7 Examples of Ransomware Attacks
Thursday, July 15th, 2021
The ransomware crisis is getting out of control. With recent attacks on critical infrastructure, supply chain IT companies, and hospitals, the world is waking up to how serious this type of cyberattack can be. IT leaders understand that ransomware is preventable, and they know how to protect against it. But still, increasingly many businesses are finding their computers locked, their files encrypted, or their customers’ personal data stolen. From the widespread chaos caused by 2017’s WannaCry attack to the recent REvil supply chain infection affecting up to 1,500 organizations, these seven ransomware examples will help you understand what you’re up against. Want to learn more about what ransomware is and how it’s delivered? Check out this article instead.

2017 WannaCry attack: The world’s first taste of how bad ransomware can get

Let’s start with an attack from several years ago, before “ransomware” was a household name, that shocked the world into taking cybersecurity more seriously. The incident started in May 2017, when the WannaCry ransomware appeared on a first infected computer. Within a day, users of over 230,000 computers worldwide found that their files had been encrypted, and that they could only retrieve their data by making a Bitcoin payment to the attackers.

How could WannaCry infect so many computers? The original infection was initially believed to have resulted from a phishing email, but researchers later concluded that the ransomware took hold via an internet-exposed, vulnerable SMB port. From there, the infection spread on its own, worm-style, to other computers that had not installed a recent Microsoft security update: it used an exploit called EternalBlue (developed by the U.S. National Security Agency and leaked online before the attack) against a flaw in Windows’ SMBv1 implementation. Contrary to many early reports, this was not a zero-day. Microsoft had patched the flaw in March 2017 (MS17-010), two months before WannaCry struck, and the machines that fell were the ones still missing that update. The lesson is that an unpatched, internet-facing file-sharing port plus a self-propagating exploit is all it takes to reach hundreds of thousands of hosts in a day.

WannaCry caused chaos across multiple sectors in more than 150 countries. The U.K.’s National Health Service (NHS) was particularly badly affected; hospitals even had to cancel operations due to the disarray caused by the attack.
The actual ransom payments, between $300 and $600 each, added up to a meager $130,634. But estimates of the overall costs associated with the attack range between hundreds of millions and billions of dollars.

Colonial Pipeline attack: ransomware affects critical infrastructure

On May 6, 2021, the DarkSide ransomware gang hit the Colonial Pipeline Company, which operates the largest refined-products pipeline in the U.S., causing chaos at gas stations across the country and netting millions of dollars in the process. Investigators later traced the intrusion to a single compromised password for a legacy VPN account that was still active and was not protected by multi-factor authentication; the password had reportedly surfaced in a batch of leaked credentials on the dark web. The cybercriminals targeted Colonial Pipeline’s IT systems, stealing nearly 100 gigabytes of data and impacting the company’s billing operations, but not the operational technology that actually moves fuel through the pipeline. Nonetheless, the company halted pipeline operations for the duration of the incident as a precaution, sparking fuel shortages and panic-buying throughout parts of the southern U.S. and prompting the U.S. Department of Transportation to issue a regional emergency declaration. Colonial Pipeline paid the Bitcoin ransom of around $4.4 million. But the more significant impact was on wider society. Ransomware had affected the supply and cost of gas; the hackers had broken through to people’s everyday experiences.

Fake invoice leads to Ryuk ransomware infection

Wire transfer phishing, where cybercriminals commit online fraud using a fake invoice and a compromised email account, costs businesses billions each year. But in this mid-2020 case, a fake invoice led not to a fraudulent wire transfer but to a ransomware infection. An employee at a food and drink manufacturer opened a malicious Microsoft Word attachment to an email, unleashing the Emotet and TrickBot malware onto their computer.
The malware created a backdoor into the organization’s systems, allowing the cybercriminals to gain access and deploy the Ryuk ransomware. The company declined to pay the ransom in this case, but still incurred substantial costs. Over half of the organization’s systems were unusable for 48 hours, and the firm had to contract security experts to restore access.

Kaseya supply chain attack impacts 1,500 companies

The largest ransomware attack on record at the time occurred on July 2, 2021, when the REvil gang hit software company Kaseya. Organizations running Kaseya’s VSA IT management software received a malicious update, pushed through the product’s own update mechanism, that infected their computers with ransomware. Victims received a ransom note informing them that their files had been encrypted. The note said users could retrieve their files by purchasing the cybercriminals’ $45,000 decryption software, payable in cryptocurrency. The attack directly affected at least 60 firms, most of them managed service providers, and it had downstream consequences for at least 1,500 of their customers. Even a Swedish supermarket chain was forced to close its doors after its payment processing equipment malfunctioned due to the attack. A few days after the attack, a post on the cybercrime gang’s dark web page promoted a universal decryptor that could unscramble all data impacted by the attack, for the bargain price of $70 million. The Kaseya ransomware attack was reminiscent of the notorious 2020 SolarWinds attack which, while it did not involve ransomware, exposed the vulnerability of software supply chains.

UK health service warns of Avaddon phishing attacks

In April 2021, the digital arm of the U.K.’s National Health Service (NHS) put out a warning about Avaddon ransomware, a type of ransomware that can “both steal and encrypt files” in “double extortion attacks.” Avaddon typically arrives via a phishing email. The email contains a .jpeg or .zip attachment which acts as a downloader for the ransomware.
In some cases, the malware will terminate itself if it detects that you’re using a Russian keyboard layout. As mentioned, Avaddon not only encrypts your files; it can also steal and publicly leak them if you fail to pay the ransom.

What makes this double extortion method particularly harmful? Getting your important files encrypted is bad enough. You lose vital data and might need to cease operations until the situation is resolved. But having your files stolen as well puts you at a heightened risk of penalties from regulators for failing to protect people’s personal data, and good backups no longer get you out of the ransom demand.

Stolen credentials lead to $4.4 million DarkSide attack

The North American division of chemicals distributor Brenntag lost around 150 gigabytes of company data in May 2021, when the DarkSide ransomware gang deployed ransomware on the company’s systems. The cybercriminals reportedly demanded a $7.5 million ransom, which the chemicals company managed to negotiate down to $4.4 million, a sum it reportedly paid DarkSide on May 14 to prevent the compromised data from being published. So how did DarkSide get access to Brenntag’s systems? It appears the cybercrime gang (or one of its affiliates) purchased some of Brenntag’s user credentials on the dark web. Credentials are a prime target for cybercriminals and are one of the data types most commonly compromised in phishing campaigns. For more information, see What is Credential Phishing?

COVID-19 testing delayed after Irish hospitals hit by ransomware

When Irish hospitals were attacked by a ransomware gang in May 2021, patient data was put at risk, appointments were cancelled, COVID-19 testing was delayed, and the world saw once again how far cybercriminals were willing to go to make money. The hackers are believed to have targeted a zero-day vulnerability in a virtual private network (VPN) operated by the Irish Health Service Executive.
The Russian cybercrime group responsible for the attack, known as Wizard Spider, reportedly demanded a $19,999,000 ransom. After the Irish prime minister publicly declared that the country would not be paying the ransom, the healthcare system was forced to resort to keeping records on paper until the situation was resolved.
What is Ransomware? How is Ransomware Delivered?
Thursday, July 15th, 2021
Ransomware is a widespread, serious threat. So far in 2021, we’ve seen ransomware attacks on hospitals, gas pipeline operators, and software firms supplying thousands of businesses. And the situation is getting worse. Research suggests that the average cost of recovering from a ransomware attack more than doubled in the past year, rising from $761,106 in 2020 to $1.85 million in 2021, and that the global total cost of ransomware could exceed $265 billion per year by 2031. This article will explain what ransomware is and how ransomware spreads. We’ll then analyze a recent ransomware attack to help you understand how this serious form of cybercrime works.

Types of ransomware attack

There are two main types of ransomware attacks. Both involve getting a malicious program to run on the victim’s systems. In the first type of ransomware attack, the malicious program encrypts the victim’s files, rendering them unreadable and unusable. To decrypt their files, the victim must pay a ransom, or else they’ll never be able to access them again. In the second type of ransomware attack, the malicious program transfers the victim’s files to the attacker. In this type of attack, the victim must pay a ransom to prevent their files from being published on the open web. Most current ransomware gangs combine the two (“double extortion”): they steal the data first and then encrypt it, so that even a victim with good backups still faces a leak. Either type of ransomware attack is avoidable. But ransomware can be devastating for any business, leading to extortion, recovery, and mitigation costs, not to mention a loss of your company’s time and reputation.

How is ransomware delivered?

For a ransomware attack to succeed, the threat actor must find a way to get the malicious ransomware program onto their target’s device. Let’s take a look at three key ways of achieving this.

Social engineering attacks

Social engineering attacks, such as phishing, spear phishing, or Business Email Compromise (BEC), are normally cited as the leading cause of ransomware infection.
In a typical social engineering attack, the target receives a malicious email encouraging them to click a download link or open an attachment. While the email may look trustworthy, it carries a payload: either the ransomware itself or, more often, a first-stage loader (a macro-laden document, for example) that fetches it. The notorious “Ryuk” strain of ransomware spreads mostly via social engineering attacks. Security experts estimate that the Ryuk ransomware has earned cybercriminals over $150 million in ransom payments from companies worldwide.

Remote Desktop Protocol

Remote Desktop Protocol (RDP) lets a user, or anyone holding that user’s credentials, log on to a Windows machine’s desktop over the network. RDP has legitimate uses, including enabling IT support services to troubleshoot software issues. But once a cybercriminal has admin access to your system, they can do pretty much whatever they want, including carrying out a ransomware attack. In practice, attackers find RDP services exposed directly to the internet, then brute-force weak passwords or buy working credentials on criminal marketplaces. RDP was the root cause of several high-profile ransomware attacks, including the 2018 SamSam attack on the City of Atlanta, which cost the city millions of dollars in recovery and rebuilding. If RDP must be reachable, put it behind a VPN or gateway, require multi-factor authentication, enable Network Level Authentication, and alert on bursts of failed logons.

Drive-by website download

A drive-by download attack occurs when a person downloads and installs a malicious file, for example via a website that has requested permission to download an executable file, JavaScript file, or ActiveX component. When the victim clicks “Save” or runs the malicious download, whether due to carelessness or because they believe the file is legitimate, the ransomware installs itself and takes over their computer.

Analysis of a ransomware attack

Here’s a recent example of a ransomware attack, to help you understand how this devastating form of cybercrime works. On July 2, 2021, hours before the long Independence Day weekend started in the U.S., thousands of workers got a message on their computer screens: “Your computer has been infected!” These infected computers had recently installed an update of the IT management software Kaseya VSA, an update that had been infected with the REvil ransomware.
This type of “supply chain” attack is an increasingly common vector for malware. Here’s the ransom note that workers saw (shortly before they’d planned to go home for the holidays):
Let’s break this message down. The message informs the ransomware victim that:

Their computer has been infected and their files have been encrypted (rendered unreadable)
They must purchase specialist decryption software from the cybercriminals
If they attempt to decrypt their files themselves, the files will be permanently deleted
They must pay in a cryptocurrency called Monero (XMR)
The price is 217.29 XMR (around $45,000) if they pay within six days, after which the price will double

You might be surprised to see the level of sophistication involved in this attack. The victim is offered a “trial decryption”, “chat support”, and a guide to buying Monero. Ransomware is becoming a quasi-professional criminal industry. And note that $45,000 is actually a relatively modest ransom. But the Kaseya attack appears to have affected thousands of companies, directly and indirectly, so the cybercriminals are likely to make millions of dollars. The gang is also demanding $70 million for a “global” decryptor. Looking for more examples of ransomware? Check out this article.
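The RDP section above describes attackers brute-forcing or buying their way into exposed Remote Desktop services. Here is an added example (not Tessian’s code, and not part of the original article) of the matching detection over exported Windows Security events: it flags a source address that accumulates a threshold of failed logons inside a sliding window, and raises a higher-severity alert when a remote-interactive logon then succeeds from the same source. The records use the Windows 4625/4624 field names, but the sample batch is constructed, and the threshold and window are assumptions to tune for your environment. Note the Network Level Authentication caveat in the comments: with NLA enabled, RDP password failures are logged as logon type 3, not 10, so a rule keyed only on type 10 misses them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values: a burst of this many failures from one source inside the window.
WINDOW = timedelta(minutes=10)
THRESHOLD = 20
# 4625 failure logon types that RDP produces. With Network Level Authentication (NLA) on,
# the password check happens before a session exists and fails as type 3 (Network);
# without NLA it fails as type 10 (RemoteInteractive). Watching only type 10 misses NLA hosts.
RDP_FAILURE_TYPES = {3, 10}
# 4624 success types for a live RDP session: 10 = new RemoteInteractive, 7 = unlock/reconnect.
RDP_SUCCESS_TYPES = {10, 7}


def detect(events):
    """Scan exported Security-log events (dicts with 4624/4625 fields) for RDP brute force.

    Returns a list of alerts:
      ("rdp_bruteforce", source_ip, time_of_threshold_crossing)
      ("rdp_bruteforce_success", source_ip, account) when a remote-interactive logon
      succeeds from a source that reached the threshold inside the window.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # source ip -> timestamps of failures in the window
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        t = datetime.fromisoformat(ev["TimeCreated"])
        src = ev["IpAddress"]
        window = recent_failures[src]
        while window and t - window[0] > WINDOW:      # slide the window forward
            window.popleft()
        if ev["EventID"] == 4625 and ev["LogonType"] in RDP_FAILURE_TYPES:
            window.append(t)
            if len(window) >= THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("rdp_bruteforce", src, t.isoformat()))
        elif ev["EventID"] == 4624 and ev["LogonType"] in RDP_SUCCESS_TYPES:
            if len(window) >= THRESHOLD:
                alerts.append(("rdp_bruteforce_success", src, ev["TargetUserName"]))
    return alerts


def synthetic_events():
    """Constructed sample batch in the shape of exported 4624/4625 events (not real log data)."""
    base = datetime(2021, 5, 6, 2, 14, 0)
    events = []

    def add(offset_s, event_id, logon_type, user, src):
        events.append({"TimeCreated": (base + timedelta(seconds=offset_s)).isoformat(),
                       "EventID": event_id, "LogonType": logon_type,
                       "TargetUserName": user, "IpAddress": src})

    attacker = "203.0.113.7"
    for i in range(25):   # password spray against an NLA-protected host: failures arrive as type 3
        add(i, 4625, 3, ("administrator", "admin", "svc_backup")[i % 3], attacker)
    add(30, 4624, 10, "svc_backup", attacker)    # a guess worked and a desktop session opened
    add(60, 4625, 10, "alice", "198.51.100.5")   # a real user mistyping twice, then getting in
    add(65, 4625, 10, "alice", "198.51.100.5")
    add(70, 4624, 10, "alice", "198.51.100.5")
    return events


if __name__ == "__main__":
    for alert in detect(synthetic_events()):
        print(*alert)
```

Feed it the output of a Security-log export (for example `Get-WinEvent` serialised to JSON, or your SIEM’s search results) and treat `rdp_bruteforce_success` as an incident, not a ticket: a working password obtained by spraying is exactly the foothold the SamSam and DarkSide cases above started from.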
What is Business Email Compromise (BEC)? How Does it Work?
Tuesday, July 13th, 2021
In this article, we’ll look at why cybercriminals use BEC, how it works, and why it remains a serious problem. Looking for examples of BEC attacks or information about how to prevent business email compromise instead? Check out these pages:

How to overcome this multi-billion dollar threat
Real-world examples of Business Email Compromise

Why compromise a business email account?

BEC is a tried-and-tested cyberattack method that costs consumers and businesses billions every year. So what makes BEC such a prevalent cybercrime technique? Simply put: cybercriminals use BEC as a way to make social engineering attacks more effective. A social engineering attack is any form of cybercrime involving impersonation. The attacker pretends to be a trusted person so that the target does what they’re told. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), BEC is the second-most common type of social engineering attack. Here are some examples of social engineering attacks that can involve BEC:

Phishing: A social engineering attack conducted via email (smishing and vishing are social engineering attacks conducted via SMS and voice respectively)
CEO fraud: A phishing attack where the attacker impersonates a company executive
Whaling: A phishing attack targeting a corporate executive
Wire transfer fraud: A phishing attack where the attacker persuades the target to transfer money to their account

All these social engineering attacks involve some sort of impersonation. Fraudsters use every tool available to make their impersonation more convincing. And one of the best tools available is a genuine, or genuine-looking, business email address. BEC attacks target both individuals and businesses, and the attacker will (generally) use BEC to gain access to one of the following:

Money: According to Verizon’s 2021 Data Breach Investigations Report, the vast majority of cyberattacks are financially motivated.
Account credentials: A fraudulent email might contain a phishing link leading to a fake account login page. The FBI warns that this BEC variant is on the rise.
Gift certificates: BEC attackers can persuade their target to purchase gift certificates rather than transferring them money. The FTC put out a warning about this increasingly common type of scam in May 2021.

Now you know why cybercriminals launch BEC attacks, we’re going to look at how they do it.

How does BEC work?

There are various competing definitions of BEC, so before we explain the process, let’s clarify what we mean when we use this term. A BEC attack is any phishing attack where the target believes they have received an email from a genuine business. As noted by Verizon, “BEC doesn’t even have to compromise a business email address. Your.CEO@davesmailservice.com comes up all too often in our dataset.” There are several methods that a cybercriminal can use to achieve this, including:

Email impersonation
Email spoofing
Email account takeover

Let’s look at each of these techniques.

Email impersonation is where the attacker sets up an email account that looks like a business email account. Here’s an example:
In this case, we can imagine Leon Green really is Tess’s boss and that an invoice for Amazon really is due to be paid. This information is easy enough to find online. But note that the sender’s email address is “leon.green@micrott.com”. If you look carefully, you’ll see that “Microsoft” is misspelled. Many people miss small details like this. Worse still, mobile email clients typically show only the sender’s display name and hide the address, so on a phone the misspelling is never seen at all.
Email spoofing is where the attacker forges an email’s envelope sender and/or its From header so that the message appears to come from a domain the attacker does not control. The receiving mail server thinks the email came from a corporate domain and the recipient’s email client displays the false sender information. SPF, DKIM and DMARC exist to catch exactly this, but they only help if the impersonated domain publishes them (with a DMARC policy of quarantine or reject) and the receiving server enforces them. You can read more about email spoofing, and see an example of a spoofed email header, in this article: What is Email Spoofing? How Does Email Spoofing Work?

In account takeover (ATO), the attacker gains access to a corporate email account, whether via hacking or by using stolen account credentials. They gather information about the user’s contacts, email style, and personal data, then they use the account to send a phishing email. Because the mail really does come from the legitimate account and passes every authentication check, ATO is the hardest of the three to detect from headers alone; behavioural signals (new forwarding rules, unusual login locations, a changed tone or an unexpected payment request) are what give it away.
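To make the first two techniques concrete, here is an added example (not Tessian’s code, and not from the original article) of the header checks a mail gateway rule or a SOC triage script can run against a raw message. It assumes a short list of trusted domains and protected display names (microsoft.com, abcbank.com and “Leon Green” here, standing in for your own), and uses a normalised edit-distance score to catch lookalike domains such as micrott.com, which a list of one-character typos would miss. The sample messages are constructed. Account takeover, the third technique, passes every one of these checks by design, which is the point made above.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the domains you treat as your own or as trusted
# partners, and the display names attackers are most likely to imitate.
TRUSTED_DOMAINS = {"microsoft.com", "abcbank.com"}
PROTECTED_NAMES = {"leon green"}
SIMILARITY_THRESHOLD = 0.75          # tune: lower catches more, at the cost of false positives
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, falling towards 0.0 as more edits are needed."""
    return 1.0 - levenshtein(a, b) / max(len(a), len(b), 1)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if not domain or domain in trusted:
        return None
    best = max(trusted, key=lambda t: similarity(domain, t))
    return best if similarity(domain, best) >= SIMILARITY_THRESHOLD else None


def analyze(raw_message: str):
    """Return a list of (finding_code, detail) for impersonation/spoofing signals in one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # Email impersonation: a registered lookalike domain, or a protected name on an outside address.
    target = lookalike_of(from_domain)
    if target:
        findings.append(("lookalike_domain", f"{from_domain} resembles {target}"))
    if display_name.strip().lower() in PROTECTED_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(("protected_name_external", f"'{display_name}' sent from {from_domain}"))

    # Reply diversion: From looks right, but replies go elsewhere.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_to}"))

    # Email spoofing: the envelope sender (Return-Path) disagrees with the From header, or the
    # receiving server recorded an SPF/DKIM/DMARC failure. Legitimate bulk senders also produce
    # envelope mismatches, so treat that one as a signal to weigh, not a verdict.
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    if envelope and domain_of(envelope) != from_domain:
        findings.append(("envelope_mismatch", f"envelope sender {envelope}"))
    auth_results = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth_results, re.IGNORECASE)
        if m and m.group(1).lower() in AUTH_FAILURES:
            findings.append((f"{mech}_{m.group(1).lower()}", auth_results.strip()))
    return findings


def _raw(headers, body="Hi Tess, please pay the attached Amazon invoice today. Leon"):
    """Build a constructed RFC 5322 message from (name, value) header pairs (sample data, not real mail)."""
    return "\n".join(f"{k}: {v}" for k, v in headers) + "\n\n" + body


# Constructed samples, one per technique discussed above.
LOOKALIKE = _raw([("From", "Leon Green <leon.green@micrott.com>"), ("To", "tess@abcbank.com"),
                  ("Subject", "Amazon invoice")])
SPOOFED = _raw([("Return-Path", "<bounce@davesmailservice.com>"),
                ("Authentication-Results", "mx.abcbank.com; spf=fail smtp.mailfrom=davesmailservice.com; "
                                           "dkim=none; dmarc=fail header.from=microsoft.com"),
                ("From", "Leon Green <leon.green@microsoft.com>"), ("To", "tess@abcbank.com"),
                ("Subject", "Amazon invoice")])
REPLY_DIVERTED = _raw([("From", "Leon Green <leon.green@microsoft.com>"),
                       ("Reply-To", "leon.green@gmail.com"), ("To", "tess@abcbank.com"),
                       ("Subject", "Amazon invoice")])
LEGITIMATE = _raw([("Return-Path", "<leon.green@microsoft.com>"),
                   ("Authentication-Results", "mx.abcbank.com; spf=pass smtp.mailfrom=microsoft.com; "
                                              "dkim=pass header.d=microsoft.com; dmarc=pass"),
                   ("From", "Leon Green <leon.green@microsoft.com>"), ("To", "tess@abcbank.com"),
                   ("Subject", "Amazon invoice")])

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("spoofed", SPOOFED),
                       ("reply-diverted", REPLY_DIVERTED), ("legitimate", LEGITIMATE)]:
        print(label, analyze(raw) or "no findings")
```

The similarity threshold is the knob to watch: 0.75 is enough to pair micrott.com with microsoft.com and abdbank.com with abcbank.com, but on very short brand names a single edit already falls below it, so short domains are better protected by registering their variants outright.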
Application impersonation

In recent years, there’s been a rise in the number of scams that use “application impersonation”. In an application impersonation attack, the target receives an email that appears to be an automated notification sent via a workplace application, such as Zoom, Office 365, or Gmail. Here’s an example: a phishing email masquerading as a notification from Microsoft Teams, which was detected and prevented by Tessian Defender:
Clicking the link will take the user to a sign-in page which will harvest their login credentials. Impersonation of automated business emails is an increasingly common threat. Research from GreatHorn suggests that business-related applications accounted for around 45% of impersonation-related attacks in early 2021.

How serious is BEC?

We know BEC is a common cyberattack method. But how many businesses are affected, and how badly? Because many BEC attacks go unnoticed, and because different organizations use different definitions of BEC, there’s no simple answer. So what do we know about the prevalence of BEC? The best source of cybercrime statistics is the FBI’s Internet Crime Complaint Center (IC3), which reports that:

Between 2016 and 2020, the IC3 recorded 185,718 BEC incidents worldwide, resulting in losses totaling over $28 billion.
In 2020, losses from BEC exceeded $1.8 billion, a fourfold increase since 2016.
The number of BEC incidents went up by 61% between 2016 and 2020.

Next steps

We’ve looked at the different types of BEC, how a BEC attack works, and how serious and pervasive this form of cybercrime has become. Next, let’s look at examples of BEC attacks. This will help you learn from the experiences of other organizations. Or you can learn how Tessian prevents BEC attacks here.
The Ultimate Guide to Human Layer Security
By Tim Sadler
Thursday, July 8th, 2021
There’s a big problem in cybersecurity. Despite stricter data compliance standards, incredible technological innovation, and more investment from businesses, data breaches are at an all-time high. In fact, businesses are at risk of insider and outsider threats, with a reported 67% increase in the volume of security breaches over the past five years. Why is this happening? Because, historically, security solutions have focused on securing the machine layer of an organization: networks, endpoints and devices. But the majority of these solutions provide blunt protection, rely on retroactive threat detection and remediation, and don’t protect a business’s most important asset: its employees. So, when you can get a firewall to protect your network, and EDR to protect your devices, what do you get to protect your people? Human Layer Security.
What is Human Layer Security?
Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. We created this category over four years ago, and it’s been the thesis for both our Series B fundraise and, most recently, our Series C fundraise. Today, Tessian solutions are deployed at enterprise companies across industries, detecting and preventing millions of inbound and outbound threats on email, including malicious data exfiltration attempts, accidental data loss via misdirected emails and misattached files, and spear phishing attacks.
Why do we need Human Layer Security?

Your employees now control both your systems and your data. But people make mistakes, people break the rules, and people can be deceived. 88% of data breaches are caused by human error, with AIG reporting “human errors and behavior continue to be a significant driver of cyber claims.” It makes sense. Employees can transfer millions of dollars to a bank account in a few clicks and can share thousands of patient records in an Excel file in a single email. You can read more about The Psychology of Human Error here. So, instead of expecting people to do the right thing 100% of the time, we think it’s better to preempt these errors by detecting and preventing them from happening in the first place. Each of our solutions (Tessian Enforcer, Tessian Guardian, and Tessian Defender) is uniquely positioned to do just that.

People break the rules

Whether done maliciously or accidentally, people in every organization can (and do) break the rules. Those rules can be related to anything, from a password policy to how sensitive information is stored. But what about rules related to data exfiltration? Oftentimes, employees are blissfully unaware. They’re not familiar with the policies themselves or the consequences of poor data handling. So, they think nothing of emailing company information to their personal email account to print at home, for example. But not all employees are well-intentioned. Case in point: in late 2019, an employee at a cybersecurity and defense company sold 68,000 customer records to scammers. This isn’t an isolated incident. According to one report, 45% of employees say they’ve taken work-related documents with them after leaving or being dismissed from a job and, according to another, more than half of UK employees admitted to stealing corporate data. A quarter of those would be willing to do so for less than £1,000. Tessian Enforcer prevents data exfiltration attempts, both malicious and negligent.
Looking for more real-world examples of malicious and negligent insiders? Read this article.
People make mistakes

From a simple typo to a misconfigured firewall, mistakes are inevitable at work. To err is human! In fact, 43% of employees say they’ve made a mistake at work that compromised cybersecurity. Unfortunately, though, the consequences of these mistakes can be severe. Imagine an employee sends a misdirected email. Penalties and fines could be incurred, customer trust could plummet, and reputational damage could be long-lasting. And those are just the consequences to the larger organization. Individuals will likely suffer, too. We all know the sinking feeling of making a mistake. But misdirected emails cause employees more than red-faced embarrassment and anxiety. These accidents put people at risk of losing their jobs. Tessian Guardian detects and prevents misdirected emails and misattached files so that the right email and the right files are always shared with the right person.
People can be deceived

Businesses of all sizes and across industries work with a web of suppliers, contractors, and customers. And most use email to communicate. That means it’s easy for hackers to impersonate internal and external contacts. Business Email Compromise (BEC) attacks increased by over 100% in the last two years. Worse still, the odds are against businesses and their employees. While a hacker only has to get it right once, we are expected to get it right every time. So, what happens if one employee is successfully tricked one time by a spear phishing email and wires money, shares credentials, or otherwise helps a hacker gain access to your network? The average breach costs organizations $3.92 million. But these costs can be avoided with technology like Tessian Defender that detects and prevents advanced impersonation attacks.
Why focus on email?

At Tessian, our mission is to secure the human layer. And we know that to be truly effective, Human Layer Security must protect people whenever and however they handle data. But we’re starting with email. It’s the most popular (we spend 40% of our time on it) and riskiest (most breaches happen here) communication channel. It’s also the threat vector IT leaders are most worried about.
You’re probably wondering how Tessian compares to other solutions and how our technology would fit in your larger security framework. We’ll tell you.

Tessian vs. Rule-Based Technology

Traditional email security solutions are blunt instruments that tend to be disruptive for employees and admin-intensive for security teams who have to continuously create and maintain thousands of rules. Don’t believe us? 85% of IT leaders say rule-based DLP is admin-intensive and over half of employees say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job. The fact is, manually classifying emails, tagging emails sent to external contacts, encryption, and pesky pop-ups are roadblocks that slow the pace of business and create friction between security teams and other departments. Worse still, these older technologies just can’t be configured to adequately defend against all the ways people make mistakes or cut corners on email. Tessian is automated. No rule-writing, manual investigation, or configuration required.

Tessian vs. Training

Training is a necessary part of every security strategy. But the majority of employees aren’t trained frequently enough and lessons don’t always stick. Employees also tend to struggle applying what they’ve learned in training to real-world situations. But we can’t blame employees. The average person isn’t a security expert and hackers are crafting more and more sophisticated attacks. It’s hard for even the most security-conscious among us to keep up. That’s why security leaders need to invest in technology that bolsters training and reinforces policies and procedures. That way, employees can improve their security reflexes over time. That’s where Human Layer Security comes in. Tessian warnings act as in-the-moment training for employees. And, because Tessian only flags 1 in 1,000 emails on average, when a pop-up does appear, employees pay attention.
Learn more about why security awareness training (SAT) alone isn’t effective enough in this article: SAT is Dead. Long Live SAT.
Tessian Human Layer Security technology

Tessian deploys within minutes, learns within hours, and starts protecting in a day. Human Layer Security works by understanding and adapting to human behavior. Our machine learning algorithms analyze historical email data and build a unique security identity for every employee based on relationships and communication patterns. The best part is: these ML models get smarter and better over time as more data is ingested. This helps the technology establish what normal (and abnormal) looks like and allows Tessian to automatically predict and prevent security breaches on email across devices. For every inbound and outbound email, our ML algorithms analyze millions of data points, including:

Relationship history: Analyzing past and real-time email data, Tessian has a historical view on all email communications and relationships. For example, we can determine in real time if the wrong recipient has been included on an outbound email; if a sensitive attachment is being sent to a personal, non-business email account; or if an inbound email with a legitimate-looking domain is a spoof.
Content and context: Using natural language processing to analyze historical email data, Tessian understands how people normally communicate on email and what topics they normally discuss. That way, our solutions can automatically detect anomalies in subject matter (e.g. project names) or sentiment (e.g. urgency), which might indicate a threat.

Best of all, all of this analysis happens silently in the background and employees won’t know it’s there until they need it. Tessian stops threats, not business or workflow. And, with Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture with granular visibility into employee risk and insights into individual user risk levels and drivers.
This is the only solution that offers protection, training, and risk analytics all in one platform, giving security and compliance leaders a clear picture of your organization’s risk and the tools needed to reduce that risk. First, you protected your networks. Then, you protected your devices. Now, you can protect your people with Tessian’s Human Layer Security.
CEO Fraud Prevention: 3 Effective Solutions
Thursday, July 8th, 2021
CEO fraud is a type of cybercrime in which the attacker impersonates a CEO or other company executive. The fraudster will most often use the CEO’s email account, or an email address that looks very similar to the CEO’s, to trick an employee into transferring them money. That means that, like other types of Business Email Compromise (BEC), CEO fraud attacks are very difficult for employees and legacy solutions like SEGs to spot. But there are still ways to prevent successful CEO fraud attacks. The key? Take a more holistic approach by combining training, policies, and technology. If you want to learn more about BEC before diving into CEO fraud, you can check out this article: Business Email Compromise: What it is and How it Happens. You can also get an introduction to CEO Fraud in this article: What is CEO Fraud?

1. Raise employee awareness

Security is everyone’s responsibility. That means everyone, regardless of department or role, must understand what CEO fraud looks like. Using real-world examples to point out common red flags can help.
It’s important to point out the lack of spelling errors. Poor spelling and grammar can be a phishing indicator, but it is increasingly rare in today’s more sophisticated cybercrime environment. Also, notice the personal touches: Sam’s familiar tone, his references to Kat working from home, and his casual email sign-off. Fraudsters go to great efforts to research their subjects and their targets, whether via hacking or simply using publicly available information. These persuasive elements aside, can you spot the red flags? Let’s break them down:

The sender’s email address: The domain name is “abdbank.com” (which looks strikingly similar to abcbank.com, especially on mobile). Domain impersonation is a common tactic for CEO fraudsters.
The sense of urgency: The subject line, the ongoing meeting, the late invoice. Creating a sense of urgency is near-universal in social engineering attacks. Panicked people make poor decisions.
The authoritative tone: “Please pay immediately”. There’s a reason cybercriminals impersonate CEOs: they’re powerful, and people tend to do what they say.
Playing on the target’s trust: “I’m counting on you”. Everyone wants to be chosen to do the boss a favor.
Westinghouse’s “new account details”: CEO fraud normally involves “wire transfer phishing”; this new account is controlled by the cybercriminals.

Your cybersecurity staff training program should educate employees on how to recognize CEO fraud, and what to do if they detect it:

Check the sender’s email address for discrepancies. This is a dead giveaway of email impersonation. But remember that corporate email addresses can also be hacked or spoofed.
Feeling pressured? Take a moment. Is this really something the CEO is likely to request so urgently?
New account details? Always verify the payment through a channel other than email, such as a phone call to a number you already have on file (not one taken from the email). Don’t pay an invoice unless you know the money’s going to the right place.

Looking for a resource that you can share with your employees?
We put together an infographic outlining how to spot a spear phishing email. While these are important lessons for your employees, there’s only so much you can achieve via staff training. Humans are often led by emotion, and they’re not good at spotting the small giveaways that might reveal a fraudulent email. Sometimes, even security experts can’t! More on this here: Pros and Cons of Phishing Awareness Training. 
2. Implement best cybersecurity practice
Beyond staff training, every thriving company takes an all-round approach to cybersecurity that minimizes the risk of serious fallout from an attack. Here are some important security measures that will help protect your company’s assets and data from CEO fraud:
Put a system in place so employees can verify large and non-routine wire transfers, ideally by phone, using contact details held on file rather than any supplied in the email
Protect corporate email accounts and devices using multi-factor authentication (MFA)
Ensure employees use strong, unique passwords (current NIST guidance favors changing them when compromise is suspected rather than on a fixed schedule)
Buy domains that are similar to your company’s brand name to prevent domain impersonation, and publish SPF, DKIM and DMARC records for the domains you do own so that direct spoofing of your exact domain is rejected
Regularly patch all software
Closely monitor financial accounts for irregularities such as missing deposits
Deploy an email security solution
All the above points are crucial cybersecurity controls. But let’s take a closer look at that final point: email security solutions.
3. Deploy intelligent inbound email security
Because CEO fraud attacks overwhelmingly take place via email (along with 96% of all phishing attacks), installing email security software is one of the most effective steps you can take to prevent this type of cybercrime. But not just any email security solution. Legacy solutions like SEGs and spam filters, and Microsoft’s and Google’s native tools, generally can’t spot sophisticated attacks like CEO fraud. Why? Because they rely almost entirely on domain authentication and payload inspection, and a CEO fraud email sent from a correctly authenticated lookalike domain with no malicious link or attachment passes both checks. Tessian is different. Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of signals indicative of CEO fraud. Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships, both inside and outside your organization.
Tessian inspects both the content and metadata of inbound emails for signals suggestive of CEO fraud: for example, suspicious payloads, anomalous geographic locations, out-of-the-ordinary IP addresses and email clients, keywords that suggest urgency, or unusual sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.
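As an added example (not Tessian’s code, and not a description of how Defender works internally), the following Python script runs a handful of the checks discussed above over a single inbound message: a lookalike sender domain, a display name that matches an executive while the address does not, a Reply-To that differs from From, and urgency and payment language in the subject and body. The defended domain abcbank.com and the names Sam and Kat come from the article’s example; the executive directory, the word lists and both sample messages are constructed for the example.

```python
"""Heuristic CEO-fraud triage for one inbound message. Added example, not Tessian's code:
abcbank.com, Sam and Kat come from the article's example; the executive directory, word
lists and both sample messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "abcbank.com"
EXECUTIVES = {"sam": "sam@abcbank.com"}   # hypothetical: first name -> real executive address

URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|asap|right away|overdue|late)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|(?:new |bank )?account details)\b", re.I)

# Constructed message modelled on the red flags the article walks through.
SAMPLE_FRAUD = """\
From: Sam <sam@abdbank.com>
To: Kat <kat@abcbank.com>
Subject: Urgent - Westinghouse invoice

Kat, I'm stuck in a meeting all morning and the Westinghouse invoice is late.
Please pay it immediately to their new account details below. I'm counting on you.
Thanks, Sam
"""

# Constructed benign message from the real executive address.
SAMPLE_LEGIT = """\
From: Sam <sam@abcbank.com>
To: Kat <kat@abcbank.com>
Subject: Q3 deck

Kat, could you send me the Q3 board deck when you have a moment? Thanks, Sam
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, corporate: str = CORPORATE_DOMAIN, max_distance: int = 2) -> bool:
    """True for a domain a reader could mistake for the corporate one: a couple of
    characters off (abdbank.com) or embedding the brand label (abcbank.com.evil.example).
    The corporate domain itself and its real subdomains are not lookalikes."""
    domain = domain.lower()
    if domain == corporate or domain.endswith("." + corporate):
        return False
    brand = corporate.split(".")[0]
    return edit_distance(domain, corporate) <= max_distance or brand in domain


def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message for the CEO-fraud red flags discussed in the article."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []

    if lookalike_domain(domain):
        reasons.append(f"sender domain {domain} is a lookalike of {CORPORATE_DOMAIN}")
    first = display.split()[0].lower() if display else ""
    if first in EXECUTIVES and addr != EXECUTIVES[first]:
        reasons.append(f"display name '{display}' matches an executive but the address is {addr}")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From")

    body_part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body_part.get_content() if body_part else "")
    urgency, payment = URGENCY.search(text), PAYMENT.search(text)
    if urgency:
        reasons.append(f"urgency language: '{urgency.group(0)}'")
    if payment:
        reasons.append(f"payment or account-change request: '{payment.group(0)}'")

    score = len(reasons)
    if score >= 3:
        verdict = "hold: verify with the executive by phone before acting"
    elif score:
        verdict = "review"
    else:
        verdict = "no CEO-fraud signals"
    return {"from": addr, "score": score, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_FRAUD, SAMPLE_LEGIT):
        result = triage(sample)
        print(result["from"], result["score"], result["verdict"], *result["reasons"], sep="\n  ")
```

The fraud sample scores 4 and gets a hold verdict; the benign sample scores 0. Heuristics like these are cheap to put in a mail pipeline, but they illustrate the article’s point rather than replace it: a message from a compromised real mailbox has no lookalike domain and would only trip the language checks, which is why the out-of-band verification step is not optional.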
Click here to learn more about how Tessian Defender protects your team from CEO fraud and other email-based cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like CEO Fraud.
Read Blog Post
Human Layer Security
10 Cybersecurity Events & Webinars in July to Sign Up For
Wednesday, July 7th, 2021
With cybersecurity threats on the rise, it’s time to strengthen your organization’s defenses. In-person events and online webinars can help. They give security, compliance, and business professionals a chance to discuss what’s top of mind, share advice, and network. To help you learn and level-up your cyber strategy, we’ve selected ten cybersecurity events to attend throughout July. There’s something on our list for every niche—whether you’re a CISO, an infosec analyst, or just someone who wants to learn more about this crucially important discipline. With some pandemic restrictions still in place, many of our events are taking place online, but be sure to confirm this before you attend.
Hardwear.io Security Trainings and Conference: July 5-10, 2021
Register here: https://hardwear.io/usa-2021/register.php
This six-day event features in-depth training sessions on all things hardware security, including assessing and exploiting PLCs, reverse engineering integrated circuits, and attacking Secure Boot.
Who should attend? Hardware security is a pretty niche field, so you won’t want to miss this event if you’re involved in this sector—it’ll be a great opportunity to learn from your peers and get in a (virtual) room with like-minded professionals.
Confirmed speakers: Yongdae Kim, Professor in the Department of Electrical Engineering at KAIST; Colin O’Flynn, CTO, NewAE Technology Inc.; Mathieu Stephan, Electronics Engineer, ViaSat Inc.
The Official Cyber Security Summit, St. Louis/Oklahoma City (Online): July 7, 2021
Register here: https://cybersecuritysummit.com/summits/
Having run for nearly 30 years, this conference has earned the right to call itself The Official Cyber Security Summit. With sessions on insider threats, the future of cloud security, and the rise of ransomware, this event is a great way to learn from and engage with infosec leaders.
Who should attend? The Official Cyber Security Summit is a great place for CISOs and other security professionals looking for an eclectic program to help them develop their knowledge and careers—and earn eight CPE credits in the process.
Confirmed speakers: Deron McElroy, Chief of Cybersecurity Services, Cybersecurity and Infrastructure Security Agency, US DHS; Quinn Carman, Director of Operations, NSA Red Team.
Richmond Cyber Security Forum: July 7, 2021
Register here: https://www.richmondevents.com/
The Richmond Cyber Security Forum offers a mix of keynotes, workshops, and personal development sessions. You’ll get to meet and mingle with peers, and secure some face-to-face time with the U.K.’s cybersecurity industry leaders.
Who should attend? There are two main reasons to attend this event: as a delegate—to exchange ideas with like-minded security professionals in an informal setting, or as a supplier—to gain access to 100 senior decision-makers in the cyber sector.
Confirmed speakers: The conference agenda is available on request. Previous speakers include Sophie Hackford, Co-Founder, 1715 Labs; Jamie Woodruff, Ethical Hacker; David Rowan, former Editor, Wired UK.
IAPP Asia Privacy Forum: July 12, 2021
Register here: https://iapp.org/conference/iapp-asia-privacy-forum/
The International Association of Privacy Professionals (IAPP) is the best-respected industry accreditation body for privacy—and they sure know how to put on a great conference. This IAPP event will consider how privacy regulation is developing in Asia in terms of consumer rights, privacy-enhancing tech, data management, and more.
Who should attend? If your company operates in Asia, then your Data Protection Officers, privacy counsels, and any other privacy or security-focused professionals will benefit from attending this event—to keep abreast of the latest regulatory developments in the region.
Confirmed speakers: Tan Kiat How, Commissioner, Personal Data Protection Commission of Singapore; Raymund Liboro, Chairman and Commissioner, Philippines National Privacy Commission; Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong, China.
ISMG Virtual Cybersecurity Summit: Government: July 13-14, 2021
Register here: https://www.ismgcorp.com/ismg-summit/registration
Recent high-profile cyberattacks on public agencies and critical infrastructure have sharpened governments’ focus on cybersecurity. Information Security Media Group (ISMG)’s conference provides insights from the people responsible for driving public policy and decision-making.
Who should attend? Most sessions at the ISMG Virtual Cybersecurity Summit: Government focus on the role of the CISO. This event is an opportunity for security leaders in your organization to gain insight into the upcoming changes and challenges that might arise from government intervention in cybersecurity.
Confirmed speakers: Brandon Wales, Acting Director, Cybersecurity and Infrastructure Security Agency (CISA); Jim Weaver, Secretary for Information Technology/State CIO, State of North Carolina; Dave Lewis, Global Advisory CISO, Duo Security at Cisco.
Infosecurity Europe: July 13-15, 2021
Register here: https://rfg.circdata.com/publish/InfoSec2021/simplereg.aspx
Infosecurity Europe is the meeting place for infosec’s “finest minds”, with a great range of sessions from a truly impressive line-up. The conference will feature panels on building security-awareness culture, mitigating the risk of insider threats, developing a “human-centric” approach to cybersecurity, and more.
Who should attend? Infosecurity Europe will cover everything from basic security principles to advanced practice, so CISOs and IT leaders should not miss this event—and should make sure anyone in their organization with a stake in cybersecurity attends with them.
Confirmed speakers: Mikko Hypponen, Researcher, F-Secure; Dr. Kevin Jones, Global CISO, Airbus; Dr. Victoria Baines, Visiting Research Fellow, University of Oxford.
p.s., we’ll be there! More information about our speaking slot and (virtual) booth coming soon.
Policing Cybercrime Digital Conference: July 16, 2021
Register here: https://westminsterinsight.com/booking/3632
Nearly half of all crime in England and Wales is committed online. The Policing Cybercrime conference brings together cybercrime experts to explore how law enforcement and other stakeholders can respond to online threats.
Who should attend? Attend the Policing Cybercrime Digital Conference if you want to understand how society is responding to the cybercrime epidemic—whether you’re involved in law enforcement, government, the justice system, private industry, international organizations, or academia.
Confirmed speakers: Stuart Hyde QPM, Vice President Development, Society for the Policing of Cyberspace; Virginia Eyre, Deputy Director Cyber Policy, Home Office; Nigel Leary, T/Deputy Director, National Cyber Crime Unit, National Crime Agency.
International Conference on Networks and Communications (NCO 2021): July 24-25, 2021
Register here: https://icaita2021.org/nco/
The seventh International Conference on Networks and Communications (NCO 2021) is a forum for experts to share their knowledge of computer networks and data communications, including network security, cloud computing, and machine learning.
Who should attend? The conference is well-suited to CISOs looking to understand the latest technical developments in their field, together with engineers, computer scientists, and academics.
Confirmed speakers: Haluk Altay, Turkish Aerospace, Turkey; Vikas Thammanna Gowda, Wichita State University, USA; Hoda Nematy, Malek-Ashtar University of Technology, Tehran.
RANT Radio: Mutated Cyber: July 28, 2021
Register here: https://events.rantcommunity.com/RANTRadiowithTrendMicro
While many industries have suffered due to COVID-19, cybercrime has prospered. RANT Radio’s Mutated Cyber conference will explore “the ‘was’, ‘is’ and ‘will be’ of cybercrime in a post-pandemic age.”
Who should attend? CISOs and CEOs with teams working from home should learn a lot from this conference, which will focus on how the pandemic has caused a rise in social engineering attacks.
Confirmed speakers: Donna Goddard, Director, Cyber Information Security, London Stock Exchange Group (LSEG); Kathryn Cardose, Senior Manager, Security Operations, Virgin Money; Myla Pilao, Director Technical Marketing, Trend Micro.
Black Hat USA: July 31-August 3, 2021
Register here: https://blackhat.informatech.com/2021/
Black Hat USA is 24 years old, and there’s a good reason this event has stuck around for so long. Black Hat USA provides a package of advanced training courses on infosec topics as diverse as vulnerability research, securing Windows infrastructure, and using adversarial AI for hacking—plus briefings from infosec thought leaders.
Who should attend? Black Hat USA is a must-attend for any infosec professional looking to level up their skills, learn from industry leaders, or understand the latest techniques in their adversaries’ toolkits.
Confirmed speakers: Craig Young, Principal Security Researcher, Tripwire; Qian Wenxiang, Senior Security Researcher, Tencent Blade Team; Paula Januszkiewicz, CEO and Founder, CQURE Inc.
p.s., we’ll be there! More information about our speaking slot and booth location coming soon.
Read Blog Post
Tessian Culture, Cyber Skills Gap
Tessian Officially Named a 2021 UK’s Best Workplaces™ for Women
By Laura Brooks
Thursday, July 1st, 2021
We’re excited to announce that Tessian has been recognized as one of the top three medium-sized companies in the UK’s Best Workplaces™ for Women for 2021. Our Human First value, our commitment to Diversity, Equity and Inclusion (DEI), and our Employee Resource Group (ERG) for women, Tes-She-An, are just some of the reasons why people love working at the company. This recognition confirms that:
Tessian is a great workplace for all employees, including women.
Tessian recognizes that women represent a valuable talent pool in increasingly talent-constrained industries such as cybersecurity and technology.
Tessian lives up to its company values of ‘Human First’ and ‘We Do the Right Thing’, as its leaders make meaningful changes to improve their ability to recruit, retain and nurture top female employees.
Education and training have been foundational first steps in Tessian’s DEI strategy. We partnered with Jeff Turner, former International Learning and Development Director for Facebook, to deliver company-wide training around diversity, unconscious bias and inclusion. We’ve also taken the time to establish our long-term DEI roadmap – which includes a diversity recruitment strategy across all hiring levels, expanding the entry-level talent pool by creating junior jobs for people entering the tech industry, and prioritizing the development of future leaders through well-defined growth frameworks across the company. 
In addition, Tessian’s ERG group – Tes-She-An – provides a space to support all employees who identify as women, celebrate their achievements, and help each other “shine even brighter” by focusing on career progression. The group runs monthly workshops for women, and invites inspiring external guests who are leading the charge in creating equal opportunities in the tech industry, to speak to employees. Importantly, these events do not operate in a closed network. They’re open to the entire company – not just women.  As a result of these initiatives and programs, 99% of Tessian employees surveyed by Great Place to Work® agreed that people at the company are treated fairly regardless of their gender.  Paige Rinke, Head of People at Tessian, says: “We are so proud to be recognized as a Best Workplace for Women and hear first-hand from our employees that our initiatives to create an inclusive workplace are resonating. One of our core values is Human First, and we’re committed to ensuring every employee feels supported and valued, and to improving gender and ethnicity representation across all levels of seniority at Tessian through our DEI efforts. “Why? Because empowering our people to thrive in an inclusive environment and challenging the status quo to create more equal opportunities in the tech industry is, ultimately, the right thing to do.”  Benedict Gautrey, Managing Director of Great Place to Work® UK, explains: “We’re delighted to recognize so many great organizations in this fourth year of the UK’s Best Workplaces™ for Women list. The issues affecting women in the workplace, particularly what we’ve witnessed in the face of the pandemic including parity of pay and advancement opportunities, continue to be important topics. “What our 2021 UK’s Best Workplaces™ for Women clearly show is the positive impact their practices have on business. 
As a result, they are better able to attract and retain women of talent, encouraging them to develop professionally and personally, and in turn, contribute exponentially to the success of the organizations they work for.” Want to work at Tessian? See if we have a role that interests you today.
Read Blog Post
Engineering Team
Tessian’s CSI QA Journey: WinAppDriver, Office Apps, and Sessions
By Tessian
Wednesday, June 30th, 2021
Introduction In part one, we went over the decisions that led the CSI team to start automating its UI application with a focus on the process drivers and journey.  Today we’re going to start going over the technical challenges, solutions, and learnings along the way.  It would be good if you had a bit of understanding of how to use WinAppDriver for UI testing.  As there are a multitude of beginner tutorials, this post will be more in depth. All code samples are available as a complete solution here. How We Got Here As I’m sure many others have done before, we started by adapting winappdriver samples into our own code base.  After we had about 20 tests up and running, it became clear that taking some time to better architect common operations would help in fixing tests as we targeted more versions of Outlook, Windows, etc.  Simple things like how long to wait for a window to open, or how long to wait to receive an email can be impacted by the test environment, and it quickly becomes tedious to change these in 20 different places whenever we have a new understanding/solution on the best way to do these operations. Application Sessions A good place to start when writing UI tests is just getting the tests to open the application.  There are plenty of samples online that show you how to do this, but there are a few things that the samples leave each of us to solve on our own that I think would be helpful to share with the larger Internet community. All Application Sessions are Pretty Similar And when code keeps repeating itself, it’s time to abstract this code into interfaces and classes.  So, we have both: an interface and a base class:
Don’t worry, we’ll get into the bits.  The main point of this class is it pertains to starting/stopping, or attaching/detaching to applications and that we’re storing enough information about the application under test to do those operations.   In the constructor, the name of the process is used to determine if we can attach to an already running process, whereas the path to the executable is used if we don’t find a running process and need to start a fresh instance.  The process name can be found in the Task Manager’s Details tab. Your Tests Should Run WinAppDriver I can’t tell you how many times I’ve clicked run on my tests only to have them all fail because I forgot to start the WinAppDriver process beforehand.  WinAppDriver is the application that drives the mouse and keyboard clicks, along with getting element IDs, names, classes, etc of the application under test.  Using the same solution WinAppDriver’s examples show for starting any application, you can start the WinAppDriver process as well.   Using IManageSession and BaseSession<T> above, we get:
The default constructor just calls BaseSession<WinAppDriverProcess> with the name of the process and the path to the executable. So you can see that StartSession here is implemented to be thread safe.  This ensures that only one instance can be created in a test session, and that it’s created safely in an environment where you run your tests across multiple threads.  It then queries the base class about whether the application you’re starting is already running or not.  If it is running, we attach to it.  If it’s not, we start a new instance and attach to that.  Here are those methods:
These are both named Unsafe to show that they’re not thread safe, and it’s up to the calling method to ensure thread safety.  In this case, that’s StartSession(). And for completeness, StopSession does something very similar except it queries BaseSession<T> to see if we own the process (i.e. it was started as a fresh instance and not attached to), or not.  If we own it, then we’re responsible for shutting it down, but if we only attach to it, then leave it open.
You’ll Probably Want a DesktopSession
Desktop sessions can be useful ways to test elements from the root of the Windows Desktop. This would include things like the Start Menu, sys-tray, or file explorer windows. We use it for our sys-tray icon functionality, but regardless of what you need it for, WinAppDriver’s FAQ provides the details. I’ve made it work here using IManageSession and BaseSession<T>:
It’s a lot simpler since we’d never be required to start the root session.  It’s still helpful to have it inherit from BaseSession<T> as that will provide us some base functionality like storing the instance in a Singleton and knowing how long to wait for windows to appear when switching to/from them. Sessions for Applications with Splash Screens This includes all the Office applications.  WinAppDriver’s FAQ has some help on this, but I think I’ve improved it a bit with the do/while loop to wait for the main window to appear.  The other methods look similar to the above, so I’ve collapsed them for brevity.
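Since the post’s C# listings are not reproduced on this page, the following is an added example, written in Python rather than C# and not the post’s own code, of the session design the post describes: one instance per application class, a lock so that StartSession is thread safe, attach-or-start with an owned flag that StopSession consults, and a do/while wait for the main window that tolerates a splash screen. FakeProcessTable is a constructed stand-in for the Windows process table so the example runs anywhere; in real code the find, start and kill calls would go through System.Diagnostics.Process (or psutil and subprocess from Python), and the process names are the ones Task Manager’s Details tab shows.

```python
"""Attach-or-start session management with ownership tracking and a splash-screen wait
loop. Added example in Python, not the post's C# code; FakeProcessTable is a constructed
stand-in for the Windows process table so the example runs anywhere."""
import itertools
import threading
import time
from typing import Callable, List, Optional

class FakeProcessTable:
    """Stand-in for Task Manager's process list, Process.Start and Process.Kill."""
    def __init__(self, running=()):
        self._procs, self._next_pid, self.started = {}, 4000, 0
        for name in running:
            self.start(name)

    def find(self, name: str) -> Optional[int]:
        return next((pid for pid, n in self._procs.items() if n == name), None)

    def start(self, name: str) -> int:   # real code: Process.Start(path_to_exe)
        pid, self._next_pid = self._next_pid, self._next_pid + 1
        self._procs[pid], self.started = name, self.started + 1
        return pid

    def kill(self, pid: int) -> None:
        self._procs.pop(pid, None)

class BaseSession:
    """One instance per subclass: attach to a running process, else start and own one.
    Methods suffixed _unsafe assume the caller holds _lock, as start_session does."""
    process_name = ""   # as shown in Task Manager's Details tab
    _lock = threading.Lock()
    _instance = None

    def __init__(self, procs, window_probe=None, window_timeout=2.0, poll=0.01):
        self.procs, self.window_timeout, self.poll = procs, window_timeout, poll
        self.window_probe = window_probe or (lambda pid: True)  # real code: find the main window
        self.pid, self.owned = None, False   # owned: True only if we started the process

    @classmethod
    def start_session(cls, procs, **kwargs):
        """Thread-safe: concurrent callers share one instance and cause at most one launch."""
        with cls._lock:
            if cls.__dict__.get("_instance") is None:
                session = cls(procs, **kwargs)
                if procs.find(cls.process_name) is not None:
                    session._attach_unsafe()
                else:
                    session._start_fresh_unsafe()
                cls._instance = session
            return cls._instance

    @classmethod
    def stop_session(cls) -> None:
        with cls._lock:
            session = cls.__dict__.get("_instance")
            if session is not None and session.owned:   # attached processes are left running
                session.procs.kill(session.pid)
            cls._instance = None

    def _attach_unsafe(self) -> None:
        self.pid, self.owned = self.procs.find(self.process_name), False

    def _start_fresh_unsafe(self) -> None:
        self.pid, self.owned = self.procs.start(self.process_name), True
        if not self.wait_for_main_window():
            self.procs.kill(self.pid)   # don't leak a half-started process we own
            raise TimeoutError(f"{self.process_name}: no main window after {self.window_timeout}s")

    def wait_for_main_window(self) -> bool:
        """do/while: probe at least once, then poll until the window is up or time runs out.
        Office apps show a splash screen first, so early probes are expected to fail."""
        deadline = time.monotonic() + self.window_timeout
        while True:
            if self.window_probe(self.pid):
                return True
            if time.monotonic() >= deadline:
                return False
            time.sleep(self.poll)

class WinAppDriverSession(BaseSession):
    process_name = "WinAppDriver"

class OutlookSession(BaseSession):
    process_name = "OUTLOOK"

def splash_then_window(n: int) -> Callable[[int], bool]:
    """Constructed probe: False for the first n calls (the splash screen), then True."""
    calls = itertools.count(1)
    return lambda pid: next(calls) > n

def start_concurrently(session_cls, procs, threads: int = 8) -> List[BaseSession]:
    """start_session from several threads at once; every caller should get the same object."""
    results: List[BaseSession] = []
    workers = [threading.Thread(target=lambda: results.append(session_cls.start_session(procs)))
               for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return results
```

The two behaviours worth keeping from the post are visible in stop_session and _start_fresh_unsafe: a session only kills a process it started itself, and a fresh start that never shows its main window is torn down rather than left as an orphaned process for the next test run to trip over.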
Putting it All Together So how do we put all this together and make a test run?  Glad you asked! NUnit I make fairly heavy use of NUnit’s class and method level attributes to ensure things get set up correctly depending on the assembly, namespace, or class a test is run in.  Mainly, I have a OneTimeSetup for the whole assembly that starts WinAppDriver and attaches to the Desktop root session.  
Then I separate my tests into namespaces that correspond to the application under test – in this case, it’s Outlook.  
I then use a OneTimeSetup in that namespace that starts Outlook (or attaches to it). 
Finally, I use SetUp and TearDown attributes on the test classes to ensure I start and end each test from the main application window.
The Test All that allows you to write (the somewhat verbose) test:
Wrapping It All Up For this post we went into the details on how to organize and code your Sessions for UI testing.  We showed you how to design them so you can reuse code between different application sessions.  We also enabled them to either start the application or connect to an already running application instance (and how the Session object can determine which to do itself).  Finally, we put it all together and created a basic test that drives Outlook’s UI to compose a new Email message and send it. Stay tuned for the next post where we’ll delve into how to handle all the dialog windows your UI needs – to interact with and abstract that away – so you can write a full test with something that looks like this:
Read Blog Post
Tessian Culture
A Year on from Plus, the Tessian LGBTQ+ Network
By Leon Brown
Wednesday, June 30th, 2021
This Pride month, at workplaces around the world, you would be forgiven for thinking nothing has changed — working at home, we find ourselves at the same desks looking out of the same windows. Pride celebrations still look and feel different from the ‘before times’, as the physical manifestations of our LGBTQ+ community are slowly rebuilt in digital fabric. A year on from the creation of Plus, Tessian’s LGBTQ+ employee resource group, we look back to our original mission and founding principles, what we’ve learned in these strange times, and what we can look forward to in 2021. How Plus was formed  In all of 2020’s uncertainty, there was one certainty in the transition to remote-working — digital would have to replace physical… at least for the time being.  Zoom calls replaced meeting rooms, Slack replaced coffee chats, and Tessian began to use a tool called Peakon to measure employee engagement. It was only natural, then, that Plus was started by a single Peakon message, asking: “Is Tessian doing anything for LGBTQ Pride Month?”
The answer turned out to be no, but the opportunity was there, with the full support of the company and executive team. Without any existing plans, a few LGBTQ+ Tessians self-organized and promoted our newly-formed group, Plus. For us, Pride has always been about celebration and amplification of LGBTQ+ voices, both inside and outside of Tessian, and about creating a “safe space” for all Tessian LGBTQ+ employees to network, socialize, and share experiences behind closed doors. But our largest reservation when starting Plus was always about critical mass.
How Plus grew at Tessian
Without any visibility on LGBTQ+ employees at Tessian, we didn’t know if the group would have enough members to be successful, or whether, by creating a community exclusive to LGBTQ+ voices alone, we would be excluding allies of the community in a way that restricted our ability to act on our mission. Forming a small committee, we promoted the arrival of Plus during company all-hands and new employee onboardings, and relied on existing and larger employee resource groups to gather members. We were quickly impressed by the uptake, with more than 10% of the company joining Plus within the first month of launch, a significant minority and higher than the expected average. Seniority and function were both well-represented in Plus, pulling from all parts of Tessian and, for the first time, providing an organized and welcoming committee of LGBTQ+ voices.
Plus was formed around a core mission to:
Ensure an inclusive and respectful environment for all employees
Raise awareness of, and represent the views and issues of, LGBTQ+ employees
Provide a support network for LGBTQ+ employees
Create opportunities to socialize with other LGBTQ+ employees
Offer confidential support when needed
Provide guidance to Tessian as an employer on policy and how to enhance its diversity strategy
In practice, the digital certainties of our last year in remote work have led Plus to resculpt any and all ideas around community-building. Online socials over Zoom, knowledge sharing via Slack and, more recently, socially distanced gatherings at local parks have all worked well. As Tessian began its formal journey on Diversity & Inclusion with the development of an internal D&I Report, again developed remotely, Plus had a seat at the table to shape the discussion around LGBTQ+ representation at the company. And sharing our message outside of Tessian, Plus was even fortunate enough to be interviewed for Infosecurity Magazine’s Pride cover story alongside ERGs from Zivver and Rapid7.
That is to say, that even during a year when LGBTQ+ communities around the world have struggled to run gatherings, fundraising, or support networks, — when the importance of Pride as an LGBTQ+ institution has been validated — our approach to working directly with LGBTQ+ Tessians on the community-building activities that matter most to us has proven successful. What’s next for Plus? One of Tessian’s company values continues to be Human First. And with Plus, we’re proud to have created a private, Human First initiative for Tessians to celebrate their sexual orientation and gender identity. Plus germinated alongside Tessian’s transition to choice-first remote working, but won’t stop growing as we move forward to a hybrid workplace. Continuing to grow with new members, we’re excited to meet up in-person, campaign for positive change outside of Tessian, and work with external speakers to open up LGBTQ+ stories to the whole company. Do you lead an LGBTQ+ Employee Resource Group at your company? Get in touch and we would love to hear from you on how you’ve elevated LGBTQ+ voices during the past year, and what successes you’ve seen building healthy LGBTQ+ communities.
Read Blog Post
Human Layer Security, DLP, Data Exfiltration
What is an Insider Threat? Insider Threat Definition, Examples, and Solutions
By Tessian
Tuesday, June 29th, 2021
Organizations often focus their security efforts on threats from outside. But increasingly, it’s people inside the organization who cause data breaches. There was a 47% increase in Insider Threat incidents between 2018 and 2020, including via malicious data exfiltration and accidental data loss. And the comprehensive Verizon 2021 Data Breach Investigations Report suggests that Insiders are directly responsible for around 22% of security incidents. So, what is an insider threat and how can organizations protect themselves from their own people?
Importantly, there are two distinct types of insider threats, and understanding different motives and methods of exfiltration is key for detection and prevention. Types of Insider Threats The Malicious Insider
Malicious Insiders knowingly and intentionally steal data, money, or other assets: for example, an employee or contractor exfiltrating intellectual property, personal information, or financial information for personal gain. What’s in it for the insider? It depends.
Financial Incentives
Data is extremely valuable. Malicious insiders can sell customers’ information on the dark web. There’s a huge market for personal information; research suggests everything needed to steal a person’s identity can be bought for around $1,010. Malicious Insiders can steal leads, intellectual property, or other confidential information for their own financial gain, causing serious damage to an organization in the process.
Competitive Edge
Malicious Insiders can steal company data to get a competitive edge in a new venture. This is more common than you might think. For example, a General Electric employee was imprisoned in 2020 for stealing thousands of proprietary files for use in a rival business. Unsurprisingly, stealing data to gain a competitive edge is most common in competitive industries, like finance and entertainment.
The Negligent (or Unaware) Insider
Negligent Insiders are just “average” employees doing their jobs. Unfortunately, “to err is human”, which means people can, and do, make mistakes.
Sending a misdirected email
Sending an email to the wrong person is one of the most common ways a negligent insider can lose control of company data. Indeed, the UK’s Information Commissioner’s Office reports misdirected emails as the number one cause of data breaches. And according to Tessian platform data, organizations with over 1,000 employees send around 800 misdirected emails every year. We’ve put together 11 Examples of Data Breaches Caused By Misdirected Emails if you want to see how bad this type of Insider Threat can get.
Phishing attacks
Last year, 66% of organizations worldwide experienced spear phishing attacks. Like all social engineering attacks, phishing involves tricking a person into clicking a link, downloading malware, or taking some other action that compromises a company’s security. A successful phishing attack requires an employee to fall for it, and practically any of your employees could fall for a sophisticated spear phishing attack. Want to know more about this type of Negligent Insider threat? Read Who Are the Most Likely Targets of Spear Phishing Attacks?
Physical data loss
Whether it’s a phone, laptop, or a paper file, losing devices or hard-copy data can constitute a data breach. Indeed, in June 2021, a member of the public found top-secret British military documents in a “soggy heap” behind a bus stop. Looking for more examples of Insider Threats (both malicious and negligent)? Check out this article: 17 Real-World Examples of Insider Threats
How can I protect against Insider Threats?
As we’ve seen, Insider Threats are common. So why is it so hard to prevent them? Detecting and preventing Insider Threats is such a challenge because it requires full visibility over your data, including who has access to it.
This means fully mapping your company’s data, finding all entry and exit points, and identifying all the employees, contractors, and third parties who have access to it. From there, it comes down to training, monitoring, and security.
Training
While security awareness training isn’t the only measure you need to take to improve security, it is important. Security awareness training can help you work towards legal compliance, build threat awareness, and foster a security culture among your employees. Looking for resources to help train your employees? Check out this blog with a shareable PDF.
Monitoring
Insider Threats can be difficult to detect because insiders normally leverage their legitimate access to data. That’s why it’s important to monitor data for signs of potentially suspicious activity. Telltale signs of an insider threat include:
Large data or file transfers
Multiple failed logins (or other unusual login activity)
Incorrect software access requests
Machine takeover
Service account abuse
Email Security
The vast majority of data exfiltration attempts, accidental data loss incidents, and phishing attacks take place via email. Therefore, one of the most effective actions you can take to prevent insider threats is to implement an email security solution. Tessian is a machine learning-powered email security solution that uses anomaly detection, behavioral analysis, and natural language processing to detect data loss.
Tessian Enforcer detects data exfiltration attempts and non-compliant emails
Tessian Guardian detects misdirected emails and misattached files
Tessian Defender detects and prevents spear phishing attacks
How does Tessian detect and prevent Insider Threats?
Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships, both inside and outside your organization.
Tessian inspects the content and metadata of inbound emails for any signals suggestive of phishing—like suspicious payloads, geophysical locations, IP addresses, email clients—or data exfiltration—like anomalous attachments, content, or sending patterns. Once it detects a threat, Tessian alerts employees and administrators with clear, concise, contextual warnings that reinforce security awareness training.
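The telltale signs listed under Monitoring (large transfers, bursts of failed logins, service-account abuse) are the kind of thing a first-pass triage script can surface from audit logs before anyone looks at an email security product. The following is an added example and is not Tessian’s code or product logic; the log line format, the thresholds, the `svc-` account naming convention and the sample lines are all constructed for illustration.

```javascript
// Added example (not Tessian's code): a triage pass over constructed
// audit-log lines that flags three of the telltale signs listed above:
// bursts of failed logins, unusually large transfers, and service accounts
// used for interactive logins. Log format and thresholds are assumptions.

// Constructed sample log lines in an assumed "timestamp user event detail" format.
const SAMPLE_LOG = `
2021-06-30T08:00:01Z alice LOGIN_OK workstation
2021-06-30T08:01:10Z bob LOGIN_FAIL workstation
2021-06-30T08:01:15Z bob LOGIN_FAIL workstation
2021-06-30T08:01:20Z bob LOGIN_FAIL workstation
2021-06-30T08:01:25Z bob LOGIN_FAIL workstation
2021-06-30T08:01:31Z bob LOGIN_FAIL workstation
2021-06-30T09:12:00Z alice TRANSFER 12400
2021-06-30T17:58:00Z carol TRANSFER 3900000000
2021-06-30T18:02:00Z svc-backup LOGIN_OK interactive
2021-06-30T18:05:00Z svc-backup LOGIN_OK service
`.trim();

const FAILED_LOGIN_LIMIT = 5;                 // assumed: 5 failures within the window
const FAILED_LOGIN_WINDOW_MS = 10 * 60 * 1000; // assumed: 10 minute sliding window
const LARGE_TRANSFER_BYTES = 1e9;             // assumed: 1 GB in a single transfer

// Parse one line per event; the detail column is the host type or byte count.
function parseLog(text) {
  return text.split("\n").map((line) => {
    const [ts, user, event, detail] = line.trim().split(/\s+/);
    return { t: Date.parse(ts), user, event, detail };
  });
}

// Returns one finding per sign, in event order.
function triage(text) {
  const events = parseLog(text).sort((a, b) => a.t - b.t);
  const findings = [];
  const failWindow = new Map(); // user -> timestamps of failures inside the window

  for (const e of events) {
    if (e.event === "LOGIN_FAIL") {
      const recent = (failWindow.get(e.user) || []).filter((t) => e.t - t <= FAILED_LOGIN_WINDOW_MS);
      recent.push(e.t);
      failWindow.set(e.user, recent);
      // Report once, at the moment the burst reaches the limit
      if (recent.length === FAILED_LOGIN_LIMIT) {
        findings.push({ user: e.user, sign: "failed-login-burst", count: recent.length });
      }
    } else if (e.event === "TRANSFER" && Number(e.detail) >= LARGE_TRANSFER_BYTES) {
      findings.push({ user: e.user, sign: "large-transfer", bytes: Number(e.detail) });
    } else if (e.event === "LOGIN_OK" && e.user.startsWith("svc-") && e.detail === "interactive") {
      // Service accounts are expected to authenticate non-interactively
      findings.push({ user: e.user, sign: "service-account-interactive-login" });
    }
  }
  return findings;
}
```

Run against the constructed log, `triage(SAMPLE_LOG)` reports bob’s failed-login burst, carol’s 3.9 GB transfer and the interactive login by `svc-backup`, and nothing for alice’s ordinary activity. In practice the thresholds would be tuned per environment, and each finding would be enriched with the user’s baseline before it reaches an analyst.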
Who Are the Most Likely Targets of Spear Phishing Attacks?
By Maddie Rosenthal
Friday, June 25th, 2021
Last year, 66% of organizations worldwide experienced spear phishing attacks. But some industries and departments are more likely to be targeted than others. In this article, we’ll identify examples of vulnerable employees, why they’re targeted, and what tactics hackers use to trick them into handing over sensitive information or initiating money transfers.
We’ll be focusing on the following spear phishing methods:

CEO Fraud
Business Email Compromise
Whaling
Email Spoofing

For more information about these different types of attacks, click the links above. Unsure what exactly spear phishing is? Read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies. Let’s get started…
John: Executive Assistant (New-Starter), Tech Company
Our first spear phishing victim is John: an executive assistant working in tech.

Why tech? Because it’s a highly targeted sector. Employees in tech firms are the most likely to fall for a social engineering scam, according to one study looking at companies with over 1,000 people. In fact, in medium-large tech companies, roughly half of employees will click on a malicious link or obey instructions in a phishing email. Those aren’t good odds.

Within the tech industry, John is an executive assistant. Why is John’s role relevant? Because spear phishing is a targeted attack—cybercriminals are looking for individuals with access to high-value data. And executive assistants have that in spades. Think about it. Executive assistants:

Have extensive access to credit card data, employee data, and intellectual property
Have access to executives’ email accounts, and know their itinerary and travel arrangements
Work autonomously and have decision-making capabilities

In other words, John is in a near-perfect position of access and influence.

John’s also a new starter, which makes him particularly vulnerable. He isn’t familiar with company policies. He doesn’t know everyone. And, for what it’s worth, he hasn’t had security awareness training yet. And psychologically, John’s “the new guy”—he’s keen to show initiative, avoid annoying his colleagues, and might be less likely to report his own mistakes. So when John gets a CEO fraud email from someone claiming to be the boss, he’s less likely to question it.

How would a hacker know if a certain employee has recently joined a company? Spear phishing attacks require meticulous research. But finding out about a company and its employees is easy. LinkedIn accounts, company websites, annual reports—everything a cybercriminal needs to know about an organization’s structure and employees is laid out in public view.

Learn more about how bad actors leverage publicly available information in this research report: How to Hack a Human.
Lucy: Office Administrator, Healthcare Company
Our second spear phishing victim is Lucy: an office administrator working in healthcare.

Why healthcare? Two reasons: First, according to a sector-by-sector study, the healthcare industry is the most vulnerable to social engineering attacks overall (without taking company size into account). Second, healthcare employees are most likely to be involved in privilege misuse incidents.

And in healthcare, data breaches are particularly costly. In fact, for ten years running, healthcare has been the most expensive industry in which to experience a data breach, with the average single incident costing $7.13 million in 2020 (up 10% from 2019).

Why is a healthcare breach so costly? It’s partly down to the value of patient data. Think about the types of data accessible to an office administrator working in healthcare:

Health records
Clinical trials
Insurance information
Credit card details
Patient data
Employee data
Payroll information

Lucy is vulnerable to email spoofing attacks, where a phishing email appears to come from a trusted domain. According to the FBI, spoofing attacks have risen by 81% since 2018. Healthcare firms are often poorly equipped to deal with cybersecurity incidents, as shown by the recent spate of ransomware attacks on hospitals. Therefore, they may lack software capable of identifying a spoofed email account.

Adam: Accounts Payable Manager, Manufacturing Company
Our third spear phishing victim is Adam: an accounts payable manager working in manufacturing.

Manufacturing is among the most targeted industries in social engineering incidents. And manufacturing firms are a favorite for BEC attacks, because of the high volume of invoices being paid. Manufacturing companies are often part of long supply chains, which can be targeted in account takeover attacks.

Because his job involves processing payments, Adam is particularly vulnerable to BEC—which frequently involves persuading accounts managers to pay fake invoices. BEC remains a cybercrime “growth sector”. FBI data shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime.

Magda: Senior Partner, Law Firm
Magda is our fourth spear phishing victim, and she’s a senior partner at a law firm.

So far, we’ve looked at mid-level employees. But remember that when conducting spear phishing attacks, cybercriminals aim to get the most “bang for their buck.” That’s why they frequently target high-ranking employees through “whaling” attacks. Here’s why company executives can be the ultimate catch for a spear phishing attack:

They control large budgets
They have power over many employees
They’re busy, often stressed, and can easily make mistakes

About that last point: Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed—and that high-ranking employees are among the most likely to fall for a phishing attack.

Plus, Magda works in a law firm—and we know the legal sector is heavily targeted by spear phishing. As the U.K.’s National Cyber Security Centre reports: “The cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years.” This increase in cybercrime is partly down to the rapid rate at which legal firms are adopting new technology.

How can employees detect spear phishing attacks?

Want to avoid ending up like our spear phishing victims? There are a few basic steps you can take:

Learn to spot the signs of a spear phishing email
Avoid email impersonation by checking for inconsistencies in senders’ email addresses
Hover over links to see where they lead before clicking on them
Verify non-routine payment instructions over the phone

But note that humans are often not capable of detecting the subtle differences between phishing emails and authentic emails. And spam filters, antivirus software, and other legacy security solutions just aren’t enough.
How Tessian prevents spear phishing attacks

Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most subtle phishing signals. Here’s how it works.

Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any signals suggestive of phishing, like suspicious payloads, geophysical locations, IP addresses, email clients, or sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.
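The manual checks in the previous section (inconsistencies in the sender’s address, a domain that merely resembles a trusted one, payment instructions from someone you have never corresponded with) can be written down as a screening function that a mail gateway or a mailbox rule evaluates before a person ever sees the message. The following is an added example and is not Tessian Defender’s logic; the company domain, the trusted-domain and executive-name lists, the edit-distance threshold and the sample messages are all constructed assumptions.

```javascript
// Added example (not Tessian's code): the sender-address and trusted-relationship
// checks described above, as an inbound screening function. All lists and
// samples are constructed for illustration.

const OUR_DOMAIN = "example-corp.com";                            // assumed
const TRUSTED_DOMAINS = ["example-corp.com", "partner-bank.com"]; // assumed
const EXECUTIVE_NAMES = ["jane doe", "john smith"];               // assumed

// Levenshtein edit distance, used to spot lookalike ("cousin") domains that
// differ from a trusted domain by a character or two.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

const domainOf = (addr) => addr.toLowerCase().split("@")[1] || "";

// Returns a list of warning strings for one message; an empty list means no signal.
function screenInbound(msg) {
  const warnings = [];
  const fromDomain = domainOf(msg.from);
  const name = (msg.displayName || "").toLowerCase().trim();

  // 1. An executive's display name on a message from outside our domain (CEO fraud / whaling)
  if (EXECUTIVE_NAMES.includes(name) && fromDomain !== OUR_DOMAIN) {
    warnings.push(`display name "${msg.displayName}" used from external domain ${fromDomain}`);
  }
  // 2. Sender domain that is a near-miss of a trusted domain (email spoofing)
  for (const trusted of TRUSTED_DOMAINS) {
    const dist = editDistance(fromDomain, trusted);
    if (dist > 0 && dist <= 2) warnings.push(`sender domain ${fromDomain} resembles trusted domain ${trusted}`);
  }
  // 3. Reply-To pointing at a different domain than the sender
  if (msg.replyTo && domainOf(msg.replyTo) !== fromDomain) {
    warnings.push(`reply-to domain ${domainOf(msg.replyTo)} differs from sender domain ${fromDomain}`);
  }
  // 4. Payment instructions from a sender with no prior correspondence (verify by phone)
  if (msg.firstContact && /\b(wire|invoice|bank details|payment)\b/i.test(msg.body)) {
    warnings.push("payment instructions from a sender with no prior correspondence");
  }
  return warnings;
}

// Constructed sample messages
const SAMPLES = {
  routine: { from: "jane.doe@example-corp.com", displayName: "Jane Doe", body: "Agenda attached", firstContact: false },
  ceoFraud: { from: "jane.doe@gmail-mail.example", displayName: "Jane Doe", replyTo: "pay@other.example", body: "Please wire the invoice today", firstContact: true },
  lookalike: { from: "ap@partner-bank.co", displayName: "Accounts", body: "Updated bank details", firstContact: true },
};
```

`screenInbound(SAMPLES.routine)` returns no warnings, the CEO-fraud sample trips the display-name, reply-to and first-contact-payment checks, and the lookalike sample trips the cousin-domain and first-contact-payment checks. The `firstContact` flag stands in for the trusted-relationship map the article describes; in a real deployment it would be derived from the organisation’s own mail history rather than set by hand.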
Tessian Culture, Engineering Team
React Hooks at Tessian
By Luke Barnard
Wednesday, June 16th, 2021
I’d like to describe Tessian’s journey with React hooks so far, covering some technical aspects as we go.

About two years ago, some of the Frontend guild at Tessian were getting very excited about a new React feature that was being made available in an upcoming version: React Hooks.

React Hooks are a very powerful way to encapsulate state within a React app. In the words of the original blog post, they make it possible to share stateful logic between multiple components. Much like React components, they can be composed to create more powerful hooks that combine multiple different stateful aspects of an application together in one place.

So why were we so excited about the possibilities that these hooks could bring? The answer could be found in the way we were writing features before hooks came along. Every time we wrote a feature, we would have to write extra “boilerplate” code using what was, at some point, considered by the React community to be the de facto method for managing state within a React app: Redux. As well as Redux, we depended on Redux Sagas, a popular library for implementing asynchronous functionality within the confines of Redux. Combined, these two(!) libraries gave us the foundation upon which to do…very simple things, mostly API requests, handling responses, tracking loading and error states for each API that our app interacted with.

The overhead of working in this way showed: each feature required a new set of sagas, reducers, actions and of course the UI itself, not to mention the tests for each of these. This would often come up as a talking point when deciding how long a certain task would take during a sprint planning session.

Of course there were some benefits in being able to isolate each aspect of every feature. Redux and Redux Sagas are both well-known for being easy to test, making testing of state changes and asynchronous API interactions very straight-forward and very (if not entirely) predictable.
But there are other ways to keep testing important parts of code, even when hooks get involved (more on that another time). Also, I think it’s important to note that there are ways of using Redux Sagas without maintaining a lot of boilerplate, e.g. by using a generic saga, reducer and actions to handle all API requests. This would still require certain components to be connected to the Redux store, which is not impossible but might encourage prop-drilling.

In the end, everyone agreed that the pattern we were using didn’t suit our needs, so we decided to introduce hooks to the app, specifically for new feature development. We also agreed that changing everything all at once in a field where paradigms fall into and out of fashion rather quickly was a bad idea. So we settled on a compromise where we would gradually introduce small pieces of functionality to test the waters.

I’d like to introduce some examples of hooks that we use at Tessian to illustrate our journey with them.

Tessian’s first hook: usePortal

Our first hook was usePortal. The idea behind the hook was to take any component and insert it into a React Portal. This is particularly useful where the UI is shown “above” everything else on the page, such as dialog boxes and modals.

The documentation for React Portals recommends using a React Class Component, using the lifecycle methods to instantiate and tear-down the portal as the component mounts/unmounts. Knowing we could achieve the same thing with hooks, we wrote a hook that would handle this functionality and encapsulate it, ready to be reused by our myriad of modals, dialog boxes and popouts across the Tessian portal. The gist of the hook is something like this:
Note that the hook returns a function that can be treated as a React component. This pattern is reminiscent of React HOCs, which are typically used to share concerns across multiple components. Hooks enable something similar but instead of creating a new class of component, usePortal can be used by any (function) component. This added flexibility gives hooks an advantage over HOCs in these sorts of situations.

Anyway, the hook itself is very simple in nature, but what it enables is awesome! Here’s an example of how usePortal can be used to give a modal component its own portal:
Just look at how clean that is! One line of code for an infinite amount of behind-the-scenes complexity including side-effects and asynchronous behaviors! It would be an understatement to say that at this point, the entire team was hooked on hooks!

Tessian’s hooks, two months later

Two months later we wrote hooks for interacting with our APIs. We were already using Axios as our HTTP request library and we had a good idea of our requirements for pretty much any API interaction. We wanted:

To be able to specify anything accepted by the Axios library
To be able to access the latest data returned from the API
To have an indication of whether an error had occurred and whether a request was ongoing

Our real useFetch hook has since become a bit more complicated but to begin with, it looked something like this:
To compare this to the amount of code we would have to write for Redux sagas, reducers and actions, there’s no comparison. This hook clearly encapsulated a key functionality that we have since gone on to use dozens of times in dozens of new features. From here on out, hooks were here to stay in the Tessian portal, and we decided to phase out Redux for use in features. Today there are 72 places where we’ve used this hook or its derivatives: that’s 72 times we haven’t had to write any sagas, reducers or actions to manage API requests!

Tessian’s hooks in 2021

I’d like to conclude with one of our more recent additions to our growing family of hooks. Created by our resident “hook hacker”, João, this hook encapsulates a very common UX paradigm seen in basically every app. It’s called useSave. The experience is as follows:

The user is presented with a form or a set of controls that can be used to alter the state of some object or document in the system.
When a change is made, the object is considered “edited” and must be “saved” by the user in order for the changes to persist and take effect.
Changes can also be “discarded” such that the form returns to the initial state.
The user should be prompted when navigating away from the page or closing the page to prevent them from losing any unsaved changes.
When the changes are in the process of being saved, the controls should be disabled and there should be some indication to let the user know that: (a) the changes are being saved, (b) the changes have been saved successfully, or that (c) there was an error with their submission.
Each of these aspects requires the use of a few different native hooks:

A hook to track the object data with the user’s changes (useState)
A hook to save the object data on the server and expose the current object data (useFetch)
A hook to update the tracked object data when a save is successful (useEffect)
A hook to prevent the window from closing/navigating if changes haven’t been saved yet (useEffect)

Here’s a simplified version:
As you can see, the code is fairly concise and more importantly it makes no mention of any UI component. This separation means we can use this hook in any part of our app using any of our existing UI components (whether old or new).

An exercise for the reader: see if you can change the hook above so that it exposes a textual label to indicate the current state of the saved object. For example if isLoading is true, maybe the label could indicate “Saving changes…” or if hasChanges is true, the text could read “Click ‘Save’ to save changes”.

Tessian is hiring!

Thanks for following me on this wild hook-based journey, I hope you found it enlightening or inspiring in some way. If you’re interested in working with other engineers that are super motivated to write code that can empower others to implement awesome features, you’re in luck! Tessian is hiring for a range of different roles, so connect with me on LinkedIn, and I can refer you!
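The useSave hook itself is not reproduced on this page. As an added example that is not Tessian’s code, the following shows the state logic such a hook encapsulates (a draft object tracked against the last saved one, `hasChanges`, `isLoading`, an error, the unload-blocking decision, and the status label from the exercise above) written as plain functions over an immutable state object, which is one way to keep the important parts testable without rendering React at all. The React wiring is assumed and not shown: the state would live in useState, `save` would go through a useFetch-style request, and `shouldBlockUnload` would drive a window “beforeunload” handler. All function names and the sample object are my own.

```javascript
// Added example (not Tessian's code): the state logic behind a useSave-style
// hook, as pure functions so it can be unit-tested without React. Wiring into
// useState / useFetch / a "beforeunload" listener is assumed and omitted.

function initialSaveState(saved) {
  return {
    saved,            // last object known to be persisted on the server
    draft: saved,     // the object as currently edited by the user
    isLoading: false, // a save request is in flight
    error: null,      // message from the last failed save, if any
  };
}

const sameObject = (a, b) => JSON.stringify(a) === JSON.stringify(b);

// Derived values the UI reads
function hasChanges(state) { return !sameObject(state.draft, state.saved); }
function controlsDisabled(state) { return state.isLoading; }
function shouldBlockUnload(state) { return hasChanges(state) || state.isLoading; }

// Transitions: each returns a new state and never mutates the old one
function edit(state, patch) {
  if (state.isLoading) return state; // controls are disabled while saving
  return { ...state, draft: { ...state.draft, ...patch }, error: null };
}

function discard(state) {
  if (state.isLoading) return state;
  return { ...state, draft: state.saved, error: null };
}

function saveStart(state) {
  if (state.isLoading || !hasChanges(state)) return state;
  return { ...state, isLoading: true, error: null };
}

// The server's response becomes the new baseline, which is the job of the
// useEffect on the fetched data in the hook described above.
function saveSuccess(state, serverObject) {
  return { ...state, saved: serverObject, draft: serverObject, isLoading: false, error: null };
}

function saveFailure(state, message) {
  return { ...state, isLoading: false, error: message };
}

// One save round-trip through `saveFn(draft) -> Promise<serverObject>` (assumed shape).
async function save(state, saveFn) {
  const started = saveStart(state);
  if (started === state) return state; // nothing to save, or already saving
  try {
    return saveSuccess(started, await saveFn(started.draft));
  } catch (err) {
    return saveFailure(started, err instanceof Error ? err.message : String(err));
  }
}

// The textual label from the "exercise for the reader"
function statusLabel(state) {
  if (state.isLoading) return "Saving changes...";
  if (state.error) return `Could not save: ${state.error}`;
  if (hasChanges(state)) return "Click 'Save' to save changes";
  return "All changes saved";
}
```

Because every transition is a pure function, the edge cases the article lists (edits ignored while a save is in flight, the unload prompt staying armed until the server confirms, a failed save leaving the draft intact so the user can retry) can each be asserted directly, without mocking React or a DOM.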