Spear Phishing, DLP, Compliance
5 Cyber Risks In Manufacturing Supply Chains
Thursday, August 26th, 2021
When it comes to supply chain risks, cybersecurity and data loss are top of mind for security analysts and other professionals. The EU Agency for Cybersecurity (ENISA) notes that there has been a marked increase in such attacks since early 2020—and that most supply chain attacks target data (mainly personal information and intellectual property).

Manufacturers are typically involved in long and complex supply chains with many actors, making them particularly vulnerable to disruption and malicious activity in the supply chain. You must protect against these risks. Keep reading to learn more, including prevention tips.

5 manufacturing supply chain cyber risks

First, let’s look at five crucial supply chain cyber risks for manufacturers. We’ll then consider how manufacturers can improve their supply chain cybersecurity, referencing some real-life examples.

1. Intellectual property theft

One major concern for manufacturers is that third parties in their supply chain may abuse their access to intellectual property and other valuable or sensitive data. According to research by Kroll, guarding against supply chain IP theft is a priority for nearly three-quarters of companies. Even if all your supply chain partners are legitimate, there is always the possibility that a rogue employee could steal your IP or trade secrets and pass them on to your competitors. Don’t believe us? Check out these 17 examples of real-world insider threats.

2. Supply chain attacks

Supply chain attacks leverage security vulnerabilities to steal data and spread malware such as ransomware. Some recent high-profile supply chain attacks include the attacks on software companies SolarWinds and Kaseya. These incidents involved software vendors pushing compromised updates to their customers, resulting in widespread malware infections. There’s a reason that supply chains are particularly vulnerable to cyberattacks.
The more organizations are involved in a manufacturing process, the greater the likelihood that one of the members will fall victim to a cyberattack and spread malware to their business partners. But that doesn’t mean that the chain is “only as strong as its weakest link.” A well-defended organization can stop a supply chain attack in its tracks.

Case study: supply chain attack

Here’s an example of a supply chain attack that leveraged email in an attempt to undermine a company’s security defenses. This type of threat is known as an “account takeover” (ATO) attack.

The cybercriminals targeted a medium-sized construction firm by first infiltrating one of the company’s trusted vendors. The attackers managed to take over the email account of one of this vendor’s employees. By reading the employee’s emails, the criminals learned that the employee was in contact with several high-ranking staff members at the construction firm.

After observing the employee’s communication patterns and email style, the attackers then used the mailbox to send phishing emails to a targeted group of individuals at the construction firm. The phishing emails encouraged the recipients to click a link to a cloud storage folder, claiming that the folder contained a request for a proposal. Clicking the link would have downloaded malware onto the recipient’s device.

Protecting against supply chain attacks

Protecting against supply chain attacks requires a comprehensive cybersecurity policy, including staff training, network defenses, and security software. Implementing email security software is a vital part of your defensive strategy in the case of email-based supply chain attacks, such as the one above.

The case study above is a real-life example of how Tessian, a comprehensive email security solution driven by machine learning, can help thwart supply chain attacks. Tessian Defender scans inbound emails for suspicious activity.
The software also learns your employees’ communication patterns to understand what constitutes “normal” email activity. In the attack described above, Tessian noted several subtle signs—including the sender’s location and choice of cloud storage platform—suggesting that the email could be part of a supply chain attack. Tessian alerted the employee to the potential danger, and the supply chain attack was averted.

It’s important to note that legacy email security software, which normally operates on a “rule-based” basis, can fall short when it comes to sophisticated account takeover attacks like this. Tessian was not the only security product this construction firm was running. But it was the only one to spot the attack.

3. Compromised hardware and software

Malicious actors can compromise hardware and software during the manufacturing process, creating vulnerabilities that are passed on down the supply chain or to equipment end-users. Hardware can be tampered with at any stage in the supply chain. As a manufacturer, you might obtain compromised hardware—or malicious actors could interrupt the manufacturing process downstream, tampering with products to install rootkits or other technologies.

But as a manufacturer, you must also protect against threats in your own portion of the supply chain—where internal or external actors could interfere with the products or components you create.

Case study: compromised software

In August 2020, reports emerged that Chinese phone manufacturer Transsion had shipped thousands of mobile devices containing pre-installed malware that signed users up to subscription services without their consent. The pre-installed malware, known as Triada, automatically downloads and installs a trojan called “xHelper” that cannot be easily removed by users. The program covertly submits requests for subscription products at the user’s expense.
Transsion blamed a malicious actor in its supply chain for installing Triada on its devices—but the culprit has yet to be discovered.

Defending against software compromise

One step towards avoiding any type of malicious actor in your supply chain is conducting thorough due diligence. Identify and document all supply chain partners—as mentioned, you could be accountable for their malicious or negligent activity.

Integrating cybersecurity measures into your quality assurance regime may also be a way to prevent upstream malicious actors from tampering with firmware before your manufacturing process takes place. And as we’ve seen, it’s crucial to protect your own systems from cyberattacks—which means ensuring the security of key communications channels like email.

4. Downstream software or hardware security vulnerabilities

It’s vital to protect data against access by other parties in your supply chain. But even if you could trust your supply chain partners not to steal your data, you must also ensure that they don’t make it accessible to unauthorized third parties. No matter how much work you put into protecting your own systems from unauthorized access, your efforts could be rendered futile due to software or hardware vulnerabilities among other parties downstream.

5. Legal non-compliance

In addition to maintaining poor cybersecurity practices that directly impact your own organization’s security, third parties in the supply chain may follow poor information security practices for which you could be liable.

Case study: third-party legal non-compliance

In 2019, a U.K. pharmaceuticals company was fined after a third-party contractor left documents containing personal information publicly accessible in unsecured containers. Under the GDPR, “data controllers” are responsible for many of the actions of their service providers. As such, the pharmaceuticals company was deemed liable for the error.
The firm received a fine and engaged in a drawn-out legal battle with the U.K.’s data regulator.

Mitigating poor security practices among third parties

Research is crucial to ensure you’re working with reputable third parties that will undertake compliant and responsible data protection practices. Contracts stipulating particular security measures are also important. Such agreements can also contain contractual clauses that serve to indemnify your company against legal violations by the other party.

Under some data protection laws, including the GDPR and the upcoming Colorado Privacy Act, service providers processing personal information on another company’s behalf are required to submit to audits and inspections. Routinely inspecting the data security practices of your vendors and other service providers is an excellent way to ensure they are meeting their compliance obligations on your behalf.

How to prevent manufacturing supply chain risks

In general, manufacturers can manage cyber risks in supply chains via a robust and comprehensive cybersecurity program. Here are some key cybersecurity principles for supply chain management from the National Institute of Standards and Technology (NIST):

Assume your systems will be breached. This means considering not only how to defend against breaches, but determining how you will mitigate breaches once they have occurred.
Think beyond technology. Cybersecurity is also about people, processes, and knowledge.
Cybersecurity also means physical security. Threat actors can use physical security vulnerabilities to launch cyberattacks.

Implementing a cybersecurity framework is key to defending against supply chain threats. Manufacturers of any size can work towards cybersecurity framework compliance, implementing controls according to their resources and priorities. The NIST Cybersecurity Framework Manufacturing Profile (NISTIR 8183 Revision 1) is an excellent starting point for manufacturers.
For more information about the NIST framework, read our article on NIST and email security.

More specifically, manufacturers should be taking the following steps to protect their data and systems in supply chains:

Identify and document all supply chain members
Conduct careful due diligence on parties in the supply chain
Require supply chain partners to contractually agree to maintain good cybersecurity and data protection practices
Ensure inbound communications (particularly via email) are scanned for signs of phishing and other social engineering attacks
Scan outbound communications to prevent data loss
Ensure all employees are aware of the risks and their responsibilities

Email is a key supply chain vulnerability

Of all the risks inherent to working in a supply chain, cyberattacks are perhaps the most critical in the current climate. As ENISA notes, most supply chain attacks use malware to target company data. We also know that 96% of phishing attacks—which are the primary means of infecting business networks with malware—take place via email.

The bottom line: email security is a crucial step for manufacturers to defend against supply chain cyber risks.

Find out more about how Tessian can help with the resources below.
⚡ Tessian Platform Overview
⚡ Customer Stories
⚡ Book a Demo
Compliance
NIST Cybersecurity Framework and Email Security
Wednesday, August 25th, 2021
If you’re looking to improve your organization’s cybersecurity, the NIST Cybersecurity Framework provides an excellent starting point. Compliance with the NIST Cybersecurity Framework enables you to:

Describe your current cybersecurity posture (“Current Profile”)
Identify your target cybersecurity state (“Target Profile”)
Continuously identify and prioritize vulnerabilities

While email security isn’t the only component, it is a vital component of your organization’s overall cybersecurity program. So how can levelling up your email security bring you closer towards your NIST Target Profile?

First, let’s look at the overall structure of the Framework. Then we’ll consider how developing your organization’s email security is a key step towards NIST Cybersecurity Framework compliance.

NIST Cybersecurity Framework Structure

At its broadest level, the NIST Cybersecurity Framework consists of three parts: Core, Profile, and Tiers (or “Implementation Tiers”).

Core: Functions, Categories, Subcategories

Think of the Core of the NIST Framework as a three-layered structure. At its topmost level, the Core consists of five Functions:

Identify: Develops an organizational understanding to manage cybersecurity
Protect: Outlines appropriate cybersecurity safeguards
Detect: Outlines cybersecurity activities designed to detect incidents
Respond: Outlines cybersecurity activities to take during an incident
Recover: Outlines cybersecurity activities to take after an incident

Then, at the next level down, each Function consists of Categories focusing on business outcomes. There are 23 Categories split across the five Functions. Here are a few examples of some of the NIST Framework’s Categories:

Risk Assessment (ID.RA)
Data Security (PR.DS)
Detection Processes (DE.DP)
Mitigation (RS.MI)
Improvements (RC.IM)

At the bottom level, each Category consists of a set of Subcategories and Informative References.
Subcategories are more specific statements of an intended business outcome, while Informative References provide further technical detail available outside of the Framework. For example, under the Data Security (PR.DS) Category sit eight Subcategories, including the following:

PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

And here are some of the Informative References accompanying PR.DS-1: Data-at-rest is protected:

Center for Internet Security (CIS) Controls 13 and 14
COBIT 5 Management Practices APO01.06, BAI02.01, and BAI06.01
ISO/IEC 27001:2013 A.8.2.3

Check out the full framework for reference.

Tiers

The Tiers represent different degrees to which organizations may implement the NIST Cybersecurity Framework. There are four Tiers:

Tier 1: Partial — Security controls are implemented on an “ad hoc” or sometimes reactive basis. External partners often assist with the cybersecurity program.
Tier 2: Risk Informed — Implementation of controls is informed by risk objectives. Security awareness may not be standardized across the entire organization. Not all threats are proactively met.
Tier 3: Repeatable — Risk management practices are formal organizational policy. Employees are well-informed about security in the context of their roles. The organization’s security is understood in the broader context of supply chains and partnerships.
Tier 4: Adaptive — The organization can adapt its cybersecurity practices based on priorities and past experience. Security risks are taken seriously by senior management on par with financial risks. Formalized security processes are integrated into workflows.

You can choose the Tier most appropriate to you, depending on factors such as your resource level, organizational maturity, and compliance demands.

Profiles

Profiles allow you to adapt the Framework to meet the needs of your organization.
Establishing your Current Profile and determining a Target Profile provides a systematic way for you to work through the Functions, implementing the Categories and Subcategories that are most relevant to your organization. Your organization’s size and resource levels may help to determine an appropriate Target Profile. But you can also consider the business context in which you operate — or the cybersecurity threats that are most likely to impact you.

NIST recently released a preliminary draft profile for managing the threat of ransomware, which we’ll look at later in this article.

Email security in the NIST Framework

In the current cybersecurity climate, email security is a key consideration for business leaders. In fact, email is the attack vector security leaders are most worried about. We know that email serves as a key vector for ransomware, phishing, data exfiltration, and other increasingly widespread attacks and incidents.

Around 96% of phishing attacks start via email
Spear phishing emails are the most common delivery method for ransomware
Other email-based threats, such as Business Email Compromise, cost organizations billions each year

As such, you can mitigate some of the most serious and destructive security threats by ensuring your organization operates a highly secure email system. Now we’re going to look at some of the Categories from across the NIST Cybersecurity Framework’s five Functions, and identify how maintaining robust email security can help you meet NIST Cybersecurity Framework outcomes.

Asset Management (ID.AM)

Asset Management (ID.AM): “The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.”

Effective asset management means ensuring you have overall knowledge and understanding of your organization’s inventory, information flows, and personnel.
How is asset management relevant to email security? Well, understanding your organization’s communication networks and data flows is a vital part of asset management, and email is the primary means of communication for most companies. The ID.AM-3 Subcategory requires that “organizational communication and data flows are mapped.”

Mapping communication flows is the first step in detecting email cybersecurity events and creating a data loss prevention (DLP) strategy. An effective email security solution will use machine learning technology to establish employees’ communications networks.

Want to learn more about DLP? Check out these resources:
⚡ [Research] The State of Data Loss Prevention
⚡ Why is Email DLP So Important?

Awareness and Training (PR.AT)

Awareness and Training: “The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements.”

Security awareness training should always feature extensive information about social engineering attacks. Phishing, spear phishing, Business Email Compromise (BEC) — social engineering attacks that occur almost exclusively via email — rely on manipulating people into taking certain actions that expose data or compromise security.

Therefore, email security training is essential to meet the outcome associated with the PR.AT-1 Subcategory: “All users are informed and trained.” But we know that, while essential, security training is not enough to tackle serious cybersecurity threats.

Data Security (PR.DS)

Data Security: “Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.”

Preventing data loss via email is a core requirement in maintaining data security.
Email is at the root of most data breaches, whether due to phishing and other social engineering attacks, or “accidental” breaches involving misdirected emails or misattached files. Preventing data loss via email is a key step towards meeting the outcome for Subcategory PR.DS-5: “Protections against data leaks are maintained.”

Unless there is an operational requirement for data to leave your organization, your email security software should prevent it from doing so. Effective email security software can detect and prevent unauthorized data transfers. Learn more about how Tessian prevents data loss below.

Anomalies and Events (DE.AE)

Anomalies and Events: “Anomalous activity is detected and the potential impact on events is understood.”

How does this Category tie in with email security? Well, most cyberattacks rely on email as the route through an organization’s defenses. So detecting and analyzing anomalous activity across your email activity is essential. Within the “Anomalies and Events” Category, the following Subcategories are particularly relevant to email security:

DE.AE-1: “A baseline of network operations and expected data flows for users and systems is established and managed” — To detect anomalous email activity, your email security solution must understand what “normal” email looks like relative to each of your users.
DE.AE-3: “Event data are collected and correlated from multiple sources and sensors” — Email attacks can be particularly sophisticated, relying on social engineering techniques to manipulate users. Effective email security software requires a large amount of data.

Security Continuous Monitoring (DE.CM)

Security Continuous Monitoring: “The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.”

Monitoring your organization’s email activity is a crucial element in your overall security continuous monitoring efforts.
The following “Security Continuous Monitoring” Subcategories are of particular relevance to email security:

DE.CM-3: “Personnel activity is monitored to detect potential cybersecurity events” — External emails are only part of your email security battle. Compromised or spoofed corporate email accounts should also be monitored, as they can be used for internal phishing attacks.
DE.CM-7: “Monitoring for unauthorized personnel, connections, devices, and software is performed” — Implementing email security software that scans email communication for suspicious text and attachments could help meet this outcome.

Detection Processes (DE.DP)

Detection Processes: “Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.”

This means any email security solution must be continuously monitored and improved to ensure it can defend against the latest cyberattacks. Here are some relevant “Detection Processes” Subcategories:

DE.DP-4: “Event detection information is communicated” — Your email security software should notify both the affected user and IT administrators when a suspicious event occurs.
DE.DP-5: “Detection processes are continuously improved” — Email security systems should be continuously learning and updating to adapt to emerging threats.

NIST Preliminary Draft Ransomware Profile

In June 2021, NIST published Preliminary Draft NISTIR 8374 — Cybersecurity Framework Profile for Ransomware Risk Management. Ransomware is becoming the most severe cybersecurity threat in the current threat landscape. Because many, if not most, ransomware attacks start via email, improving your organization’s email security and its ransomware defense posture go hand-in-hand.

As mentioned above, setting a Target Profile is an important step in implementing the NIST Cybersecurity Framework. To defend against the increasingly serious ransomware threat, you may choose to work towards the Ransomware Risk Management Profile.
Implementing the draft Profile means achieving numerous Category outcomes from across all five Functions. We won’t go into the full details of the Profile here, but we recommend checking it out — particularly in the current threat climate.

Learn more about Tessian Human Layer Security

Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound and outbound emails for signs of phishing, malicious attachments, data exfiltration, and accidental data loss, Tessian scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior. This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted, and access the legitimate files and links they need across devices — while being alerted to anomalous and suspicious email content. Tessian’s in-the-moment warnings help reinforce training and nudge employees towards safer behavior over time.

Tessian’s Human Layer Security platform uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals:

Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses.
Anomalous email sending patterns: Based on historical email analysis, Tessian can identify unusual recipients, unusual send times, and emails sent to an unusual number of recipients in order to detect malicious inbound emails and suspicious outbound emails.
Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments.
Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too.

Learn more about how Tessian can transform your organization’s cybersecurity program.
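To make the per-user baseline idea concrete (the DE.AE-1 passage above, the signal list just given, and the vendor account-takeover case study in the supply chain post), here is an added example that is not Tessian’s code or model: a toy baseline built from constructed email history, scored against the kinds of signals the text names (sender location, reply-to address, unusual recipients and send times, recipient count, unfamiliar URL hosts). Field names, thresholds and all sample messages are assumptions for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlparse
import re

# Constructed sample data throughout; field names and thresholds are
# assumptions for illustration, not Tessian's feature set or model.


@dataclass
class Email:
    sender: str
    recipients: list
    sent_at: datetime
    country: str          # assumed: country the sending IP geolocates to
    reply_to: str = ""
    body: str = ""


@dataclass
class Baseline:
    """Per-sender summary of historical email (DE.AE-1 'expected data flows')."""
    messages: int = 0
    recipient_domains: Counter = field(default_factory=Counter)
    send_hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    url_hosts: Counter = field(default_factory=Counter)
    max_recipients: int = 1


URL_RE = re.compile(r"https?://[^\s<>\"']+")
MIN_HISTORY = 5   # assumed: with fewer messages than this, no baseline is trusted


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def hosts_in(body: str) -> set:
    """Hostnames of every URL found in the message body."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return {h.lower() for h in hosts if h}


def build_baselines(history: list) -> dict:
    """Summarise what 'normal' looks like for each sender in the history."""
    baselines = defaultdict(Baseline)
    for e in history:
        b = baselines[e.sender]
        b.messages += 1
        b.recipient_domains.update(domain_of(r) for r in e.recipients)
        b.send_hours[e.sent_at.hour] += 1
        b.countries[e.country] += 1
        b.url_hosts.update(hosts_in(e.body))
        b.max_recipients = max(b.max_recipients, len(e.recipients))
    return dict(baselines)


def anomaly_flags(email: Email, baselines: dict) -> list:
    """Names of every signal on which this email departs from its sender's
    baseline; an empty list means nothing looked unusual."""
    b = baselines.get(email.sender)
    if b is None or b.messages < MIN_HISTORY:
        return ["no_baseline"]
    flags = []
    if email.reply_to and domain_of(email.reply_to) != domain_of(email.sender):
        flags.append("reply_to_mismatch")          # unusual sender characteristic
    if email.country not in b.countries:
        flags.append("unusual_sender_location")    # unusual sender characteristic
    if any(domain_of(r) not in b.recipient_domains for r in email.recipients):
        flags.append("unusual_recipient_domain")   # anomalous sending pattern
    if email.sent_at.hour not in b.send_hours:
        flags.append("unusual_send_time")          # anomalous sending pattern
    if len(email.recipients) > 2 * b.max_recipients:
        flags.append("unusual_recipient_count")    # anomalous sending pattern
    if hosts_in(email.body) - set(b.url_hosts):
        flags.append("unseen_url_host")            # possible malicious payload
    return flags


# Constructed history: a vendor employee who emails one contact at a time at a
# construction firm, during office hours (09:00-15:00), always from GB.
VENDOR, FIRM = "alice@vendor.example", "builder.example"
HISTORY = [
    Email(VENDOR, [f"{name}@{FIRM}"],
          datetime(2021, 8, 2, 9, 0) + timedelta(days=i, hours=i % 7),
          "GB", body=f"Updated drawings: https://docs.vendor.example/job/{i}")
    for i, name in enumerate(["bob", "carol", "bob", "dan", "carol", "bob", "dan", "carol"])
]
BASELINES = build_baselines(HISTORY)

# Account-takeover style message: sent from the genuine mailbox, but at 03:14,
# from another country, to three people at once, linking to an unfamiliar
# cloud-storage host. No reply-to trick is needed, so that signal stays quiet.
ATO_EMAIL = Email(VENDOR, [f"bob@{FIRM}", f"carol@{FIRM}", f"dan@{FIRM}"],
                  datetime(2021, 8, 20, 3, 14), "DE",
                  body="Please review the RFP: https://share.cloudbox.example/f/rfp")

# Plain spoof: everything normal except a reply-to pointing at another domain.
SPOOF_EMAIL = Email(VENDOR, [f"bob@{FIRM}"], datetime(2021, 8, 20, 10, 5), "GB",
                    reply_to="alice.vendor@webmail.example", body="Invoice attached.")

if __name__ == "__main__":
    for label, e in (("ATO", ATO_EMAIL), ("spoof", SPOOF_EMAIL)):
        print(label, anomaly_flags(e, BASELINES))
```

A production system would weight and combine these flags rather than treat each as binary, and would keep the baseline rolling as the sender’s habits change; the point here is only that each flag is computed relative to the individual sender, not a global rule.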
Human Layer Security
Tessian Partners with Optiv Security and Moves to a 100% Channel Model
By Tessian
Tuesday, August 24th, 2021
Today, we announce the news that Tessian is moving to a 100% channel model, partnering with leading cybersecurity partners like Optiv Security to help enterprises secure the human layer and protect against threats caused by human error. There’s currently a gap in enterprise email security. Nearly 50% of advanced phishing emails bypass secure email gateways while legacy email solutions and data loss prevention (DLP) controls aren’t stopping employees from leaking data, accidentally or otherwise. Using machine learning, Tessian is solving these problems in a way that current technology providers can’t – opening up a huge opportunity for security-focused partners. 
Led by the company’s Chief Strategy Officer, Matt Smith, and the team who successfully built and scaled the Duo Security channel program, Tessian’s channel team has launched a best of breed, invite-only partner program and has also signed partnerships with the likes of Altinet and CTS in the UK, Asystec and Kontex in Ireland, and Nclose in South Africa. It is now looking to bring more security-centric and strategic go-to-market partners onboard to help holistically solve one of the biggest problems in enterprise security today.
“A 100% channel model means the Tessian team is ‘all-in’ on partners,” says Smith. “We’re committed to helping our partners differentiate their offerings, design new service packages and increase their profitability. Channel partners play a critical role in advising and helping CISOs and CIOs solve major security challenges – which today includes data loss and breaches caused by people. With trusted partners like Optiv, we can truly accelerate our mission of securing the human layer in the enterprise.”

“A solid cybersecurity infrastructure is a core asset to every organization. As companies become increasingly vulnerable to security threats, both intentional and unintentional, it’s vital that tested and trusted security solutions are in place,” says Ahmed Shah, senior vice president of alliances and strategic partnerships at Optiv. “We welcome the opportunity to partner with companies like Tessian that provide these types of services to enterprise clients.”

To find out more about Tessian’s channel program, click here.
Spear Phishing
Phishing vs Spear Phishing: Phishing and Spear Phishing Examples
Monday, August 23rd, 2021
Phishing and spear phishing are both “social engineering” cyberattacks. In both types of attacks, a cybercriminal impersonates a trustworthy person and tricks their target into revealing login credentials, installing malware, or making a wire transfer.
Think of it this way: Phishing is like catching fish using a line — you cast your rod into the water and see what bites. With spear phishing, you choose the fish you want and aim the spear right at it.

Note: This distinction is a big deal, affecting how you detect, mitigate, and prevent both types of attacks.
What is phishing?

As we explained in our article “What Is Phishing?,” the term “phishing” can mean two things:

An umbrella term covering many types of cyberattacks
A specific type of cyberattack: an untargeted social engineering attack, conducted via email

In the first instance, “phishing” can refer to cyberattacks including:

Business Email Compromise: A phishing attack utilizing an impersonated, spoofed, or hacked business email address
Wire transfer phishing: A phishing attack that attempts to trick the target into making a fraudulent transfer to the attacker
Smishing: Phishing via SMS
Vishing: Phishing via voice, e.g., phone or VoIP software

In the second, specific sense, phishing means a social engineering attack (conducted via email) with no specific target. We sometimes call this “spray-and-pray” phishing. The cybercriminal sends as many emails as they can in the hope that someone falls for their scam. But don’t be fooled: phishing attacks aren’t necessarily amateurish operations.

What is spear phishing?

Spear phishing is a targeted phishing attack. The target receives an email that addresses them directly — by name. Any type of targeted phishing attack is a “spear phishing” attack, including:

Whaling: A spear phishing attack targeting a company executive
CEO fraud: A spear phishing attack where the fraudster impersonates a company’s CEO and targets another of the company’s employees

But spear phishing is broader than this: if a Business Email Compromise attack, wire transfer phishing attack — or any other type of phishing attack — targets a specific individual, it’s a spear phishing attack.

Looking for more information about spear phishing? Check out this article: What is Spear Phishing? Targeted Phishing Attacks Explained.

Phishing vs. spear phishing examples

Now we’re going to look at some phishing attacks and spear phishing attacks side-by-side so you can understand the differences.
The two emails below demonstrate the essential difference between phishing and spear phishing:
This is an example of a “bulk” phishing email. It doesn’t address the target by name and doesn’t contain any personal information. But, because it appears to come from a trusted brand (Netflix) someone is likely to click the link. 
This is an example of a spear phishing email: CEO fraud, to be precise. The attacker has exploited a professional relationship to elicit feelings of urgency and trust — the CEO urgently needs a favor and requests an employee to pay an invoice to an unknown account. But the “CEO” is a cybercriminal who controls the “new account.”

These examples should help you better understand the difference between phishing and spear phishing:

Phishing succeeds by sheer volume: send a fraudulent email out to enough people and someone will fall for it eventually.
Spear phishing succeeds through more sophisticated methods: send one fraudulent email containing personal information to a specific individual.

Looking for more resources? We explore phishing, spear phishing, and other social engineering attacks in greater detail in the following articles:

Phishing 101: What is Phishing?
What is Spear Phishing? Targeted Phishing Attacks Explained
Spear Phishing Examples: Real Examples of Email Attacks
How to Hack a Human: How Attackers Use Social Media to Craft Targeted Spear Phishing Campaigns
Human Layer Security, Customer Stories, DLP
16 Ways to Get Buy-In For Cybersecurity Solutions
By Maddie Rosenthal
Friday, August 20th, 2021
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost. This is easier said than done, but security is business-critical.

So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips.

You can download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. Or, download this eBook.

1. Familiarize yourself with overall business objectives
While cybersecurity has historically been a siloed department, today it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.
The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case. If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach report, the average cost of a data breach is $4.24 million.)

2. Create specific “what-if” scenarios
A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it. As the saying goes, “If it ain’t broke, don’t fix it”.
That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented, so that stakeholders can understand both probability and impact. For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails, which, by the way, are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox. What would happen?
Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.

3. Work closely with the security vendor
You know your business. Security vendors know their product. If you combine each of your expertise – and really lean on each other – you’ll have a much better chance of making a compelling case for a particular solution. Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.

4. Collaborate and align with other departments
It takes a village, and cybersecurity is a “people problem”. That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on. Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win!

5. Consider how much the executive(s) really know about security
To communicate effectively, you have to speak the same language. And, we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with. But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing. For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But, if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.
In short: Don’t succumb to the Curse of Knowledge.

6. Use analogies to put costs into perspective
One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful. For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But, the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period. Suddenly, the cost will seem more manageable and worth the investment.

7. Invite key stakeholders to events or webinars
Before you even start pitching a particular solution, warm up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people/organizations are finding solutions. Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle.

8. Prepare concise and personalized briefing materials
Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5. After taking some time to understand the business’ overall objectives, take a closer look at individual people’s roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity. Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.
The bottom line: make it about them.

9. Share these documents in advance of any formal meetings
While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed. To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings. But, don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information.

10. Build a strong security culture
Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone. So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping – not blaming – employees. There has to be a certain level of mutual trust and respect.
Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions – whether it’s clicking on a phishing email or using a weak password – have consequences. If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign off on solutions.

11. Keep an eye on security trends outside of your industry
Some industries – specifically Healthcare, Financial Services, and Legal – are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months. Keep this in mind. If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too.

12. Approach non-executive stakeholders early on
While – yes – getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc. After all, those are the people who will actually be responsible for deploying the solution and maintaining it. By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on. How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.

13. Match like-for-like people from both sides
If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level. For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions. And, with that in mind…

14. Preempt questions and prepare answers
No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!) Remember, people are generally concerned with how a problem/solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.

15. Get specific customer references from the vendor
We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And, we mentioned in tip #13 that you should match like-for-like people in meetings. It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince your CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from the CTO. Why? Professionals trust and rely on their peers when making difficult decisions.

16. Be conscious (and considerate) of people’s time
Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).

Are you a security leader who wants to offer advice to your peers? We’d love to hear from you! Please get in touch with madeline.rosenthal@tessian.com.

And, if you’re looking for more advice, check out these blogs:
How to Communicate Cybersecurity ROI
Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges
How to Create an Enduring and Flexible Cybersecurity Strategy
Human Layer Security, DLP
What is Email DLP? Overview of DLP on Email
Thursday, August 19th, 2021
Data loss prevention (DLP) and insider threat management are both top priorities for security leaders to protect data and meet compliance requirements.  And, while there are literally thousands of threat vectors – from devices to file sharing applications to physical security – email is the threat vector security leaders are most concerned about protecting. It makes sense, especially with remote or hybrid working environments. According to Tessian platform data, employees send nearly 400 emails a month. When you think about the total for an organization with 1,000+ employees, that’s 400,000 emails, many of which contain sensitive data. That’s 400,000 opportunities for a data breach.  The solution? Email data loss prevention.
This article will explain how email DLP works, consider the different types of email DLP, and help you decide whether you need to consider it as a part of your overall data protection strategy.  Looking for information about DLP more broadly? Check out this article instead: A Complete Overview of Data Loss Prevention. 
➡ What is email data loss prevention?
Essentially, email DLP tools monitor a company’s email communications to determine whether data is at risk of loss or theft. There are several methods of email DLP, which we’ll look at below. But they all attempt to:
Monitor data sent and received via email
Detect suspicious email activity
Flag or block email activity that leads to data loss

➡ Do I need email data loss prevention?
Unless you’re working with a limitless security budget (lucky you!), it’s important to prioritize your company’s resources and target areas that represent key security vulnerabilities. Implementing security controls is mandatory under data protection laws and cybersecurity frameworks, like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). And there’s a good reason to prioritize preventing data loss on email. As we’ve said, email is the threat vector security leaders are most concerned about. We’ll explain why.

📩 Inbound email security threats
How can malicious external actors use email to steal data? There are many methods.
Phishing—social engineering attacks designed to trick your employees into handing over sensitive data. According to the FBI, phishing is the leading cause of internet crime, and the number of phishing incidents doubled in 2020.
Spear phishing—like phishing, but targeted at a specific individual. Spear phishing attacks are more sophisticated than the “bulk” phishing attacks many employees are used to.
Malware—phishing emails can contain a “malicious payload”, such as a trojan, that installs itself on a user’s device and exfiltrates or corrupts data.
Email DLP can help prevent criminals from exfiltrating your company’s data.

🏢 Internal email security threats
While it’s crucial to guard against external security threats, security teams are increasingly concerned with protecting company data from internal actors. There are two types of internal security threats: accidental and malicious.

🙈 Accidental data loss
Accidents happen. Don’t believe us? Human error is the leading cause of data breaches. Tessian platform data shows that in organizations with 1,000 or more employees, people send an average of 800 misdirected emails (emails sent to the wrong recipient) every year. That’s two every day.
How can a misdirected email cause data loss? Misspelling the recipient’s address, attaching the wrong file, accidental “reply-all”—any of these common issues can lead to sensitive company data being emailed to the wrong person. And remember—if the email contains information about an individual (personal data), this might be a data breach. Misdirected emails are the top cause of information security incidents according to the UK’s data regulator.
We can’t forget that misattached files are also a big problem. In fact, nearly half (48%) of employees say they’ve attached the wrong file to an email. Worse still, according to survey data:
42% of documents sent in error contained company research and data
39% contained security information like passwords and passcodes
38% contained financial information and client information
36% contained employee data
But, not all data loss incidents are an accident.

🕵 Insider threats
Employees or contractors can steal company data from the inside. While less common than accidental data loss, employees that steal data—or simply overstep the mark—are more common than you might think. Some employees steal company data to gain a competitive advantage in a new venture—or for the benefit of a third party. We covered some of these incidents in our article, 11 Real Insider Threats.
But more commonly, employees are breaking the rules for less nefarious reasons. For example, employees send company data to a personal email address for convenience, such as to work on a project at home or on another device. Sending unauthorized emails is a security risk, though. Tessian platform data shows that it occurs over 27,500 times per year in companies with 1,000 employees or more. And, while – yes – it’s often not done maliciously, the consequences are no less dire, especially in highly regulated industries.
So, how do you prevent these things from happening?

➡ Email DLP solutions to consider
Research shows that the majority of security leaders say that security awareness training and the implementation of policies and procedures are the best ways to prevent data loss. And both are very important. But – as well-intentioned as most employees are – mistakes still happen despite frequent training and despite stringent policies. That means a more holistic approach to email DLP – including technology – is your best bet. Broadly, there are two “types” of DLP technology: rule-based DLP and machine learning DLP.

📏 Rule-based email DLP
Using rule-based DLP, IT administrators can tag sensitive domains, activities, or types of data. When the DLP software detects blacklisted data or behavior, it can flag it or block it. Like training and policies, rule-based DLP certainly has its place in security strategies. But there are limitations of rule-based DLP. This “data-centric” model does not fully account for the range of behavior that is appropriate in different situations. For example, say an IT administrator asks email DLP software to block all correspondence arriving from “freemail” domains (such as gmail.com), which are often used to launch cyberattacks.
What happens when you need to communicate with a contractor or customer using a freemail address? What’s more, rule-based DLP is very admin-intensive. Creating and managing rules and analyzing events takes a lot of time, which isn’t ideal for thinly-stretched security teams.
Want to learn more? We explore situations where rule-based DLP falls short in The Drawbacks of Traditional DLP on Email.

🤖 Machine learning email DLP
Machine learning email DLP is a “human-centric” approach. By learning how every member of your company communicates, machine learning DLP understands the context behind every human interaction with data. How does machine learning email DLP work? This DLP model processes large amounts of data and learns your employees’ communication patterns. The software understands when a communication is anomalous or suspicious by constantly reclassifying data according to the relationship between a business and its customers, suppliers, and other third parties. No rules required.
This type of DLP solution enables employees to work unimpeded until something goes wrong, and makes preventing data loss effortless for security teams.
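To make the rule-based model and its freemail problem concrete, here is an added example of a minimal outbound rule engine; it is not Tessian's code or any product's configuration. The internal domain, the freemail blocklist, the content patterns and the allowlisted contractor address are all constructed placeholders. The allowlist is the practical answer to the contractor-or-customer-on-gmail question: an exact-address exception that keeps the domain rule intact, at the cost of yet another list an administrator has to maintain.

```python
import re
from dataclasses import dataclass, field

# All domains, addresses and rules below are constructed for this example;
# a real deployment would load them from the DLP product's configuration.
INTERNAL_DOMAIN = "corp.example"

# "Blacklisted" destinations: consumer freemail domains the admin wants blocked.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Exception list for the contractor/customer case: named freemail
# addresses the business legitimately corresponds with (placeholder value).
ALLOWED_FREEMAIL_ADDRESSES = {"jane.contractor@gmail.com"}

# Tagged "types of data": simple patterns standing in for an admin's content tags.
SENSITIVE_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credential": re.compile(r"\bpassword\s*[:=]", re.IGNORECASE),
}


@dataclass
class OutboundEmail:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                      # "allow", "flag" or "block"
    reasons: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(mail: OutboundEmail) -> Verdict:
    """Apply the static rules and return the strongest outcome they produce."""
    verdict = Verdict("allow")
    external = [r for r in mail.recipients if domain_of(r) != INTERNAL_DOMAIN]

    # Rule 1: block mail to freemail domains unless the exact address is allowlisted.
    for rcpt in external:
        if domain_of(rcpt) in FREEMAIL_DOMAINS and rcpt.lower() not in ALLOWED_FREEMAIL_ADDRESSES:
            verdict.action = "block"
            verdict.reasons.append(f"recipient {rcpt} is on a blocked freemail domain")

    # Rule 2: flag tagged data types leaving the organisation.
    # Internal-only mail is not inspected, which is exactly the blind spot
    # a static, data-centric rule set has for context.
    if external:
        text = f"{mail.subject}\n{mail.body}"
        for tag, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(text):
                verdict.reasons.append(f"{tag} content addressed to an external recipient")
                if verdict.action == "allow":
                    verdict.action = "flag"
    return verdict


if __name__ == "__main__":
    samples = [
        OutboundEmail("alice@corp.example", ["jane.contractor@gmail.com"], "Timesheet", "Attached as agreed."),
        OutboundEmail("alice@corp.example", ["someone@gmail.com"], "Hi", "See you Friday."),
        OutboundEmail("alice@corp.example", ["buyer@partner.example"], "Access", "Password: hunter2"),
    ]
    for s in samples:
        print(s.recipients, evaluate(s))
```

Each verdict carries the rule that fired, which is the "analyzing events" work the post mentions: every block or flag is a ticket someone has to review, and every legitimate freemail contact is a new allowlist entry.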
💡 Learn more about Tessian’s email DLP solutions
Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our contextual machine learning models have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real-time if particular emails look like they’re about to be sent to the wrong person or if an employee has attached the wrong file. Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network. And, finally, Tessian Defender prevents inbound threats, like spear phishing, business email compromise, and CEO fraud.
To learn more about data exfiltration and how Tessian uses machine learning to keep data safe, check out our customer stories or talk to one of our experts today. You can also subscribe to our monthly newsletter below to get more updates about DLP, compliance, spear phishing, industry trends, and more.
Spear Phishing
How Does Tessian Help Prevent Ransomware Attacks?
By Negin Aminian
Wednesday, August 18th, 2021
Before we dig into how Tessian can help prevent ransomware attacks, let’s first define what exactly ransomware is, and explain the scope of the problem.

What is ransomware?
Ransomware is a type of malware that threatens to publish a victim’s data (or perpetually block access to it) unless a ransom is paid. Most ransomware and their variants have multiple attack vectors, and often the ransomware (and other malware) is distributed using email spam campaigns, or through targeted attacks. For example, a phishing email may contain a link to a website hosting a malicious download or an attachment. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.
After a successful ransomware attack, security professionals and business executives are faced with conflicting options. Paying the ransom encourages future attacks. Yet the recovery could be far more costly than the original demand.
You can learn more about what ransomware is in this article: What is Ransomware? How is it Delivered?

How big of a problem is ransomware?
In a word: BIG. You can’t go a day without seeing a headline related to ransomware. That’s because ransomware continues to evolve and can halt businesses, slow down productivity, and destroy an organization’s reputation overnight. These types of attacks are often subtle and highly effective, using social engineering attacks until users are tricked into clicking a phishing link or opening a file attachment. Worse still, the majority of organizations are unable to prevent ransomware early in the email cyberattack kill chain and remain vulnerable against these highly sophisticated attacks. Why? Because legacy solutions don’t effectively detect and prevent this type of threat, and there can be multiple threat vectors attacking a single organization in several different ways. The chances of success (for the hacker) are high.
Want to see examples of email cyber attack kill chains for ransomware? Download our Solution Brief.
To paint a clearer picture of the impact, check out these stats:
A new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021
Ransomware damage costs will rise to $20 billion by 2021, and a business will fall victim to a ransomware attack every 11 seconds at that time
The ransomware attack on Universal Health Services (UHS) cost them $67 million. (This is mostly due to the operational problems post-attack: diverting patients to competing facilities for urgent care.)
If you’re looking for real-world examples of ransomware attacks, we share seven here: 7 (Recent) Examples of Ransomware Attacks.

How does Tessian help prevent ransomware?
Unlike legacy solutions, Tessian Defender is powered by machine learning and automatically detects and prevents advanced forms of phishing attacks – including those that deliver ransomware – by default. Importantly, this happens early in the kill chain to prevent credential theft, lateral movement, exfiltration, and more. In addition to detecting and preventing threats, Tessian also provides in-the-moment training to help employees identify malicious emails, and nudge them towards safer behavior. Solution highlights include:

Threat detection
Tessian’s algorithms continuously analyze and learn from email communications across its global network to build profiles and models of companies and their employees, to understand what their normal email communication looks like. This helps catch even the most advanced forms of phishing attacks that could lead to ransomware. Learn more about Tessian’s technology here.

Rapid remediation
Real-time alerts of inbound email threats to dedicated mailboxes. Explainable machine learning helps SOC teams understand quickly why an email has been classified as malicious. By aggregating similar events and grouping emails from the same compromised account, Tessian allows administrators to clawback/delete multiple events with a single click. Learn more about Tessian’s robust remediation tools here.

In-the-moment training
Non-disruptive in-the-moment training and awareness is provided to employees through contextualized, easy-to-understand warning messages that continually drive them towards secure behavior. Learn more about Tessian in-the-moment warnings here.

Flexible deployment and seamless integrations
Defender deploys in minutes and automatically prevents data breaches through email within 24 hours of deployment, across all devices, desktop and mobile. Learn more about Tessian’s integrations, compatibility, and partnerships here and see what customers have to say about deployment here.
Spear Phishing, Compliance
Where Does Email Security Fit Into the MITRE ATT&CK Framework?
Friday, August 13th, 2021
If you’re aiming to achieve compliance with the MITRE ATT&CK Framework, email security will be among your top priorities. Why? Because securing your organization’s email is critical to detect, mitigate, and defend against some of the most widespread and harmful online threats. In this article, we’ll offer a brief overview of the MITRE ATT&CK framework, then consider which attack techniques you can mitigate by improving your organization’s email security.

MITRE ATT&CK Framework 101
Here’s a brief introduction to the MITRE ATT&CK framework. Outlining the framework is important as it’ll help you see how its components tie in with your email security program. But feel free to skip ahead if you already know the basics.
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework has three iterations—ATT&CK for Enterprise, ATT&CK for Mobile, and Pre-ATT&CK. We’re focusing on ATT&CK for Enterprise, covering threats to Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network environments. You can check out the Mobile Matrices here, and the PRE Matrix here.

MITRE ATT&CK tactics, techniques, sub-techniques, and mitigations
At the core of the framework is the ATT&CK matrix—a set of “Tactics” and corresponding “Techniques” used by “Adversaries” (threat actors). The ATT&CK for Enterprise matrix includes 14 Tactics:
TA0043: Reconnaissance
TA0042: Resource Development
TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0004: Privilege Escalation
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0008: Lateral Movement
TA0009: Collection
TA0011: Command and Control
TA0010: Exfiltration
TA0040: Impact
Think of these Tactics as the Adversary’s main objectives. For example, under the “Collection” Tactic (TA0009), the adversary is “trying to gather data of interest to their goal.” If you want to learn more about these tactics, or see a full list of the Techniques, Sub-Techniques, and Mitigations we mention below, click here.
A set of Techniques and sometimes “Sub-Techniques” is associated with each Tactic. Techniques are the methods an Adversary uses to achieve their tactical objectives. Sub-Techniques are variations on certain Techniques. We won’t list all the MITRE ATT&CK Techniques here, but we’ll identify some relevant to email security in just a second.
But first (and finally) there are “Mitigations”—methods of preventing or defending against adversaries. Examples of Mitigations include M1041: “Encrypt Sensitive Information,” and M1027: “Password Policies.”
Back to email security…

MITRE and Email Security
Now we’ll identify the MITRE ATT&CK framework Tactics and Techniques that are relevant to email security specifically. We’ll consider MITRE’s recommended Mitigations and look at how you can align your email security program to meet the framework’s requirements.

Technique T1566: Phishing
“Phishing” is a MITRE ATT&CK Technique associated with the “Initial Access” Tactic (TA0001). As you’ll probably know, phishing is a type of social engineering attack—usually conducted via email—where an adversary impersonates a trusted person or brand and attempts to trick their target into divulging information, downloading malware, or transferring money. Want more information about phishing? Start by checking out What is Phishing?
The MITRE ATT&CK framework identifies both targeted phishing attacks (a technique known as “spear phishing”) and more general phishing attacks (conducted in bulk via spam emails). Now let’s look at the three Sub-Techniques associated with the Phishing Technique.

📎 T1566.001: Spearphishing Attachment
Sub-Technique T1566.001 involves sending a spear phishing email with a malicious attachment. The attachment is malware, such as a virus, spyware, or ransomware file that enables the adversary to harm or gain control of the target device or system. A spear phishing attachment is usually disguised as a harmless Office, PDF, or ZIP file, and legacy email security software and spam filters can struggle to determine whether an attachment is malicious.
The spear phishing email itself will usually try to persuade the target to open the file. The Adversary may impersonate a trusted person and can even provide the target with instructions on opening the file that will bypass system protections. For more information about malicious email attachments, read What is a Malicious Payload?

🔗 T1566.002: Spearphishing Link
Alternatively to using a malicious attachment, a spear phishing email can include a link that leads to a malicious site such as a fraudulent account login page or a webpage that hosts a malicious download. Like with the “Spearphishing Attachment” Sub-Technique, the “Spearphishing Link” Sub-Technique will normally employ social engineering methods—this time as a way to persuade the target to click the malicious link. For example, the spear phishing email may be disguised as a “security alert” email from Microsoft, urging the target to log into their account. Upon following the link and “logging in,” the target’s login credentials will be sent to the adversary. We’ve written in detail about this type of attack in our article What is Credential Phishing?

📱 T1566.003: Spearphishing via Service
The “Spearphishing via Service” Sub-Technique uses platforms other than email to initiate a spearphishing attack—for example, a LinkedIn job post or WhatsApp message. This Sub-Technique is not directly related to email security—but email security is still relevant here. For example, if an Adversary is able to establish rapport with their target via social media, then they might follow up with a spear phishing email.
❌ Phishing Detection and Mitigation
Now let’s look at which Mitigations MITRE recommends for dealing with the Phishing Technique and its three associated Sub-Techniques:
M1049: Antivirus/Antimalware — Quarantine suspicious files arriving via email.
M1031: Network Intrusion Prevention — Monitor inbound email traffic for malicious attachments and links.
M1021: Restrict Web-Based Content — Block access to web-based content and file types that are not necessary for business activity.
M1054: Software Configuration — Use anti-spoofing methods to detect invalid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures.
M1017: User Training — Educate employees to help them detect signs of a phishing attack.
Note: None of MITRE’s recommended Phishing Mitigations is sufficient on its own. Antivirus software, for example, can quarantine malicious files but is less likely to detect suspicious links. User Training helps embed a security-focused workplace culture—but you can’t expect employees to recognize sophisticated social engineering scenarios.
To prevent phishing attacks, it’s vital security leaders take a layered approach, including training, policies, and technology. Your best bet when it comes to technology? A next-gen email security solution that can automatically scan internal and external email communication for signs of malicious activity based on historical analysis.
Email security software can use several methods of detecting phishing attacks. Older solutions rely on techniques such as labeling and filtering—an administrator manually inputs the domain names, file types, and subject lines that the software should block. Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound emails for signs of phishing, the software scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior.
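As an added example of what M1054 (detecting invalid SPF and DKIM results) looks like in practice, the block below reads the Authentication-Results header (RFC 8601) that a receiving mail server stamps on each message and turns the SPF, DKIM and DMARC verdicts into a delivery decision. It is not Tessian's code or MITRE's; the messages, domains and the trusted server name `mx.corp.example` are constructed. Two details go slightly beyond the post's one-line mitigation: the check only trusts headers written by its own server (an inbound message can carry a forged Authentication-Results header), and it treats an SPF or DKIM "pass" as meaningful only when the authenticated domain matches the visible From: domain, which is the alignment rule DMARC is built on.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Only Authentication-Results headers written by our own MTA are trusted;
# RFC 8601 says to strip or ignore headers claiming an authserv-id we did not produce.
TRUSTED_AUTHSERV_ID = "mx.corp.example"   # constructed placeholder

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([^;\s]+)", re.IGNORECASE)
DKIM_DOMAIN_RE = re.compile(r"header\.d=([^;\s]+)", re.IGNORECASE)
HARD_FAIL = {"fail", "permerror"}


def domain_of(value: str) -> str:
    return value.rsplit("@", 1)[-1].strip().lower()


def parse_authentication_results(msg) -> dict:
    """Collect method results plus the domains SPF and DKIM were evaluated against."""
    found = {"results": {}, "spf_domain": None, "dkim_domain": None}
    for header in msg.get_all("Authentication-Results", []):
        text = str(header)
        authserv_id = text.split(";", 1)[0].strip()
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue                      # attacker-supplied or foreign header: ignore
        for method, result in RESULT_RE.findall(text):
            found["results"].setdefault(method.lower(), result.lower())
        m = MAILFROM_RE.search(text)
        if m and found["spf_domain"] is None:
            found["spf_domain"] = domain_of(m.group(1))
        m = DKIM_DOMAIN_RE.search(text)
        if m and found["dkim_domain"] is None:
            found["dkim_domain"] = domain_of(m.group(1))
    return found


def classify(raw_message: str):
    """Return (decision, reasons): quarantine on hard failures, flag on unaligned passes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_authentication_results(msg)
    results = auth["results"]
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])

    hard, soft = [], []
    if not results:
        soft.append("no trusted authentication results recorded")
    if results.get("spf") in HARD_FAIL:
        hard.append("spf " + results["spf"])
    if results.get("dkim") in HARD_FAIL:
        hard.append("dkim " + results["dkim"])
    if results.get("dmarc") == "fail":
        hard.append("dmarc fail")

    # Alignment: a pass vouches for the From: domain only if the checked domain matches it.
    spf_aligned = results.get("spf") == "pass" and auth["spf_domain"] == from_domain
    dkim_aligned = results.get("dkim") == "pass" and auth["dkim_domain"] == from_domain
    if results and not (spf_aligned or dkim_aligned):
        soft.append(f"no aligned pass for From: domain {from_domain}")

    if hard:
        return "quarantine", hard + soft
    if soft:
        return "flag", soft
    return "deliver", []


# Constructed sample messages (not real traffic).
LEGIT = (
    "From: Bank Alerts <alerts@bank.example>\n"
    "To: alice@corp.example\n"
    "Subject: Statement ready\n"
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bank.example; "
    "dkim=pass header.d=bank.example; dmarc=pass\n\nYour statement is available.\n"
)
SPOOFED = (
    "From: Bank Security <security@bank.example>\n"
    "To: alice@corp.example\n"
    "Subject: Verify your account\n"
    "Authentication-Results: mail.attacker.example; spf=pass smtp.mailfrom=bank.example\n"
    "Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=attacker.example; dkim=none\n"
    "\nClick the link to verify.\n"
)
UNALIGNED = (
    "From: CEO <ceo@corp.example>\n"
    "To: alice@corp.example\n"
    "Subject: Quick favour\n"
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bulkmailer.example; dkim=none\n"
    "\nAre you at your desk?\n"
)

if __name__ == "__main__":
    for name, raw in ("legit", LEGIT), ("spoofed", SPOOFED), ("unaligned", UNALIGNED):
        print(name, classify(raw))
```

The spoofed sample carries a forged `spf=pass` header from a foreign authserv-id; it is ignored, and the genuine `spf=fail` result quarantines the message. The unaligned sample passes SPF for a third-party sending domain while displaying the CEO's address, which is the pattern behind many CEO-fraud attempts and is why a bare "pass" is not enough.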
This intelligent, context-driven approach means Tessian allows your employees to work uninterrupted and access the legitimate files and links they need—while being alerted to anomalous and suspicious email content.
These in-the-moment warnings help reinforce training and nudge employees towards safer behavior over time. Download the Tessian Platform Overview to learn more.

Technique T1534: Internal Spearphishing

The “Internal Spearphishing” Technique is associated with the “Lateral Movement” Tactic (TA0008) and is distinct from the “Phishing” Technique. Internal Spearphishing takes place once an adversary has already penetrated your system or account. The adversary leverages existing account access to conduct an internal spear phishing campaign. Internal Spearphishing is particularly damaging because the emails come from a genuine (albeit compromised) account. This makes them virtually impossible to spot, and therefore very persuasive.

Internal Spearphishing Detection and Mitigations

MITRE notes that detecting an Internal Spearphishing attack (also known as Account Takeover) can be difficult. There are no mitigations associated with the “Internal Spearphishing” Technique in the MITRE ATT&CK framework. According to MITRE, the main difficulty associated with detecting and mitigating Internal Spearphishing attacks is that “network intrusion detection systems do not usually scan internal email.” The main hallmarks of a spear phishing email—such as email impersonation or spoofing—are not present once an adversary has successfully compromised an internal email account. This means legacy email security software may be unable to detect Internal Spearphishing attacks.

However, an AI-driven email security solution such as Tessian can scan internal email and will pick up on small inconsistencies in the sender’s email behavior and communication patterns. If a sender is communicating outside of their normal internal networks or writing in an uncharacteristic style, Tessian can flag this unusual behavior and notify the recipient of any suspicious emails. Learn more about how Tessian Defender defends against internal spear phishing.
Technique T1598: Phishing for Information

T1598: Phishing for Information is a MITRE ATT&CK Technique associated with the “Reconnaissance” Tactic (TA0043). While Phishing involves an attempt to penetrate an organization’s defenses, Phishing for Information is a way to gather information about the target for use in an attack. As such, Phishing for Information may occur via email—or via other communications channels, such as instant messaging applications or social media.

Phishing for Information Detection and Mitigations

To detect Phishing for Information, MITRE suggests monitoring for suspicious email activity. Email security software can monitor for signs of a phishing attack, including DKIM misconfiguration, suspicious language, or erratic communication methods. But legacy email security programs can only detect the more obvious indicators of phishing. On the other hand, Tessian is uniquely equipped to identify the subtle but distinctive signs that a sender is not who they say they are.

Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals:

Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses
Anomalous email sending patterns: Based on historical email analysis, Tessian can identify unusual recipients, unusual send times, and emails sent to an unusual number of recipients
Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments
Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too

Leveraging email security for MITRE ATT&CK framework compliance

We’ve seen how email security is a major factor in meeting the MITRE ATT&CK framework requirements.
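The behavioral signals listed above, and the "communicating outside of their normal internal networks" check described under Internal Spearphishing, can be approximated with a per-sender baseline built from past messages. The block below is an added example written for this page, not Tessian's code or algorithm; the log format, thresholds, and sample messages are constructed assumptions.

```python
"""
Per-sender behavioural baseline and anomaly flags over a constructed email log.

Added example for this article (not Tessian's code). It illustrates the
signals the text lists: unusual send times, unusual recipient counts,
recipients or domains the sender has never written to, and a Reply-To
address that does not match the sender. Fields, thresholds and sample
data are assumptions made for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed history: (sender, ISO timestamp, recipients, reply_to).
# Twenty routine messages from one sender during business hours.
HISTORY = [
    ("alice@corp.example",
     f"2021-08-{day:02d}T{hour:02d}:15:00",
     ["bob@corp.example"] if hour % 2
     else ["bob@corp.example", "carol@partner.example"],
     None)
    for day in range(2, 7)          # five working days
    for hour in (9, 11, 14, 16)     # typical sending hours
]


@dataclass
class SenderBaseline:
    hours: Counter = field(default_factory=Counter)       # send hour -> count
    recipients: Counter = field(default_factory=Counter)  # address -> count
    domains: Counter = field(default_factory=Counter)     # recipient domain -> count
    sizes: list = field(default_factory=list)             # recipients per message


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def build_baselines(history):
    """Aggregate each sender's historical behaviour into a SenderBaseline."""
    baselines = defaultdict(SenderBaseline)
    for sender, sent_at, recipients, _reply_to in history:
        b = baselines[sender]
        b.hours[datetime.fromisoformat(sent_at).hour] += 1
        for r in recipients:
            b.recipients[r] += 1
            b.domains[domain_of(r)] += 1
        b.sizes.append(len(recipients))
    return baselines


def score_email(baselines, sender, sent_at, recipients, reply_to=None):
    """Return the list of anomaly flags raised for one message."""
    if sender not in baselines:
        return ["no_baseline"]   # nothing to compare against; route to manual review
    b = baselines[sender]
    flags = []

    # Send time: usual if at least 5% of history falls within one hour of it.
    hour = datetime.fromisoformat(sent_at).hour
    nearby = sum(b.hours[h % 24] for h in (hour - 1, hour, hour + 1))
    if nearby / sum(b.hours.values()) < 0.05:
        flags.append("unusual_send_time")

    # Recipient count: more than double the largest message seen before.
    if len(recipients) > 2 * max(b.sizes):
        flags.append("unusual_recipient_count")

    # Recipients and domains this sender has never written to.
    if any(r not in b.recipients for r in recipients):
        flags.append("unseen_recipient")
    if any(domain_of(r) not in b.domains for r in recipients):
        flags.append("unseen_recipient_domain")

    # Reply-To pointing at a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        flags.append("reply_to_mismatch")
    return flags


BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    # Routine message: expected to raise no flags.
    print(score_email(BASELINES, "alice@corp.example", "2021-08-09T10:05:00",
                      ["bob@corp.example"]))
    # Night-time blast to many external addresses with an external Reply-To.
    print(score_email(BASELINES, "alice@corp.example", "2021-08-09T03:12:00",
                      [f"user{i}@lookalike-partner.example" for i in range(12)],
                      reply_to="alice@lookalike-partner.example"))
```

Each flag is a single weak signal; a production system would weight and combine them rather than alert on any one alone.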
To recap, Tessian can serve as a key Mitigation in respect of the following Techniques and Sub-Techniques:

T1566: Phishing
T1566.001: Spearphishing Attachment
T1566.002: Spearphishing Link
T1566.003: Spearphishing via Service
T1534: Internal Spearphishing
T1598: Phishing for Information

Learn more about how Tessian can transform your organization’s cybersecurity program.
Spear Phishing
What is Whaling? Whaling Email Attacks Explained
Wednesday, August 11th, 2021
Let’s jump straight into it…
Wondering why cybercriminals often target the boss, rather than someone lower down the chain of command? The answer is simple: senior staff members have the greatest power, access, and influence in a company. This article will look at how whaling works, and how it fits into the broader cybercrime landscape. Then we’ll take a look at some real examples of whaling attacks.

How whaling works

First, it’s important to understand that whaling is a type of phishing attack. And, broadly speaking, there are two types of phishing attacks.

Phishing “in bulk” is like using a trawl net. Cast your net wide — by sending as many phishing emails as you can — and you’re likely to catch quite a few unfortunate minnows.

With spear phishing, you aim your spear — or email — at a specific fish (er, person). Targets are carefully chosen, and emails are carefully crafted with the specific target in mind. Be patient, be smart, and you might catch something valuable.

So what about whaling? Well, whaling is a type of spear phishing. Whales — or company executives — are the biggest fish in the sea: they’re hard to catch, but if you manage to harpoon one, you could make a lot of money. Scroll down the page for examples of whaling, and you’ll see what we mean. Okay — whales are mammals, not fish… but you get our point.

A company executive is the ultimate prize for cybercriminals. The boss can access information and resources that no other employee can reach.

Why target company executives?

Ultimately, a CEO or CFO is just as likely to fall victim to a social engineering attack as any other employee. In fact, they’re arguably even more likely to do so. A whaling attack email usually asks the target to make a high-pressure decision. Here’s an example of the type of email a company executive might receive as part of a whaling attack:
If the boss is busy, stressed, or overworked (and hopefully they’re busy, at least), they’re more vulnerable to these types of cyberattacks. Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed. Furthermore, higher-level employees have greater access to money and data: the two things cybercriminals want most.

Whaling vs. other types of cyberattack

How does whaling fit into the cybercrime landscape? There are many types of cybercrime. Some are interrelated; others frequently get conflated. As we mentioned, whaling is a type of spear phishing: a phishing attack targeted at a specific individual — in this case, a company executive. Here are some types of cyberattacks that can involve whaling, if they specifically target a company executive:

Business Email Compromise (BEC): A phishing attack that uses a compromised corporate email address.
Wire transfer phishing: A phishing attack involving invoice fraud.
Credential phishing: A phishing attack aiming to steal login credentials.
Smishing: Phishing via SMS.
Vishing: Phishing via voice (e.g., via phone or VoIP software).

In other words, a whaling attack can also be a wire transfer phishing attack, for example — if the attacker aims to persuade the target to transfer money into a bank account they control.

Whaling sometimes gets conflated with another important type of cybercrime: CEO fraud. Here’s the difference: in a CEO fraud attack, the attacker impersonates a company executive and targets someone less senior. In a whaling attack, the company executive is the target. Of course, there can be some crossover between these two phishing techniques, too — where a cybercriminal impersonates one company executive and targets another. This occurred in 2017, in a scam that resulted in a $17 million loss for commodities trading company Scoular.
Examples of whaling

Here are some examples of businesses that fell victim to whaling attacks, to give you an idea of how damaging this type of cybercrime can be.

Hedge fund co-founder targeted via Zoom

In November 2020, the co-founder of Australian hedge fund Levitas Capital followed a fake Zoom link that installed malware on its network. The attackers attempted to steal $8.7 million using fraudulent invoices. In the event, they only got away with $800,000. But the reputational damage was enough to lose Levitas its biggest client, forcing the hedge fund to close.

Aerospace firm fires CEO after $58 million whaling loss

The CEO of Austrian aerospace company FACC was fired for his part in a whaling attack that cost the company around $58 million in 2016. A statement from the company said the CEO, Walter Stephen, had “severely violated his duties” by allowing the attack to occur.

Small business owner loses $50,000

Whaling doesn’t just mean big companies losing millions of dollars — small businesses are affected, too. In an interview with NPR, “Mark,” the owner of a small real-estate firm, discussed how he fell victim to a targeted account takeover attack. In this sophisticated cyberattack, a hacker interrupted Mark’s email conversation with his partner, seizing the opportunity to divert a bank transfer for $50,000.

How to Prevent Whaling

Now that you understand the dangers of whaling, you might be wondering how you can avoid falling for whaling attacks or – better yet – prevent whaling attacks from landing in your inbox in the first place. Your best bet? In addition to security awareness training, intelligent email security software.

To learn more about how Tessian solves the problem, check out our customer stories or book a demo. Or, if you’d rather learn more about whaling and be the first to hear about the latest attacks, sign up for our newsletter. (Just fill in the short form below.)
Tessian Culture
Tessian Adds New Strategic Investors to Advance Security at the Human Layer
By Tessian
Tuesday, August 10th, 2021
Following our Series C fundraise in May 2021, we are delighted to announce that we have received strategic investment from Okta Ventures, Citi Ventures and Sozo Ventures as part of a Series C extension. With the additional funding, we are accelerating our journey to achieve our mission of mitigating and preventing human risk in the enterprise, and empowering people to do their best work without security getting in the way.

Human error is the leading cause of data breaches in organizations today. This is because cybersecurity software has typically focused on the machine layer of a company and not the people – the gatekeepers to the most sensitive systems and data in an organization. The so-called ‘people problem’ in security has been exacerbated as businesses move to a remote or hybrid way of working, in the wake of the Covid-19 pandemic.

To overcome this, Tessian has pioneered a new approach to cybersecurity and defined a new category of security software called Human Layer Security. Ultimately, we want to help companies replace their secure email gateways and legacy data loss prevention solutions. This means we will expand our platform’s capabilities beyond email, securing other interfaces like messaging, web and collaboration platforms from incidents of human error.
On the investment, Austin Arensberg, Director at Okta Ventures, said, “The biggest threat to enterprise security today is people’s identities and behaviors. With more people working remotely, it’s never been more important for companies to know who their most high risk employees are, the threats they pose to company security, and how to keep them safe – without disrupting their workflow. We saw a huge opportunity with Tessian; by securing the human layer, businesses can stop threats and keep operations running.”

Our CEO and co-founder Tim Sadler also added, “For too long, cybersecurity software has focused on securing technology and neglected the security of the people who run the organization. It just takes one wrong decision, or one instance of human error, for an employee to cause a catastrophic security breach – and businesses are starting to realize that they now must do something to stop this. With backing from best-in-class investors and executives from some of the world’s most innovative security companies, we are truly on our way to fulfilling our mission of securing the human layer and helping businesses overcome one of the biggest threats to enterprise security.”

As with every fundraise, this is just the beginning. It takes a village and we’re only just getting started. If you know anyone looking to take the next step in their career and to join a company solving the biggest problem in enterprise security today, please get in touch: we are hiring! 🚀
Spear Phishing, DLP, Data Exfiltration
Mergers and Acquisitions: Why Email Security Must Be a Priority
Thursday, August 5th, 2021
The buying and selling of companies is big business, but there are a lot of moving parts to manage. One area you don’t want to overlook is email security.

Why? Because email is the primary communication channel for M&A communications, and throughout the event, dozens of stakeholders will send thousands of emails containing personnel information, board documents, private equity, and other top secret merger and acquisition intelligence. If just one email lands in the wrong hands, or if one employee goes rogue, the entire transaction could be disrupted, compliance standards could be violated, and your organization could lose customer trust.

Keep reading to learn why M&A events introduce added risk to organizations, and how to overcome new security challenges.

Why do Mergers and Acquisitions events create more security risks for organizations?

According to Gartner analyst Paul Furtado, there are four key reasons M&A events create more security complexity for organizations:

Mergers and acquisitions (M&A) are driven by potential synergies, which can be gained in cost efficiencies, growth opportunities or market share increases. But these may lead to conflicts among long-held security paradigms by either party.
The disruption of the M&A transaction, along with the post-close technical changes required, can expand the current attack surface significantly.
Following transaction close, at least temporarily, security must be maintained in three separate operating environments: sunset, future-mode, and transition processes.
Potential M&A outcomes and the secrecy surrounding them also lead to employee angst and uncertainty, which may lead to rogue or damaging employee actions or a loss of key employees.

What are the key email security challenges in Mergers and Acquisitions?

In order to understand how to prevent data loss, security leaders first need to understand where they’re most vulnerable.
Both inbound and outbound email security should be a priority, and threat visibility is essential.

1. Increased Risk of Accidental Disclosure of Sensitive Information

During M&A transactions, it’s important that organizations be able to control where sensitive information is being sent and to whom. Often, emails and attachments can be sent to the wrong people, resulting in accidental data loss.

2. Inbound Email Attacks Such as Phishing, Impersonation and Account Takeover

Email is typically the first channel used to deliver initial URLs (an exploit kit or phishing website), attachments carrying payloads, or the starting point for social engineering attacks. This puts sensitive information within organizations at tremendous risk of a data breach. Tessian covers these attacks using three proven and differentiated approaches — threat prevention, education and awareness, and reducing the overall burden on security operations centers.

3. Increased Risk of Data Exfiltration by Internal Stakeholders

M&A transactions significantly increase the number of people exchanging information through email. This increases the attack surface and the risk of more sensitive information being sent outside the organization. Whether it’s an employee sending sensitive M&A data to less secure, personal accounts, or a bad leaver maliciously exfiltrating information, Tessian automatically detects any kind of data exfiltration and non-compliant activity on email.

4. Difficulty in Maintaining Control and Visibility of the Email Environment

With many new stakeholders becoming included during M&A transactions, it can be difficult to obtain visibility into which employees and third parties are exchanging information through email. Organizations need to be able to identify all the people-centric security threats related to their email environment and view them in a single dashboard for easy remediation.
This includes complete insight into accidental data loss, insider threats, advanced phishing attacks, and zero-day threats facing your organization.

How does Tessian help protect information and communications related to Mergers and Acquisitions?

Stop outbound data loss: Tessian Guardian is the industry’s only solution that automatically prevents accidental data loss from misdirected emails and misattached files (sending the wrong attachments over email). Guardian compares millions of data points for every outbound email, detects anomalies that indicate whether the email is being sent to the wrong person or the wrong document is being attached, and alerts the user before the email is sent. Learn more.

Stop data exfiltration: Tessian Enforcer is the industry’s first solution that uses machine learning to automatically prevent data exfiltration via email to employees’ personal, unauthorized and non-business accounts. Powered by Tessian’s proprietary Human Layer Security Engine, Enforcer analyzes millions of data points for every outbound email and detects anomalies that indicate data exfiltration before it leaves your organization. Tessian Enforcer notification messages can be customized to reinforce security awareness and data protection policies through in-the-moment training. Learn more.

Prevent inbound email attacks: Tessian Defender is a comprehensive inbound email security solution that automatically prevents a wide range of attacks that bypass Secure Email Gateways (SEGs), while providing in-the-moment training to drive employees toward secure email behavior. Defender protects against both known and unknown email attacks, including business email compromise, account takeover, spear phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite. Learn more.
Threat visibility: With the Human Layer Risk Hub, SRM leaders will be able to quantify risk levels, pinpoint their high risk user groups, perform targeted remediation at scale, measure impact, and demonstrate progress in lowering risks posed by employees. Learn More.
Key Findings: IBM Cost of a Data Breach 2021 Report
By Maddie Rosenthal
Tuesday, August 3rd, 2021
If you work in cybersecurity, follow breaches in the news, or are involved in managing your company’s finances, you’ve likely been (patiently) waiting for IBM’s latest Cost of a Data Breach report. Alas! The 2021 report was released on July 28 and we’ve summarized the key findings for you here.

Note: In this case, we’re just here to deliver the cold, hard facts, not offer commentary. We have, however, offered additional resources for you to check out if you’re interested in exploring a specific threat type, industry, or solution further.

The overall cost of a breach

Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report.
There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single-year cost increase in the last seven years.
The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million.
Lost business represented 38% of the overall average total breach costs and increased slightly from $1.52 million in the 2020 study. Lost business costs include increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation.

Other resources
⚡ How to Communicate Cybersecurity ROI
⚡ 16 Ways to Prove the Value of Cybersecurity Solutions
⚡ 7 Ways CFOs Can Support Cybersecurity

Remote working and the cost of a breach

Where remote work was a factor in causing the breach, the cost difference was $1.07 million.
Remote work was a factor in breaches at 17.5% of companies.
Organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely.

Other resources
⚡ 7 Concerns IT Leaders Have About Permanent Remote Working
⚡ Report: Have Employees Picked Up Bad Security Behaviors While Working From Home?
⚡ How to Navigate Remote Working Challenges

The cost of a breach by industry

Healthcare has had the highest industry cost of a breach for 11 consecutive years.
Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. Learn how Tessian helps organizations in healthcare prevent breaches.
Costs in the energy sector decreased from $6.39 million in 2020 to an average $4.65 million in 2021.
Costs surged in the public sector, which saw a 78.7% increase in average total cost from $1.08 million to $1.93 million.

Other resources
⚡ State of Data Loss Prevention in the Legal Sector
⚡ State of Data Loss Prevention in Financial Services
⚡ State of Data Loss Prevention in Healthcare

The cost of a breach by threat type

Business email compromise (BEC) was responsible for only 4% of breaches, but had the highest average total cost of the 10 initial attack vectors in the study, at $5.01 million.
The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).
Compromised credentials was the most common initial attack vector, responsible for 20% of breaches.
Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business, and response costs… but did not include the cost of the ransom.

Other resources
⚡ What is Email The #1 Threat Vector?
⚡ 7 Examples of Ransomware Attacks
⚡ How Does Tessian Prevent Inbound Email Attacks?
⚡ How Does Tessian Prevent Insider Threats?

How can cybersecurity solutions help?

Security AI and automation had the biggest positive cost impact. Organizations with fully deployed security AI and automation experienced breach costs of $2.90 million, compared to $6.71 million at organizations without security AI and automation.
Security AI/automation was associated with a faster time to identify and contain the breach.

Want to learn how Tessian leverages AI and ML to detect and prevent inbound and outbound threats legacy solutions can’t? Check out this whitepaper.