
Don’t Let False Positives Sink Your Cybersecurity Strategy

Nobody wants to ignore an ongoing cyberattack — but overreacting to harmless user activities can do almost as much damage.

When you think about the must-have capabilities for organizational cybersecurity, spotting attacks and rapidly taking action to prevent them is at the top of the list. It’s almost as important, though, to pay attention to the flip-side of that proposition — and ensure your cybersecurity tools are able to identify risky behavior without flagging harmless activity as potentially malicious.

With cybersecurity professionals reporting that they spend as much as 30% of their time chasing down groundless reports of risky behavior or unauthorized data access, false positives have become a serious problem for many organizations. Fortunately, newer tooling is making it possible for security teams to push back, and to redirect their resources in more targeted and proportional ways.

The problem with false positives

False positives occur when a user's actions raise red flags even though the user isn't actually doing anything wrong. Perhaps they've logged on from a new device; perhaps they're on a business trip and accessing files from a different geographic location; or perhaps they have a legitimate reason to share sensitive files with other business divisions.

Flagging those activities and taking corresponding security measures — locking users out of their accounts or blocking access to files — stops users from doing their jobs, fosters resentment about cybersecurity precautions in general, and doesn’t make your organization safer.

As every CISO knows, building trust and winning buy-in for security programs is a key challenge — and a key stumbling block. False positives directly erode trust in your security initiatives, and increase the chance of your employees trying to circumvent security rules and procedures that, though designed to keep them safe, have come to be seen as merely an irritant.

Because most data protection policies rest on static rules and simple keyword-based pattern matching, false positives are increasingly common. As long as security systems blindly apply rules with no real understanding of the data they're processing, false positives will be unavoidable.

A snowballing security crisis

The ideal security system would identify malicious or risky network activity with 100% accuracy, then immediately take forceful and decisive action to lock down the network, prevent misuse of data, and reassert control of sensitive information. The more false positives you have, the more you’ll have to compromise — perhaps you’ll add a second tier of checks before you lock users out of accounts, or require human intervention before you knock key data offline.

That creates more time and space for mistakes to spiral into crises, or for attackers to siphon off data before they’re stopped. And of course, false positives also drive up operating costs and take up your security team’s time as you figure out what went wrong, and reinstate access to key data or accounts.
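The "second tier of checks" idea above, combined with the benign signals listed earlier (new device, new location, legitimate file sharing), can be made concrete. The following is an added example, not code from the original article or from any product it describes: it scores a login against a few signals, including an impossible-travel check computed from the previous login's location and time, and maps the score to a graduated action (allow, step-up MFA, block) instead of blocking on any single anomaly. The user baseline, signal weights, thresholds, and the 900 km/h plausibility limit are illustrative assumptions, and the login records are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class Login:
    user: str
    ts: float          # Unix time, seconds
    lat: float
    lon: float
    device_id: str
    country: str


# Constructed baseline for one hypothetical user. A real deployment would
# derive known devices and usual countries from historical login data.
KNOWN_DEVICES = {"alice": {"laptop-01"}}
USUAL_COUNTRY = {"alice": "US"}

# Signal weights and tier thresholds are illustrative assumptions.
WEIGHTS = {"new_device": 20, "new_country": 15, "impossible_travel": 50}
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 60
MAX_PLAUSIBLE_KMH = 900.0   # roughly the speed of a commercial flight


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_signals(prev: Optional[Login], cur: Login) -> dict:
    """Return the signals that fired for this login, with their weights."""
    signals = {}
    if cur.device_id not in KNOWN_DEVICES.get(cur.user, set()):
        signals["new_device"] = WEIGHTS["new_device"]
    if cur.country != USUAL_COUNTRY.get(cur.user):
        signals["new_country"] = WEIGHTS["new_country"]
    if prev is not None and cur.ts > prev.ts:
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.ts - prev.ts) / 3600.0
        if km / hours > MAX_PLAUSIBLE_KMH:
            signals["impossible_travel"] = WEIGHTS["impossible_travel"]
    return signals


def tiered_action(signals: dict) -> str:
    """Graduated response: only a high combined score blocks outright."""
    score = sum(signals.values())
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa"
    return "allow"


def naive_action(signals: dict) -> str:
    """The overreacting policy: any single anomaly locks the user out."""
    return "block" if signals else "allow"


# Constructed scenarios: the same user seen first in New York, then London.
T0 = 1_700_000_000
NYC = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
BASELINE = Login("alice", T0, *NYC, "laptop-01", "US")
SCENARIOS = {
    # business trip, usual laptop, nine hours after the New York login
    "trip_known_device": Login("alice", T0 + 9 * 3600, *LONDON, "laptop-01", "GB"),
    # same trip, but from a phone the system has never seen
    "trip_new_device": Login("alice", T0 + 9 * 3600, *LONDON, "phone-77", "GB"),
    # London one hour after New York on an unknown device
    "impossible_travel": Login("alice", T0 + 3600, *LONDON, "phone-77", "GB"),
}


def assess(name: str) -> dict:
    """Evaluate one scenario under both the tiered and the naive policy."""
    signals = risk_signals(BASELINE, SCENARIOS[name])
    return {"signals": signals,
            "tiered": tiered_action(signals),
            "naive": naive_action(signals)}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, assess(name))
```

The business trip on a known device fires only the new-country signal, so the tiered policy logs it and lets the user work, while the naive policy locks them out. The unknown phone on the same trip earns a step-up prompt rather than a lockout, and only the physically implausible login reaches the block threshold.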

At their root, these damaging missteps are frequently grounded in a failure to accurately identify which data and documents genuinely need protecting. Given the sheer volumes of data now flowing through the modern workplace, manually sorting and classifying data isn’t just burdensome — it’s error-prone and doomed to failure.

Worse still, as those errors in your data classification compound, your employees will lose faith in your security processes, and stop putting in as much effort to properly identify and label the data they create and use. All too soon, the problem can snowball, with disgruntled employees processing degraded data that over time triggers even more morale-sapping false positives.

How to mitigate false positives

So what’s the solution? Well, there’s no way to eliminate false positives altogether — or at least, not without creating the potential for false negatives that would pose an unacceptable security risk. But you can reduce false positives to an occasional annoyance that doesn’t demoralize employees or require you to downscale your security response to flagged user activity.

The key is to ensure that you have full visibility into what data you have in your system, how it’s being used, and how sensitive it is. Crucially, this can’t be achieved with manual data-tagging and classification strategies, because as such strategies scale they inevitably consume more time than any individual or organization can afford to give them.

Instead, organizations need to adopt automated tools that can rapidly analyze and tag data according to sensitivity, then use that metadata to enforce rigorous policies that prevent data from being misused in real time. That might sound like science fiction — but with new developments in AI and machine learning, such technologies are now not only available but also affordable and easy to implement.

Automated tools can sort and classify sensitive data up to 10,000 times faster than a human, and with much less margin for error. Sensitive information — from sales numbers to credit card information — can be spotted and tagged at scale, and your security team can create and effortlessly implement policies to ensure sensitive data isn’t inadvertently shared, moved onto insecure servers or cloud systems, or handled in inappropriate ways.
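To make the contrast between keyword-style rules and validated classification concrete, here is an added example (not code from the original article or from any product it describes). It tags lines as PCI data two ways: a rule that flags any card-shaped run of digits, and a classifier that extracts the same candidates but tags them only if they pass the Luhn check digit and carry a plausible issuer prefix. The sample lines, their sensitivity labels, and the prefix list are constructed for illustration; the prefix list is deliberately coarse and not a complete issuer table.

```python
import re

# Constructed sample lines (not taken from any real system). The boolean
# records whether a human reviewer would call the line sensitive, i.e.
# whether it really contains a payment card number. The two card values
# are well-known test numbers, not live cards.
SAMPLE_LINES = [
    ("Customer paid with card 4111 1111 1111 1111, exp 12/27", True),
    ("Account 5500-0000-0000-0004 kept on file for renewals", True),
    ("Order ref 1234567890123456 shipped to warehouse B", False),
    ("Uptime counter read 8675309867530986 at 03:00", False),
    ("Device serial 0000000000000000 replaced under warranty", False),
    ("Q3 sales total 12,500,000 across 16 regions", False),
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_prefix_ok(digits: str) -> bool:
    """Coarse check against a few well-known issuer prefixes (illustrative)."""
    return (digits.startswith("4")
            or digits[:2] in {"34", "37", "51", "52", "53", "54", "55"}
            or digits.startswith("6011"))


def classify_keyword(line: str):
    """Rule-based classifier: any card-shaped digit run is tagged as PCI."""
    return "pci" if CANDIDATE_RE.search(line) else None


def classify_validated(line: str):
    """Same candidate extraction, but tag only values that pass Luhn and prefix checks."""
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and issuer_prefix_ok(digits):
            return "pci"
    return None


def evaluate(classifier, samples=SAMPLE_LINES) -> dict:
    """Count true positives, false positives and false negatives over labelled samples."""
    tp = fp = fn = 0
    for line, sensitive in samples:
        flagged = classifier(line) is not None
        if flagged and sensitive:
            tp += 1
        elif flagged and not sensitive:
            fp += 1
        elif not flagged and sensitive:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 1.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": round(precision, 2)}


if __name__ == "__main__":
    print("keyword rule:", evaluate(classify_keyword))
    print("validated:   ", evaluate(classify_validated))
```

On the constructed sample the keyword rule catches both card numbers but also flags the order reference, the uptime counter, and the all-zero serial (which passes Luhn but has no issuer prefix), for a precision of 0.4. The validated classifier keeps both true positives and drops all three false positives. The tag returned by the classifier is the metadata a policy engine would then act on.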

By combining automatically classified data with smarter, AI-enabled tools, it’s possible to gain far richer and more rigorous insights into both user behavior and the nature of the assets you’re trying to protect. The result: a tougher security perimeter and a more accurate and reliable process that dramatically reduces the potential for false positives.

Get smart about cybersecurity

With companies of all kinds facing new security challenges in the wake of the COVID-19 pandemic and the switch to remote work, it’s never been more important for organizations to come up with robust but cost-effective and scalable cybersecurity strategies. As things stand, false positives — both at the micro-level of individual document classification, and at the macro-level of mistaken security alerts and account lock-outs — represent a major obstacle for organizations seeking to level up their online security.

The key is to refuse to accept false positives simply as the cost of doing business, and to insist on finding a better approach. False positives eat up your employees’ time at every level of your organization. Companies need to invest in smart, seamless, and scalable automated IT systems to map data and user behaviors and ensure they have the 360-degree visibility they need to respond appropriately to both risky and benign behaviors — without compromising on overall network security.