Problem: If there are thousands of employees scattered around hundreds of places, how do you keep your organization’s network safe?

Solution: You should monitor your employees wherever they’re located, and devise a standard baseline of their behavior through machine learning techniques. By using that information, you can identify anomalies and protect your network from cyberattacks.

Most organizations still have employees working from home while a small part of the workforce returns to offices, inevitably introducing some changes to user behavior. Keeping an eye out for these changes can prepare you for unexpected internal and external cybersecurity risks to the network. Here are some user behavioral changes that you should look for as organizations continue to adapt to modern work environments in the COVID-19 era.

 1. Unusual access times

 The combination of employees working both from home and from the office can result in a difference in user access times from their usual hours. Monitoring these changes enables you to identify a new standard pattern of logon hours for each employee regardless of their work location, which helps you detect anomalies by identifying changes that go against that normal behavior. For example, if a user’s new normal logon time is 10am to 6pm, and one day they log in at 12am, this will be counted as a time anomaly. You can then immediately investigate if there is a potential insider threat.

 2. Numerous logon failures

 With the increase in distributed workspaces, staying aware of the identity of the people logging in to your network becomes increasingly difficult. Monitoring logon failures helps provide insights into who is trying to access your network, and why there are numerous failures on that particular host within a specific period of time. This helps you detect the source of this suspicious activity, and mitigate a potential threat like account compromise.

 3. Unusual file downloads

 As both remote employees and in-house employees access the organization’s resources from different locations, it can open up the network to intrusions, paving the way for cybercriminals looking to take advantage of the situation and exfiltrate sensitive data. A user with an unusual amount of file downloads will be counted as a count anomaly, and the security admin will be immediately alerted. This can help protect sensitive data from being exfiltrated.

 4. Excessive authentication failures

 A security policy that is as simple as user authentication can protect your organization’s network from external threats, especially with all the new distributed workspaces. Monitoring authentication failures can make you aware of the user account in question, and immediately investigate the security event. This can protect your network from external threats like an intrusion attempt.

 5. Abnormal permission changes

 For an intruder to exploit an organization’s network and access their resources, they need elevated user access privileges. This essentially hands them the key to exfiltrate sensitive data. By monitoring unusual permissions, you will be directed to the user account that is compromised, allowing you to act immediately and stop a potential cyberattack.

As remote work continues and some employees move back to a traditional workplace, there’s more leeway for malicious insiders and intruders to slip under the radar. This means security admins need to tighten their cybersecurity policies by looking at places least trodden upon. For more information on cybersecurity practices, you can follow to ensure network security, check out our remote employee monitoring page.