IT Briefcase Exclusive Interview: Combating the Employee Threat to Data Security
April 28, 2017
With businesses in possession of more sensitive data than ever – and with employees now commonly using mobile devices to access that data from anywhere – security is an ever-increasing concern. Cam Roberson, Director of the Reseller Channel at Beachhead Solutions, shares his perspective on how device security technology is addressing this need across industries.
- Q. What should businesses be most concerned about today with the constant threat of data breaches and the loss of sensitive data?
A. There have been a tremendous (and growing) number of recent high profile hacking incidents – so many that enterprises and the public at large may already feel like they have a grasp of how dangerous they can be. However, because so many reports emphasize episodes involving outside hackers, businesses may not understand that the much more common day-to-day threat is actually the user behavior of their own personnel. PrivacyRights.org finds that data breaches are 3x more likely to be caused by the actions of an employee – whether careless or intentional – than by hacking performed by an outside party. Given this fact, businesses should place appropriate focus on employee training and technology that guards against data exposure at points where employees have access and may otherwise behave carelessly. Employees who understand how to protect data are that much more careful in situations that carry risk – like working on a laptop remotely or when about to click on what might be a phishing email.
- Q. What are the strengths and limitations of device security solutions, and how important is employee behavior in keeping data protected?
A. Properly used, device security solutions are capable of encrypting sensitive business data and managing access on any device employees use to do their work (including BYOD). In the event that a smartphone or laptop that contains (or has access to) sensitive data is lost or stolen, the right device security strategy can make that data unreadable, revoke access, and even delete the data remotely if necessary. Even as such technologies can remotely enforce security policies on these devices, employee behavior must still be addressed. No matter how effective data security technology is, employee error can still invite havoc. Therefore, employee training must be part of a holistic data security strategy. Employees educated in proper device and data security practices will know not to leave devices unattended after credentials have been entered, and will understand the importance of protecting their login information (i.e. not writing their password on a sticky note attached to the device, which we see too often). It’s important that employees be treated as caretakers of the data in their custody, and are prepared well for the role.
- Q. How are laws and regulations such as HIPAA and FINRA affecting how businesses approach data security across certain industries?
A. HIPAA, FINRA, and other such laws require specific data security measures to be in place to protect the private personal data of an organization’s clients. For example, HIPAA is designed to ensure that a medical facility – or any entity handling the protected health information of patients – safeguards client privacy by taking reasonable precautions to defend against data breaches. FINRA has a similar function in the financial industry, as does ALTA in real estate.
The ultimate effect of this for businesses in these industries is to raise the stakes around data security. Companies suffering data breaches that fail to properly implement the protections required by these laws are routinely facing devastating regulatory fines. Because of these stakes, and the complexities of the regulations involved, we see a lot of businesses often enlisting managed service providers (MSPs) that have expertise at providing for their data security needs and ensuring compliance with all requirements.
- Q. How do cloud-based approaches to device security compare with solutions based on full-disk encryption?
A. Full-disk encryption (FDE) encrypts all data on a disk, rendering that data unreadable until credentials are entered. It’s a popular method, but it does have drawbacks. Because access to the system usually requires pre-boot authentication, it’s not easy to maintain – remote updates, diagnostics, and troubleshooting require human assistance on the remote end, or must be performed in person. This is cumbersome and can also be frustrating to end users. In contrast, cloud-based strategies are capable of delivering encryption, data security, and required maintenance transparently, so much so that employees can work efficiently and without really being aware of the security processes active on their devices.
- Q. What role does Beachhead’s technology play in securing employee-controlled devices?
A. Beachhead Solutions’ SimplySecure is a cloud-based platform that allows businesses or MSPs to encrypt and secure sensitive company data across all devices that employees may use to access it, including desktops, laptops, phones, tablets, or USB drives. The management platform encrypts all sensitive data on these devices, and allows IT administrators to remotely control (revoke or restore) user access or even wipe data from devices when necessary – say, if a device is lost or stolen.
- Q. What are some common scenarios you see where a device becomes compromised and suddenly represents a security risk?
A. The moment a physical device leaves the control of the business owner, its data must be considered at tremendous risk and worst-case scenarios must be considered. In these situations, it’s really not enough to simply say, “Well, good thing the data is encrypted and everything is fine!” Yes, all devices absolutely must be encrypted, and that protects the data against most thieves. However, there is no encryption that can protect sensitive data if the thief has the password (e.g. former employees), has learned the password (e.g. some form of social engineering), has stolen the password (say if it was written in a notebook stolen along with the device), or has stolen the device with the power on and the device already authenticated. Businesses need to be able to reach out and secure that data under these scenarios as well.
- Q. Can you share some real-world examples of incidents where data breaches have been averted by device security technology?
A. We’ve heard some wild stories over the years that go beyond the everyday tales of lost or stolen devices where data remains secure because encryption is in place, which is what we most commonly see. In one incident, a resident of a group home became frustrated because a particular computer was only available to the staff, and threw it out a window. Fortunately it was discovered later, and while it did contain a lot of HIPAA-covered data, there was never a risk of a data breach because encryption and remote oversight were present on the device.
In another story we found pretty shocking, an administrator at a medical practice (a trusted, long-time employee) took a work laptop home with him for the weekend – nothing out of the ordinary. The laptop contained sensitive patient medical data along with the practice’s financial data. At the end of the weekend, a family member actually called the practice to inform them that the administrator had died in a car accident. Fellow employees at the practice were appropriately distraught, but they were also careful to try to recover the laptop full of data, which the family member looked for but couldn’t find. The practice then asked the MSP providing its data security to look into it. Using its data security tools, the MSP was able to see that the missing laptop was online, and was able to activate the device’s webcam. What they saw next was the administrator, very much alive and watching YouTube videos in a trailer in the desert. The MSP contacted the police, who ultimately confirmed that the administrator had faked his own death, and had stolen not just the laptop but the RV he was hiding in as well. It’s an example that goes to show how important it is to have the right security tools in place to remotely wipe data and control access – you never know what situations might come up where they’ll save the day.
Cam Roberson is Director of the Reseller Channel at Beachhead Solutions, a company that designs cloud-managed mobile device security tools. Prior to joining Beachhead in 2007, Roberson held management roles at Business Graphics Group and Apple. He resides in the San Francisco Bay Area.