If there was ever a time for Code42 to highlight its value, this would seem to be it. Insiders are among the biggest threats to data security. And the two times they are most likely to pose a threat to their companies are when they leave their jobs and when they work remotely. Covid-19 has created the most massive layoffs and the largest remote workforce in U.S. history.
Founded in 2001, Code42 used to be known for backup software. But these days it’s all about solving the ever-growing problem associated with insider threats. During a recent briefing for TAG Cyber analysts, the marketing team of the company, which is headquartered in Minneapolis (with offices near Denver, Washington, D.C., and London), acknowledged the challenge.
The employment changes and the upheaval have been daunting. And Job #1 for Code42 is to give client companies clearer visibility of their data, now in the hands of a 100 percent remote workforce. There’s more at stake all the time in this new digital economy, said Abhik Mitra, a senior product marketing manager. “It isn’t just a security or IT matter anymore,” he said.
“So many constituents are involved,” added Mark Wojtasiak, vice president of portfolio marketing, “that it isn’t just a cybersecurity problem.” When it comes to insider threat, it’s more of a culture problem, and the gap between security, IT, Legal and HR needs to be bridged with programs, processes and product, said Wojtasiak.
The Covid-19 pandemic has underscored the importance of the collaboration culture, said Alexandra Gobbi, the chief marketing officer. The tremendous expansion of the remote workforce has added risk, she said, but it’s also been a positive development. Companies are realizing that their workforce can work productively in a remote way, and that innovation can continue.
Wojtasiak said that some of the recent changes are likely to be at least prolonged, if not permanent. He has taken to calling these developments the “next-normal.” Speaking of chief information security officers, he wrote in a recent blog posted on the Code42 website:
“Managing data risk is not only an information security issue falling squarely in the hands of the CISO. In the next-normal, managing data risk is an organization-wide responsibility, so these questions also apply to the CEO, CIO, CHRO, general counsel and line of business leaders.”
In our briefing, he added that CISOs should now have a seat at the table. They need to be part of the leadership team, if they weren’t already. He suggested that they will be going forward.
Lawyers are also key players, Wojtasiak continued. Compliance, employee privacy and transparency need to be balanced against risk. “Who better to think about risk holistically than Legal?” he said. Chief risk officers often have legal backgrounds, he noted. “Lawyers are good at managing risk—not just mitigating risk, but managing it,” he said.
How the Software Works
The first thing to understand is that Code42 doesn’t set or enforce data policies. It focuses on the data and how it moves, looking for anomalies that could indicate vulnerability and risk to corporate data.
When employees are onboarding, employers can see on their dashboards what these new hires bring in. Did they bring source code with them? Did they bring documents from their former places of employment? Employers can see the flow of data into their companies’ cloud, and they can even examine specific files. But Code42 cannot.
“Code42 can never see our customers’ files,” Wojtasiak said. “The customer always owns the key.”
The client’s ability to see the data extends both to employees located in the company’s headquarters and to those working someplace more remote (think the local Starbucks). They can view the flow of data on a special day, like the day of an exfiltration event. Or they can focus on the actions of employees deemed to be risky because they handle high-value data. And companies can configure and customize alerts, so they receive warnings when files are moved in certain ways.
The key there, said Mitra, is to avoid “alert fatigue.” Too many alerts elicit the same reaction that recurring false fire alarms do: they’re ignored.
For small companies, the Code42 dashboard lets the firm view each employee’s handling of data. But for companies with hundreds or thousands of workers, that’s not practical. So they generally focus on unusual or risky data behavior. They can list the five or 10 largest files moved and see what comes up.
In the PowerPoint deck that the marketing team showed us, they had slides that provided examples. One (which you can see at the top of this article) had data for high-risk employees and departing employees. It also showed the top five remote employees with the riskiest data behavior during the previous seven days (they all moved lots of files), and destinations to which files were moved (including iCloud, Box, Dropbox and removable media). It’s all based on data flow, not “Big Brother” spying on individuals.
What the Software Does Not Do
One of the most important things to understand is that Code42 does not block data from being exfiltrated. And that’s one of the reasons, Gobbi said, that the role of the client’s general counsel is so important. When the client’s tech team discovers unauthorized movement of data, it’s up to them to notify the GC and the CEO, or the line of business manager, who can then confront the employee. This process varies from one organization to another, so Code42 makes it easy for customers to right-size their response to their own processes, or set up an entirely new process.
The key, Gobbi emphasized, is speed. When trying to minimize the impact of data leakage and take the right action—whether to block or to recover—the most critical variable is the speed of the detection and the speed of the response.
Some customers have struggled with the Code42 approach at first, Gobbi said. But after they thought about it, they agreed that it was the right one. It means, though, that effective blocking requires a partnership between the tech and legal teams.
The alternative approach, Mitra explained, would be jumping the gun and blocking the user, which assumes guilt. That was not a policy that Code42 wanted to adopt.
The old school approach, said Wojtasiak, is technology-based. It would lock down the computer. But Code42’s system requires a human response. It’s up to the business leaders to act. Their reaction doesn’t have to be heavy-handed, he said. The employee’s motive may have been nefarious. But that isn’t always the case. Sometimes people aren’t aware of security policies, and the client could decide that the appropriate response is to require the employee to undergo training.
The bottom line is that Code42 encourages clients to be transparent with their employees. And it shares best practices with customers. But it doesn’t tell them what to do.
It supplies clients with the tools and the information with which to monitor and control their data. And it empowers them to make informed decisions that best support their businesses.
Whether Code42 is the right company to partner with for solving insider threat may well come down to how a company feels about that approach. But this does seem to be a prime time to appreciate the value of what it does.