The Challenge of Securing Humans (or ‘Why Balderton just led the Series A in Tessian’)

One of the rarely admitted secrets of computer security is that most breaches are not caused by the clever technology or genius hackers so beloved by Hollywood movies. Instead, the vast majority of times that unauthorized access is granted to a system, or sensitive data is lost or stolen, it happens because of human error. A salesperson misaddresses an email, sending files relating to one customer to another with a similar name. Someone in accounting doesn’t pay enough attention to an email that appears to be from the marketing department and makes a payment they shouldn’t have. And someone in HR gets a call from somebody who sounds like the CEO and gives sensitive employee information over the phone.

Exciting stuff but not how hacks actually happen (Credit: Mission Impossible / Cruise Wagner Productions)

A great deal of modern life, whether personal or business, boils down to communications between individuals and groups. However bullet-proof the channels of communication or the tools used to send and receive messages, if the people on either end make mistakes, security fails and breaches occur.

To combat the fault-prone nature and behaviour of all of us humans, security companies and experts write rules. Every time you send or receive an email, hundreds, if not thousands, of rules are checked to see if anything about what you just did might have been a mistake, oversight or manipulation that could lead to a security failure. We all know what happens if sufficient rules are triggered — emails are bounced back, we get asked if we really meant to do something and, in professional settings, compliance departments are notified and messages re-routed.

The problem with this is obvious. Human behaviour is just too complex to be codified in simple, hardwired rules. Increasingly complex logic leads either to massive false positives — a common experience for anyone who works in a high-security environment like government, or financial or legal services — or new, subtly different behaviour that gets through despite the tangle of efforts to stop it.

The modern solution to this multi-faceted, complex problem of greys that people have furiously tried to pretend is black or white is of course Artificial Intelligence. Simply put, techniques like machine learning create a framework that computers can use to understand what ‘normal’ behaviour looks like. Once you know normal, you can spot abnormal and abnormal is what happens when something is about to go wrong.

The use of AI in security from a network perspective has rapidly become an industry norm with companies like Darktrace leading the charge. But, going back to my early observations, most security goes wrong not on the network but at the hands of a person. And that is why I was so impressed by the work of the team at Tessian.

We’ve known Tessian (previously CheckRecipient) for a long time, having tracked the company since it was part of the excellent CyLon accelerator. Originally focusing on just one key problem — making sure that employees at legal and financial services firms don’t send emails to the wrong person, whether by mistake or on purpose — Tessian built a highly scalable AI architecture that checks every email and its contents live and as it leaves a user’s outbox. Part of their achievement is of course excellent engineering (what else would you expect from a team of three co-founders who met at Imperial?). Equally important is the insight into human behaviour and the reality of where secure systems actually fail — it is this insight and the strategy born of it that I think was the true genius behind the team’s product.

Tessian’s team have quietly but rapidly grown their business, based in London but selling worldwide

Unsurprisingly to us, this solution hit a nerve with enterprises and the company has quietly but rapidly grown. While originally focused on a single challenge — hence the old name! — the architecture that was built to solve it is extensible beyond that into a full-blown security engine that understands people, their behaviour and their conversations.

Of course we were not the only ones to get excited about this innovative way of looking at the problem. Our friends at Amadeus, LocalGlobe, Accel, Crane and the omnipresent Walking VC have already invested in the company. But as the company and its products grew, it became clear that it was time for them to raise a Series A, and as that is the stage that Balderton focuses on, we felt like it was a great time to start working together. I’m glad to say that Tim, Ed, Tom and the rest of the team felt the same about us and so we’re honoured to be investing in the company and joining its journey from here.