Tessian Blog

Customer Stories
Preventing Data Exfiltration at a FTSE 100 Tech Company
Monday, August 12th, 2019
Rightmove is the UK’s largest online real estate portal and property website. For over 15 years, the organization’s aim has been to empower the UK’s decisions around property. Rightmove is listed on the London Stock Exchange and is a constituent of the FTSE 100 Index. Rightmove is protecting 530 employees with Tessian Guardian and Tessian Enforcer.
Seeking a seamless security system

For David Cray, Rightmove’s Head of Customer Experience and Product Development, making sure the UK’s number one property portal has a proactive cybersecurity strategy is vitally important. Rightmove was searching for a flexible solution to the problem of accidental data loss and unauthorized email activity. David needed a product that would work across all systems and devices. Rightmove turned to Tessian for answers.

Prompt deployment and threat detection

Rightmove was able to quickly and easily deploy Tessian’s Guardian and Enforcer filters across all UK team members. Tessian’s machine learning enabled Rightmove to benefit from minimal disruption to staff and their day-to-day work, while still equipping the organization with best-in-class email security technology. The Guardian filter’s machine intelligence prevents emails being sent from Rightmove employees to the wrong person as a result of human error, while Enforcer identifies and stops sensitive emails from being deliberately sent to unauthorized email accounts.

Building an agile security culture

Email will continue to remain one of the biggest security concerns for many organizations. By deploying Tessian across the organization, David has taken the necessary steps to ensure that Rightmove is prepared to combat the most advanced email security challenges.

Learn more about how Tessian prevents human error on email

Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.
Customer Stories
Solidifying Security in Investment Management
Tuesday, August 6th, 2019
Man Group is one of the world’s largest independent alternative investment management groups with $114.4bn of client capital in liquid and private markets. Man Group’s managers (Man AHL, Man FRM, Man GLG, Man Numeric and Man GPM) have diverse long/short and long only strategies spanning equity, credit, managed futures, convertibles, emerging markets and multi-managers. Man Group is protecting 1,700 employees with Tessian Guardian, Tessian Enforcer and Tessian Constructor.
Evolving beyond data loss prevention

Financial organizations like Man Group encounter large quantities of highly sensitive information on a daily basis. Neil Wellard, Man Group’s Head of Information Security, recognizes that in large, complex organizations the risk of inadvertent data loss is high. The repercussions could undermine organizations’ reputations within their industries. Email is the most used communication tool within enterprises. To Neil, it was vital for Man Group to continue looking beyond its existing security technologies like Data Loss Prevention. Aware of the potential risks and the limitations of legacy email security products, Neil and his team progressed with Tessian.

Best-in-class security, without disrupting business

After successfully deploying Tessian across the entire firm, Man Group’s information security professionals were quickly able to familiarize themselves with Tessian’s products and access detailed organization-wide security analytics through the Tessian dashboard. Tessian’s machine learning helped Man Group automatically identify and prevent inadvertent data loss over email while ensuring minimum disruption to employees at the organization. With a low false positive rate, Tessian’s warnings effectively minimized unauthorized emails and accidental data loss without disrupting people’s regular workflows.

Staying vigilant in a changing environment

With Man Group and other multinational investment managers having to deal with constantly changing regulatory and commercial environments, the need to invest in agile and customizable security solutions will only grow over time. With Tessian in place, Man Group can mitigate the risk of misaddressed and unauthorized emails without disrupting business as usual.
ATO/BEC
Why DMARC is Not Enough to Stop Impersonation Attacks
by Laura Brooks Tuesday, July 30th, 2019
The UK’s National Cyber Security Centre (NCSC) reported that in the past year, it has stopped 140,000 phishing attacks and taken down more than 190,000 fraudulent websites. In its second annual report on the Active Cyber Defence (ACD) program, the NCSC details how its use of Synthetic DMARC has stopped sophisticated phishing operations, including one in which hackers used a gov.uk domain to impersonate an airline organization. While this approach of synthesising DMARC records has proven to be effective in stopping spoof email campaigns so far, the NCSC’s report also describes it as “an evil hacky kludge,” adding that more needs to be done to express policy ownership in domain hierarchies. Here, we address the shortfalls of DMARC and email authentication records, and consider what more can be done to stop strong-form impersonation attacks.

A necessary first step

95% of all attacks on enterprise networks are the result of successful spear phishing, which often involves an attacker directly impersonating the email domain of the receiver. For example, any attacker could send an email from your business email domain to an employee at your business, and the recipient would have no way to validate the sender’s authenticity in the absence of authentication records. SPF and DKIM are email authentication records that, in short, allow email clients to validate the domain name of an inbound email. DMARC enables organizations to specify how the client responds to emails that fail SPF or DKIM checks (generally reject, quarantine, or no action). SPF, DKIM, and DMARC are essential for preventing direct impersonation of your organization’s email domain. All email domains – especially those of trusted brands – are at risk of direct domain impersonation, regardless of past threat activity.

The darker side of DMARC

However, DMARC has its downsides. And while the NCSC has encouraged more UK businesses and government agencies to adopt DMARC, the report doesn’t shy away from bringing these shortfalls to light.

1. DMARC configuration is time-consuming and resource intensive

The NCSC report states that “for any enterprise of a decent size, implementing DMARC is often a long process” and that “implementing DMARC is a lot harder than people will have you think.” Strict DMARC policies can, if misconfigured, block the delivery of real, legitimate emails. As a result, the ACD recommends organizations take time to digest DMARC reports and investigate the nuances of their mail infrastructure, before gradually moving to a more protective DMARC policy. Unfortunately, this process takes many organizations well over a year.

2. DMARC records are publicly available; attackers can work around them

DMARC, SPF, and DKIM records are inherently public information – they need to be so that receiving mail clients can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it. Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack. For example, DMARC doesn’t protect against indirect impersonation, or domains that are similar to yours (e.g. @tassian.com, @tessian.outbound.com, @tessian.email). There are thousands of ways an attacker can make a new domain look similar enough to your domain to fool members of your organization. These newly registered, legitimate domains are not covered by your DMARC policy. Perhaps because of DMARC’s public nature and the vulnerability of indirect impersonation, ACD data has yet to establish a causal link between increased DMARC adoption and decreased phishing.

3. External domains remain a threat

Configuring DMARC and other email authentication records is a necessary measure for preventing attackers from directly impersonating your organization’s email domain. Unfortunately, a high percentage of the emails your employees receive likely come from the domains of other organizations, such as partners, vendors, customers, and government bodies. Given that other organizations are unlikely to have authentication records in place, employees remain vulnerable to direct impersonation of their external contacts. Email authentication records and policies, then, are only a small piece of the puzzle for protecting your organization against spear phishing attacks.

Impersonation is a difficult problem to solve. To accurately detect it, you need to understand what is being impersonated. You need to be able to answer the question, “for this user, at this point in time, given this context, is the sender really who they say they are?” Tessian Defender uses stateful machine learning models to analyze historical email data and understand relationship context, which means we can automatically detect the impersonation of both internal and external parties.
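To make the three shortfalls above concrete, here is an added example (not Tessian’s code and not from the NCSC report) that parses a DMARC record the way a receiving mail server does, applies the published policy to an SPF/DKIM alignment result, and then shows why a lookalike domain is simply outside that policy. DNS is replaced by a constructed in-memory table for example.com; the lookalike domains mirror the three patterns the article lists (one-letter typo, brand as a subdomain of another domain, brand with a different TLD).

```python
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>. A real receiver
# would query a resolver; these records are illustrative only.
CONSTRUCTED_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.partner.example": "v=DMARC1; p=none; rua=mailto:reports@partner.example",
    # A lookalike domain can publish its own perfectly valid DMARC record.
    "_dmarc.exanple.com": "v=DMARC1; p=reject",
}


@dataclass
class DmarcPolicy:
    domain: str   # domain the record was found under
    p: str        # policy for the domain itself: none | quarantine | reject
    sp: str       # policy for its subdomains (defaults to p)


def parse_dmarc(domain):
    """Return the DmarcPolicy published for `domain`, or None if absent or invalid."""
    txt = CONSTRUCTED_DNS_TXT.get(f"_dmarc.{domain.lower()}")
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return DmarcPolicy(domain.lower(), tags["p"], tags.get("sp", tags["p"]))


def organizational_domain(domain):
    # Simplified to the last two labels; real receivers consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_disposition(header_from_domain, spf_aligned, dkim_aligned):
    """What a receiver does with a message whose From: domain is header_from_domain.

    Returns 'pass', 'none', 'quarantine', 'reject' or 'no-policy'. 'none' means the
    record only asks for reports, so the message is still delivered."""
    org = organizational_domain(header_from_domain)
    policy = parse_dmarc(header_from_domain) or parse_dmarc(org)
    if policy is None:
        return "no-policy"          # point 3: external domains with no records
    if spf_aligned or dkim_aligned:
        return "pass"               # DMARC passes if either aligned check passes
    if policy.domain == org and header_from_domain.lower() != org:
        return policy.sp            # subdomain fell back to the org's sp= tag
    return policy.p


def _levenshtein(a, b):
    """Edit distance, used for the one-character-typo lookalike check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain, protected_domain):
    """Defensive classification of a From: domain relative to the domain you protect.

    'protected': the sender is your domain or a subdomain, so your DMARC policy applies.
    'lookalike': resembles your brand but your DMARC policy says nothing about it (point 2).
    'unrelated': some other organization's domain."""
    sender = sender_domain.lower()
    brand = organizational_domain(protected_domain).split(".")[0]   # e.g. "example"
    if organizational_domain(sender) == organizational_domain(protected_domain):
        return "protected"
    labels = sender.split(".")
    if brand in labels[:-1]:        # brand used as any non-TLD label: example.email, example.outbound.com
        return "lookalike"
    if _levenshtein(labels[-2], brand) <= 1:   # one-character typo: exanple.com
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sender in ("example.com", "mail.example.com", "exanple.com", "example.email", "partner.example"):
        print(sender, dmarc_disposition(sender, False, False), classify_sender(sender, "example.com"))
```

The last two rows of the printed table are the article’s point: a lookalike domain with its own valid record authenticates cleanly, so the receiver needs a signal other than DMARC to flag it.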
Interviews With CISOs
Tessian Spotlight: Andrew Besford, former Deputy Director, Government Digital Service, UK Government
Tuesday, July 30th, 2019
Andrew Besford has over 20 years’ experience in technology-enabled business transformation. His early career was in the telecoms industry, in both in-house and consultancy roles in a number of countries, most recently at UK mobile operator O2. Andrew joined the UK Civil Service at the start of 2014, initially to set up business transformation at the Department for Work and Pensions, where he was responsible for developing a compelling vision for the future of the organization. Andrew then joined the Cabinet Office as deputy director of the Government Digital Service, and led the creation of the Government Transformation Strategy, which was published in February 2017. Andrew holds a degree in Computer Science from Cambridge.

As we have a global readership, can you give a brief explanation of your work with the Department for Work and Pensions and UK government?

My first job as a civil servant was in 2014, where I established the business transformation programme to modernize the Department for Work and Pensions (DWP). DWP is the UK’s biggest public service delivery department, and has a long history of administering the state pension and a range of benefits. Its operation distributes around £167bn of benefits per year (£650m per day, in 2.8m separate payments). The business costs around £8bn per year to run, employs 95,000 people, and delivers face-to-face services through 720 Job Centres. The big themes of the transformation were around secure self-service wherever possible, intelligent use of data, and process automation. I later moved to the Government Digital Service to work on the portfolio of digitally-enabled transformation programs across UK government. Across all of these themes of transformation, we were constantly balancing the pace of technological change with the ability of the organization to adapt to new ways of working. With public services that people depend on, it’s always vital to consider how the organization will continue to serve people reliably whilst it is changing. Sometimes this means you need to make incremental changes, because a major technological overhaul and starting from the ground up would be too high risk, even though it may appear to be a better technology solution.

What pressures and dynamics were unique to digital transformation in the public sector?

Public sector digital transformation programs tend to be driven by a mix of three key drivers – making efficiency improvements, improving the customer/citizen/user experience, and implementing the government’s policy agenda. Sometimes a new government policy can be an opportunity to modernize the way the whole of something works. Other times the policy might stay the same but there is an opportunity to deliver it in a modern and efficient way, which means making the best use of today’s digital delivery approaches and technologies. Eventually it will also mean adopting more internet business models but we are still in the very early stages of governments thinking in this way. Some of the dynamics of this really are unique to the public sector – you have to deal with all service customers/citizens/users, some of whom may be extremely vulnerable or unable to deal with you online. You are spending public money, and the procurement rules are always a factor. A hugely positive aspect is that your colleagues are people who go to work every day to make government work better for the people who need it most. The scale may be vast, but other challenges of transformation are the same as you find anywhere else – making smart use of data, having a plan for legacy systems, getting enough people with the right skills, aligning the organization around a clear vision, establishing the basics like a common language and a focus on user needs.

How does cybersecurity factor into your work?

Although my job title doesn’t say cybersecurity, it is absolutely integral to leading business transformation in this environment. Different parts of the public sector have aspects in common, for example the need to handle sensitive personal data. But different areas naturally have different threat profiles – for example DWP is a unique environment in that it pays out such a big percentage of our GDP directly to citizens. One key factor when you are building new digital services in this environment is that you have to be careful with which parts need an iterative test-and-learn approach, and which parts need a high-volume, stable and auditable approach. Sometimes this experimentation is essential, for example when creating new online services which you hope will change people’s behaviors. Other times this can be risky or impossible, for example if you consider the interface to the banking system. Using appropriate methods can be very hard if there is a context of “agile everywhere”, which has sometimes been dogmatic. There is a fine trade-off between making a service useful and making it safe. Often, senior leaders of organizations need help to understand the risks and the choices they face, so it was a big part of my job to clearly communicate the risks associated with projects and the mitigations that can be put in place.

Are there any security principles you are guided by when approaching business transformation?

The vision for business transformation needs to include security at its heart, and not just include it as an afterthought. As ever, this can be a juggle because other themes must also run strongly through the story, especially around people and technology. Of course boards will always want to know “Are we secure, and compliant?” But when you are working on transformation, they probably also want to know “Why are we not more of a digital business yet?” So there has to be a security perspective on the organization of the future. Frequently this means evolving the security focus so that it is not just about securing networks and endpoints, but extends to designing secure services. My view is that transformation leaders always have a role to play in security. This could be helping board members understand what good looks like, and helping them understand options and consequences. Equally it could be helping to raise colleagues’ awareness and understanding as part of a more general digital upskilling.

You often refer to keeping user needs at the heart of your thinking – can you share more on this approach?

The emphasis on user needs has been a real turning point in how UK government thinks about delivering digital services. In 2014 the Government Digital Service mandated the Service Standard, which includes as its first point to “Understand users and their needs”. This helped establish the thinking that without understanding users, you won’t know what problems you’re trying to solve, what to build, or if the service you create will work. From a broader cybersecurity perspective it is important to start with user needs, while acknowledging that the government has needs too, for example to protect taxpayers’ money, reduce fraud and preserve trust.

How important is the human factor when it comes to digital design?

It’s impossible to overstate the human factor. In government terms this applies to the people who use government services, as well as the people working within government agencies. Digital services rely on balancing a low-friction user journey, with the need for proportionate controls to limit business risk. Designing this successfully can only be done by putting the users at the center of the design. For public services this will touch on user identity, data ownership and sharing, minimizing risk and administrative errors that could cause significant damage – all while respecting people’s privacy and rights. Criminals might impersonate these services without the victim ever contacting the agency in question, so this is in part a national problem, not an organizational one. For example, the UK’s tax, payments and customs authority (HMRC) has experienced significant criminal use of their brand, highlighting the need for a national response to protect citizens and ensure that when people see an email from a .gov.uk email address they can trust it. In 2016, HMRC was the 16th most phished brand globally, but following efforts from HMRC and the UK’s National Cyber Security Centre, by the end of 2018 it was 146th in the world. Within government agencies, for those who advise on policy, build technology solutions, and deliver front-line operations, there are also threats at the human level. These could be from organized criminals, hacktivists or state actors, who may use attacks based on social engineering or spear phishing.

Do you have any advice for cybersecurity practitioners on how to work effectively through digital transformation?

As always this depends on the context, but there are three common themes I would highlight from recent work. Firstly, we need to help senior leaders understand cybersecurity better. Transformation is a leadership problem and sits in the realm of the boardroom; it is made possible by leaders understanding what it means, and setting out a vision for the organization. Those people generally don’t have a deep understanding of cybersecurity, but increasingly recognize how critical it is, because they have heard of WannaCry ransomware, Cambridge Analytica data mining, and British Airways/Marriott fines under GDPR. Secondly, we need to focus on creating the right conditions in the organization for delivering new services. This means enabling people and empowering teams. Someone in your organization is eventually going to end up attempting to do secure service design themselves – with or without any guidance from specialists. Cybersecurity practitioners need to collaborate across the organization, avoid creating factions, and make sure it gets done right and integrates with your other layers of defence. Finally, we need to embrace digital change and experiment. Any big organization needs to be able to operate while under persistent threats and sophisticated attacks. And you need your teams to be enabled to experiment (safely), test and learn what works, and continuously evolve services to deal with the evolving landscape they operate in. Security leaders can and should be at the heart of safely delivering the transformation ambition.
Compliance
The Week the ICO Bared Its Teeth
Friday, July 12th, 2019
Up until now, the consequences for GDPR non-compliance have been gossiped about but perhaps not been taken particularly seriously. That all changed after the ICO imposed staggering fines of £183 million on British Airways and £99 million on Marriott, following data breaches that compromised the personal data of thousands of customers. The news clearly shocked the business world; this is the first time the ICO has bared its teeth since GDPR came into force last year, and the EU regulators have made it very clear that failure to comply with the rules will result in genuinely significant penalties.

At a number of customer events we hosted this week, the blockbuster fines were on everyone’s minds. In particular, people were keen to discuss why the ICO fines were so high, with many agreeing it was because there was a lack of “demonstrating diligence” around the risk prior to the breaches. Indeed, the ICO said in its investigations that Marriott should have “done more to secure its systems”, while BA reportedly lacked “appropriate technical and organizational measures to prevent such an attack”.

The message from the ICO is clear – businesses have a legal duty to ensure the security of data or else face fines of up to 4% of the company’s annual turnover. While BA’s imposed fine stands at 1.5% of its annual revenue, it is still a significant blow (though it could have been much worse). We must also remember that in addition to the eye-watering fines, BA and Marriott will now also face damaging long-term effects on customer trust, company reputation and their share prices.

With so much at stake, the news will have sparked discussions in boardrooms across the world, with companies urgently taking stock of the security measures they have in place and evaluating whether they are properly protecting the data they process and hold. Any ‘gaps’ will need addressing quickly, looking to cybersecurity solutions that protect networks, devices and people.

I am certain this won’t be the last time we hear about ‘record-breaking’ fines from the ICO this year. Each will serve as a reminder to companies that they cannot be complacent when it comes to compliance; protecting data must be a priority.
ATO/BEC
Why Financial Services Firms are Most Likely to Fall for Phishing Attacks
Wednesday, July 10th, 2019
Recent reports show that the number of cyber incidents reported by financial services firms to the Financial Conduct Authority (FCA) skyrocketed from 69 in 2017 to 819 in 2018. Ransomware and phishing attacks topped the list of reported cyber attacks, making the financial sector one of the most targeted industries for phishing crimes. With the threat of phishing and spear phishing attacks only growing in severity, being aware of potentially malicious emails and impersonation scams has never been more important.

However, our report – Why Do People Make Mistakes? – worryingly suggests that people in financial services are the most likely to fall for phishing scams. We found that nearly one in three financial services workers has clicked on a phishing email at work, making it the sector with the highest percentage of people falling for these attacks.

The problem is that people in financial services are under huge amounts of stress and pressure – and this often leads to mistakes online and puts cybersecurity at risk. For example, nearly half of the people we surveyed from financial services (49%) described their current workload as either ‘overwhelming’ or ‘heavy’, while 70% said there is an expectation within their organization to respond to emails quickly. Furthermore, an overwhelming majority (89%) said they feel stressed at work, with nearly nine in 10 admitting they make more mistakes when stressed – significantly higher than the UK average of 71%.

Stress and overwhelming workloads can, ultimately, increase vulnerability to threats, given that a person’s ability to spot anomalies in a phishing email is influenced by the other tasks requiring their attention at the same time. With so much going on, overworked employees will likely rely more on the habitual behaviors that inform their decision making, rather than engaging in rational, analytical thinking.

Tiredness, too, impacts our ability to question the legitimacy of the messages we receive, leading to what could be a costly mistake for any business. Mistakes are inevitable, especially when people are tired, stressed and facing a never-ending to-do list. Cybersecurity is the last thing on their minds, but it just takes one click on a malicious link or one response to a hacker’s request to compromise data and ruin a company’s reputation.

So, as cybercriminals continue to hone their skills and make spear phishing attacks more targeted and more believable, businesses need to consider how to prevent the inevitable mistakes. Consider how best to protect your people. Alert them to potential threats and provide them with the information they need – in real-time – to think before they click.
ATO/BEC
Ed Bishop: Spear Phishing and the Dangers of Impersonation
Tuesday, July 9th, 2019
Tessian CTO Ed Bishop runs through the most dangerous forms of spear phishing and email impersonation attacks threatening organizations.

Email allows us to interact freely. If you know someone’s address, you can send them an email, regardless of where in the world they are located or what device they’re using. Even if you don’t know someone’s email, it’s often relatively easy to guess. Email is also open by default. This openness has taken masses of friction out of global commerce, and is vital to our businesses. But there’s a tension here. An open network inevitably means risk to individuals and businesses alike. Organizations around the world handle sensitive material every day. Vigilance will always be important. But striking a balance between empowering employees and cracking down on suspicious activity has to be done sensitively.

Strong-form spear phishing is a particularly dangerous threat. Spear phishing takes advantage of email’s openness using advanced impersonation techniques undetectable by most filters and safeguards, creating significant headaches for information security leaders. It is the most insidious threat to email communication, and is the number one form of attack threatening enterprises today. The FBI now tracks Business Email Compromise (BEC), whereby spear phishing is used to extract large sums of money through illegitimate or unauthorized wire transfers. In 2018, the FBI estimated that in the previous five years, Business Email Compromise (of which spear phishing is an important component) had cost enterprises as much as $12.5bn. So how did this threat emerge?

The birth of phishing

Email was introduced in the 1970s. It didn’t take long for it to attract a parasite: spam, which arrived in 1978. Spam allowed emails to be sent to large numbers of recipients with minimal personalization. Originally invented for marketing purposes, it soon led to innumerable scams. By 2017, spam made up 55% of all emails received globally.

In response to spam detectors and blockers, attackers started to work harder. They turned to phishing. Phishing mimics the identity of trusted people and services in order to extract sensitive information, such as passwords or account numbers. Although they remain a threat, generic bulk phishing attacks can usually be prevented by legacy email security solutions. The problem, though, is that attackers have refined their approach over the years. They have invested more time and energy into targeting specific individuals, and have turned to public-domain information from sites like LinkedIn to personalize emails. As phishing has grown in popularity, other cybercrime strategies like ransomware and fraudulent online purchases have also become more prevalent. In 2017, hackers stole a staggering £130bn from consumers through these schemes. And information security professionals have their work cut out. Targeted, personalized attacks are constantly evolving. At Tessian, we see impersonation-based spear phishing as the next stage in this email arms race.

High-ranking employees are most at risk

From a technological perspective, spear phishing is much more difficult to filter out than run-of-the-mill spam or bulk phishing. This is because it is highly targeted towards particular individuals within organizations. Even the most cynical and risk-aware individuals can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees. This is not confined to mid-ranking employees: ‘whaling’ scams specifically target C-level executives, for instance. These nefarious tactics are not going away any time soon.

Secure Email Gateways: solving the problem?

To combat attackers, enterprises have traditionally used Secure Email Gateways to monitor attachments and URLs. Today, almost every email provider or legacy Secure Email Gateway (a guard against malicious emails) will include a spam filter. However, there are always ways for attackers to get around these rule-based technologies. Cybercriminals may employ malware that evades software programs’ screening capabilities, for instance; alternatively, organizations might fall victim to a zero-payload attack that doesn’t represent a threat for weeks or months. So how have Secure Email Gateway structures attempted to address spear phishing issues?

Display address irregularities

Secure Email Gateways are designed to catch irregular display addresses. These occur when the target’s display address doesn’t exactly match the genuine address (changing an ‘n’ to an ‘m’ and making ‘bank’ into ‘bamk’, for instance). A related check looks for instances where a reply-to address may be different from the sender’s own address.

Domain monitoring

Here, the Secure Email Gateway checks whether the sending domain has been recently registered, or whether it is registered as inactive.

The protective measures mentioned here can only ever be partially effective. That’s because they are focused on providing static, rule-based solutions: attackers can easily reverse engineer these rules and circumvent them. So how are cybercriminals evading Secure Email Gateways? At least in part by focusing on strong-form techniques.

Attackers are becoming more subtle

Attackers have a variety of ways to break down organizations’ defences, but strong-form tactics are especially hard for Secure Email Gateways and other rule-based systems to detect. We’ve already covered reply-to modifications, for instance. This is an example of weak-form phishing, which relies on targets not realising that the reply-to address of an email has been changed from the original ‘sender’. With strong-form phishing tactics, the reply-to address can appear to be exactly the same as the sender’s address. This has the potential to confound simplistic rule-based systems.

A strong-form attack could be a homograph impersonation of a ‘trusted’ external counterparty, such as a law firm or an accountant. Here, other alphabets can be used to deceive targets into believing a domain or address is genuine. The English-language ‘a’, for instance, is very similar to a Cyrillic small letter ‘a’. This visual trick can be used to create alias addresses that could well deceive targets.

It might seem surprising that anybody can send an email pretending to be anyone, but current email protocols allow for this. Email authentication methods like SPF, DKIM and DMARC have been designed to try and confirm sender identities. The problem is that this can only be truly effective when every company in the world publishes its own email authentication record. Unfortunately, this is far from being the case: many Fortune 500 companies still have not published the recommended email authentication records. This gives attackers the means to find, through public domain data, any external counterparties without correct authentication records, and simply send emails pretending to be them. It’s clear that hackers are thinking about more subtle ways to breach organizations’ defences. As such, it’s important to understand how spear phishing works in practice.

The tip of the spear: breaking down intelligent phishing attacks

Understanding how spear phishing attacks are constructed is fundamentally important to the success of an information security team’s defences. So what are the key components of a spear phishing attack?

Target

The target could be any employee within your organization, but attackers may focus on high-ranking executives or members of the finance department. Cybercriminals can spend significant amounts of time researching and identifying the most vulnerable individuals.

Impersonation

The impersonation of another person or company is the core tenet of spear phishing attacks. Once a target is identified, the attacker may choose to impersonate a colleague or a trusted third party external to the organization (possibly someone who works at another organization they interact with regularly and trust).

Intent

Successful spear phishing attacks all manage to get the email recipient to take a particular kind of action. This could be wiring money to an attacker’s bank account, divulging login details or other sensitive data, or installing malware or ransomware on a device. Often, requests for action exploit organizational pressures to maximize urgency and time sensitivity.

Hacking the human

One successful spear phishing attack can result in the extraction of millions of dollars, devastating data loss, and incalculable reputational damage. While some enterprises are able to stop basic spear phishing, these attacks are becoming more sophisticated all the time. This isn’t surprising. The history of email security shows us that phishing attacks only become more advanced and personalized with time. In industries where many firms still rely only on traditional technologies like Secure Email Gateways to operate, the threat level is potentially even more potent. The rewards for attackers are large, and the risk for companies still larger. There is much to be done before organizations can be said to have the upper hand against these bad actors. By acknowledging the people that are at the heart of this battle, and by building products that understand and protect them, I’m confident that we can make significant progress.

*Interview condensed from Modern Law Magazine supplement, May 2019.
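The gateway checks the article walks through (a reply-to domain that differs from the sender, a one-character lookalike of a trusted domain, a mixed-script homograph label, and a counterparty with no DMARC record or a monitor-only one) written out as detection logic over sample headers. This is an added example, not Tessian's code or anything from the article; the trusted-domain list, the DMARC answers and the From/Reply-To headers are constructed here.

```python
"""Rule-based header checks of the kind the article attributes to Secure Email
Gateways. Added example, not Tessian's code: the trusted-domain list, the DMARC
answers and the sample headers below are all constructed for this demonstration.
"""
import unicodedata
from email.utils import parseaddr


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches 'bank' versus 'bamk'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of a label (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def dmarc_policy(record: str) -> str:
    """The p= tag of a DMARC TXT record, defaulting to 'none' when absent."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none").strip().lower()


def check_message(headers: dict, trusted: set, dmarc: dict) -> list:
    """Findings for one message's From / Reply-To headers; empty when clean."""
    findings = []
    sender = domain_of(headers.get("From", ""))
    reply_to = domain_of(headers.get("Reply-To", ""))

    # Weak-form check from the article: Reply-To steering replies elsewhere.
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain {reply_to} differs from sender domain {sender}")

    # Internationalised domains travel as punycode (xn--); compare what a user sees.
    shown = sender
    if "xn--" in sender:
        try:
            shown = sender.encode("ascii").decode("idna")
        except UnicodeError:
            pass

    # Homograph check: a label mixing scripts, e.g. Latin letters around a Cyrillic 'a'.
    for label in shown.split("."):
        if len(scripts_in(label)) > 1:
            findings.append(f"mixed-script label {label!r} in sender domain")
            break

    # Lookalike check: one edit away from a trusted counterparty domain.
    for good in sorted(trusted):
        if shown != good and edit_distance(shown, good) == 1:
            findings.append(f"sender domain {shown} is one edit from trusted {good}")

    # Authentication posture: the article notes many counterparties publish nothing.
    record = dmarc.get(sender)
    if record is None:
        findings.append(f"no DMARC record for {sender}: spoofed mail is not rejected")
    elif dmarc_policy(record) == "none":
        findings.append(f"DMARC policy for {sender} is p=none (monitor only)")
    return findings


# Constructed fixtures: the domains, DNS answers and headers are invented.
TRUSTED = {"bank.com", "lawfirm.com"}
DMARC = {  # what a TXT lookup of _dmarc.<domain> would return
    "bank.com": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.com",
    "lawfirm.com": "v=DMARC1; p=none",
}
HOMOGRAPH = "b\u0430nk.com"  # 'bank' with a Cyrillic small letter a, as in the article
HOMOGRAPH_WIRE = HOMOGRAPH.encode("idna").decode("ascii")  # punycode form on the wire
SAMPLE = [
    {"From": "Accounts <ap@bamk.com>", "Reply-To": "ap@bamk.com"},
    {"From": "Partner <j.doe@lawfirm.com>", "Reply-To": "j.doe@mail-relay.net"},
    {"From": f"Alerts <alerts@{HOMOGRAPH_WIRE}>"},
    {"From": "Colleague <me@bank.com>", "Reply-To": "me@bank.com"},
]

if __name__ == "__main__":
    for msg in SAMPLE:
        print(msg["From"])
        for finding in check_message(msg, TRUSTED, DMARC) or ["no findings"]:
            print("  -", finding)
```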
Integrated Cloud Email Security
Q&A: Tim Sadler, Tessian CEO
Thursday, July 4th, 2019
Tim Sadler, Tessian CEO and co-founder, summarizes his journey from founding Tessian to raising $60m from leading investors.

Why did you decide to found Tessian, and why was email security the problem you focused on?

Tessian was founded in 2013 by myself, Ed Bishop and Tom Adams. We all studied engineering together at university before moving into banking. Working at these multinational organizations, we saw how much sensitive data was put at risk by people sending emails. Modern organizations process vast amounts of information, and they have a lot of controls to keep that data safe. But even with NDAs, project code names, and policies advocating security best practices, enterprises still face risks from many, many misdirected emails. Today, organizations have to allocate budget to keeping their data safe, and they understand the importance of reputation management. So we asked ourselves, ‘Why is this a problem?’ We realized that there had to be a technological solution that could help improve email security within complex organizations. When we started the company we didn’t really have security backgrounds, but we did have first-hand knowledge of how big a problem this was. When we got in front of our first customers – predominantly law firms and banks – and started talking about the threat of human error in email communication, that was when we knew Tessian had value to offer.

So why is human error such a huge threat?

Email is something we all do. We send 40 emails a day, and generally speaking it feels incredibly safe. It’s a little bit like our own personal safety: we don’t think twice about getting into a car or driving a car, but statistically speaking it’s actually one of the most dangerous things that you can do in your life. We’re scared by the headline-grabbing stuff, like plane crashes or shark attacks, but it’s actually the unremarkable things we do every day without thinking that are most likely to cause harm. That’s exactly the problem with email, and in particular with misdirected emails. That’s why the first piece of software we built was targeted at helping enterprises automatically deal with the risk of misdirected email communications.

How important is it that security products don’t disrupt people’s work?

It became clear to us when we were building Tessian that employees wanted a completely automated process. Security leaders understand the risk of misdirected emails and know that a technological solution is needed. However, they want to deploy technology that doesn’t require laborious maintenance or pre-configuration. It has to work ‘as if by magic’. Preserving the user experience is essential. It was imperative that the technology wouldn’t get in the way of people doing their jobs: no-one wants a pop-up asking them to confirm the validity of every single email they send. Organizations wanted something that just completely blended in with regular workflows. These were some of the key learnings we got from those early meetings. We’ve worked hard to create something that doesn’t need an enormous IT team to implement. Tessian’s products are completely automated, and the deployment is seamless: it simply integrates with existing infrastructure.

So what are the different problems Tessian solves today?

Cybersecurity previously focused on computer networks before moving on to endpoints, or device-level security. In the world we’re in today, we believe that the next step is to protect people. This progress is reflected in our development of different email filters. We don’t solely focus on preventing misdirected emails with our Guardian filter any more. We also focus on other areas of security. Tessian Enforcer prevents unauthorized emails, which is where people send highly sensitive information to (for example) personal Gmail or Hotmail accounts. Our most recent launch is Tessian Defender, which focuses on preventing inbound spear phishing emails. This is a defense against malicious outsiders trying to trick humans within your enterprise, whether it’s encouraging them to click on a suspect link or to make an erroneous payment. This is why we need a security platform covering the whole human layer. Tessian’s mission (and it’s an ambitious one) is to protect firms against any security threat executed by a human. To get closer to fulfilling that mission, we’re investing in R&D and software engineering. We continue to work on new solutions that address all organizations’ human layer risks. We are constantly working on innovative ways to deal with security risks that don’t require hiring an additional 10 people to run the software or conduct analysis. This is something that we focus on very heavily at Tessian – to offer software that can be deployed simply and quickly to automatically prevent security risks to people.

Tessian’s Human Layer Security platform is unique in the market. Why do you think you’re the only company offering this solution?

It seems obvious, doesn’t it, to focus on Human Layer Security as the solution to the problems we’ve discussed. The issue is that these problems are incredibly difficult to solve in a manner that provides best-in-class user experience and is completely automated. That’s why machine learning lies at the core of our technology. The products and the underlying tech take time to get right, and I think that’s why we’re out there alone at the moment. The challenges we’ve had to work to overcome require intense and rapid analysis of historical data in order to understand conventional communication patterns and behaviors. We have a very short window of time to check an email and make a conclusion about whether it’s going to be OK to send or reply to. Developing that software has taken time and R&D investment. Another benefit to Tessian – and our clients – is that we’re a relatively young company, so we’ve been able to build the entire system on very modern architecture. This has allowed us to leverage increased speed in the system and an abundance of flexible computing power. In this respect we think we’re ahead of any other company in our space. We are on a mission to bring Human Layer Security to as many enterprises around the world as possible. We want to keep the world’s most sensitive information and systems private and secure, building technology that allows enterprises to do that by delivering an amazing experience both for security teams and also the people that directly interact with the product.

What do you think Tessian will look like in a few years’ time?

I’m currently speaking from our New York office, which we established in 2018. We’re now investing heavily in the US market, and to help us do that we raised $42 million worth of funding in a round earlier this year led by Sequoia Capital. Sequoia invests in the best security technology companies in the world. We raised the capital to move into new markets as well as significantly expand our R&D activities. Our goal at Tessian is to protect the human layer in the same way that firewalls protect the network layer and endpoint security protects the device layer. We are focused on the automatic protection of any person processing data within the enterprise. In the future, I see Human Layer Security being a concept that is brought up at board level, exactly the same way that these other concepts in cybersecurity are discussed. Ultimately, humans make mistakes, they break the rules and they are easily deceived. These three problems are huge security vulnerabilities for people and organizations. It’s much harder to protect people, but it’s also much more important that they are protected. Every organization has some kind of firewall protection against the network. They will have some kind of endpoint security protection on their devices. We see Human Layer Security really being the third piece of the jigsaw puzzle that’s currently missing from these organizations. Tessian wants to be the layer that protects the most important part of any enterprise – your people.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Interviews With CISOs
Tessian Spotlight: Don Welch, Chief Information Security Officer at Penn State University
Thursday, July 4th, 2019
Can you give a brief overview of your background and responsibilities at Penn State?

As Chief Information Security Officer for Penn State University, I am in charge of a range of things including identity and access management, security operations, privacy and compliance. This involves overseeing the unique responsibilities of each of those teams.

What are your core objectives in the role?

One of the main objectives I work to is to understand who is on the network and who has access to what. This is what our privacy and security is all about: stopping people getting access to critical information that they shouldn’t. Compliance is another large objective that has a lot of overlap with security. Compliance is necessary, and often the fines and other sanctions are a serious risk to Penn State. However, while the standards do support security initiatives, they’re not sufficient in themselves. That makes the distinction between which policies and programmes are compliance-led versus security-led very important for us.

Have you observed any dynamics that are unique to university environments when it comes to information security?

The interesting thing for large research universities is that we are affected by almost every area of compliance and information threat that exists. We have healthcare data, valuable research, financial information, student PII as well as a nuclear reactor, an airport and all the utilities cities have. This means we are subject to a range of threats like nation state actors trying to steal IP or gather information for their country, and criminals targeting us for fraudulent payments.

Do you think universities are well equipped to deal with these threats?

No, it’s a real challenge. Universities do great things as faculties are very entrepreneurial, working on cutting edge innovations with relative autonomy. While autonomy is an important value of the institution, it makes cybersecurity more challenging. The university has so many faculties and operations which create a diverse range of activities within the one system. Creating security alignment that works effectively across the board is therefore a big undertaking.

How do you instil a cybersecurity culture in such a diverse environment?

We have 17,000 regular staff members and 100,000 students who all fall prey to different kinds of attacks. We tailor our education and training approach to each different group, ensuring that people understand both the threat to them personally and to the institution.

How does human error play a role in cyber vulnerabilities?

Phishing and social engineering attacks are getting more sophisticated, meaning that even very intelligent people can be deceived. We know people make mistakes, so it’s important to maintain a combination of approaches to mitigate human error. We implement layered security strategies because you can’t depend on a single defence approach. We build security that considers everything together: people, technology and processes. With a phishing campaign, for example, when a normal user has fallen victim and an attacker takes over that account, we have several ways of identifying the attack and stopping it before the attacker does damage. We look for strange account activity that indicates a compromised account. We mandate protections on privileged accounts, changing the password every time it is used. We separate our sensitive systems from the rest of the network. These are some of the controls we use to protect our system in a layered and integrated manner.

Where do you see the biggest risks being in future?

Attackers are always innovating, so we have to continually evolve our defences to keep up. This will become more challenging when adversaries begin to use AI and automated techniques to attack systems much more rapidly. We’ll have to act more quickly to match their speed. But we still have the basic challenges that we need to address – simple attacks still succeed because people continue to fall for spear phishing attacks. We cannot forget about the basics and get distracted by shiny new toys.

What are the common misconceptions about the role of cybersecurity?

A lot of cybersecurity professionals look at security from a risk-based approach: they’ll assess what the individual risks to the organization are. That’s important, but it has to be incorporated into a larger strategy that looks at the bigger picture of potential damage and allocates our cybersecurity resources in an efficient and effective way. We have to think how our attackers are thinking in order to understand how they will attack us.
Interviews With CISOs
Tessian Spotlight: Graham Thomson, CISO at Irwin Mitchell
Thursday, July 4th, 2019
Tessian spoke to Graham Thomson, CISO at leading law firm Irwin Mitchell, about his career and why he uses Tessian to keep Irwin Mitchell’s employees safe on email.

To get started, can you take us through how you first got into security?

I got my degree in genetics and then worked in military intelligence, where I received a grounding in computer security. After a few years, I left the military and got a job as an investigator for a global retailer. Initially this was to investigate fraud and corruption, but it evolved to cover issues relating to information security, such as insider breaches and hacking. Having decided that a career in information security was for me, I then obtained my CISSP qualification. I’ve since been lucky to experience many different industries, including insurance, online banking and e-commerce, and now the legal sector. I’ve been focused purely on information security for around 12 years now.

How has the industry changed since you began your career, and what has the impact of technology on security been?

Information security has changed hugely over time, probably because the threats themselves have changed. When I started out, I think it’s fair to say the work we were doing probably wasn’t that well understood. When I was being trained initially, I remember learning about a KGB-initiated infiltration of systems that was discovered pretty much by chance: this was a real eye-opener that brought home just how important computer security was going to be in the modern economy. One of the biggest changes is the focus on people. Previously, security professionals would be technical IT specialists, but today many different career paths – the military and law enforcement are just a couple of examples – can lead towards information security. The ability to understand an issue from the attacker’s point of view is very useful. You can spend as much money as you want on technology, but at the end of the day there are humans with legitimate access to your systems; if they are negligent or abuse their positions, then there’s very little that tech can do to stop that.

What are your core responsibilities at Irwin Mitchell? And what are your ambitions for your department and the team over the coming years?

My core responsibility is setting the strategic security vision for the company and making sure we successfully deliver on our objectives. I refer back to this regularly to work out whether there are gaps in our present strategic framework, or whether we need to readjust priorities on particular technical projects. It’s all well and good sitting and thinking about high-level problems, but real-world feedback really helps to crystallize the impact of what we’re doing. It’s my security policy, but I want to know how it translates across the business. The key thing is that many people within law firms deal with very sensitive personal and company data. Our bread and butter is keeping this safe. Firms in other sectors may only have a few people dealing with sensitive data, but in law firms the proportion of people in the business who have this responsibility is far higher. This information isn’t just internal; it comes from external parties too. For example, we might have sensitive medical records or information relating to military matters as part of the work our solicitors do. The legal space is a fairly unusual sector in that we have to think about security in a very broad sense. The very term ‘cybersecurity’ reflects the fact that more and more of the information people consume is digital. But working at a law firm, there are paper records that have to be dealt with too. So my role depends on understanding and managing all the implications of information security, not just the technical aspects. It’s important to remember that our people could be very experienced lawyers or new graduates: we have to make sure that everyone understands what their security responsibilities are. People have to know how to handle information from when it comes into our orbit right through to when we dispose of it. Security can’t just be a case of asking people to read a lengthy, technical policy document. I have to ensure the information is relayed in a way that’s meaningful, interesting and relevant, and I need to make sure the technical tools we use are easy to understand.

How can new security technology help the legal sector really make strides in the years to come?

The first thing to say is that the legal sector has probably not moved as fast as some other sectors when it comes to adopting technological solutions. Although there are some startups making strides in ‘legal tech’, fintech, for instance, has a higher profile and potentially more innovation happening in that space right now. Things are improving, but the sector as a whole has possibly been slightly behind the times. For me, where the sector could really benefit is access to justice: I think tech will help ordinary people engage more meaningfully with the legal system. Law is complex, and there are so many gray areas, but I’m hopeful that developments in artificial intelligence (AI) hold a lot of promise. It’s never a good thing when someone decides not to approach a lawyer or a law firm because they’re not sure whether it’s worth it or because they think the process will be particularly laborious. Tech that allows people to ask initial questions without having to directly engage the services of a human lawyer could mean that people find it less intimidating to approach law firms. I think we’re now moving past the point where people expect to have to walk into a physical office to have a meaningful conversation with a legal professional. You could easily get the same result from your own home, or on your phone, and that kind of relationship is what we need to be thinking about. I also think there could be major benefits to research. When paralegals need to sift through thousands of pages, AI could help surface the relevant information more quickly. Bots that do more labor-intensive work like reviewing long contracts could also save significant chunks of time. Next-generation technologies like AI could definitely help the legal sector move forward. The danger with AI, though, is that biases may still come into play, as is often the case when dealing with complex algorithms.

Can you tell us about your experience bringing new technologies into a law firm?

I’m fortunate that today, cybersecurity is taken very seriously at board level. If I can show that there’s a requirement and a potential benefit with a new piece of technology, the appetite to mitigate that risk is usually there. When it comes to end users, we have to think carefully about altering processes they might be used to, or telling them to stop doing something that seems innocuous. I’ve found that as long as the training and awareness is communicated well, it’s usually accepted without too many hiccups. Interestingly, when we implemented Tessian Guardian, which helps us combat misdirected emails within the organization, it was one of the few security products about which we had no complaints. In fact, people sent us screenshots thanking us for preventing emails potentially going to the wrong destination! It’s great for the team to feel like we’re making positive changes within the organization.

Could you describe Irwin Mitchell’s attitude to information security in a couple of sentences?

Our people see information security as an absolute necessity when it comes to doing business. Everyone acknowledges that they share responsibility for the firm’s success or failure here.

So how important is Tessian to your overall security stack?

Tessian is critical for us. Misdirecting an email is very easily done: people want to be productive, and they don’t always notice when autocomplete gives them an incorrect email address. Tessian also gives us great analytics and reports which help us actually analyze the data, over and above the solution itself. We’re soon going to be implementing Tessian Defender, which will help us address inbound spear phishing threats and make Irwin Mitchell’s security structure even more secure. Tessian is just a very clear way for us to communicate potential risks and give our colleagues additional protection.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Interviews With CISOs
Tessian Spotlight: Sarat Muddu, IT Security Director at Kelley Drye
Thursday, July 4th, 2019
Kelley Drye & Warren’s IT Security Director Sarat Muddu talks about the process of implementing change, and how his firm wards off threats by embracing innovation.

As an IT professional, what attracted you to a career in the legal sector?

I’ve had experience in a wide variety of sectors, but I was fascinated by the security challenges of the legal space. Although I wasn’t a legal expert when I joined Kelley Drye, I moved across from health care, which is another industry that is extremely sensitive to cybersecurity risks, so I understood the importance of the problem.

How important is it that the top level of a firm is alert to the dangers of cybersecurity?

Even at board level, there should be people who understand the more nuanced technical details of a security project. At Kelley Drye we’ve been lucky to get great buy-in from our managing partner and CIO. They see a direct connection between a well-constructed security policy and the broader success of the business. I can’t speak for other law firms, but ever since I’ve been working in the legal sector, I’ve seen significant positive movement in how people approach and value security. This is one really refreshing change. We regularly get inquiries from partners asking whether we are protecting ourselves against this or that new threat – they pay attention and want to ensure firm and client safety. If we can continue developing this kind of curious mindset, I’ll be happy. It’s important to remember that a main driver of this new focus comes from partners being keenly aware of potential damage to a firm’s reputation. You don’t want to be the firm in the headlines because of a security breach, and you have to preserve client relationships, which are the bedrock of any firm.

Why is email a particularly high-risk activity at law firms?

I think all industries are susceptible to engaging in risky behaviors, but the kinds of data held in law firms means any unauthorized email that goes to a personal address is potentially more dangerous because of the content of that email. We all want to take the convenient path, but it’s the responsibility of a security team to manage and, if necessary, plug holes in those workflows that increase risk. Email is one of the most heavily used tools in any law firm, alongside document management systems. Human error is always one of the big factors in any data breach report. Lawyers send and receive a lot of email, so in a sense it’s natural that they may be more likely to misdirect an email, for instance. Even IT teams are not immune to these pressures!

Is it the case that email is just an inherently risky mode of communication?

At Kelley Drye, our ‘Defense in Depth’ strategy tackles security concerns at every layer of the stack, from our perimeter down to individual devices, and people too. As a security team, we have established a number of risk management and training programs to help us avoid any sleepless nights. Email security is a critically important part of this mix. As technologists, we have to make sure that all our communications channels allow business to function without any hindrance. If people don’t have a seamless experience in an enterprise, that actually raises the likelihood of people trying to evade those systems by, for instance, sending an email to their personal address so they can work on something at home. They’re not trying to be malicious, but they are putting data at risk. That’s why when we’re thinking about bringing in a new security tool, we take into account not only how robust the product is but how it impacts the team’s work. Ease of use is incredibly important to us, and that’s actually what Tessian does very well.

How does Tessian make it easier for you to learn about and act on potentially risky behaviors?

It was really important to us that Tessian would improve our knowledge as a security team. The market for security products is incredibly saturated, and not every product is able to offer a rich level of detail to its administrators. Not only did Tessian give us valuable historical analysis, working retroactively, it was very easy to start using it. Out of all the security products we’ve invested in, Tessian has had the lowest amount of up-front work to do to get set up. This meant we could get started analyzing the results straight away. We are now able to have a better dialogue with legal professionals and other end users, because rather than just being blocked from doing certain things, people know why an action could be problematic thanks to the insights Tessian displays within the email client.

So do tech products like Tessian help you drive cultural change within the firm?

Implementing change is only easy when it’s a team effort. When I’m making a business case for why a tool will help the firm, having productive discussions around the business – not just with the management team – is paramount. You can’t drive real cultural change with just a couple of people: it doesn’t happen overnight. In general, when we’re implementing a new piece of technology, the fewer complaints we get the better, and we haven’t had a single complaint or unhappy query about Tessian. In the long run, this makes it easier for me to bring the next security project to the board and justify investment, which makes my job easier.

Finally, looking a few years ahead, where would you like to see the legal sector progress?

I think the legal sector is in a really interesting period as far as technology is concerned. Every time I go to a conference there are new and innovative solutions targeted at helping law firms succeed. At the same time, the business of law firms is changing. We have to evolve at the same pace as other industries, moving with the times. We’re seeing big shifts towards agile and remote working, for instance. How are legal security teams going to deal with this new dynamic, securing client data while giving professionals more flexible ways to get work done? For us, investments in products like Tessian are a great example of how much the firm values technological innovation.

*Interview condensed from Modern Law Magazine supplement, May 2019.
Interviews With CISOs
Tessian Spotlight: Duncan Eadie, IT Director at Charles Russell Speechlys
Thursday, July 4th, 2019
Duncan Eadie, IT Director at Charles Russell Speechlys, speaks about the risks law firms face from cyberattacks, and the importance of embracing technological innovation.

What were some of the main threats in cybersecurity when you first moved into the sector?

The first computer virus I was aware of was distributed in 1988, and in my first job we had a lunchtime session discussing it! We then had to contend with viruses distributed via floppy disk, which demonstrates just how far the industry has come. At that time, people breaking into computer systems was almost done for fun; now, cyber crime is a major global industry in its own right. Lawyers and clients alike are now all aware of the consequences of handling data inappropriately. Today, we expect security from every organisation we deal with, not only as professionals but also in our personal lives.

Does security permeate all aspects of your role, or is it effectively treated almost as its own business unit?

My role is essentially to design and deliver Charles Russell Speechlys’ IT strategy. That means overseeing the development of products and services, and then successfully introducing these across the business. Within the IT department, I’d say that security has had to become more of a specialist requirement in recent years, partly because criminals and tactics are becoming more sophisticated. This vertical knowledge has to be supported by core tools that help us do this more specialized work.

What are some of the challenges around driving change in a business like Charles Russell Speechlys?

In some ways it depends on the change you’re introducing. When we introduce products like Tessian, which doesn’t necessitate huge change to working practices and which doesn’t require lots of training, you can feel people embracing the change in a different way. From a people perspective, the principal security challenge is really to make sure that everyone around the organization is vigilant, whether you’re a lawyer, a secretary, a software engineer or a marketing professional. In a broader sense, the entire legal industry is feeling that there’s a significant shift happening right now. This isn’t at the individual or firm level, it’s impacting the whole sector. Firms have to decide at what point they want to catch that wave of change. For forward-thinking law firms, this is a fantastic opportunity to build on the heritage of the past and embrace the opportunities of the future, something that’s in the DNA of Charles Russell Speechlys.

So why is this technological shift happening now, and what are the knock-on effects for security?

I think there is some frustration on the part of clients that the legal sector isn’t changing and evolving at the same speed as other industries. Changing customer demographics are beginning to disrupt the legal market in the same way as many other industries. In general, customers are more willing to challenge the professions and really engage with their service providers, and that means law firms need to offer a modern experience for clients. Regulatory changes are also impacting these strategic decisions. We’re now seeing more punitive penalties for breaches of regulation, and that affects the way firms might think about the risks of expanding into a new practice area, for instance. All of this has consequences for security.

What do you wish the average lawyer knew about cybersecurity?

That if their cybersecurity knowledge is not up to scratch, their firm’s reputation could be damaged very quickly. We’re talking about a relatively small investment in time to focus on cybersecurity best practices. In the long run, this could protect a reputation which has been built up over decades. It only takes a moment to potentially destroy all that.

And what would you say to a technologist or security professional thinking about a career in the legal sector? What advice do you have that would help them make an impact?

Too often in the industry, making something more ‘secure’ results in making it harder to interact with. Technologists coming into the sector should empathise with legal professionals and realise that people don’t want barriers, however difficult that might be to incorporate into products. If people build products that combine security with ease of use, you’re onto a winner, and that’s actually what Tessian has done. The other thing for IT specialists to remember is that much of a law firm’s business still stems from its reputation. Reputation can be a very fragile entity, but it’s also why law firms will survive over the long term. Protecting reputation is absolutely key. So much important work carried out by lawyers is based on their firm’s and their own reputation. When people or businesses are in extremely sensitive situations, facing very difficult decisions, they don’t want an app, they want to talk to someone whose advice they trust. In this environment, our duty is to preserve and enable this intimate communication as best as we can with the support of technology, while balancing this need with best-in-class security practices.

How is Tessian helping Charles Russell Speechlys tackle threats and manage email security?

Well, the channel that generates the highest number of complaints to the ICO every year is email. Firms can easily send hundreds of thousands of emails every month: when businesses have that volume of communication, you don’t have to be wrong very often for it to really matter. Misdirecting an email isn’t something someone does intentionally, and I’m sure that your readers have all experienced sending an email to the wrong person at some point. With Tessian, we don’t encounter pushback from within the organisation, so it’s a great way to deliver meaningful change in the firm. Tessian proves that modern technology can support our lawyers and help protect their relationships with clients.

*Interview condensed from Modern Law Magazine supplement, May 2019.