Protect business data across a Cloud-first, global workforce
Media and advertising companies have a better understanding than most of how open, flexible work culture is both essential and challenging. That was certainly true in the case of this large media, marketing and advertising agency. “Even before the pandemic, a large portion of our users were remote and freelance employees, working on different devices, on and off the network — and in an industry that traditionally has a pretty high turnover rate,” says the company’s CIO. A busy security team of five managed around 1,000 users spread across offices and remote locations in its North American business divisions.
Back in 2019, the company was re-evaluating data security technologies and practices as part of its ongoing efforts to maintain and improve security posture. The motivation was both internal and external. “We wanted to ensure our people had continuous access to the files they needed to move work forward while ensuring those files remain protected,” explains the CIO. “We are working toward SOC-2 and we also have clients that have their own requirements around data leakage protection, so we wanted to make sure we could meet and exceed those client specifications.”
Incydr Proof of Value results in aha moment for security team
As the security team evaluated technologies to improve their data security posture, they engaged Code42 in a Proof of Value exercise for their Insider Risk Management solution. Within days of initiating the POV, the security team recognized the much broader potential of the Incydr product. “We knew Incydr could show us what people were doing with the files,” says the CIO. “And here’s this guy that was about to leave the company — a very senior person — and we saw that he had just downloaded every single file that he owned onto a USB drive. Every single PowerPoint he’d worked on, every bit of client info — everything. It was eye-opening.” It was a true “aha moment”: “We said, ‘This could be great for our compliance and data protection,’” says the CIO.
Thanks to the heads-up from Incydr, the security team immediately notified HR, and legal was able to contact the departing senior staff member before he left the company. Fortunately, as is increasingly the case with insider data exfiltration today, the employee wasn’t intending to steal valuable and sensitive information. “He just wanted to quickly grab all his personal files and portfolio work,” says the CIO. “He apologized and returned the USB with all the non-personal stuff on it promptly.”
Greater context and visibility help address an industry-wide challenge
While the high-profile data exfiltration nightmare had a happy ending, the experience was indicative of a much bigger challenge for the company. “We have a very high turnover rate — probably 25% annually, which is typical in this industry — and that does create a bit of a problem,” says the CIO. Departing employees typically head to competitors. “If you want a promotion, the best way to do that is to leave and go to a competitor. That’s pretty much the name of the game for advertising and marketing firms,” he explains. Not surprisingly, employees feel a sense of pride and ownership over the work they’re doing. So, they feel entitled to take it and use it to land their next gig, or to build on in their future work. But that non-malicious file exfiltration still puts the company — and its clients — at risk. It’s not just embarrassing to have customer files leak. If creative gets out before launch, it could destroy a campaign. And if the thinking and strategy behind a campaign gets out at any time, it could destroy a client’s competitive positioning and advantage.
“We’ve known that people were doing things like this,” says the Systems Security Director. But before Incydr, a lack of visibility into file activity limited the team’s ability to detect and respond to specific incidents. “When we reported the departing employee data exfiltration to legal, they were like, ‘Wow, this is amazing — do we have this for everybody?’” says the CIO, “And the answer at first was, ‘No.’”
The ability to protect valuable files while enabling an open, agile work culture
The nature of the media, marketing and advertising business makes the company’s valuable and sensitive files nearly impossible to lock down. “We don’t work for a bank or finance company; we have a lot of things open,” explains the CIO. Employees need to access every corner of the Internet, regularly work within social media platforms to build and activate content, and use web- and cloud-based apps to simplify and accelerate their productivity and collaboration. “We have to allow Facebook, for example, because we’re creating content on Facebook and placing ads on Facebook every day. We let people use their own Gmail or Hotmail accounts. For us, it’s pretty much all open.” And the creative work and campaign strategy documents they’re creating are both unstructured and constantly evolving. Employees are creating, sharing, editing and collaborating on files all day — with other remote colleagues, as well as with clients and other third parties — and “what’s ‘valuable’ changes from day to day, even hour to hour, based on time-sensitive campaigns,” explains the CIO.
That’s where the comprehensive visibility provided by Incydr comes in. “Incydr lets us see all this file activity — all users, all devices, all channels — while letting us keep a very open culture,” says the CIO.
A proactive data protection strategy when employees depart the organization
Having recognized the broader potential of the Incydr solution to address the complex insider file exfiltration risks of their open, agile business, the security team has started by narrowing its focus to what they know is their biggest data security risk: departing employees. “As soon as HR notifies us that someone is leaving, we add the user to Incydr’s Departing Employee Lens,” says the Systems Security Director.
The company is working toward integrating Incydr with its HR system, Workday, to fully automate this process. But for now, the focused lens, high-fidelity alerting and easy investigation capabilities of Incydr empower the relatively modest security team to tackle the departing employee challenge. “We have a very small group, really just a few of us handle all the alerts,” says the Systems Security Director. Once an alert comes in, “It usually only takes us a few minutes to investigate,” he says. “And even if it’s more like a thousand files that have been moved, it still wouldn’t take us more than 30 minutes to investigate and respond.” “We provide a report generated by Incydr to our HR team over email,” explains the Systems Security Director, “And the report basically says, ‘This is what they exfiltrated and this is where it went (a USB device, for example).’”
The company’s HR and Legal teams regularly use these Incydr reports to effectively protect data from leaving when employees depart. In fact, HR now includes an explanation of Incydr’s capabilities in their employee offboarding briefing. “They’re beginning to be a little bit more vocal in notifying people — boosting awareness on top of acceptable use policy, because no matter how many times you tell people, they still do these things,” says the CIO. That proactive communication is paying off: “We used to get the alerts even more often and they’re slowing down now,” the CIO says.
The ability to identify and address common exfiltration opportunities without sacrificing culture
While cloud sharing is an increasing data exfiltration risk, departing employees still go “old school” when taking files. “When we’re looking at departing employees, it’s typically just USB as the vector,” says the Systems Security Director. In the instances of intentional exfiltration, “I think people know we’re monitoring network traffic, but they don’t think we’ll be looking at the drives,” he explains.
And what are departing employees most often taking? “It’s a little of everything,” says the company’s IT Security Manager, “Sometimes you’ll see a ton of pictures and then a few things that are client-related. Other times you’ll just see a dump of work-related files.” While most of this is accidental or unintentional, even when employees are purposefully taking client-related files, “They’re likely not trying to harm the company. They’re just looking out for #1,” says the IT Security Manager, “But unfortunately, it could still be damaging to our company and our clients, no matter their intent.”
Incydr data protection across the business to protect their most valuable assets and enable employees
The small-but-mighty security team is taking a forward-thinking and proactive approach to the rapidly growing insider risk that’s an inevitable product of fast-paced, cloud-powered collaboration culture. “We know that remote work, cloud-driven work is only accelerating — and not just on the creative side, but across the entire business,” says the CIO. They’re planning to expand Incydr to other divisions of their North American business. “It is my intention to get every single person that we have — all 3,000-plus on the North American side — using Incydr.”
Summing up the value of the Incydr solution, this group of veteran security professionals says Incydr insights aren’t revelatory so much as empowering: “We’ve always known that people are doing things they shouldn’t,” says the Systems Security Director, “Now we can prove it and do something about it before it hurts the business.”