HRTech Interview with Kathy Walen, VP of People at Code42

Learn about successful tactics and recommended procedures for reducing insider risk in organisations from this interview.

Kathy, can you briefly introduce yourself and your role as VP of People at Code42? How has your journey been so far?

In 2020, I joined Code42, the leader in data loss and insider threat protection. In late 2022, I became the VP, People, and was responsible for spearheading the company’s people activities and overseeing talent acquisition, education and development, people business partnerships, and benefits teams. I have over two decades of human resources experience with previous roles at Sportradar, MACC Commonwealth, VMware, and Shavlik Technologies. At Code42, one of my primary roles is to cultivate a thriving work environment, company culture, and employee experience to further the company’s mission of securing the modern workplace from data exfiltration.

Mission

Could you share Code42’s mission for addressing insider risk and creating a secure work environment?

Code42’s insider risk software solutions provide the right balance of transparency, technology, and training to detect and appropriately respond to data risk. With Code42, security professionals can protect corporate data and reduce data loss from insiders while fostering an open and collaborative culture for employees.

Insider Risk and Remote Work:

Insider risk is on the rise. Can you shed light on why this issue has gained such prominence lately, especially with the increase in security incidents?

While insider risk is not a new problem, it has become increasingly urgent to proactively address. The shift toward a vastly distributed workforce, reliance on cloud tools and digital applications, employment patterns like the Great Resignation and recent layoffs, and more recently, changes in legislation to non-compete restrictions, have contributed to a rise in the exposure, threat, and loss of valued data and IP.

Many internal breaches are not caused by malicious actors, but by employees simply trying to do their jobs in the most efficient way possible, which could mean using unsanctioned apps, platforms, or tools. While employees are leveraging these tools with the best intentions, they’re typically unaware that their actions have consequences that could impact the entire organization. Keeping track of the tools they can and cannot use can quickly become too complex or overwhelming to employees who may deprioritize (or simply forget) company-sanctioned security practices in favor of what’s more convenient at the moment.

Remote workers seem more vulnerable to insider risk. What factors make them particularly susceptible to this threat?

Though insider risk is not new, it has become more prevalent over the past few years due to remote work and higher turnover. In remote-first distributed workforces, increased use of collaboration tools and high-risk digital behaviors increase risks. Our workforce is more transient than ever, which is resulting in unprecedented levels of business risk.

The rise in fully hybrid, remote, and flexible working environments has spurred a reliance on cloud applications and collaboration tools to bring the office to employees. As the use of these tools is now commonplace, the resulting potential for data leak, loss and theft has increased exponentially.

In today’s cloud-fueled workplace, HR leaders must take on the mantle of defending against insider risk. The fight against insider-driven data loss must expand beyond just your security team; HR leaders have a vital role to play, particularly in channeling their knowledge of people to approach these conversations with an empathetic lens.

Can you share some real-world examples illustrating the impact of insider risk on companies of varying sizes and industries?

For business leaders, some of the most daunting cybersecurity threats are those emanating from ‘inside the house’ — especially when it comes to employees taking valuable IP to competitors upon leaving their organization.

I’ve seen this hit close to home, as one of Code42’s customers found that a departing software engineer exfiltrated $5 million worth of source code. Thankfully, the file movement was detected before the employee left, and any potential damage was thwarted, but it could have been much worse. The reality is that these scenarios happen every day at companies of all sizes and across all industries, but most aren’t as vigilant in stopping data from walking out the door.

This type of insider threat – the departing employee (whether malicious or not) – demands much more attention from business leaders. Data loss incidents are an increasingly pervasive problem, with Code42’s 2023 Data Exposure Report survey identifying a year-over-year increase of 32% in the number of insider risk incidents, and finding that 85% of companies are facing technology and visibility challenges when it comes to protecting data from exfiltration by insiders.

Mitigating Insider Risk:

In your view, what are some effective strategies or best practices for organisations to mitigate insider risk?

Our research found that 93% of CISOs say that the new hybrid-remote workforce has increased the need for data security training in their company.

While cyber threats are ever-evolving, human error remains a constant. Partnered with a strong foundation of effective security training at orientation, a promising new approach to the human element lies in the automation of security training to foster real-time learning. We have found success in automating the sending of customized microtrainings, which are triggered in real time by employee behavior. These microtrainings are more timely and relevant than quarterly or yearly company-wide training sessions, resulting in security knowledge that sticks.

For example, when an employee accidentally uploads a file to an untrusted Dropbox account, an automated “nudge” training is sent to remind them of company policy and best practices for data handling. This individualized and timely approach builds stronger data security postures over time.

In addition to our customized microtrainings, we’ve leaned into empathetic investigations to correct and educate employees. Often, security investigations assume the end-user was acting maliciously; however, we have found that by reaching out to employees with empathy and nuance, organizations are in a much better place to holistically understand why employees are making mistakes and breaking policy. There are various ways to approach this, but the first step is always connecting with the employee to understand the situation and hear them out. Through these conversations, security teams can offer employees guidance to make better decisions with company data.

Ultimately, creating a culture of transparency and empathy will foster a security-minded organization and encourage employees to closely monitor their own behaviors and avoid potential insider threat events.

Culture of Trust and Transparency:

As organisations adapt to remote and hybrid work, what challenges might they face in building a culture of trust, transparency, and security awareness?

Traditional methods of data loss prevention often focus on coercing employees into admitting suspected wrongdoing. In contrast, I believe that the best approach to mitigating this type of data loss is to start with empathy.

Most companies hold security training as part of their onboarding process, and others offer an annual training refresh. However, a once-yearly reminder of security protocols isn’t enough to ensure proper retention. The best way to create awareness among employees is to send real-time reminders, coupled with annual, biannual, or monthly training refreshers.

When it comes to training employees, simple education delivered at the right time can go a long way toward steering behavior and building a security-aware culture. This shift in approach results in increased control over organizational data and creates secure work habits to decrease future chances of employees putting data at risk.

You’ve stressed the importance of a culture of trust and transparency. How can organisations cultivate and sustain this culture, especially in remote or hybrid work environments?

People are the engine that fuels innovation in the modern enterprise and are an organization’s greatest asset. For security teams, however, humans are often regarded as the “weakest link” in the security chain. Because insider threat is fundamentally rooted in the behaviors, motivations, and actions of an organization’s employees, it requires a human-focused approach.

Leading with empathy is essential. Leaders must acknowledge that employees are humans, not machines, and that they make honest mistakes. Creating a blame-free environment allows for a trusting and supportive culture. The training assessment and improvement process must be continuous, starting with comprehensive onboarding that educates employees on data security principles and best practices. To build trust, HR leaders need to openly communicate the organization’s data and security policies and partner with security teams for timely risk intervention.

Lastly, HR plays a foundational role across every phase of an employee’s work lifecycle — from screening and hiring, promotions and reassignments, through their post-employment departure — they are integral in establishing and maintaining a secure organizational environment. Sitting at the nexus of employee development and training, HR leaders must work closely with their security counterparts to ensure that all employees are properly trained on existing security protocols and know about the latest threats.

Interconnected Factors:

Kathy, how do remote workers, employee engagement, and insider risk relate, and why is this connection crucial in today’s hybrid-remote workplace?

Today, data is highly portable. The same cloud technologies that empower employees to connect, create and collaborate faster and easier also make it faster and easier to expose and exfiltrate data. As cloud-based collaboration tools have risen in popularity, personal use of the same tools has created a high risk for data leaks and theft, which can pose significant financial costs to businesses.

To identify risky insider behaviors, companies need to establish strong programs to fight insider-driven data loss. SaaS-based technologies, like Code42’s Incydr solution, help provide the right visibility into data movement and file sharing without blocking a company’s collaborative culture or employee productivity.

The bottom line is that cultivating a collaborative company culture, where employees are the allies of the security team, is essential to curbing insider risk incidents and establishing a proactive security posture. Organizations need to reevaluate their approach to this type of data loss to ensure the technology and programs in place are effective and that they drive cultures where employees make safer and smarter decisions about sharing data.

Conclusion Question

In the coming five years, how does Code42 envision its future, both in terms of growth and the impact it aims to achieve?

Our main goal of protecting the collaboration culture will remain a driving force for Code42 in the years to come. As data loss from insiders grows with each passing year, we see our role in helping safeguard organizational data as paramount.

Oftentimes, the biggest threats to valuable IP are those that are unknown. While protecting against known risks remains critical, accounting for unknown risks can present a formidable challenge. We at Code42 are committed to partnering with business leaders to achieve a holistic understanding of their data protection strategies against insider threats.

Beyond pragmatic approaches to these issues, we’re also invested in imbuing company cultures with the right tools and mentalities to become truly aligned in protecting IP. You can invest in every tool on the market, but if your employees don’t understand or trust your insider threat policies, you’ve already shot yourself in the foot. Helping companies create and maintain empathetic, security-aware cultures is a driving force behind our work, and we see it as a crucial step in establishing an insider risk management program.

Final thoughts

Kathy, is there any key takeaway or message you’d like to leave our audience regarding insider risk, remote work, or building a culture of trust and security in the workplace?

A focus on cybersecurity education – specifically skill development – is long overdue. In addition to a cybersecurity skills gap and workforce shortage, technology is rapidly changing, and we are seeing more and more companies, governments, private entities, families, and individuals impacted by cybersecurity incidents.

When it comes to attracting and retaining talent, employers should continue to think of upskilling their teams and providing up-to-date training on the always-changing and evolving field of cybersecurity.

In a field that is low in diversity of representation, there also needs to be more commitment demonstrated toward upskilling and investing in communities that are less represented in cybersecurity.

Kathy Walen, VP of People at Code42

As the VP of People for Code42, Kathy Walen is responsible for leading the company’s People activities through Talent Acquisition, Education and Development, People Business Partnerships and Benefits teams. She brings more than 20 years of Human Resources experience to Code42. Kathy’s empathetic and relationship-first approach to leadership and her commitment to building a customer-focused and team-first workforce cultivate an incredible employee experience and culture that is consistently recognized as an Inc. Best Workplace and Star Tribune Top Workplace.