TL;DR:
The steps organizations can take to defend sensitive data against external threats and malicious insiders are similar, even complementary. In both cases, teams are looking for activities that could put data at risk. From a defender’s viewpoint, it doesn’t matter if the threat actor is an employee, partner, or hacker posing as a legitimate user.
However, an additional factor comes into play when monitoring for insider threats. One that can get organizations into trouble if it isn’t addressed correctly is bias.
Monitoring bias is the unwarranted, selective attention to specific employees or departments regardless of their actual behavior. This can lead to unfair judgments and assumptions about an individual's trustworthiness and more intrusive monitoring than necessary. It can also lead to breaches when certain people are given a free pass for activity that might otherwise raise a red flag.
Monitoring bias can impact how organizations assess insider risks, leading to inconsistencies and inaccuracies in identifying potential threats. Monitoring bias can manifest itself in several ways:
Monitoring bias can be manifested in many ways |
This type of discrimination can also cause teams to overlook risky activity from other people or groups. According to a paper by the non-profit Intelligence and National Security Alliance, unjustified monitoring of an individual because of bias can lead to:
Legacy Data Data Loss Prevention and Insider Risk Management solutions were designed for a time when employees worked inside the corporate firewall, and all applications ran locally. They leverage intrusive techniques such as keystroke logging, screen recording, and web monitoring to view and log the actions of individual users. The ability to monitor individuals and ascribe specific activities, including website visits, personal email, and “time on task,” encourages bias and tends to miss the bigger picture of data protection while attempting to focus on productivity.
Bias requires the ability to attribute individual actions to individual employees. A better approach is to identify activities with sensitive data that could put regulated data, trade secrets, and other intellectual property at risk.
Reveal takes a different approach. Reveal watches each user’s activity with sensitive data – not their identity – to build a training baseline and then detect anomalous behavior if it deviates outside the usual pattern. This data-driven approach relies on analytics to identify potential insider risk indicators rather than solely relying on subjective assessments.
Reveal uses pseudonymization to detect and mitigate threats without compromising users' privacy and prevent bias in monitoring users’ activities. Reveal employs data security techniques, allowing you to control whether operators see users' actual or pseudonymized profiles in the Reveal UI. With pseudonymized user profiles, identifying information is either replaced with pseudonyms or hidden, giving operators the information required to uncover risks while maintaining the strict confidentiality of users.
When suspicious activity justifies a deeper investigation, authorized users can request a “scoped investigation” of a user. Scoped Investigations empower organizations to meet employee privacy expectations and comply with information security regulations by limiting the information accessible to security analysts for forensic analysis by default. Scoped Investigations grants time-bound, revocable, and audited data access to only allow comprehensive investigations by authorized personnel.
By separating individual identities from specific actions, bias is eliminated. This allows Reveal to provide clear and objective criteria for monitoring and risk assessment based on job roles and access privileges rather than personal judgments or assumptions. By addressing monitoring bias, whether intentional or unintentional, organizations can enhance their ability to identify and manage insider risks effectively while maintaining a fair and trusted work environment.
Let the team at Next show you what an unbiased investigation can yield, get a demo and learn how your security team can focus on threats.