When you think about endpoint security, what comes to mind? Endpoint security focuses on protecting corporate networks that are remotely bridged to users’ laptops, mobile devices, tablets and other technologies. Because these gadgets are connected to corporate networks, they can represent a security threat. Endpoint security is designed to lessen these threats through proactive practices and tools, such as firewalls, access controls, antivirus software and intrusion prevention, among others.
But sometimes following traditional best practices for endpoint security isn’t enough. Barkly reports that “over 40% of US businesses were compromised due to fileless attacks and exploits. Overwhelmingly, respondents cited that over-reliance on traditional endpoint security has left organizations exposed to significant risk.” Endpoints continue to be the most likely entrances into an enterprise for hackers, and endpoint breaches can remain undetected on a network for many months as these vandals gather further intel. In 2017, the average organization lost over $5 million from endpoint attacks.
Most security experts admit endpoint data breaches are less about if they will happen and more about when they will occur. So, we think it’s time to focus on preventing sensitive data from being available to hackers when defining best practices for endpoint security. This means you need to expand your best practices to include good data hygiene practices and employ data erasure when sensitive data is no longer needed for retention purposes, or is redundant or obsolete.
How to Achieve Data Hygiene Best Practices
To achieve data hygiene best practices, you first need to locate all the data your organization has across all its IT assets and in the cloud. Then, you must classify your data into one of three categories: business-critical (need it now), necessary for compliance (need it later) or unnecessary (redundant, trivial or obsolete). Once you’ve classified the data you have, it’s time to build a program to continue to classify data across its lifecycle, from creation, to use, sharing, updating, archiving, storing and, finally, secure disposal.
Many organizations fall short when it comes to erasing sensitive files and data from local disk storage on endpoint computers and laptops. Email attachments, database exports and custom reports all contain sensitive data that may reside on one or more users’ local desktops or laptops. In many cases, these have been downloaded and saved locally to help users perform one or more legitimate job functions. You can’t stop your employees from using sensitive information, but you can make sure that sensitive data is securely and permanently erased when it’s no longer needed.
Adding Data Erasure to Your Endpoint Security Plan
To add data erasure best practices to your endpoint security strategy, look for a “file eraser” tool for use on desktops, laptops and other endpoints. Use this tool in accordance with your own policies, as well as regulations that require customer information to be securely removed, including the GDPR.
The first step to employing such a tool is to educate users that deleting a file, reformatting a computer or emptying a laptop’s recycle bin doesn’t remove that file forever. It’s still there and easily recoverable. Instead, users should mark items for secure erasure. (Some tools, like Blancco File Eraser, can be automatically deployed and updated to one or more endpoint devices via a Microsoft Windows Installer (MSI) package.) There are many situations in which erasure should occur, including:
- Routine shredding for specific sensitive files at user logout, user login or at other designated times and frequencies
- Compliance and auditing purposes, when employees are traveling with corporate laptops, or when erasure is needed to satisfy retention requirements
- When inappropriate or personal files have been identified and require removal, among other situations
There’s much more to discover about data erasure and endpoint security. Download the full eBook, “A New Take on Endpoint Security Best Practices: Better Data Hygiene and Secure Erasure,” to further explore this new take on endpoint security.