It has become more critical than ever that commercial enterprises and government organizations evolve their employee monitoring and insider threat management approaches and mindsets.
Enterprise workforces are increasingly taking a more active role in understanding how their data is being collected and stored, and where invasions of their personal privacy might exist as digital transformation accelerates. While there is a growing understanding of, and comfort level with, the need for employers to monitor in order to prevent security incidents and data breaches and to support operational readiness and efficiency, there’s also an increasing intolerance for unnecessary or unwarranted invasions of privacy. And this shift in mindset is having widespread effects across the enterprise - from human resources to company culture, from workforce safety to data security, and of course, employee monitoring.
A recent piece of research from Gartner notes that while employee monitoring is not a new discipline, the global COVID-19 pandemic has pushed substantially more employees to work remotely at very short notice and exacerbated an already hastened interest in both employee monitoring and insider threat management solutions. The same research notes that employee monitoring for the purpose of improving productivity can quickly create ethical challenges and a toxic work culture that leads to employees trying to evade the use of the solutions.
THE SIX PRINCIPLES OF WORKFORCE CYBER INTELLIGENCE
RESPECT FOR EMPLOYEE PRIVACY BY DESIGN
The good news is that there is a wide range of user-centric, behavior-based technologies now available that make it entirely possible for organizations to gain full visibility without invading employee privacy (or impeding productivity, performance, or efficiency). And the investment in these technologies can go a long way in alleviating angst at a time when monitoring is a sticky topic among employees.
Since American companies generally aren’t required by law to disclose how they monitor employees using company-issued devices, the best-case scenario in most workplace environments today is including a catch-all clause in employment contracts. This ambiguity, along with the concept of self-policing, has allowed organizations to treat the privacy and protection of employees as an afterthought (at best). And it has opened the doors for employer manipulation and abuses of power, overreaching and overstepping without much consequence.
But with the emergence of the General Data Protection Regulation (GDPR) and similar regulations in other geographies, it’s quickly becoming evident that any global business hoping to sustain and thrive must adopt the mindset that views privacy as a ‘fundamental right of every human being.’ This is necessary not only to avoid considerable penalties, but also to be competitive in attracting and retaining skilled, talented employees.
It is also worth noting that all signs point to additional regulation and compliance requirements coming, both to the US and across the globe, and the emphasis on employee personal data protection should have all businesses paying attention. The recently passed California Consumer Privacy Act of 2018 gives Californians more control over the use of their personal information to protect their fundamental right to privacy, and imposes new data collection requirements and prohibitions on businesses.
So, how do we identify and deploy solutions designed with privacy in mind? There must be complete visibility into employee behavior and the ability to generate a high-fidelity signal into where suspicious behavior or activity is taking place. The ability to be reliably and immediately informed when an employee or device may be compromised means it is no longer necessary to try to see and capture everything... just what is deemed a potential risk.
There has also been significant innovation in capabilities like data anonymization, which can keep a user’s identity hidden until suspicious activity is detected. This not only helps address employee privacy concerns, but also provides a layer of protection at a time when behavioral data is increasingly being labeled as sensitive, personally identifiable information.
64 percent of Americans say they would be comfortable with their employer monitoring their digital activities on work-issued devices if it was for security purposes and the data was anonymized.
(Dtex / Harris Poll)
A LAYERED APPROACH SPANNING PREVENTION, DETECTION, MITIGATION, AND INVESTIGATION
A FOCUS ON RESTRICTION AND INVESTIGATION, IN HOPES OF PREVENTION
The sheer volume of threats, both internal and external, has rendered prevention-centric approaches to security unsustainable. And with the increasingly diverse and sophisticated tools of today’s bad actors allowing them to stealthily evade detection and steal corporate data, organizations can no longer afford to take a purely reactive approach either.
Traditional employee monitoring solutions are notorious for their heavy footprint - generating excessive amounts of data and requiring a significant investment in people and resources to analyze it before it can be acted upon. Without sufficient resources or infrastructure to support them, organizations have been forced to resort to an investigative, forensics-only style of security - piecing together events after a threat, compromise, or data breach has been identified. Once an investigation is completed, punishment or restriction is used in hopes of preventing future occurrences.
The security of an organization's data is directly dependent on the security and protection of its users. It’s unreasonable to expect to minimize insider-related incidents without a layered approach, encompassing prevention and detection as well as mitigation and response – and without equal investment in both technology and human-readiness.
Empowering employees with consistent and comprehensive education is an absolute must, given the volatility and sophistication of today’s threat landscape, as is equipping them with the tools needed to build responsible security habits.
But, even in the best-case scenario – with a commitment to employee education and training, and high levels of employee awareness – human behaviors will eventually put an organization at risk. This further emphasizes the need to have a continuous monitoring system in place that delivers unobstructed, real-time visibility into user behavior.
80% of organizations don’t measure the success of security awareness training and cyber hygiene programs. (Thycotic, The 2017 State of Cybersecurity Metrics Report)
APPLYING BEHAVIORAL CONTEXT, MACHINE LEARNING & ACTIONABLE INTELLIGENCE
BUILDING RULES TO ALERT ON EVERY POTENTIALLY RISKY BEHAVIOR AND EVENT
While the visibility and information provided by traditional monitoring solutions are essential, it’s critical – and now entirely possible - to go a step beyond that. Visibility, in order to truly be effective, needs to be enriched with intelligence and powered by technologies that are capable of continuously learning and self-tuning.
Legacy employee monitoring tools use a rule-based model, where behaviors or events are labeled ‘good’ or ‘bad’ and alerts are generated accordingly (when potentially ‘bad’ activity is detected). But what we once thought of as black and white has become shades of grey, thanks to the human element - and what presents as risky or suspicious activity for one person does not necessarily represent suspicious activity for another.
With so many variables to contend with, it is essentially impossible for the average organization to develop a rule for all potentially risky scenarios. But because rule-based solutions are only as intelligent as the information being fed into them, they rely completely on the humans who manage them to tell them what to look for.
For many analysts with limited bandwidth, this makes it necessary to cast a wide net – generating potentially hundreds, if not thousands, of alerts that require a manual review to verify if a bona fide threat exists. This has resulted in a constant state of information overload.
The ability to write rules and policies tailored to our specific needs and environments is absolutely necessary, and the best way to generate immediate value from any monitoring solution. But if alerts and indicators are designed based only on known and available information, without seeking out additional context or intelligence, there will inevitably be things that fall through the cracks. And the simple fact is that if we don’t know it presents a risk, we won’t know to look for it.
For a monitoring solution to truly have value, it needs to be equipped to understand behavioral context, establish a baseline of normal behavior, and apply advanced analytics and machine-learning to determine if an event or behavior is abnormal. With better anomaly detection comes higher-quality alerts - and reliable, actionable intelligence.
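The contrast drawn above between a fixed rule and a per-user baseline, combined with the anonymize-until-flagged idea from the privacy principle, as an added example (not code from any product this paper describes). The key, thresholds, user names and upload figures are constructed assumptions.

```python
import hashlib
import hmac
import statistics

KEY = b"constructed-demo-key"  # assumption: held by a privacy officer, not analysts
STATIC_LIMIT_MB = 500           # assumption: legacy one-size-fits-all rule
Z_LIMIT = 3.0                   # assumption: deviation treated as abnormal

def pseudonym(user: str) -> str:
    """Keyed hash: analysts see a stable token instead of a name."""
    return hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()[:12]

# Constructed sample data: daily upload volume in MB; the last value is "today".
RAW = {
    "backup.admin": [790, 810, 805, 795, 800, 815, 790, 805],
    "accounts.clerk": [4, 6, 5, 5, 7, 4, 6, 300],
    "sales.rep": [40, 55, 35, 60, 45, 50, 38, 52],
}
EVENTS = {pseudonym(u): v for u, v in RAW.items()}  # the only view analysts get
VAULT = {pseudonym(u): u for u in RAW}              # stored separately, access-controlled

def static_rule(events):
    """Rule-based model: the same threshold for every user."""
    return sorted(p for p, v in events.items() if v[-1] > STATIC_LIMIT_MB)

def baseline_rule(events):
    """Behavioral model: compare today with that user's own history."""
    flagged = []
    for p, v in events.items():
        history, today = v[:-1], v[-1]
        mean = statistics.mean(history)
        spread = statistics.stdev(history) or 1.0  # guard against a flat history
        if (today - mean) / spread > Z_LIMIT:
            flagged.append(p)
    return sorted(flagged)

def reveal(flagged):
    """Re-identify only the pseudonyms an alert actually fired for."""
    return sorted(VAULT[p] for p in flagged)

if __name__ == "__main__":
    print("static rule flags  :", reveal(static_rule(EVENTS)))
    print("baseline rule flags:", reveal(baseline_rule(EVENTS)))
```

The static rule alerts on the administrator whose large transfers are routine and misses the clerk whose volume jumped far outside their own norm; the baseline does the reverse, and only that one identity is ever unmasked.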
PRIORITIZING CONSISTENT AND ENTERPRISE-WIDE VISIBILITY
MONITORING OF ALL USERS
The reality is that all users are equally capable of putting the business at risk - whether that’s falling prey to malicious actors and their social engineering tactics or engaging in negligent behavior.
But, the heavy footprint of traditional monitoring solutions has largely limited the number of employees that organizations are able to monitor and, in turn, has inhibited their ability to deploy at scale. As a result, many security teams have narrowed their focus, and visibility, to include only their most privileged users.
It’s certainly true that with increased access to systems and data comes increased vulnerability and potential for devastation. As with non-privileged users, it’s imperative that privileged users don’t become exceptions-to-the-rule or security blind spots – especially as they have become a target for manipulation and exploitation with the GDPR coming into effect.
More than 60 percent of insider incidents are the result of user negligence. (Ponemon Institute, 2018 Cost of Insider Threats Report)
But, the bottom line is that every user is vulnerable.
A common pattern seen in many high-profile cyber-attacks - including the Australian Government, Twitter, Yahoo, SWIFT and the Bangladesh Bank, the U.S. Office of Personnel Management (OPM), and many more - begins with a targeted social engineering or phishing attack on a ‘semi-privileged and unsuspecting employee.’ Once the attacker has successfully stolen the employee’s credentials, they are able to compromise an employee’s workstation with malware and use privileged credentials harvested from the compromised workstation to expand their attack to other assets within the enterprise.
The success of cybercriminals leveraging privileged credentials is directly related to their ability to move laterally, and subsequently escalate privileges or exfiltrate data, without raising red flags. This means it’s critical to choose advanced, behavior-based solutions – which are the only ones capable of recognizing and flagging when someone with seemingly legitimate access is engaging in inappropriate or potentially harmful activity.
Only 35 percent of organizations have complete visibility into which insiders have privileged access. (Bomgar, Privileged Access Threat Report 2018)
It is equally critical for organizations to understand the number of employees with privileged access and apply real-time visibility across all users and environments, regardless of designation of privilege. And this visibility needs to be delivered via technologies that have proven to be scalable, with the ability to grow and adapt as the needs of the business grow.
OPEN, TRANSPARENT MONITORING APPROACHES AND POLICIES
MONITORING APPROACHES ROOTED IN SECRECY AND AMBIGUITY
Companies run the risk of weakening their first and last line of defense if they aren’t transparent about how and why they're monitoring employees. The traditional belief is that effective security requires the use of secrecy or the element of surprise - but in a new world that values trust and open communication, this approach is both flawed and potentially dangerous.
A transparency-led environment, built on mutual trust and open communication, is much more likely to make well-intentioned employees feel more comfortable and empowered. On the flip side, those wishing to engage in malicious activity will have a much harder time finding dark corners to hide or lurk in.
And whether careless or malicious, risky employee behaviors have a much better chance of being addressed before resulting in potentially devastating consequences.
There’s also research that shows transparency of information can ‘breed self-correcting behavior,’ which supports the theory that people are more likely to be at their best when they know they’re being held accountable. The employees who understand what monitoring technologies and practices are in place, and how their employers generate and use data, will ultimately be in a better position to understand what types of online activities and behaviors are potentially harmful.
77 percent of employed Americans say they would be less concerned with their employer monitoring their digital activity on personal or work-issued devices they use to conduct work, as long as they are transparent about it and let them know up front.
EMPLOYEES ARE EMPOWERED TO REMAIN GREATEST ASSETS
THE WORKFORCE IS IMMEDIATELY ESTABLISHED AS GREATEST VULNERABILITIES
It’s been established that having the right systems in place – those that deliver full visibility, use lightweight data collection, and have proven themselves to be scalable - is essential. And yet, the traditional monitoring solutions deployed across the enterprise have not only impeded the speed and reliability of corporate networks, but also employee access and efficiency.
While the technical limitations of heavy monitoring solutions are certainly to blame, so are the ‘Zero Trust’ methodology and framework embraced alongside them. Centered on blocking or severely restricting access to resources and applications, this approach has actually raised our risk levels in many cases - leading users to engage in risky or irresponsible behaviors simply because they are unable to complete an essential or urgent task.
With the right technologies in place and the capabilities needed to continuously monitor risky behavior, it becomes truly possible to extend trust and allow employees to move more freely. This type of environment is likely to leave them feeling not only more empowered and accomplished, but also better equipped to make responsible security decisions.
The bottom line: yesterday’s employee monitoring approaches and technologies do not work for today’s modern and distributed workforce model.
Today’s solutions must provide complete visibility into everything users do on their work devices and be capable of generating intelligence, shining a spotlight on suspicious behavior, and filtering out all the noise. And they must be scalable enough to be deployed enterprise-wide without negative impact to network performance.
Just as importantly, these programs need to be built on transparency, with the utmost respect for personal privacy and data protection. And mutual trust - between companies and their employees, as well as contractors, partners or customers - must be at the core of any program or initiative that requires visibility into behavior or the capture and collection of data.