Tony Pepper, Egress: "insider risk comes in many forms"
Today, we know very well how to protect ourselves against most cyber attacks. Be it malware or phishing, the steps are similar: get a VPN, enable 2FA, update your systems and network promptly, and stay alert. But how do you address the weakest link in your defenses, the one that might cost you millions: your employees?
Regardless of how much money you invest in cybersecurity, one employee clicking on a suspicious email link could cost you as much as the business itself. With that in mind, the question remains: how best to educate your people on cybersecurity, through training or through new technology?
Tony Pepper, co-founder and CEO of Egress - a company focused on eliminating insider risk - shared why people are still considered the weakest link in cybersecurity and how Egress helps tackle that issue.
Egress has been in the cybersecurity industry for over ten years. What has your journey been like so far?
When Egress was founded in 2007, we were determined to change the way that organizations protect their data by providing highly secure solutions that didn’t get in the way of productivity and create user friction. We initially operated in ‘stealth mode’ to develop our technology before we brought our first product to the market in 2010: Egress Protect, our email encryption solution. Since then, we’ve expanded our product range to enable us to innovatively address our customers’ most complex cybersecurity challenge – insider risk.
As part of our Intelligent Email Security platform, we’ve launched Egress Prevent, which uses contextual machine learning to protect organizations from outbound risks, and most recently, Egress Defend, which detects and mitigates targeted phishing attacks. In doing so, we became the only vendor globally to utilize intelligent technology to mitigate both outbound risk and inbound threats.
In the early years of the business, our initial customer base was made up of government departments and agencies. Since then, we’ve seen rapid adoption of our products by organizations in other highly-regulated industries, such as healthcare, legal and financial services.
Organizations have realized that their people are their biggest security vulnerability – and they’re turning to us to help solve the problem.
You take great pride in your intelligent email security solution. Can you tell us more about this technology?
The Egress Intelligent Email Security platform is the only solution globally to use intelligent technology to tackle both inbound and outbound risks on email.
Egress Defend, our anti-phishing solution, utilizes a zero-trust approach to protect employees from targeted attacks. Using natural language processing (NLP) and machine learning, Defend is able to detect even the most sophisticated threats, including those using compromised accounts and open-source intelligence (OSINT) to make their attacks more convincing.
Two products provide our outbound email security. First, our DLP solution, Egress Prevent, utilizes the latest in machine learning and social graph technology, analyzing the content and context of each outbound email to understand user behavior and mitigate outbound email data breaches. Secondly, Egress Protect provides industry and government-certified email encryption, integrating seamlessly with Microsoft 365 and using intelligent risk insights to automatically encrypt sensitive content to offer the highest level of security without getting in the way of productivity.
According to one of your recent surveys, a significant number of respondents feel that VPNs, video training, and email reminders are sufficient solutions to keep their organizations safe. Do you think these measures are enough?
No. It’s not enough. Measures such as video training and email reminders are one-off, point-in-time tactics that fail to account for the sophistication of targeted attacks and for user behavior. Organizations need technology to mitigate this risk, and many still don’t have the right solutions in place to protect themselves and their people. That’s why our most recent Insider Data Breach Survey found that an overwhelming 94% of organizations have suffered an insider data breach in the last 12 months.
In particular, external threats are growing at an alarming rate. We’re seeing a gold rush on cybercrime, with hackers turning to increasingly sophisticated tactics to target organizations and exploit employees. Unfortunately, security measures like VPNs and training don’t solve the problem because they fail to adequately protect an organization’s people. Training is a necessary element of any security strategy, but it must be coupled with the right technology. Organizations must focus on closing security gaps in their existing security protocols to ensure that they don’t become the next victim of cybercrime.
Your survey also uncovered that 76% of the participants believe their company would pay a ransom in case of a ransomware attack. What are your thoughts on this approach?
I’m sympathetic to organizations that feel their only choice is to pay a ransom. For many, losing access to their systems and data is catastrophic in purely financial terms; for others, such as healthcare providers, it can be a matter of life and death.
However, as long as organizations continue to pay, ransomware will continue to be a lucrative business for cybercriminals. That’s why it’s important to ensure your organization is a difficult target, with the right layers of technology in place to ensure that attacks are halted early in the kill chain.
Which of the two is more likely to experience cyberattacks – big enterprises or small businesses? What do cybercriminals typically look for when choosing their next target?
Both are targets for cybercriminals, but for different reasons. Larger companies are theoretically harder to successfully attack, as they have the funds to invest in more robust security infrastructure. Larger cash reserves and cyber insurance make big enterprises an attractive target for attackers and a successful attack could lead to more significant financial gains – for example, hackers were able to make $19M from an invoice fraud scam involving Amazon in 2020.
While smaller companies might have less to offer attackers financially, they’re likely to be an easier target, as they have less robust security protocols in place. For attackers, it can be very profitable to execute a high volume of attacks against smaller businesses, with the bonus being that there’s less risk of being detected and stopped.
You often describe insider risk as one of the biggest challenges in cybersecurity. What’s the worst that can happen, and why do you think certain organizations fail to take this type of threat into account?
Insider risk is every organization’s most complex security challenge, as it’s driven by people’s behavior. Sadly, the cost from these incidents is high for both organizations and individuals. For organizations, these range from financial losses to business disruption and client churn. There can also be longer-term impacts, such as fines paid to regulators and legal fees if data subjects decide to take action. Unfortunately, there’s often a human cost involved, too. Our research found 89% of insider data breaches had consequences for the employee involved.
Insider risk is a complex issue that has, in the past, been difficult for security teams to solve. It’s not just about intentional exfiltration of data – insider risk comes in many forms. Employees are vulnerable to targeted attacks, such as phishing, and they’re also prone to human error, both of which cause data breaches. Security teams must take the time to understand the different facets of insider risk, and put in place the right technology to mitigate the risk posed by people’s behavior, especially when the individual is acting with the best of intentions and just trying to get their job done.
With more companies switching to remote work, what are the main security issues that might come up in the process? What can be done to combat these threats?
The shift to remote work has exacerbated the risk. Recent research by Egress found that over half of IT leaders believe that remote working increased insider incidents. The increase in distractions and stress caused by remote work and the pandemic created an environment of heightened risk for human error. There was also an increase in insider incidents caused by employees bending the rules – for example, using personal devices when working from home. Remote employees are also more vulnerable to targeted attacks such as phishing, because they’re at arm’s length from their security teams.
To combat these issues, organizations must put in place intelligent technology that can understand their employees’ behavior and mitigate any risk they create.
Which security solutions do you see taking the stage in 2022? Alternatively, what measures do you think are going to fall off the radar in the near future?
In 2022, we’ll see organizations leveling up their response to phishing attacks. Security leaders are well-aware that phishing is a major threat, and that it also paves the way for future attacks, such as ransomware. I think we’ll see organizations turning away from legacy solutions such as secure email gateways (SEGs) that fail to detect the most sophisticated phishing attacks, and we’ll see increased uptake of IESS and CESS solutions to mitigate inbound and outbound risk.
Would you like to share what’s next for Egress?
We’ve had a big year in 2021 – we launched Egress Defend, opened our second North American office in New York, and made several key leadership hires. Next year, we’ll see this momentum continue, with our sights set on furthering our expansion.
We’ll also be looking at new ways of adding value for our customers and mitigating the risks they face. We’ll be looking at new applications of our product and developing our intelligent email security solutions further to ensure we’re always one step ahead of the competition.
Ultimately, our goal moving forwards is to help even more organizations around the globe to tackle their most complex cybersecurity problem – insider risk.