Seven Things We Learned at Our Fall Human Layer Security Summit

Andrew Webb • Wednesday, November 3rd 2021

As the virtual curtain falls on our Fall Human Layer Security Summit we’d just like to say a huge thank you to our panel and to you, our 1000+ attendees. 

There were some terrific insights, advice, and examples offered in every session. If you missed one, or just want a recap, key learnings from each session are below. To give you a flavor of what to expect, we’ve pulled out some key takeaways.

🎣 Fighting Phishing: Everything We Learned From Analyzing 2 Million Malicious Emails

Take out fact: zero payload attacks are now the new normal 

We analyzed 2 million malicious emails that slipped past SEGs in a 12-month period. The results? Bad actors are getting smarter, and crafting more sophisticated attacks than ever before.  

That’s why attacks are getting past organizations’ existing defenses. As James McQuiggan, Security Awareness Advocate at KnowBe4, says, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. And what’s working, it seems, are zero payload attacks beginning with a benign email that appears to be from senior staff. 

Fellow guest Jason Lang, from TrustedSec, spoke of his frustration with current training in the industry, saying, “users sit there for 30 minutes, hit next, next, next, take the test, and they’re done. So the direct answer for ‘is security awareness training accounting for zero payload attacks?’ is no, it’s not”.

Learn more about what today’s attacks have in common in our most recent research report: Spear Phishing Threat Landscape 2021

🤖 Threats Of The Future Are Here: Hacking Humans with AI-as-a-Service

Take out fact: AI is poised to be used ‘at scale’ to design spear phishing attacks, and does better than humans

To paraphrase the German journalist, satirist, and pacifist Kurt Tucholsky “one spear phishing attack: this is a catastrophe. Hundreds of thousands of spear phishing attacks: that is a statistic!”

And, according to Eugene Lim, Glenice Tan, Tan Kee Hock and Timothy Lee from GovTech Singapore, hundreds of thousands of attacks are on the horizon. Although recent reports of AI-generated voice deep fakes make the headlines, the real problem is that as the cost and complexity of AI come down, it will be used more and more at scale. Furthermore, the team’s research revealed that AI-generated content is more convincing than human-generated content.

As Tessian’s Ed Bishop, our co-founder and CTO, noted in the session, “I can totally see bad actors measuring the click-through rate on their phishing campaigns, and then having the AI learn from what’s worked to feed into the next one”.

Oh, and one final takeout: no one’s really regulating this sort of stuff.

🏗 How to Build A High-Impact Security Culture For ‘Oh Sh*t’ Moments

Take out fact: It’s always about the people

It can be hard to keep things personal, especially at scale. Yet that’s exactly what Kim Burton, Security Education InfoSec Manager, did when Duo Security was acquired by Cisco. “My favorite thing that I always remind everyone is ‘be kinder than necessary’”. That way, says Kim, you create a safe learning environment where people don’t feel scared, but rather empowered. Kim also gives tips and advice for security teams on how to empathize with colleagues when a breach happens.

“If we forget that we’re building products, culture, and trust between people, everything falls apart – including security!”
Kim Burton, Security Education InfoSec Manager, Cisco

👷‍♀️ Building beyond your SEG: what to do when attacks slip through

Take out fact: don’t rely just on your SEG

In this session, Tessian’s Amelia Dunton caught up with Karl Knowles, Global Head of Cyber for HFW, to hear why you shouldn’t just rely on your SEG to protect your business. Karl details how there’s been a huge rise in impersonation attacks, accounting for more than half of the threats HFW sees. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope. Finally, Karl explains how ‘in-the-moment’ alerts help show the user that there’s a problem, and what to do about it.

👮 Why Human Layer Security is the Missing Link in Enterprise Security

Take out fact: 61% of security and risk leaders think that employee actions will cause their next data breach

We were delighted to have as a guest speaker Jess Burn, Senior Analyst at Forrester. If you’ve not heard Jess speak before, you’re in for a real treat. Her talk explains in detail a Forrester Consulting study commissioned by Tessian conducted with US and UK security and risk leaders on the types of threats they’re seeing, how they’re fighting them, and how they’ll meet them in the future. 

You can get the study here, but the three quick extra takeouts are: assess your current capabilities, invest in technology wisely, and put people first when it comes to security.

😩 DLP Has Failed The Enterprise. What Now?

Take out fact: Legacy DLP is a 💩 sandwich without the bread

Traditional DLP is rule-based – and if there’s one thing humans are really, really good at, it’s breaking rules. 

You simply cannot define human nature with rules, says Tessian’s Jessica Marie. As we learned at our Spring Summit, the average human makes 35,000 decisions a day; you can’t write rules for all that possibility.

Legacy DLP means complex and expensive policies, constrained data classification, limited visibility, and a huge amount of false positives. Add to this the fact that your employees really hate the experience. 

After Jessica’s explainer, Tessian’s Merlin Kafka is joined by Phil Horning, Senior Information Security Analyst at PeaceHealth, and Reema Jethwa, Cyber/Insider Risk Manager at Schroders Personal Wealth. Together they outline future trends for DLP, and where the industry needs to go.

“In the healthcare industry, there are a lot of labs and doctor’s offices that are their own entities, they love to use a lot of different types of email systems, and sometimes personal emails too – those are some of the unique challenges we face.”
Phil Horning, Senior Information Security Analyst at PeaceHealth

💭 Security Philosophies from Trailblazers: Q&A with Leading CISOs

Closing out the Summit, Tim Sadler, CEO and Co-Founder of Tessian, hosted Jerry Perullo, CISO, ICE NYSE, and DJ Goldsworthy, Director, Aflac, to explore a range of topics. They started by offering advice on how to show value to the wider organization, and how security fits in with overall risk appetite.

They then moved on to how security teams have to work cross-functionally, working with other teams like IT and operations, because as Tim says, “the biggest security team is the whole company”.

Our 2021 Summit took place just after Cyber Awareness Month, so Tim closed out by asking how far we have come since the first awareness month way back in 2004. 

For DJ, the biggest difference between now and then was the sheer pace of change; how a lot of risk lies in configurations and environmental sprawl, meaning an increased attack surface. 

For Jerry, meanwhile, it was the professionalization of the criminal side. “We’re now seeing national state caliber tactics, techniques, and procedures, deployed against commodity targets, with high dwell time... just so they can ransomware them,” he said.

So there you have it!

That’s us all done (until next year). We’ll no doubt see you again in 2022. Follow us on LinkedIn and Twitter, and sign up for our weekly blog digest to stay up to date with the latest intel, so you can help secure your Human Layer.

Andrew Webb, Senior Content Manager