The employee who exfiltrated data after being fired. The employees who exposed 250 million customer records. The employee who stole trade secrets to get a leg up in his next job because hey, after all, it’s “his” work that he’s taking, right?
Those are our traditional notions of insider risk and threat, but the pandemic-induced push to remote work has created what Forcepoint’s Michael Crouse, director of enterprise user and data protection, calls a “big shift.”
“It’s not that people are trying to do harm against an organization,” he says. Rather, they often feel they have to slip past IT to just get their jobs done, employing “shadow IT” – projects that are managed outside of, and without the knowledge of, the IT department.
“I think people feel that the processes, that maybe the solutions in place that allow them to do the job, aren’t effective,” he says. “So you think about it from a shadow IT point of view. You know, when we kind of went away from those four walls, protecting your employees, everybody comes into work, they sit behind their desk in the office, all the IT infrastructure is built for being behind those four walls, protecting those individuals, whether it’s the VPN sessions, whether it’s, you know, their network firewalls.”
When you extend that perimeter, “some of the processes that were in place by the IT organizations aren’t effective, or they’re inhibiting a person’s ability to get the job done,” he says. “So what do people do is they look for alternative ways. So they go, for example, to shadow IT, or they go to working off the VPN because working on the VPN is slow.”
With over a quarter-century of experience supporting commercial and federal organizations, starting with the National Security Agency (NSA), Crouse promotes a paradigm shift for cybersecurity: one that’s focused on dynamic user protection and adaptive risk mitigation.
He works closely with top company decision-makers and lends key influence in helping them improve employee security behavior by changing the way people think about security; developing new cybersecurity policies, procedures, and technical approaches; and generating real-time, actionable data derived from employee behavior and industry baselines.
What does that all mean? It means that his approach to risk “has evolved from more of the, ‘What happened?’ to the ‘Why happened?’” he says.
“Once you know the behavior of individuals that could be, for example, taking information from an organization, committing IT sabotage, maybe committing fraud within your organization, once you know the behavior of the individual, then you can start observing what we call technical observance or monitoring for those technical observables, those behaviors,” he said. “You can get left of the actual breach or left of the actual action or incentive that is actually causing you a lot of heartache and a lot of pain within organizations.”
In this podcast, hosted by Threatpost’s Cody Hackett, Forcepoint’s Crouse discusses how insider risk is more than just monitoring user activity or analytics or preventing data leaks. “It’s that entire portfolio of solutions that are coming together in a second, verged environment,” he says.