Background

A notable organisation was grappling with insider risk issues. Previous incidents confirmed that around 99.9% of the undesirable activity by employees was inadvertent or due to lack of awareness. The organisation's leadership was aware of many recent high-profile data breaches in other organisations resulting from insider activity and didn't want to be next. The leadership team decided to implement the ShadowSight Insider Risk Management Platform. This decision was driven by issues such as employees breaching policy, subverting security controls, clicking on phishing emails and generally exposing the organisation's sensitive information to significant risk. Despite conventional security measures such as annual compliance training and security awareness campaigns, the organisation remained vulnerable to data leakage, with no demonstrable reduction in risk.

The organisation's decision to implement the ShadowSight Insider Risk Management Platform stemmed from a multifaceted and escalating series of internal security challenges. Over time, the organisation had observed a worrying trend of policy breaches and security control subversions. This included:

  • Repeated Incidences of Employee Misconduct: Employees were frequently found breaching policy, demonstrating a lack of awareness or disregard for the established security protocols.
  • Confidential Information Leakage: There were numerous instances where employees inadvertently or negligently exposed sensitive company data, posing a severe risk of data breaches.
  • Phishing Vulnerabilities: A significant number of employees were susceptible to phishing attacks, highlighting deficiencies in their understanding of digital threats.
  • Ineffectiveness of Traditional Security Measures: Despite deploying standard security education measures such as annual compliance training and visible security reminders, the organisation realised these methods were insufficient in cultivating a robust security culture.

Recognising these vulnerabilities, and spurred by the increasing instances of high-profile data breaches in other organisations, the executive team concluded that a more sophisticated and proactive approach was necessary to mitigate insider threats.

The incident

The effectiveness of ShadowSight was soon demonstrated when it detected an employee, who was on a performance improvement plan, emailing a document titled "family recipes" to a personal Gmail account. Although this seemed innocuous at first, ShadowSight's comprehensive monitoring of various systems, including email and HR data, flagged this as suspicious. Further analysis revealed the document contained not just recipes but also embedded Excel spreadsheets with confidential sales figures and customer details. The employee admitted to intending to use this data in a future role with a competitor.

The incident in detail

Part 1: Detection of Suspicious Activity

  • Event Trigger: The incident began when ShadowSight flagged an email sent by an employee to a personal Gmail account. The email contained an attachment titled "family recipes."
  • Initial Assessment: At first glance, the email appeared harmless. However, ShadowSight’s integrated monitoring systems raised an alert due to the sensitive contents, the unusually large size of the document and the fact that the employee was on a performance improvement plan.

Part 2: Contextual Analysis and Red Flags

  • HR Data Integration: ShadowSight's linkage with the organisation's HR system revealed critical context: the employee in question was currently under a performance improvement plan, adding a layer of suspicion to the activity.
  • Deep Content Inspection: Further scrutiny of the document by ShadowSight unveiled that it was more than a mere recipe collection. While the initial pages contained recipes, subsequent sections included embedded Excel spreadsheets.

Part 3: Uncovering the Truth and Mitigation

  • Content Revelation: The embedded spreadsheets contained detailed sales figures and customer information, data highly sensitive to the organisation.
  • Employee Confrontation and Admission: Upon being confronted, the employee admitted to extracting this information for future use in a competitive role outside the organisation.
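
The signals described in Parts 1 to 3 can be combined in a few lines of detection logic. The sketch below is an added example, not ShadowSight's code: it assumes the attachment is an OOXML `.docx` (a ZIP container that stores embedded objects under `word/embeddings/`), and the weights, size threshold, webmail domain list and sample events are all constructed for illustration.

```python
import io
import zipfile

# All thresholds, weights and domain lists below are assumptions for illustration.
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
LARGE_BYTES = 1_000_000
SHEET_EXTS = (".xlsx", ".xlsm", ".xls", ".xlsb")

def embedded_objects(attachment: bytes) -> list:
    """List objects embedded in an OOXML (.docx) file, which is a ZIP container."""
    buf = io.BytesIO(attachment)
    if not zipfile.is_zipfile(buf):
        return []  # other formats need their own parser
    with zipfile.ZipFile(buf) as z:
        return [n for n in z.namelist() if n.startswith("word/embeddings/")]

def score_event(event: dict, staff_on_pip: set) -> tuple:
    """Combine destination, size, content and HR context into one risk score."""
    score, reasons = 0, []
    if event["recipient"].rsplit("@", 1)[-1].lower() in PERSONAL_MAIL:
        score += 20
        reasons.append("sent to personal webmail")
    if len(event["attachment"]) > LARGE_BYTES:
        score += 20
        reasons.append("unusually large attachment")
    if any(n.lower().endswith(SHEET_EXTS) for n in embedded_objects(event["attachment"])):
        score += 40
        reasons.append("spreadsheet embedded in document")
    if event["sender"] in staff_on_pip:
        score += 20
        reasons.append("sender on performance improvement plan")
    return score, reasons

def build_docx(embedded: dict) -> bytes:
    """Construct a minimal .docx-shaped ZIP in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document>recipes</w:document>")
        for name, payload in embedded.items():
            z.writestr("word/embeddings/" + name, payload)
    return buf.getvalue()

# Constructed sample events; addresses and file contents are made up.
STAFF_ON_PIP = {"employee.a@example.com"}
FLAGGED = {"sender": "employee.a@example.com", "recipient": "someone@gmail.com",
           "attachment": build_docx({"Microsoft_Excel_Worksheet1.xlsx": b"\0" * 1_200_000})}
BENIGN = {"sender": "employee.b@example.com", "recipient": "someone@gmail.com",
          "attachment": build_docx({})}
```

No single signal here is decisive: a small recipe document sent to Gmail by a colleague scores only on destination, while the flagged event accumulates all four reasons.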

Advantages of Implementing ShadowSight

  1. Comprehensive Monitoring: ShadowSight’s ability to monitor various systems, including email, SharePoint, and internet uploads, ensures a thorough risk assessment.
  2. Contextual Analysis: Integration with HR systems provides crucial context, such as employee status, which aids in assessing risk levels.
  3. Advanced Detection Techniques: ShadowSight’s sophisticated scanning can distinguish between innocuous and malicious activities, even when they are well-disguised.
  4. Proactive Risk Mitigation: The platform's early detection capabilities allow organisations to rapidly intervene where risky activity is detected.
  5. Enhanced Security Culture: Continuous monitoring and detection of risks contribute to fostering a more security-conscious work environment.

Risk Mitigation

ShadowSight effectively mitigates risks by:

  • Identifying and analysing unusual employee activities.
  • Providing contextual insights into potential risks.
  • Allowing for early intervention to prevent data breaches.
  • Detecting trending risky activity by staff.

Return on Investment

The return on investment in such a tool can often be realised within the first month of implementation. This is evidenced by:

  • Prevention of costly data breaches.
  • Protection of sensitive information.
  • Maintenance of organisational reputation and customer trust.

To Summarise

The implementation of the ShadowSight Insider Risk Management Platform proved crucial in detecting and preventing a significant data breach. Its comprehensive and context-aware monitoring capabilities enabled the organisation to identify and address a serious insider threat, underscoring the importance and value of such advanced security solutions in today's digital landscape.

Christopher McNaughton

Strategic Advisor, ShadowSight

Who is Christopher McNaughton

Chris is a proficient problem solver with a strategic aptitude for anticipating and addressing potential business issues, particularly in areas such as Insider Threat, Data Governance, Digital Forensics, Workplace Investigations, and Cyber Security. He thrives on turning intricate challenges into opportunities for increased efficiency, offering pragmatic solutions derived from a practical and realistic approach.

Starting his career as a law enforcement Detective, Chris transitioned to multinational organisations where he specialised and excelled in Cyber Security, proving his authority in the field. Even under demanding circumstances, his commitment to delivering exceptional results remains unwavering, underpinned by his extraordinary ability to understand both cyber and business problems swiftly, along with a deep emphasis on active listening.

What is ShadowSight

ShadowSight is an innovative insider risk staff monitoring tool that proactively guards your business against internal threats and safeguards vital data from unauthorised access and malicious activities. ShadowSight transforms insider threat management by integrating Security Information and Event Management (SIEM) with behavioural analytics. This powerful combination dynamically adapts to both business operations and employee behaviours, efficiently identifying activities that pose organisational risks. This Australian innovation streamlines threat detection with user-friendly interfaces, eliminates ongoing professional services, and integrates seamlessly into existing business processes. It efficiently filters activities, applies custom rules, and offers comprehensive visibility through a single pane. ShadowSight provides a smarter approach to safeguarding against insider threats, distinguishing itself as the leader in adaptive security solutions.