Protecting against malicious outsider attacks is the main focus for most cybersecurity teams, but it is critical not to overlook or underestimate the threat from those who already have access. Ex-employees are responsible for 13% of cybersecurity incidents, and human error is blamed for a large share of data breaches.
In 2020, organizations spent a mighty £2.9m recovering from security incidents. This vast sum (money that should have gone to the bottom line instead) only reinforces the truth about cybersecurity: it is not if a breach happens, but when.
Now we can see why that recovery figure is so high. Employees, contractors and third parties with legitimate, direct access to sensitive data leave little that looks like an attack: their actions, malicious or not, are often indistinguishable from normal work, which makes them harder both to detect and to learn from. The financial and opportunity costs of remediating an internal breach are significant, from reassigning or hiring the people to fix it to the real effects on the bottom line and on productivity. The 2018 Morrisons case is also instructive: the Court of Appeal held the organization vicariously liable for a data breach committed by a disgruntled employee seeking revenge. The UK Supreme Court overturned that ruling in 2020, finding that the employee had been acting on his own rather than in the course of his employment, but years of litigation over the acts of one insider show how exposed an organization can be to the people it has already let in.
To protect your business, and to understand what constitutes normal and abnormal behavior in your own environment, an Irregular Behaviour Detection (IBD) service is an essential, proactive control.
Baselining: Defining normal behavior
A baseline is a reference point for normal IT activity, making it easier to identify the anomalies that could be security threats. Baselining should cover everything in the IT environment: users, network traffic, devices and application access patterns.
When building the baseline, context is vital for faster and more accurate analysis of irregular behavior. Likelihood is a good place to start: if something happens regularly for a given user, device or application, it is less likely to be a threat. Remember the caveats, though. A behavior can be regular and still be wrong (a contractor who has exported customer data every Friday since day one), and a baseline captured while an intruder or insider is already active will record their activity as normal.
Irregular behaviour
With a rich, contextual baseline, irregular behavior is easier to spot. Some examples of irregular user behavior are:
- Downloading harmful files
- Visiting HTTP instead of HTTPS sites, or unauthorized websites
- Plugging unauthorized USB storage devices into corporate devices
- Connecting to unsecured or open Wi-Fi networks
- Accessing networks or applications outside business hours or days
These all sound like obvious red flags, but in practice they are easily missed. Having tools that recognize them as irregular against the baseline, and acting on them quickly, is the only way to stay protected.
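The following is an added example, not code from the original page or from ENHALO, showing what the baselining and scoring described above look like in practice. It builds a per-user baseline from a training window of login events (source host, three-hour time window, weekday or weekend), then scores new events by how often each feature value has been seen for that user, so an off-hours login or a never-before-seen host is reported while a routine login is not. The log format, field names, thresholds and every log line are assumptions constructed for this example. It also carries the two caveats from the baselining section: a user with too little history is reported as such rather than silently passed, and the training window itself is trusted, so anything already happening when it was captured becomes "normal".

```python
"""Baseline-and-deviation scoring for user authentication events.

Added example; not code from the original page or from ENHALO. Log format,
field names, thresholds and all log lines are assumptions constructed here.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) action=(\S+)$")
MIN_EVENTS = 5          # with fewer training events the baseline is not trustworthy
MIN_LIKELIHOOD = 0.05   # feature values seen less often than this are reported as rare


def parse(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2), "host": m.group(3), "action": m.group(4)}


def features(ev):
    """Context the baseline is keyed on. Hours are bucketed into 3-hour windows so a
    small training set does not make every previously unseen minute look anomalous."""
    return {
        "host": ev["host"],
        "hour_window": ev["ts"].hour // 3,
        "weekday": ev["ts"].weekday() < 5,
    }


def build_baseline(lines):
    """Per user: total events plus, per feature, how often each value occurred.
    Caveat: whatever happened in the training window becomes 'normal'. An insider
    who was already active is baselined in, so the baseline needs periodic review."""
    baseline = defaultdict(lambda: {"events": 0, "seen": defaultdict(Counter)})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        entry = baseline[ev["user"]]
        entry["events"] += 1
        for name, value in features(ev).items():
            entry["seen"][name][value] += 1
    return baseline


def score(baseline, line):
    """Return the reasons an event deviates from its user's baseline. An empty list
    means it looks normal; a non-empty one is a prompt for an analyst, not proof."""
    ev = parse(line)
    if ev is None:
        return ["unparseable event"]
    entry = baseline.get(ev["user"])
    if entry is None:
        return ["user has no baseline"]
    if entry["events"] < MIN_EVENTS:
        return [f"insufficient baseline ({entry['events']} events)"]
    reasons = []
    for name, value in features(ev).items():
        count = entry["seen"][name][value]
        if count == 0:
            reasons.append(f"{name}={value} never seen for this user")
        elif count / entry["events"] < MIN_LIKELIHOOD:
            reasons.append(f"{name}={value} rare for this user ({count}/{entry['events']})")
    return reasons


# Constructed training window: one working week of logins (2024-03-04 is a Monday).
TRAINING_LOG = """\
2024-03-04T08:55:00Z user=alice host=wks-12 action=login
2024-03-04T13:10:00Z user=alice host=wks-12 action=login
2024-03-05T09:02:00Z user=alice host=wks-12 action=login
2024-03-05T16:40:00Z user=alice host=wks-12 action=login
2024-03-07T09:15:00Z user=alice host=wks-12 action=login
2024-03-08T09:05:00Z user=alice host=wks-12 action=login
2024-03-04T09:30:00Z user=bob host=lap-07 action=login
2024-03-05T09:45:00Z user=bob host=lap-07 action=login
2024-03-06T10:00:00Z user=bob host=lap-07 action=login
2024-03-07T09:20:00Z user=bob host=lap-07 action=login
2024-03-08T09:10:00Z user=bob host=lap-07 action=login
2024-03-06T11:00:00Z user=dave host=wks-30 action=login
2024-03-07T11:05:00Z user=dave host=wks-30 action=login
""".splitlines()

# Constructed events to score against that baseline.
NEW_EVENTS = [
    "2024-03-11T10:15:00Z user=alice host=wks-12 action=login",  # routine
    "2024-03-09T02:30:00Z user=alice host=wks-12 action=login",  # Saturday, 02:30
    "2024-03-11T11:00:00Z user=alice host=wks-44 action=login",  # host never seen
    "2024-03-11T11:00:00Z user=carol host=wks-02 action=login",  # never baselined
    "2024-03-11T11:10:00Z user=dave host=wks-30 action=login",   # too little history
]


def run_demo():
    """Build the baseline from the training window and score every new event."""
    baseline = build_baseline(TRAINING_LOG)
    return {line: score(baseline, line) for line in NEW_EVENTS}


if __name__ == "__main__":
    for line, reasons in run_demo().items():
        print("FLAG" if reasons else "ok  ", line, reasons)
```

Running it flags the Saturday 02:30 login (time window and weekend both unseen for alice), the login from wks-44 (host unseen), carol (no baseline at all) and dave (only two training events), and passes the routine Monday-morning login. A real deployment would key the baseline on more context than this (application, data volume, device posture) and would treat a flag as an analyst prompt or an automated user prompt, not as proof of malice.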
GDPR and security monitoring
So, you might be wondering how GDPR compliant all this monitoring is, and the good news is that GDPR expects it. Article 32 requires controllers and processors to implement appropriate technical and organizational measures to secure personal data, and Recital 49 recognizes processing that is strictly necessary for network and information security as a legitimate interest. Security monitoring can therefore rest on legitimate interest (Article 6(1)(f)) rather than on explicit permission from the user. This said, GDPR still requires that monitoring data is used only for the purpose it was collected for (purpose limitation, Article 5(1)(b)), that no more is collected than that purpose needs (data minimization, Article 5(1)(c)), and that the monitoring does not intrude on employees' privacy further than is proportionate.
One way to reconcile the two is pseudonymization: replacing names and other direct identifiers in monitoring data with tokens, which still gives visibility into irregular behavior and still flags breaches. Note that this is not the same as anonymization; data that can later be unmasked is pseudonymized (Article 4(5)) and remains personal data, so it still has to be protected. IBD solutions with privacy-friendly insider-risk features and built-in data minimization techniques tick this box.
If the actions themselves are anomalous, the record can be escalated to the Data Protection Officer to be unmasked and investigated. If it is found that personal data has been breached or compromised, GDPR (Article 33) requires notification to the supervisory authority (the Data Protection Authority) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the individuals affected.
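As an added example of the pseudonymization and escalation flow described above (not code from the original page or from ENHALO), the block below tokenizes the user field of each monitoring record with HMAC-SHA-256 under a key that is meant to live outside the monitoring team, drops fields the detection purpose does not need, and lets only a caller holding the DPO role map a token back to a person, logging every re-identification. The same user always gets the same token, so an analyst can still correlate "subject X mounted a USB device twice" without knowing who X is. The role names, field names, key handling and sample records are assumptions constructed for this example; in a real deployment the key and the token-to-identity table must be held away from analyst access, otherwise the pseudonymization is cosmetic.

```python
"""Pseudonymised monitoring records with role-gated re-identification.

Added example; not code from the original page or from ENHALO. Roles, field
names, key handling and the sample records are assumptions constructed here.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Fields the detection purpose actually needs. Everything else (here the e-mail
# address) is dropped before a record reaches an analyst: data minimisation.
KEEP_FIELDS = ("ts", "host", "action")


class PseudonymVault:
    """Keyed, reversible pseudonymisation. This is pseudonymisation, not
    anonymisation: the token-to-identity table exists, so the output is still
    personal data, and the table and key must be kept away from analyst access."""

    def __init__(self, key: bytes):
        self._key = key
        self._identities = {}   # token -> identifier; the only path back to a person
        self.audit = []         # every re-identification, for accountability

    def tokenize(self, identifier: str) -> str:
        # HMAC rather than a bare hash: usernames and e-mail addresses are guessable,
        # so an unkeyed SHA-256 could be reversed with a dictionary of staff names.
        token = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._identities[token] = identifier
        return token

    def unmask(self, token: str, actor: str, role: str, reason: str) -> str:
        """Re-identify a token. Only the DPO role may do this, and every call is logged."""
        if role != "dpo":
            raise PermissionError(f"role {role!r} may not re-identify monitoring data")
        identity = self._identities[token]
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "token": token, "reason": reason,
        })
        return identity


def pseudonymise(vault, record):
    """Swap the user field for a token and keep only the allow-listed fields."""
    out = {k: record[k] for k in KEEP_FIELDS if k in record}
    out["subject"] = vault.tokenize(record["user"])
    return out


def escalate(vault, flagged, actor, role, reason):
    """DPO-only step for a record whose behaviour warrants investigation:
    returns the record with the real identity restored."""
    identity = vault.unmask(flagged["subject"], actor, role, reason)
    return {**flagged, "user": identity}


# Constructed raw records, as a monitoring agent might emit them.
SAMPLE_RECORDS = [
    {"ts": "2024-03-11T10:15:00Z", "user": "alice", "email": "alice@example.com",
     "host": "wks-12", "action": "usb_mount"},
    {"ts": "2024-03-11T10:40:00Z", "user": "alice", "email": "alice@example.com",
     "host": "wks-12", "action": "usb_mount"},
    {"ts": "2024-03-11T11:02:00Z", "user": "bob", "email": "bob@example.com",
     "host": "lap-07", "action": "login"},
]


if __name__ == "__main__":
    import secrets
    vault = PseudonymVault(secrets.token_bytes(32))  # in production: from a KMS or HSM
    analyst_view = [pseudonymise(vault, r) for r in SAMPLE_RECORDS]
    for rec in analyst_view:
        print(rec)
    try:
        escalate(vault, analyst_view[0], "analyst-1", "analyst", "curiosity")
    except PermissionError as e:
        print("denied:", e)
    print(escalate(vault, analyst_view[0], "dpo-1", "dpo", "repeated USB mounts"))
    print(vault.audit)
```

The audit list is what makes the 72-hour clock and the accountability principle workable: it records who re-identified which subject, when and why, so both the investigation and any later report to the supervisory authority can be reconstructed.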
How irregular behavior detection helps with GDPR compliance
As mentioned, GDPR expects security monitoring, so IBD works towards compliance rather than against it. ENHALO's Continuous Irregular Behaviour Detection (CIBD) service is designed to maintain GDPR compliance while fulfilling its sole purpose: detecting and acting on irregular user behavior.
A robust IBD solution monitors continuously, giving complete visibility into user behavior and highlighting blind spots. It should also raise alerts on irregular behavior automatically and take real-time action such as endpoint isolation, lockdown or user prompts, bringing the security process full circle. ENHALO's CIBD goes further by training employees on the organization's Information Security and Acceptable Use policies, ticking off another block towards GDPR compliance and user protection.
Other elements of an IBD solution that are incredibly useful and make for more thorough protection include:
- Monitoring individual user profiles, which are certified by the National Insider Threat Task Force (NITTF).
- Machine learning that models user behavior down to keyboard typing patterns, unusual network usage and excessive printing.
- Out-of-the-box policies that detect sensitive content sent or received via email, copied between applications, or transferred over video conferencing or USB.
And of course, IBD must stay human-centric. Data leakage and insider threat protection exist because the risk comes from people, not bots, and the response (a prompt, a conversation, training) should reflect that.
Staying GDPR compliant
While IBD works towards GDPR compliance, the IBD solution must itself protect the data it gathers during security monitoring. In other words, it needs to go both ways.
Thoroughly documenting your monitoring policies and the processing activity (the record of processing that Article 30 requires) is one way to stay compliant and should include:
- The purpose of the processing
- The categories of the data subjects and personal data being processed
- The categories of those who have access to this data
- The retention period for the monitoring data and the security measures protecting it
Role-based access control (RBAC) should already be second nature in your organization, so applying it to monitoring data should be a force of habit: only the roles that need the raw records see them, and re-identification is restricted to the Data Protection Officer function. Least privilege cuts the other way too: the accounts with the highest levels of access can do the most damage, so they are the ones to monitor most carefully.
As we all know, GDPR requires that every personal data breach be documented (Article 33(5)), including its effects and the remedial action taken, whether or not it has to be reported to the authority, and reporting internally to the Data Protection Officer is how most organizations make that happen. The same applies to your IBD process and its findings.
ENHALO’s IBD will keep your organization safe from internal risk while seamlessly ensuring that GDPR compliance is met.