A growing number of companies are under pressure to protect sensitive data — and not just from hackers lurking outside the digital walls. They're also looking to protect it from insiders — employees who may want to swipe information such as customer bank account numbers or electronic medical records.
A new breed of security software is hitting the market to help with insider threat detection. And it raises some real labor-relations issues.
Monitoring To Find Bad Intent
Michael Crouse, the director of Insider Threat Strategies at Raytheon, gives me a virtual tour of a product called SureView.
Lots of security software tracks files when they move between computers and servers. But SureView is a way to zoom into the employee's desktop and follow every keystroke.
Crouse points to an imaginary employee desktop, with a file called "Familynotes.txt."
The content could be personal notes about one's family. Or it could be company secrets. If the employee copies it to a USB stick, the software sets off a red alert, grabs that same file and displays its contents in real time.
Managers can't predict when an alleged violation might happen. SureView lets them rewind to the minutes or hour before the red alert, and watch like a slow-motion film. Crouse says the software records four frames per second and "it's very compressed video, but it's very readable by an investigator."
SureView also tracks employee emails and the websites they visit and pairs that data with this new stream to try to pinpoint malicious intent. "You can kind of by watching the video determine that," Crouse says.
Tapping A New Market
Raytheon is a leading military contractor in the U.S. But here, the company is selling to a new market: the small business with sensitive data.
In an infomercial, the company reframes the security problem: "When most people think of cyberthreats, they picture criminals or hackers trying to break into a network. What they don't realize is some of the biggest threats are already inside."
Companies currently use software to block an employee from copying or emailing an unauthorized document. But according to a study by the research group Gartner, only 5 percent of that software traces every move, looking for bad actors. By 2018, the study projects, it'll be 80 percent.
Behind this new technology is a new management philosophy that assigns a risk level to every employee. Like the infomercial says, "100 percent of companies are at risk. But risk can be minimized."
Unintended Consequences
What's hard to minimize is the false alarm. "It really is the limiting factor ... to insider threat detection," computer scientist Greg Shannon says.
Shannon heads an institute at Carnegie Mellon that specializes in insider threat technologies. He says failures in these technologies can create a really toxic workplace. Say I'm poking around a bunch of files, doing research above and beyond the call of duty. In the old days, no one would know, or I'd be called proactive.
Now, Shannon says, I'm under suspicion. "That's pretty demoralizing, demotivating and I may just say, fine, I'm going to find a job elsewhere. Even if I've ... maybe especially if I've done nothing wrong."
Lamar Pierce, a management professor at Washington University's Olin Business School, has another concern. He's seen managers misuse surveillance tools and effectively pick fights with employees who play a little fantasy football on the job.
Pierce says there's an inherent problem with mission creep, where bosses ask the wrong questions: "Why don't we start monitoring directly what people are doing during the afternoon? Why don't we start reading people's emails to see if they say anything bad about the boss?"
Fear Of 'Being Spied Upon'
Cloudera, a San Francisco company with about 600 workers, records its employees' emails and Web-surfing patterns. Even though that's a standard practice, company co-founder Mike Olson says he isn't comfortable talking about it "because it raises in the minds of employees that they're being spied upon."
Olson says Cloudera does not currently have managers sitting in surveillance booths, looking for bad actors. And he doesn't like the sound of that.
"Absolutely every action I take on my computer while in the office is observed. I understand in the abstract that that's possible. As an employee, it would creep me out if I believed that my employer were doing that," he says.
Security companies are hoping that as this new software becomes more accurate, it'll feel a little less creepy.
Copyright 2021 NPR. To see more, visit https://www.npr.org.