Spear Phishing
How Does Tessian Help Prevent Ransomware Attacks?
By Negin Aminian
Wednesday, August 18th, 2021
Before we dig into how Tessian can help prevent ransomware attacks, let’s first define what exactly ransomware is, and explain the scope of the problem.

What is ransomware?

Ransomware is a type of malware that threatens to publish a victim’s data (or perpetually block access to it) unless a ransom is paid. Most ransomware and their variants have multiple attack vectors, and often the ransomware (and other malware) is distributed using email spam campaigns or through targeted attacks. For example, a phishing email may contain a link to a website hosting a malicious download, or an attachment. If the email recipient falls for the phish, the ransomware is downloaded and executed on their computer.

After a successful ransomware attack, security professionals and business executives are faced with conflicting options. Paying the ransom encourages future attacks. Yet the recovery could be far more costly than the original demand.

You can learn more about what ransomware is in this article: What is Ransomware? How is it Delivered?

How big of a problem is ransomware?

In a word: BIG. You can’t go a day without seeing a headline related to ransomware. That’s because ransomware continues to evolve and can halt businesses, slow down productivity, and destroy an organization’s reputation overnight. These types of attacks are often subtle and highly effective, using social engineering until users are tricked into clicking a phishing link or opening a file attachment. Worse still, the majority of organizations are unable to prevent ransomware early in the email cyberattack kill chain and remain vulnerable to these highly sophisticated attacks. Why? Because legacy solutions don’t effectively detect and prevent this type of threat, and there can be multiple threat vectors attacking a single organization in several different ways. The chances of success (for the hacker) are high.

Want to see examples of email cyberattack kill chains for ransomware? Download our Solution Brief.

To paint a clearer picture of the impact, check out these stats:

- A new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021
- Ransomware damage costs will rise to $20 billion by 2021, and a business will fall victim to a ransomware attack every 11 seconds at that time
- The ransomware attack on Universal Health Services (UHS) cost them $67 million. (This is mostly due to the operational problems post-attack — diverting patients to competing facilities for urgent care.)

If you’re looking for real-world examples of ransomware attacks, we share seven here: 7 (Recent) Examples of Ransomware Attacks.

How does Tessian help prevent ransomware?

Unlike legacy solutions, Tessian Defender is powered by machine learning and automatically detects and prevents advanced forms of phishing attacks – including those that deliver ransomware – by default. Importantly, this happens early in the kill chain to prevent credential theft, lateral movement, exfiltration, and more. In addition to detecting and preventing threats, Tessian also provides in-the-moment training to help employees identify malicious emails and nudge them towards safer behavior.

Solution highlights include:

Threat detection
Tessian’s algorithms continuously analyze and learn from email communications across its global network to build profiles and models of companies and their employees, to understand what their normal email communication looks like. This helps catch even the most advanced forms of phishing attacks that could lead to ransomware. Learn more about Tessian’s technology here.

Rapid remediation
Real-time alerts of inbound email threats to dedicated mailboxes. Explainable machine learning helps SOC teams understand quickly why an email has been classified as malicious. By aggregating similar events and grouping emails from the same compromised account, Tessian allows administrators to clawback/delete multiple events with a single click. Learn more about Tessian’s robust remediation tools here.

In-the-moment training
Non-disruptive in-the-moment training and awareness is provided to employees through contextualized, easy-to-understand warning messages that continually drive them towards secure behavior. Learn more about Tessian in-the-moment warnings here.

Flexible deployment and seamless integrations
Defender deploys in minutes and automatically prevents data breaches through email within 24 hours of deployment, across all devices, desktop and mobile. Learn more about Tessian’s integrations, compatibility, and partnerships here, and see what customers have to say about deployment here.
Spear Phishing, Compliance
Where Does Email Security Fit Into the MITRE ATT&CK Framework?
Friday, August 13th, 2021
If you’re aiming to achieve compliance with the MITRE ATT&CK Framework, email security will be among your top priorities. Why? Because securing your organization’s email is critical to detect, mitigate, and defend against some of the most widespread and harmful online threats.

In this article, we’ll offer a brief overview of the MITRE ATT&CK framework, then consider which attack techniques you can mitigate by improving your organization’s email security.

MITRE ATT&CK Framework 101

Here’s a brief introduction to the MITRE ATT&CK framework. Outlining the framework is important as it’ll help you see how its components tie in with your email security program. But feel free to skip ahead if you already know the basics.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework has three iterations—ATT&CK for Enterprise, ATT&CK for Mobile, and Pre-ATT&CK. We’re focusing on ATT&CK for Enterprise, covering threats to Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network environments. You can check out the Mobile Matrices here, and the PRE Matrix here.

MITRE ATT&CK tactics, techniques, sub-techniques, and mitigations

At the core of the framework is the ATT&CK matrix—a set of “Tactics” and corresponding “Techniques” used by “Adversaries” (threat actors). The ATT&CK for Enterprise matrix includes 14 Tactics:

- TA0043: Reconnaissance
- TA0042: Resource Development
- TA0001: Initial Access
- TA0002: Execution
- TA0003: Persistence
- TA0004: Privilege Escalation
- TA0005: Defense Evasion
- TA0006: Credential Access
- TA0007: Discovery
- TA0008: Lateral Movement
- TA0009: Collection
- TA0011: Command and Control
- TA0010: Exfiltration
- TA0040: Impact

Think of these Tactics as the Adversary’s main objectives. For example, under the “Collection” Tactic (TA0009), the adversary is “trying to gather data of interest to their goal.” If you want to learn more about these tactics, or see a full list of the Techniques, Sub-Techniques, and Mitigations we mention below, click here.

A set of Techniques and sometimes “Sub-Techniques” is associated with each Tactic. Techniques are the methods an Adversary uses to achieve their tactical objectives. Sub-Techniques are variations on certain Techniques. We won’t list all the MITRE ATT&CK Techniques here, but we’ll identify some relevant to email security in just a second.

But first (and finally) there are “Mitigations”—methods of preventing or defending against adversaries. Examples of Mitigations include M1041: “Encrypt Sensitive Information,” and M1027: “Password Policies.”

Back to email security…

MITRE and Email Security

Now we’ll identify the MITRE ATT&CK framework Tactics and Techniques that are relevant to email security specifically. We’ll consider MITRE’s recommended Mitigations and look at how you can align your email security program to meet the framework’s requirements.

Technique T1566: Phishing

“Phishing” is a MITRE ATT&CK Technique associated with the “Initial Access” Tactic (TA0001). As you’ll probably know, phishing is a type of social engineering attack—usually conducted via email—where an adversary impersonates a trusted person or brand and attempts to trick their target into divulging information, downloading malware, or transferring money. Want more information about phishing? Start by checking out What is Phishing?

The MITRE ATT&CK framework identifies both targeted phishing attacks (a technique known as “spear phishing”) and more general phishing attacks (conducted in bulk via spam emails). Now let’s look at the three Sub-Techniques associated with the Phishing Technique.

📎 T1566.001: Spearphishing Attachment

Sub-Technique T1566.001 involves sending a spear phishing email with a malicious attachment. The attachment is malware, such as a virus, spyware, or ransomware file, that enables the adversary to harm or gain control of the target device or system. A spear phishing attachment is usually disguised as a harmless Office, PDF, or ZIP file, and legacy email security software and spam filters can struggle to determine whether an attachment is malicious.

The spear phishing email itself will usually try to persuade the target to open the file. The Adversary may impersonate a trusted person and can even provide the target with instructions on opening the file that will bypass system protections. For more information about malicious email attachments, read What is a Malicious Payload?

🔗 T1566.002: Spearphishing Link

Alternatively to using a malicious attachment, a spear phishing email can include a link that leads to a malicious site, such as a fraudulent account login page or a webpage that hosts a malicious download. Like the “Spearphishing Attachment” Sub-Technique, the “Spearphishing Link” Sub-Technique will normally employ social engineering methods—this time as a way to persuade the target to click the malicious link.

For example, the spear phishing email may be disguised as a “security alert” email from Microsoft, urging the target to log into their account. Upon following the link and “logging in,” the target’s login credentials will be sent to the adversary. We’ve written in detail about this type of attack in our article What is Credential Phishing?

📱 T1566.003: Spearphishing via Service

The “Spearphishing via Service” Sub-Technique uses platforms other than email to initiate a spearphishing attack—for example, a LinkedIn job post or WhatsApp message. This Sub-Technique is not directly related to email security—but email security is still relevant here. For example, if an Adversary is able to establish rapport with their target via social media, then they might follow up with a spear phishing email.

❌ Phishing Detection and Mitigation

Now let’s look at which Mitigations MITRE recommends for dealing with the Phishing Technique and its three associated Sub-Techniques:

- M1049: Antivirus/Antimalware — Quarantine suspicious files arriving via email.
- M1031: Network Intrusion Prevention — Monitor inbound email traffic for malicious attachments and links.
- M1021: Restrict Web-Based Content — Block access to web-based content and file types that are not necessary for business activity.
- M1054: Software Configuration — Use anti-spoofing methods to detect invalid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures.
- M1017: User Training — Educate employees to help them detect signs of a phishing attack.

Note: None of MITRE’s recommended Phishing Mitigations is sufficient on its own. Antivirus software, for example, can quarantine malicious files but is less likely to detect suspicious links. User Training helps embed a security-focused workplace culture—but you can’t expect employees to recognize sophisticated social engineering scenarios.

To prevent phishing attacks, it’s vital that security leaders take a layered approach, including training, policies, and technology. Your best bet when it comes to technology? A next-gen email security solution that can automatically scan internal and external email communication for signs of malicious activity based on historical analysis.

Email security software can use several methods of detecting phishing attacks. Older solutions rely on techniques such as labeling and filtering—an administrator manually inputs the domain names, file types, and subject lines that the software should block. Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound emails for signs of phishing, the software scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior.

This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted and access the legitimate files and links they need—while being alerted to anomalous and suspicious email content. These in-the-moment warnings help reinforce training and nudge employees towards safer behavior over time. Download the Tessian Platform Overview to learn more.

Technique T1534: Internal Spearphishing

The “Internal Spearphishing” Technique is associated with the “Lateral Movement” Tactic (TA0008) and is distinct from the “Phishing” Technique. Internal Spearphishing takes place once an adversary has already penetrated your system or account. The adversary leverages existing account access to conduct an internal spear phishing campaign. Internal Spearphishing is particularly damaging because the emails come from a genuine (albeit compromised) account. This makes them virtually impossible to spot, and therefore very persuasive.

Internal Spearphishing Detection and Mitigations

MITRE notes that detecting an Internal Spearphishing attack (also known as Account Takeover) can be difficult. There are no mitigations associated with the “Internal Spearphishing” Technique in the MITRE ATT&CK framework. According to MITRE, the main difficulty associated with detecting and mitigating Internal Spearphishing attacks is that “network intrusion detection systems do not usually scan internal email.”

The main hallmarks of a spear phishing email—such as email impersonation or spoofing—are not present once an adversary has successfully compromised an internal email account. This means legacy email security software may be unable to detect Internal Spearphishing attacks. However, an AI-driven email security solution such as Tessian can scan internal email and will pick up on small inconsistencies in the sender’s email behavior and communication patterns. If a sender is communicating outside of their normal internal networks or writing in an uncharacteristic style, Tessian can flag this unusual behavior and notify the recipient of any suspicious emails. Learn more about how Tessian Defender defends against internal spear phishing.
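The SPF/DKIM anti-spoofing check behind Mitigation M1054 and the behavioural signal described under Internal Spearphishing, worked through as an added Python example (not code from the article or from Tessian): it reads each message’s Authentication-Results header and treats any non-passing SPF, DKIM or DMARC verdict as a finding, then, for senders on the organization’s own domain, compares recipient and send hour against a baseline learned from past mail. The domain, the sending history and the two sample messages are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

INTERNAL_DOMAIN = "example.com"  # assumed organization domain (constructed for this example)

# ATT&CK identifiers as they appear in the article, attached to findings for triage
T1566 = "T1566 Phishing"
T1534 = "T1534 Internal Spearphishing"
M1054 = "M1054 Software Configuration"


def parse_auth_results(header):
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header value (RFC 8601)."""
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def check_sender_auth(auth_header):
    """M1054-style anti-spoofing check: every method that did not pass is a finding."""
    verdicts = parse_auth_results(auth_header)
    return [f"{m.upper()}={verdicts.get(m, 'none')} [{M1054}; possible {T1566}]"
            for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]


def build_baseline(history):
    """Learn each sender's usual recipients and sending hours from (sender, recipient, sent_at) records."""
    baseline = defaultdict(lambda: {"recipients": set(), "hours": set()})
    for sender, recipient, sent_at in history:
        baseline[sender]["recipients"].add(recipient)
        baseline[sender]["hours"].add(sent_at.hour)
    return dict(baseline)


def check_internal_behavior(sender, recipient, sent_at, baseline):
    """T1534 signal: an internal sender whose mail authenticates but departs from their own history."""
    profile = baseline.get(sender)
    if profile is None:
        return [f"no sending history for {sender}"]
    findings = []
    if recipient not in profile["recipients"]:
        findings.append(f"{sender} has never emailed {recipient} [{T1534}]")
    if sent_at.hour not in profile["hours"]:
        findings.append(f"{sender} never sends at {sent_at.hour:02d}:00 UTC [{T1534}]")
    return findings


def analyze(raw_email, baseline):
    """Run both checks over one RFC 5322 message; an empty list means nothing looked odd."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    sent_at = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    findings = check_sender_auth(msg.get("Authentication-Results", ""))
    # Behavioural profiling applies to senders claiming to be inside the organization; for a
    # genuinely compromised account it is the only signal left, since SPF/DKIM/DMARC all pass.
    if sender.endswith("@" + INTERNAL_DOMAIN):
        findings += check_internal_behavior(sender, recipient, sent_at, baseline)
    return findings


# Constructed sending history for one internal user: office hours, two usual recipients
HISTORY = [
    ("bob@example.com", "alice@example.com", datetime(2021, 8, 2, 9, 30, tzinfo=timezone.utc)),
    ("bob@example.com", "alice@example.com", datetime(2021, 8, 3, 14, 5, tzinfo=timezone.utc)),
    ("bob@example.com", "carol@example.com", datetime(2021, 8, 4, 10, 45, tzinfo=timezone.utc)),
]
BASELINE = build_baseline(HISTORY)

# Constructed sample 1: external mail spoofing the internal domain; authentication fails
SPOOFED_EXTERNAL = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=unrelated.test; dkim=none; dmarc=fail header.from=example.com
From: IT Support <it-support@example.com>
To: alice@example.com
Date: Mon, 16 Aug 2021 09:12:00 +0000
Subject: Security alert: verify your account

Your mailbox will be suspended unless you confirm your details.
"""

# Constructed sample 2: genuine (compromised) internal account; authentication passes, behaviour does not
COMPROMISED_INTERNAL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: Bob <bob@example.com>
To: finance@example.com
Date: Tue, 17 Aug 2021 03:41:00 +0000
Subject: Updated wire instructions

See attachment.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed external", SPOOFED_EXTERNAL), ("compromised internal", COMPROMISED_INTERNAL)):
        print(f"{label}: {analyze(raw, BASELINE) or 'no findings'}")
```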
Technique T1598: Phishing for Information

T1598: Phishing for Information is a MITRE ATT&CK Technique associated with the “Reconnaissance” Tactic (TA0043). While Phishing involves an attempt to penetrate an organization’s defenses, Phishing for Information is a way to gather information about the target for use in an attack. As such, Phishing for Information may occur via email—or via other communication channels, such as instant messaging applications or social media.

Phishing for Information Detection and Mitigations

To detect Phishing for Information, MITRE suggests monitoring for suspicious email activity. Email security software can monitor for signs of a phishing attack, including DKIM misconfiguration, suspicious language, or erratic communication methods. But legacy email security programs can only detect the more obvious indicators of phishing. On the other hand, Tessian is uniquely equipped to identify the subtle but distinctive signs that a sender is not who they say they are.

Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals:

- Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses
- Anomalous email sending patterns: Based on historical email analysis, Tessian can identify unusual recipients, unusual send times, and emails sent to an unusual number of recipients
- Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments
- Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too

Leveraging email security for MITRE ATT&CK framework compliance

We’ve seen how email security is a major factor in meeting the MITRE ATT&CK framework requirements. To recap, Tessian can serve as a key Mitigation in respect of the following Techniques and Sub-Techniques:

- T1566: Phishing
- T1566.001: Spearphishing Attachment
- T1566.002: Spearphishing Link
- T1566.003: Spearphishing via Service
- T1534: Internal Spearphishing
- T1598: Phishing for Information

Learn more about how Tessian can transform your organization’s cybersecurity program.
Spear Phishing
What is Whaling? Whaling Email Attacks Explained
Wednesday, August 11th, 2021
Let’s jump straight into it…
Wondering why cybercriminals often target the boss, rather than someone lower down the chain of command? The answer is simple: senior staff members have the greatest power, access, and influence in a company. This article will look at how whaling works, and how it fits into the broader cybercrime landscape. Then we’ll take a look at some real examples of whaling attacks.

How whaling works

First, it’s important to understand that whaling is a type of phishing attack. And, broadly speaking, there are two types of phishing attacks. Phishing “in bulk” is like using a trawl net. Cast your net wide — by sending as many phishing emails as you can — and you’re likely to catch quite a few unfortunate minnows. With spear phishing, you aim your spear — or email — at a specific fish (er, person). Targets are carefully chosen, and emails are carefully crafted with the specific target in mind. Be patient, be smart, and you might catch something valuable.

So what about whaling? Well, whaling is a type of spear phishing. Whales — or company executives — are the biggest fish in the sea: they’re hard to catch, but if you manage to harpoon one, you could make a lot of money. Scroll down the page for examples of whaling, and you’ll see what we mean. Okay — whales are mammals, not fish… but you get our point.

A company executive is the ultimate prize for cybercriminals. The boss can access information and resources that no other employee can reach.

Why target company executives?

Ultimately, a CEO or CFO is just as likely to fall victim to a social engineering attack as any other employee. In fact, they’re arguably even more likely to do so. A whaling attack email usually asks the target to make a high-pressure decision. Here’s an example of the type of email a company executive might receive as part of a whaling attack:

If the boss is busy, stressed, or overworked (and hopefully they’re busy, at least), they’re more vulnerable to these types of cyberattacks. Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed. Furthermore, higher-level employees have greater access to money and data: the two things cybercriminals want most.

Whaling vs. other types of cyberattack

How does whaling fit into the cybercrime landscape? There are many types of cybercrime. Some are interrelated; others frequently get conflated. As we mentioned, whaling is a type of spear phishing: a phishing attack targeted at a specific individual — in this case, a company executive. Here are some types of cyberattacks that can involve whaling, if they specifically target a company executive:

- Business Email Compromise (BEC): A phishing attack that uses a compromised corporate email address.
- Wire transfer phishing: A phishing attack involving invoice fraud.
- Credential phishing: A phishing attack aiming to steal login credentials.
- Smishing: Phishing via SMS.
- Vishing: Phishing via voice (e.g., via phone or VoIP software).

In other words, a whaling attack can also be a wire transfer phishing attack, for example — if the attacker aims to persuade the target to transfer money into a bank account they control.

Whaling sometimes gets conflated with another important type of cybercrime: CEO fraud. Here’s the difference: in a CEO fraud attack, the attacker impersonates a company executive and targets someone less senior. In a whaling attack, the company executive is the target. Of course, there can be some crossover between these two phishing techniques, too — where a cybercriminal impersonates one company executive and targets another. This occurred in 2017, in a scam that resulted in a $17 million loss for commodities trading company Scoular.

Examples of whaling

Here are some examples of businesses that fell victim to whaling attacks, to give you an idea of how damaging this type of cybercrime can be.

Hedge fund co-founder targeted via Zoom
In November 2020, the co-founder of Australian hedge fund Levitas Capital followed a fake Zoom link that installed malware on its network. The attackers attempted to steal $8.7 million using fraudulent invoices. In the event, they only got away with $800,000. But the reputational damage was enough to lose Levitas its biggest client, forcing the hedge fund to close.

Aerospace firm fires CEO after $58 million whaling loss
The CEO of Austrian aerospace company FACC was fired for his part in a whaling attack that cost the company around $58 million in 2016. A statement from the company said the CEO, Walter Stephen, had “severely violated his duties” by allowing the attack to occur.

Small business owner loses $50,000
Whaling doesn’t just mean big companies losing millions of dollars — small businesses are affected, too. In an interview with NPR, “Mark,” the owner of a small real-estate firm, discussed how he fell victim to a targeted account takeover attack. In this sophisticated cyberattack, a hacker interrupted Mark’s email conversation with his partner, seizing the opportunity to divert a bank transfer for $50,000.

How to Prevent Whaling

Now you understand the dangers of whaling, you might be wondering how you can avoid falling for whaling attacks or – better yet – prevent whaling attacks from landing in your inbox in the first place. Your best bet? In addition to security awareness training, intelligent email security software.

To learn more about how Tessian solves the problem, check out our customer stories or book a demo. Or, if you’d rather learn more about whaling and be the first to hear about the latest attacks, sign up for our newsletter. (Just fill in the short form below.)
Tessian Culture
Tessian Adds New Strategic Investors to Advance Security at the Human Layer
By Tessian
Tuesday, August 10th, 2021
Following our Series C fundraise in May 2021, we are delighted to announce that we have received strategic investment from Okta Ventures, Citi Ventures and Sozo Ventures as part of a Series C extension. With the additional funding, we are accelerating our journey to achieve our mission of mitigating and preventing human risk in the enterprise, and empowering people to do their best work without security getting in the way.

Human error is the leading cause of data breaches in organizations today. This is because cybersecurity software has typically focused on the machine layer of a company and not the people – the gatekeepers to the most sensitive systems and data in an organization. The so-called ‘people problem’ in security has been exacerbated as businesses move to a remote or hybrid way of working, in the wake of the Covid-19 pandemic.

To overcome this, Tessian has pioneered a new approach to cybersecurity and defined a new category of security software called Human Layer Security. Ultimately, we want to help companies replace their secure email gateways and legacy data loss prevention solutions. This means we will expand our platform’s capabilities beyond email, securing other interfaces like messaging, web and collaboration platforms from incidents of human error.

On the investment, Austin Arensberg, Director at Okta Ventures, said, “The biggest threat to enterprise security today is people’s identities and behaviors.

“With more people working remotely, it’s never been more important for companies to know who their most high risk employees are, the threats they pose to company security, and how to keep them safe – without disrupting their workflow. We saw a huge opportunity with Tessian; by securing the human layer, businesses can stop threats and keep operations running.”

Our CEO and co-founder Tim Sadler also added, “For too long, cybersecurity software has focused on securing technology and neglected the security of the people who run the organization.

“It just takes one wrong decision, or one instance of human error, for an employee to cause a catastrophic security breach – and businesses are starting to realize that they now must do something to stop this. With backing from best-in-class investors and executives from some of the world’s most innovative security companies, we are truly on our way to fulfilling our mission of securing the human layer and helping businesses overcome one of the biggest threats to enterprise security.”

As with every fundraise, this is just the beginning. It takes a village and we’re only just getting started. If you know anyone looking to take the next step in their career and to join a company solving the biggest problem in enterprise security today, please get in touch, we are hiring! 🚀
Spear Phishing, DLP, Data Exfiltration
Mergers and Acquisitions: Why Email Security Must Be a Priority
Thursday, August 5th, 2021
The buying and selling of companies is big business, but there are a lot of moving parts to manage. One area you don’t want to overlook is email security. Why? Because email is the primary communication channel for M&A communications, and throughout the event, dozens of stakeholders will send thousands of emails containing personnel information, board documents, private equity, and other top secret merger and acquisition intelligence. If just one email lands in the wrong hands, or if one employee goes rogue, the entire transaction could be disrupted, compliance standards could be violated, and your organization could lose customer trust.

Keep reading to learn why M&A events introduce added risk to organizations, and how to overcome new security challenges.

Why do Mergers and Acquisition events create more security risks for organizations?

According to Gartner analyst Paul Furtado, there are four key reasons M&A events create more security complexity for organizations:

- Mergers and acquisitions (M&A) are driven by potential synergies, which can be gained in cost efficiencies, growth opportunities or market share increases. But these may lead to conflicts among long-held security paradigms by either party.
- The disruption of the M&A transaction, along with the post-close technical changes required, can expand the current attack surface significantly.
- Following transaction close, at least temporarily, security must be maintained in three separate operating environments: sunset, future-mode, and transition processes.
- Potential M&A outcomes and the secrecy surrounding them also lead to employee angst and uncertainty, which may lead to rogue or damaging employee actions or a loss of key employees.

What are the key email security challenges in Mergers and Acquisitions?

In order to understand how to prevent data loss, security leaders first need to understand where they’re most vulnerable. Both inbound and outbound email security should be a priority, and threat visibility is essential.

1. Increased Risk of Accidental Disclosure of Sensitive Information

During M&A transactions, it’s important that organizations be able to control where sensitive information is being sent and to whom. Often, emails and attachments can be sent to the wrong people, resulting in accidental data loss.

2. Inbound Email Attacks Such as Phishing, Impersonation and Account Takeover

Email is typically the first channel to deliver initial URLs, in the form of an exploit kit or phishing website, attachments in the form of payloads, or a starting point for social engineering attacks. This puts sensitive information within organizations at tremendous risk of a data breach. Tessian covers these attacks using three proven and differentiated approaches — threat prevention, education and awareness, and reducing the overall burden on security operations centers.

3. Increased Risk of Data Exfiltration by Internal Stakeholders

M&A transactions significantly increase the number of people exchanging information through email. This increases the attack surface and the risk of more sensitive information being sent outside the organization. Whether it’s an employee sending sensitive M&A data to less secure, personal accounts, or a bad leaver maliciously exfiltrating information, Tessian automatically detects any kind of data exfiltration and non-compliant activity on emails.

4. Difficulty in Maintaining Control and Visibility of the Email Environment

With many new stakeholders becoming included during M&A transactions, it can be difficult to obtain visibility into which employees and third parties are exchanging information through email. Organizations need to be able to identify all the people-centric security threats related to their email environment and view them in a single dashboard for easy remediation. This includes complete insight into accidental data loss, insider threats, advanced phishing attacks, and zero-day threats facing your organization.

How does Tessian help protect information and communications related to Mergers and Acquisitions?

Stop outbound data loss: Tessian Guardian is the industry’s only solution that automatically prevents accidental data loss from misdirected emails and misattached files (sending wrong attachments over email). Guardian compares millions of data points for every outbound email and detects anomalies that indicate whether the email is being sent to the wrong person or if a wrong document is being attached, and alerts the user before the email is sent. Learn more.

Stop data exfiltration: Tessian Enforcer is the industry’s first solution that uses machine learning to automatically prevent data exfiltration via email to employee personal, unauthorized and non-business accounts. Powered by Tessian’s proprietary Human Layer Security Engine, Enforcer analyzes millions of data points for every outbound email and detects anomalies that indicate data exfiltration before it leaves your organization. Tessian Enforcer notification messages can be customized to reinforce security awareness and data protection policies through in-the-moment training. Learn more.

Prevent inbound email attacks: Tessian Defender is a comprehensive inbound email security solution that automatically prevents a wide range of attacks that bypass Secure Email Gateways (SEGs), while providing in-the-moment training to drive employees toward secure email behavior. Defender protects against both known and unknown email attacks, including business email compromise, account takeover, spear phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite. Learn more.

Threat visibility: With the Human Layer Risk Hub, SRM leaders will be able to quantify risk levels, pinpoint their high risk user groups, perform targeted remediation at scale, measure impact, and demonstrate progress in lowering risks posed by employees. Learn more.
Key Findings: IBM Cost of a Data Breach 2021 Report
By Maddie Rosenthal
Tuesday, August 3rd, 2021
If you work in cybersecurity, follow breaches in the news, or are involved in managing your company’s finances, you’ve likely been (patiently) waiting for IBM’s latest Cost of a Data Breach report. At last! The 2021 report was released on July 28 and we’ve summarized the key findings for you here.

Note: In this case, we’re just here to deliver the cold, hard facts, not offer commentary. We have, however, offered additional resources for you to check out if you’re interested in exploring a specific threat type, industry, or solution further.

The overall cost of a breach
Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report.
There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single-year cost increase in the last seven years.
The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million.
Lost business represented 38% of the overall average total breach costs and increased slightly from $1.52 million in the 2020 study. Lost business costs include increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation.

Other resources
⚡ How to Communicate Cybersecurity ROI
⚡ 16 Ways to Prove the Value of Cybersecurity Solutions
⚡ 7 Ways CFOs Can Support Cybersecurity

Remote working and the cost of a breach
Where remote work was a factor in causing the breach, the cost difference was $1.07 million.
Remote work was a factor in breaches at 17.5% of companies.
Organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely.

Other resources
⚡ 7 Concerns IT Leaders Have About Permanent Remote Working
⚡ Report: Have Employees Picked Up Bad Security Behaviors While Working From Home?
⚡ How to Navigate Remote Working Challenges

The cost of a breach by industry
Healthcare has had the highest industry cost of a breach for 11 consecutive years.
Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. Learn how Tessian helps organizations in healthcare prevent breaches.
Costs in the energy sector decreased from $6.39 million in 2020 to an average of $4.65 million in 2021.
Costs surged in the public sector, which saw a 78.7% increase in average total cost, from $1.08 million to $1.93 million.

Other resources
⚡ State of Data Loss Prevention in the Legal Sector
⚡ State of Data Loss Prevention in Financial Services
⚡ State of Data Loss Prevention in Healthcare

The cost of a breach by threat type
Business email compromise (BEC) was responsible for only 4% of breaches, but had the highest average total cost of the 10 initial attack vectors in the study, at $5.01 million.
The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).
Compromised credentials were the most common initial attack vector, responsible for 20% of breaches.
Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business, and response costs… but did not include the cost of the ransom.

Other resources
⚡ Why is Email the #1 Threat Vector?
⚡ 7 Examples of Ransomware Attacks
⚡ How Does Tessian Prevent Inbound Email Attacks?
⚡ How Does Tessian Prevent Insider Threats?

How can cybersecurity solutions help?
Security AI and automation had the biggest positive cost impact. Organizations with fully deployed security AI and automation experienced breach costs of $2.90 million, compared to $6.71 million at organizations without security AI and automation.
Security AI/automation was associated with a faster time to identify and contain the breach.

Want to learn how Tessian leverages AI and ML to detect and prevent inbound and outbound threats legacy solutions can’t? Check out this whitepaper.
Human Layer Security, Spear Phishing, DLP, Compliance
7 Ways CFOs Can (And Should) Support Cybersecurity
By Maddie Rosenthal
Thursday, July 29th, 2021
We’ve said it before and we’ll say it again: cybersecurity is a team sport. That means that (like it or not) the responsibility and burden sit with everyone, including the Chief Financial Officer (CFO). That’s right: quantifying cyber risk, navigating cyber insurance policies, and negotiating ransoms with hacking groups can all be part of the job spec.

If you’re a CFO who’s struggling to understand your role in cybersecurity, keep reading. We share 7 opportunities to get involved and protect your company’s assets.

Note: Every company is different. Size, revenue, industry, and reporting structures all play a role. This is general advice meant to provide a bird’s-eye view of a CFO’s potential involvement in cybersecurity.

1. Quantify risk
It can be hard for the C-suite to see the value of a solution when they haven’t yet experienced any consequences without it. As the saying goes, “If it ain’t broke, don’t fix it”. That’s why it’s so important that CFOs step in to quantify risk using specific “what-if” scenarios. The most basic formula is: probability x expected cost.

Let’s use the example of an email being sent to the wrong person. We know at least 800 misdirected emails are sent every year in organizations with 1,000 employees. The expected cost, of course, depends on the email content and recipient, but let’s look at the worst-case scenario. What would the cost be if your press release for an upcoming, highly confidential merger and acquisition landed in a disgruntled former employee’s inbox? How would this impact the M&A itself? The company’s reputation? Revenue? Not a risk worth taking. Learn more about the key security challenges organizations face during M&A events.

2. Benchmark spending against other organizations
Just like a marketing team should use a benchmark to determine whether or not their email list is engaged, CFOs should use a benchmark to determine how much they should be spending on cybersecurity. Think of it as your North Star.

Fortunately, it’s relatively easy to determine how much your competitors or industry mavericks are shelling out, at least if they’re publicly traded. A good place to start is their S-1. Here, you’ll be able to see what percentage of the company’s revenue goes towards Sales and Marketing, Research and Development, and General and Administrative. This should give you a good idea of how to allocate your revenue.

You can also look at more general benchmark reports. For example, according to a Deloitte study, cybersecurity spending has increased year over year, from 0.34% of a company’s overall revenue in 2019 to 0.48% in 2020. In 2020, that equated to $2,691 per full-time employee.

Bonus: Did you know you can also benchmark your security posture against your industry peers with Tessian Human Layer Security Intelligence? Learn more.

3. Vet cyber insurance policies
Today, virtually every business needs cyber liability insurance. If you run a business that stores client, customer, or partner data… you need it. But it’s money wasted if you aren’t fully familiar with the policy terms. Check to make sure your first-party cyber insurance includes:
Breach response recovery (including technical and legal advice)
Forensic analysis for identifying the attack source
Event management (including data recovery, PR services, and notification of clients)
Cyber extortion
Network/business interruption (including interruptions that are the result of an attack on a third party)
Dependent business interruption
Credit monitoring services
Consequential reputational loss or loss of income

It’s also worth exploring third-party cyber insurance to protect your company’s assets from subsequent compliance penalties and settlement costs. For example, Facebook settled a class-action lawsuit in Illinois over its use of facial recognition technology. The case reportedly settled for $550 million for a violation of the Biometric Information Privacy Act.

Third-party cyber insurance should include:
Network security failures and privacy events
Regulatory defense and penalties (including coverage for GDPR liabilities)
PCI-DSS liabilities and costs
Media content liability

4. Communicate with the board
In a sentence, the CFO is responsible for the financial security of an organization. And, in the event of a breach, financial security simply isn’t guaranteed. Don’t believe us? Check out the consequences of a breach, according to IT leaders:

All of these will impact a company’s bottom line, including share value and rate of growth… two things the board doesn’t want to hear and news a CFO would hate to deliver. But this isn’t a case of shooting the messenger. The responsibility and burden of cybersecurity sit with everyone, remember?

Post-breach, the board, auditors, and other third parties will be examining how effectively budgets were allocated to prevent the worst. That’s why it’s essential the CFO is actively involved in creating and implementing cybersecurity strategies; they have skin in the game.

5. Create secure processes for the finance team
While – yes – the CFO holds the power of the purse and therefore influences the overall cybersecurity strategy, they also have a massive responsibility to secure their own team’s processes. After all, the finance department is one of the most targeted, specifically by invoice fraud, wire transfer fraud, and business email compromise.

Between June 2016 and July 2019, FBI statistics show that wire transfer fraud via BEC occurred 166,349 times, and cost businesses over $26 billion. In 2019, the number of bank transfer phishing scams occurring in the UK increased by 40%. In 2017, the FBI received 15,690 complaints about BEC (primarily involving wire transfer), resulting in over $675 million in losses. In 2019, this increased to 23,775 complaints and over $1.7 billion in losses.

To protect against these incidents, CFOs should work with security teams to help train employees to spot scams, implement email security software to spot suspicious domains, and create foolproof payment validation processes. For more tips, check out this article: Everything You Need to Know About Wire Transfer Phishing.

6. Negotiate ransom in the event of a ransomware attack
This is a position no CFO wants to be in. But, more and more, we’re seeing organizations being forced to comply with cyber criminals’ extortion demands. (7 Examples of Ransomware Attacks here.) While this may seem far beyond the scope of a finance director’s role, they’re heavily involved in the process. Of course, the first question to answer is: To pay? Or not to pay? This depends on an infinite number of factors, including the data being held, the hacking group who infiltrated the network, your cyber insurance policy, the company’s liquid assets… The list goes on.

To avoid being put between a rock and a hard place, CFOs (along with the rest of the C-suite and security team) should take prevention seriously, including anti-malware software, patching processes, and security for email, web, and other services. Tessian can help with email by preventing ransomware attacks at the source.

7. Know how to spot a phish
CFOs are generally among the most frequently targeted by phishing attacks. They’re also frequently impersonated. It makes sense: they have access to and control over the company’s money. It’s essential, then, that CFOs are especially vigilant, know how to spot a spear phishing attack, and know what to do if they suspect an email, text, or call is malicious. Training, technology, and processes can help. If you want to learn more about how Nudge theory plays a role, check out this article about in-the-moment warnings.

Looking for more resources? Check out the following:
⚡ Relationship 15: A Framework to Help Security Leaders Influence Change
⚡ CEO’s Guide to Data Protection and Compliance
⚡ Who Are the Most Likely Targets of Spear Phishing Attacks?
⚡ Why Information Security Must Be a Priority for GCs in 2021
Spear Phishing, DLP, Remote Working, Data Exfiltration
How to Keep Your Data Safe in The Great Resignation
Wednesday, July 28th, 2021
The pandemic has changed people and society in ways we wouldn’t have thought imaginable just 24 months ago. Lockdown restrictions and remote working allowed many employees to reflect on what they want to do with their lives and the sort of companies they want to work for, as well as those they don’t. Consequently, in April 2021 four million US workers quit their jobs, and according to recent research by Microsoft, over 40% of employees are considering leaving their employer this year. It’s being called ‘#TheGreatResignation’, and it presents a whole pile of problems for CISOs and other security leaders.

Here are some of the common problems you might face in keeping data secure when staff move on.

Staff burnout
Let’s face it, everyone’s a little frazzled round the edges right now. Our 2020 report, The Psychology Of Human Error, revealed that a shocking 93% of US and UK employees feel tired and stressed at some point during their working week. Staff burnout was real before the pandemic, and it’s only got worse during it as the months have turned into years.

Over half the employees (52%) we surveyed said they make more mistakes at work when they’re stressed. And we know that as some employees move on, others are left to pick up the slack, adding to their stress and further increasing the potential for human error. This goes to show that this isn’t just a cyber security issue, it’s a people issue, so get your COO and HR team involved and start exploring ways to improve company well-being.

Mentally, they’ve already left
Staff who are leaving will have ‘mentally uncoupled’ from your organization and its processes well before they actually make their exit. They’re distracted – perhaps even excited – about their new future and where they’re going. Our survey found that 47% of employees surveyed cited distraction as a top reason for falling for a phishing scam, while two-fifths said they sent an email to the wrong person because they were distracted. This is made worse by the next problem…

“Hi, it’s Mark from HR, we haven’t met…”
Changing jobs can bring staff into contact with people they might not have had much contact with before. In a big multinational, we doubt many staff can name every member of the payroll team – they might even be in another country! Our How to Hack a Human report found that an overwhelming 93% of workers also update their job status on social media, while 36% share information about their job. If an employee has announced their imminent departure on social media, they can potentially be targeted by spear phishing from hackers impersonating HR or operations staff. These emails could contain seemingly innocuous requests for key card returns, contract documents, and even IT hardware. We’ve seen it before! Check out our Threat Catalogue to see real examples of phishing attacks targeting (and impersonating!) new starters.

Notice period exfiltration
Unless they’re leaving for a complete lifestyle change, like being a warden on a deserted Scottish island, many people tend to stay in the same sector or industry. This means there’s a high probability of staff going to one of your competitors. Our research reveals an increase in data exfiltration during an employee’s notice period. In fact, 45% of employees admit to “stealing” data before leaving or after being dismissed from a job. You can see the temptation – what better way to make a great impression on your first day than by bringing a juicy file of customer data, source code, or other highly valuable IP. People will often extract these assets by emailing them to their personal accounts. This is a particular problem in sectors such as legal, financial services, and entertainment, where a client base and extensive networks are crucial.

New staff
So far all these problems have focused on leaving staff or those that remain, but another potential weak spot is the new hire that will replace them. They’ve yet to undertake security awareness training on your systems and processes. They may have also announced their new role on social media (which means they could fall victim to the same problem we explained in point 3). It all comes back to one crucial point: 85% of data breaches are caused by human error.

How Tessian helps
Security leaders have a big job; they have to secure networks, endpoints, and platforms like Slack and Microsoft Teams. But email remains the #1 threat vector. So how do you lock down email and prevent data exfiltration and successful phishing attacks? By empowering your people to do their best work, without security getting in the way. We believe employees should be experts in their respective fields, not in cybersecurity. Tessian’s suite of products secures the human layer, so that staff can concentrate on their roles and be empowered to do their best work.
Tessian Defender: Automatically prevents spear phishing, account takeover, business email compromise, and other targeted email attacks.
Tessian Enforcer: Automatically prevents data exfiltration over email.
Tessian Guardian: Automatically prevents accidental data loss caused by misdirected emails and misattached files.
Human Layer Security
5 Challenges Enterprise Customers Face With Security Vendors
By Will Patterson
Tuesday, July 27th, 2021
When our three founders, Tim, Ed, and Tom, conceived of a company initially called “CheckRecipient” in their London apartment, the path to working with the largest and most prestigious companies on the planet would have felt a long way away. Yet here we are, 9.5 years later, already growing our base of Fortune 500 customers while plotting our journey to 50k+ employee companies and beyond.

Of course, regardless of the size of our customers, our mission is the same. We continue to empower people to do their best work, without security getting in the way. But working relationships between customers and vendors change when you go upmarket. Based on my experience of working with our largest customers, here are five challenges enterprise customers face with security vendors, and tips to help CISOs and Heads of Infosec carefully navigate the often rewarding (and always noisy) world of vendor partnerships.

Vendors, vendors everywhere…
So you’re a CISO at a prestigious bank, law firm, or healthcare company. Every security vendor under the sun wants a piece of your time. This is exhausting. And frequently counterproductive. Don’t they know you also have a job to do? So, what do you do about it? Go to every meeting your vendors book in and try to work around it? Go completely quiet on all your vendors and hope that you’re getting value from the partnerships anyhow? We’ve learned with our customers that it’s worth taking control of this situation early on.

1. Categorize your vendors into a quadrant based on the current value you’re seeing and their potential value. Work with your team to sketch out a framework for current value, and then challenge your vendors to supply you with the telemetry to feed that framework. Potential value is more of a judgement call, but here is a list of questions you may want to consider.
How fast is the vendor growing?
How innovative is their roadmap?
How many of their products/services are we currently not using that we could be?
By the way, this quadrant will also be really useful when it comes to budgeting season and renewal conversations with your vendors… Think very critically about whether you should be continuing to partner with your “Low Performers”.

2. Based on the quadrant, communicate with your vendors how often you need to connect with them. (If you want to go a step further, you can even take the lead on scheduling so meetings go in at convenient times for you.) For example, you may want to meet with your magic quadrant and high potential vendors quarterly, but the “Steady Eddies” may only require your attention once a year.

Longer time to value
They say that time heals all. But in SaaS, time is the biggest killer for momentum, engagement, and ultimately ROI. That’s why the onboarding process is critical to the long-term success of a partnership. There are two determining steps for onboarding:
Internal Processes: For the enterprise, there is plenty of red tape and change management when it comes to deploying new tech. The most successful deployments I’ve seen involved a proactive CISO or Head of Infosec pulling as much process management forward as possible.
Technical Deployment Considerations: Rome wasn’t built in a day. Likewise, enterprise tech teams will often adopt a 1-9-90 approach to deployment (e.g. a pilot 1% group of friendly users getting the tech initially, then 9%, then the rest). Those security leaders who agree on and stick to a deployment plan, encourage deployment project leads to connect regularly with the vendor, and ensure roadblocks are identified and escalated early are the most successful.

Support tickets and feature request prioritization
I’ve seen support processes and feature requests work really well, and in all such cases the key is communication. Encourage your technical leads to agree up front with your vendors how best to flag high priority tickets. It’s worth keeping oversight on this to ensure it aligns with what’s strategically important to you. This is the hymn sheet that both parties can sing from when it comes to escalation, and it helps everyone involved avoid the old-fashioned (and slightly anarchical) “who shouts the loudest” method of prioritization. The same goes for feature requests. Agree a process for tracking these and allocating a scale all the way from “deal breaker” to “nice to have” (and what’s needed now vs in the future).

Strength in numbers
As 1997 UK trip-hop band Olive (niche reference?) once sang: “You’re not alone”. No enterprise CISO or Head of Infosec is an island. There’s often a temptation to hoard ownership of the partnership with a vendor to prevent those pesky folks running wild throughout your business. In practice, this probably achieves the opposite effect. Our most successful Tessian customers involve a broad set of stakeholders in the ownership of the vendor partnership and outsource some of the heavy lifting of demonstrating the product ROI to the vendor’s CSM. For example, at Tessian, stakeholders from the security function, IT, HR, compliance, and legal will all have a say in the successful implementation of the product. The exact same process is going on internally at Tessian, with exec sponsors, product managers, CSMs, and account executives all aligned to each enterprise account.

Integration is king (and consolidation is… prince?)
Finally, the enterprise space is becoming increasingly cluttered, with more and more vendors seemingly popping up every day. You may find yourself looking at the 10s or even 100s of vendors you partner with and asking, “Do I actually feel more secure?”. It’s a fine balancing act between the skyscraper of layered defenses and the modest bungalow of a lean stack. And the wire that connects these two buildings is – you guessed it – integration. Now, I dislike the cliche of “Make 1+1=3” (it doesn’t). But pushing your key vendors to integrate will not only improve the value you get out of them individually, it will also bring clarity to any overlap or redundancies in functionality between them. Any opportunity to trim down bulky incumbent contracts where another vendor can pick up the slack has to be considered a win.

I’d emphasize that this refers to integration not just in terms of functionality, but also reporting. Over half of our enterprise clients have already enabled the SIEM API to create a “single pane of glass” view of insights that becomes tool agnostic. For example, Investec joined us for a webinar to explain how they’re using Splunk to centralize and correlate their Tessian reporting with other tools. You can check out a summary of their tips here.

Conclusion
If you’ve made it this far I commend your ability to put up with my penchant for a metaphor… Increasingly, we’re moving away from the classic client-vendor relationship and towards a more symbiotic model of shared goals. This is vastly more conducive to getting holistic value for what you pay for. The bottom line: the foundation for any halfway decent partnership is good communication. That’s not “communication” in the sense of spending hours on calls with a vendor every day. What it does mean is early alignment with them on what it is you hope to achieve through working together – that way we all really are singing from the same hymn sheet 🎼
What are In-The-Moment Warnings and Why Are They Effective?
By Maddie Rosenthal
Monday, July 26th, 2021
Training is an essential part of every organization’s security strategy. Monthly phishing simulations can help employees spot inbound attacks. Quarterly training sessions can help reinforce existing policies and procedures around data handling and password hygiene. And introducing new joiners to the cybersecurity team during onboarding is a great way to build a positive security culture.

But sadly, even with all of this, employees still get phished, still ignore or work around cybersecurity policies, and still mishandle data.
43% of employees say they’ve made a mistake at work that compromised cybersecurity
77% of employees reuse passwords
45% of employees say they’ve exfiltrated data before leaving or after being dismissed from a job

Why? Because security just isn’t top of mind for the average person. That’s why security leaders have to find ways to consistently educate their people and reinforce policies. In-the-moment warnings can help.

What are in-the-moment warnings?
When Tessian detects a threat (for example, a spear phishing email or an attempt at data exfiltration), employees see a warning message. It’s written in plain English, and offers context around why the email was flagged. A picture’s worth a thousand words, right? Here are a few examples.

Think of these as a sort of “yield” sign. They introduce a pause and give employees the information they need to make the right decision. If they realize “Oops! I certainly was about to send that email to the wrong person” or “Yes! This email does seem a little fishy”, they can easily change the recipient’s email address or mark the email as malicious. All it takes is a single click. Crisis (and breach) averted.

Importantly though, these in-the-moment warnings do more than just prevent threats in real time. They help change employees’ security behavior long-term, and nudge them towards safer online behavior.

Nudge theory 101
Without diving too deeply into behavioral economics, let’s look at Nudge theory. There are 5 stages of behavior change:
Precontemplation: The person is unaware of the problem. That means it’s your job to create awareness.
Contemplation: The person is aware of the problem and the desired behavior change. The key here is to persuade and motivate them to act.
Preparation: The person intends to take action. You just need to help them understand what to do and how.
Action: If you facilitate it, the person can practice the desired behavior.
Maintenance: Finally, by reinforcing the behavior regularly, the person can work to sustain the behavior change.
In a sentence, Nudge theory uses indirect suggestions and positive reinforcement to influence behavior.

So, what does this look like in the context of cybersecurity? And where do in-the-moment warnings come in? Let’s go back to the tried and tested example of phishing. While Joe, your Accounts Payable Manager, is familiar with the term “phishing” and understands that bad actors do target people via email, he thinks the average attack is easy to spot. Poor formatting. Unpersonalized. Grammatical errors. A “too-good-to-be-true” offer.

Step 1 is to create awareness. This is generally done through “standard” training programs. (If you’re looking for a bank of spear phishing examples, check out our Threat Catalogue.) Now that Joe has a better idea of how sophisticated phishing attacks are, he’ll do his best to spot them and knows that – if he is targeted – he should report the email to the cybersecurity team.
✅ Precontemplation
✅ Contemplation
✅ Preparation

Next, you have to let Joe “practice”. A lot of security leaders rely on phishing simulations for this. The problem is, oftentimes, employees can feel like they’re being tricked instead of educated. Take this for example. Or this. The bottom line: well-intentioned phishing simulations can have a negative impact on security culture. It’s also worth pointing out that while phishing simulations can introduce employees to many different types of phishing attacks, they can’t possibly prepare them for every type of incident. Even the most cyber-savvy people can fall for advanced spear phishing attacks.

That’s where Tessian in-the-moment warnings come in. Tessian would enable Joe to “practice” every time he sends or receives an email – without feeling like he’s being tricked – by offering context and reinforcing phishing awareness. If Joe receives a potentially malicious email, he’s given the information he needs to determine whether to delete it or open it. And this isn’t just once a month. Tessian is always working silently in the background to detect threats and help employees like Joe make the right decisions. Every warning is a learning opportunity.
✅ Action
✅ Maintenance

How can in-the-moment warnings bolster your training program and improve your security posture?
We’ll start by saying that in-the-moment warnings aren’t a silver bullet. (Silver bullets don’t exist in cybersecurity!) But, in concert with technology, policies, and processes, they’ll help you consistently improve your organization’s security posture.

Tessian customers have seen click-through rates on phishing simulations drop below 1% after deploying Tessian. And, on average, customers see an 84% reduction in data exfiltration. (For reference, according to KnowBe4’s 2021 Phishing By Industry Benchmarking Report, 31.4% of untrained employees fail phishing simulations…) But it’s not just about the numbers. It’s also about how employees interact with the tool. According to Else Ferreira, CISO at Evercore, “They say security is a thankless job. But Tessian was the first security platform that we deployed across the organization where I personally received ‘thank you’s’ from employees who would have made a mistake with potentially dire consequences, but didn’t because of Tessian”. Looking for more customer stories? Click here.
Human Layer Security
Tessian Recognized as a Representative Vendor in 2021 Gartner Market Guide for Data Loss Prevention
By Ed Bishop
Thursday, July 22nd, 2021
Gartner has released their Market Guide for Data Loss Prevention, and we are honored to be included as a Representative Vendor. According to the latest Market Guide for Data Loss Prevention “The enterprise DLP market is mature, but integrated DLP and cloud-provider-native DLP solutions offer emerging capabilities that are much needed by security and risk management leaders starting DLP programs.” “This research offers guidance on market trends and their impact on data security strategies.”.  You can get the entire report here. Key takeaways from the Gartner Market Guide for Data Loss Prevention According to Gartner, “The market for DLP technology includes offerings that provide visibility into data usage and movement across an organization, as well as dynamic enforcement of security policies based on content and context at the time of actions on data. DLP technology seeks to address data-related threats, including the risks of inadvertent or accidental data loss and the exposure of sensitive data, using monitoring, alerting, warning, blocking and other remediation features.” Accidental data loss is a problem that was often simply considered the cost of doing business and impossible to solve — until now. With Gartner’s acknowledgment of accidental data loss, we believe that the industry is seeing a fundamental shift in this thinking, and clearly shows that more enterprises understand that it represents a massive DLP risk. In addition to this broad overview of DLP technology capabilities, Gartner recommends security and risk management leaders with a responsibility for data security and compliance should: “Define a DLP strategy, select DLP products and execute proofs of concept with the objective of supporting a process, rather than finding solutions to address narrow needs.” “Identify pre-existing DLP capabilities in the security products that their organization already owns, and use these to fulfill DLP requirements. 
How has the DLP vendor landscape changed over the last year?
As Gartner states, since the previous 2020 edition of the Market Guide for Data Loss Prevention, there have been several notable changes in the vendor landscape. In fact, Gartner fielded “32% more client inquiries on the topic of DLP than in 2019”. Here at Tessian, we believe this is due to more enterprises beginning to reevaluate their DLP programs with the move to Microsoft 365 and more cloud-based applications. They also found “many DLP vendors providing managed DLP services, which remain appealing to many organizations, specifically small and midsize enterprises and those with limited resources to allocate to the implementation of a DLP program.” Likewise, “Many DLP vendors also provide data classification services, which are essential for successful DLP implementation. The labeling and tagging of data simplifies the DLP process, as organizations can easily distinguish sensitive data from nonsensitive data”.
This fits well with our observations of the industry and aligns with what our customers express as well.
Tessian’s approach for the new era of data loss prevention
Forward-thinking enterprises increasingly view legacy DLP tools as a strategic risk and are looking for alternatives. In fact, 85% of security leaders say DLP is admin-intensive. Recent M&A activity has led to uncertainty in the market (Symantec acquired by Broadcom, Forcepoint acquired by a PE firm), and enterprise DLP has seen little innovation in the last few years. For example, we see Microsoft’s strategy as providing “baseline” DLP across all interfaces in their ecosystem (email, chat, file-sharing, web, endpoint), and this is commoditizing the rule-based approach offered by legacy tools.
As a result, enterprises are phasing out irrelevant legacy DLP tools and are considering what to replicate, remove, or re-think. This includes Microsoft 365, as many organizations are now assessing how Microsoft DLP overlaps with their existing legacy DLP stack. Many enterprises will use some vendors’ built-in DLP to address basic use cases but look to Tessian to solve the critical and advanced human-centric risks that make up the bulk of their DLP challenges, including data loss caused by human error, which legacy DLP is unable to prevent. Over time, enterprises will adopt a hybrid approach and leverage integrations to get the most out of their investments in each product.
Tessian’s Data Loss Prevention in our Human Layer Security Platform offers outbound protection on email (the threat vector most security leaders are concerned about protecting), satisfies criteria outlined in the report (anomaly detection, data protection, and post-delivery protection), and offers this protection for both web and mobile devices. Here’s how.
Powered by machine learning, our Human Layer Security platform understands normal email behavior by analyzing content, context, and communication patterns from historical email data to establish trusted relationship graphs. Tessian can then detect anomalies in real time using those employee relationship graphs alongside deep content analysis, natural language processing, and behavioral analysis.
Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails.
Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity.
Importantly, in addition to threat prevention, Tessian offers several features that help ease the burden on SOC and compliance teams, and give key stakeholders peace of mind.
Automated protection: Tessian automatically detects and prevents data loss. No rules, re-configuration, maintenance of allow/denylists, or manual investigation required.
Data-rich dashboards: With Tessian, security teams have clear visibility of data loss incidents, who triggered them, and what data was involved. This demonstrates clear ROI and makes auditing and reporting easy.
In-the-moment training: When a potential data loss incident is detected, real-time warnings are triggered that explain exactly why the email was flagged. These warnings are written in plain, easy-to-understand language that reinforces training and policies and helps employees improve their security reflexes over time.
Gartner, Market Guide for Data Loss Prevention, June 2021 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Insider Threats Examples: 17 Real Examples of Insider Threats
By Maddie Rosenthal
Wednesday, July 21st, 2021
Insider threats are a big problem for organizations across industries. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data, unlike the external bad actors many security policies and tools help defend against. It could be anyone, from a careless employee to a rogue business partner. That’s why we’ve put together this list of Insider Threat types and examples. By exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to spot Insider Threats before a data breach happens.
Types of Insider Threats
First things first, let’s define what exactly an Insider Threat is. Insider threats are people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information. The key here is that there are two distinct types of Insider Threats:
The Malicious Insider: Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some kind of financial incentive, a competitive edge, or simply because they’re holding a grudge for being let go or furloughed.
The Negligent Insider: Negligent insiders are just your average employees who have made a mistake. For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear phishing attack, or lose their work device.
We cover these different types of Insider Threats in detail in this article: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions.
17 Examples of Insider Threats
1. The employee who exfiltrated data after being fired or furloughed
Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed. This has caused widespread distress. When you combine this distress with the reduced visibility IT and security teams have while their teams work from home, you’re bound to see more incidents of Malicious Insiders.
One such case involves a former employee of a medical device packaging company who was let go in early March 2020. By the end of March – and after he was given his final paycheck – the former employee, Dobbins, hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records. This caused significant delays in the delivery of medical equipment to healthcare providers.
2. The employee who sold company data for financial gain
In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web. The breach affected 547,000 customers, and in 2018, after an investigation by the ICO, Bupa was fined £175,000.
3. The employee who stole trade secrets
In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets. The employee, named Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE’s systems over eight years — intending to leverage his professional advantage to start a rival company. The FBI investigation into Delia’s scam revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially sensitive calculations to a co-conspirator. Having pleaded guilty to the charges, Delia faces up to 87 months in jail. What can we learn from this extraordinary inside job? Ensure you have watertight access controls and that you can monitor employee email accounts for suspicious activity.
4. The employees who exposed 250 million customer records
Here’s an example of a “negligent insider” threat. In December 2019, a researcher from Comparitech noticed that around 250 million Microsoft customer records were exposed on the open web. This vulnerability meant that the personal information of up to 250 million people—including email addresses, IP addresses, and location—was accessible to anyone with a web browser. This incident represents a potentially serious breach of privacy and data protection law and could have left Microsoft customers open to scams and phishing attacks—all because the relevant employees failed to secure the databases properly. Microsoft reportedly secured the information within 24 hours of being notified about the breach.
5. The nuclear scientists who hijacked a supercomputer to mine Bitcoin
Russian secret services reported in 2018 that they had arrested employees of the country’s leading nuclear research lab on suspicion of using a powerful supercomputer for bitcoin mining. Authorities discovered that scientists had abused their access to some of Russia’s most powerful supercomputers by rigging up a secret bitcoin-mining data center. Bitcoin mining is extremely resource-intensive, and some miners are always seeking new ways to outsource the expense onto other people’s infrastructure. This case is an example of how insiders can misuse company equipment.
6. The employee who fell for a phishing attack
While we’ve seen a spike in phishing and spear phishing attacks since the outbreak of COVID-19, these aren’t new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 megabytes of data were stolen. This data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records.
7. The work-from-home employees duped by a vishing scam
Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. One cybercrime group conducted one of the most high-profile hacks of 2020 — knocking 4% off Twitter’s share price in the process. In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials. Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam. This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know — your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes. Want to learn more about vishing? We cover it in detail in this article: Smishing and Vishing: What You Need to Know About These Phishing Attacks.
8. The ex-employee who got two years for sabotaging data
The case of San Jose resident Sudhish Kasaba Ramesh serves as a reminder that it’s not just your current employees that pose a potential internal threat—but your ex-employees, too. Ramesh received two years imprisonment in December 2020 after a court found that he had accessed Cisco’s systems without authorization, deploying malware that deleted over 16,000 user accounts and caused $2.4 million in damage. The incident emphasizes the importance of properly restricting access controls—and locking employees out of your systems as soon as they leave your organization.
9. The employee who took company data to a new employer for a competitive edge
This incident involves two of the biggest tech players: Google and Uber. In 2015, a lead engineer at Waymo, Google’s self-driving car project, left the company to start his own self-driving truck venture, Otto. But, before departing, he exfiltrated several trade secrets including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives. How? By downloading 14,000 files onto his laptop directly from Google servers. Otto was acquired by Uber after a few months, at which point Google executives discovered the breach. In the end, Waymo was awarded $245 million worth of Uber shares and, in March, the employee pleaded guilty.
10. The employee who stole a hard drive containing HR data
Coca-Cola was forced to issue data breach notification letters to around 8,000 employees after a worker stole a hard drive containing human resources records. Why did this employee steal so much data about his colleagues? Coca-Cola didn’t say. But we do know that the employee had recently left his job—so he may have seen an opportunity to sell or misuse the data once outside of the company. Remember—network and cybersecurity are crucial, but you need to consider whether insiders have physical access to data or assets, too.
11. The employees leaking customer data
Toward the end of October 2020, an unknown number of Amazon customers received an email stating that their email address had been “disclosed by an Amazon employee to a third-party.” Amazon said that the “employee” had been fired — but the story changed slightly later on, according to a statement shared by Motherboard which referred to multiple “individuals” and “bad actors.” So how many customers were affected? What motivated the leakers? We still don’t know. But this isn’t the first time that the tech giant’s own employees have leaked customer data. Amazon sent out a near-identical batch of emails in January 2020 and November 2018. If there’s evidence of systemic insider exfiltration of customer data at Amazon, this must be tackled via internal security controls.
12. The employee offered a bribe by a Russian national
In September 2020, a Nevada court charged Russian national Egor Igorevich Kriuchkov with conspiracy to intentionally cause damage to a protected computer. The court alleges that Kriuchkov attempted to recruit an employee of Tesla’s Nevada Gigafactory. Kriuchkov and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The Kriuchkov conspiracy was disrupted before any damage could be done. But it wasn’t the first time Tesla had faced an insider threat. In June 2018, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.” With state-sponsored cybercrime syndicates wreaking havoc worldwide, we could soon see further attempts to infiltrate companies. That’s why it’s crucial to run background checks on new hires and ensure an adequate level of internal security.
13. The ex-employee who offered 100 GB of company data for $4,000
Police in Ukraine reported in 2018 that a man had attempted to sell 100 GB of customer data to his ex-employer’s competitors—for the bargain price of $4,000. The man allegedly used his insider knowledge of the company’s security vulnerabilities to gain unauthorized access to the data. This scenario presents another challenge to consider when preventing insider threats—you can revoke ex-employees’ access privileges, but they might still be able to leverage their knowledge of your systems’ vulnerabilities and weak points.
14. The employee who accidentally sent an email to the wrong person
Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But, what are the implications? It depends on what data has been exposed.
In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included:
Mental health information
Surgery information
While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. We outline even more consequences of misdirected emails in this article.
15. The employee who accidentally misconfigured access privileges
NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS. These documents – marked “SENSITIVE” and “OFFICIAL” – contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic.
16. The security officer who was fined $316,000 for stealing data (and more!)
In 2017, a California court found ex-security officer Yovan Garcia guilty of hacking his ex-employer’s systems to steal its data, destroy its servers, deface its website, and copy its proprietary software to set up a rival company. The cybercrime spree was reportedly sparked after Garcia was fired for manipulating his timesheet. Garcia received a fine of over $316,000 for his various offenses. The sheer amount of damage caused by this one disgruntled employee is pretty shocking. Garcia stole employee files, client data, and confidential business information; destroyed backups; and even uploaded embarrassing photos of his one-time boss to the company website.
17. The employee who sent company data to a personal email account
We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend. But, in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes.
How common are Insider Threats?
Incidents involving Insider Threats are on the rise, with a marked 47% increase over the last two years. This isn’t trivial, especially considering the global average cost of an Insider Threat is $11.45 million. This is up from $8.76 million in 2018.
Who’s more culpable, Negligent Insiders or Malicious Insiders?
Negligent Insiders (like those who send emails to the wrong person) are responsible for 62% of all incidents
Negligent Insiders who have their credentials stolen (via a phishing attack or physical theft) are responsible for 25% of all incidents
Malicious Insiders are responsible for 14% of all incidents
It’s worth noting, though, that credential theft is the most detrimental to an organization’s bottom line, costing an average of $2.79 million.
Which industries suffer the most?
The “what, who, and why” behind incidents involving Insider Threats vary greatly by industry. For example, customer data is most likely to be compromised by an Insider in the Healthcare industry, while money is the most common target in the Finance and Insurance sector. But, who exfiltrated the data is just as important as what data was exfiltrated. The sectors most likely to experience incidents perpetrated by trusted business partners are:
Finance and Insurance
Federal Government
Entertainment
Information Technology
Healthcare
State and Local Government
Overall, though, when it comes to employees misusing their access privileges, the Healthcare and Manufacturing industries experience the most incidents. On the other hand, the Public Sector suffers the most from lost or stolen assets and also ranks in the top three for miscellaneous errors (for example, misdirected emails) alongside Healthcare and Finance. You can find even more stats about Insider Threats (including a downloadable infographic) here.
The bottom line: Insider Threats are a growing problem. We have a solution.