
DLP STILL Doesn’t Work: Proofpoint Sues Former Employee for Stealing Company Data


Joe Payne


What’s the #1 indicator that an employee is going to take data? They quit. It’s that simple. If you think your company is immune to departing employees walking out the door with sensitive data, think again. It happens every day – I’ve said this before.

Case in point: Last week, a data loss security company, Proofpoint, filed a lawsuit against a former employee for stealing confidential sales-enablement data prior to leaving for Abnormal Security, a market rival. According to the court filing, the employee “then shared at least one of the key documents in Proofpoint’s playbook… to give him and his new employer an unfair competitive edge.” To carry out the alleged heist, the employee didn’t even use the type of sophisticated technology that you might expect. Instead, the high-value documents were moved to an unauthorized USB device and simply walked out the door. Our own data shows this type of exfiltration is shockingly common, with removable media still accounting for 42% of data exfiltration as of March 2021.

The kicker? Proofpoint – a “leader” in data loss prevention – didn’t realize that critical data was leaving until months after the damage was already done. It doesn’t do much good to close the door months after the fox has left the henhouse. Knowing who is taking what when they are preparing to depart allows security teams to ensure that data is returned before the insider leaves the company and the data is exposed to their new employer. It’s also why we put such an emphasis on understanding which activity and behaviors increase the risk for our customers with Insider Risk Indicators (more on that later, though).

Thank you, Proofpoint, for demonstrating what many security leaders already know — legacy Data Loss Prevention (DLP) doesn’t work. If a legacy DLP vendor can’t keep a simple breach from occurring in its own company (a breach of data that Proofpoint claims is worth millions of dollars!), why would anyone trust legacy DLP software to keep their data safe? Short answer: they shouldn’t.

The Insider Risk problem is growing

The Risk created by Insiders is only growing. As companies emerge from the pandemic, 40% of employees are planning to switch jobs. Simply put: when people leave jobs, they take data with them. And according to Code42’s 2020 Data Exposure Report, more than two-thirds of workers who said they have taken data are repeat offenders and 32% of employees who take data to their new job say they were encouraged by their new employers to share data with new colleagues. The consequences of this behavior are even more damaging to a business when workers take data from a former employer and go to work for a competitor. 

Part of the problem is that data has never been more portable — so taking it has never been easier. Sales lists, product specs, pricing information, payroll data and even contact lists are just a few examples of small but critically valuable files that are simple to take. Employees can easily store hundreds of gigabytes on their mobile devices, send company documents to their personal Gmail, or quickly transfer data to personal cloud storage services like Dropbox.

As new cloud-based technologies and collaboration software have emerged, DLP has not kept pace. Defining concrete policies and patterns for “acceptable” human behavior has never been worth the squeeze – now it’s impossible. DLP does not work in today’s collaborative business environment. Full. Stop. 

This is a solvable problem

At Code42 we’ve been working to help our customers tackle the Insider Risk problem head on – before damage is done. Incydr, our Insider Risk Management solution, uses Insider Risk Indicators (IRIs) to identify risky behavior before sensitive data goes anywhere it shouldn’t. Activities like using removable media and personal cloud sharing all contribute to how we identify and manage risk for our customers. 

On top of that, Incydr identifies what data employees are taking as they depart your organization. In fact, we look back for 90 days because we have found that smart employees take important data long before they actually quit. Unlike Proofpoint and other traditional DLP players, we don’t require policies or classification of data, which means our solution rolls out in days not months. Oh, and unlike traditional DLP, we track and prioritize all data exfiltration in near-real-time so that security teams can intervene before departing employees leave the premises.

Chances are you are suffering from a data loss incident right now and don’t even know it. If you don’t want to be wrapped up in a lawsuit with a former employee, it’s time to take a closer look at your data leak protection strategy. You want to get the right tools in place to catch data leaks and theft before employees depart and the damage is done.

Download the Gartner 2020 Market Guide for Insider Risk Management Solutions to learn how a dedicated Insider Risk Management program can more accurately deter, detect and disrupt the activities of insiders that put data at risk – including carelessness, malicious behavior and cloud service usage.

Joe Payne

Joe brings to Code42 more than 20 years of leadership and a proven track record with high-growth software companies. He has a broad experience base in delivering software and Software-as-a-Service (SaaS) solutions to enterprises across numerous industries. As president and CEO of Code42, he drives the company’s strategic direction and oversees all operations. Joe currently serves on the boards of directors of multiple public and private companies, as well as the board of not-for-profit First Focus Campaign for Children.