Security Case: What Are Your Employees Doing at Work?

By Deborah Gage Print this article Print

Washington Trust Bank couldn't tell whether workers were downloading confidential information to thumb drives. So, it installed software to monitor workstation data flow.

The Problem: A regional bank needs to know how employees are handling confidential information—such as Social Security numbers—and if the information is safe after they've touched it.

The Details: Banks have done a pretty good job of securing the perimeters of their networks from hackers and malicious attacks, says Jim Brockett, chief information officer of Spokane, Wash.-based Washington Trust Bank. But they've had a harder time protecting the insides of their networks from careless or malicious employees who have legitimate access to customers' information—especially in areas like call centers, where pay is low and turnover is high. Brockett wasn't confident that he knew what was happening to the information inside his own bank. "We've had traditional theft and fraud," he says, but if customer names had been cut and pasted to a thumb drive and sold, "I don't have any way of knowing."

The Solution: Bot-based software from NextSentry, a vendor in Spokane. The software, called ActiveSentry, is downloaded to employees' workstations and monitors what staffers are doing with the bank's data inside their browsers and applications. Information on the activity is sent to a server.

The technology was first developed for the government by Next IT, NextSentry's former parent company, and has been used by law enforcement to monitor conversations conducted by suspected pedophiles or terrorists in Internet Relay Chat channels. But the government's long sales cycle made it a hard market, says Sam Fleming, NextSentry's chief technology officer, and Brockett was willing to help shape the technology for Washington Trust in return for a discount on the software. (Brockett declines to say how much the bank has spent.) The CIO advised the vendor on which types of transactions and account patterns to track for banks, and how to report summaries of data on a dashboard so the bank's analysts weren't buried in gigantic logs of events.

NextSentry spun out of Next IT in June 2006 and now has 11 customers in financial services, health care, gaming and the auto industry, a spokeswoman says.

The Result: All employees have been on the software for six months, and the bank gets daily reports on what's happening to its data. Brockett can know when somebody is printing lists of account numbers, or cutting and pasting them from one application to another, or trying to save them on thumb drives they've plugged into their workstations. If an event is deemed suspicious, the software can record it by taking screenshots every one or two seconds. The bank can also direct the software to shut down applications, alert employees or block certain actions, such as e-mailing data the bank deems private or confidential. (Alerts are not always effective, however—one employee was warned that an action was against bank policy but tried it anyway for four days, until supervisors told him to stop.)

Brockett has run into some challenges with ActiveSentry. He says it took a while to get a feel for the reports and figure out which and how much data to track. The bank is still adding filters and reports, and he figures that will be "a constant thing" with this product. The bank is careful to have a "rock-solid policy" that employees have no right to privacy on their workstations, he says, which some employees don't like. His analysts are also careful not to divulge which behaviors the bank is monitoring because "word spreads quick" when an employee does something that requires follow-up, and that makes the product less effective.

Brockett also cautions potential customers to be clear in their own mind on why they're using ActiveSentry, because the number of options is vast. "We're looking for fraud, not productivity," he says. "There should be other ways to measure that."

This article was originally published on 2007-04-09
Senior Writer
Based in Silicon Valley, Debbie was a founding member of Ziff Davis Media's Sm@rt Partner, where she developed investigative projects and wrote a column on start-ups. She has covered the high-tech industry since 1994 and has also worked for Minnesota Public Radio, covering state politics. She has written freelance op-ed pieces on public education for the San Jose Mercury News, and has also won several national awards for her work co-producing a documentary. She has a B.A. from Minnesota State University.

eWeek eWeek

Have the latest technology news and resources emailed to you everyday.