“Good Enough” Isn’t Enough to Stop Data Loss

Five years ago, the toughest part of my job was convincing the world that insider threat was a big problem. Fast forward to today, and everyone knows insider threat is the biggest everyday data security risk they face. But a new problem has emerged: with widespread awareness of insider threat has come a false sense of confidence. Many CISOs I talk to tell me that they’ve put tools in place — DLP, EDR, CASB, etc. — to stop data exfiltration, and they’re confident they’ve got insider threat covered. But the brutal truth is that “better than we used to be” often isn’t enough. There’s still a major gap in the typical security stack — and it’s putting their data and business at risk.

Overconfidence is rampant, but the statistics tell a different story

Most companies have beefed up their security stack in the past few years. I don’t want to take away from the value of these efforts, but I do want to point to the statistics showing the continual upward trend in insider threat incidents. Every week, that harsh truth hits home for another company, as we read about the latest high-profile insider threat incident that surprised, embarrassed and damaged a company that had been quite confident in their airtight security stack. Like I said, better than before isn’t enough.

The fatal flaw in the policy-based security stack

Almost all conventional data security tools are guided by policies, rules or other admin-defined parameters. DLP, EDR, CASB and the like do an excellent job of hunting down, flagging and sometimes even stopping actions based on defined rules and policies. But therein lies the problem: they can only look for what you tell them to look for. The reality is that you can’t think of everything. No one can. You can’t think of every possible way that an insider could take a given file or data type, so insiders will always be one (or several) steps ahead. (As a side note, there are now many ways of exfiltrating data that traditional DLP solutions simply cannot cover. Traditional DLP focuses on devices and networks, but things like Bluetooth, AirDrop, etc., don’t always show up on either the device or the network.)

Moreover, a lot of companies think their tools are focused on the right files and the right data. But users create new files every day, and the dynamic nature of modern work means that a given file can go from a low-value work-in-progress to a highly sensitive innovation-in-progress within the course of a single day. It’s almost impossible to think of (and stay current with) all the valuable, sensitive and vulnerable files and data types across your entire organization.

Case in point: the recent McAfee insider data theft incident. Three departing employees copied company trade secrets onto USB drives and simply walked out the door. How did a leader in data loss prevention not catch and stop this obvious theft? Because the data they took — sales and marketing files — were not traditionally tagged as IP. The bottom line: If traditional DLP doesn’t stop data loss for McAfee, it won’t stop data loss for you.

You can’t lock down all your trade secrets & IP

Even if you could account for every potentially valuable or sensitive file in your organization, you can’t just lock all these files down. A lot of this information needs to move. Things like source code, customer lists and collaborative development projects need to move between users and even outside your organization in order to keep work moving forward. So you end up writing all sorts of exceptions to your security policies – and in the process, take the teeth out of your policy-based security tools. This makes it much easier for an employee to find a workaround, or a way to take files that look normal.

You don’t know what you can’t see – so you don’t know when you’ve been beaten

The second fatal flaw of conventional security tools like DLP: they don’t know when they’ve been beaten. They’re focused on seeing specific user actions. If the user action falls outside those defined rules, they don’t see it — and that means you don’t see it. In practice, that means that when users (inevitably) find ways around DLP, you most likely will have no idea until it’s too late to do anything about it. In fact, most companies only discover the data loss because of the proximate damage it causes to their business — weeks, months or years down the line — when a competitor beats them to the market with copycat technology or poaches clients with a leaked customer list.

You need to start with data behavior, not user behavior

All the problems with rigid rules point to an obvious solution: consider the context and behavior surrounding a specific action. There are a lot of solutions that focus on user behavior — trying to pull out context and identify risk by monitoring every keystroke of their employees. But that kind of intrusive employee monitoring comes with its own set of issues. There are ethical privacy concerns, as well as the increasing legal precedents that suggest you need a discrete reason to monitor an employee. Legality aside, invasive monitoring can hurt workplace culture, reduce staff satisfaction and even impact productivity. Moreover, we’ve already established that users’ creativity is often one step ahead of even the best pattern recognition software.

At Code42, we take a different approach: We watch the data — how it changes and where it moves. Users can trick you, but data doesn’t lie. Our underlying real-time backup technology means we’re able to watch all your data, all the time — so we understand what “normal” looks like. If we see something unusual, only then do we enable security to associate it back to the user. We start with cause, then investigate. This eliminates the privacy concerns, and ultimately keeps your attention focused on what you’re really trying to protect: the data.

The big objection: I can’t watch all my data, all the time

All-encompassing data visibility sounds nice, but that alone doesn’t solve the problem of seeing the actual risks and threats amid the ocean of normal activity. When I explain how Code42 is different, I normally get a flood of objections like: Won’t we have to configure the system to provide alerts? Won’t someone have to manage all those alerts? My team is already buried in alert management – you’re just adding to my problem. Here’s what I tell them…

Code42 gives you a clear signal of your risk

Comprehensive data visibility is the foundation of Code42. We know what normal looks like, and we know what your biggest risks look like. For example, we know that departing employees account for around half of all insider data loss incidents. We also know that M&A, or another type of company re-organization, creates one of the most acute risks of insider data loss. So, we focus our attention on these high-risk situations. We’ve already developed the algorithms and defined the parameters on our end — building simple tools like our departing employee lens that focus on these risks — so we’re not placing that burden on you.

Ultimately, we’re watching the behavior of all your data and using our deep data visibility to put relevant context around that activity before triggering an alert — instead of leaving that contextual analysis burden to your team. This minimizes alerts, so your team gets alerts you can trust and act on.

Giving you instant information to investigate immediately

Detecting risky user actions that have slipped past policy-based security tools is an incredibly important capability. But detection is just the first step; you need to be able to determine exactly what happened, if it’s risky, and what needs to be done. And you can’t afford to spend multiple days piecing together that story while your data is still at risk.

Code42 pulls together all that file activity and contextual information to give you distinct answers: this file was copied to this cloud with this browser tab URL, or this USB drive with this serial number, at this exact time. In essence, we give you an immediate answer to the question, “Where’d my file go?” And because Code42 automatically captures every version of every file, with the proper authorizations, you can even open the actual file in question to evaluate its contents and determine the risk. You get the definitive information you need to take action, faster.

Are you comfortable with “good enough”?

It’s always hard to change the status quo — especially when you’ve done a lot of work and made major improvements to achieve the current state. CISOs have done an admirable job of bulking up their security stances with tools designed to prevent both internal and external data risks. But here’s the brutal truth: even the strongest prevention will fail sometimes. Because prevention tools can only stop what you tell them to stop. You can’t think of everything, you can’t lock down all your data (exceptions just create blind spots), and creative (or malicious, or industrious or simply self-serving) users will always stay one step ahead of policy. When user activities inevitably slip past prevention tools, they fall into a dangerous gap in your security stack. You don’t know what’s happened; you typically don’t know anything has happened at all. Your security team is flying blind.

Considering that insider threats like these account for 50% of data breaches, are you really comfortable with leaving this risk uncovered? Or is it time to re-think “good enough?”

Don’t Believe the Hype from DLP Players

We got a good chuckle when one of our competitors recently called us a “DLP Wannabe.” Let’s face it, no one wants to be a data loss prevention (DLP) provider – including us. Seventy-three percent of companies with DLP report that employees complain of lost productivity and collaboration. Eighty-one percent of security decision makers are frustrated with these issues: they feel they need a better way to protect sensitive data without slowing down innovation (Source: Forrester 2019). The brutal truth is no one likes DLP. Our customers that have it don’t like it. The customers that think they need it look for excuses not to buy it.

Progressive organizations thrive on collaboration. We are in the midst of a massive culture change that centers on employees’ ability to share ideas, move faster and transform the customer experience both internally and externally.   

That’s where our approach to protecting data was born. It’s an approach that focuses on enabling security teams and their internal customers to move faster, collaborate with one another and be more productive. We called it next-gen DLP because it’s time for change. It’s time for a new approach that works for the collaboration era.

Code42 Next-Gen Data Loss Protection

Code42 at Jamf Nation User Conference: Data Loss Protection for Macs

The Code42 team is gearing up for the annual user conference for one of our favorite hometown partners: the Jamf Nation User Conference, Nov. 12 – 14 at the Hyatt Regency Hotel in Minneapolis, literally right up the road from our offices. Code42 has been a proud sponsor for JNUC since 2012 and we love rubbing elbows and throwing back a few with our friends in the Apple community. Billed as the world’s largest rally of Apple IT administrators, JNUC is always a great place for us to educate users about the reality of data loss and showcase the tool that truly works to protect data from insider threat: Code42® Next-Gen Data Loss Protection.

Traditional data loss prevention (DLP) claims it can prevent data loss and theft from employees. It relies on arcane policies, rules and user blocking that stifle collaboration and productivity. According to our recently released Data Exposure Report, 69% of organizations say they experienced an insider threat breach while they had a prevention solution in place. No wonder 78% of information security leaders—including those with traditional DLP solutions—believe prevention strategies and tools aren’t enough to stop insider threat. 

Fortunately, there’s a better way to protect data while also encouraging user collaboration and productivity: by detecting, investigating and responding to suspicious file activity that could indicate an insider is taking data. The right tool provides these insights in real time, so organizations can respond to insider threat immediately, not months after an employee quits and takes data with them. And a comprehensive solution allows Apple IT administrators to visualize their data loss risks with one pane across endpoints, cloud and email.

At JNUC, we’re looking forward to sharing how our next-gen data loss protection solution—which is built for Mac and has complete feature parity in Windows—can do all this and more. Check out customer stories from companies that have successfully used next-gen data loss protection to safeguard their data from insider threat. At JNUC, come check us out at:

  • Nov. 12: 
    – 7 a.m. to 5 p.m. at booth 5
  • Nov. 13:
    – 7 a.m. to 5 p.m. at booth 5
    – 11:15 a.m. in the Nicollet Grand Ballroom for the breakout session, “How to Keep Data Safe: Data Loss Protection and macOS Catalina.”
    – 5–8 p.m. for “Off the Clock with Code42” at one of our favorite local spots, Butcher and the Boar. You can register here.
  • Nov. 14: 
    – 7 a.m. to 3 p.m. at booth 5

Looking forward to seeing you there!

Mitigating Departing Employee Data Loss Threats


The first thing most IT security pros think when they read, “DLP is a program or a process — not a product,” is, “A program sounds a lot more complicated and expensive than a product.” But that doesn’t have to be the case. In my last blog, I outlined 10 key steps to building a simplified insider threat program that’s based around three key workflows: departing employees, organizational change and high-risk employees. We believe these three scenarios account for 80% of insider threats.

Today, we’re diving into the first workflow: departing employees.

It’s a big problem, and it’s only getting bigger

Even the very best places to work are feeling the pain of this growing challenge. People are changing jobs more frequently than ever, a trend that started shortly after the recession and has continued accelerating: Employee “quits” (voluntary departures) have risen every year since 2010, according to the U.S. Bureau of Labor Statistics. A recent survey suggests more than half of U.S. workers will look for a new job in 2019 — and half of those new-job-seekers haven’t even been at their current gig for a full year. One big reason: employees increasingly don’t have the same feelings of loyalty toward their employers — in fact, they fully expect to switch jobs frequently in order to stay fresh and grow. With the job market remaining strong (especially for in-demand knowledge workers), their confidence in finding a new job is as high as ever.

And when they leave, they’re taking valuable and/or sensitive data with them. The Code42 2018 Data Exposure Report showed that roughly half of employees admit to taking IP with them when they leave. Even more concerning: The higher you go in the company, the more likely data is walking out the door, with over 70% of execs admitting to taking IP from one employer to the next.

It’s not black and white

The risk posed by departing employees tends to be viewed in absolute terms. Most organizations assume that 99.9% of employees would NEVER take anything or do anything risky. “They’re good people; they know better,” is something we hear all too often. On the flip side, most assume that any employee that does take data is doing so maliciously. The reality is that there’s a tremendous gray area. Most people aren’t outright stealing. They’re doing things like:

  • Pulling together their best work to help them land a new job
  • Taking the work they’re most proud of with them
  • Taking things like templates to use in their new gig
  • Taking “their” client info
  • Deleting files to “help” clean up their devices for the next user
  • Even just sharing work with colleagues, or pulling important working files onto a thumb drive to give to a current colleague to ensure the project keeps moving forward after they leave

Most have good (if self-centered) intentions. But they’re still taking actions that put the company at risk.

Offboarding is just as important as onboarding

While most organizations dedicate significant time and resources to their employee onboarding program, offboarding gets far less attention. In fact, most organizations don’t have a specific and consistent workflow to account for the unique data exposure risks surrounding a departing employee, much less involve the security team if they actually do have a process.

Building a departing employee workflow

With employee departures accelerating across the workforce, you need to have a dedicated program to account for these risks. So, what should that program look like? Here are a handful of best practices that simplify the task:

  • Have a corporate policy. You may think your idea of data theft is universal. It’s not. Every organization needs an explicit, written policy around employee data exfiltration: what they can and can’t take; where they can and can’t move data; and how they should go about getting permission to take files or data upon their departure.
  • Publicize the policy. Bad habits are hard to break. Make data protection best practices part of employee onboarding. But also make sure data exfiltration review is part of the offboarding process. A simple reminder can go a long way toward preventing well-intentioned employees from doing something they shouldn’t.
  • Create a departing employee trigger — and execute the workflow every time. Most organizations have a new employee trigger, owned by HR, that automatically sets in motion an onboarding process that includes everything from training to IT and security teams giving the new employee the access privileges they’ll need. HR should also have a departing employee trigger that automatically sets in motion an offboarding process that includes a security analysis of the employee’s data activity to account for potential risks. Just like onboarding, this departing employee workflow should be followed for every departing employee — not just those you consider high-risk. 
  • Go back in time. A common mistake is to think employees start taking data after they give notice or right before they leave. Moreover, most employee monitoring tools only start monitoring an employee once notice is given. The reality is that the risky activity most often occurs much, much earlier — as they’re looking for a new job; after they’ve accepted another position, but before they’ve given notice; etc. To account for this reality, best practice is to analyze departing employee activity going back months from the day they give notice.
  • Build a “red flag” list with LOB. By focusing on just departing employees, you’ve already dramatically narrowed the scope of the security analysis from the traditional, “classify ALL your data” approach of legacy DLP. But you can hone in further by engaging LOB leaders to build a specific list of your organization’s most valuable files and file types: source code for tech companies, CAD drawings at an engineering firm, Salesforce files and customer lists, spreadsheets with financial info, codenames for R&D projects, etc. Make sure your monitoring tools allow you to search and filter activity by file type, file name, etc., so you can quickly look for these red-flag activities.
  • Search for common signs of suspicious activity. In addition to looking at specific file categories, your monitoring tools should also allow you to easily see when file activity deviates from normal patterns (e.g., a spike), to search specifically for after-hours or weekend activity (when suspicious activity often occurs), and to uncover suspicious file mismatches (e.g., a customer list file is renamed “photo of my daughter” and the MIME type doesn’t match the extension).

A departing employee workflow example

Here’s a rough look at how a departing employee workflow…works:

1) TRIGGER
Employee gives notice, triggering activity review by IT security.

2) ANALYSIS
Security looks back at the past 90 days of employee data activity, searching for suspicious or risky actions.

3) ACTIVITY FLAGGED
Security flags suspicious activity: a product pricing spreadsheet that was emailed to an external address.

4) HR/LOB REVIEW
Security restores the spreadsheet and brings it to HR. HR brings it to the LOB manager. The LOB manager confirms that emailing the pricing document was not authorized.

5) ESCALATION TO LEGAL
Depending on the activity and severity of the risk, the issue may be escalated to legal.
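
The ANALYSIS step of this workflow, sketched as an added example (not Code42's code and not part of the original post): it applies the 90-day lookback and the red-flag, after-hours, spike and type-mismatch checks from the best-practice list to constructed events. The event schema, business hours, spike threshold and red-flag list are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePath
from statistics import median

LOOKBACK = timedelta(days=90)          # window from the workflow's ANALYSIS step
WORK_HOURS = range(8, 18)              # assumption: 08:00-17:59, Mon-Fri
RED_FLAG_TERMS = ("pricing", "customer", "salesforce")  # assumed LOB list
RED_FLAG_EXTS = {".dwg", ".xlsx", ".csv"}               # assumed LOB list
SPIKE_FACTOR = 5                       # assumption: 5x the user's median day

# Leading bytes of common formats and the extensions they normally carry.
MAGIC = (
    (b"PK\x03\x04", {".zip", ".xlsx", ".docx", ".pptx"}),
    (b"%PDF-", {".pdf"}),
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
)

@dataclass(frozen=True)
class FileEvent:                       # hypothetical schema for exported activity
    user: str
    when: datetime
    name: str
    destination: str                   # e.g. "usb", "external_email", "cloud"
    header: bytes                      # first bytes of the file's content

def type_mismatch(ev):
    """True when the content's magic bytes contradict the file extension."""
    ext = PurePath(ev.name).suffix.lower()
    for magic, exts in MAGIC:
        if ev.header.startswith(magic):
            return ext not in exts
    return False                       # unknown content: no claim either way

def spike_days(events):
    """Dates whose event count is at least SPIKE_FACTOR x the median day."""
    per_day = Counter(ev.when.date() for ev in events)
    if len(per_day) < 3:               # too little history for a baseline
        return set()
    base = median(per_day.values())
    return {d for d, n in per_day.items() if n >= SPIKE_FACTOR * base}

def review(events, user, notice):
    """Return [(event, reasons)] for the user's flagged events in the window."""
    window = [ev for ev in events
              if ev.user == user and notice - LOOKBACK <= ev.when <= notice]
    spikes = spike_days(window)
    flagged = []
    for ev in sorted(window, key=lambda e: e.when):
        reasons = []
        lowered = ev.name.lower()
        if (PurePath(lowered).suffix in RED_FLAG_EXTS
                or any(term in lowered for term in RED_FLAG_TERMS)):
            reasons.append("red-flag file")
        if ev.when.weekday() >= 5 or ev.when.hour not in WORK_HOURS:
            reasons.append("after hours")
        if type_mismatch(ev):
            reasons.append("type mismatch")
        if ev.when.date() in spikes:
            reasons.append("volume spike")
        if reasons:
            flagged.append((ev, reasons))
    return flagged

# Constructed sample events (not real data). Notice is given on 2019-06-14.
NOTICE = datetime(2019, 6, 14, 9, 0)
ZIP = b"PK\x03\x04\x14\x00"            # how .xlsx content begins
SAMPLE = [
    FileEvent("alice", datetime(2019, 2, 1, 10, 0), "q1_pricing.xlsx", "external_email", ZIP),
    FileEvent("alice", datetime(2019, 4, 2, 14, 0), "notes.txt", "cloud", b"hello"),
    FileEvent("alice", datetime(2019, 5, 4, 23, 10), "photo of my daughter.jpg", "usb", ZIP),
    FileEvent("alice", datetime(2019, 5, 20, 11, 0), "product_pricing.xlsx", "external_email", ZIP),
    FileEvent("bob", datetime(2019, 5, 20, 11, 5), "customer_list.csv", "usb", b"id,name"),
] + [FileEvent("alice", datetime(2019, 6, 10, 9 + i), f"build_{i}.log", "cloud", b"")
     for i in range(6)]

if __name__ == "__main__":
    for ev, reasons in review(SAMPLE, "alice", NOTICE):
        print(ev.when.isoformat(), ev.name, "->", ev.destination, reasons)
```

The first sample event is a red-flag file but falls outside the 90-day window, so it is not reported; widening `LOOKBACK` is the only way this sketch would see it.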

It all depends on visibility

The departing employee workflow — like your entire insider threat program — depends on visibility. To be able to look back at the last 90 days of a departing employee’s activity, you can’t be working with a DLP or monitoring solution that only kicks on after the employee gives notice. You need to be continuously monitoring all data activity, so you’re instantly ready to execute a 90-day security analysis of any employee, as soon as they give notice. This visibility can’t be limited to file names. To get to the bottom of suspicious activity and act with confidence, you need the ability to restore and review any version of any file — so you can see if it’s really a problem. With this kind of always-on monitoring, you can enable the kinds of targeted triggers that focus your attention where it matters most — and act quickly to mitigate risk and potential damage from the many things departing employees take with them when they leave.

3 Key Workflows to Build an Insider Threat Program

We’ve never been shy about beating the insider threat drum at Code42, but the buzz on insider threat is reaching fever pitch. Small to medium-sized enterprise security and IT teams know they need to address this looming risk. But the biggest hurdle is answering the question, “Where do we start?”

For the past few years, the prevailing answer has been, “BUILD A COMPREHENSIVE INSIDER THREAT PROGRAM.” But let’s be honest: This is daunting. It’s time-consuming. It’s expensive. Moreover, these “best practices” often involved creating an entire team dedicated exclusively to insider threat detection and response. That sounds fantastic — but well beyond reality for most of us dealing with strained resources and limited budgets.

Most problematic: The root of this traditional approach is implementing traditional DLP. Just mentioning DLP might make you cringe as you imagine expensive technology and super complex rules that, at the end of the day, often do more harm than good — frustrating users with barriers to productivity and leading to workarounds and exceptions that compromise the whole program.

You need something simpler. We all do, because the insider threat problem is not going away. 

Here at Code42, we’ve come up with a better approach to building an insider threat program — and it all centers on a simple starting point: the everyday triggers that create your biggest insider threat risks. These are common use cases that happen every day (or every hour) that account for the vast majority of insider threat incidents — departing employees, accidental leakage and organizational changes. Hone in on these high-risk triggers, and make sure you have the right technologies in place to see the full picture — not just a trail of breadcrumbs after the fact.

With these everyday use case triggers as the foundation, here are 10 critical steps that make it faster, easier and more cost-effective for small to medium-sized enterprises:

Code42’s 10 steps to building an insider threat program

1. Get executive buy-in: Don’t fight this battle on your own. Getting definitive buy-in from leadership is the first and most critical step in defining your security and IT team (and your efforts) as value-adding business partners — instead of frustrating data police. 

2. Identify and engage your stakeholders: Continue the buy-in campaign from the top down. Think about which individuals or teams within your organization stand to lose the most from insider data theft or leakage. Identify and engage line-of-business leaders, HR, legal and other IT leaders as key stakeholders in your insider threat program.

3. Know what data is most valuable: Once you know who you’re protecting, engage those line-of-business stakeholders in conversations about what data is most valuable to them. All data has value, but these conversations are essential to understanding the different types of unstructured data to keep a close eye on — and which types of high-value unstructured data will require more creative means of tracking.

4. Think like an insider: With your valuable data in mind, put yourself in the shoes of an insider. Why would they want to move or take information — and what would they ultimately want to do with it? What tactics or blind spots might they exploit to do it? What workarounds could they use to get work done? We call these actions inside indicators of compromise.

Up to this point, the steps may look very similar to more traditional approaches. You’re figuring out what data you’re protecting — and the indicators of compromise that point to insider incidents. Now, here’s where things get simpler:

5. Define insider triggers: Instead of building a monster program with classification schemes and policies that attempt to monitor every potential scenario (and ultimately fail), start by focusing on the most common data exfiltration scenarios. These center on a few common use cases that impact nearly every organization — departing employees and high-risk workers, accidental leakage and organizational changes (re-organization, M&A, divestiture, etc.). These use cases make up the vast majority of insider threat incidents, and serve as the foundational triggers of your insider threat program.

6. Establish consistent workflows: Investigating suspected data exfiltration can be daunting in itself. Once again, start small by focusing on the key use cases. For example, when an employee departure is triggered, define which activities will be examined — and what activities will trigger in-depth investigation. Exceptions and workarounds are the Achilles heel of insider threat programs. Make sure you clearly define the workflow for each trigger — and consistently execute and improve the steps you establish.

7. Create rules of engagement: Once a workflow has been triggered and potential data exfiltration identified, it should be the key stakeholder’s responsibility to directly engage the employee/actor. For example, departing employee and accidental leakage incidents will likely trigger engagement from HR and the line-of-business manager. An M&A workflow might trigger engagement from internal legal staff — or even a CFO. It’s important that these rules of engagement separate security and IT from any enforcement responsibilities. This allows them to focus on monitoring, detection and remediation — and prevents security and IT from developing an adversarial “data police” relationship with staff.

8. Leverage existing security and IT teams — and train your stakeholders: It doesn’t make sense for most small and medium-sized enterprises to create a fully dedicated insider threat team. Because we’ve honed the insider threat program down to a few key workflows, your existing security and IT teams should be able to handle the monitoring and detection responsibilities. But security and IT teams — who are already wearing multiple hats and managing strained resources — don’t have to shoulder the full burden. It’s also critical that all stakeholders (the HR, legal, line-of-business managers, etc.) be trained so they understand the full scope of the insider threat program: what is being monitored, the specific use case triggers, the investigation workflows, the rules of engagement and the tools used to accomplish all of this. This training should also clearly define their roles and responsibilities, so they’re ready to jump in when an incident response workflow is triggered.

9. Be transparent in communication: Transparency is critical for building a healthy culture that values security. Employees should know — from day one — that your organization tracks file activity. They should understand that the program is applied universally and without privileges or exceptions — and they should understand how the program is designed to support their productivity while protecting the business.

10. Implement true monitoring, detection and response technology: Perhaps most important of all, your insider threat program must start long before a trigger. In other words, you can’t afford to only monitor an employee’s activity after he’s given his notice, or after rumors of organization change have begun rippling through the office. Too many insider threat monitoring solutions are limited to this post-trigger scope — and far too often, the actual exfiltration occurs much earlier. True monitoring, detection and response technology must be continuously running, providing historical context and complete visibility into all data activity. This enables your insider threat team to quickly and effectively see the full picture — and protect all data at all times.

At the end of the day, let’s stop talking about insider threat exclusively as “employees stealing stuff.” This market perception perpetuated by our industry has done more harm than good. In reality, insider threats are the actions (good, bad and indifferent) people take with data (any data) that put customer, employee, partner or company well-being at risk. The smaller the enterprise, the greater the business risk. That’s the real promise of the workflow-based approach: It gives small and medium-sized organizations a simple starting point — just three or four use cases — that will effectively address 80% or more of your insider threat risks.

A Hot Topic for RSA: Debunking Traditional DLP

Hundreds of vendors and tens of thousands of cybersecurity professionals will invade San Francisco in a few weeks for the 2019 RSA Conference. The streets around Moscone Center will be filled with buses and cars emblazoned with cybersecurity vendor marketing messages, and the level of pedestrian traffic will skyrocket. When I consider what cybersecurity professionals are looking forward to at the event, it’s not only an opportunity to explore new technologies, but also new ways of thinking about data security. 

It’s all about the data.

Ultimately, people are looking for solutions to their security challenges. They are looking for the technologies that will help them manage their security posture and answer fundamental questions about data: Where is my data? Who has access to my data? How can I monitor when data is leaving my network? How do I know what data is leaving my organization? Bottom line—how can I protect my data?

“I love my DLP.” Said no one ever.

At Code42, we’re looking forward to RSA to talk about a new approach to data security. In fact, it’s a whole new take on Data Loss Prevention (DLP). At its core, our approach debunks the fundamental requirements of policies, classifications and blocking — the things that we’ve learned to love to hate about DLP. And there are other major advantages to our new solution. It lives in the cloud, eliminates long deployments, and gives security teams visibility into every version of every file. We call it Code42 Next-Gen Data Loss Protection — a solution that is defined not by what you can prevent, but rather by how quickly you can detect, assess and respond to threats and reduce business risk.

Let’s face it. Gone are the days when you could build walls big enough to prevent data from getting outside your organization. Traditional DLP solutions aren’t working. The reality is that complicated and policy-laden security strategies run counter to the needs of today’s IP-rich, culturally progressive organizations, which thrive on mobility, collaboration and speed to get work done.

Next-Gen Data Loss Protection is a challenge to the status quo.  

Yes, the endgame of Code42 Next-Gen Data Loss Protection is a direct challenge to the status quo. It offers businesses a quicker, easier way to protect their organization’s endpoint and cloud data from loss, leak, misuse and theft.

Are you ready to hear more about a different take on data loss protection and see it in action? When you’re at RSA, stop by and visit the Code42 team at Booth S 1359 (in the South Expo Hall). We’ll be conducting product demos, and we’ll have donuts on Wednesday and Thursday morning. Make sure you get there before we run out.

Code42 Policy-Free DLP: It’s Time to Rethink Data Protection

It’s Time to Rethink DLP

As much as we may not like to talk about it, half of the major threats to the security of our corporate data come from the inside. That doesn’t mean that our employees are all malicious — insider threats can surface in many ways: user errors and accidents, lost or stolen devices, even hardware failures — and the list goes on. In fact, a report by International Data Group (IDC) showed that three of the top five most common high-value information incidents involve insiders.

Given this, it’s no surprise that for years, organizations have been using data loss prevention (DLP) solutions to try to prevent data loss incidents. The problem is that the prevention-first approach of legacy DLP solutions no longer meets the needs of today’s IP-rich, culturally progressive organizations, which thrive on mobility, collaboration and speed. The rigid “trust no one” policies of legacy DLP can block user productivity and are often riddled with exceptions and loopholes. For IT, legacy DLP solutions can be expensive to deploy and manage — and only protect selected subsets of files.

A fresh start

The prevention focus of traditional DLP forces a productivity trade-off that isn’t right for all companies — and isn’t successfully stopping data breaches. That’s why it’s time for organizations to rethink the very concept of DLP and shift their focus from prevention to protection. Next-generation data loss protection (next-gen DLP) enables security, IT and legal teams to more quickly and easily protect their organization’s data while fostering and maintaining the open and collaborative culture their employees need to get their work done.

Rather than enforcing strict prevention policies that block the day-to-day work of employees, next-gen DLP clears the way for innovation and collaboration by providing full visibility into where files live and move. This approach allows security and IT teams to monitor, detect and respond to suspicious file activity in near real time.

Next-gen DLP benefits

This next-gen approach to data protection provides the following benefits:

Works without policies: Unlike legacy DLP solutions, next-gen DLP does not require policies — so there is no complex policy management. Because next-gen DLP automatically collects and stores every version of every file across all endpoints, there is no need to set policies around certain types of data. When data loss incidents strike, affected files are already collected, so security and IT teams can simply investigate, preserve and restore them with ease — whether the incident affected one file, multiple files or multiple devices.

Removes productivity blocks: Next-gen DLP enables employees to work without hindering productivity and collaboration. Workers are not slowed down by “prevention-first” policies that inevitably misdiagnose events and interfere with their ability to access and use data to do their work.

Lives in the cloud: Because they are cloud-native, next-gen DLP solutions are free from expensive and challenging hardware management, as well as the complex and costly modular architectures that are common with legacy DLP.

Deploys in days: Next-gen DLP solutions can be rapidly implemented, since the extensive time and effort required to create and refine legacy DLP policies is not needed. Since it works without policy requirements, next-gen DLP is also much easier to manage once deployed than legacy DLP. This is especially important for smaller organizations that can’t wait months or even years for a solution to be fully implemented.

Provides access to every file: While next-gen DLP doesn’t require blanket policies, security teams can still use it to observe and verify employee data use. For example, next-gen DLP can alert administrators when an unusually large number of files are transferred to removable media or cloud services. If the files have left the organization, next-gen DLP can see exactly what was taken and restore those files for rapid investigation and response.

By focusing on all files in an organization, next-gen DLP offers many additional benefits:

  • Visibility into file activity across endpoints and cloud services to speed security investigations. This differs from legacy DLP, which only provides a view of a defined subset of data.
  • Fast retrieval of file contents and historical file versions to perform detailed analysis or recovery from data incidents. Legacy DLP solutions don’t collect the contents of files and thus can’t make them available for analysis or recovery.
  • Long-term file retention to help satisfy legal and compliance requirements as well as provide a complete data history for as long a time period as an organization requires. Again, legacy solutions don’t retain file contents and so aren’t able to provide this history.

A new paradigm for DLP

Next-gen DLP is a huge departure from legacy DLP solutions, but it’s a logical and necessary evolution of the category given the changing needs and work preferences of today’s IP-rich and culturally progressive organizations — small, mid-size and large.

Armed with a more discerning tool, organizations no longer have to lock down or block data access with restrictive policies. With full visibility into where every file lives and moves, security teams can collect, monitor, investigate, preserve and recover valuable company data in the event of a data loss incident.

Companies today are looking for better ways to protect their high-value data — while freeing knowledge workers to create the ideas that drive the business. By choosing to implement next-gen DLP, organizations will be able to keep their vital data protected without hindering productivity and innovation.

Code42 Next-Gen Data Loss Protection: What DLP Was Meant to Be

Malware and other external cyber threats get most of the headlines today. It’s not surprising, given the damage done to companies, industries and even countries by outside-in attacks on data. Despite that, insider threats — the risks of data being lost or stolen due to actions inside the company — are just as big a threat.

According to the 2018 Insider Threat Report by Cybersecurity Insiders, 90 percent of cybersecurity professionals feel vulnerable to insider threat. McKinsey’s “Insider threat: The human element of cyberrisk” reports that 50 percent of breaches between 2012 and 2017 involved insiders.

“The rise of insider threats is a significant threat to every business and one that is often overlooked,” said Jadee Hanson, Code42’s CISO. “While we all would like to think that employees’ intentions are good, we prepare for malicious actions taken by those from within our organizations. As external protection increases, we all should be concerned as to the influence external actors may have on those working for us and with us every day.”

Insider threats are a big deal, and traditional data loss prevention (DLP) solutions were developed to protect companies and their data from these internal events.

DLP hasn’t delivered

While traditional DLP solutions sound good in concept, most companies are only using a fraction of their capabilities. Security teams describe using these solutions as “painful.” Legacy DLP deployments take months or years, because proper setup requires an extensive data classification process, and refining DLP policies to fit unique users is complex and iterative. And after all that time, traditional DLP still blocks employees from getting their work done with rigid data restrictions that interfere with user productivity and collaboration. They also require on-site servers — counter to the growing business priority of moving solutions to the cloud.

Most importantly, legacy DLP solutions are focused on prevention. Business and security leaders now recognize that prevention alone is no longer enough. Mistakes happen, and data threats sometimes succeed. Being able to recover quickly from data loss incidents is just as important as trying to prevent them.

Rethink DLP

At Code42, we protect over 50,000 companies from internal threats to their data. This focus on protection has enabled us to see things differently, and develop an alternative to data loss prevention: data loss protection. We are excited to announce the new Code42 Next-Gen Data Loss Protection (Code42 Next-Gen DLP) solution that rethinks legacy DLP and protects data from loss without slowing down the business.

Code42 Next-Gen DLP is cloud-native and protects your cloud data as well as all of your endpoint data. It deploys in days instead of months, and provides a single, centralized view with five key capabilities:

  • Collection: Automatically collects and stores every version of every file across all endpoints, and indexes all file activity across endpoints and cloud. 
  • Monitoring: Helps identify file exfiltration, providing visibility into files being moved by users to external hard drives, or shared via cloud services, including Microsoft OneDrive and Google Drive.
  • Investigation: Helps quickly triage and prioritize data threats by searching file activity across all endpoints and cloud services in seconds, even when endpoints are offline; and rapidly retrieves actual files — one file, multiple files or all files on a device — to determine the sensitivity of data at risk.
  • Preservation: Allows configuration to retain files for any number of employees, for as long as the files are needed to satisfy data retention requirements related to compliance or litigation.
  • Recovery: Enables rapid retrieval of one file, multiple files or all files on a device even when the device is offline, or in the event files are deleted, corrupted or ransomed.

By rethinking traditional DLP, you can know exactly where all your data is, how it is moving throughout your organization and when and how it leaves your organization — without complex policy management, lengthy deployments or blocks to your users’ productivity. DLP can finally deliver on what it was originally created to do.

Data, Humans and the Cloud, Part 3: Facing Reality

Digital transformation is changing the face of business. All business. As part of this shift, many IT leaders have decided to use their cloud collaboration tools for data protection and recovery—tools like Google Drive, Microsoft OneDrive, Box and Dropbox. According to a 2017 Intel Security Study, 74 percent of businesses now store some sensitive information in the cloud. And according to a Code42 customer survey, 67 percent of companies have data in three or more cloud storage services.

While a cloud-focused future is clearly the goal, there is still a considerable amount of data being saved to the endpoint. In fact, Code42’s 2017 CTRL-Z Study revealed that IT decision makers believe that as much as 60 percent of corporate information lives on user laptops. Over the course of our three-part blog series, we explore the critical role human behavior plays in how data is stored and protected as your business moves to the cloud.

Part 3: The consequences of the digital transformation/human behavior disconnect

Tools like Google Drive, Microsoft OneDrive, Box and Dropbox definitely have a role to play in a digital transformation strategy. They are great for sharing files, improving workflows, simplifying collaboration for team projects and enabling productivity. However, businesses need to be aware of the challenges posed by relying on them to safeguard and protect company data.

While employees might use these tools to share a specific file, Code42’s 2017 CTRL-Z study found that not every file makes it to an officially sanctioned cloud platform. For example, employees may have files on endpoints that they never intend to share with coworkers; or they may create multiple versions of a file before they are ready to share or collaborate. The final version gets uploaded to the company cloud, but the previous five versions that only exist on the user’s endpoint may be no less valuable to the business. This is why exclusively using a cloud file sharing or collaboration tool for data protection and recovery leaves companies exposed to a variety of harmful business situations, including:

  • Data loss, when an employee deletes a shared file that collaborators can no longer access.
  • Theft, when data moves from laptop to thumb drive to personal cloud storage.
  • Breach, when malware or ransomware infects one laptop and propagates across a cloud system.
  • Non-compliance, should they lose track of where all regulated information resides.
  • Lost productivity, when collecting and preserving files for legal becomes manual.

Unpredictably human

As I mentioned in the first part of this series, employees are, at the end of the day, human. Humans tend to work in ways that make them feel the most productive and satisfied. You will always have employees who ignore policies that slow them down; this is true from your C-level executives all the way down to your most junior employees. And as I covered in the second part of this series, you’ll never have one policy that works for all of your employees, because there are four distinct types of users today when it comes to data storage.

In short, organizations need to recognize and accept that employees don’t create, share and store their work the way companies expect. Asking them to back up their files to cloud platforms is just as unrealistic as asking them to back up to file servers.

So, what can be done to overcome this gap between human behavior and your digital transformation? First, your organization needs to accept a few statements as true:

  • The files your employees create and store have value to the business.
  • The majority of employee files today still live on endpoints, despite what your policies may state.
  • Failing to protect every file from loss creates risks to productivity, security and compliance.

To ensure the best protection for your data, your security solution should not require intervention from users. If the solution requires action from employees to protect their files, you’ll wind up with critical data that’s unprotected. Your solution must cover all files on all endpoints and back up at regular intervals, so if a data loss incident does occur, the endpoint can be rolled back to a restore point before the event happened. The solution should offer separate archives for every user, so your organization’s data can’t be accessed if one user’s account is somehow breached. Finally, your solution should offer visibility into how the files in your organization move, whether they travel to removable media or to the cloud storage you’re using for collaboration. With data-level visibility, you can be sure every critical file in your organization is completely protected.

According to 451 Research, “60 percent of enterprises plan to shift IT off-premises by 2019, driven by digital transformation.” An important and sometimes overlooked consideration in making this shift is studying the workforce and how employees get work done. After all, employees are the ones creating the very ideas that are driving success in your organization. Are you using the right tools to make sure those ideas are being protected?

Data, Humans and the Cloud, Part 2: Four Types of Users

Read Part 1: Unexpected Behavior here.

Part 2: The four types of users in your organization and how they store data

The data from Part 1 of this blog series makes clear that most employees don’t work the way IT leaders expect, or the way their policies may dictate. To add further clarity to this point, a recent Code42 study broke down work habits by common user types. We call them Adopters, Collaborators, Innovators and Travelers. Some roles align naturally with each type:

  • Adopters are typically found in finance, human resources or legal roles.
  • Collaborators are often found in marketing, IT and support roles.
  • Innovators are commonly found in research and development, and engineering roles.
  • Travelers are usually found in sales and executive roles.

While there are certainly many differences in the work habits of, for example, your marketing team and engineering team, for the purposes of this study we only examined how they store data in cloud storage services.

  • Adopters keep more than 75 percent of their files in cloud storage services.
  • Collaborators keep 50-75 percent of their files in cloud storage services.
  • Innovators keep 25-49 percent of their files in cloud storage services.
  • Travelers keep less than 25 percent of their files in cloud storage services.

[Figure: Four types of users in your organization]

You may think (or hope) that most of your employees are Adopters, but our research shows that they only make up 10 percent of users. Collaborators are a bit more common—they make up 20 percent of your users. Innovators are the most common, making up 40 percent of users. That leaves Travelers at 30 percent of users. In total, 70 percent of users have less than 50 percent of their data in your cloud storage services.

The power of knowledge

Your initial reaction to this data may be negative. After all, it’s natural to feel discouraged when you learn that employees aren’t following your data protection policies. The silver lining: By understanding the user types that make up a workforce and their work patterns, companies can set out on a digital transformation course that avoids unintentionally creating information risk inside their business.

In the final post in this series, I’ll discuss the consequences of the disconnect between digital transformation and human behavior—and what your organization can do about it.