Insider Threat Begs the Question, “Where’d My File Go on the Web?”

You know the risks posed by Shadow IT and unsanctioned app use. It’s a blind spot we’ve all been fighting for years now. But a new challenge is emerging: what do you do when the app is sanctioned? For example, how do you stop employees from exfiltrating data via Google Drive — when your organization uses this app, legitimately, all day long? With cloud and web-based apps like Google Drive, Gmail, OneDrive and Slack increasingly blurring the lines between personal and professional use, how do you shine light into the alarming blind spot we’re calling “Mirror IT?”

An easy way to move and share files

Most of us have used email or cloud storage as a means to instantly and easily make files available from anywhere. In fact, our 2019 Code42 Data Exposure Report found that 43% of business decision-makers say they use their personal email to share files with peers, and 41% use Google Drive. Not surprisingly, this is also one of the most common (and fastest growing) methods of employee data theft a.k.a. insider threat. Look to the headlines and you’ll read about cases like the sales executive at U.S. solar company SunPower Corp who emailed himself highly confidential files — and used them in his next role at a SunPower competitor.

“ An experienced security team with a range of tools at their disposal should be able to use network-layer information to piece together a good idea of where that file went — but only if users are on the network…and it won’t be fast or fun. ”

You can see that, right?

It’s not that modern data security tools are totally blind to this kind of activity. Most have some level of visibility into the web and cloud apps that touch your files. But some of the most popular enterprise data security tools are still limited to telling you that Google Chrome or Firefox accessed a file — essentially telling you that your file went somewhere on the internet. An experienced security team with a range of tools at their disposal should be able to use network-layer information to piece together a good idea of where that file went — but only if users are on the network…and it won’t be fast or fun.  

Sanctioned apps make things blurry

The real challenge comes in “Mirror IT” situations where employees have both personal and professional accounts for apps like Gmail, Google Drive or Slack. In these scenarios, how can you see — and respond to — an employee removing a customer list or source code via the approved Google Drive app? Leading CASB solutions can block unapproved sites — but they won’t help you here. Even top-of-class data loss prevention tools can only get as far as telling you that Google Drive accessed the file. But you have no way to make the all-important distinction about whether that file was uploaded to their personal or professional Google Drive account. Once again, a veteran security analyst could likely get to the bottom of this question, given some time — but in the meantime, those valuable files remain exposed.

A simple, fast answer to the question, “Where’d my file go?”

Code42 shines powerful light into the black hole of web and cloud file activity in a number of ways. Now, we’re solving the challenge of “Mirror IT” by giving you a first-of-its-kind level of visibility: Code42 shows you the title of the tab and the specific tab URL that was active at the moment the file activity occurred. This means you can plainly discern personal versus professional accounts and instantly understand the potential risk to your data.

It’s all part of the simple, speedy solution we’ve created for homing in on the risky signal amid all the noise of your users’ normal, harmless activity. The Code42 dashboard lets you immediately see when files are read or uploaded by an internet browser — and gives you one-click visibility into the tab title and URL.

The end result: with just two clicks, you can definitively answer the question, “where’d my file go?” and immediately take action, if necessary. It’s just one more way Code42 provides much-needed visibility to give you high-fidelity alerts and actionable information to help you find and address the data risks in your organization.

I’m Taking Data, and DLP Can’t Stop Me (Video)

Here’s my confession: I plan to take data with me whenever I leave my employment at Code42. I know exactly what data I will take and how I will take it. Am I concerned about getting caught? Not really. Most data loss prevention products won’t even see me doing it, let alone prevent me.

I’m not alone in my data scheming. Code42’s 2018 Data Exposure Report revealed that up to 72 percent of employees admit to taking data from their previous employer to their new one­—and that’s just those who will admit to the data theft. On top of that, 90 percent of companies feel vulnerable to insider threat.

Thankfully, in my case, all of the data on my list consist simply of pictures of me and my dog. But when I’m taking data with me upon my departure, shouldn’t the company security team be able to tell? Ideally, yes. The challenge is that humans are unpredictable, and prevention toolsets don’t take our chaotic nature into account.

“ At its core, data loss prevention (DLP) isn’t new. In fact, the desire to prevent data from disappearing is universal. Sadly, the failures to prevent data loss are as common as they are ancient—just ask the librarians at Alexandria how well their plans to prevent data loss worked. ”

While Code42 isn’t in the business of securing burning libraries, we do focus on data loss protection. Unfortunately, data loss prevention as a software category has experienced innumerable failures. Whether it’s trying to prevent the loss of source code, client lists, CAD drawings, or the latest episode of a certain winter-obsessed TV show: people put their date into places they shouldn’t—and they’re able to do this regardless of how good their data loss prevention tools and polices are, or how large a security team they have in place, or how many ports on their machines are disabled: data loss prevention is failing. If you have data loss prevention deployed, there’s a good chance it is failing you right now.

Scared yet? Concerned?

You should be. People, even when set loose in a perfectly architected, immaculately maintained environment, will still wreak havoc intentionally or accidentally. If you build a wall, someone will build a taller ladder. If you block USB access, someone will use any number of other options to obtain that access. For everything else, there’s Florida Man. The TL;DR version: No plan survives first contact with the enemy.

What does all of this mean for data loss prevention tools? It means policies don’t stop people from taking data. One can’t out-engineer the malicious intent of a determined human. This is why Code42 moves beyond prevention to data loss protection; in other words, prevention on its own simply doesn’t work—and it doesn’t work for all of the reasons I just cited. At Code42, we focus on protecting from data loss. That’s because it’s possible and it’s critical to be able to rapidly detect, investigate and respond to a potential data loss incident.

To these ends, there are three additions we’ve made to our product that will help you to better protect your organization from data loss. Here they are:

Data Exposure Dashboards

Our data exposure dashboards enable you to quickly visualize exfiltration events across removable media as well as personal and corporate cloud accounts. They provide a 1-, 7-, 30-, or 90-day view of events across your organization in order to quickly investigate anomalous findings. Additionally, these dashboards reveal which files have been shared externally in your corporate Google Drive, OneDrive, and Box environments over the same period of time.

Data Exfiltration Alerts

The new data exfiltration alerts enable the creation of alert profiles for some, or all, of the users in your organization based upon how much data are being moved to removable media and cloud services. These alerts show exactly what data were moved, down to the specific file content. This makes it easy to assess whether the exfiltration poses a data loss risk to your organization.


Alerts are great, but they don’t work in a vacuum. Alerts need context. Previously, we’ve written about our integration with Splunk Phantom, and now we’re happy to announce support for IBM’s Resilient Security Orchestration and Automation (SOAR) platform. With this new integration, it’s now possible to include Code42’s data exfiltration and forensic metadata in your existing incident response automations. You can learn more and download the Code42 Resilient app by visiting IBM Security App Exchange.

And with that, I’m afraid this post has come to an end.

But not before I take a moment to brag. Code42 keeps racking up hardware in the form of industry awards. Most recently, we were honored with the Black Unicorn award from CyberDefense. If you want to see how awesome we are, head over to our honors page.

Stay safe out there.