home… Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to. Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you. Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring. During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.  FTC online security tips for working from home NCSC issues guidance as home working increases in response to COVID-19 We’ll also continue sharing best practice tips both on our blog and on LinkedIn. 
Human Layer Security
5 Key Takeaways Tessian’s VentureBeat Webinar
By Maddie Rosenthal
Friday, March 27th, 2020
As a follow-up to our feature in VentureBeat’s special issue AI & Security, Tessian’s Co-Founder and CTO Ed Bishop spoke with Joe Maglitta, Senior Contributor/Analyst at VentureBeat, to dive deep into how and why we need a different type of machine learning to protect people at work on email.  While you can watch and listen to the webinar on-demand here, below are some of the key takeaways from the discussion and live Q&A that followed.  The way we work has changed and will continue to change Over the last decade, business has moved – and continues to move – towards digital interfaces. That means that email is now the main artery of communication and, importantly, where an organization’s most sensitive information is shared.  Unfortunately, email isn’t secure. It wasn’t created to be secure and – the surprising truth is – it hasn’t changed much since its inception. When you compound that with the fact that people are more connected than ever, using phones, tablets, and even watches to check and respond to emails, you can see why it’s so important that we protect people – and therefore data – on email.  This evolution towards digital interfaces has come to a head over the last several weeks as most of the world’s organizations have moved to remote-working in light of the outbreak of COVID-19.  Since the outbreak, Tessian has seen a 20% increase in the number of emails sent; that means there are more opportunities for data loss on email and opportunistic phishing attacks than ever before.
Human Layer Vulnerabilities are the cause of data breaches  Employees control business’ most sensitive systems and data, whether that’s someone in your finance department who oversees billing and banking platforms or someone in your HR department who controls employee social security numbers and compensation plans. They are the first and last line of defense; the gatekeepers of digital systems and data. This is what we call the Human Layer. And people’s propensity to make mistakes, break the rules, or be hacked are Human Layer Vulnerabilities. But, these vulnerabilities don’t cause small issues. They’re responsible for big problems. They’re the number one cause of data breaches, with 88% of data breaches reported to the UK’s Information Commissioner’s Office (ICO) being caused by human error.  This fact was highlighted in a live poll conducted during the webinar in which 40% of viewers said phishing was the security breach they’re most concerned about. This came first, followed by accidental data loss (30%) and ransomware (30%).  No one cited Denial of Services or Ransomware as their biggest concern.
IT and security leaders often don’t have visibility of the problems associated with human error within their organization While human error on email is a problem in itself, the fact that many CISOs and other executives don’t know it’s a problem makes it even more of a challenge to solve. In the second poll of the webinar, viewers were asked: “How confident are you in the measures your organization has in place to prevent data breaches caused by people making mistakes, breaking rules, or being hacked?”  Respondents were split down the middle.
But, according to Ed, confidence – especially from security leaders – is the wrong way to measure it, especially when their visibility of the problem relies on their employees repointing mistakes or other breaches. “We like to look at what the data says. When we go in and do historical analysis, we’re able to show that the number of misdirected emails is as great as 20-30 times larger than CISOs think. A 10,000-person organization will send 130 misdirected emails a week, but the CISO doesn’t necessarily know that because only a few get reported to him or her a quarter.” Human Layer Security isn’t replacing machine layer security, DLP, or training There are thousands of security products on the market. That’s in addition to the policies and procedures implemented within individual organizations. Human Layer Security isn’t a replacement for your entire security stack; it’s a vital addition. Machine layer security  – often based on rules – is still effective in detecting malware. DLP solutions for physical security are still necessary. But, for those situations that can’t be defined or covered by “if this, then that” algorithms, you need something else.  Advanced threats caused by human error like spear phishing, misdirected emails, and data exfiltration all fall into that category and the only way to solve for them is by protecting the Human Layer.
Stateful machine learning is the best way to balance security, productivity, and effectiveness  Everything involving humans is dynamic and in flux. Relationships are formed during the duration of a project and then fall away. For example, you may have worked with a counterparty a lot a year ago, but now it’d be unusual for them to email you asking for an invoice to be paid. Stateful machine learning considers all of this by combining historical data with real-time analysis to answer the question: “At this exact moment in time, for this person, and their relationship, does this behavior look unusual?” Beyond this, though, stateful machine learning and Tessian’s Human Layer Security platform do not get in users’ way; this helps balance productivity and effectiveness in a way that policies, training, removal of access and rule-based technology all do. This is key; security should empower and enable your employees, not detract from their ability to do their jobs. For more information about how Tessian uses stateful machine learning to protect people on email, read the full VentureBeat article, watch the webinar, or get in touch for a demo.
Data Loss Prevention, Human Layer Security
How Can Organizations Empower People to Prevent Data Exfiltration?
By Maddie Rosenthal
Tuesday, March 24th, 2020
As data has become valuable currency, data exfiltration is a bigger issue now than ever before. And, while it’s a complex problem to solve, it’s not a losing game. Techniques and technologies have been evolving and today we are better able to control and prevent data exfiltration. To successfully prevent data exfiltration, you have to understand the various moving parts. When it comes to protecting data, there are three key challenges: People Processes Technology
Preventing Data Exfiltration With People: The Role of Training Since old-school software and keyword tracking tools have proven largely ineffective at preventing exfiltration, some security teams have proposed that rather than relying only on software, people should be trained on how to safely manage data and information.  Training allows employees to learn about internal policies, regulations like GDPR and CCPA, and other best practices around data. But, it’s important that organizations reinforce training with practical applications. Some training will reinforce company policies and compliance with data privacy regulations. but the majority of training and awareness programs center on teaching employees about inbound threats like phishing attacks and BEC. Very few training and awareness programs educate employees about outbound security risks like accidental and deliberate data loss.  Preventing Data Exfiltration With Processes: In-Situ Learning To really empower employees to work securely and prevent data exfiltration, organizations have to look beyond compliance training to in-situ learning opportunities provided by contextual warnings, triggered by suspicious activity.  Beyond preventing breaches, these warnings help promote safe behavior by asking employees to pause and think “Am I making the right decision?” But, too many warnings or pop-ups may have the opposite effect. Take, for example, pop-ups that prompt you to accept cookies on websites. Because most of us encounter these on every website we visit, we ignore them or blindly click to consent. This is called alert fatigue; the more pop-ups you see, the less you care about them. The same applies to in-situ learning. If employees encounter notifications warning against risky behavior on 25% of emails they send, they’ll stop paying attention to them. So, what’s the solution? Warnings should only trigger when there’s a genuine security risk. That means security software must be able to distinguish between normal emails and suspicious ones with the utmost accuracy. Warning notifications should also contain relevant and easy-to-comprehend information about why the email has been flagged to help reinforce security training with context.  Tessian Enforcer, Guardian, and Defender do just that. 
Preventing Data Exfiltration With Technology: Machine Learning Even with training and in-situ learning, organizations need a final line of defense against data exfiltration. For many organizations, that last line of defense is rule-based technology.  But, rule-based solutions are blunt instruments.  The best way to illustrate this is through an example.  To prevent data exfiltration on email, an organization might block communications with freemail accounts (for example, @gmail, @yahoo, etc.). But, imagine the marketing department outsources work to a freelancer. In that case, the freelance worker may use a freemail account. When the employee attempts to communicate with this trusted third-party, the email would be blocked and the employee will be unable to carry out their work. Unlike rule-based solutions, ML-based solutions like Tessian are agile.  Tessian’s machine learning algorithms are trained off of historical email data to understand evolving human relationships on email. Instead of relying on rules to flag suspicious emails, it relies on context from millions of data points from the past and present. That way, solutions like Tessian Enforcer and Tessian Guardian are able to uniquely understand every email address in an organization’s network and can, therefore, automatically (and accurately) identify whether a recipient is a trusted third-party or an unauthorized non-business account.   Learn More About How Tessian Empowers People to Work Securely Preventing data exfiltration requires well-trained employees and intelligent solutions. To learn more about how Tessian combines in-situ learning with machine learning to reinforce training and prevent data loss, request a demo.  
Data Loss Prevention
11 Tools to Help You Stay Secure and Productive While Working Remotely
Monday, March 23rd, 2020
With the outbreak of COVID-19, organizations are relying on tools and software to enable their employees to work remotely. While this transition from office-to-home may be relatively seamless for some, it can be quite a challenge for those who didn’t already have these virtual systems set-up and deployed. As a tech start-up, Tessian has had remote-working processes and security policies in place since the beginning and, as a part of that, we have a long list of fully vetted productivity tools and software that we’ve made available to our employees.  So, to help IT, security, operations, and HR teams around the world balance productivity and security, while also attempting to conduct “business as usual”, we’re sharing applications we use to ensure our people are always protected while working, whether that’s from the office or from home.
What should you consider before onboarding an application? There are a lot of collaboration and productivity tools out there. But, it’s crucial organizations only use those that have the highest standards and protocols around safeguarding data.  At Tessian, we scrutinize and vet all applications to ensure they comply with our own strict data and privacy protection criteria. While the below assessment isn’t exhaustive or applicable to all tools, software, or applications that might be useful while employees are working remotely, it should help you identify products that are sound from an information security and data protection perspective.  Does the application process personal data? If so, why and in what volume? Where is the data processed?  Does the application take back-ups of data? If so, how often? Who has access to the data in the platform? Is access conditional upon Multi-Factor Authentication (2FA, for example)?  Does the application have a policy in place that addresses Incident Response to patching and other security issues? Does the application protect data in transit between services using encryption?  Does the application protect internal data in transit? If so, how? Is the application certified with any regional or international data security standards? Not sure where to find all of this information? You should be able to find vendor’s privacy and data policies on their website. You can also contact them directly. For example, we always ask that a vendor assessment form be completed and, when solutions process a large amount of data, we’ll schedule a follow-up call.
Collaboration and productivity tools we use at Tessian Zoom Used across every department at Tessian, Zoom is a video conferencing platform that helps keep us connected with each other and our customers across continents. Now, we’re even using it for our weekly all-company meetings, which means almost 200 people are joining at once. It’s made collaboration – especially in isolation – much easier.  You can record the sessions, break larger groups into smaller teams via Breakout Rooms, and there’s an add-in for calendar systems which makes scheduling virtual meetings as easy as in-person meetings. While they’ve always offered solutions for educators, healthcare providers, and virtually every other industry, Zoom has developed even more solutions and resources in light of the pandemic. Use this resource to find out how Zoom can support businesses moving to a remote-working model. Clubhouse While we use other project management platforms like Trello, Clubhouse is a favorite amongst our product and engineering teams because it’s made specifically for developers and is deeply integrated with GitHub. It makes creating and tracking workflows for features, bugs, sprints, or long-term projects easy. GitHub For most engineers, this is an obvious one, but worth mentioning nonetheless. GitHub was built for developers and allows users to host and review code, manage projects, and build software, all in one place.  Importantly from a security and admin perspective, you can deploy it to your environment or to the cloud.  OpenVPN In any remote-working environment, secure access to network resources is the top priority. If employees can’t access their work, they can’t do their jobs. And, to prevent employees from sending work emails to personal accounts or exfiltrating data, organizations have to implement a solution that extends to different sites, devices, and users.  We use OpenVPN. In addition to extending centralized unified threat management to remote networks, encryption ensures privacy on different Wi-Fi networks.  Google Drive We also use Google’s cloud storage system, Google Drive, to enable file sharing in and out of the office. Again, the name of the game is collaboration and with integrations into other applications like Google Docs, Slides, and Sheets all available on desktop and mobile, it’s easy for different individuals and entire teams to work together.  But, it’s important that you implement security processes to ensure everything you store in your Drive stays safe. To start, you should secure access to the Drive by enabling 2FA for all Google Accounts and set-up strict policies around sharing documents externally. You should also limit access internally to different Drives. For example, each department can have its own, limited-access Drive in addition to an all-company Drive. Peakon Knowing how your employees are feeling is essential for business growth and personal development. Of course, gauging employee engagement and experience is easier said than done and is especially difficult when your entire organization is working remotely. Peakon does the heavy lifting for you via bi-weekly online surveys and enables HR, People, and Executive teams to make changes to their organization that make an actual impact. How? By gathering feedback from every employee anonymously and comparing results to industry benchmarks.  IronClad IronClad is a digital contract platform that makes workflows for legal, finance, sales, and recruitment teams seamless.  The difference between this application and other services that let people “sign” digital agreements (DocuSign, Adobe Sign, etc.) is that IronClad extracts and catalogs metadata from contracts and integrates with other systems and platforms to make information accessible and actionable.  Slack According to the brand’s tagline, Slack is “where work happens” and, while many organizations use it in an office environment on top of email, it’s especially helpful for remote-working teams.  You can create different channels for different projects or conversations, update your “status” to let your co-workers know you’re ill, in transit, or away from your computer, and even loop in contacts from outside of your organization.  The company has seen a surge in usage since the outbreak and is rolling out new features to make the app (on both mobile and desktop) easier to use. Better still, there are three different plans available depending on your needs, including a free version.  Confluence Confluence – an Atlassian product – is a knowledge management tool. We use it as an ever-evolving source of truth for our organization: our wiki. Every team inputs and updates key information – from processes to KPIs – so that internally, anyone, at any time, anywhere, can quickly and easily find answers to questions related to onboarding, our products, or internal policies.  Figma Used by our product, design, and marketing teams, Figma is a web-based all-in-one design tool that makes collaboration and iteration fast and easy. You can share projects internally or externally with a URL, which means you don’t have to continually upload, save, or sync projects.  This is huge and means you can move from design-to-code more seamlessly. Beyond that, there are built-in commenting features that can integrate with Slack so that different people can track progress and flag issues in real-time.  Astute eLearning The need for training, whether around compliance, security, or something department-specific, doesn’t go away simply because an organization has moved from an office to a virtual environment. And, unfortunately, engaging with employees for training can be hard in-person, which means it’s an even bigger challenge while they’re out-of-office. At Tessian, we’ve used Astute eLearning, a web-based learning experience platform that lets your employees complete online training. Using the platform’s bank of certified videos and skills-assessments, you can monitor your employees’ progress through courses and, from that, identify and close any skills gaps.  Top tip: To ensure your employees are enabled to sign-in to all of these different apps securely and quickly, we also recommend using a password manager and Single Sign-On tool.  Want more information? As we all try our best to adapt to the “new normal” during these uncertain and challenging times, we’ll continue sharing best practice tips to keep our employees, customers, and the general community secure while working remotely.  Check back on our blog for the latest updates.
Page