
How a Trusted Employee Becomes a Business Risk, With Tom Miller - Ep. 73

Disengaged, violent, criminal employees are grown - not hired. A once loyal employee can turn into a business risk if you miss red flags and risky behavior. This episode looks at why continuous discovery - NOT simply relying on a pre-hire background check - is critical to protecting employees and the business at large. How exactly does an engaged, loyal employee turn into a news headline and tragedy, what goes on behind the scenes, and how can HR manage and respond?

Episode Table of Contents

  • [01:55] Enabling a Trusted Employee to Work Remotely
  • [06:59] The Risk of Banking on a Trusted Employee to Work Remotely
  • [14:12] Predefining the Behaviors of a Trusted Employee Upfront
  • [19:05] The Quest for a Trusted Employee Who Will Concur on a Continuous Evaluation
  • [23:31] Applying the Employee Assistant Program on a Trusted Employee
  • About Our Guest

Enabling a Trusted Employee to Work Remotely

Carol: Today I'm excited that we're joined by Tom Miller. He's the CEO of ClearForce. Welcome, Tom.

Eric: Tom, you have a deep background in risk management, the credit business, quite extensive.

Tom: I started my career as a banker for JPMorgan Chase and their risk management and analytics function.

Carol: Tom, I actually wanted to jump right into the topic of the day, which is COVID-19. I mean, I've seen a lot of reports about phishing attacks and apps that are infected, fakes, everything. I'm just wondering how you've seen things change in the insider threat world since we've had COVID-19 as part of our world.

Tom: That's a great question. I think today, everything's changed, in the last two weeks or so. I think from an employer and employee perspective, it's this sudden transition from office to telecommuting and remote work and you've got a lot of organizations that have that in their DNA. They're used to having employees that work remotely from home or in remote locations.

Tom: We have a lot of organizations that are brand new and I think it's a bit of a shock to the system from an organizational perspective, who now needs to think through all those capabilities required to not only enable employees to be productive but to find new ways to communicate and engage with individuals that they used to see on a daily basis.

The Psychology of Working From Home

Eric: I almost feel like nothing's changed as it relates to the insider threat, but everything's changed at the same time. We have a lot more people working from home. The psychology of it is different. Before you used to work from home because you chose to, you wanted to. You could go out at night with your friends for social activities, ballgames, drinks, dinner, whatever. Now you're at home, you might be at home with the spouse, you might be at home with the kids, but you're working from home just like you always did. But I think a lot's changed.

Carol: I always work from home, Tom and I have for years. And my favorite meme was one that's come up that said, "When you find out your lifestyle is called quarantine." But for me, even though this is my day to day and has been for years, just knowing that I can't go to my friends, we get together and have a social hour every Monday night, and I can't do that.

Carol: There was that mental part. I don't know if you probably heard, in Utah, which is where I am, last week we had an earthquake. I will tell you the emotional and mental toll on us in Utah was I cried, I sat down and cried after the earthquake.

Eric: Tom, from an insider threat perspective, I mean the world's changing. We have a lot more people working from home. How do you see it from a risk management perspective around the insider threat? Which is different?

What Is a Trusted Employee

Tom: Well, let's start with the premise that nobody wakes up on Monday and decides to commit a crime. So if you're an insider, there's always underlying factors that take what is a trusted, productive individual within the workforce and somehow have now moved them into a spot where they actually may commit crime against the organization.

Tom: That's a big leap from the time they walk through the door until now they're a threat to the organization. So things change and things happen. And I think a big part of that is related to stress and problems that that individual has that the organization is not aware of.

Tom: Now let's put it in this context. You've got folks that used to show up for work in an office and, had personal interactions with their colleagues, their supervisors, their managers. Now all of a sudden they don't, and back to this point. You're all by yourself.

Tom: And the level of stress that literally everybody's facing at some point or at some level today. I mean, it's crazy and unfortunately, you don't have that same one-to-one interaction.

Tom: So the level of engagement, the risk that an individual that is now maybe accelerating some personal challenge that they're facing. That creates massive amounts of risk for the organization.

Eric: What does an organization do about it?

Tom: You got to figure out how to, so number one, you have to over-communicate. So you have to fundamentally change the way you're communicating with your staff. Secondly, you got to figure out how to engage employees.

The Risk of Banking on a Trusted Employee to Work Remotely

Tom: Again, that's more challenging and I don't think it can be passive. It used to be a little bit easier. It was easier to engage individuals when you could walk down the floor, stick your head in their office or their cube.

Eric: I do it all the time. Like, "Hey, how's it going today? What's going on? Why didn't you do this?" I mean, all the time, it's so easy. Now it's hard.

Tom: It was almost, you didn't have to think about it. Now you're going to get conscious and you've got to set that stuff up and be more structured. You got to figure out how to get feedback from teammates and colleagues and coworkers. Do you have a way to capture that? Do you have a way to efficiently and effectively get feedback that there may be somebody on the team who's not doing so well?

Eric: And what signs are you looking for? Carolyn described the earthquake, she described lockdown. She can't socialize. I know Carolyn is a very social person. Those are risk ratings or flags for me. Like we have thousands of employees across the country, the globe going through this constantly. What do you look for?

Tom: I've used the word engagement a couple of times because I think it matters and I would start there. Are you picking up on behaviors that are indicative that somebody is checking out? Or is it attendance related? Is it they're showing up for video calls or conference calls and they're no longer participating. They don't seem to have any passion for the project that they're working on, they're missing deadlines.

How to Enable a Trusted Employee

Tom: That's the basic blocking and tackling and then you can go beyond that. Is there inappropriate behavior that's taking place? Are there comments being made? Are there statements, are there email communications that are going out to coworkers or customers?

Tom: Or are there an expression of negativity in an inappropriate way? And do you have the means to pick up on it? And most importantly, get it into leadership within the organization so somebody can do something about it.

Eric: And then when we're remote, how do we make sure you're getting what you need when we're remote? It's not just about the threat, but for people who could become problematic. What type of programs, what do we do?

Carol: And you were saying Tom, check in on these people. And that's a lot easier like you said when we're in the office and in our smaller groups. But when we're talking about thousands of employees, how do you check on these indicators?

Tom: I think part of it, and this is an opportunity for technology to play a role. So we work with customers today where you're trying to proactively alert on concerning behaviors. Not on all behavior, but concerning behaviors. Think about even individuals that you've got thousands of employees and you've got folks that now have a completely different daily structure. They get into trouble, right?

Blocking and Tackling

Tom: Like there are people running into, are they having a criminal activity that's occurring that you're not aware of? Are employees getting arrested for drunk driving? Or are they doing things right now that clearly are out of context to who they were within the workplace, but now all of a sudden the behavior is different. Do you have a way to pick up on that?

Tom: Well, we talked before, just even to go back to stress, financial stress right now is a big deal for everybody.

Tom: I mean you have folks that are having incomes reduced. You're having couples or families or maybe the spouse has become unemployed.

Eric: Or people who just lost a ton of money in the market right now. Huge stress, their retirement.

Carol: What I'm hearing, Tom, gets into touchy areas for me. Like you're talking about monitoring outside of the workplace. That's what we're talking about here. Financial.

Tom: Yes, absolutely. Our advice and the way we work with customers today is make sure you've got a good way to capture all that internal information in an effective way. That's blocking and tackling. Making sure that you've got appropriate internal incident capture where people can report concerns so that positive actions can be taken by management.

Carol: Are companies and employees warming up to that idea? Because I know we're walking on shaky ground here.

Building an Insider Risk Program

Tom: So they are, and clearly the organizations need to partner with their employees base on any type of insider risk or security program they put together. And I'll tell you that starting point almost always is with employee consent. That is foundational.

Tom: It's very difficult to have an effective security or insider risk program today where you're not building it on a foundation of employee privacy and ensuring the protection of every employee's rights. Nobody wants to do that. Nobody wants to step on individual's rights.

Tom: Nobody wants to walk outside of legal compliance on any of that. And again, one of the real key starting points tends to be employee consent. You're explaining to individuals within the organization what and why you're doing, to create a safe environment inside or for the organization largely.

Eric: So let's switch gears slightly to continuous evaluation, because I feel like we're touching on continuous evaluation or what people know as CE right now. Hot topic in the DoD space were, even though you have employee consent when it comes to security clearances, background checks and everything else, the IG is very, the legal teams are very, very sensitive around what they collect on and how. Talk to us about how CE could help us here or not? What are the strengths and limitations?

Tom: The concept of a static point in time assessment of risk makes no sense. It's almost becoming outdated to think that I'm going to look at an individual's behavior at a single point in time and determine whether I have risk as a result of that.

Predefining the Behaviors of a Trusted Employee Upfront

Carol: Yes, that was baffling to me that when I got my clearance they're like, "Okay, we'll check in five years." And another thing they zeroed in on, I had to have an in-person interview, because I had lived in Northern Ireland. And I'm like, "Really? This was 15-20 years ago and you're worried about my ties to Northern Ireland?" I understand why, but the continuous vetting makes a lot more sense to me.

Tom: No, that's exactly right. Not only is it static point in time, but it's looking backwards and it's picking up on information that occurred. But to your point, 15 years ago, I mean put it in the context of criminal justice reform. Like we got a lot of people and then a lot of people that don't get jobs today because of a crime 30 years ago.

Tom: And that individual, or lots of those individuals, are probably fundamentally different people today. But this is the concept of look today and look backwards. That's why CE matters. That's why it's just a better approach on every level to look at the behavior of an individual on an ongoing basis and limited to only those things that actually matter.

Tom: Another important component of CE is rather than searching for negative information about people and trying to look and find things that you are worried about, why don't you predefine what those activities or behaviors or occurrences are upfront and the only time you ever become aware of them is if they happen.

Save a Trusted Employee to Save Your Business

Tom: So if you're worried about somebody being convicted of a felony crime, then become alerted when it happens. You don't need to spend your time searching through it. Or another good example would be on back to financials and the sensitivity of it. Nobody wants your employer combing through your financial information, right? It feels intrusive.

Tom: Super intrusive. And you don't want your employer looking at how you spend, where you spend, how you shop. Nobody wants that. But what does an employer, particularly in this DoD security clearance place, hey, you have somebody that's on a fast path to financial stress, that's a problem, right?

Tom: You have the ability to really limit what you're receiving. And this isn't to say somebody that's got good credit or bad credit or somebody that's missing credit card bills, but you have somebody that's on a rapid track to foreclosing on homes and having their cars repossessed.

Tom: And boy, if you could step in front of that quickly and help them. Help them with credit counseling, help them with positive actions that can course correct something before it really gets to a situation that's difficult to work out of. It's a big deal.

Carol: I love that, Tom. I love the help part. So my good friend Mike Theis works for Carnegie Mellon and he's been in the insider threat business forever. It's how he positions it, save this employee, you don't want to lose a good employee. So let's step in and intervene and help. So, but are you seeing agencies embrace this on a broad level, the CE?

Deciding Which Side of the Line to Walk

Eric: I mean, I know DoD's struggling with it. So outside of DoD, who's trying to decide which side of the line to walk. How does a Veteran's Administration or Department of Energy or Commercial Accounts, how do they understand what my criminal record looks like or my driving record or my financial record?

Tom: You're actually hitting on a super important point. Most of these organizations don't struggle with the data. They struggle with how to protect its use once it's received. That's where the challenge on adoption, the challenge on use, all deals with the fact that can I put the legal guardrails in place to make sure that once the information is received, that the proper actions are taken, they won't get the organization in trouble and create more liability and are not somehow going to stamp on the civil liberties and the individuals underneath.

Tom: Data's easy at some level. I mean there's a lot of information out there that can be brought into an organization. It's not discovering the information, it's what happens and how you action that information in a compliant way thereafter.

Eric: So, I'm working for treasury. I have access to really sensitive information on the American people, potentially foreign countries, whatever, how would treasury pull this data in on me? Would they have to have my concurrence? Would I give them my concurrence to pull in financial data or criminal background data?

The Quest for a Trusted Employee Who Will Concur on a Continuous Evaluation

Tom: For almost all financial information, you absolutely, as an individual need to provide consent. They need consent in order to look at this information because you're protected under FCRA bottom line. The reason you would do it is, from an organizational perspective, your access creates risk. And that access, certainly if it's declassified information, means you have a clearance.

Tom: It means that as a result of that information, you have essentially given the government consent through CE to be able to look at that information. It's not classified. If it's just confidential data. If it's financial information or sensitive information that's unclassified, again, all that has risk. And what we tend to find is organizations that have individuals that have access to highly sensitive information or significant financial data. Those job roles understand that they're different than an average job.

Eric: What you're saying is, depending on the role, depending on the organization, they may need to change their policies and say, "Hey, we're going to start collecting this information on you in the role you're in. You have access to sensitive information and we need to do continuous evaluation, we want your concurrence. If you don't concur, that's fine, but this isn't the job for you."

Tom: You hit on a really good point here. Anytime you're talking about continuous evaluation, the concept of one size fits all makes no sense. That's where you're going to get a breakdown in adoption and buy-in by the employee base is if you are trying to solve across the organization or across multiple companies, it doesn't make any sense.

All Roles Are Not Equal

Tom: Each company has different levels of intellectual property, sensitive data, et cetera. Each company has different jobs and the risk that an individual represents to the organization is absolutely a function of their access. Do they have access to classified data?

Tom: Do they have access to financial data? Do they have access to sensitive information? Somebody working in a marketing department probably is a significantly different risk than somebody that has password access control within IT.

Carol: That's such an important point that all roles are not equal. We cannot do a blanket solution for this.

Eric: Carolyn, would you sign over your rights to have the company look at your criminal record, your background record, your financial data, your credit record or your credit report?

Carol: I grew up with Raytheon and so yes. I expect that to be part of my job. And I'm always interested to hear that millennials expect to be monitored and I expect to be monitored as part of my job.

Eric: I don't think they expect to be monitored.

Carol: They know they are.

Eric: They throw everything out there and they don't really care. But if they were asked specifically, I think, at least my kids would be like, "No, thanks." Just because they can.

Carol: My kid, he's in a fishbowl. He doesn't put anything out there. He's very locked down.

A Whole New Concept of Pre-Hire Requisites

Carol: I would, but like I said, I came into this business in the insider threat under the insider threat role.

Eric: Yes, so you're okay. Not a great example.

Tom: But I think an important one. I think that the use of continual evaluation is industry-specific and job-specific at some level. If you're in government contracting, if you are in financial services, if you have a transportation role, you fundamentally understand that your driving records are something that are going to be evaluated. It's a DoD requirement.

Tom: If you're in healthcare, I think the bigger question becomes if you start to get into industries where that's not the norm. You talk about perhaps manufacturing or retail or some of these other segments of the economy, where you can get a job working at a hotel where they may not run a background check.

Tom: For us, I think we find a lot of correlation there. If you're doing pre-hire background checks today, then the concept of continual evaluation is just an extension. If you're not doing any pre-hire background checks, then this is a whole new concept and a whole new policy that the organization's getting their head around.

Eric: Now, as we're wrapping up here, I think that's a great point, right? Most companies, many companies I should say, are doing background checks. I think a lot of employees or candidates are fine with a background check when they're getting a job. We almost need to change the policy as employers.

Applying the Employee Assistant Program on a Trusted Employee

Eric: We're going to do a background check and also, for you to be employed here, we want to do some level of continuous evaluation which will look like X, Y, and Z for these roles. We need to change policy.

Tom: I totally agree. And go back to my comment on criminal justice reform. It's better. It is not necessarily just better for the organization, it's better for individuals too. You're not being graded on what happened 10 years ago. You're being graded on what you do in the organization from this point forward.

Eric: We can help them when there is a challenge. Now that we have access to the information, we can better apply the employee assistance programs and things like that to help employees who are in need.

Tom: We hear this from HR executives constantly. Organizations have spent a ton of money on wellness and assistance programs for their employees. The challenge they have is getting the services to the people at the point that they need them.

Carol: Well, this has been a great conversation and so we can keep it to the point, I'm going to have to wrap us up, but thank you so much for joining us, Tom.

Tom: Thank you very much. I appreciate it.

About Our Guest

Tom has more than 25 years of analytic and risk management experience as a co-founder and CEO of ClearForce, a cyber and employee risk management company based in Vienna, VA. Prior to ClearForce, Tom was the CEO of ALI Solutions (aka, Austin Logistics).

During his tenure at ALI, Tom served as the CFO and headed the Marketing and Business Development functions, where he established global distribution channels, established a regional presence in China, and co-invented a patented system for priority queuing algorithms.

Prior to ALI Solutions, Tom was a Vice President at JP Morgan Chase's card risk management division where he developed and managed the credit risk policy for the card and unsecured credit portfolios. Tom also served as the Vice President of Analytics for Noble Systems Corporation.