Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure – Stockpiling Cryptocurrency? Save Your Money.

For years, organizations have heard the drumbeat of building digital security perimeters to protect their data. And to the best of their ability, they’ve listened to the experts, followed best practices and spent billions on strategies to prevent data losses and breaches.

Unfortunately, that strategy is no longer working and companies know it. In an increasingly complex digital threat landscape, cybercriminals are constantly evolving, waging successful ransomware attacks even on organizations that have well-established breach-prevention profiles. Our recently released Data Exposure Report, which surveyed nearly 1,700 security, IT and business leaders across the U.S., U.K. and Germany, tells this story in stark relief.

Playing defense in an unpredictable threat landscape

I wasn’t surprised to read in the report that 64 percent of CISOs believe their company will have a breach in the next 12 months that will go public. Furthermore, 61 percent say their company has already been breached in the last 18 months. What is surprising to me is the narrow window of time in which these breaches are happening, demonstrating the increasing severity of the threat.

Even more concerning is the growing number of companies that are reacting to ransomware by purchasing cryptocurrency. Nearly three-quarters of the CISOs we surveyed admitted to stockpiling or having stockpiled cryptocurrency in the last 12 months to pay off cybercriminals. Worse yet, 79 percent of them have actually paid ransoms to regain access to their corporate data.


Get hit, get back up

Security and IT leaders estimate that 39 percent of their organization’s data is only held on endpoint devices — making it more difficult to track. As we discussed in our previous blog, “The Risks of Playing Data Hide-and-Seek,” this lack of visibility over endpoint-only data puts valuable company IP at risk — and updating a company security policy will not change the outcome because some employees simply don’t follow the rules.

In business, time is money. This is especially true in the seconds, minutes, days and weeks after a security breach. Yet according to about one-third of security and IT leaders, it would take up to one week to enact their recovery plan.

There is another way

While companies might think that they have no choice but to pay cybercriminals, they do actually have other options. And the overwhelming majority of CISOs agree. Nearly three-quarters (72 percent) reported that their company must improve its breach recovery ability in the next 12 months. And 75 percent stated that their company needs to shift the focus away from prevention-only security to a prevention-and-recovery strategy.

So what does that mean?

Recovery and prevention

From an IT perspective, prevention is only a single facet of a robust security approach. Possessing the capability to find out how a breach occurred — then being able to recover in real time — is the ultimate definition of resilience. With a comprehensive data recovery tool that includes visibility and recovery for endpoints, companies wouldn’t have to pay a ransom to regain access to their data. They would simply restore their data using their recovery solution.

Code42 can help organizations regain control post-breach.

In case you missed them, get the full Code42 Data Exposure Report blog series:

Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure–The Risks of Playing Data Hide-and-Seek

With cybersecurity threats continuing to evolve, even organizations wielding security tools and policies are at risk from a potential breach. In fact, 20 percent of security and IT leaders admit they do not have full visibility to where their data lives and moves—leaving their organizations with a data security blind spot.

According to the findings of our new Data Exposure Report, which surveyed nearly 1,700 security, business and IT leaders, 80 percent of CISOs agree that, “You cannot protect what you cannot see.”

It seems business leaders, on the other hand, are not always aware of the challenges security and IT leaders face to protect data. The overwhelming majority (82 percent) of business leaders believe IT can protect data they cannot see. This disconnect has major implications for data security, as business leaders often determine the budgets that security and IT need to do their jobs.


Data at risk

With the rise of flexible working practices and the ongoing digitization of information, the importance of data visibility and forensics across employee endpoints should not be underestimated. In modern enterprises, with data flowing freely in and out of the organization, traditional security perimeters are no longer enough to prevent breaches.

Without the right tools, endpoint data is particularly vulnerable. In fact, 86 percent of security and IT leaders believe saving files outside of company storage—for example on an employee laptop—puts their organization at risk. This is a significant concern considering that 73 percent of security and IT leaders believe that some company data only exists on endpoints. And this is critical data: Security leaders revealed that losing endpoint-only data could be business-destroying.

Data hide-and-seek

Keeping track of company data is not as straightforward as it may initially seem. Today, it goes beyond simply monitoring traditional sanctioned storage—even in the cloud.

While business leaders recognize that saving their data outside official storage causes unnecessary risk for their organization, they aren’t going to change their work habits. More than two-thirds (68 percent) of CEOs think there’s a risk to their company if they store data on devices such as laptops without keeping a copy in centralized storage—but they do it anyway.

Security must include recovery

Businesses need a safety net that will allow them to keep track of data stored on endpoints, regardless of employee behavior or communication breakdowns. To minimize risk to valuable IP, companies should have a security strategy that includes not only data recovery in the event of a breach, but also prevention tools to help prevent breaches from happening.

Coming up in the final post in this four-part series, we will explore why companies must shift their security strategy away from prevention-only to a prevention-and-recovery strategy that effectively deals with an increasingly unpredictable threat landscape. To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

In case you missed them, get parts one and two of Code42’s Data Exposure Report blog series.

Tips From the Trenches: Choosing a Security Orchestration Tool

Like most of our customers, we here at Code42 are constantly looking to enhance our efficiencies when it comes to security. As we use more technology in our environment, that means more log sources, more events and potentially more alerts. It also means we have more opportunities to gather information from disparate sources and put together a more complete picture of the events we do investigate.

Five ways security orchestration tools can help

To help simplify and automate those activities, we are turning towards security orchestration tools. There are many reasons to invest in an orchestration tool. But for us, the following five items are the most important:

  1. Case management: As our team has grown, delegating work and tracking who is working on what becomes increasingly important. An orchestration tool can ideally function as that single workspace for assigning, managing and closing tasks.
  2. Metrics: Closely related to the first item on our list, better management of workload can improve visibility into key metrics like SLAs, as well as make it easier to identify bottlenecks and improve efficiency in analyst workflows.
  3. Integration: We’re constantly testing and adding new security tools, so it’s critically important that an orchestration tool easily integrates with tools we not only are using now but also may add in the future. The less time we have to spend developing integrations, the more time we have for investigating anomalies.
  4. Automation: Of course, automation is the name of the game when it comes to an orchestration tool. Automation allows our team to dream up new ways to streamline data collection and enrichment. Automation also can find connections that we may miss when manually reviewing data.
  5. Value: Analyst time is always in short supply. When a tool does the first four things on this list well, it means our security team can spend less time on low-value work—and more time on important analysis tasks. The more a tool allows us to focus on analysis, the more value it brings to our team.

A page out of the Code42 security orchestration playbook

The right orchestration tool also will allow us to leverage our own Code42 application in exciting new ways. Here’s just one example from the Code42 orchestration playbook:

  • Step 1 – Automatically locate files: To determine the scope of an event and show us how many endpoints have a suspicious attachment, we can search for a specific MD5 hash using Code42 Forensic File Search.
  • Step 2 – Restore deleted files: In situations in which the original file has already been deleted, Code42 Backup + Restore allows us to automatically restore that file.
  • Step 3 – Investigate suspicious files: With all the suspicious files identified (and restored, if necessary), we can now conduct analysis via an orchestration tool—such as running it in a sandbox. Best of all, because we didn’t spend hours or days manually locating and restoring files, we can focus all our time on the critical analysis.

This really is just the tip of the iceberg when it comes to use cases for security orchestration tools—whether it’s leveraging Code42 functionality or any of our many other security tools. As we continue our investigation into security orchestration tools, we’ll share more useful integrations and some automation playbook ideas.

Stay tuned for more updates—and as always, happy threat hunting!


Is Your C-Suite Putting Your Data Security at Risk?

According to the results of our 2018 Data Exposure Report, the answer is likely “Yes.” Some of the most surprising insights revealed by the report, based on surveys of nearly 1,700 security, IT and business leaders, have to do with the impact of human emotions and behavior on data security—particularly across the C-suite.

CISOs and IT leaders probably won’t be surprised to learn that C-suite work habits don’t necessarily adhere to data security policies—and CEOs are among the worst offenders. Our report reveals that their risky behavior is due to old-fashioned work habits, convenience, good intentions and even a sense of ownership over the work.

Understanding the motivations behind problematic behavior is a good start toward adopting more effective data security strategies. But the real takeaway is this: strong policies are no match for human behavior. True data protection allows for the reality of human behavior by providing backup and restore capabilities as well as breach prevention.


Not practicing what they preach

The report reveals that 78 percent of CEOs believe that ideas, in the form of intellectual property (IP), are one of the most precious assets within their organizations. However, 93 percent of CEOs admit to keeping a copy of their work on a personal device, outside of officially sanctioned company storage. And the majority of security and IT leaders (86 percent) believe the extent to which employees save files outside of corporate storage poses a serious risk to the organization.

Despite knowing that it’s risky, and being charged with enforcing their own company’s policies, C-suiters continue to put precious company data at risk. What gives? According to the survey, an emotional connection to their work is one of the culprits.

The ownership dilemma

The survey finds that 65 percent of business leaders have a strong sense of ownership of their work. More than half (53 percent) say this is because they impart a bit of themselves into what they create.

This should be good, right? Not necessarily. Counterintuitive as it seems, the very employees who feel a sense of personal ownership over their work often engage in risky behavior patterns at the expense of corporate policy.

Nearly three-quarters of CEOs (72 percent) and 49 percent of business leaders admit to bringing IP with them from a previous employer—highlighting that the very people who should be the most responsible for protecting an organization’s most precious data are not playing by the rules.

Working methods and personal preference

Just over half of CEOs (59 percent) admit to downloading software knowing it may not be approved by IT. Seventy-seven percent of business leaders believe the IT team would consider this a risk, yet they do it anyway.

The risks from the C-suite don’t stop at losing data. Most of us have experienced that “uh-oh” moment when we’ve inadvertently clicked on an email link we shouldn’t have. Almost two-thirds of CEOs (63 percent) and exactly half of all business leaders have admitted to doing the same—either by accident or oversight.

No wonder 78 percent of CISOs believe that the biggest risk to organizations is people trying to do their jobs the way they want—in a way that is most effective for them—with a disregard for rules.

Recovery must be part of the solution

The results make clear that strong data policies are no match for the reality of human behavior. After all, if your senior leaders aren’t following the rules, how can you expect the broader employee base to follow your policies?

Data security strategies must therefore include recovery solutions in addition to breach prevention tactics. That’s because no matter how strong your security perimeter is, an employee can easily open the gate to data risk and cyber threats.

It’s better to have the ability to quickly and easily recover when that happens rather than hope everyone follows the rules—because the reality is that they aren’t.

Watch for the next blog post in our Data Exposure series. It will delve into the disconnect between business leaders and security/IT staff over how IT goes about its job protecting data. To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

In case you missed part one: Data Exposure Report: A Must-Read for Security Decision-Makers.




Data Exposure Report: A Must-Read for Security Decision-Makers

We’re thrilled to announce the release of our Data Exposure Report. It reveals some startling truths about how human behavior drives data security vulnerabilities, despite the billions companies spend on data loss prevention.

IT leaders and CISOs will find some of their suspicions validated by the findings, particularly that CEOs are among the worst offenders at violating data security policy. But many of the disconnects we found between current data security strategies and the reality of the threat landscape will be surprising and sobering:

  • Almost three-quarters (72 percent) of CEOs admit they’ve taken valuable intellectual property from a former employer. Yet 78 percent of CEOs agree that ideas, in the form of IP, are still the most precious asset in the enterprise.
  • As many as 80 percent of CISOs agree that “you cannot protect what you cannot see.” Business leaders, however, have a different perspective. Among business leaders, 82 percent believe that IT can somehow protect data they cannot see.
  • Among CISOs, 64 percent believe their company will have a breach in the next 12 months that will go public, which has led nearly 73 percent of CISOs to stockpile cryptocurrency to pay cybercriminals.

The report, based on surveys of nearly 1,700 security, IT and business leaders from the U.S., U.K. and Germany, provides a comprehensive view of attitudes toward data security in this age of rapidly evolving cyber threats. This is the first in a series of four blog posts. Each post will delve into one of these key areas:

  • Emotional drivers of employee behavior that can put a company’s data at risk.
  • The importance of data visibility for security to do its job of safeguarding company data.
  • How to recover from a data breach while maintaining continuity.

Potentially most valuable for IT and security leaders, this report provides insights on ways to build business continuity and resilience in the face of an increasingly complex threat landscape. The upshot: resilience comes from companies evolving their data security strategies to include recovery from data breaches as well as prevention of those breaches in the first place.


“The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy,” said Rob Westervelt, research director for the security products group at IDC. “To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats.”

Data is precious, but talk is cheap

The report reveals that, while most CEOs say their IP is one of their most valuable assets, they are the very people who put IP at risk through data practices they admittedly know are unsafe. Some key findings:

  • Among CEOs, 59 percent admit to downloading software without knowing whether it is approved by corporate security. The majority of business leaders (77 percent) believe their IT department would view this behavior as a security risk, but disregard the warning.
  • The majority of CEOs (93 percent) admit to keeping a copy of their work on a personal device, outside of officially sanctioned company storage. More than 68 percent of CEOs think there’s risk in keeping data solely outside of company storage, but they do so anyway.

So even though they know it’s risky—and they may have even lost work as a result of it—C-suiters continue to put their companies at risk by defying company policies and data security best practices.

The risks of playing data hide-and-seek

In this digital age, more flexible workplaces result in employees saving data on their endpoints, making it increasingly difficult for security departments to see data to protect it during a breach. Some key findings from the report:

  • Nearly three-quarters (73 percent) of security and IT leaders believe that some company data only exists on endpoints, such as desktops or laptops.
  • As many as 71 percent of security and IT leaders and 70 percent of business leaders believe that losing all corporate data held on the endpoint devices would be business-destroying or seriously disruptive.
  • In addition, 86 percent of security and IT leaders believe employees saving files outside of corporate storage poses a serious risk to the organization.

While clear and strong company policy about data security is critical, clearly it’s no match for the reality of human behavior. Companies must resign themselves to employees working and saving precious IP on their endpoints—not to mention engaging in other risky behavior that could result in a data loss incident.

Playing defense in an unpredictable threat landscape

In the evolving threat landscape, companies that experience a ransomware attack are increasingly faced with the untenable choice of paying off cybercriminals or losing precious data. Some key findings from the report:

  • Among CISOs, 61 percent say their company has been breached in the past 18 months.
  • The threat of cyberattack has led 73 percent to stockpile cryptocurrency to pay cybercriminals; of those, 79 percent have paid a ransom.

The most sobering part about these particular findings is the unnecessary use of resources to react to cyberthreats in this way. If a data loss event strikes, a comprehensive data security strategy that includes visibility provides companies with the ability to understand what happened and when. As a result, they are positioned to recover much faster.

An ounce of prevention no longer worth a pound of cure


Despite the disconnect between what they practice and what they preach, the report indicates that business leaders understand the need for a multi-pronged security approach in today’s complex threat landscape.

  • Three-quarters of CISOs (75 percent) and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention-and recovery-driven security.

To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

Read Part Two of our blog series on the Code42 Data Exposure Report, “Is Your C-Suite Putting Your Data Security at Risk,” to learn how emotional drivers contribute to poor data security habits among employees.

Zinpro Redefines Data Security for its Remote Workforce

Due to the evolving nature of cyber threats—including ransomware, cryptomining, inside actors and more—the definition of “data security” is shifting. Traditional data recovery, including backup and restore, is merging with security functionality to create more comprehensive data protection—the kind of protection companies need in a threat landscape where breaches happen even with the strongest security perimeters.

Luckily for organizations, there are strategies and tools out there to allow the kind of collaboration within IT and security that will reduce risk and save time and money. Nowhere is this more important than in managing the IT needs of a remote workforce. A great example of best practices around this is Zinpro Corp., which uses Code42’s Backup + Restore and Security Center solutions to protect the data of its global employee base.

Zinpro secures and recovers their data with Code42.

Remote backup for global workforce

For nearly half a century, Zinpro has pioneered research and development of organic trace minerals that improve animal wellness and performance. With a tight focus on trace mineral nutrition, the private, family-owned company attributes its steady growth to the high caliber of its products and its workforce.

It now operates in 11 countries and markets its products in more than 70 countries. Continuous growth of a largely remote workforce brought IT challenges, such as providing reliable backup and monitoring of the company’s employee base. That’s where Code42 comes in.

Zinpro started using Backup + Restore five years ago to protect and mitigate data loss across its global workforce. The Backup + Restore solution has saved the day for Zinpro’s IT department many times.

In one example, an employee working in Belgium took her laptop to the Apple store to diagnose an issue. In order to reinstall the operating system, an Apple employee wiped her hard drive, deleting all of her files.

The employee, who hadn’t backed up her files locally, asked Zinpro’s IT department if anything could be done. Because Zinpro had been using Code42, they were able to restore everything to her computer.

“Without the Code42 backup, she would have lost everything,” said Andrew Williams, Zinpro’s systems engineer and client device specialist. “We were able to use Code42 to restore everything.” Andrew was a finalist in Code42’s 2018 Evolutionary Awards in the Catalyst category.


Data visibility

Zinpro is also expanding its use of Code42 Security Center, merging the success of its Backup + Restore practices with the solution’s data monitoring capabilities. The new approach is already reaping benefits. Recently, when an employee left the company, Zinpro was unsure whether she had taken files with her.

Using Code42, Zinpro’s IT department was able to quickly check her computer to see if any files had been moved or transferred. “There was nothing to be worried about, everything was good to go,” said Williams. “Code42 helped put our minds at ease.”

As Zinpro has grown, it continues to add Code42 licenses for each employee. Williams, who is in charge of purchasing for the IT department, has had no trouble making the case for each employee to have a Code42 seat.

“Code42 has saved me many different times and it’s made my job 10 times easier,” said Williams.

Continuing its legacy of steady global growth, Zinpro has a bright future improving trace mineral nutrition for animals. And through its use of Code42 solutions, Zinpro’s IT department will be able to do its part in supporting the company’s employees and mission.

“Code42 is great,” says Williams. “Everyone at Code42 is easy to talk to. You can ask them anything. If they don’t know, they’ll find someone to get the answer for you.”

Finding Files in the Wild: From Months to Hours

Every day, your organization faces a variety of data security challenges. Many come from outside your organization, but a significant number also come from within. There are countless reasons why someone may take sensitive data from your organization, many of which are purely opportunistic. For example, what if a file with sensitive financial information is mistakenly emailed to an entire company? That may prove too tempting an opportunity for some. How can your organization respond when this happens? In this post, I’ll discuss how the response process often works today—and how it can be streamlined with Code42 Forensic File Search.

A true story

Here’s a true story of an IT team working through just such a challenge: At this organization, the HR team used Microsoft Excel for management of financial information such as bonus structures and payout schedules. By mistake, a member of the team sent an email containing an Excel file with compensation information for the entire staff to the whole company, instead of the select few who were supposed to receive it. Over 6,000 employees worldwide received the email.

Fortunately, the most sensitive information was contained on a hidden tab in the Excel file, and most employees never even opened the file. The IT team was able to recall the email, but the legal team needed to know who in the company had downloaded and opened it, in case the information within was ever used in a lawsuit. The IT and Security teams were tasked with finding every copy of the file in the organization.

A painful two-month process

While recalling the email cut the number of potential endpoints to search to around 1,000, the IT team still had to search all those devices—many of which belonged to individuals at the organization’s international offices. The IT team used a Windows file searching utility to crawl the user endpoints in question, searching for the name of the file. However, Outlook’s email client can scramble names of files, so the IT team also had to scan for any Excel file in the Temp folder of each machine, and open those files to visually confirm that it wasn’t the file in question.

Each scan would take between one and eight hours, depending on the size of the drive—and the scan could only be run when the target endpoint was online. If a laptop was closed during the scan, the process would have to be restarted. If a device was located in an international office, the IT team would have to work nights in order to run the scan during that office’s working hours.

The process was a tremendous hit to productivity. The IT team tasked fully half its staff with running the scans. Two of the organization’s five security team members were tasked with overseeing the process. Even the legal team’s productivity was affected. Since the IT team had to open every version of the file to verify the sensitive financial data within, the legal team had to draw up non-disclosure agreements for every person working on the project.

All told, the search for the mistakenly distributed financial file took the organization two months, and the IT team estimated that they had only recovered 80 percent of the instances of the file.


A better way: Code42 Forensic File Search

Fortunately, there is a better method for locating critical files in an organization. With Code42 Forensic File Search, administrators can search and investigate file activity and events across all endpoints in an organization in seconds. In the case of this Excel file, the IT team could have used Code42 Forensic File Search to search for the MD5 hash of the file. By searching for the MD5 instead of the file name, Code42 Forensic File Search would locate all instances of the file across all endpoints, including versions that had been renamed in the Temp folder or renamed to intentionally disguise the file. This single search would find all copies of the file, even on endpoints that are offline.

The feature video demonstrates Code42 Forensic File Search in action. The IT team member that shared this story is confident that it would have played out very differently with Code42 Forensic File Search. “Had we had Code42 Forensic File Search deployed, that project was probably done in a couple hours,” he said. “We would have cut two months to a couple hours.”

Tips From the Trenches: Automating File Scans and Alerts

Welcome to the first post of our Tips from the Trenches blog series. Authored by the Code42 security team, the series will explore some of the industry’s latest data security tools and tricks.

One of the best parts of working on the Code42 security operations team is that we’re facing (and solving) many of the exact same challenges as our customers. That means we get to share our experiences and trade tools, tips and tactics for what works—and what doesn’t. With that in mind, here are a few of the cool new ways we’re using search to identify hidden threats before they turn into big problems.

Better criteria for automated scanning and alerting

We’ve got a couple of tools set up to constantly scan our digital environments for risks. Recently, I created a new tool in Python that helps us go deeper with that scanning and alerting—searching via MD5 hash, hostname and filename, to name a few. This scriptable interface to the Code42 Forensic File Search API also allows for use of the full API by accepting raw JavaScript Object Notation (JSON) search payloads, meaning searches are only limited by the imagination of the user.


Identifying macro-enabled Office files—a common malware source

One sample JSON search payload in the repo searches for macro-enabled Office files in users’ Downloads directories, such as *.docm and *.xlsm files—some of the most common vectors for malware. With the new tool, an automatic search alerts us when new files arrive on endpoints, so we can take action—such as sending the MD5 hash to a service like VirusTotal to get a report, or even retrieving the file and sending it to a malware analysis sandbox if necessary.

Snuffing out WannaCry threats

We’ve done some early integration work to test combining Code42 Forensic File Search with a threat intel feed. This will allow us to search and detect malicious files based on MD5 hashes sourced from paid or open-source intel services.
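The two searches described above (macro-enabled Office files in Downloads directories, and MD5 matches against an intel feed) are sketched below as an added Python example. It is not code from the ffs-tools repo and does not call the Code42 API; the event fields, hostnames, paths and hashes are constructed for illustration.

```python
import hashlib
from pathlib import PureWindowsPath

# Macro-enabled Office extensions (.docm and .xlsm are the examples named above).
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

def md5_hex(data):
    """MD5 of a byte string, used here only to build constructed sample hashes."""
    return hashlib.md5(data).hexdigest()

def is_macro_file_in_downloads(path):
    # PureWindowsPath splits on both "\" and "/", so Windows and macOS paths work.
    p = PureWindowsPath(path)
    in_downloads = any(part.lower() == "downloads" for part in p.parts[:-1])
    return in_downloads and p.suffix.lower() in MACRO_EXTENSIONS

def triage(events, intel_md5s):
    """Return (macro_hits, intel_hits) for a list of file-event dicts."""
    # Feeds differ in case and whitespace, so normalise before comparing.
    intel = {h.strip().lower() for h in intel_md5s}
    macro_hits = [e for e in events if is_macro_file_in_downloads(e["path"])]
    intel_hits = [e for e in events if e["md5"].lower() in intel]
    return macro_hits, intel_hits

# Constructed sample events; the field names are hypothetical, not an API schema.
FLAGGED = md5_hex(b"constructed sample: flagged document")
EVENTS = [
    {"host": "ws-01", "md5": FLAGGED,
     "path": r"C:\Users\alice\Downloads\Invoice_0423.docm"},
    # Same content renamed in a Temp folder: a filename search would miss it.
    {"host": "ws-02", "md5": FLAGGED,
     "path": r"C:\Users\bob\AppData\Local\Temp\~tmp81F2.tmp"},
    {"host": "mac-03", "md5": md5_hex(b"constructed sample: budget"),
     "path": "/Users/carol/Downloads/budget.xlsm"},
    {"host": "ws-01", "md5": md5_hex(b"constructed sample: notes"),
     "path": r"C:\Users\alice\Documents\notes.docx"},
]
INTEL_MD5S = [" " + FLAGGED.upper() + "\n"]  # constructed feed entry

if __name__ == "__main__":
    macro_hits, intel_hits = triage(EVENTS, INTEL_MD5S)
    for e in macro_hits:
        print("macro-enabled file in Downloads:", e["host"], e["path"])
    for e in intel_hits:
        print("intel MD5 match:", e["host"], e["path"])
```

The intel match returns the renamed Temp copy on ws-02 along with the original download, while the macro search also surfaces budget.xlsm, which is not in the feed and would be the candidate for a hash lookup or sandbox run.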

Sharing new threat search tools and tactics

Like you, we’re dealing with new and evolving threats on a daily basis here on the Code42 Security Operations team. We’re constantly looking for new ways to use the tools we have to search and detect threats in smarter, better ways. All of the new search tools I mentioned above are available on our public GitHub site: https://github.com/code42/ffs-tools.

Live Q&A

Have questions about using Code42 Forensic File Search? Senior Product Manager Matthias Wollnik and I will be fielding questions live on Tuesday, July 24 from 10:30-11:30 am US Central time in the Code42 community.

Keep an eye out for more Tips from the Trenches coming soon—until then, happy threat hunting!

Data, Humans and the Cloud, Part 3: Facing Reality

Digital transformation is changing the face of business. All business. As part of this shift, many IT leaders have decided to use their cloud collaboration tools for data protection and recovery—tools like Google Drive, Microsoft OneDrive, Box and Dropbox. According to a 2017 Intel Security Study, 74 percent of businesses now store some sensitive information in the cloud. And according to a Code42 customer survey, 67 percent of companies have data in three or more cloud storage services.

While a cloud-focused future is clearly the goal, there is still a considerable amount of data being saved to the endpoint. In fact, Code42’s 2017 CTRL-Z Study revealed that IT decision makers believe that as much as 60 percent of corporate information lives on user laptops. Over the course of our three-part blog series, we explore the critical role human behavior plays in how data is stored and protected as your business moves to the cloud.

Part 3: The consequences of the digital transformation/human behavior disconnect

Tools like Google Drive, Microsoft OneDrive, Box and Dropbox definitely have a role to play in a digital transformation strategy. They are great for sharing files, improving workflows, simplifying collaboration for team projects and enabling productivity. However, businesses need to be aware of the challenges posed by relying on them to safeguard and protect company data.

While employees might use these tools to share a specific file, Code42’s 2017 CTRL-Z study found that not every file makes it to an officially sanctioned cloud platform. For example, employees may have files on endpoints that they never intend to share with coworkers; or they may create multiple versions of a file before they are ready to share or collaborate. The final version gets uploaded to the company cloud, but the previous five versions that only exist on the user’s endpoint may be no less valuable to the business. This is why exclusively using a cloud file sharing or collaboration tool for data protection and recovery leaves companies exposed to a variety of harmful business situations, including:

  • Data loss, when an employee deletes a shared file that collaborators can no longer access.
  • Theft, when data moves from laptop to thumb drive to personal cloud storage.
  • Breach, when malware or ransomware infects one laptop and propagates across a cloud system.
  • Non-compliance, should they lose track of where all regulated information resides.
  • Lost productivity, when collecting and preserving files for legal becomes manual.

Unpredictably human

As I mentioned in the first part of this series, employees are, at the end of the day, human. Humans tend to work in ways that make them feel the most productive and satisfied. You will always have employees who ignore policies that slow them down; this is true from your C-level executives all the way down to your most junior employees. And as I covered in the second part of this series, you’ll never have one policy that works for all of your employees, because there are four distinct types of users today when it comes to data storage.

In short, organizations need to recognize and accept that employees don’t create, share and store their work the way companies expect. Asking them to back up their files to cloud platforms is just as unrealistic as asking them to back up to file servers.

So, what can be done to overcome this gap between human behavior and your digital transformation? First, your organization needs to accept a few statements as true:

  • The files your employees create and store have value to the business.
  • The majority of employee files today still live on endpoints, despite what your policies may state.
  • Failing to protect every file from loss creates risks to productivity, security and compliance.

To ensure the best protection for your data, your security solution should not require intervention from users. If the solution requires action from employees to protect their files, you’ll wind up with critical data that’s unprotected. Your solution must cover all files on all endpoints and back up at regular intervals, so if a data loss incident does occur, the endpoint can be rolled back to a restore point before the event happened. The solution should offer separate archives for every user, so your organization’s data can’t be accessed if one user’s account is somehow breached. Finally, your solution should offer visibility into how the files in your organization move, whether they travel to removable media or to the cloud storage you’re using for collaboration. With data-level visibility, you can be sure every critical file in your organization is completely protected.

According to 451 Research, “60 percent of enterprises plan to shift IT off-premises by 2019, driven by digital transformation.” An important and sometimes overlooked consideration in making this shift is studying the workforce and how employees get work done. After all, employees are the ones creating the very ideas that are driving success in your organization. Are you using the right tools to make sure those ideas are being protected?

Data, Humans and the Cloud, Part 2: Four Types of Users

Read Part 1: Unexpected Behavior here.

Part 2: The four types of users in your organization and how they store data

From Part 1 of this blog series, the data is clear that most employees don’t work the way IT leaders expect, nor the way their policies may dictate. To add further clarity to this point, a recent Code42 study broke down work habits by common user types. We call them Adopters, Collaborators, Innovators and Travelers. There is a natural alignment between some roles, as illustrated below:

  • Adopters are typically found in finance, human resources or legal roles.
  • Collaborators are often found in marketing, IT and support roles.
  • Innovators are commonly found in research and development, and engineering roles.
  • Travelers are usually found in sales and executive roles.

While there are certainly many differences in the work habits of, for example, your marketing team and engineering team, for the purposes of this study we only examined how they store data in cloud storage services.

  • Adopters keep more than 75 percent of their files in cloud storage services.
  • Collaborators keep 50-75 percent of their files in cloud storage services.
  • Innovators keep 25-49 percent of their files in cloud storage services.
  • Travelers keep less than 25 percent of their files in cloud storage services.

Figure: Four types of users in your organization

You may think (or hope) that most of your employees are Adopters, but our research shows that they only make up 10 percent of users. Collaborators are a bit more common—they make up 20 percent of your users. Innovators are the most common, making up 40 percent of users. That leaves Travelers at 30 percent of users. In total, 70 percent of users have less than 50 percent of their data in your cloud storage services.

The power of knowledge

Your initial reaction to this data may be negative. After all, it’s natural to feel discouraged when you learn that employees aren’t following your data protection policies. The silver lining: By understanding the user types that make up a workforce and their work patterns, companies can set out on a digital transformation course that avoids unintentionally creating information risk inside their business.

In the final post in this series, I’ll discuss the consequences of the disconnect between digital transformation and human behavior—and what your organization can do about it.
