Even before the pandemic, many companies had a relaxed approach to the devices employees brought to work. In fact, many businesses had BYOD (bring your own device) policies that allowed team members to work on personal laptops or cell phones. By one account, 75% of employees use their personal cell phones for work. The rise of remote work has only escalated the use of tablets, laptops, and mobile phones for professional use.
Unfortunately, these devices are not often equipped with the right security measures. Or worse, used completely unsanctioned. Shadow IT refers to the use of devices, technologies, and software that have not been approved or vetted by internal IT departments.
The average employee uses 2.5 devices for work. And, regardless of whether these devices are sanctioned or shadowed, there’s a huge amount of potential for a malicious actor to exploit these endpoints and steal your data. Integrating endpoint data loss prevention is a key step to locking down your cybersecurity and preventing data exfiltration through employees’ devices.
What is endpoint DLP?
Endpoint data loss prevention tools monitor servers, computers, laptops, and mobile devices on which data is used, moved, or saved. These tools classify data according to compliance regimes or administrator rules and track the use of data on all endpoints, regardless of if the device is connected to the network. Many endpoint DLP solutions are also able to encrypt data.
Compared to network data loss prevention, endpoint DLP enables companies to extend protection onto devices where data is transferred. Any device on which data is used, moved, or saved can leverage endpoint DLP security to prevent data leakage, loss, or misuse.
Endpoint DLP solutions are particularly important as companies continue to support hybrid/remote work and allow employees to use their own devices. “Most organizations grossly underestimate the number of shadow IT applications already in use,” said Brian Lowans, principal research analyst at Gartner.
Adding endpoint DLP to your company’s security policy can help ensure every team member understands the importance of data loss prevention, as well as has DLP installed on their devices.
Why is endpoint DLP important?
There are a range of privacy and security risks that are introduced when employees bring their own devices to the professional environment.
Data leakage and loss tops the list. An unsecured device (one without a passcode or left unlocked) can easily compromise PII or PHI. When a device goes missing or is stolen, hackers can access enterprise data relatively easily.
Devices that connect to unsecured Wifi networks can also expose the company data to risk. Man-in-the-middle attacks, eavesdropping at a public Wifi hotspot, and even connecting to personal area networks pose similar security risks. Even simply sharing a phone with a friend or family member can inadvertently raise the risk of insider threat.
Then, even the most careful employees may still be fooled into downloading rogue or malicious apps. In 2015, Apple removed over 300 pieces of software from the app store after malware that targeted developers managed to create infected iOS apps. Attacks on mobile devices are getting more and more sophisticated, and that’s not even considering the privacy concerns that arise when employees use their personal devices for work.
On top of these risks, IT teams have zero visibility into how data is transmitted, stored, and processed on a personal device. As a result, it can be difficult to see if data has been exposed even after the fact.
Endpoint DLP best practices
It’s unlikely that your employees will stop working on their personal devices; nor is it possible (or feasible) to root out all shadow IT that could put your company at risk. Instead, it’s worth integrating endpoint DLP into your company’s security policy and training workers on some of these best practices.
Pair technology with training
Implementing a DLP tool can be a double-edged sword. On one hand, it’s a critical way to monitor, manage, and reduce the risk of data exposure and exfiltration. On the other hand, it can lead employees to believe their devices are completely secure.
Make sure your employees receive regular, frequent reminders about secure device use. Just because there’s an endpoint DLP solution doesn’t mean anyone can be lax about leaving their device unlocked, using an insecure password, or connecting to public Wifi. Help team members understand exactly what the technology can do, and what it can’t.
Collaborate on DLP implementation
Asking employees to add a DLP solution to their personal devices can feel intrusive. As a result, “Organizations are strongly advised to define their business processes for dealing with DLP policy creation and violations before turning on the tools,” wrote one expert.
Create a clear policy that defines what will be monitored, who will have access to the endpoint solution, and what the procedure is for dealing with a potential data leak. Give employees a transparent process that’s adjusted according to user roles. For instance, the marketing team will use different content, subject to specific compliance restrictions, than the HR team. Work with these teams to understand how they are using data and implement DLP in a way that suits their needs.
Consider the whole DLP puzzle
Endpoint data loss prevention is important, but it’s one piece in the entire DLP puzzle. Ideally, organizations should also have network and cloud data loss prevention in place. Network DLP is easier to deploy in a bigger company, and covers a range of content within the network, such as file sharing, email, and messaging tools.
The scope of network DLP ends with cloud DLP, where a tool like Nightfall can protect information shared in SaaS, IaaS, and PaaS programs. The prevalence of Slack, AWS, Atlassian, and other cloud-based programs tracks with the increased use of personal devices; cloud DLP is just as vital as endpoint DLP.
Want to learn more? You can find out more about data loss prevention and get started with Nightfall by scheduling a demo at the link below.