Security Leaders Share Their Learnings in a Work-from-Home World

There’s been a lot of change in the workplace in the past month with entire companies moving their employees out of offices and into their homes. While the shift has been a change for everyone, it has created unique challenges for security teams. Code42 CISO and CIO Jadee Hanson and Sumo Logic CSO George Gerchow got together on a webcast to discuss how they transitioned their companies to working from home. They talked about how they prepared and what they would have done differently — with the hope that other organizations can benefit from what they learned. 

Read on for a summary of their conversation — or, for more details, watch their webcast recording.

Bad actors abound – stay vigilant

The pandemic has unleashed cyber threats, including phishing and malware attacks, credential stuffing and GoFundMe scams — with a goal of sowing fear and preying on people’s anxieties. The bad actors continue to look for new opportunities to target companies and individuals — and specifically user endpoints. The endpoint devices of remote workers are the ultimate targets.

Why do endpoints have a fresh bullseye? George pointed out that employees logged in from their personal networks may be using a default password on their home Internet or have fewer security measures in place, which opens up their work accounts to new external threats. That’s why it’s so important for work-from-home employees to be alert to suspicious activity and take a “see something, say something” approach when partnering with their security teams. Despite the rise in cyber threats, Jadee noted, “Security best practices are the same, regardless of our physical work location…Security teams just might need to apply some additional technology on the endpoint now. But at the end of the day, security fundamentals are largely the same.” 

Get the right tools to balance visibility and collaboration

As the security teams at Code42 and Sumo Logic prepared to support their full-time, work-from-home employee bases, there were a number of “must-haves.” Topping the list was having visibility to on- and off-network file activity. When Code42’s workforce went from 30% to 100% remote, the security team reassessed and tested to see how much visibility was needed to secure a work-from-home environment. Then they flipped the organization to a split tunnel VPN model. Jadee explained, “Essentially, what that means is important business work is still going to come through our VPN. But other activities that people are now doing on their devices, like watching movies on Netflix and Hulu, is going to go direct.” There were also some cases where users needed to be on key services on full tunnel VPN, so adjustments were made to ensure employees had what they needed to work not only productively, but also securely. 

Another must-have for a fully remote workforce? The safe use of collaboration tools. While cloud-based tools, like Slack and Google Drive, are important to enable collaboration and innovation within the office walls, they are even more critical when all employees are working from home. George encourages collaboration with control, explaining, “We want to make sure that people are putting their data in the right places. Because now they’re outside of that (corporate) perimeter… and no longer in the office. So are people storing stuff in OneDrive or Google Drive the way that they’re supposed to? Are they using unsanctioned places to store data? Are they storing things on their local computer?” At Sumo Logic, leadership keeps up an open conversation about best practices so that tools like Slack can be used to keep everyone connected without unnecessarily putting important data at risk. Establishing a new baseline for what activity looks like when all users are off network while working from home has been instrumental.

New challenges are here to stay 

Throughout the conversation, it became clear that some of the biggest challenges and changes in shifting to a remote workforce were not on the tech side, but on the people side of the business. Jadee explained, “Tech is just the enabler for all of us to work from home. There’s also a huge cultural shift that needs to happen. We’re not just asking everybody to work from home. Rather, we’re telling people to work from home in a different world during a pandemic.” Having the resources to get employees the equipment and software they need to succeed helps remove yet another stressor. George explained that he’s learned that people want their organizations to give prescriptive direction during times like these so everyone is aware of the expectations while working from home. To support their shift to working from home, Sumo Logic created an Emergency Management Committee leading up to the fully remote workforce, and they continue to get together to keep employees updated on key changes. 

Today, businesses are run differently and that will affect the future. Both companies identified the most vital, or bare bones, necessities to run their organizations. George explained, “We all have a bunch of systems out there. But as far as let’s say, sales is concerned, what do you really need, at a bare minimum, to be able to effectively sell? Or, what is the bare minimum our supply chain needs to deliver product to our customers?” Exercises like these help not only ruthlessly prioritize, but also plan for what comes next. When people return to the office, it will be critical to understand the tools that are essential for people to be successful in their jobs.  

When it comes to work habits, both leaders emphasized the importance of taking breaks and staying connected on a personal level. Video calls help us keep the facetime we’re used to in the office and pick up on non-verbal cues during meetings. Virtual happy hours and regular team check-ins have become commonplace. It’s important to talk about something other than work and to have the watercooler discussions to check on how coworkers and families are doing. With families and pets at home, there’s also a need for understanding that there will be disruptions during calls and throughout the work day. Reassure co-workers that unexpected events at home are okay – that will help build a better, more connected, remote work environment. Finally, Jadee shared some parting words about self care: “If we thought security teams were stressed before, this is a new level for us. So it’s really important that we take time to recharge. We’re no good to the companies we support if we’re unhealthy and rundown.”

To hear more about how these leaders prepared and what they learned about moving an entire workforce to work-from-home, take in the full webinar recording.

From the Desk of a CISO: The Five Core 2020 Cybersecurity Resolutions

Over the recent years, cybersecurity, and certainly the role of the CISO, have evolved – in many ways, for the better. Thanks in large part to the rapid digitization of business, the explosion of data and data sharing across the enterprise, and the move to cloud security and mobile, the nature of information security has to change. And it has to change quickly.

At Code42, as we work to provide an insider threat detection, investigation and response solution to organizations that need to securely share data and collaborate to succeed at their work, we find ourselves in the center of it all. As 2020 is taking off, it’s a perfect time for security teams to reflect on what areas they can improve on when it comes to providing the most effective security to their organizations. As I’ve considered the state of enterprise security over the past few weeks, I’ve developed my list of 2020 resolutions. To be sure, some organizations, including Code42, are doing these things already. Yet there’s always room for improvement – and in security, we all need to work together toward the constant goal of improvement. 

Here are the areas that are especially important for businesses to focus on throughout 2020 and, as necessary, resolve themselves to improve.

Make sure security is a business driver

With the increased competitiveness of today’s business environment and the drive to digital transformation, cybersecurity can no longer be viewed as a reason not to move a business forward. The 2019 Harvey Nash / KPMG CIO Survey found that 44% of CIOs and technology leaders expect significant changes to come to their products, service offerings, or even their business model in the next few years. Security teams need to support, not hinder, this business change.

One way security teams can improve is to better understand and appreciate how their company drives revenue and ensure they are making smart decisions to support its specific business model. What does this mean in practice? Consider how a manufacturer will have a different risk posture than a healthcare provider and how a healthcare provider’s risk posture will also be quite different from that of a trucking company or software provider. It’s important that security professionals think of themselves not just as security professionals, but as risk managers that help direct and inform the business on taking on the risks that allow the company to meet their overall goals. 

At Code42, our focus is on helping to secure this faster world of collaboration, which fundamentally enables security to be at the cornerstone of driving the business forward. We believe in supporting all forms of collaboration and innovation. We also believe that collaboration needs to be secure.

Embed security throughout the business

In many organizations, it’s still common for new applications, services and business decisions to be made without the security team being part of the decision-making process. Unfortunately, when security is brought in at the eleventh hour and finds a number of risks that must be resolved, it causes considerable re-work, increases costs to remediate and unacceptably slows down the business.

Further, the more rapidly businesses digitize, the more aggressively they add new product features, change business models and enter new markets and geographies (which come with their own geopolitical risks). As such, security leadership needs to be a part of discussions around planning and implementation from the beginning.

Having security embedded early saves time, costs and lots of headaches. To do this requires that security is built into the development and business decision-making process. In practice, this means that security engineers are integrated into the software lifecycle process – helping to write code, fix vulnerabilities, or address developers’ needs with consistent security solutions. (I advocated for security to be ingrained in these types of activities in a recent blog.) Or it means that your security org helps to vet a product or solution before it’s acquired. Or it means that the board asks the CISO for a security risk analysis before entering new geographies and business segments.

To stay competitive, however, it’s just not enough to make sure security is part of the process – security needs to be as effective and efficient as possible. Which brings us to our next resolution.

Automate all of the things

Security teams not only need to be involved early on to identify risks, they need to be enabled to fix those risks themselves through integration and automation. Automating security means mundane tasks can be handled without human interaction, freeing up security engineers for more important, strategic, value-added work.

Automating security tasks in the development workflow not only saves time and enables speed and scale, but it’s also critical for solving key issues faced by security professionals. Automation can help ease the security talent gap, alleviate alert fatigue, speed up time to incident resolution and reduce errors.

We are always working on improving our processes in the areas that can be automated, including software testing, vulnerability management, malware incident response and more. Any mundane task is a candidate for automation. For instance, when vulnerabilities are identified from an automated scan, it’s possible (sometimes) to automatically patch and, other times, gather all of the necessary context and package it for admins so they can get to work instantly.

If there’s a malware alert, automatically grab the necessary context from a source such as VirusTotal and, when necessary, quarantine the infection. If a remedy cannot be automated, gather the associated context so analysts can quickly make a decision and respond.
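An added example (not code from the post or from Code42) of the automate-or-package decision described above: enrich a malware alert from a reputation source, quarantine automatically only when confidence is high and the host is not on an exclusion list, and otherwise hand the packaged context to an analyst. The reputation table, hosts, hashes and thresholds are constructed stand-ins, and VirusTotal itself is not called, so the script runs offline.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed reputation data standing in for a lookup service such as VirusTotal.
# Keys are placeholder SHA-256 values, not real indicators.
SAMPLE_REPUTATION: Dict[str, dict] = {
    "aa" * 32: {"detections": 58, "engines": 70, "label": "trojan.generic"},
    "bb" * 32: {"detections": 20, "engines": 70, "label": "pua.adware"},
    "dd" * 32: {"detections": 2, "engines": 70, "label": "heuristic.lowconf"},
}

# Guardrail: hosts where an automatic quarantine could break production,
# so the remedy is always handed to an analyst (constructed list).
NO_AUTO_REMEDIATE = {"build-server-01", "db-primary"}

AUTO_QUARANTINE_RATIO = 0.5   # at least half of the engines flag it -> act without a human
NOISE_RATIO = 0.05            # below this the hit is treated as likely noise


@dataclass
class Alert:
    alert_id: str
    host: str
    sha256: str
    path: str
    user: str


@dataclass
class Decision:
    alert_id: str
    action: str                 # "quarantine" | "escalate" | "close"
    reason: str
    context: dict = field(default_factory=dict)


def enrich(alert: Alert, reputation: Dict[str, dict]) -> dict:
    """Gather everything the automation (or the analyst) needs in one bundle."""
    hit = reputation.get(alert.sha256)
    ctx = {"host": alert.host, "user": alert.user, "path": alert.path,
           "sha256": alert.sha256, "known": hit is not None}
    if hit:
        ctx["detection_ratio"] = round(hit["detections"] / hit["engines"], 3)
        ctx["label"] = hit["label"]
    return ctx


def triage(alert: Alert, reputation: Dict[str, dict]) -> Decision:
    """Automate the remedy when confidence and guardrails allow; otherwise package context."""
    ctx = enrich(alert, reputation)
    if not ctx["known"]:
        return Decision(alert.alert_id, "escalate",
                        "hash unknown to reputation source; analyst review needed", ctx)
    ratio = ctx["detection_ratio"]
    if ratio < NOISE_RATIO:
        return Decision(alert.alert_id, "close", "detection ratio below noise floor", ctx)
    if ratio >= AUTO_QUARANTINE_RATIO and alert.host not in NO_AUTO_REMEDIATE:
        return Decision(alert.alert_id, "quarantine",
                        f"{ratio:.0%} of engines flag {ctx['label']}", ctx)
    if ratio >= AUTO_QUARANTINE_RATIO:
        return Decision(alert.alert_id, "escalate",
                        "high-confidence hit on a host excluded from auto-remediation", ctx)
    return Decision(alert.alert_id, "escalate",
                    f"ambiguous hit ({ratio:.0%}); analyst decides", ctx)


def triage_batch(alerts: List[Alert],
                 reputation: Dict[str, dict] = SAMPLE_REPUTATION) -> Tuple[List[Decision], dict]:
    """Triage a queue of alerts and return the decisions plus per-action counts."""
    decisions = [triage(a, reputation) for a in alerts]
    counts: Dict[str, int] = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return decisions, counts


# Constructed sample alerts exercising each branch of the decision logic.
SAMPLE_ALERTS = [
    Alert("A-1", "laptop-042", "aa" * 32, r"C:\Users\j\Downloads\invoice.exe", "j.doe"),
    Alert("A-2", "db-primary", "aa" * 32, "/tmp/update.bin", "svc-backup"),
    Alert("A-3", "laptop-017", "bb" * 32, "/home/k/tool.bin", "k.lee"),
    Alert("A-4", "laptop-099", "cc" * 32, "/home/m/unknown.bin", "m.ray"),
    Alert("A-5", "laptop-003", "dd" * 32, "/home/p/installer.bin", "p.kim"),
]

if __name__ == "__main__":
    decisions, counts = triage_batch(SAMPLE_ALERTS)
    for d in decisions:
        print(d.alert_id, d.action, "-", d.reason)
    print(counts)
```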

The move to DevOps helps with security automation. Some call this DevSecOps. It doesn’t matter what you call it, but what does matter is that security processes are an automated part of the development lifecycle. It matters that the security person is part of the cycle.

Focus on the human side of security

For years, we have focused on external actors and perimeter defense. We now need to shift the focus to include internal threats. We know that insiders have a considerable impact on an organization’s security. Yet, many organizations expend too much focus on external threats and not enough on internal threats. It’s time organizations appropriately reallocate their focus.

How do insiders create risk? Let me count the ways… For one, some users sidestep company-provided file sharing and collaboration tools for tools of their own choice. This creates risk. Our 2019 Data Exposure Report found that 31% of business decision-makers use social media platforms, e.g., Twitter, Facebook, LinkedIn, to share company data, while 37% use WhatsApp and 43% use personal email to send files and collaborate with their colleagues. Another way? Seventy-eight percent of CISOs and 65% of CEOs admit to clicking on a link they should not have. This shows that it’s not just staff, but also senior leaders that can make poor data security decisions. Have you ever emailed or shared a document with the wrong person? It’s not difficult to do. Though unintentional, the end result is still a risk to data.

Ultimately, enterprises can put protections and controls in place at every turn. Still, it only takes one internal user to abuse their access in a nefarious or careless way to cause a data breach.

Organizations need to dedicate more time to identifying insider threats, deciding what monitoring to put in place and optimizing how they detect and respond when events occur. Importantly, we have to do this without losing sight of our main focus to enable the business to collaborate securely.

Build a culture of security

No program or software solution will prevent all data from being at risk of exfiltration. It’s the security team’s job to educate employees on security risks and help foster an appropriate security culture.

What does it mean to build a good security culture? Consider security culture to be how those working within the organization act when it comes to data security. When there is a healthy security culture, everyone thinks before they click on links, for instance. If they have security questions, they’ll feel free to reach out to the security organization for answers. When they want to use a new product or service, or work in a new way, they will ask security about the risks. This is what good security culture looks like in practice.

Good security culture is actually a pillar of an effective insider threat program. Consider how many people in your organization would “say something if they see something,” to take a line from homeland security. Most staff, if they see a peer sharing a document out of policy or in an unsecure way, won’t say anything at all. It’s because people aren’t taught how to say something or help co-workers do the right thing. An effective security culture helps change that for the better.

While every organization is different, some organizations may be further along with these resolutions than others. However, with the rising insider threat and the increased pace of digital transformation, all organizations will benefit by making sure they are on track to continuously improve themselves.

From the Desk of a CISO – Leadership Lessons

Quite a bit has changed in information security since I began my career more than a decade ago. 

Talk of cloud being the primary enterprise development platform was based on complete speculation. Mobile computing had yet to hit full stride. Software as a service (SaaS) was in its infancy. Since then, we have seen the rise of the nation-state attacker, extensive malware attacks, highly-publicized insider threat cases, exponential growth of data due to the declining costs of storage and considerable digital transformation investments. As all of these trends evolved and took hold, the nature of information security also changed.

Throughout all of these changes, I have worked in information security; previously, at a national retail enterprise and, more recently, as a CISO here at Code42. Over the years, I’ve learned a few important lessons about how to be successful in information security that I’d like to share here.

Lesson 1 – Be Part of the Solution

Too often security teams do a great job at identifying and pointing out risks and then handing them off to others to solve. In their earnest desire to eliminate those risks, they forget how important it is to understand how people go about getting their work done. So, rather than try to help others deliver their work or projects in a secure way, they identify risks and throw them over the fence for other teams to fix. That has to stop. We need to create partnerships, build empathy and become part of the solution. Building empathy helps us understand how others deliver work and the struggles they might go through to get their jobs done.

Because we are developing software at Code42, our top risks lie in the software development cycle. That’s why my team works very closely with our developers to help identify and address security gaps. To build greater empathy, I have challenged my team to learn the basics of a coding language. This has helped us gain a fuller understanding of the challenges developers face every day and, more importantly, how we need to work with them to be part of the solution.

Lesson 2 – Balance Risk

In security, it is less about eliminating risks and more about balancing risks. Think of a retail floor. Sure, everything on a shelf that isn’t locked down is at risk of being stolen. But if you lock everything up behind glass, your sales are going to plummet. At the end of the day, you are in the business of selling goods, which is why retailers don’t lock up everything. It’s the same with all business risks. You have to balance the business benefit with the business risk and put reasonable risk mitigations in place. For a retailer, this could be cameras, security guards, and/or only locking down items with a high risk of theft.

As security leaders, we don’t want to place overly aggressive security controls on everything. We are trying to tune the right level of security for the organization. You have to balance what the board, CEO and customers want and, at the same time, match the culture of the organization.

In a lot of cases, security leaders push forward with their own security risk posture ideals versus trying to truly understand the acceptable risk posture of the organization.

Lesson 3 – Build a Strong Team

While a bit more obvious, I can’t stress enough the importance of building and retaining a strong team. The team here at Code42 is close-knit. I have worked with many of these people for more than a decade. It’s hard to place a value on that. It’s a lot like professional athletes who know the moves their teammates are going to make before they do. That makes it possible to build a well-tuned, committed and effective team, not to mention retain talent in a talent-deficit industry. When you have a team you trust, it makes security much more effective and laser-focused on the overall mission of the organization. I am thankful to be a part of such a strong, dedicated team that trusts one another and has a high degree of respect for one another.

Lesson 4 – Transparency Trumps

To be effective in this industry, security professionals need to be transparent. In some cases, security teams still operate like the man behind the curtain: No one knows what magic they are operating, and budget is gained by claiming that the sky is falling. But with today’s skepticism, seeing is believing. That’s why it’s so important to demonstrate how risks could be exploited. I recommend having your red team perform an exercise to determine exactly how easily a risk may be exploited, and share the results with other decision makers.

In the same vein of transparency, it’s important to explain risks as they really are. Many security professionals will overhype a risk in an attempt to get attention or budget for a project. That tack may work in the short-term, but it will diminish trust in the long run.

As a security team, we are 100% transparent on the risks we see and the areas where we are digging deeper. This way, when a threat or new risk arises, we have a tremendous amount of trust and support to mitigate the risk. 

Lesson 5 – Provide Value, Don’t Fear Failure

Finally, being a CISO, or data security professional in general, is a stressful job. There is a lot of discussion around stress in the information security profession and how, as a result, the average tenure for CISOs is about two years or less. CISOs must balance the stress by focusing on the good, which is the value they’re providing to their business. At Code42, we strive for a blameless culture – one where we learn lessons rather than fear failure. This type of a culture helps contextualize stress. 

In my job, I want to feel challenged throughout the workday. I’m energized and get a lot of joy knowing that we are providing value and actually helping our company and customers address their security risks. We are working for a company that helps all of our customers deliver on security with the software we develop. For a security professional, it doesn’t get more exciting than that.

2020: The Cybersecurity Year Ahead

Security never stops. As 2019 comes to an end, security professionals are looking to what is in store for the year ahead. To get some answers, we reached out to Code42 leadership and security experts to get a sense of their cybersecurity expectations for the coming year.

While they expect plenty of tough challenges when it comes to protecting data, there is some good news in the mix. The team anticipates that enterprises will take steps toward formalizing (and automating) their security programs where gaps exist.

Here’s what the Code42 team had to say:

Insider threat programs grow more prevalent

Relentless reports of new, high-profile insider breaches will push many more businesses to finally take insider threat seriously enough to formalize programs and allocate a larger budget dedicated to protecting their intellectual property. This year, at least half of data breaches involved an insider, but in 2020, that figure could exceed 60%.

When it comes to insider threat, companies will begin to lean into new technologies designed distinctly for protecting from insider threats, and they’ll stop shoehorning outdated, ineffective technologies that were never really intended to mitigate insider risks to begin with. Finally, more than 20% of organizations will begin actively measuring what departing employees take from their organization.
Joe Payne, president and CEO at Code42

The role of security will increasingly integrate within IT

With the continued cybersecurity talent gap, along with increased regulatory demands and security threats, security and IT will have to work more closely together. What I mean by this is traditional IT will be expected to take on security responsibilities, while security roles will evolve to become more hands-on and step into actual problem-solving rather than problem-identification mode. 

Security has always been positioned to cover confidentiality, integrity and availability – the well-known security CIA triad. While IT has traditionally been focused on availability, it’s increasingly recognized that data integrity and confidentiality need to be a part of the broader IT strategy. There has always been an opportunity for a natural fit between IT and security, and 2020 will prove to be the year that we recognize the similarities and start to benefit from the combined focus from these two disciplines.
Jadee Hanson, CISO and VP of Information Systems, Code42

Collaborative tools get security department green light

Progressive organizations thrive on collaboration. After all, we are in the midst of a massive culture change that centers on employees’ ability to share ideas, move faster, and collaborate. CEOs are requiring that their employees use Slack, Chatter, Box, and OneDrive to work together to be more productive. However, at the same time, CISOs have been busily blocking collaboration by using legacy prevention technology. In 2020, progressive CISOs will stop blocking and will start focusing on enabling collaboration by adopting new approaches that better address insider risk.
Joe Payne, president and CEO at Code42

DevOps teams embrace security

Organizations have adopted DevOps, but security hasn’t always kept pace. As DevOps grows, so does the desire (and the need) for security to become embedded within these teams. In the next year, organizations will increasingly seek ways to build the skills, tools, and knowledge they need to build security directly into DevOps teams.
Michelle Killian, director, information security, Code42

The security talent shortage continues

By nearly all estimates, the industry is millions of cybersecurity jobs short of what’s needed to adequately secure enterprise data. This shortage will push security teams to automate as much as they can to stretch their capabilities. Hopefully, teams will focus on optimizing the basics because it remains true that the vast majority of breaches could have been prevented if security 101 practices were followed. Areas that will be automated include manual operations tasks, application security testing, data monitoring, and more.
Todd Thorsen, senior manager information security, risk management and compliance, Code42

Security ‘solutions’ continue to grow in complexity

The complexity of security vendor solutions remains too high in cybersecurity. Many vendors continue to proudly talk about how sophisticated their products are and how they can solve complex problems. The problem is: using these security tools themselves is an overly complex and unwieldy process. At the same time, the security industry struggles with a serious shortage of skilled cybersecurity personnel. Something has to give.

In 2020, we will see security vendors focus on providing both signal and simplicity. To align with the realities of personnel shortage, solutions will surface highly actionable information and present it in easy-to-use, accessible ways so that security teams can act quickly without being embroiled in endless investigations.
Joe Payne, president and CEO at Code42

Move from reactive to proactive security

Companies are so busy reacting to incidents and putting out fires that they are missing opportunities to proactively reduce risk. One area is how staff and others will continue to be a highly exploited threat vector, yet companies will continue to trail behind mitigating their human risks. One thing is for sure: training alone is not going to work, as companies need to create security-minded cultures in their workplaces.
Chrysa Freeman, program manager, security awareness, training and culture, Code42

Expect a major breach within a federal agency

A federal agency will experience a large-scale data breach at the hands of an insider. This will highlight the growing insider threat blind spot for all large organizations.

Also, foreign hackers and the election take center stage. There will be proposed federal regulations requiring encryption back-doors and FCC regulation of social media in advance of the elections. As the elections approach, there will be reports of hacks and vulnerabilities, many with grand claims. All of these claims will be unsubstantiated, viciously spun, yet cause no direct or measurable harm. But they will create enough doubt and disruption to further the nation’s political divide.
Andrew Moravec, principal security architect, Code42

The return of ransomware

It used to be that cryptojacking—using someone else’s computing to mine cryptocurrency—was a relatively easy path to profit. But as the price of bitcoin continues to fluctuate wildly, those profits are no longer such a sure thing. As a result, adversaries will shift their attacks to optimize their efforts. Once their malware is deployed onto endpoints, they may decide ransomware is the way to go, which would very well lead to a resurgence in ransomware attacks.
Jeff Holschuh, senior manager of identity, Code42

A renewed focus on data privacy

The CCPA (California Consumer Privacy Act) goes into effect at the beginning of 2020. The act will have a substantial impact on companies that don’t yet have mature data security and privacy programs in place. As enforcement actions are brought under this new law, companies will scramble to ensure they are meeting all of the law’s requirements.

Essentially, CCPA focuses on data collection rules, breach disclosure, and the selling of consumer personal data. Expect not only CCPA-driven lawsuits and fines, but also a nationwide rush by companies to ensure they can comply.
Nathan Hunstad, principal security engineer and researcher, Code42

Breach Fatigue – And How to Take Action

Since 2005, a staggering 9,033 data breaches have been made public — that averages about 1.77 breaches a day. In the wake of this stream of breaches, a sense of apathy has taken hold, causing both employees and organizations to become numb to their own security risks.

In her latest byline for TechBeacon, Code42 Chief Information Security Officer Jadee Hanson shares the dangers of employees and leadership experiencing breach fatigue and how it leaves an organization open to insider threats, ineffective security strategies and other security vulnerabilities.


Learnings From Verizon’s Insider Threat Report

What does McKinsey call one of the largest unsolved issues in cybersecurity today? Insider threat. They noted that a staggering half of all breaches between 2012-2017 had an insider threat component. To make consequential strides in combatting insider threat, the topic must be explored further. Thanks to Verizon’s Threat Research Advisory Center, which produced the Verizon Insider Threat Report, we can take an in-depth look at the role insider threat plays in the broader cyber threat landscape.

The Verizon report draws on statistics from their Data Breach Incident Reports and lessons learned from hundreds of investigations conducted by their internal forensics teams. It highlights the ease with which insiders exfiltrate data, while detection on the other hand often takes far longer.

“ Insider threat should no longer be a taboo subject for internal security teams. Denial has not helped – it has only resulted in time-to-discovery being months-to-years for most inside breaches. ”

A trio of Code42’s leading experts on insider threat shared their reactions to the report. Read on to find out their most compelling takeaways.

Jadee Hanson, CISO and VP Information Systems for Code42, called out:

  • The top motivations for insider threats include financial gain (48%), which is not surprising. This is followed second by FUN (23%). It’s deeply concerning to think that a colleague would do something detrimental to their own company… just for fun.
  • Detecting and mitigating inside threats requires a completely different approach than what we (security teams) are used to when it comes to external threats. Insiders are active employees with active access and sometimes the actions these individuals take look completely normal to a security analyst.
  • Security awareness and education and overall company culture continue to be a very effective way to mitigate the risks of insider threats.
  • Data theft incidents are driven mostly by employees with little to no technical aptitude or organizational power. Regular users have access to sensitive and monetizable data and unfortunately too often are the ones behind most internal data breaches.

Code42’s Vijay Ramanathan, SVP Product Management, shared these thoughts: 

  • Insider threat should no longer be a taboo subject for internal security teams. Denial has not helped – it has only resulted in time-to-discovery being months-to-years for most inside breaches. This is a massive blind spot for security teams. Also, this is a problem for all sorts of companies. Not just large ones.

  • The report outlines countermeasures that companies should take as part of a comprehensive data security strategy. This is a great starting point. But those measures (outlined on page 7) are nonetheless complex and require skilled staff. This continues to be difficult for many companies, particularly smaller and mid-market organizations, to navigate, especially because of the chronic skills shortage in the security industry.

  • The “Careless Worker” is called out as one of the harder vectors to protect against. Security teams need to take a proactive, “data hunting” approach to help them understand where data lives and moves, when it leaves the organization, and in what situations data is at risk.

  • Robust data collection and preservation, along with behavior analytics, are models that can help organizations understand where accidental or deliberate data exposure/exfiltration may be occurring. This need is going to become even more stark in the next 12-36 months as companies come to terms with the reality that current data security tools, technologies and practices (e.g. policy management, data classification, user blocking, highly-skilled security staff) are not designed for a much more fluid and unpredictable future.

Mark Wojtasiak, VP Portfolio Marketing, highlighted:

  • Nowhere in the report did Verizon say the goal was to prevent insider threats – the focus was all about detection, investigation and response. Verizon even called out DLP as a monitoring tool, likely to the chagrin of legacy DLP providers.
  • The single biggest problem relative to insider threat is detecting them in the first place and the length of time it takes to detect one. I argue that most insider breaches go undetected altogether and the number of insider breaches are actually grossly underreported.
  • Detecting insider threats comes down to how effective a company is in defining, collecting, correlating, analyzing and reporting on insider indicators of compromise. This basically means “machining” a security analyst’s intuition.
  • Creating insider indicators of compromise is difficult because they rely heavily on what is considered “normal” or “abnormal,” which can vary greatly by company, department, job role, individual and the data itself. It’s a lot of work, so why not just use machine learning to do it? 
  • Once an insider breach is detected and the investigation process starts, it can grow very complex quickly. Oftentimes multiple stakeholders are involved and organizations might hire or outsource digital forensic services, which can be expensive. There has to be a faster, simpler process, especially for small to mid-market companies, which can be devastated by insider threats.
  • Insider Threat Programs go way beyond the incident response process (detect – investigate – respond – communicate, etc.). Ongoing vulnerability audits and assessments are needed to fine-tune the insider indicators of compromise.
  • I still find it shocking that data classification continues to be a must have – and that employees need to be trained, made aware of and actually take the steps to classify the data they create. Couldn’t it be an indicator of compromise in and of itself if an employee self-classifies data as non-sensitive, then exfiltrates it? 
  • Finally, it is clear that the key to establishing an insider threat program is to start with the data (called “assets” in the report), and then move to people. 
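As an added illustration of the "insider indicators of compromise" discussed in the takeaways above (this is example code written for this page, not code from the Verizon report or from Code42), the Python below scores constructed file-activity events against each user's own baseline of "normal", falls back to role peers when a user has too little history, and flags the relabel-then-exfiltrate sequence raised in the last bullets. The event data, label scheme, baseline window and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data). Each event is
# (day, user, role, action, filename, detail):
#   "external_copy" -> the file left the endpoint; detail = destination
#   "reclassify"    -> the user changed the file's sensitivity label to `detail`
EVENTS = [
    # alice (engineer): one external copy a day is her normal
    *[(d, "alice", "engineer", "external_copy", f"spec_{d}.pdf", "usb") for d in range(1, 11)],
    # bob (engineer): almost silent during the baseline, then a burst on day 11
    (3, "bob", "engineer", "external_copy", "notes.txt", "usb"),
    *[(11, "bob", "engineer", "external_copy", f"src_{i}.zip", "gdrive") for i in range(12)],
    # carol (sales): relabels a restricted file as public, then shares that same file out
    (9, "carol", "sales", "reclassify", "pricing_model.xlsx", "public"),
    (10, "carol", "sales", "external_copy", "pricing_model.xlsx", "onedrive"),
    # dave (sales): relabels one file but copies out a different one -> no indicator
    (9, "dave", "sales", "reclassify", "draft.docx", "public"),
    (10, "dave", "sales", "external_copy", "quota.xlsx", "onedrive"),
]

BASELINE_DAYS = range(1, 11)                   # days used to learn each user's "normal"
SCORE_DAY = 11                                 # the day being scored
MIN_COUNT = 5                                  # below this, a daily count is never flagged
NON_SENSITIVE_LABELS = {"public", "internal"}  # assumed label scheme


def daily_external_copies(events):
    """Count external copies per (user, day) and remember each user's role."""
    counts, roles = defaultdict(int), {}
    for day, user, role, action, _fname, _detail in events:
        roles[user] = role
        if action == "external_copy":
            counts[(user, day)] += 1
    return counts, roles


def volume_indicators(events, baseline_days=BASELINE_DAYS, score_day=SCORE_DAY, z=3.0):
    """Flag users whose external-copy count on score_day is far above baseline.

    "Normal" is learned per individual, since it varies by person and role; a user
    with too little history is compared against peers in the same role instead.
    """
    counts, roles = daily_external_copies(events)
    series = {u: [counts.get((u, d), 0) for d in baseline_days] for u in roles}
    role_series = defaultdict(list)
    for u, s in series.items():
        role_series[roles[u]].extend(s)
    flagged = {}
    for user, role in roles.items():
        today = counts.get((user, score_day), 0)
        own = series[user]
        base = own if sum(own) >= MIN_COUNT else role_series[role]
        mu, sigma = mean(base), pstdev(base)
        # floor sigma at 1 so a perfectly flat baseline still leaves a margin
        threshold = mu + z * max(sigma, 1.0)
        if today >= MIN_COUNT and today > threshold:
            flagged[user] = {"count": today, "baseline_mean": round(mu, 2),
                             "threshold": round(threshold, 2),
                             "basis": "own" if base is own else "role"}
    return flagged


def declassify_then_exfil(events, window_days=7):
    """Flag a user lowering a file's label to a non-sensitive value and then
    moving that same file off the endpoint within window_days."""
    lowered = defaultdict(list)   # (user, file) -> days the label was lowered
    for day, user, _role, action, fname, detail in events:
        if action == "reclassify" and detail in NON_SENSITIVE_LABELS:
            lowered[(user, fname)].append(day)
    hits = []
    for day, user, _role, action, fname, detail in events:
        if action != "external_copy":
            continue
        for relabel_day in lowered.get((user, fname), []):
            if 0 <= day - relabel_day <= window_days:
                hits.append({"user": user, "file": fname, "relabel_day": relabel_day,
                             "copy_day": day, "destination": detail})
    return hits


if __name__ == "__main__":
    for user, info in volume_indicators(EVENTS).items():
        print(f"[volume] {user}: {info}")
    for hit in declassify_then_exfil(EVENTS):
        print(f"[declassify->exfil] {hit}")
```

On the constructed data only bob trips the volume indicator (12 copies against a role baseline averaging 0.55 a day) and only carol trips the relabel-then-copy indicator; dave's relabel and copy involve different files and are left alone.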

The rise of insider threats is a significant threat to every business and one that is often overlooked. While we all would like to think that employees’ intentions are good, we must prepare for malicious (or accidental) actions taken by those from within our organizations. And because up to 80 percent of a company’s value lies in its intellectual property, insiders are in the position to do serious harm to your business. Is your business prepared to minimize the impact of these data threats?

Code42 Next-Gen Data Loss Protection: What DLP Was Meant to Be

Malware and other external cyber threats get most of the headlines today. It’s not surprising, given the damage done to companies, industries and even countries by outside-in attacks on data. Despite that, insider threats — the risks of data being lost or stolen due to actions inside the company — are just as big a threat.

According to the 2018 Insider Threat Report by Cybersecurity Insiders, 90 percent of cybersecurity professionals feel vulnerable to insider threat. McKinsey’s Insider threat: The human element of cyberrisk reports that 50 percent of breaches involved insiders between 2012-2017.

“ By rethinking traditional DLP, you can know exactly where all your data is, how it is moving throughout your organization and when and how it leaves your organization — without complex policy management, lengthy deployments or blocks to your users’ productivity. ”

“The rise of insider threats is a significant threat to every business and one that is often overlooked,” said Jadee Hanson, Code42’s CISO. “While we all would like to think that employees’ intentions are good, we prepare for malicious actions taken by those from within our organizations. As external protection increases, we all should be concerned as to the influence external actors may have on those working for us and with us every day.”

Insider threats are a big deal, and traditional data loss prevention (DLP) solutions were developed to protect companies and their data from these internal events.

DLP hasn’t delivered

While traditional DLP solutions sound good in concept, most companies are only using a fraction of their capabilities. Security teams describe using these solutions as “painful.” Legacy DLP deployments take months or years, because proper setup requires an extensive data classification process, and refining DLP policies to fit unique users is complex and iterative. And after all that time, traditional DLP still blocks employees from getting their work done with rigid data restrictions that interfere with user productivity and collaboration. They also require on-site servers — counter to the growing business priority of moving solutions to the cloud.

Most importantly, legacy DLP solutions are focused on prevention. Business and security leaders now recognize that prevention alone is no longer enough. Mistakes happen, and data threats sometimes succeed. Being able to recover quickly from data loss incidents is just as important as trying to prevent them.

Rethink DLP

At Code42, we protect over 50,000 companies from internal threats to their data. This focus on protection has enabled us to see things differently, and develop an alternative to data loss prevention: data loss protection. We are excited to announce the new Code42 Next-Gen Data Loss Protection (Code42 Next-Gen DLP) solution that rethinks legacy DLP and protects data from loss without slowing down the business.

Code42 Next-Gen DLP is cloud-native and protects your cloud data as well as all of your endpoint data. It deploys in days instead of months, and provides a single, centralized view with five key capabilities:

  • Collection: Automatically collects and stores every version of every file across all endpoints, and indexes all file activity across endpoints and cloud. 
  • Monitoring: Helps identify file exfiltration, providing visibility into files being moved by users to external hard drives, or shared via cloud services, including Microsoft OneDrive and Google Drive.
  • Investigation: Helps quickly triage and prioritize data threats by searching file activity across all endpoints and cloud services in seconds, even when endpoints are offline; and rapidly retrieves actual files — one file, multiple files or all files on a device — to determine the sensitivity of data at risk.
  • Preservation: Allows configuration to retain files for any number of employees, for as long as the files are needed to satisfy data retention requirements related to compliance or litigation.
  • Recovery: Enables rapid retrieval of one file, multiple files or all files on a device even when the device is offline, or in the event files are deleted, corrupted or ransomed.

By rethinking traditional DLP, you can know exactly where all your data is, how it is moving throughout your organization and when and how it leaves your organization — without complex policy management, lengthy deployments or blocks to your users’ productivity. DLP can finally deliver on what it was originally created to do.


Data Exposure – Stockpiling Cryptocurrency? Save Your Money.

For years, organizations have heard the drumbeat of building digital security perimeters to protect their data. And to the best of their ability, they’ve listened to the experts, followed best practices and spent billions on strategies to prevent data losses and breaches.

Unfortunately, that strategy is no longer working and companies know it. In an increasingly complex digital threat landscape, cybercriminals are constantly evolving, waging successful ransomware attacks even on organizations that have well-established breach-prevention profiles. Our recently released Data Exposure Report, which surveyed nearly 1,700 security, IT and business leaders across the U.S., U.K. and Germany, tells this story in stark relief.

Playing defense in an unpredictable threat landscape

I wasn’t surprised to read in the report that 64 percent of CISOs believe their company will have a breach in the next 12 months that will go public. Furthermore, 61 percent say their company has already been breached in the last 18 months. What is surprising to me is the narrow window of time in which these breaches are happening, demonstrating the increasing severity of the threat.

Even more concerning is the growing number of companies that are reacting to ransomware by purchasing cryptocurrency. Nearly three-quarters of the CISOs we surveyed admitted to stockpiling or having stockpiled cryptocurrency in the last 12 months to pay off cybercriminals. Worse yet, 79 percent of them have actually paid ransoms to regain access to their corporate data.

“ Nearly three-quarters of the CISOs we surveyed admitted to stockpiling or having stockpiled cryptocurrency in the last 12 months to pay off cybercriminals. ”

Get hit, get back up

Security and IT leaders estimate that 39 percent of their organization’s data is only held on endpoint devices — making it more difficult to track. As we discussed in our previous blog, “The Risks of Playing Data Hide-and-Seek,” this lack of visibility over endpoint-only data puts valuable company IP at risk — and updating a company security policy will not change the outcome because some employees simply don’t follow the rules.

In business, time is money. This is especially true in the seconds, minutes, days and weeks after a security breach. Yet according to about one-third of security and IT leaders, it would take up to one week to enact their recovery plan.

There is another way

While companies might think that they have no choice but to pay cybercriminals, they do actually have other options. And the overwhelming majority of CISOs agree. Nearly three-quarters (72 percent) reported that their company must improve its breach recovery ability in the next 12 months. And 75 percent stated that their company needs to shift the focus away from prevention-only security to a prevention-and-recovery strategy.

So what does that mean?

Recovery and prevention

From an IT perspective, prevention is only a single facet of a robust security approach. Possessing the capability to find out how a breach occurred — then being able to recover in real time — is the ultimate definition of resilience. With a comprehensive data recovery tool that includes visibility and recovery for endpoints, companies wouldn’t have to pay a ransom to regain access to their data. They would simply restore their data using their recovery solution.

Code42 can help organizations regain control post-breach. To find out more, click here.

In case you missed them, get the full Code42 Data Exposure Report blog series:

Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure–The Risks of Playing Data Hide-and-Seek

With cybersecurity threats continuing to evolve, even organizations wielding security tools and policies are at risk from a potential breach. In fact, 20 percent of security and IT leaders admit they do not have full visibility to where their data lives and moves—leaving their organizations with a data security blind spot.

According to the findings of our new Data Exposure Report, which surveyed nearly 1,700 security, business and IT leaders, 80 percent of CISOs agree that, “You cannot protect what you cannot see.”

It seems business leaders, on the other hand, are not always aware of the challenges security and IT leaders face to protect data. The overwhelming majority (82 percent) of business leaders believe IT can protect data they cannot see. This disconnect has major implications for data security, as business leaders often determine the budgets that security and IT need to do their jobs.

“ Keeping track of company data is not as straightforward as it may initially seem. Today, it goes beyond simply monitoring traditional sanctioned storage—even in the cloud. ”

Data at risk

With the rise of flexible working practices and the ongoing digitization of information, the importance of data visibility and forensics across employee endpoints cannot be overstated. In modern enterprises, with data flowing freely in and out of the organization, traditional security perimeters are no longer enough to prevent breaches.

Without the right tools, endpoint data is particularly vulnerable. In fact, 86 percent of security and IT leaders believe saving files outside of company storage—for example on an employee laptop—puts their organization at risk. This is a significant concern considering that 73 percent of security and IT leaders believe that some company data only exists on endpoints. And this is critical data: Security leaders revealed that losing endpoint-only data could be business-destroying.

Data hide-and-seek

Keeping track of company data is not as straightforward as it may initially seem. Today, it goes beyond simply monitoring traditional sanctioned storage—even in the cloud.

While business leaders recognize that saving their data outside official storage causes unnecessary risk for their organization, they aren’t going to change their work habits. More than two-thirds (68 percent) of CEOs think there’s a risk to their company if they store data on devices such as laptops without keeping a copy in centralized storage—but they do it anyway.

Security must include recovery

Businesses need a safety net that will allow them to keep track of data stored on endpoints, regardless of employee behavior or communication breakdowns. To minimize risk to valuable IP, companies should have a security strategy that includes not only data recovery in the event of a breach, but also prevention tools to help prevent breaches from happening.

Coming up in the final post in this four-part series, we will explore why companies must shift their security strategy away from prevention-only to a prevention-and-recovery strategy that effectively deals with an increasingly unpredictable threat landscape. To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

In case you missed them, get part one and two of Code42’s Data Exposure Report blog series.

Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure Report: A Must-Read for Security Decision-Makers

We’re thrilled to announce the release of our Data Exposure Report. It reveals some startling truths about how human behavior drives data security vulnerabilities, despite the billions companies spend on data loss prevention.

IT leaders and CISOs will find some of their suspicions validated by the findings, particularly that CEOs are among the worst offenders at violating data security policy. But many of the disconnects we found between current data security strategies and the reality of the threat landscape will be surprising and sobering:

  • Almost three-quarters (72 percent) of CEOs admit they’ve taken valuable intellectual property from a former employer. Yet 78 percent of CEOs agree that ideas, in the form of IP, are still the most precious asset in the enterprise.
  • As many as 80 percent of CISOs agree that “you cannot protect what you cannot see.” Business leaders, however, have a different perspective. Among business leaders, 82 percent believe that IT can somehow protect data they cannot see.
  • Among CISOs, 64 percent believe their company will have a breach in the next 12 months that will go public, which has led nearly 73 percent of CISOs to stockpile cryptocurrency to pay cybercriminals.

The report, based on surveys of nearly 1,700 security, IT and business leaders from the U.S., U.K. and Germany, provides a comprehensive view of attitudes toward data security in this age of rapidly evolving cyber threats. This is the first in a series of four blog posts. Each post will delve into one of these key areas:

  • Emotional drivers of employee behavior that can put a company’s data at risk.
  • The importance of data visibility for security to do its job of safeguarding company data.
  • How to recover from a data breach while maintaining continuity.

Potentially most valuable for IT and security leaders, this report provides insights on ways to build business continuity and resilience in the face of an increasingly complex threat landscape. The upshot: resilience comes from companies evolving their data security strategies to include recovery from data breaches as well as prevention of those breaches in the first place.

“ To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats. ”

“The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy,” said Rob Westervelt, research director for the security products group at IDC. “To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats.”

Data is precious, but talk is cheap

The report reveals that, while most CEOs say their IP is one of their most valuable assets, they are the very people who put IP at risk through data practices they admittedly know are unsafe. Some key findings:

  • Among CEOs, 59 percent admit to downloading software without knowing whether it is approved by corporate security. The majority of business leaders (77 percent) believe their IT department would view this behavior as a security risk, but disregard the warning.
  • The majority of CEOs (93 percent) admit to keeping a copy of their work on a personal device, outside of officially sanctioned company storage. More than 68 percent of CEOs think there’s risk in keeping data solely outside of company storage, but they do so anyway.

So even though they know it’s risky—and they may have even lost work as a result of it—C-suiters continue to put their companies at risk by defying company policies and data security best practices.

The risks of playing data hide-and-seek

In this digital age, more flexible workplaces result in employees saving data on their endpoints, making it increasingly difficult for security departments to see data to protect it during a breach. Some key findings from the report:

  • Nearly three-quarters (73 percent) of security and IT leaders believe that some company data only exists on endpoints, such as desktops or laptops.
  • As many as 71 percent of security and IT leaders and 70 percent of business leaders believe that losing all corporate data held on the endpoint devices would be business-destroying or seriously disruptive.
  • In addition, 86 percent of security and IT leaders believe employees saving files outside of corporate storage poses a serious risk to the organization.

While clear and strong company policy about data security is critical, clearly it’s no match for the reality of human behavior. Companies must resign themselves to employees working and saving precious IP on their endpoints—not to mention engaging in other risky behavior that could result in a data loss incident.

Playing defense in an unpredictable threat landscape

In the evolving threat landscape, companies that experience a ransomware attack are increasingly faced with the untenable choice of paying off cybercriminals or losing precious data. Some key findings from the report:

  • Among CISOs, 61 percent say their company has been breached in the past 18 months.
  • The threat of cyberattack has led 73 percent to stockpile cryptocurrency to pay cybercriminals; of those, 79 percent have paid a ransom.

The most sobering part about these particular findings is the unnecessary use of resources to react to cyberthreats in this way. If a data loss event strikes, a comprehensive data security strategy that includes visibility provides companies with the ability to understand what happened and when. As a result, they are positioned to recover much faster.

An ounce of prevention no longer worth a pound of cure

“ Three-quarters of CISOs (75 percent) and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention-and-recovery-driven security. ”

Despite the disconnect between what they practice and what they preach, the report indicates that business leaders understand the need for a multi-pronged security approach in today’s complex threat landscape.

  • Three-quarters of CISOs (75 percent) and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention-and-recovery-driven security.

To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

Read Part Two of our blog series on the Code42 Data Exposure Report, “Is Your C-Suite Putting Your Data Security at Risk,” to learn how emotional drivers contribute to poor data security habits among employees.