How you like me now?
Depending on your source, insider threat accounts for anywhere from 27% to 77% of all breaches. Despite the disagreement about the size of the problem, most security practitioners agree that insider threats are harder to identify than external threats, since insiders have legitimate access to, and legitimate use of, sensitive company resources.
Teams can use DLP, SIEM, or a variety of standard security tools to help identify anomalous behavior, and some companies prohibit any detachable media or forwarding of sensitive documents. Specialized tools for identifying keywords, phrases, or even linguistic clues within employees’ emails and instant messages can supply an added layer of detection for companies with sufficient resources or reason to believe a lookout for disgruntled employees is needed.
Many companies set the expectation with employees that devices or data used for company business are subject to search, and individuals’ actions must adhere to acceptable use policies. That said, few companies have the time to truly follow through and conduct comprehensive searches. Even when searches are automated, the semantics of computer/device shorthand make it difficult for security teams to decipher true user intent. Some companies claim their tools use sophisticated algorithms that improve the accuracy with which red flags can be spotted, but we’re still at TBD on whether or not insider threat can be predicted with precision or regularity. Many factors are in play when it comes to employee actions, and this only adds to the toil of stopping insiders before intentional damage is done.
I couldn’t do no wrong and now you need to know
If you’re in the “insider threat accounts for 77% of breaches” camp, then it’s probably worth the time and effort to amp up behavioral analysis and activity monitoring. If you’re in the 27% camp—especially if the organization hasn’t experienced any instances of intentional data theft or fraud—it may be worth considering the potential negative impact of this type of surveillance. Surveillance, in and of itself, is controversial. On a national level, Americans are split on whether or not the NSA’s surveillance programs are A-OK. Some of the split is due to the fact that FUD is being flung far and wide by governmental agencies, leading citizens to believe that surveillance is for their own physical protection. When it comes to the workplace, though, it’s a little more challenging to couch surveillance as “for your own good.”
Most of the searching and scouring can be done behind the scenes by the security team and without alerting employees directly that their information is being surveilled. All it takes is one incident, though, for word to get out and paranoia to spread throughout the office. No one relishes being treated like a suspect, and if employees feel like their every move, every action is being recorded and scrutinized, it could lead to a decrease in productivity, valued employees exiting the company precipitously, or even attempts at workarounds to evade the system or “revenge” against a perceived system of injustice. None of which are good news.
Oh no, would you see right through me?
This is not to say that organizations shouldn’t use best efforts to protect company assets. Protecting assets is security’s business, after all. However, security teams may want to assess the risks (and liability) associated with high levels of surveillance before beginning a full-throttle campaign to search employees’ emails and IMs for potential indicators of disgruntlement, which may (or may not) indicate intent to commit theft or fraud.
With any new tool, technology, or policy implemented for the security of the organization, it’s important to remember that there are pros and cons. Don’t forget that employees are assets too. If employees feel overly and unnecessarily monitored, it could actually inspire adverse reactions. Rather than jumping on the bandwagon or spending precious dollars on the blinkiest new tool, consider your organization’s current risk posture and then see if extra employee monitoring is worth your time and effort.