The primary tool of today’s business environment is the computer. Whether a desktop or laptop, running on Windows or macOS, these are the devices employees spend most of their working hours in front of and on which they access sensitive information. They are indispensable tools but also the main source of data loss or theft.
It often has less to do with endpoint security itself and more to do with computer users. According to the Ponemon Institute’s 2022 Cost of Insider Threats: Global Report, security incidents caused by insider threats have risen 44% over the past two years, with costs per incident reaching $15.38 million. A separate report on overall data breach costs showed that insiders, whether by falling victim to phishing and social engineering attacks or by turning malicious or negligent, accounted for 33% of all data breaches in 2021.
The rise of data protection legislation and international standards such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Payment Card Industry Data Security Standard (PCI DSS) has made the protection of personally identifiable information (PII) and financial data a mandatory requirement for companies of all sizes. Noncompliance can bring with it not only massive fines but also the risk of reputational damage and lost business.
What is endpoint DLP and why is it important?
Data Loss Prevention (DLP) tools emerged to help companies protect sensitive data – whether PII, intellectual property, or confidential information – from insider risks and data leakage. There are several types of DLP solutions based on where they are deployed. They can be at the endpoint or network level or in the cloud.
When considering DLP solutions, businesses often turn to network DLP solutions as seemingly well-rounded and easy-to-implement tools. However, while they are efficient in protecting sensitive data in motion, their reach is limited: they can only protect data while computers are connected to the company network and cannot prevent data transfer onto portable devices. This is where endpoint DLP comes into play.
Endpoint DLP often intimidates organizations because of what its company-wide implementation implies: the installation on every endpoint of a client or agent that will then have to be maintained and regularly updated. They imagine it would be time-consuming and complex, but the reality is quite the opposite. Products like Endpoint Protector, for example, are up and running in 30 minutes or less. Not only that, they offer granular features based on company needs, management of all endpoints from a single dashboard, and updates that can be installed without requiring a restart.
But what are the biggest advantages of endpoint DLP solutions? Here are the top three:
1. Protecting data on the go
One of the main benefits of endpoint DLP is that it’s not dependent on a corporate network to function. Data loss prevention policies are applied at the computer level, and they will continue to protect sensitive information in real-time whether an employee is working on-premises or remotely.
With today’s workforce becoming increasingly mobile and the risks inherent in any environment outside the security of a company network, it is essential that data be protected regardless of endpoint devices’ physical location.
Using endpoint DLP, companies do not need to restrict employees’ mobility, limiting their ability to travel and work from anywhere. They can rest assured that sensitive data will remain just as secure, whether they are at a conference, at a client’s office, or at home.
2. Controlling portable devices
Another easy way sensitive data is lost is through removable media. Employees can copy files onto personal USBs without violating any network DLP policy. Endpoint DLP, however, enables administrators to choose different levels of trust for devices based on specific criteria. In this way, they can, for example, allow only company devices to connect to endpoints or block them all. Not being dependent on the company network to function, these policies can be enforced even offline.
Additional features can offer encryption capabilities for USBs. Organizations can ensure that file transfers from an organization’s endpoints onto portable devices, be they company-owned or not, are automatically encrypted. In this way, sensitive information is always protected even when it is physically on the move. In case of lost encryption passwords or malicious insiders, admins can even reset passwords or remotely wipe USBs.
3. Data visibility on the endpoint
While network DLP products are good at keeping data from traveling outside company networks, they usually do not offer content discovery capabilities on the endpoint. This means that companies do not know if employees have sensitive information stored on their computers.
This is a major issue when it comes to compliance: many data protection regulations require companies to restrict access to sensitive information and store it only for as long as it is needed for the original purpose it was collected for. On top of that, many data subjects now have the right to request that their data be deleted or have the option to withdraw consent for data processing.
If organizations do not know where their data is stored on company endpoints, they risk running afoul of data protection regulations and incurring steep fines for noncompliance. Using endpoint DLP, admins can scan data at rest on computers company-wide and take remediation actions when it is found. Information can be deleted or encrypted based on needs, thus ensuring that companies can enforce the right to be forgotten and the access restrictions required for compliance with data protection regulations.
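As an added illustration of the data-at-rest discovery scan described above (example code written for this article, not Endpoint Protector's own implementation), the script below walks a directory tree, flags payment card numbers and e-mail addresses, and uses the Luhn checksum so that arbitrary digit runs are not reported as card data. The file contents and paths are constructed samples, written to a temporary directory so the scan runs offline.

```python
import re
import tempfile
from pathlib import Path

# Candidate patterns: 13-19 digits with optional spaces/dashes, and e-mail addresses.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy; filters false positives."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Count Luhn-valid card numbers and e-mail addresses in a blob of text."""
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]
    return {"card_numbers": len(cards), "emails": len(EMAIL_RE.findall(text))}

def scan_tree(root: str) -> dict:
    """Return {relative path: findings} for every file under root that has hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = classify(path.read_text(errors="ignore"))
            if any(hits.values()):
                findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample files standing in for a user's home directory.
SAMPLE_FILES = {
    "invoices/q1.txt": "Paid by card 4111 1111 1111 1111 by alice@example.com\n",
    "notes/todo.txt": "Ticket 1234 5678 9012 3456 is not a card number\n",
    "README.txt": "Nothing sensitive here.\n",
}

def demo_scan() -> dict:
    """Write the constructed files to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo_scan().items():
        print(f"{path}: {hits}")  # whether to encrypt or delete is a policy decision
```

Only the invoice file is reported: the ticket number in the notes file fails the Luhn check, which is the kind of false positive a naive digit-pattern scan would otherwise flag for remediation.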