Before we begin, we will clarify the key terms that we will be using throughout the course of this guide and answer common endpoint monitoring and management questions.
The term “endpoint” refers to devices that are connected from the end of a network. This includes (but is not limited to) laptops, workstations, kiosks, POS terminals, servers, and IoT devices.
Endpoint security describes cybersecurity practices that are implemented to protect endpoint devices that are used on a network. Endpoint security and data loss prevention software provides added endpoint and data security with software-enforced policy management including controls over peripheral device use such as the ability to disable USB ports or methods for prescribing USB data transfer policies based on users or devices.
For small workgroups that only need to manage specific devices, USB ports can be disabled by an administrator using Windows Device Manager. For companies with larger teams or those that require greater device control (such as configuring read-only access or managing USB permissions for specific users), a third-party endpoint protection software solution such as CurrentWare’s AccessPatrol will be required.
Data loss prevention (DLP) describes the strategies and resources used to ensure that data is not abused, lost, or accessed by unauthorized users. DLP often focuses on the management and security of sensitive data such as intellectual property (IP) or personally identifiable information (PII), however, it can also refer to related strategies that protect project files and other data from accidental deletion, file corruption, or natural disasters.
CurrentWare’s endpoint security product AccessPatrol can block specific file types from being transferred to USB devices such as flash drives or external hard drives. This feature is often used to allow users to use USB devices for work-related tasks while preventing sensitive files for databases (.ACCDB, .DBC, etc) or spreadsheets (.xls, .csv, etc) from being illicitly transferred.
Endpoint monitoring is the practice of tracking company endpoints and the activities taking place on them to manage their associated cybersecurity risks. Endpoint monitoring and management as a practice utilizes dedicated endpoint security tools with features such as device monitoring for increased visibility of endpoint devices as well as features for restricting users from using unauthorized peripheral devices (USBs, Bluetooth, CDs, etc) on endpoint devices.
An endpoint management policy is a written and/or software-enforced set of rules for the endpoint devices on a network. These policies manage the endpoints and peripherals that are permitted, the level of access devices and users have to a network on a given endpoint, as well as the acceptable uses for each endpoint device.
Data breaches exposed 7.9 billion records in the first nine months of 2019 according to a report from Risk Based Security. What would happen to your company, your customers, and your reputation if your most trusted employees stole or compromised the data they had access to? Endpoint monitoring and management tools will be a critical technical safeguard when addressing the threat of data breaches as part of your information governance and data loss prevention (DLP) strategy.
Endpoint security software is a valuable tool for mitigating against the dangers of illicit data transfers and file mismanagement, but it can cause serious productivity blocks if not configured in a way that makes sense for your company. In this guide, we will show you how to develop an endpoint monitoring and management policy that meets your data security needs without creating productivity bottlenecks that frustrate your employees.
Endpoint monitoring and restriction tools provide a critical layer of security for your data loss prevention (DLP) and data security strategy. Endpoint security software with device control features gives you the means to mitigate devastating data breaches caused by insider threats, rogue USB devices, attacks from cybercriminals, and illicit transfers from unauthorized users.
When developing your endpoint monitoring and restriction policy, you will need to carefully think about the sensitivity of the data you are responsible for protecting. By monitoring and restricting endpoints that have access to the networks where sensitive data is stored, you can prevent serious reputational, operational, and financial damages that will arise following a breach of sensitive data such as intellectual property or personally identifiable information (PII).
Data breaches of sensitive information have devastating consequences for the consumers and companies affected by the data breach. A compromised database full of personally identifiable information is incredibly valuable for cybercriminals as this information can either be used directly for identity theft or sold to others in their network for related purposes.
When sensitive information needs to be supplied to third parties by consumers or companies, they need to have the confidence that the entity they’re working with is capable of protecting their data.
Companies that fail to adequately protect sensitive data from data breaches can face severe penalties in the form of non-compliance fines and litigation. A proposed $1.13 billion class-action lawsuit was filed against LifeLabs following the potential breach of 15 million health records caused by a ransomware attack. The lawsuit alleges that LifeLabs failed to maintain adequate safeguards to protect the data and seeks compensation for those affected by the breach as they are now vulnerable to identity theft and blackmail from the data exposed in the breach.
Data security regulations that govern the security standards for sensitive information such as personally identifiable information (PII), personal health information (PHI), or financial records require that adequate measures are taken to protect the data used by the regulated company. Endpoint security software is a critical technical safeguard for protecting sensitive data that is stored on or accessed by endpoints.
Full Name | Description | Applies To | Greatest Cost of Non-Compliance (USD) |
International Traffic in Arms Regulations (ITAR) | United States – Government regulation of defense-related exports and imports ITAR requires entities to implement measures to prevent the loss of ITAR-controlled data | All manufacturers, exporters, and brokers of defense-related imports and exports for the USA – including technical data | Civil fines of up to $500,000 per violation, criminal fines up to $1,000,000, 10 years imprisonment per violation, as well as bans from providing future exports. |
The Federal Information Security Modernization Act of 2014 (FISMA) | United States – Cybersecurity framework for protecting sensitive information held by the federal government and related parties | Executive agencies within the US federal government | Loss of federal funding. A low FISMA grade indicates that you are at risk for a data breach |
The Personal Data (Privacy) Ordinance (PDPO) | Asia (Hong Kong) – Principle-based data protection law for the use, collection, and handling of personal data. | Private and public sectors that process data in or from Hong Kong | A fine of up to ~$128,862 (HK$1,000,000) and imprisonment. |
The General Data Protection Regulation (GDPR) | Europe – Principle-based data protection law for the use, collection, and handling of personal data. | Companies and other entities that process personal data of EU citizens, including website cookies and other marketing data | Discretionary fines of the greater of ~$22,096,200 (€20 million) or 4% of annual global turnover |
The Health Insurance Portability and Accountability Act (HIPAA) | United States – National act for regulating the electronic transmission of health information | Health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards | Fines of up to $1.5 million per violation category per year |
Each industry and organization will have its own unique set of data security requirements that will heavily inform their endpoint restriction policy. While the use of data security best practices will always be necessary to adequately protect data, the level of endpoint restrictions used as a safeguard will vary in intensity depending on the sensitivity of the data the organization handles and the associated level of risk.
While John’s exact role is top secret, we do know that he works in the field of Military Intelligence. Because John’s information governance and cybersecurity responsibilities are a matter of national security, he takes every precaution available to him to eliminate the potential for unauthorized data transfers and to mitigate cybersecurity threats.
Sam is the HIPAA Security Officer for her company. She uses endpoint monitoring and restriction to protect the sensitive personal health information (PHI) of patients as a technical safeguard for maintaining HIPAA compliance for her company.
Karen is a manager for an independent retail company that sells through an eCommerce platform. Karen’s payment processing is handled by a third party that maintains their own data security compliance, however, she collects personally identifiable information of customers when arranging shipment of her products. She wants to use endpoint monitoring to alert her to incidents of her staff attempting to perform illicit data transfers.
Chris started his design career as a freelancer. Over time his independent operation grew into a modest design agency with his own employees and contractors. To help make IT security easier to manage, he ensures that his creative staff members do not need or have access to any sensitive data for the work that they do. Chris primarily uses file operations monitoring reports to protect his company’s intellectual property (IP) by ensuring that only pre-approved renders for portfolios leave the office.
When developing your endpoint security policy, these are key considerations that will influence the level of device control measures that you implement, the users and/or devices that you restrict, and how you will best use monitoring data to inform your data loss prevention and data breach mitigation strategy.
The policies you develop will be heavily influenced by the devices you intend to manage. Each endpoint device has a unique risk level and accompanying management needs. It is critical that you understand the unique needs of each of these devices as they will influence the level of monitoring and restrictions implemented.
Users with access to sensitive data need to be closely monitored, particularly when their endpoints have integrated data transfer hardware such as USB ports, SD/MM card slots, CD drives, or Bluetooth. Endpoint security software allows you to implement software-enforced policies that prevent illicit data transfers by blocking users from copying files to USB devices such as flash drives and external hard drives, providing an added layer of security against data theft and accidental breaches caused by mismanaged USB devices.
Unmanaged USB devices including personal flash drives, mobile phones, and miscellaneous devices such as USB-powered fans are a potential vector for data breaches caused by malware should the devices be unknowingly compromised. If your company has stringent data security standards, it is strongly advised that you limit the number of permitted USB devices by implementing software-enforced USB access policies.
Internet connectivity serves as a vital resource for managing distributed teams, sharing information, and connecting with customers. The internet also poses a remarkable cybersecurity vulnerability that needs to be managed appropriately.
The internet provides malware with a gateway to systems by transmitting it through compromised files sent in phishing emails as well as through “drive-by” downloads where a malicious website installs the malware on the user’s computer without their knowledge. These common internet-based attacks are best mitigated through the use of content filtering tools that allow for the blocking of dangerous websites, prevent the opening of suspicious files, and disable unauthorized computer programs.
It’s important to note that computers that are not connected to the internet via an ethernet cable may still be connected to a Wi-Fi network if it has Wi-Fi hardware installed. You can further prevent the potential for accidental internet access as part of your endpoint management policy by implementing a software-enforced policy that disables Wi-Fi hardware or by using internet blocking software.
IoT devices provide a unique level of risk thanks to a combination of their access to the network and a lack of robust security standards for IoT device manufacturers. A seemingly innocuous IoT sensor that helped a casino manage its aquarium became an entry point for a data breach that resulted in an information leak about the casino’s high-rollers. IoT vulnerabilities are largely caused by surprisingly widespread practices such as hardcoded passwords, web interfaces without sufficient authentication measures such as multi-factor authentication (MFA), and an inability or lack of support to securely patch known security vulnerabilities.
Due to their unique risk, these devices need to be treated with an added layer of caution, particularly if the device or the manufacturer does not natively support adequate cybersecurity measures. Unless you can confidently confirm otherwise, it is best to assume IoT devices are high-risk and treat them appropriately, including placing them on an entirely separate network that does not have access to sensitive data (“air gapping” or network segmentation).
Mobile devices are popular among professionals that want to continue working while traveling. Unfortunately, the portability of mobile devices comes at the cost of reduced physical security and added network vulnerabilities. If your employees are potentially working from outside a secured building in favor of a local coffee shop, airport, or co-working space, they will require greater monitoring and restriction to address the added risk.
To mitigate the risks associated with mobile devices, you can make use of an enterprise-class Mobile Device Management (MDM) system. An MDM allows you to delete sensitive data remotely, track lost or stolen devices, and enforce MFA on mobile devices, among a suite of other important features for securing mobile endpoints.
Risk Factors for Mobile Devices:
While implementing the highest level of endpoint restriction possible will provide greater threat mitigation, a policy that is far more restrictive than necessary for the endpoint’s corresponding risk level will create unnecessary productivity and usability bottlenecks. The bottlenecks caused by an overzealous endpoint security policy will needlessly frustrate users, leading to a greater risk of non-compliance with your organization’s endpoint and data security requirements.
When determining the level of restrictions required for your endpoint monitoring and management policy, it is important to tailor the degree of restriction based on the risk level associated with the device. Endpoint devices can be placed into three risk categories: Low Risk, Moderate Risk, and High Risk.
The risk category for a given endpoint is classified based on the severity of the impact should the device be compromised as well as the likelihood that such an event will occur. It is important to note that while moderate and high-risk assets should be prioritized, even low-risk endpoints must meet minimum security standards to prevent them from becoming a vulnerability due to mismanagement.
An endpoint device that is seemingly low in risk can actually belong to the high-risk category if it has access to a shared network that could be used as an entry point for a hacker performing a cyberattack.
The below risk factors will serve as a baseline for evaluating the risk level of your endpoints. These risk factors can be more or less risky than outlined below depending on how they interact with other risk factors. A publicly accessible endpoint has lower physical security and is thus potentially a high-risk device, however, if it has no access to sensitive data (ex. a public-facing digital map kiosk that is unable to connect to higher-risk systems) it could be considered low-risk.
Lower Risk | Moderate Risk | High Risk | |
Device Accessibility | Trusted, Monitored & Managed Employees | Trusted, Monitored & Managed Guests | General Public |
Hardware & Software | Whitelisted/authorized devices | Wireless internet (Wi-Fi) Shadow IT1 Internet-of-Things (IoT) devices | Unpatched and legacy systems2 Unmanaged USB devices and ports |
Data Sensitivity | Publicly available data or data that is intended to be openly available without restriction | Unpublished, unclassified, and otherwise non-sensitive internal documents such as meeting minutes | Devices that are connected to a network with access to data that is expected to be compliant with data security requirements such as HIPAA, GDPR, FERPA, FISMA, ITAR, PCI-DSS, etc |
Level of Importance | Devices that are connected to systems that provide non-critical services, such as a digital map kiosk for patrons in a mall | Devices that are connected to systems that provide an important service, such as employee workstations that are used to perform day-to-day duties | Devices that are connected to systems that provide a critical service such as IoT-connected power systems Devices that are connected to systems that would |
Difficulty of Recovery | The connected system is easily recovered with minimal to no disruption to operations | The connected system is able to be recovered with moderate disruption to operations | The endpoint is connected to systems that are difficult to recover or recovery will cause a major disruption to operations |
1 Shadow IT: Unapproved software/hardware that is not managed by the corporate IT security team.
2 Legacy systems: Systems that rely on outdated hardware and software that is no longer receiving critical security updates from their manufacturer(s) or the organization.
Supporting elements of endpoint security policies such as defining the acceptable use of devices (AUDs/AUPs) are critical for further enforcing endpoint monitoring and restriction as they provide the baseline for what will be considered suspicious activity in the context of your organization. With a well-established set of expectations, you can properly address behaviors that put the integrity of data security at risk.
Well-defined and communicated written policies and guidelines provide a necessary structure for communicating your expectations of how endpoint device management and information governance is to be carried out by employees and other users in your company. While templates can serve as a structure for understanding the core principles, you cannot afford to forgo mindfully considering the elements that are important for your company’s data security needs.
Auditing the monitoring data and alerts provided by your chosen endpoint detection and response software is an integral component of maintaining endpoint security as it provides you and your security team with valuable insights into the activities carried out on endpoints within your network. The insights from these reports can be used to identify non-compliant users using endpoint devices in an insecure manner, collect evidence of illicit file transfer attempts, and monitor the peripheral devices used within your company.
Now that you have outlined the core principles and tools for your endpoint monitoring and management strategy, it is time to implement it. To make the transition as seamless as possible, your policy implementation strategy needs to be mindfully planned and designed to best guide your users through the process of acclimating to their new workflows and expectations.
While the security of your data is paramount, that does not mean you should forgo consulting your employees – after all, they are the ones that are the most intimately familiar with what is needed for them to work effectively.
Collecting end-user feedback on your endpoint security and management framework provides you with the perfect opportunity to identify elements of your policy that may cause an unexpected productivity bottleneck. While not every piece of feedback can be acted on, you are likely to find opportunities where your proposed policy can be reasonably adjusted to better fit the workflow of your constituents.
A policy that is written but not adequately communicated is not likely to effectively fulfill its purpose. Policy education is essential for anyone who is expected to use technology in your workplace as it ensures that your baseline of expectations is fully understood and that a precedent for enforcement is established.
The effectiveness of your policy will rely heavily on your willingness to consistently enforce the standards you have for your users in the event that they fail to comply with their data security responsibilities. Software-based enforcement measures are an excellent protective tool, however, they should not be the sole source of your policy enforcement; you need complementary measures.
The frequency with which you review your policy will depend on your security needs and the regulatory compliance frameworks you are subject to. For example, entities covered under HIPAA are expected to “review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.”
With an endpoint monitoring and management strategy backed by robust tailored policies and endpoint protection software, you will be better prepared to mitigate against devastating data breaches. By taking a proactive approach to data security your company will be better positioned to use data safely, make advantageous partnerships, and protect the integrity of your operations.