42 Seconds with a Code42 Customer: Lehigh University

Code42 provides your business with a variety of data security benefits, including increased productivity, risk mitigation, streamlined user workflows, and more–all in a single product that’s been proven to ultimately save you money. While Code42 has a few primary use cases–backup and recovery, device migration, etc.–we’ve learned that our different customers use Code42 in different ways. To explore how customers use our product, we recently partnered with the talented team at creative agency Crash+Sues to create a series of animated videos featuring the voices and likenesses of actual Code42 users.

In our latest video, Naazer Ashraf, senior computing consultant at Lehigh University, explains why they rely on Code42 over sync and share products for data backup and restore. As one of the nation’s premier research universities, Lehigh’s faculty are known for their excellence in research. Obviously, data is extremely important (and valuable) to researchers, so imagine the reaction when one researcher deleted files from Google Drive to save space–and discovered that doing so wiped the files for 10 other researchers. Naazer tells the story in just 42 seconds. Check it out below.

Protect Your Data from Insider Threats with Code42

Code42 provides your business with a variety of benefits, including increased productivity, risk mitigation, streamlined user workflows, and more – all in a single product that’s been proven to ultimately save you money. Recently, Code42 launched Security Center, a new suite of tools to help you spot suspicious data use behaviors in your workforce – and respond to them if necessary. There’s a big reason why we added this feature – the facts show that 89 percent of corporate data loss involves the actions of an insider.

We recently partnered with the talented team at creative agency Crash+Sues to create a series of videos about the core features of Code42. This most recent video focuses on an all-too common scenario in which an employee decides to steal valuable data from his employer. Unfortunately for him, this company has Code42’s Security Center.

Take a look today for an illustration of how Code42 and Security Center can help keep your enterprise’s data safe from insider threats.

3 Steps to Building a Successful Insider Threat Program in the Age of Data Privacy

Data privacy laws are picking up steam – think the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) – and there is a lot of concern about what security and privacy teams can and should do to enforce policies that protect the business. From a data privacy standpoint, consumers – and employees for that matter – historically have been largely left in the dark about what personal information a business may have about them and how that information is being used, stored and shared. With GDPR and CCPA, consumers and employees now are more emboldened to ask questions and provide direction on how their data is used.

In this new world with data privacy top of mind, corporate insider threat programs are especially under the microscope – and they’re getting an (undeserved) bad rap. There is a misconception that insider threat programs impinge on personal data privacy rules. As a result, some employees have very strong reactions against insider threat programs. To that end, many security teams end up having conversations around insider threat that end with comments such as, “I don’t want to be Big Brother!” or “Having a program implies I don’t trust my fellow co-workers.”

The reality is that data drives businesses and data is leaving companies every day (read more on this topic in our 2019 Data Exposure Report). Even though data loss by employees can take different forms, it’s important to take them all seriously. Sometimes employees take data accidentally. Other times, they take it intentionally without realizing the harm their actions could cause. Still other times, employees take data maliciously. Regardless of intent, the damages of data loss are real and it’s important we consider these risks to our businesses.

Insider threat programs are necessary and very effective in protecting corporate IP. To run an insider threat program while keeping employee privacy concerns in check, consider these three important steps:

Decide what you need to monitor

What does insider threat mean to you? I like to use a simple definition that removes intent and focuses on impact: insider threat is any type of threat to an organization’s security posture from within. Focus on the systems that manage your sensitive information, the departments that are more likely to handle sensitive information, or on the workflows that increase the probability that information is leaving the company (think departing employees, mergers & acquisitions, etc.).

Build out a program around it

Once you’ve defined what matters, build out an insider threat program around it. Programs are typically built out in one of three ways (though often a combination of these):

  • Logging and alerting: If you defined sensitive systems as the focus, this is often a natural way to build out your program. Make sure you are capturing all relevant logging activities (this is sometimes tricky with SaaS applications) and set up alerts for activity that may be deemed more risky.
  • Special tools: You may decide there are additional tools you want to implement in order to monitor and manage your insider threat program. Depending on the technology implemented, you may get additional alerts, risk ranking, or integrated workflows to help guide your set up.
  • Defined processes: As much as we’d like to think technology can solve all of our problems, sometimes the best program starts with a manual process. This could include an onboarding or offboarding checklist, a periodic audit of privileged user activity and employee training.

As with all things security, remember that there is very little “black and white.” Build your program to allow for additional context, account for the potential of human error, and incorporate other stakeholders (legal, human resources, managers, etc.) into the program to ensure you are addressing risk appropriately.

If you are looking for additional guidance on the mechanics of building or maturing an insider threat program, here are a couple of great resources to check out:

Tell your employees

Finally, no matter how you decide to build out your program, let your employees know what you are doing. Be very clear with employees about what information your program is collecting and monitoring, and how the information is being used. I often see this in the form of a log-in banner, an employee privacy statement or policy, or as part of security awareness training. Also, have a feedback process for people to reach out to you for more information.

My best advice when deciding what information to share is to put yourself in the shoes of an employee. What would you want to know, and would you find the data monitoring to be reasonable? At the end of the day, while you may be the owner of your organization’s insider threat program, you are also likely the subject of someone else’s.

From the Desk of a CISO – Leadership Lessons

Quite a bit has changed in information security since I began my career more than a decade ago. 

Talk of cloud being the primary enterprise development platform was based on complete speculation. Mobile computing had yet to hit full stride. Software as a service (SaaS) was in its infancy. Since then, we have seen the rise of the nation-state attacker, extensive malware attacks, highly-publicized insider threat cases, exponential growth of data due to the declining costs of storage and considerable digital transformation investments. As all of these trends evolved and took hold, the nature of information security also changed.

Throughout all of these changes, I have worked in information security; previously, at a national retail enterprise and, more recently, as a CISO here at Code42. Over the years, I’ve learned a few important lessons about how to be successful in information security that I’d like to share here.

Lesson 1 – Be Part of the Solution

Too often security teams do a great job at identifying and pointing out risks and then handing them off to others to solve. In their earnest desire to eliminate those risks, they forget how important it is to understand how people go about getting their work done. So, rather than try to help others deliver their work or projects in a secure way, they identify risks and throw them over the fence for other teams to fix. That has to stop. We need to create partnerships, build empathy and become part of the solution. Building empathy helps us understand how others deliver work and the struggles they might go through to get their jobs done.

Because we are developing software at Code42, our top risks lie in the software development cycle. That’s why my team works very closely with our developers to help identify and address security gaps. To build greater empathy, I have challenged my team to learn the basics of a coding language. This has helped us gain a fuller understanding of the challenges developers face every day and, more importantly, how we need to work with them to be part of the solution.

Lesson 2 – Balance Risk

In security, it is less about eliminating risks and more about balancing risks. Think of a retail floor. Sure, everything on a shelf that isn’t locked down is at risk of being stolen. But if you lock everything up behind glass, your sales are going to plummet. At the end of the day, you are in the business of selling goods, which is why retailers don’t lock up everything. It’s the same with all business risks. You have to balance the business benefit with the business risk and put reasonable risk mitigations in place. For a retailer, this could be cameras, security guards, and/or only locking down items with a high risk of theft.

As security leaders, we don’t want to place overly aggressive security controls on everything. We are trying to tune the right level of security for the organization. You have to balance what the board, CEO and customers want and, at the same time, match the culture of the organization.

In a lot of cases, security leaders push forward with their own security risk posture ideals versus trying to truly understand the acceptable risk posture of the organization.

Lesson 3 – Build a Strong Team

While a bit more obvious, I can’t stress enough the importance of building and retaining a strong team. The team here at Code42 is close-knit. I have worked with many of these people for more than a decade. It’s hard to place a value on that. It’s a lot like professional athletes who know the moves their teammates are going to make before they do. That makes it possible to build a well-tuned, committed and effective team, not to mention retain talent in a talent-deficit industry. When you have a team you trust, it makes security much more effective and laser focused on the overall mission of the organization. I am thankful to be a part of such a strong, dedicated team that trusts one another and has a high degree of respect for one another. 

Lesson 4 – Transparency Trumps

To be effective in this industry, security professionals need to be transparent. In some cases, security teams still operate like the man behind the curtain: No one knows what magic they are operating, and budget is gained by claiming that the sky is falling. But with today’s skepticism, seeing is believing. That’s why it’s so important to demonstrate how risks could be exploited. I recommend having your red team perform an exercise to determine exactly how easily a risk may be exploited, and share the results with other decision makers.

In the same vein of transparency, it’s important to explain risks as they really are. Many security professionals will overhype a risk in an attempt to get attention or budget for a project. That tack may work in the short-term, but it will diminish trust in the long run.

As a security team, we are 100% transparent on the risks we see and the areas where we are digging deeper. This way, when a threat or new risk arises, we have a tremendous amount of trust and support to mitigate the risk. 

Lesson 5 – Provide Value, Don’t Fear Failure

Finally, being a CISO, or data security professional in general, is a stressful job. There is a lot of discussion around stress in the information security profession and how, as a result, the average tenure for CISOs is about two years or less. CISOs must balance the stress by focusing on the good, which is the value they’re providing to their business. At Code42, we strive for a blameless culture – one where we learn lessons rather than fear failure. This type of a culture helps contextualize stress. 

In my job, I want to feel challenged throughout the workday. I’m energized and get a lot of joy knowing that we are providing value and actually helping our company and customers address their security risks. We are working for a company that helps all of our customers deliver on security with the software we develop. For a security professional, it doesn’t get more exciting than that.

2020: The Cybersecurity Year Ahead

Security never stops. As 2019 comes to an end, security professionals are looking to what is in store for the year ahead. To get some answers, we reached out to Code42 leadership and security experts to get a sense of their cybersecurity expectations for the coming year.

While they expect plenty of tough challenges when it comes to protecting data, there is some good news in the mix. The team anticipates that enterprises will take steps toward formalizing (and automating) their security programs where gaps exist.

Here’s what the Code42 team had to say:

Insider threat programs grow more prevalent

Relentless reports of new, high-profile insider breaches will push many more businesses to finally take insider threat seriously enough to formalize programs and allocate a larger budget dedicated to protecting their intellectual property. This year, at least half of data breaches involved an insider, but in 2020, that figure could exceed 60%.

When it comes to insider threat, companies will begin to lean into new technologies designed distinctly for protecting from insider threats, and they’ll stop shoehorning outdated, ineffective technologies that were never really intended to mitigate insider risks to begin with. Finally, more than 20% of organizations will begin actively measuring what departing employees take from their organization.
Joe Payne, president and CEO at Code42

The role of security will increasingly integrate within IT

With the continued cybersecurity talent gap, along with increased regulatory demands and security threats, security and IT will have to work more closely together. What I mean by this is traditional IT will be expected to take on security responsibilities, while security roles will evolve to become more hands-on and step into actual problem-solving rather than problem-identification mode. 

Security has always been positioned to cover confidentiality, integrity and availability – the well-known security CIA triad. While IT has traditionally been focused on availability, it’s increasingly recognized that data integrity and confidentiality need to be a part of the broader IT strategy. There has always been an opportunity for a natural fit between IT and security, and 2020 will prove to be the year that we recognize the similarities and start to benefit from the combined focus from these two disciplines.
Jadee Hanson, CISO and VP of Information Systems, Code42

Collaborative tools get security department green light

Progressive organizations thrive on collaboration. After all, we are in the midst of a massive culture change that centers on employees’ ability to share ideas, move faster, and collaborate. CEOs are requiring that their employees use Slack, Chatter, Box, and OneDrive to work together to be more productive. However, at the same time, CISOs have been busily blocking collaboration by using legacy prevention technology. In 2020, progressive CISOs will stop blocking and will start focusing on enabling collaboration by adopting new approaches that better address insider risk.
Joe Payne, president and CEO at Code42

DevOps teams embrace security

Organizations have adopted DevOps, but security hasn’t always kept pace. As DevOps grows, so does the desire (and the need) for security to become embedded within these teams. In the next year, organizations will increasingly seek ways to build the skills, tools, and knowledge they need to build security directly into DevOps teams.
Michelle Killian, director, information security, Code42

The security talent shortage continues

By nearly all estimates, the industry is millions of cybersecurity jobs short of what’s needed to adequately secure enterprise data. This shortage will push security teams to automate as much as they can to stretch their capabilities. Hopefully, teams will focus on optimizing the basics because it remains true that the vast majority of breaches could have been prevented if security 101 practices were followed. Areas that will be automated include manual operations tasks, application security testing, data monitoring, and more.
Todd Thorsen, senior manager information security, risk management and compliance, Code42

Security ‘solutions’ continue to grow in complexity

The complexity of security vendor solutions remains too high in cybersecurity. Many vendors continue to proudly talk about how sophisticated their products are and how they can solve complex problems. The problem is: using these security tools themselves is an overly complex and unwieldy process. At the same time, the security industry struggles with a serious shortage of skilled cybersecurity personnel. Something has to give.

In 2020, we will see security vendors focus on providing both signal and simplicity. To align with the realities of personnel shortage, solutions will surface highly actionable information and present it in easy-to-use, accessible ways so that security teams can act quickly without being embroiled in endless investigations.
Joe Payne, president and CEO at Code42

Move from reactive to proactive security

Companies are so busy reacting to incidents and putting out fires that they are missing opportunities to proactively reduce risk. One area is how staff and others will continue to be a highly exploited threat vector, yet companies will continue to trail behind mitigating their human risks. One thing is for sure: training alone is not going to work, as companies need to create security-minded cultures in their workplaces.
Chrysa Freeman, program manager, security awareness, training and culture, Code42

Expect a major breach within a federal agency

A federal agency will experience a large-scale data breach at the hands of an insider. This will highlight the growing insider threat blind spot for all large organizations.

Also, foreign hackers and the election take center stage. There will be proposed federal regulations requiring encryption back-doors and FCC regulation of social media in advance of the elections. As the elections approach, there will be reports of hacks and vulnerabilities, many with grand claims. All of these claims will be unsubstantiated, viciously spun, yet cause no direct or measurable harm. But they will create enough doubt and disruption to further the nation’s political divide.
Andrew Moravec, principal security architect, Code42

The return of ransomware

It used to be that cryptojacking—using someone else’s computing to mine cryptocurrency—was a relatively easy path to profit. But as the price of bitcoin continues to fluctuate wildly, those profits are no longer such a sure thing. As a result, adversaries will shift their attacks to optimize their efforts. Once their malware is deployed onto endpoints, they may decide ransomware is the way to go, which would very well lead to a resurgence in ransomware attacks.
Jeff Holschuh, senior manager of identity, Code42

A renewed focus on data privacy

The CCPA (California Consumer Privacy Act) goes into effect at the beginning of 2020. The act will have a substantial impact on companies that don’t yet have mature data security and privacy programs in place. As enforcement actions are brought under this new law, companies will scramble to ensure they are meeting all of the law’s requirements.

Essentially, CCPA focuses on data collection rules, breach disclosure, and the selling of consumer personal data. Expect not only CCPA-driven lawsuits and fines, but also a nationwide rush by companies to ensure they can comply.
Nathan Hunstad, principal security engineer and researcher, Code42

Building an Insider Threat Program Without Becoming Big Brother

I don’t believe that there’s an enterprise in existence that wouldn’t benefit from an insider threat program. Nearly every enterprise will experience repeated data theft and confidential data exposure as a direct result of the accidental or deliberate actions of one of their trusted insiders. I know that’s not easy to hear, but it’s true.

Consider a survey conducted by Osterman Research. The survey found that 69% of respondents experienced significant data or knowledge loss as a result of employees taking information with them when they left, as Andy Patrizio wrote in his CIO story, Sensitive data often follows former employees out the door.

Despite how pervasive and serious the risks posed by insider threat are today, few organizations have an insider threat program in place, and fewer still have an effective insider threat program.

There are a number of reasons insider threat programs aren’t very common. The first is that getting started in building an insider threat program can be overwhelming – even though it doesn’t have to be. Some of these challenges are technical, such as the failings of traditional data leak prevention products. Other challenges are cultural; for instance, many organizations fear that their insider threat program could turn into a Big Brother level of oversight.

However, when done right, an insider threat program doesn’t have to become Big Brother. In fact, it doesn’t have to become overbearing or negatively affect culture. In this post, I share the key insights I’ve learned that will help any organization get started with an effective insider threat program that won’t turn into Big Brother.

Earn the support of your executives

It’s true of any data security program, but especially for an insider threat program: to succeed, you need to have the support of business leadership. It will be your organizational leadership that ensures the program gets the continuous funding it needs as well as the political backing to overcome any speed bumps that arise.

Obtaining that support is best achieved by articulating to executive leadership the real-world risks to the organization so that they understand the threats and how important it is to fund and support such an effort. This will require detailing the types of data risks your organization faces and the strategy for mitigating those risks.

Earn the support of stakeholders throughout the organization

Partnership from other business stakeholders, such as the legal department and human resources, is also essential. If you are trying to build effective data security and insider risk management processes into your employee onboarding processes, job changes, and terminations, then you will want to work closely with the human resources and legal departments. If these departments are not engaged with the insider threat program, you run the risk of having an ineffective program on your hands.

Prepare for culture shocks

One of the reasons insider threat programs can appear authoritarian is they are designed without the existing internal culture in mind.

When it came to managing insider risks at a former employer, it was common for me to run into cultural issues. We were always working closely with our vendors, many of whom were based in Silicon Valley. While discussing data risks with these organizations, we often learned that they did not have even the most basic controls pertaining to insider threat, including not bothering with employee background checks. They often didn’t understand who was joining the organization. “We trust our people,” they’d say. “We only hire the best, most talented people. Everybody wants to work here. Why would anybody do anything bad here?”

In building an insider threat program, you’ll have to deal with such cultural barriers, and the challenges to overcome them are real. Essentially, to overcome those challenges, you will need to convince staff and everyone throughout the organization that the focus isn’t on punishing people doing things they shouldn’t, but rather protecting the organization’s data and its business viability.

For those in regulated industries, this conversation is likely a lot easier to have with executives and staff. When you work in a regulated industry, it’s evident why certain types of data must be watched and protected, and it’s easier to extend that to other kinds of data.

For those working outside of regulated industries, where it’s not mandated that data be protected, it’s undoubtedly a much more challenging argument to win. But it’s an argument that executives will be receptive to if you explain the costs to the business associated with losing data or intellectual property that is important to the organization.  

Make sure the program is transparent

Another reason insider threat programs can appear oppressive is when they are built in secret. When staff are aware of the insider threat program, but they don’t understand why it is in place, they are more likely to grow resentful and even fearful of the program. Also, when staff aren’t at all aware of the insider threat program, they can be very brazen in taking data that belongs to the company. There is no reason to take either of these counterproductive approaches.

When organizations are transparent about the insider threat program and why it’s necessary, then staff, contractors, and business leaders will be more supportive of the effort to protect intellectual property and confidential and valuable information. 

Establish acceptable data use policies

Everyone will feel better about the program if they are not finding themselves second guessing whether or not they are acting within protocol. Are they permitted to use cloud storage services? If so, which ones? Can data be moved to USB devices and other local, removable storage devices? What about sharing data on corporate collaborative platforms such as Slack or Microsoft Chatter? What’s the policy for taking data home and/or keeping it on their notebooks?

Staff and contractors need clear demarcation lines of what is an acceptable use of the organization’s systems and data and who owns the organization’s data. Employees must be made aware of these policies.

Data risk will vary depending on the organization

The specific type of data that is protected will be dependent on the nature of the organization and the industry in which it works. The types of data and roles that will pose more significant risks will vary among different types of organizations. An aerospace engineering firm or defense contractor will have a different risk posture than a law firm, financial services firm, or pharmaceutical company. Within all of these organizations, there will be a lot of targeted information that can be monetized and is important to the organization, but the nature of the data (and who can access the most valuable data) will vary.

Put the right data protection tools in place

Although much of your insider threat program will consist of data security policies and employee training and awareness, those policies will need to be enforced with technology. When considering the types of tools that will support your insider threat program, choose the best tools to provide the capability to detect, investigate, and respond to data breach incidents with the appropriate level of insight.

Another consideration is how well the tools you select will integrate within your environment. This must be viewed from the standpoint of how well it will work with both internal processes and existing toolsets. For example, if you have an established automated employee off-boarding process, can you connect to those processes so that you have timely, accurate insights into employee status changes? The same holds true when it comes to employee onboarding.

Provide ongoing training and awareness

Ongoing security training and awareness exercises are essential for maintaining good data security practices and muscle memory for all employees across the organization. If your organization has an existing security training and awareness function, you can integrate insider threat messaging into awareness exercises.

Incorporating insider threat scenarios into ongoing security training and awareness will also help employees understand the importance of the risks you’re trying to manage. This will help employees understand the rationale and can also create allies within your organization.  

Build a sustainable program that will change with the times

Just as your organization and business environment evolve over time, so will your organization’s risks. So, it is important to ensure that your insider threat program can keep pace with the changes in your business and risks. Fundamentally it’s about keeping your focus on effectively managing data exfiltration and insider risk as your organization evolves.

All of this may seem straightforward—and it is—but that doesn’t make it easy or swift to accomplish. Like so many effective processes, the important thing is to keep your insider threat program risk-based, aligned with your organization’s culture and nimble enough to evolve with your organization.  

If you’re building an insider threat program from scratch, start small, keep it simple and be open to making changes. Early wins are important and will help drive the success of the program. Furthermore, they will keep the support of executives and staff who understand that the organization’s long-term success depends on protecting its data. Because it certainly does.

“Good Enough” Isn’t Enough to Stop Data Loss

Five years ago, the toughest part of my job was convincing the world that insider threat was a big problem. Fast forward to today, and everyone knows insider threat is the biggest everyday data security risk they face. But a new problem has emerged: with widespread awareness of insider threat has come a false sense of confidence. Many CISOs I talk to tell me that they’ve put tools in place — DLP, EDR, CASB, etc. — to stop data exfiltration, and they’re confident they’ve got insider threat covered. But the brutal truth is that “better than we used to be” often isn’t enough. There’s still a major gap in the typical security stack — and it’s putting their data and business at risk.

Overconfidence is rampant, but the statistics tell a different story

Most companies have beefed up their security stack in the past few years. I don’t want to take away from the value of these efforts, but I do want to point to the statistics showing the continual upward trend in insider threat incidents. Every week, that harsh truth hits home for another company, as we read about the latest high-profile insider threat incident that surprised, embarrassed and damaged a company that had been quite confident in their airtight security stack. Like I said, better than before isn’t enough.

The fatal flaw in the policy-based security stack

Almost all conventional data security tools are guided by policies, rules or other admin-defined parameters. DLP, EDR, CASB and the like do an excellent job of hunting down, flagging and sometimes even stopping actions based on defined rules and policies. But therein lies the problem: they can only look for what you tell them to look for. The reality is that you can’t think of everything. No one can. You can’t think of every possible way that an insider could take a given file or data type, so they will always be one (or several) steps ahead. (As a side note, there are now many ways of exfiltrating data that traditional DLP solutions simply cannot cover. Traditional DLP focuses on devices and networks; but things like Bluetooth, Airdrop, etc., don’t always show up on either the device or the network.)

Moreover, a lot of companies think their tools are focused on the right files and the right data. But users create new files every day, and the dynamic nature of modern work means that a given file can go from a low-value work-in-progress to a highly sensitive innovation-in-progress within the course of a single day. It’s almost impossible to think of (and stay current with) all the valuable, sensitive and vulnerable files and data types across your entire organization.

Case in point: the recent McAfee insider data theft incident. Three departing employees copied company trade secrets onto USB drives and simply walked out the door. How did a leader in data loss prevention not catch and stop this obvious theft? Because the data they took — sales and marketing files — were not traditionally tagged as IP. The bottom line: If traditional DLP doesn’t stop data loss for McAfee, it won’t stop data loss for you.

You can’t lock down all your trade secrets & IP

Even if you could account for every potentially valuable or sensitive file in your organization, you can’t just lock all these files down. A lot of this information needs to move. Things like source code, customer lists and collaborative development projects need to move between users and even outside your organization in order to keep work moving forward. So you end up writing all sorts of exceptions to your security policies – and in the process, take the teeth out of your policy-based security tools. This makes it much easier for an employee to find a workaround, or a way to take files that look normal.

You don’t know what you can’t see – so you don’t know when you’ve been beaten

The second fatal flaw of conventional security tools like DLP: they don’t know when they’ve been beaten. They’re focused on seeing specific user actions. If the user action falls outside those defined rules, they don’t see it — and that means you don’t see it. In practice, that means that when users (inevitably) find ways around DLP, you most likely will have no idea until it’s too late to do anything about it. In fact, most companies only discover the data loss because of the proximate damage it causes to their business — weeks, months or years down the line — when a competitor beats them to the market with copycat technology or poaches clients with a leaked customer list.

You need to start with data behavior, not user behavior

All the problems with rigid rules point to an obvious solution: consider the context and behavior surrounding a specific action. There are a lot of solutions that focus on user behavior — trying to pull out context and identify risk by monitoring every keystroke of their employees. But that kind of intrusive employee monitoring comes with its own set of issues. There are ethical privacy concerns, as well as the increasing legal precedents that suggest you need a discrete reason to monitor an employee. Legality aside, invasive monitoring can hurt workplace culture, reduce staff satisfaction and even impact productivity. Moreover, we’ve already established that users’ creativity is often one step ahead of even the best pattern recognition software.

At Code42, we take a different approach: We watch the data — how it changes and where it moves. Users can trick you, but data doesn’t lie. Our underlying real-time backup technology means we’re able to watch all your data, all the time — so we understand what “normal” looks like. If we see something unusual, only then do we enable security to associate it back to the user. We start with cause, then investigate. This eliminates the privacy concerns, and ultimately keeps your attention focused on what you’re really trying to protect: the data.

The big objection: I can’t watch all my data, all the time

All-encompassing data visibility sounds nice, but that alone doesn’t solve the problem of seeing the actual risks and threats amid the ocean of normal activity. When I explain how Code42 is different, I normally get a flood of objections like: Won’t we have to configure the system to provide alerts? Won’t someone have to manage all those alerts? My team is already buried in alert management – you’re just adding to my problem. Here’s what I tell them…

Code42 gives you a clear signal of your risk

Comprehensive data visibility is the foundation of Code42. We know what normal looks like, and we know what your biggest risks look like. For example, we know that departing employees account for around half of all insider data loss incidents. We also know that M&A, or another type of company re-organization, creates one of the most acute risks of insider data loss. So, we focus our attention on these high-risk situations. We’ve already developed the algorithms and defined the parameters on our end — building simple tools like our departing employee lens that focus on these risks — so we’re not placing that burden on you.

Ultimately, we’re watching the behavior of all your data and using our deep data visibility to put relevant context around that activity before triggering an alert — instead of leaving that contextual analysis burden to your team. This minimizes alerts, so your team gets alerts you can trust and act on.

Giving you instant information to investigate immediately

Detecting risky user actions that have slipped past policy-based security tools is an incredibly important capability. But detection is just the first step; you need to be able to determine exactly what happened, if it’s risky, and what needs to be done. And you can’t afford to spend multiple days piecing together that story while your data is still at risk.

Code42 pulls together all that file activity and contextual information to give you distinct answers: this file was copied to this cloud with this browser tab URL, or this USB drive with this serial number, at this exact time. In essence, we give you an immediate answer to the question, “Where’d my file go?” And because Code42 automatically captures every version of every file, with the proper authorizations, you can even open the actual file in question to evaluate its contents and determine the risk. You get the definitive information you need to take action, faster.

Are you comfortable with “good enough”?

It’s always hard to change the status quo — especially when you’ve done a lot of work and made major improvements to achieve the current state. CISOs have done an admirable job of bulking up their security stances with tools designed to prevent both internal and external data risks. But here’s the brutal truth: even the strongest prevention will fail sometimes. Because prevention tools can only stop what you tell them to stop. You can’t think of everything, you can’t lock down all your data (exceptions just create blind spots), and creative (or malicious, or industrious or simply self-serving) users will always stay one step ahead of policy. When user activities inevitably slip past prevention tools, they fall into a dangerous gap in your security stack. You don’t know what’s happened; you typically don’t know anything has happened at all. Your security team is flying blind.

Considering that insider threats like these account for 50% of data breaches, are you really comfortable with leaving this risk uncovered? Or is it time to re-think “good enough?”

Microsoft and Code42 Ignite the Focus on Insider Threat

The entire Code42 team had a great time attending Microsoft Ignite in Orlando. Microsoft Ignite brings together more than 25,000 attendees who have keen interests in software development, security, architecture and IT. I have to tell you, before going to Ignite, I held preconceived notions that attendees would hold a clear bias toward IT challenges and not the broader challenges facing enterprise security.

Fortunately, I was mistaken, and it quickly became apparent that security and cloud concerns were a big part of the conversation. For all of us at Code42, that meant we were in store for an exciting week. We came to Ignite with a significant announcement – our new integration with Office 365 email.

More tools to mitigate insider threat

Why integrate Code42 with Office 365 email? There are a couple of reasons. First, while there’s been plenty of talk about the demise of email as the top communication platform, the reality is that the amount of confidential and proprietary information sent via email attachments every day is mind-boggling, and enterprises need better controls. Second, while Office 365 email does provide ways to create email policies and flag risky emails, Code42 provides complementary insights and valuable investigative information into the who, what, when and why (as I like to call it) around the files. This is just another way Code42 helps our customers to mitigate insider risks.

We also showcased some new Code42 capabilities that enhance the workflow for departing employee data exfiltration detection. As you may already know, managing the data exfiltration risks associated with departing employees has been a significant effort for Code42. When it comes to mitigating insider threats and data breaches, it turns out that departing employees are notorious for taking trade secrets, confidential information, and other types of intellectual property with them as they leave organizations for new companies.

The departing employee challenge is exacerbated by the following: first, most organizations don’t have a data exfiltration mitigation policy in place for departing employees; and second, there typically aren’t technology or applications available to assist in the departing employee workflow. This is precisely why Code42 developed and released its new departing employee workflow capabilities.

Being able to showcase such powerful new capabilities and seeing the positive reactions from such a large crowd was one of the most rewarding parts of Ignite for me. Of course, Code42 SVP Rob Juncker got us off to the ideal start with a session mainly dedicated to insider threat and the importance of having a well-defined off-boarding process to protect valuable IP when employees leave.

The new capabilities were a hit among attendees. But, more importantly, to me, the new departing employee capabilities were the catalyst for conversations into understanding current departing employee workflows. These conversations largely confirmed what we’ve been saying here at Code42: that typical departing employee workflows are either under-developed or non-existent. No wonder insider threat continues to be on the upswing!

While Ignite gathers an IT-centric audience, what we learned is that when it comes to insider threat, multiple departments are part of the conversation. It isn’t uncommon to expect IT, security, compliance as well as HR teams to be in the mix when figuring out the best course of action to manage insider threat.

Demos, doughnuts and a customer’s personal account

We were also fortunate to be joined by one of our customers, David Chiang, an IT system engineer at semiconductor provider MACOM. David presented on how MACOM relies on Code42 to detect, investigate and respond to insider threats and file exfiltration. He framed the departing employee threat perfectly when he explained how, when a departing employee tells MACOM that they’re “just taking personal pictures,” MACOM can now (thanks to Code42) look back and validate if that’s so. “If we access the files and find that it was company property, the conversation changes,” he explained.

And under those circumstances, that conversation should change. The problem is that too many – actually, the vast majority of organizations – don’t have such processes and technology in place to give themselves that level of visibility. Hopefully, our data security and departing employee announcements, along with an excellent and in-depth story from one of our customers on their success (over some excellent mini donuts), resonated and will change some of the status quo for the better.

While Code42 went into Microsoft Ignite with an intent to learn and educate around the insider threat, it turned out we weren’t alone. There were two other significant announcements that reinforced the importance of mitigating insider threats. The first of those was Proofpoint’s acquisition of ObserveIT. Why? Because ObserveIT has been in the insider threat space for quite some time, and this acquisition is clear validation that Proofpoint views insider threat as an integral expansion of their security portfolio moving forward. The second announcement was from Microsoft itself. Microsoft unveiled its Insider Risk Management tool within Office 365 that is designed to help identify and remediate threats coming from within an organization.

I’m happy to say that the many announcements, as well as attendee interest and conversation around the issue, give me hope that insider threat programs are about to take center stage when it comes to managing enterprise data risk. And next year, Microsoft Ignite 2020 is bound to dig even deeper into the insider threat and all of the associated risks. We can’t wait to be there.

Insider Threat Begs the Question, “Where’d My File Go on the Web?”

You know the risks posed by Shadow IT and unsanctioned app use. It’s a blind spot we’ve all been fighting for years now. But a new challenge is emerging: what do you do when the app is sanctioned? For example, how do you stop employees from exfiltrating data via Google Drive — when your organization uses this app, legitimately, all day long? With cloud and web-based apps like Google Drive, Gmail, OneDrive and Slack increasingly blurring the lines between personal and professional use, how do you shine light into the alarming blind spot we’re calling “Mirror IT?”

An easy way to move and share files

Most of us have used email or cloud storage as a means to instantly and easily make files available from anywhere. In fact, our 2019 Code42 Data Exposure Report found that 43% of business decision-makers say they use their personal email to share files with peers, and 41% use Google Drive. Not surprisingly, this is also one of the most common (and fastest growing) methods of employee data theft a.k.a. insider threat. Look to the headlines and you’ll read about cases like the sales executive at U.S. solar company SunPower Corp who emailed himself highly confidential files — and used them in his next role at a SunPower competitor.

You can see that, right?

It’s not that modern data security tools are totally blind to this kind of activity. Most have some level of visibility into the web and cloud apps that touch your files. But some of the most popular enterprise data security tools are still limited to telling you that Google Chrome or Firefox accessed a file — essentially telling you that your file went somewhere on the internet. An experienced security team with a range of tools at their disposal should be able to use network-layer information to piece together a good idea of where that file went — but only if users are on the network…and it won’t be fast or fun.  

Sanctioned apps make things blurry

The real challenge comes in “Mirror IT” situations where employees have both personal and professional accounts for apps like Gmail, Google Drive or Slack. In these scenarios, how can you see — and respond to — an employee removing a customer list or source code via the approved Google Drive app? Leading CASB solutions can block unapproved sites — but they won’t help you here. Even top-of-class data loss prevention tools can only get as far as telling you that Google Drive accessed the file. But you have no way to make the all-important distinction about whether that file was uploaded to their personal or professional Google Drive account. Once again, a veteran security analyst could likely get to the bottom of this question, given some time — but in the meantime, those valuable files remain exposed.

A simple, fast answer to the question, “Where’d my file go?”

Code42 shines powerful light into the black hole of web and cloud file activity in a number of ways. Now, we’re solving the challenge of “Mirror IT” by giving you a first-of-its-kind level of visibility: Code42 shows you the title of the tab and the specific tab URL that was active at the moment the file activity occurred. This means you can plainly discern personal versus professional accounts and instantly understand the potential risk to your data.

It’s all part of the simple, speedy solution we’ve created for homing in on the risky signal amid all the noise of your users’ normal, harmless activity. The Code42 dashboard lets you immediately see when files are read or uploaded by an internet browser — and gives you one-click visibility into the tab title and URL.

The end result: with just two clicks, you can definitively answer the question, “where’d my file go?” and immediately take action, if necessary. It’s just one more way Code42 provides much-needed visibility to give you high-fidelity alerts and actionable information to help you find and address the data risks in your organization.
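The personal-versus-professional distinction described above can be sketched as a small triage routine over browser upload events. This is an added example, not Code42's code or event format: the event fields, the mail domain `example.com`, the tenant name `examplecorp` and all sample events are constructed assumptions.

```python
"""Triage browser file-upload events by the active tab's title and URL."""
import re
from urllib.parse import urlsplit

# Assumptions for this example: the organization's mail domain and its
# Microsoft 365 tenant name. Replace with your own values.
CORP_MAIL_DOMAIN = "example.com"
CORP_M365_TENANT = "examplecorp"

# An e-mail address anywhere in the tab title; group 1 is its domain.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
SHAREPOINT_SUFFIX = "-my.sharepoint.com"


def classify_destination(tab_url, tab_title):
    """Return 'corporate', 'non_corporate' or 'unknown' for one event."""
    # Parse the hostname instead of substring-matching the URL, so that a
    # look-alike host or a query string cannot pass as a known service.
    host = (urlsplit(tab_url).hostname or "").lower()

    # OneDrive: consumer accounts are served from onedrive.live.com, work
    # accounts from <tenant>-my.sharepoint.com.
    if host == "onedrive.live.com":
        return "non_corporate"
    if host.endswith(SHAREPOINT_SUFFIX):
        tenant = host[: -len(SHAREPOINT_SUFFIX)]
        return "corporate" if tenant == CORP_M365_TENANT else "non_corporate"

    # Webmail tabs commonly show the signed-in address in the title; its
    # domain separates the work account from a private one.
    match = EMAIL_RE.search(tab_title)
    if match:
        domain = match.group(1).lower()
        return "corporate" if domain == CORP_MAIL_DOMAIN else "non_corporate"

    # Neither the host nor the title identifies the account.
    return "unknown"


def triage(events):
    """Return the events an analyst should review, riskiest first."""
    priority = {"non_corporate": 0, "unknown": 1}
    flagged = []
    for event in events:
        verdict = classify_destination(event["tab_url"], event["tab_title"])
        if verdict != "corporate":
            flagged.append({**event, "verdict": verdict})
    return sorted(flagged, key=lambda e: priority[e["verdict"]])


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "jdoe", "file": "customer_list.xlsx",
     "tab_url": "https://mail.google.com/mail/u/0/#inbox",
     "tab_title": "Inbox (3) - jdoe@example.com - Gmail"},
    {"user": "jdoe", "file": "customer_list.xlsx",
     "tab_url": "https://mail.google.com/mail/u/1/#inbox?compose=new",
     "tab_title": "Inbox - john.doe.private@gmail.com - Gmail"},
    {"user": "asmith", "file": "roadmap.pptx",
     "tab_url": "https://examplecorp-my.sharepoint.com/personal/"
                "asmith_example_com/_layouts/15/onedrive.aspx",
     "tab_title": "My files - OneDrive"},
    {"user": "asmith", "file": "roadmap.pptx",
     "tab_url": "https://onedrive.live.com/?id=root",
     "tab_title": "My files - OneDrive"},
    {"user": "bnguyen", "file": "main.c",
     "tab_url": "https://drive.google.com/drive/u/1/my-drive",
     "tab_title": "My Drive - Google Drive"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["verdict"], hit["user"], hit["file"], hit["tab_url"])
```

Events that come back `unknown` carry no account signal in either field and still need an analyst to look at them.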

Don’t Believe the Hype from DLP Players

We got a good chuckle when one of our competitors recently called us a “DLP Wannabe.” Let’s face it, no one wants to be a data loss prevention provider (DLP) – including us. Seventy-three percent of companies with DLP report that employees complain of lost productivity and collaboration. Eighty-one percent of security decision makers are frustrated with these issues: they feel they need a better way to protect sensitive data without slowing down innovation (Source: Forrester 2019). The brutal truth is no one likes DLP. Our customers that have it don’t like it. The customers that think they need it look for excuses not to buy it.  

Progressive organizations thrive on collaboration. We are in the midst of a massive culture change that centers on employees’ ability to share ideas, move faster and transform the customer experience both internally and externally.   

That’s where our approach to protecting data was born. It’s an approach that focuses on enabling security teams and their internal customers to move faster, collaborate with one another and be more productive. We called it next-gen DLP because it’s time for change. It’s time for a new approach that works for the collaboration era.

Code42 Next-Gen Data Loss Protection

Code42 at Jamf Nation User Conference: Data Loss Protection for Macs

The Code42 team is gearing up for the annual user conference for one of our favorite hometown partners: the Jamf Nation User Conference, Nov. 12 – 14 at the Hyatt Regency Hotel in Minneapolis, literally right up the road from our offices. Code42 has been a proud sponsor for JNUC since 2012 and we love rubbing elbows and throwing back a few with our friends in the Apple community. Billed as the world’s largest rally of Apple IT administrators, JNUC is always a great place for us to educate users about the reality of data loss and showcase the tool that truly works to protect data from insider threat: Code42® Next-Gen Data Loss Protection.

Traditional data loss prevention (DLP) claims it can prevent data loss and theft from employees. It relies on arcane policies, rules and user blocking that stifle collaboration and productivity. According to our recently released Data Exposure Report, 69% of organizations say they experienced an insider threat breach while they had a prevention solution in place. No wonder 78% of information security leaders—including those with traditional DLP solutions—believe prevention strategies and tools aren’t enough to stop insider threat. 

Fortunately, there’s a better way to protect data while also encouraging user collaboration and productivity: by detecting, investigating and responding to suspicious file activity that could indicate an insider is taking data. The right tool provides these insights in real time, so organizations can respond to insider threat immediately, not months after an employee quits and takes data with them. And a comprehensive solution allows Apple IT administrators to visualize their data loss risks with one pane across endpoints, cloud and email.

At JNUC, we’re looking forward to sharing how our next-gen data loss protection solution—which is built for Mac and has complete feature parity in Windows—can do all this and more. Check out customer stories from companies that have successfully used next-gen data loss protection to safeguard their data from insider threat. At JNUC, come check us out at:

  • Nov. 12: 
    – 7 a.m. to 5 p.m. at booth 5
  • Nov. 13:
    – 7 a.m. to 5 p.m. at booth 5
    – 11:15 a.m. in the Nicollet Grand Ballroom for the breakout session, “How to Keep Data Safe: Data Loss Protection and macOS Catalina.”
    – 5–8 p.m. for “Off the Clock with Code42” at one of our favorite local spots, Butcher and the Boar. You can register here.
  • Nov. 14: 
    – 7 a.m. to 3 p.m. at booth 5

Looking forward to seeing you there!

Hey Microsoft Ignite, Code42 is Here Talking Insider Threat

Team Code42 is excited to be at the Orange County Convention Center for the Microsoft Ignite conference this week. We have a ton going on and are ready to talk to security and IT teams about one of the biggest insider threats to their data – employees who quit. Swing by to see us at booth #1141 and find out how we can show you exactly what IP your employees are stashing in their pockets, personal email and cloud. Hint: they probably took the data long before you knew they were leaving.

All week, we will be ready to give demos and previews of our Code42® Next-Gen Data Loss Protection solution, which makes it quicker and easier to detect, investigate and respond to insider threats. Visit with Team Code42:

  • Nov. 4: 12:30-7:30 p.m.
  • Nov. 5: 8:30 a.m. to 6 p.m.
  • Nov. 6: 8:30 a.m. to 6 p.m.
  • Nov. 7: 8:30 a.m. to 5:15 p.m.

Monday:

Rob Juncker, SVP, Speaks in Theater C at 2:15 p.m.
Employees are Taking Data when They Quit
Sixty percent of departing employees admit to taking data – company trade secrets, customer lists and source code – when they leave their job. Want to know the truth? The other 40% probably are lying and also have taken data. At a time when the data economy is flourishing and your competitive edge hinges on keeping your most innovative ideas under lock and key, we have to find better ways to protect valuable IP and trade secrets when employees and contractors quit and head off to their next gig. That’s why Rob Juncker, our SVP of product, research, operations and development, is leading off the show with a presentation about insider threat called, “Employees are Taking Data when They Quit.” Head over to Theater C on the expo show floor at 2:15 p.m. ET on Monday to catch his talk.

Tuesday and Wednesday:

Code42 Customer MACOM in Booth #1141
Don’t take our word for it. Hear from one of our power users, MACOM’s David Chiang, about how he uses the Code42 solution to hang onto MACOM’s most valuable files. Be sure to spend some time talking to David in Code42 booth #1141 about how he tackles the challenge of data loss from departing employees and protects MACOM’s highly proprietary semiconductor designs and CAD drawings. He’ll be in the booth Tuesday and Wednesday from 9 a.m. to 12 p.m.

Other Activities in Code42 Booth #1141

Monday: Demos and Drinks, 4-7:30 p.m.
End your day with a product demo and glass of McSwagger’s Own Ale from local brewery Crooked Can Brewing Company.

Tuesday: Demos and Donuts, 8:30 a.m. to 12 p.m.
Grab mini donuts made fresh in our booth while taking in a solution demo.

Wednesday: Midweek Energy Boost, 8:30 a.m. to 12 p.m.
Need some more wings mid-week? We’re doing a Red Bull giveaway and solution demos.

Thursday: Thank You, Safe Travels Cookies, 11 a.m. to 3 p.m.
Before you finish at Ignite, swing in for a solution demo and fresh-made cookies.