The Massachusetts Air National Guardsman recently indicted on suspicion of posting classified documents online is among the most dramatic examples of a malicious insider breach, but many security lapses caused by insiders are inadvertent, the result of poor training, a misunderstanding of rules or best practices, or exploitation by an external bad actor.
If an agency hopes to reduce cyber risk and protect its sensitive information, it needs to guard against all types of insider threats. Fortunately, effective tools and strategies can help uncover risky insider behavior, gain an accurate picture of insider risk and strengthen cyber posture.
Just as important, agencies can achieve those goals without compromising employees’ privacy or making them feel like they’re under surveillance.
Quantify Insider Risk and Flag Risky Users
Protecting an agency against insider threats starts with understanding how employees behave on their devices and across the organization’s applications and networks. The most effective way of achieving that goal is through two purpose-built technologies: user activity monitoring (UAM) and behavioral analytics.
A UAM solution tracks digital activity such as user logins, system access and data transfers. It then flags unusual or risky behavior on a dashboard or in a report to security analysts. Combined with other relevant data, UAM can help the security team understand employee behavior — including motivation and intent — that could indicate insider risk.
UAM doesn’t just point to potential issues directly caused by employees. It can also reveal security policies or technology limitations that increase an agency’s risk.
For instance, agency systems might be designed to prevent users from downloading large files. But if users need those files to do their jobs, they could try to circumvent policy and transfer the data from one system to another in a way that puts the information at risk of exposure.
UAM can be augmented by behavioral analytics to achieve an even clearer picture of risk. A behavioral analytics solution establishes a baseline of each employee’s typical digital behavior and assigns an associated risk score. The solution updates the risk score in real time as employee behavior changes.
An employee who uses the network during business hours and accesses only files associated with their role would have a low risk score. If that user suddenly began logging on after hours and trying to access files from another department, their risk score would rise.
Security analysts could then investigate whether the worker had a legitimate reason for the change in behavior. If they determined that the behavior wasn’t malicious, the user’s risk score would revert to the baseline.
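The baseline-and-score cycle described above, as an added example that is not taken from any UAM product. The weights, alert threshold, event fields and user ID are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical weights and threshold; a real program tunes these with its stakeholders.
AFTER_HOURS_WEIGHT = 30
CROSS_DEPT_WEIGHT = 40
ALERT_THRESHOLD = 60

@dataclass
class Profile:
    hours: set = field(default_factory=set)        # hours of day seen in the baseline
    departments: set = field(default_factory=set)  # data owners accessed in the baseline
    score: int = 0                                 # 0 means "at baseline"
    reasons: list = field(default_factory=list)    # context shown to the analyst

def build_baselines(history):
    """Learn typical behavior from (user, hour, department) events in a reference period."""
    profiles = {}
    for user, hour, dept in history:
        p = profiles.setdefault(user, Profile())
        p.hours.add(hour)
        p.departments.add(dept)
    return profiles

def observe(profiles, event):
    """Update the risk score for one new event; True means it needs analyst review."""
    user, hour, dept = event
    p = profiles.setdefault(user, Profile())  # no baseline yet: every department is new
    if p.hours and not min(p.hours) <= hour <= max(p.hours):
        p.score += AFTER_HOURS_WEIGHT
        p.reasons.append(f"activity at {hour:02d}:00 is outside baseline hours")
    if dept not in p.departments:
        p.score += CROSS_DEPT_WEIGHT
        p.reasons.append(f"access to {dept} data not seen in baseline")
    p.score = min(p.score, 100)
    return p.score >= ALERT_THRESHOLD

def clear(profiles, user):
    """Analyst found a legitimate reason: the score reverts to baseline."""
    profiles[user].score = 0
    profiles[user].reasons.clear()

# Constructed sample events; the user ID is an opaque pseudonym, not a name.
HISTORY = [("u-1042", h, "finance") for h in range(9, 18)]
NEW_EVENTS = [("u-1042", 10, "finance"), ("u-1042", 23, "hr")]

def demo():
    profiles = build_baselines(HISTORY)
    flags = [observe(profiles, e) for e in NEW_EVENTS]
    return flags, profiles["u-1042"].score
```
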
Effective UAM Has Guardrails Protecting Employee Privacy
Of course, the purpose of UAM and behavioral analytics isn’t to spy on users or monitor their productivity. Rather, it’s to understand anomalous user behavior to quantify an agency’s cyber risk. It also helps security analysts to quickly rule out false positives so they can focus their attention on actual issues.
With that in mind, an effective UAM solution will implement guardrails that protect employee privacy and keep personal information safe. It’s not an app an agency downloads and simply turns on. Instead, it’s a tool meant to be deployed as part of a comprehensive insider risk program, with governance and oversight that ensure it’s being used as intended.
An agency should plan for and deploy UAM with input from human resources, legal, and governance, risk and compliance staff. Cybersecurity and IT teams should collaborate with those stakeholders to set policies about which digital activity they’ll track and which associated data they’ll capture.
An agency might capture logins to agency systems and access to agency data but not monitor logins to external websites, such as personal social media and bank accounts. Similarly, security analysts should have permission to view digital behavior data but not the ability to see employee personal information. Any data the system captures, such as system access logs, should be encrypted so that sensitive data can’t be exposed.
Agency employees should be fully informed about the insider risk program. They should understand what behavior it will track and what data it will capture, as well as how it will protect their privacy.
Consider awareness training sessions and high-level demos so that workers feel there’s complete transparency. That will improve their willingness to buy into the program. Make sure they recognize how UAM and behavioral analytics can benefit them directly; for example, by helping to protect their personally identifiable information in HR files.
Government organizations will remain targets of cyberattacks. They’ll also continue to grapple with insider cyber risk, both from malicious activity and from well-meaning team members who inadvertently engage in risky behavior. But with effective use of UAM and behavioral analytics, agencies can quantify their insider risk and reduce the incidence of data breaches — all while protecting their employees’ privacy.