Our research report into security culture reveals a startling disconnect between security leaders’ views and those of employees when it comes to cybersecurity. Our survey of 2,000 employees in the UK and US revealed that just 39% say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, over two-fifths (42%) of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it – a sentiment that should set alarm bells ringing for security leaders.  What’s more, for some staff, this attitude is bleeding into their home life. 20% of employees say they don’t care about cybersecurity at work – over 1 in 10 say they don’t care about it in their personal lives! It’s clear then, that a significant percentage of employees are simply not engaged with the organization’s cybersecurity procedures and how they play their part in keeping their company secure.

Turning to IT and security leaders, virtually all of the 500 leaders we surveyed (99%) agreed that a strong security culture is important in maintaining a strong security posture. And yet despite rating their organization’s security 8 out 10, on average, three-quarters of organizations experienced a security incident in the last 12 months.  There’s clearly a disconnect here between the views of the SOC team, and those in other teams around the business, and one reason for that could be the reliance on traditional training programs. 48% of security leaders say training is one the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. 1 in 5 employees don’t even show up for SAT sessions.  As indicated above, the report also reveals a disconnect when it comes to actually reporting security risks and incidents. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.

Boomers v Gen Z: The Generational Divide  The report also revealed stark generational differences when it comes to cybersecurity culture perceptions. The youngest generation (18- 24 year olds) is almost three times as likely to say they’ve had a negative experience with phishing simulations when compared to the oldest generation (55+). In contrast, older employees are four times more likely to have a clear understanding of their company’s cybersecurity policies compared to their younger colleagues, and are five times more likely to follow those policies.  When it comes to risky cybersecurity practices such as reusing passwords, exfiltrating company data and opening attachments from unknown sources, younger employees are the least likely to see anything wrong with these practices. 

October is Cyber Awareness Month, and this year’s theme is “Do your part. #BeCyberSmart.”   Fun fact: Cyber Awareness Month started back in 2004, the same year a former AOL software engineer stole 92 million screen names and email addresses and sold them to spammers. Sadly, that’s peanuts compared to more recent breaches. Incidents involving insider threats are at an all-time high, phishing incidents are doubling and even tripling in frequency year-on-year, and the cost of a breach is now over $4 million. This is all to say that cybersecurity is more important than ever. And at Tessian, we live by the motto that cybersecurity is a team sport. So, to help you educate and empower your employees, we’ve put together a toolkit with over a dozen resources, including:

You can download them all for free, no email address or other information required. But, that’s far from the only content we have to share… CEO’s Guide to Data Protection and Compliance By 2024, CEOs will be personally responsible for data breaches. So it’s essential they (and other execs) understand the importance of privacy, data protection and cybersecurity best practices. To help you out, we’ve published an eBook which breaks down: How different regulations have changed how businesses operate How cybersecurity and compliance can be leveraged as a business enabler The financial and operational costs of data breaches OOO Templates OOO emails can contain everything a hacker needs to know to craft a targeted spear phishing attack… Where you are How long you’ll be gone Who to get in touch with while you’re away Your personal phone number Use these templates as a guide to make sure you don’t give too much away👇🏼

Human Layer Security Knowledge Hub Cyber Awareness Month is all about raising awareness and sharing best practices, and we know the #1 source of trusted information and advice for CISOs are…other CISOs…. That’s why we’ve created a hub filled with dozens of fireside chats and panel discussions about enterprise security, spear phishing, data loss prevention, leadership, and the human element. Sign-up for free and hear from some of the biggest names in the industry. You Sent an Email to the Wrong Person. Now What? Did you know at least 800 emails are sent to the wrong person in organizations with 1,000 employees every year. While it’s easy to shrug something like this off as a simple mistake, the consequences can be far-reaching and long-term. Learn more, including how to prevent mistakes like this. 6 Best Cybersecurity Podcasts While we’re partial to our own podcast – RE: Human Layer Security – we’ve learned from the best in the business. To get our fix of cybersecurity breaking news, threat intel, and inspiring interviews, we regularly tune into these podcasts: The CyberWire Daily The Many Hats Club WIRED Security Get the full breakdown here. How to Get Buy-In For Security Solutions As a security or IT leader, researching and vetting security solutions is step one. Step two involves convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost. This is easier said than done… So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips. Ultimate Guide to Staying Secure While Working Remotely While most of us have been working remotely or in a hybrid environment for well over a year, we know that more than half of IT leaders believe employees have picked up bad cybersecurity behaviors since working remotely. This eBook offers plenty of helpful reminders, including: The risk involved in sending work emails “home” Why using public Wi-Fi and/or your personal device as a hotspot aren’t good ideas Best practice around using cloud storage to share documents How to physically protect your devices Top tips for businesses setting up remote-working policies What Does a Spear Phishing Email Look Like? We know you’re working hard to train employees to spot advanced impersonation attacks…but every email looks different. A hacker could be impersonating your CEO or a client. They could be asking for a wire transfer or a spreadsheet. And malware can be distributed via a link or an attachment. But it’s not all bad news. While – yes – each email is different, there are four commonalities in virtually all spear phishing emails. Download the infographic now to help your employees spot the phish. The Risks of Sending Data to Your Personal Email Accounts  Whether it’s done to work from home (or outside of the office), to print something, or to get a second opinion from a friend or partner, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless…it’s not. In this article, we explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem. Looking for more helpful content? Sign-up to our weekly newsletter, or follow us on LinkedIn and Twitter (or do all three!).

New research from Tessian reveals just how deep The Great Resignation is, and how it’s continuing to increase work for security teams.   The Great Resignation of 2021 continues well into 2022, with record high numbers of people quitting their jobs and seeking opportunities for better positions, better pay, better work/life balance and even exploring a career in a completely new industry.   According to our latest survey of 2,000 employees in UK and US businesses, 55% are considering leaving their current employer this year, with two in five (39%) workers currently working their notice or actively looking for a new job in the next six months.    HR departments are under pressure to retain employees and replace the talent they lost. But they’re not the only team feeling the strain.    Our survey also revealed that 71% of IT decision makers in US and UK organizations told us the Great Resignation has increased security risks in their company. What’s more, 45% of IT leaders say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs.    They’re not wrong. One in three (29%) UK and US employees admitted to having taken data with them when they quit. The figures were much higher in the US, with two fifths of US employees (40%) saying they’d taken data with them when they left their job.

Which employees are taking the data?   We see noticeable differences in behaviors across various departments. Employees in marketing were the most likely to data with them when they leave, with a staggering 63% of respondents in this department admitting to doing so. Employees in HR (37%) and IT (37%) followed.    Interestingly, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal. With employees in these departments having to comply with strict data regulations on a daily basis, the findings suggest that this impacts their data sharing behaviors and the security cultures in these departments. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job.

Why do employees take data with them?  The majority of employees are not taking data for malicious purposes. The most common reason for taking data, cited by 58% of respondents, was because the information would help them in their new job. In addition, 53% believe that because they worked on the document, it belongs to them.    A significant percentage of employees (44%) said they took the information to share with their new employer, while 40% said they intended to make money from the information.

The consequences of doing nothing   With 70% of US employees and 40% of UK employees thinking about leaving their employer this year, the pressure is on to protect the organization from insider risk.    Even if a company experiences one data exfiltration attack, the consequences can be huge. There’s a lot at stake when it comes to the data in your company’s control, particularly when you consider that the average cost of a data breach now stands at $4.24 million.    What are the causes of these phenomenal costs? Here are three factors:   Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is expensive —not to mention the thousands of hours that can be lost trying to determine the cause.  Lawsuits: Many companies face enormous lawsuits for losing customer data.  Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.

What can IT and security leaders do to minimize the risk of data exfiltration during the Great Resignation period?   Taking data when leaving an organization has become one of those culturally-accepted things that people feel they can get away with. Let’s be clear, though, this is not a reason to blame and shame employees for their actions.    Rather this is an opportunity to see how we got to this point, assess where there are gaps in our data protection policies, and determine whether policies and guidelines are being communicated effectively to employees – both company-wide and in specific departments.    By defining and communicating the company’s expectations around data sharing and data handling in the organization, and training employees on safe cybersecurity practices, security leaders can start to build stronger security cultures that reduce insider risk.   As well as greater education and training, IT and security teams also need to ensure they have visibility of the risk across all channels, particularly email. A quarter of IT leaders we surveyed said they do not have visibility into incidents of data exfiltration, and this is an important first step.    The Great Resignation shows no sign of slowing down, and people will continue to move around looking for new opportunities throughout 2022. But this is also an opportunity for IT and security teams to build a more robust data loss prevention strategy, streamline defenses against insider risk, and put a safety net in place to stop the company’s most valuable and sensitive data from falling into the wrong hands.    How does Tessian prevent data exfiltration attempts?   Prevent unauthorized emails  Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email. Learn more   Deeply understand your risk Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltrations attempts.  Learn more   In-the-moment educational warnings Tessian warnings act as in-the-moment training for employees, continuously educating them about treats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time. Learn more

The future and nature of work is changing. So here’s all you need to know about how to keep your people secure in the ‘new normal’.

Remote working, hybrid working, anywhere-working, flexible-working, 4-day-week working, and everything in between – if the pandemic has done one thing, it seems to have destroyed nine-to-five in the office.   Saying so long to the stationary cupboard and “auf wiedersehen” to the water cooler might have been great for staff, but presented a serious challenge for security leaders back in 2020. And while, way back then, many thought the situation was temporary – a few months at most – and would be mitigated by vaccines, that clearly hasn’t been the case   Indeed Forrester’s Predictions 2022 anticipates the following set up:   10% of firms will shift to a fully remote model 🏡 30% will go back to a fully in-office model 🏢 The remaining 60% of firms will shift to a hybrid model 🏡 + 🏢   Those that insist on a fully in-office model, will find that employees simply won’t have it. Attrition at these firms will rise above their industry averages — monthly quit rates will rise to as high as 2.5% for as much of 2022 as needed until executives feel the pain and finally commit to making hybrid work … work.   Our own research bore this out too.    According to our Securing the Future of Hybrid Working report , just 11% of employees said they’d want to work exclusively in the office post-pandemic, with the average employee wanting to work from home at least two days a week. And, over a third of people said they wouldn’t even consider working for a company if it didn’t offer remote working in the future. That represents a lot of employee churn and HR headaches for you and your security team, which we’ll explore shortly. But first, given we are in security, let’s recap the current risks.

What are the security risks with remote working? The majority of IT leaders we surveyed believe permanent remote or hybrid work will put more pressure on their teams, while over a third (34%) were worried about their team becoming stretched too far in terms of time and resources.     While hybrid or flexi-working is great for employees, it’s the worst of both worlds for IT teams who have to simultaneously manage and mitigate security risks that occur in and out of the office, while providing a seamless experience that enables employees to work from anywhere. So if that’s the environment you’re having to work in, what are the risks?

Unsurprisingly, topping the charts is the classic phishing attack. 82% of IT leaders we surveyed believed employees are at greater risk of phishing attacks when working remotely. The pandemic saw a surge in these, with CISA specifically warning of attacks targeting remote workers back in Jan 2021.   Those threats haven’t gone anywhere in the meantime. Indeed, they’ve only increased with our reliance on delivery companies for shopping. But brand impersonations have expanded beyond the usual logistics and utility companies to software providers like Microsoft, Adobe and Zoom.

There’s a strong probability that, as we move forward in this new hybrid environment, remote work blindspots will be exploited.    This begs the question: How do you ensure people’s home networks are secure? There’s also concerns around liability. If company A faces a ransomware attack, it spreads to an employee, their home network, and then their partner’s company device to infect Company B…. Is Company A now liable for the losses Company B suffers?

This scenario is only exacerbated by having a Bring Your Own Device policy. Of course the benefits of BYOD are lower costs, increased flexibility for staff and a more productive workforce. But there are downsides around physical and network security.    An August 2021 survey conducted by Palo Alto Networks found that 83% of companies with relaxed bring-your-own-device (BYOD) usage led to increased security issues. We explore those for both security teams and workers themselves in this post.

How new habits become bad habits  That same Palo Alto survey also found that 35% of companies reported that their employees either circumvented or disabled remote security measures.  Our State of Data Loss Prevention report backs this up with the following alarming stats.   48% of employees say they’re less likely to follow safe data practices when working from home.    84% of IT leaders report DLP is more challenging when their workforce is working remotely.   52% of employees feel they can get away with riskier behavior when working outside of the office.   When asked why they were less likely to follow safe data practices when working from home, employees cited not working on their usual devices (50%) and being distracted (47%) as two of the top three reasons.    We’ve listed the 13 worst cybersecurity sins below. So take a moment to see if people in your organization are making these security errors. 

Evaluate and evolve your current process So, we’ve understood the risks, and are aware of some less-than-perfect security habits. Now we need to examine our processes. You’ve probably implemented some form of remote security processes since the start of the pandemic. But you should always be looking to evolve it to stay on top of your game and in light of new threats and changing circumstances.   Education in security has a huge part to play in making people aware of the risks associated with working remotely, and dispelling some of those new, bad habits. Our views on security awareness training are well-known. An hour-long ‘test quiz’ once a year just isn’t going to cut it. Instead you need to bake security into your organization’s daily operations.

As Bobby Ford, Global Chief Security Officer at Hewlett Packard Enterprise says in this video, how can you get a little bit of cyber into other programs in your organization? And don’t just stop at events, town halls, intranets, or staff newsletters. These are all places to continually beat the drum for good security. So work with your people and comms teams to help enable that. We have a bunch of tips, resources and best practice information in this post that you can use as part of your cyber security refresher training. And if you need support from the C-Suite, here’s how to get it.

We have a bunch of tips, resources and best practice information in this post that you can use as part of your cyber security refresher training. And if you need support from the C-Suite, here’s how to get it. What’s perhaps most remarkable about the switch to remote working is that it happened almost overnight. The efforts and tools IT and security teams put in place quickly ensured that many companies stayed operating – jobs and lives were no doubt saved.   

Now, however, those tools and processes are a permanent part of your business, and reviewing your security stack to ensure it’s fit for purpose in a remote world is critical. So what to look for? Well ask yourself questions like    👩‍💻 Does the application process personal data? If so, why and in what volume? 🌏 Where is the data processed?  📚 Does the application take back-ups of data? If so, how often? 🚫 Who has access to the data in the platform? 📱 Is access conditional upon Multi-Factor Authentication (2FA, for example)?  We’ve fully explored how to onboard remote Collaboration and productivity tools here

The Great Re-Evaluation and the future of remote work Finally, there’s one other aspect of remote working to address, and that’s people themselves. The pandemic caused a lot of soul searching in many employees about their future and the sort of companies they wanted to work for.    The past 18 months has seen unprecedented demand for highly skilled roles, and many people are using this to turbo charge their careers. The person in this BBC article increased her salary by £10,000 in six months, she surely can’t be the only one.  So as well as dealing with protecting your people from external threats, there’s also potential dangers from within. If people are leaving, what better way to make a great impression on the first day at their new gig than by bringing a juicy file of customer data, source code, or other highly valuable IP.    Again, our State of Data Loss Prevention Report found that 45% of employees admit to downloading, saving, or sending work-related documents to their personal accounts before leaving or after being dismissed from a job. Assuming your USB ports are disabled, staff will often extract these assets by emailing them to their personal accounts. This is a particular problem in sectors such as legal, financial services, and entertainment, where a client base and extensive networks are crucial.    We’ve explored in detail how to keep your data safe in The Great Re-Evaluation below

At Tessian, we know being an InfoSec leader is hard. The threats are relentless and the landscape is constantly changing. The halcyon days of rows of desktop PCs in an office block protected by on-prem Secure Email Gateway (SEG) are confined to the history books. Remote work, an infinite perimeter, and sophisticated attacks by email are here to stay.    The only question is, how are you going to deal with them?   To find out how Tessian can help secure your remote teams, get in touch for a demo

Like Gandalf The Grey, it goes by many names.   Fast Company calls it the Great Reprioritization. LinkedIn prefers the Great Reshuffle, while Thrive Global opts for Great Re-evaluation. But whatever it’s called, it’s clearly a movement that’s broadened out from people quitting their jobs and moving to your competitors, to something much bigger around company culture, work/life balance, and job flexibility.   So what does this mean for your organization? How do you keep your data secure when your perimeter is over the horizon, your people are remotely distributed, and you’re facing threats that are increasing in both frequency and complexity?   What is the great re-evaluation?   The first wave of Great Resignation in 2021 saw an initial rush of people deciding they wanted a change, and quickly leaving their jobs. We covered the knock-on effects of keeping your data safe back then in this article.

And while much of those concerns are still valid, we’re now in a new space where other issues are starting to reveal themselves, too.    Those initial leavers were the “early adopters” who probably had itchy feet anyway, COVID was just the push they needed. But what about those who stayed? Having weathered the storm for the last two years and seen that it’s showing no signs of abating, people are looking around for companies that offer better remuneration, flexibility, and an exciting mission. Things they’re (likely) sorely missing in their current companies.   As the CISO, those things might not be in your power to grant to the entire company. But as your company’s security leader, you own the security impact of when people leave, when their replacements arrive, as well as those who choose to stay.

Who’s leaving? First off, let’s look at those who are (still) leaving. Resignation rates are highest among mid-career employees; that is those between 30 and 45 years old. And according to Harvard Business Review, the greatest churn was in Tech companies. Ah tech in the Bay Area. Where it's easier to just get a new job, than to stay long enough for a laptop refresh. — Bea Hughes (@beajammingh) January 5, 2022

They’re often highly experienced at their role and unlike younger employees, don’t need a lot of training. What’s more, they’re not leaving to ‘drop out’ and start a lifestyle project or go traveling, they’re leaving for a better, more flexible package.   These are staff who ‘know where the bodies are buried’. They have a highly detailed knowledge of your organization and its processes, products, and customers. This group has the highest probability of attempting to exfiltrate sensitive data – IP, clients or other corporate information – from your organization.   But the problem isn’t limited to mid-career employees in the tech industry. The Verizon Data Breach Investigations Report found that 72% of staff take some company data with them when they move on, whether intentionally or not. They also found that 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement.   Even worse, a whitepaper published by Osterman Research found that a further 28% of employees admitted to taking data created by others when they leave – cheeky! Things to look out for include fluctuations in email activity, accessing documents or files at unusual times such as evenings or weekends, and spikes in data transfers.

If you’ve disabled your USB ports, email remains one of the most popular conduits for exfiltration attempts, so securing that channel now – before they hand in their resignation – is critical.    Once that’s in place, you need a structured and effective offboarding process in conjunction with your People team to disable methods of data exfiltration. (There’s some great advice on designing that process as a whole over on Security Intelligence and on AT&T Business.)   Why high attrition is a threat to your data security   A data breach has a number of financial consequences. First and foremost, there’s the time it takes you to handle the incident. There’s potential compliance violations and regulatory fines, legal costs pursuing the ex-employee, and loss of reputation and competitive  advantage that will affect your bottom line long-term.    The situation can be even worse when staff are let go as companies trim to stay afloat. One former credit union employee deleted 21GB of data after being fired, and one business collapsed entirely after an angry ex-employee deleted every single file.

Who’s arriving? The good news – enthusiastic new staff are brought in to replace those who have left, so aren’t likely to exfiltrate any data. The bad news? They’re also vulnerable to external attacks, and have yet to get up to speed on your security processes and familiarize themselves with the company as a whole.    What’s more, they’ve probably announced their new role on social media. Our How to Hack a Human Report found that an overwhelming 93% of workers also update their job status on social media, while 36% share information about their job. Hackers know this,  and do their research before hitting an organization with a spear phishing attack. Consequently, new starters are prime targets.    

But it’s not just role replacement staff, it’s entirely new staff too. After all, the pandemic has been very good for certain industries (infomation security for example) and some businesses are growing off the back of this and expanding their teams.   Who’s staying? When a team changes, there’s always disruption of some sort, and that problem is only exacerbated in today’s remote world. However, that disruption can also be an opportunity to refresh and remind people what a good security culture looks like and correct any bad habits that might have formed during remote working.   This is important as our ‘Back to Work’ research report found the following alarming statistics:   56% of IT leaders believe employees have picked up bad cybersecurity behaviors since working from home 40% of employees plan to bring their personal device into the office to work on 69% of IT leaders think that ransomware attacks will be a greater concern in a hybrid workplace 27% of workers are afraid to tell IT they’ve made a security mistake

Hybrid is here to stay – act accordingly  

Why the office is done The halcyon days of on prem servers and a load of desktop PCs all protected by a shiny new Secure Email Gateway (SEG) are long gone. And now, the office that once housed them is on the way out, too. According to one study, 79% of the C-suite say they will permit their staff to split their time between corporate offices and remote working, if their job allows for it.   There was the assumption in late 2021 that, once a vaccine was developed and staff afforded some sort of protection, things would soon return to normal – or at least something like it. Omicron has blown that notion to smithereens. And as this article suggests, maybe it’s time to admit defeat.

Remote working isn’t going anywhere anytime soon, and staff are still subject to the same distractions and security threats they were in March 2020.   The enemy here is complacency: bad habits as much as bad actors. People are once again distracted, angry, and anxious. Here’s some quick tips to help remind the team about good security practices (see more here) Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you.

Look after yourself   Like an airplane oxygen mask, you can’t look after others until you’ve looked after yourself first. It’s been a tough few years and CISOs are burnt out, really burnt out. Our Lost Hours report found that CISOs, on average, worked 11 hours a week in unpaid overtime, and that 25% of CISOs spend 9-12 hours investigating and remediating each threat caused by human error. What’s more, the average time a CISO is in post is as little as 26 months.

A commissioned study conducted by Forrester Consulting on behalf of Tessian identified that organizations spend up to 600 hours per month resolving employee-related email security incidents. That is not healthy and it’s not sustainable, for either staff or the business. And your team As our 2022 trends post highlighted, hiring and keeping a diverse team will be one of your biggest priorities… and challenges. After all, at the end of 2021 there were nearly 500,000 unfilled cybersecurity roles in the US. The Department for Homeland Security was looking to hire 1800 but the end of 2021 alone Dealing with the rising security risks of the Great Re-evaluation needs a great team backed up by great tools that streamline defenses against phishing attacks and data exfiltration. That’s where we come in. So if you need some help we’d love to talk.   How does Tessian prevent data exfiltration attempts?   Prevent unauthorized emails Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email. Learn more   Deeply understand your risk Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltrations attempts. Learn more   In-the-moment educational warnings Tessian warnings act as in-the-moment training for employees, continuously educating them about treats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time. Learn more

The pandemic has changed people and society in ways we wouldn’t have thought imaginable just 24 months ago.  Lockdown restrictions and remote working allowed many employees to reflect on what they want to do with their lives and the sort of companies they want to work for, as well as those they don’t.  Consequently, in April 2021 four million US workers quit their jobs, and according to recent research by Microsoft, over 40% of employees are considering leaving their employer this year. It’s being called ‘#TheGreatResignation’, and it presents a whole pile of problems for CISOs and other security leaders.  Here are some of the common problems you might face in keeping data secure when staff move on.  Staff burnout Let’s face it, everyone’s a little frazzled round the edges right now.  Our 2020 report, The Psychology Of Human Error, revealed that a shocking 93% of US and UK employees feel tired and stressed at some point during their working week. Staff burnout was real before the pandemic, and it’s only got worse during it as the months have turned into years.  Over half the employees (52%) we surveyed said they make more mistakes at work when they’re stressed. And we know that as some employees move on, others are left to pick up the slack, adding to their stress and further increasing the potential for human error. This goes to show that this isn’t just a cyber security issue, it’s a people issue, so get your COO and HR team involved and start exploring ways to improve company well-being. Mentally, they’ve already left Staff who are leaving will have ‘mentally uncoupled’ from your organization and its processes well before they actually make their exit. They’re distracted – perhaps even excited – about their new future and where they’re going. Our survey found that 47% of employees surveyed cited distraction as a top reason for falling for a phishing scam, while two-fifths said they sent an email to the wrong person because they were distracted.  This is made worse by the next problem…  “Hi, it’s Mark from HR, we haven’t met…” Changing jobs can bring staff into contact with people they might not have had much contact with before. In a big multinational, we doubt many staff can name every member of the payroll team – they might even be in another country! Our How to Hack a Human report found that an overwhelming 93% of workers also update their job status on social media, while 36% share information about their job.  If an employee has announced their imminent departure on social media, they can potentially be targets of spear phishing by hackers impersonating HR or operations staff. These could contain seemingly innocuous requests for key card returns, contract documents, and even IT hardware. We’ve seen it before! Check out our Threat Catalogue to see real examples of phishing attacks targeting (and impersonating!) new starters.  Notice period exfiltration Unless they’re leaving for a complete lifestyle change, like being a warden on a deserted Scottish island, many people tend to stay in the same sector or industry.  This means there’s a high probability of staff going to one of your competitors.  Our research reveals an increase in data exfiltration during an employee’s notice period. In fact, 45% of employees admit to “stealing” data before leaving or after being dismissed from a job. You can see the temptation – what better way to make a great impression on your first day than by bringing a juicy file of customer data, source code, or other highly valuable IP. People will often extract these assets by emailing them to their personal accounts. This is a particular problem in sectors such as legal, financial services, and entertainment, where a client base and extensive networks are crucial.  New staff So far all these problems have focused on leaving staff or those that remain, but another potential weak spot is the new hire that will replace them.  They’ve yet to undertake security awareness training on your systems and processes. They may have also announced their new role on social media (which means they could be victim to the same problem we explained in point 3).  It all comes back to one crucial point: 85% of data breaches are caused by human error.  How Tessian helps Security leaders have a big job; they have to secure networks, endpoints, and platforms like Slack and Microsoft Teams. But email remains the #1 threat vector. So how do you lock down email and prevent data exfiltration and successful phishing attacks? By empowering your people to do their best work, without security getting in the way. We believe employees should be experts in their respective fields, not in cybersecurity. Tessian’s suite of products secure the human layer, so that staff can concentrate on their roles and be empowered to do their best work.  Tessian Defender: Automatically prevents spear phishing, account takeover, business email compromise, and other targeted email attacks. Tessian Enforcer: Automatically prevents data exfiltration over email. Tessian Guardian: Automatically prevents accidental data loss caused by misdirected emails and misattached files.

It’s been a whirlwind of a year and now – at last – employees around the world are heading back to the office. Well, at least some of them, some of the time. As we all well know, the future of work is hybrid.  In fact, employees demand it with 89% of employees wanting to work remotely part of the week. That means organizations have to adapt quickly and adopt new policies, collaboration tools, and ways of working.  They’ll also have to evolve their cybersecurity strategies. In our new research, Back to Work: Security Behaviors Report, we explore how employees’ security behaviors have changed and what security pitfalls IT teams need to address ASAP. You can access the report here or, if you need a bit of convincing to click, keep reading Here are 5 reasons to download the report. 1. You’ll get actionable advice and insights from other security leaders We surveyed 200 IT decision makers to understand what’s top of mind and how they’re tackling challenges related to remote and hybrid working. That means this report is packed with helpful insights that will help guide your cybersecurity strategy.  For example: 69% of IT leaders believe ransomware will be a greater concern in a hybrid workplace 54% of IT decision makers are worried remote workers will being infected devices and malware into the office 56% of IT leaders believe employees have picked up bad cybersecurity behaviors while working from home (more on that below…) 2. You’ll have access to tons of additional resources  Because this report was written to help security professionals, we’ve included four additional resources related to hybrid working, getting buy-in, phishing, and data loss prevention (DLP). Download the report for easy access! 3. We share threat intelligence related to phishing scams in the last 6 months Between January and June, we saw a huge uptick in suspicious and malicious emails containing one specific term….

Find out what it is on page 16. 4. You’ll gain a better understanding of employees’ security behavior To get the big picture, we surveyed 4,000 employees in addition to the IT decision makers we mentioned in point 1. We found out that: 1 in 3 employees think they can get away with riskier security behaviors when working remotely 27% of workers are afraid to tell IT they’ve made a security mistake Just 51% of employees say they always report when they receive a phishing email or click on a phishing link How will you incorporate these insights into your hybrid security strategy?  5. There’s plenty of good news While the report is focused on how the threat landscape will change in a hybrid working environment, we also wanted to understand how the role of the CISO has changed (and is changing!) as a result. We have good news! We found out that 59% of IT leaders think their roles and responsibilities have been recognized as more important over the last year and that 67% say they have a seat at the table when it comes to office reopening plans.  Download the report to see how these sentiments vary by industry.

tl;dr: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a string of successful phishing attacks exploiting weak cyber hygiene in remote work environments to access companies’ cloud services via employees’ corporate laptops and personal devices.*  According to the report, “the cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. … A variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” 

Once the hackers had access an employee’s account, they were able to: Send other phishing emails to contacts in the employee’s network.  Modify existing forwarding rules so that emails that would normally automatically be forwarded to personal accounts were instead forwarded directly to the hacker’s inbox.  Create new mailbox rules to have emails containing specific keywords (i.e. finance-related terms) forwarded to the hacker’s account. This type of malicious activity targeting remote workers isn’t new. Henry Trevelyan Thomas, Tessian’s VP of Customer Success has seen many instances this year. “The shift to remote work has resulted in people needing more flexibility, and personal accounts provide that—for example, access to home printers or working from a partner’s computer. Personal accounts are easier to compromise as they almost always have less security controls, are outside organizations’ secure environments, and your guard is down when logging on to your personal account. Attackers have realized this and are seeing it as a soft underbelly and entry point into a full corporate account takeover.” Learn more about Account Takeover (ATO), and take a look at some real-life examples of phishing attacks we spotted last year.  CISA recommends the following steps for organizations to strengthen their cloud security practices: Establish a baseline for normal network activity within your environment Implement MFA for all users, without exception Routinely review user-created email forwarding rules and alerts, or restrict forwarding Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution. Consider restricting users from forwarding emails to accounts outside of your domain Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities. Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently. For more practical advice on how to avoid falling for a phishing scam, download Tessian’s guide to Remote Work and Cybersecurity. What Tessian’s Experts Say

Free resources to help keep your employees and organization secure.

*Note: the activity and information in this Analysis Report is not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.

According to Tessian research, 75% of IT leaders and 89% of employees believe the future of work will be “remote” or “hybrid” – a combination of working in the office and remotely.  This will have a significant impact on companies’ IT departments, who will be under pressure to deliver a seamless experience and create strategies that empower employees to work remotely and securely. In fact, 85% of IT leaders think they and their team will be under more pressure if their organization were to adopt a permanent remote working structure.  In this blog, we look at their top 7 concerns and explain how to overcome them.  1. Employee wellbeing Half of IT leaders’ are worried about staff’s wellbeing when they work remotely – making it the top concern among IT professionals.  Remote work can be incredibly stressful for employees. A survey by online employment platform Monster reported that over two-thirds of U.S. workers have experienced burnout symptoms while working from home. Why? Because people are more distracted, they’re taking less time off work, and they’re working longer hours. 61% of employees in another Tessian report said a culture of presenteeism in their organization makes them work longer hours than they need to.  The problem is that when people are stressed, tired and distracted, they make more mistakes that could compromise cybersecurity. In fact, 46% of employees say make more mistakes when they feel burned out.  IT professionals must recognize the correlation between employee wellbeing, their productivity, and security if they want to keep data and systems safe in a remote work world. Lead with empathy and find ways to prevent stressed and distracted employees from making costly cybersecurity mistakes.  2.Unsafe data practices 46% of IT leaders are also worried about employees practicing unsafe cybersecurity behaviors.  Their concerns are valid. A report published by Tessian in May 2020 revealed that 48% of employees feel they can get away with riskier cybersecurity behaviors when working from home, namely because they are working from unfamiliar devices and because they aren’t being watched by IT teams. A further 54% said they’ll find a workaround if security software or policies prevent them from doing their job. Educating employees on safe cybersecurity practices is a necessary first step. However, only 57% of companies implemented additional training at the start of the remote working period in March 2020. This isn’t trivial; businesses must continually educate staff on safe data practices because cybersecurity is rarely at the front of mind for every employee.  Businesses should also ensure that security solutions or policies do not stand in the way of people getting their jobs done. Workers will find the easiest or most convenient path, and this can often involve skirting around security rules. Security should, therefore, be as flexible as people’s working practices in order to mitigate unsafe behaviors online.

3. More data breaches Half of organizations we surveyed said they experienced a data breach or security incident between March and July 2020 – the period in which mandatory remote work arrangements were enforced. Consequently, 40% of IT leaders are worried their company will experience more data breaches if people continue to work remotely.  The causes of these data breaches included phishing attacks (49%), malware (45%) and malicious insider attacks (43%). In addition, 78% of IT leaders said they think their organization is at greater risk of insider threats when staff work from home.  To prevent data breaches caused by insider threats – and other threats caused by human error – IT teams need greater visibility into their riskiest and most at-risk employees. Only by understanding employees’ behaviors, can businesses tailor policies and training to prevent people’s actions from compromising company security and breaching sensitive data.  4. More phishing attacks Half of the security incidents reported between March-July 2020 were caused by successful phishing attacks – making phishing the top attack vector during this period of remote working.  Of the 78% of remote workers that received phishing emails while working on their personal devices, an overwhelming 68% clicked a link or downloaded an attachment from the malicious messages they received. It’s not surprising, then, that 82% of IT leaders think their organization is at greater risk of phishing attacks when people work remotely.  But why is phishing a greater risk for remote workers?  Because it is not uncommon for an employee to receive information about a new software update for a video conferencing app, or an email from a healthcare organization providing tips on how to stay safe, or a request from a supplier asking them to update payment details.  In fact, 43% of IT professionals said their staff had received phishing emails with hackers impersonating software brands, while 34% said they’d received emails from cybercriminals pretending to be an external supplier.  If the sender’s email domain looks legitimate and if hackers have used the correct logos in the body of the email, there’s very little reason why an employee would suspect they were the target of a scam. And, when working remotely, employees can’t easily verify the email with a colleague. They may, then, click the link to “join the meeting”, download the “new update” or share account credentials. To learn more about how to spot a spear phishing email, read our blog here.

5. The IT team’s bandwidth With organizations facing the threat of more data breaches and security incidents caused by unsafe cybersecurity behaviors, over a third (34%) of IT leaders worry that their teams will be stretched too far in terms of time and resource.  Security solutions powered by machine learning can help alleviate the strain. Solutions like Tessian use machine learning algorithms to understand human behaviors in order to automatically detect and prevent threats caused by human error – such as accidental data loss, data exfiltration or phishing attacks. When a potential threat is detected, the individual is alerted in real-time and a record of the incident is logged in a simple and accessible dashboard. IT professionals no longer have to spend hours manually looking back through logs to find incidents – the proverbial ‘needle in a haystack’.  When you consider that 55% of IT teams spend more time navigating manual processes than responding to vulnerabilities, finding ways to take away the manual, labor-intensive tasks will be critical in freeing up IT professionals’ time.  6. An increase to IT leaders’ workload In addition to concerns over their teams’ workloads increasing, IT leaders also fear they’ll face even longer to-do lists in a hybrid or remote working world. Why? To name a few: The majority of IT leaders will be implementing new BYOD policies, additional training programs, upgrades to endpoint protection as well as new VPNs in order to address employees’ expectations and safety.  They have to overcome challenges like data loss prevention (DLP), something 84% of IT leaders say is more difficult in distributed workforces.  They have to address and mitigate more security risks such as employees bringing infected devices or documents into the office, potentially compromising the company’s entire network.  According to Nominet’s 2020 report – The CISO Stress Report: Life Inside the Perimeter: One Year On – 88% of CISOs are moderately or tremendously stressed. What’s more, 95% work more than their contracted hours amounting to an extra 10 hours per week, on average.  As the pressure increases, businesses must find ways to alleviate stress and empower IT leaders to work effectively and efficiently in order to protect their company and employees.

7. Non-compliance with data protection regulations Nearly a third of IT leaders said that remote working could compromise compliance with data protection regulations.  In the last year, misdirected emails have been the number one cause of data breach incidents reported to the Information Commissioner’s Office. A previous Tessian report found that 58% of employees have sent an email to the wrong person during their career and, of these misdirected emails, nearly a fifth (17%) were sent to the wrong external party.  Their reasons? Nearly half said it was because they were tired and 41% said the error was made because they were distracted. Given that studies have shown people are feeling more fatigued and more distracted while working remotely, there is cause for concern that data breaches, caused by human error, will only increase.  Instead of expecting people to do the right thing 100% of the time while working away from the office, invest in security solutions that preempt these errors by detecting and preventing them from happening in the first place. That way, IT leaders can proactively stop sensitive information from leaving their environment, company IP stays secure, compliance standards are met, and customer trust is maintained. To find out more, read the full report – Securing the Future of Hybrid Work – here.

When the world went into lockdown, ways of working changed forever.  Mandatory remote work arrangements meant people had to find ways to get their jobs done in their homes and most of us quickly settled into a new rhythm of work. Now, after months of being away from the office, the so-called “new normal” is starting to feel, well, just normal. Employees don’t want to give up the level of flexibility and autonomy they’ve come to experience.   In fact, according to our latest report, Securing the Future of Hybrid Working, just 11% of UK and US employees said they’d want to work exclusively in the office post-pandemic, with the average employee wanting to work from home at least two days a week. And, over a third of people said they wouldn’t even consider working for a company if it didn’t offer remote working in the future. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Keep reading to find out: How IT leaders think remote and hybrid working will affect cybersecurity What these new set-ups will do to IT teams’ workloads How business’ can balance flexibility and security Remote, office-based, or a bit of both?  Businesses have some big decisions to make. Do they encourage employees to come back to the office post-pandemic, or opt for a fully remote workforce?  For many, a hybrid model – where employees can split their time between working in the office and anywhere else they’d like – appears to be the best option for the long-term future of their company. Google, for example, has already announced that this is the approach it’ll take.  This way of working requires companies to completely transform the way their companies have previously run – and it may come at the IT department’s expense. The majority of IT leaders surveyed believe permanent remote work will put more pressure on their teams, while over a third (34%) are worried about their workers becoming stretched too far in terms of time and resource. This is because, while it is great for employees, a hybrid way of working actually offers the worst of both worlds for IT teams who have to simultaneously manage and mitigate security risks that occur in and out of the office, while providing a seamless experience that enables employees to work-from-anywhere. Why would permanent remote working arrangements increase IT teams’ workload?  One of IT teams’ biggest concerns is the risk of phishing attacks, with 82% of IT leaders believing employees are at greater risk of phishing attacks when working remotely. Their concerns are valid; over three-quarters of employees said they received a phishing email while working on their personal device between March and July 2020, and 68% admitted to clicking a link or downloading an attachment within that email. In fact, our report shows that nearly half of companies experienced a data breach or security incident between March and July 2020 – the remote working period enforced by the global pandemic – and half of these incidents (49%) were caused by phishing attacks.  This made phishing the leading cause of security incidents during this time.

Insider threats are another concern. Over three-quarters of IT leaders (78%) think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure. Such risks include employees bringing infected devices or documents into the office after working remotely and sharing sensitive information with their personal accounts.  It’s also worrying that 43% of the security incidents reported between March – July 2020 were caused by malicious insiders. For more information about the different “types” of insiders and real-world examples of each, visit our blog. The problem is that insider threats are much more difficult to detect and mitigate when workforces are distributed. Why? A lack of visibility.  A previous Tessian report revealed that nearly half of employees feel like they can get away with unsafe cybersecurity practices when working away from the office because they aren’t being watched by their IT team.   Then, there are the security risks associated with Bring Your Own Device (BYOD) practices.  Half of employees we surveyed have been working on their personal devices since the world went into lockdown in March 2020. The top BYOD security risks cited by IT professionals included: The downloading of unsafe apps Malware infections Software updates.  It’s not surprising, then, that 1 in 3 IT leaders are worried about their teams being too stretched in terms of time and resource in a permanent remote working structure. 

How can businesses balance flexibility and security without draining IT teams’ resources?  Securing distributed workforces isn’t going to be easy. Why? Because businesses must transform and reinvent ways of working but IT teams are under-resourced and budgets are getting smaller and smaller. Failure to transform and deliver a seamless hybrid experience, though, could threaten companies’ security posture and see businesses losing out on talent.  Education on the threats people can be exposed to and the threats they pose to company security when working away from the office is, therefore, an important first step. So, it is encouraging to see that 58% of IT leaders are planning to introduce more security training should their company adopt a permanent remote working structure.  But approaches to training may need a rethink so that it resonates with employees and isn’t seen as “just another thing” on people’s to-do list. According to our report, despite 57% of IT departments implementing more education and security training for their employees during the pandemic, nearly 1 in 5 workers said they didn’t even take part. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); This brings us to our second recommendation – security solutions shouldn’t hinder people’s productivity.  It’s clear people want to be able to work flexibly, so tools need to be flexible, too. Solutions like Tessian are invisible to employees until threats are detected, which means we cause minimal disruption to people’s workflow. Our warnings are helpful and educational, not annoying. We give people the information they need to make safer cybersecurity decisions and improve their behaviors over time.  Lastly, IT teams need greater visibility into their riskiest and most at-risk employees – regardless of where they’re working – in order to tailor training and policies and improve cybersecurity behaviors over time. Getting this level of visibility shouldn’t be a burden to the IT team, though. IT teams have enough going on, so solutions that leverage machine learning can take away labor-intensive tasks and help free up IT professionals’ time.  The way people work is quickly changing. But one thing will stay the same; you need to protect your organization’s most important asset – your people.  Businesses that protect their people from security threats and empower them to do great work, without security getting in their way, will set themselves for long-term success.  Read the full report – Securing The Future of Hybrid Working – today.

Over the last eight weeks, security vendors, thought leaders, and even mainstream media have been offering employees advice on how to stay secure and productive while working from home. And, why wouldn’t they? The transition from office-to-home has been both sudden and challenging and the risks associated with data loss haven’t disappeared just because the perimeter has. At Tessian, we’ve created (and have been consistently updating) our own remote-working content hub filled with actionable advice for security, IT, and compliance professionals as well as employees. While you can find the individual articles below, we thought we’d combine all of the tips we’ve shared over the last two months into one easy-to-read article. Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges Ultimate Guide to Staying Secure While Working Remotely  Remote Worker’s Guide to: Preventing Data Loss Remote Worker’s Guide to: BYOD Policies  11 Tools to Help You Stay Secure and Productive While Working Remotely  Here are 13 things you shouldn’t do when working remotely from a cybersecurity perspective.  1. Don’t send company data to your personal email accounts. As many organizations have had to adopt new tools and systems like VPNs and Cloud Storage on the fly, some employees may have had to resort to sending company data to their personal email accounts in order to continue doing their job.  We understand that doing so may have been viewed at the “only option”, but it’s important to note that this is not wise from a security perspective. While we’ve written about this in detail on our blog The Dark Side of Sending Work Emails “Home”, the short-and-sweet version is this: Personal email accounts are less secure and more likely to be compromised than work email accounts. Why? Read point #5 to find out.  2. Don’t share Zoom links or Meeting IDs.  Zoom – like so many other remote-working tools – is enabling workforces around the world to continue collaborating despite being out-of-office. But, as we highlighted in our Ultimate Guide to Staying Secure While Working Remotely, there are precautions you must take in order to prevent attackers from infiltrating your calls. While there are plenty of lists circulating with top tips around using Zoom, the most important piece of advice we can offer is to not share your Zoom Meeting ID (or link) with anyone you don’t work with directly or otherwise trust.  Importantly, this Meeting ID appears at the top of your conference window, which means if you share a screenshot of your call, anyone who sees the screenshot can access this meeting. If you want to be proactive in locking down your Zoom calls, you should also ensure all of your meetings require a password to join. 3. Don’t ignore warnings from IT and security teams or other authoritative sources.  Since the outbreak of COVID-19, we’ve seen a spike in phishing attacks. Why? Because hackers tend to take advantage of emergencies, times of general uncertainty, and key calendar moments. IT and security teams and even organizations like the FBI have been working hard to communicate these threats and how to avoid them. But – importantly – these warnings are useless unless employees heed the advice.  Whether it’s an email outlining how to spot a phishing email or an announcement from your line manager about updating your iOS, employees should take warnings seriously and take action immediately.  4. Don’t work off of personal devices.  While it may seem harmless, using your personal devices – whether it’s a laptop, desktop computer, mobile device, or tablet – for work-related activities creates big security risks. To start, your personal devices won’t be configured with the same security software as your work device.  Whether it’s the protection offered by a simple firewall or antivirus software, you and your data are more secure when working on company-sanctioned devices. Note: Some organizations have adopted more flexible BYOD policies. You can learn how to combat the security risks associated with these policies on our blog. 5. Don’t action email requests without double-checking their legitimacy.  Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. To avoid falling victim to one of these scams and potentially actioning a request that isn’t legitimate, make sure you double-check that the person making the request is who they say they are.  For example, if your CEO asks you to change an account number on an invoice, contact him or her directly – via phone call, text, Slack or a separate email – before doing so. Likewise, if someone in HR asks you to share any credentialsor other personal information, get in touch with them via phone or a separate email thread before responding.  6. Don’t use weak passwords.  Many organizations have strict password policies, including the enforcement of multi-factor authentication. It makes sense. If a bad actor gained access to your applications – whether it’s your email account or collaboration tools – they’ll have free rein over your most sensitive systems and data.  If your organization doesn’t have any policies in place, our advice is to use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops and other log-ins.  If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. 7. Don’t lose touch with your IT or security teams.  Communication – especially during periods of transition and disruption- is key.  If you’re unsure about any security policies or procedures, how to use your personal device securely, or if you believe your device or network has been compromised in any way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have and the sooner they have it, the better equipped they are to keep you and your devices protected.  8. Don’t use public Wi-Fi or mobile hotspots.  Given the digital transformation, most of us rely on internet access to do our jobs. Unfortunately, we can’t connect to just any network.  The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. With that said, you should only use networks you’re absolutely confident are secure.  9. Don’t download new tools or software without approval.  IT and security teams have processes in place that help them identify which applications are and aren’t in compliance with their data and privacy protection criteria. That means that if they haven’t approved the use of a certain tool, it probably isn’t safe in their opinion. Even if a certain tool makes your job easier to do, you shouldn’t download – or even use – tools or software without express permission to use them. Whether it’s a design, writing, or project management tool, you must communicate with your in-house teams before clicking “download”.  10. Don’t leave work devices or documents in plain sight.  Your devices are gateways to sensitive information. While we’ve already covered the importance of password-protecting these devices, preventing them from being stolen is vital, too.  Avoid leaving laptops, tablets, mobile devices, and documents containing sensitive company or client information in plain sight, such as near windows at home or on a passenger seat if traveling by car. This will help prevent opportunistic theft.  Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage employees to always work in positions that minimize line-of-sight views of their screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously. 11. Don’t give hackers the information they need to execute social engineering attacks.  When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Don’t make it easier for them by sharing personal information on OOO messages or on social media like LinkedIn. This includes phone numbers, alternative email addresses, travel plans, details about company structure and reporting lines, and other data points.  12. Don’t be afraid to ask questions about security policies and procedures.  When working from home or otherwise outside of the office, you have much more autonomy. But that doesn’t mean you should disregard the processes and policies your organization has in place. And, part of following processes and policies is understanding them in the first place. IT and security teams are there to help you. If anything is unclear, send them an email, pick up the phone, or file a request.   13. Don’t forget the basics of security best practice.  While we’ve offered plenty of advice that’s specific to remote-working, following general security best practices will help prevent security incidents, too.  Most employees receive annual security training or, at the very least, had some security training during their onboarding process. If you didn’t, below are some of the basics. Don’t reuse passwords. Don’t share your passwords with anyone. Stay up-to-date on compliance standards and regulations specific to your industry. Report incidents of theft. Don’t share sensitive company information with people outside of your organization.  If any of the above are unclear, refer back to point #7. Ask your IT, security, or HR teams. Communication is key! What’s next? While most organizations and individuals have started to adjust to “the new normal”, it’s important to remember that, eventually, some of us will move back to our office environments. The above tips are relevant wherever you’re working, whether that’s at home, from a cafe, on public transport, or at your desk in the office. Looking for more insights on what\s next in this new world of work? We’re hosting our first virtual Human Layer Security Summit on June 18. Find out more – including the agenda for the day – here. 

With the outbreak of COVID-19, workforces around the world have transitioned from secure office environments to their homes.  While some companies already had the infrastructure and policies in place to support a remote workforce, other smaller organizations and even some large enterprises are facing a number of challenges in getting their teams set up, starting with access to secure devices like laptops and phones. One way to empower your employees to work safely wherever they are is to implement BYOD (Bring Your Own Device) policies. What is a BYOD Policy?

While BYOD policies are something of a necessity now – especially with delays and even cancellations in global supply chains for the devices virtual workers rely on – they were formerly an answer to IT consumerization.  Consumerization of IT refers to the cycle of technology first being built for personal, consumer use and then later being adopted by businesses and other organizations at an enterprise level. It’s often the result of employees using popular consumer apps or devices at work, because they are better than the legacy tech used by the organization. What are the benefits of a BYOD policy? There’s a reason why the BYOD market was booming pre-COVID-19. In fact, the market is expected to be valued at more than $366.95 by 2020, a big jump from its valuation of $30 billion in 2014. Note: This forecast was made three years ago, which means the sudden and global transition to remote-working will likely drive more growth. So, what are some of the benefits for businesses? You’ll Enable a Productive Remote Workforce  This is no doubt the most important reason to adopt BYOD policies, especially now. If your employees have historically worked on desktops and you’re struggling to set each person up with a laptop, BYOD policies will enable your people to keep working, despite hardware shortages and other challenges. Beyond that, though, you’ll also enable your people to work freely from wherever they need to, whether that be in transit, at home, or in the office. You’ll Reduce Burden on IT Teams Employees tend to be more comfortable and confident using their own personal devices and their native interfaces. For example, someone who has worked on a Windows computer for 15 years may struggle to suddenly start working on a Mac. That means there will be less dependence on IT teams to train or otherwise set-up employees on new devices. But, it’s important to consider the security risks along with the benefits so that your employees and data stay safe while working from personal devices.  What are the security risks involved in using personal devices? Physical security Loss or theft of a personal device is one of the biggest concerns around BYOD policies, especially when you consider that people tend to carry their mobile phones and even laptops with them at all times. If a device fell into the wrong hands and adequate security measures weren’t in place, sensitive data could be at risk.  Network security If a cybercriminal was able to gain access to a personal device, they could maneuver from one device to another and move through an organization’s network quickly. Once inside, they could install malware, steal sensitive information, or simply maintain a foothold to control systems later. Information security Data is currency and personal devices hold a lot of information not just about an organization and its clients, vendors, and suppliers, but also about the individual. If you imagine all the sensitive data contained in Outlook or Gmail accounts, you can begin to see the magnitude of the risks if this data were exposed. Physical and network security risks are threats to information security, which proves how important securing devices really is. Tips for employers To minimize the risk associated with BYOD policies, we recommend that you: Enforce strict password policies. Mobile phones should be locked down with 6-digit PINs or complex swipe codes, and laptops should be secured with strong passwords that utilize numbers, letters, and characters. Your best bet is to enforce MFA or SSO and provide your employees with a password manager to keep track of their details securely. Equip devices with reliable security solutions. From encryption to antivirus software, personal devices need to have the same security solutions installed as work devices. Ideally, solutions will operate on both desktop and mobile ensuring protection across the board. For example, Tessian defends against both inbound and outbound email threats on desktop and mobile. Read more about our solutions here.  Restrict data access. Whether your organization uses a VPN or cloud services, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access through stringent access controls whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Limit or block downloads of software and applications. IT and security teams can use either blacklisting or whitelisting to ensure employees are only downloading and using vetted software and applications. Alternatively, IT and security teams could exercise even more control by preventing downloads altogether. Educate your employees. Awareness training is an essential part of any security strategy. But, it’s important that the training is relevant to your organization. If you do implement a BYOD policy, ensure every employee is educated about the rules and risks.  Tips for employees  To minimize the risk associated with BYOD policies, we recommend that you: Password-protect your personal devices. Adhere to internal security policies around password-protection or, alternatively, use 6-digit PINs or complex swipe codes on mobile devices and strong passwords that utilize numbers, letters, and characters for laptops. If you’re having trouble managing your passwords, discuss the use of a password manager with your IT department. Avoid public Wi-Fi and hotspotting. The open nature of public Wi-Fi means your laptop or other device could be accessible to opportunistic hackers. Likewise, if a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Put training into practice. While security training is notoriously boring, it’s incredibly important and effective if put into practice. Always pay attention during training sessions and action the advice you’re given. Report loss or theft. In the event your device is lost or stolen, file a report internally immediately. If you’re unfamiliar with procedures around reporting, check with your line manager or IT team ASAP. They’ll be able to better mitigate risks around data loss the sooner they’re notified.  Communicate with IT and security teams. If you’re unsure about how to use your personal device securely or if you think your device has been compromised in some way, don’t be afraid to communicate with your IT and security teams. That’s what they’re there for. Moreover, the more information they have, the better equipped they are to keep you and your device protected.  BYOD policies offer organizations and employees much-needed flexibility. But, in order to be effective as opposed to detrimental, strict security policies must be in place. It’s not just up to security teams. Employees must do their part to make smart security decisions in order to protect their devices, personal data and sensitive business information. Looking for more tips on staying secure while working remotely? We’re here to help! Check out these blogs: Ultimate Guide to Staying Secure While Working Remotely Remote Worker’s Guide To: Preventing Data Loss 11 Tools to Help You Stay Secure and Productive While Working Remotely