It’s a Good Idea to Monitor Employees

Tom Reilly is CEO of Arcsight.

Ever since the advent of the first business, trusted employees have stolen from their employers. Occasionally they stole for revenge or even excitement, but for the most part, they stole for money. Traditionally, perpetrators have been found in the stock room, maybe working a register, or handling accounting. However, with the advent of corporate IT networks that provide hundreds and thousands of employees with easy access to highly valuable information, the most dangerous of perpetrators are now sitting in a cubicle row or in a corner office.A quick scan of headlines reveals that these perpetrators are of both genders and are found in all geographies and industries.

A Dupont scientist stole $400 million in intellectual property from his employer in the form of 16,706 documents and over 22,000 scientific abstracts. An employee working in a Texas physician’s office that was contracted to treat FBI agents attempted to sell an agent’s health records to drug traffickers for $500. A Federal Emergency Management Agency (FEMA) employee stole the identity information of 200 persons and opened $150,000 in credit accounts.

Whether it’s for a little money or a lot, malicious employees have been fleecing their employers for years. Unfortunately, with the recent economic downturn, more white-collar workers might feel that the reward, or the vengeance of stealing from their employer, may outweigh the risk of being caught. Combine increasing financial stress with easy access to highly valuable corporate data and a multitude of online black market outlets that turn information into cash, and you have the perfect recipe for insider cybercrime.

Employees can commit cybercrimes such as fraud, identity theft, and theft of intellectual property much faster and easier than ‘untrusted’ outsiders. Never before have so many had so much access to such a wealth of data. For example, an employee with access to sensitive information doesn’t have to be a world-class hacker to print it, copy it to an MP3 player, or e-mail it to a friend.

Knowing this, many organizations have already increased their vigilance by monitoring activities that may signal insider threats such as the applications that employees are using and how they are being used, data that is being accessed and how much, and what information is being downloaded, printed, or emailed, and at what time of day.

As a result, many companies have clearly shifted from worrying mostly about external hackers, worms, or phishing attacks to worrying about the insider threat, which now appears to be their top concern. Hence, there will be a greater onus on monitoring for insider activity and determining the ‘who’ when an incident occurs. Questions such as who did it, should they be doing it, and if not, what else are they doing, how long has it been happening, and who else is involved, need to be addressed efficiently and effectively. At the end of the day, you can’t arrest a laptop.

Some people might see this as ‘Big Brother’. Perhaps surprisingly, however, not only are organizations pushing for this type of monitoring, but so are many employees. In these hard times, an attack on a company could have a direct impact on the employees.

Since the damage caused by an insider can be substantially higher than that caused by an outsider, prudence dictates that insider monitoring be put in place for everyone’s protection. Much like a store owner keeps an eye on his inventory and registers, corporations are keeping an eye on their most important asset, information.