What employees’ behaviour reveals about data security

By Forcepoint

Forcepoint looks at understanding user behaviour to help governments secure citizen information.

“Data is the lifeblood of the digital economy and a digital government,” said Singapore Prime Minister Lee Hsien Loong. The government must find ways to “protect the security of the data and preserve the privacy of individuals, and yet not stifle digital innovation.”

In March 2019, Prime Minister Lee convened the Public Sector Data Security Review Committee to give recommendations for improving the government’s data security measures. One of these recommendations was for agencies to strengthen their ability to detect and respond to data incidents.

How can governments achieve this? Cybersecurity firm Forcepoint shares how the company’s risk-adaptive approach, which continuously assesses risk and automatically provides proportional enforcement, can help to sieve out suspicious activity without requiring administrator intervention.
 

Cyber risks in Covid-19


The global pandemic and the resultant mass remote working have introduced more cyber risks for organisations. There are two reasons for this.

First of all, security protection at home does not match up to the office’s. Most organisations have made considerable investments in security measures on-premise. “There is a huge degradation in security protection when working from home,” says Brandon Tan, Principal Security Consultant at Forcepoint.

Some organisations require employees to connect back to the office network over a VPN, but that’s inconvenient, especially since much of the data and many of the applications are in the cloud now. Backhauling too much traffic increases lag time and creates a poor user experience, explains Tan.

Secondly, employees tend to be more complacent and less cautious about security when working from home, he says. Mistakes leading to accidental data leakage already happen in the normal workplace and will only be exacerbated when working from home.
 

How to prevent data loss


Given the inter-agency connectivity, cloud and mobility, agencies no longer have direct visibility into all critical systems. At the same time, data is accessible from anywhere, expanding the attack surface area and making it more difficult to identify and prevent threats.

The traditional, event-centric approach looks to solve the problem with additional layers of technology. Instead, the security paradigm needs to shift to the two constants in any organisation, people and data, and to everywhere those two constants interact in ways that may pose a security risk.

Taking a security approach that provides visibility into human interaction with data and the context to understand the intent behind that interaction can help to mitigate these risks. Forcepoint’s data loss prevention (DLP) acts as “a security guard that stands between users and the internet”, says Tan. It automatically scans all data that employees are sending out onto the internet, from emails to Excel sheets.

When the solution identifies any sensitive data that’s being shared, it sends an alert to users. “A simple reminder raises user awareness and that itself will basically prevent data loss,” Tan explains. If a malicious insider or a compromised account ignores these warnings and insists on sharing the file, the system blocks it from leaving the network.
 

Human-centric data protection


Traditional DLP approaches rely on static security policies that stop data exfiltration only by actively blocking every event that looks like exfiltration, rather than understanding the bigger picture of how users interact with data. For each document, companies decide how sensitive it is and what actions employees are allowed to take with it. For instance, employees might be able to print a document, but not copy it onto a thumb drive.

It’s difficult to identify and stop malicious behaviour with this approach. If an employee account has tried but failed to download large volumes of sensitive information before, and now wants to print those documents, the static policy would allow it to. There’s no way for the company to detect there’s something wrong and stop the printing.

Forcepoint’s next generation of DLP solves this issue by analysing human behaviour for indicators of risk. If a user has consistently displayed suspicious behaviour, the system will learn that there is malicious intent linked to that user.

This extends to the whole organisation. Forcepoint uses behavioural analysis and machine learning to understand all activities within an organisation’s network, correlate them and establish a baseline of “normal” behaviour for each end-user on corporate or unmanaged networks. Forcepoint’s DLP solution then applies a range of security countermeasures, based on the individual risk assessment, to address the identified risk. For example, Forcepoint Dynamic Data Protection can allow and monitor data access, allow access but encrypt downloads, or fully block access to sensitive files depending on the context of individual interactions with corporate data and the resulting risk score.
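The contrast between a static policy and risk-scored enforcement, replaying the failed-download-then-print scenario described above, as an added example that is not Forcepoint’s code or scoring model. The action names, weights and thresholds are assumptions, and a simple cumulative score stands in for a learned behavioural baseline.

```python
from collections import defaultdict

# Static policy: one fixed verdict per action on a sensitive document.
STATIC_POLICY = {"print": "allow", "usb_copy": "block", "bulk_download": "block"}

# Hypothetical risk added to a user's running score by each attempted action.
RISK_WEIGHT = {"print": 5, "usb_copy": 30, "bulk_download": 40}


def static_verdict(event):
    """Judge one event in isolation, ignoring the user's history."""
    return STATIC_POLICY.get(event["action"], "block")


def graduated_response(score):
    """Map a risk score to the three responses named in the article."""
    if score >= 70:          # assumed threshold
        return "block"
    if score >= 30:          # assumed threshold
        return "allow_encrypt"
    return "allow_monitor"


def risk_adaptive_verdicts(events):
    """Replay events in order, keeping a cumulative risk score per user."""
    scores = defaultdict(int)
    results = []
    for ev in events:
        # An attempt raises risk even when the static policy stopped it.
        scores[ev["user"]] += RISK_WEIGHT.get(ev["action"], 10)
        static = static_verdict(ev)
        adaptive = graduated_response(scores[ev["user"]])
        if static == "block":
            adaptive = "block"  # risk scoring only tightens, never loosens
        results.append((ev["user"], ev["action"], static, adaptive))
    return results


# Constructed sample events (not real logs).
EVENTS = [
    {"user": "alice", "action": "print"},
    {"user": "mallory", "action": "bulk_download"},
    {"user": "mallory", "action": "bulk_download"},
    {"user": "mallory", "action": "print"},
]

if __name__ == "__main__":
    for row in risk_adaptive_verdicts(EVENTS):
        print("%-8s %-14s static=%-6s adaptive=%s" % row)
```

The last row is the case the static policy misses: the print request is allowed on its own merits but blocked once the two earlier failed bulk downloads are counted against the same account.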

“Blanket security policies don’t work,” says Tan. R&D and administrative departments will not have the same level of security requirements, after all. Understanding individual employees’ behaviour and intent will be helpful in reducing the risk of data loss in governments.