The primary tool of today’s business environment is the computer. Whether a desktop or laptop, these are the devices in front of which employees spend most of their working hours and on which they access sensitive information. They are indispensable tools, but also the main source of data loss or theft.
The reason is a fairly simple one: it has less to do with the devices themselves and more to do with their users. Whether malicious or simply negligent, employees are believed to be responsible for no less than 84% of data breaches. As companies become increasingly aware of this reality and new data protection regulations bring with them harsh fines as well as civil and, at times, even penal liabilities for failure to protect individuals’ personal information, new Data Loss Prevention (DLP) tools have emerged to curb data loss and protect sensitive data.
There are several types of DLP solutions based on where they are deployed. They can be at endpoint or network level or in the cloud. When considering DLP solutions, businesses often turn to network DLP solutions as seemingly well-rounded and easy-to-implement tools. However, while they are efficient in protecting sensitive data in motion, their reach is limited: they can only protect data when computers are connected to the company network and cannot prevent data transfer onto portable devices. This is where endpoint DLP comes into play.
Endpoint DLP often intimidates organizations because of what its company-wide implementation implies: the installation on every endpoint of a client or agent that will then have to be maintained and regularly updated. They imagine it would be time-consuming and difficult, but the reality is quite the opposite. Products like Endpoint Protector, for example, are up and running in 30 minutes or less. Not only that, they offer easy deployment and management of all endpoints from a single dashboard, as well as updates that can be installed without requiring a restart.
But what are the biggest advantages of endpoint DLP solutions? Here are the top 3:
1. Protecting data on the go
One of the main benefits of endpoint DLP is that it does not depend on a company network to function. Its policies are applied at the computer level and continue to protect sensitive information whether an employee is in the office or working remotely.
With today’s workforce becoming more and more mobile and the risks inherent in any environment outside the security of a company network, it is essential that data be protected regardless of an endpoint’s physical location.
Using endpoint DLP, companies do not have to restrict employees’ mobility or limit their ability to travel and work from anywhere, and they can rest assured that wherever employees are, at a conference, a client’s office or at home, sensitive data will remain just as secure.
2. Controlling portable devices
Another easy way sensitive data is lost is through portable devices. Employees can copy files onto personal USBs without violating any network DLP policy. Endpoint DLP, however, enables administrators to choose different levels of trust for devices based on specific criteria. In this way they can, for example, allow only company devices to connect to endpoints or block them all. Because these policies do not depend on the company network to function, they can be enforced even offline.
Additional features can offer encryption capabilities for USBs. Organizations can ensure that any data copied from their endpoints onto portable devices, be they company-owned or not, is automatically encrypted. In this way, sensitive information is always protected even when it is physically on the move. In case of lost encryption passwords or malicious insiders, admins even have the option of resetting passwords.
3. Data visibility on the endpoint
While network DLP products are good at keeping data from travelling outside company networks, they usually do not offer content discovery capabilities on the endpoint. This means that companies have no way of knowing if employees have sensitive information saved on their computers.
This is a major issue when it comes to compliance: many data protection regulations require companies to restrict access to sensitive information and store it only for as long as it is needed for the original purpose it was collected for. On top of that, many data subjects now have the right to request that their data be deleted or have the option to withdraw consent for data processing.
If organizations do not know where their data is stored on company endpoints, they risk running afoul of data protection regulations and incurring steep fines for noncompliance. Using endpoint DLP, admins can scan data at rest on computers company-wide and take remediation actions when sensitive data is found. Information can be deleted or encrypted based on needs, thus ensuring that companies can enforce the right to be forgotten and the restrictions that need to be applied for compliance with data protection regulations.
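To make the data-at-rest scan described above concrete, here is a small content discovery pass over a directory tree. It is an added example, not code from Endpoint Protector or any DLP product; the two detectors (Luhn-validated card numbers and email addresses), the function names and the sample files are assumptions chosen for illustration.

```python
import re
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

def luhn_ok(digits):
    """Luhn checksum: discards digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_file(path):
    """Return the sorted kinds of sensitive data found in one file."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read(1_000_000)  # assumption: inspect the first 1M chars
    except OSError:
        return []  # unreadable file; a real agent would log and report it
    kinds = set()
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        kinds.add("card_number")
    if EMAIL_RE.search(text):
        kinds.add("email")
    return sorted(kinds)

def scan_tree(root):
    """Walk root; map each file with findings to the kinds detected."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        kinds = scan_file(path) if path.is_file() else []
        if kinds:
            report[str(path.relative_to(root))] = kinds
    return report

def demo():
    """Scan a constructed directory (sample data, not real records)."""
    samples = {
        "export.csv": "name,card\nA. Test,4111 1111 1111 1111\n",
        "notes.txt": "order ref 1234567890123456, nothing sensitive",
        "contacts.txt": "reach jane.doe@example.com for details",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            Path(root, rel).write_text(body, encoding="utf-8")
        return scan_tree(root)
```

The Luhn check is what keeps the 16-digit order reference in `notes.txt` out of the report; the resulting file-to-findings map is the input a remediation step (delete or encrypt) would act on.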