Seven Things We Learned at Our Fall Human Layer Security Summit
Andrew Webb •
Wednesday, November 3rd 2021
As the virtual curtain falls on our Fall Human Layer Security Summit we’d just like to say a huge thank you to our panel and to you, our 1000+ attendees.
There were some terrific insights, advice, and examples offered in every session. If you missed one, or just want a recap, key learnings from each session are below. To give you a flavor of what to expect, we’ve pulled out some key takeaways.
🎣 Fighting Phishing: Everything We Learned From Analyzing 2 Million Malicious Emails
Take out fact: zero payload attacks are now the new normal
We analyzed 2 million malicious emails that slipped past SEGs in a 12-month period. The results? Bad actors are getting smarter, and crafting more sophisticated attacks than ever before.
That’s why attacks are getting past organizations’ existing defenses. As James McQuiggan, Security Awareness Advocate at KnowBe4, says, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. And what’s working, it seems, are zero payload attacks beginning with a benign email that appears to be from senior staff.
Fellow guest Jason Lang, from TrustedSec, spoke of his frustration with current training in the industry, saying, “users sit there for 30 minutes, hit next, next, next, take the test, and they’re done. So the direct answer for ‘is security awareness training accounting for zero payload attacks?’ is no, it’s not”.
🤖 Threats Of The Future Are Here: Hacking Humans with AI-as-a-Service
Take out fact: AI is poised to be used ‘at scale’ to design spear phishing attacks, and does better than humans
To paraphrase the German journalist, satirist, and pacifist Kurt Tucholsky, “one spear phishing attack: this is a catastrophe. Hundreds of thousands of spear phishing attacks: that is a statistic!”
And, according to Eugene Lim, Glenice Tan, Tan Kee Hock and Timothy Lee from GovTech Singapore, hundreds of thousands of attacks are on the horizon. Although recent reports of AI-generated voice deep fakes make the headlines, the real problem is that as the cost and complexity of AI come down, it will be used more and more at scale. Furthermore, the team’s research revealed that AI-generated content is more convincing than human-generated content.
As Tessian’s Ed Bishop, our co-founder and CTO, noted in the session, “I can totally see bad actors measuring the click-through rate on their phishing campaigns, and then having the AI learn from what’s worked to feed into the next one”.
Oh and one final takeout… no one’s really regulating this sort of stuff.
🏗 How to Build A High-Impact Security Culture For ‘Oh Sh*t’ Moments
Take out fact: It’s always about the people
It can be hard to keep things personal, especially at scale. Yet that’s exactly what Kim Burton, Security Education InfoSec Manager, did when Duo Security was acquired by Cisco. “My favorite thing that I always remind everyone is ‘be kinder than necessary’”. That way, says Kim, you create a safe learning environment where people don’t feel scared, but rather empowered. Kim also gives tips and advice for security teams on how to empathize with colleagues when a breach happens.
“If we forget that we’re building products, culture, and trust between people, everything falls apart – including security!”
Kim Burton
Security Education InfoSec Manager, Cisco
👷♀️ Building beyond your SEG: what to do when attacks slip through
Take out fact: don’t rely just on your SEG
In this session, Tessian’s Amelia Dunton caught up with Karl Knowles, Global Head of Cyber for HFW, to hear why you shouldn’t just rely on your SEG to protect your business. Karl details how there’s been a huge rise in impersonation attacks, accounting for more than half of the threats HFW get. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope. Finally, Karl explains how ‘in-the-moment’ alerts help show the user that there’s a problem, and what to do about it.
👮 Why Human Layer Security is the Missing Link in Enterprise Security
Take out fact: 61% of security and risk leaders think that employee actions will cause their next data breach
We were delighted to have as a guest speaker Jess Burn, Senior Analyst at Forrester. If you’ve not heard Jess speak before, you’re in for a real treat. Her talk explains in detail a Forrester Consulting study commissioned by Tessian conducted with US and UK security and risk leaders on the types of threats they’re seeing, how they’re fighting them, and how they’ll meet them in the future.
You can get the study here, but the three quick extra takeouts are: assess your current capabilities, invest in technology wisely, and put people first when it comes to security.
😩 DLP Has Failed The Enterprise. What Now?
Take out fact: Legacy DLP is a 💩 sandwich without the bread
You simply cannot define human nature with rules, says Tessian’s Jessica Marie. As we learned at our Spring Summit, the average human makes 35,000 decisions a day; you can’t write rules for all that possibility.
Legacy DLP means complex and expensive policies, constrained data classification, limited visibility, and a huge amount of false positives. Add to this the fact that your employees really hate the experience.
After Jessica’s explainer, Tessian’s Merlin Kafka is joined by Phil Horning, Senior Information Security Analyst at PeaceHealth, and Reema Jethwa, Cyber/Insider Risk Manager at Schroders Personal Wealth. Together they outline future trends for DLP, and where the industry needs to go.
“In the healthcare industry, there are a lot of labs and doctor’s offices that are their own entities, they love to use a lot of different types of email systems, and sometimes personal emails too – those are some of the unique challenges we face.”
Phil Horning
Senior Information Security Analyst at PeaceHealth
💭 Security Philosophies from Trailblazers; Q&A with Leading CISOs
Closing out the Summit, Tim Sadler, CEO and Co-Founder of Tessian, hosted Jerry Perullo, CISO, ICE NYSE, and DJ Goldsworthy, Director, Aflac, to explore a range of topics. They started by offering advice on how to show value to the wider organization, and how security fits in with overall risk appetite.
They then moved on to how security teams have to work cross-functionally with other teams like IT and operations, because, as Tim says, “the biggest security team is the whole company”.
Our 2021 Summit took place just after Cyber Awareness Month, so Tim closed out by asking how far we have come since the first awareness month way back in 2004.
For DJ, the biggest difference between now and then was the sheer pace of change: a lot of risk now lies in configurations and environmental sprawl, meaning an increased attack surface.
For Jerry, meanwhile, it was the professionalization of the criminal side. “We’re now seeing national state caliber tactics, techniques, and procedures, deployed against commodity targets, with high dwell time... just so they can ransomware them,” he said.
So there you have it!
That’s us all done (until next year). We’ll no doubt see you again in 2022. Follow us on LinkedIn and Twitter, and sign up for our weekly blog digest to stay up to date with the latest intel, so you can help secure your Human Layer.
Andrew Webb, Senior Content Manager