Email attacks are getting more common and more sophisticated. In the enterprise,
email is the gateway to your business, your employees and your customers.
With cloud email platforms like Office 365, a single compromised email account
can lead to damaging data breaches.
Attempts to compromise email can be highly sophisticated. Attackers use phishing and
spear-phishing emails to trick users into giving up passwords or clicking
malicious links. Breaches can also occur when there is no malicious intent at
all, but a user has simply selected the wrong contact or attached the wrong
file.
Insights spoke with Tim Sadler, CEO and Co-Founder of human layer security
solution Tessian, to discuss the platform, why email breaches are such a persistent
threat to the enterprise, and how email security risks can be addressed.
Identifying the Problem of Human Error
Sadler and his co-founders, Ed Bishop and Tom Adams, founded Tessian in 2013. Sadler
had been working for one of the world’s largest financial companies, where he
identified major security risks around email. “I saw a massive problem, which is that banks
and other large organizations use advanced technologies to secure their
networks and devices, but not their people,” he tells me.
He found that financial institutions were relying on training their employees to
follow security best practices, but had no technological controls in place to
enforce them. Because of this, Sadler would regularly see people create security
vulnerabilities when using email. “I would see people email highly sensitive
information to the wrong person, I would see people email documents to their
personal email accounts, and I’d see people fall for phishing scams,” he tells me.
Sadler and his co-founders saw this as a major issue that needed solving, which led
them to create Tessian, an email security platform designed to address the
security risks caused by human error when interacting with email.
Many of Tessian’s current customers are large financial services firms, and the
solution is also used in legal services, technology and healthcare, among others.
How Can We Solve the Human Error Challenge?
The email security market is mature, and there is a range of products and services
available. Tessian has taken a different approach from other vendors by
focusing fully on the issue of human error. “Fundamentally, the
problem is human error when interacting with the email, rather than the email
itself being the problem,” Sadler says.
Email gateways use rule-based controls to govern the flow of inbound and
outbound email, Sadler says. They identify malicious emails and spoofed email
domains, stopping malicious mail and spam. However, these rule-based
approaches are far less effective at tackling the problem of human error.
Human error can cause security breaches in three distinct ways, Sadler tells me.
“Human error comes in the form of humans breaking the rules, people making
mistakes, and people being hacked or deceived.”
To tackle these threats, Tessian uses machine learning to analyze historical email
data and learn which interactions are normal and which are anomalous for each user.
The system builds a model of each employee’s normal behavior patterns, and can
then detect when a user has made an error, or when an incoming email looks
malicious.
“By understanding that data, when a user sends or receives an email, we can make a
conclusion about whether it looks like a security threat or not,” Sadler says.
“And not only that, but we can do it in a completely automatic manner without
having to involve the security team.”
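As an added illustration of the kind of baseline Sadler describes, here is a small Python sketch written for this page (it is not Tessian’s code, and the addresses, display names, messages and the freemail domain list are all constructed). It learns from a handful of historical messages who each user normally writes to and which sender address each display name normally comes from, then flags the three kinds of error he lists: a misdirected email to a mistyped domain (a mistake), a document sent to a never-before-used personal webmail account (rule breaking), and an inbound message that borrows the CEO’s display name on a lookalike domain (deception).

```python
"""Per-user email behaviour baseline (illustrative, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed stand-in for a consumer webmail list (assumption, not from the article).
FREEMAIL_DOMAINS = {"gmail.example", "outlook.example"}


@dataclass
class Message:
    sender: str           # From: address
    display_name: str     # From: display name, what the recipient actually sees
    recipients: list
    subject: str = ""
    attachments: list = field(default_factory=list)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1-2 edits between domains suggests a typo or lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Baseline:
    """Learns normal recipient domains per sender and normal addresses per display name."""

    def __init__(self, internal_domain: str):
        self.internal_domain = internal_domain.lower()
        self.sender_domains = defaultdict(set)  # sender address -> recipient domains seen
        self.name_addrs = defaultdict(set)      # display name -> sender addresses seen

    def learn(self, msg: Message) -> None:
        for rcpt in msg.recipients:
            self.sender_domains[msg.sender.lower()].add(domain(rcpt))
        self.name_addrs[msg.display_name.lower()].add(msg.sender.lower())

    def check_outbound(self, msg: Message) -> list:
        """Mistakes and rule-breaking: misdirected mail, documents to personal accounts."""
        findings, known = [], self.sender_domains.get(msg.sender.lower(), set())
        for rcpt in msg.recipients:
            d = domain(rcpt)
            if d in known:
                continue  # a domain this user writes to routinely
            lookalike = [k for k in known if 0 < edit_distance(d, k) <= 2]
            if lookalike:
                findings.append(("misdirected", rcpt, f"domain resembles {lookalike[0]}"))
            elif d in FREEMAIL_DOMAINS and msg.attachments:
                findings.append(("exfiltration", rcpt, "attachment to personal webmail"))
            else:
                findings.append(("new-recipient", rcpt, "first message to this domain"))
        return findings

    def check_inbound(self, msg: Message) -> list:
        """Deception: display-name impersonation and lookalike sender domains."""
        findings = []
        seen = self.name_addrs.get(msg.display_name.lower(), set())
        if seen and msg.sender.lower() not in seen:
            findings.append(("impersonation", msg.sender,
                             f"display name previously seen only from {sorted(seen)[0]}"))
        dist = edit_distance(domain(msg.sender), self.internal_domain)
        if 0 < dist <= 2:
            findings.append(("lookalike-domain", msg.sender,
                             f"{dist} edit(s) from {self.internal_domain}"))
        return findings


# Constructed historical traffic for a fictional organisation, acme.example.
HISTORY = [
    Message("alice@acme.example", "Alice Smith", ["counsel@lawfirm.example"], "NDA draft"),
    Message("alice@acme.example", "Alice Smith", ["counsel@lawfirm.example"], "NDA signed"),
    Message("alice@acme.example", "Alice Smith", ["cfo@acme.example"], "Board pack"),
    Message("jane.doe@acme.example", "Jane Doe", ["alice@acme.example"], "Board pack"),
]


def build_baseline() -> Baseline:
    base = Baseline("acme.example")
    for m in HISTORY:
        base.learn(m)
    return base


def demo() -> dict:
    base = build_baseline()
    # Mistake: "lawfrim" is a transposition of "lawfirm", two edits away.
    misdirected = Message("alice@acme.example", "Alice Smith",
                          ["counsel@lawfrim.example"], "NDA final", ["nda.pdf"])
    # Rule-breaking: a document sent to a personal mailbox never used before.
    exfil = Message("alice@acme.example", "Alice Smith",
                    ["alice.home@gmail.example"], "fyi", ["board-pack.xlsx"])
    # Deception: the CEO's display name on a lookalike domain ("acrne" for "acme").
    bec = Message("jane.doe@acrne.example", "Jane Doe",
                  ["alice@acme.example"], "Urgent wire transfer")
    return {"misdirected": base.check_outbound(misdirected),
            "exfil": base.check_outbound(exfil),
            "bec": base.check_inbound(bec)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

A production system would weigh many more signals (timing, reply chains, content, attachment types) and score rather than hard-flag; the point of the sketch is only that the learned baseline, not a static rule, is what tells counsel@lawfirm.example apart from counsel@lawfrim.example for this particular user.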
Why Are Cyber-Criminals Exploiting Human Error?
Attacks that target the human element of the organization can be devastating for
businesses. Threats like business email compromise and phishing attacks aim to
trick users into giving away sensitive information or visiting malicious URLs
that spread ransomware.
“What we need to recognize is that email is an open gateway to the enterprise.
It’s possible for me to email anything I want to anyone in the world, and that
makes email the go to platform for targeting people with attacks,” Sadler says.
“At the same time, people are the biggest security vulnerability in the enterprise
today. Networks have firewalls, devices have anti-virus, but currently people
are just being trained to spot these threats, and organizations are relying on
them to do the right thing 100% of the time.”
Attackers are using social engineering to exploit this lack of protection.
Criminals use a range of techniques to instill a sense of fear and
uncertainty in users, making them more likely to fall for a malicious email.
“We see attackers use a sense of urgency, to try and get users to do things very
quickly, before they have time to think about it,” Sadler says. “We also see
people target organizations by trying to impersonate the CEO. So, the user gets
an email saying ‘Hey, can you execute this wire transfer,’ or ‘send me this
file?’ and it looks like it is from their boss.
What is the likelihood someone won’t comply with that?”
Are Organizations Over-Relying on Security Training?
Many organizations use security awareness training platforms that aim to teach
users how to recognize email threats like phishing and CEO impersonation.
These programs are sometimes criticized as not always being effective at
stopping employees from falling for these malicious email scams.
Security awareness training should be a core component of any cybersecurity
strategy, but it’s not always enough, Sadler says. “In the past, we did not
train people to be spam filters,” he says. “So, it’s absolutely crazy that
we’re trying to train them to be efficient spear-phishing filters.”
“We need to use technology to take the complexity of thinking about security away
from people, so they can get back to doing their jobs. You shouldn’t have to be
a security expert to use a computer.”
Sadler says the main issue with security awareness training is that often 25% of users
will click on phishing links, regardless of how much training they have been
given. “That is just not enough,” he argues. “25% of 1000 users is still a huge, huge area
of risk. So, we have to rely on technology to do better when it comes to security.”
Are Machine Learning and AI the Future of Email Security?
Machine learning and artificial intelligence will be “an important piece of the
puzzle” for email security systems going forward, Sadler tells me.
“The fact is that machine learning and heuristic models can analyze many, many more
data points and retain much more information than human brains can,” he says.
“We can’t rely on security awareness training to do the right thing 100% of the
time. Think about yourself! How many checks do you remember to do every time you send
an email? Would you remember an email you got a year ago, that looks similar to
this email but maybe slightly different? Do you inspect the header of every
single email to understand the IP address that sent it? Do you double check
each contact every time you respond?” The answer is probably no.
“I think it’s a really important piece of the puzzle, and fundamentally, using
machine learning to learn from previous data points, and then analyze emails
going forward, is going to create much more effective security than we as humans can.”
Considering Implementing an Email Security Platform?
Sadler’s advice for organizations considering different email security solutions is to
think deeply about the risks users can pose when interacting with email.
“You need to be thinking not just about business email compromise and
spear-phishing, but also about those other elements of human error, like people
breaking the rules and people making mistakes. This can cause data exfiltration via email, and accidental
data loss, if sensitive information is sent to the wrong people,” Sadler says.
“Also, this is general advice I’d give to any
security team or CISO: think about the total cost of ownership and the impact
that any technology platform has on your organization. Often, organizations can
get very fixated on the cost of software, without thinking about what the
ramifications of implementing that software are going to be.”
“If you are implementing a security training and awareness platform, you’re
probably just looking at how much it costs per license. But actually, what you
should be looking at is the total cost of ownership, or how many minutes per
month is this taking for employees to be trained, what disruption will it cause
to your team, how long will it take you to study the results, and so on.”
“So, I would urge organizations to think about the total cost of ownership, think deeply about all the aspects of the problem we need to be solving which is human error, and then think how you can do it in a way which is empowering to the people in your organization. If you have a great security culture that empowers employees and shows them how they are making their lives better, that can be very powerful for your organization.”
Find out more about Tessian here: https://www.tessian.com/