A growing number of companies are using commercially available electronic information (CAEI) to assess risk from employees and contractors working in their environments.
According to a recent analysis by consumer credit reporting agency TransUnion, there has been a more than 50 percent increase in the use of credit records, public records and device-related data to enhance insider threat analytics over the last three years.
This increase results from a recognition of the need for and value of CAEI data, as well as growing interest attributable to the success of early CAEI adopters in detecting risky insiders – especially at companies that treat the data as a core part of a larger employee wellness program.
Despite the obvious successes, a combination of cultural, legal and privacy hurdles often stops companies from incorporating CAEI into their security environments. Let’s take a look at CAEI, and at how some firms are overcoming those hurdles.
What is CAEI?
Insider threat programs need a wide breadth of data to effectively assess the risk that employees and contractors may or may not pose to their organization, whereas data available just within an organization tells only part of the story and may be missing significant indicators.
As a result, employers wanting to accurately assess risk are turning to data aggregators that warehouse both regulated and unregulated data – often referred to as open-source data or publicly available electronic information (PAEI). In reality, this data is not publicly available to just anyone; there must be a legally defined permissible purpose and the user of the data must be credentialed to ensure proper protection of highly sensitive personal information. The alternative – and more accurate – way to describe the data is commercially available electronic information, or CAEI.
CAEI is available to government and industry insider threat programs that are vetted and legally bound to the requirements as mandated by the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA). Examples of CAEI from TransUnion can be seen in the image above. Other providers of similar data include Experian, Equifax, Thomson Reuters and LexisNexis.
Using CAEI to Identify Insider Risk
Stress is commonly accepted as an insider threat indicator if combined with other indicators or behaviors. While few people who are under stress commit insider threat acts, most people who commit insider threat acts are under some type of stress. Moreover, an increase in stress can be a trigger for worsening behavior.
CAEI can be used to detect stressors, behavioral associations and concerning behaviors, any of which may point to increased risk of insider threat activity. For example, a sudden rise in personal debt combined with reported debt collection activity may indicate financial distress, which can be personally very stressful.
Many companies, especially in the financial services sector, rely on CAEI to conduct credit history and criminal background checks as a pre-hire function. These companies have specific criteria that prohibit the hiring of candidates with specific histories or credit situations.
Other companies, especially in the defense industry, are using CAEI to conduct continuous evaluation of employees who maintain a U.S. government security clearance. They use CAEI in a proactive manner to validate whether employees are abiding by their reporting requirements on an ongoing basis.
Overcoming “Is This Legal?” and “This is Not Our Culture.”
Companies are concluding that applied use of CAEI is legal if they meet two important criteria. First, they must comply with the privacy protection requirements offered by the Equal Employment Opportunity Commission (EEOC), FCRA and GLBA. Second, they must obtain consent from the employees and potential new hires before they acquire and use the data.
For corporate programs, consent is generally easy to obtain from potential new hires. Obtaining consent from existing employees, on the other hand, may require careful messaging about the use and protections of the data. Additionally, organizations need a plan for working with employees who decline to give consent.
Companies have successfully justified their programs to leadership and employees with these points:
- Defining and limiting access, use and retention of the data:
  - Access is usually limited to HR and the insider risk program for new hires, and the insider risk program for employees.
  - Use is limited to assessing specific types of risk and concerning behaviors that will be proactively addressed.
  - A minimal amount of information will be used to assess risk and will not be used for other purposes.
- Financial and credit-report monitoring is an employee benefit that helps identify risky activity that the employee may not have been aware of but subsequently is able to mitigate before the situation gets worse.
- The information will be used to proactively engage with employees and to help alleviate their stressful situations.
Common Approaches to Effectively Using CAEI
CAEI providers know their information best and are thus most qualified to identify high-risk and abnormal situations. They offer a range of customizable services to meet the specific information needs of their customers, as well as delivery options that protect employee identity.
Insider threat programs using CAEI will typically triage the information as it is received, looking for specific events or alerts and then conducting a preliminary inquiry into the event within the context of other known events, behaviors, job role and amount of access to critical assets. If the information is a reportable event for security clearance holders, the company will confirm that the event was reported. In some cases, they may remind employees of their reporting requirements.
Herein lie three challenges for the insider threat program:
- How is CAEI (non-cyber data) integrated with the cyber data already in use at the organization to calculate a risk score?
- How are the events weighted and how long should their impact last?
- How are high-volume cyber events managed alongside low-volume non-cyber (CAEI) events?
Calculating Risk Using Both CAEI and Cyber Data is Critical
The approach of triaging events as they occur is effective for considering the circumstances at that specific point in time. However, considering the impact of a reported event over a longer, more appropriate period of time as other behaviors are detected – on the network, in access control systems or reported by co-workers – can be a challenge.
A CAEI event might be the first indicator of a problem, but it may not be enough to prompt action or open an inquiry. Employee behaviors detected or reported in the subsequent weeks or months may change the risk profile of the individual. Therefore, it is critically important the CAEI data be integrated and analyzed in the context of all other events – for months and even years after their initial discovery.
The Haystax Insider Threat Mitigation Suite (ITMS) was purpose-built to address these challenges when calculating an insider risk score. The Bayesian network that sits at the heart of our probabilistic insider threat model continuously calculates the score as both cyber and non-cyber events are applied against nodes in the model.
Each node contains polarity, strength and half-life values:
- Polarity allows events to have either a positive or negative effect on the risk score. For example, a “job promotion” event could reduce the risk score while a “failure to complete required training” event could increase it.
- Strength indicates the magnitude of the event’s effect on the risk score; we support 12 levels of strength.
- Half-life is the number of days for the intended effect of an event to be halved or doubled.
Analytic results from an ITMS model fed with a diverse set of CAEI enable insider risk teams to focus their attention on evaluating and mitigating their highest risks, thereby spending less time investigating insiders that are not of concern.
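The following is an added example, not Haystax code and not the ITMS Bayesian network itself. It uses the three per-node parameters named above (polarity, strength and half-life) in a simple additive model to show the point made in the earlier section: a single long-half-life CAEI event keeps contributing to the score for months while a burst of short-half-life cyber events fades within weeks, so the two must be scored together rather than triaged separately. The linear 1..12 strength scale, the `caei` / `cyber` source labels and all event data are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed illustration only: an additive, exponentially decaying score.
# It is NOT the Haystax ITMS model; it only demonstrates how polarity,
# strength and half-life combine cyber and non-cyber (CAEI) events.

STRENGTH_LEVELS = 12  # the post states 12 levels; the linear mapping below is an assumption


@dataclass(frozen=True)
class Event:
    name: str
    occurred: date
    polarity: int          # +1 raises the risk score, -1 lowers it
    strength: int          # 1..12
    half_life_days: float  # days until the event's effect is halved
    source: str            # assumed labels: "caei" or "cyber"

    def __post_init__(self) -> None:
        if self.polarity not in (-1, 1):
            raise ValueError("polarity must be +1 or -1")
        if not 1 <= self.strength <= STRENGTH_LEVELS:
            raise ValueError(f"strength must be 1..{STRENGTH_LEVELS}")
        if self.half_life_days <= 0:
            raise ValueError("half-life must be positive")


def magnitude(strength: int) -> float:
    """Map a strength level to a weight in (0, 1]. Linear scale is an assumption."""
    return strength / STRENGTH_LEVELS


def contribution(ev: Event, as_of: date) -> float:
    """Signed contribution of one event on a given day, halved every half-life."""
    age_days = (as_of - ev.occurred).days
    if age_days < 0:
        return 0.0  # the event has not yet occurred as of this date
    return ev.polarity * magnitude(ev.strength) * 0.5 ** (age_days / ev.half_life_days)


def risk_score(events, as_of: date) -> float:
    """Total score on a date: every event is applied in the context of all others."""
    return round(sum(contribution(e, as_of) for e in events), 4)


def breakdown(events, as_of: date) -> dict:
    """Score split by source, so analysts can see what is driving the total."""
    parts = defaultdict(float)
    for e in events:
        parts[e.source] += contribution(e, as_of)
    return {src: round(v, 4) for src, v in parts.items()}


def timeline(events, start: date, weeks: int):
    """(date, total, per-source) rows at weekly intervals, for charting or review."""
    rows = []
    for w in range(weeks + 1):
        day = start + timedelta(weeks=w)
        rows.append((day, risk_score(events, day), breakdown(events, day)))
    return rows


if __name__ == "__main__":
    # Constructed sample: two CAEI stressors, one mitigating HR event, and a
    # five-day burst of after-hours access alerts from the cyber side.
    sample = [
        Event("sudden_rise_in_personal_debt", date(2024, 1, 10), +1, 9, 365, "caei"),
        Event("debt_collection_reported", date(2024, 2, 5), +1, 7, 180, "caei"),
        Event("job_promotion", date(2024, 2, 20), -1, 4, 90, "caei"),
    ] + [
        Event("after_hours_access", date(2024, 3, 1) + timedelta(days=d), +1, 2, 7, "cyber")
        for d in range(5)
    ]
    for day, total, parts in timeline(sample, date(2024, 1, 1), 20):
        print(day, f"{total:6.3f}", parts)
```

Running the block prints a weekly timeline in which the cyber burst briefly dominates the total in early March and is negligible a month later, while the CAEI events are still shaping the score in May; that persistence is exactly why a triage-only approach misses the compounding picture the section describes.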
# # #
David Sanders is Director of Insider Threat Operations at Haystax.
Note: Haystax offers an array of services and solutions to help companies identify, investigate and respond to formerly trusted insiders who may try to steal data or otherwise pose a threat to the enterprise. Its new Insider Threat Detection & Response (ITDR) service is offered through its sister company CYDERES, alongside the Haystax Insider Risk Mitigation Suite.