Software That Sees Employees, Not Outsiders, As The Real Threat : All Tech Considered Security software that's meant to prevent data loss in firms is shifting the focus to employee behavior, monitoring activity round-the-clock in search of bad intent. But will bosses go too far?
NPR logo

Software That Sees Employees, Not Outsiders, As The Real Threat

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Software That Sees Employees, Not Outsiders, As The Real Threat

Software That Sees Employees, Not Outsiders, As The Real Threat

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


From NPR News, this is ALL THINGS CONSIDERED. I'm Robert Siegel.


I'm Melissa Block, and it's time now for All Tech Considered. More and more companies feel they have to protect sensitive data. And not just from hackers lurking outside their digital walls, but from insiders - employees who might swipe bank account numbers or electronic medical records, for example. Now, a new breed of security software is hitting the market to help with what's called insider threat detection. And as NPR's Aarti Shahani reports, that's raising some real labor relations issues.

AARTI SHAHANI, BYLINE: Step into the presentation, please.

MICHAEL CROUSE: Appreciate your time. And thanks again for joining us.

SHAHANI: Michael Crouse is the director of Insider Threat Strategies at Raytheon. He is giving me a virtual tour of a product called SureView.

CROUSE: So you're basically watching a screen.

SHAHANI: An employee's screen. Lots of security products track data when it moves between computers and servers. But SureView is a way to zoom into the employee's desktop and follow every keystroke. Take this file.

CROUSE: Family notes.txt.

SHAHANI: It could be family notes, or it could be company secrets. If the employee copies it to a USB stick, the software sets off a red alert, grabs that same file and displays its contents in real time.

CROUSE: And you can see kind of the quick view of it over to the right-hand screen.

SHAHANI: Managers can't predict when an alleged violation might happen, so SureView lets them rewind to the minutes or hour before the alert and watch like a slow-motion film.

CROUSE: So it's very compressed video, but it's very readable by an investigator.

SHAHANI: The software also tracks employee e-mails and websites they visit and pairs that data with this new stream to try to pinpoint malicious intent.

CROUSE: You can kind of, by watching video, determine that.

SHAHANI: Raytheon is a leading military contractor in the U.S., but here they're selling to a new market, the small business with sensitive data. They even put together this infomercial.


UNIDENTIFIED MAN: When most people think of cyber threats, they picture criminals or hackers trying to break into a network. What they don't realize is some of the biggest threats are already inside.

SHAHANI: Right now, companies use software to block an employee from copying or e-mailing an unauthorized document. But according to the research group, Gartner, only five percent of that software traces every move, looking for bad actors. By 2018, they project it'll be 80 percent. Behind this new technology is a new management philosophy. One that assigns a risk level to every employee.


UNIDENTIFIED MAN: One hundred percent of companies are at risk.

SHAHANI: What's hard to minimize is the false alarm.

CROUSE: It really is the limiting factor, if you will, to insider threat detection.

SHAHANI: Greg Shannon is a computer scientist at Carnegie Mellon. He says failures in technology can create a really toxic workplace. Say I'm poking around a bunch of files, doing research above and beyond the call of duty. In the old days, no one would know, or I'd be called proactive. Now, Shannon says, I'm under suspicion.

CROUSE: That's pretty demoralizing, demotivating and may just - I mean, just say, fine, I'm going to go find a job elsewhere. Even if I've - maybe especially if I've done nothing wrong.

SHAHANI: Lamar Pierce is a management professor at Washington University's Olin Business School. And he's got another concern. He's seen managers misuse surveillance tools. Pick fights with employees who play a little fantasy football on the job.

LAMAR PIERCE: Why don't we start monitoring directly what people are doing during the afternoon? Why don't we start, you know, reading people's e-mails to see if they say anything bad about the boss?

MIKE OLSON: Productive day?

SHAHANI: Mike Olson is the founder of Cloudera, a San Francisco company with about 600 workers. Cloudera records employee e-mails and web-surfing patterns. And even though that's a standard practice, Olson isn't comfortable talking about it.

OLSON: Because it raises in the minds of employees that they are being spied upon.

SHAHANI: Olson says Cloudera does not currently have managers sitting in surveillance booths, looking for bad actors. And he doesn't like the sound of that.

OLSON: Absolutely every action I take on my computer while in the office is observed. I understand, in the abstract, that that's possible. As an employee, it would creep me out if I believed that my employer were doing that.

SHAHANI: Security companies are hoping that as this new software becomes more accurate, it'll feel less creepy. Aarti Shahani, NPR News.

Copyright © 2014 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.