The Work-From-Home Enterprise: Data Security Questions Investors and Board Members Should be Asking

Poof! Just like that, the perimeter organizations built around infrastructure, networks and endpoints to keep themselves safe is gone. Yes, we have all been saying the perimeter is gone for what feels like years now. But now it's really gone. This time for real, and I would argue for good.

Our world has been turned upside down. The COVID-19 outbreak is first and foremost a health crisis that demands swift action in order to keep our loved ones, students, employees, neighbors and communities safe. Organizations and institutions around the world shut down offices and classrooms, fundamentally flipping the everyday face-to-face routines we all have to the work-from-home digital realm. 

What started as a health crisis is shifting dramatically to a global economic crisis. Businesses are being forced to make very hard decisions about their people, processes and spend for the sheer purpose of continuity. What we are experiencing is a wave of crisis centered on near-term survival. What we are missing is a wave that will have much longer-term impact. And it centers on the very thing the aforementioned perimeter was designed for — data security.


In a world where every employee and student is suddenly working from home, the policies and processes organizations and institutions have put in place to secure data are rendered obsolete. We have a security crisis on our hands. It demands that we, as a security industry, rethink, reimagine and rebuild what data security means in what we contend is not the new normal but the next-normal. The information technology industry prepared us for the next-normal. Heck, it enabled it with technology like Slack, Zoom, G Suite and Microsoft Office 365. Like it or not, the next-normal is already here, and it's in the cloud. It's focused on collaboration, speed and simplicity. What's not focused on collaboration, speed and simplicity? Data security. It's time information security catches up, and quickly.

Data security for the next-normal

To help boards of directors and business leaders think through the data security implications of the next-normal, we put together a series of questions that cover three key areas of data risk: remote employees, departing employees and high-risk employees. Managing data risk is not only an information security issue falling squarely in the hands of the CISO. In the next-normal, managing data risk is an organization-wide responsibility, so these questions also apply to the CEO, CIO, CHRO, general counsel and line of business leaders.


Remote workers

We are living through the largest shift in work culture in our lifetime. The spread of the virus has forced many people to work from home, a decision that, while necessary, has put a strain on your IT and security teams. Suddenly, they are on the hook to manage data risk beyond the perimeter, and to do it at scale. Doing so requires some real gut-check questions:

  • Do you have visibility into all employees' off-network file activity, or only into what happens on the corporate network and VPN?
  • Do you know which collaboration tools employees are using, and which of those are sanctioned and which are not?
  • Do you know what data employees are moving, when they move it and where it goes?

Employee departures

With the global economy headed for a downturn, many businesses are planning actions that affect their people, whether that means furloughing employees, eliminating contractors or reducing the workforce. Employees are on edge. And when they're on edge, they make decisions about data they would not normally make.

  • When someone leaves your company, what do you do to ensure they aren't taking confidential information with them?
  • If a departing employee returned a wiped laptop, could you determine what confidential information that employee accessed before the wipe? (That answer depends on activity records or backups captured off the device, not on anything left on the laptop.)
  • If you suspect that a key employee took confidential information to a competitor, how would you investigate? How long would that take? What would it cost? Would you have enough evidence to pursue litigation if required?

High-risk employees

To ensure business continuity during a crisis, it is important to have a clear picture of which employees are considered high risk. Workers can be high risk because of the data they produce or have access to, because of the controls and privileges they hold over that data, or both.

  • If one of your key employees had their corporate credentials compromised, could you detect that the account was being used to send confidential information outside the company, and how quickly?
  • Which employees have access to your most sensitive information, including customer lists, source code, product roadmaps and more? What technology are you using to detect if they misuse that information (either intentionally or accidentally)? How would you know if an employee took sensitive data? When would you know? 
  • What steps would you take to prevent misuse of your trade secrets by employees? 
  • If one of your employees accidentally shared a file outside of your organization, how would you investigate to determine whether you had any reporting obligations to regulators or customers?
  • Have you educated your employees, especially privileged employees, about how to detect and avoid falling for potential phishing or malware campaigns? 

Of course, this is not an exhaustive list of questions for every possible data risk scenario, but it is a baseline for assessing your level of visibility, or lack thereof. With the onset of COVID-19, we are navigating uncharted territory. The next-normal has been thrust upon us, and it's rooted in cloud, collaboration, speed and simplicity. If we are to survive in the short term and thrive in the long term, we must rethink, reimagine and rebuild how we do data security. We're here to help.

Collaboration Without Compromise: A New Approach to Securing the Remote Work Culture

We are witnessing the largest shift in work culture in our lifetime, and it's putting remote work and collaborative technologies to the test at a scale we have never seen before. Every day the news brings stories about more employees logging in from their kitchen tables to email, Slack, AirDrop and message their colleagues. While they are focused on getting their work done, what might not be so apparent is that they are also opening their companies up to heightened data risk.

The simple truth is that old-school technologies designed to prevent data from moving outside traditional security perimeters were never built to safeguard collaborative workforces. And if they weren't equipped to protect routine cloud collaboration, how can they possibly handle the highly distributed workforces and huge influx of remote workers we are seeing today?

The implications? This unprecedented situation is going to shine a light on gaps in the security stack that have existed for some time. So what can companies do to help secure this growing remote work culture?

Embrace the wave of collaboration

For starters, it means embracing the collaboration wave. The growth of remote work did not just start this month, it has been gathering steam the past dozen years. A survey by Global Workplace Analytics and FlexJobs states that remote work has grown 159% over the last 12 years. 

Collaborative work cultures definitely have their advantages. That's why making it easy for employees to connect and get their jobs done, whether they're in the office, on the couch or at the coffee shop, has moved to the top of the to-do list for many C-suites. In fact, according to the Code42 2019 Data Exposure Report, workforce culture ranks first among CEO, CIO and CHRO strategies and priorities. Why? CEOs, CIOs and CHROs are changing corporate culture in order to move faster. The more productive a workforce, the greater the payoff on the bottom line.

Don’t let the inside be the blindside

Certainly, collaborative technologies — like Slack, Box, Microsoft Teams and OneDrive — are making it easier for remote workers to legitimately share files. The challenge, however, is they’re also making it easier to exfiltrate data, such as product ideas, source code and customer lists. 

Imagine how easy it is for an employee working from home to flip between personal and corporate cloud accounts, such as Google and Slack, as part of their daily routine. Granted, some employees have malicious motivations. For the most part, though, it's workers with the best intentions who log in to the most convenient tools at their disposal to get their jobs done, often without realizing the added data security risk they are creating for their company.

The challenge is that businesses are empowering employees with collaboration technologies without having the proper security programs in place. Without the right technology, security teams cannot detect and track files as they move between corporate and personal accounts. This leaves the files employees create and share every day vulnerable, and businesses open to insider threats.

The following stats paint a telling picture:

  • 89% of CISOs believe a fast-paced culture puts their company at greater data risk. (Source: Code42 Data Exposure Report 2019)
  • In the last 12 months, 66% of data breaches were inside jobs. (Source: Code42 Data Exposure Report 2019)
  • Only 10% of security budgets are dedicated to insider threats.

Bottom line: Insider risk programs are too often overlooked and underfunded – something that needs to change in this new era of collaboration.

Recognize that the culture shift requires a technology shift

So the question is. . . is it possible to have collaboration without compromise? Absolutely! Empowering employees to work-on-the-go does not have to come at the expense of the safety of data — that is, if companies are willing to shift how they think about and approach security. 

The lesson many companies have already learned is that traditional, prevention-based approaches to data security that focus on blocking fail to protect data when workforces are highly distributed and rely on the cloud to collaborate. In the Code42 2019 Data Exposure survey of 1,600 business and IT leaders, 69% admitted that their organizations suffered an insider data breach while they had a prevention solution in place. Not only were the organizations breached, but 73% admitted it takes months to discover, investigate and respond to a data breach.

Think about it. Legacy solutions are busy trying to block access to files when the rest of the remote workforce is busy sharing. The approaches are working in direct opposition to one another. That’s why a new data security strategy is needed — one that fosters rather than tries to deter collaboration and productivity. 

At Code42, we believe data security should be defined not by what you can prevent, but by how fast you can detect, investigate and respond to the inevitable threats to data. Fans of traditional prevention solutions will ask: if I can't block, how can I prevent data from leaving? The truth is, data is already leaving. What is needed is a solution that offers complete visibility into where data lives and a high-fidelity signal when it moves and when it leaves.

If there is anything that we’ve learned during these past several weeks, it’s that the collaboration culture is here to stay. What we need to understand is that properly securing it is going to look different.

Code42 2020 Data Exposure Report: The Risky Rise of Collaboration Culture

As we’ve covered in this blog in quite some depth, mitigating insider threat isn’t easy. Workers who are given trusted access to applications and data oftentimes sit in a great position to abuse that trust – either maliciously or unintentionally.  After all, they usually know where the organization’s most valuable data resides. 

Unfortunately, the challenges we've seen to date are only the beginning. Our newly released 2020 Data Exposure Report reveals how cloud-based collaboration tools have forever transformed the way staffers share information and collaborate with their peers. As the report found, employees now rely on countless messaging apps, file transfer services and cloud apps to share data both inside and outside their organizations.


Sure, employees have been sharing in ways they shouldn't, such as through corporate or personal email, for decades. But email is relatively easy to monitor compared with all of these new communication services and ways to collaborate. Today, email is only a portion of how staffers collaborate on files. Employees are using every app and cloud service they can as they try to work and be productive in the ways most convenient to them.

This trend is undoubtedly giving security professionals heartburn. According to the survey, which is based on 4,505 knowledge workers in the U.S., U.K., Germany, Austria and Switzerland, staffers regularly rely on both cloud services they're authorized to use and ones they aren't. In fact, the survey found that 37% of respondents use unauthorized apps daily to share enterprise data and collaborate on work.

What unauthorized apps are employees using?

What unauthorized apps and services are insiders using to sidestep security policy, and why do they avoid those apps that have been sanctioned? Respondents said that they avoid enterprise approved apps because they find them complicated, slow and insufficient. The unapproved apps they turn to most often include WhatsApp (34%), Google Drive (30%), Facebook (29%) and personal email (26%).

The changing nature of how workers collaborate, and the variety of tools they use, is proving too much for traditional insider threat programs. Too many insider threat programs today cannot give security teams the actionable insight they need to identify and mitigate data leaks, whether those leaks are intentional or accidental.

This survey highlights just how far behind most enterprises are when it comes to reining in the risks associated with data loss, especially with both the growing collaborative work culture and as employees change jobs. As we’ve covered in depth over recent months, departing employees are a significant risk. Our survey confirms this.


The survey found that 51% of respondents believe organizations overlook the risk to corporate data and that the risk is a more significant threat than they realize. Consider this: 65% of respondents admitted that they have repeatedly taken data from former employers, and about one-third of those said their new employers encouraged them to share that data with their new co-workers!

Still not convinced that enterprises aren't taking the departing-employee risk seriously? Don't just take my word for it. The survey found that 87% of employees said their former employer did not verify whether they took data with them when they left.

If enterprises are going to successfully secure the collaboration culture and their data — and effectively mitigate insider threat — they are going to have to make significant adjustments in their approach to data security. They are going to have to find ways to detect and examine how data files are moving across endpoints and cloud services.

These data sharing and collaboration trends are only going to grow in the years ahead, and they will accelerate as more workers collaborate how they want wherever there's an Internet connection. Interestingly, despite the increased emphasis on file sharing, 36% of workers say they have grown more complacent about data security. Finally, the survey confirmed what we already knew: departing employees and insiders pose significant risks to data security whether they intend to or not. But it also unearthed a few new nuggets, including, stunningly, that many employers encourage new hires to use data brought from their previous employers. It also found that employees believe the collaboration culture is making them more complacent about data security. And, ultimately, the survey showed that traditional data loss prevention tools just aren't working, especially in this age of job changing, increased collaboration and file sharing. Don't forget to get your copy of the full report.

Don’t Poison Your Employee Experience With the Wrong Approach to Insider Threat

The year 2019 was a harsh reminder that, as much as organizations try to downplay insider threats, they cannot be ignored or overlooked. Organizations like Capital One, McAfee (itself a security vendor) and even Apple can attest to this, as they all found themselves on the wrong side of the headlines. Needless to say, as the year wrapped up, many 2020 predictions and resolutions included a better approach to insider threat.

Forrester's aptly titled report, "Don't Poison Your Employee Experience With The Wrong Approach To Insider Threat," is timely! As much as we don't want to admit the obvious, our colleagues are among the biggest threats to the data security of our organizations. But there's a balance to strike between malicious and non-malicious intent. And with the CCPA and GDPR serving as backdrops on data privacy, security organizations have their work cut out for them in balancing the security and productivity of end users. No easy feat!

My Top 5 Takeaways on Forrester’s Latest Report on Insider Threat:

  1. Make your insider threat program fit within the overall security program. Incident response processes have taken center stage in the security world; it's all about decreasing time to detect and respond to threats. Insider threat needs to be part of the overall incident process. Few organizations have well-defined incident response scenarios for insider threats, but that is changing fast.
  2. Don't let security become a burden on employee productivity. Code42 has been saying this for quite some time, and it's worth repeating. Security is often confronted with a crossroads. Traditionally, the idea of prevention (otherwise known as data loss prevention) has operated on the notion of blocking suspected users from carrying out their jobs. That approach is outdated and comes at the cost of collaboration. A new wave of solutions is paving the way for a security strategy rooted in protection, one that embraces collaboration.
  3. The collaboration culture is a security culture. Gone are the days when security was a dreaded practice with productivity-stalling implications. Today's security culture is about embracing collaboration, and why not? Ask any CEO what their top digital transformation initiatives are and they're likely to put "better collaboration" near the top of the list.
  4. Technology and human intelligence fuel your insider threat program. Emerging insider threat programs are made up of people and technology. While many organizations have relied on technology alone to solve a very human problem, it's clear that understanding user behavior patterns, what drives user actions and what users are likely to do next are equally important. In the end, an insider threat program is all about speeding up time to respond to a threat. By combining technology and human intelligence, you build an all-encompassing program that covers multiple vectors.
  5. Code42 takes the focus off users and puts it on file behavior. And of course, I have to mention Code42 here. While many security solutions focus solely on user behaviors and actions, our approach is rooted in understanding the behavior of the file. The logic is simple: in the end, the malicious end user is after your data, so understanding everything about that data is paramount. As I like to say, "don't follow the employee, follow the data." With data privacy becoming more important and organizations growing more mindful of being "big brother," an approach rooted in data will only become more important and compelling.

2020 will undoubtedly be another breakthrough year for insider threat. There will be more headlines, innovative security solutions and smarter insiders. In the midst of this growing problem, it’s good to see Forrester remind us that building an effective insider threat program doesn’t have to come at the cost of killing your employee experience. An effective security strategy coupled with a productive workforce? I say bring on 2020.

Download the complimentary Forrester report here.

From Carelessness to Activism — Why Insiders Do What They Do

Whenever the subject of insider threat arises, the discussion gravitates toward the insider who has acted maliciously in some way. People often think of the executive or staffer who stole confidential information about an impending corporate transaction or intellectual property, such as source code, and intentionally exposed or sold it.

This certainly is understandable, after all such stories permeate the press. Just a few weeks back in late January, Hershey sued one of its former executives for alleged theft of some of its most sensitive trade secrets and confidential business information before going to work for a direct competitor, while Coca-Cola learned of an alleged security breach when a former employee was found with a drive containing the personal information of about 8,000 people. There is also the case of the three former McAfee employees that the company alleges took confidential information to a competitor.

While incidents like these are all too common, they’re not the only types of insider risks that damage the data security at organizations. There are many other reasons, beyond financial gain, why insiders do what they do. In this post, we hope to highlight some of the other common causes behind insider risks, and what they mean for your security and insider threat program.

The careless insider

As our Data Exposure Report has shown, not all insiders act maliciously. Many will click a link tucked inside a phishing email and infect their endpoint. Or they will be careless with their notebook or removable drives and lose them, drives that are, of course, unencrypted. This is perhaps one of the largest insider threat categories, and it's not just front-line employees. According to our 2019 Data Exposure Report, 78% of CISOs and 65% of CEOs admitted that they've clicked on a link they shouldn't have.

People want to use the data as they wish

Not only do people want to use data as they wish, they actually view enterprise data as their data. According to our research, over 70% of information security and business decision-makers agreed that the data they work with isn't just corporate data; it's their work and their ideas. This means there is a great risk that departing employees will take data with them when they leave for a new employer. Conversely, new staff are likely bringing work from their previous employer into their new companies.

People want to work the way they want to work

Not only do staffers and other insiders want to use data as they wish, they want to work exactly how they want to work. There's a lot of this shadow IT underway, especially when it comes to collaboration, cloud storage and social media. Our research and our experience with customers show that, rather than use the collaborative tools the organization provides, insiders will turn to unauthorized collaboration tools, social media and personal email to share information. Not good.

Political motivations

People today are more politically motivated than at any other time in recent history, and they are more likely to act on their political beliefs. Whether it's over environmental issues, party politics or other social causes, if someone perceives the organization they work for to be on the wrong side of a cause, that perception could very well be the catalyst for lashing out at the company by stealing, destroying or exposing data.

The spurned staffer

Sometimes insiders will do something bad with a motivation other than financial, or at least the financial gain is secondary to exacting a reprisal of some sort. These insider actions can be triggered by resentment over being passed over for a promotion, a raise perceived as inadequate, perceived poor project assignments, a scorned office romance, or any number of other personal reasons.

As you see, there are many different reasons and motivations behind insider threats. How should your enterprise protect itself from insider threats with such varying motivations?

Focus on the data, not the motivation

Fortunately, you don't need a different plan for each motivation, at least not when it comes to protecting your data. What enterprises need is a data security policy that combines data security awareness training with technology that monitors data movement to detect unwanted exfiltration.

An effective data security policy will also detail who owns the data and the proper ways to access, use and store it. It's also important that staffers be continuously reminded of the policy through periodic security awareness training or login banners. Finally, you need technical controls in place that enforce your data security protocols.

One thing we've certainly learned is that technical controls that only try to block data from leaving the organization are not, on their own, effective at stopping unwanted exfiltration. In fact, just by being in place, these technologies often create a false sense of security. We've learned instead that capabilities to monitor and audit all data movement, including who moved which file, when, and where it went, are far more effective, because they let you detect and investigate what the blocking controls miss.
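To make "follow the data" concrete, here is an added example (written for this page, not Code42's product logic) of the kind of detection that monitoring file movement enables. It runs a classification-plus-destination check over a handful of constructed file-activity records and escalates anything a departing employee does. The log schema, the path classification globs, the sanctioned-destination prefixes and the departing-user watchlist are all assumptions made for the example; a real deployment would feed the same logic from its own endpoint and cloud telemetry.

```python
import json
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed file-activity records, one JSON object per line. The field names
# are an assumption made for this example, not any product's export format.
SAMPLE_LOG = """\
{"ts":"2020-03-30T09:01:00Z","user":"alice","action":"sync","path":"/work/sales/customer-list-q1.xlsx","dest":"/Users/alice/Dropbox/","app":"Dropbox"}
{"ts":"2020-03-30T09:05:00Z","user":"bob","action":"copy","path":"/work/src/billing/ledger.go","dest":"/Volumes/USB-STICK/","app":"Finder"}
{"ts":"2020-03-30T10:12:00Z","user":"carol","action":"upload","path":"/work/marketing/press-kit.zip","dest":"https://corp.sharepoint.com/sites/pr","app":"Edge"}
{"ts":"2020-03-30T10:30:00Z","user":"bob","action":"upload","path":"/work/product/roadmap-2020.pptx","dest":"https://web.whatsapp.com/","app":"Chrome"}
{"ts":"2020-03-30T11:00:00Z","user":"alice","action":"copy","path":"/work/sales/customer-list-q1.xlsx","dest":"/corp/onedrive/sales/","app":"OneDrive"}
"""

# Constructed classification rules: the first glob that matches the source path wins.
CLASSIFICATION = [
    ("/work/sales/customer-*", "confidential"),
    ("/work/src/*", "confidential"),
    ("/work/product/roadmap-*", "confidential"),
    ("/work/marketing/*", "public"),
]

# Sanctioned destinations (prefix match). Everything else counts as untrusted.
TRUSTED_DEST_PREFIXES = ("/corp/onedrive/", "https://corp.sharepoint.com/")

# Coarse buckets for untrusted destinations; only used to describe the finding.
UNTRUSTED_KINDS = [
    ("removable", ("/volumes/", "/media/", "e:\\")),
    ("personal_cloud", ("/dropbox/", "/google drive/", "drive.google.com")),
    ("messaging", ("whatsapp", "slack.com", "facebook.com")),
]

# Departing-employee watchlist (assumed): user -> last day. Activity within the
# window before the last day is escalated regardless of destination kind.
DEPARTING = {"bob": "2020-04-10"}
WATCH_WINDOW = timedelta(days=30)


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_path(path):
    for pattern, label in CLASSIFICATION:
        if fnmatch(path, pattern):
            return label
    return "internal"  # default for anything not explicitly classified


def destination_kind(dest):
    """'trusted' for sanctioned targets, otherwise the untrusted bucket it falls in."""
    if dest.startswith(TRUSTED_DEST_PREFIXES):
        return "trusted"
    low = dest.lower()
    for kind, markers in UNTRUSTED_KINDS:
        if any(m in low for m in markers):
            return kind
    return "unknown"  # unrecognised but not sanctioned: still untrusted


def is_departing(user, ts):
    last_day = DEPARTING.get(user)
    if last_day is None:
        return False
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    remaining = datetime.strptime(last_day, "%Y-%m-%d") - when
    return timedelta(0) <= remaining <= WATCH_WINDOW


def triage(events):
    """Return findings for non-public files that moved somewhere untrusted."""
    findings = []
    for ev in events:
        kind = destination_kind(ev["dest"])
        label = classify_path(ev["path"])
        if kind == "trusted" or label == "public":
            continue  # sanctioned sharing or public material: keep for audit, no alert
        severity = "high" if label == "confidential" else "medium"
        if is_departing(ev["user"], ev["ts"]):
            severity = "critical"
        findings.append({
            "user": ev["user"], "path": ev["path"], "dest": ev["dest"],
            "label": label, "dest_kind": kind, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_LOG)):
        print(f"{f['severity']:8} {f['user']:6} {f['label']} -> {f['dest_kind']}: {f['path']} => {f['dest']}")
```

On the constructed log this raises three findings and stays silent on two: alice copying the same customer list to the sanctioned OneDrive path is legitimate sharing and is only kept for audit, while her Dropbox sync of it is flagged; bob's USB copy and WhatsApp upload are escalated to critical because he is inside the departure window. Note that nothing here blocks anything; the point is that the same event stream answers the "who, what, when, where" questions from the board-level list above.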

It's true that the motivations behind the insider threat are varied and the risks they pose are significant. After all, who knows better where the valuable data resides, why it's valuable and how to obtain it than those on the inside? Fortunately, to succeed at minimizing insider threat, you don't need to focus on every motivation. You just need to focus on the data.

From the Desk of a CISO: The Five Core 2020 Cybersecurity Resolutions

Over recent years, cybersecurity, and certainly the role of the CISO, have evolved, in many ways for the better. Thanks in large part to the rapid digitization of business, the explosion of data and data sharing across the enterprise, and the move to cloud and mobile, the nature of information security has had to change. And it has to keep changing quickly.

At Code42, as we work to provide an insider threat detection, investigation and response solution to organizations that need to securely share data and collaborate to succeed at their work, we find ourselves in the center of it all. As 2020 takes off, it's a perfect time for security teams to reflect on where they can improve when it comes to providing the most effective security to their organizations. As I've considered the state of enterprise security over the past few weeks, I've developed my list of 2020 resolutions. To be sure, some organizations, including Code42, are doing these things already. Yet there's always room for improvement, and in security we all need to work together toward the constant goal of improvement.

Here are the areas that are especially important for businesses to focus on throughout 2020 and, as necessary, resolve themselves to improve.

Make sure security is a business driver

With the increased competitiveness of today’s business environment and the drive to digital transformation, cybersecurity can no longer be viewed as a reason not to move a business forward. The 2019 Harvey Nash / KPMG CIO Survey found that 44% of CIOs and technology leaders expect significant changes to come to their products, service offerings, or even their business model in the next few years. Security teams need to support, not hinder, this business change.

One way security teams can improve is to better understand and appreciate how their company drives revenue and ensure they are making smart decisions to support its specific business model. What does this mean in practice? Consider how a manufacturer will have a different risk posture than a healthcare provider and how a healthcare provider’s risk posture will also be quite different from that of a trucking company or software provider. It’s important that security professionals think of themselves not just as security professionals, but as risk managers that help direct and inform the business on taking on the risks that allow the company to meet their overall goals. 

At Code42, our focus is on helping to secure this faster world of collaboration, which fundamentally makes security a cornerstone of driving the business forward. We believe in supporting all forms of collaboration and innovation. We also believe that collaboration needs to be secure.


Embed security throughout the business

In many organizations, it’s still common for new applications, services and business decisions to be made without the security team being part of the decision-making process. Unfortunately, when security is brought in at the eleventh hour and finds a number of risks that must be resolved, it causes considerable re-work, increases costs to remediate and unacceptably slows down the business.

Further, the more rapidly businesses digitize, the more aggressively they add new product features, change business models and enter new markets and geographies (which come with their own geopolitical risks). As such, security leadership needs to be a part of discussions around planning and implementation from the beginning.

Having security embedded early saves time, costs and lots of headaches. To do this requires that security is built into the development and business decision-making process. In practice, this means that security engineers are integrated into the software lifecycle process – helping to write code, fix vulnerabilities, or address developers’ needs with consistent security solutions. (I advocated for security to be ingrained in these types of activities in a recent blog.) Or it means that your security org helps to vet a product or solution before it’s acquired. Or it means that the board asks the CISO for a security risk analysis before entering new geographies and business segments.

To stay competitive, however, it’s just not enough to make sure security is part of the process – security needs to be as effective and efficient as possible. Which brings us to our next resolution.

Automate all of the things

Security teams not only need to be involved early on to identify risks, they need to be enabled to fix those risks themselves through integration and automation. Automating security means mundane tasks can be handled without human interaction, freeing up security engineers for more important, strategic, value-added work.

Automating security tasks in the development workflow not only saves time and enables speed and scale, but it’s also critical for solving key issues faced by security professionals. Automation can help ease the security talent gap, alleviate alert fatigue, speed up time to incident resolution and reduce errors.

We are continually improving our processes in the areas that can be automated, including software testing, vulnerability management, malware incident response and more. Any mundane task is a candidate for automation. For instance, when an automated scan identifies vulnerabilities, it is sometimes possible to patch automatically; other times, the best option is to gather all of the necessary context and package it for admins so they can get to work instantly.

If there’s a malware alert, automatically pull the necessary context from a source such as VirusTotal and, when appropriate, quarantine the infected system. If a remedy cannot be automated, gather the associated context so analysts can quickly make a decision and respond.

The move to DevOps helps with security automation; some call this DevSecOps. It doesn’t matter what you call it. What does matter is that security processes are an automated part of the development lifecycle and that security people are part of the cycle.
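To make the triage pattern concrete, here is an added example (not Code42 code) of the two automation paths described above: scanner findings are patched unattended only where a fix exists and the host owner has approved it, otherwise they are packaged into a ticket with full context; malware alerts are enriched from a reputation lookup and either quarantined or escalated with the context attached. Every host name, hash, finding and the `KNOWN_HASHES` table are constructed sample data, the `CVE-0000-*` strings are placeholders, and `lookup_reputation()` stands in for a real query to a service such as VirusTotal.

```python
"""Triage loop for scanner findings and malware alerts.

Added illustration of the automation described above; it is not Code42 code.
Every host name, hash, finding and the KNOWN_HASHES reputation table are
constructed sample data, and the CVE-0000-* identifiers are placeholders.
In a real pipeline lookup_reputation() would query a service such as VirusTotal.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VulnFinding:
    host: str
    cve: str                  # placeholder identifier, not a real CVE
    package: str
    installed: str
    fixed_in: Optional[str]   # None when the vendor has not shipped a fix
    cvss: float


@dataclass
class MalwareAlert:
    host: str
    sha256: str
    path: str


@dataclass
class Action:
    kind: str                 # auto_patch | ticket | quarantine | escalate
    host: str
    context: Dict[str, object] = field(default_factory=dict)


# Constructed reputation data: sha256 -> (engines flagging it, engines total, label)
KNOWN_HASHES = {
    "a" * 64: (54, 70, "Trojan.Generic"),
    "b" * 64: (1, 70, "PUA.Adware"),
}
# Assumed policy: hosts whose owners approved unattended patching ...
AUTO_PATCH_HOSTS = {"web-01", "web-02"}
# ... and hosts that must never be isolated without a human decision.
NO_AUTO_ISOLATE = {"dc-01"}
QUARANTINE_RATIO = 0.5


def lookup_reputation(sha256: str) -> Dict[str, object]:
    hits, total, family = KNOWN_HASHES.get(sha256, (0, 0, "unknown"))
    return {"malicious_engines": hits, "total_engines": total, "family": family}


def triage_vuln(f: VulnFinding) -> Action:
    """Patch unattended when a fix exists and the host allows it; else package a ticket."""
    ctx = {"cve": f.cve, "package": f.package, "installed": f.installed,
           "fixed_in": f.fixed_in, "cvss": f.cvss}
    if f.fixed_in and f.host in AUTO_PATCH_HOSTS:
        ctx["command"] = f"apt-get install -y {f.package}={f.fixed_in}"  # Debian-style hosts assumed
        return Action("auto_patch", f.host, ctx)
    ctx["reason"] = ("no vendor fix available yet" if not f.fixed_in
                     else "host not approved for unattended patching")
    return Action("ticket", f.host, ctx)


def triage_malware(a: MalwareAlert) -> Action:
    """Quarantine on strong reputation evidence; otherwise escalate with the context attached."""
    rep = lookup_reputation(a.sha256)
    ratio = rep["malicious_engines"] / rep["total_engines"] if rep["total_engines"] else 0.0
    ctx = {"sha256": a.sha256, "path": a.path, "detection_ratio": round(ratio, 2), **rep}
    if ratio >= QUARANTINE_RATIO and a.host not in NO_AUTO_ISOLATE:
        return Action("quarantine", a.host, ctx)
    ctx["reason"] = ("reputation below quarantine threshold" if ratio < QUARANTINE_RATIO
                     else "host exempt from automatic isolation")
    return Action("escalate", a.host, ctx)


def run_pipeline(findings: List[VulnFinding], alerts: List[MalwareAlert]) -> List[Action]:
    return [triage_vuln(f) for f in findings] + [triage_malware(a) for a in alerts]


# Constructed sample input.
SAMPLE_FINDINGS = [
    VulnFinding("web-01", "CVE-0000-0001", "openssl", "1.1.1k", "1.1.1w", 7.5),
    VulnFinding("db-01", "CVE-0000-0002", "libxml2", "2.9.10", "2.9.14", 5.3),
    VulnFinding("web-02", "CVE-0000-0003", "nginx", "1.18.0", None, 9.8),
]
SAMPLE_ALERTS = [
    MalwareAlert("laptop-17", "a" * 64, r"C:\Users\jdoe\Downloads\invoice.exe"),
    MalwareAlert("dc-01", "a" * 64, r"C:\Windows\Temp\svc.exe"),
    MalwareAlert("laptop-22", "b" * 64, r"C:\Users\asmith\AppData\toolbar.exe"),
]

if __name__ == "__main__":
    for act in run_pipeline(SAMPLE_FINDINGS, SAMPLE_ALERTS):
        print(f"{act.kind:10} {act.host:10} {act.context}")
```

The point of the split is that every branch ends in an action: either the machine does the work, or a human receives a package that already contains what they would otherwise spend the first twenty minutes collecting. The exemption lists are where the "allow for context" advice applies; a domain controller with a high detection ratio is escalated rather than isolated by a script.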

Focus on the human side of security

For years, we have focused on external actors and perimeter defense. We now need to shift the focus to include internal threats. We know that insiders have a considerable impact on an organization’s security. Yet, many organizations expend too much focus on external threats and not enough on internal threats. It’s time organizations appropriately reallocate their focus.

How do insiders create risk? Let me count the ways… For one, some users sidestep company-provided file sharing and collaboration tools for tools of their own choice. This creates risk. Our 2019 Data Exposure Report found that 31% of business decision-makers use social media platforms, e.g., Twitter, Facebook, LinkedIn, to share company data, while 37% use WhatsApp and 43% use personal email to send files and collaborate with their colleagues. Another way? Seventy-eight percent of CISOs and 65% of CEOs admit to clicking on a link they should not have. This shows that it’s not just staff, but also senior leaders that can make poor data security decisions. Have you ever emailed or shared a document with the wrong person? It’s not difficult to do. Though unintentional, the end result is still a risk to data.

Ultimately, enterprises can put protections and controls in place at every turn. Still, it only takes one internal user to abuse their access in a nefarious or careless way to cause a data breach.

Organizations need to dedicate more time to identifying insider threats, deciding what monitoring to put in place and optimizing how they detect and respond when events occur. Importantly, we have to do this without losing sight of our main focus to enable the business to collaborate securely.

Build a culture of security

No program or software solution will prevent all data from being at risk of exfiltration. It’s the security team’s job to educate employees on security risks and help foster an appropriate security culture.

What does it mean to build a good security culture? Consider security culture to be how those working within the organization act when it comes to data security. When there is a healthy security culture, everyone thinks before they click on links, for instance. If they have security questions, they’ll feel free to reach out to the security organization for answers. When they want to use a new product or service, or work in a new way, they will ask security about the risks. This is what good security culture looks like in practice.

Good security culture is actually a pillar of an effective insider threat program. Consider how many people in your organization would “say something if they see something,” to take a line from homeland security. Most staff, if they see a peer sharing a document out of policy or in an unsecure way, won’t say anything at all. It’s because people aren’t taught how to say something or help co-workers do the right thing. An effective security culture helps change that for the better.

While every organization is different, some organizations may be further along with these resolutions than others. However, with the rising insider threat and the increased pace of digital transformation, all organizations will benefit by making sure they are on track to continuously improve themselves.

3 Steps to Building a Successful Insider Threat Program in the Age of Data Privacy

Data privacy laws are picking up steam – think the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) – and there is a lot of concern about what security and privacy teams can and should do to enforce policies that protect the business. From a data privacy standpoint, consumers – and employees for that matter – historically have been largely left in the dark about what personal information a business may have about them and how that information is being used, stored and shared. With GDPR and CCPA, consumers and employees now are more emboldened to ask questions and provide direction on how their data is used.

In this new world with data privacy top of mind, corporate insider threat programs are especially under the microscope – and they’re getting an (undeserved) bad rap. There is a misconception that insider threat programs impinge on personal data privacy rules. As a result, some employees have very strong reactions against insider threat programs. To that end, many security teams end up having conversations around insider threat that end with comments such as, “I don’t want to be Big Brother!” or “Having a program implies I don’t trust my fellow co-workers.”

The reality is that data drives businesses and data is leaving companies every day (read more on this topic in our 2019 Data Exposure Report). Even though data loss by employees can take different forms, it’s important to take them all seriously. Sometimes employees take data accidentally. Other times, they take it intentionally without realizing the harm their actions could cause. Still other times, employees take data maliciously. Regardless of intent, the damages of data loss are real and it’s important we consider these risks to our businesses.

Insider threat programs are necessary and very effective in protecting corporate IP.  To run an insider threat program while keeping employee privacy concerns in check, consider these three important steps:

Decide what you need to monitor

What does insider threat mean to you? I like to use a simple definition that removes intent and focuses on impact: insider threat is any type of threat to an organization’s security posture from within. Focus on the systems that manage your sensitive information, the departments that are more likely to handle sensitive information, or on the workflows that increase the probability that information is leaving the company (think departing employees, mergers & acquisitions, etc.).

Build out a program around it

Once you’ve defined what matters, build out an insider threat program around it. Programs are typically built out in one of three ways (though often a combination of these):

  • Logging and alerting: If you defined sensitive systems as the focus, this is often a natural way to build out your program. Make sure you are capturing all relevant logging activities (this is sometimes tricky with SaaS applications) and set up alerts for activity that may be deemed riskier.
  • Special tools: You may decide there are additional tools you want to implement in order to monitor and manage your insider threat program. Depending on the technology implemented, you may get additional alerts, risk ranking, or integrated workflows to help guide your set up.
  • Defined processes: As much as we’d like to think technology can solve all of our problems, sometimes the best program starts with a manual process. This could include an onboarding or offboarding checklist, a periodic audit of privileged user activity and employee training.

As with all things security, remember that there is very little “black and white.” Build your program to allow for additional context, account for the potential of human error, and incorporate other stakeholders (legal, human resources, managers, etc.) into the program to ensure you are addressing risk appropriately.

If you are looking for additional guidance on the mechanics of building or maturing an insider threat program, here are a couple of great resources to check out:

Tell your employees

Finally, no matter how you decide to build out your program, let your employees know what you are doing. Be very clear with employees about what information your program is collecting and monitoring, and how the information is being used. I often see this in the form of a log-in banner, an employee privacy statement or policy, or as part of security awareness training. Also, have a feedback process for people to reach out to you for more information.

My best advice when deciding what information to share is to put yourself in the shoes of an employee. What would you want to know, and would you find the data monitoring to be reasonable? At the end of the day, while you may be the owner of your organization’s insider threat program, you are also likely the subject of someone else’s.

From the Desk of a CISO – Leadership Lessons

Quite a bit has changed in information security since I began my career more than a decade ago. 

Talk of cloud being the primary enterprise development platform was based on complete speculation. Mobile computing had yet to hit full stride. Software as a service (SaaS) was in its infancy. Since then, we have seen the rise of the nation-state attacker, extensive malware attacks, highly-publicized insider threat cases, exponential growth of data due to the declining costs of storage and considerable digital transformation investments. As all of these trends evolved and took hold, the nature of information security also changed.

Throughout all of these changes, I have worked in information security; previously, at a national retail enterprise and, more recently, as a CISO here at Code42. Over the years, I’ve learned a few important lessons about how to be successful in information security that I’d like to share here.

Lesson 1 – Be Part of the Solution

Too often security teams do a great job at identifying and pointing out risks and then handing them off to others to solve. In their earnest desire to eliminate those risks, they forget how important it is to understand how people go about getting their work done. So, rather than try to help others deliver their work or projects in a secure way, they identify risks and throw them over the fence for other teams to fix. That has to stop. We need to create partnerships, build empathy and become part of the solution. Building empathy helps us understand how others deliver work and the struggles they might go through to get their jobs done.

Because we are developing software at Code42, our top risks lie in the software development cycle. That’s why my team works very closely with our developers to help identify and address security gaps. To build greater empathy, I have challenged my team to learn the basics of a coding language. This has helped us gain a fuller understanding of the challenges developers face everyday and, more importantly, how we need to work with them to be part of the solution.

Lesson 2 – Balance Risk

In security, it is less about eliminating risks and more about balancing risks. Think of a retail floor. Sure, everything on a shelf that isn’t locked down is at risk of being stolen. But if you lock everything up behind glass, your sales are going to plummet. At the end of the day, you are in the business of selling goods, which is why retailers don’t lock up everything. It’s the same with all business risks. You have to balance the business benefit with the business risk and put reasonable risk mitigations in place. For a retailer, this could be cameras, security guards, and/or only locking down items with a high risk of theft.

As security leaders, we don’t want to place overly aggressive security controls on everything; we are trying to tune the right level of security for the organization. You have to balance what the board, CEO and customers want while matching the culture of the organization.

In a lot of cases, security leaders push forward with their own security risk posture ideals versus trying to truly understand the acceptable risk posture of the organization.

Lesson 3 – Build a Strong Team

While a bit more obvious, I can’t stress enough the importance of building and retaining a strong team. The team here at Code42 is close-knit. I have worked with many of these people for more than a decade. It’s hard to place a value on that. It’s a lot like professional athletes who know the moves their teammates are going to make before they do. That makes it possible to build a well-tuned, committed and effective team, not to mention retain talent in a talent-deficit industry. When you have a team you trust, it makes security much more effective and laser focused on the overall mission of the organization. I am thankful to be a part of such a strong, dedicated team that trusts one another and has a high degree of respect for one another. 

Lesson 4 – Transparency Trumps

To be effective in this industry, security professionals need to be transparent. In some cases, security teams still operate like the man behind the curtain: no one knows what magic they are operating, and budget is gained by claiming that the sky is falling. But with today’s skepticism, seeing is believing. That’s why it’s so important to demonstrate how risks could be exploited. I recommend having your red team perform an exercise to determine exactly how easily a risk may be exploited, and share the results with other decision makers.

In the same vein of transparency, it’s important to explain risks as they really are. Many security professionals will overhype a risk in an attempt to get attention or budget for a project. That tack may work in the short-term, but it will diminish trust in the long run.

As a security team, we are 100% transparent on the risks we see and the areas where we are digging deeper. This way, when a threat or new risk arises, we have a tremendous amount of trust and support to mitigate the risk. 

Lesson 5 – Provide Value, Don’t Fear Failure

Finally, being a CISO, or data security professional in general, is a stressful job. There is a lot of discussion around stress in the information security profession and how, as a result, the average tenure for CISOs is about two years or less. CISOs must balance the stress by focusing on the good, which is the value they’re providing to their business. At Code42, we strive for a blameless culture – one where we learn lessons rather than fear failure. This type of a culture helps contextualize stress. 

In my job, I want to feel challenged throughout the workday. I’m energized and get a lot of joy knowing that we are providing value and actually helping our company and customers address their security risks. We are working for a company that helps all of our customers deliver on security with the software we develop. For a security professional, it doesn’t get more exciting than that.

2020: The Cybersecurity Year Ahead

Security never stops. As 2019 comes to an end, security professionals are looking to what is in store for the year ahead. To get some answers, we reached out to Code42 leadership and security experts to get a sense of their cybersecurity expectations for the coming year.

While they expect plenty of tough challenges when it comes to protecting data, there is some good news in the mix. The team anticipates that enterprises will take steps toward formalizing (and automating) their security programs where gaps exist.

Here’s what the Code42 team had to say:

Insider threat programs grow more prevalent

Relentless reports of new, high-profile insider breaches will push many more businesses to finally take insider threat seriously enough to formalize programs and allocate a larger budget dedicated to protecting their intellectual property. This year, at least half of data breaches involved an insider, but in 2020, that figure could exceed 60%.

When it comes to insider threat, companies will begin to lean into new technologies designed distinctly for protecting from insider threats, and they’ll stop shoehorning outdated, ineffective technologies that were never really intended to mitigate insider risks to begin with. Finally, more than 20% of organizations will begin actively measuring what departing employees take from their organization.
Joe Payne, president and CEO at Code42

The role of security will increasingly integrate within IT

With the continued cybersecurity talent gap, along with increased regulatory demands and security threats, security and IT will have to work more closely together. What I mean by this is traditional IT will be expected to take on security responsibilities, while security roles will evolve to become more hands-on and step into actual problem-solving rather than problem-identification mode. 

Security has always been positioned to cover confidentiality, integrity and availability – the well-known security CIA triad. While IT has traditionally been focused on availability, it’s increasingly recognized that data integrity and confidentiality need to be a part of the broader IT strategy. There has always been an opportunity for a natural fit between IT and security, and 2020 will prove to be the year that we recognize the similarities and start to benefit from the combined focus from these two disciplines.
Jadee Hanson, CISO and VP of Information Systems, Code42

Collaborative tools get security department green light

Progressive organizations thrive on collaboration. After all, we are in the midst of a massive culture change that centers on employees’ ability to share ideas, move faster, and collaborate. CEOs are requiring that their employees use Slack, Chatter, Box, and OneDrive to work together to be more productive. However, at the same time, CISOs have been busily blocking collaboration by using legacy prevention technology. In 2020, progressive CISOs will stop blocking and will start focusing on enabling collaboration by adopting new approaches that better address insider risk.
Joe Payne, president and CEO at Code42

DevOps teams embrace security

Organizations have adopted DevOps, but security hasn’t always kept pace. As DevOps grows, so does the desire (and the need) for security to become embedded within these teams. In the next year, organizations will increasingly seek ways to build the skills, tools, and knowledge they need to build security directly into DevOps teams.
Michelle Killian, director, information security, Code42

The security talent shortage continues

By nearly all estimates, the industry is millions of cybersecurity jobs short of what’s needed to adequately secure enterprise data. This shortage will push security teams to automate as much as they can to stretch their capabilities. Hopefully, teams will focus on optimizing the basics because it remains true that the vast majority of breaches could have been prevented if security 101 practices were followed. Areas that will be automated include manual operations tasks, application security testing, data monitoring, and more.
Todd Thorsen, senior manager information security, risk management and compliance, Code42

Security ‘solutions’ continue to grow in complexity

The complexity of security vendor solutions remains too high in cybersecurity. Many vendors continue to proudly talk about how sophisticated their products are and how they can solve complex problems. The problem is: using these security tools themselves is an overly complex and unwieldy process. At the same time, the security industry struggles with a serious shortage of skilled cybersecurity personnel. Something has to give.

In 2020, we will see security vendors focus on providing both signal and simplicity. To align with the realities of personnel shortage, solutions will surface highly actionable information and present it in easy-to-use, accessible ways so that security teams can act quickly without being embroiled in endless investigations.
Joe Payne, president and CEO at Code42

Move from reactive to proactive security

Companies are so busy reacting to incidents and putting out fires that they are missing opportunities to proactively reduce risk. One area is how staff and others will continue to be a highly exploited threat vector, yet companies will continue to trail behind mitigating their human risks. One thing is for sure: training alone is not going to work, as companies need to create security-minded cultures in their workplaces.
Chrysa Freeman, program manager, security awareness, training and culture, Code42

Expect a major breach within a federal agency

A federal agency will experience a large-scale data breach at the hands of an insider. This will highlight the growing insider threat blind spot for all large organizations.

Also, foreign hackers and the election take center stage. There will be proposed federal regulations requiring encryption back-doors and FCC regulation of social media in advance of the elections. As the elections approach, there will be reports of hacks and vulnerabilities, many with grand claims. All of these claims will be unsubstantiated, viciously spun, yet cause no direct or measurable harm. But they will create enough doubt and disruption to further the nation’s political divide.
Andrew Moravec, principal security architect, Code42

The return of ransomware

It used to be that cryptojacking—using someone else’s computing to mine cryptocurrency—was a relatively easy path to profit. But as the price of bitcoin continues to fluctuate wildly, those profits are no longer such a sure thing. As a result, adversaries will shift their attacks to optimize their efforts. Once their malware is deployed onto endpoints, they may decide ransomware is the way to go, which would very well lead to a resurgence in ransomware attacks.
Jeff Holschuh, senior manager of identity, Code42

A renewed focus on data privacy

The CCPA (California Consumer Privacy Act) goes into effect at the beginning of 2020. The act will have a substantial impact on companies that don’t yet have mature data security and privacy programs in place. As enforcement actions are brought under this new law, companies will scramble to ensure they are meeting all of the law’s requirements.

Essentially, CCPA focuses on data collection rules, breach disclosure, and the selling of consumer personal data. Expect not only CCPA-driven lawsuits and fines, but also a nationwide rush by companies to ensure they can comply.
Nathan Hunstad, principal security engineer and researcher, Code42

Building an Insider Threat Program Without Becoming Big Brother

I don’t believe that there’s an enterprise in existence that wouldn’t benefit from an insider threat program. Nearly every enterprise will experience repeated data theft and confidential data exposure as a direct result of the accidental or deliberate actions of one of their trusted insiders. I know that’s not easy to hear, but it’s true.

Consider a survey conducted by Osterman Research. The survey found that 69% of respondents experienced significant data or knowledge loss as a result of employees taking information with them when they left, as Andy Patrizio wrote in his CIO story, Sensitive data often follows former employees out the door.

Despite how pervasive and serious the risks posed by insider threat are today, few organizations have an insider threat program in place, and fewer still have an effective insider threat program.

There are a number of reasons insider threat programs aren’t very common. The first is that getting started in building an insider threat program can be overwhelming – even though it doesn’t have to be. Some of these challenges are technical, such as the failings of traditional data leak prevention products. Other challenges are cultural; for instance, many organizations fear that their insider threat program could turn into a Big Brother level of oversight.

However, when done right, an insider threat program doesn’t have to become Big Brother. In fact, it doesn’t have to become overbearing or negatively affect culture. In this post, I share the key insights I’ve learned that will help any organization get started with an effective insider threat program that won’t turn into Big Brother.

Earn the support of your executives

It’s true of any data security program, but especially for an insider threat program: to succeed, you need to have the support of business leadership. It will be your organizational leadership that ensures the program gets the continuous funding it needs as well as the political backing to overcome any speed bumps that arise.

Obtaining that support is best achieved by articulating to executive leadership the real-world risks to the organization so that they understand the threats and how important it is to fund and support such an effort. This will require detailing the types of data risks your organization faces and the strategy for mitigating those risks.

Earn the support of stakeholders throughout the organization

Partnership from other business stakeholders, such as the legal department and human resources, is also essential. If you are trying to build effective data security and insider risk management processes into your employee onboarding processes, job changes, and terminations, then you will want to work closely with the human resources and legal departments. If these departments are not engaged with the insider threat program, you run the risk of having an ineffective program on your hands.

Prepare for culture shocks

One of the reasons insider threat programs can appear authoritarian is they are designed without the existing internal culture in mind.

When it came to managing insider risks at a former employer, it was common for me to run into cultural issues. We were always working closely with our vendors, many of whom were based in Silicon Valley. While discussing data risks with these organizations, we often learned that they did not have even the most basic controls pertaining to insider threat, including not bothering with employee background checks. They often didn’t understand who was joining the organization. “We trust our people,” they’d say. “We only hire the best, most talented people. Everybody wants to work here. Why would anybody do anything bad here?”

In building an insider threat program, you’ll have to deal with such cultural barriers, and the challenges to overcome them are real. Essentially, to overcome those challenges, you will need to convince staff and everyone throughout the organization that the focus isn’t on punishing people doing things they shouldn’t, but rather protecting the organization’s data and its business viability.

For those in regulated industries, this conversation is likely a lot easier to have with executives and staff. When you work in a regulated industry, it’s evident why certain types of data must be watched and protected, and it’s easier to extend that to other kinds of data.

For those working outside of regulated industries, where it’s not mandated that data be protected, it’s undoubtedly a much more challenging argument to win. But it’s an argument that executives will be receptive to if you explain the costs to the business associated with losing data or intellectual property that is important to the organization.  

Make sure the program is transparent

Another reason insider threat programs can appear oppressive is when they are built in secret. When staff are aware of the insider threat program but don’t understand why it is in place, they are more likely to grow resentful and even fearful of the program. Conversely, when staff aren’t aware of the insider threat program at all, they can be very brazen in taking data that belongs to the company. There is no reason to take either of these counterproductive approaches.

When organizations are transparent about the insider threat program and why it’s necessary, then staff, contractors, and business leaders will be more supportive of the effort to protect intellectual property and confidential and valuable information. 

Establish acceptable data use policies

Everyone will feel better about the program if they are not finding themselves second guessing whether or not they are acting within protocol. Are they permitted to use cloud storage services? If so, which ones? Can data be moved to USB devices and other local, removable storage devices? What about sharing data on corporate collaborative platforms such as Slack or Microsoft Chatter? What’s the policy for taking data home and/or keeping it on their notebooks?

Staff and contractors need clear demarcation lines of what is an acceptable use of the organization’s systems and data and who owns the organization’s data. Employees must be made aware of these policies.

Data risk will vary depending on the organization

The specific type of data that is protected will be dependent on the nature of the organization and the industry in which it works. The types of data and roles that will pose more significant risks will vary among different types of organizations. An aerospace engineering firm or defense contractor will have a different risk posture than a law firm, financial services firm, or pharmaceutical company. Within all of these organizations, there will be a lot of targeted information that can be monetized and is important to the organization, but the nature of the data (and who can access the most valuable data) will vary.

Put the right data protection tools in place

Although much of your insider threat program will consist of data security policies and employee training and awareness, those policies will need to be enforced with technology. When considering the types of tools that will support your insider threat program, choose tools that give you the capability to detect, investigate, and respond to data breach incidents with the appropriate level of insight.

Another consideration is how well the tools you select will integrate within your environment. This must be viewed from the standpoint of how well it will work with both internal processes and existing toolsets. For example, if you have an established automated employee off-boarding process, can you connect to those processes so that you have timely, accurate insights into employee status changes? The same holds true when it comes to employee onboarding.
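As an added illustration (not code from the original article) of the two points above, encoding the acceptable-use policy as data and wiring an off-boarding feed into the detection tooling so that departing or already-terminated employees’ data movements surface first: the HR records, activity events, destination names and scoring weights below are constructed and hypothetical.

```python
from datetime import date, timedelta

# Constructed HR status feed (the off-boarding system's export): who is leaving and when.
HR_FEED = [
    {"user": "alice", "status": "active", "effective": date(2020, 1, 6)},
    {"user": "bob", "status": "resignation_notice", "effective": date(2020, 4, 24)},
    {"user": "carol", "status": "terminated", "effective": date(2020, 4, 10)},
]
# Constructed file-activity events from endpoint/cloud monitoring.
ACTIVITY = [
    {"ts": date(2020, 4, 15), "user": "alice", "action": "upload", "dest": "corp-gdrive", "files": 3},
    {"ts": date(2020, 4, 15), "user": "bob", "action": "upload", "dest": "personal-dropbox", "files": 120},
    {"ts": date(2020, 4, 16), "user": "bob", "action": "copy", "dest": "usb", "files": 40},
    {"ts": date(2020, 4, 16), "user": "carol", "action": "upload", "dest": "corp-gdrive", "files": 2},
]
# Acceptable-use policy encoded as data: the destinations staff are permitted to use (hypothetical names).
APPROVED_DESTINATIONS = {"corp-gdrive", "corp-sharepoint"}
DEPARTING_STATUSES = {"resignation_notice", "terminated"}
DEPARTURE_WINDOW = timedelta(days=30)

def departure_dates(feed):
    """Map user -> (status, effective date) for everyone the HR feed flags as leaving."""
    return {r["user"]: (r["status"], r["effective"]) for r in feed if r["status"] in DEPARTING_STATUSES}

def score_event(event, departures):
    """Return (risk_score, reasons) for one activity event; higher scores are investigated first."""
    score, reasons = 0, []
    if event["dest"] not in APPROVED_DESTINATIONS:
        score += 2
        reasons.append(f"unapproved destination {event['dest']}")
    if event["user"] in departures:
        status, effective = departures[event["user"]]
        if status == "terminated" and event["ts"] >= effective:
            # Off-boarding gap: the account was still active after the termination date.
            score += 4
            reasons.append(f"activity after termination effective {effective.isoformat()}")
        elif abs(effective - event["ts"]) <= DEPARTURE_WINDOW:
            score += 3
            reasons.append(f"departure effective {effective.isoformat()}")
    if event["files"] >= 100:
        score += 1
        reasons.append(f"bulk transfer of {event['files']} files")
    return score, reasons

def triage(activity, feed, threshold=3):
    """Return events scoring at or above the threshold, highest risk first."""
    departures = departure_dates(feed)
    scored = [(ev, *score_event(ev, departures)) for ev in activity]
    flagged = [{"user": ev["user"], "ts": ev["ts"], "score": s, "reasons": r} for ev, s, r in scored if s >= threshold]
    return sorted(flagged, key=lambda f: f["score"], reverse=True)
```

The same join works against a live HR export and a real activity log; the point is that a stale or missing status feed turns the "activity after termination" signal into silence.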

Provide ongoing training and awareness

Ongoing security training and awareness exercises are essential for maintaining good data security practices and muscle memory for all employees across the organization. If your organization has an existing security training and awareness function, you can integrate insider threat messaging into awareness exercises.

Incorporating insider threat scenarios into ongoing security training and awareness will also help employees understand the risks you’re trying to manage and the rationale behind the program, and it can create allies within your organization.

Build a sustainable program that will change with the times

Just as your organization and business environment evolve over time, so will your organization’s risks. So, it is important to ensure that your insider threat program can keep pace with the changes in your business and risks. Fundamentally it’s about keeping your focus on effectively managing data exfiltration and insider risk as your organization evolves.

All of this may seem straightforward—and it is—but that doesn’t make it easy or swift to accomplish. Like so many effective processes, the important thing is to keep your insider threat program risk-based, aligned with your organization’s culture and nimble enough to evolve with your organization.  

If you’re building an insider threat program from scratch, start small, keep it simple and be open to making changes. Early wins are important and will help drive the success of the program. Furthermore, they will keep the support of executives and staff who understand that the organization’s long-term success depends on protecting its data. Because it certainly does.