Businesses have found themselves in a world where data is a form of currency. Their biggest successes rely on leveraging and exchanging vast volumes of data such as company IP, customer PII data, payment information, or confidential business intel. In nearly every case, this is sensitive data. While businesses would not thrive without data, they would also not run without their people. People and data working in harmony, enabled by technology, and driven by processes are the key ingredients for what powers a business.  The increasingly interconnected nature of the global business network demands a universally accepted and standardized method of communication. Unsurprisingly, this is email by default, making it the most utilized channel for sending and receiving sensitive data, with nearly 350 billion emails sent daily.  But as Spiderman’s Aunt May said, with great power comes great responsibility. As much as data can serve as a competitive advantage, it can also be the cause of the downfall of a business. The average cost of a data breach in 2022 stands at $4.35 million according to IBM Security’s “The Cost of a Data Breach Report“. Rules don’t work Preventing breaches is paramount, but it’s only possible to truly secure the data by understanding the people. And it isn’t possible to understand people with static, stagnant rules and a one-size-fits, rigid approach because everyone is different. People work in many roles and functions, interacting with varying types of sensitive data in their own way. Subsequently, the rise of remote working and migration to the cloud has allowed people to work “in their own way” more than ever before.   Everyone has a unique behavior on email, from the way different individuals address their recipients to the distinct set of initiatives they are working on and the typical associated stakeholders and data of each of those.   So it follows that today, one of the biggest challenges of protecting data on email is insider risk, whereby an employee accidentally, negligently, or maliciously leaks sensitive data.  Why we’ve published this guide With current DLP solutions, you would have to configure endless rules to account for the countless different email behaviors unique to each employee to address the majority of data loss events arising from insider risks such as misdirected emails, miss-attached files, and data exfiltration.   The issue of insider risk and data loss on email requires a tailored approach to every employee’s unique, risky behaviors on email, driven by a deep understanding of their normal behavior to identify anomalies, mistakes, and malicious actions effectively.  Insider risk can cause real harm to your business. What’s more, many security leaders are unaware how many incidents actually happen, as many are unreported. Tessian has created a guide for addressing the problem of insider risk on email, covering what you need to know about today’s threats and what it takes to solve the problem. Download our guide to find out how. 

Anyone can make a simple mistake. Attach the wrong file, click a bad link, or send an email to the wrong person. Tessian’s own research found that for an organization of around 1000 people, 800 misdirected emails were sent in 12 months. What’s more, employees also receive an average of 14 malicious emails per year, with some industries such as retail receiving an average of 49. Here then, are real life examples of when someone made a simple mistake, as well as the fall out from that. Read more about different types of insider threats, and why inside threat management matters here.

The employee who fell for a phishing attack The Anti-Phishing Working Group’s new Phishing Activity Trends Report reveals that in the third quarter of 2022, they observed 1,270,883 total phishing attacks — the worst quarter for phishing that the APWG has ever observed. While shocking in numbers, these aren’t particularly new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 Megabytes of data were stolen. That might not sound like a lot, but the data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records. The employee who accidentally sent an email to the wrong person Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But, what are the implications? It depends on what data has been exposed. In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included mental health information and surgery information. While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. We outline even more consequences of misdirected emails in this article. The employee who sent company data to a personal email account We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend. But, in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees were exposed, including employee ID data, places of birth, and accounting department codes. The employees who exposed 250 million customer records Here’s an example of a “negligent insider” threat. In December 2019, a researcher from Comparitech noticed that around 250 million Microsoft customer records were exposed on the open web. This vulnerability meant that the personal information of up to 250 million people—including email addresses, IP addresses, and location—was accessible to anyone. This incident represents a potentially serious breach of privacy and data protection law and could have left Microsoft customers open to scams and phishing attacks—all because the relevant employees failed to secure the databases properly. Microsoft reportedly secured the information within 24 hours of being notified about the breach.

The work-from-home employees duped by a vishing scam Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. One cybercrime group conducted one of the most high-profile hacks of 2020 — knocking 4% off Twitter’s share price in the process. In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials.   Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam. This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know — your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes. The employee offered a bribe by a Russian national In September 2020, a Nevada court charged Russian national Egor Igorevich Kriuchkov with conspiracy to intentionally cause damage to a protected computer. The court alleges that Kruichkov attempted to recruit an employee of Tesla’s Nevada Gigafactory. Kriochkov and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The Kruichkov conspiracy was disrupted before any damage could be done. But it wasn’t the first time Tesla had faced an insider threat. In June 2018, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.” With state-sponsored cybercrime syndicates wreaking havoc worldwide, we could soon see further attempts to infiltrate companies. That’s why it’s crucial to run background checks on new hires and ensure an adequate level of internal security. The employee who accidentally misconfigured access privileges NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS. These documents – marked “SENSITIVE” and “OFFICIAL” contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic. Read more on how Tessian stops misdirected emails here, or download the data sheet with more information.

Revenge, or sometimes, just plain old greed, can lead former or current employees to harm your organization by exfiltrating data, customer information, or sensitive intellectual property. Here are real world examples of people who have done just that, as well as what happened to them. Read more about different types of insider threats, and why inside threat management matters here. The employee who deleted data after being fired Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And 2022’s tech layoffs have added 121,000 tech workers to that list. Unsurprisingly this has caused widespread distress, it’s also led to an increase in malicious insider threats, particularly when you combine this distress with the reduced visibility of IT and security teams. One such case involves a former employee of a medical device packaging company who was let go in early March 2020. After he was given his final paycheck, Christopher Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records. This caused significant delays in the delivery of medical equipment to healthcare providers.

The employee who sold company data for financial gain An older one this, but it checks out. In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web. The breach affected 547,000 customers and in 2018 after an investigation by the ICO, Bupa was fined £175,000. The employee who stole trade secrets In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets. The employee, Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE’s systems over eight years — intending to leverage his professional advantage to start a rival company. The FBI investigation into Delia’s scam revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially-sensitive calculations to a co-conspirator. Having pleaded guilty to the charges, Delia was sentenced to 24 months in jail. What can we learn from this extraordinary inside job? Delia hacked the human to gain access controls, which is why ensuring you have robust email threat protection is vital.

The ex-employee who got two years for sabotaging data The case of San Jose resident Sudhish Kasaba Ramesh serves as a reminder that it’s not just your current employees that pose a potential internal threat—but your ex-employees, too. Ramesh received two years imprisonment in December 2020 after a court found that he had accessed Cisco’s systems without authorization, deploying malware that deleted over 16,000 user accounts and caused $2.4 million in damage. The incident emphasizes the importance of properly restricting access controls—and locking employees out of your systems as soon as they leave your organization.   The employees leaking customer data  Toward the end of October 2020, an unknown number of Amazon customers received an email stating that their email address had been “disclosed by an Amazon employee to a third-party.” Amazon said that the “employee” had been fired — but the story changed slightly later on, according to a statement shared by Motherboard which referred to multiple “individuals” and “bad actors”. So how many customers were affected? What motivated the leakers? We still don’t know. But this isn’t the first time that the tech giant’s own employees have leaked customer data. Amazon sent out a near-identical batch of emails in January 2020 and November 2018. If you want to prevent a data breach, insider threats management of email is critical.

The ex-employee who offered 100 GB of company data for $4,000 Police in Ukraine reported in 2018 that a man had attempted to sell 100 GB of customer data to his ex-employer’s competitors—for the bargain price of $4,000. The man allegedly used his insider knowledge of the company’s security vulnerabilities to gain unauthorized access to the data. This scenario presents another challenge to consider when preventing insider threats—you can revoke ex-employees’ access privileges, but they might still be able to leverage their knowledge of your systems’ vulnerabilities and weak points. The security officer who was fined $316,000 for stealing data (and more!) In 2017, a California court found ex-security officer Yovan Garcia guilty of hacking his ex-employer’s systems to steal its data, destroy its servers, deface its website, and copy its proprietary software to set up a rival company. The cybercrime spree was reportedly sparked after Garcia was fired for manipulating his timesheet. Garcia received a fine of over $316,000 for his various offenses. The sheer amount of damage caused by this one disgruntled employee is pretty shocking. Garcia stole employee files, client data, and confidential business information; destroyed backups; and even uploaded embarrassing photos of his one-time boss to the company website. Read more on who Tessian stops insider threats by email, or download the data sheet for more information.

Healthcare organizations handle some of our most sensitive and personal data, which makes them highly vulnerable to cyber attacks. Here’s how to prevent them. Electronic protected health information (ePHI) breaches over email occur when sensitive patient information is transmitted or stored through unsecured email communication. The cause of this type of breach can be unauthorized access, hacking, human error, and technological malfunction.  Healthcare organizations are complex with employees and contractor stakeholders across medical records teams, practitioners in clinic settings, non-technical employees, medical officers, and patients themselves accessing data. This diverse set of users and use cases makes managing ePHI and understanding when a breach has occurred that much more challenging. In the US, the Health Insurance Portability and Accountability Act’s Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities and their business associates to provide notification of a breach that involves unsecured protected health information. For breaches that affect over 500 individuals, organizations must notify the Department of Health & Human Services (HHS) and prominent media outlets within their state within 60 days following a breach. Additionally, many states including California, Michigan, Florida, and Arizona have similar or more stringent reporting requirements.

Impact of ePHI Breaches Breaches not only cause reputational damage, but the HHS’ Office for Civil Rights (OCR) imposes fines based on the severity of a breach and an organization’s compliance with recommended security controls. For example in 2022, Oklahoma State University Center for Health Sciences was fined $875,000 for a breach affecting 279k records. To help reduce these large fines and to drive the right security controls, the recent amendment to the HITECH Act in 2021 incentivizes HIPAA-regulated organizations to adopt “recognized security practices” to better protect patient data.  There are 18 HIPAA Identifiers considered ePHI. These identifier elements include: Name, Address, Dates related to an individual (e.g., DOB, discharge date), telephone number, email address, social security number, medical record numbers, health plan beneficiary numbers, account numbers, IP addresses or web URLs, biometrics, and photographs. 

A common breach scenario is when an employee or contractor sends an email with ePHI to the wrong recipient. This can occur when an incorrect email address is entered, autocorrect selects a different email, a recipient forwards an email to another person, or the recipient’s email account is compromised. Privacy and GRC leaders in healthcare struggle with user error and user accidents with ePHI as it is a top cause of data breaches.   Let’s look at the numbers. The HIPAA Journal Breach report has been documenting breaches for the last 23 years. To date, there have been 5,150 data breaches reported between October 21, 2009, and December 31, 2022. What’s more, 882 of these breachers are still under investigation

The HHS’ Office for Civil Rights reports show a sharp increase in business associate reported breaches. These are the business partners and counterparties to healthcare providers who access ePHI. Many larger healthcare organizations now require security audits and data protection reviews for their business counterparties to mitigate this risk. Why? Because In 2022, nearly 90% of healthcare breaches involved third party vendors. In one example, a large health plan provider recently mandated stricter email data loss controls with one of their business partners (and subsequent acquisition) to ensure the ePHI shared between the parties was closely monitored and accidental sharing was eliminated.

Preventing ePHI Data Loss Over Email There are few solutions that can effectively prevent cases of ePHI data loss via email without implementing complex and time-consuming policies and rulesets. Tessian is used today at many large healthcare organizations to protect ePHI data loss over email by:  Ensuring confidentiality that ePHI data being is being sent to the correct, authorized recipient via email (preventing misdirected emails)  Preventing impermissible disclosure of sensitive or unauthorized data from leaving the org (i.e. data exfiltration)  Enforcing proper classification and compliance of emails being sent out (data labeling, keyword matching, etc.) Tessian protects ePHI data over email in 3 main ways:   Historical analysis of email activity, behavioral context, and natural language processing to create a Behavioral Intelligence Model for each employee  Understanding the working relationships between individuals and their external contacts to detect anomalous activity  Classifying email content and warning users with in-the-moment training or automatic blocking of ePHI data Through historical email analysis of an organization’s email activity as well as constant email monitoring and threat intelligence, Tessian applies advanced machine learning techniques such as content analysis (URLs/Attachments), Behavioral Context, Natural Language Processing, Linguistic Styles (sense of urgency), Intent Analysis (payment request/fake invoice) to form a customer-specific Behavioral Intelligence Model that detects and filters unintentional and malicious data loss events on email. By forming an understanding of the expected working relationships between individuals and baselining normal end-user behavior on email,  Tessian can detect anomalous activity such as misdirected emails as well as identify end-users who have the riskiest behaviors. Often ePHI breaches result in data being accidentally shared with the wrong party which often results in a reportable event. Tessian’s ML Algorithm identifies the level of sensitivity of email content (e.g., containing social security numbers) while warning users with in-the-moment training or blocking exfiltration attempts where required.  Within the Tessian portal, administrators can automatically detect data leaving the organization that contains ePHI. Admins can choose to just monitor, warn, or automatically block emails that contain sensitive data. These controls are automatic and do not require building extensive policies using regex or other lists

With Tessian’s reporting capability a security team can provide a clear summary of potential breach events to share with the Data Protection or Compliance Officer for further investigation. Using the unique anomaly detection reporting, analysts can see these reports in seconds as opposed to the content search in Microsoft or other platforms that can take hours.

Within the Risk Hub, Tessian automatically identifies the personal email addresses associated with all employees in an organization. This is useful in determining the risk level of a potential breach. HIPAA allows an organization to conduct a risk assessment to “demonstrate a low probability that the protected health information has been compromised by the impermissible use or disclosure.” see this link for details. For example, if an employee emails ePHI to their personal email account for printing at home or to conduct work from a home device, an organization can (a) identify that this was a personal email address for an employee and (b) require the employee to delete this data from the personal device. This example is a risk mitigation practice used by a current Tessian healthcare customer.

Here’s how Tessian can automatically detect and monitor of data sent to personal email addresses

Want to find out more about how Tessian can help protect your organization? Find out more here

 As our recent research revealed, 71% of security leaders told us that resignations increase security risks for their organization, and 45% said incidents of data exfiltration increased in 2022, as people took data when they left their jobs. As we head into 2023, the current economic climate coupled with restructuring in most sectors can only add to these concerns. There’s also the security strain felt by everyone who remains the organization as they try to backfill roles and do their jobs under what might be sometimes difficult circumstances. Other challenges include users being more remote, security teams having too many incidents to investigate, and in the colder months – plain old flu. Misdirected #email today (fortunately not at all sensitive – phew) driven by flu-brain 🤒 served as a near miss to remind me why the #security work being done by the team at @Tessian is so important — Sabrina Castiglione (@Castiglione_S) January 9, 2023

Tessian can help remedy insider risks such as these, both malicious exfiltration and accidental data loss, in several ways. Let’s deal with the malicious ones first. As an integrated cloud email security solution, Tessian comes with a variety of policies straight out of the box. Or you can design your own custom policies based on specific actions, teams or data points. 

For example, you might want a policy to flag for severe data exfiltration from staff who you know are leaving. Not only that, you can decide what action to take and simply track exfiltration attempts, warn the user or require justification from their manager before releasing the email. Different teams might have different levels of controls; teams that handle highly sensitive information like sales data or company code or IP, might have more sensitive controls than say marketing. 

How to stop accidental data loss Then of course there’s accidental data loss. Despite training, turning off auto-complete, and Accidental data loss remains a problem for organizations. According to our  Psychology of Human Error report  two in five respondents (40%) have sent work emails to the wrong person. This isn’t just embarrassing, it can result in a loss of business. The same report found that nearly a third (29%) of businesses have lost a client or customer as a result of email recipient errors. Tessian can stop these misdirected emails too, providing in the moment alerts to warn users that something’s not quite right. At Tessian, we’ve built a comprehensive and intelligent cloud email security platform that deploys in seconds via a single API. Using deep content inspection and your historical email data. Tessian forms a behavioral intelligence model that understands how your people use email. We know who they contact, what they send and receive, and what projects they’re working on. Simply put, we know when an incident occurs because we understand how your people usually behave.

Fact: email is responsible for up to 90% of breaches, consequently email security is at the core of keeping your organization and its data safe and secure. As cyber risk continues to increase, having robust email threat prevention in place can mean the difference of preventing threat actors from gaining a foothold and establishing initial access. It can also provide critical visibility and control over data within the organization, significantly reducing insider risk. Why email security deserves greater attention It might seem like a basic question, but when you drill into what email security is and what it entails, it is fundamentally about data security. With the typical organization sending and receiving hundreds and thousands of emails on a monthly basis, explains why email is regarded as the lifeblood of organizations.  From a security standpoint, given the critical data transportation role played by email, helps explain why email security is increasingly being regarded as one of the cornerstones of data security.  Another security consideration is the open architecture character of email – making email an accessible attack vector. Anyone can send an email to any individual or organization making the threat vector extremely attractive to exploit. Want to email the CEO of a company? Their name is probably in the public domain and so their email is likely to be firstname.lastname@companyname.com  or some combination thereof.

Email cyber risks are increasing  The open nature of email explains why threat actors are continuously at work in developing email-based social engineering campaigns. These campaigns are developed by using open-source information sources such as social media accounts, company PR statements and news mentions.  Recent research also points to threat actors mining dark web data dumps obtained from previous breaches for personally identifiable information (PII) to be used in impersonation campaigns.  Another attack vector that is gaining prominence is credential related compromises. A credential compromise that leads to an account takeover (ATO) of a vendor in the supply chain or even an internal email account is particularly challenging to detect.  Threat actors typically leverage ATO for purposes of carrying out second stage attacks that can include email requests for invoices to be paid (invoice fraud), or delivering a malicious payload via email. Insider threats within organizations present another threat vector on email. In fact, until the recent roll-out of behavioral-based data loss prevention (DLP), being able to detect and prevent data loss on email was near impossible. The challenge with data loss on email is that it can occur in a multitude of seemingly innocuous ways, for example, an employee attaching the incorrect file and sending this out via email, or sending the email to the unintended recipient. More malicious acts of insider threat could include a disgruntled employee that exfiltrates sensitive company data via email, or a threat actor that has gained access via an impersonation or ATO attack.

Rule-based solutions no longer provide adequate protection Threat actors can bypass rule-based email security controls like Secure Email Gateways (SEGs) that rely on a threat detection engine of already documented indicators of compromise. This results in effectively chancing your email security on threat detection approach of established indicators of compromise – with no protective capability against zero day attacks. We know that threat actors don’t work this way.  Threat actors are continuously refining their attack campaigns. The result is that attack social engineering campaigns are becoming ever-more sophisticated and are increasingly able to bypass rule-based detection systems.  Some of the tried and tested methods for compromise include creating spoofed domains, leveraging compromised accounts, as well as procuring a wide-array of exploit kits on the dark web.  Phishing-as-a-Service (PhaaS) is now sold alongside Ransomware-as-a-Service (RaaS) on the dark web. The commercialization of these exploit kits and threat actors services are removing the barriers to entry for carrying out attacks.  On the PhaaS front, the most recent offering is the so-called Caffeine PhaaS exploit kit that enables anyone to procure the kit and launch phishing attacks against targets. The service offering includes pre-built phishing templates, available in multiple languages. 

The time for advanced email protection is now  No organization can afford to neglect increasing email security risk. Only by leveraging behavioral based cybersecurity solutions will advanced email attacks be detected and prevented. This includes insider threats that leads to data loss.  Tessian’s Intelligent Cloud Email Security Platform has behavioral intelligence at its core – using Natural Language Processing (NLP) and Natural Language Understanding (NLU) – to detect advanced external and internal threats, as they manifest and in real-time. This includes threats that have been able to circumvent rule-based security controls such as SEGs.

October is Cyber Awareness Month, and this year’s theme is “Do your part. #BeCyberSmart.”   Fun fact: Cyber Awareness Month started back in 2004, the same year a former AOL software engineer stole 92 million screen names and email addresses and sold them to spammers. Sadly, that’s peanuts compared to more recent breaches. Incidents involving insider threats are at an all-time high, phishing incidents are doubling and even tripling in frequency year-on-year, and the cost of a breach is now over $4 million. This is all to say that cybersecurity is more important than ever. And at Tessian, we live by the motto that cybersecurity is a team sport. So, to help you educate and empower your employees, we’ve put together a toolkit with over a dozen resources, including:

You can download them all for free, no email address or other information required. But, that’s far from the only content we have to share… CEO’s Guide to Data Protection and Compliance By 2024, CEOs will be personally responsible for data breaches. So it’s essential they (and other execs) understand the importance of privacy, data protection and cybersecurity best practices. To help you out, we’ve published an eBook which breaks down: How different regulations have changed how businesses operate How cybersecurity and compliance can be leveraged as a business enabler The financial and operational costs of data breaches OOO Templates OOO emails can contain everything a hacker needs to know to craft a targeted spear phishing attack… Where you are How long you’ll be gone Who to get in touch with while you’re away Your personal phone number Use these templates as a guide to make sure you don’t give too much away👇🏼

Human Layer Security Knowledge Hub Cyber Awareness Month is all about raising awareness and sharing best practices, and we know the #1 source of trusted information and advice for CISOs are…other CISOs…. That’s why we’ve created a hub filled with dozens of fireside chats and panel discussions about enterprise security, spear phishing, data loss prevention, leadership, and the human element. Sign-up for free and hear from some of the biggest names in the industry. You Sent an Email to the Wrong Person. Now What? Did you know at least 800 emails are sent to the wrong person in organizations with 1,000 employees every year. While it’s easy to shrug something like this off as a simple mistake, the consequences can be far-reaching and long-term. Learn more, including how to prevent mistakes like this. 6 Best Cybersecurity Podcasts While we’re partial to our own podcast – RE: Human Layer Security – we’ve learned from the best in the business. To get our fix of cybersecurity breaking news, threat intel, and inspiring interviews, we regularly tune into these podcasts: The CyberWire Daily The Many Hats Club WIRED Security Get the full breakdown here. How to Get Buy-In For Security Solutions As a security or IT leader, researching and vetting security solutions is step one. Step two involves convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost. This is easier said than done… So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips. Ultimate Guide to Staying Secure While Working Remotely While most of us have been working remotely or in a hybrid environment for well over a year, we know that more than half of IT leaders believe employees have picked up bad cybersecurity behaviors since working remotely. This eBook offers plenty of helpful reminders, including: The risk involved in sending work emails “home” Why using public Wi-Fi and/or your personal device as a hotspot aren’t good ideas Best practice around using cloud storage to share documents How to physically protect your devices Top tips for businesses setting up remote-working policies What Does a Spear Phishing Email Look Like? We know you’re working hard to train employees to spot advanced impersonation attacks…but every email looks different. A hacker could be impersonating your CEO or a client. They could be asking for a wire transfer or a spreadsheet. And malware can be distributed via a link or an attachment. But it’s not all bad news. While – yes – each email is different, there are four commonalities in virtually all spear phishing emails. Download the infographic now to help your employees spot the phish. The Risks of Sending Data to Your Personal Email Accounts  Whether it’s done to work from home (or outside of the office), to print something, or to get a second opinion from a friend or partner, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless…it’s not. In this article, we explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem. Looking for more helpful content? Sign-up to our weekly newsletter, or follow us on LinkedIn and Twitter (or do all three!).

Between 2018 and 2020, there was a 47% increase in the frequency of incidents involving Insider Threats. This includes malicious data exfiltration and accidental data loss. The latest research, from the Verizon 2021 Data Breach Investigations Report, suggests that Insiders are responsible for around 22% of security incidents. Why does this matter? Because these incidents cost organizations millions, are leading to breaches that expose sensitive customer, client, and company data, and are notoriously hard to prevent. In this article, we’ll explore: How often these incident are happening What motivates Insider Threats to act The financial  impact Insider Threats have on larger organizations The effectiveness of different preventive measures   If you know what an Insider Threat is, click here to jump down the page. If not, you can check out some of these articles for a bit more background. What is an Insider Threat? Insider Threat Definition, Examples, and Solutions Insider Threat Indicators: 11 Ways to Recognize an Insider Threat Insider Threats: Types and Real-World Examples

How frequently are Insider Threat incidents happening? As we’ve said, incidents involving Insider Threats have increased by 47% between 2018 and 2020. A 2021 report from Cybersecurity Insiders also suggests that 57% of organizations feel insider incidents have become more frequent over the past 12 months. But the frequency of incidents varies industry by industry. The Verizon 2021 Breach Investigations Report offers a comprehensive overview of different incidents in different industries, with a focus on patterns, actions, and assets. Verizon found that: The Healthcare and Finance industries experience the most incidents involving employees misusing their access privileges The Healthcare and Finance industries also suffer the most from lost or stolen assets The Finance and Public Administration sectors experience the most “miscellaneous errors” (including misdirected emails)—with Healthcare in a close third place !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

There are also several different types of Insider Threats and the “who and why” behind these incidents can vary. According to one study: Negligent Insiders are the most common and account for 62% of all incidents. Negligent Insiders who have their credentials stolen account for 25% of all incidents Malicious Insiders are responsible for 14% of all incidents. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Looking at Tessian’s own platform data, Negligent Insiders may be responsible for even more incidents than most expected. On average, 800 emails are sent to the wrong person every year in companies with 1,000 employees. This is 1.6x more than IT leaders estimate. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Malicious Insiders are likely responsible for more incidents than expected, too. Between March and July 2020, 43% of security incidents reported were caused by malicious insiders. We should expect this number to increase. Around 98% of organizations say they feel some degree of vulnerability to Insider Threats. Over three-quarters of IT leaders (78%) think their organization is at greater risk of Insider Threats if their company adopts a permanent hybrid working structure. Which, by the way, the majority of employees would prefer.   What motivates Insider Threats to act? When it comes to the “why”, Insiders – specifically Malicious Insiders – are often motivated by money, a competitive edge, or revenge. But, according to one report, there is a range of reasons malicious Insiders act. Some just do it for fun. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, we don’t always know exactly “why”. For example, Tessian’s own survey data shows that 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed.  While we may be able to infer that they’re taking spreadsheets, contracts, or other documents to impress a future or potential employer, we can’t know for certain. Note: Incidents like this happen the most frequently in competitive industries like Financial Services and Business, Consulting, & Management. This supports our theory. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); How much do incidents involving Insider Threats cost? The cost of Insider Threat incidents varies based on the type of incident, with incidents involving stolen credentials causing the most financial damage. But, across the board, the cost has been steadily rising. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Likewise, there are regional differences in the cost of Insider Threats, with incidents in North America costing the most and almost twice as much as those in Asia-Pacific. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, overall, the average global cost has increased 31% over the last 2 years, from $8.76 million in 2018 to $11.45 in 2020 and the largest chunk goes towards containment, remediation, incident response, and investigation. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); But, what about prevention?   How effective are preventative measures? As the frequency of Insider Threat incidents continues to increase, so does investment in cybersecurity. But, what solutions are available and which solutions do security, IT, and compliance leaders trust to detect and prevent data loss within their organizations? A 2021 report from Cybersecurity Insiders suggests that a shortfall in security monitoring might be contributing to the prevalence of Insider Threat incidents. Asked whether they monitor user behavior to detect anomalous activity: Just 28% of firms responded that they used automation to monitor user behavior 14% of firms don’t monitor user behavior at all 28% of firms said they only monitor access logs 17% of firms only monitor specific user activity under specific circumstances 10% of firms only monitor user behavior after an incident has occurred And, according to Tessian’s research report, The State of Data Loss Prevention, most rely on security awareness training, followed by following company policies/procedures, and machine learning/intelligent automation. But, incidents actually happen more frequently in organizations that offer training the most often and, while the majority of employees say they understand company policies and procedures, comprehension doesn’t help prevent malicious behavior. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");   That’s why many organizations rely on rule-based solutions. But, those often fall short. Not only are they admin-intensive for security teams, but they’re blunt instruments and often prevent employees from doing their jobs while also failing to prevent data loss from Insiders. So, how can you detect incidents involving Insiders in order to prevent data loss and eliminate the cost of remediation? Machine learning. How does Tessian detect and prevent Insider Threats? Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats. Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. It understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity. Tessian Enforcer detects and prevents data exfiltration attempts Tessian Guardian detects and prevents misdirected emails Tessian Defender detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. Oh, and it works silently in the background, meaning employees can do their jobs without security getting in the way. Interested in learning more about how Tessian can help prevent Insider Threats in your organization? You can read some of our customer stories here or book a demo.

Insider threat management is something every security leader should have a plan for. Why? Verizon’s 2022 Data Breaches Investigations Report found that 82% of data breaches involved a human element, either exposing or exfiltrating data directly, or by a mistake that enabled cyber criminals to access the organization’s systems.  Digital insider threats can be incredibly disruptive, and see your data, IP or other sensitive company information leave your organization with just a few clicks. That can be either maliciously exfiltrating information for some sort of financial or gain, or just simple carelessness and neglectfully sending something to the wrong person.

Different types of insider risks Malicious Insider risks: According to the Ponemon Institute’s Cost of Insider Threats Report, malicious insider risks account for 13.8% of insider threats in 2020. Malicious threats usually attempt to exfiltrate critical company data, such as customer records, sales information, intellectual property, or financial records. The type of data stolen, often depends on the individual’s circumstances. If they’re leaving for a rival firm, they might take sales information or internal pricing intel to sweeten their arrival at the new role. Sometimes the gain is monetary, selling company intel to third parties or even nation states. And finally, there’s good old fashioned vengeance – disgruntled employees who’ve been let go from a company but still have access to systems can sometimes resort to sabotages. See real examples of malicious insider risks here, as well as how to stop them.

Negligent insider risks: The Ponemon report cited above found negligent Insiders are the most common types of threat, and account for 62% of all incidents. After all, not everyone has malicious intent, but everyone is capable of making a mistake on email. While both types of insider risks are dangerous, Malicious insider threats can sometimes be much harder to detect, as employees try and cover their tracks. So how common are misdirected emails? Tessian’s own research reveals that, on average, 800 emails are sent to the wrong person every year in companies with around 1,000 employees. This is 1.6x more than IT leaders estimate.

There’s also a blend of the two, where someone knowingly sends information out of the company, but misguidedly believes they’re allowed to do so, for example, wanting to work on something over the weekend. While not malicious in the traditional sense, it’s still probably a breach of company policy.  What makes responding to any insider risks difficult is that they’re often hard to detect. And while you might have locked down laptops, USB ports and filing cabinets, there’s always email. Email is the primary way nearly every company communicates with its customers, supplies, and partners. The average worker receives over 100 emails a day, and sends around 40.  Stopping insider threats by email is made harder as employees often have legitimate access to systems and data, as well as the means to exfiltrate it, via email. Indeed, for some teams like finance, moving data in and out of the organization via email is a large part of their actual job. Stop that and you stop the business from functioning.  It’s important to understand insider threat types, and by exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to detect and prevent insider threats and prevent a data breach. Why insider threat management matters What’s noteworthy about any insider threat is the human aspect. People make mistakes, either knowingly or accidentally, but with intelligent cloud email security that understands human behavior, identifies and surfaces unusual patterns, and increases visibility for security teams, organizations can begin to tackle insider threats head on, save time and stop  insider threats turning from simple mistakes or malicious intent into full blown incidents. 

Data is valuable currency. Don’t believe us? Data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web.   This data could include anything from email addresses to financial projections, and the consequences of this data being leaked can be far-reaching. Data can be leaked in a number of ways, but when it’s stolen, we call it data exfiltration. You may also hear it referred to as data theft, data exportation, data extrusion, and data exfil.

  This article will explore what data exfiltration is, how it works, and how you can avoid the fines, losses, and reputational damage that can result from it.   Types of data exfiltration   Data exfiltration can involve the theft of many types of information, including:   Usernames, passwords, and other credentials Confidential company data, such as intellectual property or business strategy documents Personal data about your customers, clients, or employees b Keys used to decrypt encrypted information Financial data, such as credit card numbers or bank account details Software or proprietary algorithms   To understand how data exfiltration works, let’s consider a few different ways it can be exfiltrated.  Email    According to IT leaders, email is the number one threat vector. It makes sense.    Over 124 billion business emails are sent and received every day and employees spend 40% of their time on email, sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data with people both in and outside of their organization.    Needless to say, it’s a treasure trove of information, which is why it’s so often used in data exfiltration attempts. But how?   Insider threats can email data to their own, personal accounts or third-parties External bad actors targeting employees with phishing, spear phishing, or ransomware attacks. Note:96% of phishing attacks start via email.   Remote access   Gaining remote access to a server, device, or cloud storage platform is another data exfiltration technique.   An attacker can gain remote access to a company’s data assets via several methods, including: Hacking to exploit access vulnerabilities Using a “brute force” attack to determine the password Installing malware, whether via phishing or another method Using stolen credentials, whether obtained via a phishing attack or purchased on the dark web   According to 2020 Verizon data, over 80% of “hacking” data exfiltration incidents involve brute force techniques or compromised user credentials. That’s why keeping passwords strong and safe is essential.   Remote data exfiltration might occur without a company ever noticing. Consider the now infamous 2020 SolarWinds hack: the attackers installed malware on thousands of organizations’ devices, which silently exfiltrated data for months before being detected.   Physical access    As well as using remote-access techniques, such as phishing and malware, attackers can simply upload sensitive data onto a laptop, USB drive, or another portable storage device, and walk it out of a company’s premises..   Physically stealing data from a business requires physical access to a server or device. That’s why this method of exfiltration is commonly associated with current or former employees.   And it happens more frequently than you might think. One report shows that:   15% of all insiders exfiltrate data via USBs and 8% of external bad actors do the same 11% of all insiders exfiltrate data via laptops/tablets and 13% of external bad actors do the same   Here’s an example: in 2020, a Russian national tried to persuade a Tesla employee to use a USB drive to exfiltrate insider data from the company’s Nevada premises.  

How common is data exfiltration?   So how significant a problem is data exfiltration, and why should your company take steps to prevent it? It’s hard to say how often data is successful exfiltrated from a company’s equipment or network. But we know that the cybercrime methods used to carry out data exfiltration are certainly on the increase.   For example, phishing was the leading cause of complaints to the FBI’s Internet Crime Complaint Centre (IC3) in 2020. The FBI’s data suggests that phishing incidents more than doubled compared to the previous year. The FBI also reported that the number of recorded personal data breaches increased from around 38,000 to over 45,000 in 2020.   Verizon’s 2020 data suggests that companies with more than 1000 employees were more likely to experience data exfiltration attempts—but that attacks against smaller companies were much more likely to succeed.   Verizon also noted that “the time required to exfiltrate data has been getting smaller,” but “the time required for an organization to notice that they have been breached is not keeping pace.” In other words, cybercriminals are getting quicker and harder to detect.   Consequences of data exfiltration   We’ve seen how data exfiltration, and cybercrime more generally, is becoming more common. But even if a company experiences one data exfiltration attack, the consequences can be devastating. There’s a lot at stake when it comes to the data in your company’s control.   Here are some stats from IBM about the cost of a data breach:   The average data breach costs $3.6 million The cost is highest for U.S. companies, at $8.6 million Healthcare is the hardest-hit sector, with companies facing an average loss of $7.1 million   What are the causes of these phenomenal costs? Here are three factors:   Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is an expensive business—not to mention the thousands of hours that can be lost trying to determine the cause of a breach. Lawsuits: Many companies face enormous lawsuits for losing customer data. Trends suggest a continuing increase in data-breach class action cases through 2021. Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.

How to prevent data exfiltration Understanding the form, causes, and consequences of data exfiltration is important. But what’s the best way to prevent data exfiltration? 🎓 Staff training Business leaders know the importance of helping their employees understand information security.  Staff training can help your staff spot some of the less sophisticated phishing attacks and learn the protocol for reporting a data breach. However, while staff training is important, it’s not sufficient to prevent data exfiltration. Remember these words from the U.K.’s National Cyber Security Centre (NCSC): “No training package (of any type) can teach users to spot every phish. Spotting phishing emails is hard.” 🚫 Blocking or denylisting To prevent data exfiltration attempts, some organizations block or denylist certain domains or activities. This approach involves blocking certain email providers (like Gmail), domains, or software (like DropBox) that are associated with cyberattacks. However, this blunt approach impedes employee productivity. Denylisting fails to account for the dynamic nature of modern work, where employees need to work with many different stakeholders via a broad variety of mediums. 💬 Labeling and tagging sensitive data Another data loss prevention (DLP) strategy is to label and tag sensitive data. When DLP software notices tagged data moving outside of your company’s network, this activity can be flagged or prevented. However, this approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable—employees may label incorrectly or not label sensitive at all. 🔒 Email data loss prevention (DLP) Email is a crucial communication method for almost every business. But, as we’ve seen, it’s also a key way for fraudsters and criminals to gain access to your company’s valuable data. According to Tessian platform data, employees send nearly 400 emails a month. In an organization with 1,000 employees, that’s 400,000 possible data breaches each month. That’s why security-focused organizations seek to lock down this critical vulnerability by investing in email-specific DLP software. ⚡ Want to learn more about email DLP? We cover everything you need to know here: What is Email DLP? Complete Overview of DLP on Email. How does Tessian prevent data exfiltration? Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats.   Our Human Layer Security platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks.  To learn more about how Tessian detects and prevents data exfiltration attempts, check out our customer stories or talk to one of our experts today.

Our latest research into The Great Resignation contains some startling statistics from IT security leaders. 71% told us the Great Resignation has increased security risks in their company. What’s more, 45% say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs. But we also got the employees’ perspective. And it was clear that many staff thought that at least some of the work that they did while at their employer belonged to them. Not only that, it was okay to take that work with them when they moved on from the organization.  In fact one in three (29%) employees surveyed admitted to having taken data with them when they quit. And when you isolate employees in the US, this jumps to two-fifths (40%). So here’s the question ‘does your work belong to you?

Who’s taking data?  We saw noticeable differences in behaviors across typical departments found in most organizations. And the number one team to exfiltrate data? Marketing. A whopping 63% of respondents in this department admitted to taking data when they move on.  After marketing, employees in HR (37%) and IT (37%) had the next highest levels of exfiltration. Incidentally, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal, as these sectors have to comply with strict data regulations on a daily basis. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");  

Why are people taking data on their way out?  According to Infosecurity magazine, 70% of intellectual property (IP) theft occurs within the 90 days before an employee’s resignation announcement.  But why are people taking data when they leave? Here are some of the most common reasons.  Competitive advantage  Maliciously-minded insiders can steal company data to get a competitive edge in their new role. 58% of workers we surveyed told us the information would help them in their new job. Think customer lists, software, project documents, frameworks and methodologies, and ultimately, IP.. This is more common than you might think. For example, a General Electric employee was imprisoned in 2020 for stealing the company’s trade secrets for his own business in China.  A belief they own it Many employees have a mentality that if they worked on that presentation, source code, or project, it’s theirs. In fact 53% of respondents to our survey felt this way, saying that because they worked on the document, and they believed the information belonged to them. Financial gain The right sort of data in the wrong hands can be extremely valuable. Former staff can sell customer’s information on the dark web. There’s a huge market for personal information—research suggests you can steal a person’s identity for around $1,100. 40% of the people we surveyed said they intended to make money from the information.

So who does own your work? But back to our original question. Does your work belong to you? Well, chances are – no. In nearly all sectors and jurisdictions, if you’re fully employed by the company they own the output of your endeavors. The situation might be slightly different if you’re a freelance contractor. In the end it all comes down to the contract.  But there are exceptions. Obviously personal items that belonged to you prior to starting employment remain yours. Secondly, you can leave with items that you have permission to take. There’s also knowledge that you obtained during the role – such as the names of the firm’s five biggest customers. This is why many senior roles in firms have non-compete clauses built into their employment contracts.

What does The Great Resignation mean for security teams?  With 55% of respondents revealing that they’re thinking about leaving their jobs in 2022, and two in five (39%) currently working their notice or actively looking for a new job in the next 6 months, it’s clear IT and security teams are under pressure to keep company data safe during the Great Resignation. But this research shouldn’t be used to berate employees – as an security leader, that’s not your job. Rather it should be used to refresh the dialogue about security culture, and weave it into broader discussion about data loss prevention.  Josh Yavor, Chief Information Security Officer at Tessian comments, “It’s a rather common occurrence for employees in certain roles and teams to take data when they quit their job. While some people do take documents with malicious intent, many don’t even realize that what they are doing is wrong. Organizations have a duty to clearly communicate expectations regarding data ownership, and we need to recognize where there might be a breakdown in communication which has led to a cultural acceptance of employees taking documents when they leave. “The Great Resignation, and the sharp increase in employee turnover, has exposed an opportunity for security and business leaders to consider a more effective way of addressing insider risk. It comes down to building better security cultures, gaining greater visibility into data loss threats, and defining and communicating expectations around data sharing to employees – both company-wide and at departmental level. Being proactive in setting the right policies and expectations is How does Tessian prevent data exfiltration attempts? Prevent unauthorized emails Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email. Learn more Deeply understand your risk Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltrations attempts. Learn more In-the-moment educational warnings Tessian warnings act as in-the-moment training for employees, continuously educating them about treats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time. Learn more

New research from Tessian reveals just how deep The Great Resignation is, and how it’s continuing to increase work for security teams.   The Great Resignation of 2021 continues well into 2022, with record high numbers of people quitting their jobs and seeking opportunities for better positions, better pay, better work/life balance and even exploring a career in a completely new industry.   According to our latest survey of 2,000 employees in UK and US businesses, 55% are considering leaving their current employer this year, with two in five (39%) workers currently working their notice or actively looking for a new job in the next six months.    HR departments are under pressure to retain employees and replace the talent they lost. But they’re not the only team feeling the strain.    Our survey also revealed that 71% of IT decision makers in US and UK organizations told us the Great Resignation has increased security risks in their company. What’s more, 45% of IT leaders say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs.    They’re not wrong. One in three (29%) UK and US employees admitted to having taken data with them when they quit. The figures were much higher in the US, with two fifths of US employees (40%) saying they’d taken data with them when they left their job.

Which employees are taking the data?   We see noticeable differences in behaviors across various departments. Employees in marketing were the most likely to data with them when they leave, with a staggering 63% of respondents in this department admitting to doing so. Employees in HR (37%) and IT (37%) followed.    Interestingly, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal. With employees in these departments having to comply with strict data regulations on a daily basis, the findings suggest that this impacts their data sharing behaviors and the security cultures in these departments. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job.

Why do employees take data with them?  The majority of employees are not taking data for malicious purposes. The most common reason for taking data, cited by 58% of respondents, was because the information would help them in their new job. In addition, 53% believe that because they worked on the document, it belongs to them.    A significant percentage of employees (44%) said they took the information to share with their new employer, while 40% said they intended to make money from the information.

The consequences of doing nothing   With 70% of US employees and 40% of UK employees thinking about leaving their employer this year, the pressure is on to protect the organization from insider risk.    Even if a company experiences one data exfiltration attack, the consequences can be huge. There’s a lot at stake when it comes to the data in your company’s control, particularly when you consider that the average cost of a data breach now stands at $4.24 million.    What are the causes of these phenomenal costs? Here are three factors:   Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is expensive —not to mention the thousands of hours that can be lost trying to determine the cause.  Lawsuits: Many companies face enormous lawsuits for losing customer data.  Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.

What can IT and security leaders do to minimize the risk of data exfiltration during the Great Resignation period?   Taking data when leaving an organization has become one of those culturally-accepted things that people feel they can get away with. Let’s be clear, though, this is not a reason to blame and shame employees for their actions.    Rather this is an opportunity to see how we got to this point, assess where there are gaps in our data protection policies, and determine whether policies and guidelines are being communicated effectively to employees – both company-wide and in specific departments.    By defining and communicating the company’s expectations around data sharing and data handling in the organization, and training employees on safe cybersecurity practices, security leaders can start to build stronger security cultures that reduce insider risk.   As well as greater education and training, IT and security teams also need to ensure they have visibility of the risk across all channels, particularly email. A quarter of IT leaders we surveyed said they do not have visibility into incidents of data exfiltration, and this is an important first step.    The Great Resignation shows no sign of slowing down, and people will continue to move around looking for new opportunities throughout 2022. But this is also an opportunity for IT and security teams to build a more robust data loss prevention strategy, streamline defenses against insider risk, and put a safety net in place to stop the company’s most valuable and sensitive data from falling into the wrong hands.    How does Tessian prevent data exfiltration attempts?   Prevent unauthorized emails  Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email. Learn more   Deeply understand your risk Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltrations attempts.  Learn more   In-the-moment educational warnings Tessian warnings act as in-the-moment training for employees, continuously educating them about treats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time. Learn more