Have you tried to deploy an encryption product but failed? Don’t give up. Without the right approach, you will find it difficult to secure your business data. And if half of your company is working remotely and using unencrypted devices, even one stolen phone can jeopardize your business.
Data breaches and the ensuing reputational damage pushed the small and medium-sized business (SMB) sector to start adopting encryption even prior to the arrival of the GDPR. But the SMB segment is huge and embraces a wide spectrum of levels of cybersecurity maturity and data governance approaches.
The GDPR makes it the legal responsibility of business owners and IT operators to secure customer and employee personal data. The regulation, with its suggestion to encrypt, anonymize or destroy data (after business use), along with an ever-growing number of data breaches, is driving SMBs to implement data protection technologies.
However, in the rush to secure business data, proper vetting of products and best practices in implementing solutions has often been lacking. With limited time for market research, and the reality of finding a market flooded by a vast selection of products, it remains challenging for owners and decision-makers to find the right fit for their needs.
If you are facing this decision, make sure to answer the following questions:
1. Which devices present a greater risk: On-site or off-site?
Let’s look at laptops, since they can be considered the core physical infrastructure at most SMBs. The following might seem an obvious point, but be aware that devices are more susceptible to theft when away from the office. Keeping this in mind is the right way to start researching for a solution. Be sure to test a solution’s effectiveness in managing problem scenarios for your remote users. If you are satisfied with its performance when leveraged by remote users, then you’ve at least created a shortlist.
2. Why is a well-designed product important?
Design and function are interlinked. The ability to rapidly alter security policy, encryption keys, features and the operation of endpoint encryption remotely means that your default policy can be both strong and tight. Exceptions can be employed only when and where needed and rolled back just as easily. If you can’t do this you’ll be forced to leave “a key under the doormat” just in case. This would be like tearing holes in your security policy before deployment is complete.
3. What about remote locking and wiping of laptops?
This issue could become crucial if a company laptop with full-disk encryption gets stolen while in sleep mode or with the operating system booted up. It’s even worse if those systems come with the pre-boot password affixed on a label or tucked in the laptop bag. If a remote lock or wipe function isn’t available, then the system is either left unprotected or secured only by the user account password. In either case, this leaves the encryption bypassed.
Also, it is important to know whether the solution has been designed to accommodate the typical use cases that would otherwise unravel a well-designed security policy.
4. Removable media: Can the solution secure them without whitelisting every item?
The diversity of writeable devices in use for everyday work makes it almost impossible for admins to whitelist them all, or to decide whether it’s permissible to read from or write to that device.
It is much easier to set a file-level policy – distinguishing between files that need encryption and those that don’t – with the selected files protected every time they move from a workstation or corporate network to any portable device.
So, if you connect a personal USB stick, the solution shouldn’t force you to encrypt your private data. On the other hand, any files being copied from your company system should be encrypted. It is a simple idea, but one that makes any device safe without the need for whitelisting.
Ultimately, flexibility and ease of use are what ensure successful deployment of endpoint encryption technology.
So, you need to define whether the solution you want to use is actually easy to deploy. If setup takes too long and requires additional tools for operation, it will simply lead to headaches for system admins, creating new security risks. Target an easy-to-deploy solution that doesn’t require advanced IT expertise and preserves both finances and your human resources capacity. If a positive user experience follows that easy deployment, then IT staff won’t be further taxed by user lockouts, lost data and other frustrations.
Validated, commercial encryption products have been proven strong enough for some time. However, a significant number of the recorded data breaches involving lost or stolen laptops and USB drives occurred within organizations that had bought and deployed encryption products.
Notes archived from these incidents reveal that being able to fit the solution to your environment, working practices and ease of use for everyday users are the key challenges.