How is your organization addressing insider threats caused by misrouted email?
A UK study released in CISO Magazine in December 2019 revealed that, “44 percent of employees admit that they’ve mistakenly exposed personally identifiable information (PII) or business-sensitive information using their corporate email accounts. Over 70 percent of respondents have experienced this type of breach during the last five years. …”
Another study from 2018 suggested that 88% of data breaches are caused by human factors and only 12% by malicious attacks. In that study, “The most common error was to send sensitive data to the wrong recipient, which was the cause of 37% of reported data breaches.”
While clicking on links that may bring malicious malware has received the majority of email security attention over the past year, especially during this current pandemic, various responses to phishing have also received the greatest level of investment from technology and security industry leaders who address email threats.
But what can be done to better protect sensitive information sent from public and private sector inboxes? Can AI help?
Allow me to introduce you to a new security industry category called “human layer security” with cutting edge AI solutions to address these email routing problems. But before I bring in the top industry expert that I could find on human layer security, I want to emphasize that we are NOT addressing security awareness training programs – which my readers know I like to write about. No, this is technology that works with MS Outlook or other email.
To understand the differences and how they work together – please read my interview below.
Introducing Tony Pepper
Recently, I had the distinct pleasure to meet a global security industry leader who really impressed me with his knowledge, passion and stories told with that unique British (dry) humor. Best of all, Tony Pepper can take complex cyber problems and explain solutions in everyday practical language.
Tony Pepper co-founded Egress Software Technologies in 2007 and currently serves as Chief Executive Officer (CEO) for the company. Tony has overseen the company’s rapid expansion, driving innovation and worldwide sales.
Pepper has an in-depth understanding of the data security market and prior to Egress held executive management and integration roles at Reflex Magnetics Ltd, Pointsec Mobile Technologies, and Check Point Software Technologies.
Over the years, he has presented on a variety of data security-related issues and strategies for mobile computing and best practices surrounding secure data exchange. Pepper holds a Bachelor of Arts honors degree in Politics from Nottingham Trent University. He also holds a Masters degree in Software Engineering from Liverpool University.
Exclusive Interview On Human Layer Security With Tony Pepper and Dan Lohrmann
Dan Lohrmann: How do you define “human layer security?”
Tony Pepper: The “human layer” in any business is its people and, unfortunately, people cause data breaches every day.
Importantly, CISOs actually know this is true. In our recent Insider Data Breach Survey, 97% of CISOs said they were concerned about insider risk. What’s more, 78% said employees had put data at risk accidentally in the last 12 months, and 75% said they’d done so intentionally.
There’s traditionally always been a tradeoff between productivity and security. The perception and reality for many organizations using legacy security solutions is that they bring with them complexity and friction for the user. In today’s world, customers are no longer prepared to make such compromises, but demand both the highest levels of protection and engaging end user experiences that drive efficiency.
The workplace has also changed. We store and share more data digitally, accessing it from a range of locations globally, and consequently the risk to that data has evolved. The greatest threat to security and compliance for any organization now is what we call “human-activated breaches” – and those traditional, cumbersome technologies simply can’t mitigate this threat, if they’ve even been deployed at all. At the same time, we’re experiencing the greatest shift in data privacy ever seen, as countries globally adopt new laws designed to enhance the rights of individual data subjects, and organizations need a new way to mitigate the risk their own people pose to sensitive information.
This has given rise to a new category of security – “human layer security”. We like to describe this technology as wrapping a protective layer around your organization’s people, to detect when they might be about to breach security policy and, dynamically, ensure that doesn’t happen. And it’s not just about data privacy; it’s about recognizing the business’ needs and ensuring people can continue to work productively yet securely.
Why do traditional cybersecurity solutions struggle to solve these problems?
Pepper: Essentially, traditional technologies haven’t been able to dynamically respond to human behavior and, therefore, as risks to sensitive data have evolved, these technologies have been unable to keep up.
Let’s take, for example, Data Loss Prevention (DLP) for email. It uses static rules to define what “is” and “isn’t” compliant with known security policies and then makes decisions using this information. So, you can set a rule to force encryption of emails that contain credit card numbers or dates of birth, or you can block them from being sent altogether. And there remains a place for rules like this to help reduce a certain level of risk – but at best, these technologies might only reduce your risk of a breach by, say, 10%.
One of the more obvious reasons for this limited effectiveness is the knowledge and overhead required to manage these policies. Because if the rules don’t evolve with the business or with the security threats you face, you can’t ensure sensitive information is protected. Beyond time management, there’s also the problem that “you don’t know what you don’t know” – if you haven’t detected and mapped an area of risk, then you simply can’t update the policies.
But the second, and much larger problem, is that these technologies don’t mitigate the “human-activated breaches” I mentioned before. In today’s digitized and connected world, the biggest threat organizations face comes from people handling, processing and sharing data. The decisions people make, the errors that creep in, or how they’re feeling on a particular day – all these factors impact data security and create an extremely large surface area for risk.
Put simply, complex problems need sophisticated solutions and without the ability to analyze context within any given situation, breaches of security will continue to slip under the radar without detection.
For example, Employee A might be allowed to share client financial details via email – but one day, they send the report for Client X to Client Y by mistake. Static technology can’t look at that scenario playing out to dynamically analyze the risk and proactivity warn the user – it can only say whether something is or isn’t allowed, does or doesn’t require encryption; it can’t tell you that you don’t normally send that particular document to that specific client.
How can artificial intelligence and/or machine learning help? Any simple examples of how it works in real life?
Pepper: Machine learning and artificial intelligence have transformed the technology landscape. As a result, we can now tackle complex problems deemed almost impossible previously. If the old ways of working dealt in black and white, the new world leverages intelligent technology that can respond dynamically to an individual’s behaviors, looking at the gray areas where people make questionable security decisions and providing a safety net that protects sensitive data in real-time.
So, what’s simpler than sending an email?
It’s something the vast majority of us do every single day. In fact, it’s reported that 124.5 billion business emails are sent every day – so even if only 10% of these contain sensitive data, there’s such a statistically significant chance that at some point, every day, data will be breached.
This risk comes in various forms. I typically find not everyone is willing to admit to sending an email in error; but everyone is happy to say they’ve received an Outlook recall or been told to disregard a previous email! So, we all have experience of misdirected emails – even if we don’t want to admit to doing it ourselves. And in most cases, the senders are simply trying to do their jobs, and they make a mistake. Maybe they’re tired or rushing, and Outlook auto-complete suggests the wrong recipient. It can happen in a heartbeat.
Alternatively, we know people frequently find workarounds to avoid using cumbersome email encryption tools imposed upon regulated businesses that share sensitive content. Typically, they do this because of pushback from recipients due to the level of friction created – often resulting in sensitive information being shared in plaintext. However, this means the data isn’t protected in transit or at rest in the recipient’s mailbox, and the organization loses control over what the recipient can do with the data. They’re free, for example, to print any attachments and subsequently lose them on the subway, or forward the entire email onto someone else, who might not be authorized to receive it.
Human layer security is about analyzing the risk as someone sends an email, determining whether it’s going to the right person, with the right content attached, and then applying an appropriate level of protection.
This is achieved by the technology learning what “good security behavior” looks like for each individual employee and alerting them and/or administrators to any abnormal behavior, such as including a wrong recipient or not using encryption.
This all adds up to making people more productive – because their emails are going to the right people – and automating security to keep data safe.
What stories or case studies show the value of human layer security in a midsize or large enterprise? What were the results?
Pepper: Last year, I met with a Chief Privacy Officer of a Fortune 500 business in the US. Now, they were fully aware of the risks posed by misdirected emails. In fact, they had over 100 reported incidents in the previous 12 months of which three had been serious breaches of security policy. Each of those incidents had to be reported to the data protection regulator, resulting in significant cost to remediate.
So, they reached out to us, as they knew this is a problem we could solve. As part of the process to address the risk within their organization, we plugged our technology into their environment to determine the extent of the misdirected email problem. Now, the Chief Privacy Officer believed he knew about every incident that had put data at risk – but unfortunately that wasn’t the case. We found that the scale of the problem was actually 15-20 times worse!
That’s because people can’t report a breach if they don’t know it’s happened, which is sometimes the case with misdirected emails, but frequently, they’re also afraid of the ramifications of reporting incidents, so they hope they go undiscovered.
Using our technology, we were able to reduce this risk by 98%. Firstly, that’s a win for data privacy and compliance; but importantly, it’s also a win for business productivity and the money saved from remediation efforts.
When most users hear “human layer,” they think of security training programs. Is that part of your recommended solution, or is security awareness training a completely different discipline?
Pepper: Although there’s always a place for training and awareness programs, they’re not, and shouldn’t ever become, the main focus of human layer security.
That’s because training has a natural ceiling. Let’s take the misdirected email again as our example. You can tell someone why it’s good to remember to check they’ve added the correct recipients to an email – but on a daily basis, how many people are going to actually do this for every single email they send?
The psychology behind data breaches like this is extremely interesting. You might find that someone carries out these checks initially, but as time goes on, they become complacent – because so far, they’ve never made a mistake or, when auto-complete has suggested the wrong recipient, they’ve immediately caught it. Eventually they’re going to stop checking every email, which means the next time auto-complete adds the wrong person to an email, they might not notice.
Alternatively, if the person is in a rush to go on their lunchbreak or to head home after work, they might not bother checking their recipients as the process slows them down and they want to enjoy their free time. And the problem is, in this cost-benefit analysis, the cost is borne solely by the employee (they’re the ones delayed leaving for their lunch) but the benefit is seen to belong entirely to the organization (it’s their data that’s being protected).
Again, that’s where human layer security technology comes in to analyze the decisions they’re making – decisions motivated by a range of behaviors and complex psychology – and help ensure breaches are mitigated before data is put at risk. We need technology to step into this process because, as history has shown us, training alone isn’t enough to stop the rise in email data breaches.
More importantly, human layer security should be used alongside frequent simulation exercises and awareness training. As we’ve seen, just knowing the theory isn’t enough to stop data breaches from happening – but alerting users to risky behavior in real-time will help them to see how these scenarios play out in day-to-day life.
Egress was the first company to address this challenge. When did your team see this growing concern? Who does your solution help?
Pepper: Egress has been operating in the email security space for over a decade. As a result, we’ve known for a long time that inbound and outbound security breaches are a major problem – and that problem has grown exponentially over the last five years, as more people rely on email to share sensitive data.
We started enhancing our platform using machine learning in 2016 and are now proud to help Government agencies, Fortune 500 and FTSE 100 organizations solve these complex insider threats.
Where is this technology heading? Will everything I do online (one day) be evaluated by AI for the risk – with possible alternatives offered?
Pepper: Human layer security definitely has a broader application than email alone. We like to say that we’ve chosen to start with email – but we’re always examining where else this technology can go.
In the immediate future, that’s about understanding where it can bring the greatest benefit to solve other organizational challenges and mitigate risk. So, logically, the first place to explore is other channels that employees use to share data – such as file sharing, collaboration, instant messaging, SMS, etc. Naturally, there are technical considerations to think about when integrating contextual machine learning into these applications, but prioritization should target the most at-risk applications first. In our experience, that’s when employees need to share large files.
And as we develop and deploy this technology, they’ll always be room for advancement as the technology grows, so we’ll continue to build out the core functionality across email and any other applications, so it brings even greater benefits to security and productivity.
Beyond the integration with existing technologies, there’s no real limit to where this could go – but obviously there are some areas where it’ll be more useful than others. Wherever it’s possible for people to put data at risk – whether that’s their own data or someone else’s – we should be examining how we can wrap human layer security around them to keep this information safe.
Is there anything else you want to add?
Tony Pepper: Just that now more than ever, we can really see the need for human layer security technologies that keep people and the data they share safe. Approximately one-quarter of the global population is currently being told to stay at home due to the COVID-19 pandemic, and as a result, wherever possible, organizations are enforcing remote working for their employees.
As a result, we’re living in our inboxes right now. And we’re doing it from dining tables, spare bedrooms and, for the lucky few, home offices! Many people are working on smaller screens than they’re used to, some are even working primarily on mobile devices while they wait for laptops to be issued to them, so the chance of an email data breach is even higher.
Now more than ever, it’s important that we empower our employees to work productively, while also ensuring data is always kept safe.
Dan Lohrmann: I’d like to thank Tony Pepper for answering my questions and for educating all of us on how this new category of human layer security can stop data breaches emanating for our inboxes.
I often get asked how artificial intelligence and/or machine learning can help stop data breaches in practical ways. This solution seems like a practical example with some amazing ROI numbers that surprised me and led me to do this blog. Tony recently wrote this article for Forbes which describes how Business Email Compromise (also called CEO fraud by some) can be prevented using this new technology. I encourage all my readers to put human layer security on your cybersecurity roadmaps for the next year.
I see this as technology expanding and becoming commonplace in our mailboxes over the next few years and answering the challenges that most enterprises face with implementing and maintaining complex data loss prevention (DLP) solutions.