Worst Email Mistakes at Work and How to Fix Them
by Tessian Tuesday, January 5th, 2021
Everyone makes mistakes at work. It could be double-booking a meeting, attaching the wrong document to an email, or misinterpreting directions from your boss. While these snafus may cause red-faced embarrassment, they generally won’t have any long-term consequences. But what about mistakes that compromise cybersecurity? This happens more often than you might think. In fact, nearly half of employees say they’ve done it, and employees under 40 are among the most likely.

In this article, we’ll focus on email mistakes. You’ll learn:

- The top five email mistakes that compromise cybersecurity
- How frequently these incidents happen
- What to do if you make a mistake on email
I sent an email to the wrong person

At Tessian, we call this a misdirected email. If you’ve sent one, you’re not alone. 58% of people say they’ve done it and, according to Tessian platform data, at least 800 are fired off every year in organizations with over 1,000 people. It’s also the number one security incident reported to the Information Commissioner’s Office (ICO) under the GDPR. (More on the consequences related to data privacy below.)

Why does it happen so often? Well, because it’s incredibly easy to do. It could be a simple typo (for example, sending an email to jon.doe@gmail.com instead of jan.doe@gmail.com) or it could be an incorrect suggestion from autocomplete.

What are the consequences of sending a misdirected email?

While we’ve written about the consequences of sending an email to the wrong person in this article, here’s a high-level overview:

- Embarrassment
- Fines under compliance standards like GDPR and CCPA
- Lost customer trust and increased churn
- Job loss
- Revenue loss
- Damaged reputation
Real-world example of a misdirected email

In 2019, the names of 47 claimants who were the victims of sexual abuse were leaked in an email from the program administrator after her email client auto-populated the wrong email address. While the program administrator maintains that this doesn’t qualify as a data leak or breach, the recipient of the email – who worked in healthcare and understands data privacy requirements under HIPAA – continues to insist that the 47 individuals must be notified. As of September 2020, they still haven’t been.

I attached the wrong file to an email

Employees can do more than just send an email to the wrong person. They can also send the wrong file(s) to the right person. We call this a misattached file and, like fat-fingering an email address, it’s easy to do. Two files could have similar names, you may not attach the latest version of a document, or you might click on the wrong file entirely.

What are the consequences of sending a misattached file?

As you may have guessed, the consequences are the same as those of sending a misdirected email. Of course, they depend entirely on what information was contained in the attachment. If it’s a presentation containing financial projections for the wrong client or a spreadsheet containing the PII of customers, you have a problem.

Real-world example of sending the wrong attachment

A customer relations advisor at Caesars Entertainment UK – a part of Caesars Entertainment – was sending emails to the casino’s VIPs. In the emails, the employee was meant to attach a customized invitation to an event. But, in one email, the employee accidentally attached the wrong document, which was a spreadsheet containing personal information related to some of their top 100 customers. Luckily, they also spelled the email address incorrectly, so it was never actually sent.
Charles Rayer, Group IT Director, details the incident – and explains why this prompted him to invest in Tessian Guardian – in a Q&A. You can watch the interview here.

I accidentally hit “reply all” or cc’ed someone instead of bcc’ing them

Like sending a misdirected email, accidentally hitting “reply all” or cc instead of bcc are both easy mistakes to make.

What are the consequences of hitting “reply all” or cc instead of bcc?

As you may have guessed, the consequences are the same as those of sending a misdirected email. And, importantly, they depend entirely on what information was contained in, or attached to, the email. For example, if you drafted a snarky response to a company-wide email and intended to send it to a single co-worker but ended up firing it off to everyone, you’ll be embarrassed and may worry about your professional credibility. But, if you replace that snarky response with a spreadsheet containing medical information about employees, you’ll have to report the data loss incident, which could have long-term consequences.

Real-world example of hitting “reply all”

In 2018, an employee at the Utah Department of Corrections accidentally sent out a calendar invite for her division’s annual potluck. Harmless, right? Wrong. Instead of sending the invite to 80 people, it went to 22,000: nearly every employee in Utah government. While there were no long-term consequences (i.e., it wasn’t considered a data loss incident or breach), it does go to show how easily data can travel and land in the wrong hands.

Real-world example of cc’ing someone instead of bcc’ing them

On January 21, 2020, 450 customer email addresses were inadvertently exposed after they were copied, rather than blind copied, into an email. The email was sent by an employee at speaker-maker Sonos and, while it was an accident, under GDPR the mistake is considered a potential breach.
I fell for a phishing scam

According to Tessian research, 1 in 4 employees has clicked on a phishing email. But the odds aren’t exactly in our favor. In 2019, 22% of breaches involved phishing… and 96% of phishing attacks start on email. (You can find more Phishing Statistics here.) Like sending an email to the wrong person, it’s easy to do, especially when we’re distracted, stressed, or tired. But it doesn’t just come down to psychology. Phishing scams are getting harder and harder to detect as hackers use increasingly sophisticated techniques to dupe us.

What are the consequences of falling for a phishing scam?

Given the top five “types” of data that are compromised in phishing attacks (see below), the consequences of a phishing attack are virtually limitless. Identity theft. Revenue loss. Customer churn. A wiped hard drive. The top five “types” of data that are compromised in a phishing attack are:

- Credentials (passwords, usernames, PIN numbers)
- Personal data (name, address, email address)
- Internal data (sales projections, product roadmaps)
- Medical (treatment information, insurance claims)
- Bank (account numbers, credit card information)

Real-world example of a successful phishing attack

In August 2020, the SANS Institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 records of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding, malicious Office 365 add-on.
While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. But most phishing attacks have serious consequences. According to one report, 60% of organizations lose data, 50% have credentials or accounts compromised, another 50% are infected with ransomware, and 35% experience financial losses.

I sent an unauthorized email

As a part of a larger cybersecurity strategy, most organizations will have policies in place that outline what data can be moved outside the network and how it can be moved. Generally speaking, sending data to personal email accounts or third parties is a big no-no. At Tessian, we call these emails “unauthorized”, and they’re sent 38x more often than IT leaders estimate. Tessian platform data shows that nearly 28,000 unauthorized emails are sent in organizations with 1,000 employees every year.

So, why do people send them? It could be well-intentioned, for example, sending a spreadsheet to your personal email address to work over the weekend. Or it could be malicious, for example, sending trade secrets to a third party in exchange for a job opportunity.

What are the consequences of sending an unauthorized email?

Whether well-intentioned or malicious, the consequences are the same: if the email contains data, it could be considered a data loss incident or even a breach. In that case, the consequences include:

- Lost data
- Lost intellectual property
- Revenue loss
- Losing customers and/or their trust
- Regulatory fines
- Damaged reputation

No sensitive data involved? The consequences will depend on the organization and existing policies. But you should (at the very least) expect a warning.

Real-world example of an unauthorized email

In 2017, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t.
The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes. You can find more real-world examples of “Insider Threats” in this article: Insider Threats: Types And Real-World Examples

How can I avoid making mistakes on email?

The easiest answer is: be vigilant. Double-check who you’re sending emails to and what you’re sending. Make sure you understand your company’s policies when it comes to data. Be cautious when responding to requests for information or money. But vigilance alone isn’t enough. To err is human and, as we said at the beginning of this article, everyone makes mistakes.

That’s why, to prevent email mistakes, data loss, and successful targeted attacks, organizations need to implement email security solutions that prevent human error. That’s exactly what Tessian does. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships.

- Tessian Guardian automatically detects and prevents misdirected emails
- Tessian Enforcer automatically detects and prevents data exfiltration attempts
- Tessian Defender automatically detects and prevents spear phishing attacks

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. That means it gets smarter over time to keep you protected, always. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
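As an added example (not Tessian’s code, and not how Guardian or Enforcer work internally), here is a pre-send check that turns the “double-check who you’re sending to and what you’re sending” advice into rules for four of the mistakes above: a recipient that is a near-miss of a known contact (the jon.doe/jan.doe typo), many external addresses left visible in To/Cc instead of Bcc, attachments going to a personal webmail address, and attachment names that suggest sensitive data. The address book, organization domain, webmail list, keyword list and threshold are all constructed assumptions.

```python
"""Pre-send checks for common email mistakes (added example, not Tessian code)."""
from dataclasses import dataclass, field

ORG_DOMAIN = "ourcompany.example"  # assumed sender organization
# Constructed address book: people this sender has emailed before.
KNOWN_CONTACTS = {
    "jan.doe@gmail.com",
    "alice@acme-corp.example",
    "bob@acme-corp.example",
}
# Domains that policy treats as personal webmail (constructed list).
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Filename fragments that hint at PII or financial data (constructed list).
SENSITIVE_HINTS = ("customer", "payroll", "salary", "pii", "medical", "projection")
BCC_THRESHOLD = 20  # more visible external recipients than this should be bcc'd


@dataclass
class Draft:
    sender: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    attachments: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[-1]


def local_part(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[0]


def lookalike(addr: str, contacts, max_dist: int = 2):
    """Return the known contact that addr is a near-miss of, or None."""
    best = None
    for known in contacts:
        d = edit_distance(addr.lower(), known)
        if 0 < d <= max_dist and (best is None or d < best[1]):
            best = (known, d)
    return best[0] if best else None


def check_draft(draft: Draft):
    """Return a list of (category, message) findings for a draft email."""
    findings = []
    visible = [a.lower() for a in draft.to + draft.cc]
    everyone = visible + [a.lower() for a in draft.bcc]

    # Misdirected email: unknown recipient that closely resembles a known one.
    for addr in everyone:
        if addr in KNOWN_CONTACTS or domain(addr) == ORG_DOMAIN:
            continue
        near = lookalike(addr, KNOWN_CONTACTS)
        if near:
            findings.append(("misdirected", f"{addr} is a near-miss of known contact {near}"))
        else:
            findings.append(("new-recipient", f"{addr} has never been emailed before"))

    # Cc instead of bcc: many external addresses exposed to each other.
    external_visible = [a for a in visible if domain(a) != ORG_DOMAIN]
    if len(external_visible) > BCC_THRESHOLD:
        findings.append(("cc-vs-bcc", f"{len(external_visible)} external addresses are visible to each other"))

    # Unauthorized email: attachment leaving for a personal webmail account.
    if draft.attachments:
        for addr in everyone:
            if domain(addr) in PERSONAL_WEBMAIL:
                who = "your own" if local_part(addr) == local_part(draft.sender) else "a personal"
                findings.append(("unauthorized", f"attachment going to {who} webmail address {addr}"))

    # Misattached file: filename suggests sensitive content; confirm it is intended.
    for name in draft.attachments:
        if any(hint in name.lower() for hint in SENSITIVE_HINTS):
            findings.append(("misattached", f"{name} looks like it holds sensitive data"))
    return findings


if __name__ == "__main__":
    typo = Draft(sender="jane.smith@ourcompany.example", to=["jon.doe@gmail.com"])
    for category, message in check_draft(typo):
        print(f"[{category}] {message}")
```

Each finding is a prompt for the sender to confirm before sending, which is the point of the vigilance advice: the check does not block anything by itself.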
Podcast Episode 2: We Just Accelerated The Future By A Decade, With Stephane Kasriel
by Tessian Thursday, December 31st, 2020
Tim Sadler: In this episode, I’m speaking with Stephane Kasriel, the former CEO of Upwork, and a future of work visionary. Now, some companies have been practising remote working for many years. But for others, the Covid-19 pandemic has forced a remote work environment almost overnight. In my research for this discussion, I was amazed to find that last year 44% of companies didn’t allow remote work at all. And globally, only 52% of people worked from home at least once a week. Fast forward now to 2020, and things couldn’t look more different. And as Stephane says in our upcoming discussion, it’s likely we will never go fully back to our old ways of working. Stephane shares his tips on how to build a remote working strategy for the long term, his opinions on what the future holds, and explains why he believes flexible working is a win-win for everyone. And, by the way, you can find all our podcast episodes here.

TS: Stephane, can you tell us a bit more about how distributed working was built into Upwork’s DNA?

Stephane Kasriel: You know, there’s an expression here. So first of all, thank you for having me, Tim, this is fantastic. But really, you know, one of the expressions that people use in the Bay Area is eating your own dog food. And so Upwork is a website and a mobile app that helps people work from home, and helps companies engage with people that work from home. And so we decided from day one that we couldn’t convince our customers to do this if we didn’t do it ourselves. And so Upwork today has about 2,000 people. There’s about 300 of them who work in an office, two offices in the Bay Area, one in Chicago, but the vast majority of people are working from home. I think we have people in something like 500 different cities in the world. And some of them have been working with the company for a decade or longer. So this is not just short-term gigs for low-value work. A lot of these are core software development, legal services, financial services for the company, just people that are not physically present in the office.

TS: 500 offices, that is a huge achievement to have that kind of scale of remote workforce. What have you actually learned along the way about making remote work a success with your team?

SK: You know, there’s a lot of different learnings. I would say increasingly, people have documented those learnings. So Upwork has an entire website, and it’s been updated for the pandemic. You know, obviously, to say the obvious, there’s a lot more people that are working from home right now than ever in the past, many of whom were not prepared for this, and their companies were not prepared for this. So Upwork has published a pretty meaningful set of recommendations. But it’s not the only company that has done it. GitLab has an amazing set of documents, Zapier, Trello – which is part of Atlassian. And there’s probably half a dozen different companies that have done remote at scale, you know, Automattic, the people behind WordPress, or the people behind Basecamp. So I would say, at the very highest level, I would just say treat people the way you want to be treated, right? Like, put yourself in the shoes of one of your people working from home, particularly in a time like today where this is not normal remote work. This is remote work where people may be sick, people may be scared of being sick, they may have people close to them that are sick, they may have children at home, they may have multiple people on Zoom at any point in time and not enough bandwidth to connect. And so I would say rule number one is empathy, realize that this is a tough time for everybody. And leading with care and love is probably one of the best things you can do. The second one – which is probably pretty obvious if you manage people in different time zones – realize that they have different working hours from you. Switch from a very synchronous model, where everybody’s on Zoom all day long, or everybody’s meeting at the same time, to something that’s more asynchronous – where you do more writing, or you do more things on Loom – which is kind of the offline version of Zoom, if you will. And you know, I would say that the third thing is just realize that you need to communicate even more when people are distributed than when they’re local. So, you know, repeat yourself, set up meetings when meetings need to be set up, document more than you would otherwise and don’t assume that everybody knows what’s in your head. Because that’s really not true even when they work close to you. But it’s even harder for them to get into your head if they’re remote. And there’s a long, long list beyond that. But I would say those are like the high level ones.
TS: Yeah, and I love that point about leading with empathy. I think it’s so important during this time, and obviously these are… You know, we’re seeing the kind of the key takeaways from years and years of trial and error. What have been some of the lessons learned along the way? And, you know, you’ve outlined some really important practices here for companies who are just getting to grips with this new normal. But it’d be really interesting to understand, you know, what hasn’t worked out in the way that you thought it might have? And what approach would you encourage companies to take so that they can have a continual cycle of learning with how they’re improving their remote work initiative?

SK: I think like, that’s the key, right, is a continuous cycle of learning, like, get feedback on what’s working and not, document the best practices, share them with the organization, especially if you’re a bigger company, there might be part of your organization that’s doing it really well, and other parts of the organization not so much. And sharing best practices is absolutely essential. But you know, I would say there’s probably two things. One is, learn about time zones, you know, if people are in multiple different countries, work-life balance matters, and expecting somebody to be always awake from 2am to 5am, because that’s what you need, unless that’s truly what they were signing up for initially, it’s probably not a good idea. So when we assembled teams within Upwork, we were always cognizant of having people in potentially two different time zones that were compatible with each other, but rarely on three, so for instance, US plus Asia plus Europe, somebody does not sleep. So that’s one component of it. The second one, which actually is what companies are being forced to do right now, so that’s helpful, is when you’re switching from a very local model to a very distributed model, the easiest way to do it is not to hire a bunch of people from the outside that are working remotely. But instead to allow your current employees, especially the people that are the most tenured, that really know how to get things done, when they give you feedback, you’re going to listen to the feedback, let them work remotely. And by the way, that doesn’t just mean working from home in San Francisco, that means if they choose to relocate to another part of the country, let them do that, in fact, encourage them to do it. We have a relocation package, we actually call it the relocation package, which is, if you’re based in San Francisco, and you want to move to another part of the country, we will actually pay for your moving expenses. It’s hard enough, if you’re not a remote-first company, it’s hard enough for your existing employees to work remotely, it’s even harder for new people to come in and work remotely. And so the challenge with a lot of companies is they try to go from one extreme, which is, you know, everybody’s in the same office, to the other where you hire a bunch of new people who know nothing about the company, and don’t know anybody, and have them be successful. And I think the intermediate plan is to take your existing people and allow them to work from home. Check, this is happening right now. Step two is allow your existing people to relocate to another part of the country if they choose to. And then, step three, start to open up hiring, probably first in places where you have local employees already, because you’re going to have that, you know, face-to-face connection from time to time, which is really helpful to build a sense of community.

TS: And this leads me on nicely. I think that the relocation pack – I like that terminology.
And there are a lot of people who are, I think, rethinking where they have to be based in terms of, you know, their location to actually now work for the companies they do. You describe flexible working as a win-win scenario, I guess, for employees, and also for the employer. Could you maybe unpack that a little bit and just share a bit more of your thinking around that with us?

SK: Yeah, and I would say there’s even a third component, which is society as a whole. Right? So why is it a good thing for employers? Well, you know, the main downside, which is the myth, is people are going to be working less, it’s bad for your culture, you’re going to have retention issues, all that stuff, none of which is true, right, in companies that are good at measuring worker productivity, and most of them are not. There is no data that shows that worker productivity goes down when people are working remotely. In fact, there’s tonnes of data that shows the opposite. The idea that it’s bad for retention, like employee loyalty, I can give you the example of Upwork: the people that work remotely stay at the company at least twice as long as the people that are based in San Francisco. And it’s pretty obvious why, you know, if you’re based in San Francisco, you’ve got all the other tech companies that are trying to poach you all the time. When you live in the middle of Sacramento or Stockton, Modesto or even outside of California, there’s a lot less competition for talent, right, so it’s good for companies: employee retention, obviously cost, you know, like the cost of living in San Francisco is so high that you can find equally talented talent for significantly less money elsewhere. Right. So that’s the company point and I would say more than cost savings, for the most part, it’s about attraction of talent and retention of the talent. On the employee side, you know, like, I think we’ve done many, many surveys over the years at Upwork. And most people would prefer to have more flexibility in their life, and to be able to potentially relocate to another part of the country. You know, the San Jose Mercury News does a study every year, and they just updated it and it went up again. But last year, more than 50% of the tech employees who live in the Bay Area said that they would choose to leave the Bay Area if they could keep the same job and the same thing. And so there’s a meaningful number of people who live in places like New York and London and San Francisco and Shanghai, not because they really enjoy the lifestyle or the cost of living, but because that’s where the jobs are. So that’s how it helps people. But secondly, it also helps people that are excluded from the current workforce to participate in the workforce. So one of the studies that Upwork does every year is called Freelancing in America. We asked freelancers, would you ever choose to work for a regular employer? And 50% of freelancers say no. And when you ask them why, usually the answers are care duties, a physical or mental disability that makes it hard for them to contribute to a regular office environment, or living in a part of the country where there’s no job. So you’re really allowing lots and lots of people, who otherwise can’t get access to great jobs, to have access to them. And then the third piece is society as a whole. So one thing that’s, you know, pretty well documented by economists: if you have a highly paid worker move to a part of the country that is economically challenged, it creates, on average, an extra four jobs. And it’s pretty obvious why, right? You put a highly paid software developer in the middle of the country, and they’re going to start to consume goods and services, which further creates more jobs and restarts the new economy, as opposed to today. I mean, if you look at the situation here in San Francisco, almost all of the people whose jobs truly require them to be in San Francisco can’t afford to live anywhere nearby. And meanwhile, the people whose jobs can be done from anywhere only live in San Francisco. So it’s kind of the opposite of where it needs to be. And I think this distributed work approach can really be a win-win for society, for the workers and for the employers as well.
TS: Yeah, yeah. There’s some fascinating stats there as well. I’d seen a few of those recently. It does, you know, it seems obvious when you say it, that there are so many other benefits that come from this kind of setup. And I guess from the company’s perspective, it’s really, really important that you’re empowering your workforce and your employees to be successful in this environment. And there are certain things, when you’re running a company, that you still have to get right, whether you’re a remote work environment, or whether you are in physical offices around the world. And obviously, a topic very close to our heart is security and thinking about how you keep people secure with the data they’re handling, whether they’re working from their home office, or their front room. And it’d be good to hear your perspective, some of the things that you’ve done to empower your workforce overall from a technology perspective. And then, when it comes to security specifically, what do you think companies need to have in mind?

SK: Yeah, absolutely. So there’s definitely several, you know, components to allowing a distributed workforce to be successful. There are human resources related matters. There are legal related matters, right? Employment is regulated in just about every country. So you need to understand what you’re getting yourself into. Usually, there’s tax and accounting implications, if you have nexus in multiple states in the US, let alone if you have people in multiple countries, and you employ them directly, this might create financial, tax and accounting matters that you need to resolve. And then to your point, there’s huge security considerations that you need to take into account. And I would say, like in the case of Upwork, specifically, there’s two different natures of the issue, if you will. One is bring your own device, right? Most of the people on Upwork are freelancers. We don’t send them a laptop, we don’t send them an iPhone, we don’t control their environment. But then they get access to the secure environment of the network infrastructure. So securing a Bring Your Own Device type of environment, absolutely critical. The second one is we don’t know where they are. You can’t assume that, right? So you need to design systems and policies to make sure that the intellectual property of the company and the security of the company is not compromised. To give you one example, very early on at Upwork, we decided that anything that needs to be secure should be behind the VPN, irrespective of whether you’re working from home, or working from the office. So from day one we said, location should not matter. There’s nothing magical about the office, we should always assume that you are in a non-trusted environment, and make sure that we build systems to accommodate for that.

TS: Yeah, and this also comes down to the point, I imagine, of the culture that you create as a remote work company. And you know, we can be used to building culture, or certainly as a CEO, I’ve been used to building culture, when you have people in the office. You can get people together, you can do socials together, and those kinds of things. What are some of the tips that you have for organizations who are thinking about how you actually create a really, really amazing culture as a remote company, and, you know, having to consider all of these other things like the practices? And you ran through some of them: HR, legal, security?

SK: Yeah, well, you know, I would say other than right now, where everybody’s stuck at home and really can’t meet face to face, in general, I think most remote-first companies tend to do lots and lots of face-to-face meetings. At Upwork, we had a meaningful travel budget where we would do meet-ups. So not 2,000 people in the same place, which, you know, doesn’t work for most people, but we would give agile teams a small budget every year so that they could meet up in a cool city. And every time we’d have meetings in, you know, Budapest, and Madrid and Chile and where have you. And it’s a great perk for people. For a couple of weeks, they would be in an Airbnb, and they’d be coding during the day. And they’d be, you know, socialising in the evenings and weekends, and people tend to really like that, right? So, face to face does matter. I think we’re going to go from a world where we organize off-sites to a world where we organize on-sites, if you will. But this, you know, is really true. Like there is a social connection network, that is how to do a Zoom. And regularly you need to, you know, update it by having face-to-face meetings. Now, that’s not really possible right now. But I would say the second part of your answer is, culture is bigger than just, you know, free coffee in the office or ping pong table, or what have you. Culture is a set of values and a shared purpose. You’re widening the talent pool so much that you can find people that are really passionate about what you do. And so as a result, you can find people who really live the values, live the purpose of the company, they’re here, because they truly believe in the mission of what you’re trying to do. And that, to me, is really what culture is about.
TS: Yeah, it’s so important. I couldn’t agree more. And I think as well, for many companies there, it’s also a good thing that we’re being stretched, and they’re being challenged to think deeper than just some of the kind of superficial, skin-deep perks, maybe, that you know, otherwise would have substituted something that is altogether so much more important for companies. And I have to ask you, we’ve spoken a lot about remote work, this is something you’ve been practising for a long time. Now, what is your thesis? What’s your opinion on the future of work? And I guess I’m specifically interested as well, this change, I guess, nobody saw coming in this way that we, you know, we’ve been accelerated to remote working, what do you think it means for, you know, the next five years in terms of companies and technology, but also outside of our sector?

SK: You know, I think it just accelerated the future by a decade. The sobering fact is, I think, the virus has done more in three months than I’ve been able to do in 10 years. But we’ve really gone into the future in a really big way. And I think what really matters here is to understand what’s not working and fix it quickly. There are plenty of things that you can do wrong. This is the time where we can improve diversity, we can improve inclusion, and we can improve efficiency, and have more efficient companies. And so I think it’s really important for companies to poll their managers, to poll their employees, and to figure out, you know, very quickly, like, what are we not doing well, and to optimise for it. Because that train has left the station, and it’s moving fast right now.

TS: So you think that the, I guess, this change will show companies a way of working, that means that, you know, whether they like it or not, we’re not going back to the way things were, you know, this is something that’s here to stay. And whether we go to hybrid environments, or fully remote environments, we now have to adapt to this new way of working.

SK: Yeah, I mean, I doubt that every company is going to be fully distributed anytime soon, right? I mean, there’s definitely going to be a hybrid model, which is one thing that companies need to figure out, is how you become inclusive of the remote workforce when there’s a lot of people still in the office. But I think there’s a lot of misconceptions companies had about remote work that are being disproved right now. Now, to be fair, I think there’s also a concern right now that because people are working from home in conditions that are not ideal, you know, as I said earlier, people that are sick, and people that have kids that are. I think some companies may come to the wrong conclusion, which is why this was really a failed experiment. We can’t wait to have everybody back in the office. But the reality, though, is the workforce has moved on. So if you as an employer think you can go back to the old ways, you’re going to lose a lot of your team members because they’re not moving back. In fact, the place they’re moving to might be outside of where they live right now, in a place where they can have a much better lifestyle. Frankly, I think the workforce is going to be voting with their feet. If you don’t allow people to work more flexibly post-COVID, there’s a lot of employers who will and they’ll attract the best talent.

TS: That’s a really interesting way of looking at it, which actually, it’s the overall market for employment and flexibility. As you say, as soon as it’s there with one set of employers, it’s going to become something that people prioritise.

So there you have it. Remote work has its benefits for employers, employees and society. And, so, in Stephane’s opinion, we’ve accelerated the future by a decade. And it’s time for businesses to consider what the long term strategy for a hybrid or remote way of working will be. Whatever their decision, securing people and empowering them to work both productively and safely has to be a priority as employees can now work from anywhere. If you want to learn more about securing your hybrid workforce, we have plenty of great content and actionable advice on the Tessian blog. And if you enjoyed our show, please rate and review it on Apple, Spotify, Google Play or wherever you get your podcasts. Remember, you can find all of the RE:Human Layer Security podcast episodes here.
Integrated Cloud Email Security, Podcast
Podcast Episode 1: Why Culture Trumps Strategy, With Howard Schultz
by Tessian Sunday, December 27th, 2020
Welcome to the RE:Human Layer Security podcast. This is the show that flips the script on cybersecurity and in each episode, Tim Sadler, Tessian’s CEO and co-founder, will be speaking with world-class business, tech and security leaders about why businesses need to protect people – not just data and machines – to stop breaches and make businesses thrive. Tim Sadler: For our first episode, we’re kicking things off by talking about the importance of culture to build a resilient business. I think we can all agree 2020 has been a turbulent time, a year of many firsts. And like many other leaders, managing a suddenly remote company has forced me to adapt my ways of working and think deeply about how this huge change would affect the people within Tessian.  How would it impact their mental wellbeing? Do they have the tools in place to work both productively and securely? And how do you build and maintain a culture when everybody is working in isolation? So when I had the chance to speak to the brilliant Howard Schultz, the former chairman and CEO of Starbucks earlier in the year, I wanted to ask for his advice on how to lead during times of extreme difficulty. With stories from his days leading Starbucks, how to explain why managers mislead with humanity to help keep people motivated and inspired. And if you want to hear more Human Layer Security insights, all podcast episodes can be found here.  TS: Howard, it is a great honor to have you with us here today. Howard Schultz: Honored to be with you, Tim.  TS: Howard, like so many others, I’ve been really lucky to learn from your leadership lessons as the CEO of Starbucks. And for anybody who does an ounce of research on that company, they will hear that it was all about the people. Why do you think it’s so important that leaders invest in their people?
HS: Well I think, regardless of what business you’re in, whether you’re in the consumer business, the tech business, or the security business, it’s always all about the people and the culture and values and guiding principles of an organization. When we began at Starbucks, in 1987, when we had 11 stores and 100 employees, we actually framed a unique way to look at the business. And that was to try and achieve the fragile balance between the fiduciary responsibility of building shareholder value in the conscience and the benevolence necessary to share success with our people.  I think in the environment that we’re living in today, perhaps more than any other time, certainly in my lifetime, you can’t build a company or attract and retain great people, unless people recognize that they are part of something larger than themselves, and that they believe 100% with great trust and confidence in the management team, their leaders, their managers and the mission of the enterprise. And so this is a time when leaders must recognize the importance of truth, transparency, being vulnerable in the moment, and bringing your people along with you.
TS: And for you, I know that you’ve said this a number of times, and it’s something I picked up on. It’s not just about being good enough, though, I think you have this saying, which is you’ve got to exceed the expectations of your people. How do you go about achieving that as a leader? HS: Well, actually, we took it a step further than that. We said, if you want to exceed the expectations of your customers, you have to first exceed the expectations of your people. And in the environment, again, that we’re living in today. It’s not only exceeding the expectations of your people in terms of compensation, but also their values and value of the enterprise.  And I think any environment that we are all trying to navigate through today, people are coming to work with a tremendous level of anxiety and uncertainty, because there are, in my view, three pandemics going on at once. Not only the pandemic of COVID, but the pandemic of our political system here in America, where we’ve lost trust and confidence in our institutions. And third, the third pandemic is the unbelievable level. I think there’s a lack of understanding of racial inequality, racism, and in terms of our election here in America, the possibility of voter oppression. And so those three pandemics are colliding at once. And so if you are building a business or managing people, it’s not just managing and leading your business, because that isn’t the only thing your people and your employees are dealing with. They are living and dealing with many other aspects of their life and their life experience and their personal situation. They are bringing that to work, whether they are on Zoom calls at home or not. And as a manager and a leader, you must understand with great sensitivity and compassion. Then if we want to exceed the expectations of our people, then as managers and leaders, we need to walk in the shoes of our people. And that is what I mean by exceeding expectations of our people at a time like this.
TS: I think that’s so important. And again, that was another thing that that really stuck with me this, this, this notion that actually, the role of a company is, you know, it’s no longer just a place where people show up come to work, maybe they’re here 9-5, it is, it has to be so much more, especially given this this turbulent time where actually, people, you know, they can’t I think we spoke about it previously, Howard, where you said, if you can’t put your faith in the work that you’re doing, and you can’t be proud of that, then, there are so many other things that well, there are, there are so few other places where you can you can put that pride or you can find that pride right?  TS: Now, when you were building Starbucks, you were a young leader yourself, I think you were in your early 30s, when you bought the company, what guided you or what helped you in establishing this great culture for that company as you built it? HS: Well, I think all of us have a life experience and a personal story. Having grown up in public housing, where I saw firsthand the fracturing of the American dream with my parents, I understood at an early age, what can happen when you are your family and the resources of the family are left behind. And so in building Starbucks, I wanted to really create a company in which we were managing and leading the company through the lens of humanity. Now, it’s easy to say that it’s very hard to do. What do I mean by that?  Well, when you’re leading a company that’s growing at 50-100% a year, and you’ve got the wind at your back, it’s very easy to be humane. But the challenge for leaders in starting a company and dealing with adversity is what happens when the challenges are difficult. And the wind is in your face, are you going to compromise your values and your integrity and your ethics for a short term game?  And now, everyone who works in a company remembers the actions of what leaders do in good times and bad. 
And what you want to do as a leader is ensure the fact that you’re imprinting the organization with the values that people will remember during bad times. And so in terms of your question, I was trying to build the kind of company that my father and an uneducated blue collar worker who didn’t get respect in the workforce could work for, and in effect, trying to build the kind of company regardless of your station in life, that you would be valued and respected.  And that’s why we gave ownership to everybody, comprehensive health care to everybody, free college education, all of those things; we felt were important in terms of the company’s responsibility. And I think the question for all of us today is, what is the role and responsibility of a for profit company in today’s world? TS: I think there’s so much that to unpack when talking here, about leading through times of adversity. And one of the things you said there was, you know, when it’s easy to live up to your values when the winds, you know, the winds at your back. And I wanted to draw on a point of history at Starbucks, which is when you returned as a CEO, which I think was in January 2008. And the financial crisis was in full swing and from what I understand, Starbucks was in some financial difficulty at the time. And one of the first things that you wanted to do on your return. And to me, this really speaks to that notion of you know, you have to live your values in good times, and you have to live your values in bad times. One of the first things that you did was to take 11,000 store managers to New Orleans at a cost of $33 million. And share the news that your company was seven months away from insolvency. Why was it so important that you did this? HS: Tim, I have to commend you on your research. Well, the company was in dire straits. And I wanted to be in front of the most important person at Starbucks, which is the store manager. And I said we’ve got to get everybody in one room. 
And believe it or not, we went to New Orleans for three days. And this was not a getaway. This was not a retreat. This was a come to Jesus for the company. Now before we had one minute of our meeting, every single person who came to New Orleans devoted hours of work in the community in the 90s toward post Katrina, and we contributed 55,000 hours of community service – again, demonstrating the values of the company.  Now, the story you bring up is this, I had an opportunity on the third day to give a $30 million speech, the cost of the event. And before I gave the speech, my colleagues and a couple of board members asked me, what was I going to share with the people? What was the rallying cry? And I laid it out for them that I was going to tell them the dire condition that we were in. And in fact, if we went seven more months, like this.  Starbucks was going to be insolvent. That’s how bad it was. And the people around me were so afraid, basically saying, “You can’t tell them this, you will scare the crap out of them, they won’t be able to handle this kind of information.” And the question at that moment is, do you trust your people enough to have the same information that you have? And the answer has to be yes, you can’t lead people by hiding information. You can’t be a pentagon General, you’ve got to be in them on the battlefield in the mud with them. And they have to send the same information you did. So I stood up in front of 11,000 people. And I asked them two things: one as I laid out the problem, I asked them to join with me to lock arms, to all of us facing in the same direction to be aligned against what we have to do. And don’t do it for me. Do it for your, your people you work with and do it for your family.
And the speech did not turn Starbucks around. But we roared out of New Orleans, like a tidal wave. And seven months passed, and we never looked back. And of course, today, Starbucks has 32,000 stores in 83 countries, and one of the most recognised brands in the world. But we have challenges just like everybody else.  But the HR issue in every company, the human condition, human behaviour, if you can unlock that. And I’ll let me say it this way, if you separate the culture from the strategy, i.e. you have a great strategy, but a bad culture, I think nine times out of 10, you are not going to achieve the aspiration of that strategy. The execution is going to be flawed. You have a world class culture, where there is a currency of trust throughout the organization where everyone believes in the mission of each other, and we’re going to take the hill together, you link that with an average strategy.  With a lot of competition, you give me that scenario. And I tell you, you are going to win. Because culture, and I hate to use this word, trumps strategy. TS: And I think that’s so important. When we think about also leading, leading teams, leading our people and protecting the company, something you told me, Howard, which was, you know, vulnerability can actually help you build stronger bonds with your people. Sharing vulnerability, being vulnerable with those around us actually allows us to get closer and people come closer when they see that, you know, where we will have the right world working on something.  HS: Yeah, and especially for men, you know. We’re not taught to be vulnerable. We’re not taught to be sensitive. And I think the more you can reveal to your people about who you are, and take the defenses off, and be real and be authentic, the better off we will be. TS: I want to go to something that you said over a year ago now, but I think it was January 2019. I’m quoting you, but it really struck me.
When I heard this, you said that the elephant in the room of the country today is humanity. And it really resonated, I think with many of the challenges that we’re facing right now, you know, in society, but also, we see this in many companies. And I wanted to get your thoughts on how is that quote aged for you, given where we are today? HS: You know, as I said to you earlier, I really believe we’re living through three pandemics at once all colliding with one another. And I think, especially for young people. It’s very easy for young people today to lose trust and confidence in the future. And when I speak about humanity as the issue in the room, the elephant in the room, I just think people are living with tremendous anxiety and uncertainty and are so hungry to be lifted up by something that’s real. That’s something that’s truthful. And, and no integrity, if you’re trying to build a great enduring company, you’re trying to provide a much needed service to your customers. If you can do that, while at the same time, building an organization in which people are truly valued for who they are, and people are seen and understood, and really feel like they are part of an organization where they, they themselves feel as if they are not only contributors, but they are being valued in a way that’s so unusual.  If you can lift humanity, and integrate humanity into the core purpose and reason for being, and if everyone on the call, can integrate and lift up their people, and recognise the importance of humanity, in their business, every single business on this call will be better for it. Because we, as people, in the US and all over the world, we are hungry longing for humanity, for truth, and for people and organizations that we can believe. TS: And I think that’s something that’s so it’s such a powerful statement that something we can all take away into our practice, whether we’re leading a company, we’re leading a team, or we are serving our company. 
And again, I think something that’s so unique and special about the security community is that leadership is your, it’s your team, it’s the people who report to you, but you’re having to show leadership for the whole company, you know, there is a huge task ahead every single day, you’re tasked with the security and the protection of the whole company.  And one thing I wanted us to finish on Howard. There is often so much pressure in our day to day lives, or you know, we are tasked with really important initiatives and really important things. And I think the remarkable, or one of the remarkable moments that again, you’ve shared with us today and is, you know, for anyone who does any research they will see is those moments when faced with extreme difficulty or uncertainty, you are able to deeply not only live your values, but I think go back to your values and embrace your values.  And the question I have, or the advice that I would love to finish on is what can you offer? What advice would you share with people who are on the call today thinking, you know, this sounds great, but actually, I’ve got the pressure of my day to day job just to get through? How can I ensure that I am constantly living those values, the values I have for myself and the values that my company has to me? What advice would you give to them? HS: That’s a very big question, Tim. I try my best! TS: I’ve saved the best for last. HS: When each of us goes home at night, and we’re sitting with our wife or husband or partner or family. And we have an opportunity to talk about the company that we are part of, or the work we did today. The rhetorical question is, did you as a leader provide the people who work within for you an opportunity to speak about their work in the company with pride? And if the answer is yes, then you know that you can start your day tomorrow realising that what you did today was really, really good. The challenge we have as leaders, is we got to do it more often than not. 
And I think what we’ve always tried to do at Starbucks is answer the question in the affirmative. Are we making our customers and our people proud of the equity of our brand, the values of our company, and the guiding principles of what is our core purpose or core purpose and reason for being? And let me let me say in a week or two is the 50th anniversary of Milton Friedman’s famous essay about the role and responsibility of a company. Now, Milton Friedman was a god in terms of his economic acuity.  But I disagree with humility. That Milton Friedman’s theory, that a business his primary responsibility was to its shareholders and to make a profit. I don’t think that applies today. It goes back to what I said earlier. We all have to be in the business of improving the lives of our people, the communities we serve, and I bet you that your customers and the customers of theirs want to do business with companies and management teams who are values based.
Never, it’s never been more important to me and to recognise the critical importance of business today to lead with his heart and with his conscience. TS: I think that’s a fantastic note to finish on. And again, Howard, thank you so much for your time today and sharing all of this insight and guidance with us.  TS: It was amazing speaking with Howard. I think one of the things that stuck out for me was if you have a great strategy, but a bad culture, it’s very likely you’re going to be unsuccessful.  A company’s culture is built on that currency of trust with values that inspire people to do great work. And also leaders shouldn’t be afraid to be vulnerable. As Howard points out, it can lead to stronger bonds with people and then foster that trust. Join the next episode of RE: Human Layer Security, where we talk with Stephane Kasriel, the former CEO of Upwork, and a future of work visionary. Stephane and I will be talking about the topic of remote work, and why it really isn’t something that’s going away anytime soon.  And that just leads me to say thank you very much for listening. We have more Human Layer Security insights in our next episode. But if you can’t wait that long, you can visit our blog, where you’ll find lots of amazing content, advice and tips. And if you enjoyed our show, please rate and review it on Apple, Spotify, Google Play or wherever you get your podcasts.
Integrated Cloud Email Security
A Year in Review: 2020 Product Updates
by Harry Wetherald Tuesday, December 15th, 2020
Throughout this year, we saw just how quickly the threat landscape can change. We all transitioned from the office to our homes overnight. Employees relied on email and other communication and collaboration tools more than ever. And hackers took advantage of the general fear and uncertainty around the pandemic and impersonated health care providers and government organizations. But, at the same time, Tessian rolled out a number of important product updates to help keep our customers safe, wherever they worked. Here are the most important product updates to Tessian’s Human Layer Security platform for 2020.
1. Human error, visualized. The new Human Layer Security Intelligence platform gives customers unprecedented visibility into their users’ risk
Tessian customers now have unprecedented visibility into their Human Layer risks, for example employees breaking the rules, making mistakes, and being tricked. The new HLS Intelligence (HLSI) platform automatically surfaces insights about risky employee behavior and high-risk security events, allowing security leaders to know where to focus their efforts. Customers can also benchmark their risk levels against industry peers to help them identify how and where they can improve their security posture. Investigation and remediation are also effortless. Security teams can take immediate action from the platform. Finally, customers can use the Tessian API to receive real-time security events directly into their chosen SIEM or SOAR platform. Want to learn more about HLSI? We outline all the key features of our new platform in this article.
2. Effortless insider threat detection. Automatically detect high-risk data exfiltration activities.
Thanks to new features within Tessian Enforcer, customers can now automatically detect users who suddenly exfiltrate an unusually high amount of data. This allows security and compliance teams to easily spot bad leavers and insider threats, without spending time viewing and investigating individual cases of data exfiltration.
Instead, Enforcer automatically analyzes patterns and spots trends that deviate from what’s considered “normal” for a particular employee. For example, every month, an employee might send their paycheck to their personal email account. Enforcer tracks this behavior, but no action is needed. Why? Because this data isn’t sensitive. But, one day, the employee sends fifteen sensitive emails to his personal account. Enforcer recognizes that this is unusual for the user, and alerts the compliance team, who can take appropriate action. No manual investigation required.
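The per-employee baseline idea described above, as an added example written for this post (it is not Tessian’s code and does not reflect how Enforcer is implemented): each user’s daily count of sensitive emails to personal mailboxes is compared against that user’s own history, so the monthly non-sensitive paycheck never alerts but the day with fifteen sensitive emails does. The log, the personal-domain list and the assumption that a classifier has already marked each email as sensitive or not are all constructed for the example.

```python
"""Per-user baseline check for sensitive email sent to personal accounts.

Added illustration of the behaviour described in the post; not Tessian's code.
Assumes every outbound email already carries a sensitive/not-sensitive flag
from an upstream classifier (a hypothetical input, constructed below).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev

# Constructed list of consumer mailbox domains treated as "personal" accounts.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


@dataclass(frozen=True)
class OutboundEmail:
    sender: str
    recipient: str
    day: date
    sensitive: bool  # assumed to come from an upstream content classifier


def is_personal_address(addr: str) -> bool:
    """True when the recipient domain is a consumer webmail domain."""
    return addr.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS


def daily_sensitive_counts(emails):
    """Map sender -> day -> number of sensitive emails sent to personal accounts.

    A day on which the user emailed a personal account only with non-sensitive
    content is still recorded (with count 0), because it is part of the baseline.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for e in emails:
        if is_personal_address(e.recipient):
            counts[e.sender][e.day] += int(e.sensitive)
    return counts


def detect_anomalies(emails, z_threshold=3.0, min_count=3, min_history=5):
    """Return [(sender, iso_day, count)] for days that deviate from the sender's history.

    Days are judged in chronological order against the days before them only,
    so the baseline is never contaminated by the day being scored. A day alerts
    when the sender has at least `min_history` prior days, the count is at least
    `min_count` (a floor so one stray email cannot trip an all-zero baseline),
    and the count exceeds mean + z_threshold * stdev of the history.
    """
    alerts = []
    for sender, per_day in daily_sensitive_counts(emails).items():
        history = []
        for day in sorted(per_day):
            n = per_day[day]
            if len(history) >= min_history:
                threshold = mean(history) + z_threshold * pstdev(history)
                if n >= min_count and n > threshold:
                    alerts.append((sender, day.isoformat(), n))
            history.append(n)
    return alerts


def _build_sample_log():
    """Constructed sample log (not real data) mirroring the scenario in the post."""
    log = []
    # Alice forwards a non-sensitive paycheck to her personal account once a month.
    for month in range(1, 7):
        log.append(OutboundEmail("alice@example.com", "alice.home@gmail.com",
                                 date(2020, month, 28), False))
    # One day she sends fifteen sensitive emails to the same account.
    for _ in range(15):
        log.append(OutboundEmail("alice@example.com", "alice.home@gmail.com",
                                 date(2020, 7, 3), True))
    # Sensitive mail to a colleague is not exfiltration and must not count.
    log.append(OutboundEmail("alice@example.com", "bob@example.com",
                             date(2020, 7, 3), True))
    # Bob's steady pattern: a few sensitive emails to his personal account daily.
    for i, n in enumerate([2, 3, 2, 3, 2, 3, 3]):
        for _ in range(n):
            log.append(OutboundEmail("bob@example.com", "bob.personal@outlook.com",
                                     date(2020, 3, 1 + i), True))
    return log


SAMPLE_EMAILS = _build_sample_log()

if __name__ == "__main__":
    for sender, day, n in detect_anomalies(SAMPLE_EMAILS):
        print(f"ALERT {sender} sent {n} sensitive emails to a personal account on {day}")
```

Only Alice’s 2020-07-03 burst is flagged; her paycheck months and Bob’s consistent daily volume stay within their own baselines.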
3. Easily identify and remediate attacks. Tessian Defender now provides extensive analysis and remediation tools to security teams
Email attacks are becoming more and more advanced and it’s increasingly complicated for security teams to decide if a suspicious email is a real attack, or a legitimate business email. Defender now surfaces insights like the geolocation of a suspicious email’s sender to help security teams identify more threats, faster. Security teams can also speed up their workflows with advanced remediation and prevention capabilities. For example, customers can now delete malicious emails in employees’ mailboxes – directly from the Tessian portal – saving precious time and reducing risk. And, with Defender Quarantine, customers can also use Defender to proactively prevent threats with a single click before they enter an employee’s mailbox.
4. Leveling up Tessian’s machine learning. Tessian’s modules detect more risks than ever before, with record-low business interruptions
Throughout 2020, Tessian Defender’s machine learning improved to detect an ever-broader spectrum of advanced email attacks that evade legacy security systems. Defender now protects against threats like brand impersonations and attacks where threat actors exploit SendGrid vulnerabilities to send spoofed emails. Tessian Enforcer also received a major upgrade, using a new Natural Language Processing (NLP) model that accurately classifies sensitive content in emails and detects topics such as financial, health, or HR data without needing to manually configure keywords or rules. This means that customers receive significantly better protection against sensitive data-exfiltration attempts with fewer interruptions to their workflow.
5. In-the-moment learning opportunities. Customers can raise security awareness in their company with contextual warnings
Tessian doesn’t just prevent breaches in real-time. Our platform also educates users to improve their security reflexes and continually drive risk down. Tessian customers can now educate, raise security awareness, and reinforce training and policies among their employees better than ever before, all while minimizing business interruptions.
With Tessian Defender, organizations can now educate employees who receive unusual emails that meet specified conditions. For example, security teams might choose to alert employees who receive an email from a new sender that requests money.  Although these kinds of emails aren’t necessarily malicious, you may want to make your user aware of the fact that the sender is new.  With Tessian Enforcer, companies can also choose to show users a custom warning message whenever they try to exfiltrate data, whether done maliciously or accidentally. This allows businesses to easily educate employees or remind them of existing IT policies.
Protect your most valuable asset: your people
Tessian has created the world’s first Human Layer Security platform and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace. Not yet a Tessian customer? Across four modules, Tessian protects the Human Layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G-Suite, product updates are seamlessly rolled out for users and administrators, and the technology – which doesn’t disrupt workflow – was built with security and productivity in mind. To understand how Tessian can fit into your existing security framework, check out our customer stories or request a demo now.
Integrated Cloud Email Security
November Cybersecurity News Roundup
Friday, November 27th, 2020
We’re back with another roundup of the biggest stories in cybersecurity in November 2020. With phishing, hacking, and ransomware continuing to surge worldwide, there was a lot of news to choose from. We’ve selected stories representing the latest trends in cyberattacks — and demonstrating the myriad ways that cybercrime impacts businesses and consumers.
UK Hit By Record Number of Serious Cyberattacks
The UK’s National Cyber Security Centre (NCSC) published its 2020 annual review on November 3. The report revealed that the NCSC had defended the UK against a record-breaking 723 cyber incidents in the past year. The data covers the period between September 1, 2019 and August 31, 2020 and reveals a 20.1% increase in cyber incidents compared to the previous three-year average (602 cyber incidents). So what explains this surge in cybercrime? The NCSC chalks the increase in numbers up to its proactive approach in identifying and mitigating threats, together with tips from its “extensive network of partners” and public reports. But there’s another reason: cybercriminals’ exploitation of the COVID-19 pandemic. The NCSC’s Suspicious Email Reporting Service received an incredible 2.3 million reports in its first four months of operation, leading to the removal of 166,710 phishing URLs. In fact, phishing takes up a lot of space in the NCSC’s report, which highlights:
- A spate of spear phishing attacks targeting pharmaceutical companies
- An “explosion” in fake ads sent via phishing emails
- A rise in the percentage of businesses experiencing phishing attacks — from 72% in 2017 to 86% in 2020
Want to know more about how widespread phishing has become? Read our must-know phishing statistics.
Amazon Customers Targeted By Vishing Attacks
Our October roundup reported an increase in Amazon-related phishing scams around Prime Day. On November 7, the Guardian revealed another Amazon scam: Amazon Prime customers are being targeted in vishing (voice phishing) attacks.
Victims received calls from scammers impersonating “Amazon Prime Security” employees, who advised them that their accounts had been used to make suspicious payments. Consumer group Which? described how one Amazon Prime customer was persuaded during a vishing call to install remote-access software on her device. The scammers then accessed her bank account and stole £6,900 (over $9,200). UK cybercrime reporting agency Action Fraud said it had received 14,893 reports of similar “computer software service fraud” incidents over the past 12 months, resulting in losses of over £16 million ($21.3 million). Vishing attacks are a massive problem for businesses as well as consumers. Read our guidance to find out more about defending against vishing attacks.
WhatsApp Hoax Spreads False Phishing Claim
On November 11, Naked Security reported a smishing (SMS phishing) scam that is, sadly, pretty unremarkable in the current climate. Victims received a text alerting them to an “unpaid phone bill,” and redirecting them to a fake O2 network credential-phishing login page. What’s more unusual about this widespread smishing attack is the rumors surrounding it. According to Action Fraud, WhatsApp-based “fake news” proliferated in the days following the attack, spreading confusion among consumers. The WhatsApp message, which referenced the City of London Police Fraud agency, claimed that the smishing attack was an “extremely sophisticated scam,” whereby attackers could drain money from victims’ accounts as a result of them merely “touching” the fraudulent text message. This type of disinformation serves as another attack vector for cybercriminals. It can undermine the efforts of legitimate cybersecurity authorities. Repeated hoaxes of this kind could, ultimately, lead to reduced vigilance among the targets of cybercrime. Credential phishing is a serious issue in itself — there’s no need to exaggerate the threat via phony WhatsApp chain messages. Read more about credential phishing here.
Fintech Platform Attacks Unwittingly Facilitated by GoDaddy Staff

Cryptocurrency trading platform Liquid reported on November 13 that its domain registrar, GoDaddy, had “incorrectly transferred control of (Liquid’s) account and domain to a malicious actor,” allowing the attacker to take control of internal email accounts. The attack resulted in the theft of users’ email addresses, names, physical addresses, and encrypted passwords. Worse still, ID cards, selfies, and proof of address documents — collected as part of the site’s “Know Your Customer” requirements — may also have been compromised.

But GoDaddy’s problems don’t end there. Just five days later, crypto-mining service NiceHash revealed that its domain had been subject to “unauthorized access” owing to “technical issues” at GoDaddy. While NiceHash reported that user data was likely safe, its domain was unavailable for some time.

GoDaddy didn’t disclose details of the attacks, but Krebs on Security revealed in March that GoDaddy staff had been subject to a vishing attack that had compromised fintech website Escrow.com. Whatever the specifics, it seems GoDaddy has suffered multiple social engineering attacks in the past year. Read our six real-world examples of social engineering attacks to learn how to avoid such problems.

Around 28 Million Texans’ Driver’s Licenses Compromised

Fox 26 Houston reported on November 18 that hackers had stolen nearly 28 million driver’s licenses registered in Texas. Driver’s license details are highly valuable to cybercriminals, who can sell them on the dark web or use them to commit identity fraud. The attack has been blamed on weak security protocols, with data being “inadvertently” held in unsecured storage by service provider Vertafore. In addition to driver’s license numbers, names, birthdates, addresses, and vehicle registration details were also stolen.
The breach took place between March and August and affected drivers who had received their license before February 2019. Vertafore is offering victims one year of free credit monitoring.

More and more US states are introducing tough new data breach notification and privacy laws. Read our guidance on US privacy laws for business leaders to find out more.

Google Products “Weaponized” for Phishing Attacks

Research from Armorblox, published November 19, revealed how popular Google products, including Docs, Forms, and Firebase, have been exploited by cybercriminals and used to “defraud individuals and organizations of money and sensitive data.” Why are hackers weaponizing Google products? Well, they’re typically open-source and easily-adapted. And because Google is ubiquitous and legitimate, Google-associated URLs are rarely blocked by firewalls or security software.

Examples of Google-based phishing attacks uncovered by the investigation include:

- A Google Form used to impersonate an American Express account-recovery page
- A fake email login page hosted on mobile API Google Firebase
- A Google Doc used as a fake payslip for a payroll diversion scam

Blocking your employees from accessing Google products and URLs would be undesirable and impractical. The only realistic way to avoid Google-exploit phishing scams is with effective email security software. Tessian Defender uses AI-driven technology to detect suspicious activity in your employees’ inboxes automatically. Click here to find out how Tessian helps defend against phishing and other social engineering attacks.

Hedge Fund Forced to Close After $8 Million Phishing Attack

On November 22, the Australian Financial Review revealed how hedge fund Levitas Capital was defrauded for nearly $8.7 million following a phishing attack. The attacker sent a fake Zoom invite link to one of the hedge fund’s co-founders. When they opened the Zoom link, malware was installed on their device.
This allowed the attackers access to the fund’s corporate email account. Using Levitas Capital’s email account, the hacker launched a Business Email Compromise (BEC) attack, sending fraudulent invoices to the fund’s administrators and trustees.

The attack was discovered in late September after an examination of the fund’s online banking records. All but $800,000 of the $8.7 million stolen was recovered before payments cleared. But the damage was done — following the attack, the fund lost its biggest client and was forced to close. This case shows how devastating phishing attacks can be — even when the direct losses are mitigated. To find out more, read our articles on wire transfer phishing and Business Email Compromise (BEC) attacks.

South Korean Retailer Closes 23 Stores After Ransomware Attack

South Korean fashion conglomerate E-Land group announced that it was closing 23 of its 50 stores following a ransomware attack, according to a November 22 report from news agency Yonhap. E-Land reportedly had to temporarily shut down part of its corporate network to contain the attack, meaning that nearly half of its NC Department Store and NewCore Outlet branches could not operate. A company spokesperson confirmed that the attack had targeted E-Land’s headquarters. It is unclear whether E-Land group chose to pay the ransom or whether files or data were exfiltrated as part of the attack.

Ransomware continues to ravage the global economy. Last month we reported that US businesses could be breaching international sanctions rules if they attempt to salvage their files by paying a ransom. To help defend your business against ransomware and other cyberattacks, read our guide to choosing the right email security software.

That’s all for this month. If we missed anything, please email madeline.rosenthal@tessian.com and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post.
Integrated Cloud Email Security, Compliance
10 Reasons Why CEOs Should Care About Cybersecurity
by Tim Sadler Wednesday, November 25th, 2020
Cybersecurity is a team sport. And for strategies to be truly effective, security leaders and business leaders have to work together. In fewer words: Cybersecurity should be on the CEO’s agenda. So, to help bridge the gap and to really highlight why privacy and data protection matter now, I put together this list. Here are 10 reasons why CEOs should care about cybersecurity.
1. Cybersecurity is a competitive differentiator

Today, customers and clients don’t just care about privacy, they expect it. That means that a strong cybersecurity culture can actually enable businesses. At our first Human Layer Security Summit of 2020, Mark Parr, Global Director at HFW, summed it up nicely, saying “You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.” He’s not alone in thinking this. According to Cisco’s global survey of security professionals and business leaders, 41% of survey respondents said “competitive advantage” was a benefit of their privacy investment.

2. The biggest consequence of a data breach is lost customer trust

Earlier this year, we asked security leaders what the biggest consequence of a data breach would be. The #1 answer? Not lost data. Not regulatory fines or revenue loss. Lost customer trust. Breaches damage your brand and it can be very hard to win back customers’, clients’, and even the public’s trust. That’s why organizations see (on average) 3.9% customer churn after a data breach.

3. You will inevitably empower your people to do their best work

Prioritizing cybersecurity isn’t just good for the business. It’s great for your people. Here’s why: 90% of breaches are caused by human error. But people aren’t intentionally making these errors, they’re moving fast to get their job done. Security just isn’t top of mind for them. So, it’s our job to set them up for success and empower them to do their best work securely. How do you do that? By removing the sharp objects. At Tessian’s second Human Layer Security Summit, Bobby Ford, Vice President and Global CISO at Unilever, put this into perspective with an example from his own life. When you’re a parent helping your son or daughter learn how to walk, what do you do? Child-proof the house and get outta the way!

4. Privacy investment can help reduce delays in sales processes and improve operational efficiency

Remember that Cisco global survey I mentioned earlier? “Competitive advantage” wasn’t the only benefit security professionals and business leaders experienced as a result of their investment in privacy and cybersecurity. 41% achieved operational efficiency from having data organized and cataloged and 37% saw a reduction in sales delays due to privacy concerns from customers and prospects. It makes sense. Data protection, privacy, and cybersecurity force businesses to be more transparent. That transparency fosters customer loyalty and increases organizational alignment.
5. The average data breach costs $3.86 million

While most security leaders agree that the biggest consequence of a breach is lost customer trust and damaged reputation, we can’t ignore the financial implications. In IBM’s latest Cost of a Data Breach report, they found the average data breach costs $3.86 million. This figure includes costs associated with:

- Detection and escalation
- Notification
- Lost business
- Ex-post response

And this doesn’t even account for the potential fines from regulators. Why does this matter? If we’re talking about the ROI of cybersecurity, the cost of non-compliance is actually 2.71 times higher than the cost of compliance. Translation: Prevention is better than cure.

6. The investigation and remediation of breaches disrupts productivity

On average, it takes companies 197 days to identify and 69 days to contain a breach. And this process of investigating and remediating requires time and resources from plenty of departments, teams, and people outside of IT. Legal, compliance, executive, marketing, HR, and people teams will get pulled in. Spokespeople will be appointed. External security/IT support will have to be hired and onboarded. The bottom line: you hired great people to do great things. Post-breach activities pull them away from their day-to-day work, disrupt their flow and productivity, and distract them from the business’ larger mission.

7. Data protection laws are only going to get more strict

On the topic of compliance, it’s important to point out that data protection laws are only going to get more strict and enforcement agencies are only going to be given more resources to enforce data requirements. That means organizations around the world and across industries won’t just benefit from strong cybersecurity programs, but they’ll be obligated to have one. Top tip: Industries like financial services tend to be 5+ years ahead in cybersecurity maturity.
If you don’t operate in these industries, it’s worth taking note of what’s top-of-mind for the business and security leaders that do.

8. Security culture is built from the top down

Just like company culture, the C-suite sets the tone for security culture and therefore must lead by example. It’s especially important that the CEO plays an active role in not just creating the overall security strategy, but actually rolling it out. Why? The CEO can connect cybersecurity to business objectives and help employees understand why it’s such a critical component in enabling the company to achieve its mission.
But business leaders will soon have no choice but to actively contribute to their organization’s security culture.

9. By 2024, CEOs could be held personally liable for data breaches

As I’ve said, cybersecurity is mission critical. But, for now, it’s security and IT teams who shoulder the responsibility. In a few years, this could change. According to Gartner, CEOs will be held personally liable for data breaches by 2024.

10. You owe it to your customers

We mentioned earlier that strong cybersecurity can help businesses win new customers. But it’s not just about winning new customers. It’s also about supporting the ones you have. This is one of Tessian’s core values: Customer-Centricity. Your customers entrust you with their data, their intellectual property, their secrets. You have to keep it safe. That’s why we believe that – as a cybersecurity vendor – it’s our mission to protect every other business’ mission. If you’re looking for more insights into how security and business leaders can work together, check out our latest eBook: CEO’s Guide to Data Protection and Compliance.
Integrated Cloud Email Security
What Does 2021 Hold for Cybersecurity? Here Are Tessian’s Predictions
by Ed Bishop Wednesday, November 25th, 2020
This time last year, no one predicted the events that have unfolded in 2020. We didn’t anticipate the world plunging into lockdown, economies collapsing, businesses closing their offices, and employees working from home.  It’s been a year of huge change and – I’ll say it – uncertainty.  It might, then, seem odd that we’re thinking about predictions once again.  But predictions are important. They help us focus on the areas that will bring the biggest opportunities and challenges for our businesses and, from that, build strategies. Of course, there’s also the fact that the events of 2020 have undeniably impacted the ways we work and how organizations are run – particularly from a security perspective.  So, what do we think will be top-of-mind for IT and security teams as we approach the new year? Here are Tessian’s top four predictions. 
1. The corporate network (as you probably guessed) will disappear

Remote work – or hybrid work – will stay. Businesses simply can’t go back to the “old” ways of working. Why? Because employees expect to work both from home and in the office. In fact, 89% of employees said they no longer want to work exclusively from the office every day of the week. This shift will completely transform the concept of a network, at least as we’ve come to know it in the traditional workplace. Today, company security is very much in the hands of the employees.

That’s why CISOs need to consider how their 2021 security strategies will protect and secure their people – not just endpoints and networks. This is especially important because people make mistakes, break the rules, and can be tricked or deceived by cybercriminals. To put it simply: Not protecting people means that company data and systems are at risk. But it’s important that security doesn’t impede employee productivity or interrupt their daily workflow. According to Tessian research, 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job and 51% say security tools and software impede their productivity.

So, what can you do to protect your people, without getting in their way? Remove the sharp objects, protect them wherever (and however) they work, and make sure your security solutions stop threats and not business. This is what we call Human Layer Security.

2. Account takeover attacks will spike

Account takeover (ATO) – a type of attack where a hacker gains access to the email account of a trusted person or organization and impersonates them to conduct fraudulent activities – will surge in 2021 as cybercriminals look for more ways to bypass secure email gateways (SEGs) and deceive people with phishing and spear phishing attacks. Not sure what the difference between phishing and spear phishing is? Read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies.

The problem is, despite training employees on how to spot phishing attacks, targets of ATO attacks will have no idea that the person in their trusted network has been compromised. Why? Because the emails appear genuine; the domain name and display name appear as usual. There are no “red flags”, which means even the most tech-savvy employee wouldn’t question their legitimacy. ATO attacks will erode people’s trust in email in 2021, rendering IT teams powerless in stopping people from falling for the scams. This is why we predict that more businesses will adopt a zero-trust model of email security and look for solutions that address threats from their extended network.

IT teams should be looking for advanced inbound email security solutions that use behavioral analysis, natural language processing, and machine learning to:

- Understand communication patterns
- Spot anomalous email sending patterns
- Accurately detect incidents of account takeover, before they turn into breaches

3. The supply chain will become an even weaker link in security

No company has control over the security behaviors of its vendors, partners, or suppliers, nor do they have visibility into breaches that happened outside of their organization and across their network. Cybercriminals use this to their advantage. By infiltrating smaller companies connected to a company network — either with malware, phishing attacks, or account takeover — they can impersonate the third-party, target a larger company’s employees, and access valuable systems and data. And, the aftermath of the COVID-19 pandemic will only heighten the risks associated with third-parties. First, people will continue to work remotely, which, according to various reports this year, not only makes them more vulnerable to phishing attacks but also makes it more difficult for them to verify requests such as a wire transfer.
Second, financial uncertainty in 2021 may mean IT budgets are cut. CISOs have no way of knowing whether this is the case with their company’s own suppliers or partners and whether or not they are prioritizing security. Once again, addressing the threats from your company’s extended network will need to be a priority in 2021, as will securing the entire email ecosystem.

4. We’ll get real when it comes to AI

The AI hype cycle has left some companies burned by the false promise of AI and ML. In 2021, however, we predict that the hype will die down. We’ll see fewer marketing claims and industry conversations around the technology. This is great news for true AI and ML innovators. It will allow the real AI and ML use cases to shine through and companies will start to see how the technology can benefit their business.

But, we should also consider how AI will be used for malicious purposes. We think that we’ll continue to see cybercriminals leveraging AI to make their deceptions and impersonations – either on email or in the form of deepfakes – more convincing and believable. Likewise, advancements in NLP will lead to more sophisticated attacks that closely mirror the language and tone of the person being impersonated. This will make it more difficult for people to determine what’s real and what’s fake. This is where automated security solutions will prove invaluable to security teams.

Elvis M Chan, Supervisory Special Agent at the FBI, and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, took a deep dive into deepfakes at Tessian Human Layer Security Summit in September. And, according to Nina, “This is not an emerging threat. This threat is here. Now.” Learn more about this type of threat and how AI is being used both in the creation of and defense against deepfakes by watching the full session on-demand.
Looking ahead to 2021

The uncertainty from 2020 won’t disappear come January. There’s still a lot for businesses to figure out, and IT leaders will be under pressure to deliver a seamless and secure working environment for employees, despite budget cuts and under-resourced teams. But it’s worth noting that at the heart of the challenges businesses and security teams have faced over the past year – and will continue to face as we head into 2021 – is people. Businesses must prioritize people’s wellbeing and their security to succeed.

Greater visibility into the human layer of an organization gives IT teams insight into their riskiest and most at-risk employees, allowing them to focus and address the areas in which their company is most vulnerable. Automated security alerts ensure that every employee is made aware of threats in their inbox – no matter where they choose to work – and real-time alerts can help people make smarter security decisions. That’s why we predict that 2021 will be the year that businesses realize the power of Human Layer Security.
Integrated Cloud Email Security
Tessian Webinar Recap: Cybersecurity Insights to Influence Your 2021 Strategy
by Monica Nio Friday, November 20th, 2020
As the year comes to a close (and, for many of us, 2020 is a year we want to close the book on…fast) it’s a good time to reflect back on the lessons learned and set a plan to improve in the future. Let’s look at cybersecurity specifically. What should we look out for in 2021 after all that has happened?

We answered the following two questions in our latest webinar, which you can view on-demand here.

- What do industry experts think the biggest learning of the year has been?
- What do they think should be top-of-mind for security leaders next year?

Tessian’s VP of Information Security, Trevor Luker, led a fireside chat with two industry experts, Jesse Starks, CTO at Breckinridge Capital Advisors, and Lena Smart, CISO at MongoDB, to capture their thoughts on the matter. Curious about what insights they shared? Read our notes below for key takeaways and quotes from the panelists. Or, if you want to learn more about our guest speakers and their companies, skip down to the bottom of the page. And, if you want to be the first to know about future virtual events, subscribe to our newsletter.

3 takeaways from 2020

1. Hackers take advantage of key calendar moments and times of general uncertainty. We saw this happen throughout 2020, with phishing scams around COVID-19, the 2020 census, stimulus checks, and even the US presidential election. Next up: retail scams in time for the holidays.

2. Hope for the best, prepare for the worst. Both panelists pivoted quickly and easily during the transition from office to home because they already had well-thought-out contingency plans in place. When was the last time you updated your emergency action plan? To learn more about Jesse and Lena’s contingency plans and what you should consider when making one, watch the full webinar.
3. Hackers have power in numbers. Today, organizations are being hit by increasingly advanced threats. That’s because an entire industry has been created out of phishing and social engineering, and adversaries operate in groups. They’re experts at their craft. That means security leaders have to level-up their inbound protection.

3 insights for 2021

1. Every employee should be a security champion. Why? Because your cybersecurity is only as strong as your most vulnerable or at-risk employee. After all, it’s people who control your most sensitive systems and data. But, employees can actually be your biggest defense against threats. That’s why education, policies, and security tools are all important.
2. Expect more data protection regulations in the future. The cost of a breach (including fines for non-compliance) is definitely a concern for security and business leaders. But it’s actually the lost customer trust and damaged reputation that’s top-of-mind. Our panelists’ tips? Put security controls in place to ensure compliance and make sure you have a process in place for reporting incidents if they do happen. If you want to learn more about compliance standards like GDPR, CCPA, and HIPAA, and why good cybersecurity is good for business, download our CEO’s Guide to Data Protection and Compliance.

3. Email security is a long-game strategy. Email is open by default, which means it’s the attack vector of choice for hackers. Looking forward to 2021, security leaders have to have a plan for inbound, advanced impersonation attacks.
Bonus insight from Jesse: “You can use technology to close all your gaps, but once you have that, then how can people outside manipulate your organization? Your people – the highest success rate for an attacker. People are always joining organizations, changing teams, changing roles, and learning. The technology changes, but it’s often fixed. The Human Layer is always moving so it makes it very challenging to secure and that’s why it’s so important.”

For more tips and personal anecdotes, watch the full video now.

About Jesse

Jesse Starks, CISSP, is the Chief Technology Officer at Breckinridge Capital Advisors and a member of the firm’s Risk Committee, Information Security Committee, and Business Continuity Committee. In his role, Jesse directs the strategic integration of technology across the firm. He has over 17 years of experience designing and managing large-scale distributed systems.

About Lena

Lena Smart is the Chief Information Security Officer at MongoDB. Lena joined MongoDB with more than 20 years of cybersecurity experience. Before joining, she led cybersecurity at large organizations like Tradeweb, New York Power Authority, and InfraGard. She is also a founding partner of Cybersecurity at MIT Sloan – formerly the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – which helps security leaders in academia and the private sector collaborate and tackle the most challenging security issues.

About Breckinridge Capital Advisors

Breckinridge Capital Advisors is a Boston-based, independently owned investment advisor specializing in investment grade fixed income portfolio management. Working through a network of investment consultants and advisors, they serve a wide variety of clients ranging from high net worth individuals to large institutions.
Breckinridge’s assets under management totaled more than $42 billion as of September 30, 2020. Reflecting their commitment to ESG and sustainability, Breckinridge is a Massachusetts Benefit Corporation and a certified B Corp. They believe these designations help them in their goals to create positive, long-term impact for their clients, employees and the communities in which they live, work and invest.

About MongoDB

MongoDB is the leading modern, general purpose database platform, designed to unleash the power of software and data for developers and the applications they build. Headquartered in New York, MongoDB has more than 20,200 customers in over 100 countries. The MongoDB database platform has been downloaded over 125 million times and there have been more than one million MongoDB University registrations.
Integrated Cloud Email Security, Customer Stories
Recap: Tessian Webinar, How to Build a Security Culture in Today’s Working World
by Monica Nio Wednesday, November 4th, 2020
In our most recent research report, Securing the Future of Hybrid Working, we revealed that 75% of IT decision makers believe the future of work will be “remote” or “hybrid” – where employees could work wherever and however they’d like.

So, we wanted to find out:

- How that might affect an organization’s security culture
- Why a positive security culture is even more important when employees are remote
- How automation can help ease the burden on thinly-stretched IT teams while empowering employees to make smarter security decisions

We explored these topics with Rachel Beard, Principal Security Technical Architect at Salesforce, and Ray Chery, SVP and Co-Head of Security Software at Jefferies. The discussion was led by Trevor Luker, Tessian’s VP of Information Technology.

Want to watch the full video? You can view it on-demand here. Otherwise, read our notes below for key takeaways and quotes from the panelists. Want to learn more about our guest speakers and their companies? Skip down to the bottom of the page. And, if you want to be the first to know about future virtual events, subscribe to our newsletter.

5 key takeaways from the Tessian webinar

1. We have to re-learn how to communicate in a hybrid work structure. Gone are the days of just walking up to our colleagues and asking if they sent that suspicious email or tapping someone in IT on the shoulder to clarify a new security policy. That means security and business leaders need to arm their teams with tools to collaborate and frequently check-in to make sure each and every employee feels comfortable with their new remote set-up.

2. The key to a positive security culture is making employees feel like they play an active role in protecting the organization’s systems and data. But how? Instill the value of privacy and security from the outset with training and other programs and initiatives. Watch the full webinar for more insights into exactly what Rachel and Ray do at Salesforce and Jefferies.

3. There are benefits and drawbacks to hybrid work. According to Rachel and Ray, productivity is on the rise, which is great news. Teams are aligning on shared goals and initiatives, despite being physically distant. But people are missing the “human” interaction and camaraderie of an in-person office and many are finding it difficult to separate their personal and professional lives. It’s essential you tackle this problem head on and prioritize employee wellbeing.

4. Automated tools can make security accessible for everyone. This also contributes to a positive security culture by reducing IT teams’ workload. More on this in the summarized Q&A below.

5. Jefferies uses Tessian to prevent misdirected emails. Ray’s team loves Tessian for its “noise-to-value ratio”. So, what makes Tessian so easy to use? Our technology is powered by machine learning, which means our solutions automatically detect and prevent threats like data exfiltration, misdirected emails, and spear phishing with accuracy and ease.

To find out more about how Rachel and Ray think about security culture, Trevor asked them both several questions about their perspective on automation and how to make employees a part of the solution. We summarized their answers below. Remember, you can watch the full interview here.

Q. Prior to COVID, Jefferies went from 5% to 99% of their employees working remote. Will this change be permanent?

Ray: “We’re all more comfortable with getting things done from home; we’ve had to grow accustomed to it over the course of the last couple months. [However], our IT team is planning on going back to being in the office 2 or 3 of the 5 days every week. And part of that is driven by the fact that the interaction with the team is different virtually. Teams that really do interact more collaboratively feel the need to still be in the office. I definitely think hybrid work is here to stay.”

Q. Would you say that increased employee workload makes your organization more vulnerable?
Ray: “We’re all doing a million things at once. When you’re stretched that thin all the time, folks tend to make mistakes, are more likely to click on an email that they’re not supposed to, or may not be reading things as thoroughly as they need to. The risks are definitely enhanced given that everyone is working from home now.”

Looking for more insights into why people make mistakes and how businesses can prevent errors before they turn into breaches? Check out our research, The Psychology of Human Error.

Q. How can automation save your IT team’s time?

Rachel: “At Salesforce, we’ve always had a lot of self-service mechanisms. We have Concierge as our service where you can go searching for the information that you need and open a ticket only if you need advanced help. But now, we’re looking at other ways that our customers can do the same. That way, IT can be more available for the highly specialized activities, and some of the more routine ones can be addressed by the employees themselves.”

Ray: “Ultimately, there’s no patch for human error. Humans are going to make mistakes. I think as much automation as we can incorporate into our security stack is really for the better. It removes repetitive errors, streamlines incident management, and reduces the boring stuff that our security analysts need to do. Instead of formally writing tickets and reaching out to me as an employee every time I violate an email rule, we can set it up as such so there’s a pop-up instead.”
Q. Can tools add to an organization’s security culture in a positive way?

Rachel: “Yes, when you have the guidelines and boundaries in a really transparent way. It makes everything more safe for everybody. You just have to think about how to implement that so that you allow your users to be able to do their work effectively and not get in their way too much or become an obstacle while protecting your sensitive data.”

Q. How has Tessian’s Guardian helped with Jefferies’ security culture in today’s working world?

Ray: “We’re doing so many things now at home. And at home, we’re more exposed and more likely to make mistakes. We love Tessian because it’s very low-impact [on obstructing employees’ work]. It is a product that delivers with accuracy. Our IT team likes the noise-to-value ratio. When I think about the misaddressed email capabilities alone – we’re all sending a million emails a day – it’s very easy for us to send an email to the wrong person. The way that Tessian handles it in a seamless way is really great.”

Learn how Guardian can help your organization prevent accidental data loss. View Guardian’s page now.

For more insights and personal anecdotes, watch the full video now.

About Rachel

Rachel Beard is the Principal Security Technical Architect at Salesforce.

Rachel joined Salesforce in 2014 and is a Principal Security Technical Architect. Rachel’s areas of expertise are Salesforce security, data privacy, and compliance. She has over 14 years’ experience at Salesforce, spanning everything from System Administrator to Developer and even Product Marketing. Rachel is also the volunteer coordinator for Wet Nose Rescue, a leader of a Pride ERG at Salesforce, and a chair on the Diversity & Inclusion Committee at her local public school.

About Ray

Ray Chery is the SVP and Co-Head of Security Software at Jefferies.
Ray Chery is Senior Vice President and Co-Head of Security Software in Jefferies’ Technology Investment Banking Division. Based in San Francisco, Ray focuses primarily on enterprise security software. He has advised on more than $50B in transaction value over his 14-year career as a technology banker and has worked with and advised companies such as Bomgar, Carbonite, CrowdStrike, DigiCert, Forcepoint, Gigamon, Imperva, Plexxi, Sailpoint and Tufin. He has also served on the Young Professional Advisory Council (YPAC) and continues to volunteer with Make-A-Wish Greater Bay Area.

About Jefferies

Jefferies, the global investment banking firm, has served companies and investors for over 55 years. Headquartered in New York, with offices in over 30 cities around the world, the firm provides clients with capital markets and financial advisory services, institutional brokerage and securities research, as well as asset and wealth management.

About Salesforce

Salesforce is a customer relationship management solution that brings companies and customers together. It’s one integrated CRM platform that gives all your departments — including marketing, sales, commerce, and service — a single, shared view of every customer.
Integrated Cloud Email Security, Customer Stories
Recap: Q&A With Chris Kovel, CTO, PJT Partners
by Tessian Monday, November 2nd, 2020
In case you missed it, Chris Kovel, Chief Technology Officer at PJT Partners, recently joined Robyn Savage, Customer Success Manager at Tessian, for a Q&A about what threats are top of mind and how Tessian helps PJT Partners keep data secure. While you can watch the full video on-demand, we’ve compiled our notes for a high-level overview of their 30-minute discussion. Want to learn more about Chris or PJT Partners? Skip down to the bottom of the page. And, if you want to be the first to know about future virtual events, subscribe to our newsletter.

4 things we learned from Chris

There are three “types” of threat actors. The outsider with intent, the insider with intent, and the well-intentioned employee. In terms of what keeps Chris up at night, it’s often the well-intentioned employee who sends misdirected emails.

While most of us have fired off an email to the wrong person, that doesn’t mean there aren’t serious consequences. There are. If data is leaked (especially in highly regulated industries like Financial Services, Healthcare, and Legal) organizations could face hefty fines for non-compliance, lose customer trust, and suffer a damaged reputation.

But… 90% of emails don’t contain sensitive information. That’s why it’s so important that security and compliance leaders develop a process for classifying data as a part of their larger data loss prevention strategy.

PJT Partners uses Tessian for both inbound and outbound email security to detect and prevent misdirected emails, insider threats, and advanced impersonation attacks.

To find out a bit more about what’s top of mind for Chris and how Tessian fits into his overall security strategy, Robyn asked Chris several questions. We’ve summarized them below. Don’t forget, you can watch the full interview here.

Q. Are there certain employees who you view as particularly risky or at-risk?
“There are absolutely higher value targets that we have to pay more close attention to… But the controls we put in place are for the firm, right? They’re put in place to help everybody. The leak can happen at any level. It could be a low-level junior banker, it can be someone in the technology department, it can be a partner of the firm.”

Q. How has COVID affected your organization and your approach to cybersecurity?

“Bankers and everyone else are using technology more than they’ve ever used it before. That means devices are a key for doing business now, whether it’s pulling up a quick video or sending documents. But email still actually accounts for the lion’s share of their communication. Fortunately, Tessian has some really great tools in place to protect users on devices in the same way they’re protected on desktop.”

Want to learn more about how to keep your devices secure? Check out our Remote Worker’s Guide to BYOD Policies.

Q. Shifting to inbound, what features make Tessian an especially appealing and effective solution at PJT?

“Frankly, Tessian is extraordinarily clever in how it detects advanced impersonation. The amount of suspicious emails that Defender flags for us is quite staggering.”

“You can spoof an email address in any way, shape, or form so having a product that basically says, “this one email doesn’t look like the others” or “this email likely isn’t actually coming from this person” is really helpful to the larger firm and individual users. In-the-moment warnings are helping our employees get better at actually recognizing which emails are legit and which aren’t and our administrators can help them work through it.”
For more insights and personal anecdotes, watch the full video now.

About Chris

Chris Kovel is the Chief Technology Officer at PJT Partners. Prior to joining PJT Partners, Chris spent the previous 25 years at Morgan Stanley in the technology department. In Chris’ last role at Morgan Stanley, he was primarily focused on Artificial Intelligence, Analytics and Data for the Wealth Management division. Over the course of the 25 years at Morgan Stanley, Chris developed significant technologies for Investment Banking, Capital Markets, Wealth Management, Research & Sales Distribution. Chris holds two patents for banking and trading technologies. Chris led the project and team that won the 2018 Banking Technology Award for Artificial Intelligence for the Next Best Action implementation. Prior to joining Morgan Stanley, Chris worked for Lotus Development Corporation. Chris received his BA from Skidmore College.

About PJT Partners

PJT Partners is a premier global advisory-focused investment bank headquartered in New York City. Their team of senior professionals delivers a range of services to corporations, financial sponsors, institutional investors, alternative investment managers, and governments around the world.
Integrated Cloud Email Security, Interviews With CISOs
Recap: Tessian Webinar, Can Automation Supercharge Your IT Team?
by Tessian Friday, October 30th, 2020
According to new research into the future of hybrid working, 85% of IT leaders believe their security teams will be under higher pressure, feel more stretched, and need extra resources in 2021. Could automation shoulder some of the burden?

In case you missed it, Tessian hosted Karl Knowles, Head of Cyber at HFW, and Timor Ahmad, Head of Data Governance & Privacy at Lloyd’s, for a session that took a deep dive into how organizations can utilize automation to reduce risk on email. You can watch the full video on-demand, but we’ve summarized the highlights from the session along with some actionable advice you can use to give your security posture a boost.

1. Use this shift to remote working to create a more positive security culture

Can employees work remotely? Can they maintain the same quality of work? These are both questions security and business leaders have asked for years but have been too hesitant to actually test. But now – as we’ve all been forced to make the transition from office to home – we’ve seen how people have adapted and we now have new ways of working. These changes naturally affect your organization’s culture.
So what does this mean for security leaders? It means you have the ability to mold and shape a more positive security culture. Take time to understand how your employees are working, what their new behaviors are, and how you can support them in a safe and compliant way. Now is the time to integrate security awareness into the foundation of your organization and prioritize privacy for employees, clients, and customers wherever and however they work.

2. Be human-first in your approach to security

Working remotely, people may feel isolated, unmotivated, and unsupported. That’s why you have to prioritize employee wellbeing and help everyone adapt. So, to help make security more human (and yes, fun) Karl and Timor suggested using cartoons, magazines, or digital games to help get employees involved and bring them along on your journey to security maturity.

But it’s not all about fun. It’s also about meaningful connections. Security is a team sport and employees need to feel comfortable asking questions about security, sharing feedback about new solutions or policies, and reporting incidents and near-misses. You have to foster that environment. How? Drop into team meetings on occasion, encourage people to open up to you, and always ask questions and provide ways for employees to give feedback. Building this connective tissue with employees across the organization will help people feel more supported in their new way of working.

3. Share your security wins

According to Karl and Timor, it can be a challenge to help employees feel like they’re actually contributing to the success of the security program. But, they had a tip. Use data. They explained how they use Tessian’s dashboard to display key charts and statistics around the organization’s security posture both at the board and employee level.
The numbers include:

- How many phishing attacks are reaching employees
- How many of those were flagged to their security team
- What the outcome would have been if the attack was successful

Everyone contributes to a safe working environment, and these dashboards can help security leaders communicate that message with both technical and non-technical audiences.
4. Make your solutions work for you

Are you spending a lot of time configuring solutions and updating rules? Most security leaders are. That’s because rules are static, meaning they don’t change over time. But – as we all know – over the last year, organizations have undergone a lot of change. People are working on different devices, in different locations, and are using different methods to share information. Hackers have changed their attack methods accordingly. It’s unrealistic to expect security teams to be able to update rules at pace with all of the above.

At Tessian, we think solutions should work for you. How? Automation. Across three solutions, Tessian uses machine learning to understand employee behavior and communication patterns. And, it gets smarter over time. That means it can detect and prevent threats in real-time – without any manual investigation or rules – and keeps pace with the evolving threat landscape.
5. Understand why your employees circumvent policies

According to Tessian research, over half of employees say they’ll find a workaround for security software or policies that make their job difficult or impossible to do. It’s essential, then, that security leaders understand why. The key is visibility into employee behavior. Both customers explained how they use Tessian to get a more granular look at how employees handle data.

In one example, Karl looked at the data provided by Tessian Enforcer to understand why employees send emails to personal devices. In this case, Karl realized a key tool used by HFW was slowing employees down and making it hard to do their jobs on their work devices. That’s why people were sending work documents to their personal accounts — so that they could work faster on their personal devices. With this understanding, HFW was able to create new policies that empowered people to work safely without security getting in the way.

6. Leverage in-the-moment warnings to reinforce existing policies

Whether it’s data exfiltration, misdirected emails, or spear phishing attacks, humans make mistakes. But, as Karl and Timor detailed, contextual, in-the-moment notifications can help raise awareness and train employees in real-time. According to Karl, data exfiltration has always been a problem in the Legal Industry. But HFW has revolutionized the way they tackle it by implementing real-time alerts that remind employees that sending data externally is a major security risk. Tessian Enforcer warnings look something like this:
Over time, these warnings have nudged employees towards safer behavior to help HFW downtrend risk and reduce the number of emails being sent externally.  Karl explained this in more detail by showing his Tessian dashboard. “In the graph, you can see exactly where we implemented the warning and our employees’ response to that new system. So we can see data exfiltration has decreased massively,” he said. 
Now that they’ve tackled this problem, their next focus is around bad leavers and how to reduce the risk of data exfiltration after someone exits the company. Here’s their plan: Once someone has handed in their notice, HR and compliance teams will monitor the employee’s behavior and see if it deviates from the norm. Are they sending more emails to personal accounts than usual? Do those emails contain sensitive information? Are they emailing new contacts? Tessian will instantly flag any anomalous behavior to help HFW stop the exfiltration attempts.

Want to learn more about how Tessian has helped HFW and Lloyd’s level-up their security without burdening security teams? Watch the full interview now.
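As an added illustration (not Tessian’s code and not HFW’s actual configuration), the script below applies the three leaver signals described above to constructed email-log lines: personal-account traffic compared with the employee’s own baseline, new external contacts after notice, and sensitive content sent to personal addresses. The personal-domain list, subject markers, thresholds and log lines are all assumptions made for the example.

```python
"""Constructed example of bad-leaver email checks (not Tessian or HFW code)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Free webmail domains treated as "personal accounts" (assumption for the example).
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}
# Subject words treated as sensitive (assumption; a real deployment would rely on
# a data classification scheme rather than keyword matching).
SENSITIVE_MARKERS = ("confidential", "client list", "deal memo", "pricing")


@dataclass(frozen=True)
class Email:
    day: date
    sender: str
    recipient: str
    subject: str
    has_attachment: bool


def parse_log(text: str) -> list:
    """Parse constructed CSV lines: date,sender,recipient,subject,attachment(0/1)."""
    emails = []
    for line in text.strip().splitlines():
        day, sender, recipient, subject, att = line.split(",")
        emails.append(Email(date.fromisoformat(day), sender.lower(),
                            recipient.lower(), subject, att == "1"))
    return emails


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def is_personal(addr: str) -> bool:
    return domain(addr) in PERSONAL_DOMAINS


def is_sensitive(subject: str) -> bool:
    s = subject.lower()
    return any(marker in s for marker in SENSITIVE_MARKERS)


def leaver_signals(emails, sender, notice_day, baseline_days=14, window_days=7,
                   rate_multiplier=3.0):
    """Compare the sender's post-notice behaviour with their own baseline period."""
    own = [e for e in emails if e.sender == sender]
    start = notice_day - timedelta(days=baseline_days)
    end = notice_day + timedelta(days=window_days)
    baseline = [e for e in own if start <= e.day < notice_day]
    window = [e for e in own if notice_day <= e.day < end]

    # Signal 1: emails per day to personal accounts, before vs. after notice.
    base_rate = sum(is_personal(e.recipient) for e in baseline) / baseline_days
    win_rate = sum(is_personal(e.recipient) for e in window) / window_days
    if base_rate:
        ratio = win_rate / base_rate
    else:  # no personal-account traffic in the baseline at all
        ratio = float("inf") if win_rate else 0.0

    # Signal 2: external recipients never contacted during the baseline.
    known = {e.recipient for e in baseline}
    new_external = sorted({e.recipient for e in window if e.recipient not in known
                           and domain(e.recipient) != domain(sender)})

    # Signal 3: sensitive subjects or attachments going to personal accounts.
    sensitive_to_personal = sum(1 for e in window if is_personal(e.recipient)
                                and (is_sensitive(e.subject) or e.has_attachment))

    alerts = []
    if ratio >= rate_multiplier:
        alerts.append("personal-account traffic above baseline")
    if new_external:
        alerts.append("new external contacts after notice")
    if sensitive_to_personal:
        alerts.append("sensitive content sent to personal accounts")
    return {"personal_rate_ratio": ratio, "new_external_contacts": new_external,
            "sensitive_to_personal": sensitive_to_personal, "alerts": alerts}


# Constructed log: a fictional employee gives notice on 2020-10-15.
SAMPLE_LOG = """
2020-10-01,alice@hfw-example.com,client@acme-example.com,Q3 draft,0
2020-10-02,alice@hfw-example.com,bob@hfw-example.com,Lunch,0
2020-10-05,alice@hfw-example.com,alice.home@gmail.com,Payslip,1
2020-10-08,alice@hfw-example.com,client@acme-example.com,Q3 final,1
2020-10-12,alice@hfw-example.com,bob@hfw-example.com,Standup notes,0
2020-10-15,alice@hfw-example.com,hr@hfw-example.com,Resignation,1
2020-10-16,alice@hfw-example.com,alice.home@gmail.com,Client list,1
2020-10-16,alice@hfw-example.com,alice.home@gmail.com,Confidential deal memo,1
2020-10-17,alice@hfw-example.com,newfriend@outlook.com,Templates,1
2020-10-17,alice@hfw-example.com,bob@hfw-example.com,Handover,0
"""


def demo() -> dict:
    """Run the checks on the constructed log for the fictional leaver."""
    return leaver_signals(parse_log(SAMPLE_LOG), "alice@hfw-example.com",
                          date(2020, 10, 15))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```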
Integrated Cloud Email Security, Insider Risks, Email DLP, Advanced Email Threats
October Cybersecurity News Roundup
Friday, October 30th, 2020
October 2020 has been another remarkable month in cybersecurity. And, since COVID-19 sent the world indoors and made us ever-more reliant on the internet, the importance of information security and data protection has never been more apparent. October saw numerous high-profile data breaches, cyberattacks, and online scams — but also brought us one of the biggest GDPR fines yet, an innovative solution to deepfake technology, and even more jostling between the US government and Chinese big tech. Let’s take a look at the biggest cybersecurity headlines of October 2020.

Paying Cyberattack Ransoms Could Breach International Sanctions Rules

New guidance from the US Treasury has big implications for companies hit by ransomware attacks from certain countries. (Companies affected by ransomware find their files encrypted — replaced by useless strings of seemingly random characters — with cybercriminals promising to return the data if the company pays a ransom.) Paying up might be the least-worst option where a company’s critical data is at stake. But according to an October 1 US Treasury advisory note, paying cyberattack ransoms could violate legal rules on international sanctions. Businesses suffering a ransomware attack by hackers from a sanctioned country — like Iran, China, or Russia (where many such attacks do originate) — now face the threat of huge fines and legal action if they choose to buy back their files. The Treasury’s advice reiterates what cybersecurity leaders have been saying for many years: in cybersecurity, prevention is far better than cure.

Amazon Prime Day Sees Huge Spike in Phishing Scams

With millions of consumers confined to their homes, this year’s Amazon Prime Day was a chance for millions of shoppers to grab a bargain — and an unmissable opportunity for cybercriminals to steal their personal information.
October 8 research from Bolster detected over 800 “spoof” Amazon webpages in September (up from 50 in January), as fraudsters ramped up their phishing efforts in anticipation of the two-day Amazon Prime Day event, hosted October 13-14. Some sites looked near-identical to Amazon’s genuine web properties, with perfectly duplicated branding and convincing domain names. Unwary shoppers were asked for details such as their CVV2 code and social security number. See what advice Tessian co-founder and CEO, Tim Sadler, offered consumers in Tech Radar.

FBI Warns of Ransomware Attacks Targeting Healthcare Providers

On October 29, the FBI and other agencies issued a warning regarding an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The threats include a new tool named anchor_dns, a backdoor that can reportedly “evade typical network defense products,” and the Ryuk Ransomware. Among other measures, the FBI is advising healthcare providers to create business continuity plans, patch networked systems, and implement multi-factor authentication in preparation for an attack. According to Associated Press, 59 US healthcare systems have been attacked via ransomware so far this year. Looking for more information on why the healthcare industry is especially vulnerable? We talk more about The State of Data Loss Prevention in Healthcare in this article.

UK Public Body Unable to Provide Services Following “Serious Cyberattack”

On October 14, Hackney London Borough Council, a UK local government body, announced that it had fallen victim to a “serious cyberattack.” In an update two days later, the council revealed the extent of the damage. Among other things, the council was unable to accept rent payments, process planning applications, or pay some social security benefits.
The council said it was “working hard to restore services, protect data, and investigate the attack,” but that services could remain unavailable for “some time.”

UK Data Regulator Issues $26 Million Fine to Airline

UK airline British Airways received a £20 million ($26 million) fine on October 17 for “failing to protect the personal and financial details of more than 400,000 of its customers.” The fine relates to a cyberattack suffered by the company in 2018. The Information Commissioner’s Office — the UK’s data protection authority — found that the airline had failed to limit access to data, had not undertaken sufficiently rigorous testing, and should have implemented multi-factor authentication on its employee and third-party accounts. The British Airways fine amounts to the fourth-largest GDPR fine of all time — but the airline actually got off relatively lightly, considering that the fine was initially touted as £183 million ($238 million). To learn more about compliance standards like the GDPR (including the largest breaches and fines to-date) check out The CEO’s Guide to Data Protection and Compliance.

Adobe Launches Content Authenticity Initiative Tool to Fight Deepfakes

As video and audio manipulation techniques become more accessible, cybersecurity and intelligence experts have been warning about a potential onslaught of deepfakes that could have an unprecedented impact on security, politics, and society. Not sure what a deepfake is? Read this article. Cybercriminals can use deepfake technology to create video or audio clips of high-profile and trusted individuals. Deepfakes have already been used in phishing attacks and could also be used for blackmail and disinformation campaigns. On October 20, Adobe’s Content Authenticity Initiative announced a new tool that will add “a secure layer of tamper-evident attribution data to photos, including the author’s name, location, and edit history” to help creatives authenticate their content.
Once deepfakes are sufficiently convincing, there might be no way to distinguish them from genuine material. Adobe’s project marks a promising first step in this emerging security front.

Hackers Discover 55 Vulnerabilities Across Apple’s Systems

A group of hackers earned $300,000 via Apple’s bug bounty scheme after identifying 55 vulnerabilities across Apple’s infrastructure. The security issues included vulnerabilities that would have allowed an attacker to “(take) over a victim’s iCloud account,” “fully compromise an industrial control warehouse software used by Apple,” and “access management tools and sensitive resources.” The group said Apple had fully addressed the majority of vulnerabilities reported.

Around 3 Million Credit Cards Compromised After Breach at US Restaurant Franchise

On Oct 12, details of around 3 million credit cards were posted on the dark web following a huge data breach at US restaurant franchise Dickey’s Barbeque Pit. According to an investigation by Gemini Advisory, 156 of 469 Dickey’s outlets were involved in the breach, with the highest levels of exposure present in California. The details appear to have been stolen between July 2018 and August 2020. Given California’s strict data breach rules, including a private right of action under the California Consumer Privacy Act, Dickey’s could be liable for some eye-watering sums if the breach is found to have resulted from lax cybersecurity practices. Questions about the CCPA? We answer 13 of them in this article: CCPA FAQs: Your Guide to California’s New Privacy Law.

Russia Planned to Launch 2020 Olympics Cyberattack

The GRU, Russia’s military intelligence agency, “conducted cyber reconnaissance against officials and organizations” involved in the Tokyo 2020 Olympic and Paralympic Games, according to a UK government announcement on October 19.
Russian cybercrime groups are alleged to have targeted “organizers, logistics services, and sponsors.” The Games were originally due to take place this summer but were postponed due to COVID-19. The UK government also revealed the full extent of Russia’s hacking campaign against the 2018 Winter Games, during which Russian hackers are alleged to have disguised themselves as Chinese and North Korean attackers to target the opening ceremony in Seoul, South Korea.

ENISA 2020 Threat Landscape Report Shows Increase in Cyberattacks

The European Union Agency for Cybersecurity (ENISA) released its 2020 Threat Landscape Report on October 20, and cybersecurity leaders (unfortunately) won’t be surprised at its conclusion: cybercrime is on the increase. The report cites “a new norm,” triggered by the COVID-19 pandemic, in which the world is even more dependent on “a secure and reliable cyberspace.” ENISA found that the number of phishing victims “continues to grow,” that Business Email Compromise (BEC) resulted in “the loss of millions of euros,” and that state-sponsored actors are propagating “finely targeted and persistent attacks on high-value data.” If you’re a security leader looking for solutions to these problems, click here to learn more about how Tessian Defender detects advanced impersonation attacks that slip past SEGs, native features, and legacy tools.

Researcher Breaches US President’s Twitter Account By Guessing Password

Dutch “ethical hacker” Victor Gevers found himself in control of Donald Trump’s Twitter account on October 16 after guessing the US president’s password. Trump’s Twitter account has over 87 million followers and is frequently used to deliver messages of international importance. Gevers said he correctly guessed the password, “maga2020!”, after seven attempts. The incident reveals that the president was using a simple, easy-to-guess password, and that he had multi-factor authentication disabled.
Rectifying either of these two basic security errors would have prevented unauthorized access to the account.

Overruling of WeChat Ban Denied by California Judge

Another month, another development in the long-running battle between the US government and Chinese tech firms. On October 23, California struck a blow to the Trump administration’s efforts to restrict WeChat — a Chinese app used for currency transfers, social networking, and instant messaging. In September, the US Department of Commerce ordered Apple and Google to stop distributing WeChat via their app stores, citing security issues. The order was blocked in California following a legal challenge by WeChat. The US Justice Department brought further evidence and asked the court to reverse its WeChat ruling. The court declined to change its decision, meaning that the Commerce Department’s banning order will remain unenforced in California — despite the federal government’s allegations regarding WeChat’s security issues.

Finnish Therapy Center Hacked, Exposing Patient Data

One of the most shocking data breaches of 2020 was brought to light on October 24, when Finnish psychotherapy center Vastaamo revealed a hack that compromised hundreds of patient records. The highly sensitive nature of the breach means that it is being taken extremely seriously. Finland’s interior minister summoned a cabinet meeting to determine how best to respond to the breach, promising “speedy crisis help” to the affected individuals. The hackers are demanding a ransom in exchange for the return of the files, which were reportedly accessed between November 2018 and March 2019. The ransomware attack further suggests that businesses worldwide lack proper cybersecurity infrastructure — even when handling highly sensitive and valuable data.

That’s all for this month. If we missed anything, please email madeline.rosenthal@tessian.com and stay tuned for the next roundup.