Industry: Financial Services
Solutions: Guardian, Enforcer, Defender
As a global active asset manager, Schroders has over 200 years of experience in investment and innovation and remains committed to creating a better future by investing responsibly for their clients.
Across five business areas – including Private Assets & Alternatives, Solutions, Mutual Funds, Institutional and Wealth Management – Schroders invests in a wide range of assets and geographies and is responsible for £574.4 billion (€641.7 billion/$785.1 billion) in client assets, managed locally by 42 investment teams worldwide.
As a global business with over 5,500 talented staff across 35 locations, Schroders is able to stay close to their clients and understand their needs.
Schroders was an early adopter of Tessian, having first deployed the platform back in 2016. Since then, they’ve been using Tessian Guardian, Enforcer, and Defender for both inbound and outbound email security to help prevent accidental data loss, malicious data exfiltration, and inbound threats like spear phishing and Business Email Compromise (BEC).
We talked to Rob Hyde, Chief Information Security Officer, and Mike Vieira, Perimeter and Cloud Security Capability Lead, to find out why Schroders initially chose Tessian, how the solution has evolved over the years, and how their security posture has improved as a result.
1. There is no “silver bullet” when it comes to email security
When we asked security leaders what threat vector they’re most concerned about protecting, nearly half said email. For Rob, this isn’t a surprise.
“All big financial firms recognize that email-based processes are prone to human error. But we can’t take email out of the equation. There’s training, but people of course make mistakes despite being advised not to. So, what can you do? You either stop using email, or you find a product like Tessian that removes some of the risk,” he explained.
As a part of their DLP strategy, Schroders uses Tessian Guardian to prevent employees from sending emails to the wrong person and from attaching the wrong files to emails; they use Tessian Enforcer to prevent employees from sharing sensitive information outside of the company network.
For Rob and Mike, Tessian Enforcer has been invaluable, especially once employees made the switch to remote working in early 2020.
Mike explained, “Tessian Enforcer proved incredibly valuable after we made the shift to remote working. It allowed us to get a bird’s eye view of how employees were handling data and helped us understand what policies we needed to reinforce, what policies we needed to change altogether, and even gave us a better idea of what tools and technology would help our employees do their jobs more efficiently outside of the office.”
Importantly, though, when it comes to locking down email, there is no silver bullet.
Training is necessary. Policies are essential. And rule-based DLP solutions have their place. So, what makes a solution really stand out? Its ability to complement and bolster other solutions, while also filling in the gaps.
Tessian is that solution for Schroders.
“Tessian stops the threats that you just can’t make a rule for. The platform really has evolved along with our own security stack and with the risk environment. It reinforces our training and complements Microsoft DLP.”
2. Rule-based and legacy solutions are admin-intensive with a low ROI
While the static nature of rules has been a pain point for Schroders, it isn’t the only drawback of legacy DLP solutions.
“Traditional DLP has a low return on investment, and it’s expensive to run. It does stop some malicious emails, but it’s very low volume,” Rob explained. Tessian is different, though.
“On the other end of the spectrum, you have Tessian. If you look at Guardian, for example, it’s stopping data loss every day. Now, misdirected emails aren’t malicious activity, but the consequences are no less severe and the ROI is clear and easy to calculate. All we have to do is look at the number of employees who were going to do something – like send an email to the wrong person, move sensitive data outside of the company – but didn’t because of the solution,” he said.
This is an admin's view of Tessian Guardian's dashboard. You can see exactly how many incidents have been prevented over time.
For Rob and Mike, the ROI of Tessian is compounded by the fact that it’s effortless for their team to maintain. Because it’s proactive in preventing data loss and detecting inbound threats, there’s virtually no intervention or investigation required.
“We trust Tessian’s technology to flag when an email is malicious or anomalous, and we trust our employees to interact with the warnings and do the right thing. And, we can actually see that threats are being prevented. We can see it works. But, without any investigation and no noise.”
3. Security solutions should enable employees, not restrict them
As one of the most successful asset management companies in Europe, it’s incredibly important to Rob and Mike that cybersecurity doesn’t come at the cost of reduced productivity or employee disruption.
“It’s a fine line. You want to give employees the freedom and flexibility to do their job. You don’t want to restrict too much, especially on email. But, equally, you have to help them understand their responsibility and the role they play in keeping the company secure,” Rob explained.
Tessian satisfies both needs.
In-the-moment warnings are helpful, not annoying, and because the platform is powered by machine learning, threats are detected with incredible accuracy; flag rates and false positives are much lower than other solutions, with just 1-2 emails flagged per employee, per month.
“Tessian prompts the right behavior without being too restrictive. That’s hugely valuable and is especially important for us because we really do treat our people’s time as a precious commodity.”
Better still, this supports Schroders’ ethos of trust and enables Rob to support the organization. He explained, “We trust our employees. They want to do the right thing. But we have to support them. Tessian helps us do that. The warning messages are well-written and give our users a chance to make better, more informed decisions.”
This is an example of a warning that an employee would see if Tessian Guardian detected that they might be attaching the wrong file to an email.
Learn more about how Tessian prevents human error on email
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships.
Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however you work.
Schroders Case Study