Email attacks are getting more common and more sophisticated. In the enterprise, emails are the gateway to your business, your employees and your customers. With email platforms like Office 365, one email account becoming compromised can lead to damaging data breaches.
Techniques to compromise email accounts can be highly sophisticated. Attackers use phishing and spear-phishing emails to trick users into giving up passwords or clicking malicious links. Breaches can also occur when there’s no malicious intent at all, but a user has made a mistake by selecting the wrong contact or the wrong attachment.
Expert Insights spoke with Tim Sadler, CEO and Co-Founder of human layer security solution Tessian, to discuss the platform, why email breaches can be such a persistent threat to the enterprise, and how email security risks can be solved.
Identifying the Problem of Human Error
Sadler and his co-founders, Ed Bishop and Tom Adams, founded Tessian in 2013. Sadler had been working for one of the world’s largest financial companies, where he identified major security risks when it came to email. “I saw a massive problem, which is that banks and other large organizations use advanced technologies to secure their networks and devices, but not their people,” he tells me.
Sadler found that financial institutions were relying on training their employees to follow security best practices, but they didn’t have technological controls in place to enforce them. Because of this, Sadler would regularly see people create security vulnerabilities when using email. “I would see people email highly sensitive information to the wrong person, I would see people email documents to their personal email accounts, and I’d see people fall for phishing scams,” he tells me.
Sadler and his co-founders saw this as a major issue that needed solving, which led them to create Tessian, an email security platform designed to address the security risks caused by human error when interacting with email. Many of Tessian’s current customers are large financial services firms, and the solution is also used in legal services, technology and healthcare, among others.
How Can We Solve the Human Error Challenge?
The email security market is mature, and there are a range of products and services currently on the market. Tessian has taken a different approach from other vendors, by focusing fully on the issue of human error. “Fundamentally, the problem is human error when interacting with the email, rather than the email itself being the problem,” Sadler says.
Traditionally, email gateways use rule-based controls to manage the flow of inbound and outbound email, Sadler says. They identify malicious emails and spoofed email domains, stopping malicious email and spam. However, these rule-based approaches don’t work as effectively when trying to tackle the problem of human error.
Human error can cause security breaches in three distinct ways, Sadler tells me. “Human error comes in the form of humans breaking the rules, people making mistakes, and people being hacked or deceived.”
To tackle these threats, Tessian uses machine learning to analyze historical email data and learn which interactions are normal and which are anomalous for each user. This allows the system to learn normal behavior patterns for each employee within an organization, and thus to detect when users have made errors, or when emails appear malicious.
“By understanding that data, when a user sends or receives an email, we can make a conclusion about whether it looks like a security threat or not,” Sadler says. “And not only that, but we can do it in a completely automatic manner without having to involve the security team.”
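To make the behavioral-baseline idea described above concrete, here is a small added example (not Tessian’s code or model): it learns each sender’s historical recipients from a constructed sending log, then scores a new outbound message for the three error patterns the interview names, a never-before-seen recipient, a personal webmail address, and a near-duplicate of a known contact (the misdirected-email and lookalike-domain case). The personal-domain list is an assumption a team would maintain itself.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sending history: (sender, recipient) pairs observed over time.
HISTORY = [
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "counsel@lawfirm.example"),
    ("alice@corp.example", "counsel@lawfirm.example"),
    ("carol@corp.example", "vendor@supplier.example"),
]

# Assumption: a list of consumer webmail domains maintained by the security team.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


def build_baseline(history):
    """Map each sender to the set of recipients they have emailed before."""
    baseline = defaultdict(set)
    for sender, recipient in history:
        baseline[sender.lower()].add(recipient.lower())
    return baseline


def domain(address):
    """Return the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def assess_outbound(baseline, sender, recipient, threshold=0.85):
    """Return the reasons an outbound message deviates from the sender's
    baseline. An empty list means it matches their normal behaviour."""
    known = baseline.get(sender.lower(), set())
    recipient = recipient.lower()
    if recipient in known:
        return []
    reasons = ["recipient never seen for this sender"]
    if domain(recipient) in PERSONAL_DOMAINS:
        reasons.append("recipient is a personal webmail domain")
    # A new recipient that differs from a known contact by a character or two
    # is the classic misdirected-email pattern (autocomplete picked the wrong
    # contact) and also the pattern of a lookalike domain used for impersonation.
    for contact in sorted(known):
        if SequenceMatcher(None, recipient, contact).ratio() >= threshold:
            reasons.append(f"looks like known contact {contact}")
            break
    return reasons
```

In practice the returned reasons would drive a warning shown to the sender before the message leaves, rather than a hard block, which is the "remove the security thinking from the user" approach Sadler describes.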
Why are cyber-criminals exploiting human error?
Attacks that target the human element of the organization can be devastating for businesses. Threats like business email compromise and phishing aim to trick users into giving away sensitive information, or to get them to visit malicious URLs that spread ransomware.
“Fundamentally, what we need to recognize is that email is an open gateway to the enterprise. It’s possible for me to email anything I want to anyone in the world, and that makes email the go-to platform for targeting people with attacks,” Sadler says.
“At the same time, people are the biggest security vulnerability in the enterprise today. Networks have firewalls, devices have anti-virus, but currently people are just being trained to spot these threats, and organizations are relying on them to do the right thing 100% of the time.”
Cyber-criminals are using social engineering to exploit this lack of security. They use different methods to instill a sense of fear and uncertainty in users, making them more likely to fall for a malicious email scam.
“We see attackers use a sense of urgency, to try and get users to do things very quickly, before they have time to think about it,” Sadler says. “We also see people target organizations by trying to impersonate the CEO. So, the user gets an email saying ‘Hey, can you execute this wire transfer,’ or ‘send me this file?’ and it looks like it is from their boss. What is the likelihood someone won’t comply with that?”
Are Organizations Over-Relying on Security Training?
Many organizations use security awareness training platforms that aim to teach users how to recognize email threats like phishing and CEO impersonation. These programs are sometimes criticized as not always being effective at stopping employees from falling for malicious email scams.
Security awareness training should be a core component of any cybersecurity strategy, but it’s not always enough, Sadler says. “In the past, we did not train people to be spam filters,” he says. “So, it’s absolutely crazy that we’re trying to train them to be efficient spear-phishing filters.”
“We need to use technology to remove the complexity of thinking about security away from people, so they can get back to doing their jobs. You shouldn’t have to be a security expert to use a computer.”
Sadler says the main issue with security awareness training is that often 25% of users will click on phishing links, regardless of how much training they have been given.
“That is just not enough,” he argues. “25% of 1000 users is still a huge, huge area of risk. So, we have to rely on technology to do better when it comes to protecting people.”
Are Machine Learning and AI the Future of Email Security?
Machine learning and artificial intelligence will be “an important piece of the puzzle” for email security systems going forward, Sadler tells me.
“The fact is that machine learning and heuristic models can analyze many, many more data points and retain much more information than human brains can,” he says. “We can’t rely on security awareness training to do the right thing 100% of the time.”
“Just think about yourself! How many checks do you remember to do every time you send an email? Would you remember an email you got a year ago, that looks similar to this email but maybe slightly different? Do you inspect the header of every single email to understand the IP address that sent it? Do you double check each contact every time you respond?” The answer is probably no.
“So, I think it’s a really important piece of the puzzle, and fundamentally, using machine learning to learn from previous data points, and then analyze emails going forward, is going to create much more effective security than we as humans can.”
Considering implementing an email security platform?
Sadler’s advice for organizations weighing up different email security solutions is to think carefully about the risks users pose when interacting with email.
“You need to be thinking not just about business email compromise and spear-phishing, but also about those other elements of human error, like people breaking the rules and people making mistakes. This can cause data exfiltration via email, and accidental data loss, if sensitive information is sent to the wrong people,” Sadler says.
“Also, this is general advice I’d give to any security team or CISO: think about the total cost of ownership and the impact that any technology platform has on your organization. Often, organizations can get very fixated on the cost of software, without thinking about what the ramifications of implementing that software are going to be.”
“If you are implementing a security training and awareness platform, you’re probably just looking at how much it costs per license. But actually, what you should be looking at is the total cost of ownership, or how many minutes per month is this taking for employees to be trained, what disruption will it cause to your team, how long will it take you to study the results, and so on.”
“So, I would urge organizations to think about the total cost of ownership, think deeply about all the aspects of the problem we need to be solving which is human error, and then think how you can do it in a way which is empowering to the people in your organization. If you have a great security culture that empowers employees and shows them how they are making their lives better, that can be very powerful for your organization.”
Find out more about Tessian here: https://www.tessian.com/