Insider Threat Management

Activity Monitoring Software & The Law

Former Employee Arrested for Taking Customer’s Identity! Former Bank Employee Arrested for Stealing from Customer’s Account! The headlines are rolling in almost daily, as employees are being arrested for Insider Threat offenses. As such, CISOs are increasingly realizing the importance of getting ahead of the problem by developing a comprehensive Insider Threat Management Program. As any effective CISO knows, user activity monitoring, complete with video recording and playback, is an absolute must-have in your arsenal of insider threat mitigation tools. Anyone who has ever spent hours or days sifting through logs to figure out who is elevating user privileges, who inserted a USB drive, or why a server went down can understand why a simple video playback would help you save time and money, and why the visibility that video playback gives into what someone did (and the irrefutable proof it provides for an investigation) can no longer be underestimated.

As security teams figure out how to add user activity monitoring to their Insider Threat Management Program, they may wrestle with questions about whom to monitor and when to monitor them. They may even wonder about the legal implications. To answer some of these questions, Proofpoint turned to an expert.

Shawn M. Thompson, a leading Insider Threat Prosecutor, explains: “A typical business may have several different groups of users on their network at any given time. Beyond employees, groups including contractors, service providers, third party partners, etc. may have access to a corporate network. Monitoring is, however, not limited only to employees. Businesses are allowed to monitor for legitimate business purposes and this standard does not otherwise confine them to certain groups. The answer does, however, depend on ownership of the device or network or upon any governing SLAs that may exist between the user and the monitoring entity. Simply put, if the monitoring entity owns the network or device that it seeks to monitor, monitoring of any individual storing information on or otherwise traversing the corporate-owned devices or networks, will be allowable.”

According to Mr. Thompson, here are the top legal implications to consider when implementing the User Activity Monitoring aspect of an Insider Threat Program:

  • When choosing whom to monitor, from a legal point of view, it is better to monitor all users rather than a subset of users (for example, only Privileged Users) in order to avoid discrimination. When choosing to monitor a subset of users, a clear policy should be documented with a defined business justification behind it.
  • Policies are vital – employees must understand the boundaries about what the company will and will not monitor. In most states in the U.S., user activity monitoring does not require user consent; however, obtaining it is advised in case legislation changes. More importantly, transparency with your employees and enforcement of policies will help create a culture that’s conducive to the overall security of your organization.
  • Be mindful of how the data collected through employee monitoring is being used. A company can collect almost any information about the user within the workplace as long as it can safeguard that data through encryption or obfuscation. A Compliance Program should be established, with access to the Employee data limited to a few key company officers.
  • Finally, Employee Monitoring is essential to properly mitigate insider threats, but ensure the monitoring is for legitimate business needs only. Through discoverability, enforceability and usability, an organization should collect as much information as it can in order to have forensic information in case of a breach.

Now that you know the legal implications of monitoring employees, you may want to know a bit more about how activity monitoring with Proofpoint ITM can help you.

1)  Change Behavior: We continuously monitor user behavior and warn end users in real time via on-screen notifications about behavior that puts the business at risk. Proofpoint ITM reduces the number of security incidents resulting from unintentional or malicious behavior by more than 50%.

2)  Precise Visibility: Proofpoint ITM generates video playback and unique user activity logs for any application, whether custom, commercial, or legacy, including those that do not have internal logs or only have debug logs. With full visibility into any user action within apps, Proofpoint ITM is able to precisely detect out-of-policy behavior.

3)  Faster Investigations: While it seems many of these insider threats are being caught every day, a lot of them are not caught for years, because Activity Monitoring is not a part of the company’s cybersecurity plan. With full screen capture of any policy violation, you’ll go from hours of investigating by sifting through logs to watching a video replay of every incident in your environment. This reduces end-to-end investigations to under 10 minutes per incident.

4)  Compliance: With Proofpoint ITM, security teams are able to monitor employees, but also vendors, contractors and third-party partners. Proofpoint ITM not only complies with the standard of law for Activity Monitoring, but it meets monitoring requirements for PCI, SOX, HIPAA, NERC, FFIEC, FISMA, and FERPA.

With this in mind, get a jump-start on developing an Insider Threat Program with a User Activity Monitoring solution like Proofpoint ITM. Download your 15-day FREE trial of Proofpoint's Insider Threat software now.
