Data Loss Prevention, Human Layer Security
451 Research: Tessian Uses Machine Learning for Better DLP
Monday, May 11th, 2020
According to a new report from 451 Research, “the DLP market is ripe for change” and Tessian could be the next-generation solution organizations need to detect and prevent both inbound email attacks and outbound email threats.  Key findings from the report include: DLP is ranked at the top of a list of over 20 security categories that are expected to see a “significant” increase in spending in the next 12 months Tessian uses stateful machine learning across four different products to prevent human error on email with use cases for both inbound and outbound email threats including anti-phishing and advanced impersonation attacks, accidental data loss, and malicious data exfiltration Tessian is both complementary and competitive to traditional DLP offerings 
DLP: An Unsolvable Problem While the DLP market is saturated with products – from traditional DLP vendors like Broadcom, McAfee, Forcepoint, and Digital Guardian to newer entrants like ArmorBlox, Altitude Networks, and Code42, the consensus is that DLP is, in many ways, failing. According to the report, “DLP technology has developed a reputation as much for inaccuracy, false positives, and poor performance as it has for protecting data.” That may be why DLP remains one of the top spending priorities for IT leaders, with 13% of those surveyed by 451 Research saying they expect to see a “significant increase” in spending over the next 12 months and a further 11% saying they expect to see a “slight increase.” It’s clear organizations need a better way to prevent data loss.  Tessian believes it’s because DLP efforts aren’t addressing the real problem, which is that 88% of data breaches are caused by human error.   Tessian’s Approach to Data Loss Prevention Instead of focusing on the machine layer, Tessian focuses on the human layer and, in doing so, has developed the world’s first Human Layer Security platform.
Our Human Layer Security platform consists of four main products: Tessian Defender, which prevents advanced inbound attacks like spear phishing, Tessian Guardian, which prevents accidental data loss caused by misdirected emails, Tessian Enforcer, which prevents data exfiltration attempts on email. Organizations that implement any of these solutions also get Tessian Constructor, which allows admins to create blacklists, whitelists, and custom filters to ensure email usage remains compliant.  Each of these products applies stateful machine learning techniques to historical email messages (headers, body, and attachments) to understand relationships and establish normal behavior profiles that can be used to distinguish between safe and unsafe emails.  No rules required. According to 451 Research, Tessian succeeds in preventing data loss where others fall short.  “While [most existing DLP tools] are good at finding personally identifiable information (PII), finding and blocking actions such as employees sending files to a personal email account are surprisingly challenging and are quickly out-of-date, so predefined rules are not that effective.” You can read the full report here. Book a Demo By leveraging new capabilities in AI and machine learning, Tessian, according to 451 Research,“delivers more effective DLP” by preventing human error on email.  To learn more about how we prevent inbound and outbound email threats and why world-leading businesses like Arm, Man Group, Evercore, and Schroders trust Tessian to protect their people on email, book a demo.
Our Journey To Revamp The Tessian Values
By Tim Sadler
Monday, May 11th, 2020
As a founder, I knew from Day 1 how important our values were going to be in order to build the company we dreamed of creating. So when I began to hear murmurs late last year that not everyone at Tessian was understanding what our values meant for them, I knew it was time to investigate how our people were feeling and what we might need to do to revamp our values. To me this listening exercise was vital because our values guide everything. They aren’t aspirational words hanging on a wall that no one understands; they’re the backbone of a company. With this in mind, we went on a month-long journey of listening to our employees, and created values which are a true reflection of Tessian today. They’re actionable, intuitive and central to everything we do, from our recruitment process through to performance and development.  You can check them out in more detail below. But before I get to our revamped values, I want to tell you more about the journey we went on to make sure they truly reflected what Tessians care about. Why do company values matter in the first place? Values aren’t just a corporate thing; values are crucial for both our personal and professional lives. They’re a code we live by, they define what’s important to us, and they help us make decisions day to day. Sometimes our values are so deeply ingrained, we don’t realize we’re using them every day to make choices.  At Tessian, we’ve seen our values as a North star from the beginning. They steer our decision making, serving as a code to help us make choices, especially when it’s not obvious what we should do. They help us hire the right people, individuals who care about the things we care about and can take Tessian in the right direction.  Our values also inform our performance reviews, development conversations, and how we reward, recognize and promote our people. Our values underpin our culture.  Why did we decide to revamp our values at Tessian? We use Peakon, a tool that helps companies build and maintain engaged teams and great company cultures. It does this through employee surveys, which provide insights into how our employees feel about different things. Late last year, our Peakon data revealed a theme: our values weren’t understood by all our people.  We saw that:  People were being rewarded for different behaviors underlying our values (and these were in conflict with each other); and  Behaviors that were really important to us weren’t reflected in our values. In other words, we had a gap in our values. I wanted to do something to fix this. We ask Tessians to show up every day, living and breathing these values. If there’s confusion over what they look like in practice, we’ll all be rowing in different directions. Equally, as people join the team, if there are things that are important to us that aren’t explicitly reflected in our values, we run the risk of losing or diluting those things over time.
How did we revamp our values? We knew we needed to re-work our values. The question was: how?  The most important thing was to get input from as many people as possible from all across the business: different genders, backgrounds, functions, tenures, and levels of seniority. That was the only way we’d get the values that accurately reflect Tessian.  We started by sending out a questionnaire to the whole company to understand from a high level what was most important to us. It included questions like:  What do you think of our current values (what values do and don’t resonate)? If you could add a value, what would it be? What do you value in yourself and your colleagues?  We received a high response rate, but we wanted to dig deeper. Next, we set up 1-1s with about half of the respondents to delve deeper into their answers. We then aggregated all of this information into a pre-read to run a workshop with our Values Focus Group (this consisted of 15 people who had signed up to be our “Values advocates”). We followed this up with additional 1-1s with each of our Values Focus Group members. All of this work meant that the whole of Tessian went on this journey together; our values were crafted from the top-down and bottom-up, so had a great chance of being “sticky”.  Having gathered so much input from across the business, we then started to reformulate our values with a clear view of what was truly important to our people. Here’s an illustration of the words that came up the most during our journey that guided us in our reformulation.  
Our new values A lot of interesting things came out of the listening tour. First and foremost was the fact that there was a “gap” in our values—this became a new value called “Human First”.  This value was the most prominent finding in all of our work; time and again people said how important treating each other with kindness, respect and inclusion is at Tessian. It was so clearly part of the fabric of Tessian. It also seemed like a huge miss to not have this as we are a Human Layer Security company which believes people are the most important part of every organization. With all this in mind, we knew we had to codify it as its own value. Here are some tips we found worked for us when writing our new values: Focus on the actual words your employees are using during the discovery process, and not words that are “hot” right now in your industry or the public generally. Staying true to your employees’ language when writing your new values will help them better resonate in the end. Observe how the value is being embodied around you because so much understanding comes from the values in action; and Don’t be limited by what you think your values are, or what you think they should be. Go in with an open mind and candidly narrate the values you uncover. Without further ado, here’s the entire set of revamped values. They make me proud to be a Tessian, because I know that they reflect the real values and aspirations of all of our people. 
Human first. We approach everything with empathy and we look out for each other alongside our own wellbeing. Respect, kindness and inclusion are at the core of our company because our people are what make us Tessian. 
Customer centricity. We fixate on our customers’ success. They’re the lifeblood of our business and guide our daily decision-making. Whether we’re launching a feature, or pursuing a partnership, we always ask “How does this help our current and future customers?” 
Positive mindset. Solution oriented. We lead with a curious, positive mindset, and go above and beyond to find solutions when problems arise. When our solutions fail, they fail fast — we embrace the failure and keep learning, iterating, and improving.
Grit and perseverance. We have sustained passion for achieving long-term goals. We see setbacks as opportunities to adapt and grow. We’re committed to building resilience and have the motivation to tackle big challenges that others might give up on.
We do the right thing. We’re always honest and guided by integrity in every decision we make; with one another, with our customers, with everyone. We do what we believe is right, even when it means making difficult decisions.
Craft at speed. We work with great care and skill, sometimes at an uncomfortably fast pace. Rather than aim for perfection in one at the expense of the other, we balance attention to detail with speed of delivery.
Spear Phishing
Phishing in Retail: Cybercriminals Follow The Money
Thursday, May 7th, 2020
Retailers have always been a lucrative target for cybercriminals and their phishing scams — even more so during peak shopping times. The thing is, cybercriminals always follow the money and opportunistic hackers will find ways to cash in on spikes in consumers’ spending.  During the coronavirus lockdown, for example, global payments systems provider ACI Worldwide found that online sales for retailers dramatically increased. It reported a 74% growth in average transaction volumes in March 2020, compared to the same period the year before. However, while they saw an increase in online sales, they also saw a spike in fraudulent activity and Covid-19 phishing scams.  We see a similar trend around retailers’ busiest shopping period of the year – Black Friday.  A golden opportunity for fraudsters US shoppers spent a record $7.4bn on Black Friday in 2019, and a further $9.2bn on Cyber Monday. In the UK, Barclaycard reported that transaction value was up 16.5% in 2019, compared to Black Friday in 2018. A golden opportunity for fraudsters. When we surveyed IT decision makers at UK and US retailers, the majority told us the number of number of phishing attacks their company receives during the Black Friday weekend spikes. In fact, respondents said they receive more phishing attacks in the last three months of the year – in the lead up to the holidays – compared to the rest of the year. Consequently, one in five IT decision makers told us that phishing poses the greatest threat to their retail organization during peak shopping times. They identified phishing as a bigger threat to their business than ransomware or Point of Sale (PoS) attacks. Their reasons? They aren’t confident that their staff will be able to identify the scams that land in their inbox during these busier periods, namely because people are receiving more emails at this time and are more distracted. A third of IT decision makers in retail also told us that phishing emails are, simply, becoming harder to spot. The high price of a phishing attack The devastating consequences of falling for a phishing attack are troubling the IT leaders we surveyed. Over a third said financial damage would have the greatest impact to their business following a successful phishing attack. It’s not surprising. Today, the average cost of a phishing attack on a mid-size company is $1.6 million. For small businesses, the cost of a cyber attack stands at just over $53,000 – a devastating blow for any small retailer and one that could put them out of business. More sales, more mistakes The people-heavy nature of the retail industry is something cybercriminals prey on. Using sophisticated social engineering techniques and clever impersonation tactics, they’re counting on people making a mistake and falling for their scams.  Sadly, during busy shopping periods, mistakes are likely to happen. When faced with hundreds of orders, thousands of customers to respond to, and overwhelming sales targets, cybersecurity is rarely front of mind as people just focus on getting their jobs done. In these situations, you can’t expect people to accurately spot a phishing scam every time. New solutions needed Retailers, therefore, need to consider how they can protect their people from the growing number of phishing scams plaguing the industry — beyond training and awareness. In our report – Cashing In: How Hackers Target Retailers with Phishing Attacks – we look into the biggest threats IT leaders in the retail sector face, reveal the gaps in security that need addressing, and explain how to best protect people on email. 
Spear Phishing
How to Avoid the PPP Scams Targeting Small Businesses
By Maddie Rosenthal
Friday, May 1st, 2020
On April 27, the U.S government’s coronavirus relief fund for small businesses – the Payroll Protection Program – resumed lending, after an additional $320 billion in funding was authorized to help small businesses keep employees on the payroll. The program will provide much needed relief for small businesses, but it could also provide cybercriminals with another prime opportunity to cash in on Covid-19 related schemes. Over the last month, Tessian has identified ways in which criminals have taken advantage of the global pandemic to make their scams more effective – from impersonating remote working and collaboration tools to tricking people into clicking onto fake stimulus check domains.  We are now warning small businesses of the PPP and CARES Act scams that they could face.  Tessian’s latest research reveals that 645 domains related to the PPP were registered between March 30 and April 20, with the majority of the domains being registered in the week following the US government’s announcement on March 31.  While 85% of the domains are offline, it’s unclear how long they will remain offline for. Of the newly registered domains that are currently live: 35% were registered as multiple domains that lead users to the same website. The 31 of the grouped domains only lead people to eight websites. 28% were from different loan providers that have a separate PPP presence through an online form. Although these may not all be spammy, it’s important for people to be wary of what they’re signing up for, what information they’re sharing and any associated costs. 24% were law firms and consultants offering their services. Around 10% were “advisory,” giving businesses information about PPP in a blog style without any notable Call To Action or service. Worryingly, a recent survey by IBM X-Force found that only 14% of small business owners say they are very knowledgeable about how to access the SBA’s loan relief program. Cybercriminals will use this to their advantage, targeting those individuals seeking more information or guidance on the PPP. And although not every newly registered PPP domain may be malicious, it’s possible that these websites could be set up to trick people into sharing money, credentials or personal information.  Small businesses have been prime targets throughout the global pandemic. We’ve seen a number of spam campaigns whereby hackers impersonate the Small Business Administration (SBA) or well-respected banks to entice people into opening malicious attachments or sharing sensitive information. At this time, we urge small business owners and staff to think twice about what they share online and question the legitimacy of the emails they receive.  Our advice to avoiding the PPP scams: Be cautious about sharing personal information online. If it doesn’t look right, it probably isn’t. Understand the Call To Action on these PPP-related sites and emails you receive from them asking for urgent action or to click links.  Make sure any sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly. Never share direct deposit details or your Social Security number on an unfamiliar website. Always use different passwords when setting up new accounts on websites. And enable two-factor authentication on all the services that you use.
Data Loss Prevention
6 Examples of Data Exfiltration
By Maddie Rosenthal
Thursday, April 30th, 2020
Over the past two years, 90% of the world’s data has been generated. And, as the sheer volume of data continues to grow, organizations are becoming more and more susceptible to data exfiltration.  But, why would someone want to exfiltrate data? Data is valuable currency. From an e-commerce business to a manufacturing company, organizations across industries hold sensitive information about the business, its employees, customers, and clients. What is data exfiltration? Simply put, data exfiltration indicates the movement of sensitive data from inside the organization to outside without authorization. This can either be done accidentally or deliberately. The consequences of data exfiltration aren’t just around lost data. A breach means reputational damage, lost customer trust, and fines. The best way to illustrate the different types of data exfiltration and the impact these incidents have on businesses is with examples. Examples of data exfiltration  When it comes to data exfiltration, there are countless motives and methods. But, you can broadly group attempts into two categories: data exfiltration by someone within the organization, for example, a disgruntled or negligent employee, and data exfiltration by someone outside the organization; for example, a competitor.  Data exfiltration by insiders Data exfiltration by an insider indicates that company data has been shared by a member of the company to people (or organizations) outside of the company.   While most organizations have security software and policies in place to prevent insider threats from moving data outside of the office environment and outside of company control, insiders have easy access to company data, may know workarounds, and may have the technical know-how to infiltrate “secure” systems.  Here are three examples of data exfiltration by insiders:  Over the course of 9 months, an employee at Anthem Health Insurance forwarded 18,500 members records’ to a third-party vendor. These records included Personally Identifiable Information (PII) like social security numbers, last names, and dates of birth. After exfiltrating nearly 100 GB of data from an unnamed financial company that offered loan services to Ukraine citizens, an employee’s computer equipment was seized. Police later found out the suspect was planning on selling the data to a representative of one of his former employer’s competitors for $4,000.  Not all examples of data exfiltration are malicious, though. Some breaches happen inadvertently, like when an employee leaving the Federal Deposit Insurance Corporation (FDIC) accidentally downloaded data for 44,000 FDIC customers onto a personal storage device and took it out of the agency.  Exfiltration by outsiders Unlike exfiltration by insiders, exfiltration by outsiders indicates that someone from outside an organization has stolen valuable company data.  Here are three examples of data exfiltration by outsiders:  In 2014, eBay suffered a breach that impacted 145 million users. In this case, cybercriminals gained unauthorized access to eBay’s corporate network through a handful of compromised employee log-in credentials. At the time, it was the second-biggest breach of a U.S. company based on the number of records accessed by hackers.  Stealing login credentials isn’t the only way bad actors can gain access to a network. In 2019, malware was discovered on Wawa payment processing servers. This malware harvested the credit card data of over 30 million customers, including card number, expiration date, and cardholder name.  91% of data breaches start with a phishing email. While many phishing emails direct targets to wire money, pay an invoice, or provide bank account details, some request sensitive employee or client information, for example, W-2 forms. You can read more about Tax Day scams on our blog.  Looking for more information about data exfiltration or data loss prevention? Follow these links: What is Data Exfiltration? Tips for Preventing Data Exfiltration Attacks What is Data Loss Prevention (DLP)? A Complete Overview of DLP on Email
3 Reasons Hackers Could Help Bridge the Cybersecurity Skills Gap
By Maddie Rosenthal
Tuesday, April 28th, 2020
There are currently over 4 million unfilled positions in cybersecurity. The question is: Why? To find out, Tessian released the Opportunity in Cybersecurity Report 2020. Based on interviews with over a dozen practitioners from some of the world’s biggest and most innovative organizations (including Google, KPMG, and IBM), survey results from hundreds of female cybersecurity professionals, and quantitative research from the Centre for Economics and Business Research, we revealed that: There’d be a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK if the number of women working in cybersecurity rose to equal that of men A lack of awareness/knowledge about the industry is the biggest challenge female cybersecurity professionals face at the start of their career The industry has a major image problem. Women working in cybersecurity believe a more accurate perception of the industry in the media would be the biggest driver of new entrants  A different perspective of the same problem While we examined the growing skills gap in cybersecurity through the lens of the disproportionately low percentage of women currently working in the field, we were recently introduced to a different perspective. Hackers’.  HackerOne released The 2020 Hacker Report earlier this year and, on April 21, Tessian welcomed Ben Sadeghipour, the platform’s Head of Hacker Education, to present the key findings from the report during one of our Human Layer Security Virtual Roundtables. The message was simple: Hackers can (and do) help bridge the cybersecurity skills gap.  Now, by combining highlights from The 2020 Hacker Report with our own Opportunity in Cybersecurity Report 2020, we’ve identified 3 key reasons why hackers have the potential to make a positive impact on the industry. 
1. Hackers have the skills the cybersecurity industry needs When asked why there’s a skills gap in the industry, 47% of those women surveyed said it’s because there’s a lack of qualified talent. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Likewise, 33% of women currently working in cybersecurity say that a lack of requisite skills was the biggest challenge they faced at the start of their career. This came behind a lack of clear career development paths (43%) and a lack of awareness/knowledge of the industry (43%). !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); While a greater emphasis on STEM subjects in primary/high school, more apprenticeship programs, and cybersecurity-specific curriculums at universities would certainly help, we need to look beyond formal education. According to HackerOne’s report, “Most [43%] hackers consider themselves self-taught… since formalized cybersecurity engineering educations have yet to become common, bug bounty programs and public VDPs give promising hackers the ability to quickly learn, grow, and contribute to everyone’s increased security.” What’s more, hackers are putting these self-taught skills to use, with 78% of hackers saying they’ve used or plan to use their hacking experience to help them land a job. On top of that, the majority of hackers (59%) say they hack as a hobby or in their free time and 27% describe themselves as students.  That means a large percentage of hackers could, in theory, transition into cybersecurity. It’s important to note, too, that different cybersecurity roles attract different types of talent. We asked our survey respondents to identify the skills needed to thrive in different roles, and the results demonstrate how diverse the opportunities are. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");  
2. All hackers aren’t “bad” While a lack of requisite skills is perpetuating the skills gap, 51% of the women surveyed in Tessian’s Opportunity in Cybersecurity Report 2020 said that a more accurate perception of the industry in the media would encourage more women into cybersecurity roles. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Hillary Benson, Director, Product at StackRox and one of the contributors to our report summed it up nicely when she said, “People hear ‘cybersecurity’ and think of hackers in hoodies. That’s a bit of a caricature, maybe with some legitimacy to it—and that was even part of my own experience—but that’s not all there is.” Unfortunately, this “caricature” of hackers tends to be negative as pop culture and headlines about nation-state hacking groups have conditioned us to associate hackers with criminal or solitary activity. HackerOne even commissioned a survey of over 2,000 US adults to gauge their perception of hackers.  The survey found that 82% of Americans believe hackers can help expose system weaknesses to improve security in future versions. However, a nearly identical share said they believe hacking to be an illegal activity.  But, hackers feel confident this perception is changing for the better, with:  55% saying they see a more positive perception from friends and family 47% saying they see a more positive perception from the general public 38% saying they see a more positive perception from businesses 35% saying they see a more positive perception from the media
3. Hackers already have a strong community 23% of Tessian’s respondents said that a lack of role models was a challenge they faced at the start of their career, and a further 26% said that more diverse role models would encourage more women to enter cybersecurity roles. The impact of role models is even more important for the younger generations. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Hackers already have a strong community. Katie (@Insider_PHD) was quoted in HackerOne’s report saying “The community is super encouraging. The community is super willing to help out. It’s, as far as I’m concerned, my home.”  Likewise, Corben (@CDL) was quoted as saying “Being part of the hacker community means the world to me. I’ve met a ton of people. I’ve made a ton of friends through it. It’s really become a big part of my identity. Everyone who is a part of the community is bringing something important.” Beyond that, 15% of those surveyed got interested in ethical hacking because of online forums or chatrooms.  The bottom line is: Mentorship is important. Role models are important. Community is important. Unlike cybersecurity professionals – specifically female cybersecurity professionals – hackers have these things in abundance. Cybersecurity is more important now than ever Data has become valuable currency and ransomware attacks, phishing scams, and network breaches are costing businesses and governments billions every year. And now, with new security challenges around remote-working and a marked spike in COVID-19-related phishing attacks, cybersecurity is more business-critical than ever before. While we should continue encouraging gender diversity in cybersecurity, we should also encourage other types of diversity as well. The field is wide open for a range of educational and professional backgrounds…including hackers.  Challenge perceptions, make an impact.  Learn how cybersecurity professionals kick-started their career   So, what is cybersecurity actually like? It depends on your role within the field. And contrary to popular belief, the opportunities available are incredibly diverse.  To learn more about how the 12 women we interviewed broke into the industry, read their profiles. #TheFutureIsCyber
Human Layer Security
Ed Bishop Joins SecureWorld “Emerging Threats” Panel
Monday, April 27th, 2020
The number of cybersecurity threats is growing every day, increasing the need for comprehensive security monitoring, analysis, and communication. With the sudden explosion of remote workers, we are encountering even more challenges and reasons for concern. The attackers are taking full advantage in these trying times, and it is critical for the security community to pool our collective intel on the shifting threat landscape. On April 16 2020, Ed Bishop, co-founder and Chief Technology Officer of Tessian, joined a SecureWorld panel of industry leaders — Erich Kron, Security Awareness Advocate for KnowBe4, Elvis Chan, Supervisory Special Agent from the FBI, and Mark Lance, Senior Director of Cyber Defense for GuidePoint Security — to discuss emerging threats being experienced in the wild, and strategies for staying ahead of cybercriminals. The panel was hosted by Bruce Sussman, Director of Content and host of weekly podcast, The SecureWorld Sessions. Listen to the full session below:
Below is a truncated transcript of Ed’s responses to Bruce’s questions. Bruce Sussman:  What do you see as new or growing security vulnerabilities in the rush to work remotely? Ed Bishop:  Yeah, I was just going to chip in and just say with the work from home I think it’s really important to highlight how much of a change this is for the individuals as well. It’s not just about the technology. People’s lives have been turned upside down and everything is super uncertain. And what we’re seeing is people are just trying to take advantage of that with COVID-19-related attacks. They’re specifically targeting that uncertainty and the fact that people’s technology stacks are changing and that they’re expecting to get emails about new video conferencing or VPN software, and I just think it’s important to bring it back to thinking about the people or the end users and not just focusing on the technology and really this is where we’re going to stop getting security vulnerabilities. People just attacking that uncertainty and taking advantage of it. Bruce Sussman:  What do you see as current or emerging human-caused security risks on email? Ed Bishop:  We’re seeing a lot of emerging threats. I actually think it’s interesting because I think maybe a lot of these threats have existed for a long time, and it’s just been considered the cost of doing email. If you want to send email, you need to open yourself up to phishing attacks and you need to open yourself up to data exfiltration etcetera. And it’s only recently in the last five years that we’ve been thinking about this as the real threat and then we’re seeing these threats get more and more advanced. And that’s why I think we’re seeing the emergence of the term emerging. So yeah I think you break it down into how to think about a new threat… it’s about the Human Layer. People make mistakes on email so that means you can basically just accidentally send an email to absolutely anyone with very sensitive information. That’s one of the number one reported data incidents to Information Commissioner’s office in the UK. People break the rules and this is around all kinds of data exfiltration. It’s about doing things on email that they’re not supposed to do. And then finally what we’ve just been discussing is people can get tricked into this and we’re seeing this a lot with COVID-19 attacks. But specifically this is all about Human Layer problems. It’s about understanding how people work, it’s about understanding their behaviors, it’s understanding their historical email data sets. Really it’s the only way that you can actually go about starting to tackle these emerging trends. We believe that kind of rule-based technologies play a good job at tackling standard threats, but for the emerging threats, the advanced threats, that we’re seeing today. You really need to take a different approach and that’s about understanding people, understanding their data points and really using and leveraging technologies like machine learning to be able to tackle these advanced threats. Bruce Sussman:  What role will Artificial Intelligence play in cybersecurity and any ideas on how criminals also use AI? Ed Bishop:  Tessian obviously is a machine learning company on the defense side so we think there’s a huge role to play for AI in detecting some of these emerging threats if we just bring it back to one of the core topics of this panel: email. I would say that there’s just so much work still to be done on the defense side that attackers don’t even need to be thinking about AI on the offense side. It is quite frankly far, far too easy to send very convincing impersonation emails taking advantage of COVID-19 and just bypass existing technologies and get straight to the end user to take advantage of those human vulnerabilities and social engineering. Although we’re seeing very interesting things, I think DeepFake is a great example of where it’s truly being used on the offensive side. If we take it back to email where 91 percent of all cyberattacks originate, I think we’re going to see a lot of work on the defense side where attackers can just be using really simple phishing kits to bypass existing solutions. Bruce Sussman:  Interesting and so that’s why we have to have to the machine learning in an AI on defense. Is that what you’re saying? Ed Bishop: Exactly. I think the legacy approach to tackling things like phishing and business email compromise is really predominately like Blacklist Space, where you have to assume the attack in a number of accounts or using basic respects or rules and quite frankly it seems if you introduce rules people are going to break those rules. Rules are made to be broken and attackers are constantly playing this game of cat and mouse. So yeah it’s all about defense, it’s understanding people, it’s understanding how they operate, what normal looks like for those end users and training machine learning models then that can detect people sending advanced impersonation emails. Bruce Sussman:  Are insider threats becoming more of a danger with the pandemic? Ed Bishop:  Yeah, I think that’s a great point that’s been mentioned. Obviously data exfiltration has been painted with quite a negative kind of brush and rightly so. But data exfiltration also covers people who aren’t necessarily being malicious, but they’re just trying to do that job and accidentally essentially breaking that IT policy.  So to give you an example you’re working from home, how you’re going to print something? Are you going to go through the headache of trying to set up your home printer with your work computer even though USB is disabled, Bluetooth disabled? You know what you’re probably going to do is you’re just going to forward that email to your freemail account, go onto your personal device and print it. You just exfiltrated data. Your data maybe travel to another jurisdiction just due to that event. We are seeing a trend of not necessarily malicious data exfiltration but definitely an increase in data exfiltration because people are trying to do their job effectively. And their workforce hasn’t provided them with the technology to do that so they’re always going to just go to the path of least resistance, which is often exfiltrate data to their personal email accounts. Bruce Sussman:  There are plenty of examples where the traditional cybersecurity methods prove ineffective. Why is this and will attackers always be a step ahead? Ed Bishop:  I think it’s a great point like why does it always feel like that they’re a step ahead. Remember that I think we always try and think of it at Tessian as a numbers game for the attacker: they can send 1000 emails and they only need one email for you to click that link, or for you to wire that money. Don’t forget that they probably sent 9999 other emails that were unsuccessful. But the point is all they need is one email to be successful and that’s why you will always hear about data breaches in the news and in the press. I think bringing it back to why traditional data security methods are ineffective, it really just comes down to this the game of cat and mouse. Putting myself in the shoes of the attacker, if I can go onto a security vendor’s website and go on to that WIKI and see how to set up policies that are rule-based, what are the attackers going to do going to? They’re going to send an attack that just flies past those rules because they just got an expose what that technology is looking for and how they can prevent it. I just also highlighted another kind of, I guess, traditional cybersecurity method, which is effective to some degree: Training and Awareness. But I think far too many companies rely on that as a silver bullet and again attackers know this. They know what people are trained against, they know the types of threats that people are trained against but there are just such sophisticated attacks out there that we cannot rely on people to detect. We need technology to do a better job and really understand kind of what normal looks like and be able to spot those anomalies.
Data Loss Prevention, Human Layer Security
A Complete Overview of DLP on Email
By Maddie Rosenthal
Monday, April 27th, 2020
Data Loss Prevention is a vital part of security frameworks across industries, from Healthcare and Legal to Real Estate and Financial Services. There are dozens of different DLP solutions on the market, each of which secures data differently depending on the perimeter it is protecting. There are three main types of DLP, including: Network DLP Endpoint DLP Email DLP While we’ve covered the topic of Data Loss Prevention broadly in our blog What is DLP?, we think it’s important for individuals and larger organizations to understand why email is the most important threat vector to secure and how Tessian approaches the problem of data loss on email differently.  
Why is DLP on email important? Billions of email messages are sent every day to and from organizations. Contained within many of these emails is highly sensitive information including personal details, medical records, intellectual property, and financial projections. Businesses, institutions, and governments rely on being able to share sensitive data with the right people how and when they want. But, at the same time, they also need to ensure data isn’t put at risk, whether through careless mistakes or intentional exfiltration.  Once data leaves your organization, you lose control of it and now, with compliance standards like HIPPA, GDPR, and CCPA, organizations face greater consequences in the event of a data breach, including:  Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation  And, with employees being busier than ever, it’s easier to make mistakes, for example typing the wrong email address when sending an email, or emailing a document to a personal account and raising the chance of that data being compromised. Interested in Why People Make Mistakes? Click the link to read our report. Importantly, though, mistakes are just one of the main causes of data loss on email.
What are the main causes of data loss on email? The biggest risk to data security usually comes from within organizations. While few employees mean their company harm, the transfer of huge amounts of information every day by busy people means that mistakes happen, some with great cost to organizations’ reputations and balance sheets. People pose three main risks to their employers: they make mistakes, they can be hacked or tricked, and they can choose to break the rules. Mistakes People regularly send the wrong thing to the right person or, alternatively, the right thing to the wrong person. This is known as misdirected email. For example, an employee who means to send a spreadsheet of financial projections to Jean Smith who works for the firm’s accounting partner, but accidentally sends it to John Smith who works for a different firm entirely. Being tricked “Bulk” phishing, malware and ransomware scams, where employees are deceived or coerced into sending data or money, are increasingly common. But a bigger threat comes from spear phishing emails; these are targeted attempts by sophisticated attackers who have researched genuine business relationships to launch highly convincing attacks. This could manifest, for example, in a cybercriminal impersonating a real supplier claiming to need urgent payment to process an order. Breaking the rules At the extreme end, this could be an employee deliberately selling company secrets to competitors. But it may also be the result of ignorance: for example, the lawyer who sends a spreadsheet to his personal email on a Friday to get some work done over the weekend. Some cases may need disciplinary procedures, others a simple reminder that this is not allowed. But every instance places data at risk and must be stopped before the information leaves the organization. All of these circumstances pose tremendous risks. Even if 99% of information sharing is secure, it only takes one rushed email to the wrong person to expose sensitive data and raise the chance of data loss or data exfiltration. DLP aims to minimize the chance of any of the above happening by catching sensitive information before it reaches the wrong person.
How can DLP for email protect an organization? Based on the main causes of data loss on email, there are two threats DLP must account for: Accidental Data Loss: To err is human. For example, an employee might fat finger an email and send it to the wrong person. While unintentional, this mistake could and has led to a costly data breach. DLP solutions need to be able to flag the email as misdirected before it’s sent, either by warning the individual or automatically quarantining or blocking it. Malicious Exfiltration: Whether it’s a bad leaver or someone hoping to sell trade secrets, some employees do, unfortunately, have malicious intent. DLP solutions need to be able to identify data exfiltration attempts over email before they happen in order to prevent breaches.
The limitations of rule-based DLP Unfortunately, DLP – especially rule-based DLP – can be a blunt instrument. These solutions include: Blocking accounts/domains Blacklisting email addresses Tagging data Not only is creating and maintaining the rules that police data within an organization time-consuming for administrators, but, oftentimes, these rules don’t succeed in preventing data exfiltration or accidental data loss. Why? New threats can evade pre-existing rules and employees or hackers can find workarounds. Rules simply don’t reflect the limitless nuances of human behavior and data loss is a human problem: it is people that share data and it is their actions that lead to data getting lost. To accurately detect when data loss is about to happen, you actually need to understand the context behind the action an employee is taking, rather than just the content that’s being shared. You can read more about the Drawbacks of Traditional DLP on Email here. How does Tessian’s email DLP solution work? While IT and security teams could work tirelessly to properly deploy and maintain rule-based DLP solutions to detect potential threats and limit the exposure of sensitive data, there’s a better, smarter way. Human Layer Security. Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our contextual machine learning models analyze historical email data to understand how people work and communicate. They have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real-time if particular emails look like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. Do I need an email DLP solution? Each organization has different needs when it comes to DLP. But, email DLP is more important now than ever, especially with misdirected emails being the number one incident reported under GDPR.  But, it’s important to consider the biggest problems in your own organization, ease-of-deployment, and internal resources when choosing a solution. If your biggest concern is data exfiltration and you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Enforcer may be right for you. If your biggest concern is accidental data loss and – again – you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Guardian might be for you.
Data Loss Prevention
The Drawbacks of Traditional DLP on Email
By Maddie Rosenthal
Friday, April 24th, 2020
For many organizations, Data Loss Prevention (DLP) is at once one of the most important components of their security framework and the biggest headache for administrators. Why? Because most risks to data security actually come from within an organization, which means security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network. This includes user devices like laptops and mobile devices, email clients, servers, and gateways within the network. While “DLP” applies to more than email, email has become one of the most important vectors to safeguard.
Why is email the number one threat vector for data loss? Employees spend 40% of their digital time on email sending memos, spreadsheets, invoices, and other sensitive information and data (structured and unstructured alike). When you combine this with the fact that the underlying technology behind email hasn’t evolved since its inception and its ease-of-access – email accounts today are accessible on laptops, smartphones, tablets, smartwatches and even cars – it’s easy to see why 90% of data breaches start on email. A major US health insurance provider had to pay out $115 million in a class-action lawsuit after an employee stole the data of over 18,000 members over the course of nine months. How? Via email. The data exfiltrated included the members’ ID numbers, names, social security numbers, and other personal information.  Of course, not all incidents of data loss make headlines. According to Tessian data, over 700 misdirected emails are sent in organizations with 1,000 people every year.  This goes to show that businesses must be vigilant in assessing risk around both data loss and data exfiltration and, in doing so, must implement security measures that decrease their likelihood of suffering a breach. Unfortunately, that’s easier said than done. Data sent through email is hard to regulate As security leaders know, preventing data loss requires not only advanced security tools but also buy-in from the entire organization. Here are three reasons why data sent through email is hard to regulate:  Billions of emails are sent and received every day. According to research, over 124 billion business emails are sent and received every day. That means it’s virtually impossible for IT teams – often resource-constrained themselves – to monitor all of those emails for incidents that could (or do) result in data loss.  Organizations hold a lot of data. Whether it’s employees’ social security numbers, insurance policies for clients, or bank account details for suppliers, organizations across industries deal with more data than most of us can imagine. What’s more, it’s stored in various ways, from spreadsheets to project proposals. Limiting access to this data is one solution, but IT teams run the risk of limiting employee productivity in doing so. People make mistakes and break the rules. Human error is the number one cause of breaches under GDPR. Whether it’s an employee sending an email to the wrong person or a disgruntled employee intentionally exfiltrating data, there are numerous ways in which sensitive data can fall into the wrong hands. Unfortunately, to err is human and even training can’t eliminate this risk entirely.  Data vs. human behavior When you consider the objective of DLP, you realize there are two distinct approaches to take. Data-centric approach: Rule-based solutions use the content of an email to perform analysis. These rules consider keywords, attachments, seniority level, and even the role or department of an employee to identify sensitive information and keep it within the organization. Human-centric approach: Instead of focusing only on the data, human-centric approaches like those offered by Tessian seek to understand complex and ever-evolving human relationships in order to protect sensitive information. While both approaches have their merits, there are some clear shortcomings to a data-centric approach.
Why current DLP solutions are failing There are several different approaches organizations can take in preventing data loss. But, given the fact that security breaches have increased by 67% in the last five years, it’s worth noting the drawbacks of each solution.  Blocking accounts/domains: In this approach, particular domains (particularly free mail domains like @gmail.com or @yahoo.com) are blocked by the company. Why? These emails will undoubtedly be attached to people outside of the organization and, oftentimes, are actually the personal email accounts of employees themselves. Drawbacks: There are legitimate reasons to send and receive emails from people or organizations outside of your company’s network and with “freemail” domains. Employees might need to communicate with a client or manage freelancers. They may also simply be trying to send documents “home” to work after hours or over the weekend. Unfortunately, it’s not difficult for employees to find workarounds, regardless of their intentions.  Blacklisting email addresses: Security teams can create a list of non-authorized email addresses and simply block all emails sent or received.  Drawbacks: Because blacklisting requires constant updating, it’s very time- and resource-intensive. Beyond that, though, this is a very reactive measure. Email addresses will only be added to a blacklist after they’ve been known to be associated with unauthorized communications, which means data exfiltration attempts may be successful before IT and security teams are able to take steps towards remediation.  Focusing on Keywords: This method uses words and phrases to alert administrators of suspicious email activity. For example, IT and security teams can create rules to identify keywords like “social security numbers” or “bank account details”, which will then signal an email should be quarantined or blocked before sent. Drawbacks: The person trying to exfiltrate data – like social security numbers or bank account details – can circumvent keyword tracking tools by sending the email and the attached data in an encrypted form. Tagging Data: After classifying data, an organization may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network.  Drawbacks: Again, this system is time- and resource-intensive and relies on employees accurately identifying and tagging all sensitive data. Data could be misclassified or simply overlooked, allowing it to move freely within and out of a network. Additionally, employees often get fatigued with enforced tagging which could lead to default tagging everything as sensitive.  You can find more information about email tagging in this guide. The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules. That means that the more effective solution is one that’s adaptable and can discern the variations in human behavior over time. A solution like this relies on machine-intelligent software that learns from historical email data to determine what is and isn’t anomalous in real-time. What’s the best solution? Tessian uses contextual machine learning to prevent data exfiltration. Our machine learning models look at evolving patterns in data and constantly reclassifies email addresses based on changing relationships between employees and third-parties like vendors and suppliers.  This way, Tessian can determine whether a communication is legitimate information sharing or exfiltration. To learn more about data exfiltration and how Tessian is helping organizations like Arm keep data safe, talk to one of our experts today.
Compliance, Data Loss Prevention
5 Things Every CISO Should Know About CCPA’s Impact on Their InfoSec Programs
Friday, April 24th, 2020
The California Consumer Privacy Act (or “the CCPA” for short) is California’s new data privacy law that came into effect on January 1, 2020.   This is the first of its kind in the US, and it’s going to impact your InfoSec program.  The purpose of this new law from a privacy perspective is to give consumers greater control over their personal information (PI). How? By giving consumers key privacy rights. You may be familiar with some of these rights, including: The right to know what PI a business is collecting about you  The right to know what these businesses do with that PI (via a privacy notice) The right to request access to that data  The right to have PI deleted  But, some rights are new, including: The right to request a business stops “selling” your PI The right to not be treated differently when making such a request While it’s essential consumers know their rights, security and compliance leaders need to pay attention, too. After all, failure to comply will result in fines up to $7,500 per violation.  So, if you’re a CISO, here’s everything you need to know about CCPA. The CCPA is one of the strictest consumer privacy laws in the US and it’s become the new standard Unlike Europe, the US doesn’t have a federal consumer privacy law. Instead, the US privacy landscape is made up of a smattering of both state and sectoral laws. As the CCPA ties enforcement to “California residents”, it may apply to services provided outside of California to Californians. Because it’s virtually impossible to know with absolute certainty who or where your customers are, it can become tricky to determine who you offer CCPA rights to and who you don’t. The result? Many companies have given CCPA rights to everyone.
The CCPA includes an obligation for your infosec program Indeed, when it comes to security, the CCPA only specifies that a business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” it processes.   Importantly, though, what those “reasonable” security procedures are and how they differ based on the information involved remains undefined.   But, what we do know is that if your business experiences a data breach and a Californian consumer’s PI is taken by an unauthorized person, your business could be on the hook for failing to implement reasonable security procedures. In addition to fines, the CCPA grants Californian consumers the right to sue you. This is called a private right of action.  While there is still much to be determined as to what “reasonable” means, the onus rests on you, as CISO, to review your infosec program and make sure you’re comfortable you’re doing your best to reach this “reasonable” standard. Looking at the NIST (800-53 or CSF), ISO 27001, and CIS controls are a great place to start.  The bottom line: businesses need to protect their data. Implementing a DLP solution is a necessary step all businesses need to take.
If a data breach happens on your watch, you may be held responsible for damages Statutory damages are new for Californian data privacy law.  Now, consumers can sue you for a data breach and they don’t have to show harm, meaning we could see a rise in data privacy class actions.   This CCPA private right of action promises to shake up the data breach class action landscape in which such actions have generally been settled for small amounts or dismissed due to lack of injury. Because, demonstrating and quantifying damages caused by a data breach can be difficult to show. With the CCPA, companies are vulnerable to potentially staggering damages in relation to a breach. Of course, this is in addition to revenue loss, damaged reputation, and lost customer trust. The CCPA allows consumers to seek statutory damages of between $100 and $750 (or actual damages if greater) against a company in the event of a data breach of PI that results from the company’s failure to implement reasonable security procedures. Putting this into context, a data breach affecting the PI of 100 California consumers may result in statutory damages ranging from $10,000 to $75,000, and a data breach affecting the PI of one million California consumers may result in statutory damages ranging from $100 million to $750 million.  These potential statutory damages dwarf almost every previous large data breach settlement in the US, and have the potential to see higher awards than we’ve seen with GDPR. It’s worth noting, though, that there is a 30-day cure period in which businesses can in some way remedy a data breach after receiving written notice from the consumer.  But, because the CCPA doesn’t define “cure,” it’s unclear how a business can successfully “cure” data security violations.  Prevention is better than cure. Your best chance of avoiding a breach and/or hefty fines afterward is to ensure your business has ‘reasonable’ security procedures implemented, including policies and other DLP solutions. While cybersecurity ROI is notoriously hard to measure, it’ll no doubt pale in comparison to the cost of a breach.  Learn how to communicate cybersecurity ROI to your CEO here. A successful private right of action by a consumer only applies to certain PI A couple of things need to happen before a Californian consumer can pursue this private right of action, including: The right only applies to data that is not encrypted or redacted. In other words, de-identified data or encrypted data is not subject to the private right of action or class action lawsuit.   The right only applies to limited types of PI – not the expansive definition found in the CCPA. This is a much more limited definition of PI than contemplated by the CCPA and, in practice, the majority of businesses’ data stores will not include this level of sensitive data.  The right does not apply if there has only been unauthorized access to data. There must also be exfiltration. This means that unsecured access to a cloud storage system on its own will not give rise to the right. There must also have been theft and unauthorized disclosures. For example, by an insider threat or nefarious third-party.   The harm to the consumer must flow from a violation of the business’s duty to implement reasonable security procedures. It will, therefore, be key for businesses to show a documented assessment of their security procedures in light of CCPA and to ensure a robust security program is in place to protect against data loss. If you are GDPR compliant, your infosec program is likely compliant The GDPR, somewhat similar to the CCPA, is vague when it comes to cybersecurity.  It makes data security a general obligation for all companies processing personal data from the European Union (EU) by requiring controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”.  This means that companies controlling or processing EU personal data should have implemented comprehensive internal policies and procedures to be in compliance with the GDPR. This likely makes them CCPA-ready, but IT leaders should still review their security programs. The most important thing to know is that businesses affected by the CCPA will now be responsible for not only knowing what data they hold, but also how it’s controlled. In order to ensure compliance, the first step should be revisiting your cybersecurity program. And, while it may be surprising to some, cybercriminals actually aren’t your biggest threat when it comes to data loss. It’s actually your own employees. After all, it’s your people who control all of the data within your organization. But, you can empower them to work securely and prevent data loss with Tessian.
Prevent data loss with Tessian To err is human which means your employees may make mistakes that could lead to a potential breach under CCPA.  Traditionally legacy technology has leveraged hardware and software focused on the machine layer to fight cybersecurity risks. This, of course, doesn’t address the biggest problem, though: The Human Element.  Tessian leverages intelligent machine learning to secure the Human Layer in order to understand human relationships and communication patterns. Once Tessian knows what “normal” looks like, Tessian can automatically predict and prevent dangerous activity, including accidental data loss and data exfiltration.  People shouldn’t have to be security experts to do their job. Taking advantage of Tessian solutions can help your organization mitigate your employee’s mistakes and keep them productive which is a key component of a robust security program.
Customer Stories
Keeping Sensitive Client Data Safe
Monday, April 20th, 2020
With a strong focus on protecting client data, leading international legal business, DAC Beachcroft LLP has adopted Tessian’s machine intelligent email security platform to support the firm’s new cyber security strategy. Being deployed across its offices in Europe, Asia Pacific and Latin America, the platform will help prevent the firm’s 2,500 employees from sending misdirected emails that could potentially lead to loss of confidential client data. DAC Beachcroft LLP is leading the move towards legal firms becoming more digitally focused with security being at the forefront of that movement. It looked to Tessian to offer a platform that would not only give employees peace of mind when handling sensitive client data but allowed staff to be more flexible when using email on the move across any device or operating system (OS). The platform also delivered a solution that was quick to install with minimal disruption and was easy to use for busy lawyers and support teams alike. “Our staff deal with highly sensitive client data on a daily basis and we wanted to be able to support the teams to work with that personal information confidently without the fear of a data breach,” comments, Andrew Keith, COO, DAC Beachcroft LLP. “Just by having the Tessian platform in place has significantly reduced risks at DAC Beachcroft LLP within just four weeks. It captures what could potentially be a massive data breach, and the benefits have been almost immediately recognized by all at the firm.” David Aird, IT Director DAC Beachcroft LLP, continues; “Our lawyers are busy with client work, and the simplicity of the platform has meant they and their support staff don’t have to worry about simple human errors such as entering the wrong email address.  The Tessian platform stood out from other solutions on the market because its machine learning approach meant we could automatically protect the firm from misdirected emails, unauthorized emails and non-compliance on the network.” Tessian uses machine intelligence to understand normal email communication patterns in order to automatically identify email security threats, without the need for end user behavior change or pre-defined rules and policies. “DAC Beachcroft LLP is one of the leading legal firms to create a digital environment for its network. The firm has invested time and money in the best security solutions to protect client data and its staff from potential serious email breaches. We’re delighted to be part of that move to become a secure digital business and see a long partnership ahead,” comments Tim Sadler, CEO of Tessian. Learn more about how Tessian prevents human error on email Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.
Data Loss Prevention
How to Communicate Cybersecurity ROI to Your CEO
Monday, April 20th, 2020
CIOs, CISOs, and other IT leaders have a long list of internal and external factors to consider when putting together a cybersecurity strategy. If the ever-evolving threat landscape wasn’t challenging enough to keep up with on its own, there’s also a growing number of privacy regulations and compliance standards to satisfy and a market that’s more saturated with products than ever before. There’s also the issue of budgets. Oftentimes, it’s difficult to measure and communicate cybersecurity ROI which means justifying security investment can be challenging, especially when most organizations are facing significant budget cuts in light of COVID-19. Cybersecurity is, however, a business-critical function. It’s not a nice-to-have, but a must-have.  We’ve put together 3 tips to help you demonstrate the business value of cybersecurity solutions and get buy-in from your CEO.
Reframe cybersecurity solutions as business enablers While cybersecurity has historically been a siloed department, it’s becoming more and more integrated with overall business functions.  To see how far-reaching the implications of a cybersecurity strategy are, let’s consider the consequences of a data breach:  Lost data Lost intellectual property Revenue loss Losing customers and/or their trust Regulatory fines Damaged reputation These consequences directly affect a business’s bottom line.  But, cybersecurity solutions don’t have to be limited to prevention or remediation. In fact, cybersecurity can actually enable businesses and become a unique selling point in and of itself.  With regulations like HIPAA, CCPA, and GDPR dictating how organizations handle sensitive data, your cybersecurity framework can actually support growth by being a strong competitive differentiator. By investing in cybersecurity tools and personnel and being transparent about how your organization protects data, you’ll actually bolster credibility and trust amongst prospects and existing customers and clients.
Lead with facts and figures specific to your organization A critical aspect of communicating ROI is evidence. It’s important you come armed with the right evidence and, whenever possible, quantify the threats and the risk.  For example, you could start with the more general statistics that 90% of data breaches start on email and that misdirected emails were the number one incident reported under GDPR. Then you could use Tessian’s Breach Calculator to determine your organization’s potential exposure. According to our data, on average, 707 misdirected emails are sent every year in businesses with 1,000 people. Referencing this specific number will make the risk more tangible and the need for a solution more urgent.  Likewise, if you’re pitching for new inbound email security solutions, a phishing simulation could help demonstrate the likelihood of a successful attack. Or, if you need to make a case for network vulnerabilities, hiring a penetration tester could help prove that there are, in fact, chinks in your armor.  Curious how many misdirected or unauthorized emails are sent in your organization? Book a demo to find out. 
Engage with the larger organization Communicating the value (and necessity) of cybersecurity measures to your larger organization isn’t easy. Not only are technical risks hard to translate across departments, but policies and procedures can often be seen as a hindrance to employee productivity.  But, if you can engage with the larger organization and create a positive security culture, you’ll have a better chance of getting buy-in from C-level executives. How? More and more, CISOs are relying on gamification, positive reinforcement, and interactive content like videos and podcasts to promote their strategies. Whatever the method or medium, the most important thing is that risks and responsibilities – which the entire organization bears the burden of – are communicated so that everyone, regardless of department or level of seniority, can understand.  The benefits of this are two-fold. Not only will you demonstrate the value of cybersecurity via in-house evangelists, but you’ll also empower security-aware employees to become your biggest cybersecurity asset. (You can read more about the importance of empowering your people and protecting the Human Layer here.) This, in turn, helps your overall objective to prevent data loss and data exfiltration. Get more advice from security leaders for security leaders Ultimately, communicating security ROI relies on translating cyber risk to business risk, and making security a guiding principle for your larger organization. This is more important today than ever with new risks and challenges related to remote-working.  Looking for more advice? We constantly update our blog with new tips and best practices around security. We also found this article: The 5-Step Framework for CISOs Starting in a New Company very helpful, especially when it comes to negotiating budgets and delegating risk owners.
Page