
Integrated Cloud Email Security, Advanced Email Threats
Product Integration News: Tessian + KnowBe4 = Tailored Phishing Training
by Austin Zide Tuesday, December 7th, 2021
Following other recent integrations (Okta, Sumo Logic…), we’re adding KnowBe4 – the world’s largest integrated security awareness training and simulated phishing platform – to the list, giving organizations more visibility into phishing risk than ever.

What are the benefits of Tessian + KnowBe4?

The integration combines KnowBe4’s phishing simulation and training results with powerful insights from Tessian’s Human Layer Risk Hub, to give security and risk management teams a more comprehensive view of their riskiest employees. By identifying the employees who are most likely to fall for phishing attacks, security teams can adjust their security policies to the specific risks posed by individuals or deliver more tailored training in the areas where people are struggling most.

With Tessian + KnowBe4:
- Training is more relevant
- Employees are more engaged
- Security leaders can easily report on the impact training has on improving the company’s overall security posture

This is a shift away from the traditional approach to security awareness training and is a much-needed solution to the ever-growing problem of phishing attacks. Figures show that 1 in 4 employees has clicked on a phishing email at work, while the FBI revealed that phishing was the most common type of cybercrime last year, with 11x as many phishing reports in 2020 compared to 2016.

Learn more: To find out more about the Tessian and KnowBe4 integration, click here.
Integrated Cloud Email Security, Customer Stories, Email DLP
16 Ways to Get Buy-In For Cybersecurity Solutions
by Tessian Friday, December 3rd, 2021
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.

This is easier said than done, but security is business-critical.

So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives?

We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips.

You can download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. Or, download this eBook.

1. Familiarize yourself with overall business objectives

While cybersecurity has historically been a siloed department, today it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.

The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case.

If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach report, the average cost of a data breach is $4.24 million.)

2. Create specific “what-if” scenarios

A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.

As the saying goes, “If it ain’t broke, don’t fix it.”

That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented, so that stakeholders can understand both probability and impact.

For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails, which, by the way, are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest clients’ most sensitive data lands in the wrong inbox. What would happen?

Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.

3. Work closely with the security vendor

You know your business. Security vendors know their product. If you combine your respective expertise – and really lean on each other – you’ll have a much better chance of making a compelling case for a particular solution.

Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, and ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.

4. Collaborate and align with other departments

It takes a village, and cybersecurity is a “people problem”. That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.

Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win!

5. Consider how much the executive(s) really know about security

To communicate effectively, you have to speak the same language. And we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with.

But to do that, you first have to know how much your audience actually knows about the topic you’re discussing.

For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.

In short: don’t succumb to the Curse of Knowledge.

6. Use analogies to put costs into perspective

One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful.

For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.

Suddenly, the cost will seem more manageable and worth the investment.

7. Invite key stakeholders to events or webinars

Before you even start pitching a particular solution, warm up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people and organizations are finding solutions.

Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle.

8. Prepare concise and personalized briefing materials

Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5.

After taking some time to understand the business’ overall objectives, take a closer look at individual people’s roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity.

Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.

The bottom line: make it about them.

9. Share these documents in advance of any formal meetings

While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.

To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings.

But don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information.

10. Build a strong security culture

Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone.

So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping – not blaming – employees. There has to be a certain level of mutual trust and respect.

Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions – whether it’s clicking on a phishing email or using a weak password – have consequences.

If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign off on solutions.

11. Keep an eye on security trends outside of your industry

Some industries – specifically Healthcare, Financial Services, and Legal – are bound to compliance standards that formalize the need for effective security solutions. That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months.

Keep this in mind.

If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too.

12. Approach non-executive stakeholders early on

While – yes – getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.

After all, those are the people who will actually be responsible for deploying the solution and maintaining it. By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.

How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.

13. Match like-for-like people from both sides

If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level.

For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.

And, with that in mind…

14. Preempt questions and prepare answers

No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!)

Remember, people are generally concerned with how a problem or solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.

15. Get specific customer references from the vendor

We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And we mentioned in tip #11 that you should match like-for-like people in meetings.

It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince your CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, that’s the same size, and in the same region. Ideally, it will also feature quotes from that organization’s CTO.

Why? Professionals trust and rely on their peers when making difficult decisions.

16. Be conscious of (and considerate of) people’s time

Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).
Podcast, Interviews With CISOs
Q&A with Ben Aung, Chief Risk Officer at SAGE
Monday, November 29th, 2021
Ben Aung is the Chief Risk Officer at SAGE, formerly served as a Deputy Government Chief Security Officer in the UK government, and is a Tessian customer. He discussed insider threats, fear, uncertainty and doubt (FUD), and the Great Resignation with Tessian CEO and Co-Founder Tim Sadler on the RE: Human Layer Security podcast. Listen here, or read the Q&A below.

Tessian: How has this year been for you and your team at SAGE?

Ben: I’m surprised how much we’ve managed to achieve under challenging circumstances.

We’ve managed to get to a “business-as-usual” state much faster than I would have expected, and many of the kind of “doomsday” threats that we might have been anticipating as a result of COVID haven’t really materialized for me.

Tessian: What are your thoughts on insider threats? Could you share a bit about how you’ve been focused on insider threats throughout your career?

Ben: Most of my career in government has been in information security, computer security, or cybersecurity—depending on which term was de rigueur at the time—but when I joined the Cabinet Office in 2012, my first gig I got there was as the Senior Policy Adviser in the National Security Secretariat for insider threats.

Soon after I joined, we were dealing with the aftermath of the Edward Snowden disclosures, which—as many people will remember—were a seismic event in the insider threat world, and caused a great deal of reflection and introspection around how much confidence we could have in some of the very long-standing controls that we’d had around mitigating the most severe insider incidents, particularly in the national security context.

That was a real “baptism by fire” for me in the insider world. I was working across the Five Eyes countries and trying to join up what we all thought was a fairly consistent understanding of how to fight insider threats, but I found out we were all doing things in slightly different ways.

My experience of working with the intelligence community in that very high threat, high impact context was that—in amongst all of the complexity, and “smoke and mirrors,” and spookery—many of the issues were just fundamental people issues or control issues that I expect nearly every organization to face, in one way or another.

Tessian: According to stats, insider threats have risen almost about 50% in the past two years. Why do you think it’s such a challenging problem to solve?

Ben: I think we overcomplicate it, would be my headline. We don’t think holistically about the interventions we can make in the lifecycle of an individual or an insider incident that might reduce both the opportunity and the impact.

We often put too much emphasis on hard technical controls. We lock systems down, so they become unusable, and people just find ways to circumvent them.

We put too many eggs in one basket, and we don’t think about all the little things we can do that cumulatively, or in aggregate, can support us.

The other thing I’d say is—cybersecurity, as an area of risk, is too populated with anecdotes and an absence of data. And it’s too driven by the worst-case scenarios, rather than the everyday, which I think are too often the starting point for the more severe events that happen later down the line.

Tessian: How do we take steps towards that more data-driven approach, and what’s your advice to people who may agree that they find themselves swayed by headlines and the “fear factor”?

Ben: As security professionals, we sometimes have quite thankless roles in an organization. And actually bringing a bit of excitement and interest—it’s an interesting part of the job, and sometimes adds a bit of “mythology.”
The point is that the most effective interventions are some of the most boring and the most mundane. By that, I mean—if you look across all of the most severe insider incidents of the last “x” years, effective line management would have been one of the key mitigations.

Effective line management, good pastoral care, good understanding of employee wellbeing, good performance management processes, basic controls around access, audit, and monitoring.

I think because these things have existed for such a long time, and we don’t associate them with insider risks, then they’re either overlooked, they’ve degraded, they’re boring—they don’t attract investment in the same way that other things do.

The goal is to bank all of that stuff, get that foundation in place, and then supplement with some of the specialist tools that are available on the market—like Tessian—where you can say, “I’ve got confidence in some of these fundamentals, now I want to take that step and really understand my enterprise and what’s happening in and out of it in a much more sophisticated way.”
Tessian: There have been a number of incidents reported in the news where disgruntled employees are being targeted by cybercriminals to assist in malicious activities. Is this something that concerns you?

Ben: I used to think about this a lot in government, where the notion of a “blended attack”—particularly in the nation-state context—is very relevant.

There’s often a misconception that a hostile state actor says, “I’m going to launch a cyberattack on the UK,” or “I’m going to compromise ‘x’ system”—they have an objective, and often cyber or remote attacks are the cheapest way to achieve that objective.

But in some cases, they won’t be. And a blended attack, where you use some kind of close-access technology that’s deployed by a compromised individual as a precursor to a remote attack, is a threat model that governments have to deal with.

And some of the techniques that governments can deploy against one another are absolutely crazy… the level of creativity and imagination at play… That is a very real risk in that context, and I think it’s inevitable that elements of it are going to find their way out into the commercial world.

The key consideration is: what is the cost/benefit equation that the actor is going to be relying on? And as soon as you start including vulnerable individuals, you do increase operational risks as an attacker. The ransomware groups wouldn’t care too much about that, but it’s about whether they get the pay-off they need for the level of effort they put in. And I guess, in many cases, they would.

If you just look, in more of a social context, at how teenagers and children can be blackmailed by people on the other side of the world, then there’s no reason why someone seeking monetary gain—through a ransomware attack or otherwise—wouldn’t do the same.

I haven’t seen any real evidence that it’s happening at any sort of scale, but I think having people in your organization—like we try and achieve at SAGE—who will report early… there’s a sort of “no consequence” reporting rule in SAGE and in many organizations, where we just want to know. I think that’s one of the most effective mitigations.

This Q&A was adapted from our RE: Human Layer Security podcast. You can hear the full interview here.
Integrated Cloud Email Security, Advanced Email Threats, Interviews With CISOs
All Cybersecurity 2022 Trend Articles Are BS, Here’s Why
by Josh Yavor Tuesday, November 16th, 2021
Ah, the holidays. As we roll up to the end of the year, one thing’s as certain as the office party and failed New Year’s resolutions – cybersecurity 2022 trend articles.

And like festive holiday merch in stores, trends pieces seem to appear earlier and earlier each year.

Well, this year we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.

And on Twitter, the feeling is similar…

My prediction? The majority of 2022 cybersecurity predictions will again be “More of the same, packaged a bit differently” because that is how evolution works. It is only from an appreciable vantage point that one sees the scale of incremental change. 1/x — Rik Fërgüson (@rik_ferguson) November 1, 2021

My 2022 Cybersecurity Predictions: pic.twitter.com/7r4AC328q2 — c🎃e (@caseyjohnellis) November 2, 2021

So while someone, somewhere might fall for a high-profile deepfake attack or AI-generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that.

We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.

Infinity Trend One: People are (still) gonna fall for the same ol’ sh*t

Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Games, you can see why.

You're only as strong as your weakest link. Human error wins every time. Awareness training is key. #InfoSec pic.twitter.com/tPD9yBEse3 — Khalil (@sehnaoui) June 21, 2017

You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.

Infinity Trend Two: You’ll (still) have to explain why cybersecurity matters to the CEO

An important "soft skill" as you move up in leadership roles is brevity, the ability to not only be succinct but also flexible when presenting; knowing how to adjust your content on the fly. This is crucial when presenting to higher level business leaders. Practice this! — Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec) October 28, 2021

Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.)

Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey revealing that chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs overall – 63% of organizations – don’t get the kind of support they need from their CEO. If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here are the only three metrics they care about.

Infinity Trend Three: Attacks will (still) come after lunch or at the end of the day (on a Tuesday)

Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious and slipped past secure email gateways (SEGs). Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.

Interestingly, Tuesday – not Friday – was the day employees sent and received the most emails, and that’s also the preferred day for spear phishing. One particular Friday does rank the very highest, however: Black Friday. So if you’re reading this… incoming! It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions?

Infinity Trend Four: Your biggest risks will (still) come from ‘inside the house’

The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over 1,000 security professionals found that 61% think an employee will cause their next data breach.

Infinity Trend Five: Hiring a diverse team will (still) be one of your biggest priorities… and challenges

Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation.

Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it CEO), and you can see why it can be hard to foster a solid security culture.

InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.

So despite a decade passing, the problems most InfoSec and SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated – from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.

So our number one cybersecurity ‘trend’ for 2022?

Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?

Until then, Happy Holidays!
Integrated Cloud Email Security
Five Reasons Why Enterprise Sales Engineers Are At Higher Risk From Misdirected Emails
by Andrew Webb Wednesday, November 10th, 2021
From the CEO to that new intern, everyone in the company email directory is a potential risk for sending misdirected emails. Misdirected emails are common — sending an email to the wrong person is an easy mistake. Who hasn’t done it? But they can also be disastrous, potentially damaging a company’s reputation, revealing its confidential data, and breaching its customers’ privacy.   One new group, however, can potentially present more of a risk than most – Sales Engineers (SEs)  and Tech Ops (TOs) teams. SEs and TOs are mainly found in enterprise-level, technology-focused *aaS businesses in sectors such as software systems, manufacturing, or telecoms, where the product is some form of data handling solution.    According to the Bureau of Labor Statistics Occupational Outlook Handbook, there were 63,800 SEs in the US in 2020. Their role is like a SWAT team, called in by the sales team to help ‘seal the deal’, either when a lead is deep into the process and needs extra clarity, or when they have too many technical obstacles for the sales rep to handle. SEs have a sales mentality, but couple that with a deeper understanding of the form and function of the product, processes, or service.    Here’s five reasons why they might be at higher risk, and how you can mitigate that risk.
They support several salespeople In a typical large enterprise, one SE might support several sales reps. Numbers vary depending on the size and scope of the business in question, but a typical ratio might be one SE to four or more sales people. The higher the number, the higher the potential risks, because they now touch four times the amount of data and contacts flowing through an organization compared to their colleagues.   
…And several other teams. SEs not only work hand in hand with salespeople on new leads, they might also help Customer Success teams move existing customers to higher plans or additional services – again, more potential risk. Of course, being deep in the workings of the product means they also interact regularly with the product or engineering team. They might even work with marketing on case studies and testimonial content. So as you can see, they occupy a highly central function within large, complex matrix organizations.  
Meaning they have access to lots and lots of data… SEs not only have access to leads’ personal details, they might also have access to that company’s critical data such as customer information, financial data, or intellectual property. Many firms conduct proof of concept (PoC) and proof of value (PoV) tests, where the solution is prototyped with the lead’s firm. Depending on the solution and the customer firm, this can involve actual company data, assets, or information.  All of this data is highly attractive to bad actors who can ransom it back to you, sell it to others, mine bitcoin using your systems, and generally trash your processes and reputation. As one security analyst from our friends at KnowBe4 put it, we’re in the age of the ‘quintuple extortion’.  
…and highly sensitive information. They They could be privy to what the company’s employees are doing, where they are, or their Personally Identifiable Information (PII) such as staff’s social security numbers, bank details, and personal email addresses. There’s also sensitive details on business structure things, like potential mergers and acquisitions, reorganizations, or redundancies. In short, SEs have access to a wide group, and interact with that group at a higher frequency.   Which means they’re severely time pressured. Reps might call in an SE as a last ditch effort to save a deal from potentially falling through. Perhaps the lead is thinking of walking away because they have several technical questions that the rep can’t answer. The SE is needed fast and plunged deep into the deal to try to save it.    That creates a time sensitivity pressure for the SE. As this blog post by GoConsensus says, the problem supporting several sales people is that at times, a sales rep may not have access to a sales engineer to provide the support they need.    That can mean the SE is under pressure from both their colleagues to save the deal, as well as the lead who might be cooling on the idea because it doesn’t appear to fit their needs. As the time ticks down and the pressure increases, so do the potential risks of making mistakes.     We know this because our Psychology of Human Error Report revealed that working in tech doesn’t necessarily make you cybersecurity savvy. Employees in the technology industry were the most likely to click on links in phishing emails, with nearly half of respondents in this sector (47%) admitting they had done so. This was closely followed by employees in banking and finance (45%).   The tech industry also had the highest percentage of employees that agree there is an expectation in their organization to respond to emails quickly (85%), while 77% in the financial sector said the same. 
This suggests that quick-to-click and fast-paced working cultures could result in employees mistakenly clicking on phishing emails. Why? Because nearly half of respondents (45%) cited distraction as the top reason for falling for a phishing scam.
So how does this threat manifest itself at enterprise level? In many ways, these issues at enterprise level are a double-edged sword. On the one hand, enterprises can have great software and processes, as well as the budget and teams to support it. On the other hand, they’re larger and more complex, so the potential for danger is greater.

So how many people are we talking about here? Take a big global company like Salesforce, for example, with 64,000 employees according to LinkedIn. A quick search for ‘Sales Engineers’ in their people section returns 3,955 people. For Amazon (868,467 employees) it’s even bigger – 5,792.

Yet our State of Data Loss Prevention report revealed an average of 800 emails are misdirected in organizations with 1,000 employees during a single year. What’s more, Forrester Consulting’s recent Take Control Of Email Security With Human Layer Security Protection report, commissioned by Tessian, found that the percentage of employee-related email security incidents by company size was significantly higher in companies with more than 20,000 employees.

With all that, it’s clear why 61% of security and risk leaders surveyed in the Forrester Consulting report believed that an employee’s actions will cause their organization’s next data breach. They’ve simply done the math.

How can enterprise organizations secure themselves against these dangers? The consequences and fallout of any potential misdirected email can be mundane, or they can be utterly catastrophic (as these real-world examples reveal). We spoke to one CISO on condition of anonymity, who told us, “For the C-Suite, the most important thing is understanding risk scoring – who’s the most targeted departments and what data do they handle?” – SEs and TOs fall into this category.

That risk has to be balanced more broadly with having processes that still let employees do their jobs in highly dynamic environments.
A process where a deal is lost because an email is in a quarantine outbox with several thousand others waiting for the IT department to approve it isn’t going to help your team hit their quarterly targets.

This ‘human first’ approach centers on two things: using great tools that don’t hamper the workflow, and flagging when data is potentially being moved within the communication chain.

Both these things drive what we do at Tessian. Our Human Layer Security platform detects and prevents advanced inbound and outbound threats on email, automatically stopping data breaches and security threats caused by employees. Powered by machine learning, Tessian provides unparalleled visibility into human security risks, detects and prevents accidental data loss, data exfiltration, and advanced phishing attacks while continuously driving employees toward secure email behavior through in-the-moment training.

Built as a cloud-native platform, Tessian integrates seamlessly with O365, Google Workspace, and MS Exchange environments within minutes, learns in hours, and starts protecting in a day, closing the critical gaps in the email security stack.

The Tessian differentiators:
Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite.
Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness.
Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements.
Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI.

So if you want to ensure your Sales Engineers can do what they do best – be that SWAT Team for your sales reps – rather than a higher risk to your business, get in touch today and see how we can help you secure your organization’s Human Layer.
Integrated Cloud Email Security, Email DLP, Advanced Email Threats
Tessian Recognized as a Representative Vendor in 2021 Gartner® Market Guide for Email Security
by Ed Bishop Tuesday, November 9th, 2021
Tessian is honored to be recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security. According to Gartner the “continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.”
The key findings listed in this Market Guide for Email Security

According to this report, “the adoption of cloud email systems continues to grow, forcing security and risk management leaders to evaluate the native capabilities offered by these providers”. The report further states “solutions that integrate directly into cloud email via an API, rather than as a gateway, ease evaluation and deployment and improve detection accuracy, while still taking advantage of the integration of the bulk of phishing protection with the core platform.”

The report also states that “ransomware, impersonation, and account takeover attacks are increasing and causing direct financial loss, as users place too much trust in the identities associated with email inherently vulnerable to deception and social engineering.”

Gartner recommends that the security and risk managers for email security should:
“Use email security solutions that include anti-phishing technology for business email compromise (BEC), protection that uses AI to detect communication patterns and conversation-style anomalies, as well as computer vision for inspecting suspect URLs.”
“Consider products that also include context-aware banners to help reinforce security awareness training.”
“Invest in user education and implement standard operating procedures for handling financial and sensitive data transactions commonly targeted by impersonation attacks. Remove as many targeted ad hoc processes from email as possible.”

This report highlights trends that we believe Tessian is also seeing.

Historically, companies around the globe were deploying the Tessian platform to augment the shortcomings of their Secure Email Gateways (SEGs).
Customers needed a more comprehensive solution that would stop the real nasty stuff like zero-day attacks and ransomware, and that was able to detect and stop the threats that often slip past their SEGs such as business email compromise (BEC), account takeover (ATO), spear phishing, and impersonation attacks.

Tessian’s recent Spear Phishing Threat Landscape 2021 Report examined emails from July 2020 – July 2021, and discovered nearly 2,000,000 emails slipped through SEGs.

An interesting shift we’ve observed over the past nine months is that we’re seeing more and more customers leveraging the enhancements made by Microsoft along with the Tessian platform to replace their SEG. We expect that trend to accelerate in 2022.

Gartner predicts that “by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG), up from 27% in 2020.”

Tessian’s approach

Tessian is a leading cloud email security platform that intelligently protects organizations against advanced threats and data loss on email, while coaching people about security threats in-the-moment. Using machine learning and behavioral data science, Tessian automatically stops threats that evade legacy Secure Email Gateways, including advanced phishing attacks, business email compromise, accidental data loss and insider threats. Tessian’s intelligent approach not only strengthens email security but also builds smarter security cultures in the modern enterprise. Built as a cloud-native platform, Tessian integrates seamlessly with O365, Google Workspace, and MS Exchange environments within minutes, learns in hours, and starts protecting in a day, closing the critical gaps in the email security stack.
The Tessian differentiators:
Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite.
Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness.
Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements.
Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI.

Tessian solutions:
Tessian Defender is a comprehensive inbound email security solution that automatically prevents a wide range of attacks that bypass Secure Email Gateways (SEGs) while providing in-the-moment training to drive employees toward secure email behavior.
Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails.
Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity.
Tessian Architect is a powerful policy engine for real-time email data loss prevention. It features a combination of classic elements of DLP policies that provide custom protection against sensitive data loss.

To learn more about how Tessian can help strengthen your email security posture, book a demo now.
Gartner, “Market Guide For Email Security”, Mark Harris, Peter Firstbrook, Ravisha Chugh, Mario de Boer, October 7, 2021.

Gartner Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Integrated Cloud Email Security
New Forrester Consulting Research Shows Human Layer Security is the Solution Security Leaders Have Been Looking For
by Tim Sadler Friday, November 5th, 2021
Data is the lifeblood of a successful business, and email systems are the veins through which it travels. But new Forrester Consulting research commissioned by Tessian shows legacy solutions aren’t enough to protect this vital business organ…

Key insights from the study include:
Nearly 40% of organizations report 10+ employee-related email security incidents per month
61% of our survey respondents think an employee will cause their next data breach
Over 75% of firms report that 20% or more email security incidents get past their existing security controls
One-third say they lack visibility into threats and risky behaviors
Organizations spend up to 600 hours per month resolving employee-related email security incidents
42% of security and risk leaders are looking to improve their email security postures
To err is human…

While security and risk leaders have a lot to worry about, human error tops the list.

That’s because, on average, organizations experience between one and fifty employee-related email security incidents per month, depending on the company size. Nearly 40% report 10+ incidents a month.

Accidental data loss and business email compromise are most common, with nearly half of respondents saying they’ve experienced an incident in the past 12 months.

It’s no wonder 61% of our survey respondents think an employee will cause their next data breach.

So, how are they trying to solve the problem?

Trying to solve the “people problem”

One thing is for sure: security leaders are trying to bolster their defenses, and they know email is every bit as crucial an environment to protect as networks and databases. The problem is, built-in security controls and legacy technology alone aren’t enough to prevent human error. In fact, these solutions are actually creating more work for thinly-stretched security teams.

Over a third of firms say they’re wasting a precious amount of time, money, and effort combating email security challenges.

How much time? According to Forrester’s research, organizations spend up to 600 hours per month resolving employee-related email security incidents.

Alas, despite so much time and effort, over 75% of firms report that 20% or more email security incidents get past their existing security controls and, despite phishing simulations and ongoing security awareness training, roughly one-quarter report that 21% or more of employees have failed a phishing test in the past year.

Accidental data loss is a big problem, too, with 24% saying they simply don’t have controls in place to prevent misdirected emails.

That’s a lot of risk, but it could be just the tip of the iceberg… One-third say they lack visibility into threats and risky behaviors, proving traditional security solutions have inherent limitations when it comes to solving for risks posed by people.

In fact, according to Tessian’s State of Data Loss Prevention report, IT leaders working at organizations with 1,000+ people in the US estimate 480 emails are sent to the wrong person every year. In reality, Tessian found that an average of 800 emails are misdirected in organizations with 1,000 employees during a single year.

That’s a big difference…

The solution?

Based on all of the above, it’s no wonder 42% of security and risk leaders are looking to improve their email security postures, and are specifically seeking solutions that allow them to gain visibility into risky human behaviors and build unique security identity and risk scores for each employee.

They then want to use this information to feed automated, ML-based threat detection systems to help them predict and protect against unknown threats.

Download the full study. You can also book a demo to see Tessian’s platform in action.
Integrated Cloud Email Security
Seven Things We Learned at Our Fall Human Layer Security Summit
by Andrew Webb Wednesday, November 3rd, 2021
As the virtual curtain falls on our Fall Human Layer Security Summit we’d just like to say a huge thank you to our panel and to you, our 1000+ attendees.  There were some terrific insights, advice, and examples offered in every session. If you missed one, or just want a recap, key learnings from each session are below. To give you a flavor of what to expect, we’ve pulled out some key takeaways.
🎣 Fighting Phishing: Everything We Learned From Analyzing 2 Million Malicious Emails
Take out fact: zero payload attacks are now the new normal

We analyzed 2 million malicious emails that slipped past SEGs in a 12-month period. The results? Bad actors are getting smarter, and crafting more sophisticated attacks than ever before.

That’s why attacks are getting past organizations’ existing defenses. As James McQuiggan, Security Awareness Advocate at KnowBe4, says, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. And what’s working, it seems, are zero payload attacks beginning with a benign email that appears to be from senior staff. Fellow guest Jason Lang, from TrustedSec, spoke of his frustration with current training in the industry, saying, “users sit there for 30 minutes, hit next, next, next, take the test, and they’re done. So the direct answer for ‘is security awareness training accounting for zero payload attacks?’ is no, it’s not”. Learn more about what today’s attacks have in common in our most recent research report: Spear Phishing Threat Landscape 2021.
🤖 Threats Of The Future Are Here: Hacking Humans with AI-as-a-Service
Take out fact: AI is poised to be used ‘at scale’ to design spear phishing attacks, and does better than humans

To paraphrase the German journalist, satirist, and pacifist Kurt Tucholsky, “one spear phishing attack: this is a catastrophe. Hundreds of thousands of spear phishing attacks: that is a statistic!” And, according to Eugene Lim, Glenice Tan, Tan Kee Hock and Timothy Lee from GovTech Singapore, hundreds of thousands of attacks are on the horizon. Although recent reports of AI-generated voice deep fakes make the headlines, the real problem is that as the cost and complexity of AI comes down, it will be used more and more at scale. Furthermore, the team’s research revealed that AI-generated content is more convincing than human-generated content. As Tessian’s Ed Bishop, our co-founder and CTO, noted in the session, “I can totally see bad actors measuring the click-through rate on their phishing campaigns, and then having the AI learn from what’s worked to feed into the next one”. Oh, and one final takeout… no one’s really regulating this sort of stuff.
🏗 How to Build A High-Impact Security Culture For ‘Oh Sh*t’ Moments
Take out fact: It’s always about the people

It can be hard to keep things personal, especially at scale. Yet that’s exactly what Kim Burton, Security Education InfoSec Manager, did when Duo Security was acquired by Cisco. “My favorite thing that I always remind everyone is ‘be kinder than necessary’”. That way, says Kim, you create a safe learning environment where people don’t feel scared, but rather empowered. Kim also gives tips and advice for security teams on how to empathize with colleagues when a breach happens.
👷‍♀️ Building beyond your SEG: what to do when attacks slip through
Take out fact: don’t rely just on your SEG

In this session, Tessian’s Amelia Dunton caught up with Karl Knowles, Global Head of Cyber for HFW, to hear why you shouldn’t just rely on your SEG to protect your business. Karl details how there’s been a huge rise in impersonation attacks, accounting for more than half of the threats HFW get. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope. Finally, Karl explains how ‘in-the-moment’ alerts help show the user that there’s a problem, and what to do about it.
👮 Why Human Layer Security is the Missing Link in Enterprise Security
Take out fact: 61% of security and risk leaders think that employee actions will cause their next data breach

We were delighted to have as a guest speaker Jess Burn, Senior Analyst at Forrester. If you’ve not heard Jess speak before, you’re in for a real treat. Her talk explains in detail a Forrester Consulting study commissioned by Tessian, conducted with US and UK security and risk leaders on the types of threats they’re seeing, how they’re fighting them, and how they’ll meet them in the future. You can get the study here, but the three quick extra takeouts are: assess your current capabilities, invest in technology wisely, and put people first when it comes to security.
😩 DLP Has Failed The Enterprise. What Now?
Take out fact: Legacy DLP is a 💩 sandwich without the bread

Traditional DLP is rule-based – and if there’s one thing humans are really, really good at, it’s breaking rules. You simply cannot define human nature with rules, says Tessian’s Jessica Marie. As we learned at our Spring Summit, the average human makes 35,000 decisions a day; you can’t write rules for all that possibility. Legacy DLP means complex and expensive policies, constrained data classification, limited visibility, and a huge number of false positives. Add to this the fact that your employees really hate the experience. After Jessica’s explainer, Tessian’s Merlin Kafka is joined by Phil Horning, Senior Information Security Analyst at PeaceHealth, and Reema Jethwa, Cyber/Insider Risk Manager at Schroders Personal Wealth. Together they outline future trends for DLP, and where the industry needs to go.
💭 Security Philosophies from Trailblazers; Q&A with Leading CISOs

Closing out the Summit, Tim Sadler, CEO and Co-Founder of Tessian, hosted Jerry Perullo, CISO, ICE NYSE, and DJ Goldsworthy, Director, Aflac, to explore a range of topics. They started by offering advice on how to show value to the wider organization, and how security fits in with overall risk appetite. They then moved on to how security teams have to work cross-functionally, working with other teams like IT and operations, because as Tim says, “the biggest security team is the whole company”. Our 2021 Summit took place just after Cyber Awareness Month, so Tim closed out by asking how far we have come since the first awareness month way back in 2004. For DJ, the biggest difference between now and then was the sheer pace of change; how a lot of risk lies in configurations and environmental sprawl, meaning an increased attack surface. For Jerry, meanwhile, it was the professionalization of the criminal side. “We’re now seeing national state caliber tactics, techniques, and procedures, deployed against commodity targets, with high dwell time… just so they can ransomware them,” he said.
So there you have it!  That’s us all done (until next year). We’ll no doubt see you again in 2022. Follow us on LinkedIn and Twitter, and sign up for our weekly blog digest to stay up to date with the latest intel, so you can help secure your Human Layer.
Integrated Cloud Email Security, Life at Tessian
Tessian Announces Allen Lieberman as its Chief Product Officer
by Tessian Monday, November 1st, 2021
We are very pleased to welcome Allen Lieberman as Tessian’s new Chief Product Officer, who will head up the continued development of the industry’s first and leading Intelligent Cloud Email Security platform. Allen joins us from VMware Carbon Black, where he worked for nearly 9 years, and held roles including Senior Director of Product Marketing and VP of Product Management. He has spent the vast majority of the last 20 years in the Software-as-a-Service space. We took a few minutes to get to know Allen and find out what he’s looking forward to in his new role.

Allen, hi! Let’s start off with an easy question: why did you decide to join Tessian?

A combination of reasons, really. First, the mission. Tessian is set out on a compelling mission that is critical to customers’ ability to scale and defend their enterprise in the modern threat and communications landscape. People can – and should – be a security team’s best asset. By enabling the employee community to help protect and defend the enterprise, security teams are better positioned to scale and protect their organizations. Until now, securing the human layer has been underserved. But as the enterprise and communications landscape evolves, putting people first is critical to the success of modern security programs. Tessian has set out on a mission to make this a reality.

Second, the culture and team at Tessian is world class. Having been in the trenches with key members of the team, I understand the culture that is being cultivated and feel good about the high level of diverse talent we have. At Tessian, there is a focus on doing the right thing, staying positive, persevering through challenges, and keeping people at the center of what we do. Having the culture aligned to my core values was critical in my decision.

And third, the time is right. Security teams, today, are dealing with unprecedented levels of cybercrime. As organizations have become more distributed and cloud-first, as employees communicate over emerging channels and as attackers evolve to meet employees where they are, now is the time for a better solution to help enable every employee to protect the enterprise. It’s rare to find a company that has all these three things.

What do you see as the top benefit Tessian offers to customers?

The sea change that Tessian enables is turning the employee base into a security team’s best asset, while reducing overhead on the security teams. Tessian automates the protection of critical communications channels like email while assisting people in understanding their role of protecting the enterprise – which is unlike so many other security solutions. The ability to embed security communication and training ‘in-the-moment’, when an employee needs it most, helps build a collaborative culture between staff and security teams while reducing breach responses. It’s great when employees really feel that security teams ‘have their back’ and that’s what Tessian enables.

What do you see as the biggest opportunity for Tessian?

Our biggest opportunity is to shift our customers’ mindset from security being seen as something that security teams do, to security being something that all employees do. When we accomplish that – i.e. when employees become part of the new perimeter and when all employees are truly extended parts of security teams – we would’ve changed the security game. I think that’s the biggest opportunity we have.

What’s your focus for the next 3-6 months?

I’ll be very much focused on learning over the next few months. While I’m coming into Tessian with many years of experience, there is so much to take in, as I think about prioritizing and executing on the opportunity to drive change ahead. My intent is to learn from our team, from our customers and from our partners. I’m excited to understand more about the challenges that are faced by our customers, the opportunities we have to address them and, of course, I’m interested in learning much more about our team.

And finally, can you summarize Tessian’s mission in 25 words or less?

Sure. Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.
Integrated Cloud Email Security
Integration Announcement: Tessian + Okta
by Austin Zide Wednesday, October 27th, 2021
We’re thrilled to announce that Tessian is integrating with Okta to help organizations protect against the biggest threats to enterprise security – people’s identities and behaviors. The technical integration follows the strategic investment in Tessian, made by Okta Ventures. Okta will now integrate its identity platform with Tessian’s Human Layer Security platform to help enterprises better understand and manage cybersecurity risks posed and faced by employees. The integration will provide security and risk management teams granular visibility into their organization’s riskiest and most at-risk employees and consequently enable them to deploy policies that can help protect particular groups of users from threats like advanced spear phishing and account compromise and prevent accidental data leaks. Today, modern enterprises use Okta as their single source of truth for identity and access management, and the platform enables organizations to create specific security groups based on access. By combining Okta directory information and groups with the user profiles and real-time risk scores calculated by the Tessian Risk Hub, organizations can now deploy and enable specific security measures to individuals, depending on their level of risk. As a result, security and risk management teams can identify what is driving risk in their company and take proactive steps to reduce it.  The integration will bring welcomed relief to the growing number of enterprises struggling to prevent and remediate the threat posed by the rising number of advanced phishing attacks – a threat exacerbated by the COVID-19 pandemic. Last year, the FBI found that phishing attacks doubled in frequency, while 71% of businesses experienced malicious account takeover and companies reportedly lost over $1.8 billion in business email compromise attacks.  
Austin Arensberg, Director, Okta Ventures, said, “By integrating our solutions, customers will be able to automatically detect their most high-risk employees and put in place stronger security measures and policies to keep them safe, without disrupting the normal flow of business. Securing the human layer in this way can not only reduce or stop threats like advanced phishing and account takeover, but it also improves the overall security posture of the enterprise.”

Tim Sadler, CEO and co-founder of Tessian, said, “Hacking humans is the easiest way for cybercriminals to hack companies today – but not every employee carries the same level of risk. So, to fully understand and mitigate risk in your organization, you must understand the behaviors of your employees and provide additional protection to those that need it most. This is critical to securing the human layer in your organization and, with Okta and Tessian, this is now possible.”

You can find out more about the integration here.
Integrated Cloud Email Security
Fear Isn’t The Motivator We Think It Is…
Tuesday, October 19th, 2021
The ground is shaking under one of cybersecurity’s favorite acronyms. Dr. Karen Renaud, Chancellor’s Fellow at the University of Strathclyde, and Dr. Marc Dupuis, Assistant Professor at the University of Washington Bothell, believe that fear, uncertainty and doubt (FUD) aren’t all they are cracked up to be. In their recent Wall Street Journal article, ‘Why Companies Should Stop Scaring Employees About Security’, they unpack the use of scaremongering in cybersecurity training and tell us how fear truly impacts decision making. Listen to the full podcast here, or read on for Dr. Karen Renaud’s & Dr. Marc Dupuis’s top three takeaways.

Too much fear burns people out and makes them less responsive to fear appeals

KR: The literature tells us that when people are targeted by a fear appeal they can respond in one of two ways. They can either engage in a danger-control response or a fear-control response. A danger-control response is generally aligned with what the designer of the appeal intended. So if a fear appeal is trying to encourage a user to back up their files, a danger-control response would involve the user making the backup. Alternatively, a fear-control response sees the user try to combat the fear. They don’t like the feeling of fear, so they act to stop feeling it – they attack the fear rather than the danger itself. This response is undesirable as the user might go into denial or become angry with the person or organisation who has exposed them to the fear appeal. Ultimately, the user is unlikely to take the recommended action. When we consider events such as the COVID-19 pandemic, you can see how adding cybersecurity fear appeals to people’s pre-existing fear runs the risk of users feeling overwhelmed and having a fear-control response. People are already seeing so many fear appeals that they are likely to go into denial and refuse to take the message on board.
Fear appeals can encourage people to take more risks

MD: I have a three-and-a-half-year-old son. Unlike my daughter, if I tell him to not do something like stand on a chair, and explain that he might crack his head open if he does, he’ll do it. So, he’ll climb on the chair, and then if he doesn’t crack his head open he’ll say ‘See daddy, I didn’t crack my head open!’, and in his mind, my warning has been disproved. This scenario with my son speaks to another point on fear appeals – we scare people to try and get them to not do something, but when they do it anyway and nothing bad happens it only reinforces the idea that the consequences aren’t that bad.

KR: You can see examples of this kind of thing throughout history. If you look back at the German bombings of London during the Second World War, something similar happened. Though the goal of the Germans was to get Britain to capitulate, the bombings provoked a totally different response – the British people became more defiant. People get afraid of being afraid, and we need to consider this when designing cybersecurity training and messaging.
MD: We are all responsible for changing the narrative in cybersecurity away from fear, uncertainty, and doubt (FUD), and it starts with conversations like this. It is easy to criticize something, but the question we then need to answer is… what can we replace it with? We know self-efficacy is the major player – but what is that going to look like? I believe that approaches will vary between organisations but the underlying concepts will be the same, such as creating a less punitive system and building a sense of togetherness.

KR: When you treat your users as a problem it informs the way you manage them. Currently, many organisations see their employees as a problem – they’ll train them, they’ll constrain them, and then they’ll blame them when things go wrong! Unfortunately, this method stops users from being part of the solution and creates the very problem you’re trying to solve.

To improve cybersecurity, it is crucial that you make everyone feel like they’re part of the defense of the organisation. My research with the Technical University of Darmstadt looked into what kind of things we could do to make this happen, and it really comes down to a few core principles:

- Encourage collaboration and communication between colleagues – so we can support each other.
- Build resilience as well as resistance – currently, there is a huge focus on resisting security threats, but we also need to know how to bounce back when things do go wrong.
- Flexible and responsive security training and awareness policies – we treat security training and awareness policies as one-size-fits-all, but this is outdated. We need to ask people if what we are proposing is possible for them and the role that they do, and adapt accordingly.
- Learn from successes, not just mistakes – what did some people spot in a phishing message that others didn’t? Teach other people those techniques.

Recent examples in other industries, such as safety, have shown that putting the power into employees’ hands can be revolutionary. We are yet to see it done in cybersecurity, but I’m certain that it is right around the corner.

Want more insights like this? Make sure you subscribe to RE: Human Layer Security on Apple and Spotify.
Integrated Cloud Email Security
Here’s What’s Happening at our SIXTH Human Layer Security Summit on Nov 4th
by Andrew Webb Thursday, October 14th, 2021
November 4th sees Tessian’s sixth Human Layer Security Summit. Nearly 3000 people tuned in to our last summit in June, and the event is rapidly establishing itself as an industry ‘must attend’.

We started our flagship event summits with one goal in mind: to bring security leaders together to network, share learnings and discuss a new wave of security that is ‘Human First’. This Fall summit will be our biggest and best yet, and is packed with the latest insights from industry experts, all in just a few hours.

If you’ve not already reserved your place, do it now, because here’s what’s packed into just three hours on November 4th.
🎣 Fighting Phishing: Everything We Learned From Analyzing 2 Million Malicious Emails

Unless you’ve been at the beach this past month, you can’t have failed to notice Tessian’s recent Spear Phishing Threat Landscape 2021 report, based on two million emails flagged by Tessian Defender as malicious.

Tessian’s CISO, Josh Yavor, is joined by two industry experts: James McQuiggan, Security Awareness Advocate at KnowBe4, and Jason Lang, from TrustedSec. Together they’ll dig into the report’s findings in greater detail, and identify the what, how, who, why, and when of today’s spear phishing landscape.

If you can only make one session, make it this one.

🏗 How to Build A High-Impact Security Culture For ‘Oh Sh*t’ Moments

You don’t have a cybersecurity issue… until you do. At Tessian, we call that an ‘Oh Sh*t’ moment.

Kim Burton, Security Education InfoSec Manager at Cisco, details how the right culture in your company can help stop that from ever happening. She’ll explain how to create and enable a positive security culture so you can help people sort through information and be confident in their approach to security.

The result: your people become your greatest asset, and develop, as Kim puts it, a security spider sense!

🤖 Threats Of The Future Are Here: Hacking Humans with AI-as-a-Service

These days you can get seemingly everything as a service, and that includes AI. Ed Bishop, our co-founder and CTO, discusses this new threat with the team from GovTech Singapore. Eugene Lim, Glenice Tan, Tan Kee Hock and Timothy Lee explain how their latest research repurposed easily-accessible personality analysis AIaaS products to generate persuasive phishing emails. The emails were automatically personalized based on a target’s social media information and created by state-of-the-art natural language generators.

The results mean that even low-skilled, limited-resource actors could use these methods to execute effective AI-assisted phishing campaigns at scale. And as Wired reported, an AI wrote better phishing emails than humans in a recent test. This is sure to be a fascinating technical session, so book your place now and learn how to protect your organisation from these emerging threats.

😩 DLP Has Failed The Enterprise. What Now?

Look, someone has to say it… Legacy DLP solutions are complex, have limited visibility, give you a constant headache with false positives, and users hate them. And don’t get us started on the ROI…

In this session you’ll hear from leading experts, including not-for-profit health care provider PeaceHealth, on why now is the time to rip and replace your DLP solution.

👮 Why Human Layer Security is the Missing Link in Enterprise Security

We’re thrilled to have guest speaker Jess Burn, from Forrester, joining us to offer her insights on why human layer security is the missing link for enterprises. She’ll explain what the top priorities for Enterprise Security and Risk Management leaders are over the next 12 months, as well as how Human Layer Security fits into the wider tech stack. Jess brings with her a wealth of experience as a senior analyst at Forrester serving security and risk professionals. Hosted by Henry Trevelyan Thomas, VP of Customer Success at Tessian.

💭 Security Philosophies from Trailblazers; Q&A with leading CISOs

Closing out our summit, Tim Sadler, CEO and Co-Founder of Tessian, invites two security heavyweights center stage to discuss the guiding philosophies that have led them to security success in their organizations.

With decades of experience between them, Jerry Perullo (CISO, ICE NYSE) and DJ Goldsworthy (Director, Aflac) will discuss how they position security as a value driver, not a cost center, in their orgs, and how they keep their teams innovating and approaching security creatively to build agile models.

So what are you waiting for?

That’s a pretty awesome schedule, full of world-class insights, advice, and experience from experts who’ve secured their people and business against attacks. We believe learning directly from others’ experiences is the best way to drive the security industry forward, so our aim is to bring together as many diverse speakers as possible. The only thing missing is you.