We’ve seen it’s really interesting: when we first put it in our own company, every single person who left, every single one, took data that they shouldn’t take, in our own company. That is the importance of a non-compete agreement for any cybersecurity threat.
But today, nobody does.
What’s the difference? They now know we’re watching the store, because before, and also in most companies today, no one’s watching the store. If the store is wide open, and all the windows and doors are open, and everybody else is doing it, then people take a lot of data and become a cybersecurity threat.
But in general, people are good, and if you just show that you have some controls in place and that you don’t expect them to do it, people just stop immediately. In fact, today, at our company, almost every employee will email security saying:
“Hey, I’m leaving, but I want you to know, I’m taking these three files because they have my personal information on them” or something. They’ll tell them in advance.
That’s a really interesting change in dynamic and that’s all about us being very transparent with the organization about what our software does and what our security team expects. Like I said, most people are good, most people aren’t those malicious hackers out there.
Some people ask, “Hey, wait a second, are you watching us?”
To be clear, we’re only watching for data that employees move to untrusted sites, so if employees are sharing data with our ad agency, or they’re sharing data with our keyword search agency, or whatever they’re doing, none of that gets flagged; there are no issues there.
But, if employees are sharing company data with themselves or with third parties or with somebody they shouldn’t, they should be okay with the company saying, “Hey, why are you doing that?” and questioning that, and challenging that. A lot of times it’s by accident.
We had an interesting story happen a few weeks ago. We hired a new employee away from another security company, she joined us as a salesperson and she’d been with us about 10 days and all of a sudden, she downloaded all of this new confidential material from her old company onto her laptop.
Your software caught that and alerted on it, and our security team met with her and said, “Hey, what’s going on here?” and she said, “Oh, my God, I have no idea how that got there.”
They said, “Well, let me ask you a question. Did you just sign into iCloud?” And she’s like, “Yeah, when I plugged my phone into my computer, it made me put my iCloud account in.”
What had happened is iCloud automatically copied all of her documents when she was at her old company to iCloud and then copied them down to her new laptop when she signed into iCloud on her new laptop and she didn’t even know that was happening.
That’s one thing that Apple does, it’s really not a good practice, it turns iCloud on automatically, with any new machine.
So that’s one of those examples where we had her delete all that material, and we notified the other company so they knew what had happened. They were embarrassed because they weren’t using Code42 and they didn’t see the data leave; they should have seen the data when she first copied it from their company, but they didn’t have the tech in place.
So that’s interesting, because that’s also a new sales prospect for us, because they realize, “Oh, my gosh, we need to be able to see these kinds of things.” A lot of times it can be accidental, and so we assume positive intent, we assume the employee is not doing this on purpose, but then we verify to make sure.
There’s no camera, we don’t have camera software that’s looking at what the employee is doing, we’re not looking at their keystrokes, we’re not measuring their work productivity or anything like that.
We’re just watching really important company information and whether they’re removing it to someplace it shouldn’t go. If so, and the security team doesn’t pay attention or listen to that, they’re really not doing their job.
The cybersecurity threats and the industry are always evolving, and the bad folks are almost always one step ahead, because there’s such an incentive to be bad right now; we’re seeing a huge amount of ransomware out there.
What I would say to all you entrepreneurs out there, you should have a backup strategy and a ransomware strategy meeting.
You don’t want to be in a position of paying ransom, because if you’re stuck having to pay ransom, not only are you losing out on all that money, but two thirds of people that pay the ransom get hacked again within the first year by the same group, because it turns out “there’s no honor among thieves” is an old expression, and there is no honor among thieves.
They’ll tell you that they’ve rid your system of their software, but they haven’t, they’ve left backdoors, so ransomware is a big deal right now, you need to have backups of all your cloud information, but also stuff on your endpoints as well.
I think the most important thing is, and I’m talking to SaaS entrepreneurs and CEOs, you’ve got to build security in from the beginning today. You need a whole SecDevOps approach, where security is part of DevOps, not separated from it.
Security is not something we do after the fact. It’s not, “Hey, we’ve got to build our product first,” and then we’ll worry about how to secure it. You’ve lost if you do that; security has got to be baked in.
I am a 500 person company and I have more than 20 people in security, and so that is a difference, when I was running my last company, I think we had three or four people in security with a 500 person company. It’s changed, you need to have a real focus on security and security needs to be part of product development, it needs to be something you think about from the get go.
Most of the hacks that we see today are also misconfigured cloud servers. They are just seeing an incredible amount of misconfiguration, which results in data spillage and data leakage, and it’s all avoidable.
If you have the right people on the team, who understand security, and how to secure your application, that will pay dividends in spades, because it just takes one, especially as a young company, if you have one breach, you’re done.
If you’re trying to win in the enterprise space as a B2B SaaS company, you can’t afford one breach.
I think it’s just a constant investment in security.
We have sent people to school, we’ve trained people, we put in new methodologies but we also leverage some really good cloud technology.
We use both Azure and AWS as part of our product and we leverage the capabilities that they have, because they are some of the best in the world in security. I never thought I would say that about Microsoft, but they are.
Learn how to leverage, don’t roll your own. Many founders want to roll their own infrastructure, they want to roll their own applications to run their business and blah, blah. Don’t do that!
Invest in best-of-breed technologies to help you grow your business, and certainly, if you’re going to build something cloud native, I wouldn’t do it on “Jim’s discount cloud service.” If I were you, I would really leverage AWS or IBM or any of the public clouds that have strong security.
Joe Payne is the CEO of Code42 Software, a leading data and cybersecurity company that focuses on reducing the risk of data leakage from insider threats.
Joe is a seasoned executive with more than 20 years of experience and a proven track record leading high growth security and technology companies.
Joe engages personally in product strategy and direction, while growing and providing vision and guidance to a world-class team of security executives.
Previously, Joe served as CEO of eSecurity, the first SIEM software company and also served as the president of iDefense prior to its acquisition by VeriSign.
At iDefense, Joe led some of the best white-hat security researchers in the world and worked with the top financial institutions and government agencies in the United States to help improve their risk profile.