Skip to main content

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Other available versions:

Versions 6 and 7Link: What version am I on?

Code42 Support

Best practices for defending against insider threat


An insider threat is a potential for harm coming from people within an organization, such as employees, former employees, contractors, or business associates. An insider threat can compromise an organization's data, computer systems, or security, and the threat itself might be theft of information, fraud, or sabotage.

This article provides best practices for security teams to follow in order to to most effectively monitor for insider threat activities and respond to incidents.

For additional Code42 best practices to protect your company from data loss, see Code42 Next-Gen Data Loss Protection best practices. For additional best practices to protect your company's data when employees leave, see Best practices for protecting data when employees leave


Watch the short video below to learn how to detect data loss from an insider threat. For more videos, visit the Code42 University.


  • Although Code42 is an essential part of your defense against insider threat, a robust insider threat response program involves many additional processes and stakeholders. Forrester Research offers steps for establishing such a program. For details, see the The Forrester Playbook for Insider Threat available from Code42. 
  • Some of these tasks require a product plan that includes the necessary features. Contact your Customer Success Manager (CSM) for assistance with licensing. If you're not sure how to reach your CSM, email and we will connect you.

Monitor insider threat activity

A key part of a robust insider threat response program is monitoring for insider threat activity.

Code42's File Exfiltration Detection provides monitoring tools that give you visibility into activity often associated with malicious insider behavior, such as unauthorized file movement. After setup, monitoring operates in the background and provides alerts to notify you when suspicious activity occurs.

The following Code42 features help you monitor and view insider threat activity:

Endpoint monitoring

Endpoint monitoring uses the Code42 app to capture file activity on each device in real time, helping you identify five types of potential data leaks or security problems:

  • Removable media
  • Personal cloud
  • Application activity (file upload and download)
  • Restore
  • Pattern matching

Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.

You can visualize the data collected by endpoint monitoring in two ways:

See Enable endpoint monitoring for file exfiltration detection for additional information.

Advanced search options
If you are licensed for Code42 Forensic File Search with the endpoint data source, user activity for Cloud Folders, Removable Media, and Application Activity is also available via the Investigation > Forensic Search section of the administration console.

Exposure filters in Forensic File Search introduce more advanced search options, and also display some file activity details in the administration console that were previously only available via CSV export. For more details, see the Forensic File Search reference guide

User activity

User activity searches for users' security events detected by endpoint monitoring. The report can help you identify and visualize potential data leaks. You can also export the results to a CSV file for analysis or archiving.

See User Activity and Activity Notifications reference for additional information.

Activity notifications

Use activity notifications to monitor file activity detected by endpoint monitoring for specific high-risk users and receive an email notification when suspicious activity occurs.

See Configure activity profiles for additional information.

Code42 app for Splunk

If your organization has Splunk Enterprise or Spunk Cloud, use the Code42 app for Splunk to visualize detailed endpoint monitoring data in the security dashboards. The Code42 app for Splunk has separate dashboards for monitoring removable media, cloud services, file restore, and file upload.

See Install and manage the Code42 app for Splunk for additional information.

Respond to an insider threat incident

When an insider threat incident occurs, you need to move quickly to identify the actors involved and the files compromised. The following Code42 features help you respond to an insider threat incident:

Forensic File Search

In the event of an insider threat incident, Forensic File Search provides detailed visibility for Code42 administrators about files on user devices, including files not selected for backup. Using Forensic File Search, administrators can search file metadata to gain a clearer understanding of file activity throughout the organization.

Forensic File Search helps you to quickly answer questions such as:

  • Is there file activity that looks like malicious activity?
  • Is there evidence of covering up malicious activity?
  • Who in my organization has, or previously had, a specific file?

Forensic File Search reports on file events detected by Code42. A file event is any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions. Search results return file events for all organizations in your Code42 environment.

See Configure Forensic File Search and Forensic File Search use cases for additional information.

Access Lock

If a user is identified as an insider threat, Access Lock enables administrators to lock the user's Windows device, thereby preventing unauthorized access. Locking the device prevents access to all content on the device (not just the files selected for backup). Access Lock leverages Microsoft's BitLocker technology to lock all drives connected to the device with a new key. Once a device is locked, it is completely inaccessible without the new recovery key to unlock it. The data on the device is retained and can be used to further investigate the threat.  

See Access Lock for additional information. 

Legal Hold web app

If file activity is identified as coming from an insider threat, files involved in that activity, and their history, can be collected and held for legal action using Code42's Legal Hold web app

File collection from a legal hold may be part of eDiscovery, the process of discovery in legal cases when the information is in electronic format. As part of the eDiscovery process, you may need to perform tasks such as the following in response to an insider threat incident:

  • Determine who has restored files from a particular organization and when the restores occurred. 
  • Search the logs stored on endpoint devices running the Code42 app.

See eDiscovery integration guide and Configure a legal hold for additional information.

Additional help

If you are new to Code42 for Enterprise, contact our sales team to get started.

If you already use Code42 for Enterprise, contact your Customer Success Manager (CSM) for enterprise support at for assistance with:

  • Licensing for specific features
  • Configuring your Code42 environment to best handle insider threat