Mitigating Departing Employee Data Loss Threats Code42 Blog


The first thing most IT security pros think when they read, “DLP is a program or a process — not a product,” is, “A program sounds a lot more complicated and expensive than a product.” But that doesn’t have to be the case. In my last blog, I outlined 10 key steps to building a simplified insider threat program that’s based around three key workflows: departing employees, organizational change and high-risk employees. We believe these three scenarios account for 80% of insider threat. 

Today, we’re diving into the first workflow: departing employees.

It’s a big problem, and it’s only getting bigger

Even the very best places to work are feeling the pain of this growing challenge. People are changing jobs more frequently than ever, a trend that started shortly after the recession and has continued accelerating: Employee “quits” (voluntary departures) have risen every year since 2010, according to the U.S. Bureau of Labor Statistics. A recent survey suggests more than half of U.S. workers will look for a new job in 2019 — and half of those new-job-seekers haven’t even been at their current gig for a full year. One big reason: employees increasingly don’t have the same feelings of loyalty toward their employers — in fact, they fully expect to switch jobs frequently in order to stay fresh and grow. With the job market remaining strong (especially for in-demand knowledge workers), their confidence in finding a new job is as high as ever.

And when they leave, they’re taking valuable and/or sensitive data with them. The Code42 2018 Data Exposure Report showed that roughly half of employees admit to taking IP with them when they leave. Even more concerning: The higher you go in the company, the more likely data is walking out the door, with over 70% of execs admitting to taking IP from one employer to the next.

It’s not black and white

The risk posed by departing employees tends to be viewed in absolute terms. Most organizations assume that 99.9% of employees would NEVER take anything or do anything risky. “They’re good people; they know better,” is something we hear all too often. On the flip side, most assume that any employee that does take data is doing so maliciously. The reality is that there’s a tremendous gray area. Most people aren’t outright stealing. They’re doing things like:

  • Pulling together their best work to help them land a new job
  • Taking the work they’re most proud of with them
  • Taking things like templates to use in their new gig
  • Taking “their” client info
  • Deleting files to “help” clean up their devices for the next user
  • Even just sharing work with colleagues, or pulling important working files onto a thumb drive to give to a current colleague to ensure the project keeps moving forward after they leave

Most have good (if self-centered) intentions. But they’re still taking actions that put the company at risk.

Offboarding is just as important as onboarding

While most organizations dedicate significant time and resources to their employee onboarding program, offboarding gets far less attention. In fact, most organizations don’t have a specific and consistent workflow to account for the unique data exposure risks surrounding a departing employee, much less involve the security team if they actually do have a process.

Building a departing employee workflow

With employee departures accelerating across the workforce, you need to have a dedicated program to account for these risks. So, what should that program look like? Here are a handful of best practices that simplify the task:

  • Have a corporate policy. You may think your idea of data theft is universal. It’s not. Every organization needs an explicit, written policy around employee data exfiltration: what they can and can’t take; where they can and can’t move data; and how they should go about getting permission to take files or data upon their departure.
  • Publicize the policy. Bad habits are hard to break. Make data protection best practices part of employee onboarding. But also make sure data exfiltration review is part of the offboarding process. A simple reminder can go a long way toward preventing well-intentioned employees from doing something they shouldn’t.
  • Create a departing employee trigger — and execute the workflow every time. Most organizations have a new employee trigger, owned by HR, that automatically sets in motion an onboarding process that includes everything from training to IT and security teams giving the new employee the access privileges they’ll need. HR should also have a departing employee trigger that automatically sets in motion an offboarding process that includes a security analysis of the employee’s data activity to account for potential risks. Just like onboarding, this departing employee workflow should be followed for every departing employee — not just those you consider high-risk. 
  • Go back in time. A common mistake is to think employees start taking data after they give notice or right before they leave. Moreover, most employee monitoring tools only start monitoring an employee once notice is given. The reality is that the risky activity most often occurs much, much earlier — as they’re looking for a new job; after they’ve accepted another position, but before they’ve given notice; etc. To account for this reality, best practice is to analyze departing employee activity going back months from the day they give notice.
  • Build a “red flag” list with LOB. By focusing on just departing employees, you’ve already dramatically narrowed the scope of the security analysis from the traditional, “classify ALL your data” approach of legacy DLP. But you can home in further by engaging LOB leaders to build a specific list of your organization’s most valuable files and file types: source code for tech companies, CAD drawings at an engineering firm, Salesforce files and customer lists, spreadsheets with financial info, codenames for R&D projects, etc. Make sure your monitoring tools allow you to search and filter activity by file type, file name, etc., so you can quickly look for these red-flag activities.
  • Search for common signs of suspicious activity. In addition to looking at specific file categories, your monitoring tools should also allow you to easily see when file activity deviates from normal patterns (e.g., a spike), to search specifically for after-hours or weekend activity (when suspicious activity often occurs), and to uncover suspicious file mismatches (e.g., a customer list file is renamed “photo of my daughter” and the MIME type doesn’t match the extension).

A departing employee workflow example

Here’s a rough look at how a departing employee workflow…works:

1) TRIGGER
Employee gives notice, triggering activity review by IT security.

2) ANALYSIS
Security looks back at the past 90 days of employee data activity, searching for suspicious or risky actions.

3) ACTIVITY FLAGGED
Security flags suspicious activity: a product pricing spreadsheet that was emailed to an external address.

4) HR/LOB REVIEW
Security restores the spreadsheet and brings it to HR. HR brings it to the LOB manager. The LOB manager confirms that emailing the pricing document was not authorized.

5) ESCALATION TO LEGAL
Depending on the activity and severity of the risk, the issue may be escalated to legal.
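
The analysis in steps 1 to 3, combined with the checks from the best-practices list above (90-day look-back, red-flag files, after-hours or weekend activity, volume spikes, MIME/extension mismatches), can be sketched as follows. This is an added example, not Code42's code or part of the original post; the FileEvent fields, the red-flag list, the 08:00-18:00 business hours, the spike thresholds and the sample activity for user "jdoe" are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from pathlib import PurePath
from statistics import median

# Assumed red-flag list agreed with LOB leaders; tune per organization.
RED_FLAG_EXTENSIONS = {".dwg", ".py", ".java"}
RED_FLAG_KEYWORDS = ("pricing", "customer", "salesforce")
EXTERNAL = {"removable_media", "personal_cloud", "external_email"}
XLSX = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
# Content type expected for each extension (small constructed table).
EXPECTED_MIME = {".jpg": "image/jpeg", ".pdf": "application/pdf",
                 ".csv": "text/csv", ".txt": "text/plain", ".xlsx": XLSX}


@dataclass(frozen=True)
class FileEvent:
    user: str
    when: datetime     # local time of the activity
    filename: str
    mime_type: str     # detected from file contents, not from the name
    destination: str   # "local" or one of EXTERNAL


def flags_for(event):
    """Per-event red flags from the checklist."""
    flags = set()
    path = PurePath(event.filename.lower())
    if path.suffix in RED_FLAG_EXTENSIONS or any(k in path.name for k in RED_FLAG_KEYWORDS):
        flags.add("red_flag_file")
    if event.when.weekday() >= 5 or not 8 <= event.when.hour < 18:
        flags.add("after_hours")          # weekend, or outside 08:00-18:00
    expected = EXPECTED_MIME.get(path.suffix)
    if expected and expected != event.mime_type:
        flags.add("mime_mismatch")        # extension disagrees with the content
    if event.destination in EXTERNAL:
        flags.add("external_destination")
    return flags


def spike_days(events, factor=4, minimum=10):
    """Days with at least `minimum` events and `factor` times the median active day."""
    per_day = Counter(e.when.date() for e in events)
    if not per_day:
        return set()
    baseline = median(per_day.values())
    return {d for d, n in per_day.items() if n >= minimum and n >= factor * baseline}


def review(events, user, notice_day, lookback_days=90):
    """Flag one user's activity in the window that ends on the notice date."""
    start = notice_day - timedelta(days=lookback_days)
    window = [e for e in events if e.user == user and start <= e.when.date() <= notice_day]
    spikes = spike_days(window)
    findings = []
    for e in sorted(window, key=lambda ev: ev.when):
        flags = flags_for(e)
        if e.when.date() in spikes:
            flags.add("volume_spike")
        # Report data leaving the organization when a second signal is also present.
        if "external_destination" in flags and len(flags) > 1:
            findings.append((e.when, e.filename, sorted(flags)))
    return findings


def sample_events():
    """Constructed activity for a hypothetical user 'jdoe' who gives notice on 2019-03-15."""
    events = []
    day = date(2018, 11, 1)
    while day <= date(2019, 3, 15):
        if day.weekday() < 5:             # routine local edits on weekdays
            for hour in (10, 14):
                events.append(FileEvent("jdoe", datetime(day.year, day.month, day.day, hour),
                                        "status_report.txt", "text/plain", "local"))
        day += timedelta(days=1)
    saturday = datetime(2019, 2, 2, 23, 0)   # bulk copy 41 days before notice
    events += [FileEvent("jdoe", saturday + timedelta(minutes=i), f"design_{i}.dwg",
                         "application/octet-stream", "removable_media") for i in range(12)]
    events.append(FileEvent("jdoe", datetime(2019, 2, 20, 11, 0), "photo of my daughter.jpg",
                            "text/csv", "personal_cloud"))
    events.append(FileEvent("jdoe", datetime(2019, 3, 12, 15, 30), "product_pricing.xlsx",
                            XLSX, "external_email"))
    # Older than the 90-day window, so it must not be reported.
    events.append(FileEvent("jdoe", datetime(2018, 11, 3, 22, 0), "customer_list.csv",
                            "text/csv", "removable_media"))
    return events


if __name__ == "__main__":
    for when, name, flags in review(sample_events(), "jdoe", date(2019, 3, 15)):
        print(when.isoformat(" "), name, ", ".join(flags))
```

Calling review with lookback_days=30 on the same data returns only the two later events and misses the weekend bulk copy, which is the gap the "go back in time" practice closes.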

It all depends on visibility

The departing employee workflow — like your entire insider threat program — depends on visibility. To be able to look back at the last 90 days of a departing employee’s activity, you can’t be working with a DLP or monitoring solution that only kicks on after the employee gives notice. You need to be continuously monitoring all data activity, so you’re instantly ready to execute a 90-day security analysis of any employee, as soon as they give notice. This visibility can’t be limited to file names. To get to the bottom of suspicious activity and act with confidence, you need the ability to restore and review any version of any file — so you can see if it’s really a problem. With this kind of always-on monitoring, you can enable the kinds of targeted triggers that focus your attention where it matters most — and act quickly to mitigate risk and potential damage from the many things departing employees take with them when they leave.

3 Key Workflows to Build an Insider Threat Program Code42 Blog

We’ve never been shy about beating the insider threat drum at Code42, but the buzz on insider threat is reaching fever pitch. Small to medium-sized enterprise security and IT teams know they need to address this looming risk. But the biggest hurdle is answering the question, “Where do we start?”

For the past few years, the prevailing answer has been, “BUILD A COMPREHENSIVE INSIDER THREAT PROGRAM.” But let’s be honest: This is daunting. It’s time-consuming. It’s expensive. Moreover, these “best practices” often involved creating an entire team dedicated exclusively to insider threat detection and response. That sounds fantastic — but well beyond reality for most of us dealing with strained resources and limited budgets.

Most problematic: The root of this traditional approach is implementing traditional DLP. Just mentioning DLP might make you cringe as you imagine expensive technology and super complex rules that, at the end of the day, often do more harm than good — frustrating users with barriers to productivity and leading to workarounds and exceptions that compromise the whole program.

You need something simpler. We all do, because the insider threat problem is not going away. 

Here at Code42, we’ve come up with a better approach to building an insider threat program — and it all centers on a simple starting point: the everyday triggers that create your biggest insider threat risks. These are common use cases that happen every day (or every hour) that account for the vast majority of insider threat incidents — departing employees, accidental leakage and organizational changes. Home in on these high-risk triggers, and make sure you have the right technologies in place to see the full picture — not just a trail of breadcrumbs after the fact.

With these everyday use case triggers as the foundation, here are 10 critical steps that make it faster, easier and more cost-effective for small to medium-sized enterprises:

Code42’s 10 steps to building an insider threat program

1. Get executive buy-in: Don’t fight this battle on your own. Getting definitive buy-in from leadership is the first and most critical step in defining your security and IT team (and your efforts) as value-adding business partners — instead of frustrating data police. 

2. Identify and engage your stakeholders: Continue the buy-in campaign from the top down. Think about which individuals or teams within your organization stand to lose the most from insider data theft or leakage. Identify and engage line-of-business leaders, HR, legal and other IT leaders as key stakeholders in your insider threat program.

3. Know what data is most valuable: Once you know who you’re protecting, engage those line-of-business stakeholders in conversations about what data is most valuable to them. All data has value, but these conversations are essential to understanding the different types of unstructured data to keep a close eye on — and which types of high-value unstructured data will require more creative means of tracking.

4. Think like an insider: With your valuable data in mind, put yourself in the shoes of an insider. Why would they want to move or take information — and what would they ultimately want to do with it? What tactics or blind spots might they exploit to do it? What workarounds could they use to get work done? We call these actions inside indicators of compromise.

Up to this point, the steps may look very similar to more traditional approaches. You’re figuring out what data you’re protecting — and the indicators of compromise that point to insider incidents. Now, here’s where things get simpler:

5. Define insider triggers: Instead of building a monster program with classification schemes and policies that attempt to monitor every potential scenario (and ultimately fail), start by focusing on the most common data exfiltration scenarios. These center on a few common use cases that impact nearly every organization — departing employees and high-risk workers, accidental leakage and organizational changes (re-organization, M&A, divestiture, etc.). These use cases make up the vast majority of insider threat incidents, and serve as the foundational triggers of your insider threat program.

6. Establish consistent workflows: Investigating suspected data exfiltration can be daunting in itself. Once again, start small by focusing on the key use cases. For example, when an employee departure is triggered, define which activities will be examined — and what activities will trigger in-depth investigation. Exceptions and workarounds are the Achilles heel of insider threat programs. Make sure you clearly define the workflow for each trigger — and consistently execute and improve the steps you establish.

7. Create rules of engagement: Once a workflow has been triggered and potential data exfiltration identified, it should be the key stakeholder’s responsibility to directly engage the employee/actor. For example, departing employee and accidental leakage incidents will likely trigger engagement from HR and the line-of-business manager. An M&A workflow might trigger engagement from internal legal staff — or even a CFO. It’s important that these rules of engagement separate security and IT from any enforcement responsibilities. This allows them to focus on monitoring, detection and remediation — and prevents security and IT from developing an adversarial “data police” relationship with staff.

8. Leverage existing security and IT teams — and train your stakeholders: It doesn’t make sense for most small and medium-sized enterprises to create a fully dedicated insider threat team. Because we’ve honed the insider threat program down to a few key workflows, your existing security and IT teams should be able to handle the monitoring and detection responsibilities. But security and IT teams — who are already wearing multiple hats and managing strained resources — don’t have to shoulder the full burden. It’s also critical that all stakeholders (the HR, legal, line-of-business managers, etc.) be trained so they understand the full scope of the insider threat program: what is being monitored, the specific use case triggers, the investigation workflows, the rules of engagement and the tools used to accomplish all of this. This training should also clearly define their roles and responsibilities, so they’re ready to jump in when an incident response workflow is triggered.

9. Be transparent in communication: Transparency is critical for building a healthy culture that values security. Employees should know — from day one — that your organization tracks file activity. They should understand that the program is applied universally and without privileges or exceptions — and they should understand how the program is designed to support their productivity while protecting the business.

10. Implement true monitoring, detection and response technology: Perhaps most important of all, your insider threat program must start long before a trigger. In other words, you can’t afford to only monitor an employee’s activity after he’s given his notice, or after rumors of organization change have begun rippling through the office. Too many insider threat monitoring solutions are limited to this post-trigger scope — and far too often, the actual exfiltration occurs much earlier. True monitoring, detection and response technology must be continuously running, providing historical context and complete visibility into all data activity. This enables your insider threat team to quickly and effectively see the full picture — and protect all data at all times.

At the end of the day, let’s stop talking about insider threat exclusively as “employees stealing stuff.” This market perception perpetuated by our industry has done more harm than good. In reality, insider threats are the actions (good, bad and indifferent) people take with data (any data) that put customer, employee, partner or company well-being at risk. The smaller the enterprise, the greater the business risk. That’s the real promise of the workflow-based approach: It gives small and medium-sized organizations a simple starting point — just three or four use cases — that will effectively address 80% or more of your insider threat risks.

A Hot Topic for RSA: Debunking Traditional DLP Code42 Blog

Hundreds of vendors and tens of thousands of cybersecurity professionals will invade San Francisco in a few weeks for the 2019 RSA Conference. The streets around Moscone Center will be filled with buses and cars emblazoned with cybersecurity vendor marketing messages, and the level of pedestrian traffic will skyrocket. When I consider what cybersecurity professionals are looking forward to at the event, it’s not only an opportunity to explore new technologies, but also new ways of thinking about data security. 

It’s all about the data.

Ultimately, people are looking for solutions to their security challenges. They are looking for the technologies that will help them manage their security posture and answer fundamental questions about data: Where is my data? Who has access to my data? How can I monitor when data is leaving my network? How do I know what data is leaving my organization? Bottom line—how can I protect my data?

“I love my DLP.” Said no one ever.

At Code42, we’re looking forward to RSA to talk about a new approach to data security. In fact, it’s a whole new take on Data Loss Prevention (DLP). At its core, our approach debunks the fundamental requirements of policies, classifications and blocking — the things that we’ve learned to love to hate about DLP. And there are other major advantages to our new solution. It lives in the cloud, eliminates long deployments, and gives security teams visibility to every version of every file. We call it Code42 Next-Gen Data Loss Protection — a solution that is defined not by what you can prevent, but rather by how quickly you can detect, assess and respond to threats and reduce business risk.

Let’s face it. Gone are the days where you can build walls big enough to prevent data from getting outside your organization. Traditional DLP solutions aren’t working. The reality is that complicated and policy-laden security strategies run counter to the needs of today’s IP-rich, culturally progressive organizations, which thrive on mobility, collaboration and speed to get work done. 

Next-Gen Data Loss Protection is a challenge to the status quo.  

Yes, the endgame of Code42 Next-Gen Data Loss Protection is a direct challenge to the status quo. It offers businesses a quicker, easier way to protect their organization’s endpoint and cloud data from loss, leak, misuse and theft.

Are you ready to hear more about a different take on data loss protection and see it in action? When you’re at RSA, stop by and visit the Code42 team at Booth S 1359 (in the South Expo Hall). We’ll be conducting product demos, and we’ll have donuts on Wednesday and Thursday morning. Make sure you get there before we run out.

Code42 Policy-Free DLP- It’s Time to Rethink Data Protection

It’s Time to Rethink DLP

As much as we may not like to talk about it, half of the major threats to the security of our corporate data come from the inside. That doesn’t mean that our employees are all malicious — insider threats can surface in many ways: user errors and accidents, lost or stolen devices, even hardware failures — and the list goes on. In fact, a report by International Data Group (IDC) showed that three of the top five most common high-value information incidents involve insiders.

Given this, it’s no surprise that for years, organizations have been using data loss prevention (DLP) solutions to try to prevent data loss incidents. The problem is that the prevention-first approach of legacy DLP solutions no longer meets the needs of today’s IP-rich, culturally progressive organizations, which thrive on mobility, collaboration and speed. The rigid “trust no one” policies of legacy DLP can block user productivity and are often riddled with exceptions and loopholes. For IT, legacy DLP solutions can be expensive to deploy and manage — and only protect selected subsets of files.

A fresh start

The prevention focus of traditional DLP forces a productivity trade-off that isn’t right for all companies — and isn’t successfully stopping data breaches. That’s why it’s time for organizations to rethink the very concept of DLP and shift their focus from prevention to protection. Next-generation data loss protection (next-gen DLP) enables security, IT and legal teams to more quickly and easily protect their organization’s data while fostering and maintaining the open and collaborative culture their employees need to get their work done.

Rather than enforcing strict prevention policies that block the day-to-day work of employees, next-gen DLP clears the way for innovation and collaboration by providing full visibility to where files live and move. This approach allows security and IT teams to monitor, detect and respond to suspicious file activity in near real-time.

Next-gen DLP benefits

This next-gen approach to data protection provides the following benefits:

Works without policies: Unlike legacy DLP solutions, next-gen DLP does not require policies — so there is no complex policy management. Because next-gen DLP automatically collects and stores every version of every file across all endpoints, there is no need to set policies around certain types of data. When data loss incidents strike, affected files are already collected, so security and IT teams can simply investigate, preserve and restore them with ease — whether the incident affected one file, multiple files or multiple devices.

Removes productivity blocks: Next-gen DLP enables employees to work without hindering productivity and collaboration. Workers are not slowed down by “prevention-first” policies that inevitably misdiagnose events and interfere with their ability to access and use data to do their work.

Lives in the cloud: As a cloud-native solution, next-gen DLP solutions are free from expensive and challenging hardware management, as well as the complex and costly modular architectures that are common with legacy DLP.

Deploys in days: Next-gen DLP solutions can be rapidly implemented, since the extensive time and effort required to create and refine legacy DLP policies is not needed. Since it works without policy requirements, next-gen DLP is also much easier to manage once deployed than legacy DLP. This is especially important for smaller organizations that can’t wait months or even years for a solution to be fully implemented.

Provides access to every file: While next-gen DLP doesn’t require blanket policies, security teams can still use it to observe and verify employee data use. For example, next-gen DLP can alert administrators when an unusually large number of files are transferred to removable media or cloud services. If the files have left the organization, next-gen DLP can see exactly what was taken and restore those files for rapid investigation and response.

By focusing on all files in an organization, next-gen DLP offers many additional benefits:

  • Visibility into file activity across endpoints and cloud services to speed security investigations. This differs from legacy DLP, which only provides a view of a defined subset of data.
  • Fast retrieval of file contents and historical file versions to perform detailed analysis or recovery from data incidents. Legacy DLP solutions don’t collect the contents of files and thus can’t make them available for analysis or recovery.
  • Long-term file retention to help satisfy legal and compliance requirements as well as provide a complete data history for as long a time period as an organization requires. Again, legacy solutions don’t retain file contents and so aren’t able to provide this history.

A new paradigm for DLP

Next-gen DLP is a huge departure from legacy DLP solutions, but it’s a logical and necessary evolution of the category given the changing needs and work preferences of today’s IP-rich and culturally progressive organizations — small, mid-size and large.

Armed with a more discerning tool, organizations no longer have to lock down or block data access with restrictive policies. With full visibility into where every file lives and moves, security teams can collect, monitor, investigate, preserve and recover valuable company data in the event of a data loss incident.

Companies today are looking for better ways to protect their high-value data — while freeing knowledge workers to create the ideas that drive the business. By choosing to implement next-gen DLP, organizations will be able to keep their vital data protected without hindering productivity and innovation.

Code42 Next-Gen Data Loss Protection: What DLP Was Meant to Be

Malware and other external cyber threats get most of the headlines today. It’s not surprising, given the damage done to companies, industries and even countries by outside-in attacks on data. Despite that, insider threats — the risks of data being lost or stolen due to actions inside the company — are just as big a threat.

According to the 2018 Insider Threat Report by Cybersecurity Insiders, 90 percent of cybersecurity professionals feel vulnerable to insider threat. McKinsey’s “Insider threat: The human element of cyberrisk” reports that 50 percent of breaches involved insiders between 2012 and 2017.

“The rise of insider threats is a significant threat to every business and one that is often overlooked,” said Jadee Hanson, Code42’s CISO. “While we all would like to think that employees’ intentions are good, we prepare for malicious actions taken by those from within our organizations. As external protection increases, we all should be concerned as to the influence external actors may have on those working for us and with us every day.”

Insider threats are a big deal, and traditional data loss prevention (DLP) solutions were developed to protect companies and their data from these internal events.

DLP hasn’t delivered

While traditional DLP solutions sound good in concept, most companies are only using a fraction of their capabilities. Security teams describe using these solutions as “painful.” Legacy DLP deployments take months or years, because proper setup requires an extensive data classification process, and refining DLP policies to fit unique users is complex and iterative. And after all that time, traditional DLP still blocks employees from getting their work done with rigid data restrictions that interfere with user productivity and collaboration. They also require on-site servers — counter to the growing business priority of moving solutions to the cloud.

Most importantly, legacy DLP solutions are focused on prevention. Business and security leaders now recognize that prevention alone is no longer enough. Mistakes happen, and data threats sometimes succeed. Being able to recover quickly from data loss incidents is just as important as trying to prevent them.

Rethink DLP

At Code42, we protect over 50,000 companies from internal threats to their data. This focus on protection has enabled us to see things differently, and develop an alternative to data loss prevention: data loss protection. We are excited to announce the new Code42 Next-Gen Data Loss Protection (Code42 Next-Gen DLP) solution that rethinks legacy DLP and protects data from loss without slowing down the business.

Code42 Next-Gen DLP is cloud-native and protects your cloud data as well as all of your endpoint data. It deploys in days instead of months, and provides a single, centralized view with five key capabilities:

  • Collection: Automatically collects and stores every version of every file across all endpoints, and indexes all file activity across endpoints and cloud. 
  • Monitoring: Helps identify file exfiltration, providing visibility into files being moved by users to external hard drives, or shared via cloud services, including Microsoft OneDrive and Google Drive.
  • Investigation: Helps quickly triage and prioritize data threats by searching file activity across all endpoints and cloud services in seconds, even when endpoints are offline; and rapidly retrieves actual files — one file, multiple files or all files on a device — to determine the sensitivity of data at risk.
  • Preservation: Allows configuration to retain files for any number of employees, for as long as the files are needed to satisfy data retention requirements related to compliance or litigation.
  • Recovery: Enables rapid retrieval of one file, multiple files or all files on a device even when the device is offline, or in the event files are deleted, corrupted or ransomed.

By rethinking traditional DLP, you can know exactly where all your data is, how it is moving throughout your organization and when and how it leaves your organization — without complex policy management, lengthy deployments or blocks to your users’ productivity. DLP can finally deliver on what it was originally created to do.

Data, Humans and the Cloud, Part 3: Facing Reality

Digital transformation is changing the face of business. All business. As part of this shift, many IT leaders have decided to use their cloud collaboration tools for data protection and recovery—tools like Google Drive, Microsoft OneDrive, Box and Dropbox. According to a 2017 Intel Security Study, 74 percent of businesses now store some sensitive information in the cloud. And according to a Code42 customer survey, 67 percent of companies have data in three or more cloud storage services.

While a cloud-focused future is clearly the goal, there is still a considerable amount of data being saved to the endpoint. In fact, Code42’s 2017 CTRL-Z Study revealed that IT decision makers believe that as much as 60 percent of corporate information lives on user laptops. Over the course of our three-part blog series, we explore the critical role human behavior plays in how data is stored and protected as your business moves to the cloud.

Part 3: The consequences of the digital transformation/human behavior disconnect

Tools like Google Drive, Microsoft OneDrive, Box and Dropbox definitely have a role to play in a digital transformation strategy. They are great for sharing files, improving workflows, simplifying collaboration for team projects and enabling productivity. However, businesses need to be aware of the challenges posed by relying on them to safeguard and protect company data.

While employees might use these tools to share a specific file, Code42’s 2017 CTRL-Z study found that not every file makes it to an officially sanctioned cloud platform. For example, employees may have files on endpoints that they never intend to share with coworkers; or they may create multiple versions of a file before they are ready to share or collaborate. The final version gets uploaded to the company cloud, but the previous five versions that only exist on the user’s endpoint may be no less valuable to the business. This is why exclusively using a cloud file sharing or collaboration tool for data protection and recovery leaves companies exposed to a variety of harmful business situations, including:

  • Data loss, when an employee deletes a shared file that collaborators can no longer access.
  • Theft, when data moves from laptop to thumb drive to personal cloud storage.
  • Breach, when malware or ransomware infects one laptop and propagates across a cloud system.
  • Non-compliance, should they lose track of where all regulated information resides.
  • Lost productivity, when collecting and preserving files for legal becomes manual.

Unpredictably human

As I mentioned in the first part of this series, employees are, at the end of the day, human. Humans tend to work in ways that make them feel the most productive and satisfied. You will always have employees who ignore policies that slow them down; this is true from your C-level executives all the way down to your most junior employees. And as I covered in the second part of this series, you’ll never have one policy that works for all of your employees, because there are four distinct types of users today when it comes to data storage.

“ Employees don’t create, share and store their work the way companies expect. Asking them to back up their files to cloud platforms is just as unrealistic as asking them to back up to file servers. ”

In short, organizations need to recognize and accept that employees don’t create, share and store their work the way companies expect. Asking them to back up their files to cloud platforms is just as unrealistic as asking them to back up to file servers.

So, what can be done to overcome this gap between human behavior and your digital transformation? First, your organization needs to accept a few statements as true:

  • The files your employees create and store have value to the business.
  • The majority of employee files today still live on endpoints, despite what your policies may state.
  • Failing to protect every file from loss creates risks to productivity, security and compliance.

To ensure the best protection for your data, your security solution should not require intervention from users. If the solution requires action from employees to protect their files, you’ll wind up with critical data that’s unprotected. Your solution must cover all files on all endpoints and back up at regular intervals, so if a data loss incident does occur, the endpoint can be rolled back to a restore point before the event happened. The solution should offer separate archives for every user, so your organization’s data can’t be accessed if one user’s account is somehow breached. Finally, your solution should offer visibility into how the files in your organization move, whether they travel to removable media or to the cloud storage you’re using for collaboration. With data-level visibility, you can be sure every critical file in your organization is completely protected.

According to 451 Research, “60 percent of enterprises plan to shift IT off-premises by 2019, driven by digital transformation.” An important and sometimes overlooked consideration in making this shift is studying the workforce and how employees get work done. After all, employees are the ones creating the very ideas that are driving success in your organization. Are you using the right tools to make sure those ideas are being protected?

Data, Humans and the Cloud, Part 2: Four Types of Users

Digital transformation is changing the face of business. All business. As part of this shift, many IT leaders have decided to use their cloud collaboration tools for data protection and recovery—tools like Google Drive, Microsoft OneDrive, Box and Dropbox. According to a 2017 Intel Security Study, 74 percent of businesses now store some sensitive information in the cloud. And according to a Code42 customer survey, 67 percent of companies have data in three or more cloud storage services.

While a cloud-focused future is clearly the goal, there is still a considerable amount of data being saved to the endpoint. In fact, Code42’s 2017 CTRL-Z Study revealed that IT decision makers believe that as much as 60 percent of corporate information lives on user laptops. Over the course of our three-part blog series, we explore the critical role human behavior plays in how data is stored and protected as your business moves to the cloud.

Read Part 1: Unexpected Behavior here.

“ By understanding the user types that make up a workforce and their work patterns, companies can set out on a digital transformation course that avoids unintentionally creating information risk inside their business. ”

Part 2: The four types of users in your organization and how they store data

From Part 1 of this blog series, the data is clear that most employees don’t work the way IT leaders expect, nor the way their policies may dictate. To add further clarity to this point, a recent Code42 study broke down work habits by common user types. We call them Adopters, Collaborators, Innovators and Travelers. There is a natural alignment between some roles, as illustrated below:

  • Adopters are typically found in finance, human resources or legal roles.
  • Collaborators are often found in marketing, IT and support roles.
  • Innovators are commonly found in research and development, and engineering roles.
  • Travelers are usually found in sales and executive roles.

While there are certainly many differences in the work habits of, for example, your marketing team and engineering team, for the purposes of this study we only examined how they store data in cloud storage services.

  • Adopters keep more than 75 percent of their files in cloud storage services.
  • Collaborators keep 50-75 percent of their files in cloud storage services.
  • Innovators keep 25-49 percent of their files in cloud storage services.
  • Travelers keep less than 25 percent of their files in cloud storage services.

Figure: Four types of users in your organization

You may think (or hope) that most of your employees are Adopters, but our research shows that they only make up 10 percent of users. Collaborators are a bit more common—they make up 20 percent of your users. Innovators are the most common, making up 40 percent of users. That leaves Travelers at 30 percent of users. In total, 70 percent of users have less than 50 percent of their data in your cloud storage services.

The power of knowledge

Your initial reaction to this data may be negative. After all, it’s natural to feel discouraged when you learn that employees aren’t following your data protection policies. The silver lining: By understanding the user types that make up a workforce and their work patterns, companies can set out on a digital transformation course that avoids unintentionally creating information risk inside their business.

In the final post in this series, I’ll discuss the consequences of the disconnect between digital transformation and human behavior—and what your organization can do about it.

Data, Humans and the Cloud, Part 1: Unexpected Behavior

Digital transformation is changing the face of business. All business. As part of this shift, many IT leaders have decided to use their cloud collaboration tools for data protection and recovery—tools like Google Drive, Microsoft OneDrive, Box and Dropbox. According to a 2017 Intel Security Study, 74 percent of businesses now store some sensitive information in the cloud. And according to a Code42 customer survey, 67 percent of companies have data in three or more cloud storage services.

While a cloud-focused future is clearly the goal, there is still a considerable amount of data being saved to the endpoint. In fact, Code42’s 2017 CTRL-Z Study revealed that IT decision makers believe that as much as 60 percent of corporate information lives on user laptops. Over the course of our three-part blog series, we explore the critical role human behavior plays in how data is stored and protected as your business moves to the cloud.

“ Understanding how your employees actually create, store and share information is a critical first step in smoothing the path to any digital transformation. ”

Part 1: The disconnect between digital transformation and human behavior

Where do your employees store the files they create? Your policy may be for employees to put them on an approved shared drive, but that doesn’t actually answer the question. Policy is one thing, but what your employees actually do is something else entirely.

It’s clear there are benefits to deploying cloud collaboration products. Tools like Google Drive, Microsoft OneDrive, Box and Dropbox can improve employee collaboration and productivity, enhance customer experiences and accelerate companies’ digital transformation strategies. It makes sense that many companies have mandated their use in today’s knowledge economy, in which ideas drive business growth. But just because you have a rule doesn’t mean it will be followed. Understanding how your employees actually create, store and share information is a critical first step in smoothing the path to any digital transformation.

Unexpected employee work habits  

To gain deeper insight into workforce habits, Code42 partnered with customers with between 500 and 5000 employees to examine data storage behavior. This study surveyed 1,039 users, 1,192 endpoint devices, 120 million files and 105 TB of data. The results quickly painted a clear picture: employees are not working the way that business leaders believe they are.

The study found that only 23 percent of the data employees generate and store on laptops and desktops makes its way to tools like Google Drive, Microsoft OneDrive, Box or Dropbox. That means 77 percent of data lives exclusively on employee computers. When measured by file count, a mere one percent of all the files created are stored on cloud collaboration platforms. It goes without saying that if 99 percent of all files created are not being stored in the cloud, then the goals of digital transformation are not being realized.

Why does this disconnect exist? Employees are, at the end of the day, human. And it’s simply human nature to prefer to work using methods that feel the most productive and satisfying. We all have an emotional connection to the work we produce, as there is a natural tendency to feel that what we create has a piece of ourselves in it. With that in mind, it’s not surprising that employees tend to ignore policies that hinder their productivity or otherwise prevent them from producing their best work. This is true from entry-level workers all the way up to the C-suite. In fact, Code42’s CTRL-Z Study revealed that 75 percent of CEOs admit to using applications/programs that they aren’t sure are approved by IT—all in the name of productivity.

“ Code42’s CTRL-Z Study revealed that 75 percent of CEOs admit to using applications/programs that they aren’t sure are approved by IT—all in the name of productivity. ”

IT’s view on endpoint data is wrong

There is an opinion held by many IT leaders that nothing of value lives on employee laptops. Our study shows, however, that this isn’t the case at all. In addition to demonstrating the quantity of files on employee endpoints, the study also looked at employee-created files by file type. The study found that 36 percent of the files on employee laptops and desktops are indicative of intellectual property (IP), such as programming files, images, spreadsheets, zip files, presentations, and audio and video files. Failure to properly safeguard IP can leave a business open to significant risk. For example:

  • Losing source code or product roadmaps can impact time to market;
  • Losing strategy documentation can affect time to opportunity;
  • Losing customer lists or project proposals jeopardizes time to revenue; and
  • Losing customer information puts companies at a high risk of non-compliance.

Not only does data exist in large quantities on endpoints, that data has huge value. IP can account for 80 percent of a company’s business. If your IP lives on endpoints—not in the cloud—then IT needs a new approach to protecting that data.

The big picture

How can you bridge the divide between human behavior and your digital transformation into the cloud? Crafting policies around data backup that require employee action is, in a word, pointless. Employees didn’t back up in the era of file servers, and they won’t today with corporate-mandated cloud collaboration platforms. To safeguard their success, businesses on the path to a cloud-only digital transformation must accept and operationalize the fact that:

  • The files employees create and store have value to the business.
  • The majority of employee files today still live on endpoints, such as laptops and desktops.
  • Failing to protect every file from loss creates risks to productivity, security and compliance.

To deal with the divide between human behavior and your digital transformation, comprehensive data protection that doesn’t rely on user intervention is required. When all endpoint data is securely and automatically protected, you can be sure that all of the valuable data on employee laptops is being preserved. This is especially important given that four types of users in your organization all store data differently.

In my next blog post, I’ll dive deeper into these four user types, which will shed more light on the reality of how data is being stored in your organization.

Five Steps to Disarming Ransomware Attacks

You have 48 hours to send two Bitcoins to the address below or your data will be erased. Do not contact the authorities.

If you’ve seen this notice, you know the fear induced by a ransomware attack. And if you haven’t, there’s a good chance you soon will. In 2017, the number of ransomware assaults grew 250 percent in the first quarter alone, causing millions of dollars in lost productivity and lost data. Today, ransomware remains one of the top cyber threats to enterprises. Why? Here are 10 factors that make ransomware irresistible to cybercriminals—and five steps to disarming attacks.

  1. Ransomware tools are becoming more sophisticated: From malware that flies under the AV radar to brute force attacks, hackers are constantly getting better at getting in. Better encryption makes it all but impossible for victims to unlock their files without paying for the key.
  2. Phishing, sadly, still works: Phishing attacks have been going on for 30 years now, so users must be experts at spotting them by now, right? Wrong. Phishing attacks are still effective, and employees may assume that IT and security teams are keeping them safe from phishing attacks.
  3. The most vulnerable attack vector is unprotected: Without a comprehensive endpoint backup solution, an organization’s laptops and desktops are unprotected. And yet, the Code42 CTRL-Z study revealed that IT decision makers believe that 60 percent of corporate information lives on users’ laptops. If executives know this, so do cybercriminals.
  4. Human behavior creates risk: Your policies say that employees must back up their data to a shared server to keep it safe from endpoint attacks. Unfortunately, employees aren’t following your protocol, leaving endpoint data—which is more than half of enterprise data—unprotected.
  5. Anyone can launch a ransomware attack: Following the trend of the legitimate software industry, Ransomware-as-a-Service (RaaS) takes ransomware accessibility to a new level. People with little technical expertise can “rent” ransomware and create their own phishing emails.
  6. Cryptocurrency makes money laundering easy: To a cybercriminal, the risky part of ransomware is direct interaction with a victim to obtain payment. But the emergence of cryptocurrencies removes much of this risk, creating a digital layer of anonymity between the victim and extortionist.
  7. Attacks target the enterprise: Cybercriminals are increasingly targeting those most likely to pay, and businesses are the ideal targets. They have valuable data they can’t afford to lose and a lot more cash on hand than individual targets.
  8. Once in an organization, ransomware spreads quickly: It only takes one employee to spread an infected file throughout your organization. Your employees are sharing thousands of files with each other every day. Cloud collaboration platforms make file sharing easier than ever, but platforms with automatic sync can actually spread ransomware, syncing infected files to the shared cloud and exposing others.
  9. Prevention is nearly impossible: The number of cybercriminals, combined with the sprawling attack surface, makes prevention virtually impossible. More importantly, preventive AV products can’t stop human error. Bigger walls and stronger locks do nothing if your employees are willingly or unintentionally handing over the keys.
  10. Paying the ransom fuels the demand: As long as victims keep paying the ransom, money will continue to pour into the growing black market for ransomware and fuel the increasing sophistication of these exploits. More money, more hackers, more attacks and higher ransoms–these are the real costs of paying the ransom.

Break the cycle: focus on the data

The 10 items above paint a bleak picture, but the antidote to ransomware is actually quite simple: Shift the focus from those trying to steal data to the data they’re trying to steal. By focusing on ensuring all data is collected and protected, the enterprise can enable a swift, clean recovery from ransomware and fight it at its source. Here are five quick tips to disarm ransomware:

  1. Collect and protect the data: Truly comprehensive enterprise data protection includes covering data where it lives—on the endpoint. The solution can’t rely on user behavior, and it can’t slow down user productivity because employees will work around it. The solution must be automatic, continuous and frictionless to give IT certainty that every user, every device, every file and every version is covered.
  2. If ransomware hits, have no fear: With all laptop and desktop data continuously backed up, ransomware ceases to be scary. The enterprise has the tools in place to execute an efficient, successful recovery.
  3. Make the clean, quick restore: Comprehensive endpoint data protection turns restore from a costly, weeks-long affair into a quick, push-button task. IT simply rolls back to the last known good state to conduct bulk file restores or allows users to perform a self-service restore.
  4. Never pay the ransom: With quick and comprehensive data restores, the enterprise can laugh at ransom demands.
  5. Feel proud you’re doing your part: With the tools in place to take the ransom out of ransomware, the enterprise community can cut off the cash flow and begin to shut down the ransomware market.

Every Idea Matters: Secure Them with Code42

At the most basic level, every business sprang from an idea. Every advancement, every cure, every game changer–they all started as a concept in someone’s mind. No matter the industry, ideas are the fuel that helps every one of our customers grow.

Every idea matters. It’s a simple concept, but one that guides us at Code42 as we secure our customers’ data–their ideas–wherever they live or move.

Case in point: This week we announced the Code42 Forensic File Search product, which helps security, IT and compliance teams dramatically reduce the time it takes to investigate, respond to and recover from data security incidents that threaten their valuable IP. Because it collects file metadata and events across all endpoints in an organization and makes them searchable via the cloud, you can cut incident response investigations from weeks and months to mere seconds.

Expanding security capabilities

While this new product is exciting in itself, it also marks an important expansion of our security capabilities for global enterprises. With Code42 Backup + Restore, you have access to complete file contents on any endpoint. Code42’s File Exfiltration Detection gives you visibility into departing employees moving files to external drives or cloud services. Code42 Forensic File Search provides you metadata from file activity. Together, these features offer you the greatest visibility yet into what’s happening to the valuable ideas on your organization’s endpoints.

Later this year, we’ll extend the same visibility to the data that lives on corporate cloud applications, including Microsoft OneDrive, Google Drive, Box and Slack. While the endpoint will continue to be relevant, and a key source of data exfiltration and infiltration, we know that in the next five years much of the data on endpoints will move to the cloud. We intend to be at the forefront of this transition.

Every feature of the Code42 platform was designed with the same end goal in mind: to protect the valuable ideas fueling our customers’ growth. Our customers are changing the world with their ideas. It’s our job to keep those ideas safe. Because every idea matters.