42 Seconds with a Code42 Customer: Lehigh University

Code42 provides your business with a variety of data security benefits, including increased productivity, risk mitigation, streamlined user workflows, and more – all in a single product that’s been proven to ultimately save you money. While Code42 has a few primary use cases – backup and recovery, device migration, etc. – we’ve learned that our different customers use Code42 in different ways. To explore how customers use our product, we recently partnered with the talented team at creative agency Crash+Sues to create a series of animated videos featuring the voices and likenesses of actual Code42 users.

In our latest video, Naazer Ashraf, senior computing consultant at Lehigh University, explains why they rely on Code42 over sync and share products for data backup and restore. As one of the nation’s premier research universities, Lehigh’s faculty are known for their excellence in research. Obviously, data is extremely important (and valuable) to researchers, so imagine the reaction when one researcher deleted files from Google Drive to save space–and discovered that doing so wiped the files for 10 other researchers. Naazer tells the story in just 42 seconds. Check it out below.

Protect Your Data from Insider Threats with Code42

Code42 provides your business with a variety of benefits, including increased productivity, risk mitigation, streamlined user workflows, and more – all in a single product that’s been proven to ultimately save you money. Recently, Code42 launched Security Center, a new suite of tools to help you spot suspicious data use behaviors in your workforce – and respond to them if necessary. There’s a big reason why we added this feature – the facts show that 89 percent of corporate data loss involves the actions of an insider.

We recently partnered with the talented team at creative agency Crash+Sues to create a series of videos about the core features of Code42. This most recent video focuses on an all-too-common scenario in which an employee decides to steal valuable data from his employer. Unfortunately for him, this company has Code42’s Security Center.

Take a look today for an illustration of how Code42 and Security Center can help keep your enterprise’s data safe from insider threats.

Leave the World a Better, and More Accessible, Place - Code42

It doesn’t take long after a new employee joins Code42 for them to realize that we are a company that knows having values isn’t meaningful unless you truly LIVE the values. From the way we greet employees when they walk through the door, to the way we show them around the office, our cultural values are front and center. We assume positive intent. We get it done and do it right. We are not afraid. We believe that corporations should have more than solely an investor responsibility; they also should have a civic responsibility to “leave the world a better place.” For many of us at Code42, leaving the world a better place gives us a great purpose through work, one that encourages us to give back.

At Code42, we’re always striving to create a more diverse workplace. That diversity takes many forms, including but not limited to race, ethnicity, age, gender, sexual orientation, spiritual belief, socioeconomic status, ability and disability. We try to encourage engagement with each of these dimensions across our business.

Throughout 2018, we made strong strides to address diversity head-on. Going into 2019, we knew we wanted to accelerate our efforts on web accessibility within our product. There were two main events that precipitated that goal. First, a colleague gave a lightning talk about how accessibility improves the experience for all users, not just those with different accessibility needs. That talk really resonated across our team. Perhaps one of the most poignant examples of that talk was the “curb cut effect,” as highlighted in an episode of the 99% Invisible podcast. In the 1970’s, after cities began implementing curb cuts, they found that the impact of those accessibility improvements was wider-reaching than they anticipated. It turns out that everyone benefited by having access over the curb, whether they were in wheelchairs, on bikes, pushing a stroller, or towing a cart behind them.

The second event happened this year during the Super Bowl. An ad caught my eye. Microsoft aired a commercial that debuted their Accessibility Controller, which allows anyone, regardless of their needs, to use the controller effectively. They took a bold stance in the market with the phrase, “When we all play, we all win,” which struck right at the heart of the issue. Nobody should feel as though they cannot use or engage with a product. Put more succinctly, when technology empowers each of us, it empowers all of us.

So, what does that mean for Code42? We’re making a commitment to ensure our product is more accessible. While we can’t magically change where we are today, we can change where we go in the future. We’re happy to announce that we’ve launched an initiative called “Acutely Aware for Accessibility.” The goal of this initiative is to test to WCAG 2.1 standards and to ensure that the new capabilities we create use technology choices that empower everyone. It will no longer be acceptable to log defects only against the function of the product for mouse users who don’t employ assistive technology. Instead, we now expect our employees and customers to log defects against our product whenever we fail to live up to the accessibility standards we’ve set. In the coming months and years, we’ll be excited to announce more on this initiative and share our progress. For the time being, we want to emphasize our commitment to inclusion in our products here at Code42.

At Code42, our values define how we work, play and engage with each other, not just within the four walls of our workplace, but also in our community. Each day we are committed to leaving the world a better place. And each day when we arise, we know that while we’ll never reach the finish line of this journey, we can contribute more back to the society that raised the caring, creative and innovative employees we have here.

The Five Big Themes I’ll Be Looking for Next Week at Black Hat

If there is one annual event that encapsulates cybersecurity, it’s Black Hat. For more than 20 years, thousands have gathered to learn security skills during the Black Hat training sessions and to see cutting-edge research on display at the Black Hat Briefings. Black Hat has been held every year in Las Vegas since 1997, right about the time enterprise data security started maturing into widespread practice. Over the years, the crowds have grown, and so has the importance of data security.

Every year at Black Hat, I try to keep an eye out for different trends. These are themes that I believe will be important and drive a lot of the conversation at the conference, not to mention the months that follow. Here’s what I’m looking at this year:

The insider threat

There have been several recent news stories that highlight insider threat, and it’s no fluke that they dominate the news cycle. Insider threats are up 50 percent in the past four years alone. Recently, we learned about the McAfee employees who quit and were sued for allegedly taking intellectual property to a competitor. Then there was the SunPower exec who emailed himself highly sensitive trade secrets. And the Desjardins employee who accessed the data of nearly three million bank customers. Earlier this year, the Verizon Insider Threat Report found that 20 percent of cybersecurity incidents originated from trusted insiders and often went unnoticed for weeks, months, and even years.

What piques my interest about insider threat isn’t just the number of attacks perpetrated by insiders; it’s about how damaging insiders can be to an organization. After all, insiders know where the data is and what data is valuable. I’ll be looking for lots of conversations in this area, and new insights into ways to better detect and respond to insider threats before IP is gone and the damage is done.

The increased importance of DevSecOps

The popularity of DevOps keeps growing. According to Allied Market Research, the global market for DevOps tools was nearly $3 billion in 2016 and is expected to reach over $9 billion by 2023 — growing at a healthy 19% annual clip. Yet, enterprises have a challenge when it comes to incorporating security into the DevOps application development and management processes. That’s what DevSecOps is all about. I think we’re going to hear some great advice and ways to maximize the incorporation of strong security practices into DevOps.

Insight into the emerging threat landscape

We always look toward finding a fresh perspective on the threat landscape at Black Hat. The conference presenters are always examining new attack methods in detail. This year will be no different, and I’m expecting to see interesting approaches to attacks via social media and insider threat exploits.

Latest trends in Zero Trust security

Zero Trust has moved from buzzword to reality, but we’re just beginning to see organizations move beyond superficial Zero Trust implementations. Zero Trust is a security concept built on the premise that companies shouldn’t trust anyone or anything inside or outside their perimeters, and instead must verify and monitor anything and everything trying to access company data. I expect the conversations around it to become more meaningful and results-based, and it will continue to be an interesting and compelling topic in the months following Black Hat.

A deep look inside a few interesting security vulnerabilities

At Black Hat, if you don’t make it to a few sessions where they dive deep into a security flaw or exploit, you’re really missing out. These sessions are eye-opening, heart-stopping, and mind-jarring to see. It opens your eyes to the ways in which people make new inroads to devices, hack into large enterprises, and leverage vulnerable software to do it silently.

I’m also going to keep a lookout for new buzzwords and emerging attack trends. For instance, we already see the rapid rise of deepfake videos. And let’s face it, these videos are getting incredibly good, thanks to sophisticated algorithms that produce unprecedented realism. Soon, we’ll have trouble trusting our own eyes and ears to discern what is real. This will be fun to see take shape this year.

Finally, we all know that the IT industry is increasingly turning to artificial intelligence (AI) and machine learning to help secure our increasingly complex environments. But when it comes to new security technologies, it’s a bit of a double-edged sword. What can be used for our defense can also be used to attack us. AI is no different, and in the near future, we’re going to see AI used more commonly to attack enterprises. AI-based attacks are on their way. You can count on it.

CrowdStrike and Code42 vs. External and Insider Threats (Video)

After working on security teams at large retail organizations, I’m now in the unique, and fortunate, position to be the director of security at Code42, an organization that makes one of the products that my team uses daily. This gives us direct access to Code42’s latest product features, beta testing, and the opportunity to network with organizations like CrowdStrike both as peers and as customers of each other’s products.

The Code42 Next-Gen Data Loss Protection solution is an incredibly helpful tool to have in the toolkit. I’m proud of how my company is innovating to help fill a critical need in data security, particularly around protecting data from insider threats. But as any savvy security professional knows, there’s no one silver bullet to address all of an organization’s data security needs. For this, I rely on different products to protect Code42’s data from an ever-present array of threats.

One of the key solutions we use at Code42 is CrowdStrike, the fastest-growing endpoint detection and response solution on the market. Some of the things I love about CrowdStrike are its high-fidelity rate and its low rate of false positives; how it has a lot of searchable, granular event data; and its Falcon OverWatch service, which provides a “second set of eyes” to alert us to unusual activity in our environment. 

CrowdStrike and Code42 work shoulder-to-shoulder to protect our data. CrowdStrike protects our organizations from external threats such as malware, while Code42 accelerates our detection of and response to insider threats, like departing employees.

As you can tell, I’m a huge advocate for CrowdStrike, which made it particularly cool to meet with Tim Briggs, CrowdStrike’s incident response analyst, at our Evolution19 conference in Denver earlier this year. I learned a lot from Tim, and even got a few tips from the trenches about how he uses Code42 and CrowdStrike in their environment. For example, Tim shared a story about a recent incident, when their security team received an alert from the CrowdStrike platform that was related to torrent activity in their system. Torrent activity could be extremely malicious, in that an employee may be exfiltrating valuable IP, or it could simply mean an employee was misusing company assets. 

With the alert in hand, the CrowdStrike security team was able to use Code42 to look at the files and download history of the employee in question. They quickly figured out that the employee was downloading movies onto their device. With that context, the CrowdStrike team was able to ascertain that, while the employee was misusing company assets, he wasn’t behaving maliciously or exfiltrating data. The security team was then able to report that to their executive team. 

While the threat landscape is in a constant state of flux, two things will never change. Breaches will happen, and employees will take data when they leave. It is that simple. Together, CrowdStrike and Code42 are dedicated to making it faster and easier for our respective customers to detect and respond to insider and external threats. 

Code42 and Splunk Protect IP from Employee Misuse for MACOM (Video)

As a semiconductor design and manufacturing company, MACOM’s data includes proprietary designs and CAD drawings that are extremely valuable forms of IP. Making sure that data stays within the company and is protected from employee misuse is key to our success as a business. Part of our challenge in protecting our data is that we’re about 1,500 employees spread across roughly 50 sites globally. For such a large global organization, our security team runs lean. Jeff Litwinowich, director of IT and Security, and I are really the only two members of the team who are accountable for security at MACOM. To give us some extra horsepower, we need tools that provide visibility into what’s happening with our data, both on endpoints and in cloud applications.

Having had a positive experience as a Code42 customer at a previous organization, Jeff and I were eager to look at Code42 Next-Gen Data Loss Protection as we were evaluating products which could help lay the foundation of our data loss protection strategy. At the time, MACOM was in the midst of our digital transformation, with the intention to go from IT 1.0 to 3.0 within the year. We needed a product to ensure that our data is always protected, as we were rapidly adopting cloud solutions and going through organizational changes. We needed to accomplish this without placing an administrative burden on our lean IT or security teams, or requiring on-premises infrastructure to support.   

Our initial POC validated that Code42 was easy to deploy and could detect data movement that previously would have gone unnoticed. The POC soon expanded to a company-wide deployment of Code42 Next-Gen Data Loss Protection. The global deployment went very smoothly. It was complete within about a month, which was a fast turnaround for us. Today, we have gone a step further, and integrated Code42 and Splunk. Together, these solutions not only help us monitor data activity, but also consolidate that information for a clear snapshot of what’s happening at an individual and organizational level. Having these tools provides efficiencies and enhanced security beyond what we had before. 

Code42 and Splunk allow us to trust our employees, but verify. We’re a company of people and everyone needs to trust each other and work together. While I want to believe that no one is doing anything malicious, it’s my duty to verify, to ensure we’re all in the clear. Code42 is the validator. 

Validation happens in a few ways. When a rule is broken, we need to understand why it was broken. Was there a legitimate business reason, and was that a good enough reason not to follow that rule? Should we make an exception to the rule?

Validation can also be thought of as our way of responding to data exfiltration incidents. In times when we detect data leaving the company, we are able to access the file in question and determine if it was inadvertent or malicious. For example, if a departing employee tells us they’re just taking personal pictures that were on their device, we can look back and validate if that is true. If we access the files and find that it was actually company property, the conversation changes. 

In my role, I have a general idea of what data is important and what’s not, but I rely on the business to tell me what is truly critical. HR and legal are my primary stakeholders when it comes to protecting data from insider threats. Generally, they are looking at users who are involved in litigation or someone who’s leaving the company. They ask us to monitor the user’s activity and provide insight related to actions the user has taken in regards to their data in the past. By analyzing the Code42 data in the Splunk dashboard, I can easily go back and look at somebody’s activities after the fact to make sure we’re protecting what’s most critical to the business. 

With Code42 and Splunk, I am also able to be proactive. By setting up alerts, I can look at specific users and get immediate notification if they’re engaging in suspicious behavior like moving something to an unsanctioned cloud application or a USB. The best thing about Code42 is we have all the data and it gives us an incredible amount of visibility that we’ve never had before. 

Gosh, Well, What Can We Say Except “Thank You?”

Wherever their sensitive data and IP lives or moves, whether on endpoints, Google Drive or portable hard drives, companies trust us to protect their ideas and most valuable data, and we take that trust seriously. Ensuring their success is our number one mission at Code42.

That’s why it is especially gratifying when we are recognized among the industry’s most innovative and progressive companies for finding new ways to help our customers’ speed their detection and response to insider threats and other data loss and exfiltration events. We are thrilled to announce that in the first half of 2019 our Code42®Next-Gen Data Loss Protection solution has earned a number of industry honors:

  • Cybersecurity Insiders named Code42 a Gold Winner for Data Leakage Protection and a Silver Winner for Best Cybersecurity Company in the 2019 Cybersecurity Excellence Awards. Award selections are made in partnership with a LinkedIn community of more than 400,000 cybersecurity professionals.
  • Code42 was twice named a winner in the Cyber Defense Magazine 2019 InfoSec Awards in the categories of Next-Gen Data Loss Prevention and Next-Gen Insider Threat Detection. The Code42 Next-Gen DLP was selected by a panel of security professionals for the honor, which seeks to recognize industry innovators and those poised to become the next generation of industry leaders. 
  • Code42 Next-Gen DLP won the Bronze Stevie® Award in the Endpoint Security Management Solution category as part of the 17th Annual American Business Awards®. More than 200 professionals worldwide participate in judging the Stevie® Awards.

While we’re proud to make a difference in the businesses of our customers, we also take pride in making Code42 a great place to work for employees. 

  • For the fifth time, Code42 was named one of the Top Workplaces in Minnesota by the Star Tribune, our local Minneapolis newspaper. As a Top Workplace, Code42 joins the ranks of the most progressive companies in Minnesota, based on employee opinions measuring engagement, organizational health and satisfaction.

It’s the dedication and hard work of our employees that enable us to continue to fulfill our customer-first mission. With that said, we want to extend a special thanks to our employees and customers whose passion for what they do has driven us for the last 18 years to become an industry leader in data security.

Mitigating Departing Employee Data Loss Threats Code42 Blog

The first thing most IT security pros think when they read, “DLP is a program or a process — not a product,” is, “A program sounds a lot more complicated and expensive than a product.” But that doesn’t have to be the case. In my last blog, I outlined 10 key steps to building a simplified insider threat program that’s based around three key workflows: departing employees, organizational change and high-risk employees. We believe these three scenarios account for 80% of insider threat. 

Today, we’re diving into the first workflow: departing employees.

It’s a big problem, and it’s only getting bigger

Even the very best places to work are feeling the pain of this growing challenge. People are changing jobs more frequently than ever, a trend that started shortly after the recession and has continued accelerating: Employee “quits” (voluntary departures) have risen every year since 2010, according to the U.S. Bureau of Labor Statistics. A recent survey suggests more than half of U.S. workers will look for a new job in 2019 — and half of those new-job-seekers haven’t even been at their current gig for a full year. One big reason: employees increasingly don’t have the same feelings of loyalty toward their employers — in fact, they fully expect to switch jobs frequently in order to stay fresh and grow. With the job market remaining strong (especially for in-demand knowledge workers), their confidence in finding a new job is as high as ever.

And when they leave, they’re taking valuable and/or sensitive data with them. The Code42 2018 Data Exposure Report showed that roughly half of employees admit to taking IP with them when they leave. Even more concerning: the higher you go in the company, the more likely data is walking out the door, with over 70% of execs admitting to taking IP from one employer to the next.

It’s not black and white

The risk posed by departing employees tends to be viewed in absolute terms. Most organizations assume that 99.9% of employees would NEVER take anything or do anything risky. “They’re good people; they know better,” is something we hear all too often. On the flip side, most assume that any employee that does take data is doing so maliciously. The reality is that there’s a tremendous gray area. Most people aren’t outright stealing. They’re doing things like:

  • Pulling together their best work to help them land a new job
  • Taking the work they’re most proud of with them
  • Taking things like templates to use in their new gig
  • Taking “their” client info
  • Deleting files to “help” clean up their devices for the next user
  • Even just sharing work with colleagues, or pulling important working files onto a thumb drive to give to a current colleague so the project keeps moving forward after they leave

Most have good (if self-centered) intentions. But they’re still taking actions that put the company at risk.

Offboarding is just as important as onboarding

While most organizations dedicate significant time and resources to their employee onboarding program, offboarding gets far less attention. In fact, most organizations don’t have a specific and consistent workflow to account for the unique data exposure risks surrounding a departing employee, and those that do have an offboarding process rarely involve the security team in it.

Building a departing employee workflow

With employee departures accelerating across the workforce — you need to have a dedicated program to account for these risks. So, what should that program look like? Here are a handful of best practices that simplify the task:

  • Have a corporate policy. You may think your idea of data theft is universal. It’s not. Every organization needs an explicit, written policy around employee data exfiltration: what they can and can’t take; where they can and can’t move data; and how they should go about getting permission to take files or data upon their departure.
  • Publicize the policy. Bad habits are hard to break. Make data protection best practices part of employee onboarding. But also make sure data exfiltration review is part of the offboarding process. A simple reminder can go a long way toward preventing well-intentioned employees from doing something they shouldn’t.
  • Create a departing employee trigger — and execute the workflow every time. Most organizations have a new employee trigger, owned by HR, that automatically sets in motion an onboarding process that includes everything from training to IT and security teams giving the new employee the access privileges they’ll need. HR should also have a departing employee trigger that automatically sets in motion an offboarding process that includes a security analysis of the employee’s data activity to account for potential risks. Just like onboarding, this departing employee workflow should be followed for every departing employee — not just those you consider high-risk. 
  • Go back in time. A common mistake is to think employees start taking data after they give notice or right before they leave. Moreover, most employee monitoring tools only start monitoring an employee once notice is given. The reality is that the risky activity most often occurs much, much earlier — as they’re looking for a new job; after they’ve accepted another position, but before they’ve given notice; etc. To account for this reality, best practice is to analyze departing employee activity going back months from the day they give notice.
  • Build a “red flag” list with LOB. By focusing on just departing employees, you’ve already dramatically narrowed the scope of the security analysis from the traditional “classify ALL your data” approach of legacy DLP. But you can home in further by engaging LOB leaders to build a specific list of your organization’s most valuable files and file types: source code for tech companies, CAD drawings at an engineering firm, Salesforce files and customer lists, spreadsheets with financial info, codenames for R&D projects, etc. Make sure your monitoring tools allow you to search and filter activity by file type, file name, etc., so you can quickly look for these red-flag activities.
  • Search for common signs of suspicious activity. In addition to looking at specific file categories, your monitoring tools should also allow you to easily see when file activity deviates from normal patterns (e.g., a spike in volume), to search specifically for after-hours or weekend activity (when suspicious activity often occurs), and to uncover suspicious file mismatches (e.g., a customer list file is renamed “photo of my daughter” and the MIME type of its content doesn’t match the file extension).

A departing employee workflow example

Here’s a rough look at how a departing employee workflow works in practice:

1) TRIGGER
Employee gives notice, triggering activity review by IT security.

2) ANALYSIS
Security looks back at the past 90 days of employee data activity, searching for suspicious or risky actions.

3) ACTIVITY FLAGGED
Security flags suspicious activity: a product pricing spreadsheet that was emailed to an external address.

4) HR/LOB REVIEW
Security restores the spreadsheet and brings it to HR. HR brings it to the LOB manager. LOB manager confirms that emailing pricing document was not authorized.

5) ESCALATION TO LEGAL
Depending on the activity and severity of the risk, the issue may be escalated to legal.
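The lookback analysis behind the best practices above and the five-step workflow, as an added example that is not Code42’s code or product: it takes constructed file-activity events for one user, keeps the 90 days before the notice date, and flags red-flag file types and names, unsanctioned destinations, after-hours activity, extension/MIME mismatches and daily volume spikes. The event schema, the red-flag list, the business hours and the spike thresholds are all assumptions.

```python
"""Departing-employee lookback triage over constructed file-activity events.
Added example; the event schema, red-flag list and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import median
import mimetypes
import os

LOOKBACK_DAYS = 90
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59 local time (assumption)
SPIKE_FACTOR, SPIKE_MIN_EVENTS = 3.0, 5  # spike thresholds (assumption)

# "Red flag" list as an LOB team might supply it (constructed values).
RED_FLAG_EXTENSIONS = {".dwg", ".xlsx", ".csv"}
RED_FLAG_KEYWORDS = ("pricing", "customer", "salesforce", "project-orion")
SANCTIONED_DESTINATIONS = {"corp-sharepoint", "corp-gdrive"}


@dataclass
class FileEvent:
    when: datetime
    user: str
    path: str
    mime: str         # MIME type sniffed from the file content by the agent
    destination: str  # e.g. "usb", "email:external", "corp-gdrive"


def in_lookback(ev: FileEvent, notice_date: date) -> bool:
    """True if the event falls within LOOKBACK_DAYS before the notice date."""
    start = datetime.combine(notice_date - timedelta(days=LOOKBACK_DAYS), datetime.min.time())
    end = datetime.combine(notice_date, datetime.max.time())
    return start <= ev.when <= end


def is_after_hours(ev: FileEvent) -> bool:
    """Weekend activity or activity outside business hours."""
    return ev.when.weekday() >= 5 or ev.when.hour not in BUSINESS_HOURS


def extension_mime_mismatch(ev: FileEvent) -> bool:
    """Content type disagrees with what the file extension implies."""
    guessed, _ = mimetypes.guess_type(ev.path)
    return guessed is not None and guessed != ev.mime


def matches_red_flags(ev: FileEvent) -> bool:
    name = os.path.basename(ev.path).lower()
    return (os.path.splitext(name)[1] in RED_FLAG_EXTENSIONS
            or any(k in name for k in RED_FLAG_KEYWORDS))


def daily_spikes(events) -> set:
    """Dates whose event count is far above the user's typical active day."""
    per_day = defaultdict(int)
    for ev in events:
        per_day[ev.when.date()] += 1
    if not per_day:
        return set()
    baseline = median(per_day.values())
    return {d for d, n in per_day.items()
            if n >= SPIKE_MIN_EVENTS and n >= SPIKE_FACTOR * baseline}


def triage(events, user: str, notice_date: date):
    """Return [(event, [reasons])] for every in-window event with a red flag."""
    window = [ev for ev in events if ev.user == user and in_lookback(ev, notice_date)]
    spike_days = daily_spikes(window)
    findings = []
    for ev in sorted(window, key=lambda e: e.when):
        reasons = []
        if matches_red_flags(ev):
            reasons.append("red-flag file")
        if ev.destination not in SANCTIONED_DESTINATIONS:
            reasons.append(f"unsanctioned destination: {ev.destination}")
        if is_after_hours(ev):
            reasons.append("after-hours")
        if extension_mime_mismatch(ev):
            reasons.append(f"extension/MIME mismatch ({ev.mime})")
        if ev.when.date() in spike_days:
            reasons.append("part of volume spike")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample activity for user "alice", who gives notice on 2019-06-14.
NOTICE_DATE = date(2019, 6, 14)
SHEET = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
EVENTS = [
    FileEvent(datetime(2019, 2, 1, 10, 0), "alice", "docs/q4-plan.txt", "text/plain", "usb"),
    FileEvent(datetime(2019, 5, 20, 11, 0), "alice", "reports/weekly-status.txt", "text/plain", "corp-sharepoint"),
    FileEvent(datetime(2019, 6, 2, 23, 15), "alice", "finance/product-pricing-2019.xlsx", SHEET, "email:external"),
    FileEvent(datetime(2019, 6, 3, 12, 0), "alice", "personal/photo-of-my-daughter.jpg", "text/csv", "usb"),
] + [  # twelve CAD drawings copied to USB within minutes on one Monday afternoon
    FileEvent(datetime(2019, 6, 10, 14, i), "alice", f"cad/part-{i:02d}.dwg", "image/vnd.dwg", "usb")
    for i in range(12)
]

if __name__ == "__main__":
    for ev, reasons in triage(EVENTS, "alice", NOTICE_DATE):
        print(ev.when, ev.path, "->", "; ".join(reasons))
```

The February event is dropped by the 90-day window and the SharePoint upload produces no reasons; the pricing spreadsheet, the mislabelled "photo" and the burst of CAD files are what an analyst would take to HR and the LOB manager in steps 3 and 4.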

It all depends on visibility

The departing employee workflow — like your entire insider threat program — depends on visibility. To be able to look back at the last 90 days of a departing employee’s activity, you can’t be working with a DLP or monitoring solution that only kicks on after the employee gives notice. You need to be continuously monitoring all data activity, so you’re instantly ready to execute a 90-day security analysis of any employee, as soon as they give notice. This visibility can’t be limited to file names. To get to the bottom of suspicious activity and act with confidence, you need the ability to restore and review any version of any file — so you can see if it’s really a problem. With this kind of always-on monitoring, you can enable the kinds of targeted triggers that focus your attention where it matters most — and act quickly to mitigate risk and potential damage from the many things departing employees take with them when they leave.

Happy Anniversary! GDPR One Year Later

It’s been a year since we — and many of you — went live with enhancements to our privacy and security programs tied to GDPR, and two years since we started the GDPR journey. That’s why it’s a great time to look back at the impact GDPR has had on the way we do business.

This post is purely for general information purposes and is not intended as legal advice. It gives a glimpse into Code42’s early GDPR implementation. Our program will continue to evolve and mature, as will GDPR itself and other national and international privacy rules.

What we did to get ready for May 2018

We started preparing for GDPR around May 2017. The GDPR journey shouldn’t be a one-department initiative or the sole responsibility of Legal or Security. It must be a business-driven initiative with Legal and Security providing recommendations and guidance. At Code42, we established a cross-functional group comprised of Legal, Security, IT and system subject matter experts. The key activities of this group were to:

  1. Create an inventory of applications in scope for GDPR. We have European employees and customers so we had to look at applications that were both internal and customer-impacting. When outlining in-scope applications for GDPR, we kept in mind that more restrictive data privacy laws seem imminent in the U.S. We also conducted a cost-benefit analysis to determine whether we should keep non-EU PI in scope now or revisit it at a later date.  
  2. Define retention periods for all of the applications in scope. Prior to our GDPR journey, we had a retention program in place, but it was largely focused on data we knew we had legal, regulatory or other compliance obligations around, including financial records, personnel files, customer archives and security logs. GDPR just gave us the nudge we needed to mature what we were already committed to and have better conversations around what other data we were storing and why.
  3. Figure out how to purge personal data from applications. This may be challenging for SaaS organizations. When applications are managed on premises, it’s much easier to delete the data when you no longer need it. But translating that to all your SaaS applications is another story. There are a few areas where SaaS applications are still maturing compared to their on-prem counterparts, and data deletion appears to be one of them. Delete (or anonymize) data where you can. Otherwise, either add the application to a risk register, asking the application owner to formally accept the risk and submit a feature request to the vendor, or look for a new vendor who can meet your retention requirements.
  4. Create an audit program to validate compliance with our security program. We are fortunate to have an awesome internal audit program that monitors effectiveness of our security program, among other IT and technology-related audit tasks. So it was logical to test our in-scope applications against our newly defined retention requirements. We review applications periodically.
  5. And lastly, but just as important, define a process for data subjects to request that their information be deleted outside of a standard retention schedule (aka “right to be forgotten”). It is important to remember that this is not an absolute. While we want to honor a data subject’s request as much as possible, there may be legitimate business cases where you may need to maintain some data. The key for us was defining what those legitimate business cases were so we could be as transparent as possible if and when we received a request.

What we’ve learned in the last year

So what have we learned about GDPR one year and two internal audits later? A lot. 

What’s going well

1. A vendor playing nice

We had a really great success story early on with one vendor. When we dug into it, we found that our users were previously set up with the ability to use any email address (not just a Code42 email). We also learned our instance was configured to save PII that wasn’t a necessary business record. Based on that conversation, we were able to make a few configuration changes and actually take that application out of scope for GDPR! 

2. A more robust application lifecycle program and greater insight into the actual cost of a tool

As a technology company that is continually innovating, we want to empower our users to use tools and technologies that excite them and increase productivity. At the same time, we want to ensure we are addressing security, privacy and general business requirements. Users often find tools that are “so cheap” in terms of the cost of user licenses. Our new Application Lifecycle Management (ALM) process, however, gives us a better sense of the actual cost of a new tool when we factor in:

  • Onboarding requirements: Think Legal, Security, IT, Finance. Are there compliance requirements? Do we already have similar tools in place?
  • Audit requirements: Will this be part of the GDPR data retention audit, user access audit or other application audit?
  • Stand-up/stand-down requirements: Will it integrate with our single sign-on solution? How does it integrate with other tools? How is data returned or destroyed?
  • Support requirements: Who are users going to contact when they inevitably need help using the tool?

When the person making the request can see all of the added costs going into this “inexpensive” tool, it makes for easier discussions. Sometimes we’ve moved forward with new tooling. Other times we’ve gone back to existing tools to see if there are features we can take advantage of because the true “cost” of a new solution isn’t worth it.

3. A great start toward the next evolution of privacy laws

On the heels of GDPR, there has been a lot of chatter about the introduction of more robust state privacy laws and potentially a federal privacy law. While future regulations will certainly have their own nuances, position yourselves to comply with them in a way that will require just small tweaks versus major lifts like the GDPR effort.

What’s not working

1. What exactly IS personal data?

We have had a lot of conversations about what data was in scope… and I mean A LOT. According to the GDPR, personal data is defined as any information related to an identified or identifiable natural person. That puts just about every piece of data in scope. And while it may seem like an all-or-nothing approach may be easier, consider risks that could affect things like availability, productivity, retention, etc. when implementing controls, then scope programs appropriately to address those risks in a meaningful way. 

2. “Yes, we are GDPR compliant!”

One thing we realized very quickly was that it wasn’t enough to simply ask our vendors if they were “GDPR compliant.” We ended up with a lot of “Yes!” answers that upon further investigation were definite “No’s.” Some lessons learned: 

  • Understand the specific requirements you have for vendors: Can they delete or anonymize data? Can they delete users? 
  • Whenever possible, schedule a call with your vendors to talk through your needs instead of filing tickets or emailing. We found it was much easier to get answers to our questions when we could talk with a technical representative.
  • Ask for a demo so they can show you how they’ll delete or anonymize data and/or users. 
  • Don’t rely on a contractual statement that data will be deleted at the end of a contract term. Many tools still aren’t able to actually do this. It’s important that you know what risks you are carrying with each vendor.
  • Audit your vendors to ensure they are doing what they said they would. 

Would we do it all over again?

Actually, yes. While our GDPR project caused some grumbling and frustration at the beginning, it has now become an integrated part of how we operate. There is no panic and no annoyance. Instead, there are lots of great proactive conversations about data. At the end of the day, we have matured our tool management and our privacy and security, and our data owners feel a stronger sense of data ownership.

Wanna see a sample of our Application Lifecycle Management (ALM) vetting checklist? 

Legacy DLP Doesn’t Work: McAfee Sues Former Employees for Stealing Company Data

If you think your company is immune to departing employees walking out the door with sensitive data, think again.

Case in point: A world leader in data loss security, McAfee, just filed a lawsuit against three former employees for conspiracy and stealing trade secrets before they went to work for Tanium, a market rival. To carry out the alleged heist, the employees did not use the type of sophisticated technology that you might expect. Instead, according to the lawsuit, confidential company information was moved to unauthorized USB devices, private email addresses and cloud-based drives.

The kicker? A “leader” in data loss prevention didn’t realize that critical data was leaving until months after the damage was already done. And even then, they couldn’t definitively determine what had been taken or how much. 

Thank you, McAfee, for demonstrating what many of your customers must already know — legacy Data Loss Prevention (DLP) doesn’t work. If a legacy DLP vendor can’t keep a simple breach from occurring in its own company (a breach of data that McAfee claims is worth millions of dollars!) why would anyone trust legacy DLP software to keep their data safe? Short answer: they shouldn’t.

The insider threat problem is growing

The insider threat problem is getting worse. Simply put: when people leave jobs, they take lots of data with them. According to McKinsey, 50 percent of breaches involved insiders between 2012 and 2017. It’s no longer a matter of whether data leaves, but when it leaves – and it’s leaving every day.

Part of the problem is that data has never been more portable — so taking it has never been easier. Sales lists, product specs, pricing information, payroll data and even contact lists are just a few examples of small but critically important files that are simple to take. Employees can store hundreds of gigabytes on their mobile devices, put 1TB or more of data on removable media, or quickly transfer data to personal cloud storage services like Dropbox.

Not only is data moving around more, but so are employees. The median tenure of U.S. workers ages 25 to 34 is just 2.8 years. And as they move from company to company, they take data with them. But that’s not all. While they may change companies, many opt to stay within the same industry, making the data that goes with them even more valuable.

This is a solvable problem

At Code42 we’ve been working to help our customers face these challenges. Our insider threat solution identifies what data employees are taking as they depart your organization. In fact, we look back for 90 days because we have found that smart employees take important data long before they actually quit. Unlike McAfee and other traditional DLP players, we don’t require policies or classification of data, which means our solutions roll out in days, not months. Oh, and unlike traditional DLP, we track all data exfiltration. Our products are designed to tell you before the damage is done, so you don’t have to file lawsuits like McAfee’s.

To put our conviction on display, we are offering all McAfee customers six months of free service when they buy a year of Code42 Next-Gen Data Loss Protection*. And yes, that offer even extends to McAfee. After all, their data is valuable too, and they clearly need a better solution. 

*Offer details: If you are a current McAfee DLP customer, Code42 will offer six free months of service to switch to Code42. You must be a new Code42 customer and you must buy a minimum of 12 months of service to qualify for the six free months. This offer is valid through December 31, 2019. Contact Code42 sales at (877) 464-1061, or email mark.blaseck@code42.com.

Gartner’s CARTA Enables a Shift in Data Security

CARTA: What Role will it Play in the Hippy Era of Data Love?

The Gartner Security & Risk Management Summit 2019 is upon us and this year’s theme is all about how you can shift organizational culture to improve cybersecurity, data privacy and business resilience.

When it comes to building a viable data security strategy, organizational culture has easily been one of the more overlooked elements. But that is changing! Today, end users play a key role in shaping security. The ultimate conundrum organizations face is how to embrace cultural shifts that drive productivity without jeopardizing data protection.

To that end, I’m very interested to learn more about Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) framework. A logical companion to Forrester’s Zero Trust model, CARTA offers a strategic approach to information security that assumes that everyone inside a security perimeter is a threat and all data interactions are a security event. The approach makes sense. In times where insider threat scenarios are clearly on the rise, a data-focused approach to detecting and responding to risk becomes paramount. In my opinion, the best part of the CARTA framework is its approach of continuously adapting to change and learning from each data interaction.

I’ve often joked with security analysts that they have the unenviable task of protecting data in the hippy era of data love. In this new data paradigm, users call the shots. They use their device of choice, work from their location of choice and sometimes select their corporate IP storage destination of choice! Today’s users have rejected the mores of mainstream security. Countering this wave may actually have adverse effects on the business.

One of the key questions for me to answer at this year’s summit will be, “How well can CARTA enable this cultural shift?”

If you are attending the Gartner Security & Risk Management Summit, stop by booth #448. Learn how the Code42 Next-Gen Data Loss Protection solution makes it quicker and easier to detect and respond to data exfiltration and insider threats.

Breach Fatigue – And How to Take Action

Since 2005, a staggering 9,033 data breaches have been made public — that averages about 1.77 breaches a day. In the wake of this stream of breaches, a sense of apathy has taken hold, causing both employees and organizations to become numb to their own security risks.

In her latest byline for TechBeacon, Code42 Chief Information Security Officer Jadee Hanson shares the dangers of employees and leadership experiencing breach fatigue and how it leaves an organization open to insider threats, ineffective security strategies and other security vulnerabilities.