How Tessian is helping Coastal Housing prevent mistakes turning into data breaches
We all know that we should protect our email systems against the onslaught of spam, malware and sophisticated spear-phishing attacks. It’s practically a career in itself to stay abreast of the latest trends in email compromise techniques, vulnerabilities and zero-day exploits. But what about the threats that outgoing messages pose to our companies’ security?
In a matter of seconds, an employee could expose company-sensitive information just by entering the wrong name into the ‘to’ field of an email. This information could end up in the hands of the wrong client or even a journalist (Housing Technology: heaven forfend!). Leavers, too, could be exfiltrating commercially-sensitive data to their personal accounts with the intention of taking it to a competitor.
Several studies by Tessian, a human-layer security platform that automatically protects people from threats on email, reveal that the majority (58 per cent) of employees in organisations have sent an email to the wrong person, either internally or externally.
And the consequences go far beyond just red-faced embarrassment. Emails being sent to the wrong person is one of the leading causes of data breaches reported to the Information Commissioner’s Office (ICO) every year. As well as reporting these breaches to regulators, businesses must report such data-loss incidents to customers, causing significant damage to the trust and relationship that had been built. In fact, one in five companies told Tessian that they’ve lost customers as a result of this simple error, while one in ten workers said they’d lost their job.
What’s more, Tessian found that incidents of data exfiltration are happening in businesses almost 40 times more often than the IT leaders think.
The other day, I saw an excellent illustration which explained this very well. It’s a boxing ring: in one corner there are your ‘firewalls, encryption, anti-virus software’; in the other corner, a smiling ‘Dave’ with ‘human error’ written on his shirt. It depicts the problem that IT teams face every day; human error can obliterate any technology-based security approach you implement, especially if said technology doesn’t take account of how humans think or, more importantly, how sometimes they don’t think.
Since the introduction of GDPR, organisations have become acutely aware of how expensive and reputationally damaging an email breach can be. Protecting against outgoing breaches usually involves a mixed bag of DLP, message rules, mail tips, disabling recipient suggestion lists and so on. Each are separate, hand-made solutions, acting together as a manually-constructed, rigid, clunky obstacle course.
But that wasn’t going to work for Coastal Housing. We wanted a solution that was automated, adaptable and elegant. We wanted something that would help us protect against the very real risk of emails, and the sensitive information they might contain, inadvertently ending up in the wrong mailboxes, and we wanted the experience to be seamless for our employees.
After scoping the market, we found what we were looking for in Tessian.
Tessian understands when Dave is about to send an extremely sensitive message to the wrong recipient, or when he has added the wrong attachment to a legitimately-addressed message because he’s having a busy day, or when Dave forgets corporate policies and sends work to a personal account so that he can work on it outside the work environment. And Tessian intervenes, using real-time alerts, to prevent these ‘mistakes’ from turning into serious breaches.
Yes, Tessian understands what Dave meant to do rather than what he did do and, as such, we quickly moved away from thinking about ‘human error’, to instead thinking about ‘human-layer security’.
Tessian’s co-founder and chief technology officer, Ed Bishop, said, “In every digital interaction people make, there’s always the possibility that they’ll make a mistake, break the rules or be deceived. And as people handle and control more data than ever before, businesses have to think about securing the human layer of their organisation, not just the machines and the networks.”
Automated, adaptable and elegant… remember the three words I used earlier as the criteria for what we were looking for? I’ll now describe how Tessian met each of them with ease.
Tessian offers four modules to stop data breaches and security threats caused by human error such as data exfiltration, accidental data loss, business email compromise and phishing attacks.
You’d think with this much on offer, onboarding would be a challenge but it’s extremely straightforward and, yes, automated. Within hours, Tessian’s advanced machine-learning algorithms were analysing the historical and real-time email communications of each user to understand the ‘typical’ behaviours and relationships for that individual, with no rules or interventions required.
Tessian continually learns about everyone’s messaging habits, and the intelligence behind the scenes is astonishing. To give an extreme example, consider that Dave (as a housing officer) knows two people called Jane Smith; one is a tenant and the other is a business contact at a partner organisation.
By understanding the language Dave typically uses with each of these contacts, Tessian can detect when Dave is about to send an email containing confidential information to Tenant Jane that was actually intended for Business Jane and alert him to remedy the error before the email is sent. A potentially embarrassing situation prevented, especially if Dave was corresponding with Business Jane about Tenant Jane! A potentially expensive situation prevented too, should that email expose tenants’ personal information.
Tessian also performs the same checks with attachments. Housing providers send an abundance of property-related correspondence to an array of recipients, most typically contractors. Using attachment scanning, deep content inspection and natural language processing, Tessian’s algorithm can determine in real-time whether someone is about to make an attachment error.
For example, imagine a development officer is inadvertently attempting to send commercially-sensitive data to a contractor who is actually a competitor of the contractor he’s using for a development. Tessian warns the development officer of the error, thereby avoiding both professional embarrassment and potential legal implications.
I should also add that Tessian’s ability to detect advanced phishing attacks is equally astonishing. It not only protects against the usual spoofing attempts but by truly understanding a person’s typical behaviours and relationships on email, Tessian can automatically detect the advanced and hard-to-spot impersonation attacks that bypass secure email gateways – the phishing attempts that sit at the top of the bad-actor’s phishing pyramid (or phishamid, if you will). When a suspicious email is detected, the employee is alerted to the threat; you have to see it yourself to believe it.
Lastly, the rigid, clunky interceptions of DLP, mail tips and message rules are transcended by Tessian’s human-centred language that is designed to educate the end-user and improve their security behaviours over time.
When a human-layer risk is detected, employees are not only gently prompted to consider the action they’re about to take but Tessian also explains why it has intervened, inviting the employee to make the right security decision. This could be to either correct the error, discard the whole message or instruct Tessian that the action they are about to take is in fact correct. Tessian will then take account of this new behaviour in the picture it builds of them.
Security – our biggest business advantage
With Tessian, our administrators are empowered to understand how people in the organisation are interacting with the software. For the first time, they have visibility into the threats that were previously undetectable. They can see the decisions people make when Tessian prompts them, surfacing opportunities to improve behavioural, corporate and cultural activities within the business, such as policy improvements, security training and awareness campaigns.
For example, here at Coastal Housing we see the data in Tessian’s ‘human-layer risk hub’ align with the expectations we have around our most technically-adept staff and also our least adept. Having data instead of anecdotes really helps us approach training constructively. With insight into data exfiltration incidents, for example, we can understand what is driving certain people to send work to a personal email account and, consequently, deliver bespoke training sessions to those individuals about the use of business tools while reinforcing company policies around data sharing.
Tessian’s Bishop said, “It’s clear that the most forward-thinking IT leaders not only want visibility of the human-layer risks in their organisation but they also want to know how they can continuously lower that risk over time. With greater visibility of these risks at an individual, departmental and organisational level, teams like Mark’s can quickly and easily identify employees or groups who require a refresh of security policies, extra training or tighter access controls.”
Businesses can’t run without people. And because people will always make mistakes, we need to make sure we have the technology to help stop those mistakes from turning into serious security threats that could compromise the future of the business.
To now have technology embedded in Coastal’s environment that understands this and helps prevent such errors through forewarning truly is divine.
Mark Elias is the infrastructure manager at Coastal Housing Group and Ed Bishop is the co-founder and chief technology officer of Tessian.