Ofer Klein, CEO
October 3, 2022
Current ways of working, including remote work and increased use of collaboration tools, have increased the potential for employee insider threats. Reco’s collaboration security platform is designed to avoid situations where an employee uses anything from sanctioned work collaboration tools to shadow IT to leak sensitive work documents.
One of the significant advantages of collaboration tools is the way they make it easy for employees to create and review information with whoever they work with, wherever they work. However, this has opened organizations up to new risks of employee insider threat, often in ways they never thought of.
In the worst-case scenarios, employee insider threats can lead to legal action when an employee intentionally misuses proprietary information, for example in the unnamed case of a company that took a former employee to court for sharing sensitive company information with a competitor. Given that no organization wants to have to do that, how can security tools provide visibility and detection to reduce the impact of employee insider threats before they go too far?
The complexity of the collaboration tool landscape has introduced new challenges for security teams looking to monitor individual systems for unauthorized activity. For example, an employee can choose to receive a file on one system but work on it and share it with another user (either external or internal) on a different tool. As a result, the path that data takes is no longer linear.
In addition, there is the question of user identities. An individual employee may have numerous accounts across different platforms. Where the average organization’s SaaS portfolio contains 254 apps, an employee with an account on each app may have 254 identities. Tracking information across these apps has become an increasingly difficult task.
Tracking identity is further complicated by the use of shadow IT. Shadow IT is when an employee uses a different application that is not officially set up on a corporate account. This can include personal email addresses or communication tools, or simply a different tool to that used by the organization, but registered with a work email address.
As a result, controls over data exfiltration and sharing have been weakened, and an employee insider threat has opened up where employees can evade security controls to share information for a malicious purpose.
A data exfiltration attack usually takes time to fully carry out, especially if the malicious employee sends data out in small batches. However, the use of collaboration tools has made detection more difficult as it is now easier than ever to bypass controls.
For example, collaboration tools often allow files to be shared with external parties such as customers or suppliers. However, this could enable a malicious employee to share sensitive files with their private email account directly from within the file.
Or, it is now easier than ever to create new identities, and again in the spirit of collaboration, a user can send attachments to a fabricated user identity which can then be passed on. This could also include gaining access to and downloading files without business justification.
The Reco detection engine is designed to help organizations detect employee insider threats and data leakage before there is too much damage. For example, the engine maps data journeys across the organization’s systems to build identities for users across all the different tools they use. In this way, data is not lost as a user transfers it from application to application, even when they transfer it to a personal or external identity.
Furthermore, Reco’s business context justification engine detects whether the actions that identity is carrying out are in fact justified based on the permissions and authorities that user usually has in the work that they do. All of this takes Reco seconds to detect, and security teams are notified in real time that unauthorized actions have taken place.
In today’s organizations, data is created, modified, and shared every minute. As a result, it can be extremely difficult to get visibility of what data is being leaked by an employee insider threat or to gain control over the flow.
Reco’s visibility and control functions help organizations gain insights into the identities and data involved in the data breach quickly, in order to help them prevent further action as quickly as possible.
For example, Reco will provide insights into which pieces of data were shared with which users. This includes providing visibility into which pieces of data were shared with a specific user and across which channels (Slack, Google, MSFT, Box, or others), which is particularly useful in the case of an employee insider threat. Finally, Reco will provide visibility of user interactions with third parties and external identities (including an employee’s personal email account).
Once that visibility has been provided, security teams will be able to remediate the problems in order to gain control over the data leakage – for example by removing access to documents or groups, or by identifying the individual responsible.
Contact us now to learn how Reco can help your organization protect itself from employee insider threats before they reach the point of legal action.