Investing in Tessian, a Company Helping to Tackle the Human Element in Email Security Breaches

Matt Carbonara

Managing Director, Venture Investing, Citi Ventures

Suman Natarajan

Senior Vice President, Venture Investing, Citi Ventures

Email remains the backbone of enterprises’ communications today, meaning that it also represents their biggest security risk. Business email compromises and phishing scams resulted in $26B in losses from 2016-2019, and the cost of a data breach now averages $3.86MM while a mega breach (50 million records) costs an average of $392MM.

These breaches are most often triggered by employee error—in fact, a recent study suggests that human error contributes to up to 95% of cyber security breaches. As hackers conduct increasingly sophisticated social engineering attacks and further leverage automation, the onus of defending against them often falls to the employees themselves—most of whom are unequipped to do so. As a result, expenditures on security awareness training for employees are expected to reach $10B by 2027.

Incumbent cyber security tools such as secure email gateways are effective at filtering spam and suspicious attachments, but are built on 20-year-old technology and often miss attacks disguised as legitimate emails. Enterprises can also be compromised if their outbound email security controls fail to prevent user mistakes or malicious insider activity, but most data loss prevention players in this space use static, rules-based approaches that cannot intelligently detect when employees send sensitive information to the wrong recipients or covertly email themselves confidential materials. Furthermore, security awareness training has thus far demonstrated minimal impact on employee behavior because programs are typically offered only once or twice a year, the content is generally one-size-fits-all, and they leave employees with few resources to turn to or feedback to learn from when they face threats in real time.

Therefore, several emerging startups are now using machine learning to address this human fallibility issue and lift some of the burden off users and security teams. Among these, we have high expectations for the startup Tessian.

Tessian’s Human Layer Security platform intelligently protects against data breaches and security threats caused by human activity—such as data exfiltration, accidental data loss, business email compromise, and phishing attacks—with minimal disruption to employees’ workflow. The platform uses historical emails to model “normal” email usage patterns and create intricate, continuously updated “relationship graphs” for individuals and the organization at large. It then applies that intelligence in real time to analyze, detect, and prevent both inbound and outbound incidents. Remediation actions can be tuned to the risk severity, with high-risk emails immediately quarantined for the enterprise’s security team to address and action on less suspicious emails delegated to the end-users themselves. Users also receive in-the-moment alerts or tailored nudges that explain why an email is suspicious or warn them when they are about to send the wrong attachment to a client. These warnings act as continuous training for employees, providing them relevant, real-time information to help them make the best security decision for their organization.

Meanwhile, Tessian’s Human Layer Risk Hub leverages the same data and models to create a risk profile for each email user, adding a new dimension to an organization’s security posture assessment. The risk scores update continuously, responding positively when a user makes a wise security decision and negatively to high-risk email security behavior. This enables organizations to better tailor their cyber security monitoring and coaching, delivering both an immediate ROI in preventing and quickly remediating incidents and highly positive end-user feedback.

Tessian co-founders Timothy Sadler and Edward Bishop, technologists who hail from the financial services industry, fully appreciate the gravity of data security breaches and understand how individuals operate within broader systems. With human error causing security breaches beyond email as well, the company has a broader vision of extending its controls to secure the human layer deeper into the enterprise. It was this vision and expertise that got Citi Ventures excited to participate in Tessian’s Series C fundraise, alongside March Capital, Okta Ventures, and Sozo Ventures. We believe that Tessian’s Human Layer Security represents a new category in the security landscape, and we see their efforts as a first step in closing the gap on the greatest source of enterprise risk―human fallibility. We are thrilled to partner with Tim, Ed, and the entire Tessian team as they build towards this new paradigm.

For more information, contact Matt Carbonara at matt.carbonara@citi.com.