Human Layer Security
June Human Layer Security Summit: Meet the Speakers
By Maddie Rosenthal
Monday, May 17th, 2021
Calling all cybersecurity trailblazers! Tessian’s quarterly flagship is back on June 3 with our best agenda yet. Hundreds of security, compliance, and business leaders have already saved their spot to learn more about human-centric security strategies, get first-hand insights from industry heavy-weights, and engage with peers through Q&As and a live chat function.

What’s on the agenda?

With over a dozen speakers across six sessions, we’ll be exploring:
- How to scale your enterprise security programs
- What CISOs can do to prevent the next SolarWinds attack
- How to prove the ROI of security and effectively communicate value to different stakeholders
- And much more…

Keep reading to learn more about our speakers and partners.

Meet the speakers

While we don’t want to give all the surprises away just yet, we can share a sneak peek of 7 speakers joining us on June 3. Make sure to follow us on LinkedIn and Twitter and subscribe to our weekly newsletter for the latest updates, including detailed information about each of the nine sessions.

Bobby Ford, Senior Vice President and CSO at HP: Bobby – who has joined us as a speaker once before – has an incredible wealth of experience. He’s held senior security leadership titles at organizations across industries, including government, consumer goods, healthcare, and now technology. And, having secured organizations with hundreds of thousands of employees, he truly knows how to implement successful security strategies at the enterprise level.

Punit Rajpara, Global Head of IT and Business Systems at GoCardless: Having led IT and security teams at Uber, WeWork, and now GoCardless, Punit has a proven track record of scaling security at hyper-growth companies. His goal? To ensure security is a business enabler, not a blocker, and to change security’s reputation amongst the C-suite and employees. He’ll be sharing insights into how he delivers IT as a partnership and a service to the business.

Ian Bishop-Laggett, CISO at Schroders Personal Wealth: Now leading InfoSec at Schroders Personal Wealth, Ian has been working in financial services in security roles for over 10 years. That means he’s in the perfect position to talk about risks unique to the industry and the specific challenges human layer risks pose.

Jerry Perullo, CISO at ICE | New York Stock Exchange: With over 25 years of experience in cybersecurity, Jerry has an impressive resume. He’s served as the CISO of NYSE: ICE for 20 years, currently sits on the Board of Directors for FS-ISAC and the Analysis and Resilience Center (ARC) for Systemic Risk, and is the Founding Vice-Chair of the Global Exchange Cybersecurity Working Group under the World Federation of Exchanges.

Katerina Sibinovska, CISO at Intertrust Group: Katerina has a background in law, a passion for tech, and holds a number of IT and compliance certifications, including the CRISC and the GDPR F. Before graduating to CISO at Intertrust Group, she was the Head of IT Change & Compliance, and has a proven track record of balancing security with business operations and strategy.

James McQuiggan, Security Awareness Advocate at KnowBe4: In addition to being a Security Awareness Advocate at KnowBe4, where he trains and engages with employees and security leaders about the importance of security awareness training, James also teaches Identity Security at a collegiate level and is the Education Director for the Florida Cyber Alliance. On June 3, he’ll be identifying key strategies to help you improve your training programs.

Samy Kamkar, Renowned Ethical Hacker: As a teenager, Samy released one of the fastest-spreading computer viruses of all time. Now, he’s a compassionate advocate for young hackers, a whistleblower, and a privacy and security researcher.

To learn more about our speakers and their approaches to cybersecurity, save your spot now and join a community of thousands on June 3. If you can’t make it on the day – don’t worry. You’ll be able to access all the sessions on-demand if you sign up.

Want to get a sneak peek of what you can expect on June 3? You can watch sessions from previous Human Layer Security Summits on-demand here.
Human Layer Security, Spear Phishing
Must-Know Phishing Statistics: Updated 2021
By Maddie Rosenthal
Monday, May 17th, 2021
Looking for something more visual? Check out this infographic with key statistics.
The frequency of phishing attacks

According to the FBI, phishing was the most common type of cybercrime in 2020, and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019 to 241,324 incidents in 2020. The FBI said there were more than 11 times as many phishing complaints in 2020 compared to 2016.

According to Verizon’s 2021 Data Breach Investigations Report (DBIR), phishing is the top “action variety” seen in breaches in the last year, and 43% of breaches involved phishing and/or pretexting.

The frequency of attacks varies industry by industry (see the key statistics about the most phished industries below). But 75% of organizations around the world experienced some kind of phishing attack in 2020. Another 35% experienced spear phishing, and 65% faced BEC attacks.

But there’s a difference between an attempt and a successful attack. 74% of organizations in the United States experienced a successful phishing attack. This is 30% higher than the global average, and 14% higher than last year.

ESET’s Threat Report reveals that malicious email detections rose 9% between Q2 and Q3, 2020. This followed a 9% rise from Q1 to Q2, 2020.

⚡ Want to learn how to prevent successful attacks? Check out this page all about BEC prevention.

How phishing attacks are delivered

96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing, and when it’s done via text message, we call it smishing.

According to SonicWall’s 2020 Cyber Threat Report, in 2019 PDFs and Microsoft Office files (sent via email) were the delivery vehicles of choice for today’s cybercriminals. Why? Because these files are universally trusted in the modern workplace.

When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%).
The most common subject lines

According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks are:
- Urgent
- Request
- Important
- Payment
- Attention

Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4, 2020:
- IT: Annual Asset Inventory
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Stimulus Cancellation Request Approved
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required
The prevalence of phishing websites

Google Safe Browsing uncovers unsafe URLs across the web. The latest data shows a world-wide web rife with phishing websites. Since 2016, phishing has replaced malware as the leading type of unsafe website. While there were once twice as many malware sites as phishing sites, there are now nearly 75 times as many phishing sites as there are malware sites.

Google had registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). This compares to malware sites rising from 21,803 to 28,803 over the same period (up 32%). Here you can see how phishing sites have rocketed ahead of malware sites over the years.
Further reading: ⚡ How to Identify a Malicious Website

The most common malicious attachments

Many phishing emails contain malicious payloads such as malware files. ESET’s Threat Report reports that in Q3 2020, these were the most common types of malicious files attached to phishing emails:
- Windows executables (74%)
- Script files (11%)
- Office documents (5%)
- Compressed archives (4%)
- PDF documents (2%)
- Java files (2%)
- Batch files (2%)
- Shortcuts (>1%)
- Android executables (>1%)

You can learn more about malicious payloads here.

The data that’s compromised in phishing attacks

The top three “types” of data that are compromised in a phishing attack are:
- Credentials (passwords, usernames, PIN numbers)
- Personal data (name, address, email address)
- Medical (treatment information, insurance claims)

When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:
- 60% of organizations lost data
- 52% of organizations had credentials or accounts compromised
- 47% of organizations were infected with ransomware
- 29% of organizations were infected with malware
- 18% of organizations experienced financial losses
The cost of a breach

According to IBM’s Cost of a Data Breach Report, the average cost per compromised record has steadily increased over the last three years. In 2019, the cost was $150. For some context, 5.2 million records were stolen in Marriott’s most recent breach. That means the cost of the breach could amount to $780 million. But the average breach costs organizations $3.92 million. This number will generally be higher in larger organizations and lower in smaller organizations. According to Verizon, organizations also see a 5% drop in stock price in the 6 months following a breach.

Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion, far more than via any other type of cybercrime. And this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter.

This cost can be broken down into several different categories, including:
- Lost hours from employees
- Remediation
- Incident response
- Damaged reputation
- Lost intellectual property
- Direct monetary losses
- Compliance fines
- Lost revenue
- Legal fees

Costs associated with remediation generally account for the largest chunk of the total. Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.

The most targeted industries

Last year, Public Administration saw the most breaches from social engineering (which caused 69% of the industry’s breaches), followed by Mining and Utilities and Professional Services. But, according to another report, employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year.
According to yet another data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest-risk industries.

The industries most at risk in companies with 1-249 employees are:
- Healthcare & Pharmaceuticals
- Education
- Manufacturing

The industries most at risk in companies with 250-999 employees are:
- Construction
- Healthcare & Pharmaceuticals
- Business Services

The industries most at risk in companies with 1,000+ employees are:
- Technology
- Healthcare & Pharmaceuticals
- Manufacturing

The most impersonated brands

New research found the brands below to be the most impersonated brands used in phishing attacks throughout Q4, 2020, in order of the total number of instances the brand appeared in phishing attacks:
- Microsoft (related to 43% of all brand phishing attempts globally)
- DHL (18%)
- LinkedIn (6%)
- Amazon (5%)
- Rakuten (4%)
- IKEA (3%)
- Google (2%)
- PayPal (2%)
- Chase (2%)
- Yahoo (1%)

The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information.
Facts and figures related to COVID-19 scams

Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April.

And it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87%, while attacks on the C-Suite decreased by 37%.

Further reading:
⚡ COVID-19: Screenshots of Phishing Emails
⚡ How Hackers Are Exploiting the COVID-19 Vaccine Rollout
⚡ Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks

Phishing and remote working

According to Microsoft’s New Future of Work Report, 80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began. Of these, 62% said phishing campaigns had increased more than any other type of threat. Employees said they believed IT departments would have been able to mitigate these phishing attacks if they had been working in the office.

Further reading:
⚡ The Future of Hybrid Work
⚡ 7 Concerns Security Leaders Have About Permanent Remote Working
What can individuals and organizations do to prevent being targeted by phishing attacks?

While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action:
- Review the email address of senders and look out for impersonations of trusted brands or people (check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information).
- Always inspect URLs in emails for legitimacy by hovering over them before clicking.
- Beware of URL redirects and pay attention to subtle differences in website content.
- Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply.

But humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. Given the frequency of attacks year on year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough.

That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.

Further reading: ⚡ Tessian Defender: Product Data Sheet
Engineering Team
How Do You Encrypt PySpark Exceptions?
By Vladimir Mazlov
Friday, May 14th, 2021
We at Tessian are very passionate about the safety of our customers. We constantly handle sensitive email data to improve the quality of our protection against misdirected emails, exfiltration attempts, spear phishing etc. This means that many of our applications handle data that we can’t afford to have leaked or compromised. As part of our efforts to keep customer data safe, we take care to encrypt any exceptions we log, as you never know when a variable that has the wrong type happens to contain an email address. This approach allows us to be liberal with the access we give to the logs, while giving us comfort that customer data won’t end up in them. Spark applications are no exception to this rule, however, implementing encryption for them turned out to be quite a journey. So let us be your guide on this journey. This is a tale of despair, of betrayal and of triumph. It is a tale of PySpark exception encryption.
Problem statement

Before we enter the gates of darkness, we need to share some details about our system so that you know where we’re coming from. The language of choice for our backend applications is Python 3. To achieve exception encryption we hook into Python’s error handling system and modify the traceback before logging it. This happens inside a function called init_logging() and looks roughly like this:
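The post’s own init_logging() snippet is not reproduced on this page. What follows is an added Python example, not Tessian’s code, of the same idea: a logging.Formatter hook that encrypts the traceback text before it is written, and an init_logging() that installs it and routes uncaught exceptions through the same logger. The cipher (a SHA-256 counter-mode keystream with a random nonce) and the names EncryptingFormatter and demo are assumptions made to keep the example self-contained; production code should use a vetted authenticated cipher.

```python
"""Encrypt Python exception tracebacks before they are logged (added example)."""
import base64
import hashlib
import io
import logging
import os
import sys
import traceback
from typing import Callable, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as SHA-256(key || nonce || counter).

    Assumption: a stand-in for a real cipher, used so the example has no
    third-party dependency. Replace with AES-GCM or similar in production.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: str) -> str:
    """Return base64(nonce || plaintext XOR keystream)."""
    nonce = os.urandom(16)
    data = plaintext.encode("utf-8")
    ks = _keystream(key, nonce, len(data))
    return base64.b64encode(nonce + bytes(a ^ b for a, b in zip(data, ks))).decode("ascii")


def decrypt(key: bytes, token: str) -> str:
    """Inverse of encrypt(); run by whoever is cleared to read tracebacks."""
    raw = base64.b64decode(token)
    nonce, ct = raw[:16], raw[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode("utf-8")


class EncryptingFormatter(logging.Formatter):
    """Formatter that never emits a traceback in plaintext.

    Caveat: logging.Formatter caches the rendered traceback in
    record.exc_text, so this formatter must be the first to see a record;
    a plaintext formatter on another handler would cache the unencrypted
    text for every handler that formats the record afterwards.
    """

    PREFIX = "ENCRYPTED_TRACEBACK "

    def __init__(self, encrypt_fn: Callable[[str], str], fmt: str = None):
        super().__init__(fmt)
        self._encrypt = encrypt_fn

    def formatException(self, ei) -> str:
        # The exception value (e.g. a ValueError whose message quotes an
        # email address) lives in this text, so the whole traceback is encrypted.
        plain = "".join(traceback.format_exception(*ei))
        return self.PREFIX + self._encrypt(plain)


def init_logging(key: bytes, stream=None) -> logging.Logger:
    """Install the encrypting formatter and hook uncaught exceptions."""
    logger = logging.getLogger("app")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False  # stop the root logger re-emitting records in plaintext
    handler = logging.StreamHandler(stream or sys.stderr)
    handler.setFormatter(
        EncryptingFormatter(lambda text: encrypt(key, text), "%(levelname)s %(message)s")
    )
    logger.addHandler(handler)

    def excepthook(exc_type, exc, tb):
        # Without this, an unhandled exception is printed to stderr by the
        # default hook, bypassing the logger (and the encryption) entirely.
        logger.error("uncaught exception", exc_info=(exc_type, exc, tb))

    sys.excepthook = excepthook
    return logger


def demo(key: bytes) -> Tuple[str, str]:
    """Log a constructed exception; return (log text, decrypted traceback)."""
    buf = io.StringIO()
    logger = init_logging(key, stream=buf)
    try:
        # Constructed sample: the kind of message that would leak an address.
        raise ValueError("cannot parse recipient alice@example.com")
    except ValueError:
        logger.exception("message handler failed")
    log_text = buf.getvalue()
    token = log_text.split(EncryptingFormatter.PREFIX, 1)[1].split()[0]
    return log_text, decrypt(key, token)


if __name__ == "__main__":
    text, recovered = demo(b"demo-key-not-for-production")
    print(text)
    print(recovered)
```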
We use Spark 2.4.4. Spark Jobs are written entirely in Python; consequently, we are concerned with Python exceptions here. If you’ve ever seen a complete set of logs from a YARN-managed PySpark cluster, you know that a single ValueError can get logged tens of times in different forms; our goal will be to make sure all of them are either not present or encrypted. We’ll be using the following error to simulate an exception raised by a Python function handling sensitive customer information:
Looking at this, we can separate the problem into 2 parts: the driver and the executors.

The executors

Let’s start with what we initially (correctly) perceived to be the main issue. Spark Executors are a fairly straightforward concept until you add Python into the mix. The specifics of what’s going on inside are not often talked about and are relevant to the discussion at hand, so let’s dive in.

All executors are actually JVMs, not Python interpreters, and are implemented in Scala. Upon receiving Python code that needs to be executed (e.g. in rdd.map) they start a daemon written in Python that is responsible for forking the worker processes and supplying them with means of talking to the JVM, via sockets. The protocol here is pretty convoluted and very low-level, so we won’t go into too much depth. What will be relevant to us are two details; both have to do with communication between the driver and the JVM:
1. The JVM executor expects the daemon to open a listening socket on the loopback interface and communicate the port back to it via stdout.
2. The worker code contains a general try-except that catches any errors from the application code and writes the traceback to the socket that’s read by the JVM.

Point 2 is how the Python exceptions actually get to the executor logs, which is exactly why we can’t just use init_logging, even if we could guarantee that it was called: Python tracebacks are actually logged by Scala code!

How is this information useful? Well, you might notice that the daemon controls all Python execution, as it spawns the workers. If we can make it spawn a worker that will encrypt exceptions, our problems are solved. And it turns out Spark has an option that does just that: spark.python.daemon.module. This solution actually works; the problem is it’s incredibly fragile:
- We now have to copy the code of the driver, which makes Spark version updates difficult.
- Remember, it communicates the port to the JVM via stdout. Anything else written to stdout (say, a warning output by one of the packages used for encryption) destroys the executor:
As you can probably tell by the level of detail here, we really did think we could do the encryption on this level. Disappointed, we went one level up and took a look at how the PythonException was handled in the Scala code. Turns out it’s just logged on ERROR level, with the Python traceback received from the worker treated as the message. Spark uses log4j, which provides a number of options to extend it; Spark, additionally, provides the option to override log processing using its configuration. Thus, we will have achieved our goal if we encrypt the messages of all exceptions at the log4j level. We did it by creating a custom RealEncryptExceptionLayout class that simply calls the default one unless it gets an exception, in which case it substitutes it with one with an encrypted message. Here’s how it broadly looks:
To make this work we shipped this as a jar to the cluster and, importantly, specified the following configuration:
And voila!

The driver: executor errors by way of Py4J

Satisfied with ourselves, we decided to grep the logs for the error before moving on to errors in the driver. Said moving on was not yet to be, however, as we found the following in the driver’s stdout:

This not only is incredibly readable but also not encrypted! This exception, as you can very easily tell, is thrown by the Scala code, specifically DAGScheduler, when a task set fails, in this case due to repeated task failures. Fortunately for us, as illustrated by the diagram above, the driver simply runs Python code in the interpreter that, as far as it’s concerned, just happens to call py4j APIs that, in turn, communicate with the JVM. Thus, it’s not meaningfully different from our backend applications in terms of error handling, so we can simply reuse the init_logging() function. If we do it and check the stdout we see that it does indeed work:
The driver: executor errors by way of TaskSetManager

Yes, believe it or not, we haven’t escaped the shadow of the Executor just yet. We’ve seen our fair share of the driver’s stdout. But what about stderr? Wouldn’t any reasonable person expect to see some of those juicy errors there as well? We pride ourselves on being occasionally reasonable, so we did check. And lo and behold:
Turns out there is yet another component that reports errors from the executors: TaskSetManager; our good friend DAGScheduler also logs this error when a stage crashes because of it. Both of them, however, do this while processing events initially originating in the executors; where does the traceback really come from? In a rare flash of logic in our dark journey, from the Executor class, specifically the run method:
Aha, there’s a Serializer here! That’s very promising; we should be able to extend/replace it to encrypt the exception before actual serialization, right? Wrong. In fact, to our dismay, that used to be possible but was removed in version 2.0.0 (reference: https://issues.apache.org/jira/browse/SPARK-12414). Seeing as how nothing is configurable at this end, let’s go back to the TaskSetManager and DAGScheduler and note that the offending tracebacks are logged by both of them. Since we are already manipulating the logging mechanism, why not go further down that lane and encrypt these logs as well? Sure, that’s a possible solution. However, both log lines, as you can see in the snippet, are INFO. To find out that this particular log line contains a Python traceback from an executor we’d have to modify the Layout to parse it. Instead of doing that and risking writing a bad regex (a distinct possibility, as some believe a good regex is an animal about as real as a unicorn) we decided to go for a simple and elegant solution. We simply don’t ship the .jar containing the Layout to the driver; like we said, elegant. That turns out to have the following effect:
And that’s all that we find in the stderr! Which suits us just fine, as any errors from the driver will be wrapped in Py4J, diligently reported in the stdout and, as we’ve established, encrypted.

The driver: Python errors

That takes care of the executor errors in the driver. But the driver is nothing to sniff at either. It can fail and log exceptions just as well, can’t it? As you have probably already guessed, this isn’t really a problem. After all, the driver is just running Python code, and we’re already calling init_logging(). Satisfyingly enough, it turns out to work as one would expect. For these errors we again need to look at the driver’s stdout. If we raise the exception in the code executed in the driver (i.e. the main function) the stdout normally contains:
Calling init_logging() turns this traceback into:
Conclusion

And thus our journey comes to an end. Ultimately our struggle has led us to two realizations; neither is particularly groundbreaking, but both are important to understand when dealing with PySpark:
- Spark is not afraid to repeat itself in the logs, especially when it comes to errors.
- PySpark specifically is written in such a way that the driver and the executors are very different.

Before we say our goodbyes we feel like we must address one question: WHY? Why go through with this and not just abandon this complicated project? The data our Spark jobs tend to handle is very sensitive; in most cases it is various properties of emails sent or received by our customers. If we give up on encrypting the exceptions, we must accept that this very sensitive information could end up in a traceback, at which point it will be propagated by Spark to various log files. The only real way to guarantee no personal data is leaked in this case is to forbid access to the logs altogether. And while we did have to descend into the abyss and come back to achieve error encryption, debugging Spark jobs without access to logs is inviting the abyss inside yourself.
How Tessian Reduced Click-Through Rates on Phishing Emails From 20% to Less Than 5%
Thursday, May 13th, 2021
Company: Sanne Group
Industry: Financial Services
Seats: 1,850
Solutions: Guardian, Enforcer, Defender

About Sanne Group

Sanne is an award-winning, leading global provider of alternative asset and corporate services with 22 offices across the globe that serve nearly 2,000 clients, including leading fund managers, financial institutions, and global corporates. Today, the firm manages more than £250 billion in assets. Sanne deployed Tessian as their complete outbound email security solution in May 2019 and, 18 months later, added Tessian Defender to prevent spear phishing attacks and other impersonation attacks.

Problem: Despite having deployed other email solutions and training staff, phishing emails were still getting through…and staff were still clicking on them.

Marie Measures, Sanne’s Chief Technology Officer, and her team take cybersecurity seriously. That means the firm was protected by other inbound security solutions – including native controls, Secure Email Gateways (SEGs), and antivirus software – before deploying Tessian Defender. The problem was, those tools just weren’t stopping all inbound attacks, and phishing and spear phishing emails were still landing in employees’ mailboxes. According to Marie, on average, 150 were being reported a month to the security team.

“Even with all of these controls, emails were still getting through and we were still relying on end-users to make good decisions. We even had one solution in place that triggered a pop-up if a suspicious email was detected, simply asking employees if they wanted to continue. They’d often click “yes”. So when we were evaluating new solutions, it was important to us that users would actually interact with the warnings,” Marie explained.

After allowing Defender to flag potentially malicious emails during a phishing simulation, Marie saw how Tessian warnings did prompt employees to engage with the warnings. “In these tests, employees typically click on links in phishing emails about 15%-20% of the time. During a trial with Defender enabled, this simulation number dropped to less than 5%,” she said.

The difference between Tessian’s warnings and the other solution? Context.
“Tessian explains the “why” which is very important for awareness. It also appears within the email itself versus employees having to click through a pop-up or link to view the warning. It’s impossible to ignore and easy to understand,” Marie said.

Employees began interacting with the warnings immediately. Marie continued, “We did not have to send out any communications to staff explaining how to interact with the tool, which is a testament to how intuitive it is. No staff training, no staff comms, nothing. We just turned it on and employees started engaging with the warnings.”

Tessian’s in-the-moment warnings explain exactly why emails are flagged in plain English. This way, training is reinforced and employees’ security reflexes improve over time.

How does Tessian Defender detect and prevent impersonation attacks?

Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships to automatically prevent both known and unknown email attacks that bypass Secure Email Gateways (SEGs), while also providing in-the-moment training to educate employees and drive them towards more secure email behavior. Here’s how:
- Tessian’s machine learning algorithms analyze your company’s email data, learn every employee’s normal communication patterns, and map their trusted email relationships, both inside and outside your organization.
- Tessian inspects inbound emails for any suspicious or unusual content, both in the body of the email and in the metadata: for example, payloads or anomalous domains, geophysical locations, IP addresses, email clients, or sending patterns.
- Tessian alerts employees when an email might be unsafe with easy-to-understand, contextual warnings.

Sanne Group’s Case Study
Tessian Culture
Why We’re Logging Off at Lunchtime This Summer
By Paige Rinke
Wednesday, May 12th, 2021
We don’t have to tell people that it’s been a hard year.  We’ve all been locked inside, unable to leave our local areas to explore the world around us. Tessians haven’t been able to see their families and friends IRL, and relationships have had to be maintained on zoom.  It’s tough, and it’s definitely weighing on all of us.  But, this summer we want to change that and hopefully give our Tessians the chance to make up for lost time. To spend time with loved ones, to take care of themselves, and (maybe, just maybe!) even board a plane again. We’ve been running what we’ve deemed “Refreshian Day” over the last year. This is a day we all take each quarter, to all be offline together, and to focus purely on taking care of ourselves.  Want to learn more? Check out this blog: Why Shutting Down Tessian Was The Best Decision We Ever Made. With the success of these days, we’re introducing something new: Refreshian Summer.  So, what exactly is Refreshian Summer? Every Friday in July and August will be a half day for Tessians – meaning we will all log off around lunchtime. No annual leave needs to be logged to take these afternoons off, it’s just time for all Tessians to spend doing whatever will bring them joy or relaxation. This seems like a lot of time off….why are we doing this?  First, we think it’s simply the right thing to do. Research has shown that in countries like the US and UK (where most Tessians are based), people are working 2 – 3 hours more per day. The line between our personal and professional lives are blurry and everyone seems to always be online. That means there’s never a delay between emails. It’s a perpetual cycle of quick responses, and persistent, intense pace. And, because people aren’t taking time off, there’s no real “break”.  While we don’t expect the pace to change (hypergrowth will always be demanding, and we like it that way!), we can change the way that we support our people.  
We’ve found that on Refreshian Day, people genuinely manage to switch off, without worrying about what’s going on in their absence, or the number of emails that are coming through (because there aren’t any!). We want to create this feeling all summer. After what we’ve all been through, we really need to be able to take advantage of the sunniest days, in whatever way we like, and truly relax.  Plus, there’s some pretty cool research on how having something to look forward to bolsters our ability to cope with stress – we could all use a little of that right now!
How are we going to make this work?

We appreciate that many of you will be thinking “How on earth are you going to get all your employees to reduce their working time by 10%?” or “How are you going to manage this across multiple time zones, since you’re losing daily crossover time?” We get you, and we hear you. But, we’re encouraging our team to remember that this is temporary. And we think that for a temporary period it’s possible to adapt and reduce our working time just one day per week, and to work out time zone issues. We don’t believe in mandating an approach (autonomy = where the best ideas come from), and trust all Tessians to work with their team and manager to agree ways of working during this time. But, we’ve come up with some broad suggestions on how people might work together to reduce time in meetings this summer. Here’s a look at some of these:

- Manage how you will communicate with team members in earlier/later time zones that you would normally have a Friday crossover with – e.g. can you use asynchronous communication instead? Recording a short video clip is easy to do on Zoom and is a great way to communicate complex ideas.
- We ask that every team scrutinize their recurring meetings and determine where you can temporarily reduce the number of meetings. For example: do you need to have a stand-up every day? Would 3 days per week suffice instead? Can you move your global wrap-ups to a Thursday afternoon (UK)/morning (US) instead?
- Which 1 to 1s or team meetings can you reduce from weekly to bi-weekly, or can you shorten the duration?
- Does the idea of Sync & Maker hours work in your team, and would it be worth trying out to increase efficiency?
- Should you block out Friday mornings on your calendar for “No Meetings” so that people have time to plan before the weekend?
- Do you have the right coverage/on-call approach in place if you’re in a customer-facing role?
There will be plenty of things we won’t have thought of, which we can’t wait to hear from our team about.

What’s next?

This is an experiment – but one that we’re really excited to try. We will be seeking feedback continually from our team and adjusting where we need to as the summer goes on. We’ll also be collecting best practices from our teams who have found ways to reduce time spent in meetings (but maintain effectiveness) or communicate asynchronously. And, we will simply be looking forward to some well-earned time off this Refreshian Summer. Want to learn more about Tessian’s values and culture? You can explore more articles here.
Compliance
Why Information Security Must Be a Priority For GCs in 2021
Tuesday, May 11th, 2021
The business world was incredibly interconnected before the pandemic. Now that COVID-19 has forced five years of tech adoption in three months, and with new technologies on the horizon, this trend isn’t reversing any time soon. And while this global upgrade has many uses, and enables you to move huge parts of your life online, it also brings an increased focus on information security. Necessarily so.

Information security (Infosec) plays a vital role for all businesses that handle customer, client, or employee data. Nowadays, that’s pretty much every business. Security breaches can seriously damage a company’s reputation, if not end their success altogether. Conversely, good cybersecurity can be a competitive advantage. Infosec also:

- Enables teams to build and implement their applications safely
- Allows the business to build trust with their customers
- Enables the organization to protect the data they collect and use
- Protects the tech used by teams within the company

What does Infosec have to do with GCs?

As the CEO and Co-Founder of Juro, I know how in-house legal teams work, particularly the General Counsel. The top lawyer in a company is increasingly focused on ‘adding value to the business’ as lawyers seek to bring their commercial savvy to bear to help with strategic projects. But the first duty of a GC is to protect the company from legal risk – and in an interconnected world, the risks associated with breaches of information security loom large, both in terms of commercial and reputational impact. It’s imperative that General Counsel work with Chief Information Security Officers (CISOs) to protect the business from an ever-growing array of risks.
The lawyer – CISO dynamic

Lawyers don’t always play well with others. Historically, lawyers and CISOs have kept their distance. The IT department of a traditional business was one of the last places you’d expect to find the General Counsel. But over the years, the need for a CISO has grown, and the dynamic between the two roles has changed, for several reasons:

1. A huge explosion in SaaS businesses

Even pre-COVID, the increase in automating processes – which moved traditional industries like finance, healthcare and legal into the cloud – drove an upsurge in adoption of SaaS tools. Sales moved into Salesforce, marketing into HubSpot, and even legal teams moved online by embracing matter management and contract negotiation tools, alongside stalwarts like Zoom and Slack which seem to be ubiquitous in every business. Since the advent of COVID and universal lockdowns, it can often seem like collaborative SaaS platforms have become the rule, rather than the exception, such is their rate of adoption. But all these exciting changes present their own unique challenges when it comes to information security. With so many verticals becoming digital-first overnight, their exposure to malicious (and negligent) actors both in and outside of the organization has led to a corresponding increase in legal risk. Tessian research shows that 48% of employees say they’re less likely to follow safe security practices when working from home, and 84% of security leaders say data loss prevention (DLP) is more challenging when their workforce is working outside of the office. It’s vital that GCs and CISOs help the business navigate the new world safely – together.

2. The ever-changing privacy landscape

Most of these applications and SaaS tools require personal information of some kind, making privacy a key concern from day one. The complexity around this challenge only grows as the business does, which is why it’s essential that lawyers work with CISOs to manage that data security risk.
Layered on top of this is the regulatory environment for personal data.  GDPR was a slow-moving iceberg that many businesses still haven’t fully reckoned with; the future is set to become even more complex thanks to developments like the Schrems II decision. GCs and CISOs can and should collaborate to create a privacy framework that allows them to keep on top of these challenges, iterating as the business continues to scale. Creating a robust privacy policy shouldn’t be viewed as a concern just for legal – GCs must encourage buy-in and participation from the wider business. 
What can GCs do to protect their company’s information security?

Taking a leading role in information security doesn’t need to be daunting for legal counsel – in fact, a few simple steps can make all the difference.

1. Support CISOs

GCs can ensure that they’re giving information security the attention it deserves by supporting and advising on any issues that arise. Often at a smaller business, there’s a single person assigned to manage Infosec – and much like the first lawyer at a scaling business, they have a mountain of work to do. Even in larger enterprise organizations, security teams can be thinly stretched and resource-constrained. Supporting CISOs by proactively dedicating a set amount of time and having regular check-ins can ensure that both lawyers and CISOs aren’t buried under this work in the future, as the business continues to grow. Tone at the top dictates how others respond – it’s important for leaders to set the right example. Looking for a framework to help you establish better relationships with the right people? Use this template.

2. Offer training

It’s important to emphasize that Infosec is a shared responsibility across the whole business – while one person may have ownership of it, it’s every employee’s responsibility to ensure the information processed by the business is secure, and data isn’t vulnerable to common attacks like data exfiltration and spear phishing. GCs can help CISOs with this task by setting up training sessions with other teams in the company, to keep everyone up to date with the latest techniques. For better or worse, lawyers are often seen as ‘bad cops’ in the business – having their backing for, and involvement in, data compliance training should reinforce the seriousness with which colleagues should approach the issue. Training shouldn’t be a one-off, of course – it should be part of every employee’s onboarding, and revisited on a regular basis.
The bottom line: as the threats in Infosec constantly adapt, so should the methods used to mitigate risk and keep data safe. GCs and CISOs should work together to review the policies, frameworks and training in place, and iterate where necessary.  Falling behind on this will expose the business to risk. By prioritizing these tasks and placing security at the heart of everything they do, lawyers can ensure that their businesses continue to handle data securely as they scale. Written by Richard Mabey, CEO and co-founder of Juro.
Human Layer Security, DLP, Compliance, Data Exfiltration
The State of Data Loss Prevention in the Financial Services Sector
By Maddie Rosenthal
Monday, May 10th, 2021
In our latest research report, we took a deep dive into Data Loss Prevention in Financial Services and revealed that data loss incidents are happening up to 38x more frequently than IT leaders currently estimate. And, while data loss is a big problem across all industries, it’s especially problematic in those that handle highly sensitive data. One of those industries is Financial Services.

Before we dive into how frequently data loss incidents are happening and why, let’s define what exactly a data loss incident is in the context of this report. We focused on outbound data loss on email. This could be either intentional data exfiltration by a disgruntled or financially motivated employee, or it could be accidental data loss. Here’s what we found out.

The majority of employees have accidentally or intentionally exfiltrated data

Tessian platform data shows that in organizations with 1,000 employees, 800 emails are sent to the wrong person every year. This is 1.6x more than IT leaders estimated. Likewise, in organizations of the same size, 27,500 emails containing company data are sent to personal accounts. We call these unauthorized emails, and IT leaders estimated just 720 are sent annually. That’s a big difference.
But, what about in this particular sector? Over half (57%) of Financial Services professionals across the US and the UK admit to sending at least one misdirected email, and 67% say they’ve sent unauthorized emails. But, when you isolate the US employees, the percentage almost doubles: 91% of Financial Services professionals in the US say they’ve sent company data to their personal accounts.

And, because Financial Services is highly competitive, professionals working in this industry are among the most likely to download, save, or send company data to personal accounts before leaving or after being dismissed from a job, with 47% of employees saying they’ve done it.

To really understand the consequences of incidents like this, you have to consider the type of data this industry handles and the compliance standards and data privacy regulations they’re obligated to satisfy.
Every day, professionals working in Financial Services send and receive:

- Bank Account Numbers
- Loan Account Numbers
- Credit/Debit Card Numbers
- Social Security Numbers
- M&A Data

In order to protect that data, they must comply with regional and industry-specific laws, including:

- GLBA
- COPPA
- FACTA
- FDIC 370
- HIPAA
- CCPA
- GDPR

So, what happens if there’s a breach? The implications are far-reaching, ranging from lost customer trust and a damaged reputation to revenue loss and regulatory fines. For more information on these and other compliance standards, visit our Compliance Hub.

Remote working is making Data Loss Prevention (DLP) more challenging

The sudden transition from office to home has presented a number of challenges to both employees and security, IT, and compliance leaders. To start, 65% of professionals working in Financial Services say they feel less secure working from home than they do in the office. It makes sense. People aren’t working from their normal workstations and likely don’t have the same equipment.

A further 56% say they’re less likely to follow safe data practices when working remotely. Why? The most common reason was that IT isn’t watching, followed by being distracted. Most of us can relate. When working remotely – especially from home – people have other responsibilities and distractions like childcare and roommates and, the truth is, the average employee is just trying to do their job, not be a champion of cybersecurity.
That’s why it’s so important that security and IT teams equip employees with the solutions they need to work securely, wherever they are.

Current solutions aren’t empowering employees to work securely

Training, policies, and rule-based technology all have a place in security strategies. But, based on our research, these solutions alone aren’t working. In fact, 64% of professionals working in Financial Services say they’ll find a workaround to security software or policies if they impede productivity. This is 10% higher than the average across all industries.
How does Tessian prevent data loss on email?

Tessian uses machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our machine learning models analyze email data to understand how people work and communicate. They have been trained on more than two billion emails and they continue to adapt and learn from your own data as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real time if particular emails look like they’re about to be sent to the wrong person. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. Finally, Tessian Defender detects and prevents inbound attacks like spear phishing, account takeover (ATO), and CEO Fraud.

Enforcer and Guardian do all of this silently in the background. That means workflows aren’t disrupted and there’s no impact on productivity. Employees can do what they were hired to do without security getting in the way. Tessian bolsters training, complements rule-based solutions, and helps reinforce the policies security teams have worked so hard to create and embed in their organizations. That’s why so many Financial Services firms have adopted Tessian’s technology, including:

- Man Group
- Evercore
- BDO
- Affirm
- Armstrong Watson
- JTC
- DC Advisory
- Many more
Threat Intel, Spear Phishing
How Cybercriminals Exploited The Covid-19 Vaccine Roll-Out
By Tessian
Monday, May 10th, 2021
The National Cyber Security Centre (NCSC) recently revealed that it removed more online scams in 2020 than in 2016-2019 combined, due to a surge in malicious activity related to the Covid-19 pandemic. In a report published by the NCSC’s Active Cyber Defence program, it’s revealed that more than 120 phishing campaigns in which the NHS was impersonated were detected in 2020 – up from 36 in 2019. The lure commonly used in these scams? The vaccine roll-out.

How have cybercriminals taken advantage of the Covid-19 vaccine?

Tessian researchers have been monitoring phishing campaigns related to the vaccination roll-out since the start of 2021, and their findings clearly demonstrate how quickly cybercriminals will jump on milestone moments to craft convincing scams. In fact, in the week commencing January 4th 2021, Tessian data shows that the number of scam emails related to the vaccine was 188% higher than the weekly average of such scams detected in 2021. It was during this week that the UK began distributing the AstraZeneca/Oxford vaccine. Our researchers also saw significant spikes in suspicious emails related to the vaccine during the:

- Week commencing January 25th, when the Biden administration promised to have enough coronavirus vaccine for the entire US population by the end of summer. During this week, the number of suspicious emails relating to vaccines increased by 585% compared to the previous week.
- Week commencing February 8th, when U.S. government officials announced that around 1 in 10 Americans had received the first dose of the two-part Covid-19 vaccine. The number of suspicious emails was 148% higher than the weekly average of vaccine-related scams detected by Tessian in 2021.
- Week commencing February 15th, when G7 countries pledged $4 billion to global Covid-19 vaccine initiatives. Suspicious emails related to the vaccine were 133% higher than the weekly average.
- Week commencing March 1st, when President Biden announced that vaccines would be available for every US adult by May. The number of suspicious emails related to vaccines during this week was up by 161% compared to the previous week.

Now that the vaccine roll-out is well and truly underway, with many people having received both doses of the jab, Tessian researchers reported a significant drop in the number of scams. This is a clear indication that hackers were responding to hot topics in the news to apply a sense of urgency and timeliness to their malicious campaigns.
Why are these phishing attacks so effective?

After a year of stress and uncertainty, people were desperately waiting for the vaccine roll-out. People urgently wanted to find out things such as when they would get the vaccine and where they could receive the jab, and many more wanted to research and understand potential side effects. In response, cybercriminals capitalized on people’s desire for more information. They created fake websites, to which people were lured via phishing scams, and tricked their targets into sharing personal or financial data in exchange for the information they were looking for. Tying their campaigns to timely moments in the news added another layer of urgency.

In fact, additional Tessian research revealed that a significant number of website domains related to the Covid-19 vaccine were registered in the early days of the roll-out, with over 2,600 new website domains being created between 5 December 2020 and 10 January 2021. Many of these domains impersonated legitimate healthcare websites, touted misinformation around injection side effects, and falsely claimed to offer guidance around timing and logistics of distribution.

These phishing scams are so effective because hackers use techniques that prey on people’s vulnerabilities during times of crisis. In a report we published with Jeff Hancock, Professor of Communication at Stanford University and expert in trust and deception, he said, “when people are stressed and distracted, they tend to make mistakes or decisions they later regret.”

What does a vaccine scam look like?

Oftentimes, cybercriminals impersonated trusted healthcare organizations or government agencies to trick their victims into thinking they’d received an email from a legitimate source, as shown in the example below.
In other examples detected by Tessian, bad actors would impersonate Human Resources departments, urging staff to click on links or download malicious attachments that supposedly contained information about the vaccine roll-out and/or infected employees. Below is an example received by a global financial services enterprise, and detected by Tessian Defender. In this case:

- The attacker registered a domain to impersonate an outsourced Human Resources function in a phishing email.
- The phishing email used Covid-19 as the theme and used fear and urgency tactics to announce a “Covid-19 Emergency”, seemingly providing a list of known infected persons.
- The aim of this was to encourage those who received the email to click a link to a PDF which claimed to contain information about the emergency and a list of infected individuals.
- The attacker used the name of the financial services organization in the name of the file which was linked to in the URL. This implies that this attack was highly targeted; the recipient would assume that the link was legitimate.
- It’s likely that the PDF linked to in the URL would have contained malicious macros designed to infect the target’s device.
How to spot a Covid-19 scam

Always be wary of emails purporting to come from healthcare organizations asking you to click on links to ‘find out more’. Always check the sender name and address to verify the sender’s identity, particularly if you have received an email on your phone. It’s also important to question any websites that request personal data. Domains that spoof government healthcare websites, like the Centers for Disease Control and Prevention (CDC), are especially dangerous, as cybercriminals could potentially steal extremely sensitive information such as Social Security numbers and health information like insurance or medical history details. At a time when phishing scams are only growing in frequency and sophistication, always think twice before entering your personal information online and remember, if it doesn’t look right, it probably isn’t. You can always verify a suspicious request by contacting the sender directly, via another means of communication, to check it’s the real thing.
Spear Phishing
11 Examples of Social Engineering: Real-World Attacks
Friday, May 7th, 2021
In this article, we’ll look at 11 social engineering examples — some big and some recent — all using different techniques. We’ll also tell you how to avoid falling victim to these sorts of attacks. Did you know? Social engineering was the most commonly seen pattern in breaches last year, according to Verizon’s 2021 DBIR.
11 Social Engineering Examples

1. $100 Million Google and Facebook Spear Phishing Scam

The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company’s name. The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.

Further reading: ⚡ What is Spear Phishing? ⚡ What Does a Spear Phishing Email Look Like?

2. Deepfake Attack on UK Energy Company

In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer. This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.” To learn more about how hackers use AI to mimic speech patterns, listen to Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI, at Tessian Human Layer Security Summit.

Further reading: ⚡ Deepfakes: What are They and Why are They a Threat?

3. $60 Million CEO Fraud Lands CEO In Court

Chinese plane parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud scam” where scammers impersonated high-level executives and tricked employees into transferring funds.
After the incident, FACC then spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls. While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.  Further reading: ⚡ What is CEO Fraud? (Tips for Identifying Attacks) ⚡ How to Prevent CEO Fraud
4. Microsoft 365 phishing scam steals user credentials

In April 2021, security researchers discovered a Business Email Compromise (BEC) scam that tricks the recipient into installing malicious code on their device. Here’s how the attack works. Pay attention—it’s actually pretty clever.

- The target receives a blank email with a subject line about a “price revision.”
- The email contains an attachment that looks like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” is actually a .html file in disguise.
- Upon opening the (disguised) .html file, the target is directed to a website containing malicious code.
- The code triggers a pop-up notification, telling the user they’ve been logged out of Microsoft 365, and inviting them to re-enter their login credentials.
- You can guess what happens next—the fraudulent web form sends the user’s credentials off to the cybercriminals running the scam.

This type of phishing—which relies on human error combined with weak defenses—has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data.

Further reading: ⚡ Is Your Office 365 Email Secure? ⚡ Most Impersonated Brands in Phishing Scams

5. Ransomware gang hijacks victim’s email account

In April 2021, several employees of U.K. rail operator Merseyrail received an unusual email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from several newspapers and tech sites were also copied in. The email—sent by a fraudster impersonating Merseyrail’s director—revealed that the company had been hacked and had tried to downplay the incident. The email also included an image of a Merseyrail employee’s personal data. It’s not clear how Merseyrail’s email system got compromised (although security experts suspect a spear phishing attack)—but the “double extortion” involved makes this attack particularly brutal.
The “Lockbit” gang not only exfiltrated Merseyrail’s personal data and demanded a ransom to release it—the scammers used their access to the company’s systems to launch an embarrassing publicity campaign on behalf of its director.

6. Phishing scam uses HTML tables to evade traditional email security

Criminals are always looking for new ways to evade email security software. One BEC attack, discovered in April 2021, involves a particularly devious way of sneaking through traditional email security software like Secure Email Gateways (SEGs) and rule-based Data Loss Prevention (DLP). BEC attacks often rely on impersonating official emails from respected companies. This means embedding the company’s logos and branding into the email as image files. Some “rule-based” email security software automatically treats image files as suspicious. If a phishing email contains a .png file of the Microsoft Windows logo, the email is more likely to be detected—but without that distinctive branding, the email won’t look like it came from Microsoft. But once again, cyber criminals have found a way to exploit the rule-based security approach. To imitate Microsoft’s branding, this attack uses a table instead of an image file—simply a four-square grid, colored to look like the Windows logo. The average employee is unlikely to closely inspect the logo and will automatically trust the contents of the email.

This isn’t the first time fraudsters have used tables to evade rule-based DLP software. For example, some email security filters are set up to detect certain words, like “bitcoin.” One way around this is to create a borderless table and split the word across the columns: “bi | tc | oin.”

Further reading: ⚡ What is Email DLP?

7. Google Drive collaboration scam

In late 2020, a novel but simple social engineering scam emerged that exploited Google Drive’s notification system. The fraud begins with the creation of a document containing malicious links to a phishing site.
The scammer then tags their target in a comment on the document, asking the person to collaborate. Once tagged, the target receives a legitimate email notification from Google containing the comment’s text and a link to the relevant document. If the scam works, the victim will view the document, read the comments, and feel flattered that they’re being asked to collaborate. Then, the victim will click one of the malicious links, visit the phishing site, and enter their login credentials or other personal data. This scam is particularly clever because it exploits Google’s email notification system for added legitimacy. Such notifications come straight from Google and are unlikely to trigger a spam filter. But like all social engineering attacks, the Google Drive collaboration scam plays on the victim’s emotions: in this case, the pride and generosity we might feel when called upon for help. Want to see a screenshot of a similar attack? We break down a spear phishing attack in which the attacker impersonates Microsoft Teams. Check it out here.

8. SharePoint phishing fraud targets home workers

April 2021 saw yet another phishing attack emerge that appears specifically designed to target remote workers using cloud-based software. The attack begins when the target receives an email—written in the urgent tone favored by phishing scammers—requesting their signature on a document hosted in Microsoft SharePoint. The email looks legitimate. It includes the SharePoint logo and branding familiar to many office workers. But the link leads to a phishing site designed to siphon off users’ credentials. Phishing attacks increasingly aim to exploit remote collaboration software—Microsoft research suggests nearly half of IT professionals cited the need for new collaboration tools as a major security vulnerability during the shift to working from home.

Further reading: ⚡ 7 Concerns IT Leaders Have About Permanent Remote Working ⚡ Ultimate Guide to Staying Secure While Working Remotely
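Items 4 and 6 above both slip past checks that look only at surface features: a declared .xlsx extension, or a keyword that a borderless table has chopped into “bi | tc | oin”. The Python below is an added example (not Tessian’s or any vendor’s code) of two content-aware checks a mail filter can run instead; the magic-byte table, the keyword list and the sample attachment and message are constructed for illustration, and the caller is assumed to have already extracted attachment bytes and the HTML body from the message.

```python
"""Two content-aware mail-filter checks for the evasions in items 4 and 6.

Added example, not Tessian's code.  Assumes the caller has already pulled
attachment bytes and the HTML body out of the message (e.g. with `email`).
"""
from html.parser import HTMLParser

# Leading bytes a genuine file of each extension must start with.  Office
# Open XML formats (.xlsx/.docx) are ZIP containers, so they begin with the
# ZIP local-file-header signature.  Illustrative table, not exhaustive.
MAGIC = {
    ".xlsx": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<meta", b"<body")


def attachment_verdict(filename: str, data: bytes) -> str:
    """Compare the declared extension with the file's actual leading bytes.

    Returns "ok" when they agree, "disguised-html" for the item-4 lure (a
    binary extension wrapping an HTML document), "mismatch" for any other
    disagreement, and "unknown-extension" when the table has no entry.
    """
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    if data.startswith(expected):
        return "ok"
    # Skip a UTF-8 BOM and leading whitespace before looking for HTML.
    head = data[:2048].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if head.startswith(b"<") or any(m in head for m in HTML_MARKERS):
        return "disguised-html"
    return "mismatch"


class _CellText(HTMLParser):
    """Collect visible text, remembering which fragments sat in table cells."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []      # (text, was_inside_td_or_th)
        self._cell = 0
        self._skip = 0       # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("td", "th"):
            self._cell += 1
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("td", "th"):
            self._cell = max(0, self._cell - 1)
        elif tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag == "tr":
            self.parts.append(("\n", False))  # row boundary stops gluing

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.parts.append((data.strip(), self._cell > 0))


def body_views(html: str):
    """Return (spaced, glued): the text as a naive filter sees it, and the
    same text with adjacent table cells run together, so the split keyword
    from item 6 ("bi | tc | oin") reads as "bitcoin" again."""
    parser = _CellText()
    parser.feed(html)
    parser.close()
    glued = []
    for text, in_cell in parser.parts:
        if in_cell and glued and glued[-1][1]:
            glued[-1] = (glued[-1][0] + text, True)
        else:
            glued.append((text, in_cell))
    spaced = " ".join(t for t, _ in parser.parts)
    return spaced, " ".join(t for t, _ in glued)


def split_keyword_hits(html: str, keywords) -> list:
    """Keywords that appear only once cells are glued: a strong sign that a
    table was used to fragment a word past a keyword rule."""
    spaced, glued = body_views(html)
    spaced, glued = spaced.lower(), glued.lower()
    return [k for k in keywords if k.lower() in glued and k.lower() not in spaced]


# Constructed sample inputs for a quick run; not real attachments or mail.
FAKE_XLSX = b"<!DOCTYPE html><html><head><title>price revision</title></head><body></body></html>"
REAL_XLSX_HEAD = b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml"
SPLIT_TABLE_MAIL = """<html><body><p>Payment due in</p>
<table><tr><td>bi</td><td>tc</td><td>oin</td></tr></table>
<p>within 24 hours.</p></body></html>"""

if __name__ == "__main__":
    print(attachment_verdict("Price_Revision.xlsx", FAKE_XLSX))            # disguised-html
    print(attachment_verdict("report.xlsx", REAL_XLSX_HEAD))               # ok
    print(split_keyword_hits(SPLIT_TABLE_MAIL, ["bitcoin", "payment"]))   # ['bitcoin']
```

A hit from either function is a signal for quarantine or analyst review, not proof of malice on its own; legitimate tables will also glue into odd strings, which is why only keywords absent from the spaced view are reported.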
9. $75 Million Belgian Bank Whaling Attack

Perhaps the most successful social engineering attack of all time was conducted against Belgian bank Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice.

Crelan fell victim to “whaling” — a type of spear phishing in which the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds.

Further reading: ⚡ Whaling Email Attacks: Examples & Prevention Strategies

10. High-Profile Twitter Users’ Accounts Compromised After Vishing Scam

In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West. The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions.

Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts.

Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price plummet by 7% in pre-market trading the following day.

Further reading: ⚡ What You Need to Know About Vishing

11. Texas Attorney-General Warns of Delivery Company Smishing Scam

Nearly everyone gets the occasional text message that looks like it could be a scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it.
Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details.

The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission.

Top tip: Never respond to a suspicious message, click links within SMS messages, or reveal personal or company information via SMS.

Further reading: ⚡ Examples of Smishing Attacks

Prevent social engineering attacks in your organization

There’s one common thread through all of these attacks, whether delivered by email, text, or voicemail: they’re really, really hard to spot. That’s why technology is essential, and that’s where Tessian comes in.

Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO fraud, BEC, spear phishing, and other targeted social engineering attacks.

To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today. Or, if you’d rather just stay up-to-date with the latest social engineering attacks, subscribe to our weekly blog digest. You’ll get news, threat intel, and insights from security leaders, for security leaders, straight to your inbox.
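The table-splitting trick from item 6 above (“bi | tc | oin”) works because a legacy keyword rule matches against the raw markup, where the cell tags sit between the letters. The Python below is an added illustration, not code from this post or from any Tessian product, of the defensive counterpart: extract the text a mail client would actually render, then collapse whitespace and invisible code points before matching the watchlist. It goes one step beyond the post’s example by also catching the same word broken with a zero-width space. The sample HTML, the watchlist and every function name here are constructed for the example.

```python
"""Added example (not from the Tessian post): keyword filtering on raw HTML
versus on normalised visible text, for the table-splitting evasion above."""
from html.parser import HTMLParser
import re
import unicodedata

# Constructed samples; none of this is real phishing mail.
SAMPLE_TABLE_SPLIT = """<html><body>
<p>Please send payment via</p>
<table border="0" cellspacing="0" cellpadding="0">
  <tr><td>bi</td><td>tc</td><td>oin</td></tr>
</table>
<p>to the address below.</p>
</body></html>"""

# Same term, but broken with a zero-width space instead of table cells.
SAMPLE_ZERO_WIDTH = "<p>Please send payment via bit\u200bcoin today.</p>"

# Harmless mail with a real table, to show the normalised check stays quiet.
SAMPLE_BENIGN = """<p>Q2 figures attached.</p>
<table><tr><td>Region</td><td>Revenue</td></tr>
<tr><td>EMEA</td><td>4.2m</td></tr></table>"""

WATCHLIST = ("bitcoin", "wire transfer", "gift card")

# Invisible code points that get dropped into words to break substring rules.
_INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"), None)


class _TextExtractor(HTMLParser):
    """Collects the text a mail client would render, inserting a space at every
    tag boundary so adjacent cells do not silently merge at this stage."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        self.parts.append(" ")

    def handle_endtag(self, tag):
        self.parts.append(" ")

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(raw_html: str) -> str:
    """Rendered text with runs of whitespace squeezed to a single space."""
    parser = _TextExtractor()
    parser.feed(raw_html)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip()


def collapse(text: str) -> str:
    """Normalisation key: NFKC-fold, drop invisible code points, drop all
    whitespace, lower-case. 'bi tc oin' and 'bit<ZWSP>coin' both give 'bitcoin'."""
    folded = unicodedata.normalize("NFKC", text).translate(_INVISIBLE)
    return re.sub(r"\s+", "", folded).lower()


def naive_hits(raw_html: str, watchlist=WATCHLIST) -> list:
    """Legacy-style rule: substring match on the raw markup."""
    lowered = raw_html.lower()
    return [term for term in watchlist if term in lowered]


def normalised_hits(raw_html: str, watchlist=WATCHLIST) -> list:
    """Hardened rule: match collapsed terms against the collapsed visible text."""
    body = collapse(visible_text(raw_html))
    return [term for term in watchlist if collapse(term) in body]


if __name__ == "__main__":
    for name, sample in [("table split", SAMPLE_TABLE_SPLIT),
                         ("zero-width split", SAMPLE_ZERO_WIDTH),
                         ("benign table", SAMPLE_BENIGN)]:
        print(f"{name:17} naive={naive_hits(sample)} "
              f"normalised={normalised_hits(sample)}")
```

The collapsed comparison is deliberately aggressive: because it discards all word boundaries, “rabbit coin” also contains “bitcoin” once collapsed, so a hit from `normalised_hits` is a reason to quarantine or review a message, not a verdict on its own. The point the post makes still stands: a rule that inspects only what the attacker controls (the markup) can be routed around, whereas inspecting what the recipient will see is harder to evade.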
DLP
What is Data Loss Prevention (DLP)? Complete Overview of DLP
Thursday, May 6th, 2021
Let’s get straight to it and answer your questions.
How does DLP work?

Put simply, DLP software monitors different entry and exit points (examples below) to “look” for data and keep it safe and sound inside the organization’s network. A properly configured DLP solution can detect when sensitive or important data is leaving a company’s possession, alert the user and, ultimately, stop data loss.

A DLP solution has three main jobs. DLP software:
- Monitors and analyzes data while at rest, in motion, and in use.
- Detects suspicious activity or anomalous network traffic.
- Blocks or flags suspicious activity, preventing data loss.

Those entry and exit points we mentioned earlier include:
- Computers
- Mobile devices
- Email clients
- Servers
- Mail gateways

Different types of DLP solutions are required to safeguard data in these environments.

What are the different types of DLP?

DLP software can monitor and safeguard data in three states:
- Data in motion (or “in transit”): data that is being sent or received by your network
- Data in use: data that a user is currently interacting with
- Data at rest: data stored in a file or database that is not moving or in use

There are three main types of DLP software designed to protect data in these different states.

Network data loss prevention

Network DLP software monitors network traffic passing through entry and exit points to protect data in motion. Network DLP scans all data passing through a company’s network. If it’s working properly, the software will detect sensitive data exiting the network and flag or block it, while allowing other data to leave the network unimpeded where appropriate. Network administrators can customize network DLP software to block certain types of data from leaving the network by default or—by contrast—whitelist specific file types or URLs.

Endpoint data loss prevention

Endpoint DLP monitors data on devices and workstations, such as computers and mobile devices, to protect data in use.
The software can monitor the device and detect a range of potentially malicious actions, including:
- Printing a document
- Creating or renaming a file
- Copying data to removable media (e.g. a USB drive)

Such actions might be completely harmless—or they might be an attempt to exfiltrate confidential data. Effective endpoint DLP software (but not all endpoint DLP software) can distinguish between suspicious and non-suspicious activity.

Email data loss prevention

Email is the primary threat vector for most businesses, and the threat vector most security leaders are concerned about locking down with their DLP strategy. Email represents a potential route straight through your company’s defenses for anyone wishing to deliver a malicious payload. And it’s also a way for insiders to send data out of your company’s network—whether by accident or on purpose.

Email DLP can therefore protect against some of the most common and serious causes of data loss, including:
- Email-based cyberattacks, such as phishing
- Malicious exfiltration of data by employees (also called insider threats)
- Accidental data loss (for example, sending an email to the wrong person or attaching the wrong file)

Further reading: ⚡ What is Email DLP? Overview of DLP on Email
Does my company need a data loss prevention solution?

Almost certainly. DLP is a top priority for security leaders across industries, and DLP software is a vital part of any organization’s security program.

Broadly, there are two reasons to implement an effective data loss prevention solution:
- Protecting your customers’ and employees’ personal information. Your business is responsible for all the personal information it controls. Cyberattacks and employee errors can put this data at risk.
- Protecting your company’s non-personal data. DLP can thwart attempts to steal intellectual property, client lists, or financial data.

Want to learn more about how and why other organizations are leveraging DLP? We explore employee behavior, the frequency of data loss incidents, and the best (and worst) solutions in this report: The State of Data Loss Prevention.

Now let’s look at the practical ways DLP software can benefit your business.

What are the benefits of DLP?

There are 4 main benefits of data loss prevention, which we’ll unpack below:
- Protecting against external threats (like spear phishing attacks)
- Protecting against internal threats (like insider threats)
- Protecting against accidental data loss (like accidentally sending an email to the wrong person)
- Compliance with laws and regulations

Protecting against external threats

External security threats are often the main driver of a company’s cybersecurity program—although, as we’ll see below, they’re far from the only type of security threat that businesses are concerned about. Here are some of the most significant external threats that can result in data loss:
- Phishing: Phishing is the most common online crime—and according to the latest FBI data, phishing rates doubled in 2020. Around 96% of phishing attacks take place via email.
- Spear phishing: A phishing attack targeting a specific individual.
Spear phishing attacks are more effective than “bulk” phishing attacks and can target high-value individuals (whaling) or use advanced impersonation techniques (CEO fraud).
- Ransomware: A malicious actor encrypts company data and forces the company to pay a ransom to obtain the key.

Cybercriminals can use various methods to carry out these attacks, including malicious email attachments or links and exploit kits. DLP can counter these external threats by preventing malicious actors from exfiltrating data from your network, storage, or endpoints.

Protecting against internal threats

Malicious employees can use email to exfiltrate company data. This type of insider threat is more common than you might think. Verizon research shows how employees can misuse their company account privileges for malicious purposes, such as stealing or providing unauthorized access to company data. This problem is most significant in the healthcare and manufacturing industries.

Why would an employee misuse their account privileges in this way? In some cases, they’re working with outsiders. In others, they’re stealing data for their own purposes. For more information, read our 11 Real Examples of Insider Threats.

The difficulty is that your employees often need to send files and data outside of your company for perfectly legitimate purposes. Thankfully, next-generation DLP can use machine learning to distinguish and block suspicious activity—while permitting data to leave your network where necessary.

Preventing accidental data loss

Human error is a widespread cause of data loss, but security teams sometimes overlook it. In fact, misdirected emails—where a person sends an email to the wrong recipient—are the most common cause of data breaches, according to the UK’s data protection regulator.

Tessian platform data bears this out. In organizations with 1,000 or more employees, people send an average of 800 misdirected emails every year. Misdirected emails take many forms.
But any misdirected email can result in data loss—whether through accidentally clicking “reply all”, attaching the wrong file, accepting an erroneous autocomplete, or simply spelling someone’s email address wrong.

Compliance with laws and regulations

Governments are more and more concerned about data privacy and security. Data protection and cybersecurity regulations are increasingly demanding—and failing to comply with them can incur increasingly severe penalties. Implementing a DLP solution is an excellent way to demonstrate your organization’s compliance efforts with any of the following laws and standards:
- General Data Protection Regulation (GDPR): Any company doing business in the EU, or working with EU clients or customers, must comply with the GDPR. The regulation requires all organizations to implement security measures to protect the personal data in their control.
- California Consumer Privacy Act (CCPA): The CCPA is one example of the many state privacy laws emerging across the U.S. The law requires businesses to implement reasonable security measures to guard against the loss or exfiltration of personal information.
- Sector-specific regulations: Tightly regulated sectors are subject to privacy and security standards, such as the Health Insurance Portability and Accountability Act (HIPAA), which covers healthcare providers and their business associates, and the Gramm-Leach-Bliley Act (GLBA), which covers financial institutions.
- Cybersecurity frameworks: Compliance with cybersecurity frameworks, such as the NIST Framework, CIS Controls, or ISO 27000 Series, is an important way to demonstrate high standards of data security in your organization. Implementing a DLP solution is one step towards certification with one of these frameworks.

Bear in mind that, in certain industries, individual customers and clients will have their own regulatory requests, too.
Further reading: ⚡ The State of Data Loss Prevention in Healthcare ⚡ The State of Data Loss Prevention in Legal ⚡ The State of Data Loss Prevention in Financial Services ⚡ CCPA FAQs ⚡ GDPR FAQs

Do DLP solutions work?

We’ve looked at the huge benefits that DLP software can bring your organization. But does DLP actually work? Some solutions do, but not all.

Effective DLP software works seamlessly in the background, allowing employees to work uninterrupted but stepping in to prevent data loss whenever necessary. Likewise, it’s easy for SOC teams to manage.

Unfortunately, legacy features are still present in some DLP solutions that either fail to prevent loss effectively, create too much noise for security teams, or are too cumbersome to let employees work unimpeded. Let’s take a look at some DLP methods and weigh up the pros and cons of each approach.

Blacklisting domains

IT administrators can block certain domains associated with malicious activity—for example, “freemail” domains such as gmail.com or yahoo.com. Blacklisting entire domains, particularly popular (if problematic) domains, is not ideal. There may be good reasons to communicate with someone using a freemail address—for example, if they are a customer, contractor, or potential client.

Tagging sensitive data

Some DLP software allows users to tag certain types of sensitive data. For example, you may wish to block activity involving any file containing a 16-digit number (which might be a credit card number). But this rigid approach doesn’t account for the dynamic nature of sensitive data. In certain contexts, a 16-digit number might not be a credit card number at all. Or an employee may be using credit card data for legitimate purposes.
Implementing rules

Rule-based DLP uses “if-then” statements to block types of activity, such as “If an employee uploads a file of 10MB or larger, then block the upload and alert IT.” The problem here is that, like the other “data-centric” solutions identified above, rule-based DLP often blocks legitimate activity and allows malicious activity to occur unimpeded.

Machine learning

Machine learning DLP software like Tessian’s Human Layer Security platform is a “human-centric” approach to data loss prevention. Here’s how it works: machine learning technology learns how people, teams, and customers communicate and understands the human context behind every interaction with data. By analyzing the evolving patterns of human interactions, machine learning DLP constantly reclassifies email addresses according to the relationship between a business and its customers, suppliers, and other third parties.

Further reading: ⚡ Learn how Tessian Guardian prevents accidental data loss ⚡ Learn how Tessian Enforcer prevents insider threats ⚡ Learn how Tessian Defender prevents inbound email attacks

Was this article helpful? Subscribe to our weekly blog digest to get more insights into DLP, spear phishing, and other cybersecurity-related topics.
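To make the trade-offs in the three “data-centric” methods above (domain blacklisting, tagging 16-digit numbers, and if-then rules) concrete, here is an added Python example that is not Tessian’s code and not drawn from this post: a toy rule-based DLP pass run over a handful of constructed outbound-email events. The blocklisted domains and the 10MB threshold are the post’s own examples; the event names, recipients, message bodies and the `luhn_ok` refinement are assumptions made for the example. The Luhn checksum is the standard check that payment card numbers satisfy, so it shows one cheap way to cut the 16-digit false positives the post describes, while the other events show the misfires that no static rule removes.

```python
"""Added example (not Tessian's code): a toy rule-based DLP pass over
constructed outbound-email events, showing where static rules misfire."""
import re
from dataclasses import dataclass

# Settings taken from the post's own examples.
FREEMAIL_BLOCKLIST = {"gmail.com", "yahoo.com"}
SIZE_LIMIT_BYTES = 10 * 1024 * 1024           # "10MB or larger"
SIXTEEN_DIGITS = re.compile(r"(?<!\d)\d{16}(?!\d)")


@dataclass
class OutboundEmail:
    recipient: str
    body: str
    attachment_bytes: int = 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: payment card numbers satisfy it; most other 16-digit
    strings (tracking numbers, order ids) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def rule_freemail(msg: OutboundEmail):
    """Blacklisting domains: block any recipient at a freemail provider."""
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    return "block: freemail recipient" if domain in FREEMAIL_BLOCKLIST else None


def rule_sixteen_digits(msg: OutboundEmail):
    """Tagging sensitive data, as the post describes: any 16-digit number."""
    return "flag: 16-digit number" if SIXTEEN_DIGITS.search(msg.body) else None


def rule_sixteen_digits_luhn(msg: OutboundEmail):
    """Same tag, but only for numbers that pass the Luhn check."""
    if any(luhn_ok(m) for m in SIXTEEN_DIGITS.findall(msg.body)):
        return "flag: Luhn-valid 16-digit number"
    return None


def rule_attachment_size(msg: OutboundEmail):
    """If-then rule from the post: attachment of 10MB or larger gets blocked."""
    if msg.attachment_bytes >= SIZE_LIMIT_BYTES:
        return "block: attachment >= 10MB"
    return None


RULES = (rule_freemail, rule_sixteen_digits, rule_attachment_size)
RULES_WITH_LUHN = (rule_freemail, rule_sixteen_digits_luhn, rule_attachment_size)


def evaluate(msg: OutboundEmail, rules=RULES) -> list:
    """Run each rule; return the verdict strings that fired (empty = allowed)."""
    return [v for v in (rule(msg) for rule in rules) if v]


# Constructed events. 4111111111111111 is the long-standing public Visa test
# number, not a real card.
EVENTS = {
    "contractor_freemail": OutboundEmail("alex.contractor@gmail.com",
                                         "Here is the Q2 report you asked for."),
    "parcel_tracking": OutboundEmail("ops@partner.example",
                                     "Your parcel tracking number is 1234567890123456."),
    "card_in_body": OutboundEmail("ops@partner.example",
                                  "Card on file: 4111111111111111, please update."),
    "big_design_file": OutboundEmail("design@partner.example", "Final artwork attached.",
                                     attachment_bytes=12 * 1024 * 1024),
    "under_threshold": OutboundEmail("personal@example.net", "Customer export attached.",
                                     attachment_bytes=9 * 1024 * 1024),
}


def run_all(rules=RULES) -> dict:
    """Verdicts for every constructed event under the given rule set."""
    return {name: evaluate(msg, rules) for name, msg in EVENTS.items()}


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(f"{name:20} {verdicts or 'allowed'}")
    print("with Luhn refinement:", run_all(RULES_WITH_LUHN)["parcel_tracking"] or "allowed")
```

Run it and the post’s two complaints appear side by side. The contractor’s legitimate report, the 16-digit parcel tracking number and the 12MB artwork file are all stopped (legitimate activity blocked), while the 9MB customer export to an unlisted personal domain sails through (malicious or careless activity allowed), because the size rule knows nothing about content, recipient relationship or intent. The Luhn refinement clears the tracking-number false positive without touching the other outcomes, which is the kind of narrow improvement rule tuning can deliver; it cannot tell whether the card number was sent to someone entitled to receive it.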
Tessian Culture
Sumo Logic CEO Ramin Sayar Joins Tessian’s Board of Directors
By Tessian
Thursday, May 6th, 2021
Ramin Sayar, President and CEO of Sumo Logic, has joined Tessian’s Board of Directors. In his role as a board member, Sayar will advise on go-to-market and technology strategies, as well as help drive and improve operational excellence to support Tessian’s accelerated global growth. Sayar will continue to lead Sumo Logic as the company’s President and CEO, a position he has held since 2014.

Sayar brings with him over 20 years of experience in the technology industry. An experienced strategic and operating leader of both small and large organizations, he has a strong track record of developing innovative products in both emerging and mature markets. Prior to joining Sumo Logic he served as Senior Vice President and General Manager of VMware’s Cloud Management Business Unit, which was the company’s fastest-growing billion-dollar business unit. Previously, Ramin held multiple executive roles with leading companies such as HP Software, Mercury Software, Tibco Software, AOL, and Netscape. Sayar has also served as an advisor and on the boards of various other startup companies, helping them build product, go-to-market, and business strategies.

On joining Tessian’s Board of Directors, Sayar said, “It’s very exciting to join such an innovative and pioneering team like Tessian. By focusing on people first, Tessian has defined and created a new category of security software that is defining the Human Layer Security movement, and I see more companies – legacy and new – following suit. Tessian’s technology enables businesses to visualize the risks posed by employees and easily take targeted actions to reduce them.
What I find most impactful and remarkable is how Tessian drives lasting behavior change in employees, which ultimately makes them not only more accountable, but also more secure in their work and personal lives.”

Tim Sadler, CEO and co-founder of Tessian, said, “Having Ramin join Tessian’s board is another step in reinforcing our position as the category leader in Human Layer Security. Ramin is a world-class operator and one of the most empathetic leaders I’ve met. His human-first approach to business aligns perfectly with our company values and mission, and I believe this alignment will help us solve some of the biggest challenges that enterprises face today. With his knowledge of the industry and talent for helping innovative startups grow and thrive, Ramin’s appointment is going to be game-changing for our customers and our company.”
Compliance
Cybersecurity: What Does Biden’s Executive Order Mean For Your Business?
Wednesday, May 5th, 2021
Remember last year’s SolarWinds attack? It was one of the most significant hacks in history, and the fallout is ongoing. We may never know exactly how bad the attack was. But we do know that it’s making waves and was a wake-up call for many organizations—not least the U.S. government, which has realized just how vulnerable it is to hackers targeting the countless companies in its supply chain.

In response to SolarWinds, President Biden’s administration is drafting an executive order that aims to strengthen cybersecurity among both federal and private organizations. We’ve combed through the available information about the upcoming executive order to help you understand the potential implications for your business.

🕵 What information do we have about the executive order?

We’ve had little communication from the White House about Biden’s upcoming executive order. That means most of the information available derives from the following sources:
- The announcement that an executive order was in development, made in February by Anne Neuberger, White House deputy national security adviser for cyber and emerging technology
- A March speech to the RSA Conference by Alejandro Mayorkas, secretary of homeland security
- A leaked draft of the executive order seen by journalists in March
- An April speech to the Cybersecurity Coalition, given by Jeff Greene, acting senior director for cybersecurity at the National Security Council
- Further comments from Neuberger to NPR, made April 29

The order will likely tighten the rules around the procurement of private-sector software and services by government agencies—or, as Neuberger puts it: “If you’re doing business with the federal government, here’s a set of things you need to comply with in order to do business with us…”

This means companies hoping to obtain or maintain government contracts, software developers, and government agencies will need to demonstrate that they have implemented certain security measures.
Don’t fall under any of the above three categories? It’s still worth paying attention. This executive order is a clear sign that the U.S. is taking cybersecurity seriously. Now is the time to review your organization’s approach to cybersecurity—to ensure you have identified any vulnerabilities and can prevent or respond to attacks.

1. Breach notification

The order will likely include a breach notification rule that will impact companies supplying the federal government with software or hardware products. Of course, companies doing business with the federal government aren’t the only organizations bound by breach notification rules. Data breach notification rules are common worldwide, particularly in Europe, where the General Data Protection Regulation (GDPR) obliges organizations to notify regulators and individuals in the event of a breach of personal data within 72 hours.

Further reading: ⚡ GDPR: 13 Most Asked Questions + Answers ⚡ Biggest GDPR Fines in 2020 and 2021

There is currently no generally applicable federal breach notification law in the U.S. But many states and some sectors have breach notification laws. We look at several of these in our article US Data Privacy Laws 2020: What Security Leaders Need to Know.

The order’s breach notification rule would reportedly oblige federal contractors to notify a cyber incident response board (yet to be established) within days of a suspected hack or data breach. Organizations might also be required to cooperate with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to investigate the incident. Reuters suggested that the order might also contain a public disclosure rule. Public disclosure might involve notifying any members of the public affected by a data breach, either individually or via the media.

Note: Any organization operating under a data breach notification requirement must have robust and efficient procedures in place to identify and respond to a cybersecurity incident.
The sooner you can detect malicious activity, the sooner you can report it—and the sooner it can be contained or mitigated.

2. Software development security

The order will likely set out improved security requirements for software procured by federal agencies. This means developers of such software will need to implement stronger security standards in their products. Software vendors supplying the federal government may be required to create a “Software Bill of Materials” (SBOM) to accompany their products. An SBOM acts as an inventory that provides details about the components of a piece of software.

Jeff Greene also reportedly suggested that National Institute of Standards and Technology (NIST) controls would play a role in providing improved security standards for government contractors. It’s not clear whether software vendors would be required to comply with an existing NIST framework, or whether the government would work with NIST to derive new standards. However, whether or not an organization supplies software to the federal government, compliance with a scheme such as the NIST Cybersecurity Framework is strongly recommended. See our Beginner’s Guide to Cybersecurity Frameworks for more information.

3. Improved security within federal agencies

Finally, Biden’s executive order will likely include some mandatory security standards for government agencies and employees, including encryption of data and the use of multi-factor authentication (MFA). These technical controls are basic, and they are already best practice for any organization handling personal or sensitive data. But mandating such controls by law is a significant step.

As we learn more, we’ll update this article. Want to be the first to know? Sign up for our weekly blog digest, including global cybersecurity news, original research, and tips from security leaders.