Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
As the virtual curtain falls on our Fall Human Layer Security Summit we’d just like to say a huge thank you to our panel and to you, our 1000+ attendees.
There were some terrific insights, advice, and examples offered in every session. If you missed one, or just want a recap, key learnings from each session are below. To give you a flavor of what to expect, we’ve pulled out some key takeaways.
Take out fact: zero payload attacks are now the new normal
We analyzed 2 million malicious emails that slipped past SEGs in a 12-month period. The results? Bad actors are getting smarter, and crafting more sophisticated attacks than ever before.
That’s why attacks are getting past organizations’ existing defenses. As James McQuiggan, Security Awareness Advocate at KnowBe4, says, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. And what’s working, it seems, are zero payload attacks beginning with a benign email that appears to be from senior staff.
Fellow guest Jason Lang, from TrustedSec, spoke of his frustration with current training in the industry, saying, “users sit there for 30 minutes, hit next, next, next, take the test, and they’re done. So the direct answer for ‘is security awareness training accounting for zero payload attacks?’ is no, it’s not”.
Learn more about what today’s attacks have in common in our most recent research report: Spear Phishing Threat Landscape 2021
Take out fact: AI is poised to be used ‘at scale’ to design spear phishing attacks, and does better than humans
To paraphrase the German journalist, satirist, and pacifist Kurt Tucholsky: “one spear phishing attack: this is a catastrophe. Hundreds of thousands of spear phishing attacks: that is a statistic!”
And, according to Eugene Lim, Glenice Tan, Tan Kee Hock and Timothy Lee from GovTech Singapore, hundreds of thousands of attacks are on the horizon. Although recent reports of AI-generated voice deepfakes make the headlines, the real problem is that as the cost and complexity of AI comes down, it will be used more and more at scale. Furthermore, the team’s research revealed that AI-generated content is more convincing than human-generated content.
As Tessian’s Ed Bishop, our co-founder and CTO, noted in the session, “I can totally see bad actors measuring the click-through rate on their phishing campaigns, and then having the AI learn from what’s worked to feed into the next one”.
Oh, and one final take out… no one’s really regulating this sort of stuff.
Take out fact: It’s always about the people
It can be hard to keep things personal, especially at scale. Yet that’s exactly what Kim Burton, Security Education InfoSec Manager, did when Duo Security was acquired by Cisco. “My favorite thing that I always remind everyone is ‘be kinder than necessary’”. That way, says Kim, you create a safe learning environment where people don’t feel scared, but rather empowered. Kim also gives tips and advice for security teams on how to empathize with colleagues when a breach happens.
Take out fact: don’t rely just on your SEG
In this session, Tessian’s Amelia Dunton caught up with Karl Knowles, Global Head of Cyber for HFW, to hear why you shouldn’t just rely on your SEG to protect your business. Karl details how there’s been a huge rise in impersonation attacks, accounting for more than half of the threats HFW get. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope. Finally, Karl explains how ‘in-the-moment’ alerts help show the user that there’s a problem, and what to do about it.
Take out fact: 61% of security and risk leaders think that employee actions will cause their next data breach
We were delighted to have as a guest speaker Jess Burn, Senior Analyst at Forrester. If you’ve not heard Jess speak before, you’re in for a real treat. Her talk explains in detail a Forrester Consulting study commissioned by Tessian conducted with US and UK security and risk leaders on the types of threats they’re seeing, how they’re fighting them, and how they’ll meet them in the future.
You can get the study here, but the three quick extra take outs are: assess your current capabilities, invest in technology wisely, and put people first when it comes to security.
Take out fact: Legacy DLP is a 💩 sandwich without the bread
Traditional DLP is rule-based – and if there’s one thing humans are really, really good at, it’s breaking rules.
You simply cannot define human nature with rules, says Tessian’s Jessica Marie. As we learned at our Spring Summit, the average human makes 35,000 decisions a day; you can’t write rules for all that possibility.
Legacy DLP means complex and expensive policies, constrained data classification, limited visibility, and a huge number of false positives. Add to this the fact that your employees really hate the experience.
After Jessica’s explainer, Tessian’s Merlin Kafka is joined by Phil Horning, Senior Information Security Analyst at PeaceHealth, and Reema Jethwa, Cyber/Insider Risk Manager at Schroders Personal Wealth. Together they outline future trends for DLP, and where the industry needs to go.
Closing out the Summit, Tim Sadler, CEO and Co-Founder of Tessian, hosted Jerry Perullo, CISO, ICE NYSE, and DJ Goldsworthy, Director, Aflac, to explore a range of topics. They started by offering advice on how to show value to the wider organization, and how security fits in with overall risk appetite.
They then moved on to how security teams have to work cross-functionally with other teams like IT and operations, because, as Tim says, “the biggest security team is the whole company”.
Our 2021 Summit took place just after Cyber Awareness Month, so Tim closed out by asking how far we have come since the first awareness month way back in 2004.
For DJ, the biggest difference between now and then was the sheer pace of change: a lot of risk now lies in configurations and environmental sprawl, meaning an increased attack surface.
For Jerry, meanwhile, it was the professionalization of the criminal side. “We’re now seeing national state caliber tactics, techniques, and procedures, deployed against commodity targets, with high dwell time... just so they can ransomware them,” he said.
So there you have it!
That’s us all done (until next year). We’ll no doubt see you again in 2022. Follow us on LinkedIn and Twitter, and sign up for our weekly blog digest to stay up to date with the latest intel, so you can help secure your Human Layer.