Protect Your Company’s Critical Data with DocuSign Monitor

Internal data breaches are a major challenge for all types of organizations. According to IBM Security, 83% of organizations have experienced more than one data breach, and the average cost of a single data breach for U.S.-based companies is $9.4 million.

Inadequate protection of employee login credentials is a leading cause of data breaches. According to the 2023 Verizon Data Breach Incident Report, nearly 45% of data breaches were initiated through the use of stolen credentials, while another 19% were caused by internal actors, either intentionally or otherwise.

And while all data breaches are costly to organizations, those that result from internal user activity—whether through stolen credentials, intentional actions or accidental data loss—expose 10 times the number of records as an external breach.

Why? Because insider breaches typically go undetected for much longer than external incidents.

Companies hope their users are doing the right thing and assume single sign-on (SSO) protocols are sufficient to protect them. But SSO alone is not a true defense against compromised credentials and internal bad actors.

Today, the best-prepared organizations use technology to continuously monitor sensitive data and processes for unusual activity. That’s why DocuSign created Monitor—a solution designed to protect critical data and agreements from unauthorized activity through round-the-clock tracking.

How does DocuSign Monitor work?

DocuSign Monitor helps organizations detect and respond to unusual activities through three key functions:

1. Detect potential threats from inside or outside the organization with rules-based alerts
2. Provide ready access to in-depth data points to help security teams investigate the activity that triggered the alert
3. Help administrators respond quickly to verified threats before they cause significant damage

Monitor is more than a toolkit—it comes with over 20 pre-built alerts for the most common types of suspicious activity, an actionable dashboard and a companion API. Monitor also supports security information and event management (SIEM) with a Splunk app available on the Splunkbase™marketplace.

Monitor includes pre-built alerts designed to identify and warn against the most common data breach scenarios, including:

• A user fails multiple login attempts, signifying a potential external brute-force attack
• A bulk user export is initiated, indicating employee information was potentially compromised
• A simultaneous login, signifying unauthorized access

In all of the most common suspicious activity scenarios, Monitor checks for unusual activity and generates an alert to the administrator or information security officer in real time.

For example, if Monitor detects an unusually large number of DocuSign envelopes deleted by a single user, it will automatically send email and browser notifications to the designated security resource. The security staff member can then use Monitor to investigate the incident or take immediate action to prevent further activity until an investigation can be completed.

Detecting and mitigating risk

Monitor has helped security teams across numerous industries detect and mitigate risk, potentially avoiding significant financial losses.

For example, a global credit card company used Monitor to detect changes to password policy, a violation of the firm’s governance policy and a potential data breach risk. The firm was able to successfully investigate and mitigate the incident without loss.

In another real-life scenario, a global British-American financial institution detected transactions on its platform originating from Liberia, a jurisdiction where no authorized transactions should occur. The firm was able to detect and mitigate this unauthorized activity—preventing a possible data breach—only two days after first implementing and activating Monitor in its operations.

It can be difficult to place a dollar value on risk averted. But it’s safe to assume that the potential financial damages in the above situations would have far exceeded the cost of implementing Monitor.

New enhancements to Monitor

DocuSign is excited to announce several new enhancements to Monitor that make the platform even more powerful and easy to use.

First, Monitor protects agreements from potential threats with three new enhanced security measures:

• Credential leak alerting: Track compromised or stolen user credentials found on the dark web and alert users to reset their passwords and report suspicious activity
• IP safelists: Get better visibility and focus on unauthorized activity by creating a safelist of internal and secure IP addresses. Decrease alert traffic from safe-listed IPs—freeing up admin time
• Automated actions: Proactively block malicious activity based on DocuSign and country-specific security policies, such as U.S. embargo laws

Next, users of DocuSign CLM—an end-to-end contract lifecycle management solution—now have access to Monitor to proactively protect their CLM agreement data. Users can detect potential threats across the contract lifecycle with rules-based alerts, investigate unauthorized activity from internal and external stakeholders with in-depth, actionable data and act instantly with Monitor’s recommended actions, helping to limit risk exposure and maintain compliance.

Monitor is a next-level security solution that identifies and mitigates risk. It simplifies compliance with U.S., EU and global security standards and easily integrates into your existing security stack through the Monitor API and Splunkbase app. 

Learn more about DocuSign Monitor and the DocuSign Admin Tools suite of next-generation digital solutions for enhanced security, scalability and oversight.