Workforce Cyber Intelligence 102: An Introduction to Workforce Cyber Intelligence

Last week, we shared the first post in our series surrounding the various components of Workforce Cyber Intelligence and what the insights driven by this technology can do for employers and employees alike. That 101 introduction provided a quick overview of the technological landscape surrounding insider threat, employee monitoring, user behavior analytics and data loss prevention initiatives and what’s to come as we start to peel back the layers of the various components of Workforce Cyber Intelligence.

Now, we’re here to dive deeper into:

  • The definition of Workforce Cyber Intelligence & the challenges of user behavior analytics, monitoring and surveillance
  • Where solutions today are falling short
  • Options for engaging and securing employees the right way

What’s Workforce Cyber Intelligence?

Workforce Cyber Intelligence is a growing philosophy and emerging set of software capabilities that offer a new approach to enterprise data collection and analysis. It focuses on creating safer, smarter and more secure enterprises by understanding how, when, why, where and for how long employees and third parties interact with data, machines, applications and their peers as they perform their job responsibilities. Specific use cases include helping to increase organizational performance, supporting employee development, detecting malicious and negligent insiders, maximizing asset utilization and preventing data loss.

Workforce Cyber Intelligence is defined by three key motivations: privacy, protection & performance.

  • Privacy: Employees are increasingly aware of and diligent in understanding how employers monitor work activities and behaviors. Employees want to know that personal activities and behaviors remain private and anonymous unless those activities directly increase organizational risk, cause cultural conflict, or limit successful operations. This is a fair ask of employees and is becoming a major factor in compliance regulations and mandates.
  • Protection: Humans are an organization’s greatest asset and their biggest vulnerability. Protecting them from exploitation by external attackers is critical, as is limiting the risk of accidental or malicious actions of employees as trusted insiders. This has been accelerated by remote work models and the corresponding erosion of the network perimeter. This new way of doing business requires a new approach to employee cyber intelligence — one that baselines human activities and behaviors and protects both organizations and their employees by highlighting anomalies.
  • Performance: Employees are always a deciding factor in the success or failure of an organization. However, monitoring for the purpose of identifying non-productive employees is counterproductive in an organization that values quality over quantity. It also creates a culture of mistrust. The purpose, motivations and measurement of performance and productivity need to change. The focus must shift to learning from the workforce; observing how employees interact with, utilize and leverage data, systems and machines; and employing that intelligence to consistently improve operational performance, investment strategies and employee development.

Why Legacy Monitoring Solutions Fall Short

To accurately measure productivity, improve security and protect employee privacy, you must first understand the shortcomings of legacy endpoint monitoring and log-file-based behavioral analytics solutions.

  1. Gathering and analyzing data: You may think that you can easily gather a lot of data for analysis, discover some findings and report on them, right? Unfortunately, no. The process is straightforward, but the mechanics present challenges. Collecting user data often involves overtaxing endpoints and the network and consequently impeding end-user productivity. Analysis of the captured data carries fears of data misuse and privacy infringement, not to mention wasted resources on false positives and “noise.”
  2. Managing access and perception: Arguably one of the tougher challenges of collecting user data and monitoring the workforce is the workforce’s perception of an organization’s motivation. When employees hear about monitoring, their initial impressions are negative. Changing those impressions requires openness and assurance that any data being collected is intended to protect individuals, sensitive data and the organization, and is handled in the most secure, private and respectful way possible.

Privacy will be the primary concern to alleviate. In addition to regulatory requirements, protecting employees’ privacy is crucial if you want to maintain healthy employee engagement and partnership.

Managing access to the collected data is another challenge to overcome. Information on individual employees should be anonymized and unmasked only on a strict “need to know” basis. Without due cause, no user activity or behavioral data should be available to users or administrators, even those with elevated privileges. Strict data access control with a clear, evidentiary quality audit trail will safeguard employee confidentiality.

Data minimization is a critical prerequisite to privacy. Invasive surveillance such as keystroke logging and screen capture, as well as the collection of user content such as emails and instant messages, is not required to detect insider risks and protect organizational data. Employees don’t want corporate IP leaked on purpose or by accident. Resistance to any monitoring is caused by poor communication about what is collected and how it is used. Organizational transparency about the technical details of secure collection and the protection of employee privacy can alleviate these concerns. Unmasking of any individual actions should always be proportional to the risk and limited to the smallest set of people possible.

  3. Watching rules, ignoring people: Many user activity and threat monitoring solutions simply provide alerts when a specific condition is met. For instance, a user may trigger a rule by plugging in a flash drive. The resulting alert speaks only to the act of a flash drive being plugged in.

People cause the activity, so people should be part of the context. When a trigger is met and an alert is sent, there should be some context behind it.
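The access model described above (records keyed by a pseudonym, unmasking only with due cause, and an evidentiary audit trail) can be sketched as follows. This is an added example, not code from the original post or from any DTEX product; the key, the role name `insider-risk-investigator`, the case IDs and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real key would live in a KMS/HSM, not in code.
PSEUDONYM_KEY = b"constructed-demo-key"
AUTHORIZED_ROLES = {"insider-risk-investigator"}  # hypothetical role name

def pseudonymize(user_id: str) -> str:
    """Keyed, deterministic token: events correlate without exposing identity."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def _link(prev: str, record: dict) -> str:
    """Hash that binds an audit record to the entry before it."""
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

class AuditLog:
    """Append-only log; editing any earlier entry breaks the hash chain."""
    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record, "hash": _link(prev, record)})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _link(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class IdentityVault:
    """Holds the token-to-identity mapping; every unmask attempt is audited."""
    def __init__(self, audit: AuditLog):
        self._map = {}
        self.audit = audit

    def register(self, user_id: str) -> str:
        token = pseudonymize(user_id)
        self._map[token] = user_id
        return token

    def unmask(self, token: str, requester: str, role: str, case_id: str) -> str:
        # Due cause = an authorized role AND a referenced case; admin rights alone fail.
        allowed = role in AUTHORIZED_ROLES and bool(case_id.strip())
        self.audit.append({"requester": requester, "role": role, "token": token,
                           "case_id": case_id, "granted": allowed})
        if not allowed:
            raise PermissionError("unmask requires an authorized role and an open case")
        return self._map[token]
```

Denied attempts are logged as well as granted ones, so the trail shows who tried to unmask a user and not only who succeeded.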

How to Monitor and Secure Employees the Right Way

For a solution to protect employees and prevent data loss, while not adversely impacting operational performance, it must benefit both the employer and the employee. Both should be provided protection and face accountability.

With a proper solution, the organization benefits from a decreased security risk profile from better monitoring and security controls. Operational efficiency can also be improved by providing insights on key performance indicators (KPIs) that can be correlated against actual productivity instead of simply measuring how much time an employee spends in an application or on their device.

A solution placing higher value on employees’ work and minimizing data collection engenders a higher commitment to the organization. Such a solution should accomplish its goals by protecting employee privacy and helping them do their jobs without becoming a burden or disruption.

A Look Ahead at Next Week

Next week, we’ll be diving into Workforce Cyber Intelligence 103: The Importance of Privacy by Design When Monitoring and Securing Employees in the Enterprise. Stay tuned for those insights! You can also download the entire Workforce Cyber Intelligence for Dummies book.

I’m looking forward to sharing more in next week’s post, which will provide more of an in-depth introduction to Workforce Cyber Intelligence.

Interested in learning more now? Feel free to reach out to me at [email protected], or follow us on LinkedIn or on Twitter at @DtexSystems to spark a conversation. We love hearing from you!