An internal document obtained by Motherboard revealed Amazon’s plan to track employee’s keystroke entries. The tech and e-commerce giant plans to curb ever-increasing data leaks using this type of surveillance. Imposters, rogue employees, and hackers routinely compromise customers’ confidential information.
Amazon is considering deploying advanced keystroke tracking tools. A company known as BehavioSec is working with the e-commerce firm to license specialized tools capable of enhancing system surveillance. The vendor’s software relies on behavioral biometrics to determine the nature of user activity. Behavioral biometrics eliminates the need to depend on static data or personally identifiable information.
Profiles generated by BehavioSec’s software make it easier to detect suspicious activity. Amazon shortlisted BehavioSec’s product based on privacy considerations. Other tools considered by the firm presented privacy challenges linked to keystroke data collection.
According to the internal document, Amazon detected several breaches that compromised customers’ sensitive data. In one of the incidents, an imposter illegally accessed customer data by posing as a service agent. For this reason, the company is looking to deploy an effective IT security solution to verify users’ identities and monitor device usage.
The security gaps present a serious threat that could damage customers’ confidence and Amazon’s reputation. Data exfiltration is a major concern for the management team since many employees work from home. Amazon plans to thwart threats that arise under various conditions, including unauthorized access via a device that an employee forgot to lock.
It aims to eliminate imposter takeover by 2022 since employee and customer data security is a top priority. The company stated that it regularly explores and tests wide-ranging cybersecurity technologies to bolster data protection measures. However, it is mindful of the need to achieve a delicate balance between monitoring employee activity and remaining compliant with privacy laws.
The internal document also revealed that outsourced workers in the Philippines and India present a higher risk of data exfiltration. Most of the recorded incidents happen in these countries. Hence, Amazon is hoping that BehavioSec’s solution will address the problem.
In general, companies rely on the employee-manager team to enhance security controls. However, the remote work trend introduced a new dynamic that compromised companies’ basic security controls. When employees work from home, it becomes difficult to detect all unauthorized access to sensitive data.
Under such circumstances, companies need to find viable solutions to compensate for the reduced controls. Experts believe that keystroke monitoring is a security feature that remote workers should expect to find on company devices in the future. BehavioSec’s profiling mechanism plays an essential role in helping companies detect sophisticated cyber attacks.
Highly skilled hackers often gain access to corporate systems and remain undetected for lengthy periods. Behavioral profiling detects such intrusions by monitoring anomalous patterns and user behaviors. This approach detects patterns in one or more connected devices. For instance, security software will raise a red flag if a video surveillance camera connects to a suspicious domain.
In Amazon’s case, behavioral profiling makes it easier to identify compromised devices. Many of the company’s customer service agents work remotely in shared residences. Meanwhile, some agents store their devices on properties with poor physical security.
Federal law allows businesses to monitor their employees’ activities under specific circumstances. Several states also provide regulatory guidelines on the subject. However, transparency is a key component of employee monitoring practices. Failing to inform employees about workplace or digital surveillance may result in legal action.
In some cases, the law does not compel companies to inform employees about surveillance activities. The (ECPA) Electronic Communications Privacy Act of 1986 legalizes surveillance for organizations with a legitimate business reason to monitor employees. As such, employers can view emails composed and sent by employees.
On the other hand, a different regulatory framework deals with web activity surveillance. It allows companies to track keystrokes and web browsing activity on corporate devices and networks. Employers should use information from the monitoring activities for internal purposes only. Sharing information with third parties is against the law.
Similarly, the law compels employers to safeguard the collected information to prevent unauthorized access. Employees can initiate legal action against an employer if with sensitive information leaks following a data breach.
These regulatory requirements necessitate a cautious deployment of keystroke tracking tools and other surveillance software. Thus, Amazon is treading carefully when it comes to the employee monitoring tool it wants to use.