The cost of a data breach is up 13% from 2020 totalling $4.35 million, according to IBM’s Cost of a Data Breach Report for 2022. IBM’s annual report also revealed that compromised credentials, phishing and cloud misconfiguration are the top three attack vectors. Phishing related breaches is the costliest form of attack, costing businesses $4.91 million in damages per breach.  IBM recommends investing in security tools that leverage artificial intelligence (AI) and machine learning. These next generation security tools represent the biggest breach cost mitigation measure organizations can take, reducing the overall cost of a breach by an average of $3.05 million.  Keep reading for key findings from the report. Key findings The cost of a breach continues to creep up year-over-year. The cost of a breach has increased to $4.35m in 2022 –  representing a nearly 13% increase from 2020. Top 3 attack vectors were identified as: compromised credentials (19%), phishing (16%) and cloud misconfiguration (15%). Phishing is the costliest form of a breach. Although compromised credentials is the leading cause of a breach, phishing is the costliest with the fallout averaging $4.91m per breach.  Business Email Compromise (BEC) is expensive. BEC attacks are the second costliest, totalling on average $4.89m per breach.  

Healthcare remains the most adversely impacted vertical. Costs of healthcare breaches have reached a record high of $10.1m. According to HIPAA, there were over 680,000 healthcare breaches in 2021, resulting in close to 45 million healthcare records being compromised. Million dollar savings. Investing in security AI and machine learning tools is the greatest breach cost mitigation organizations can take, reducing the overall cost of a breach by an average of $3.05m compared to organizations that do not have these tools in place.   The increasing frequency and costs associated with breaches is adding to inflationary pressure for goods and services. Companies that have suffered a breach are typically raising their prices for goods and services. Breaches are still taking an inordinate amount of time to contain. On average breaches are resolved within 277 days from discovery. Paying ransoms does not lead to significant cost savings for victims of a breach. Those that chose to pay ransoms saw on average $610, 000 less in breach costs than those that chose not to pay. Critical infrastructure remains vulnerable and lags in zero trust adoption. 80% of critical infrastructure organizations have not adopted zero trust strategies. The result is +$1m more costly breaches, totalling an average of $5.4m per breach. 

The importance of cloud adoption maturity and cloud security Hybrid cloud represents a hedge against cyber risk. The study found hybrid cloud adopters discovered breaches 15 days sooner than companies that relied solely on a single public or private cloud operating model. Hybrid cloud reduces breach cost. Companies that rely on a  hybrid cloud operating model also experienced the lowest costs associated with a breach. On average breach costs for hybrid cloud adopters were $3.8 million. Cloud security adoption is lagging breaches. Almost half (45%) of all breaches originated in cloud environments, with 43% of organizations stating that they are only in the early stages of implementing security across their cloud environments.  A lack of cloud security adoption increases time to resolve a breach. On average organizations that failed to adopt adequate or any cloud security for their cloud environments required +108 days to resolve a breach.

Phishing and Business Email Compromise (BEC) are the costliest attack vectors BEC and credential compromise breaches are insidious and difficult to discover. Email breaches have the second highest mean time to discovery at 308 days (+16% on the overall mean time), with compromised credentials topping the list with a mean time for discovery 327 days (+19%). Phishing is a lucrative scam. Phishing is the second leading attack vector for breaches (16%), and is also the costliest at $4.91m. BEC attacks come a close second, costing businesses $4.89m. 

Recommendations Some of the key IBM recommendations include: Adopt a zero trust security strategy and security model. Zero trust is particularly well-suited to hybrid cloud environments and hybrid and remote work operating models, protecting data by limiting accessibility and requiring context to grant access. Adopt security tools that can share and centralize data between disparate systems. Implement security tools that can centralize data security operations across multiple environments to enable security teams to detect incidents across complex hybrid multi-cloud environments. Invest in cloud native security automation tools. This includes security orchestration, automation and response (SOAR), security information and event management (SIEM), managed detection and response (MDR) tools and XDR to accelerate incident response through automation. Use best-of-breed security tools that help protect and monitor endpoints and remote employees. Remote work related breaches cost an average of $1 million more than non-remote work breaches. Leveraging endpoint and end-user focussed security solutions including endpoint protection platforms (EPP), identity and access management (IAM) and email security solutions are essential. Create and test incident response plans and playbooks. This includes creating incident response teams that are well rehearsed on testing the IR plan. Additional measures include red teaming and finding solutions that manage attack surface risk.  

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.

Each year it seems we are met with new complex challenges and risks that few could have predicted. In turbulent times, it is prudent to take stock of what business and security leaders can control. Allocating dedicated resources to more effectively manage both known and unknown risk is fast becoming essential to shore-up organizational resiliency.   Turning the focus to the sector that is germane to what we do at Tessian, effectively managing cybersecurity risk is now more critical than ever. In fact, cybersecurity risk is now considered the number 1 risk faced by businesses according to Allianz’s 2022 Global Risk Barometer, followed by business interruption (2) and natural disasters (3).   Read on to learn more about some of the key cyber risks organizations are faced with today, and how best to mitigate it.

Cybersecurity risk is increasing The costs associated with breaches are increasing each year. The global cost and impact of cybercrime damages is expected to reach $10.5 trillion in damages by 2025 – representing a 350%+ increase from 2015.    A sign of the worsening cyber risk can be seen in the cybersecurity insurance industry. Given the high number of recent claims, up by 500% in 2021, has resulted in cyber insurance premiums seeing significant escalations – essentially doubling over the past year. And as a result of recent developments in Ukraine, leading insurers are now excluding suspected nation-state cyber attacks from coverage provisions.  

Persistent and increasing email security risk   Due to its open nature, email remains the preferred method for delivering a malicious payload, including ransomware – responsible for up to 95% of breaches. Email also attracts the greatest investment in the attacker value chain and is the riskiest channel for data loss.    Until recently, detecting and preventing email threats relied on static, rule-based solutions like Secure Email Gateways (SEGs). These solutions are only able to detect known threats because they rely on a threat detection engine of already documented threat campaigns. But threats have become more advanced and are proliferating at an alarming rate, with the net result these threats are going undetected by SEGs and are reaching victims’ mailboxes.   According to Verizon’s DBIR 2022, email-delivered social engineering attacks are growing in complexity, with phishing responsible for 60% of these attacks. In addition, the FBI reported that $43 billion has been lost globally due to Business Email Compromises (BEC) in the past 5 years, with a 65% increase in BEC fraud related losses reported globally in the period 2019 to 2021.  

The growing ransomware challenge   Advanced cyber threats like ransomware are also trending in the wrong direction. Ransomware related damages exceeded $20 billion for 2021 – representing a 57x fold increase from 2015. By 2031 ransomware damages are expected to reach $265 billion. Responsible for 75% of cybersecurity insurance claims, Ransomware-as-a-Service offerings are mainstreaming the ability to carry out devastating ransomware attacks.    Russia-based Conti ransomware gang aka Wizard Spider has been linked to 50 incidents in April 2022 alone, including attacks on the Costa Rican and Peruvian governments. Currently there is a $15million bounty on Conti from the US government – indicative of the scale of the problem. The FBI estimates that over 1,000 Conti ransomware victims have paid in excess of $150 million in ransom in the past year.    Also concerning is the increasing proliferation of wiper-malware seen in 2022 in cyber attacks against the Ukraine in 2022. Disguised as ransomware, wiper-malware essentially wipes all data from infected hosts. In response to the growing ransomware threat, CISA announced the formation of a ransomware taskforce at the end of May 2022.   

Software supply chain vulnerability   Software supply chain cyber risk is another leading concern for CIOs and CISOs. The acceleration of digital transformation and cloud adoption, and increased speed of deployment through DevOps processes, have resulted in dramatically expanding the attack surface area with vulnerable code and applications exposed online.    Software supply chain attacks remain a vulnerable element given the high impact and high reward for the attackers as has been demonstrated in the SolarWinds and Kaseya attacks. 

Final thoughts for staying safe in a volatile cybersecurity environment   Prioritizing cybersecurity program development is now a core aspect of effective organizational risk management. There however remains a collective need in the vendor and the broader business community to elevate and educate executives particularly at the board level, on the importance of proactive cybersecurity risk management.    Assume you will suffer a breach. From this risk-aware position think about the proactive steps you can take to improve your cyber resilience. The escalating email, ransomware, wiper malware and supply chain vulnerability risks underscore the imperative for investing in intelligent and agile cybersecurity defenses.   Continuously seek out innovative solutions that keep your environment safe, while at the same time ensure high degrees of employee engagement on the importance of security awareness.  

To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

In recent years, the shift away from on-prem email platforms to cloud-based platforms has been dramatic, with Gartner estimating that 70% of organizations now use cloud productivity suites like Microsoft 365 and Google Workspace. But as email migrates from legacy on-prem approaches to the cloud, securing these cloud based services becomes the next big challenge. Enter Integrated Cloud Email Security.

What is an Integrated Cloud Email Security (ICES) Solution? The term ‘Integrated Cloud Email Security (ICES)’ was coined in the Gartner 2021 Market Guide for Email Security. ICES solutions were introduced as a new category, and positioned as the best defense against advanced phishing threats that evade traditional email security controls.   ICES solutions are cloud-based, and use APIs to detect anomalies in emails with advanced techniques such as natural language understanding (NLU), natural language processing (NLP) and image recognition. Using API access to the cloud email provider, these solutions have much faster deployment and time to value, analyzing email content without the need to change the Mail Exchange (MX) record. Taking it one step further, ICES solutions can also provide in-the-moment prompts that can help reinforce security awareness training (SAT), and are able to detect compromised internal accounts. In the report, Gartner reflected on the future of ICES solutions, suggesting that they would eventually render SEGs redundant: “Initially, these solutions are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.”

Gartner predicts that by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG)… But why? In short, legacy SEGs are no match for the cyber threats of tomorrow. Email is responsible for 96% of cybersecurity breaches, making it the greatest threat vector. In fact, in the 12 months between July 2020 and July 2021, Tessian detected 2 million malicious emails that had bypassed SEGs. So why are traditional SEGs not fit for today’s cybersecurity landscape?

Rule-based approaches don’t cut it SEGs were developed in 2004 with on-premise email servers in mind and use a rule-based approach to threat detection. They use deny lists, allow lists and signatures for message authentication to help stop attacks – with these lists created using threat intelligence. They are reactive by design, and protect email data against threats that are already known. This means that SEGs offer no protection against zero-day attacks (a significant and growing threat vector), and are easily evaded by attackers using advanced social engineering campaigns. SEGs also fail to detect business email compromise (BEC), account takeover (ATO) and advanced spear phishing attacks.

The migration to the cloud More and more, organizations are adopting SaaS offerings like Microsoft 365 – which have SEG capabilities natively included. This shift was well underway before the pandemic, but has since been accelerated with data suggesting that ICES solutions are here to stay and will displace SEGs from the cybersecurity stack.. The rise of offerings like Microsoft 365 and Google Workspace and the move away from SEGs comes as no surprise, with enhanced functionality at the platform level that can include: Blocking emails from known bad senders Scanning attachments with AV Blocking emails with known bad URLs Content analysis to identify SPAM Given these native SEG-like capabilities in cloud productivity suites, makes ICES solutions the perfect supplement to ensuring comprehensive email protection. ICES solutions are so effective because they  provide protection against many of the threats SEGs fail to detect – when used in combination with SaaS offerings like Microsoft 365.

What are the benefits of ICES solutions? ICES solutions offer more than just threat detection. Key features of ICES solutions  can include: BEC and ATO Attack detection using NLU, NLP, social graph analysis and image recognition Context-aware banners to warn users Phish Reporting Mail Security Orchestration, Automation and Response (MSOAR) capabilities to assist in automatic reclassification of emails and removal from inboxes

How to evaluate ICES vendors The number of  ICES solutions available on the market is continually growing. There are a few key things you should consider when evaluating which ICES solution to use. Taking a look at your current email security framework and comparing it to your end goal, the following elements should be analyzed: Time-to-value, return-on-investment time horizon Cost of effort to install and manage False positive rate ML- and AI-based technology to detect advanced social engineering attacks including BEC and ATO attacks Ability to analyze and map conversation history Computer vision to analyze suspicious data and links in emails User education controls to reinforce training, including context-aware banners and/or in-line prompts Ability to analyze emails prior to delivery to the end user API integration  of email events into Extended Detection and Response (XDR) or Security Information and Event Management/Security Orchestration, Automation and Response (SIEM/SOAR) solutions Still struggling to decide? Have a look at the 2021 Gartner Market Guide to Email Security, which contains further information on ICES vendors, including Tessian.

Why choose Tessian? Tessian was recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security.   What sets Tessian apart from other ICES solutions is its advanced email security and email data loss prevention (DLP) capability, including: Advanced Spear Phishing Protection Advanced Attachment and URL Protection   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover  Invoice Fraud Bulk Remediation Automated Quarantine  Threat Intelligence Tessian also offers protection against both malicious and accidental data loss, in-the-moment security awareness training for suspected phishing emails and in-the-moment security awareness notifications. 

To summarize, there are four key Tessian differentiators: Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite. Protection also includes class leading email DLP. Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness  Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements. Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI   To find out more about Tessian as an ICES solution, and the key findings listed in the 2021 Gartner® Market Guide for Email Security, click here. 

Most people – we hope – can smell a rat when supposedly African Royalty offers us several thousand dollars as a ‘gift’ to help them get money out of the country, but what about when a well known brand you love offers you free samples or invites you to enter a competition?    The recent Heineken Father’s Day beer contest on WhatsApp is just the latest in a long line of seasonal or topical attacks that are run almost like marketing campaigns. Like all phishing attempts there are a few common themes. One is a sense of urgency, in this case the fact that there are only a certain number of freebies available. There’s also nudging text like ‘don’t miss out’ ‘exclusive’ and ‘enter now’.

The Threat Actor’s Editorial Calendar   But what’s also interesting is that this attack came on Father’s Day, when a brand like Heineken might legitimately launch such a campaign and when people are thinking about last minute gifts for Dad – it feels legit because it plugs into where your employees’ heads are at. Heineken wasn’t the only ‘Dad brand’ that suffered a scam, UK hardware stores ScrewFix and B&Q also had exclusive Father’s Day competition prizes that were actually scams.    That topicality and seasonality is played out throughout the year, on national awareness days, public holidays and yearly events like tax deadlines and Black Friday. As one attendee at our October Human Layer Security Summit told us “in the Fall, someone is always going to click on FREE STARBUCKS PUMPKIN SPICED LATTE”. We’ve seen this in the world of entertainment too. In November 2021, fans were promised early access to the new season of Squid Games, only after filling in a short ‘survey document’.

Cost of Living Scams   Having targeted tech and finance brands for years, as well as logistics and delivery brands during the pandemic, it seems scammers are teeing up a summer of cyberattacks on consumer brands and retailers. The cost of living crisis, rising inflation and surge in food and energy costs now makes grocery stores, food companies and energy companies prime targets for scams. In June, we saw a scam featuring UK supermarket Tesco, with the promise of a £500 gift card.    In May the UK energy regulator, Ofgem, alerted consumers to a new energy rebate scam as energy prices soared. Meanwhile in the US fuel company Shell highlighted a gas card phishing scam involving their Fuel Rewards program. And with some US employers offering to pay towards employees’ gas costs, you can see why things are getting confusing. The brand and sector may change but the scam is always the same; the promise of something for free coupled with a sense of urgenc

Education and awareness These new threat vectors join the long queue of existing ones that your staff and organization are already vulnerable to. As we saw with Covid bad actors thrive in times of confusion and uncertainty. And after global pandemics, global economic turbulence and spiraling cost of living is the next theater on which bad actors like to strut their stuff. So what to do?      As Bobby Ford said at our Human Layer Security summit, the way you ‘crack the nut’ is putting a little piece of cybersecurity awareness in all your other programs, projects and meetings happening across your organization. That can be a quick update at the all-hands or creating material, updates and awareness within your team that you don’t just push out, but people actively come and seek out.    Work with your allies. Who else in the company can you form an alliance with? Perhaps you can bring in your internal comms or PR team’s experience? Getting the people team involved to make cybersecurity part of the onboarding process helps new joiners orient themselves before they touch your network.    Finally, the C-suite is critical to supporting any initiative you design, which matters because as Mike Privitte notes in this Linkedin post, “Phishing doesn’t have “work life balance.” Company executives and their families will only see increased attempts outside of the 9-5 space”.

Summary Tessian Threat Intel is issuing a threat advisory on cyber threat actors requesting payment from unsuspecting victims using fraudulent invoices issued via PayPal. We have alerted PayPal.   Overview Tessian Threat Intel analysts have observed scammers, on numerous occasions, sending emails with fake invoice payment requests. Historically many of these sorts of attempts would be detected by traditional spam filters and end up in the junk folder or in quarantine. This is due to the email senders being repeat offenders with the same template and text – easily detected as spam or malicious by rule based email security solutions.    Since early March 2022, Tessian identified ways in which threat actors have been adapting their techniques to reach victim’s inboxes by abusing the legitimate capability of sending invoices to 3rd parties using PayPal’s email-delivered invoicing services.    To be clear, this is not a vulnerability within PayPal. Nor is it an example of an account takeover (ATO).  Rather, threat actors are creating invoices in PayPal and then issuing them to victims through PayPal’s service.     Technically, an email  from PayPal would pass some of the most fundamental checks in email security like SPF, DMARC and DKIM. This would ensure with a high degree of probability that similar emails would avoid detection by rule based email security solutions, as well as giving an air of legitimacy to the email.    An email sent from a financial services provider like PayPal, would increase the probability of  the victim seeing and interacting with the email, including acquiescing to its demands for payment. 

Examples of fraudulent PayPal invoices   The screenshot below is a legitimate email from PayPal containing a fraudulent invoice. In this example, the attacker has created a paypal account with the profile name “bit-coins payments,” which is displayed as the sender display name.    The threat actor has then created an invoice using the invoicing service available in PayPal (see Fig 2), and has then sent it with a message added by the attacker for the recipient. Grammatical style errors can also be observed, similar to what we have seen in common   phishing emails.

The below screenshot shows the PayPal invoicing service.

In the example below, we can see the actual link addresses which would redirect the recipient to the PayPal generated invoice if clicked.

Technical breakdown of the message headers As you can see below, both SPF and SKIM are a pass, and the sender IP ties back to PayPal directly. This sort of email has a high probability of passing rule based email security solutions and being delivered into a victim’s inbox.   Authentication-Results: spf=pass (sender IP is 173.0.84.227)  smtp.mailfrom=paypal.com; dkim=pass (signature was verified)  header.d=paypal.com;dmarc=pass action=none  header.from=paypal.com;compauth=pass reason=100 Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates  173.0.84.227 as permitted sender) receiver=protection.outlook.com;  client-ip=173.0.84.227; helo=mx2.slc.paypal.com;

Threat Mitigation Steps   Once PayPal was informed, Tessian found that the invoice was taken offline and no longer accessible. Thank you PayPal for your quick engagement.   In order to not fall victim to similar types of email-delivered invoice fraud we recommend:   Be careful of unsolicited emails, especially those containing requests for payment or including links to invoices. Always verifying the authenticity of an invoice with the actual purchase order.  If necessary, contact PayPal or any vendor requesting payment via independent method i.e. telephone to verify the authenticity of the request. Have a failsafe system in place in your accounting department that requires two members of staff to verify the authenticity of invoices matched against purchase orders. Adopt intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated email-delivered invoice and wire fraud.

To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

The subject of prioritizing cybersecurity spending often arises in periods of economic uncertainty. As most security professionals will admit, the challenge of security budget justification is challenging in many organizations, regardless of the economic cycle. But in a recession, the challenge of cybersecurity budget allocation and spending can be compounded because, too often, cybersecurity is viewed as an auxiliary and non-critical IT program.   This blog sets out some core tenets essential for building a recession proof cybersecurity program. Spoiler: Building a resilient cybersecurity program starts with a mind shift

Cultivating a positive organizational cybersecurity culture   Many security leaders struggle to make the case for cybersecurity spending allocation, regardless of the economic environment. This is due to an out of touch mindset, with certain leaders failing to understand the importance of cybersecurity to their company’s overall business operations and objectives.     This poorly informed view was evidenced in a recent survey conducted by Tessian, with only 58% of employees thinking that senior executives at their company value cybersecurity. This explains why 1 in 3 employees don’t understand the value of cybersecurity, and why 30% of employees believe they play no role in cybersecurity threat prevention.   The mixed attitude towards cybersecurity could also explain why security leaders often find it challenging to justify cybersecurity program spend, which can become even more challenging in an economic downturn. The tide is slowly starting to turn, due in a large part to increasing cybersecurity risk and the catastrophic fallout associated with breaches, which can result in business failure.    Beyond an organization’s self-interest to keep their information systems and data secure, investors are starting to exert pressure on their portfolio companies to maintain an industry baseline of cybersecurity protection. Evidence of this shift in attitudes is reflected in the fact that environmental, social and governance (ESG) reporting now includes an assessment of an organization’s cybersecurity program and defenses.   It needn’t break the bank. Developing a positive cybersecurity culture in an organization is something that can be achieved on a relatively low cost basis. The key elements to achieve this include clear communication from the executive leadership on the importance of maintaining good cybersecurity hygiene. Creating a positive employee experience in relation to cybersecurity is essential. This entails developing engaging and context-based security awareness training programs that drive cybersecurity awareness – empowering employees to become part of the cyber defense.   

Using open source resources and frameworks to build cybersecurity resilience   While there is no singular approach to building out a cybersecurity program, there are a trove of freely available resources and best practice guides to assist with building information governance systems and cybersecurity programs. View cybersecurity program development as a work in progress. Many unique factors and characterics will come into play in shaping your cybersecurity program development.   By establishing a dedicated team to tackle enterprise security architecture and using well established enterprise architecture frameworks such as COBIT and TOGAF,  in conjunction with cybersecurity frameworks such as NIST Cybersecurity Framework, ISO 27001/02 and the CIS Critical Controls, organizations can start putting the building blocks in place for developing well-integrated and robust information governance systems.    Enterprise architecture frameworks such as COBIT are useful to build an information governance system that proactively identifies areas of risk or IT capabilities that need improvement to ensure that business objectives are achieved.

Ensuring compliance with industry and geo-specific regulations   Cyber risk is increasing year-over-year. In the latest FBI IC3 report, Business Email Compromise (BEC) fraud related losses increased by 65% globally in the period 2019 to December 2021. In the latest Verizon DBIR, ransomware attacks increased by 13% year-over-year, representing the largest increase in over 5 years.   Prioritize your cybersecurity technology budget from the assumption that there is a very strong likelihood that you will at some point suffer a breach. On this basis, focus on the fundamental threat vectors relative to your accepted risk threshold.    In US states such as California and many jurisdictions around the world, regulatory authorities are establishing minimum levels of cybersecurity preparedness that need to be met to ensure compliance.    The California Attorney General under the California Consumer Privacy Act (CCPA), has for instance established the requirement that businesses over a certain revenue threshold have to have a reasonable level of security in place. Reasonable security according to the CCPA is defined as having the CIS Controls implemented.   In the EU’s General Data Protection Regulation (GDPR), key stipulations include having data privacy and data security safeguards in place to ensure the confidentiality, integrity and availability of information processing systems and services. Other security controls include having the ability to restore availability and access to personal data, as well as having a process in place to regularly test, assess and evaluate the effectiveness of technical and organizational measures that ensure the security of data.  

Going beyond the minimum   Threat actors are continuously advancing their abilities. This is why cybersecurity and business leaders cannot afford to rest. Continuously testing your cybersecurity defenses through regular audits and penetration testing will help you identify areas for improvement. This includes practicing incident response and business continuity preparedness.   Cybersecurity is not a tick box compliance exercise.   Cybersecurity is everyone’s responsibility. Many of the core components that encompass a cybersecurity program do not require significant budget, but rather effective leadership, time and effort. Most importantly it requires adopting a mindset that recognizes the importance of being cyber resilient as essential to the organization’s overall success.

To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Verizon just released its annual Data Breach Investigation Report for 2022. Some highlights include the most targeted industries, the role of human error, insight on social engineering and the devastating impact that insider risk poses to your organization. The report also reveals email as a significant attack vector, and the preferred method for delivering malicious payloads. Ransomware is becoming a protracted security challenge, so too is the role of supply chains and the risk posed by misconfiguration.   Keep reading for key findings from the report.

Industries and attacks vectors   Top 3 industry verticals that suffered a breach. Finance, Professional Services and Healthcare suffered the highest proportion of breaches for the year.   Human error remains a significant breach risk factor. 82% of breaches involved the human element – either due to compromised credentials, phishing, misuse or error.   Securing end-users and systems should be prioritized equally. The 4 main paths to a breach include:   Credential compromise Phishing Exploiting vulnerabilities Botnets Top 2 targeted IT assets. Web applications (56% of breaches) and mail servers (28%) are the two most targeted IT assets by threat actors.

Social engineering, insider risk and attack motivations   Social engineering attacks are growing in complexity. Phishing (+60%) remains the dominant method for executing social engineering attacks, followed by the use of stolen credentials (+30%) and pretexting (27%).   Protecting against threat actors is a complex challenge. External threat actors account for 80% of breaches, and insiders 20%.   Insider breaches are the most devastating from a records exposure perspective. Insider breaches result in 10:1 more compromised records being exposed than external breaches do.   Money heist. Financial or personal gain is the key motive for over 80% of external threat actors.

Email is a significant attack vector   Email is the most preferred channel for threat actors. Email remains the #1 delivery mechanism for malware, including ransomware.   Email attracts the greatest investment in the attacker value chain. Email development, email addresses and email distribution see the highest share of investment from threat actors for carrying out a breach.   Office docs are the preferred trojan horse. Office docs are the preferred file for delivering malicious payloads, usually delivered via email.   BEC attacks come in different flavors. Phishing was responsible for 41% of BEC attacks, while credential theft was responsible for 43%. And pretexting, a component of phishing, is becoming increasingly prominent, responsible for 27% of social engineering breaches.   Don’t take solace in low phish rates. Even low phish rates of less than 3% can have devastating impacts on large organizations in terms of total records compromised.

Additional key findings   Ransomware attacks are trending in the wrong direction. The scourge of ransomware is accelerating at an unprecedented pace, up 13% YoY, representing the equivalent annual increase of the past 5 years combined.   The integrity of supply chains is in sharp focus. Supply chains are responsible for 62% of system intrusions.   As IT complexity increases so too does misconfiguration risk.  In a cloud based world, misconfiguration remains a mainstay vulnerability, responsible for 13% of breaches.

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Over the last decade, phishing – a type of social engineering attack – has transformed from something more like spam to the threat most likely to cause a breach. During that same period, the number of adults on social media platforms like Facebook increased by almost 1,300%.   Every photo we post, status we update, person we tag, and place we check into reveals valuable information about our personal and professional lives. And hackers use this information to craft targeted – and effective – attacks at scale.

How big are our digital footprints?    Our digital footprints are bigger than ever. There are over: 2,701,000,000 users on Facebook 1,158,000,000 users on Instagram 722,000,000 users on LinkedIn 353,000,000 users on Twitter And it shouldn’t surprise you that, according to research, 90% of people post information related to their personal and professional lives online. This number is even higher among 18-34 year olds. And, across LinkedIn, Instagram, and Facebook, 55% of people have publicly visible accounts.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

When an account is public, anyone can see the information you post online, whether it’s a photo of your boarding pass, or a birthday shout-out to a colleague. Harmless, right? Unfortunately not.   This information is gold dust to hackers and makes reconnaissance impossibly easy.    Take the former Australian Prime Minister, Tony Abbott. He posted a picture of his boarding pass on Instagram. From the booking reference, hackers found his passport number and phone number – information that could have helped them gain access to other accounts, including sensitive personal and government information.   It didn’t take much work. According to an ethical hacker we spoke to, “Anyone who saw that Instagram post could also have [his passport number and phone number].”   Mr. Abbott isn’t the only person who posts this kind of information online…

32% of employees post business travel photos and updates. Nearly 72% mention birthday celebrations. 36% share information about their jobs. And don’t forget about all the information we share about our pets, partners, and children.     Hackers use all of it. Yep, even that photo of your pup.    How do bad actors use this information?   To understand exactly how hackers leverage all of this information, we have to look at a social engineering attack from start to finish.   First, a hacker identifies a target organization.    Depending on their motivations, they could choose an asset management firm with hopes of initiating a wire transfer or a pharmaceutical company with hopes of getting their hands on R&D. From there, they’ll research supply chains and vendors, study company org. charts, map employee relationships, and monitor individual behavior. And, by running scripts, they can do this automatically and at scale.     Why do all this reconnaissance? To pinpoint potential entry points, identify viable third-parties to impersonate, and to collect information (however subtle) that’ll help them nudge their targets towards unconscious (and conscious) confirmation and – eventually – trust and compliance. 

While behavior varies by region, most of us eagerly announce when we start a new job. In the US, almost everyone does – with 93% of employees in the US saying they update their job status on social media.   We share press releases about new clients and mergers and acquisitions. We post photos of our employee IDs and screenshots of Zoom calls. We tag our colleagues and customers in our updates and comment on theirs. We share all of this information regularly.    Almost half (43%) of us post every day, giving hackers up-to-date intelligence about where we’re working, who we’re working with, and what we’re working on.   Passwords play a role, too   When it comes to Business Email Compromise, information related to your professional life is important. But your personal information can be just as valuable.   Hackers can use information about your pets, partner, children, and even your interests to crack passwords and answer security questions, giving them full access to personal and work accounts, including password managers and even your email.    Don’t believe us? 21% of people use information like their favorite football team, their pet’s name, or birthdays when creating passwords and some of the most common security questions include: What is your mother’s maiden name? What was your first car? What elementary school did you attend? What year were you married?    This is all readily available online. 34% of people share the names of their pets, 34% mention their children/partner, and 40% share information about their interests.     People may even unwittingly share this information via gimmicks or memes that make their rounds on social media. For example, “name generators” that ask you to combine your pet’s name with your childhood street address. Sound familiar?

An example of a social engineering attack leveraging social media In this example of a social engineering attack, hackers use an OOO message and other publicly available information to initiate a wire transfer.   Type of Attack: CEO/CXO Fraud Industry: Financial Services Hacker Motivation: (Quick) Financial Gain

The hacker group monitors news wires for up-to-date information about banks in the United States to find their target, an asset management firm called SoBank.  They see that the company’s CFO – Andrew Neal – is OOO at a conference. Thanks to his OOO message, they’re able to identify their target, Tristan Porter. They also learn that Andrew goes by “Andy” at work. The hacker group sends a fabricated email chain that appears to be between Andy and Gregory Ellwood, Senior Partner at Dorling Clayton – SoBank’s advising firm – urging Tristan to make a wire transfer.

Cybersecurity best practice   Want to better manage your digital footprint and avoid being targeted by (and falling for) a social engineering attack?   Here’s a list of do’s and don’ts.

Phishing awareness training is an essential part of any cybersecurity strategy. But is it enough on its own? This article will look at the pros and cons of phishing awareness training—and consider how you can make your security program more effective.

✅ Pros of phishing awareness training   Employees learn how to spot phishing attacks   While people working in security, IT, or compliance are all too familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms, let alone know how to identify them.   But, by showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack.     Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why the email is suspicious.    It’s a good chance to remind employees of existing policies and procedures   Enabling employees to identify phishing attacks is important. But you have to make sure they know what to do if and when they receive one, too. Training is the perfect opportunity to remind employees of existing policies and procedures. For example, who to report attacks to within the security or IT team.   Training should also reinforce the importance of other policies, specifically around creating strong passwords, storing them safely, and updating them frequently. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.    Security leaders can identify particularly risky and at-risk employees   By getting teams across departments together for training sessions and phishing simulations, security leaders will get a birds’ eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new-starters struggling to pass post-training assessments?    These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and can help pinpoint gaps in the overall security strategy.

Training satisfies compliance standards   While you can read more about various compliance standards – including GDPR, CCPA, HIPAA, and GLBA – on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices.   What are “proper data security practices?” This criterion has – for the most part – not been formally defined. But, phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.     It helps organizations foster a strong security culture   In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But, it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective.    That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement.   You can read more about creating a positive security culture on our blog.

❌ Cons of phishing awareness training   Training alone can’t prevent human error   People make mistakes. Even if you hold a three-hour-long cybersecurity training session every day of the week, you’ll never be able to eliminate the possibility of human error. Don’t believe us? Take it from the U.K.’s National Cyber Security Centre (NCSC) “Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.”   That’s right, even the U.K.’s top cybersecurity experts can’t always spot a phishing scam. Social engineering incidents—attacks that play on people’s emotions and undermine their trust—are becoming increasingly sophisticated.   For example, using Account Takeover techniques, cybercriminals can hack your vendors’ email accounts and intercept email conversations with your employees. The signs of an account take-over attack, such as minor changes in the sender’s writing style, are imperceptible to humans.   Phishing awareness training is always one step behind   Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months may not be today. In the last year, we’ve seen bad actors leverage COVID-19, Tax Day, furlough schemes, unemployment checks, and the vaccine roll-out to trick unsuspecting targets.   What could be next?   Training is expensive   According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost.   Needless to say, the cost of training and simulation software varies vendor-by-vendor. But, the solution itself is far from the only cost to consider. What about lost productivity?   Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.   While – yes – a successful attack would cost more, we can’t forget that training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)

Phishing awareness training isn’t targeted (or engaging) enough   Going back to what Mark Logsdon said: Training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization – whether it’s 20 people or 20,0000 – and expect it to stick. It has to be targeted based on age, department, and tech-literacy. Age is especially important.   According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged between 18-40 years old. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was.   !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");   Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help.

Should I create a phishing awareness training program? The short answer: “Yes”. These programs can help teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack. But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in.   How does Tessian detect and prevent targeted phishing attacks?   Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t.   By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise.   Once detected, real-time warnings are triggered and explain exactly why the email was flagged, including specific information from the email. Best of all? These warnings are written in plain, easy-to-understand language.

These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time.  To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.   Not ready for a demo? Sign-up for our weekly blog digest to get more cybersecurity content, straight to your inbox.  Just fill out the form below.

Tessian, an intelligent cloud email security solution for the enterprise, prevents advanced email threats and protects against data loss. With email responsible for up to 90% of all breaches, rule based security solutions like Secure Email Gateways (SEGs) no longer cut it. This explains why 58% of cybersecurity leaders are actively looking to displace SEGs for the next generation of email security. Next gen solutions like Tessian ensure significantly improved threat detection and prevention capabilities thanks to machine learning and behavioral user intelligence, and offer a simplified approach to solution integration and management.

Removing the pain from security management Tessian’s API integration into both Microsoft 365 and Google Workspace cloud email environments enables deployment in seconds, and provides unparalleled protection within hours. No manual updates, complex mail rerouting, or MX record re-configuration is needed. And, when customers integrate Tessian’s security event feed with other solutions, they’re able to streamline processes and workflows and get a more contextualized and complete risk profile of their environment, down to the employee level. To help you better understand the value of Tessian with products like Splunk, Okta, and KnowBe4, let’s explore real use cases from our customers. 

Tessian + Splunk Customer: Financial Services Employees: 7,000 Tessian Products Deployed:  Enforcer and Guardian  Use case:  For one of our financial services customers, the integration of Tessian with Splunk has been essential in addressing insider threats and preventing data loss. The client ingests, triages and remediates Tessian’s alerts in its SOC which runs on Splunk. By sending data to Splunk, the SOC is empowered to create dashboards for the key security events that they care about, for example users with the most flags, or top recipients of flagged emails. This data can be combined with metrics from other cybersecurity tools in the environment to form a more comprehensive risk profile. For example, correlating the data from Tessian with endpoint security alerts enabled the client to get a deeper level of risk understanding viewed from a single pane of glass. From here the client is able to create workflows through ServiceNow, which allows streamlining of Tessian’s security feeds into existing security workflows. Some of the key benefits of Tessian and Splunk integration include: Setting up custom alerts Triaging security events Identifying risky users Easy reporting of risk to the risk committee

Tessian + Sumo Logic Customer: Financial Services Employees: 3,100 Tessian Products Deployed:  Defender, Enforcer, and Guardian Use Case: Sumo Logic is a central source for log analysis and is often a starting point for remediation workflows. Tessian has a native app built to Sumo Logic’s Modern Enterprise Security Architecture (MESA). With this native app, Sumo Logic users can ingest Tessian alerts and correlate them with other events.  One of our financial services clients uses Sumo Logic for log correlation and analysis. By feeding logs and alerts into Sumo Logic, enables the client to quickly identify spikes in anomalous email activity, for example:  misdirected email (Guardian), unauthorized email (Enforcer) and phishing emails (Defender).  Once a verdict has been delivered on an email, the SecOps team is in a position to take mitigating actions. 

Tessian + Okta  Customer: Financial Services Employees: 1, 200 Tessian Products Deployed: Defender, Enforcer, and Guardian  Use case:  The Tessian integration with Okta enables clients to use Okta’s Universal Directory to set specific email security policies for user groups based on risk. For example, one client in financial services leverages the integration to enforce more stringent email security rules for the finance department – responsible for sending and receiving sensitive financial data.  Tessian is leveraged to target these specific user groups with email security policies that ensure safe email behavior and prevents email related data loss.  The integration with Okta enables greater security flexibility for user groups, rather than a standard one-size fits all approach to security policy orchestration.

Tessian + CrowdStrike + Netskope Customer: Healthcare Employees: 16,500 Tessian Products Deployed: Defender, Enforcer, and Guardian  Use case: A growing number of Tessian clients, such as one in healthcare, is using Tessian as an integral security pillar to keep their enterprise safe from external and insider threats, particularly concerning data loss. Tessian is seen as one of core security pillars keeping employees and the email ecosystem safe. Other key security pillars and best-in-breed solutions include CrowdStrike for endpoint and Netskope for cloud security – deployed alongside Tessian.  By leveraging Tessian in combination with these tools enables a defense in depth approach, giving security practitioners peace of mind that they have the best tools in place to keep their employees and their data safe.

Tessian + KnowBe4 Customer: Pharmaceuticals Employees: 650 Tessian Products Deployed: Defender Use case: The Tessian integration with Knowbe4 gives organizations more visibility into phishing risk by identifying the employees who are most likely to fall for phishing attacks. Tessian ingests KnowBe4’s Phish Prone Score and combines it with our own Risk Score, presenting a more comprehensive risk profile for each employee. This way, security teams can customize security policies and training programs for more targeted and engaging security awareness for specific employees rather than a blanketed approach – that often lacks context.  After deploying Tessian to bolster KnowBe4, one pharmaceutical company saw click through rate drop significantly from 20% to below the industry benchmark of 3%. Another Tessian client in the financial services sector summed up the value of the Tessian and KnowBe4 integration:

Click here to book a demo of our market leading cloud email security and DLP platform.

Many organizations spend significant time and effort on counter-phishing programs and training. The emphasis of these mitigation is always preventing the click; how to see it, how to stop it, and how to report it in a timely manner.   Rarely though, does anyone ask why the end user clicks on a malicious email. There’s a variety of psychological triggers that prompt a bad outcome of clicking on malspam, but an interesting one is that you might have trained them to do it.

And if you think email is dead, think again. A 2019 study by Adobe Analytics found US-based workers spend an average of 3 hours a day managing work email. Practically speaking, no one can directly engage with that much email using 100% of their critical thinking capacity.     As a result, users tend to rely on heuristics to manage the cognitive load, such as rules sorting content into different folders, only reading subject lines, or sometimes ignoring some types of messages altogether.   In somewhat of an escalating arms race for attention, corporate comms teams can often add things like “ACTION REQUIRED”, “URGENT”, highlight portions of text, or load up the email with HTML and various trackers. Many people view those sorts of messages as just petty annoyances, but let’s take a look at some actual phishes to see why they might actually be dangerous.

As we can see, two scammers attempting to impersonate Tessian executives rely very heavily on a sense of urgency to short circuit critical thinking skills that would easily catch out these phishes.     While on their own they’re not very sophisticated at all, when sent to an organization that bombards their users with urgent action required emails, the environment has already trained the users to look out for and at least open such messages.  As a result, false urgency is very frequently found in almost any malicious email. Let’s look at how formatting can abuse user trust as well.

This looks pretty good for the average phish, but we can mark it as malicious due to poor language skills alone. However, IT teams will commonly use formatting very similar to this to announce server upgrades and request user action.     Organizations will hide links behind buttons to be “friendly’, use red text to highlight a tl;dr, or use bolding liberally to draw the eye. While a deep read will reveal the above phish as fraudulent fairly easily, a user inundated with email is not going to deep read anything – especially if their IT team uses similar formatting on a regular basis.

A positive counterexample   Microsoft, once renowned for the most inscrutable error messages of all time in earlier versions of Windows (see above), has been putting increasing thought into how to communicate in effective ways with the end user. Let’s see how they communicate that a user’s operating system is at end of life for support.    

This can serve as a reasonable guide to how to communicate facts to the end user and request an action be taken. The negative outcome is centered, at the top, and large enough to be read first, but without any highlights or red text to suggest undue urgency.     Consequences of this outcome are listed clearly in idiomatically correct and simple English.  Lastly, the recommended action (clicking to be guided to an upgrade page) is gently highlighted but not required, and other options are presented to the user to avoid any pressure for a particular action.    Going against the grain of most corporate communications that tend to be quite directive, Microsoft is presenting simple facts in a clean, unhurried way, and providing options for action at the end user’s preferred pace.     Taking design cues from this error message can prompt a harried employee relying on heuristics rather than close reading to slow down and only take action when they have the resources to do so in a considered manner.  

Lessons learned   Sending messages to your employees that share design cues with phishes is not a great security outcome.  So how do we do better?  Comprehensive phishing solutions can catch a lot of nastiness on the front end and keep it out of the inbox.  But empowering users to spot and flag malicious content on their own can be a great adjunct strategy to catch threats that never make it to security staff.  We can help them do that by taking a deep look at what sort of information handling environment the user lives in and designing communication that makes full use of critical thinking easier rather than harder.  The above attacks were all caught via Tessian’s Defender module, with end user warnings like the one here.  Breaking up the user’s typical email experience and providing clear, simple information necessary to make a good judgment on the emails’ authenticity.    In these instances, augmenting technical controls by giving the user timely guidance helped us enable good outcomes for the attacks.  As with most email attacks, focusing on human factors has been a very effective force multiplier in keeping the organization safe.

Cybercrime is big business. But just how big? Well, big. A recent report from Cybercrime Magazine predicted cybercrime would cost the world $10.5 trillion annually by 2025. Bear in mind that estimates in 2020 were just over half that, at $6 trillion, and up from $2.9 trillion in 2015. So ,why is there a cybercriminal gold rush? And why are attacks getting increasingly more sophisticated, more numerous, and more successful?

Legacy solutions are no match for today’s attacks   As we noted in our recent Spear Phishing Threat Landscape Report, attacks are getting more sophisticated and are bypassing traditional defense systems like rule-based Secure Email Gateways (SEGs). We know this because we examined platform data and found that between July 2020 and July 2021, Tessian scanned nearly 4 billion emails and flagged nearly 2 million as malicious. These emails sailed right past our customers’ Secure Email Gateways (SEGs) and native tools and would have left employees as the last line of defense if it wasn’t for Tessian. Not only that, attacks are getting more frequent. Cybersecurity Magazine estimated a new ransomware attack hits every 11 seconds.    Oftentimes, big problems (like paying out millions for a ransom) can be traced back to small oversights. Like not using Multi-Factor Authentication (MFA). This is particularly common in mid-market SMEs, despite the fact that Microsoft Research found that MFA blocks 99.9% of all automated attacks. As Dave Kennedy, Founder of TrustedSec said at our Spring 2022 Human Layer Security Summit, just 22% of O365 users have MFA enabled. And so attackers can target these firms much more easily. SMEs also have smaller budgets and headcount allocated to cyber compared to the enterprise. The result: 60% of SMEs file for bankruptcy within six months of a breach. 

https://www.tessian.com/wp-content/uploads/2022/04/MFA-quote-Dave-Kennedy-Trusted-Sec.m4v

Email is inherently flawed   If someone broke into your office, chances are you’d know about it quickly and do something about it. Unfortunately, the same doesn’t apply to many organizations’ networks and inboxes. From a simple way of sending asynchronous ASCII messages between user accounts on an academic network in the 1970s, email has grown into a world-devouring beast that is the very backbone of commerce and information exchange. Over 7 billion users globally send and receive 333.2 billion emails a day. Such a vast user base means email is the number one threat vector. 

After all, for many, moving data via email IS their job. What’s more, email is on all our devices: desktops, tablets, and phones. But as Will Patterson, Enterprise Customer Success Lead, notes in this webinar, email has some inherent problems when it comes to security. Firstly, it’s open (in that you can email anyone) and secondly, email attacks are cheap to deploy; they’re effective and can be launched from anywhere. A big audience and low entry bar make it the ideal medium in which to conduct attacks.   It’s no wonder 90% of phishing occurs via email.

Cybercrime pays out – big time   Cybercriminals continue to attack because those attacks continue to be successful, netting potentially hundreds of thousands of dollars from companies for little effort and risk (compared with other types of crime).    The international nature of cybercrime adds another layer of complexity and helps shield attackers from law enforcement. According to the FBI, in 2021, BEC scammers made over $2.4 billion – far more than via any other type of cybercrime. Of course, the cost to the company isn’t just these initial losses, it’s the further costs of containing, reporting, and remediating the breach. IBM currently puts the cost to businesses at $4.24 million per breach. 

It’s faster, easier, and cheaper than ever to execute attacks   With such a big potential target group, attackers are using automation and off-the-shelf tools to not only launch attacks but process the data they exfiltrate in the process. And as James McQuiggan, Security Awareness Advocate at KnowBe4, said at our Fall Human Layer Security Summit, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. So if criminals are automating many of their repetitive processes, you should too.   Not only that, but it’s also easier and cheaper than ever to execute attacks, and technical skills are no longer required. There are numerous tools, platforms, and services that make executing attacks as easy as building a webpage. The following open-source intelligence (OSINT) apps and tools can be used to gather precise information about a person’s social media details, location, and their work email address, making it impossibly easy to identify and manipulate a target.  

Security teams are burned out   Against this cybercrime tsunami stands the CISO and the company’s security team, and the daily battle to keep employees and the organization safe. That’s taking its toll on security teams, who are often stressed and burned out. Our Lost Hours Report found CISOs regularly working extra hours and overtime to keep the company secure from threats.    The CISOs we surveyed worked, on average, 11 hours more than they’re contracted to each week. Nearly 1 in 10 work 20-24 hours more a week. What’s eating up that time is dealing with potential breaches. A quarter of respondents say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day.    A global study by The Ponemon Institute found that the average amount of time required to identify a data breach is 197 days. that’s over six months. It then takes another 69 days on average to contain and deal with the fallout of that breach. Better alerts and warning systems, as well as swift procedures in place to respond to them, are a must. Over six months is more than enough time to wreak havoc in a network. In medicine, there’s the concept of ‘the golden hour’, security needs to aim for a golden 24 hours because the faster an organization can respond the better and faster its recovery will be. 

Employees are busy, stressed, and distracted   The modern workplace is a fuzzy blend of devices (laptop/phone) and locations (home/office/coffee shop etc) with people constantly switching between them trying to juggle, on average, around 100 emails a day. You can see why our Psychology of Human Error report found that 26% of people fell for a phishing email at work in the last 12 months alone. People are maxed out trying to do their jobs, and it’s exactly this pressure that attackers are looking to exploit and manipulate, which underscores the important of building a positive security culture alongside HR.   So, as cybercrime is becoming more and more profitable, here’s what you need to do to strengthen your security stack and keep your people and organization safe:   Layer up your security stack with Integrated Cloud Email Security (ICES) to augment your SEG Implement better email monitoring Automate repetitive security tasks Improve your response time and processes Work with the people team on fostering a positive security culture and engaging security awareness training programs And don’t forget to switch on MFA ASAP!