The upcoming POPI Act deadline has many organisations scrambling to reach compliance.
With only a year to prepare since the Act was signed into law last July, many have had a tough time implementing all the necessary controls to protect personal information.
In this article, we’ll look at one of the greatest threats – irregular user behaviour – and explain how you can quickly get it under control.
What is irregular behaviour detection?
Most security budgets are tied up in perimeter defence and incident response, geared towards attacks from outside the organisation.
We see the same media coverage of the latest cyberattacks and external threats over and over, but what if this was only part of the story?
Historically, a vast proportion of data breaches have been caused by individuals inside the organisation. Individuals like employees, contractors, and third parties have direct access to personal information and can easily compromise that information, either by accident or design. This phenomenon is known as the ‘insider threat,’ which creates a substantial risk that isn’t addressed by most security solutions.
Here is where irregular behaviour detection comes into play.
First, organisations establish a baseline for everything in an IT environment, including users, network traffic, devices, DNS traffic, application access patterns, host connection patterns, seasonal spikes, etc. Once this baseline is set, continuous irregular behaviour detection is used to identify activity that doesn’t fit the baseline – i.e., suspicious or unusual activity.
Common examples of dangerous irregular or abnormal behaviour include:
- Downloading harmful files via an Internet browser.
- Visiting insecure websites, e.g., those that start HTTP:// instead of HTTPS:// sites.
- Plugging unauthorised USB drives into corporate devices.
- Connecting to unsecured or open Wi-Fi networks.
- Copy/paste or uploading of identity numbers
If irregular behaviour turns out to be acceptable, it is managed by an exception and update to the baseline. However, if the behaviour is dangerous or undesirable, an irregular behaviour detection tool allows you to identify and block the behaviour before it causes a data breach.
Almost 60% of all data breaches are detectable with irregular behaviour
To evaluate the risk caused by internal users, we’ll look at two of the cybersecurity industry’s most respected research publications: Verizon’s 2021 Data Breach Investigations Report and IBM’s 2020 Cost of a Data Breach Study.
- According to Verizon, 20-30% of breaches are caused by insiders, mainly due to mistakes. Of these, 80% lead to a compromise of personal data.
- While insiders are directly responsible for 20-30% of breaches, a much higher percentage of breaches involve insider behaviour in a different form.
- According to the 2020 Cost of a Data Breach Study, 52% of data breaches are caused by an external attacker.
- Social engineering attacks like phishing also require insiders’ unintentional ‘help’, often presenting as irregular user behaviour.
- A further 8% of external attacks use stolen credentials more directly.
Therefore, more than 38% of external attacks rely on the use of privileged accounts. Combined with human error, almost 60% of all data breaches include irregular behaviour at some point.
POPI Data and Irregular Behaviour Detection
The POPI Act commenced on 1st July 2020 and gave organisations just one year to ensure their IT security program is compliant, with a final deadline of 30th June 2021.
Organisations have less than one month to reach POPI compliance. To do this, they must securely manage the data capture and storage process for personal information relating to customers and employees, including processes involved with:
- Recording and capturing personal information.
- Saving documents to a network, cloud storage service, or USB drive.
- Transferring data between devices, networks, and physical locations.
Naturally, all these activities are susceptible to data compromise, either through accidental or malicious activity. Implementing systems to prevent this is essential to meet POPI compliance requirements.
Herein lies a significant challenge. POPI is descriptive rather than prescriptive. That means each organisation must determine its unique path to compliance and must be able to provide evidence of its risk assessment process, decisions, actions, and investments.
Remember the figures from earlier. Almost 60% of all personal information breaches are directly or indirectly caused by irregular behaviour. By identifying and preventing that behaviour, you can mitigate the risk of personal data loss and ease the path to POPI compliance.
How to Detect Irregular or Abnormal Network Traffic
To manage irregular or abnormal behaviour, an automated, real-time detection and prevention solution is needed.
ENHALO’s Irregular Behavior Detection (IBD) Service identifies and alerts your IT security team to suspicious behaviour in real-time, making it easy to prevent before it leads to a breach:
- AI and Machine Learning (ML) algorithms monitor user behaviour in your environment, such as typing patterns, unusual network and application use, and excessive printing to detect threats early.
- Out-of-the-Box policies based on real-world insider risk scenarios ensure malicious insider detection from day one.
- Automated procedures detect sensitive content sent and received by email, copied between applications, transferred over video conferencing, or exfiltrated through USB and other storage media.
- On-the-spot training is triggered when a user violates your organisation’s Information Security or Acceptable Use Policy, helping avoid repeat incidents.
Crucially, our service solution enables real-time response to irregular behaviour, including endpoint isolation, asset lockdown, and user prompts.
We guarantee a strong security posture that prevents breaches and helps to maintain compliance with POPI and other regulatory frameworks.
Disclaimer Insights and press releases are provided for historical purposes only. The information contained in each is accurate only as of the date material was originally published.