The risk from malicious insiders has long been top-of-mind among security professionals. More recently it has grabbed the attention of executive teams and board members. Addressing the risk is more complicated. Employees, vendors, and partners require access to sensitive information, and heavy-handed approaches that rely on complicated, static rules can frustrate users. This hampers productivity and leads users to search for workarounds that can also put data at risk.
We recently released an e-book comparing two distinct approaches: Insider Risk Management and Insider Threat Surveillance. The former is represented by DTEX InTERCEPT and the latter by Proofpoint ITM (formerly ObserveIT). The approaches share common goals of preventing data loss, detecting insider threats, accelerating incident response, and maintaining compliance.
The last goal—maintaining compliance—is increasingly important to organizations. Most think of this as consumer privacy covered by regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). But even without compliance requirements, organizations need to be conscious of protecting employee privacy, especially when it comes to understanding insider risks.
The Human Element
While these requirements are obviously critical, organizations also need to keep innovating while protecting the privacy of employees. Today’s marketplace requires organizations to adapt quickly to changing customer requirements and competitive pressure. This calls for an insider risk solution that combines the best strategies from several approaches: data loss prevention rules for known bad behavior; machine learning and behavior analytics, based on better data, to identify malicious intent; and a privacy-first approach to employee monitoring that protects employees and is applied in a proportional manner.
Insider Risk Management (IRM) views the employee as a source of intelligence rather than a subject of surveillance. It effectively flips a model of invasive monitoring to one that anonymizes user intelligence and collects only the minimum metadata necessary to build a forensic audit trail, with full respect for an employee’s fundamental right to privacy. File scanning, Email/Web/Messaging application content capture, keystroke logging, and screen recording are not necessary for effective security with a metadata collection model. IRM goes beyond compliance requirements, prioritizing employee privacy, while still enabling worker productivity.
Insider Threat Surveillance technologies have not only employed invasive content inspection, keystroke logging, and video capture capabilities but have also often collected more data than necessary for their stated purpose. This creates unnecessary employee privacy issues, as well as significant costs associated with excess data storage and processing. In some countries it may be illegal to monitor employees (or to use evidence from monitoring) to reprimand or dismiss an employee unless an Acceptable Use Policy has been well communicated to staff. In countries with well-established data protection laws, organizations must provide information about the processing of personal data, including what type of data is collected, who has access to the data, and under what circumstances monitoring may occur.
In future posts we will examine 7 core considerations and capabilities that differentiate Insider Threat Surveillance technology from Insider Risk Intelligence & Management platforms, including:
- Privacy
- Scalability
- Behavioral analytics
- Reporting
- Time-to-value
- Ecosystem integration
- Total cost of ownership