The pandemic is changing typical user behaviour at work
While change is to be expected, it poses challenges for those charged with securing environments, writes Jim Cook.
For many law firms, the COVID-19 pandemic has been their first real-world test of a majority remote worker scenario. Many firms already had flexible remote work arrangements, whether an occasional work-from-home day for teams or certain individuals working fully from home, but most had a majority of workers at an office or offices, working within the confines of a secured environment.
Moving such large numbers to a full work-from-home arrangement required emergency measures and workarounds, including new cloud-based systems, rapidly scaled-up remote access tools, and even allowances for staff to make last-minute home office purchases. Some approaches were more centrally coordinated and controlled than others.
The bottom line is that most law firms have undergone significant fundamental and structural changes, requiring people to behave and work differently. For those of us charged with keeping the workplace – and its systems and data – secure, these changes mean a rise in anomalous or out-of-the-ordinary employee behaviour.
Even with sound strategies and solutions in place, it can be difficult to distinguish between benign behaviour, such as employees scoping out a valid workaround to a business problem, and more threatening behaviour that could put corporate systems or data at risk.
The challenge has not gone unnoticed.
“As employees shift to remote work, companies are bracing for a surge in both accidental and malicious insider attacks,” a recently released 2020 Insider Threat report finds.
“Many [employees] are using personal or newly purchased devices. [Additionally], employees are using applications that allow them to store files in their personal cloud, share information, and communicate and collaborate with colleagues – often without the security team’s knowledge or oversight.
“[This] makes the detection and prevention of insider attacks more difficult than it was just a year ago.”
Charting the impact
Law firms, like many industries, have always been aware of insider threats, though that has not stopped a general upward trend in the number and frequency of incidents reported in recent times. A Ponemon Institute study found that “since 2018, the average number of incidents involving employee or contractor negligence has increased from 13.2 to 14.5 per organisation”.
The report found the “average number of credential theft incidents has almost tripled over the past two years” and that 60 per cent of organisations “had more than 30 incidents per year”.
It’s still too early to gauge exactly what impact COVID-19 will have on these numbers. However, as these numbers pre-date lockdown, it is clear that unless we adjust the way we detect threats to the changes in staff and organisational behaviour, they are likely to rise further.
On the other hand, it’s also possible for companies to go too far as they try to cast a wider net in response to a much larger number of vectors that could lead to data leakage or loss.
At a time when staff may already be on edge dealing with new and unfamiliar processes and systems, approaches that others may construe (or misconstrue) as surveillance may erode or undermine employer-employee trust during a critical time.
One way security teams are solving this is through the use of deception technology. This approach may sound counter-intuitive, but it’s all in the implementation.
Deception is not about watching an employee’s every move. Rather, it involves setting up specific decoys, such as fake data stores or logins, that virtually no one will find or have a need to touch as they’re going about their legitimate day-to-day work.
In that way, deception techniques are much less invasive and engender trust. Employees can go about their business without risk because, to run across a decoy, they would have to be looking for or engaging with something they weren’t supposed to access.
Deception technology also allows firms to identify the source of any illicit activity that engages the decoy and record all actions that occur. This forensic collection provides the security teams with the data they need to investigate the incident and determine if it is a compromised system or an insider. It also gives them the evidence they need to take any necessary administrative or corrective actions.
The effective use of deception technology allows law firms to detect in-network threats and early reconnaissance activity while collecting evidence to support the eventual outcome, whether that is a reprimand, dismissal, or legal action. It also helps organisations navigate this period of uncertainty, without unnecessarily flagging every change in employee behaviour as a threat.
By Jim Cook, ANZ regional director at Attivo Networks