Skip to main content

This article applies to version 6.

Other available versions:


Available in:

Small Business
Code42 Support

Best practices for defending against insider threat

This article applies to version 6.

Other available versions:


Available in:

Small Business


An insider threat is a potential for harm coming from people within an organization, such as employees, former employees, contractors, or business associates. An insider threat can compromise an organization's data, computer systems, or security, and the threat itself might be theft of information, fraud, or sabotage.

This article provides best practices for Code42 administrators to follow in order to to most effectively monitor for insider threat activities and respond to incidents.


  • You must have a Security Center product plan (File Exfiltration Detection and/or Forensic File Search) and the Legal Hold add-on in the Recovery product plans. Contact your Customer Success Manager (CSM) for enterprise support at for assistance with licensing.
  • Forensic File Search is only available in Code42 cloud environments.
  • Although Code42 is an essential part of your defense against insider threat, a robust insider threat response program involves many additional processes and stakeholders. Forrester Research offers steps for establishing such a program. For details, see the The Forrester Playbook for Insider Threat available from Code42. 

Monitor insider threat activity

A key part of a robust insider threat response program is monitoring for insider threat activity.

Code42's File Exfiltration Detection offering provides monitoring tools that give you visibility into activity often associated with malicious insider behavior, such as unauthorized file movement. After setup, monitoring operates in the background and provides alerts to notify you when suspicious activity occurs.

The following Code42 features help you monitor and view insider threat activity:

Endpoint monitoring

Endpoint monitoring uses the Code42 app to capture file activity on each device in real time, helping you identify five types of potential data leaks or security problems:

  • Removable media
  • Personal cloud
  • Browser activity (Windows devices only)
  • Restore
  • Pattern matching

Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.

You can visualize the data collected by endpoint monitoring in two ways:

  • Sign in to the Security Center to view basic information from endpoint monitoring in a web browser.
  • Install the Code42 app for Splunk to visualize detailed endpoint monitoring data as part of a larger Splunk installation.

See Endpoint monitoring for additional information.

User activity

User activity searches for users' security events detected by endpoint monitoring. The report can help you identify and visualize potential data leaks. You can also export the results to a CSV file for analysis or archiving.

See Security Center reference for additional information.

Activity notifications

Activity notifications monitors file activity detected by endpoint monitoring for specific high-risk users and sends an email notification when suspicious activity occurs.

See Configure activity profiles in Security Center for additional information.

Code42 app for Splunk

If your organization has Splunk Enterprise or Spunk Cloud, use the Code42 app for Splunk to visualize detailed endpoint monitoring data in the security dashboards. The Code42 app for Splunk has separate dashboards for monitoring removable media, cloud services, file restore, and file upload.

See Install and manage the Code42 app for Splunk for additional information.

Data leak detection script

With the data leak protection script, you can monitor and protect the archives of selected users in your Code42 environment against unauthorized or suspicious restore activity. The script is in the form of a Code42 API Python script.  

Use the script to monitor one or more users for:

  • Number of restores since the last script run
  • Restores to devices that are not the original source of the data
  • Restores performed by a user who does not own the data
  • Web restores

When the script detects an activity that may lead to a data leak, it can take one of the following actions:

  • None
  • Warn
  • Block

See Data leak prevention and detection with the Code42 API for additional information.

Respond to an insider threat incident

When an insider threat incident occurs, you need to move quickly to identify the actors involved and the files compromised. 

The following Code42 features help you respond to an insider threat incident:

Access Lock

If a user is identified as an insider threat, Access Lock enables administrators to lock the user's Windows device, thereby preventing unauthorized access. Locking the device prevents access to all content on the device (not just the files selected for backup). Access Lock leverages Microsoft's BitLocker technology to lock all drives connected to the device with a new key. Once a device is locked, it is completely inaccessible without the new recovery key to unlock it. The data on the device is retained and can be used to further investigate the threat.

See Access Lock for additional information. 

Legal Hold web app

If file activity is identified as coming from an insider threat, files involved in that activity, and their history, can be collected and held for legal action using Code42's Legal Hold web app

File collection from a legal hold may be part of eDiscovery, the process of discovery in legal cases when the information is in electronic format. As part of the eDiscovery process, you may need to perform tasks such as the following in response to an insider threat incident:

  • Determine who has restored files from a particular organization and when the restores occurred. 
  • Search the logs stored on endpoint devices running the Code42 app.

See eDiscovery integration guide and Configure a legal hold for additional information.

Additional help

If you are new to Code42 for Enterprise, contact our sales team to get started.

If you already use Code42 for Enterprise, contact your Customer Success Manager (CSM) for enterprise support at for assistance with:

  • Licensing for Security Center or the Legal Hold web app.
  • How to configure your Code42 environment to best handle insider risk.