Two major events happened last month. COVID-19 took over our lives and Tessian hosted their inaugural Human Layer Security Summit for a limited few at the Everyman in Liverpool Street and for an unlimited multitude on YouTube.
In their own words, ‘On March 5, 2020, Tessian hosted the world’s first Human Layer Security Summit where we brought together speakers from Prudential, Lloyd’s of London, Herbert Smith Freehills, Clifford Chance, HFW and Tradecraft to talk about security culture, the Human Element, and the evolving threat landscape.
While the focus of the summit centered around Human Layer Security and why we need to protect people (not just networks and devices), the speakers and panellists offered a diverse range of insights into the challenges cybersecurity professionals are up against and, importantly, how they try to solve them.’
In a nutshell: how can we use technology to mitigate human error? Tessian’s argument is that the average company has seen a 67% increase in security breaches over the last five years (a figure taken from Accenture’s 2019 Cost of Cybercrime Report) and, fundamentally, that this is because the focus has been wrong – we continue to focus on networks and devices rather than on humans.
Keynote 1: Tim Sadler, Tessian’s CEO and Co-Founder
**STOP PRESS** Human error is on the rise, but (and this is a big BUT), it’s not because ‘people are dumb’. In fact, it’s quite the opposite. People are incredibly complex machines and because of this:
- they make mistakes
- they break the rules (sometimes for good reason – the phrase about rules being for the guidance of the wise and the obedience of fools comes to mind)
- they can be fooled into thinking they’re doing one thing when in fact they’re doing something completely different
There has also been a seismic shift in how people work. In the 1990s and through the early 2000s, the vast majority worked in offices so the security focus was to protect internal networks from external nasties. But as the 2000s rolled over into the 2010s, the focus shifted to devices as people began to increasingly work away from the corporate network. Today there’s an increasing need to protect, or at least help humans, as they’re often the common denominator to breaches rather than networks or devices.
But that in itself throws up a new set of challenges. The major one is that the human layer has countless daily touchpoints and interfaces with data and systems, so how do companies reduce the risks associated with human error?
1. They can remove or block access to applications
2. They can publish written policies telling users how to interact with applications and data
3. They can train their staff
4. They can use traditional rule-based tech like DLP, web security, legacy email security etc
While these approaches seem logical on the surface, they throw efficacy and user experience out of alignment, but this is where Tessian comes in.
They strongly believe in balancing effectiveness and productivity, but doing so requires deep technical functionality and thought. Machine learning in general enables high efficacy with a positive impact on user experience (UX), and it is the backbone of Tessian’s platform.
But where does one start?
According to a 2019 study from Adobe, 40% of our screen time at work is spent on email (a rather depressing stat in itself), and by design, email is the welcome mat at the open door to your business. It’s how you communicate with virtually everyone you encounter, but it’s also how the undesirables gain entry.
Since 2016, the FBI estimate that $26 billion has been lost in the US due to compromises in business email and in the UK, misdirected, misaddressed and phishing emails remain the most widely reported causes of data security incidents to the ICO. In Q4 of 2019 alone, 281 incidents were reported as a result of email phishing and 269 for misdirected emails.
This is why Tessian came to the market first with a platform to intelligently help stop people sending information by email to an unintended recipient, then added in the ability to help detect when someone was trying to send sensitive corporate information back to a personal email account and latterly, to help intelligently detect and protect against spear-phishing attacks.
Keynote 2: Mark Logsdon – Head of Cyber Assurance & Oversight, Prudential Assurance
Mark spoke about how businesses should operate when moving into the grey area that is cybersecurity and more specifically, the culture and awareness that surrounds it.
His first point was to discuss why we should bother trying to measure cybersecurity culture and he broke it down into three main areas:
- Regulators say we must! Especially to learn from past incidents
- Staff. It’s important to understand staff viewpoints as cybersecurity is crucial to every organisation. It’s important for it to not be a barrier to staff being able to work effectively
- Knowledge. Surfacing knowledge helps improve understanding of gaps in culture/awareness which in turn, helps reduce risk
Second, he discussed what he believes a risk culture to be – a system of values and behaviours present in an organisation, the same as a corporate culture – and again boiled it down to three main areas:
- Core Values. The definitions used to guide decision making
- Culture. The embodiment of the core values
- Behaviours. A doable way to make the culture achievable
He has developed his own Cyber Security Culture Survey which initially he used to survey his internal IT Security/Compliance Team and what he wanted to get to the bottom of was two main questions:
1. First and foremost, did the user have the right knowledge?
2. How confident are they that their knowledge is correct?
The second question, combined with the first, provides predictive insight into user culture. For example, someone who got the answer right but was uncertain about it presents as big a risk as someone who got the answer wrong but was confident they had got it right.
It’s about being able to determine that users a) make the right decision, and b) are confident as to why they are making that decision otherwise there’s too much uncertainty in the knowledge. That is the root cause of the risk.
Through an online survey, Mark surveyed participants focussing on five key elements of cybersecurity culture:
1. Business Focus – what is business critical, and how do they balance security vs. productivity?
2. Cyber Risk Assessment – do they understand the threat environment and anticipate the needs of their team?
3. Policy & Best Practice – knowledge of the Cyber Security Policy
4. Cyber Security Advocacy – do they promote a value-based cyber security culture, as well as challenge and help educate colleagues on poor security behaviour?
5. Personal Practice – do they take personal responsibility for cyber compliance?
The questions were all scenario-based on situations they may face at work and all questions were designed to try and take the team out of their comfort zone. Very few answers were obviously correct and so it encouraged people to choose the ‘least bad’ option. After selecting a response/the action they would take to a scenario, they were then asked to rate how confident they were in their response from 1-100%.
The output came in the form of a red, amber, green heatmap where:
- Green meant the right answer had been provided with high confidence
- Amber meant the wrong answer had been selected with low confidence (i.e. the user knew they were likely to be wrong and so there emerged a genuine knowledge gap)
- Red meant the wrong answer had been selected but the user had indicated a high percentage of confidence that they had actually picked the right answer
It allowed Mark to refine the red/amber questions (as some may well have just been too complex or ambiguous) as well as ensuring he could prioritise training for those areas.
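To make the scoring concrete, here is a small added illustration of that knowledge-plus-confidence heatmap. It is not Mark’s own survey tooling or any Tessian code: the five questions, the “correct” option letters, the respondents and their answers are all constructed, the 70% cut-off for “high” confidence is an assumption (the talk gave a 1-100% scale but no threshold), and a right answer given with low confidence is scored red on the strength of Mark’s point that it is as risky as a confident wrong answer. The last function is the refinement step: questions that almost everyone got wrong are flagged as possibly ambiguous before anyone is sent on training for them.

```python
from collections import Counter

# Assumed cut-off for "high" confidence; the talk used a 1-100% scale but gave no threshold.
HIGH_CONFIDENCE = 70

# The five culture elements from the talk, with one constructed scenario question each.
# The "correct" option letter for each question is invented for this illustration.
QUESTIONS = {
    "Q1": ("Business Focus", "B"),
    "Q2": ("Cyber Risk Assessment", "C"),
    "Q3": ("Policy & Best Practice", "A"),
    "Q4": ("Cyber Security Advocacy", "D"),
    "Q5": ("Personal Practice", "B"),
}

# Constructed survey responses: (respondent, question, chosen option, confidence %).
RESPONSES = [
    ("alice", "Q1", "B", 90), ("alice", "Q2", "A", 85), ("alice", "Q3", "A", 88),
    ("alice", "Q4", "B", 80), ("alice", "Q5", "B", 95),
    ("bob",   "Q1", "B", 80), ("bob",   "Q2", "B", 30), ("bob",   "Q3", "A", 75),
    ("bob",   "Q4", "D", 45), ("bob",   "Q5", "C", 35),
    ("carol", "Q1", "B", 70), ("carol", "Q2", "D", 20), ("carol", "Q3", "C", 90),
    ("carol", "Q4", "D", 85), ("carol", "Q5", "B", 85),
]


def rate(correct: bool, confidence: int) -> str:
    """Map a single answer onto the red/amber/green heatmap described in the talk."""
    high = confidence >= HIGH_CONFIDENCE
    if correct and high:
        return "green"   # right answer, held with confidence
    if not correct and not high:
        return "amber"   # wrong, and the respondent suspected as much: a genuine knowledge gap
    if not correct and high:
        return "red"     # confidently wrong: the dangerous case
    # Right answer but low confidence. The talk treats this as risky as a
    # confident wrong answer, so it is scored red here (an assumption of this example).
    return "red"


def heatmap(responses=RESPONSES, questions=QUESTIONS):
    """Colour counts per question, e.g. {'Q2': Counter({'amber': 2, 'red': 1})}."""
    cells = {q: Counter() for q in questions}
    for _, q, chosen, confidence in responses:
        _, correct_option = questions[q]
        cells[q][rate(chosen == correct_option, confidence)] += 1
    return cells


def training_priority(responses=RESPONSES, questions=QUESTIONS):
    """Culture elements ordered by how urgently they need training: most red, then most amber."""
    per_element = {element: Counter() for element, _ in questions.values()}
    for q, counts in heatmap(responses, questions).items():
        per_element[questions[q][0]].update(counts)
    return sorted(per_element,
                  key=lambda e: (per_element[e]["red"], per_element[e]["amber"]),
                  reverse=True)


def questions_to_review(responses=RESPONSES, questions=QUESTIONS, min_wrong_share=0.5):
    """Questions most respondents got wrong: candidates for being too complex or ambiguous
    rather than evidence of a culture gap (the refinement step described in the talk)."""
    wrong, total = Counter(), Counter()
    for _, q, chosen, _ in responses:
        total[q] += 1
        if chosen != questions[q][1]:
            wrong[q] += 1
    return [q for q in questions if total[q] and wrong[q] / total[q] >= min_wrong_share]


if __name__ == "__main__":
    for q, counts in heatmap().items():
        print(q, QUESTIONS[q][0], dict(counts))
    print("train first:", training_priority())
    print("review wording of:", questions_to_review())
```

With the constructed data, Cyber Security Advocacy comes out top of the training list (two reds: one confidently wrong, one right but unsure), while the Cyber Risk Assessment question is flagged for review because all three respondents got it wrong, which is exactly the signal that a scenario may be badly worded rather than that the team is at risk.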
The Best Testimonials Are Those of the Satisfied End User
The third element of the summit was an in-depth panel discussion about the cybersecurity trends for 2020, the importance of creating a positive security culture in an organisation, and the impact of human error.
The four participants were:
- Mark Parr, CIO at HFW
- Emily Fisher, Head of Data Protection at Clifford Chance
- Jamie Travis, Head of InfoSec at Herbert Smith Freehills
- Timor Ahmed, Head of Data Governance & Privacy at Lloyd’s of London
The key takeaways from the panel were that cybersecurity strategies must constantly evolve, privacy laws and regulation must remain front of mind, security can (and should) fuel the overall business objective, engaging with employees is hard but not impossible and accountability is required from the top to the bottom of a business.
They also all broadly agreed that there are constant demands to deliver more (improvements in cybersecurity, more rigorous governance etc.) while attempting to reduce operational costs at the same time, as we reported earlier this month. That trend is almost certainly set to be exacerbated by the expected economic impact of COVID-19.
You can read the full article here, as well as watching the panel as it was broadcast on YouTube.
A Hacker’s Eye View
Amongst many fascinating topics throughout the day, perhaps the one that was most popular was hearing from Glyn Wintle, CTO and co-founder of Tradecraft (formerly DXW Cyber), ‘a security consulting agency that uses social engineering tactics, technical work, open intelligence sources, and attacks on physical locations to breach clients’ systems.’
In other words, he’s an ‘ethical hacker’, although he prefers the term ‘friendly hacker!’
Have a read of his seven tips for avoiding phishing scams and during the interactive Q&A, our very own Stephen Dorling asked whether basic technologies would, or could have helped prevent the examples he gave from becoming an issue. They read out the question to him, the hacker smiled, let out a big sigh and basically said yes.
In fact you can see how big of a sigh he gave by watching the YouTube video here!
The Tessian Human Layer Security Summit was above all, an eye-opener. Not only did it give insight from the company standpoint, it allowed their customers to feedback on why they use Tessian and if you’ve read this far, it gives you a very clear idea as to why we have absolutely no hesitation in recommending them.
Contact us today on email@example.com or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or the disappointment you felt as a child when you discovered that Easter eggs weren’t a wonderful solid mass of chocolate but rather a thin shell disguising a hollow, empty void with a couple of fun-sized bars of Dairy Milk taped to the outside…