When the COVID-19 pandemic became a global crisis in March, the shift to working from home changed the security posture of nearly every company. The notion of a security perimeter had all but been obliterated as CISOs and their teams suddenly found themselves defending a digital footprint that had expanded exponentially.
The transition to a work-from-home environment also underscored how employees can make businesses vulnerable from within.
It’s not a recent development. Research from Kroll reveals that human error was the cause of approximately 90 percent of data breaches in 2017 and 2018.
“Everything that we stand to do as a company is amplified by this global work-from-home environment as people are security endpoints themselves,” said Tim Sadler, CEO of Tessian.
Tessian uses machine learning to address email security threats - like accidental data loss and spear phishing attacks - by developing a deep understanding of normal and anomalous human behavior.
“Security controls act as guard rails,” notes Sadler. “They stop things from happening that could be bad for enterprises. With work-from-home, the things you would have relied on in the past – such as the presence of an IT team or the ability to ask John from accounting whether he really sent you this invoice – aren’t done as easily as they were in the office. We need technology to provide an additional layer of protection for people as they work remotely.”
Tessian’s mission is to secure the human layer. “We want to be a layer of technology that takes the complexity of security away from the employee, enabling them to work safely, wherever and however they want,” says Sadler.
Part of the current challenge that cyber teams are facing is that employees who are working from home are distracted by health, financial and other concerns which could make them more vulnerable to phishing and other email scams.
“People are vulnerable at this time; they’re distracted, they might not be in the right headspace and, consequently, they may miss the cues that signal a threat. This is when mistakes happen and sadly, hackers prey on this,” says Sadler. “By understanding what normal behavior on email looks like for each and every employee, our solution alerts the person when an email looks abnormal, or malicious, and helps them make the right cybersecurity decision, before they do something they might regret.”
This is one of the reasons why Tessian recently released a new report called the Psychology of Human Error. “By gaining an understanding behind the psychology of human error, security leaders can better understand how to prevent mistakes from happening before they turn into breaches,” says Sadler.
The Problem with Email
Launching a phishing campaign is a much easier and more cost-effective way for bad actors to break into an organization than hacking an enterprise server, for example. The inherently open nature of email means that attackers can contact anyone with an inbox and, by impersonating a trusted brand or a senior executive, trick their victims into complying with their malicious requests.
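To make concrete the idea of learning each employee's normal email traffic and warning on the abnormal (the impersonation described above and the "John from accounting" invoice example earlier), here is an added illustration of a per-recipient sender baseline. It is not Tessian's code and not from the original article; the mail history, addresses and similarity threshold are constructed assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample history (not real mail): From headers each employee
# has previously received, used to learn what "normal" looks like per person.
HISTORY = {
    "alice@example.com": [
        "John Smith <john.smith@example.com>",
        "John Smith <john.smith@example.com>",
        "Dana Lee <dana.lee@vendor-example.net>",
    ],
}
LOOKALIKE_THRESHOLD = 0.8  # assumed similarity cutoff for near-miss domains


def build_baseline(history):
    """Per recipient, map each display name seen to the addresses it came from."""
    baseline = {}
    for recipient, raw_senders in history.items():
        names = defaultdict(set)
        for raw in raw_senders:
            name, addr = parseaddr(raw)
            names[name.strip().lower()].add(addr.lower())
        baseline[recipient] = dict(names)
    return baseline


def assess(baseline, recipient, raw_from):
    """Classify an incoming From header against the recipient's baseline.
    Returns (verdict, reason); anything but 'normal' warrants a warning to the user."""
    name, addr = parseaddr(raw_from)
    name, addr = name.strip().lower(), addr.lower()
    names = baseline.get(recipient, {})
    known_addrs = {a for addrs in names.values() for a in addrs}
    if addr in known_addrs:
        return "normal", "sender address seen before for this recipient"
    if name in names:
        # Familiar name, unfamiliar address: the executive/colleague impersonation case.
        return "impersonation", f"'{name}' previously wrote from {sorted(names[name])}, now {addr}"
    domain = addr.rsplit("@", 1)[-1]
    for known in {a.rsplit("@", 1)[-1] for a in known_addrs}:
        # Near-miss domains (typo-squats) get their own verdict so the prompt can name the lookalike.
        if SequenceMatcher(None, domain, known).ratio() >= LOOKALIKE_THRESHOLD:
            return "lookalike_domain", f"{domain} resembles known domain {known}"
    return "first_contact", "no prior mail from this name or address"
```

In practice the baseline would be built from a mail archive rather than a literal, and the verdict would drive an in-client prompt rather than a return value.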
A people-first approach to security is a potential solution to this, says Sadler. “We can’t blame people for falling for phishing scams. Attacks are getting harder to spot and not every employee is a cybersecurity expert. Organizations, instead, need to empower people to make them feel like they are a security asset to the company. Reduce the risk and build a strong security culture by tailoring training and educating staff on the ways an attacker might target them. We shouldn’t discourage people by forcing them to participate in phishing tests and if they don’t respond well, their bonus gets taken away.”
Because the human layer of security is so critical, it’s essential for CISOs and other security stakeholders to think through the security journey for employees. “You also need to think about the end-to-end security journey for employees. If security solutions or policies prevent people from getting their jobs done, they will find workarounds,” says Sadler. “So as a CISO, ask yourself what security decisions you are making and how that is impacting employees in other parts of the business?”
- While the network perimeter and endpoint security are important elements to address in cybersecurity strategies, don’t overlook the criticality of securing the human layer.
- Research shows that human error is behind 90 percent of the data breaches that occur. CISOs and their cyber teams need to take a proactive, hands-on approach to addressing the human component in cybersecurity in order to protect their company’s and their customers’ data effectively.
- CISOs should also evaluate the full scope of vulnerabilities that are presented in the work-from-home environment and apply technology to seamlessly protect employees and their organizations.