Proofpoint Inc.

07/15/2025 | Press release | Distributed by Public on 07/15/2025 08:34

Stolen Hours: How Proofpoint Insider Threat Management Helped Identify Users Outsourcing Their Work

For most insider risk teams, the top concern is typically the departing employee. And for good reason: departing employees, whether careless or malicious, often feel entitled to the intellectual property they've created and want to take it when they leave. The good news is that employees who give their notice can be monitored in a high-risk group. But what about other less frequent, but just as damaging insider threats? Examples include espionage, sabotage and fraud. A global health insurer's insider threat team set out to answer this very question: what hidden risks might be lurking in our organization?

In this blog post, we share how this global health insurer uncovered a new insider threat, time fraud, and used Proofpoint Insider Threat Management (ITM) to reduce the risk and protect their organization.

A manual, disjointed approach to insider risk

In 2024, the global health insurer faced several challenges. As the business grew, so did the volume of highly sensitive personal health information (PHI), the lifeblood of their business. Over the previous decade, the company made several acquisitions, resulting in a mix of security practices and cultures. In addition, a large seasonal workforce that helped during the benefits enrollment season increased the number of contractors with access to sensitive data.

To add to the challenges, the insider risk team was using a legacy tool that did not provide the visibility they needed. In fact, the team used several different tools to investigate insider-led incidents. This meant gathering information from many sources to piece together a full picture. In some cases, it took over 12 hours to search through Microsoft logs to find just one key data point. What's more, the team's legacy tool required an agent to be installed on a user's computer before any risky behavior took place. That rendered it nearly useless given the unpredictable nature of insider threats.

After careful review, the insider risk team chose Proofpoint ITM. They selected it for its in-depth visibility, access to historical user data to aid investigations, adaptive risk controls and operational efficiency.

Detecting unknown risk with dynamic monitoring

Just several months after deploying ITM, the insider risk team used it to proactively identify numerous insider threats, helping to prevent damage to the organization.

One primary use case the team identified was time fraud. This happens when a user is paid for doing a job they don't actually work on, instead giving someone else access to do it for them. Time fraud is considered an insider threat because of the harm that can arise from an insider misusing their authorized access to the organization's network, systems or data.

The insider risk team at the health insurer had received reports of possible time fraud. To investigate, they created a dynamic policy to detect when workers used desktop screen sharing. A dynamic policy proactively identifies risky behavior and triggers when an alert is generated. Unlike static policies, a dynamic policy is based on risky behavior, not on a pre-identified user or group of users taking a risky action. This adaptive approach helps uncover unknown risks while giving insider risk teams actionable alerts and protecting user privacy.

With the help of dynamic policies, the insider risk team detected cases where users offloaded their work by giving someone else control of their desktop through Zoom or Teams. There were several incidents, which ranged in length from five minutes to eight hours. With detailed metadata and screenshots captured by ITM, the team had the evidence needed to confirm the risky behavior. As a result, they built a case in minutes instead of days, helping to speed up the investigation.

In a similar case, a new hire at the health insurer was found to be still working for their former employer, essentially double jobbing. ITM provided the visibility needed to detect this risky behavior and violation of corporate policy.

Proofpoint helps reduce risk and gain operational efficiencies

With ITM, the health insurer has realized several benefits. These include:

  • Reduced risk. With the visibility provided by Proofpoint, the insider risk team was able to act at the earliest point of detection, helping to proactively mitigate risk. The team used explorations, a dashboard of user activity, to view events and incidents in real time, helping guide proactive investigations.
  • Operational efficiencies. Contextual insights and forensic evidence helped the team to speed up investigations and resolve incidents, as many as three per day. The evidence was irrefutable, enabling the team to make informed decisions and take quick action.
  • Mature insider threat program. The insider risk team had been eager to explore use cases beyond traditional investigations such as departing employees. With dynamic policies in ITM, the team was able to address security and policy violations, work more efficiently, and proactively identify areas of risk. As a result, they have matured their program, expanded the team and added value to the business.

The insider risk team at the global health insurer saw major benefits after switching from a manual, outdated tool to Proofpoint ITM, which can identify risky behavior in real time. The following table summarizes these.

| Requirement | Before: legacy tool | After: Proofpoint ITM |
|---|---|---|
| Endpoint agent deployment | Deployed to specific users that might be risky | Deployed to all 70,000 users with no impact to productivity because of the lightweight agent |
| Monitoring | Reactive: based on specific users or user groups | Dynamic: automatically triggers based on risky behavior |
| Visibility | Limited | Real-time |
| Forensics evidence | None | Detailed metadata and screenshots |

Learn more

  • Read more about how Proofpoint can help you mitigate insider risk.
  • Watch a webinar to learn more about adaptive insider risk management and dynamic policies.
Proofpoint Inc. published this content on July 15, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 15, 2025 at 14:34 UTC.