As insider risks, whether born from negligence, external intimidation, or true malicious internal threats, grow, organizations need to take steps to identify and eliminate these threats. In a previous post we discussed two competing approaches: Insider Risk Management and Insider Threat Surveillance. We promised to examine more closely seven core capabilities required for combatting insider risk. This post will drill down on privacy.
Security and compliance professionals typically think about privacy in the context of regulatory requirements. For example, the EU’s General Data Protection Regulation (GDPR), HIPAA, the California Consumer Privacy Act (CCPA), and a growing number of other laws require organizations to protect personally identifiable information (PII) and personal health information (PHI). When that information is exposed in a breach, organizations are subject to fines, loss of customers, and reputational damage.
Less well understood are the privacy rights of users and how these differ between jurisdictions. For example, in the U.S. and U.K., employers are entitled to monitor private emails to establish whether the contents are business related. If the emails are clearly personal, the contents should not be processed unless there is a suspicion—and evidence—of misconduct. In contrast, in the EU it is illegal in most cases to process the content of private emails. An employer may be permitted to open an email to establish whether it is a business or personal email, but processing must be ceased if the email is found to be personal.
This highlights a challenge with insider threat surveillance solutions like Proofpoint ITM (ObserveIT). They employ monitoring techniques like video capture, keystroke logging, and file scanning to examine each action a user takes, irrespective of intent. This can limit their use to highly regulated environments like classified networks where there is no realistic expectation of employee privacy.
Monitoring viewed as overly intrusive can also adversely affect employee performance. Covert monitoring by management of user activity including web searches and email can easily be seen as invasive and disproportionate to risk. According to a study by MITRE Corporation, higher levels of monitoring can also lead to lost trust and lower organizational commitment.
Insider Risk Management solutions like DTEX InTERCEPT take a very different approach to privacy. DTEX InTERCEPT pseudonymizes PII and collects only application metadata to build a forensic audit trail in a privacy compliant manner. User identities are exposed only when justified by the threat and must be approved by multiple legal and cyber security executives before information is examined by digital forensic analysts.
The DTEX model significantly reduces the amount of data that an organization needs to collect, eliminating the collection of intrusive data sources which are unnecessary for improving security. This enables the DTEX platform to identify high risk events without infringing the privacy of individuals.
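The pseudonymization and multi-party re-identification pattern described above, as an added illustration in Python (constructed example, not DTEX's code): raw events are reduced to an allow-listed set of application metadata fields, the user is replaced by a keyed HMAC pseudonym, and a pseudonym can only be mapped back to a person when approvals from both an assumed "legal" and "security" role name that specific pseudonym.

```python
import hashlib
import hmac

# Constructed example: only these application-metadata fields survive collection,
# so content such as email bodies, keystrokes or screenshots is never stored.
METADATA_FIELDS = ("timestamp", "application", "action", "resource_type", "bytes_out")

# Assumption: re-identification needs sign-off from both of these roles.
REQUIRED_APPROVER_ROLES = frozenset({"legal", "security"})


def pseudonymize(key: bytes, identity: str) -> str:
    """Keyed, deterministic pseudonym: same user -> same token, but without the
    key the token can be neither reversed nor recomputed from a guessed name."""
    return hmac.new(key, identity.lower().encode(), hashlib.sha256).hexdigest()[:16]


def collect_event(key: bytes, raw_event: dict) -> dict:
    """Build the audit-trail record: pseudonymous subject plus metadata only."""
    record = {"subject": pseudonymize(key, raw_event["user"])}
    for field in METADATA_FIELDS:
        if field in raw_event:
            record[field] = raw_event[field]
    return record


def reveal_identity(key: bytes, pseudonym: str, directory, approvals) -> str:
    """Map a pseudonym back to a user only when approvals cover every required
    role and each approval is scoped to this specific pseudonym. The mapping is
    recomputed from the directory, so no reverse lookup table is ever stored."""
    roles = {a["role"] for a in approvals if a["subject"] == pseudonym}
    missing = REQUIRED_APPROVER_ROLES - roles
    if missing:
        raise PermissionError(f"missing approvals from: {sorted(missing)}")
    for identity in directory:
        if hmac.compare_digest(pseudonymize(key, identity), pseudonym):
            return identity
    raise LookupError("pseudonym not found in directory")


if __name__ == "__main__":
    KEY = b"constructed-demo-key-rotate-in-production"
    raw = {"timestamp": "2024-05-01T09:12:00Z", "user": "alice@example.com",
           "application": "outlook", "action": "send", "resource_type": "email",
           "bytes_out": 20480, "email_body": "personal message, never stored"}
    print(collect_event(KEY, raw))
```

Rotating the key invalidates old pseudonyms, so key lifetime should match the retention period of the audit trail.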
Want to learn more? You can download our e-book, “Insider Risk Management vs Insider Threat Surveillance” here.