By Chris Bush, Head of Security, ObserveIT
More than 50 percent of data breaches are caused by an organisation’s insiders, according to Forrester’s 2019 report. And it’s not just employees who are Insider Threats to cybersecurity; it’s also an organisation’s contractors, third-party vendors, and partners.
With Ponemon research revealing that the cost and frequency of Insider Threat breaches are on the rise, it’s no surprise that organisations are taking affirmative measures to tackle the Insider Threat.
Insider threats: a people problem
Insider Threats can be malicious, completely accidental, and anything in between. Last October Heathrow Airport was fined £120,000 by the Information Commissioner’s Office for “serious” data protection failings after an employee dropped a USB stick containing sensitive personal data in a London street. Though accidental, the end result was arguably just as harmful as disgruntled Morrisons employee, Andrew Skelton’s, deliberate exposure of the private data of 100,000 personnel.
Whether intentional or not, people are at the heart of Insider Threats. Consequently, understanding human behaviour and motivations is the key to fighting it. Traditional Insider Threat security tools, like Data Loss Prevention (DLP) and Security Information and Event Management (SIEM) only track data movement. DLPs stop data loss through classification and tracking of individual files, and SIEMs collect and analyse reports on log data. This focus on data leaves security teams without the context needed to effectively detect and investigate Insider Threat incidents.
Monitoring prevents, detects and remediates Insider threats
Increasingly, businesses are monitoring and recording the activities of employees to help protect critical business and customer data from unauthorized access, theft, and accidental disclosure, as well as to comply with industry requirements.
Not surprisingly, this has raised serious concerns about employee privacy in the workplace. But activity monitoring in the context of cybersecurity isn’t a matter of Big Brother watching each and every move, keeping tabs on each website visited or what content is being viewed by every individual in the network. For one thing, even in a medium-sized enterprise – let alone a large, multi-national enterprise – it would be infeasible to record and analyse such a massive amount of activity and data over company systems. Security teams are already suffering from alert fatigue, due to the sheer volume of security alerts they receive, many of which are false positives.
Instead, organisations can create rules for their activity monitoring to flag activity only when specific behaviour is detected. These “rules” are based on an organisation’s particular needs. For instance, if employee training is a priority, monitoring can be set to generate real-time reminders to users when out-of-policy activity occurs, such as using prohibited cloud storage applications like Box or Dropbox.
Such reminders educate employees and reinforce cybersecurity training. If malware is a prominent threat, monitoring can be configured to detect and block certain actions outright, such as employees who plug in a removable media, like a USB, that can introduce malware onto company machines or serve as a vehicle for data exfiltration.
Monitoring activity also allows organisations to create a benchmark for normal behaviour, which in turn enables security teams to quickly spot atypical activity, such as an unusual number of logins or uncharacteristic activity on an account. In the event of a suspected breach, monitoring allows comprehensive visibility into company network activity that reduces investigation time dramatically, providing businesses with the “who, what, when, where, why, and how” they need to respond rapidly and effectively.
How to preserve employee privacy
It’s essential that businesses be open and transparent with employees as to what is being monitored and why. By openly discussing monitoring and how it fits into overall cybersecurity policies – namely, to protect company systems and data, including employee data – employees will better understand that monitoring is being conducted for legitimate purposes and in a justified manner.
Monitoring can also utilise data anonymisation so that there is no infringement on individual privacy. With anonymisation, personal information that identifies the user can be replaced with randomly generated codes and only when there is a requirement to investigate that data – like when suspicious, out-of-pattern or out-of-policy activity takes place – can an authorised person look at the data to understand what has happened. By limiting access to a need-to-know basis only, organisations can further protect employee privacy.
The Insider Threat is not going away, and as corporate responsibilities under GDPR become clearer and expectations greater, it’s crucial that organisations proactively protect against it. By monitoring in a way that protects employee privacy, businesses can affirmatively protect employees and data, without the need to sacrifice user privacy for data protection. Now that’s a win for all.
About the author
Chris Bush, Head of Security, ObserveIT, Biography:
Chris is a career security professional with more than 20 years of IT security industry experience. Chris is responsible for ObserveIT’s information and operational security strategy. His prior experience includes serving as VP of Security Service at Cybereason where he built and operated a Managed Detection and Response service. Chris also spent 13 years at Novartis Pharmaceuticals where he served as Head of Security.