Spyware-For-Business Company Thinks Concerns About 'Medical Bills' Are Indicators Of An 'Insider Threat'
from the terminated-for-googling-'student-loans' dept
It’s no secret that many companies monitor their employees’ computer use. But things are going much further than simply ensuring the normal “don’ts” — file sharing, porn viewing, etc. — are tracked for disciplinary reasons. Companies are now on the lookout for the next “insider threat.” Some companies are viewing the Snowden saga as the ultimate cautionary tale, albeit one that results in more surveillance rather than less. (via Dealbreaker)
Guarding against such risks is an expanding niche in the security industry, with at least 20 companies marketing software tools for tracking and analyzing employee behavior. “The bad guys helped us,” says Idan Tendler, the founder and chief executive officer of Fortscale Security in San Francisco. “It started with Snowden, and people said, ‘Wow, if that happened in the NSA, it could happen to us.’”
But the effort to find — and prevent — the next “insider threat” from damaging his or her company seems to be just as misguided as the government’s efforts to do the same. Looking for potential threats often results in viewing almost everything as an indicator of future treachery.
One company cited “changes in email habits” as being indicative of an “insider threat.” Others, like Stroz Friedberg, aren’t as selective. The company, started by former FBI agent Edward Stroz, veers into the same dangerous territory the government does when rooting out “threats.” In its hands, normal activities are viewed with suspicion by its monitoring software.
The software establishes a baseline and then scans for variations that may signal that an employee presents a growing risk to the company. Red flags could include a spike in references to financial stresses such as “late rent” and “medical bills.”
And what better way to tackle “late rent” or “medical bills” than suddenly finding yourself unemployed simply because re-purposed FBI analytic software thinks any small sign of (possibly temporary) financial instability indicates your next move will be to steal something. Millions of people in the US deal with these realities frequently — especially the latter. And yet, millions of employees still find other ways to tackle these problems instead of dipping their hands in the tills or running off with sensitive documents.
Stroz’s software also thinks — like the government — that an unhappy employee is a malicious employee.
He offers the scenario of a star trader at a bank who’s disappointed with the size of her annual bonus. Instead of being blindsided when she defects to a rival, a bank using Scout could identify her discontent early and make sure she doesn’t take sensitive data or other team members with her.
Or, the company could try to work with the employee rather than just secretly track her until her eventual exit. Once again, unhappy employees leave companies all the time without taking anything with them. Sure, a few do, but the deployment of software like this will generally produce more false positives (and further strain work relationships) than insider threats. And there’s nothing like firing people for something they haven’t done (but might!) to endear a company to its remaining employees.
Despite all of this, Edward Stroz believes his company’s predictive employee policing software is just another way for companies to show their employees how much their staff means to them.
He’s still careful when discussing the software, describing it as a way to help employers build a “caring workplace.”
Oh, it’s anything but. While employees will often accept monitoring of their internet/computer usage as being a necessary part of the employee-employer relationship, they’re not going to be happy to find out that searching for information about medical bills might see them lose a source of income. And they’re definitely not going to be thrilled to learn that expressing displeasure about company practices and policies may result in the same thing. If a company wants to foster a “caring workplace,” it should be addressing employee discontent, not monitoring it. But what do you expect from companies — and the entities that provide them with spyware — that view the Snowden leaks as justifying increased surveillance?
Oh, and employees had better believe their file sharing use will be actively monitored (and used against them). Stroz Friedberg may be making enterprise pre-crime software now, but its past as an RIAA lobbying firm (and its slightly-later past as a Six Strikes “independent expert”) has been well-noted.
Filed Under: insider threats, monitoring, spyware
Companies: fortscale security
Comments on “Spyware-For-Business Company Thinks Concerns About 'Medical Bills' Are Indicators Of An 'Insider Threat'”
The Stroz Analysis Engine is a powerful tool for your business. Recently established in Fortune 500 companies, all but two are now bankrupt as the software positioned 99.9% of employees as threats.
“At Stroz, we believe to be human is to be a threat, so we’ll ensure all your employees are either ‘happy’ (to have a job, willfully bending to corporate policy) or fired.” – Stroz
PS: Walmart, think twice before using this software. It’s bad enough you only have two checkouts open at any time. This software will reduce that number to zero.
I’d like to hope that, if you’re not already boycotting Walmart (y’know, for all the scummy moves they’ve done over the years), you’ll stop shopping there (how else would you know about those two cash registers?) if they implement the Stroz software.
Gee why does this level of disconnect from reality not shock me. See Also: “Independent” Review of CCI
This maybe, just maybe, helps highlight the amazing disconnect between those on top and those who provide them that living.
Workers are seen as threats no matter what, oh something horrible happened to them… QUICK LOCK THE FILES!!
Once upon a time a business would find out about troubles befalling their workers and extend some reasonable aid, because a happy worker is more productive and committed to the company.
Now everything is viewed from the viewpoint of those “on top” where if you see a weakness, you pounce and destroy. And living with this constant fear of takeovers, SEC investigations, etc where everyone is after them they become paranoid. They spend MILLIONS of dollars, that they got by cutting into the compensation for the workers, propping up the sales pitch of if you do not do this your workers will destroy you… ignoring that these sorts of actions will do very little to catch people committed to your downfall, and increases the sheer number of people who will grow to despise you and will help the one who decides you need to go down.
See also: Every stupid plan the **AA’s have ever put forth.
Punish those who pay them, chasing imaginary dollars.
You’re talking about people who see revenue as property and paying wages as theft. CEO and top-tier management bonuses, not so much.
What is the False Positive rate?
I can’t see where the accuracy of such of a system would be very high. What kind of resources is a company going to deploy to verify that an employee is actually a risk after being flagged? What are they going to do after 6 months when 80% of their employees have been identified as risks?
Re: What is the False Positive rate?
Fire everybody and close the company. Problem solved, no more inside threat!
It's a scam!
The only company that will make money from this software is the one that sells it.
It’s feeding on the combined beliefs that computers can now perform acts of wizardry in the eyes of the non-specialists and that ‘predictive’ algorithms are actually accurate enough to pinpoint “threats” because lettersoup-organizations keep trying to convince the public that they are…
To me it sounds like someone trying to sell snakeoil…
Email content scanning doesn't work
We’ve learned that — painfully — over 20+ years of trying to detect spam, phishing, and malware.
If you haven’t been working in these areas, let me summarize: the code which attempts to do this requires daily updates in order to have a decent chance of yielding results with acceptable FP (false positive) and FN (false negative) rates. And even with all that constant, meticulous attention to detail, it still fails miserably all day, every day. It really is a horrible mess.
The reason is simple: it’s an attempt to “enumerate badness”, which is aptly described by Marcus Ranum in The Six Dumbest Ideas in Computer Security as Dumb Idea #2. Stroz’s software isn’t exempt from this problem — but given their marketing pitch, which is geared toward naive customers who only care about FN rates and not FP, they’ll probably just ignore it.
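The false-positive arithmetic behind the “What is the False Positive rate?” comment and the “enumerate badness” point above, worked through as an added example; this is not code from the post, from any commenter, or from any vendor’s product. The stress terms are the two quoted in the article; the headcount, prevalence, detection rate, per-run false-positive rate and the sample messages are all constructed assumptions chosen to make the base-rate effect visible.

```python
"""Base-rate arithmetic for a keyword-driven 'insider threat' flag.

Added illustration; not part of the Techdirt post, the comments, or any
vendor's product. Every number and message below is a constructed
assumption chosen to make the arithmetic visible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningResult:
    """Confusion-matrix counts for one pass of a screening rule."""
    true_positives: float
    false_positives: float
    false_negatives: float
    true_negatives: float

    @property
    def flagged(self) -> float:
        return self.true_positives + self.false_positives

    @property
    def precision(self) -> float:
        """Share of flagged people who really were a threat."""
        return self.true_positives / self.flagged if self.flagged else 0.0

    @property
    def sensitivity(self) -> float:
        """Share of real threats the rule caught (1 minus the FN rate)."""
        positives = self.true_positives + self.false_negatives
        return self.true_positives / positives if positives else 0.0

    @property
    def false_positive_rate(self) -> float:
        negatives = self.false_positives + self.true_negatives
        return self.false_positives / negatives if negatives else 0.0


def screen_population(headcount: int, prevalence: float,
                      sensitivity: float, false_positive_rate: float) -> ScreeningResult:
    """Expected confusion matrix when a rule with the given per-person
    sensitivity and FP rate is applied once to a workforce in which
    `prevalence` is the fraction of genuine insiders."""
    insiders = headcount * prevalence
    honest = headcount - insiders
    tp = insiders * sensitivity
    fp = honest * false_positive_rate
    return ScreeningResult(tp, fp, insiders - tp, honest - fp)


def cumulative_flag_probability(false_positive_rate: float, periods: int) -> float:
    """Probability that an honest employee is flagged at least once when the
    rule is re-run every period with an independent per-period FP rate."""
    return 1.0 - (1.0 - false_positive_rate) ** periods


# The two "financial stress" phrases quoted in the article.
STRESS_TERMS = ("late rent", "medical bills")


def mentions_stress_term(text: str) -> bool:
    """The naive rule: flag any message containing a stress term."""
    lowered = text.lower()
    return any(term in lowered for term in STRESS_TERMS)


# Constructed sample messages: (text, author_is_actually_malicious).
SAMPLE_MESSAGES = [
    ("please bring your medical bills to the benefits enrolment session", False),
    ("late rent on the downtown office lease, facilities is chasing the landlord", False),
    ("Q3 numbers attached, same format as last year", False),
    ("my late rent payment bounced, can payroll confirm the deposit date?", False),
    ("copied the full client list to my personal drive before my last day", True),
    ("medical bills piling up and honestly I am done with this place", True),
]


def evaluate_keyword_rule(messages=SAMPLE_MESSAGES) -> ScreeningResult:
    """Run the keyword rule over labelled messages and tally the outcome."""
    tp = fp = fn = tn = 0
    for text, malicious in messages:
        flagged = mentions_stress_term(text)
        if flagged and malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return ScreeningResult(tp, fp, fn, tn)


if __name__ == "__main__":
    sample = evaluate_keyword_rule()
    print(f"keyword rule on sample: flagged={sample.flagged} precision={sample.precision:.2f} "
          f"sensitivity={sample.sensitivity:.2f} fpr={sample.false_positive_rate:.2f}")
    # Assumed figures: 10,000 staff, 1 in 1,000 a genuine insider, a rule that
    # catches 90% of them and wrongly flags 2% of everyone else.
    pop = screen_population(10_000, 0.001, 0.9, 0.02)
    print(f"population: flagged={pop.flagged:.0f} real={pop.true_positives:.0f} "
          f"precision={pop.precision:.3f}")
    print("honest employee flagged at least once in 26 weekly runs: "
          f"{cumulative_flag_probability(0.02, 26):.2f}")
```

On the constructed sample the keyword rule flags four people, only one of whom is a real problem, and it misses the exfiltration message that never mentions money at all; scaled to the assumed 10,000-person workforce, even a generous 2% per-run false-positive rate produces roughly twenty wrongly flagged employees for every genuine one, and re-running weekly pushes a typical honest employee’s chance of being flagged at least once past 40% within six months.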
*running risk analysis*
Target: Commentators Of Techdirt
Recommendation: Revoke Access
There you go Techdirt! No more insider threats! That’ll be $100,000.
Re: (deeply indebted to the AC)
re-running risk analysis, with volume set to 11
Target: Employees, Stringers, Guests, Staff, Consultants, The Barista at StarBucks, etc, Of Techdirt
Recommendation: Fire them all. Shut the business down. Move to Ittoqqortoormiit, learn to love dried ammasat and raw caribou liver.
No more insider, outsider, or bystander threats.
That’ll be $300,000, please.
Oh, at Techdirt they already track insider threats.
What did you think those “insider” labels are?
Right, I’ve got an idea, bear with me, I’ve only just thought of this…
How about companies (and Gov agencies etc) stop doing things that need to be whistleblown about?
Is it possible that just this one small change in philosophy could prevent these many whistleblowers who are just waiting for that one scandal they can break?
I know, I must be crazy right… who would consider actually functioning like a civilised human being!
No one with power, because they got there, most often, by doing the exact same underhanded things they are terrified of others doing.
Re: Re: Re:... what they are afraid of
Is not underhanded snake strangling scum. Those they can deal with by either promotions or stock options. What scares them are people who have a conscience and will blow the whistle on them. It is the Dudley Do-Rights that have them terrified.
Maybe I should get into the discount torch pitchfork tar and feather distribution business? I hear that it will be a seller’s market.
They need to learn about cause and effect
Is it any wonder that companies like this create disgruntled employees? What they should be doing is figure out why their employees get disgruntled and tackle the cause. Instead, they are just creating more disgruntled employees.
Re: They need to learn about cause and effect
When the employers are the problem, they will never find the cause.
This isn’t the first time the question of personal mail on a work account has come up. I first encountered articles on it in the late 1980s.
Nowadays, with most people having mail at home, or even a smartphone, I have trouble understanding why the question even comes up.
Nothing good can come out of using your employer’s machines for mail.
The corporations would prefer everyone in leg chains
Since corporations don’t have a brain, it’s dangerous to treat them as entities; they make Manson look civilized.
Re: The corporations would prefer everyone in leg chains
Lucky for them, the companies that make military hardware for the US military are given prisoners to work for them as slave labour.
distrust the employer
It goes both ways.
Give respect in order to get respect.
To learn to lead, one must learn to follow.
Why does management have, and keep, their collective heads in the sand? While this is not true for all management, it seems true for most management.
While insider threats can actually be a problem for SOME businesses, by far the biggest “insider” threat to a business is due to the fact that employees are lazy as hell and don’t adhere to security protocols. They download anything, open every attachment in their email, and do generally stupid things on their work machines. This opens the door and gives a potential hacker a pivot point on the network. That is by far the biggest insider threat.
Spending big dollars on this software (and this type of software is absurdly expensive) is stupid, intrusive, and isn’t going to do anything for security. The fact they characterize insider threats as “hard up” for money or have medical bills or are unhappy shows a complete lack of understanding of the vast majority of insider problems. The typical threat is far more mundane – just pure curiosity. People with keys wanting to see what is behind all the doors they can open. IT admins reading management emails and things like that.
More stupid thoughts..
Don’t companies and corps get a write-off for estimated theft?
With this software I would NOT give them a write-off.
It’s standard procedure in all business to anticipate a loss prevention of up to 10% of sales.
Anything below 5% is great..
but with the overpriced goods in the USA, they are anticipating a net loss of 30+%..(which means goods are 3 times the price)
Sounds like a great lawsuit for discrimination based upon disability. Google medical bills and something disability oriented if you think you’re in danger of getting fired for your legal authorized computer usage.
Or you know...
Sit down and talk to your employees regularly like real people…
God forbid we actually have conversations with our fellow coworkers to see how they’re feeling about life and work. Establishing a trusting personal relationship will go a lot further toward discouraging malicious behavior than some spying software and the untrusting management of suspicious employees.
Those who purchase and use this software *ARE* the insider threats!
Time for sarcasm.
Tim you must be joking! Of course those with medical problems are a threat! Why else would TSA give those people trouble and search them in disturbing and invasive ways? Everyone knows that those with medical conditions and horrific injuries leaving them mute are Islamic terrorists just waiting to crash a plane into the new World Trade Center! Just the other day I saw police hassling an old woman with a walker; clearly she has the codes to the president’s launch codes.
TL;DR: Lost me at ...
Badguys == Snowden.