How Does the Pandemic Change the Way We Protect Systems From Internal Threats?


By Sergey Ozhegov, CEO of SearchInform

“If last year we talked about going remote, today we see that most organisations leave employees the opportunity to work from home permanently or several days a week. We can see this tendency happens to our clients – if in 2019 the companies had slightly more than 10% of remote employees, and in 2020 they relocated most of the staffers to work remotely, then in 2021 the percentage of remote workers decreased, but not significantly. Therefore, now the information security solutions need to be developed with this factor in developers’ minds,” says Sergey Ozhegov, CEO of SearchInform.

It is well known that the transition to remote work has exacerbated information security problems. After all, it is much more difficult to control employee activity in a hybrid office (a significant part of employees has the opportunity to work at home for a certain amount of time) than in an enterprise in which information circulates exclusively within the corporate network.

At the same time, under the influence of the pandemic, the number of hybrid enterprises has increased markedly: for example, according to the IDC survey, if before the pandemic in 38% of the enterprises which took part in the survey no one was allowed to work at home, then after the first wave of the coronavirus the share of such enterprises decreased to 8%. At the same time, under the influence of the pandemic, the share of companies in which over 50% of employees had the right to spend more than half of their working hours at home increased from 15% to 35%.

“The mindset of information security experts has changed,” says Sergey Ozhegov. “In the context of remote work, blocking of document transfer (financial documents, information to which the access is limited, personal data, etc.) has become critical. Therefore, the developers have strengthened and expanded the types of blocking in DLP systems. Previously, blocking features were implemented only for specific communication channels and specific applications. However, now insiders have access to hundreds of data transfer and communication channels – zoom, skype, instant messengers, video conferencing systems, etc. Therefore, there is a need for technologies that are not tied to a specific application. We are seeing an increased demand for open-source APIs. Customers want to be able to modify products for their own unique business processes, for rare or self-written software. Companies need seamless interoperability of all IT infrastructure components.”

Sergey also noted that if previously the topic of moving to the cloud was practically a “taboo” for information security specialists, now the use of cloud technologies for many companies started to be the new normal. “The Internet is becoming more reliable and end users have less and less questions about protecting cloud storage.”

What do insiders leak, where to and in which ways?

80% of companies believe that internal information security incidents are more dangerous than external ones, according to SearchInform analysts based on the company’s research (find out more statistics and real-life use cases regarding internal threat prevention). The cause of these incidents can be both deliberate actions and disregard for the elementary rules of “cybersecurity hygiene”. Moreover, unintentional actions of employees are the causes of information security incidents more often than deliberate and malicious ones.

Alexey Drozd, head of the SearchInform information security department, believes that SMB is most exposed to information security risks. The reason is that, as a rule, they do not use specialized software that allows automated control of employee actions and information movement. Therefore, managers can’t assess the likelihood of risks and the effectiveness of possible data protection measures.

To dig deeper, SearchInform analysts summarised information received about incidents in 50 SMB companies in six industries (wholesale and retail, manufacturing, services, IT, construction, thermal power), which was collected while outsourcing information security and data protection to professional services. The data collected using DLP systems showed that during the study (it lasted several months), attempts to leak data were recorded in each of 50 enterprises.

It also turned out that during the attempts to leak corporate data, employees most often (in 56% of cases) used external media: flash drives, hard drives, mobile phones and other equipment. Also, email (21% of cases) and cloud (19%) follow by a wide margin.

“To prevent employees from leaking data uploading it to external media, the employer may prohibit copying data of a certain format. Or any documents on particular PCs. However, at the same time, there is a risk of slowing down some business processes, because then employees will not be able to perform part of their job duties. Therefore, such a measure must be applied pointwise. It is more efficient to use a data encryption tool: the document will be copied to an external storage, but the user will be able to open it only on authorised PCs, or if there are specific permissions (a password, for example). This will allow employees to share data, but will prevent data transfer outside the company,” says Aleksey Drozd.

Insider’s psychology

This issue was raised by Alexey Filatov, scientific supervisor of the SearchInform profiling department, in his speech.

He highlighted that, according to the Cost of Data Breach Report, under the influence of the self-isolation mode due to remote work, the number of leaks increased fivefold!

Alexey Filatov, referring to the research of Owner Consulting, noted that 10% of people never stole, 10% of people always stole, and 80% of people would steal if they are under pressure or are offered remuneration. In this case, an insider’s motives can be divided into five large groups: negligence, revenge or resentment, profit, fraud, ideological considerations.

There are studies that claim that up to 40% of insiders and employees who commit serious violations of information security rules do not manifest themselves within the network environment before an incident. At the same time, more than 80% of insiders have significant personal and behavioral peculiarities, which can be identified and assessed so that the risk of the violation of information security rules by a specific employee can be calculated. However, as Alexey Filatov notes, tests and questionnaires won’t help with identifying personality traits that are important for specialists responsible for risk mitigation, since when filling out these questionnaires, employees give predominantly socially desirable answers.

In general, the portrait of an insider is as follows: this is a person who is more of a strong independent individual as opposed to a team player. In addition, this person is in pursuit of money, material values, and power in communication. Also, there can be high impulsivity and emotionality, mood swings, and gambling. High selfishness, conflict and aggressiveness, sabotage and lack of obligation in the performance of professional duties, high unfulfilled ambitions, low loyalty to the previous employer, the pursuit of personal privilege, average or low professional productivity based on KPI.

Alexey Filatov points out that the digital behavior of an insider is difficult to pattern. At the same time, an insider is characterized by:

  • the desire not to use a corporate computer for personal purposes;
  • insignificant amount of entertainment traffic;
  • complete absence or minimal amount of positive linguistics in correspondence;
  • a small number of open connections and contacts;
  • interest in politics and weapons;
  • episodic rather than constant network activity.

However, as Alexey Filatov notes, there is a set of tools that allow, based on the analysis of the digital footprint of an employee, to compose his or her psychological profile for calculating the risks in the field of information security, as well as for identifying, delimiting and reducing potential risk groups without any leads and operational information. At the same time, the activity of an employee is assessed exclusively within a corporate computer, without invading privacy and violating any legal norms.

“Detailed knowledge and understanding of personnel allows companies not only to be proactive in preventing information leaks, but also to increase the efficiency of management and the work of the entire team,” says Alexey Filatov.


Sergey Ozhegov, CEO of SearchInform, has been contributing to the company’s development, handling strategic decision-making since 2015. Co-founder of the annual SearchInform Road Show series of conferences. He has been working in IT and information security for 15 years.


Follow Brilliance Security Magazine on Twitter, Facebook, and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.