Don’t Poison Your Employee Experience With the Wrong Approach to Insider Threat

The year 2019 was a harsh reminder that as much as organizations try to downplay insider threats, they cannot be ignored or overlooked. Organizations like Capital One, McAfee (itself an insider threat solution) and even Apple can attest as they all found themselves on the wrong side of the headlines. Needless to say, as the year wrapped up, many 2020 predictions and resolutions included a better approach to insider threat.   

Forrester’s aptly titled report, “Don’t Poison Your Employee Experience With The Wrong Approach To Insider Threat” is timely! As much as we don’t want to admit the obvious, our colleagues are among the biggest threats to the data security of our organizations. But there’s a balance between understanding malicious and non-malicious intent. And with the CCPA and GDPR serving as backdrops to data privacy, security organizations have their work cut out in balancing the security and productivity of end users. No easy feat!

My Top 5 Takeaways on Forrester’s Latest Report on Insider Threat:

  1. Make your insider threat program fit within the overall security program. We know incident response processes have taken center stage in the security world. It’s all about decreasing time to detect and respond to threats. Insider threat needs to be a part of the overall incident process. Few organizations have well-defined incident response scenarios for insider threats, but that trend is changing fast.
  2. Don’t let security become a burden on employee productivity. Code42 has been saying this for quite some time and it’s worth repeating. Security is often confronted with a crossroads situation. Traditionally, the idea of prevention (otherwise known as Data Loss Prevention) has operated on the notion of blocking suspected users from carrying out their jobs. This approach is outdated and comes at the cost of collaboration. A new wave of solutions is paving the way for a security strategy rooted in protection, and one that embraces collaboration.
  3. The Collaboration Culture is a Security Culture. Gone are the days where security is a dreaded practice with productivity stalling implications. Today’s security culture is about embracing collaboration and why not? Ask any CEO what their top digital transformation initiatives are and they’re likely to put “better collaboration” near the top of the list.
  4. Technology and human intelligence fuel your insider threat program. Emerging insider threat programs are made up of people and technology. While many organizations have relied on technology to solve a very human problem, it’s clear that understanding user behavior patterns, what drives user actions and predicting users’ next moves are equally important. In the end, an insider threat program is all about speeding up time to respond to a threat. By combining technology and human intelligence, you are building yourself an all-encompassing program that covers multiple vectors.
  5. Code42 takes the focus off users and instead focuses on file behavior. And of course, I have to mention Code42 here. While many security solutions are solely focused on user behaviors and actions, our approach has been simply rooted in understanding the behavior of the file. And it’s very simple logic… In the end, the malicious end user is after your “data,” so understanding everything about that data is paramount. As I like to say, “don’t follow the employee, follow the data.” With data privacy becoming more important and organizations growing more mindful of being “big brother,” an approach rooted in data will only become more important and compelling.

2020 will undoubtedly be another breakthrough year for insider threat. There will be more headlines, innovative security solutions and smarter insiders. In the midst of this growing problem, it’s good to see Forrester remind us that building an effective insider threat program doesn’t have to come at the cost of killing your employee experience. An effective security strategy coupled with a productive workforce? I say bring on 2020.

Download the complimentary Forrester report here.

From Carelessness to Activism — Why Insiders Do What They Do

Whenever the subject of insider threat arises, the discussion gravitates toward the insider who has acted maliciously in some way. People often think of the executive or staffer who stole confidential information about an impending corporate transaction or intellectual property, such as source code, and intentionally exposed or sold it.

This is certainly understandable; after all, such stories permeate the press. Just a few weeks back in late January, Hershey sued one of its former executives for alleged theft of some of its most sensitive trade secrets and confidential business information before going to work for a direct competitor, while Coca-Cola learned of an alleged security breach when a former employee was found with a drive containing the personal information of about 8,000 people. There is also the case of the three former McAfee employees that the company alleges took confidential information to a competitor.

While incidents like these are all too common, they’re not the only types of insider risks that damage the data security at organizations. There are many other reasons, beyond financial gain, why insiders do what they do. In this post, we hope to highlight some of the other common causes behind insider risks, and what they mean for your security and insider threat program.

The careless insider

As our Data Exposure Report has shown, not all insiders intentionally act maliciously. Many insiders will inadvertently click on a link tucked within a phishing email and their endpoint will get infected. Or they will be careless with their notebook or removable drives and lose them. Drives that are, of course, unencrypted. This is perhaps one of the largest insider threat categories. And it’s not just front-line employees. According to our 2019 Data Exposure Report, 78% of CISOs and 65% of CEOs admitted that they’ve clicked on a link that they shouldn’t have.

People want to use the data as they wish

Not only do people want to use data as they wish, they actually view enterprise data as their data. According to our research, over 70% of information security and business decision-makers agreed that the data at work isn’t just corporate data, it’s their work and their ideas. This means there is great risk departing employees will take data with them when they leave for a new employer. Conversely, new staff are likely bringing work from their previous employer into their new companies.

People want to work the way they want to work

Not only do staffers and other insiders want to use data as they wish, they want to work exactly how they want to work. There’s a lot of this Shadow IT underway, especially when it comes to collaboration, cloud storage, and social media. Our research and experience with our customers show that insiders will, rather than use collaborative tools provided by the organization, turn to unauthorized collaborative tools, social media and personal email to share information. Not good.

Political motivations

People today are more politically motivated than at any other time in recent history, and they are more likely to act in accordance with their political beliefs. Whether it’s over environmental issues, party politics, or other social causes, if someone perceives the organization they work for to be on the wrong side of a social cause, it could very likely be a catalyst for someone to lash out at the company by stealing, destroying or exposing data.

The spurned staffer

Sometimes insiders will do something bad with a motivation other than financial, or at least the financial gain is secondary to extracting a reprisal of some sort. These types of insider threat actions can be triggered by resentment for being overlooked for a promotion, a raise that was perceived as inadequate, perceived poor project assignments, scorned office romance, and any number of other potential personal reasons. 

As you see, there are many different reasons and motivations behind insider threats. How should your enterprise protect itself from insider threats with such varying motivations?

Focus on the data, not the motivation

Fortunately, you don’t need a different plan for each motivation. At least not when it comes to protecting your data. What enterprises need is a data security policy that includes data security awareness training and technology to monitor data movements to avoid unwanted data exfiltration.

An effective data security policy will also detail who owns the data and the proper ways to access, use and store that data. It’s also important that staffers be continuously reminded of this policy through periodic security awareness training or login banners. Finally, you’re going to need technical controls in place that will enforce your data security protocols.

One thing we’ve certainly learned is that those technical controls that attempt to block data leaving the organization are not actually effective at stopping unwanted data exfiltration. In fact, by just being in place, these technologies often create a false sense of security. We’ve learned, instead, that capabilities to monitor and audit all data movement are much more effective.

It’s true that the motivations behind the insider threat are varied and the risks they pose are significant. After all, who knows better where the valuable data resides, why it’s valuable, and how to obtain it than those on the inside? Fortunately, to succeed at minimizing insider threat, you don’t need to focus on every motivation – you just need to focus on the data.

RSA Conference – The Busiest Security Week of the Year

The world will be talking security very soon – the RSA Conference is just around the corner.  From February 24 to 27, more than 40,000 information security practitioners, influencers and enthusiasts will descend on the Moscone Center in San Francisco for a week packed with presentations, product demos, breaking news stories and connecting with peers. 

Team Code42 will be in the North Hall of the Moscone Center ready to talk to security and IT teams about one of the biggest risks to their data – insider threats. If your challenge is to protect your data from walking out the door when your employees transition out or from careless users, schedule a technical demo now or drop in at our booth, N-6079. We take a new approach to insider threat detection, investigation and response and can protect your most valuable IP, product plans and customer lists without rigid policies and without blocking your employees from collaborating and sharing files. We cut through the noise and give you access to incredible detail about file movements with only a click or two. We’ll be at booth N-6079:

  • Feb. 24: 4:30-7 p.m.
  • Feb. 25: 10 a.m. to 6 p.m.
  • Feb. 26: 10 a.m. to 6 p.m. (Pub Crawl from 4-6 p.m.)
  • Feb. 27: 10 a.m. to 3 p.m.

If you don’t yet have an expo pass and are having some serious FOMO, we’ll get you in the door for free. Reach out now for a complimentary expo pass.

Code42’s CEO and SVP to Present Feb. 25

We are thrilled to share that CEO Joe Payne and SVP Vijay Ramanathan will co-present from the expo floor of the Moscone Center the afternoon of Feb. 25. Please join them to hear their insights about why insider threat is such a big, unsolved problem for today’s most progressive companies, and how companies can get a leg up on some of the biggest threats to their data.

The Insider Threat – You’re Flying Blind
Code42 President and CEO Joe Payne and Senior Vice President Vijay Ramanathan
When: Feb. 25: 4:20-4:50 p.m.
Where: Moscone Center North – North Briefing Center, booth N-6545
Session Description: Studies show that 90% of data loss that manifests from inside organizations goes undetected. What’s worse, nearly 70% of organizations that were breached from the inside had a data loss prevention solution in place. The brutal truth – prevention solutions are not effective at stopping insider threats. Attend this session to learn from Code42 senior executives about how data risk detection and response ensures you and your organization are not blindsided.

Code42 Customer Theater Presentations Feb. 25 and Feb. 26 

This year we are really excited to welcome three of our customers to speak in our booth, N-6079, during RSAC 2020. Security practitioners from BAYADA Home Health Care, CrowdStrike and Exabeam will share the strategies they’ve used in their successful insider threat programs.

Look Closer: Your Files are Leaving During Employee Departures
Speaker: Andrew Jarrett, Senior Manager, Desktop Equipment Services, BAYADA Home Health Care
When: Feb. 25: 11 a.m. to 12 p.m. | Feb. 26: 11 a.m. to 12 p.m.
Where: Code42 booth N-6079
Session Description: Sixty-three percent of employees brought data with them from their previous employer (Code42 Data Exposure Report 2019). The flip side of this is that employees are taking data with them when they quit, and most organizations do not have the processes or tools in place to detect, investigate or respond when data is put at risk by a departing employee. BAYADA Home Health Care recognized this risk, and took action to mitigate it by defining an internal departing employee process built around the use of Code42’s insider threat solution.

Insider Threat: The Risk your SOC Won’t Catch
Speaker: Ryan Bonfadini, Incident Response Analyst, CrowdStrike 
When: Feb. 25: 1-2 p.m. | Feb. 26: 1-2 p.m.
Where: Code42 booth N-6079
Session Description: Don’t let your insider threat program be stuck in the past (or be nonexistent). Learn how to modernize your insider threat program and prepare for next generation attacks. During this session, Ryan Bonfadini will share his expertise gained over the past seven years where he has established and matured insider threat programs at CrowdStrike and Symantec.

Data Security in the Age of Collaboration 
Speaker: Alex Koshlich, IT InfoSec Manager, Exabeam
When: Feb. 25: 2-3 p.m.  | Feb. 26: 2-3 p.m.
Where: Code42 booth N-6079
Session Description: For many companies, the accelerated pace of their growth doubles as one of their greatest security risks. To maintain security while fostering growth, Exabeam allows employees to use whatever tools are necessary to get the job done, as long as security can maintain visibility into those tools. To accomplish this, Exabeam relies on Code42’s solution to see how files are moving across their endpoints and cloud applications. 

After Hours Security Party

Join Code42 for an exclusive, invite-only event at the Minna Gallery with fellow RSAC attendees! Enjoy complimentary drinks, live entertainment and heavy appetizers. Space is limited, so RSVP now.

When: Feb. 25: 7-10 p.m.
Where: 111 Minna Gallery, 111 Minna St., San Francisco, CA 94105

From the Desk of a CISO: The Five Core 2020 Cybersecurity Resolutions

Over the recent years, cybersecurity, and certainly the role of the CISO, have evolved – in many ways, for the better. Thanks in large part to the rapid digitization of business, the explosion of data and data sharing across the enterprise, and the move to cloud security and mobile, the nature of information security has to change. And it has to change quickly.

At Code42, as we work to provide an insider threat detection, investigation and response solution to organizations that need to securely share data and collaborate to succeed at their work, we find ourselves in the center of it all. As 2020 is taking off, it’s a perfect time for security teams to reflect on what areas they can improve on when it comes to providing the most effective security to their organizations. As I’ve considered the state of enterprise security over the past few weeks, I’ve developed my list of 2020 resolutions. To be sure, some organizations, including Code42, are doing these things already. Yet there’s always room for improvement – and in security, we all need to work together toward the constant goal of improvement. 

Here are the areas that are especially important for businesses to focus on throughout 2020 and, as necessary, resolve themselves to improve.

Make sure security is a business driver

With the increased competitiveness of today’s business environment and the drive to digital transformation, cybersecurity can no longer be viewed as a reason not to move a business forward. The 2019 Harvey Nash / KPMG CIO Survey found that 44% of CIOs and technology leaders expect significant changes to come to their products, service offerings, or even their business model in the next few years. Security teams need to support, not hinder, this business change.

One way security teams can improve is to better understand and appreciate how their company drives revenue and ensure they are making smart decisions to support its specific business model. What does this mean in practice? Consider how a manufacturer will have a different risk posture than a healthcare provider and how a healthcare provider’s risk posture will also be quite different from that of a trucking company or software provider. It’s important that security professionals think of themselves not just as security professionals, but as risk managers that help direct and inform the business on taking on the risks that allow the company to meet their overall goals. 

At Code42, our focus is on helping to secure this faster world of collaboration, which fundamentally enables security to be at the cornerstone of driving the business forward. We believe in supporting all forms of collaboration and innovation. We also believe that collaboration needs to be secure.

Embed security throughout the business

In many organizations, it’s still common for new applications, services and business decisions to be made without the security team being part of the decision-making process. Unfortunately, when security is brought in at the eleventh hour and finds a number of risks that must be resolved, it causes considerable re-work, increases costs to remediate and unacceptably slows down the business.

Further, the more rapidly businesses digitize, the more aggressively they add new product features, change business models and enter new markets and geographies (which come with their own geopolitical risks). As such, security leadership needs to be a part of discussions around planning and implementation from the beginning.

Having security embedded early saves time, costs and lots of headaches. To do this requires that security is built into the development and business decision-making process. In practice, this means that security engineers are integrated into the software lifecycle process – helping to write code, fix vulnerabilities, or address developers’ needs with consistent security solutions. (I advocated for security to be ingrained in these types of activities in a recent blog.) Or it means that your security org helps to vet a product or solution before it’s acquired. Or it means that the board asks the CISO for a security risk analysis before entering new geographies and business segments.

To stay competitive, however, it’s just not enough to make sure security is part of the process – security needs to be as effective and efficient as possible. Which brings us to our next resolution.

Automate all of the things

Security teams not only need to be involved early on to identify risks, they need to be enabled to fix those risks themselves through integration and automation. Automating security means mundane tasks can be handled without human interaction, freeing up security engineers for more important, strategic, value-added work.

Automating security tasks in the development workflow not only saves time and enables speed and scale, but it’s also critical for solving key issues faced by security professionals. Automation can help ease the security talent gap, alleviate alert fatigue, speed up time to incident resolution and reduce errors.

We are always working to improve our processes in areas that can be automated, including software testing, vulnerability management, malware incident response, and more. Any mundane task is a candidate for automation. For instance, when vulnerabilities are identified from an automated scan, it’s sometimes possible to patch automatically; other times, automation can gather all of the necessary context and package it for admins so they can get to work instantly.

If there’s a malware alert, automatically grab the necessary context from a source such as VirusTotal and, when necessary, possibly quarantine the infection. If a remedy cannot be automated, gather the associated content so analysts can quickly make a decision and respond.
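The malware-alert flow described above, sketched as an added example (not code from the original post or from Code42): enrich the alert with file reputation, quarantine only on strong signal, and otherwise hand the analyst a packaged context. The reports are constructed data laid out like a VirusTotal v3 file report; the thresholds, host names, hashes and function names are assumptions.

```python
AUTO_QUARANTINE_MIN_ENGINES = 10        # assumed policy: detections needed to act unattended
NO_AUTO_ACTION_HOSTS = {"db-prod-01"}   # assumed: hosts where a human must decide

# Constructed placeholder hashes, not real indicators.
HASH_KNOWN_BAD = "a" * 64
HASH_LOW_SIGNAL = "b" * 64
HASH_UNKNOWN = "c" * 64

# Constructed reports shaped like a VirusTotal v3 file report.
CONSTRUCTED_REPORTS = {
    HASH_KNOWN_BAD: {"data": {"attributes": {
        "meaningful_name": "invoice_viewer.exe",
        "last_analysis_stats": {"malicious": 48, "suspicious": 2,
                                "undetected": 20, "harmless": 0}}}},
    HASH_LOW_SIGNAL: {"data": {"attributes": {
        "meaningful_name": "build-helper.exe",
        "last_analysis_stats": {"malicious": 1, "suspicious": 0,
                                "undetected": 65, "harmless": 4}}}},
}


def constructed_lookup(sha256):
    """Stand-in for a reputation query; returns None when the hash is unknown."""
    return CONSTRUCTED_REPORTS.get(sha256)


def _escalate(context, reason):
    """Package everything gathered so far for an analyst decision."""
    return {"action": "escalate", "reason": reason, "context": context}


def triage(alert, lookup=constructed_lookup):
    """Decide between automatic quarantine and analyst escalation for one alert."""
    context = {key: alert[key] for key in ("host", "user", "path", "sha256")}
    try:
        report = lookup(alert["sha256"])
    except Exception as exc:  # enrichment outage must not drop the alert
        return _escalate(context, f"enrichment failed: {exc}")
    if report is None:
        return _escalate(context, "hash unknown to reputation source")

    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    context["file_name_seen"] = attrs.get("meaningful_name")
    context["engines_malicious"] = stats["malicious"]
    context["engines_total"] = sum(stats.values())

    if stats["malicious"] < AUTO_QUARANTINE_MIN_ENGINES:
        return _escalate(context, "detections below auto-quarantine threshold")
    if alert["host"] in NO_AUTO_ACTION_HOSTS:
        return _escalate(context, "host excluded from automatic action")
    return {"action": "quarantine",
            "reason": "detections at or above auto-quarantine threshold",
            "context": context}


if __name__ == "__main__":
    sample = {"host": "laptop-117", "user": "akim",
              "path": "C:/Users/akim/Downloads/invoice_viewer.exe",
              "sha256": HASH_KNOWN_BAD}
    print(triage(sample))
```
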

The move to DevOps helps with security automation. Some call this DevSecOps. It doesn’t matter what you call it; what does matter is that security processes are an automated part of the development lifecycle. It matters that the security person is part of the cycle.

Focus on the human side of security

For years, we have focused on external actors and perimeter defense. We now need to shift the focus to include internal threats. We know that insiders have a considerable impact on an organization’s security. Yet, many organizations expend too much focus on external threats and not enough on internal threats. It’s time organizations appropriately reallocate their focus.

How do insiders create risk? Let me count the ways… For one, some users sidestep company-provided file sharing and collaboration tools for tools of their own choice. This creates risk. Our 2019 Data Exposure Report found that 31% of business decision-makers use social media platforms, e.g., Twitter, Facebook, LinkedIn, to share company data, while 37% use WhatsApp and 43% use personal email to send files and collaborate with their colleagues. Another way? Seventy-eight percent of CISOs and 65% of CEOs admit to clicking on a link they should not have. This shows that it’s not just staff, but also senior leaders that can make poor data security decisions. Have you ever emailed or shared a document with the wrong person? It’s not difficult to do. Though unintentional, the end result is still a risk to data.

Ultimately, enterprises can put protections and controls in place at every turn. Still, it only takes one internal user to abuse their access in a nefarious or careless way to cause a data breach.

Organizations need to dedicate more time to identifying insider threats, deciding what monitoring to put in place and optimizing how they detect and respond when events occur. Importantly, we have to do this without losing sight of our main focus to enable the business to collaborate securely.

Build a culture of security

No program or software solution will prevent all data from being at risk of exfiltration. It’s the security team’s job to educate employees on security risks and help foster an appropriate security culture.

What does it mean to build a good security culture? Consider security culture to be how those working within the organization act when it comes to data security. When there is a healthy security culture, everyone thinks before they click on links, for instance. If they have security questions, they’ll feel free to reach out to the security organization for answers. When they want to use a new product or service, or work in a new way, they will ask security about the risks. This is what good security culture looks like in practice.

Good security culture is actually a pillar of an effective insider threat program. Consider how many people in your organization would “say something if they see something,” to take a line from homeland security. Most staff, if they see a peer sharing a document out of policy or in an unsecure way, won’t say anything at all. It’s because people aren’t taught how to say something or help co-workers do the right thing. An effective security culture helps change that for the better.

While every organization is different, some organizations may be further along with these resolutions than others. However, with the rising insider threat and the increased pace of digital transformation, all organizations will benefit by making sure they are on track to continuously improve themselves.

3 Steps to Building a Successful Insider Threat Program in the Age of Data Privacy

Data privacy laws are picking up steam – think the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) – and there is a lot of concern about what security and privacy teams can and should do to enforce policies that protect the business. From a data privacy standpoint, consumers – and employees for that matter – historically have been largely left in the dark about what personal information a business may have about them and how that information is being used, stored and shared. With GDPR and CCPA, consumers and employees now are more emboldened to ask questions and provide direction on how their data is used.

In this new world with data privacy top of mind, corporate insider threat programs are especially under the microscope – and they’re getting an (undeserved) bad rap. There is a misconception that insider threat programs impinge on personal data privacy rules. As a result, some employees have very strong reactions against insider threat programs. To that end, many security teams end up having conversations around insider threat that end with comments such as, “I don’t want to be Big Brother!” or “Having a program implies I don’t trust my fellow co-workers.”

The reality is that data drives businesses and data is leaving companies every day (read more on this topic in our 2019 Data Exposure Report). Even though data loss by employees can take different forms, it’s important to take them all seriously. Sometimes employees take data accidentally. Other times, they take it intentionally without realizing the harm their actions could cause. Still other times, employees take data maliciously. Regardless of intent, the damages of data loss are real and it’s important we consider these risks to our businesses.

Insider threat programs are necessary and very effective in protecting corporate IP.  To run an insider threat program while keeping employee privacy concerns in check, consider these three important steps:

Decide what you need to monitor

What does insider threat mean to you? I like to use a simple definition that removes intent and focuses on impact: insider threat is any type of threat to an organization’s security posture from within. Focus on the systems that manage your sensitive information, the departments that are more likely to handle sensitive information, or on the workflows that increase the probability that information is leaving the company (think departing employees, mergers & acquisitions, etc.).

Build out a program around it

Once you’ve defined what matters, build out an insider threat program around it. Programs are typically built out in one of three ways (though often a combination of these):

  • Logging and alerting: If you defined sensitive systems as the focus, this is often a natural way to build out your program. Make sure you are capturing all relevant logging  activities (this is sometimes tricky with SaaS applications) and set up alerts for activity that may be deemed more risky.
  • Special tools: You may decide there are additional tools you want to implement in order to monitor and manage your insider threat program. Depending on the technology implemented, you may get additional alerts, risk ranking, or integrated workflows to help guide your set up.
  • Defined processes: As much as we’d like to think technology can solve all of our problems, sometimes the best program starts with a manual process. This could include an onboarding or offboarding checklist, a periodic audit of privileged user activity and employee training.
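One way to implement the logging-and-alerting option for the departing-employee workflow mentioned above, as an added example that is not from the original post or from Code42's product: it scores file movements to unsanctioned destinations and groups them per user and day, so an analyst receives context instead of the user being blocked. The event fields, destination names, weights, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

TRUSTED_DESTINATIONS = {"corp-sharepoint", "corp-gdrive"}   # assumed sanctioned tools
SENSITIVE_CATEGORIES = {"source_code", "customer_list", "product_plans"}
DEPARTURE_WINDOW = timedelta(days=30)   # assumed look-back before a last working day
ALERT_THRESHOLD = 5                     # assumed score at which an analyst is notified

# Constructed offboarding feed (e.g. from HR): user -> last working day.
DEPARTING = {"bchen": date(2020, 2, 14)}

# Constructed file-movement events; the schema is hypothetical.
EVENTS = [
    {"ts": "2020-02-03T09:12:00", "user": "akim", "file": "roadmap.pptx",
     "category": "product_plans", "bytes": 4_200_000, "dest": "corp-sharepoint"},
    {"ts": "2020-02-03T10:40:00", "user": "akim", "file": "lunch-menu.pdf",
     "category": "general", "bytes": 90_000, "dest": "personal-email"},
    {"ts": "2020-02-10T22:05:00", "user": "bchen", "file": "customers-q1.xlsx",
     "category": "customer_list", "bytes": 1_800_000, "dest": "usb-drive"},
    {"ts": "2020-02-10T22:07:00", "user": "bchen", "file": "billing-service.zip",
     "category": "source_code", "bytes": 52_000_000, "dest": "personal-dropbox"},
    {"ts": "2020-02-11T08:30:00", "user": "dlopez", "file": "pricing-model.xlsx",
     "category": "product_plans", "bytes": 600_000, "dest": "whatsapp"},
]


def score_event(event, departing=DEPARTING):
    """Return (score, reasons) for one event; a score of 0 means nothing to review."""
    if event["dest"] in TRUSTED_DESTINATIONS:
        return 0, []
    score, reasons = 1, [f"untrusted destination {event['dest']}"]
    if event["category"] in SENSITIVE_CATEGORIES:
        score += 2
        reasons.append(f"sensitive category {event['category']}")
    last_day = departing.get(event["user"])
    moved_on = datetime.fromisoformat(event["ts"]).date()
    if last_day and last_day - DEPARTURE_WINDOW <= moved_on <= last_day:
        score += 2
        reasons.append(f"user departs {last_day.isoformat()}")
    return score, reasons


def build_alerts(events, threshold=ALERT_THRESHOLD):
    """Group scored events per user and day and attach the context an analyst needs."""
    buckets = defaultdict(lambda: {"score": 0, "bytes": 0, "files": [], "reasons": set()})
    for event in events:
        score, reasons = score_event(event)
        if score == 0:
            continue
        bucket = buckets[(event["user"], event["ts"][:10])]
        bucket["score"] += score
        bucket["bytes"] += event["bytes"]
        bucket["files"].append(event["file"])
        bucket["reasons"].update(reasons)

    alerts = []
    for (user, day), bucket in sorted(buckets.items()):
        alerts.append({
            "user": user,
            "day": day,
            "score": bucket["score"],
            "bytes": bucket["bytes"],
            "files": bucket["files"],
            "reasons": sorted(bucket["reasons"]),
            # Below the threshold the activity is kept for periodic review, not paged.
            "severity": "alert" if bucket["score"] >= threshold else "review",
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(EVENTS):
        print(alert["severity"], alert["user"], alert["day"],
              alert["score"], alert["files"], alert["reasons"])
```
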

As with all things security, remember that there is very little “black and white.” Build your program to allow for additional context, account for the potential of human error, and incorporate other stakeholders (legal, human resources, managers, etc.) into the program to ensure you are addressing risk appropriately.

If you are looking for additional guidance on the mechanics of building or maturing an insider threat program, here are a couple of great resources to check out:

Tell your employees

Finally, no matter how you decide to build out your program, let your employees know what you are doing. Be very clear with employees about what information your program is collecting and monitoring, and how the information is being used. I often see this in the form of a log-in banner, an employee privacy statement or policy, or as part of security awareness training. Also, have a feedback process for people to reach out to you for more information.

My best advice when deciding what information to share is to put yourself in the shoes of an employee. What would you want to know, and would you find the data monitoring to be reasonable? At the end of the day, while you may be the owner of your organization’s insider threat program, you are also likely the subject of someone else’s.

From the Desk of a CISO – Leadership Lessons

Quite a bit has changed in information security since I began my career more than a decade ago. 

Talk of cloud being the primary enterprise development platform was based on complete speculation. Mobile computing had yet to hit full stride. Software as a service (SaaS) was in its infancy. Since then, we have seen the rise of the nation-state attacker, extensive malware attacks, highly-publicized insider threat cases, exponential growth of data due to the declining costs of storage and considerable digital transformation investments. As all of these trends evolved and took hold, the nature of information security also changed.

Throughout all of these changes, I have worked in information security; previously, at a national retail enterprise and, more recently, as a CISO here at Code42. Over the years, I’ve learned a few important lessons about how to be successful in information security that I’d like to share here.

Lesson 1 – Be Part of the Solution

Too often security teams do a great job at identifying and pointing out risks and then handing them off to others to solve. In their earnest desire to eliminate those risks, they forget how important it is to understand how people go about getting their work done. So, rather than try to help others deliver their work or projects in a secure way, they identify risks and throw them over the fence for other teams to fix. That has to stop. We need to create partnerships, build empathy and become part of the solution. Building empathy helps us understand how others deliver work and the struggles they might go through to get their jobs done.

Because we are developing software at Code42, our top risks lie in the software development cycle. That’s why my team works very closely with our developers to help identify and address security gaps. To build greater empathy, I have challenged my team to learn the basics of a coding language. This has helped us gain a fuller understanding of the challenges developers face every day and, more importantly, how we need to work with them to be part of the solution.

Lesson 2 – Balance Risk

In security, it is less about eliminating risks and more about balancing risks. Think of a retail floor. Sure, everything on a shelf that isn’t locked down is at risk of being stolen. But if you lock everything up behind glass, your sales are going to plummet. At the end of the day, you are in the business of selling goods, which is why retailers don’t lock up everything. It’s the same with all business risks. You have to balance the business benefit with the business risk and put reasonable risk mitigations in place. For a retailer, this could be cameras, security guards, and/or only locking down items with a high risk of theft.

As security leaders, we don’t want to place overly aggressive security controls on everything. We are trying to tune the right level of security for the organization. You have to balance what the board, CEO and customers want and, at the same time, match the culture of the organization.

In a lot of cases, security leaders push forward with their own security risk posture ideals versus trying to truly understand the acceptable risk posture of the organization.

Lesson 3 – Build a Strong Team

While a bit more obvious, I can’t stress enough the importance of building and retaining a strong team. The team here at Code42 is close-knit. I have worked with many of these people for more than a decade. It’s hard to place a value on that. It’s a lot like professional athletes who know the moves their teammates are going to make before they do. That makes it possible to build a well-tuned, committed and effective team, not to mention retain talent in a talent-deficit industry. When you have a team you trust, it makes security much more effective and laser focused on the overall mission of the organization. I am thankful to be a part of such a strong, dedicated team that trusts one another and has a high degree of respect for one another. 

Lesson 4 – Transparency Trumps

To be effective in this industry, security professionals need to be transparent. In some cases, security teams still operate like the man behind the curtain: No one knows what magic they are operating, and budget is gained by claiming that the sky is falling. But with today’s skepticism, seeing is believing. That’s why it’s so important to demonstrate how risks could be exploited. I recommend having your red team perform an exercise to determine exactly how easily a risk may be exploited, and share the results with other decision makers.

In the same vein of transparency, it’s important to explain risks as they really are. Many security professionals will overhype a risk in an attempt to get attention or budget for a project. That tack may work in the short-term, but it will diminish trust in the long run.

As a security team, we are 100% transparent on the risks we see and the areas where we are digging deeper. This way, when a threat or new risk arises, we have a tremendous amount of trust and support to mitigate the risk. 

Lesson 5 – Provide Value, Don’t Fear Failure

Finally, being a CISO, or data security professional in general, is a stressful job. There is a lot of discussion around stress in the information security profession and how, as a result, the average tenure for CISOs is about two years or less. CISOs must balance the stress by focusing on the good, which is the value they’re providing to their business. At Code42, we strive for a blameless culture – one where we learn lessons rather than fear failure. This type of a culture helps contextualize stress. 

In my job, I want to feel challenged throughout the workday. I’m energized and get a lot of joy knowing that we are providing value and actually helping our company and customers address their security risks. We are working for a company that helps all of our customers deliver on security with the software we develop. For a security professional, it doesn’t get more exciting than that.

2020: The Cybersecurity Year Ahead

Security never stops. As 2019 comes to an end, security professionals are looking to what is in store for the year ahead. To get some answers, we reached out to Code42 leadership and security experts to get a sense of their cybersecurity expectations for the coming year.

While they expect plenty of tough challenges when it comes to protecting data, there is some good news in the mix. The team anticipates that enterprises will take steps toward formalizing (and automating) their security programs where gaps exist.

Here’s what the Code42 team had to say:

Insider threat programs grow more prevalent

Relentless reports of new, high-profile insider breaches will push many more businesses to finally take insider threat seriously enough to formalize programs and allocate a larger budget dedicated to protecting their intellectual property. This year, at least half of data breaches involved an insider, but in 2020, that figure could exceed 60%.

When it comes to insider threat, companies will begin to lean into new technologies designed distinctly for protecting from insider threats, and they’ll stop shoehorning outdated, ineffective technologies that were never really intended to mitigate insider risks to begin with. Finally, more than 20% of organizations will begin actively measuring what departing employees take from their organization.
Joe Payne, president and CEO at Code42

The role of security will increasingly integrate within IT

With the continued cybersecurity talent gap, along with increased regulatory demands and security threats, security and IT will have to work more closely together. What I mean by this is traditional IT will be expected to take on security responsibilities, while security roles will evolve to become more hands-on and step into actual problem-solving rather than problem-identification mode. 

Security has always been positioned to cover confidentiality, integrity and availability – the well-known security CIA triad. While IT has traditionally been focused on availability, it’s increasingly recognized that data integrity and confidentiality need to be a part of the broader IT strategy. There has always been an opportunity for a natural fit between IT and security, and 2020 will prove to be the year that we recognize the similarities and start to benefit from the combined focus from these two disciplines.
Jadee Hanson, CISO and VP of Information Systems, Code42

Collaborative tools get security department green light

Progressive organizations thrive on collaboration. After all, we are in the midst of a massive culture change that centers on employees’ ability to share ideas, move faster, and collaborate. CEOs are requiring that their employees use Slack, Chatter, Box, and OneDrive to work together to be more productive. However, at the same time, CISOs have been busily blocking collaboration by using legacy prevention technology. In 2020, progressive CISOs will stop blocking and will start focusing on enabling collaboration by adopting new approaches that better address insider risk.
Joe Payne, president and CEO at Code42

DevOps teams embrace security

Organizations have adopted DevOps, but security hasn’t always kept pace. As DevOps grows, so does the desire (and the need) for security to become embedded within these teams. In the next year, organizations will increasingly seek ways to build the skills, tools, and knowledge they need to build security directly into DevOps teams.
Michelle Killian, director, information security, Code42

The security talent shortage continues

By nearly all estimates, the industry is millions of cybersecurity jobs short of what’s needed to adequately secure enterprise data. This shortage will push security teams to automate as much as they can to stretch their capabilities. Hopefully, teams will focus on optimizing the basics because it remains true that the vast majority of breaches could have been prevented if security 101 practices were followed. Areas that will be automated include manual operations tasks, application security testing, data monitoring, and more.
Todd Thorsen, senior manager information security, risk management and compliance, Code42

Security ‘solutions’ continue to grow in complexity

The complexity of security vendor solutions remains too high in cybersecurity. Many vendors continue to proudly talk about how sophisticated their products are and how they can solve complex problems. The problem is: using these security tools themselves is an overly complex and unwieldy process. At the same time, the security industry struggles with a serious shortage of skilled cybersecurity personnel. Something has to give.

In 2020, we will see security vendors focus on providing both signal and simplicity. To align with the realities of personnel shortage, solutions will surface highly actionable information and present it in easy-to-use, accessible ways so that security teams can act quickly without being embroiled in endless investigations.
Joe Payne, president and CEO at Code42

Move from reactive to proactive security

Companies are so busy reacting to incidents and putting out fires that they are missing opportunities to proactively reduce risk. One area is how staff and others will continue to be a highly exploited threat vector, yet companies will continue to trail behind mitigating their human risks. One thing is for sure: training alone is not going to work, as companies need to create security-minded cultures in their workplaces.
Chrysa Freeman, program manager, security awareness, training and culture, Code42

Expect a major breach within a federal agency

A federal agency will experience a large-scale data breach at the hands of an insider. This will highlight the growing insider threat blind spot for all large organizations.

Also, foreign hackers and the election take center stage. There will be proposed federal regulations requiring encryption back-doors and FCC regulation of social media in advance of the elections. As the elections approach, there will be reports of hacks and vulnerabilities, many with grand claims. All of these claims will be unsubstantiated, viciously spun, yet cause no direct or measurable harm. But they will create enough doubt and disruption to further the nation’s political divide.
Andrew Moravec, principal security architect, Code42

The return of ransomware

It used to be that cryptojacking—using someone else’s computing to mine cryptocurrency—was a relatively easy path to profit. But as the price of bitcoin continues to fluctuate wildly, those profits are no longer such a sure thing. As a result, adversaries will shift their attacks to optimize their efforts. Once their malware is deployed onto endpoints, they may decide ransomware is the way to go, which would very well lead to a resurgence in ransomware attacks.
Jeff Holschuh, senior manager of identity, Code42

A renewed focus on data privacy

The CCPA (California Consumer Privacy Act) goes into effect at the beginning of 2020. The act will have a substantial impact on companies that don’t yet have mature data security and privacy programs in place. As enforcement actions are brought under this new law, companies will scramble to ensure they are meeting all of the law’s requirements.

Essentially, CCPA focuses on data collection rules, breach disclosure, and the selling of consumer personal data. Expect not only CCPA-driven lawsuits and fines, but also a nationwide rush by companies to ensure they can comply.
Nathan Hunstad, principal security engineer and researcher, Code42

Building an Insider Threat Program Without Becoming Big Brother

I don’t believe that there’s an enterprise in existence that wouldn’t benefit from an insider threat program. Nearly every enterprise will experience repeated data theft and confidential data exposure as a direct result of the accidental or deliberate actions of one of their trusted insiders. I know that’s not easy to hear, but it’s true.

Consider a survey conducted by Osterman Research. The survey found that 69% of respondents experienced significant data or knowledge loss as a result of employees taking information with them when they left, as Andy Patrizio wrote in his CIO story, Sensitive data often follows former employees out the door.

Despite how pervasive and serious the risks posed by insider threat are today, few organizations have an insider threat program in place, and fewer still have an effective insider threat program.

There are a number of reasons insider threat programs aren’t very common. The first is that getting started in building an insider threat program can be overwhelming – even though it doesn’t have to be. Some of these challenges are technical, such as the failings of traditional data leak prevention products. Other challenges are cultural; for instance, many organizations fear that their insider threat program could turn into a Big Brother level of oversight.

However, when done right, an insider threat program doesn’t have to become Big Brother. In fact, it doesn’t have to become overbearing or negatively affect culture. In this post, I share the key insights I’ve learned that will help any organization get started with an effective insider threat program that won’t turn into Big Brother.

Earn the support of your executives

It’s true of any data security program, but especially for an insider threat program: to succeed, you need to have the support of business leadership. It will be your organizational leadership that ensures the program gets the continuous funding it needs as well as the political backing to overcome any speed bumps that arise.

Obtaining that support is best achieved by articulating to executive leadership the real-world risks to the organization so that they understand the threats and how important it is to fund and support such an effort. This will require detailing the types of data risks your organization faces and the strategy for mitigating those risks.

Earn the support of stakeholders throughout the organization

Partnerships with other business stakeholders, such as the legal department and human resources, are also essential. If you are trying to build effective data security and insider risk management processes into your employee onboarding processes, job changes, and terminations, then you will want to work closely with the human resources and legal departments. If these departments are not engaged with the insider threat program, you run the risk of having an ineffective program on your hands.

Prepare for culture shocks

One of the reasons insider threat programs can appear authoritarian is they are designed without the existing internal culture in mind.

When it came to managing insider risks at a former employer, it was common for me to run into cultural issues. We were always working closely with our vendors, many of whom were based in Silicon Valley. While discussing data risks with these organizations, we often learned that they did not have even the most basic controls pertaining to insider threat, including not bothering with employee background checks. They often didn’t understand who was joining the organization. “We trust our people,” they’d say. “We only hire the best, most talented people. Everybody wants to work here. Why would anybody do anything bad here?”

In building an insider threat program, you’ll have to deal with such cultural barriers, and the challenges to overcome them are real. Essentially, to overcome those challenges, you will need to convince staff and everyone throughout the organization that the focus isn’t on punishing people doing things they shouldn’t, but rather protecting the organization’s data and its business viability.

For those in regulated industries, this conversation is likely a lot easier to have with executives and staff. When you work in a regulated industry, it’s evident why certain types of data must be watched and protected, and it’s easier to extend that to other kinds of data.

For those working outside of regulated industries, where it’s not mandated that data be protected, it’s undoubtedly a much more challenging argument to win. But it’s an argument that executives will be receptive to if you explain the costs to the business associated with losing data or intellectual property that is important to the organization.  

Make sure the program is transparent

Another reason insider threat programs can appear oppressive is when they are built in secret. When staff are aware of the insider threat program, but they don’t understand why it is in place, they are more likely to grow resentful and even fearful of the program. Also, when staff aren’t at all aware of the insider threat program, they can be very brazen in taking data that belongs to the company. There is no reason to take either of these counterproductive approaches.

When organizations are transparent about the insider threat program and why it’s necessary, then staff, contractors, and business leaders will be more supportive of the effort to protect intellectual property and confidential and valuable information. 

Establish acceptable data use policies

Everyone will feel better about the program if they are not finding themselves second guessing whether or not they are acting within protocol. Are they permitted to use cloud storage services? If so, which ones? Can data be moved to USB devices and other local, removable storage devices? What about sharing data on corporate collaborative platforms such as Slack or Microsoft Chatter? What’s the policy for taking data home and/or keeping it on their notebooks?

Staff and contractors need clear demarcation lines of what is an acceptable use of the organization’s systems and data and who owns the organization’s data. Employees must be made aware of these policies.

Data risk will vary depending on the organization

The specific type of data that is protected will be dependent on the nature of the organization and the industry in which it works. The types of data and roles that will pose more significant risks will vary among different types of organizations. An aerospace engineering firm or defense contractor will have a different risk posture than a law firm, financial services firm, or pharmaceutical company. Within all of these organizations, there will be a lot of targeted information that can be monetized and is important to the organization, but the nature of the data (and who can access the most valuable data) will vary.

Put the right data protection tools in place

Although much of your insider threat program will consist of data security policies and employee training and awareness, those policies will need to be enforced with technology. When considering the types of tools that will support your insider threat program, choose the best tools to provide the capability to detect, investigate, and respond to data breach incidents with the appropriate level of insight.

Another consideration is how well the tools you select will integrate within your environment. This must be viewed from the standpoint of how well it will work with both internal processes and existing toolsets. For example, if you have an established automated employee off-boarding process, can you connect to those processes so that you have timely, accurate insights into employee status changes? The same holds true when it comes to employee onboarding.

Provide ongoing training and awareness

Ongoing security training and awareness exercises are essential for maintaining good data security practices and muscle memory for all employees across the organization. If your organization has an existing security training and awareness function, you can integrate insider threat messaging into awareness exercises.

Incorporating insider threat scenarios into ongoing security training and awareness will also help employees understand the importance of the risks you’re trying to manage. This will help employees understand the rationale and can also create allies within your organization.  

Build a sustainable program that will change with the times

Just as your organization and business environment evolve over time, so will your organization’s risks. So, it is important to ensure that your insider threat program can keep pace with the changes in your business and risks. Fundamentally it’s about keeping your focus on effectively managing data exfiltration and insider risk as your organization evolves.

All of this may seem straightforward—and it is—but that doesn’t make it easy or swift to accomplish. Like so many effective processes, the important thing is to keep your insider threat program risk-based, aligned with your organization’s culture and nimble enough to evolve with your organization.  

If you’re building an insider threat program from scratch, start small, keep it simple and be open to making changes. Early wins are important and will help drive the success of the program. Furthermore, they will keep the support of executives and staff who understand that the organization’s long-term success depends on protecting its data. Because it certainly does.

“Good Enough” Isn’t Enough to Stop Data Loss

Five years ago, the toughest part of my job was convincing the world that insider threat was a big problem. Fast forward to today, and everyone knows insider threat is the biggest everyday data security risk they face. But a new problem has emerged: with widespread awareness of insider threat has come a false sense of confidence. Many CISOs I talk to tell me that they’ve put tools in place — DLP, EDR, CASB, etc. — to stop data exfiltration, and they’re confident they’ve got insider threat covered. But the brutal truth is that “better than we used to be” often isn’t enough. There’s still a major gap in the typical security stack — and it’s putting their data and business at risk.

Overconfidence is rampant, but the statistics tell a different story

Most companies have beefed up their security stack in the past few years. I don’t want to take away from the value of these efforts, but I do want to point to the statistics showing the continual upward trend in insider threat incidents. Every week, that harsh truth hits home for another company, as we read about the latest high-profile insider threat incident that surprised, embarrassed and damaged a company that had been quite confident in their airtight security stack. Like I said, better than before isn’t enough.

The fatal flaw in the policy-based security stack

Almost all conventional data security tools are guided by policies, rules or other admin-defined parameters. DLP, EDR, CASB and the like do an excellent job of hunting down, flagging and sometimes even stopping actions based on defined rules and policies. But therein lies the problem: they can only look for what you tell them to look for. The reality is that you can’t think of everything. No one can. You can’t think of every possible way that an insider could take a given file or data type, so they will always be one (or several) steps ahead. (As a side note, there are now many ways of exfiltrating data that traditional DLP solutions simply cannot cover. Traditional DLP focuses on devices and networks; but things like Bluetooth, Airdrop, etc., don’t always show up on either the device or the network.)

Moreover, a lot of companies think their tools are focused on the right files and the right data. But users create new files every day, and the dynamic nature of modern work means that a given file can go from a low-value work-in-progress to a highly sensitive innovation-in-progress within the course of a single day. It’s almost impossible to think of (and stay current with) all the valuable, sensitive and vulnerable files and data types across your entire organization.

Case in point: the recent McAfee insider data theft incident. Three departing employees copied company trade secrets onto USB drives and simply walked out the door. How did a leader in data loss prevention not catch and stop this obvious theft? Because the data they took — sales and marketing files — were not traditionally tagged as IP. The bottom line: If traditional DLP doesn’t stop data loss for McAfee, it won’t stop data loss for you.
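The gap described above can be shown with a small detection sketch. This is an added example, not Code42's or any vendor's algorithm: the event fields, the HR departure feed, the thresholds and all sample data are constructed assumptions. A tag-based rule stays silent on untagged sales and marketing files, while a check that compares a departing user's outbound volume with that user's own baseline flags the same activity.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median

EXTERNAL = {"usb", "cloud"}  # destinations that leave the managed endpoint


@dataclass(frozen=True)
class FileEvent:
    day: date
    user: str
    path: str
    destination: str  # "usb", "cloud" or "local"
    size_mb: float
    tagged_ip: bool   # True only if an admin-defined rule classifies the file as IP


# Constructed sample events (hypothetical users and files).
EVENTS = [
    FileEvent(date(2019, 10, 1), "dana", "notes/q3_review.docx", "cloud", 5.0, False),
    FileEvent(date(2019, 10, 8), "dana", "decks/team_update.pptx", "cloud", 8.0, False),
    FileEvent(date(2019, 10, 15), "dana", "notes/travel.xlsx", "cloud", 4.0, False),
    FileEvent(date(2019, 11, 12), "dana", "sales/pipeline_2020.xlsx", "usb", 120.0, False),
    FileEvent(date(2019, 11, 12), "dana", "marketing/launch_plan.pptx", "usb", 200.0, False),
    FileEvent(date(2019, 11, 12), "sam", "eng/design_spec.docx", "cloud", 2.0, True),
    FileEvent(date(2019, 11, 12), "sam", "eng/build.log", "local", 30.0, False),
]

# Constructed stand-in for an HR off-boarding feed: user -> last working day.
DEPARTING = {"dana": date(2019, 11, 15)}


def policy_alerts(events):
    """Policy-based check: fires only on files an admin already tagged as IP."""
    return [e for e in events if e.tagged_ip and e.destination in EXTERNAL]


def daily_external_volume(events):
    """Sum outbound megabytes per (user, day) and remember which files moved."""
    volume, paths = defaultdict(float), defaultdict(list)
    for e in events:
        if e.destination in EXTERNAL:
            volume[(e.user, e.day)] += e.size_mb
            paths[(e.user, e.day)].append(e.path)
    return volume, paths


def context_alerts(events, departing, window_days=14, factor=3.0, floor_mb=50.0):
    """Flag days shortly before a departure where outbound volume far exceeds
    the same user's earlier median. Thresholds are illustrative assumptions."""
    volume, paths = daily_external_volume(events)
    findings = []
    for user, last_day in departing.items():
        def in_window(day, last_day=last_day):
            return 0 <= (last_day - day).days <= window_days

        history = [mb for (u, d), mb in volume.items() if u == user and not in_window(d)]
        baseline = median(history) if history else 0.0
        threshold = max(floor_mb, factor * baseline)
        for (u, d), mb in sorted(volume.items()):
            if u == user and in_window(d) and mb > threshold:
                findings.append({"user": u, "day": d, "total_mb": mb,
                                 "baseline_mb": baseline, "paths": paths[(u, d)]})
    return findings


if __name__ == "__main__":
    print("policy-based:", [(e.user, e.path) for e in policy_alerts(EVENTS)])
    for f in context_alerts(EVENTS, DEPARTING):
        print("context-based:", f)
```

The context check only associates activity with a user after the data movement itself stands out, and it reports the files and destination volume an investigator would need to follow up.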

You can’t lock down all your trade secrets & IP

Even if you could account for every potentially valuable or sensitive file in your organization, you can’t just lock all these files down. A lot of this information needs to move. Things like source code, customer lists and collaborative development projects need to move between users and even outside your organization in order to keep work moving forward. So you end up writing all sorts of exceptions to your security policies – and in the process, take the teeth out of your policy-based security tools. This makes it much easier for an employee to find a workaround, or a way to take files that look normal.

You don’t know what you can’t see – so you don’t know when you’ve been beaten

The second fatal flaw of conventional security tools like DLP: they don’t know when they’ve been beaten. They’re focused on seeing specific user actions. If the user action falls outside those defined rules, they don’t see it — and that means you don’t see it. In practice, that means that when users (inevitably) find ways around DLP, you most likely will have no idea until it’s too late to do anything about it. In fact, most companies only discover the data loss because of the proximate damage it causes to their business — weeks, months or years down the line — when a competitor beats them to the market with copycat technology or poaches clients with a leaked customer list.

You need to start with data behavior, not user behavior

All the problems with rigid rules point to an obvious solution: consider the context and behavior surrounding a specific action. There are a lot of solutions that focus on user behavior — trying to pull out context and identify risk by monitoring every keystroke of their employees. But that kind of intrusive employee monitoring comes with its own set of issues. There are ethical privacy concerns, as well as the increasing legal precedents that suggest you need a discrete reason to monitor an employee. Legality aside, invasive monitoring can hurt workplace culture, reduce staff satisfaction and even impact productivity. Moreover, we’ve already established that users’ creativity is often one step ahead of even the best pattern recognition software.

At Code42, we take a different approach: We watch the data — how it changes and where it moves. Users can trick you, but data doesn’t lie. Our underlying real-time backup technology means we’re able to watch all your data, all the time — so we understand what “normal” looks like. If we see something unusual, only then do we enable security to associate it back to the user. We start with cause, then investigate. This eliminates the privacy concerns, and ultimately keeps your attention focused on what you’re really trying to protect: the data.

The big objection: I can’t watch all my data, all the time

All-encompassing data visibility sounds nice, but that alone doesn’t solve the problem of seeing the actual risks and threats amid the ocean of normal activity. When I explain how Code42 is different, I normally get a flood of objections like: Won’t we have to configure the system to provide alerts? Won’t someone have to manage all those alerts? My team is already buried in alert management – you’re just adding to my problem. Here’s what I tell them…

Code42 gives you a clear signal of your risk

Comprehensive data visibility is the foundation of Code42. We know what normal looks like, and we know what your biggest risks look like. For example, we know that departing employees account for around half of all insider data loss incidents. We also know that M&A, or another type of company re-organization, creates one of the most acute risks of insider data loss. So, we focus our attention on these high-risk situations. We’ve already developed the algorithms and defined the parameters on our end — building simple tools like our departing employee lens that focus on these risks — so we’re not placing that burden on you.

Ultimately, we’re watching the behavior of all your data and using our deep data visibility to put relevant context around that activity before triggering an alert — instead of leaving that contextual analysis burden to your team. This minimizes alerts, so your team gets alerts you can trust and act on.

Giving you instant information to investigate immediately

Detecting risky user actions that have slipped past policy-based security tools is an incredibly important capability. But detection is just the first step; you need to be able to determine exactly what happened, if it’s risky, and what needs to be done. And you can’t afford to spend multiple days piecing together that story while your data is still at risk.

Code42 pulls together all that file activity and contextual information to give you distinct answers: this file was copied to this cloud with this browser tab URL, or this USB drive with this serial number, at this exact time. In essence, we give you an immediate answer to the question, “Where’d my file go?” And because Code42 automatically captures every version of every file, with the proper authorizations, you can even open the actual file in question to evaluate its contents and determine the risk. You get the definitive information you need to take action, faster.

Are you comfortable with “good enough”?

It’s always hard to change the status quo — especially when you’ve done a lot of work and made major improvements to achieve the current state. CISOs have done an admirable job of bulking up their security stances with tools designed to prevent both internal and external data risks. But here’s the brutal truth: even the strongest prevention will fail sometimes. Because prevention tools can only stop what you tell them to stop. You can’t think of everything, you can’t lock down all your data (exceptions just create blind spots), and creative (or malicious, or industrious or simply self-serving) users will always stay one step ahead of policy. When user activities inevitably slip past prevention tools, they fall into a dangerous gap in your security stack. You don’t know what’s happened; you typically don’t know anything has happened at all. Your security team is flying blind.

Considering that insider threats like these account for 50% of data breaches, are you really comfortable with leaving this risk uncovered? Or is it time to re-think “good enough?”

Microsoft and Code42 Ignite the Focus on Insider Threat

The entire Code42 team had a great time attending Microsoft Ignite in Orlando. Microsoft Ignite brings together more than 25,000 attendees who have keen interests in software development, security, architecture and IT. I have to tell you, before going to Ignite, I held preconceived notions that attendees would hold a clear bias toward IT challenges and not the broader challenges facing enterprise security.

Fortunately, I was mistaken, and it quickly became apparent that security and cloud concerns were a big part of the conversation. For all of us at Code42, that meant we were in store for an exciting week. We came to Ignite with a significant announcement – our new integration with Office 365 email.

More tools to mitigate insider threat

Why integrate Code42 with Office 365 email? There are a couple of reasons. First, while there’s been plenty of talk about the demise of email as the top communication platform, the reality is the amount of confidential and proprietary information sent via attachments every day in email is mind-boggling and enterprises need better controls. Second, while Office 365 email does provide ways to create email policies and flag risky emails, Code42 provides complementary insights and valuable investigative information into the who, what, when and why (as I like to call it) around the files. This is just another way Code42 helps our customers to mitigate insider risks.

We also showcased some new Code42 capabilities that enhance the workflow for departing employee data exfiltration detection. As you may already know, managing the data exfiltration risks associated with departing employees has been a significant effort for Code42. When it comes to mitigating insider threats and data breaches, it turns out that departing employees are notorious for taking trade secrets, confidential information, and other types of intellectual property with them as they leave organizations for new companies.

The departing employee challenge is exacerbated by the following: first, most organizations don’t have a data exfiltration mitigation policy in place for departing employees; and second, there typically aren’t technology or applications available to assist in the departing employee workflow. This is precisely why Code42 developed and released its new departing employee workflow capabilities.

Being able to showcase such powerful new capabilities and seeing the positive reactions from such a large crowd was one of the most rewarding parts of Ignite for me. Of course, Code42 SVP Rob Juncker got us off to the ideal start with a session mainly dedicated to insider threat and the importance of having a well-defined off-boarding process to protect valuable IP when employees leave.

The new capabilities were a hit among attendees. But, more importantly, to me, the new departing employee capabilities were the catalyst for conversations into understanding current departing employee workflows. These conversations largely confirmed what we’ve been saying here at Code42: that typical departing employee workflows are either under-developed or non-existent. No wonder insider threat continues to be on the upswing!

While Ignite gathers an IT-centric audience, what we learned is that when it comes to insider threat, multiple departments are part of the conversation. It isn’t uncommon to expect IT, security, compliance as well as HR teams to be in the mix when figuring out the best course of action to manage insider threat.

Demos, doughnuts and a customer’s personal account

We were also fortunate to be joined by one of our customers, David Chiang, an IT system engineer at semiconductor provider MACOM. David presented on how MACOM relies on Code42 to detect, investigate and respond to insider threats and file exfiltration. He framed the departing employee threat perfectly when he explained how, when a departing employee tells MACOM that they’re “just taking personal pictures,” MACOM can now (thanks to Code42) look back and validate if that’s so. “If we access the files and find that it was company property, the conversation changes,” he explained.

And under those circumstances, that conversation should change. The problem is that too many – actually, the vast majority of organizations – don’t have such processes and technology in place to provide themselves that level of visibility. Hopefully, our data security and departing employee announcements, and an excellent and in-depth story from one of our customers on their success (over some excellent mini donuts), resonated and will change some of the status quo for the better.

While Code42 went into Microsoft Ignite with an intent to learn and educate regarding the insider threat, it turned out we weren’t alone. There were two other significant announcements that reinforced the importance of mitigating insider threats. The first of those was Proofpoint’s acquisition of ObserveIT. Why? Because ObserveIT has been in the insider threat space for quite some time, and this acquisition is clear validation that Proofpoint views insider threat as an integral expansion of their security portfolio moving forward. The second announcement was from Microsoft itself. Microsoft unveiled its Insider Risk Management tool within Office 365 that is designed to help identify and remediate threats coming from within an organization.

I’m happy to say that the many announcements, as well as attendee interest and conversation around the issue, give me hope that insider threat programs are about to take center stage when it comes to managing enterprise data risk. And next year, Microsoft Ignite 2020 is bound to dig even deeper into the insider threat and all of the associated risks. We can’t wait to be there.