Insider Threats – Trust But Verify

[Image: employee copying files]

What you don’t know your employees are doing behind your back can destroy your business. Enter predictive insider risk management tools.

We all want to trust our staff. After all, we went through a long and expensive process to hire them, get them up to speed, and set them on the path to achieving our aligned goals.

What happens when those goals start to diverge though? What happens when an employee decides to jump ship for higher pay or a change of scenery? It would be ideal if when that happens, and there is no denying that it will happen, both parties leave feeling sad for the loss and optimistic about the future. That sometimes isn’t the reality though.

When I was a young guy, maybe 8 or 9, I would go visit my dad at work on occasion. This was always a great time. I loved the noise and smells of the machinery in the plant, and the nice receptionist lady that always gave me a candy. That lady and some other staff would come to dinners at our home on occasion. They sometimes attended family outings. It was very much a family business and they were very much part of the family. It wasn’t until my early twenties, when I saw the nice candy lady being escorted off the property in handcuffs, that I understood that no matter how much you trust your staff, you cannot turn a blind eye and hope for the best. It turns out that she used my family’s trust to embezzle hundreds of thousands of dollars over the years. I never found out why she stole from us. I only remember the betrayal and the deep sadness of my dad and grandparents, who had started the company in the ’50s with the intention of building something with integrity that would sustain our family for generations.

The old adage of ‘trust but verify’ is very relevant in today’s computing age. It is an old Russian proverb that was adopted into English during the nuclear disarmament of the ’80s. It describes the ability of potential adversaries to find common ground and use a third party to mediate and verify that each party is living up to its agreed-upon obligations. During the Cold War this meant that both the US and Russia would deprovision their nuclear arsenals to some degree in order to de-escalate the growing conflict. They used the UN to inspect nuclear facilities to make sure that both parties were doing what they agreed to do.

In a business setting, it isn’t quite as tense a situation, but the concept can be scaled down. The ‘third party’ in a business setting is the set of tools that use AI and predictive analytics to discern whether anomalous behaviour is occurring. A common approach to this ‘risk-based detection’ is to look for situations that don’t match up with what an employee’s predictive model suggests they should be doing.

E.g. They send, on average, 100 emails per day, but on Friday of last week they sent 1000 messages to a single recipient. The AI might flag this odd behaviour and suggest that the employee may be exfiltrating data. You’d receive an alert and get an opportunity to investigate the situation before it becomes a lawsuit or, worse, a criminal proceeding.

Here are a few things that can be done with these insider threat detection tools.

Functions of predictive Insider Risk Management tools:

  • Alert you and stop potential data theft from departing employees
  • Alert you and prevent data leaks of your intellectual property
  • Alert you and block offensive language in either internal or external communications
  • Alert you and block compliance policy violations (for example, prevent sending or accepting credit card, SIN or health card numbers via email)

The actions employees take are measured against predefined policy templates and the IRM platform acts based on the settings you specify.

E.g. If a user copies more than 20 files to a USB thumb drive, raise an alert to investigate. If they copy 100 files, lock their account. Or, instead of immediately locking their account, you may wish to enable litigation hold on their email account in order to dive deeper into what they may be doing and prevent them from hiding evidence if they are playing a long game.

E.g. They plan to leave in 6 months’ time after taking as much as they can get away with over that 6-month period. Litigation hold will retain everything they do with their email account regardless of what they see. They could empty their deleted items every day, and while Office 365 can recover this for 30 days, beyond that it cannot. With litigation hold, they would see their deleted items as empty, but everything would be preserved.
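To make the two policies above concrete, here is a small added example (not code from the original post or from any IRM product) that encodes the email-baseline anomaly from earlier and the USB copy thresholds from this section as plain rules and runs them over constructed sample activity; the baseline window, the 5x ratio and the single-recipient share are assumptions, not settings from the post.

```python
# Added example: minimal rule logic for the two insider-risk detections the post
# describes. Sample data is constructed; thresholds marked "assumed" are ours.
from collections import Counter
from statistics import mean

# Constructed sample: one user's outbound email count per day over an assumed
# ten-day baseline window (the post's "on average, 100 emails per day").
BASELINE_DAYS = [98, 104, 95, 110, 101, 99, 97, 103, 100, 93]

# Constructed sample: messages sent on the day under review, tallied per recipient
# (the post's "1000 messages to a single recipient").
TODAY_BY_RECIPIENT = Counter({"external@example.net": 1000,
                              "colleague@example.com": 12})


def email_anomaly(baseline_days, today_by_recipient, ratio=5.0, single_share=0.8):
    """Return the reasons a day looks anomalous against the user's own baseline.

    Flags when the day's volume is `ratio` times the baseline mean, or when one
    recipient received at least `single_share` of all mail (both assumed values).
    """
    avg = mean(baseline_days)
    total = sum(today_by_recipient.values())
    reasons = []
    if total >= ratio * avg:
        reasons.append(f"volume {total} vs baseline ~{avg:.0f}/day")
    if total:
        top_rcpt, top_n = today_by_recipient.most_common(1)[0]
        if top_n / total >= single_share:
            reasons.append(f"{top_n} of {total} messages went to {top_rcpt}")
    return reasons


def usb_copy_action(file_count, alert_at=20, lock_at=100, prefer_hold=False):
    """Apply the post's USB policy: more than 20 files copied -> alert; 100 or
    more -> lock the account, or place the mailbox on litigation hold instead
    when the investigator prefers to preserve evidence quietly."""
    if file_count >= lock_at:
        return "litigation_hold" if prefer_hold else "lock_account"
    if file_count > alert_at:
        return "alert"
    return "none"


if __name__ == "__main__":
    for reason in email_anomaly(BASELINE_DAYS, TODAY_BY_RECIPIENT):
        print("email anomaly:", reason)
    for copied in (15, 25, 120):
        print(f"{copied} files to USB -> {usb_copy_action(copied, prefer_hold=True)}")
```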

This and similar services are included in our managed services packages. Please reach out if you’d like to learn more.
