The Problem: A regional bank needs to know howemployees are handling confidential information—such asSocial Security numbers—and if the information is safe afterthey’ve touched it.
The Details: Banks have done a pretty good job of securingthe perimeters of their networks from hackers and maliciousattacks, says Jim Brockett, chief information officer of Spokane,Wash.-based Washington Trust Bank. But they’ve had a hardertime protecting the insides of their networks from careless ormalicious employees who have legitimate access to customers’information—especially in areas like call centers, where pay islow and turnover is high. Brockett wasn’t confident that heknew what was happening to the information inside his ownbank. “We’ve had traditional theft and fraud,” he says, but ifcustomer names had been cut and pasted to a thumb drive andsold, “I don’t have any way of knowing.”
The Solution: Bot-based software from NextSentry, a vendorin Spokane. The software, called ActiveSentry, is downloadedto employees’ workstations and monitors what staffers aredoing with the bank’s data inside their browsers and applications.Information on the activity is sent to a server.
The technology was first developed for the government byNext IT, NextSentry’s former parent company, and has beenused by law enforcement to monitor conversations conductedby suspected pedophiles or terrorists in Internet Relay Chatchannels. But the government’s long sales cycle made it a hardmarket, says Sam Fleming, NextSentry’s chief technologyofficer, and Brockett was willing to help shape the technologyfor Washington Trust in return for a discount on the software.(Brockett declines to say how much the bank has spent.) TheCIO advised the vendor on which types of transactions andaccount patterns to track for banks, and how to report summariesof data on a dashboard so the bank’s analysts weren’tburied in gigantic logs of events.
NextSentry spun out of Next IT in June 2006 and now has11 customers in financial services, health care, gaming and theauto industry, a spokeswoman says.
The Result: All employees have been on the software for sixmonths, and the bank gets daily reports on what’s happening toits data. Brockett can know when somebody is printing lists ofaccount numbers, or cutting and pasting them from one applicationto another, or trying to save them on thumb drives they’veplugged into their workstations. If an event is deemed suspicious,the software can record it by taking screenshots every oneor two seconds. The bank can also direct the software to shutdown applications, alert employees or block certain actions,such as e-mailing data the bank deems private or confidential.(Alerts are not always effective, however—one employeewas warned that an action was against bank policy but tried itanyway for four days, until supervisors told him to stop.)
Brockett has run into some challenges with ActiveSentry.He says it took a while to get a feel for the reports and figureout which and how much data to track. The bank is stilladding filters and reports, and he figures that will be “a constantthing” with this product. The bank is careful to have a”rock-solid policy” that employees have no right to privacy ontheir workstations, he says, which some employees don’t like.His analysts are also careful not to divulge which behaviorsthe bank is monitoring because “word spreads quick” whenan employee does something that requires follow-up, and thatmakes the product less effective.
Brockett also cautions potential customers to be clear in theirown mind on why they’re using ActiveSentry, because the numberof options is vast. “We’re looking for fraud, not productivity,”he says. “There should be other ways to measure that.”
