Removable devices have long been a threat to data security. From employees copying sensitive data onto unsecured devices to malicious outsiders attacking a corporate network through infected USBs, the risks they pose are clear, and many companies have taken steps to address them. One of the main ways they have done this has been through Device Control tools that allow companies to control the use of peripheral and USB ports. But as more and more organizations rely on file sharing and cloud storage services to transfer and share information, is USB device control by itself still enough in 2021 to protect sensitive data?
The advent of the EU’s General Data Protection Regulation (GDPR) kicked off a global movement towards stricter measures to guarantee the security of individuals’ personal information. This new wave of legislation, reaching from the US and Brazil all the way to Singapore and Japan, makes companies liable in the eyes of the law for the protection of the sensitive data they collect and process. Taking a page from the GDPR’s book, many of these new laws impose heavy fines for noncompliance.
But regulatory fines are not the only thing companies need to worry about when it comes to data breaches. According to IBM and the Ponemon Institute’s Cost of a Data Breach report 2020, the biggest contributing factor to the overall cost of a data breach, accounting for a staggering 39.4% of the average total cost, is lost business. Companies may lose existing and new customers as their image takes a reputational hit. Data breach investigations can also disrupt business operations and company systems, leading to financial losses.
For all these reasons, companies must ensure that they avoid data breaches. Antivirus software and firewalls are essential for tackling external threats and, for many organizations, Device Control tools are used to address internal data leaks and potential attacks via removable devices.
Device Control tools, usually part of Data Loss Prevention (DLP) solutions, allow companies to block or limit the use of USB and peripheral ports, as well as devices connected through Bluetooth. This prevents employees from copying potentially sensitive data onto unsecured devices. Flash drives in particular have long been a data security problem as they are easy to steal or misplace. While some companies have chosen to enforce encryption on USBs to ensure that any company USBs stolen or lost cannot be accessed by unauthorized third parties, others have chosen to eliminate their use altogether.
Device Control is particularly effective against the dangers of data exfiltration by malicious insiders. It also prevents outsiders from attempting to attack a network through an infected removable device, or from booting a company computer using a USB to bypass login credentials. Organizations wishing to continue using removable devices also have the option of enabling a system of trusted devices issued by the company.
However, while Device Control is an effective way of controlling devices connected to company computers, what happens when an employee needs to take files with them that are too big to be sent by email? With USB flash drives disabled, they will turn to the internet for a solution: file sharing and cloud storage services.
Nowadays, with popular services like Dropbox, Evernote, and Google Drive available to everyone at no cost, few employees will even consider a removable device, but will immediately choose the convenient solution of cloud storage services that will make files available to them at all times from anywhere. And while this is very useful for employees, how can companies be sure that the files they upload to these services do not contain sensitive data? Worse still, what if they are not even aware of which services their employees are using to transfer files?
Some companies address this risk by blocking the use of certain well-known applications, but that might only encourage employees to seek out lesser-known alternatives that might pose an even greater threat to data security.
To ensure compliance with data protection laws and to avoid data leaks and breaches, companies need to look beyond Device Control and address the risks posed by sensitive data transfers over the internet. One way of doing this is to choose a DLP solution like Endpoint Protector that also includes Content Aware Protection features which help monitor and control the movements of sensitive data within and outside of the company network.
Through Content Aware Protection tools, companies can define what sensitive data means to them. They can use predefined profiles for data protection laws and standards like GDPR, HIPAA, or PCI DSS, but also add their own definitions based on their industry and needs.
Using contextual scanning and content inspection, Content Aware Protection tools can identify sensitive data in over a hundred file types and monitor how they are being transferred and used within the corporate network. They can block the transfer of sensitive data through unauthorized channels, even when employees attempt to copy-paste or use a print screen to save or send sensitive data in the body of an email.
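How content inspection and contextual scanning can work together for a PCI DSS style profile, as an added example (not Endpoint Protector's code): a candidate number must pass the Luhn checksum, and nearby keywords decide the confidence. The pattern, keyword list, window size and block/report policy are assumptions chosen for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by a space or hyphen.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed context keywords; a production profile would carry a longer list.
CONTEXT = re.compile(r"\b(card|visa|mastercard|cvv|expir\w*)\b", re.I)
WINDOW = 40  # assumed: characters of surrounding text searched for keywords

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order ids, phone lists)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect(text: str) -> list:
    """Return one finding per Luhn-valid candidate, never the raw number."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue        # content check failed: not a card number
        nearby = text[max(0, m.start() - WINDOW):m.end() + WINDOW]
        in_context = bool(CONTEXT.search(nearby))
        findings.append({
            "masked": "*" * (len(digits) - 4) + digits[-4:],
            "confidence": "high" if in_context else "low",
            # Assumed policy: block confident hits, only report the rest.
            "action": "block" if in_context else "report",
        })
    return findings

# Constructed samples using publicly documented test card numbers.
SAMPLES = {
    "email": "Please charge my Visa card 4111-1111-1111-1111, expiry 04/27.",
    "note": "Shipment reference 5555 5555 5555 4444 left the warehouse.",
    "order": "Order number 1234567890123456 confirmed, card on file.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, inspect(text))
```

The third sample shows why content and context are checked together: the word "card" appears, but the number fails the checksum, so nothing is flagged.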
Companies can no longer afford to ignore the popularity of internet cloud storage services in the workplace and must implement security measures against any potential data leaks or data breaches resulting from their use.
While Device Control features regulate work computers’ connectivity to other devices, Content Aware Protection tools safeguard sensitive data directly, regardless of what type of files it is found in. Together, these two DLP features offer a more rounded approach to data protection, supporting data legislation compliance efforts along the way.
/Written by Andrada Coos/