Surreptitious Spyware versus Insider Risk Management

On Monday, President Biden signed an executive order limiting the purchase and use of commercial spyware by U.S. government departments and agencies. While the new order doesn’t entirely prohibit spyware, it lays out the criteria under which uses could be disqualified, and it suggests that a case-by-case review will be required before agencies may acquire the technology for nonoperational uses, such as testing it for research or cybersecurity purposes.

According to statements, officials must certify that the spyware tools do not “pose significant counterintelligence or security risks to the United States government or significant risks of improper use by a foreign government or foreign person.”

This new executive order is part of an effort to improve cybersecurity and protect against malicious cyber activity. More specifically, it is meant to get ahead of the problem and set standards for other governments, including U.S. allies, that buy and deploy commercial spyware. It is also intended to ensure that government agencies are not engaging in activities that could be used to target and exploit vulnerable individuals or organizations.

It is important to note that the directive targets spyware, not the array of cybersecurity tools commonly deployed within federal or local government or enterprise organizations to mitigate external or internal threats.

What is commercial spyware?

Commercial spyware is sophisticated, malicious surveillance software that remotely accesses electronic devices, extracts their content, and manipulates their components, all without the knowledge or consent of the devices’ users. Data compromised by spyware often includes confidential information such as login credentials (usernames and passwords), account PINs, credit card numbers, keystrokes, browsing habits, and harvested email addresses.

And it is no surprise that governments around the world — including the U.S. — are targets because they are known to collect large amounts of data for intelligence and law enforcement purposes, including communications from their own citizens.

While the use of commercial spyware is illegal in most geographies, it has been increasingly used by other countries in recent years to surveil dissidents, journalists, and politicians, among others. But there’s a misconception that only influencers and politically active people can become the target of spyware. Spyware operators have many other goals besides espionage, and virtually everyone is a potential target.

Insider risk management is different – here’s how

Insider threat attacks are getting worse, taking longer to detect and becoming more extensive. Why? For the past few years, arguably all companies and their employees have had to adapt and find ways to stay flexible about how and when they work. Remote work is now the norm, and employees can often be found working hours outside the typical 9-5, whether because of childcare, the lack of a commute, or simply close proximity to “the office.” Prior to the pandemic, off-hours digital activity would have been a sure sign of an insider threat.

Moreover, users in the modern workplace have ubiquitous access to create, manage, and share data across a broad spectrum of platforms and services. With so many employees, contractors, and vendors holding legitimate credentials, the problem is compounded, and the more traditional tell-tale signs of insider risk become even more diluted.
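To make the point concrete, here is an added example (not innerActiv’s code) that runs a pre-pandemic style fixed 9-to-5 “off-hours” rule and a per-user baseline rule over the same constructed endpoint login events; the event data, user names, and thresholds are all assumptions made for the illustration.

```python
"""Added example, not innerActiv's code: a fixed 9-to-5 'off-hours' rule versus a
per-user baseline, run over constructed endpoint login events (user, ISO-8601 timestamp)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 'alice' habitually works evenings (childcare); 'bob' works 9-5
# except for one 03:00 login, the only event here that departs from its owner's pattern.
EVENTS = [
    ("alice", "2023-03-20T20:15:00"), ("alice", "2023-03-21T21:10:00"),
    ("alice", "2023-03-22T20:50:00"), ("alice", "2023-03-23T21:30:00"),
    ("alice", "2023-03-24T20:40:00"),
    ("bob", "2023-03-20T09:30:00"), ("bob", "2023-03-21T10:05:00"),
    ("bob", "2023-03-22T09:45:00"), ("bob", "2023-03-23T10:20:00"),
    ("bob", "2023-03-24T03:00:00"),
]

def hour_of(ts: str) -> float:
    """Hour of day as a float, e.g. '...T20:15:00' -> 20.25 (no wrap-around at midnight)."""
    dt = datetime.fromisoformat(ts)
    return dt.hour + dt.minute / 60

def fixed_window_alerts(events, start=9, end=17):
    """Pre-pandemic rule: any activity outside 09:00-17:00 is an alert."""
    return [(u, ts) for u, ts in events if not start <= hour_of(ts) < end]

def baseline_alerts(events, z_threshold=3.0, min_shift_hours=2.0, min_history=3):
    """Per-user rule: alert only when an event sits far from the rest of that user's own
    activity (leave-one-out z-score AND an absolute shift of at least min_shift_hours)."""
    by_user = defaultdict(list)
    for u, ts in events:
        by_user[u].append(hour_of(ts))
    alerts = []
    for u, ts in events:
        h = hour_of(ts)
        others = list(by_user[u])
        others.remove(h)          # leave-one-out so an event cannot mask itself
        if len(others) < min_history:
            continue              # too little history to judge; not an alert on its own
        mu, sigma = mean(others), pstdev(others)
        shift = abs(h - mu)
        z = shift / sigma if sigma else float("inf")
        if shift >= min_shift_hours and z > z_threshold:
            alerts.append((u, ts))
    return alerts

if __name__ == "__main__":
    print("fixed 9-5 rule:", len(fixed_window_alerts(EVENTS)), "alerts")
    print("per-user baseline:", baseline_alerts(EVENTS))
```

On this sample the fixed rule raises six alerts, five of them for alice’s normal evening work, while the per-user baseline raises only the one for bob’s 03:00 login.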

Whether accidental or intentional, insiders can wreak havoc on organizations because they are authorized to access proprietary information including information about security practices, data, and systems. As a result, organizations have adopted measures and have turned to insider risk management technology to mitigate this evolving threat landscape.

Gartner defines insider risk management (IRM) as the tools and capabilities to measure, detect and contain undesirable behavior of trusted accounts within the organization. Insider risk may involve errors, fraud, theft of confidential or commercially valuable information, or the sabotage of computer systems.

While many IRM technologies and trusted security services use “spyware-like” monitoring and tracking, nowadays the “spyware” term is reserved solely for malicious applications.

The “right side” of surveillance and monitoring

innerActiv’s insider risk intelligence platform provides powerful, real-time analytics that look across user behavior and data movement on endpoints, networks, in the cloud, and on-premises, to provide complete visibility, detection, prevention, and response to potential insider threat situations. When anomalies appear, determining whether the irregularities are, in fact, potential insider threats can be costly to an organization. By anticipating rather than reacting to shifts or suspicious activity, companies can lower the cost of investigations and the overall operational impact on their organization.

Every rule and feature of the innerActiv Insider Risk Intelligence platform has been built with highly customizable options that allow for any exclusions that may be necessary to protect the privacy of an organization and its employees. Only the data you request is displayed, and only to approved personnel, so there are no concerns about exposure of personal data or about sensitive alerts becoming public knowledge. Additionally, companies have the choice to notify and interact with end users or to operate fully in silent “stealth” mode, depending on the use case and deployment scenario.

When it comes to addressing insider risk, security starts from within. Protecting sensitive company data from exfiltration and misuse requires a combination of the right people, process, and technology. Learn more about how to prepare your organization.
