New research from Tessian reveals just how deep The Great Resignation is, and how it’s continuing to increase work for security teams.   The Great Resignation of 2021 continues well into 2022, with record high numbers of people quitting their jobs and seeking opportunities for better positions, better pay, better work/life balance and even exploring a career in a completely new industry.   According to our latest survey of 2,000 employees in UK and US businesses, 55% are considering leaving their current employer this year, with two in five (39%) workers currently working their notice or actively looking for a new job in the next six months.    HR departments are under pressure to retain employees and replace the talent they lost. But they’re not the only team feeling the strain.    Our survey also revealed that 71% of IT decision makers in US and UK organizations told us the Great Resignation has increased security risks in their company. What’s more, 45% of IT leaders say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs.    They’re not wrong. One in three (29%) UK and US employees admitted to having taken data with them when they quit. The figures were much higher in the US, with two fifths of US employees (40%) saying they’d taken data with them when they left their job.

Which employees are taking the data?   We see noticeable differences in behaviors across various departments. Employees in marketing were the most likely to data with them when they leave, with a staggering 63% of respondents in this department admitting to doing so. Employees in HR (37%) and IT (37%) followed.    Interestingly, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal. With employees in these departments having to comply with strict data regulations on a daily basis, the findings suggest that this impacts their data sharing behaviors and the security cultures in these departments. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job.

Why do employees take data with them?  The majority of employees are not taking data for malicious purposes. The most common reason for taking data, cited by 58% of respondents, was because the information would help them in their new job. In addition, 53% believe that because they worked on the document, it belongs to them.    A significant percentage of employees (44%) said they took the information to share with their new employer, while 40% said they intended to make money from the information.

The consequences of doing nothing   With 70% of US employees and 40% of UK employees thinking about leaving their employer this year, the pressure is on to protect the organization from insider risk.    Even if a company experiences one data exfiltration attack, the consequences can be huge. There’s a lot at stake when it comes to the data in your company’s control, particularly when you consider that the average cost of a data breach now stands at $4.24 million.    What are the causes of these phenomenal costs? Here are three factors:   Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is expensive —not to mention the thousands of hours that can be lost trying to determine the cause.  Lawsuits: Many companies face enormous lawsuits for losing customer data.  Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.

What can IT and security leaders do to minimize the risk of data exfiltration during the Great Resignation period?   Taking data when leaving an organization has become one of those culturally-accepted things that people feel they can get away with. Let’s be clear, though, this is not a reason to blame and shame employees for their actions.    Rather this is an opportunity to see how we got to this point, assess where there are gaps in our data protection policies, and determine whether policies and guidelines are being communicated effectively to employees – both company-wide and in specific departments.    By defining and communicating the company’s expectations around data sharing and data handling in the organization, and training employees on safe cybersecurity practices, security leaders can start to build stronger security cultures that reduce insider risk.   As well as greater education and training, IT and security teams also need to ensure they have visibility of the risk across all channels, particularly email. A quarter of IT leaders we surveyed said they do not have visibility into incidents of data exfiltration, and this is an important first step.    The Great Resignation shows no sign of slowing down, and people will continue to move around looking for new opportunities throughout 2022. But this is also an opportunity for IT and security teams to build a more robust data loss prevention strategy, streamline defenses against insider risk, and put a safety net in place to stop the company’s most valuable and sensitive data from falling into the wrong hands.    How does Tessian prevent data exfiltration attempts?   Prevent unauthorized emails  Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email. Learn more   Deeply understand your risk Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltrations attempts.  Learn more   In-the-moment educational warnings Tessian warnings act as in-the-moment training for employees, continuously educating them about treats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time. Learn more

The future and nature of work is changing. So here’s all you need to know about how to keep your people secure in the ‘new normal’.

Remote working, hybrid working, anywhere-working, flexible-working, 4-day-week working, and everything in between – if the pandemic has done one thing, it seems to have destroyed nine-to-five in the office.   Saying so long to the stationary cupboard and “auf wiedersehen” to the water cooler might have been great for staff, but presented a serious challenge for security leaders back in 2020. And while, way back then, many thought the situation was temporary – a few months at most – and would be mitigated by vaccines, that clearly hasn’t been the case   Indeed Forrester’s Predictions 2022 anticipates the following set up:   10% of firms will shift to a fully remote model 🏡 30% will go back to a fully in-office model 🏢 The remaining 60% of firms will shift to a hybrid model 🏡 + 🏢   Those that insist on a fully in-office model, will find that employees simply won’t have it. Attrition at these firms will rise above their industry averages — monthly quit rates will rise to as high as 2.5% for as much of 2022 as needed until executives feel the pain and finally commit to making hybrid work … work.   Our own research bore this out too.    According to our Securing the Future of Hybrid Working report , just 11% of employees said they’d want to work exclusively in the office post-pandemic, with the average employee wanting to work from home at least two days a week. And, over a third of people said they wouldn’t even consider working for a company if it didn’t offer remote working in the future. That represents a lot of employee churn and HR headaches for you and your security team, which we’ll explore shortly. But first, given we are in security, let’s recap the current risks.

What are the security risks with remote working? The majority of IT leaders we surveyed believe permanent remote or hybrid work will put more pressure on their teams, while over a third (34%) were worried about their team becoming stretched too far in terms of time and resources.     While hybrid or flexi-working is great for employees, it’s the worst of both worlds for IT teams who have to simultaneously manage and mitigate security risks that occur in and out of the office, while providing a seamless experience that enables employees to work from anywhere. So if that’s the environment you’re having to work in, what are the risks?

Unsurprisingly, topping the charts is the classic phishing attack. 82% of IT leaders we surveyed believed employees are at greater risk of phishing attacks when working remotely. The pandemic saw a surge in these, with CISA specifically warning of attacks targeting remote workers back in Jan 2021.   Those threats haven’t gone anywhere in the meantime. Indeed, they’ve only increased with our reliance on delivery companies for shopping. But brand impersonations have expanded beyond the usual logistics and utility companies to software providers like Microsoft, Adobe and Zoom.

There’s a strong probability that, as we move forward in this new hybrid environment, remote work blindspots will be exploited.    This begs the question: How do you ensure people’s home networks are secure? There’s also concerns around liability. If company A faces a ransomware attack, it spreads to an employee, their home network, and then their partner’s company device to infect Company B…. Is Company A now liable for the losses Company B suffers?

This scenario is only exacerbated by having a Bring Your Own Device policy. Of course the benefits of BYOD are lower costs, increased flexibility for staff and a more productive workforce. But there are downsides around physical and network security.    An August 2021 survey conducted by Palo Alto Networks found that 83% of companies with relaxed bring-your-own-device (BYOD) usage led to increased security issues. We explore those for both security teams and workers themselves in this post.

How new habits become bad habits  That same Palo Alto survey also found that 35% of companies reported that their employees either circumvented or disabled remote security measures.  Our State of Data Loss Prevention report backs this up with the following alarming stats.   48% of employees say they’re less likely to follow safe data practices when working from home.    84% of IT leaders report DLP is more challenging when their workforce is working remotely.   52% of employees feel they can get away with riskier behavior when working outside of the office.   When asked why they were less likely to follow safe data practices when working from home, employees cited not working on their usual devices (50%) and being distracted (47%) as two of the top three reasons.    We’ve listed the 13 worst cybersecurity sins below. So take a moment to see if people in your organization are making these security errors. 

Evaluate and evolve your current process So, we’ve understood the risks, and are aware of some less-than-perfect security habits. Now we need to examine our processes. You’ve probably implemented some form of remote security processes since the start of the pandemic. But you should always be looking to evolve it to stay on top of your game and in light of new threats and changing circumstances.   Education in security has a huge part to play in making people aware of the risks associated with working remotely, and dispelling some of those new, bad habits. Our views on security awareness training are well-known. An hour-long ‘test quiz’ once a year just isn’t going to cut it. Instead you need to bake security into your organization’s daily operations.

As Bobby Ford, Global Chief Security Officer at Hewlett Packard Enterprise says in this video, how can you get a little bit of cyber into other programs in your organization? And don’t just stop at events, town halls, intranets, or staff newsletters. These are all places to continually beat the drum for good security. So work with your people and comms teams to help enable that. We have a bunch of tips, resources and best practice information in this post that you can use as part of your cyber security refresher training. And if you need support from the C-Suite, here’s how to get it.

We have a bunch of tips, resources and best practice information in this post that you can use as part of your cyber security refresher training. And if you need support from the C-Suite, here’s how to get it. What’s perhaps most remarkable about the switch to remote working is that it happened almost overnight. The efforts and tools IT and security teams put in place quickly ensured that many companies stayed operating – jobs and lives were no doubt saved.   

Now, however, those tools and processes are a permanent part of your business, and reviewing your security stack to ensure it’s fit for purpose in a remote world is critical. So what to look for? Well ask yourself questions like    👩‍💻 Does the application process personal data? If so, why and in what volume? 🌏 Where is the data processed?  📚 Does the application take back-ups of data? If so, how often? 🚫 Who has access to the data in the platform? 📱 Is access conditional upon Multi-Factor Authentication (2FA, for example)?  We’ve fully explored how to onboard remote Collaboration and productivity tools here

The Great Re-Evaluation and the future of remote work Finally, there’s one other aspect of remote working to address, and that’s people themselves. The pandemic caused a lot of soul searching in many employees about their future and the sort of companies they wanted to work for.    The past 18 months has seen unprecedented demand for highly skilled roles, and many people are using this to turbo charge their careers. The person in this BBC article increased her salary by £10,000 in six months, she surely can’t be the only one.  So as well as dealing with protecting your people from external threats, there’s also potential dangers from within. If people are leaving, what better way to make a great impression on the first day at their new gig than by bringing a juicy file of customer data, source code, or other highly valuable IP.    Again, our State of Data Loss Prevention Report found that 45% of employees admit to downloading, saving, or sending work-related documents to their personal accounts before leaving or after being dismissed from a job. Assuming your USB ports are disabled, staff will often extract these assets by emailing them to their personal accounts. This is a particular problem in sectors such as legal, financial services, and entertainment, where a client base and extensive networks are crucial.    We’ve explored in detail how to keep your data safe in The Great Re-Evaluation below

At Tessian, we know being an InfoSec leader is hard. The threats are relentless and the landscape is constantly changing. The halcyon days of rows of desktop PCs in an office block protected by on-prem Secure Email Gateway (SEG) are confined to the history books. Remote work, an infinite perimeter, and sophisticated attacks by email are here to stay.    The only question is, how are you going to deal with them?   To find out how Tessian can help secure your remote teams, get in touch for a demo

Cybersecurity frameworks play an integral role in ensuring organizations have adopted the latest and best practice standards and strategies to safeguard their information systems and data. The most commonly adopted industry standard frameworks include the NIST Cybersecurity Framework, the CIS Controls, and ISO/IEC 27001/2. But, of these industry frameworks, only the ISO/IEC 27001/2 standard can be certified.    For organizations with well-developed cybersecurity strategies, often led by industry-leading CISOs, email security controls form a core control in preventing unauthorized information system access.    But the relationship between industry standard cybersecurity frameworks and the importance of email security can often appear to be subsumed by higher order security controls. For example only the CIS Controls explicitly mentions email security (control 09).    Read on to see why email security deserves higher priority in your security controls environment.

The market is once again signaling email security as a priority security control    Email security has, until recently, been seen as a low-priority “solved-for” cybersecurity challenge. Many of the analyst firms even stopped providing market coverage on the email security vendorscape, with market maturity cited as the leading reason. This world view saw a handful of legacy email security monoliths, built for an on-premise world, dominating the market on what appeared to be a rather straightforward cybersecurity challenge – filtering unsophisticated phishing attempts and spam.   The threat landscape however did not stop evolving. In fact, over the past 12-24 months there has been a marked shift in the sophistication of social engineering based attacks, which is placing renewed emphasis on email security as a high priority security control.    In spite of mature email security vendor offerings, breaches continue to proliferate. Phishing, Business Email Compromise (BEC) and account takeover (ATO) incidence are growing year-over-year and are responsible for 70 to 90% of all cybersecurity breaches. Malicious emails were also responsible for 54% of successful ransomware attacks in 2020. A further cybersecurity threat vector that has until recently been unaddressed, is unauthorized data exfiltration, either accidental or malicious – seen as a leading reported incident.   The growing threat reality of poorly secured email has called into question legacy email security vendors and approaches, with increasing displacement taking place by a new breed of advanced email security solutions.

Cybersecurity Frameworks    Given this evolving threat landscape, it’s worthwhile revisiting the mainstream adopted cybersecurity frameworks and the centrality of email security as a core element of cybersecurity resilience.   CIS Controls    Dating back to 2008, the CIS Controls dating back is seen by many in the industry as the gold standard of cybersecurity controls. In fact the NIST Cybersecurity Framework references the CIS Controls as an “informative resource,” with most practioners using the CIS Controls in conjunction with the NIST Cybersecurity Framework.   The CIS  Controls undergo periodic review; currently there are 18 controls:    CIS Control 1: Inventory and Control of Enterprise Assets   CIS Control 2: Inventory and Control of Software Assets   CIS Control 3: Data Protection  CIS Control 4: Secure Configuration of Enterprise Assets and Software  CIS Control 5: Account Management  CIS Control 6: Access Control Management  CIS Control 7: Continuous Vulnerability Management  CIS Control 8: Audit Log Management  CIS Control 9: Email Web Browser and Protections  CIS Control 10: Malware Defenses  CIS Control 11: Data Recovery  CIS Control 12: Network Infrastructure Management  CIS Control 13: Network Monitoring and Defense  CIS Control 14: Security Awareness and Skills Training  CIS Control 15: Service Provider Management  CIS Control 16: Application Software Security  CIS Control 17: Incident Response Management  CIS Control 18: Penetration Testing Control 9 is of specific relevance to this discussion, calling for the hardening of email and web browser protections, and underscores the susceptibility of falling victim to successful social engineering attacks:.

NIST Cybersecurity Framework    First introduced in 2014 and revised in 2018, the NIST Cybersecurity framework version 1.1 is premised on five key security controls:   Identify – developing an organizational understanding of cybersecurity risk to systems, people, assets, data and capabilities. Activities include Asset Management, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.   Protect – developing and implementing safeguards to ensure the safe delivery of critical services. Activities include Identity and Access Management, Security Awareness Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.  Detect – develop and implement capabilities that enable early cybersecurity event detection. Activities include detecting Anomalies and Events, Security Continuous Monitoring, and Detection Processes. Respond – develop and implement capabilities that enable a well-managed response after an incident has occured. Activities include Incident Response Planning, Communications, Analysis, Mitigation, and Improvements. Recover – develop and implement capabilities that enable the ability to recover after a cybersecurity incident has occured. Activities include Recovery Planning, Improvements, and Communications.   The hardening of email security controls relates directly to: Security controls 2 (Protect): Providing advanced Data Security and Information Protection Technology Security control 3 (Detect): Providing Anomalies and Events, Continuous Monitoring and Detection Processes capabilities

ISO/IEC 27001 and ISO27002   ISO 27001:2005 Information Technology – Security Techniques – Information Security Management Systems – Requirements, commonly referred to as ISO 27001, is used in conjunction with ISO 27002:2013 Code of Practice for Information Security Management, commonly referred to as ISO 27002.    ISO 27001/2 is the only cybersecurity framework that can be certified internationally by the ISO  standards body. To achieve ISO 27001/2 certification requires that organizations build an Information Security Management System that among other requirements, entails adopting all 14 of the Security Control categories listed under Annex A.    In total there are 114 security controls in the 14 categories. The CIS Controls and NIST Cybersecurity  Framework can also be mapped to the ISO 27001 controls.    The 14 security control categories include:     Annex A. 5 Information Security Policies   Annex A. 6 Organization of Information Security   Annex A. 7 Human Resource Security   Annex A. 8 Asset Management    Annex A. 9 Access Control   Annex A. 10 Cryptography   Annex A. 11 Physical and Environmental Security   Annex A. 12 Operations Security   Annex A. 13 Communications Security   Annex A. 14 System Acquisition, Development and Maintenance   Annex A. 15 Supplier Relationships   Annex A. 16 Information Security Incident Management    Annex A. 17 Information Security Aspects of Business Continuity Management   Annex. 18 Compliance    Of the 14 security control categories, control A12 Operations Security and A13 Communications Security underscore the importance of having robust email security in place. The two sub-controls under A12 and A13 that have direct relevance to email security are:   A. 12.2.1 Controls Against Malware – detection, prevention and recovery controls that protect against malware and also entail appropriate user security awareness. A. 13.2.3 Electronic Messaging – any information that is involved in any form of electronic messaging needs to be appropriately protected to prevent unauthorized access.

General Data protection Regulation (GDPR)   Although not a cybersecurity control framework, GDPR does outline legal processes and procedures to protect the data of European Union member countries’ citizens. Other similar data privacy and security legislation is being enacted around the world, calling for similar controls to be put in place. GDPR however is notorious for imposing the most stringent interpretations of its data privacy and data security regulations, along with handing out record setting financial penalties for infringements.   Chapter 4, Articles 25-43 set out the necessary legal stipulations for data controllers and processors, essentially calling for data protection by design and default.    Key information security principles listed in chapter 4  (Article 32) include:   Pseudonymisation and encryption of personal data. The ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services. Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident. A process for regular testing, assessing and evaluating the effectiveness of technical, and organizational measures for ensuring the security of the data processing.   Data loss, phishing, unauthorized access and ransomware are among the top reported incidents to the UK’s Information Commissioner Office (ICO) – the UK’s enforcing body for GDPR. Inadequate and ineffective email security controls is the leading cause of these incidents.  

MITRE ATT&CK Framework   Popular with threat intelligence, security operations centers, as well as the cybersecurity vendor community, the MITRE ATT&CK Framework is starting to gain mainstream recognition in the enterprise. Developed in 2013 and also referred to as the ATT&CK Framework, its utility for benchmarking the effectiveness of security controls is becoming increasingly apparent as attacks grow in sophistication and scope.   Although consisting of three matrices, the MITRE ATT&CK Framework for Enterprise is the most commonly used matrix. By offering an adversarial perspective on threat and attack vectors aka attack chain – starting with reconnaissance, resource development, initial access and ending with impact – enables security and risk leaders to gauge the robustness and breadth of controls in place.    According to the ATT&CK framework, social engineering based attacks, including phishing, remain one of the most common attack vectors enabling unauthorized access to information systems. The full matrix is available here.

Email security as a core control   Email security vulnerability remains a significant threat vector and features as a core cybersecurity control in all of the most widely adopted cybersecurity frameworks. And, given the increasing sophistication of email-based attacks, the importance of having industry leading email security protection in place must be reemphasized. Only by prioritizing email security will the risk of an email-related breach be significantly mitigated.

How can Tessian help you lock down email?    This is why enterprises are replacing legacy email security solutions for the next-generation of intelligent email security protection from Tessian. Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.   By using industry leading machine learning the dynamic real time protection is enhanced with each threat mitigated, guaranteeing unparalleled protection against all email-based attack vectors, including insider threats.   Key features include:   Advanced Spear Phishing Protection Advanced Attachment and URL Protection   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover  Invoice Fraud Bulk Remediation Automated Quarantine  Threat Intelligence Insider Threat Management Accidental & Malicious DLP

I was recently scrolling through a forum where the inevitable topic of creating perfect data loss prevention (DLP) regular expression (regex) queries began to simmer.   It started along the lines of this: “I need to build a regex query to look for credit card numbers within email or documents – how do I do this without an exorbitant amount of false positives?”    Turns out, many folks relate to this exact situation, and the discussion caught fire. Some are building the rules so tight and applying them to such specific users, they risk missing events that don’t fit the fold. Others are casting the net too wide and don’t have the manpower or the stamina to triage the alerts. Others have put an approval process in place, but this process slows down business. Managers end up having to approve all emails…but who has time for that?   So how can we both mitigate risk and reduce the amount of alerts DLP administrators are triaging?  Food for thought from a wise man: “If you are going to eat s*t, do not nibble…”

If you make it personal AND relevant, the employee will listen   When implementing policies that encourage employees towards positive behavior and are actually relevant to them, they will be more inclined to understand and listen.    For example, you may have a company policy that prohibits employees from sending sensitive company data to their personal email. Employees will typically take this approach because they want to access documents conveniently from another location that has less security; one less hurdle to jump through when on a plane, at a hotel, or working from home.    Other times, users literally do not know that this isn’t secure, or maybe they have just come into the organization via M&A and are unaware of the policy. Instead of reactively catching this after the fact and having HR or management punish the employee, what if you could eliminate it in the first place with a prompt?   Imagine employees saw this upon sending the email:

Which brings us to point #2…. We have to tell employees why this is important for them to personally consider. They will relate, understand, and heed the advice the next time they are thinking about sending sensitive data to unsecure places.    You can imagine sharing additional tips on your organization’s internal Wiki or Intranet to help really drive the point home:    Home tip: This policy should be followed when you’re sending personal, sensitive information about yourself to anyone. Not just when you’re at work. Make sure you are always sending personal information like credit card numbers and social security numbers through secure methods (like sites that have a lock located by the URL) and always ask if items like social security numbers are required. You would be surprised by how many places do not need this type of information yet ask for it!

Most employees are not malicious… they just aren’t enabled to make better decisions   More and more often, we’re hearing that people are responsible for breaches:   85% of data breaches are caused by human error 61% of security leaders think an employee will cause their next data breach   But the problem isn’t malicious employees.    For example, if we isolate the financial services industry, the majority of breaches were caused by an accident, like sending an email to the wrong person, which represents a whopping 55% of all error-based breaches (and 13% of all breaches for the year).   This all goes to show that most employees aren’t malicious; if they were asked to take an alternative, more secure route, they would! They just don’t know how.    Well-documented tutorials can help reduce unintentional data loss and IT tickets, which means security teams are only left with tickets that are actually worth triaging.

There is data outside of your regex queries that is worth protecting. Do you know what that data is?   Although there is tablestake data like social security numbers and account numbers that need to be protected due to regulations and mandates, there is also business data that is critical to protect.    What is your vital business data? Think: M&A confidential projects, clientele lists, portfolio company research and earnings, company budget information, case strategy documents….  This is just a small list of things that  – if in the wrong hands – could be very bad news for the business. Can you possibly create regex queries to identify and protect all of these types of data?   Considering the fact that organizations spend up to 600 hours a month resolving employee-related security incidents like data exfiltration or accidental data loss, I’d say no.   The bottom line is: your talented team members don’t want to spend their days combing through DLP alerts that could be eliminated in the first place. But, until we begin to enable our employees to be secure at work and at home, we will forever be salmon swimming upstream.  I encourage you to take a look at what Tessian can offer to build this positive, security-enabled culture. Check out the below resources, or book a demo to see the product in action.

Read research into the State of Data Loss Prevention See what Tessian customers are saying Download our platform overview datasheet

Like Gandalf The Grey, it goes by many names.   Fast Company calls it the Great Reprioritization. LinkedIn prefers the Great Reshuffle, while Thrive Global opts for Great Re-evaluation. But whatever it’s called, it’s clearly a movement that’s broadened out from people quitting their jobs and moving to your competitors, to something much bigger around company culture, work/life balance, and job flexibility.   So what does this mean for your organization? How do you keep your data secure when your perimeter is over the horizon, your people are remotely distributed, and you’re facing threats that are increasing in both frequency and complexity?   What is the great re-evaluation?   The first wave of Great Resignation in 2021 saw an initial rush of people deciding they wanted a change, and quickly leaving their jobs. We covered the knock-on effects of keeping your data safe back then in this article.

And while much of those concerns are still valid, we’re now in a new space where other issues are starting to reveal themselves, too.    Those initial leavers were the “early adopters” who probably had itchy feet anyway, COVID was just the push they needed. But what about those who stayed? Having weathered the storm for the last two years and seen that it’s showing no signs of abating, people are looking around for companies that offer better remuneration, flexibility, and an exciting mission. Things they’re (likely) sorely missing in their current companies.   As the CISO, those things might not be in your power to grant to the entire company. But as your company’s security leader, you own the security impact of when people leave, when their replacements arrive, as well as those who choose to stay.

Who’s leaving? First off, let’s look at those who are (still) leaving. Resignation rates are highest among mid-career employees; that is those between 30 and 45 years old. And according to Harvard Business Review, the greatest churn was in Tech companies. Ah tech in the Bay Area. Where it's easier to just get a new job, than to stay long enough for a laptop refresh. — Bea Hughes (@beajammingh) January 5, 2022

They’re often highly experienced at their role and unlike younger employees, don’t need a lot of training. What’s more, they’re not leaving to ‘drop out’ and start a lifestyle project or go traveling, they’re leaving for a better, more flexible package.   These are staff who ‘know where the bodies are buried’. They have a highly detailed knowledge of your organization and its processes, products, and customers. This group has the highest probability of attempting to exfiltrate sensitive data – IP, clients or other corporate information – from your organization.   But the problem isn’t limited to mid-career employees in the tech industry. The Verizon Data Breach Investigations Report found that 72% of staff take some company data with them when they move on, whether intentionally or not. They also found that 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement.   Even worse, a whitepaper published by Osterman Research found that a further 28% of employees admitted to taking data created by others when they leave – cheeky! Things to look out for include fluctuations in email activity, accessing documents or files at unusual times such as evenings or weekends, and spikes in data transfers.

If you’ve disabled your USB ports, email remains one of the most popular conduits for exfiltration attempts, so securing that channel now – before they hand in their resignation – is critical.    Once that’s in place, you need a structured and effective offboarding process in conjunction with your People team to disable methods of data exfiltration. (There’s some great advice on designing that process as a whole over on Security Intelligence and on AT&T Business.)   Why high attrition is a threat to your data security   A data breach has a number of financial consequences. First and foremost, there’s the time it takes you to handle the incident. There’s potential compliance violations and regulatory fines, legal costs pursuing the ex-employee, and loss of reputation and competitive  advantage that will affect your bottom line long-term.    The situation can be even worse when staff are let go as companies trim to stay afloat. One former credit union employee deleted 21GB of data after being fired, and one business collapsed entirely after an angry ex-employee deleted every single file.

Who’s arriving? The good news – enthusiastic new staff are brought in to replace those who have left, so aren’t likely to exfiltrate any data. The bad news? They’re also vulnerable to external attacks, and have yet to get up to speed on your security processes and familiarize themselves with the company as a whole.    What’s more, they’ve probably announced their new role on social media. Our How to Hack a Human Report found that an overwhelming 93% of workers also update their job status on social media, while 36% share information about their job. Hackers know this,  and do their research before hitting an organization with a spear phishing attack. Consequently, new starters are prime targets.    

But it’s not just role replacement staff, it’s entirely new staff too. After all, the pandemic has been very good for certain industries (infomation security for example) and some businesses are growing off the back of this and expanding their teams.   Who’s staying? When a team changes, there’s always disruption of some sort, and that problem is only exacerbated in today’s remote world. However, that disruption can also be an opportunity to refresh and remind people what a good security culture looks like and correct any bad habits that might have formed during remote working.   This is important as our ‘Back to Work’ research report found the following alarming statistics:   56% of IT leaders believe employees have picked up bad cybersecurity behaviors since working from home 40% of employees plan to bring their personal device into the office to work on 69% of IT leaders think that ransomware attacks will be a greater concern in a hybrid workplace 27% of workers are afraid to tell IT they’ve made a security mistake

Hybrid is here to stay – act accordingly  

Why the office is done The halcyon days of on prem servers and a load of desktop PCs all protected by a shiny new Secure Email Gateway (SEG) are long gone. And now, the office that once housed them is on the way out, too. According to one study, 79% of the C-suite say they will permit their staff to split their time between corporate offices and remote working, if their job allows for it.   There was the assumption in late 2021 that, once a vaccine was developed and staff afforded some sort of protection, things would soon return to normal – or at least something like it. Omicron has blown that notion to smithereens. And as this article suggests, maybe it’s time to admit defeat.

Remote working isn’t going anywhere anytime soon, and staff are still subject to the same distractions and security threats they were in March 2020.   The enemy here is complacency: bad habits as much as bad actors. People are once again distracted, angry, and anxious. Here’s some quick tips to help remind the team about good security practices (see more here) Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you.

Look after yourself   Like an airplane oxygen mask, you can’t look after others until you’ve looked after yourself first. It’s been a tough few years and CISOs are burnt out, really burnt out. Our Lost Hours report found that CISOs, on average, worked 11 hours a week in unpaid overtime, and that 25% of CISOs spend 9-12 hours investigating and remediating each threat caused by human error. What’s more, the average time a CISO is in post is as little as 26 months.

A commissioned study conducted by Forrester Consulting on behalf of Tessian identified that organizations spend up to 600 hours per month resolving employee-related email security incidents. That is not healthy and it’s not sustainable, for either staff or the business. And your team As our 2022 trends post highlighted, hiring and keeping a diverse team will be one of your biggest priorities… and challenges. After all, at the end of 2021 there were nearly 500,000 unfilled cybersecurity roles in the US. The Department for Homeland Security was looking to hire 1800 but the end of 2021 alone Dealing with the rising security risks of the Great Re-evaluation needs a great team backed up by great tools that streamline defenses against phishing attacks and data exfiltration. That’s where we come in. So if you need some help we’d love to talk.   How does Tessian prevent data exfiltration attempts?   Prevent unauthorized emails Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email. Learn more   Deeply understand your risk Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltrations attempts. Learn more   In-the-moment educational warnings Tessian warnings act as in-the-moment training for employees, continuously educating them about treats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time. Learn more

Punit Rajpara is Head of IT and Business Systems at GoCardless. In this Q&A he tells us how GoCardless won over the entire organization—from employees to board members—with their forward-thinking data loss prevention (DLP) program. Dig deep into the intuitive and effective user warnings, powerful analytics, and reporting tools that helped prove their business case.   Could you please give us a quick introduction to yourself and your role at GoCardless?   I’m the Head of Business Systems at GoCardless. I’ve been here just over a year—joined at the crazy pandemic time so it’s been an interesting year. Plus, prior to GoCardless, I was at WeWork and Uber, so I clearly love the hot startup journey and putting in core tools. GoCardless is in the space solving for payments—so whether that’s recurring or one-time payments.   We’ve just really done some really cool stuff at the Urban Bank and you should check it out. We service payments across 30 different countries and we process about 20 billion in revenue for other merchants every year. DLP can be a really daunting project, for many. At GoCardless, was your starting point in DLP?   Yeah, I think I’d say boring and daunting. It’s one of those things that just kind of there, and it can be disruptive to users. So, I guess our starting point was we… like I said, it was kind of just there. We used Google DLP to kick off, and the inbuilt DLP tools, and we found those a little bit complex to configure.   So we’re coming to this realization—just when everything just happened and we went to market—to look for somebody better. We realized it needs an admin of its own—it’s just configured a bunch of policies that just block stuff for our users all the time. And it didn’t seem very “user-in-mind.” So that’s our starting point: Google-based DLP tools. A bit boring, a bit daunting, like you said, and just… there. What was it that instigated you to start thinking: “OK, we need a new approach”?   We had an incident where somebody sent a file to a friend, instead of to the right recipient. And we got a bit lucky, where the friend said: “Oh, did you really mean to send me this file?” and it was an important file that probably shouldn’t have gone to the friend. And the person that caught that and came straight to us and said, “Hey—do we have a way of stopping me from sending things I shouldn’t to the wrong people?” And we’re like: “Maybe… Let’s go and have a look at it.”    So, we weren’t intentionally looking at DLP, but it’s one of these things where it allows us to be used a little as well, so users will come and talk to the problem, and go: “Hey, I’ve made this stupid mistake—what should I do?” and “Can you do anything to help me not make that mistake again?”   So, that’s what really led us down the road of going: “We should look at this problem. We should look at inbound and outbound DLP and see if we can make it easy for our users not to do things that are going to be harmful to them and the business.” How have you got your employees to that state, where they’re actually coming forward and saying “Hey, how can we stop it going forward?” I think it’s part of that kind of scale-up workforce culture, where people are expecting not to do things by themselves constantly. If you look at all aspects of… mostly business systems and IT, there’s a huge focus today on ultimate automation and self-service. So people are used to working in organizations where you’re not having to report things, you’re not being blocked by things, you’re really being enabled to just go on with your work. And the expectation is that IT teams and business teams and security teams are becoming more and more “self-service,” and putting the control in the hands of the users. And that just really allows people to not worry about these things, and just get on and just be productive and work. What were you looking for when you set out to try to find a security partner? When we went looking for the right partner, the things that were front-of-mind were: whatever we chose had to be easy to use, it had to be easy to implement, and it had to be easy to administer. I was managing a small team last year, so it couldn’t be anything that required tons and tons of work for my team to implement. It couldn’t be something that required tons and tons of documentation to be written. It couldn’t be something that required using huge amounts of user training.  It had to be quick, easy to use, quick to deploy, easy to deploy, with a lot of support from the vendor will be required to get it out if we need that support, and it had to be self-service. It will have to be really really intuitive. So that’s our approach to how we were looking for the right partner. I think it actually hit the nail on the head with Tessian…  How was the feedback when you implemented Tessian? How did you garner that feedback and how did it change their perception of what security controls can be like? I’d say overwhelmingly, there was a positive response to our deployment of Tessian at the business. People—especially the exec team—would come into us quite quickly and say: “Hey, this is really cool. We’re going to stop data leakage.”  We were able to catch a couple of incidents that we maybe wouldn’t have otherwise, so overwhelmingly there was this really really positive response: “Hey, this tool is really awesome, didn’t know we could do this kind of stuff.”  

Looking back at the last 12 months, Tessian’s Human Layer Security platform has scanned nearly 5 billion emails, identified over half a million malicious emails, stopped close to 30,000 account takeover attempts, and prevented over 100,000 data breaches due to a misdirected email…   At the same time, we rolled out a number of important product updates to help keep our customers safe. Here are the most important product updates to Tessian’s Human Layer Security platform from 2021.   We built world’s first Intelligent Data Loss Prevention Engine   We believe that the next generation of Data Loss Prevention is fundamentally about shifting away from entirely rule-based techniques towards a dynamic, behavioral approach. That’s why we built Guardian and Enforcer, to automatically prevent both accidental data loss and sensitive data exfiltration to unauthorized accounts.    But we have also seen that, when combined with dynamic behavioral analysis, custom DLP policies, play an important role in an organization’s data security strategy.   With the launch of Tessian Architect in October 2021, enterprises can now deploy powerful, intelligent DLP policies. Architect is a perfect complement to Tessian Guardian and Enforcer and provides the market’s best-in-class Email DLP platform:   Architect was built together with leading security teams – it’s intuitive, quick-to-learn and comes with a library of prebuilt policies Architect has built-in machine learning capabilities and features a powerful logic engine to address even the most complex DLP use cases Architect is designed to educate users about data security practices in-the-moment and guide people towards better behavior Want to learn more about Tessian Architect? Read more about it here.

We now protect customers from compromised external counterparties   This year, we saw a record number of bad actors compromising email accounts of trusted external senders (suppliers, customers, and other third-parties) to breach a target company. These attacks are canned external Account Takeovers (ATO), and they’re one of the main pathways to Business Email Compromise (BEC).   Because these malicious emails don’t just appear to have come from a trusted vendor or supplier’s legitimate email address, but actually do come from it, external ATOs are incredibly hard to spot, meaning organizations are exceptionally vulnerable to them.    Tessian Defender now automatically detects and stops external Account Takeover attacks.    By using machine learning to understand a sender’s normal email sending patterns (like where they usually send from, what they talk about, what services they use, and more), it can identify suspicious deviations from the norm and detect malicious emails.    When this happens, Defender can either block these attacks, or show educational alerts to end-users, helping them identify and self-triage attacks.   Learn more about External Account Takeover protection here.

We now stop more threats, with better accuracy, with less admin overhead   In-the-moment warnings are one of the features that set Tessian apart from the competition. When Tessian Defender detects a potentially malicious email, it warns users with a pop-up, explaining exactly why the email was flagged.   But, we know that sometimes, it’s better to automatically block phishing emails.   Tessian Defender now automatically blocks attacks, before they reach a user’s mailbox. This gives security teams an  additional layer of email security, preventing end-users from receiving emails that are highly likely to be phishing attacks.    Defender can also adapt the response it takes to remediate a threat. If our machine learning is close to certain an email is malicious, it can quarantine it. Otherwise, it can deliver it to the end-user with an educational warning. This adaptive approach is so powerful because it strikes a balance between disrupting end-users and protecting them.   Finally, this year, Tessian Defender’s detection algorithm made some big strides. In particular, improvements in our risk confidence model allowed us to reduce false positives by significantly providing a better experience to end-users and security teams.

We now stop employees from accidentally sending the wrong attachment   Accidental data loss is the number one security incident reported to the Information Commissioner’s Office, and sending an incorrect attachment is part of that problem. In fact, 1 in 5 external emails contain an attachment, and research shows nearly half (48%) of employees have attached the wrong file to an email.    42% of documents sent in error contained company research and data 39% contained security information like passwords and passcodes 38% contained financial information and client information.  36% of mistakenly attached documents contained employee data   Thanks to an upgrade to Tessian Guardian, organizations can now prevent employees from accidentally sending the wrong attachment in an email.    The upgrade uses historical learning, deep content inspection, natural language processing (NPL), and heuristics to detect counterparty anomalies, name anomalies, context anomalies, and file type anomalies to understand whether an employee is attaching the correct file or not. If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. This is completely automated, requiring no overhead from IT teams.   Best of all, the warnings are helpful, and flag rates are extremely low. This means employees can do their jobs without security getting in the way.   Learn more about misattached file protection here.

We can now quantify and measure human layer risk   Comprehensive visibility into employee risk is one of the biggest challenges security leaders face. With the Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture, with granular visibility into employee risk, and insights into their risk levels and drivers.   How does it work? Tessian creates risk profiles for each employee, modelled from a range of signals like email usage patterns, indirect risk indicators, and employee security decisions (both historic and in real-time). Because of this unique data modelling, Tessian can gauge employees’ risk level, including whether or not they’re careful, careless, frequently attacked, and more.   This offers organizations protection, training, and risk analytics all in one platform, providing a clear picture of risk and the tools needed to reduce it.   Learn more about the Human Layer Risk Hub here.

We now integrate with KnowBe4, Sumo Logic, Okta, and more… Tessian is even more powerful when integrated with other security solutions that help address the risk posed by employees. That’s why, in the last 12 months, we’ve announced exciting integrations with Okta, Sumo Logic, and KnowBe4, each with their own unique benefits for joint customers. With Sumo Logic + Tessian, security and risk team can understand their risk through out-of-the-box monitoring and analytics capabilities.

With Okta + Tessian, security and risk management teams geet granular visibility into their organization’s riskiest and most at-risk employees and consequently enable them to deploy policies that can help protect particular groups of users from threats like advanced spear phishing and account compromise and prevent accidental data leaks.

And with KnowBe4 + Tessian, security and risk management teams get more visibility into phishing risk than ever before.

Want to help us solve more challenges across use cases? Come build with us.

As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.   This is easier said than done, but security is business-critical.   So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives?   We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips.   You can download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. Or, download this eBook.   1. Familiarize yourself with overall business objectives   While cybersecurity has historically been a siloed department, today, it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.   The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case.   If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach, the average cost of a data breach is $4.24 million.)

2. Create specific “what-if” scenarios   A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.    As the saying goes, “If it ain’t broke, don’t fix it”.    That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented so that stakeholders can understand both probability and impact.   For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails  which – by the way- are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox.  What would happen?    Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.    3. Work closely with the security vendor   You know your business. Security vendors know their product. If you combine each of your expertise – and really lean on each other – you’ll have a much better chance of making a compelling case for a particular solution.   Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.    4. Collaborate and align with other departments   It takes a village and cybersecurity is a “people problem”.  That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.    Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win!

5. Consider how much the executive(s) really know about security   To communicate effectively, you have to speak the same language. And, we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with.   But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing.   For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But, if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.    In short: Don’t succumb to the Curse of Knowledge.

6. Use analogies to put costs into perspective   One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful.   For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But, the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.   Suddenly, the cost will seem more manageable and worth the investment.   7. Invite key stakeholders to events or webinars   Before you even start pitching a particular solution, warm-up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people/organizations are finding solutions.   Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle.   8. Prepare concise and personalized briefing materials   Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5.   After taking some time to understand the business’ overall objectives, take a closer look at individual peoples’ roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity.   Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.   The bottom line: make it about them.   9. Share these documents in advance of any formal meetings   While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.   To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings.   But, don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information.   10. Build a strong security culture   Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone.   So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping – not blaming – employees. There has to be a certain level of mutual trust and respect.   Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions – whether it’s clicking on a phishing email or using a weak password – have consequences.   If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign-off on solutions.   11. Keep an eye on security trends outside of your industry S ome industries – specifically Healthcare, Financial Services, and Legal – are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months.   Keep this in mind.   If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too.   12. Approach non-executive stakeholders early on   While – yes – getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.   After all, those are the people who will actually be responsible for deploying the solution and maintaining it.By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.   How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.   13. Match like-for-like people from both sides   If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level.   For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.   And, with that in mind…. 14. Preempt questions and prepare answers   No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!)   Remember, people are generally concerned with how a problem/solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.   15. Get specific customer references from the vendor   We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And, we mentioned in tip #11 that you should match like-for-like people in meetings.   It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince you’re CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from the CTO.   Why? Professionals trust and rely on their peers when making difficult decisions. 16. Be conscious (and considerate of) peoples’ time   Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).

What is DLP? Decades of digital technology transformation have given employees amazing powers. But with that power also comes the ability to send millions of dollars in just a few clicks, or share an entire customer database in a single emailed file. Today, your people are often the gatekeepers to your company’s most sensitive systems IP and data. Enter data loss prevention (DLP).  Your DLP tools and strategy are critical to the safe running of your business. At its core, DLP aims to minimize the risk of confidential or business-critical data leaving an organization.

How much business-critical data do you handle?   Different people within your organization handle a variety of data types. Sales for example might have customer names and emails, whereas Finance would have staff payroll details. The product and dev team would probably have sensitive IP information, and roles like sales engineers and tech ops might handle your customers’ data. Regardless of the role though, it’s all information, it’s all valuable to you (and bad actors), and it can all be lost.    Take a moment to ask yourself if your business as a whole routinely handles any of the following: company IP credit card details medical records insurance details legal case notes sensitive financial data personally identifiable information (PII).  Chances are, if your business has customers or clients, you’re handling business-critical sensitive data.    Why email is your greatest DLP threat    Now let’s consider how data gets ‘lost’ in the first place… There are several ways, but nearly all of them come down to one thing: people make mistakes, either accidentally or on purpose.

Successful businesses are, by their very nature, porous. Information flows in and out at a near endless rate from staff, customers, prospects, suppliers, trade bodies, local authorities, and government.   While recent tools like Slack and Teams have eaten email’s dominance of internal communication, the main method for external communication remains email, and it is the primary way that most firms conduct business today.   In fact, an Adobe Email Usage Study found that employees routinely spend 40% of their work time reading, writing and sending emails.   Let’s stop pretending there are different jobs. There’s only one job and it’s emails. — Kate Helen Downey (@katehelendowney) July 13, 2021   How big is your problem? How big is your firm?   According to data from Tessian’s own platform, employees send nearly 400 emails a month. If your organization has 1000 employees, that’s 400,000 emails, or around 13,000 a day. And if you’re routinely handling and emailing sensitive data, each of those is a data breach waiting to happen..   We don’t want to fearmonger (because Fear, Uncertainty, and Doubt (FUD) doesn’t fudging work…) but it’s clear email remains your number one threat vector.    The big challenge is that people make around 35,000 decisions every single day; that’s 35,000 chances to make a mistake..In the context of email, that means not always identifying phishing emails correctly, and sometimes attaching the wrong file.   This is why, in 2021, an overwhelming 85% of data breaches involved human error.  

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Find more statistics at Statista  

Insider threats (and how to spot and stop them)   You can secure your perimeter against external attack, but what about the ones that come from ‘inside the house’? The fact is, people break the rules way more often than IT leaders think, both intentionally and accidentally.  

Insider threats are an organization’s biggest hidden security problem.   With attention directed externally, internal issues are typically under-resourced and under-addressed. What’s more, unlike bad actors or state sponsored hackers, your staff have legitimate access to systems and data. That means they’re in an ideal position to exfiltrate data. You can see why for some companies, it’s a difficult conversation to have.

!function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Yet our State of Data Loss Prevention report found that 45% of all employees download, save, send, or otherwise exfiltrate work related documents before leaving or after being dismissed from a job. So what can be done? Well firstly, you need to recognize what data exfiltration looks like. There are two distinct types of insider threats, malicious (those that set out to deliberately cause harm) and negligent (those that cause harm by accident).   Spotting malicious insider threats   So how do you recognize if you have malicious or negligent staff within your organization? Well, there are several telltale signs. Malicious actors, for example, might display declining performance or other signs of dissatisfaction. They might start logging in at unusual hours, have multiple failed logins, or other abnormal login activity.

Spotting negligent insider threats   Negligent staff meanwhile might repeatedly fall for phishing attacks, or fail to comply with basic security policies such as consistently misdirecting emails, or miss attaching files. There could be several reasons for this, from burnout, to boredom.    Remember also, that staff often have genuine reasons to send documents externally. Sending things like plane tickets, restaurant reservations, pay slips, and other digital ‘pocket litter’ home isn’t going to cripple your business – but it will generate false positives in your SEG.

Stopping Insider Threats    What’s critical in stopping these events is real time oversight of when they happen. In the case of malicious intent, you need to know instantly when someone has attempted an exfiltration to prevent data loss.With negligent staff, on the other hand, it can help to have a build up of data over time to inform your actions.    Exfiltration types and methods What is Data Exfiltration? Tips for Preventing Data Exfiltration Webinar: How to Reduce Data data Exfiltration by 84% Within 30 Days How to Keep Your Data Safe in The Great Resignation   The silver lining to this cloud is it isn’t all on you – it’s as much a people issue as a technology issue. As your organization’s cybersecurity leader, you need to work with your people team and other senior leaders on addressing this. Why? Because the costs of an insider threat breach are getting bigger.

The repercussions of a breach   Insider or external, a data breach can create significant fallout for your organization. First, there’s the financial cost. This isn’t a one-off fee – it can come in several forms. There’s the loss of revenue in the turbulence as customers churn or take their business elsewhere. Then, depending on your sector, there’s the increasing regulatory fines and legal actions. In the EU, GDPR has meant these costs have skyrocketed. Fines are particularly large in sectors like financial services and healthcare.    There’s also the time and resources you’ll spend dealing with a breach, not only the loss incurred by your own staff who have to now deal with this, but any external expertise you have to bring in to help repair or restore systems. But like an end-of-level boss in a video game, by far the biggest and most expensive repercussion is the reputational damage your organization suffers – this can last years.    When we asked security leaders what the biggest consequence of a breach is, here’s what they replied. See more at Why DLP Has Failed and What the Future Looks Like. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");   Every year, IBM publishes their Cost of a Data Breach report. You can get key findings from the 2021 version, as well as the report itself below, but the key findings regarding breach costs are:   Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report  There was a 10% increase in the average total cost of a breach between 2020 and 2021. This was the largest single year cost increase in the last seven years. The average cost of a breach at organizations with 81-100% of employees working remotely was $5.54 million

The problems with legacy DLP   Early DLP solutions from the ‘00s were designed to filter bulk spam. Then Internet Service Providers, Secure Email Gateways, and antivirus software added pattern and keyword recognition to identify potentially threatening emails. And today’s DLP solutions added rules and a host of other technical measures… but they’re just not up to the job anymore.

Watch now: DLP Has Failed The Enterprise. What Now?

Blocking domains: Particular domains, often ‘freemail’, are blocked. But there are plenty of legitimate reasons to send and receive emails from people with ‘freemail’ domains. Many small businesses and freelancers use Gmail, for example.    Blacklisting: Security teams create a list of non-authorized email addresses and simply block all emails sent or received. This requires constant updating and is very time/resource intensive. It’s also reactive; you only know an address is bad after they’ve been known to be associated with unauthorized communications.   Keywords: This method uses words and phrases to alert administrators of suspicious email activity. For example, IT and security teams can create rules to identify keywords like “social security numbers” or “bank account details”. But anyone trying to exfiltrate data can circumvent keyword tracking tools by sending the email and the attached data in an encrypted form.   Tagging Data: After classifying data, an organization may attempt to tag sensitive data, allowing administrators to track it as it moves within and outside of a network. The drawback here is that, again, this is time and resource intensive and relies on employees accurately identifying and tagging all sensitive data. Miss a tag, and data is misclassified or simply overlooked.   The challenge with all of the above is that they are based on rules. But human behavior can’t be predicted or controlled by rules, and human’s often subvert, side step, or break the rules, even when they know they shouldn’t.

How to bend not break the rules   -51% of staff say security tools and software impede their productivity at work -54% of staff say that if security software or policies make it difficult or prevent them from doing their job, they’ll find a workaround Read: Tessian’s State of Data Loss Protection Report But workarounds aren’t the only problem with rules…   Binary, rule-based DLP solutions offer blunt protection and limited visibility into complex human behavior and data movement. This leaves security leaders in the dark, trawling through logs of flagged and self-reported incidents after they’ve occurred.    There’s also the problem of false positives, and genuine, important emails are often buried in quarantine along with potentially harmful ones.    And with most risks to data security actually coming from within an organization, security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network.    The result is that legacy DLP has gotten way more expensive, complicated, and requires more and more administration and fire-fighting from InfoSec teams. 

Is it time to re-think your DLP strategy?   It’s clear that traditional DLP can’t prevent all data loss.   This is where Tessian comes in. Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. it automatically detects accidental data loss, malicious exfiltration, and phishing attacks in real-time, before sensitive data leaves your environment. Crucially, it doesn’t stop your employees from doing what they do best – their actual jobs, yet still provides you with clear visibility of threats.   Indeed, a recent Forrester Consulting report found that the security and risk leaders who have adopted Human Layer Security feel more prepared to face security and data loss incidents and to face a hybrid workforce than those who haven’t.   They believe their email security posture is extremely effective at alerting the organization to potential attacks/threats from users’ risky behaviors or poor security decisions. Meanwhile, those who don’t take a Human Layer approach feel less control over business disruptions.”

We’re seeing more and more industry pioneers explore this option, layering a tool like Tessian on top of Microsoft 356’s native tools. We take a deep dive into this new approach in our recent webinar ‘DLP Blindspots: Next Gen DLP’.

Ultimately, you know what stage of the journey your organization is on. But if you need further resources to comprehensively compare Tessian’s Human Layer Security alongside legacy DLP, Microsoft 365 DLP capabilities, legacy file encryption, and network and Perimeter Security, we’ve covered all that in forensic detail in this white paper.   In it, you’ll learn the pros and cons of different email security solutions, and how they stack up against Human Layer Security. This will help you evaluate a solution that works for you, and that best protects sensitive data in your organization.   Read now: Human Layer Security vs. Legacy Email Security Solutions white paper

DLP and Microsoft 365   So what does a smart, fit-for-the-21century DLP solution look like? Well, many organizations are now retiring their SEGs in favor of a Microsoft 365 solution, with Tessian layered on top as an EDR.    Over a million businesses worldwide use Microsoft 365, with 731,000 companies in the United States alone. Of course, because it’s the most popular solution on the planet, it also makes it a target for bad actors.    Although Microsoft 365 provides foundational rule-based data loss prevention (DLP) and data classification to address compliance requirements, it falls short when protecting against data loss caused by people.    Tessian complements Microsoft 365 with a behavioral analytics layer and offers enhanced data protection by closing critical DLP use case gaps such as inadvertent or accidental data loss, sensitive data exfiltration to unauthorized or personal accounts, and insider risks.

More on Microsoft 365 !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

How Tessian helps secure your Human Layer   We’ve come to the point where you’re considering how best to stop DLP in your organization. From working with our customers over the years, we’ve found that it’s best to think the following three ways    Research You’ve already started the research phase – simply be reading this page. Continue that process by auditing your estate, consulting team members, and identifying solutions. This is also the time to consult your network, join those webinars and read those whitepapers.    Rethink Any change in your DLP strategy needs to be able to face not only current threats, but future developments in those threats and their impact too. Maybe now really is the time to upgrade that legacy SEG with Microsoft 365 and Tessian. Perhaps you want to stay with a rule based DLP but are looking for something smarter? In which case Tessian Architect might be the right solution.    Part of the re-thinking phase is also re-training. With the average human makes 35,000 decisions every single day, we know that a morning of cybersecurity training every six months isn’t as effective as ‘in the moment’ training provided by Tessian. So now’s the time to rethink your training and awareness processes too.   Resource  This is where the rubber hits the road, you can’t do anything of the above without the right resources – time, people and budget – but you’re not going to get those without first showing that you’ve done the previous two phases to arrive at a road map to securing your Human Layer. Introducing Tessian Architect: The Industry’s Only Intelligent Data Loss Prevention Policy Engine

Encryption of data, whether in transit or at rest, is seen as a cornerstone of data loss prevention best practice. But when it comes to the encryption of data sent via email, the efficacy of legacy approaches to email encryption are increasingly being called into question. This is largely due to the rigid and binary nature of legacy email encryption solutions.    Increasingly, email security solutions that rely on encryption to prevent data loss are unable to meet the demands for frictionless and time-sensitive communication. An even greater challenge, however, is the declining effectiveness of this approach to preventing data loss, especially in the face of increasingly sophisticated cyber adversaries and the growing prominence of insider threats.    The fundamental challenge of legacy email encryption solutions hinges on its inability to address the root cause of email related breaches and data loss: human error.   In this article, we’ll explore the pros and cons of encryption, and more effective alternatives.   What is encryption?   Encryption is a method of data protection that encodes data so that it can’t be accessed by unauthorized parties. File encryption solutions, in particular, often use AES-256 bit encryption to secure unstructured data, usually with a long list of policies and access rights that the end user must choose before sending an attachment through email.   This has a negative impact on real-time communication and collaboration in organizations and their legitimate business partners.   Is encryption useful in specific cases?   The short answer? Yes.    When the first order of business is simply to secure a particular asset, like an email or the attachment in that email, encryption can provide immediate protection of that sensitive information. Depending on the solution, it can work at rest or in-transit. It’s also a long-standing technology that’s widely used, especially when fulfilling particular compliance mandates. Finally, it tends to be inexpensive compared to other solutions, simply because it’s providing a very targeted and specific technology, as opposed to a more comprehensive data loss prevention solution.   However, we’ve learned from our customers and based on where the market is headed in terms of preventing sensitive data exfiltration that more and more, organizations are actually shifting away from encryption for a variety of reasons (more on this below).   Industry experts also see the severe limitations of encryption in email security.    As Gartner® states in the 2021 Email Security Market Guide, “Although email encryption has been available for many years, the workflow is often very poor, meaning open rates of encrypted emails are historically low. Authenticating the recipient has always been the challenge, requiring users to create new accounts on messaging portals and leading to very poor open rates. With the widespread adoption of cloud email, authenticating users that are on the same platform (e.g. Microsoft 365) has simplified the process, but as soon as recipients are on different platforms, the issue remains.   A number of vendors focused on email data protection are looking to address this with simplified workflows and second-factor authentication. Secure messaging portals that store sensitive information separate from email is one solution, but that raises questions over data residency and where the keys are stored.”

Looking at Encryption? Consider these issues first…   Encryption can give a false sense of security   Back in 2011, Lockhead Martin’s servers were hacked. It was reported extensively in the press and was characterized as “significant and tenacious”. The press reported that hackers gained access using stolen SecurID tokens from the security company, RSA.    In other words, hackers simply gained access to the private keys so they could access Lockheed Martin’s servers. Encryption is only as strong as the solution used to secure the credentials to those encrypted assets.   Encryption does NOT solve for accidental data loss   Encryption itself doesn’t prevent sharing emails to wrong parties or sending wrong attachments. It also doesn’t solve the root cause of many data loss incidents — sending information to unauthorized or unintended recipients. The recipients of encrypted emails, including incorrect recipients, are free to decrypt encrypted emails by requesting a one time password to view the information. Encryption requires end users to set policies and access rights which can be error prone and disruptive   File encryption requires that the end user define the policies and access rights to every file they attach to their emails. This is often a huge list of options, including view only, block printing, block sending, and time bombs, and many other policies.Naturally, users find this process cumbersome as it hinders their ability to collaborate and communicate through email effectively.   Encryption doesn’t work for Insider Threats Just as we saw in the Lockheed Martin example, the viability of encryption is often dependent on the security of the credentials used to access the encrypted assets. This is exactly what Edward Snowden did:He simply compromised the credentials of the admins who had access to the encrypted assets.    The bottom line   While security leaders have to consider the loop holes above, perhaps the most important aspect to consider with legacy encryption is its inability to engage the end user in any meaningful way. In other words, the context of the data and attachments in emails is never thoroughly examined, so it’s not addressing the root cause of data loss.    Instead, cumbersome solutions like encryption are used, which don’t account for unknown anomalies, or consider the friction and latency it produces when implemented. To prevent today’s email security incidents, your security controls must address the root cause of data loss — human behavior. This is why Gartner recommends adopting cloud native email security solutions that address data loss, by leveraging context-aware machine learning (ML) — able to detect threats and anomalies, while at the same time educating the end-user on email security best practice.   Tessian was included in the report as a Representative vendor. Here’s why:   Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness  Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements. Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI     Want to learn more about how Tessian compares to legacy solutions? This whitepaper provides an extensive comparison document that covers a variety of legacy security solutions, including encryption, Secure Email Gateways (SEGs), Legacy Data Loss Prevention, Network and Perimeter Security, DMARC, and many others. 

Tessian is honored to be recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security. According to Gartner the “continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.”

The key findings listed in this Market Guide for Email Security    According to this report, “the adoption of cloud email systems continues to grow, forcing security and risk management leaders to evaluate the native capabilities offered by these providers”. The report further states “solutions that integrate directly into cloud email via an API, rather than as a gateway, ease evaluation and deployment and improve detection accuracy, while still taking advantage of the integration of the bulk of phishing protection with the core platform.”    The report also states that “ransomware, impersonation, and account takeover attacks are increasing and causing direct financial loss, as users place too much trust in the identities associated with email inherently vulnerable to deception and social engineering.”    Gartner recommends that the security and risk managers for email security should:   “Use email security solutions that include anti-phishing technology for business email compromise (BEC), protection that uses AI to detect communication patterns and conversation-style anomalies, as well as computer vision for inspecting suspect URLs.”  “Consider products that also include context-aware banners to help reinforce security awareness training.” “Invest in user education and implement standard operating procedures for handling financial and sensitive data transactions commonly targeted by impersonation attacks. Remove as many targeted ad hoc processes from email as possible.”   This report highlights trends that we believe Tessian is also seeing.    Historically, companies around the globe were deploying the Tessian platform to augment the shortcomings of their Secure Email Gateways (SEGs). Customers needed a more comprehensive solution that would stop the real nasty stuff like zero-day attacks and ransomware, and that was able to detect and stop the threats that often slip past their SEGs such as business email compromise (BEC), account takeover (ATO), spear phishing, and impersonation attacks.   Tessian’s recent Spear Phishing Threat Landscape 2021 Report examined emails from July 2020 – July 2021, and discovered nearly 2,000,000 emails slipped through SEGs.   An interesting shift we’ve observed over the past nine months is that we’re seeing more and more customers leveraging the enhancements made by Microsoft along with the Tessian platform to replace their SEG. We expect that trend to accelerate in 2022.   Gartner predicts that “by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG), up from 27% in 2020.”     Tessian’s approach Tessian is a leading cloud email security platform that intelligently protects organizations against advanced threats and data loss on email, while coaching people about security threats in-the-moment. Using machine learning and behavioral data science, Tessian automatically stops threats that evade legacy Secure Email Gateways, including advanced phishing attacks, business email compromise, accidental data loss and insider threats. Tessian’s intelligent approach not only strengthens email security but also builds smarter security cultures in the modern enterprise. Built as a cloud-native platform, Tessian integrates seamlessly with O365, Google Workspace, and MS Exchange environments within minutes, learns in hours, and starts protecting in a day closing the critical gaps in the email security stack.      

Tessian is honored to be recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security. According to Gartner the “continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.”

The Tessian differentiators:  Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness  Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements. Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI  

Tessian solutions: Tessian Defender is a comprehensive inbound email security solution that automatically prevents a wide range of attacks that bypass Secure Email Gateways (SEGs) while providing in-the-moment training to drive employees toward secure email behavior.  Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails. Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity. Tessian Architect is a powerful policy engine for real-time email data loss prevention. It features a combination of classic elements of DLP policies that provide custom protection against sensitive data loss. To learn more about how Tessian can help strengthen your email security posture, book a demo now.    

Gartner, “Market Guide For Email Security”, Mark Harris, Peter Firstbrook, Ravisha Chugh, Mario de Boer, October 7, 2021. Gartner Disclaimer: GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Legacy Data Loss Prevention is quickly becoming an antiquated technology that isn’t evolving to meet the needs of enterprise organizations. Most of these solutions rely heavily on rules, create massive overhead for admin teams, and typically require constant manual fine-tuning to manage the myriad of false alerts.  And even with legacy DLP in place, data breaches continue to happen.  Perhaps the most important aspect to consider with legacy data loss prevention, is that static policies are often not as effective as we need them to be. They tend to be severely limited, and often restrict employees far more than what is necessary. These cumbersome solutions are based on known signatures, which don’t account for unknown anomalies, or consider the friction and latency they produce when implemented.  Here at Tessian, we believe that the next generation of Data Loss Prevention is fundamentally about shifting away from a static, rules-based approach, to a dynamic, behavioral approach that can address the specific context of each potential incident.  We have seen first hand how Data Loss Prevention has become too reliant on static rules and places far too much burden on admin to identify, investigate and remediate sensitive data loss. That’s why we built Guardian and Enforcer, to automatically prevent both accidental data loss and sensitive data exfiltration to unauthorized accounts.  However, we have also seen that custom policies, when combined with dynamic behavioral analysis, plays an important role for an organization’s DLP strategy. When policies are used, they should be intelligent where applicable, be easy to configure and manage, and leverage end-user remediation to reduce administrative burden. Now with Tessian Architect, enterprises can now deploy powerful intelligent DLP policies. Architect completes Tessian Guardian and Enforcer and provides the market’s best-in-class Email DLP platform.

Here Are Some of the Top Use Cases Architect Can Address Detect hidden content in Excel spreadsheets to prevent accidental disclosure of sensitive data Use regular expressions to detect specific data types and identify high severity breaches by defining unique match thresholds (e.g. more than 5 unique records) Warn on sensitive attachments without Microsoft Information Protection labels, and detect when attachments labelled as ‘Confidential’ are sent to unauthorized accounts Educate and remind users when a sensitive attachment has been labelled as ‘Public’ or ‘General’  Set up intelligent information barriers to prevent sensitive data sharing between teams Detect PII/PHI shared externally in bulk Detect financial data such as credit card numbers and bank account numbers Detect unencrypted personal health information shared externally Block attachments containing high volumes of PII from being sent to unauthorized accounts Use Architect to migrate and simplify DLP policies from legacy tools and consolidate related policies using powerful logic blocks. Use Architect to enhance rule-based legacy DLP policies with machine learning such as Tessian’s sensitivity algorithm and minimise the number of false positives

How Does Tessian Architect Work? Let’s take a deeper look at the product.  Create Custom Policies or Deploy Pre-built Tessian DLP Policies These new DLP capabilities allow administrators to quickly and easily build DLP policies to meet basic and advanced data loss requirements, including establishing and maintaining regulatory compliance.  Choose from pre-built policies that solve for your specific use cases or industry requirements, or build your own policies to meet your unique organization’s needs. Use community policies to adopt best practices sources from industry leaders in the Tessian Network. Policies may contain any number of DLP conditions and can be simple or complex, rely entirely on machine learning, basic rules, or both. Testing, tuning and rolling out policies can be done within hours, not days, weeks, or months. Test a policy change in production in as little as one minute. 

Analyze Email DLP Policy Performance Across Your Security Environment Quickly view real-time policy performance and determine what types of data loss are most prevalent in your organization. Insights are provided such as the number of data loss events detected, as well as information about those data loss incidents within specified time periods.

Policy Editor Provides Maximum Protection for Sensitive Data Build advanced, nested-logic policies and consolidate multiple policies that are related to similar topics. This is needed for advanced use cases to allow companies to consolidate and simplify policies as they’re migrating legacy DLP policies.

Integrate with Any Data Classification System, including Microsoft Information Protection (MIP)  Combine the machine learning and behavioral approach of Tessian with Microsoft Information Protection and data classification to further protect against sensitive data loss. Tessian detects sensitive attachments without Microsoft Information Protection labels. In addition, Tessian will also detect when data labeled “confidential” is about to be sent to unauthorized parties.

In-the-Moment Educational Warnings to Stop Accidental Data Loss and Sensitive Data Exfiltration in Real-Time Tessian warnings act as in-the-moment training for employees, continuously educating them about exfiltration, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time.

Benefits of Tessian Architect 1. Automatically Stop Sensitive Data Exfiltration to Unauthorized Parties: Whether it’s an employee negligently sending emails to unauthorized or personal accounts, or individuals maliciously stealing company intellectual property, Tessian automatically stops sensitive data from being sent to any unauthorized recipients. 2. Automated and Pre-built DLP Policies: Take the guesswork out of building DLP policies with Tessian’s policy library, with the flexibility to build your own to adhere to your organization’s unique data protection requirements. 3. Reduce Admin Burden by Order of Magnitude: Reduce admin overhead with end-user remediation and powerful policy logic that simplifies DLP configurations. Cut through noisy DLP alerts and gain new visibility of high severity incidents and anomalous activity. 4. Ensure Regulatory Compliance: Protect against non-compliant activity and prevent users from sharing confidential data with non-business, personal addresses /unauthorized recipients; track and block compliance breaches in real-time. 5. Clear ROI: Many solutions simply report on data loss events; they don’t actually reduce sensitive data exfiltration and risk to the organization. Tessian is different. Security leaders can easily build and deploy DLP policies and show how those policies are proactively helping to improve the organization’s security posture. The benefit? You’ll become a trusted partner across your organization.

Learn more about Data Loss Prevention for the Human Layer  Tessian uses behavioral analysis to address the problem of accidental or intentional data loss by applying human understanding to data exfiltration incidents. Guardian: Automatically prevents accidental data loss via misdirected emails and misattached files. No rules required. Enforcer: Automatically prevents data exfiltration and other non-compliant activities on email  Human Layer Security Intelligence: Comprehensive visibility into employee risks, threat insights, and tools that enable rapid threat investigation and proactive risk mitigation Human Layer Risk Hub: Enables security and risk management teams to deeply understand their organization’s email security posture, including individual user risk levels and drivers Learn more about Tessian Interested in learning more about Tessian Architect? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about Tessian Architect, or book a demo now.