Is machine learning protecting your inbox? Leading legal technologists on why law firms are at risk from human failure on email: P.
4 Graham Thomson, CISO, Irwin Mitchell
P. P.
7 Duncan Eadie, IT Director, Charles Russell Speechlys
10 Sarat Muddu, IT Security Director, Kelley Drye & Warren
Inside a game-changing Human Layer Security company: P.
14 From the kitchen table to $60m in funding
P. P.
18 How to build a cybersecurity company in the US
28 The spear phishing threat hanging over law firms
This year the average law firm will send 7,400 emails to the wrong people. Any misdirected email is a potential data breach. Tessian’s Human Layer Security platform automatically protects law firms from reputational damage and financial penalties.
Figures derived from Tessian Breach Calculator, encompassing misdirected and unauthorized emails.
Welcome We all make mistakes – we’re only human.
mistakes. Go and ask your colleagues
timely and pertinent examples of how its
It’s especially hard to admit to others
now: how many times in the last 12
sector-leading and unique solutions for
that we messed up in a moment of
months have you have sent an email to
law firms are protecting people across
panic, complacency or sheer accident.
the wrong person? As Tessian CEO and
the world.
And what about the implications of our
co-founder Tim Sadler suggests (from
actions?
page 14), inadequate tech and patchy reporting of these errors means that even
Something seemingly small, like sending the wrong email to the wrong person
your IT team probably can’t produce an accurate answer to that question.
could be catastrophic. Hands up, I did this yesterday. You can plug protective
We all make mistakes – some we get
software into our systems, our devices
away with, others we don’t. Law firms are
and the cloud but we can’t upload
filled with people, delivering services and
software into your ‘trigger finger’.
communicating with other people. We
Thankfully, my recent ‘error’ didn’t
understand the need to kick the hackers
include a client or sensitive material
and phishers back with technology – to
(just a link to a soft play centre, sent to
remain compliant and to protect our
the wrong friend) - but it could have
clients (and our reputation) but we don’t
damaged my reputation, and worse,
always consider the human element.
resulted in loss of business or a fine.
Emma Waddingham Editor, Modern Law Magazine.
Thankfully Tessian has provided this The “human layer” in data security is
captivating supplement to explain why
significant. Law firms employ humans, and
Human Layer Security is essential for law
humans – of all levels of seniority - make
firms in particular, and to showcase some
01765 600909 emma@charltongrant.co.uk www.modernlawmagazine.com
Contents 4
Case study, featuring Graham Thomson,
Interview with Ben Freeman, Tessian Head of US.
18
Tessian introduces Human Layer Security:
24
CISO at Irwin Mitchell.
7
Case study, featuring Duncan Eadie,
a new line of defence against email threats.
IT Director at Charles Russell Speechlys. Ed Bishop, Tessian CTO and co-founder dives into the
10
Case study, featuring Sarat Muddu,
latest techniques being used by cyber criminals to infiltrate law firms and other organisations.
IT Security Director at Kelley Drye & Warren.
Interview with Tim Sadler, Tessian CEO and co-founder.
14
Co-Editor | Emma Waddingham Co-Editor | Poppy Green Modern Law Magazine is published by Charlton Grant Ltd ©2019
28
Project Manager | Martin Smith Events Sales | Kate McKittrick
All material is copyrighted both written and illustrated. Reproduction in part or whole is strictly forbidden without the written permission of the publisher. All images and information is collated from extensive research and along with advertisements is published in good faith. Although the author and publisher have made every effort to ensure that the information in this publication was correct at press time, the author and publisher do not assume and hereby disclaim any liability to any party for any loss, damage, or disruption caused by errors or omissions, whether such errors or omissions result from negligence, accident, or any other cause.
Tessian Supplement | 3
“The ability to understand an issue from the attacker’s point of view is very useful.” — Graham Thomson, CISO at Irwin Mitchell, discusses the future of the legal industry and how Tessian helps his team manage and prevent security threats.
When I was being trained initially, I remember
to readjust priorities on particular technical
learning about a KGB-initiated infiltration of
projects.
systems that was discovered pretty much To get started, can you take us through how you first got into security?
by chance: this was a real eye-opener that brought home just how important computer security was going to be in the modern economy.
I got my degree in genetics and then worked in military intelligence, where I received a grounding in computer security. After a few years, I left the military and got a job as an investigator for a global retailer. Initially I was investigating fraud and corruption, but the role evolved to cover issues relating to information security, such as insider breaches and hacking.
The people side is incredibly important: this covers my own team and the training and awareness work we do around the organisation. Our people are the first and most important line of defence.
One of the biggest changes is the focus on people. Previously, security professionals would be technical IT specialists, but today many different career paths – the military and law enforcement are just a couple of examples – can lead towards information security. The ability to understand an issue from the attacker’s point of view is very useful.
We run a ‘Security Champion’ program at Irwin Mitchell, where people from around the business with an interest in the security act as points of contact for their offices. They don’t have to have technical backgrounds at all – they’re effectively our security first aiders, with eyes and ears on the ground to help us understand the real effects of our security
Having decided that a career in information security was for me, I then obtained my CISSP qualification. I’ve since been lucky to experience many different industries, including insurance, online banking, e-commerce, and now the legal sector. I’ve been focused on purely information security for around 12 years now.
How has the industry changed since you began your career, and what has the impact of technology on security been?
Infosec has changed hugely over time, probably because the threats themselves have changed. When I started out, I think it’s fair to say the work we were doing probably wasn’t that well understood.
4 | Tessian Supplement
You can spend as much money as you want on
policies.
technology, but at the end of the day there are humans with legitimate access to your systems; if they are negligent or abuse their positions, then there’s very little that tech can do to stop that.
What are your core responsibilities at Irwin Mitchell? And what are your ambitions for your department and the team over the
It’s all well and good sitting and thinking about high-level problems, but real-world feedback really helps to crystallise the impact of what we’re doing. It’s my security policy, but I want to know how it translates across the business. What do you think the main security challenges are in the legal space?
coming years?
My core responsibility is setting the strategic security vision for the company and making sure we successfully deliver on our objectives. I refer back to this regularly to work out whether there are gaps in our present strategic framework, or whether we need
The key thing is that many people within law firms deal with very sensitive personal and company data. Our bread and butter is keeping this safe. Firms in other sectors may only have a few people dealing with sensitive data, but in law firms the proportion of people in the business who have this responsibility is far higher.
Tessian Supplement | 5
This information isn’t just internal, it comes from external parties too. For example, we might have sensitive medical records or information relating to military matters as part of the work of our solicitors. The legal space is a fairly unusual sector in that we have to think about security in a very broad sense. The very term ‘cybersecurity’ reflects the fact that more and more of the information people consume is digital. But working at a law firm, there are paper records that have to be dealt with too. So my role depends on understanding and managing all the implications of information security, not just the technical aspects. It’s important to remember that our people could be very experienced lawyers or new graduates: we have to make sure that everyone understands what their security responsibilities are. People have to know how to handle information from when it comes into our orbit right through to when we dispose of it. Security can’t just be a case of asking people to read a lengthy, technical policy document. I have to ensure the information is relayed in a way that’s meaningful, interesting and relevant, and I need to make sure the technical tools we use are easy to understand. How can new security technology help the legal sector really make strides in the years to come? The first thing to say is that the legal sector has probably not moved as fast as some other sectors when it comes to adopting technological solutions. Although there are some startups making strides in ‘legal tech’, fintech, for instance, has a higher profile and potentially more innovation happening in that space right now. Things are improving, but the sector has a whole has possibly been slightly behind the times. For me, where the sector could really benefit is access to justice: I think tech will help ordinary people engage more meaningfully with the legal system. Law is complex, and there are so many grey areas, but I’m hopeful that developments in artificial intelligence (AI) hold a lot of promise.
6 | Tessian Supplement
It’s never a good thing when someone decides not to approach a lawyer or a law firm because they’re not sure whether it’s worth it or because they think the process will be particularly laborious. Tech that allows people to ask initial questions without having to directly engage the services of a human lawyer could mean that people find it less intimidating to approach law firms. I think we’re now moving past the point where people expect to have to walk into a physical office to have meaningful conversation with a legal professional. You could easily get the same result from your own home, or on your phone, and that kind of relationship is what we need to be thinking about. I also think there could be major benefits to research. When paralegals need to sift through thousands of pages, AI could help surface the relevant information more quickly. Bots that do more labour-intensive work like reviewing long contracts could also save significant chunks of time. Next-generation technologies like AI could definitely help the legal sector move forward. The danger with AI though is that biases may still come into play, as is often the case when dealing with complex algorithms. Can you tell us about your experience bringing new technologies into a law firm? I’m fortunate that today, cybersecurity is taken very seriously at board level. If I can show that there’s a requirement and a potential benefit with a new piece of technology, the appetite to mitigate that risk is usually there. When it comes to end users, we have to think carefully about altering processes they might be used to, or telling them to stop doing
something that seems innocuous. I’ve found that as long as the training and awareness is communicated well, it’s usually accepted without too many hiccups.
Interestingly, when we implemented Tessian Guardian, which helps us combat misdirected emails within the organisation, it was one of the few security products where we had no complaints about it. In fact, people sent us screenshots thanking us for preventing emails potentially going to the wrong destination! It’s great for the team to feel like we’re making positive changes within the organisation.
Could you describe Irwin Mitchell’s attitude to information security in a couple of sentences?
Our people see information security as an absolute necessity when it comes to doing business. Everyone acknowledges that they share responsibility for the firm’s success or failure here.
So how important is Tessian to your overall security stack?
Tessian is critical for us. Misdirecting an email is very easily done: people want to be productive, and they don’t always notice when autocomplete gives them an incorrect email address. Tessian also gives us great analytics and reports that help us actually analyse the data, over and above the solution itself.
We’re soon going to be implementing Defender, which will help us address inbound spear phishing threats and make Irwin Mitchell’s security structure even more secure. Tessian is just a very clear way for us to communicate potential risks and give our colleagues additional protection.
“Our people see information security as an absolute necessity when it comes to doing business. Everyone acknowledges that they share responsibility for the firm’s success or failure here.”
“A relatively small investment in time to focus on cybersecurity could protect a reputation which has been built up over decades.” — Duncan Eadie, IT Director at Charles Russell Speechlys, speaks about the risks law firms face from cyberattacks, and the importance of embracing technological innovation.
means overseeing the development of products and services, and then successfully introducing What were some of the main threats in cybersecurity when you first moved into the sector? The first computer virus I was aware of was distributed in 1988, and in my first job we had a lunchtime session discussing it! We then had to contend with viruses distributed via floppy disk, which demonstrates just how far the industry has come. At that time, people breaking into computer systems was almost done for fun; now, cyber crime is a major global industry in its own right.
Lawyers and clients alike are now all aware of the consequences of handling data inappropriately. Today, we expect security from every organisation we deal with, not only as professionals but also in our personal lives.
these across the business.
Within the IT department, I’d say that security has had to become more of a specialist requirement in recent years, partly because criminals and tactics are becoming more sophisticated. This vertical knowledge has to be supported by core tools that help us do this more specialised work.
Law firms have to ask themselves whether they can deal with these dangerous new threats with their own knowledge and resources. If the risks are too great, the answer may lie in partnering to bring in specialist domain knowledge, while still taking accountability and responsibility for the end result. I see more law firms going
Does security permeate all aspects of your role, or is it effectively treated
in this direction now as threats and clients alike become more sophisticated.
almost as its own business unit? My role is essentially to design and deliver Charles Russell Speechlys’ IT strategy. That
Tessian Supplement | 7
“In general, customers are more willing to challenge the professions and really engage with their service providers, and that means law firms need to offer a modern experience for clients.” What are some of the challenges around
challenge the professions and really engage
The other thing for IT specialists to
driving change in a business like Charles
with their service providers, and that means
remember is that much of a law firm’s
Russell Speechlys?
law firms need to offer a modern experience
business still stems from its reputation.
for clients.
Reputation can be a very fragile entity, but it’s also why law firms will survive over the
In some ways it depends on the change you’re introducing. When we introduce products like Tessian, which doesn’t necessitate huge change to working practices and which doesn’t require lots of training, you can feel people embracing the change in a different way.
Regulatory changes are also impacting these strategic decisions. We’re now seeing more and that affects the way firms might think
So much important work carried out by
about the risks of expanding into a new
lawyers is based on their firm’s and their
practice area, for instance. All of this has
own reputation. When people or businesses
From a people perspective, the principal that everyone around the organisation is vigilant, whether you’re a lawyer, a
are in extremely sensitive situations, facing very difficult decisions, they don’t want an app, they want to talk to someone whose
What do you wish the average lawyer knew
advice they trust. In this environment, our
about cybersecurity?
duty is to preserve and enable this intimate communication as best as we can with the
secretary, a software engineer or a marketing professional.
key.
punitive penalties for breaches of regulation,
consequences for security. security challenge is really to make sure
long term. Protecting reputation is absolutely
That if their cybersecurity knowledge is not up to scratch, their firm’s reputation could
support of technology, while balancing this need with best-in-class security practices.
In a broader sense, the entire legal industry
be damaged very quickly. We’re talking about
is feeling that there’s a significant shift
a relatively small investment in time to focus
How is Tessian helping Charles Russell
happening right now. This isn’t at the
on cybersecurity best practices. In the long
Speechlys tackle threats and manage email
individual or firm level; it’s impacting the
run, this could protect a reputation that has
security?
whole sector. Firms have to decide at what point they want to catch that wave of change. For forward-thinking law firms, this is a fantastic opportunity to build on the heritage of the past and embrace the opportunities of the future, something that’s in the DNA of Charles Russell Speechlys. So why is this technological shift happening
been built up over decades. It only takes a moment to potentially destroy all that.
number of complaints to the ICO every year What would you say to a technologist or security professional thinking about a career in the legal sector? What advice do you have that would help them make an impact?
now, and what are the knock-on effects
Too often in the industry, making something
for security?
more ‘secure’ results in making it harder to interact with. Technologists coming into
I think there is some frustration on the part of clients that the legal sector isn’t changing and evolving at the same speed as other industries. Changing customer demographics are beginning to disrupt the legal market
The channel that generates the highest
the sector should empathise with legal professionals and realise that people don’t want barriers, however difficult that might be to incorporate into products. If people build products that combine security with ease of
is email. Firms can easily send hundreds of thousands of emails every month: when businesses have that volume of communication, you don’t have to be wrong very often for it to really matter.
Misdirecting an email isn’t something someone does intentionally, and I’m sure that your readers have all experienced sending an email to the wrong person at some point. With Tessian, we don’t encounter pushback from within the organisation, so it’s a great way to deliver meaningful change in the firm. Tessian proves that modern technology can
in the same way as many other industries.
use, you’re onto a winner, and that’s actually
support our lawyers and help protect their
In general, customers are more willing to
what Tessian has done.
relationships with clients.
8 | Tessian Supplement
Tessian protects tens of thousands of lawyers at some of the world’s leading law firms.
Search Book Tessian Demo to learn more.
“You don’t want to be the firm in the headlines because of a security breach. You have to preserve client relationships.” — Kelley Drye & Warren’s IT Security Director Sarat Muddu talks about the process of implementing change, and how his firm wards off security threats.
I can’t speak for other law firms, but ever since I’ve been working in the legal sector, I’ve seen significant positive movement in how people approach and value security. This is one really refreshing change. We regularly get enquiries from partners asking whether we are As an IT professional, what attracted you to
protecting ourselves against this or that new
a career in the legal sector?
threat – they pay attention and want to ensure firm and client safety. If we can continue
I’ve had experience in a wide variety of sectors, but I was fascinated by the security
developing this kind of curious mindset, I’ll be happy.
challenges of the legal space. Although I wasn’t a legal expert when I joined Kelley Drye,
It’s important to remember that a main driver
I moved across from health care, which is
of this new focus comes from partners being
another industry that is extremely sensitive
keenly aware of potential damage to a firm’s
to cybersecurity risks, so I understood the
reputation. You don’t want to be the firm in
importance of the problem.
the headlines because of a security breach, and you have to preserve client relationships,
How important is it that the top level of a
which are the bedrock of any firm.
firm is alert to the dangers of cybersecurity? Why is email a particularly high-risk activity Even at board level, there should be people
at law firms?
who understand the more nuanced technical details of a security project. At Kelley Drye
I think all industries are susceptible to engaging
we’ve been lucky to get great buy-in from our
in risky behaviours, but the kinds of data held
managing partner and CIO. They see a direct
in law firms means any unauthorised email
connection between a well-constructed
that goes to a personal address is potentially
security policy and the broader success of the
more dangerous because of the content of
business.
that email.
10 | Tessian Supplement
We all want to take the convenient path, but it’s the responsibility of a security team to manage and, if necessary, plug holes in those workflows that increase risk. Email is one of the most heavily used tools in any law firm, alongside document management systems.
Human error is always one of the big factors in any data breach report. Lawyers send and receive a lot of email, so in a sense it’s natural that they may be more likely to misdirect an email, for instance. Even IT teams are not immune to these pressures!
Is it the case that email is just an inherently risky mode of communication?
At Kelley Drye, our ‘Defence in Depth’ strategy tackles security concerns at every layer of the stack, from our perimeter down to individual devices, and people too. As a security team, we have established a number of risk management and training programs to help us avoid any sleepless nights. Email security is a critically important part of this mix.
As technologists, we have to make sure that all our communications channels allow business to function without any hindrance. If people don’t have a seamless experience in an enterprise,
“I think all industries are susceptible to engaging in risky behaviours, but the kinds of data held in law firms means any unauthorised email that goes to a personal address is potentially more dangerous because of the content of that email.” that actually raises the likelihood of people trying to evade those systems by, for instance, sending an email to their personal address so they can work on something at home. They’re not trying to be malicious, but they are putting data at risk.
That’s why when we’re thinking about bringing in a new security tool, we take into account not only how robust the product is but how it impacts the team’s work. Ease of use is incredibly important to us, and that’s actually what Tessian does very well. How does Tessian make it easier for you to learn about and act on potentially risky behaviours? It was really important to us that Tessian would improve our knowledge as a security team. The market for security products is incredibly saturated, and not every product is able to offer a rich level of detail to its administrators. Not only did Tessian give us valuable historical analysis, working retroactively, it was very easy to start using it. Out of all the security products we’ve invested in, Tessian has had the lowest amount of up-front work to do to get set up. This meant we could get started analysing the results straight away.
In general, when we’re implementing a new piece of technology, the fewer complaints we get the better, and we haven’t had a single complaint or unhappy query about Tessian. In the long run, this makes it easier for me to bring the next security project to the board and justify investment, which makes my job easier. Finally, looking a few years ahead, where would you like to see the legal sector progress? I think the legal sector is in a really interesting period as far as technology is concerned. Every time I go to a conference there are new and innovative solutions targeted at helping law firms succeed. At the same time, the business of law firms is changing. We have to evolve at the same pace as other industries, moving with the times. We’re seeing big shifts towards agile and remote working, for instance. How are legal security teams going to deal with this new dynamic, securing client data while giving professionals more flexible ways to get work done? For us, investments in products like Tessian are a great example of how much the firm values technological innovation.
We are now able to have a better dialogue with legal professionals and other end users, because rather than just being blocked from doing certain things, people know why an action could be problematic thanks to the insights Tessian displays within the email client. So do tech products like Tessian help you drive cultural change within the firm? Implementing change is only easy when it’s a team effort. When I’m making a business case for why a tool will help the firm, having productive discussions around the business – not just with the management team – is paramount. You can’t drive real cultural change with just a couple of people: it doesn’t happen overnight.
Tessian Supplement | 11
“Our mission is to protect firms against any security threat executed by a human.” — Tim Sadler, Tessian CEO and co-founder, takes Modern Law through his journey from founding Tessian to raising $60m from leading investors.
14 | Tessian Supplement
“Preserving the user experience is essential. It was imperative that the technology wouldn’t get in the way of lawyers doing their jobs.”
Tessian Supplement | 15
16 | Tessian Supplement
Tessian Supplement | 17
“If we’re honest with ourselves, lawyers are pretty hard to please when it comes to technology.” — How do you build a global cybersecurity company? Tessian’s Head of US Ben Freeman speaks to Modern Law about what he’s learned leading Tessian’s US arm.
MLM: When you joined the business, why
the last few years, and what encouraged you
were you excited by the problems Tessian is
to open a US office?
working on?
MLM: What do you find most interesting BF: The key thing in terms of our growth was
BF: I was the ninth person to join the business,
going through an extended period of R&D
so it was at a very early stage, but we were
before properly launching to the market. This
already seeing real success from the handful
allowed us to offer law firms and other clients
of legal clients we already had on board. The
a best-in-class solution right from the get-go.
big factor for me was that I really believed in the mission and in the team. There was already a sense that we were on to something, and lawyers really liked how it worked, which is a pretty rare reaction.
We’ve now been selling the product for four years, and in that time we’ve worked with well over 100 leading law firms. We protect tens of thousands of lawyers from malicious inbound
Additionally, the problems Tessian looks to
that time we’ve never lost a client. Our results
solve for law firms really resonated with me.
speak for themselves.
My dad is a lawyer and runs a boutique law every law firm has to think about when it comes to security and compliance.
about working with law firms? BF: If we look at the fundamentals of why Tessian has been so successful thus far and why law firms like it so much, then it quickly becomes apparent that the drivers are
threats and instances of human error, and in
firm, so I’ve long been familiar with the issues
important and fast-growing market for us.
remarkably similar. Firstly, all lawyers care deeply about their reputation, and the same is true for every law firm. At the same time, lawyers are hard-working and pushed for time. This makes them more prone to human error.
The majority of lawyers are dealing directly with clients, too, which makes email an vital artery
In the process, we’d already started to serve the US market from the UK. There was an instinctive, gut feel that Tessian was going to
of communication. Email is an essential tool in modern law firms, but it comes with inbuilt risks.
work just as well in the US. Law firms know Tessian’s products are designed to overcome
each other very well in each geographical
the massive disconnect between technology
region in the US, and if you do something right
and the practice of law. Legal firms need
as a supplier there’s a good chance that word
solutions that are extremely rigorous but
will spread. There’s nothing more powerful
which are simple to procure and deploy at the
than word-of-mouth in the legal sector.
same time: relatively few tech products are able to offer this combination.
18 | Tessian Supplement
balance right between being an effective security solution and not distracting from the work of the firm. If we’re honest, lawyers are pretty hard to please when it comes to interacting with technology: the attitude
That’s how we’ve been afforded this opportunity to grow, first in the UK and now
MLM: How has Tessian grown so quickly over
What I always find interesting is getting that
globally, with the US being a particularly
is definitely ‘the less, the better.’ If we can successfully strike that balance, we’re doing a good job.
“All lawyers care deeply about their reputation, and the same is true for every law firm. At the same time, lawyers are hard-working and pushed for time. This makes them more prone to human error.�
Tessian Supplement | 19
MLM: Within a given law firm, who are
Generally speaking, there are natural conflicts
importance of the service culture here. That is
the key people you typically engage with?
within law firms. Lawyers want to get on
absolutely true for the legal sector as well. Our
Does this tend to change from country to
and do their jobs with minimal interruptions
legal clients in the US talk about having sky-
country?
and complications, but the job of IT and
high expectations of their lawyers: they would
compliance teams is to push back when
possibly have lower tolerance for misdirected
particular practices pose a tangible risk to
emails than clients elsewhere in the world, for
firms’ security.
example. In the States, IT and risk mitigation is
BF: There are a wide range of people who need to participate in the conversation
dictated by what clients say they need. There
when we’re talking to law firms. At different stages, any discussion naturally encompasses
As a vendor navigating these dynamics, you
compliance and risk officers, IT and security
need to understand what each team is trying
teams, and of course, lawyers themselves.
to achieve. Tessian has been successful
are particular modules that we have created for the US that are directly related to meeting client requirements, for instance.
because our email filters actually please What’s also interesting about the legal market is that there tends to be a significant information gap between lawyers and IT within the firms. IT has to understand from lawyers what the risks are, but lawyers might not be feeding that information to IT.
lawyers as well as the IT teams! I think lawyers almost view our products as a second pair of eyes, quickly checking on what they are doing without interfering with their work or disrupting them in any negative way.
For example, financial services businesses in the US want assurances from their law firms that their information will not be sent to unauthorised accounts (such as Gmail or Hotmail accounts, or a personal account of any type). No technology could do that
When a law firm achieves a high degree of
automatically until we launched our Enforcer
information symmetry between the client-
product. We also have legal clients looking to
Let’s take misdirected emails (when a lawyer
facing and the core operational parts of the
solve this problem in the UK, but there are
accidentally sends an email to the wrong
business, that’s a really strong signal to us
many more financial services companies in the
person) as an example. If we speak to an
that this firm appreciates the severity of the
US and so the need for law firms is perhaps
in-house IT professional about that problem,
problem with human behaviour on email.
proportionally greater.
they might say “I think that could have
But before that point is reached, all the
happened once or twice,” but they definitely
stakeholders I mentioned earlier need to be
don’t have any statistics. If you then ask a
involved.
room full of partners to raise their hands if they have sent an email to the wrong address or the wrong client in the past year, almost all of them will put their hands up. They know it’s a problem; they’ve done it. The partners
MLM: What are the main security challenges that US law firms face? Does this differ drastically from other territories?
From a regulatory standpoint, the US is still playing catch-up. In Europe, GDPR is very stringent: it’s been a great catalyst for law firms to investigate technological solutions like Tessian. That’s not to say clients buy our products solely because of GDPR, but GDPR gives management teams additional incentives
see security missteps as almost inevitable, but many security teams don’t actually have that
BF: In America, client care is ingrained
to focus on email behaviours. At the same
information.
into society – you just have to look at the
time, though, regulatory shifts are happening
“Lawyers are hard-working and pushed for time. This makes them more prone to human error.”
20 | Tessian Supplement
with increasing speed in North America. In the US, we now have the California Consumer Privacy Act (CCPA), while the new Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada will also have repercussions.
In my experience, no-one really wants to wait
chaired by either the managing partner or
for regulations to evolve and then implement
perhaps a senior cybersecurity lawyer. These
important changes. It’s the job of law firms
are great vehicles for us to go in and speak
to spot shifts in the regulatory landscape and
about the products we’re building, because
establish how they can best take advantage of
there are people in the room that intimately
a new commercial environment.
understand the risks, both from a legal and a technical standpoint.
“There’s nothing more powerful than word-of-mouth in the legal sector.”
MLM: Are the threats to individuals and firms broadly the same across the world? Have you had to cater to global differences in attitudes to risk?
MLM: Are there any complicating effects created by the federal / state structure in the US? Does this impact the work of security professionals and lawyers?
BF: In a sense, there is a degree of uniformity. We’re dealing with top-tier law firms around the world who are all subject to cybersecurity threats. One prominent difference between the US and other markets, though, is that the US market in general is much more litigious. In that respect I think there’s an awareness within the legal sector that the consequences of breaches could be more severe in that
BF: The regulatory environment varies somewhat across different states. However, I don’t at all believe this defines how law firms do business. Law firms are pragmatic in their approach, they want to grow and take on new work, and this means state lines are rarely a fundamental barrier.
sense. In general, no matter what part of the Under GDPR in the UK, you might get fined and you might displease a client. In the US, if a firm ends up in that position there’s potentially a greater likelihood of those penalties actually coming to pass, because the corporate environment is more transactional and the sector, in general, is just extremely competitive.
In the US, I feel that there is also more of a
country they’re in, top-tier law firms will be at the same conferences, seeing the same technologies and sharing the same resources. This means that the impact of a firm being present in different states or working around slightly different regulatory requirements is lessened a little. The underlying drivers of business, and the need to secure one’s own reputation, is ubiquitous across different firms and around the whole country.
dedication to exploring new technologies as a solution to problems and risk mitigation.
Professionals in the US are more evangelical
Innovation committees are very popular in
than in the UK. If they believe in something,
the US, for instance: these are bodies within
they’re likely to be more vocal about it, and
the law firm made up of partners, associates,
this provides an opportunity for Tessian to
general counsels and other leadership figures
show our value. It’s an incredibly exciting time
including IT and compliance. It’s normally
for us and we’re looking forward to the future.
Tessian Supplement | 21
Human Layer Security: law firms’ new line of defence against email threats — Today, information security will impact your work. It might be visible: an email from a compliance officer reminding people to be vigilant, for instance. Perhaps more likely is that security solutions will operate invisibly, running in the background and screening for digital threats coming into (and out of) your inbox. The same is true for billions of professionals
These incumbent security systems have
machine-based rules to defend against
and consumers around the world. The
important roles to play when it comes to
machine-executed threats. This focus has to
problem? Right now, algorithms monitoring
defending against bulk spam and phishing
evolve. We must prioritise protecting the most
your devices and networks are probably
attacks. They usually catch the majority of
important component of any organisation:
limited to focusing on issues created by
simpler, unpersonalised threats testing an
people. This is what’s led to Tessian creating
machines. Here’s why that needs to change.
organisation’s defences.
a new information security category: Human Layer Security (HLS).
The dangers of outmoded technology
We are moving into a third era of cybersecurity. In the early days of computing, simply securing a network sufficed for the
But in spite of these new protections, data breaches are becoming more sophisticated all the time, with associated costs and reputational consequences increasing yearon-year.1 This has a lot to do with the sheer amount of data now being processed every
majority of people and businesses. Then,
day, but it’s also down to the ever-increasing
as cloud applications and mobile devices
speed at which attackers are able to move.
proliferated, organisations adopted what’s known as endpoint protection – securing individual nodes (sometimes many thousands of them) within an organisation’s broader ecosystem.
and behaviours especially hard to predict and interpret. Firstly, openness is right at the heart of what makes email a critical tool. Employees need to send and receive communications
The irony is that these malicious actors
any business unable to accept inbound
are enabled by the same next-generation
proposals or respond to questions from
infrastructure that brings so many modern
prospective customers is going to suffer.
conveniences into our lives. We are used
Networks and endpoints are still fundamental
default. We are, by and large, comfortable
components of most companies’ security
sharing our data with service providers in
looking for malware in attachments and links;
Core features of email make individuals’ habits
within and beyond organisations in real time:
to communication channels being open by
stacks. They are able to inspect payloads,
Email: uniquely unpredictable
exchange for access to apps, entertainment and much more.
they’re also often able to identify whether
Furthermore, people’s behaviours and habits are constantly changing. Over the course of a quarter, a lawyer might work on dozens of projects, all of which require engagement with a wide range of stakeholders inside and outside their organisation. Different people become
a bulk phishing attack has been flagged
Too many law firms – and, indeed, businesses
more or less crucial to a given individual over the
elsewhere on the web.
in every sector – are focused on creating
course of a week, never mind through a year.
24 | Tessian Supplement
Remember, people are fallible, too. They
people, while accepting that employees won’t
make mistakes, break the rules, and can be
be perfect and won’t stick to the rulebook
deceived. This is perhaps especially true at the
100% of the time. To an extent, unpredictable
biggest global enterprises: in absolute terms,
behaviour patterns help keep businesses agile
far more emails are sent and received in
and preserve competitive advantages: they are
these companies each day, while the potential
an asset to the modern enterprise.
reward from a successful cyberattack may be more lucrative.
It’s anticipated that in years to come organisations will have to contend with growing numbers of insider threats.2 No question: people remain a risk to organisational security.
This makes it difficult for IT leaders to respond intelligently to people’s workplace mistakes, though. It’s technically extremely challenging to anticipate and react to human activity in
“Remember, people are fallible, too. They make mistakes, break the rules, and can be deceived.”
real time with technology that behaves in ways intuitive to people. That’s why information security professionals have until now relied
Right now, enterprises control 30% of the world’s data. By 2025, that will have doubled
on rigid sets of rules, policed by machines, to secure enterprise data.
to 60%.3 Big businesses must recalibrate their view of data, recognising that the information held by companies has exploded beyond a scale at which it can be effectively policed with rule-based solutions.
Email authentication protocols like DMARC, SPF and DKIM are an example of a system of rules designed to prevent hackers from accessing networks. These protocols have long been available to organisations wishing to crack
Meanwhile, professional cyber criminals,
down on errant messages or rogue actors
nation-state groups, hacktivists, and malicious
impersonating executives – a practice known
insiders are becoming more determined
as social engineering.
and sophisticated. They understand that organisations’ defences are not currently designed to protect against personalised threats and human errors. As their sophistication increases, they are learning that human-led attacks such as spear phishing are the simplest way to breach the enterprise.
It’s estimated that total cyber crime damages
Even for experienced technologists, though, it can be challenging to get all three protocols working in harmony together. And to make matters worse, the three complement each other, meaning that a security operation missing one or more protocols risks being exploited by attackers.
will hit $6 trillion by 2021.4 This is not a business decision that organisations can afford to
Today’s intrusion detection systems can only
put off for another day. We need a smarter
really map and protect relatively static rules.
solution.
(These might include address and website blacklists, or signature-based systems that
People are the weak link
identify known threats to screen for similar occurrences in the future.) Even if a company has all its authentication protocols in place,
We invest immense amounts of trust in
rule-based systems have their limits.
Tessian Supplement | 25
“Compared to machines, people are far better at responding to feedback and changing their behaviours accordingly. At Tessian, we believe that the best security platforms should reduce risk to users over time.”
Simply mapping known risks can never equip
new network and endpoint security solutions
an organisation to predict and tackle the
continually coming to market, cyber threats
unknown. In part, the problem stems from
are also growing year on year?
the sheer amount of data coursing through modern organisations, and the myriad ways in which data now moves. If information continues to become more fluid, systems that rely on predictable structures and frameworks will be outmoded even more quickly.
Hackers know this. That’s why increasing numbers of cyber attacks are directed at people, not machines. Business Email Compromise is already a multi-billion dollar problem, and spear phishing attacks in
It comes down to what traditional platforms were built to do. Network and endpoint products were originally created to patrol a finite perimeter. But security professionals now need to rethink what a perimeter means. By implementing solutions geared around people, organisations can put conventional perimeters to one side by getting to the heart of what causes most breaches: people’s mistakes.
general are on the rise. People’s actions unquestionably pose enormous risks to data.
Defining the security perimeter with stateful machine learning
But at this somewhat gloomy juncture, might there just be cause for confidence?
As physical business processes have become degitised over the decades, they have created
Reasons to be cheerful
masses of data as a byproduct. Today, people share data in documents, presentations, apps,
Having discussed so many different risks to organisations, it might seem almost strange to think optimistically. But there is enormous potential in Human Layer Security.
chats, texts, emails and phone calls. People are responsible for keeping passwords safe and strong, not sharing information with the wrong people, and preventing bad actors from hacking into systems.
As we’ve seen, the main threats to any given organisation revolve around people’s
The human risk affects every organisation,
behaviour rather than specific machine-led
no matter the size or sector. A new kind of
threats. People are the biggest risk to an
perimeter is required in order to secure
organisation’s assets, whether that’s its data or
the human layer in addition to devices and
less tangible factors like the reputation of its
networks. Vitally, these frameworks must
brand. But there are solid reasons for security
revolve around intelligent use of data. Because
leaders to look at this state of affairs positively.
people’s behaviour is at the core of the human layer, it is essential that security teams
Compared to machines, people are far better at responding to feedback and changing their
plan for a future beyond static, rule-based systems.
behaviours accordingly. At Tessian, we believe that the best security platforms should reduce risk to users over time. So why is it that despite
26 | Tessian Supplement
Machine learning is fundamental to this new security model. Employing machine learning
to detect anomalies will allow HLS platforms
organisation to establish what normal looks like,
to become more sophisticated over time,
and work from there.
without disrupting end users.
This structure has scaling potential inbuilt from day one. HLS becomes exponentially more powerful as the networks it monitors grow larger. To make the matter still more pressing, industry figures now conclude that the world’s biggest enterprises are simply too labyrinthine for humans to try to monitor everything.5 In such a climate, machine learning is the
The central ingredient in this process is context. It’s not enough for machines to operate statelessly, analysing each quantum of data in isolation. A new breed of stateful security products now take account of a matrix of interactions and patterns, working to assess a plurality of factors potentially affecting any single decision.
inevitable destination for organisations serious about security.
This is where Tessian comes into its own. Tessian’s email filters learn from organisations’
When mid-sized law firms are sending millions of emails each year, enormous troves of data are being created. This data falling into the wrong hands could cause severe financial and reputational damage: these are rich seams for cyber criminals to mine. How best to prevent
data, ascertaining behavioural patterns and highlighting anomalous actions that might signify danger. Crucially, Tessian analyses historical data to learn from preexisting communications, so there’s no sluggishness as the system gets up to speed.
these issues and secure your biggest asset – your people? Simple: embrace Human Layer Security.
We know how challenging the security
“Law firms’ security infrastructure is in flux, but the teams that adopt Human Layer Security and embed it across functions have the best chance of isolating and acting on threats before they damage reputations or profits.”
landscape is for enterprises. That’s why Tessian’s HLS products work beneath email
Human Layer Security: the most important line of defence
platforms, imposing minimal disruption to daily workflows and intelligently signalling when something looks amiss.
HLS companies are different from the cybersecurity companies that came before.
The future is bright
We need to recognise that people pose risks to organisations, and that calls for a dramatically different view of security as a discipline.
Embracing future-facing technologies like machine learning is a fundamental tenet of
Law firms’ security infrastructure is in flux, but the teams that adopt Human Layer Security and embed it across functions have the best chance of isolating and acting on threats before they damage reputations or profits.
HLS companies. In HLS, machine learning is not an add-on or a ‘nice-to-have’: it’s right
Profound changes are coming, but they herald
at the core of every product and every user
a new breed of intelligent information security
interface. There is no need for professionals to
that will give organisations the tools to handle
change their behaviours in order to abide by
the next generation of cyber threats. Here’s to
new standards. Once deployed, HLS allows an
the era of Human Layer Security.
Forbes, ‘IBM’s 2018 Data Breach Study Shows Why We’re In A Zero Trust World Now’, 27th July 2018. Link: https://www.forbes.com/sites/louiscolumbus/2018/07/27/ibms-2018-data-breachstudy-shows-why-were-in-a-zero-trust-world-now/#67a59a368ede 2 Information Management, ‘Insider threats will dominate cybersecurity trends in 2019’, 15th January 2019. Link: https://www.information-management.com/opinion/insider-threats-will-dominatecybersecurity-trends-in-2019 3 Total Telecom, ‘Orange: Enterprise sector to account for 60% of data demand by 2025’, 27th 1
February 2019. Link: https://www.totaltele.com/502336/Orange-Enterprise-sector-to-accountfor-60-of-data-demand-by-2025 4 Cybersecurity Ventures, ‘Cybercrime Damages $6 Trillion By 2021’, 13th December 2018. Link: https://www.prnewswire.com/news-releases/cyberattacks-are-the-fastest-growing-crime-andpredicted-to-cost-the-world-6-trillion-annually-by-2021-300765090.html 5 Verdict, ‘Toyota data breach shows cybersecurity “no longer a human-scale problem”’, 1st April 2019. Link: https://www.verdict.co.uk/toyota-data-breach/
Tessian Supplement | 27
“In 2018, the FBI estimated that in the previous five years, Business Email Compromise had cost enterprises $12.5bn.” — Tessian co-founder and CTO, Ed Bishop, dives into the latest techniques being used by cyber criminals to infiltrate law firms and other organisations.
Email allows us to interact freely. If you know someone’s address, you can send them an email, regardless of where in the world they are located or what device they’re using. Even if you don’t know someone’s email, it’s often relatively easy to guess. Email is also open by default. This openness has taken masses of friction out of global commerce, and is vital to our businesses. But there’s a tension here. An open network
inevitably means risk to individuals and businesses alike. Organisations like law firms, which handle sensitive material every day, must be particularly vigilant. But striking a balance between empowering employees and cracking down on suspicious activity has to be done sensitively. Strong-form spear phishing is a particularly dangerous threat. It takes advantage of email’s openness using advanced impersonation techniques undetectable by most filters and safeguards, creating significant headaches for information security leaders. It is the most insidious threat to email communication, and is the number one form of attack threatening enterprises today.1 The FBI now tracks Business Email Compromise (BEC), whereby spear phishing is used to extract large sums of money through illegitimate or unauthorised wire transfers. In 2018, the FBI estimated that in the previous five years, Business Email Compromise (of which spear phishing is an important component) had cost enterprises as much as $12.5bn.2 So how did this threat emerge? It all started with spam Email was introduced in the 1970s. It didn’t take long for it to attract a parasite: spam, which arrived in 1978.
28 | Tessian Supplement
“The rewards for attackers are large, and the risk for companies still larger.” Spam allowed emails to be sent to large numbers of recipients with minimal personalisation. Originally invented for marketing purposes, it soon led to innumerable scams. By 2017, spam made up 55% of all emails received globally.3
And information security professionals have their work cut out. Targeted, personalised attacks are constantly evolving. At Tessian, we see strong-form spear phishing as the next stage in this email arms race.
High-ranking employees are most at risk Businesses scrambled to clean up their employees’ inboxes after spam proliferated. Today, almost every email provider or legacy Secure Email Gateway (a guard against malicious emails) will include a spam filter.
The birth of phishing
In response to spam detectors and blockers, attackers started to work harder. They turned to phishing.
Phishing mimics the identity of trusted people and services in order to extract sensitive information, such as passwords or account numbers.
Although they remain a threat, generic bulk phishing attacks can usually be prevented by legacy email security solutions.
The problem, though, is that attackers have refined their approach over the years. They have invested more time and energy into targeting specific individuals, and have turned to public-domain information from sites like LinkedIn to personalise emails.
As phishing has grown in popularity, other cybercrime strategies like ransomware and fraudulent online purchases have also become more prevalent. In 2017, hackers stole a staggering £130bn from consumers through these schemes.4 The SRA estimates that £11m of client money was stolen from law firms in 2016/17.5
How have Secure Email Gateway structures attempted to address spear phishing issues? n Display address irregularities
n Reply-to modification
From a technological perspective, spear phishing is much more difficult to filter out than run-of-the-mill spam or bulk phishing. This is because it is highly targeted towards particular individuals within organisations. Even the most cynical and risk-aware individuals can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by lawyers. This is not confined to mid-ranking employees: ‘whaling’ scams specifically target C-level executives, for instance. These nefarious tactics are not going away any time soon. Protecting the law firm There are generally two approaches for identifying spear phishing attacks: highlighting suspect payloads in emails, or detecting impersonation. To combat payloads, enterprises have used Secure Email Gateways to monitor attachments and URLs. However, there are always ways for attackers to get around these rule-based technologies. Cybercriminals may employ malware that evades software programs’ screening capabilities, for instance: alternately, organisations might fall victim to a zeropayload attack that doesn’t represent a threat for weeks or months.
Secure Email Gateways are designed to catch irregular display addresses. These occur when the target’s display address doesn’t exactly match the genuine address (changing an ‘n’ to ‘m’ and making ‘bank’ ‘bamk’, for instance).
This check looks for instances where a reply-to address may be different from the sender’s own address.
n Domain monitoring
Here, the Secure Email Gateway checks whether the sending domain has been recently registered, or whether it is registered as inactive.
The protective measures mentioned here can only ever be partially effective. That’s because they are focused on providing static, rule-based solutions: attackers can easily reverse engineer these rules and circumnavigate them.
So how are cybercriminals evading Secure Email Gateways? At least in part by focusing on strong-form techniques.
Attackers are becoming more subtle Attackers have a variety of ways to break down organisations’ defences, but strong-form tactics are especially hard for Secure Email Gateways and other rule-based systems to detect. We’ve already covered reply-to modifications, for instance. This is an example of weak-form phishing which relies on targets not realising that the reply-to address of an email has been changed from the original ‘sender’. With strong-form phishing tactics, the reply-to address can appear to be exactly the same as the sender’s address. This has the potential to confound simplistic rule-based systems.
Tessian Supplement | 29
A strong-form attack could be a homograph impersonation of a ‘trusted’ external counterparty, such as a law firm or an accountant. Here, other alphabets can be used to deceive targets into believing a domain or address is genuine. The English
“In industries like law, where many firms still rely on traditional technologies, the threat level is potentially even more potent.”
language ‘a’, for instance, is very similar to a Cyrillic small letter ‘a’. This visual trick can be used to create alias addresses that could well deceive targets. It might seem surprising that anybody can send an email pretending to be anyone,
defences. So what are the key components of a spear phishing attack?
n Target
but current email protocols allow for this. Email authentication methods like SPF, DKIM and DMARC have been designed to try and confirm sender identities. The problem is that this can only be truly effective when
The target could be any employee within your organisation, but attackers may focus on high-ranking executives or members of the finance department. Cybercriminals can spend significant amounts of time researching and identifying the most vulnerable individuals.
every company in the world publishes its own email authentication record. Unfortunately, this is far from being the case: many Fortune 500 companies still have not published the
This gives attackers the means to find, through public domain data, any of a law firm’s external counterparties without correct authentication records, and simply send emails pretending to be them.
subtle ways to breach organisations’ defences.
spear phishing works in practice. The tip of the spear: breaking down intelligent phishing attacks To fend off the most intelligent email threats, other information-centric organisations have to move beyond these rudimentary tactics. Understanding how spear phishing attacks are constructed is fundamentally important to the success of an information security team’s
The impersonation of another person or company is the core tenet of spear phishing attacks. Once a target is identified, the attacker may choose to impersonate a colleague or a trusted third party external to the organisation (possibly someone who works at another organisation they interact with regularly and trust).
n Intent
As such, it’s important to understand how
like strong-form spear phishing, law firms and
Successful spear phishing attacks all manage to get the email recipient to take a particular kind of action. This could be wiring money to an attacker’s bank account, divulging login details or other sensitive data, or installing malware or ransomware on a device. Often, requests for action exploit organisational pressures to maximise urgency and time sensitivity.
n Payload
The payload of a spear phishing attack is a file, link or request used in a malicious email to try and get the target to take a desired action. A few examples of this might be a request for funds, an attachment carrying malware, or a
Information Commissioner’s Office, ‘Data security incident trends’, Q2 2018. https://ico.org.uk/ action-weve-taken/data-security-incident-trends/ 2 BankInfoSecurity, ‘FBI: Global Business Email Compromise Losses Hit $12.5 Billion’, 16th July 2018. https://www.bankinfosecurity.com/fbi-alert-reported-ceo-fraud-losses-hit-125-billion-a-11206 3 Symantec, Internet Security Threat Report, March 2018. https://www.symantec.com/content/dam/ symantec/docs/reports/istr-23-2018-en.pdf 1
30 | Tessian Supplement
Hacking the human
n Impersonation
recommended email authentication records.
It’s clear that hackers are thinking about more
corrupt URL. While many spear phishing attacks still see the payload placed in the initial email, there is an increasing trend toward delayed payload attacks, when the attacker builds up a relationship with the target over many benign emails before sending an email containing a payload. These kind of attacks allow criminals to build trust with the target, potentially increasing the likelihood of success.
One successful spear phishing attack can result in the extraction of millions of dollars, devastating data loss, and incalculable reputational damage. While some enterprises are able to stop basic spear phishing, these attacks are becoming more sophisticated all the time. This isn’t surprising. The history of email security shows us that phishing attacks only become more advanced and personalised with time. In industries like law, where many firms still rely on only traditional technologies like Secure Email Gateways to operate, the threat level is potentially even more potent. The rewards for attackers are large, and the risk for companies still larger. There is much to be done before organisations can be said to have the upper hand against these bad actors. By acknowledging the people that are at the heart of this battle, and by building products that understand and protect them, I’m confident that we can make significant progress. Ed Bishop is the Co-founder and CTO at Tessian.
The Guardian, ‘Cybercrime: £130bn stolen from consumers in 2017, report says’, 23rd January 2018. https://www.theguardian.com/technology/2018/jan/23/cybercrime-130bn-stolenconsumers-2017-report-victims-phishing-ransomware-online-hacking 5 SRA, ‘Public and law firm money at risk as regulator reports cyber theft at peak levels’, 25th July 2017. Link: https://www.sra.org.uk/sra/news/press/risk-outlook-2017.page 4
One year of GDPR: is the job done? It’s never been more important for law firms to take compliance seriously. In Q1 this year, two thirds of all breaches in the legal sector concerned the disclosure of sensitive data. Take control over email: protect your firm. Source: ICO
Search Book Tessian Demo to learn more.
Graham Thomson CISO, Irwin Mitchell
“Tessian is critical for us. It’s just a very clear way for us to communicate potential risks and give our colleagues additional protection.”
Duncan Eadie IT Director, Charles Russell Speechlys
“Tessian proves that modern technology can support our lawyers and help protect their relationships with clients.”