Compromised devices and data protection: Be prepared or else
The January 6 riot and storming of the U.S. Capitol demonstrated just how quickly and unexpectedly our devices can fall into the wrong hands.
The allegation that one rioter stole a laptop from House Speaker Nancy Pelosi’s office with the intention to sell it to Russian intelligence only underscores the troubling fact that countless devices – and the data they contain – face possible exposure in the blink of an eye.
Authorized device users within the Capitol abandoned their devices (understandably) quickly and, unfortunately, while still logged into credentialed sessions, thus neutralizing any password and encryption protections. The rioters posted photos of computer screens with emails clearly displayed.
This event serves as a reminder that any of our devices can be lost or stolen instantly and absolutely unexpectedly, and that the only way to protect data is through the security processes that were previously put in place. It is critical that organizations truly recognize that hardware is now cheaper than ever, and that data has never been more valuable. Hardware loss by an organization is ultimately acceptable and survivable, but data loss may not be.
Implementing effective layers of protection to prevent data breaches stemming from compromised hardware requires vigilance across several fronts, from encryption to remote access controls to more effective employee training.
A single layer of encryption simply isn’t enough
While encryption alone isn’t fully sufficient to secure data, multiple layers of encryption are often necessary to ensure that any exposed data is rendered unreadable and unusable. For example, an encryption tool like BitLocker, if used on its own, can leave data vulnerable in certain scenarios, such as if a power failure interrupts the encryption process or if a system administrator’s credentials are compromised. In the wrong hands, a system administrator account will be able to view all files as decrypted and in clear text.
However, deploying a solution like Encrypting File System (EFS) as a secondary encryption layer on top of BitLocker will provide additional file-level encryption. In this way, EFS makes it possible to ensure the encryption of sensitive data, even if an attacker has gained access to device hardware and has powerful credentials in hand.
This approach provides the added benefit of making it possible to service devices without allowing data access or presenting any risk of exposure. By implementing a layered encryption strategy with protection at both the full drive and file levels, organizations can have peace of mind that the loss of a particular device is hardly a loss at all.
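An added example, not from the original article: a PowerShell audit of both layers described above. It checks that every volume has finished full-drive encryption with protection switched on (the interrupted-encryption case) and lists files under a folder that lack the EFS encrypted attribute. The folder C:\SensitiveData and the function names are assumptions for illustration; run it from an elevated session.

```powershell
# Added example: audit the drive-level and file-level encryption layers.
# Assumption: $SensitivePath is a hypothetical folder holding sensitive files.
param(
    [string]$SensitivePath = 'C:\SensitiveData'
)

function Test-DriveLayer {
    # Layer 1 (full drive): a volume counts as protected only when encryption
    # has completed AND protection is on. An interrupted or suspended
    # encryption run shows up here as a non-compliant volume.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint   = $_.MountPoint
            VolumeStatus = $_.VolumeStatus
            Percentage   = $_.EncryptionPercentage
            Protection   = $_.ProtectionStatus
            Compliant    = ($_.VolumeStatus -eq 'FullyEncrypted' -and
                            $_.ProtectionStatus -eq 'On')
        }
    }
}

function Get-UnencryptedFile {
    # Layer 2 (file level): EFS marks each protected file with the Encrypted
    # attribute. Anything without it is readable by any account that can
    # open the unlocked volume.
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) } |
        Select-Object -ExpandProperty FullName
}

$drives = @(Test-DriveLayer)
$drives | Format-Table -AutoSize

$gaps = @(Get-UnencryptedFile -Path $SensitivePath)
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) file(s) under $SensitivePath are not EFS-encrypted:"
    $gaps | ForEach-Object { Write-Warning "  $_" }
}

$badDrives = @($drives | Where-Object { -not $_.Compliant })
if ($badDrives.Count -gt 0) {
    Write-Warning "Volumes without completed, active drive encryption: $($badDrives.MountPoint -join ', ')"
}

# A non-zero exit code lets a management agent flag the device.
if ($badDrives.Count -gt 0 -or $gaps.Count -gt 0) { exit 1 }
```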
Remote data deletion and data quarantine capabilities are essential
Businesses require security solutions that enable remote oversight of sensitive data, even when that data is accessed and stored across countless employee-used devices in myriad locations. This necessity has been made all the clearer by the widespread adoption of work-from-home policies accelerated by the COVID-19 pandemic. Devices in the field face a much greater chance of being lost or stolen. If credentials are stolen as well, or devices are taken during credentialed sessions, sensitive data is very much at risk.
With the right tools and strategies in place, an organization can immediately revoke data access and delete the company’s data from compromised devices remotely, as assuredly as if the device were connected to a secured local network in an office setting. Security administrators can remotely quarantine data on devices as well, revoking access temporarily as a precaution when risks are uncertain.
Modernized solutions also offer geofencing-based capabilities that send alerts if a device travels outside of allowed locations, as well as additional safeguards such as two-factor authentication.
Enforceable employee training is the single most important security measure
It is often said that employees and their behavior are the greatest threat to data security – and it’s never been truer. Employees are ultimately the caretakers of their devices and the data access they’re entrusted with. They therefore have many opportunities to make attackers’ lives easier: leaving devices unattended and unsecured, being careless with their credentials, clicking on phishing emails, etc.
To be fair, modern spear-phishing techniques that target individual employees with emails impersonating their managers and asking for credentials or money transfers are quite challenging to recognize. This is especially true with remote work, where co-workers who could verify such actions are no longer just a few desks over. Employees are not as naturally vigilant as their employers think they are, and this is a major disconnect right now.
Employee training programs can provide crucial education in security best practices. Advanced training solutions can even put employees to the test with actual emails mimicking phishing techniques. The right solution should also track and enforce training progress and certify each employee as they demonstrate that they’ve internalized effective practices.
Conclusion
Attacks on devices and data often strike suddenly and without warning. And once they come, your security – and perhaps your business – will live or die by the measures you’ve prepared beforehand. If you ensure your organization has layered encryption, remote access controls, and well-trained employees at the ready, you’re that much more likely to thwart such attacks before they do harm.