Skip to main content

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

Secure data throughout employee tenure


Throughout an employee's time at your company, their access to data may pose more or less risk. For example, a new employee may unknowingly break company policy by using a thumb drive, or an employee who put in their notice may plan to take company data with them when they leave. 

To be sure your data remains secure, use watchlists to more closely monitor the file activity of employees with higher risk profiles. 

For detailed steps about how to add employees to watchlists, see Manage watchlists.

About watchlists

While having access to your high-impact data may be critical for an employee to do their job, this access can leave you vulnerable for potential data loss. 

Use watchlists to more closely monitor employees that may have higher risk due to their job requirements or their past behaviors:

  • Departing: Employees about to leave the company
  • New hire: Brand new employees that may not be aware of your security practices
  • High impact: Employees who have a special role or broad access to high-value data
  • Elevated access: Employees who have elevated privilege or access to sensitive systems
  • Performance concerns: Employees that have a poor performance review, got a demotion, or are on a performance improvement plan
  • Flight risk: Employees that have reached a tenure when you often see them leave or they express job dissatisfaction, get turned down for a promotion, or have teammate conflicts  
  • Suspicious system activity: Employees who tried to access sensitive systems or raised alerts in other security monitoring systems
  • Poor security practices: Employees that use unsanctioned tools to get their jobs done or have poor security awareness as shown by consistently falling for phishing tests or failing security training
  • Contractor: Employees who have a contract or temporary status

For each watchlist, you can set up customized alerts to notify you when important data may be leaving your organization. 

More tools to identify insider risks

In addition to the watchlists, the following tools and resources help aid your insider risk detection program: 

  • Use the Departing employee risk report to establish a standard process to investigate employees as they leave your organization. Quickly review a user's file activity for the previous 90 days and determine if a response is needed now or upon their departure.
  • Use the All users list to see what users have critical file activity is occurring across your organization.
  • Use the User profile to check an employee's file activity ad-hoc, to verify that you don't have data leaving your organization. Based on what you see on the User profile, you may determine the employee should be added to a watchlist. 
  • Risk indicators call attention to potentially risky file activity from an employee, such as a file extension mismatch or file activity that occurs when the employee is typically not active. 
  • Look at all the file activity across your organization on the Risk Exposure dashboard.
  • Add trusted domains and IP addresses to help you focus on higher risk activity.
  • Create alerts to notify you when specific file activity behaviors exceed your thresholds.
  • Add data sources to get alerts about file activity in your designated cloud services, such as Google Drive, Microsoft OneDrive, or Box, and email services such as Gmail or Microsoft Office 365.
  • Identify where to focus controls, training, and engagement with the Insider Risk Trends dashboard to improve your organization's risk profile.

For more information about how you can use Code42 to detect, investigate, and respond to insider risks, see Detect and respond to insider risks.

  • Was this article helpful?