
Insider Risks, Compliance, Advanced Email Threats
September Cybersecurity News Roundup
Wednesday, September 30th, 2020
We’re back with another monthly roundup of cybersecurity news. Cybercriminals have once again been busy, with several high-profile data breaches and ransomware attacks occurring throughout September. And – rather unsurprisingly – social media platforms Twitter and TikTok have made the cut for the third month running. Here are the top cybersecurity stories from September 2020, including links to further information. Need to catch up? Check out headlines from July and top stories from August on our blog.

Researchers Predict That CEOs Will Be Personally Liable for Cyber-Physical Attacks

Research and advisory firm Gartner (who recently named Tessian a Cool Vendor) predicted this month that 75% of CEOs could hold personal liability for “cyber-physical” attacks by 2024. Cyber-physical attacks aim to impact the “real world,” including critical infrastructure, internet of things devices, and healthcare equipment. Such attacks can result in physical injury and death. Gartner predicts that cyber-physical attacks will cause up to $50 billion of damage by 2023.

So what if Gartner is right? It would mean that if a company suffers a cyberattack resulting in physical harm — and it turns out that the company has not implemented appropriate cybersecurity measures — the company’s CEO could have to pay fines with their own money.

Gartner’s research tells us what every effective business leader already knows — an effective cybersecurity program is an essential requirement for every organization. If a cyberattack occurs, the buck stops with the company’s senior executives.

Argentinian Government Faces $4 Million Ransom Following Cyberattack

On September 6, Argentina temporarily stopped allowing people to cross its borders after the Netwalker ransomware hit the country. The attackers encrypted government migration data and demanded 355 Bitcoins (around $4 million) to decrypt it. This cyberattack led to chaos across border checkpoints — but the Argentinian government told domestic news website Infobae that it had no intention of negotiating with the hackers.

Ransomware continues to cause havoc worldwide, and it appears the problem is only getting worse. Research by SonicWall recorded approximately 121 million ransomware attacks in the first half of 2020.

Personal Information of 46,000 US Military Veterans Breached

The US Veterans Association (VA) announced this month that the personal information of around 46,000 military veterans had been “accessed by unauthorized users.” The cybercriminals aimed to “divert payments” intended for healthcare providers. The VA’s financial services team wrote to the affected individuals to advise on how to mitigate the effects of the breach and offer free access to credit monitoring services.

The VA serves veterans all over the US. Strict new data breach laws in several jurisdictions — including New York, Washington DC, and Oregon — mean that the VA could face huge fines given the breach’s context. Want to know more about US data security laws? Read our guidance for security leaders.

75% of IT Leaders Believe the Future of Work Is Hybrid

In a new report – The Future of Hybrid Working – Tessian reveals that IT leaders and employees both believe the future of work will be remote or hybrid. But it’s clear this shift won’t be easy. Check out some of the key stats below:

82% of IT leaders believe employees are at greater risk of phishing attacks when working remotely
Over a third of IT leaders are worried that their teams will be stretched too far in terms of time and resources
Half of employees have been working on their personal devices since March 2020
Nearly 75% of employees said they received a phishing email while working on a personal device between March and July 2020, and 68% admitted to clicking a link or downloading an attachment within that email
78% of IT leaders think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure

Read the full report to learn more and to understand how businesses can balance flexibility and security without draining IT teams’ resources.

Thousands of COVID-19 Patients’ Data Leaked Due to “Human Error”

A massive data breach occurred in Wales this month when the personal information of 18,105 coronavirus patients was leaked following an “individual human error.” The breach affected every Welsh resident who tested positive for COVID-19 between February 27 and August 30. Public Health Wales said that the data included the “initials, date of birth, geographical area, and sex” of the affected individuals. For nearly 11% of people, though, the data also included the name of the nursing home or other healthcare setting in which the individual lived. The data was uploaded onto a public server, where it was accessible and searchable for around 20 hours. It was viewed 56 times throughout this period.

Human error is a key cause of data breaches. Statistics show that around 88% of data breaches start with human error, and almost half of all employees believe they have made an error at work leading to security repercussions.

Chinese Company Holds Data About 2.4 Million Influential People

An academic at Fulbright University, Vietnam, has uncovered a vast Chinese database containing personal information of around 2.4 million people and their families. It looks like these individuals are “people of interest” to the Chinese Communist Party (CCP). The company responsible for maintaining this huge database “provides big data analytics as well as other functionality to support Chinese military and intelligence analysts,” according to a research paper. The research also suggests that the CCP uses the data for “intelligence, military, security, and state operations in information warfare and influence targeting.”

The database is believed to provide a way for the CCP to influence people in target sectors. It may be one of many such databases maintained by Chinese companies. Much of the information in the database has been gleaned from publicly available sources.

The Chinese database is yet another important reason you should consider limiting the amount of personal information you put online. You can learn more about how hackers are using open-source recon for deepfakes and other social engineering attacks from Elvis M. Chan, Supervisory Special Agent at the FBI, and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, who both joined us at Tessian Human Layer Security Summit. You can access their session, “Safeguarding the 2020 Elections, Disarming Deepfakes,” via HLS On-Demand.

Twitter Provides Enhanced Security for US Election

Following its spear phishing incident this July, Twitter has announced enhanced account security for certain “high-profile accounts” throughout the US election. Twitter said that various types of accounts, including those belonging to US politicians, campaign officials, and political journalists, would receive the security enhancements from September 17. So what’s changing?

First, affected users must create “strong passwords” of at least ten characters in length. They will need to confirm password reset requests via email. The affected users will also be “strongly encouraged” to enable two-factor authentication (2FA).

But that’s not all. Recall that the July spear phishing incident involved “internal support tools” — it wasn’t primarily an issue with users’ account passwords. To address this, Twitter also states that it will improve internal monitoring of the affected accounts, including by using “more sophisticated detections and alerts,” “increased login defenses,” and “expedited account recovery” processes. Want to know how to avoid the issues Twitter faced this July? Read our guidance on “vishing” attacks.

UHS Hospitals Hit by Reported Country-Wide Ryuk Ransomware Attack

On September 27, Universal Health Services (UHS) – a Fortune 500 hospital and healthcare services provider that serves 3.5 million patients a year – was the target of a cyberattack that disabled multiple antivirus programs and left hospitals around the country without access to computer and phone systems. According to employees, files were being renamed to include the .ryk extension, and computers’ screens changed and – eventually – shut down, leaving them without access to anything computer-based. In response to the attack, employees were told to shut down all systems to block attackers from reaching more devices on the network. While UHS hasn’t made a statement, the logistics of the incident suggest ransomware. That means patient and employee data is at risk.

Energy Companies Advised to Create Cyberattack Response Plans

The US Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) have released a report advising energy providers on creating an Incident Response and Recovery (IRR) plan for cyberattacks. The report is based around an existing cybersecurity framework: the National Institute of Standards and Technology (NIST) Special Publication 800-61, also known as the Computer Security Incident Handling Guide.

Governments appear to be increasingly concerned about the cybersecurity of critical infrastructure. This concern is well-founded — in 2019, 90% of security professionals surveyed across the utilities, energy, health, and transport sectors reported that their organizations had faced at least one successful cyberattack. Much of the advice to energy providers is good practice across all sectors. FERC and NERC recommend a four-part framework, consisting of security controls relating to preparation, detection and analysis, containment and eradication, and post-incident activity.

UK Agency Warns Schools and Universities About Ransomware Attacks

As students worldwide return to schools, colleges, and universities, education providers are most concerned with defending against a COVID-19 outbreak. But the UK’s National Cyber Security Centre (NCSC) gave a stark warning about a different type of threat: ransomware. The NCSC’s alert describes “recent trends observed in ransomware attacks” targeting the education sector, which the agency says are increasingly common. The guidance follows a series of ransomware attacks against universities in the UK, US, and Canada this July.

The agency warns that cybercriminals are exploiting out-of-date software and are accessing remote desktop protocol (RDP) software using credentials stolen via phishing attacks. It also warns that phishing emails are being used to deploy ransomware. So how does the NCSC recommend education providers protect themselves? The same ways all cyber-secure organizations protect themselves — including “disrupting ransomware attack vectors” by implementing phishing defenses, and “enabling effective recovery” by keeping backups of data. Implementing DMARC is also essential to prevent brand impersonation and successful spear phishing attacks. And, according to Tessian research, 40% of the top 20 US universities aren’t using DMARC records.

TikTok Ban Delayed Following ByteDance Sale

On September 21, US President Trump said he had approved the sale of part of ByteDance, the parent company of video-sharing platform TikTok, to Oracle and Wal-Mart. The deal temporarily averts harsh restrictions on TikTok set out by the US Department of Commerce three days earlier. The sale results from an executive order issued by President Trump in August, stating that the TikTok app “captures vast swaths of information from its users, including… location data and browsing and search histories.” TikTok maintains that this activity is standard industry practice.

The US companies could take a collective 20% stake in ByteDance, with Oracle hosting TikTok user data in Oracle Cloud. Some analyses suggest that security-conscious nations and businesses are increasingly likely to implement these sorts of “data localization” measures. Trump had previously assured the public that TikTok would be “totally controlled” by the US firms; at a press conference, the president said the companies would be using “separate clouds and very, very powerful security.”

That’s all for this month. If we missed anything, please email madeline.rosenthal@tessian.com and stay tuned for the next roundup.
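The NCSC story above recommends DMARC against brand impersonation, and the Tessian figure counts universities with no DMARC record at all. Publishing a record is only the first step: a record with p=none merely monitors, and pct or sp tags can quietly weaken one that looks enforced. The following is an added example, written for this page and not code from Tessian or the NCSC, that parses a DMARC TXT record and grades how much protection it actually enforces. The domains and records are constructed samples; a live audit would fetch the TXT record at _dmarc.<domain> over DNS, which is assumed rather than done here so the script runs offline.

```python
"""Grade DMARC TXT records by how much protection they actually enforce.

Added example, not Tessian's or the NCSC's code. The records are constructed
samples keyed by made-up domains; a live audit would fetch the TXT record at
_dmarc.<domain> over DNS (assumed, not done here) so the script runs offline.
"""
from collections import Counter

# Constructed sample records (None means no _dmarc TXT record is published).
SAMPLE_RECORDS = {
    "example-a.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-a.test",
    "example-b.test": "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:reports@example-b.test",
    "example-c.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@example-c.test",
    "example-d.test": "v=spf1 include:_spf.example.net -all",  # an SPF record, not DMARC
    "example-e.test": None,
}

VALID_POLICIES = ("none", "quarantine", "reject")  # weakest to strongest


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names.

    Returns None when the text is absent or is not a DMARC record (v != DMARC1).
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(record):
    """Return (verdict, findings) for one record.

    verdict: missing | invalid | monitor-only | partial | enforced.
    findings: reasons the record falls short of fully enforced protection.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no DMARC record (v=DMARC1) published"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", ["p tag missing or not one of none/quarantine/reject"]

    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")

    # pct defaults to 100; a lower value leaves a share of failing mail unfiltered.
    pct_raw = tags.get("pct", "100")
    if pct_raw.isdigit() and int(pct_raw) <= 100:
        if int(pct_raw) < 100:
            findings.append(f"pct={pct_raw}: policy applied to only {pct_raw}% of failing mail")
    else:
        findings.append(f"pct={pct_raw} is not a whole number from 0 to 100")

    # sp covers subdomains and inherits p when absent; a weaker sp leaves them spoofable.
    sub = tags.get("sp", policy).lower()
    if sub not in VALID_POLICIES:
        findings.append(f"sp={sub} is not a valid policy")
    elif VALID_POLICIES.index(sub) < VALID_POLICIES.index(policy):
        findings.append(f"sp={sub} is weaker than p={policy}; subdomains can be spoofed")

    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will never arrive")

    if policy == "none":
        return "monitor-only", findings
    return ("partial" if findings else "enforced"), findings


def summarize(records):
    """Count verdicts across a set of domains, as a domain-level audit would report."""
    return Counter(assess(rec)[0] for rec in records.values())


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        verdict, findings = assess(rec)
        print(f"{domain}: {verdict}")
        for finding in findings:
            print(f"    - {finding}")
    print(dict(summarize(SAMPLE_RECORDS)))
```

Run against the samples, only example-c.test comes out as enforced; example-b.test publishes a record yet still lets half of failing mail through and leaves its subdomains unprotected, which is the kind of gap a "has a DMARC record" tally misses.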
Insider Risks, Email DLP, Compliance, Advanced Email Threats
Compliance in the Legal Sector: Laws & How to Comply
Wednesday, September 16th, 2020
Thanks to digital transformation and increasingly strict data security obligations, law firms’ business priorities are changing. Today, data protection, transparency, and privacy are top-of-mind. It makes sense. Keep reading to find out:

Why the legal sector is bound to such strict compliance standards
Which regulations govern law firms
How cybersecurity can help ensure compliance

Interested in learning more about regional compliance standards or those that impact other industries? Check out our Compliance Hub to find articles, tips, guides, and more, or download our CEO’s Guide to Data Protection and Compliance to learn more about how cybersecurity enables business and drives revenue.

Why is the legal sector bound to strict compliance standards?

Lawyers’ hard drives, email accounts, and smartphones can contain anything from sensitive intellectual property and trade secrets to the Personally Identifiable Information (PII) of clients. Unfortunately, hackers and cybercriminals are all too aware of this. It’s no surprise, then, that the legal sector is amongst the most targeted by social engineering attacks like spear phishing. Ransomware is a big problem, too. In fact, just a few months ago, Grubman Shire Meiselas & Sacks, a prominent media law firm, had its client information compromised. Those behind the attack later threatened to auction some of these files concerning major celebrities for as much as $1.5 million unless the firm paid a $42 million ransom.

But it’s not just inbound attacks that law firms have to worry about. Because the legal sector is highly competitive, incidents involving Insider Threats are a concern, too. 96% of IT leaders working in the legal sector say they’re worried that someone within the organization will cause a breach, either accidentally (via a misdirected email, for example) or maliciously.

The regulations governing law firms

When it comes to data protection and privacy, the legal sector is subject to a relatively strict regulatory framework, both under the law and under rules imposed by professional bodies. Depending on where a firm is based and what its practice areas are, it can be subject to several stringent laws and regulations. This is especially true for firms operating in major markets like the United States, the United Kingdom, and the European Union. In this article, we’ll focus on some of the more general regulations and standards that all firms operating in these markets are expected to abide by.

General Data Protection Regulation (GDPR)

When the GDPR was introduced in 2018, it represented the largest change to data protection legislation in almost two decades. It also contains some of the most thorough compliance obligations for law firms and indeed any other entity that collects, stores, and processes data. The GDPR has been designed to help and guide organizations with a legitimate business interest as to how personal data should be handled, and gives regulators the power to impose large fines on firms that aren’t compliant. You can read more about the largest GDPR fines (so far) in 2020 on our blog.

What is the GDPR’s purpose?

The GDPR was introduced amid growing concerns surrounding the safety of personal data and the need to protect it from hackers, cybercrime, Insider Threats, unethical use, and the growing attack surface. Essentially, it gives citizens full and complete control of their data, subject to some restrictions (for example, where data must be held by firms by law).

What is the scope of the GDPR?

The legislation regulates the use of ‘personal data’ and applies to all organizations located within the EU, as well as organizations outside the EU who offer their goods or services to EU citizens. It also applies to organizations that hold data pertaining to EU citizens, regardless of their location.

What should law firms know about the GDPR?

The main part of the GDPR that law firms should be paying attention to is Article 5. This sets out the principles relating to the collection and processing of personal data. The six key principles are that personal data:

Should be processed lawfully, fairly and in a transparent manner;
Should only be collected for legitimate purposes;
Should be limited to what’s necessary in relation to the purpose(s) for which it’s processed;
Must be accurate and kept up to date, with any inaccurate data erased or rectified;
Should not be held for longer than is necessary for its purposes*; and
Should be held with adequate security against theft, loss, and/or damage.

The GDPR also gives your clients the right to ask for their data to be removed (‘right of erasure’) without the need for any outside authorization. *Note: Data can only be kept contrary to a client’s wishes to ensure compliance with other regulations.

What should a firm do in the event of a breach?

Before GDPR, law firms could follow their own protocols when dealing with a data breach. But now, the GDPR forces firms to report any data breaches, no matter how big or small they are, to the relevant regulatory authority within 72 hours. In the UK, for example, the regulatory authority is the Information Commissioner’s Office (ICO). The notification must contain:

Relevant details regarding the nature of the breach;
The approximate number of people impacted; and
Contact details of the firm’s Data Protection Officer (DPO).

Clients who have had their personal data compromised must also be notified of the breach, the potential outcome, and any remediation “without undue delays”.

It’s important to note that breaches aren’t always the result of malicious activity by an Insider Threat or a hacker outside the organization. Even accidents can result in breaches. In fact, misdirected emails (emails sent to the wrong person) have consistently been one of the most frequently reported incidents to the ICO. That’s why it’s essential law firms (and other organizations) have safeguards in place to prevent mistakes like these from happening. Looking for a solution? Tessian Guardian prevents misdirected emails in some of the world’s most prestigious law firms, including Dentons, Hill Dickinson, and Travers Smith.

What are the penalties for non-compliance?

Financial penalties imposed for GDPR violations can be harsh, and they often are; regulatory authorities are keen to highlight just how important the GDPR is and how seriously it should be taken. Fines for non-compliance can be as high as 4% of annual global turnover or €20 million—whichever is higher.

American Bar Association Rule 1.6

Rule 1.6 governs the confidentiality of client information. It states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Simply put, lawyers must make efforts to protect the data of their clients.

Two years ago, the American Bar Association issued new guidance in the form of Formal Opinion 483. This covers the importance of data protection and how firms should act when, not if, a security breach happens. This wording demonstrates that the ABA recognizes that breaches are part and parcel of firms operating in the modern world, and the statistics confirm this. In essence, Formal Opinion 483 states:

Lawyers have a duty of competence in implementing adequate security measures regarding technology.
Lawyers must reasonably and continuously assess their systems, operating procedures, and plans for mitigating a breach.
In the event of a suspected or confirmed breach, lawyers must take steps to stop the attack and prevent any further loss of data.
When a breach is detected and confirmed, lawyers must inform their clients in a timely manner and with enough information for clients to make informed decisions.

The bottom line: law firms must protect data with cybersecurity.

Solicitors’ Regulation Authority Code of Conduct

In the UK, solicitors are obliged under the Solicitors’ Regulation Authority (SRA) Code of Conduct to maintain effective systems and mitigate risks to client confidentiality and client money. Solicitors are also obliged to ensure systems comply more broadly with the SRA’s other regulatory arrangements. The SRA says that, although being hacked or falling victim to a data breach is not necessarily a failure to meet these requirements, firms should take proportionate steps to protect themselves and their clients while retaining the advantages of advanced IT.

Where a report of cybercrime (note: crime, not a loss that takes place due to negligence) is received, the SRA takes a constructive approach in dealing with the firm, especially if the firm:

Is proactive and immediately notifies the SRA.
Has taken steps to inform the client and, as a minimum, make good any loss.
Shows they are taking steps to improve their systems and processes to reduce the risk of a similar incident happening again.

That means that, under the SRA’s Code of Conduct, law firms should take steps to prevent inbound attacks like spear phishing and set up policies and processes that ensure swift reporting. The good news is, Tessian can help with both inbound attacks and Insider Threats, and has a history of successfully protecting law firms around the world from both.

How Tessian helps law firms stay compliant

Across all three of the regulations listed here, there’s one commonality: law firms are responsible for ensuring that their IT systems and processes are robust and secure enough to keep data safe and mitigate the chance of a breach taking place. But that’s easier said than done, especially in our dynamic and digitally connected world where threats are ever-evolving. So, where should law firms start? Email. 90% of all data breaches start on email, and it’s the threat vector IT leaders are most concerned about protecting. That’s why Tessian is focused on protecting this channel. Across three solutions, Tessian detects and prevents threats using machine learning, which means it’s constantly adapting without requiring maintenance from thinly stretched security teams.

Tessian Defender detects and prevents spear phishing
Tessian Guardian detects and prevents accidental data loss via misdirected email
Tessian Enforcer detects and prevents data exfiltration attempts from Insider Threats

Importantly, Tessian is non-disruptive. That way, partners, lawyers, and administrators can do their jobs without security getting in the way. Tessian stops threats, not business. To learn more about how Tessian helps law firms like Dentons, Hill Dickinson, and Travers Smith protect data, maintain client trust, and satisfy compliance standards, talk to one of our experts.
Integrated Cloud Email Security, Customer Stories, Insider Risks, Email DLP, Compliance, Advanced Email Threats
18 Actionable Insights From Tessian Human Layer Security Summit
by Tessian Wednesday, September 9th, 2020
In case you missed it, Tessian hosted its third (and final) Human Layer Security Summit of 2020 on September 9. This time, we welcomed over a dozen security and business leaders from the world’s top institutions to our virtual stage, including:

Jeff Hancock from Stanford University
David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec
Merritt Baer, Principal Security Architect at AWS
Rachel Beard, Principal Security Technical Architect at Salesforce
Tim Fitzgerald, CISO at Arm
Sandeep Amar, CPO at MSCI
Martyn Booth, CISO at Euromoney
Kevin Storli, Global CTO and UK CISO at PwC
Elvis M. Chan, Supervisory Special Agent at the FBI
Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”
Joseph Blankenship, VP Research, Security & Risk at Forrester
Howard Schultz, Former CEO at Starbucks

While you can watch the full event on YouTube below, we’ve identified 18 valuable insights that security, IT, compliance, and business leaders should apply to their strategies as they round out this year and look forward to the next. Here’s what we learned at Tessian’s most recent Human Layer Security Summit. Not sure what Human Layer Security is? Check out this guide, which covers everything you need to know about this new category of protection.

1. Cybersecurity is mission-critical

Security incidents – whether it’s a ransomware attack, brute force attack, or data leakage from an insider threat – have serious consequences. Not only can people lose their jobs, but businesses can lose customer trust, revenue, and momentum. While this may seem obvious to security leaders, it may not be so obvious to individual departments, teams, and stakeholders. But it’s essential that this is communicated (and re-communicated). Why? Because a company that’s breached cannot fulfill its mission. Keep reading for insights and advice around keeping your company secure, all directly from your peers in the security community.

2. Most breaches start with people

People control our most sensitive systems and data. It makes sense, then, that most data breaches start with people. But that doesn’t mean employees are the weakest link. They’re a business’ strongest asset! So, it’s all about empowering them to make better security decisions. That’s why organizations have to adopt people-centric security solutions and strategies. The good news is, security leaders don’t face an uphill battle when it comes to helping employees understand their responsibility when it comes to cybersecurity…

3. Yes, employees are aware of their duty to protect data

Whether it’s because of compliance standards, cybersecurity headlines in mainstream media, or a larger focus on privacy and protection at work, Martyn Booth, CISO at Euromoney, reminded us that most employees are actually well aware of the responsibility they bear when it comes to safeguarding data. This is great news for security leaders. It means the average employee will be more likely to abide by policies and procedures, will pay closer attention during awareness training, and will therefore contribute to a more positive security culture company-wide. Win-win.

4. But, employees are more vulnerable to phishing scams outside of their normal office environment

While – yes – employees are more conscious of cybersecurity, the shift to remote working has also left them more vulnerable to attacks like phishing scams. “We have three ‘places’: home, work, and where we have fun. When we combine two places into one, it’s difficult psychologically. When we’re at home sitting at our coffee table, we don’t have the same cues that remind us to think about security that we do in the office. This is a huge disruption,” Jeff Hancock, Professor at Stanford University, explained.

Unfortunately, hackers are taking advantage of these psychological vulnerabilities. And, as David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, pointed out, this isn’t anything new. Cybercriminals have always been opportunistic in their attacks and therefore take advantage of chaos and emotional distress. To prevent successful opportunistic attacks, he recommends that you:

Reassess what the new baseline is for attacks
Educate employees on what threats look like today, given recent events
Identify which brands, organizations, people, and departments may be impersonated (and targeted) in relation to the pandemic

But it’s not just inbound email attacks we need to be worried about.

5. They’re more likely to make other mistakes that compromise cybersecurity, too

This change to our normal environment doesn’t just affect our ability to spot phishing attacks. It also makes us more likely to make other mistakes that compromise cybersecurity. Across nearly every session, our guest speakers said they’ve seen more incidents involving human error and that security leaders should expect this trend to continue. That’s why training, policies, and technology are all essential components of any security strategy. More on this below.

6. Security awareness training has to be ongoing and ever-evolving

At our first Human Layer Security Summit back in March, Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, highlighted three key flaws in security awareness training:

It’s boring
It’s often irrelevant
It’s expensive

What he said is still relevant six months on, and it’s a bigger problem than ever, especially now that the perimeter has disappeared, security teams are short-handed, and individual employees are working at home and on their own devices. So, what can security leaders do? Kevin Storli, Global CTO and UK CISO at PwC, highlighted the importance of tailoring training to ensure it’s always relevant. That means that instead of just reminding employees about compliance standards and the importance of a strong password, we should also be focusing on educating employees about remote access, endpoints, and BYOD policies. But one training session isn’t enough to make security best practice really stick. These lessons have to be constantly reinforced through gamification, campaigns, and technology.

Tim Fitzgerald, CISO at Arm, highlighted how Tessian’s in-the-moment warnings have helped his employees make the right decisions at the right time. “Warnings help create that trigger in their brain. It makes them pause and gives them that extra breath before taking the next potentially unsafe step. This is especially important when they’re dealing with data or money. Tessian ensures they question what they’re doing,” he said.

7. You have to combine human policies with technical controls to ensure security

It’s clear that technology and training are both valuable. That means your best bet is to combine the two. In discussion with Ed Bishop, Tessian Co-Founder and CTO, Merritt Baer, Principal Security Architect at AWS, and Rachel Beard, Principal Security Technical Architect at Salesforce, both highlighted how important it is for organizations to combine policies with technical controls. But security teams don’t have to shoulder the burden alone. When using tools like Salesforce, for example, organizations can really lean on the vendor to understand how to use the platform securely. Whether it’s 2FA, customized policies, or data encryption, many security features will be built in.

8. But…Zero Trust security models aren’t always the answer

While – yes – it’s up to security teams to ensure policies and controls are in place to safeguard data and systems, too many policies and controls could backfire. That means that “Zero Trust” security models aren’t necessarily the best way to prevent breaches.

9. Security shouldn’t distract people from their jobs

Security teams implement policies and procedures, introduce new software, and make training mandatory for good reason. But if security becomes a distraction for employees, they won’t exercise best practice. The truth is, they just want to do the job they were hired to do! Top tip from the event: Whenever possible, make training and policies customized, succinct, and relevant to individual people or departments.

10. It also shouldn’t prevent them from doing their jobs

This insight goes back to the idea that “Zero Trust” security models may not be the best way forward. Why? Because, as Rachel, Merritt, Sandeep, and Martyn all pointed out: if access controls or policies prevent an employee from doing their job, they’ll find a workaround or a shortcut. But security should stop threats, not flow. That’s why the most secure path should also be the path of least resistance. Security strategies should find a balance between the right controls and the right environment. This, of course, is a challenge, especially when it comes to rule-based solutions. “If-then” controls are blunt instruments. Solutions powered by machine learning, on the other hand, detect and prevent threats without getting in the way. You can learn more about the limitations of traditional data loss prevention solutions in our report The State of Data Loss Prevention 2020.

11. Showing downtrending risks helps demonstrate the ROI of security solutions

Throughout the event, several speakers mentioned that preemptive controls are just as important as remediation. And it makes sense. Better to detect risky behavior before a security incident happens, especially given the time and resources required in the event of a data breach. But tracking risky behavior is also important. That way, security leaders can clearly demonstrate the ROI of security solutions. Martyn Booth, CISO at Euromoney, explained how he uses Tessian Human Layer Security Intelligence to monitor user behavior, influence safer behavior, and track risk over time. “We record how many alerts are sent out and how employees interact with those alerts. Do they follow the acceptable use policy or not? Then, through our escalation workflows that ingest Tessian data, we can escalate or reinforce. From that, we’ve seen incidents involving data exfiltration trend downwards over time. This shows a really clear risk reduction,” he said.

12. Targeted attacks are becoming more difficult to spot and hackers are using more sophisticated techniques

As we mentioned earlier, hackers take advantage of psychological vulnerabilities. But social media has turbo-charged cybercrime, enabling cybercriminals to create more sophisticated attacks that can be directed at larger organizations. Yes, even those with strong cybersecurity. Our speakers mentioned several examples, including Garmin and Twitter. So, how do they do it? Research! LinkedIn, company websites, out-of-office messages, press releases, and news articles all provide valuable information that a hacker could use to craft a believable email. But there are ways to limit open-source recon. See tips from David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, below.

13. Deepfakes are a serious concern

Speaking of social media, Elvis M. Chan, Supervisory Special Agent at the FBI, and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, took a deep dive into deepfakes. And, according to Nina, “This is not an emerging threat. This threat is here. Now.” While we tend to associate deepfakes with election security, it’s important to note that this is a threat that affects businesses, too. In fact, Tim Fitzgerald, CISO at Arm, cited an incident in which his CEO was impersonated in a deepfake over WhatsApp. The ask? A request to move money. According to Tim, it was quite compelling. Unfortunately, deepfakes are surprisingly easy to make, and generation is outpacing detection. But clear policies and procedures around authenticating and approving requests can ensure these scams aren’t successful. Not sure what a deepfake is? We cover everything you need to know in this article: Deepfakes: What Are They and Why Are They a Threat?

14. Supply chain attacks are, too

In conversation with Henry Treveleyan Thomas, Head of Customer Success at Tessian, Kevin Storli, Global CTO and UK CISO at PwC, discussed how organizations with large supply chains are especially vulnerable to advanced impersonation attacks like spear phishing. “It’s one thing to ensure your own organization is secure. But, what about your supply chain? That’s a big focus for us: ensuring our supply chain has adequate security controls,” he said. Why is this so important? Because hackers know large organizations like PwC will have robust security strategies. So, they’ll look for vulnerabilities elsewhere to gain a foothold. That’s why strong cybersecurity can actually be a competitive differentiator and help businesses attract (and keep) more customers and clients.

15. People will generally make the right decisions if they’re given the right information

88% of data breaches start with people.
But, that doesn’t mean people are careless or malicious. They’re just not security experts. That’s why it’s so important security leaders provide their employees with the right information at the right time. Both Sandeep Amar, CPO at MSCI and Tim Fitzgerald, CISO at Arm talked about this in detail.  It could be a guide on how to spot spear phishing attacks or – as we mentioned in point #6 – in-the-moment warnings that reinforce training.   Check out their sessions for more insights.  16. Success comes down to people While we’ve talked a lot about human error and psychological vulnerabilities, one thing was made clear throughout the Human Layer Security Summit. A business’s success is completely reliant on its people. And, we don’t just mean in terms of security. Howard Shultz, Former CEO at Starbucks, offered some incredible advice around leadership which we can all heed, regardless of our role. In particular, he recommended: Creating company values that really guide your organization Ensuring every single person understands how their role is tied to the goals of the organization Leading with truth, transparency, and humility
17. But people are dealing with a lot of anxiety right now Whether you’re a CEO or a CISO, you have to be empathetic towards your employees. And, the fact is, people are dealing with a lot of anxiety right now. Nearly every speaker mentioned this. We’re not just talking about the global pandemic.  We’re talking about racial and social inequality. Political unrest. New working environments. Bigger workloads. Mass lay-offs.  Joseph Blankenship, VP Research, Security & Risk at Forrester, summed it up perfectly, saying “We have an anxiety-ridden user base and an anxiety-ridden security base trying to work out how to secure these new environments. We call them users, but they’re actually human beings and they’re bringing all of that anxiety and stress to their work lives.” That means we all have to be human first. And, with all of this in mind, it’s clear that….. 18. The role of the CISO has changed  Sure, CISOs are – as the name suggests – responsible for security. But, to maintain security company-wide, initiatives have to be perfectly aligned with business objectives, and every individual department, team, and person has to understand the role they play. Kevin Storli, Global CTO and UK CISO at PwC touched on this in his session. “To be successful in implementing security change, you have to bring the larger organization along on the journey. How do you get them to believe in the mission? How do you communicate the criticality? How do you win the hearts and minds of the people? CISOs no longer live in the back office and address just tech aspects. It’s about being a leader and using security to drive value.” That’s a tall order and means that CISOs have to wear many hats. They need to be technology experts while also being laser-focused on the larger business. And, to build a strong security culture, they have to borrow tactics from HR and marketing.  The bottom line: The role of the CISO is more essential now than ever. It makes sense. 
Security is mission-critical, remember? If you’re looking for even more insights, make sure you watch the full event, which is available on-demand. You can also check out previous Human Layer Security Summits on YouTube.
Email DLP, Compliance
Ultimate Guide to The POPIA – South Africa’s Privacy Law
Thursday, September 3rd, 2020
Over the last several years, a number of generally applicable data privacy and protection laws have been rolled out around the world, starting with Europe’s General Data Protection Regulation back in 2018. Earlier this year, California released the California Consumer Privacy Act (CCPA), which took an even broader view than the GDPR of what’s considered private data. The most recent privacy law? South Africa’s Protection of Personal Information Act (POPIA).

Note: The POPIA initially passed in 2013 but spent seven years in limbo, until it finally came into effect on July 1, 2020.

It’s essential that security and business leaders understand which of these compliance standards they’re bound to comply with, how to comply, and the consequences of a compliance breach.

What businesses does the POPIA apply to?

The POPIA applies to every type of company, regardless of size, sector, or location, so long as it is either:
- Based in South Africa, or
- Based outside of South Africa, but processes personal information within South Africa (unless it is only forwarding personal information through South Africa)

That means that non-South African companies doing business in South Africa should comply with the POPIA, whether or not they have any physical presence in the country.

We have good news, though. POPIA has a one-year transition period, so all affected businesses have until July 1, 2021 to ensure compliance. After this date, the South African Information Regulator will begin enforcing the law and fining non-compliant companies.

Wondering how to ensure compliance? You can click the link to jump down the page to our section on “How to stay compliant with POPIA”. Otherwise, keep reading to find out what information is considered personal under POPIA.

What’s considered “personal information” under the POPIA?

You have to remember, compliance is all about consumer privacy. So, POPIA, like the GDPR and CCPA, mandates that businesses properly “process” personal information. This includes collecting it, erasing it, and disclosing it to any third parties.

So, what is “personal information”? The POPIA defines “personal information” as: “Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”

Within this definition:
- A “natural person” means an individual.
- An “existing juristic person” means a “legal person,” such as a corporation or charity.

Importantly, by extending the definition of “personal information” to “juristic (legal) persons,” the POPIA gains a very broad scope that would cover certain business-to-business communications, too.

Below is a non-exhaustive list of examples of personal information provided within the POPIA:

Information relating to:
- Race
- Gender
- Physical or mental health
- Belief

Information about a person’s:
- Education
- Medical history
- Financial history

Also:
- An ID number, email address, phone number, or online identifier
- Biometric information
- A person’s opinions or preferences
- Private correspondence
- Opinions about a person
- A name, if the context in which the name is disclosed would reveal something about a person

This data could be related to a business’s customers, employees, business contacts, prospective customers, and even visitors to its website.

Who’s liable under the POPIA?

We’ve already outlined which businesses need to comply with the POPIA. But what about liability? The two main players are the “responsible party” and the “operator.”

What is a “responsible party”?

A “responsible party” is a public or private body that decides why and how to process personal information. A similar concept is the “data controller” under the GDPR and the “business” under the CCPA.

What is an “operator”?

An “operator” is “a person who processes personal information for a responsible party” but is not under the responsible party’s direct authority. A similar concept is the “data processor” under the GDPR and the “service provider” under the CCPA.

Operators are directly liable under the POPIA and must treat the personal information they process as confidential, and should never disclose it without the responsible party’s authorization. In the event of a data breach, they must notify the responsible party immediately.

Responsible parties, on the other hand, must ensure they only engage with operators under a written contract (which should ensure that the operator meets the POPIA’s data security obligations). They must also monitor the operator’s activities to ensure that it meets its data security obligations.

In fewer words: everyone is responsible on some level for ensuring safe (and compliant) data processing. You may need to adjust your service contracts so that they include a requirement to safeguard personal information.

Now that you know who must comply with the POPIA, who’s liable, and what data is considered “personal”, we’ll explore perhaps the most important concept: how to lawfully process data under the POPIA.

How do I lawfully process data under the POPIA?

The POPIA provides a set of eight conditions businesses must satisfy when processing personal information. To be truly effective (and ultimately ensure compliance) these principles must be baked into your overall business operations, from cybersecurity to HR.

In brief, the eight conditions for lawful processing are:
- Accountability: You must ensure POPIA compliance in respect of all the personal information in your control.
- Lawfulness: You must only collect personal information if it is adequate and non-excessive. You must have a legally justifiable reason for collecting personal information. Where possible, you must collect personal information directly from the data subject.
- Purpose specification: You must only collect personal information for a specific purpose, and you must not store it for longer than necessary to meet that purpose.
- Further processing limitation: You may only process personal information for further purposes if they are compatible with the reason you collected it.
- Information quality: You must ensure the personal information you maintain is accurate and complete.
- Openness: You must be transparent about how you provide personal information and provide consumers with notice about how and why you process their personal information.
- Security safeguards: You must take reasonable steps to secure the personal information in your control, and you must report any data breaches as soon as reasonably possible.
- Data subject participation: You must allow data subjects to access their personal information and correct or erase any inaccurate personal information.

But there are additional requirements for particularly sensitive information.

What types of information are considered “special” under the POPIA?

Under the POPIA, particularly sensitive types of personal information are called “special personal information.” The categories of special personal information include:
- Religious or philosophical beliefs
- Race or ethnic origin
- Trade union membership
- Political persuasion
- Health or sex life
- Biometric information
- Information about criminal behavior, including alleged offenses that have been committed by the individual and proceedings that may have taken place regarding the alleged offenses

Like the GDPR, the POPIA places a general prohibition on the processing of special personal information. However, it is possible to process special personal information on the following grounds:
- With the consent of the data subject
- To exercise or defend your legal rights or obligations
- To comply with an obligation under international public law
- For historical, statistical, or research purposes in the public interest
- Where the information has been made public by the data subject

How can cybersecurity help me stay compliant with the POPIA?

We know what you’re thinking: what steps can I actually take to ensure every individual, team, and department across my organization safely processes data?

Like other compliance standards, the POPIA mandates “appropriate, reasonable technical and organizational measures” to prevent the loss of, damage to, and unauthorized access to personal information. The POPIA sets out four broad ways in which responsible parties must secure personal information:
- Identify internal and external risks
- Establish and maintain safeguards
- Regularly verify safeguards
- Continually update safeguards

The POPIA also requires responsible parties to keep up to date with any sector-specific security standards and professional regulations, and ensure any operators also apply security safeguards to personal information.

There’s a lot to unpack here. But it all comes down to data loss prevention (DLP). While you can read all about DLP in this article: What is Data Loss Prevention – A Complete Guide to DLP, we’ll outline the different “types” of DLP below.

Note: DLP does more or less the same thing wherever it is deployed – it looks for sensitive information crossing boundaries. But different DLP solutions operate in different ways depending on which “perimeter” is being guarded.

Network DLP

Network DLP protects data in motion by monitoring the traffic that enters and leaves the organization’s network. These solutions are mostly cloud-based and are designed to monitor network traffic between users and other endpoints connected through the Internet; every byte of data transmitted through the network passes through the cloud-based DLP solution.

Endpoint DLP

Endpoint DLP protects data in use on employees’ devices (computers, mobile phones) by preventing unauthorized access. How? By ensuring information isn’t taken off work devices and sent or copied to unauthorized devices, allowing or denying certain tasks to be performed on the computer. It is also able to detect and block viruses and other malware that could be transferred into your computer system from external sources, like a USB drive.

Email DLP

Email is the threat vector security and IT leaders are most concerned about. Why? Because both inbound and outbound traffic pose serious security threats. According to data from Verizon, email is the main entry point for social engineering attacks like phishing, and incidents involving Insider Threats have increased by 47% over the last two years. And we can’t forget about accidental data loss – like misdirected emails – which is actually the most frequently reported security incident under the GDPR.

Learn more about how Tessian detects and prevents both inbound and outbound threats on email to help organizations around the world stay compliant.

But organizations need more than security solutions. Under the POPIA, every public and private organization must also have an Information Officer. What are their responsibilities?
- Encouraging the organization to comply with the conditions for lawful processing
- Assisting data subjects with requests to access their personal information
- Working with the Information Regulator in the event of an investigation
- Otherwise ensuring that the organization complies with the POPIA

Once you have appointed your Information Officer, you must register them with the Information Regulator.

But what happens if DLP solutions (and your Information Officer) don’t successfully prevent data loss and a breach occurs? You have to notify relevant bodies.

What do I do in the event of a breach?

If personal information is subject to unauthorized access (i.e., a data breach occurs), responsible parties must notify:
- The Information Regulator, and
- The affected data subjects

Importantly, this must happen “as soon as reasonably possible” and should include:
- A description of the consequences of the breach
- An explanation of what the responsible party has done to contain the breach
- Advice to the data subjects regarding how to mitigate the impact of the breach
- The identity of anyone who may have accessed the personal information (if known)

This is a lot of work and one of the reasons why investigation and remediation are generally the costliest categories in an overall data breach. Which, by the way, cost organizations $3.92 million on average according to IBM’s latest Cost of a Data Breach Report.

What are the penalties under the POPIA?

Breaches of the POPIA can lead to harsh penalties brought by the Information Regulator, including:
- A fine of between 1 million and 10 million ZAR (approximately $60,000 – $600,000 USD)
- Imprisonment for a term of up to ten years
- Both a fine and a prison term

The POPIA also contains a private right of action, meaning that individual data subjects can bring a private legal claim against a responsible party. A case brought under the POPIA could lead to:
- “Actual damages,” to compensate data subjects for any losses they have incurred
- “Aggravated damages,” to compensate data subjects for the distress they have experienced

Fines, imprisonment, and lawsuits are not the only concerns for businesses processing people’s personal information in South Africa. Even small-scale data breaches can lead to a complaint being lodged with the Information Regulator. For more information about how much businesses have been fined under other data protection laws, check out this article: 4 Biggest GDPR Fines of 2020 (So Far).

If you take nothing else away from this article, it should be that compliance and security go hand in hand. Businesses in South Africa and beyond must take the necessary steps to safeguard the data their organizations process and hold, which requires dedicated security and IT teams and a strong data loss prevention strategy.

Wondering what’s top of mind for other security leaders when it comes to DLP? Download the report below.
Compliance
Security vs. Compliance: What’s The Difference?
Tuesday, September 1st, 2020
Businesses across industries and continents are now obligated to satisfy various compliance standards, from GDPR to CCPA. But how do you actually ensure compliance? By securing the information your organization handles. This – of course – is easier said than done and requires cross-team collaboration.

In this article, we’ll explain:
- What information security means
- What compliance means
- How these concepts differ
- Why you can’t neglect one in favor of the other

Looking for more information about specific data privacy laws? Visit our compliance content hub.

Security and Compliance: The Difference

“Security” is the infrastructure, tools, and policies you put in place to protect your company’s information and equipment. “Compliance” is the act of meeting a required set of security and regulatory standards.

As you might have guessed, security and compliance are very closely linked, and each should drive the other. Keep reading to learn more about the key concepts you need to consider to ensure your organization’s information systems are up to scratch.

Security: Key Concepts

When it comes to information security, organizations have to safeguard every vector that stores and transfers data. In this article, we’ll cover network, device, and employee security.

Network Security

While every organization is different, most IT leaders are concerned with protecting network security. Why? Because employees access company data via various networks, including:
- Your company’s own network — which can be as secure as you are prepared to make it.
- Your employees’ home networks — which you can’t assume will be secure.
- Public networks — such as on public transport and in coffee shops, which are notoriously not secure.

Importantly, data can be intercepted or exfiltrated across all of the above networks. But there are several steps you can take to mitigate network security threats:
- Email security software — Email security software is a critical requirement in most compliance regimes and should protect against both inbound threats like spear phishing and outbound threats like misdirected emails. Check out this blog to learn How to Choose the Right Email Security Software.
- A firewall — Firewalls can be either hardware- or software-based. Certain regulations, such as PCI DSS, require both hardware and software firewalls to be in place.
- Access controls — Access controls allow you to restrict network access only to authorized actors. Generally applicable laws, such as the EU GDPR, treat access control as a basic tenet of reasonable security.

Looking for advice on how to secure data while employees are working remotely? Check out this article: Ultimate Guide to Staying Secure While Working Remotely.

Device Security

Your organization is responsible for devices that store and handle vast amounts of data, including the personal information of your customers and the confidential information of your company. This applies to any devices that process company data — whether they belong to your company or your employees — including:
- Desktop computers
- Laptops
- Mobile phones
- Tablets
- USB storage devices

You can protect these devices in multiple ways, including:
- Antivirus software
- Multi-factor authentication (MFA)
- Device encryption
- Endpoint security
- Anti-theft tools

Employee Security

88% of data breaches are caused by human error. That’s why employee training is an essential component of any security strategy and a requirement under compliance standards. A security training program should teach employees:
- How to identify and respond to threats such as phishing, smishing, and vishing
- Why security policies exist and how to follow them
- How to safely handle and dispose of data

You can learn more about the pros (and cons) of security training in this article: Pros and Cons of Phishing Awareness Training.

Compliance: Types of Standards

There are several types of laws, regulations, and certifications that businesses must comply with, and they all outline minimum security standards. So, what happens if your security measures don’t comply with relevant standards? Your organization will either be in breach of the law, in danger of being reprimanded by your industry’s regulator (which could include a hefty fine), or unable to obtain or maintain a particular certification.

Generally Applicable Laws

Some laws apply to every business operating in a given jurisdiction, regardless of sector. Compliance with these laws generally requires the implementation of “reasonable” security measures specific to their industry and proportionate to their size. Let’s look at two examples.

General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) applies to every person and organization operating in the EU or targeting EU residents. It sets down minimum requirements for information security and privacy. In particular, covered organizations must:
- Analyze and mitigate security risks
- Encrypt, pseudonymize, or anonymize personal information as appropriate
- Control access to premises, equipment, and digitized personal information

You can learn more about the GDPR in this blog: GDPR: 13 Most Asked Questions + Answers.

The GDPR offers some flexibility, accounting for the current state of technology and the costs involved in securing personal information. However, all organizations must implement “appropriate technical and organizational measures.”

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) applies to certain businesses that collect California residents’ personal information. It requires that businesses take “reasonable security measures” to secure personal information in their control. For CCPA-covered businesses, implementing a minimum reasonable security level means complying with the 20 Critical Security Controls from the Center for Internet Security (CIS). The controls include:
- Email and web browser protection
- Account monitoring and controls
- Penetration testing

A business’s security measures may be “appropriate to the nature of the information” that business controls — so highly sensitive personal information will require stronger security measures to protect it. You can learn more about the CCPA in this blog: CCPA FAQs: Your Guide to California’s New Privacy Law.

Sector-Specific Regulations

Certain industries handle particularly sensitive information, and there are rules that govern how they protect and store that data.

Health Insurance Portability and Accountability Act (HIPAA)

The US Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers and businesses that handle protected health information (PHI). The HIPAA “security rule” requires covered entities to implement administrative, technical, and physical safeguards over the PHI they control, including:
- Ensuring PHI remains confidential
- Identifying and protecting against “reasonably anticipated threats”
- Ensuring all employees comply with HIPAA

Organizations may vary in the extent to which they implement such security measures, accounting for:
- The size, complexity, and capabilities of the organization
- Its technical, hardware, and software infrastructure
- The costs of implementing security measures
- The likelihood and potential impact of risks to PHI

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) regulates how organizations handle credit and debit card data. Among other measures, PCI DSS requires organizations to:
- Maintain secure networks
- Encrypt cardholder data
- Regularly review security measures

The number of annual transactions a card handler processes dictates the level of security measures they must implement:
- Level 1 — Over 6 million transactions per year
- Level 2 — 1-6 million transactions per year
- Level 3 — 20,000-1 million transactions per year
- Level 4 — Under 20,000 transactions per year

Certification Programs

Businesses wishing to demonstrate their security standards to their customers and business partners can undergo auditing with a certifying body.

ISO/IEC 27K Series

The ISO/IEC 27K series provides standards for information security management, with programs covering network security, cybersecurity, and intrusion prevention. ISO/IEC 27K is not a certification process in itself, but certain bodies are licensed to certify ISO/IEC 27K compliance. The series consists of a family of different standards that businesses can adopt as appropriate, such as:
- ISO/IEC 27000 — Information security management systems (overview)
- ISO/IEC 27005 — Information security risk management
- ISO/IEC 27033 — IT network security
- ISO/IEC 27040 — Storage security

GDPR Certification

GDPR certification is available for organizations that wish to publicize their GDPR compliance. Certification schemes must be approved by the European Data Protection Board or a national Data Protection Authority, such as the UK Information Commissioner’s Office. GDPR certification schemes can be general, applying to all areas of an organization’s GDPR compliance, or specific to an area of GDPR compliance, such as:
- Secure storage of personal information
- Access controls
- Internal policies and procedures

You can see Tessian’s certifications on this page: Tessian Integrations, Compatibility, and Partnerships.

What’s More Important: Security or Compliance?

It’s not possible to say whether security is more important than compliance, or vice versa. Security and compliance go hand in hand.

If you neglect compliance, you may find your company is in breach of data security law — even if you take reasonable steps to secure sensitive information. Without understanding your compliance obligations, you can never be sure you’ve got everything covered.

Likewise, suppose you neglect security and take a mechanical, “bare minimum” approach to compliance. In that case, you’re putting your company at risk of data breaches, reputational damage, and private legal claims from your customers and employees.

Our advice? Take an overarching approach to security and compliance by understanding the risks to your company’s information and your legal and regulatory obligations.
Insider Risks, Email DLP, Compliance, Advanced Email Threats
August Cybersecurity News Roundup
by Tessian Friday, August 28th, 2020
The end of the month means another roundup of the top cybersecurity headlines. Keep reading for a summary of the top 12 stories from August. Bonus: We’ve included links to extra resources in case anything piques your interest and you want to take a deeper dive. Did we miss anything? Email madeline.rosenthal@tessian.com

Russian charged with trying to recruit Tesla employee to plant malware
Earlier this week, news broke that the FBI had arrested Egor Igorevich Kriuchkov – a 27-year-old Russian citizen – for trying to recruit a fellow Tesla employee to plant malware inside the Gigafactory Nevada. The plan? Insert malware into the electric car maker’s system, causing a distributed denial of service (DDoS) attack. This would essentially give hackers free rein over the system. But, instead of breaching the network, the Russian-speaking employee turned down Egor’s million-dollar offer (to be paid in cash or bitcoin) and instead worked closely with the FBI to thwart the attack.

Feds warn election officials of potentially malicious “typosquatting” websites
Stories of election fraud have dominated headlines over the last several months. The latest story involves suspicious “typosquatting” websites that may be used for credential harvesting, phishing, and influence operations. While the FBI hasn’t yet identified any malicious incidents, they have found dozens of illegitimate websites that could be used to interfere with the 2020 vote. To stay safe, make sure you double-check any URLs you’ve typed in and never input any personal information unless you trust the domain.

Former Google engineer sent to prison for stealing robocar secrets
An Insider Threat at Google who exfiltrated 14,000 files five years ago has been sentenced to 18 months in prison. The sentencing came four months after Anthony Levandowski pleaded guilty to stealing trade secrets, including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives. He’s also been ordered to pay more than $850,000. Looking for more information about the original incident? Check out this article: Insider Threats: Types and Real-World Examples. All the information you need is under Example #4.

For six months, security researchers have secretly distributed an Emotet vaccine across the world
Emotet – one of today’s most skilled malware groups – has caused security and IT leaders headaches since 2014. But, earlier this year, James Quinn, a malware analyst working for Binary Defense, discovered a bug in Emotet’s code and was able to put together a PowerShell script that exploited the registry key mechanism to crash the malware. According to ZDNet, he essentially created “both an Emotet vaccine and killswitch at the same time.” Working with Team Cymru, Binary Defense handed over the “vaccine” to national Computer Emergency Response Teams (CERTs), which then spread it around the world to companies in their respective jurisdictions.

Online business fraud down, consumer fraud up
New research from TransUnion shows that between March and July, hackers started to change their tactics. Instead of targeting businesses, they’re now shifting their focus to consumers. Key findings include:
- Consumer fraud has increased 10%, while business fraud has declined 9% since the beginning of the pandemic
- Nearly one-third of consumers have been targeted by COVID-19 related fraud
- Phishing is the most common method used in fraud schemes
You can read the full report here.

FBI and CISA issue warning over increase in vishing attacks
A joint warning from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) was released in mid-August, cautioning the public that they’ve seen a spike in voice phishing attacks (known as vishing). They’ve attributed the increase in attacks to the shift to remote working. Why? Because people are no longer able to verify requests in person. Not sure what vishing is? Check out this article, which outlines how hackers are able to pull off these attacks, how you can spot them, and what to do if you’re targeted.

TikTok sues U.S. government over Trump ban
In last month’s cybersecurity roundup, we outlined why India had banned TikTok and why America might be next. 30 days later, we have a few updates. On August 3, President Trump said TikTok would be banned in the U.S. unless it was bought by Microsoft (or another company) before September 15. Three days later, Trump signed an executive order barring US businesses from making transactions with TikTok’s parent company, ByteDance. The order will go into effect 45 days after it was signed. A few weeks later, ByteDance filed a lawsuit against the U.S. government, arguing the company was denied due process to argue that it isn’t actually a national security threat. In the meantime, TikTok is continuing its sales conversations with Microsoft and Oracle. Stay tuned next month for an update on what happens in the next 30 days.

A Stanford deception expert and cybersecurity CEO explain why people fall for online scams
According to a new research report – The Psychology of Human Error – nearly half of employees have made a mistake at work that had security repercussions. But why? Employees say stress, distraction, and fatigue are part of the problem and drive them to make more mistakes at work, including sending emails to the wrong people and clicking on phishing emails. And, as you might expect, the sudden transition to remote work has only added fuel to the fire. 57% of employees say they’re even more distracted when working from home. To avoid making costly mistakes, Jeff Hancock, a professor at Stanford, recommends taking breaks and prioritizing self-care. Of course, cybersecurity solutions will help prevent employees from causing a breach, too.

University of Utah pays $457,000 to ransomware gang
On August 21, the University of Utah posted a statement on its website saying that it was the victim of a ransomware attack and, to avoid hackers leaking sensitive student information, it paid $457,000. But, according to the statement, the hackers only managed to encrypt .02% of the data stored on its servers. While the University hasn’t revealed which ransomware gang was behind the attack, it has confirmed that the attack took place on July 19, that it was the College of Social and Behavioral Sciences that was hacked, and that the university’s cyber insurance policy paid for part of the ransom.

Verizon analyzed the COVID-19 data breach landscape
This month, Verizon updated its annual Data Breach Landscape Report to include new facts and figures related to COVID-19. Here are some of the trends to look out for based on its findings:
- Breaches caused by human error will increase. Why? Many organizations are operating with fewer staff than before due to either illness or layoffs. Some staff may also have limitations because of new remote working set-ups. When you combine that with larger workloads and more distractions, we’re bound to see more mistakes.
- Organizations should be especially wary of stolen-credential related hacking, especially as many IT and security teams are working to lock down and maintain remote access.
- Ransomware attacks will increase in the coming months.

SANS Institute Phishing Attack Leads to Theft of 28,000 Records
The SANS Institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 records of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding, malicious Office 365 add-on. While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams.

The cybersecurity skills shortage is getting worse
In March, Tessian released its Opportunity in Cybersecurity Report, which set out to answer one (not-so-simple) question: Why are there over 4 million unfilled positions in cybersecurity, and why is the workforce twice as likely to be male as female? The answer is multi-faceted and has a lot to do with a lack of knowledge of the industry and inaccurate perceptions of what it means to work in cybersecurity. The bad news is, it looks like the problem is getting worse. A recent report, The Life and Times of Cybersecurity Professionals 2020, shows that only 7% of cybersecurity professionals say their organization has improved its position relative to the cybersecurity skills shortage in the last several years. Another 58% say their organizations should be doing more to bridge the gap. What do you think will help encourage more people to join the industry?

That’s all for this month! Keep up with us on social media and check our blog for more updates.
Compliance
Ultimate Guide to Data Protection and Compliance in Financial Services
Monday, August 3rd, 2020
Over the last few decades – and driven by the digital transformation – compliance has become a core part of the financial services sector. But, today, security, compliance, and legal teams aren’t just ensuring that regulatory obligations are met because they’re legally compelled to. Compliance plays an important role in protecting firms’ reputations. The problem is, compliance is broad and multi-faceted. There are many ways in which a firm can fall out of compliance, especially in sensitive industries such as finance. Why? Because one of the leading causes of non-compliance is data loss and, according to one report, 62% of breached data came from financial services in 2019. You can learn more about the frequency of data loss incidents in financial services here: The State of Data Loss Prevention in the Financial Services Sector.

The regulatory framework
When it comes to privacy and data security, the financial services sector has a pretty strict regulatory environment, especially when compared to other sectors and in major markets like the United States, the European Union, and the United Kingdom, where financial services compliance is governed by intricate regulatory frameworks. That’s why we’ve put this article together. We’ve compiled a list of the three compliance standards most relevant to those working in financial services and have outlined the key requirements of each, as well as exactly which organizations are affected. Looking for something specific? Click the text below to jump down the page.

Gramm-Leach-Bliley Act (GLBA)
The US arguably has the most complex regulatory regime for financial products and services. Why? There’s a long list of reasons, including national politics and the country’s federalist nature. But, the federal GLBA is the “big one” that covers all “financial institutions,” a broad definition that includes any business that is “significantly engaged in providing financial products or services.” These include:
- Banks and related services
- Investment firms
- Non-bank lenders (e.g. interest-free finance, payday loans)
- Mortgage brokers
- Real estate appraisers

What are the main compliance obligations under the GLBA?
The primary compliance obligation for firms under the GLBA is the requirement to develop a written security program that outlines how they safeguard consumer information. It is a fairly flexible obligation that requires firms to:
- Designate an employee to manage the program
- Identify risks in operational areas and assess relevant security safeguards
- Adjust the program as risk factors develop
Although the GLBA is flexible, financial services firms are expected to implement basic protections against cybersecurity risks. These include encrypting customer information and implementing solutions that prevent inbound and outbound threats. Find out why protecting data on email is especially important.

What are the penalties for non-compliance?
GLBA violations can attract hefty penalties, including fines of up to $100,000 per violation and prison time of up to five years.

Financial Services and Markets Act 2000 (FSMA)
In the UK, the primary piece of legislation that governs the regulated financial services market is the Financial Services and Markets Act 2000. This piece of legislation also establishes regulatory bodies like the Financial Conduct Authority (FCA), which is responsible for the regulation of conduct in wholesale financial markets. The FCA’s objectives include:
- Ensuring market confidence and financial stability
- Promoting public awareness
- Protecting consumers (i.e. from instances of data loss)
- Reducing financial crime
Prior to the FSMA, compliance was viewed as a low priority within firms. The FSMA was introduced to act as a full, accurate, and accessible document that outlines the roles and responsibilities of the financial services and market industries.

Who does the FSMA apply to?
Any authorized firm conducting regulated financial activities such as deposit taking, insurance-related activities, financing activities, and consumer credit activities.

What requirements exist concerning compliance under the FSMA?
Regulated firms must have systems in place to ensure they are compliant with applicable laws. Like many other compliance standards, though, the Act does not specify which systems. But, if we’re talking specifically about firms’ obligation to prevent data loss, DLP solutions are a good place to start. We have plenty of DLP resources, including an overview of what data loss prevention is, how it works, and an overview of current DLP solutions. Controls, systems, and compliance programs can vary depending on the size of the firm and its regulated activities. There are several ways that compliance best practice can be conveyed to firms, including through thematic reviews by the FCA.

General Data Protection Regulation (GDPR)
If you hadn’t heard of the other two compliance standards on this list, you’ve almost certainly heard of this one. At the time of the GDPR’s introduction in 2018, it was the largest change to data protection legislation in almost 20 years, and it’s where financial services firms around the world can find some of the most thorough guidance on their compliance obligations. It gives regulators the power to impose hefty fines on organizations that are not compliant, and it has shaken up many industries where wide-scale privacy changes are required to achieve compliance. Read more about the biggest fines issued so far in 2020 on our blog.

What is the GDPR for?
The GDPR was established amid growing concerns around the safety of personal data and the need to protect it from hackers, Insider Threats, and unethical use. It effectively puts individuals back in control of their data, giving them the power to control how businesses use it. You must be able to move or dispose of this data if requested. Still scratching your head? We’ve answered 13 FAQs about GDPR.

How does the GDPR impact the financial services industry?
The GDPR impacts the sector in a few distinct ways.

You must have client consent
The GDPR says that you must explicitly gain consent to gather personal data and say why you are collecting it. You must also gain additional consent if you wish to share this information. Personal information refers to anything that could be used to identify an individual, such as:
- Names
- Email addresses
- Social media profiles
- IP addresses

You have end-to-end accountability for data
IT systems are at the core of any financial firm and constantly have data passing through them. The GDPR requires firms to understand all the dataflow across their organization and reduce exposure to external vendors and parties. Firms must also ensure vigilance when sharing data, particularly across borders. In layman’s terms: the GDPR holds businesses accountable for safeguarding customer data. Organizations are obligated to take steps to ensure data isn’t disclosed, either intentionally or accidentally, where there isn’t a legitimate reason. Did you know that misdirected emails are the number one data loss incident reported to the Information Commissioner’s Office (ICO)? Learn more about the consequences of “fat fingering” an email here.

Your clients have a right to erasure
GDPR gives your clients the right to ask for their data to be removed without the need for any outside authorization. Financial institutions can keep some data to ensure compliance with other regulations (for example, information relevant to credit records) but in all other circumstances, data must be destroyed when requested.

You are bound by strict protocols in the event of a loss
Before GDPR, firms could adopt their own protocols in the event of a data breach. Now, GDPR compels firms to report any data breach, no matter how big or small, to the relevant regulatory or supervisory authority, such as the ICO, within 72 hours. The notification must contain:
- Relevant details regarding the nature of the breach
- The approximate number of people impacted
- Contact details of the firm’s Data Protection Officer (DPO)
Impacted clients must also be notified of the breach, the potential outcome, and any remediation “without undue delay”. That’s one reason why a data breach can negatively impact reputation and customer trust. But, those aren’t the only consequences.

What are the penalties for non-compliance?
Penalties for non-compliance are very harsh and can be as severe as a fine of 4% of annual global turnover or €20 million – whichever is higher. And they’re being handed out more often now too, with over 36 fines issued in March 2020 alone. That’s a new record. That means ensuring compliance is essential.

Tessian helps financial services firms stay compliant
Financial services firms are under increased pressure to monitor and control their data and restrict the movement of it to prevent both accidental and deliberate loss. Of all the places where data can be lost, email represents one of the most common. In fact, 90% of data breaches begin with email. Why? Because it’s a threat vector for both inbound and outbound threats like phishing, data exfiltration, and misdirected emails. Tessian prevents all these threats using machine learning by monitoring and applying human understanding to email behavior. Across three solutions, Tessian analyzes email data to understand and interpret communications and steps in when it detects that something’s “off”. For example, if an employee sends company data to a personal email account or if someone receives an email with a suspicious domain that could be a phish. Best of all, Tessian works quietly in the background, doesn’t disrupt workflow, and helpful, in-the-moment warnings reinforce training and remind employees of existing policies. That means it’s good for everyone. Learn more about how Tessian has been used by financial institutions such as Evercore, Man Group, and Premier Asset Management to proactively protect customer data and achieve full compliance. You can read more customer stories here.
Email DLP, Compliance, Advanced Email Threats
July Cybersecurity News Roundup
by Tessian Friday, July 24th, 2020
If you keep up with cybersecurity news, you’ll know it’s been a busy month. We’ve seen headlines around social engineering attacks, the CCPA, coronavirus vaccine data, critical patches, and banned social media applications. We’ve rounded up some of the top stories from July, including must-know information and links to various supporting resources.

Coronavirus: Russian Spies Target COVID-19 Vaccine Research
After pharmaceutical companies and research centers in Great Britain were hacked, four agencies in the US, UK and Canada issued a joint warning, saying that Cozy Bear – a group that “almost certainly operate as a part of Russian intelligence services” – was responsible and that it was targeting organizations trying to develop a coronavirus vaccine. While the UK’s National Cyber Security Centre (NCSC) hasn’t revealed which organizations were targeted or whether any information had been stolen, it has made it clear that vaccine research wasn’t compromised. In their warning, the US, UK, and Canadian agencies said that hackers not only exploited software flaws to gain access to computer systems, but also used malware and tricked employees into handing over login credentials with phishing and spear phishing attacks. Check out our guide: Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks.

Twitter Accounts Hacked in Bitcoin Scam
On July 15, the official accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates and other celebrities and politicians were hacked in an apparent Bitcoin scam. According to Twitter, it was a coordinated social engineering attack involving an Insider that targeted employees who had access to internal systems and tools. This access was then used to take control of various accounts. And, in an update from the social media giant on Wednesday, July 22, it was announced that cybercriminals didn’t just tweet from hacked accounts, they also accessed the direct messages of around 36 people, including a Dutch politician. The Federal Bureau of Investigation (FBI) is now involved and other lawmakers (on both sides of the political spectrum) are asking Twitter for transparency into what happened and how it can be prevented in the future.

Emotet Spam Trojan Surges Back to Life After 5 Months of Silence
After going dark five months ago, 2019’s most active malware – the Emotet botnet – is back. The latest campaign (the first attack was spotted on July 17) is firing off spam emails, trying to infect users in the US and the UK with its malware. According to one researcher, the campaign is “ongoing” and reached 250,000 messages in just one day. Here’s how it works: malicious Word attachments or URLs are contained within emails and, if clicked by targets, Emotet will be downloaded and installed. This initial foothold is then used to deploy other malware. What do you do if you’re infected? Isolate the infected system and take the entire network offline.

15 Billion Usernames and Passwords are For Sale on The Dark Web
We often say that data is valuable currency but, after a report was released in early July, we can see just how much our personal information is worth. The report, From Exposure to Takeover, found that 100,000 data breaches over a two-year period have yielded a 300% increase in stolen credentials. That means that, today, there are fifteen billion usernames and passwords for sale on the dark web. These compromised credentials are being sold for an average price of $15.43. But, hackers can “rent” an identity for as little as $10. So, how are hackers getting their hands on this data? Phishing, credential-stealing malware, and credit-card skimmers are three of the most popular ways.

Research Shows How to Prevent Mistakes Before They Become Breaches
The Psychology of Human Error, the latest report from Tessian, examines not only the mistakes people make at work, but why they make those mistakes. These are important questions to answer, especially when the research shows that nearly half (43%) of employees say they’ve made a mistake at work that had security repercussions for themselves or their company. The findings reveal that younger employees are more likely to make mistakes, that men are more likely than women to fall for phishing scams, and that fast-paced company cultures are driving employees to make more mistakes. The research also outlines that those employees who are distracted (which many people are when working from home) or tired are more likely to fall for phishing scams. Read the full report to learn more, including what security leaders can do to combat the problem. In a rush? You can read an overview of the key findings here.

Microsoft Patches Critical 17-year-old DNS Bug in Windows Server
As a part of Microsoft’s monthly security update – called Patch Tuesday – 123 security flaws across 13 products were fixed. The most severe? The flaw is known as CVE-2020-1350, Windows DNS Server Remote Code Execution Vulnerability, and points to a problem with Microsoft’s implementation of DNS that can result in a server improperly handling domain name resolution requests. Researchers say hackers can exploit this vulnerability and weaponize it to create wormable malware that would allow them to gain Domain Administrator rights and take control of an entire network. Patches are available for several versions of Windows Server, going back as far as 2003, and Microsoft has advised that organizations install the patch as soon as possible. Note: The vulnerability is limited to Microsoft’s Windows DNS Server implementation, so Windows DNS clients are not affected.

Biden Ups the Cybersecurity Game Ahead of Elections
The 2016 election made it clear how important cybersecurity is in politics. As a preventive measure, some (although very few) candidates in this year’s election have brought on Chief Information Security Officers (CISOs). The latest announcement came from Joe Biden, who announced Chris DeRusha – former CISO for the State of Michigan who has also served as a cybersecurity advisor in the White House and Department of Homeland Security – would fill the position for his presidential campaign. Learn more about why political campaigns need CISOs on our blog.

India Has Banned TikTok. US May be Next
TikTok – the popular social media application – has generated a lot of buzz throughout July. Why? According to a press release from India’s Ministry of Electronics & IT, it’s because the app (and 58 other Chinese-owned apps) are “hostile to national security” and “pose a threat to sovereignty”. These concerns arose after a military stand-off between China and India in mid-June. Other countries are following suit. Both US and Australian authorities banned the use of the app for military personnel as more and more questions are being asked about the security of data and potential breaches of privacy. Most recently, the House of Representatives voted 336-71 in favor of the National Defense Authorization Act, which includes an amendment banning TikTok from all federal devices. Meanwhile, TikTok – which has recently hired an American CEO – has maintained that it doesn’t share data from its app with the Chinese government.

Walmart Accused of Mishandling Data in CCPA Lawsuit
July 1 was the official enforcement date of the CCPA and, less than two weeks later, Walmart was sued in a class-action lawsuit. Why? A San Francisco man claims that his personal information – including his credit card – was sold on the dark web after the superstore was hacked. Under the CCPA, companies can be fined up to $750 “per consumer per incident” and, because the man alleges that hundreds more customers were affected, Walmart could be hit with a big fine. For now, Walmart says it wasn’t hacked, maintaining that “Protecting our customers’ data is a top priority and something we take very seriously. We dispute the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information (PII)”.

That’s all for this month! Did we miss anything? Email madeline.rosenthal@tessian.com. You can also keep up with us on social media and check our blog for more updates.
Compliance
US Data Privacy Laws 2020: What Security Leaders Need to Know
Monday, July 13th, 2020
When it comes to privacy and data security, the United States has a less strict regulatory environment than many other major economies, such as the European Union. However, several states have passed laws in recent years that impose significant requirements on businesses handling the personal information of US residents.There are also some tough sector-specific federal privacy laws that you might not realize you need to comply with. This guide will help you understand: Which US state and federal privacy laws apply to your business What the laws require The consequences of a violation Let’s start with state laws.  State Laws While these are “US state privacy laws”, they actually apply to businesses around the world. Why? Because it doesn’t matter where your business is located, it matters whose personal information you’re handling. We’ll give examples below, with a focus on the three broadest and strictest US state privacy laws.  California Consumer Privacy Act (CCPA) The California Consumer Privacy Act (CCPA) came into full force in 2020 and is California’s state law that many people are (justifiably) comparing to the European Union’s world-leading General Data Protection Regulation (GDPR). If you’re interested, you can read the full text here.  Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, pushing the state statute closer to the GDPR. The CPRA creates a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected and for purposes of which the consumer has been informed. While – yes- the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options. What does this mean for you? 
Organizations must ensure compliance with the CPPA – integrating the demands of the CPRA – before it takes effect on January 1, 2023. Who Does the CCPA Apply to? Although the CCPA was written with big tech companies in mind, it affects businesses across sectors.  The CCPA covers any business handling the personal information of California residents (regardless of whether the business has any physical presence in the state) that meets one of the following three thresholds: It has gross revenues in excess of $25 million per year, It buys, sells, receives or shares for commercial purposes the personal information of at least 50,000 California consumers or households per year, OR It derives 50 percent or more of its annual revenues from selling consumers’ personal information Note that, due to the CCPA’s broad definition “personal information” — and of what constitutes “selling” personal information — a company may fall under threshold “B” if: It operates a website or app that uses third-party cookies for advertising or analytics, and  The website or app attracts at least 50,000 California visitors or users per year. 
What Are the Main Requirements Under the CCPA? The CCPA’s main obligations include: Notice: Businesses must provide consumers with notice of how they collect, use, and share personal information. This necessitates a comprehensive Privacy Policy. Control: Businesses must allow consumers to access and delete their personal information. How? By allowing consumers to opt out of the sale of their personal information. Security: Businesses must apply reasonable security procedures and practices to safeguard the personal information they store. This may include malware protection, staff training, and email security.  Violating any part of the CCPA can lead to civil penalties of: Up to $2,500 per unintentional incident (such as failing to implement proper security protections, leading to a data breach). Up to $7,500 per intentional incident (such as deliberately selling the personal information of consumers who have “opted out”). Data breaches can be particularly heavily penalized under the CCPA’s private right of action, with statutory damages of up to $750 per consumer, per incident.  Failing to implement proper data security practices could, therefore, lead to class action lawsuits in the billions of dollars, depending on the severity and extent of the breach. That’s why it’s so important organization’s level-up their cybersecurity. Still have questions? We answered 13 FAQs about the CCPA in this article. We also outline the 5 Things CISOS Should Know About The CCPA here.  New York SHIELD Act The New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act) is a New York State Act that came into full force in 2020. Again, if you want to read the full text, you can find it here. In a sentence, it’s a data breach notification law that imposes data security standards on covered businesses. Who Does the NY SHIELD Act Apply to? 
The NY SHIELD Act applies to “any person or business that owns or licenses computerized data which includes private information of a resident of New York.”  This includes businesses with no physical presence in the state. So, what’s “private information”? The Act’s definition is complex, but, broadly, it includes: A person’s full name, or first initial and last name, plus  At least one of the following unencrypted (or compromised) data elements: Social security number,  Driver’s license or other ID number,  Bank account or credit card number (plus security code or PIN),  Biometric data. OR: An email address or username, plus  A password, “secret question” answer, or any other means of access. It’s important to note that gaining access to these data points is easier than you might think. Just look at your mailing list. What Are the Main Requirements Under the NY SHIELD Act? The NY SHIELD Act consists of two parts: Data breach notification: Businesses must report any breach of the private information of New York residents to the affected persons and to various New York authorities “in the most expedient time possible and without unreasonable delay.” Data security program: Businesses must implement reasonable administrative, technical, and physical security measures to safeguard the private information of New York residents. This must include: Risk assessment of how employees transfer and communicate private information,  Appropriate software protection such as email security, Staff training on privacy and data security. Violating the SHIELD Act’s data breach notification requirements can lead to a civil penalty of up to $250,000. Oregon Consumer Identity Theft Protection Act (OCIPA) The Oregon Consumer Identity Theft Protection Act (OCIPA) (previously the Oregon Consumer Identity Theft Protection Act) is an Oregon state law that received significant amendments in 2019 (available here). 
It is a data breach notification law that imposes data security standards on covered businesses.

Who Does OCIPA Apply to?

OCIPA applies to “any person that owns, maintains or otherwise possesses” the personal information of Oregon residents. OCIPA defines “personal information” in much the same way as the NY SHIELD Act, with two additional types of information included:

- Health insurance policy numbers and other health-related identifiers
- Information about a person’s physical or mental diagnoses or history

This means that those working in healthcare have to be especially careful. You can read more about the frequency of data loss incidents in this specific sector in our blog: Data Loss Prevention in Healthcare.

What Are the Main Requirements Under OCIPA?

Like the NY SHIELD Act, OCIPA requires businesses to implement a “data security program” to maintain administrative, technical, and physical safeguards over the personal information they possess. An OCIPA data security program must include measures such as:

- Designating an employee to oversee the program
- Safeguarding against and responding to cyberattacks
- Implementing anti-malware and email protection software

Any data breach must be reported to the individuals affected “without unreasonable delay, but not later than 45 days” after discovering the breach. If the breach affects 250 or more Oregon residents, it must be reported to the Oregon Department of Justice. The maximum fine for failing to properly report a breach is $25,000 per violation.

Next up: three of the most important US federal privacy laws. These are sector-specific, but they each apply more broadly than you might expect.

Federal Laws

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) is a federal law first passed in 1998. It covers the provision of goods and services to children. You can read the full text here, but we’ve answered key questions below.

Who Does COPPA Apply to?
COPPA applies to anyone who operates a commercial website, online service, or mobile app that is:

- Directed at minors under the age of 13, or
- Knowingly collecting the personal information of minors under the age of 13.

While we can’t write an extensive list of all the different websites, services, or apps that meet these requirements, think of brands like Disney, Hasbro, and Mattel. Importantly, COPPA applies to non-US companies and content creators using platforms such as YouTube and TikTok.

Personalized advertising is a big target of COPPA enforcement. IP addresses and device IDs qualify as “personal information” under the Act. Most websites and apps collect this type of information.

What Are the Main Requirements Under COPPA?

Under COPPA, businesses are required to:

- Provide privacy notices to parents
- Obtain parental consent before collecting, using, or sharing children’s personal information
- Allow parents to opt out of the processing of children’s personal information
- Allow parents to access their children’s personal information
- Collect the minimum personal information necessary from children
- Protect the confidentiality, security, and integrity of children’s personal information by maintaining reasonable security practices

Violating COPPA can lead to fines of up to $43,280 per incident. In 2019, Google settled an alleged COPPA violation with the FTC for $170 million.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law first passed in 1996. As the name suggests, it covers the healthcare sector.

Who Does HIPAA Apply to?

HIPAA applies to “covered entities,” including:

- Healthcare providers (e.g. doctors, physiotherapists, nursing homes, pharmacists, dentists, etc.)
- Health plans (e.g. health insurance companies, employer-sponsored health plans)
- Healthcare clearinghouses (e.g. billing services, community health information systems)

Covered entities process “protected health information” (PHI), which covers 18 categories of personal information including:

- Names
- Email addresses
- IP addresses
- Medical record numbers

While “covered entities” deal directly with health information, HIPAA also applies to subcontractors of covered entities that require access to PHI. Such subcontractors are known as “business associates.” Some common types of companies that act as “business associates” include:

- Third-party claims management administrators
- Lawyers
- Medical transcriptionists
- Data analysts

What Are the Main Requirements Under HIPAA?

HIPAA places strict obligations on how covered entities and business associates process PHI, with rules covering:

- Privacy: providing access to PHI to individuals (this is optional, unlike “the right to access” under the CCPA); providing Privacy Notices when collecting or disclosing PHI; and training employees on matters of patient privacy.
- Security: assessing the risk to PHI from cybersecurity threats; implementing anti-malware and email protection software; and reporting actual or suspected cyberattacks to the Office for Civil Rights as soon as possible, and within 60 days.

Remember that privacy and security threats can come from outside or inside your organization. In 2017, the Department of Health and Human Services settled an investigation with a HIPAA covered entity for $5.5 million after a trusted employee leaked the PHI of 80,000 individuals. You can read more about incidents involving Insider Threats (including two instances involving the NHS) in this blog: Insider Threat Types and Real-World Examples.

Penalties under HIPAA can range from $100 to $50,000 per violation.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a federal law first passed in 1999 (available here). It covers the financial sector.

Who Does the GLBA Apply to?
The GLBA covers “financial institutions,” but this definition is broader than you might expect. The FTC defines a “financial institution” as any business that is “significantly engaged in providing financial products or services.” So, alongside banks and investment firms, the GLBA covers the following types of businesses:

- Check-cashing businesses
- Payday and other non-bank lenders
- Mortgage brokers
- Real estate appraisers
- Professional tax preparers
- Certain courier services

What Are the Main Requirements Under the GLBA?

One of the chief obligations under the GLBA is to develop a written security program explaining how your business safeguards consumer information. When it comes to creating a security program, the GLBA’s requirements are fairly flexible, and include:

- Designating an employee to oversee the program
- Identifying risks in each area of operation, and assessing the security safeguards relevant to that area
- Adjusting the program in light of relevant risk factors and technological developments

While the GLBA’s security program requirement leaves plenty of room for maneuver, covered businesses would be expected to implement basic cybersecurity protections such as the encryption of consumer information and company-wide installation of security software, including data loss prevention solutions.

GLBA violations incur particularly heavy penalties, including fines of up to $100,000 per violation and/or up to five years in prison. But that isn’t deterring professionals working in Financial Services from mishandling data. According to Tessian research, the majority of employees have accidentally or intentionally exfiltrated data.

How can I stay compliant?
While every data privacy law is slightly different, each is consistent in saying that businesses must implement and maintain a cybersecurity program. Tessian helps organizations across sectors stay compliant by protecting data on email. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity.

- Tessian Enforcer detects and prevents data exfiltration attempts
- Tessian Guardian detects and prevents misdirected emails
- Tessian Defender detects and prevents spear phishing attacks

Learn more by booking a demo. Or, you can read through our customer stories, including those operating in Healthcare and Financial Services.
Integrated Cloud Email Security, Compliance
Two Years Later: 3 Ways GDPR Has Affected Cybersecurity
by Tessian Thursday, May 14th, 2020
This month we celebrate the two-year anniversary of the General Data Protection Regulation (GDPR). While the road to compliance hasn’t been easy for organizations in Europe and beyond, it’s clear this benchmark legislation has been a step in the right direction for data rights, privacy, and protection. It’s also had a big impact on cybersecurity. Not only is cybersecurity now considered business-critical – which is big news for an industry that has historically struggled to communicate its value and ROI – but we’ve seen incredible innovation in security solutions, too.

Read on to learn more about how GDPR has affected cybersecurity or, for more context around GDPR and its implications, read GDPR: 13 Most Asked Questions + Answers.

1. Cybersecurity is now a business enabler

While cybersecurity has historically been a siloed department, data privacy regulations and compliance standards like GDPR have helped prove the business value of a strong cybersecurity strategy. To start, cybersecurity solutions help organizations stay compliant by preventing data breaches. This isn’t trivial. While the fines under these new compliance standards are hefty (GDPR fines totaled nearly €50 million in the first quarter of 2020 alone), the implications of a breach extend far beyond regulatory penalties to include:

- Lost data
- Lost intellectual property
- Revenue loss
- Losing customers and/or their trust
- Regulatory fines
- Damaged reputation

It’s no surprise, then, that the UK’s cybersecurity sector has grown by 44% since GDPR was rolled out. But cybersecurity solutions don’t have to be limited to prevention or remediation. In fact, cybersecurity can actually enable businesses and become a unique selling point in and of itself. Now that data protection is top of mind, those organizations that are transparent about their policies and procedures will have a competitive advantage over those that aren’t, and will gain credibility and trust from prospects and existing customers or clients.
2. IT leaders are engaging with (and depending on) employees more often

While cybersecurity teams are responsible for creating and implementing effective policies, procedures, and tech solutions, data protection is the responsibility of the entire organization. Why? Because data loss is a human problem, with 88% of breaches being caused by human error, not cyberattacks. The fact is, employees control businesses’ most sensitive systems and data, and one mistake – whether it’s a misdirected email or a misconfigured firewall – could have tremendous consequences. That means accountability is required company-wide in order to truly keep data secure and stay compliant.

But education is the first step in prevention, which is why there’s express advice contained within the GDPR to train employees. Importantly, though, training has to actually cut through and stick, which means IT leaders are working hard to effectively communicate risks and responsibilities. Of course, anyone in a cybersecurity leadership position knows this is no easy task. The key is to ensure training is aligned to the individual business, starting with the people in it and their attitudes towards security. Not sure where to start? Watch Mark Lodgson, Head of Cyber Assurance and Oversight at Prudential, talk about how he measures cyber culture within his organization.

3. The DLP market is booming

Post-GDPR, organizations are spending more than ever to protect their systems and data, and, unsurprisingly, one of the top spending priorities for IT leaders is data loss prevention (DLP). While the DLP market is keeping up with demand (DLP market revenues are projected to double from $1.24 billion in 2019 to $2.28 billion by the end of 2023), data loss prevention remains a pain point for most senior executives because, well, most DLP solutions don’t work.
According to a new report from 451 Research, “DLP technology has developed a reputation as much for inaccuracy, false positives, and poor performance as it has for protecting data.” The shortcomings of DLP solutions are reflected in the number of incidents of data loss and data exfiltration being reported, too, up 47% over the last two years.

The problem is that most DLP solutions rely on rules to detect and prevent incidents, and most rules cannot effectively be managed by people. It’s too time-consuming and complex to update them in tandem with evolving human relationships and compliance standards. But there’s a better way: machine learning. In fact, Tessian was recently recognized as a Cool Vendor in Gartner’s Cool Vendors in Cloud Office Security report. Why? Because, through a combination of machine intelligence, deep content inspection of email, and stateful mapping of human relationships, Tessian’s Human Layer Security Platform turns your email data into your biggest defense against email security threats. To learn more about how Tessian uses machine learning to prevent data loss on email, click here.

What’s next?

GDPR is just the beginning and the CCPA enforcement date is looming. Are you prepared? Find out on our blog: 5 Things Every CISO Should Know About CCPA’s Impact on Their InfoSec Programs.
Email DLP, Compliance
5 Things Every CISO Should Know About CCPA’s Impact on Their InfoSec Programs
Friday, April 24th, 2020
The California Consumer Privacy Act (or “the CCPA” for short) is California’s new data privacy law that came into effect on January 1, 2020. This is the first of its kind in the US, and it’s going to impact your InfoSec program. The purpose of this new law from a privacy perspective is to give consumers greater control over their personal information (PI). How? By giving consumers key privacy rights. You may be familiar with some of these rights, including:

- The right to know what PI a business is collecting about you
- The right to know what these businesses do with that PI (via a privacy notice)
- The right to request access to that data
- The right to have PI deleted

But some rights are new, including:

- The right to request that a business stops “selling” your PI
- The right to not be treated differently when making such a request

While it’s essential consumers know their rights, security and compliance leaders need to pay attention, too. After all, failure to comply will result in fines of up to $7,500 per violation. So, if you’re a CISO, here’s everything you need to know about the CCPA.

Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, pushing the state statute closer to the GDPR. The CPRA creates a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected and of which the consumer has been informed. While, yes, the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options. What does this mean for you? Organizations must ensure compliance with the CCPA – integrating the demands of the CPRA – before it takes effect on January 1, 2023.
The CCPA is one of the strictest consumer privacy laws in the US and it’s become the new standard

Unlike Europe, the US doesn’t have a federal consumer privacy law. Instead, the US privacy landscape is made up of a smattering of both state and sectoral laws. As the CCPA ties enforcement to “California residents,” it may apply to services provided outside of California to Californians. Because it’s virtually impossible to know with absolute certainty who or where your customers are, it can become tricky to determine who you offer CCPA rights to and who you don’t. The result? Many companies have given CCPA rights to everyone.
The CCPA includes an obligation for your infosec program

When it comes to security, the CCPA only specifies that a business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” it processes. Importantly, though, what those “reasonable” security procedures are, and how they differ based on the information involved, remains undefined. But what we do know is that if your business experiences a data breach and a Californian consumer’s PI is taken by an unauthorized person, your business could be on the hook for failing to implement reasonable security procedures. In addition to fines, the CCPA grants Californian consumers the right to sue you. This is called a private right of action.

While there is still much to be determined as to what “reasonable” means, the onus rests on you, as CISO, to review your infosec program and make sure you’re comfortable you’re doing your best to reach this “reasonable” standard. Looking at the NIST (800-53 or CSF), ISO 27001, and CIS controls is a great place to start. The bottom line: businesses need to protect their data. Implementing a DLP solution is a necessary step all businesses need to take.
If a data breach happens on your watch, you may be held responsible for damages

Statutory damages are new for Californian data privacy law. Now, consumers can sue you for a data breach and they don’t have to show harm, meaning we could see a rise in data privacy class actions. This CCPA private right of action promises to shake up the data breach class action landscape, in which such actions have generally been settled for small amounts or dismissed due to lack of injury, because demonstrating and quantifying damages caused by a data breach can be difficult. With the CCPA, companies are vulnerable to potentially staggering damages in relation to a breach. Of course, this is in addition to revenue loss, damaged reputation, and lost customer trust.

The CCPA allows consumers to seek statutory damages of between $100 and $750 (or actual damages if greater) against a company in the event of a data breach of PI that results from the company’s failure to implement reasonable security procedures. Putting this into context, a data breach affecting the PI of 100 California consumers may result in statutory damages ranging from $10,000 to $75,000, and a data breach affecting the PI of one million California consumers may result in statutory damages ranging from $100 million to $750 million. These potential statutory damages dwarf almost every previous large data breach settlement in the US, and have the potential to see higher awards than we’ve seen with GDPR.

It’s worth noting, though, that there is a 30-day cure period in which businesses can in some way remedy a data breach after receiving written notice from the consumer. But because the CCPA doesn’t define “cure,” it’s unclear how a business can successfully “cure” data security violations. Prevention is better than cure. Your best chance of avoiding a breach and/or hefty fines afterward is to ensure your business has ‘reasonable’ security procedures implemented, including policies and other DLP solutions.
While cybersecurity ROI is notoriously hard to measure, it’ll no doubt pale in comparison to the cost of a breach. Learn how to communicate cybersecurity ROI to your CEO here.

A successful private right of action by a consumer only applies to certain PI

Several conditions need to be met before a Californian consumer can pursue this private right of action, including:

- The right only applies to data that is not encrypted or redacted. In other words, de-identified data or encrypted data is not subject to the private right of action or class action lawsuit.
- The right only applies to limited types of PI – not the expansive definition found in the CCPA. This is a much more limited definition of PI than contemplated by the CCPA and, in practice, the majority of businesses’ data stores will not include this level of sensitive data.
- The right does not apply if there has only been unauthorized access to data. There must also be exfiltration. This means that unsecured access to a cloud storage system on its own will not give rise to the right. There must also have been theft and unauthorized disclosure, for example by an insider threat or a nefarious third party.
- The harm to the consumer must flow from a violation of the business’s duty to implement reasonable security procedures.

It will, therefore, be key for businesses to show a documented assessment of their security procedures in light of the CCPA and to ensure a robust security program is in place to protect against data loss.

If you are GDPR compliant, your infosec program is likely compliant

The GDPR, somewhat similar to the CCPA, is vague when it comes to cybersecurity. It makes data security a general obligation for all companies processing personal data from the European Union (EU) by requiring controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”.
This means that companies controlling or processing EU personal data should have implemented comprehensive internal policies and procedures to be in compliance with the GDPR. This likely makes them CCPA-ready, but IT leaders should still review their security programs. The most important thing to know is that businesses affected by the CCPA will now be responsible for not only knowing what data they hold, but also how it’s controlled. In order to ensure compliance, the first step should be revisiting your cybersecurity program. And, while it may be surprising to some, cybercriminals actually aren’t your biggest threat when it comes to data loss. It’s actually your own employees. After all, it’s your people who control all of the data within your organization. But, you can empower them to work securely and prevent data loss with Tessian.
Prevent data loss with Tessian

To err is human, which means your employees may make mistakes that could lead to a potential breach under the CCPA. Traditionally, legacy technology has leveraged hardware and software focused on the machine layer to fight cybersecurity risks. This, of course, doesn’t address the biggest problem, though: the Human Element. Tessian leverages intelligent machine learning to secure the Human Layer in order to understand human relationships and communication patterns. Once Tessian knows what “normal” looks like, Tessian can automatically predict and prevent dangerous activity, including accidental data loss and data exfiltration. People shouldn’t have to be security experts to do their job. Taking advantage of Tessian solutions can help your organization mitigate your employees’ mistakes and keep them productive, which is a key component of a robust security program.
Compliance
The Impact of POPI on Your Organization
Monday, September 30th, 2019
The Protection of Personal Information (POPI) Act is a piece of South African legislation that aims to ensure effective management of any personal data processed by both private and public bodies. The POPI Act became law in November 2013, but the Act has not yet been fully enacted. Once the implementation date is confirmed, organizations doing business in South Africa will have one year to ensure that they are POPI compliant.

Personal data under POPI is defined as information that relates to an individual or juristic person. Gender, employment history and email address are a few examples of what POPI defines as personal information. Since there are different criteria for how organizations classify personal and non-personal information, POPI will affect the way that organizations manage this. For example, organizations will have to take any consumer data that they may hold and classify what type of information it is.

In the instance that a data breach occurs, organizations will have to report the breach to the Information Regulator as well as the affected parties. Under POPI, organizations could be fined up to R10 million (approximately £538k), and sentences could even include jail time of up to 10 years depending on the seriousness of the breach. Finally, organizations could face significant reputational damage in the form of customer loss and limited ability to attract new clients.

POPI and GDPR

POPI makes it imperative for businesses based in and dealing with South Africa to comply with newly stringent data protection regulations, but South African businesses may be wondering how the Act intersects with other global data legislation. Rulings like the European Union’s General Data Protection Regulation (GDPR) also have ramifications for organizations around the world, of course. Businesses in South Africa that process customer data from the European Union must also ensure they are fully compliant with GDPR.
How to remain POPI compliant

Acknowledging the ever-present risk of data breaches is an essential part of the role for security leaders. Traditionally, data controllers tend to focus on malicious threats such as ransomware or brute force cyberattacks. However, human error is increasingly putting organizations at risk. For example, human error was the root cause of 30% of data breaches in South Africa, which is higher than the global average of 26%. Mistakes made due to human error could include an employee accidentally sending a misdirected email to the wrong recipient or hitting the “reply all” or “cc” field instead of “bcc.” In both cases, the employee is not acting maliciously, but the impact is that sensitive information is still exposed.

POPI will have an impact on all companies in South Africa, but it will be particularly important for organizations that hold large amounts of personal information to take the right steps early on to ensure that they are POPI compliant. Implementing the right technology will help your organization stay proactive with your security strategy. Forward-thinking firms in all sectors are choosing Tessian to manage the way in which data moves on email. Enforcer and Constructor’s machine learning allows organizations to prevent data from being transferred to non-compliant destinations. With cutting-edge technology, businesses can ensure that they remain compliant amid changing regulations. To learn more about how Tessian could help you become POPI compliant, contact us here.