Enterprises across all industries operate on consumer data. In addition to being necessary for completing day-to-day business functions, this data can be used to improve customer experiences, discover new opportunities and inform long-term strategy decisions. Within the boundaries of corporate offices, their secure networks and devices, and their legacy data privacy tools, consumers’ sensitive data has always been highly protected. But, as with many things, this was all upended by the COVID-19 pandemic.
Endpoint data protection then vs. now
Endpoint security measures have traditionally acted as a layer to protect personal devices accessing sensitive data on an enterprise network. After March 2020, when the pandemic really took hold and sent employees home in droves, information security teams had to scramble to bulk up endpoint data protection across laptops and operating systems so sensitive data wasn’t left vulnerable to compromise.
With remote work still so prevalent, even in industries whose data is highly regulated, the need for endpoint data protection has only intensified. On top of cyberattacks, there’s another scary threat to avoid: noncompliance penalties. Let’s take a look at some of the industries that stand to lose the most from a compliance violation.
Employees at banks, credit card companies, tax preparation services and investment or lending firms work with sensitive financial data daily. In the current remote work environment, this means that information regulated by legislation like the GLBA and PCI-DSS — think bank account and credit card numbers, credit histories and Social Security numbers — is constantly being processed, downloaded and saved to endpoint devices. When the presence of this data is forgotten or unknown, it’s likely not being properly protected either. Not only does this increase the risk of compromise, but the act itself of not protecting something like payment card data violates the PCI-DSS and can result in fines as high as $500,000 per incident. GLBA penalties cost a little less at up to $100,000 per violation.
Health insurance companies, home delivery pharmacies and even healthcare providers shifted operations to remote environments as a result of the pandemic. If you had a telehealth visit with your doctor, consider that sensitive data in motion on an endpoint device.
While the healthcare industry was already well on its way to digitally transforming processes like billing and payments, prescription fulfillment and maintaining health record databases, the pandemic certainly accelerated it. HIPAA requires any organization that handles healthcare information directly or is partnered with a healthcare company — like companies in every other industry offering health insurance to employees — to have measures in place that safeguard digital personal healthcare information (PHI). These include encryption, access controls and monitoring.
As far as endpoints are concerned, if they’re being used to access or process PHI, they need to feature these protective measures as well. If an endpoint device containing PHI were to be compromised, the penalty per violation could range from a mere $100 to a hefty $1.5 million, depending on the level of the compromised data’s sensitivity.
Higher ed institutions have all sorts of sensitive data on file, including student and faculty health records, bank and credit card information and student academic records. In addition to HIPAA and PCI-DSS, colleges and universities are subject to FERPA as well. FERPA protects students’ academic info, such as grades and attendance, in addition to personally identifiable information like names and addresses, from being published without their consent.
While no institution has yet been prosecuted for a FERPA violation, the shift to taking classes and working remotely via endpoint devices has created more risk for higher education institutions. With sensitive information moving from laptop to laptop over unsecured networks, as well as new platforms being introduced so business operations can be handled digitally, many colleges and universities have become easy targets for both cybercrimes and inadvertent insider threats.
Hiring and other HR processes, which are gold mines for all sorts of sensitive data, moved online due to the pandemic. Many companies saw this as an opportunity to search for talent across state lines, and why not? But it also meant that employees’ personal data was protected by their states’ privacy regulations, and companies were, and are, subject to the corresponding noncompliance penalties.
For example, any company with employees residing in California must adhere to the California Consumer Privacy Act, which, despite its name, also protects employee records. If an employee’s sensitive personal information were to be breached and the company was at fault, it’d be required to financially compensate that employee for damages. Additionally, companies must honor the right to request access or deletion of personal information guaranteed by the CCPA. With endpoint devices in the picture, it’s easy for personal information to be duplicated and forgotten, and while not intentional, this data existing after a request for deletion has been made is still a violation. What’s more, data that’s been forgotten is likely not protected properly and can be easily compromised.
As remote work continues, so will digital hiring, and it’s important to protect the sensitive information that’s transmitted from endpoint to endpoint in the process.
How to strengthen endpoint data protection
Now that you know why endpoint data protection is more important than ever, here’s how you can fortify your own efforts.
Promote awareness of endpoint security to all employees
Employees need to understand what’s at stake in order to ensure they’re working from endpoint devices in the safest way possible. Communicate the actions and behaviors that could put sensitive data at risk of compromise, such as working from public or other unsecured networks, signing into a work account from a new or unfamiliar device, falling prey to a phishing attack or simply downloading a piece of data and not discarding it properly once it’s no longer useful.
Implement a data lifecycle management solution
A data lifecycle management (DLM) solution is one of the most effective endpoint data protection tools out there. It can accurately discover data wherever it exists across your organization, from laptops and cloud repositories to operating systems and third-party applications. After discovery, a DLM solution classifies data based on its level of sensitivity so it can be protected in accordance with regulatory standards and continuously monitored by IT and governance teams. Finally, a DLM can remediate any data that’s been duplicated or modified on endpoints and safely destroy data that’s no longer useful to help maintain compliance, ensuring it doesn’t become a gateway to compromise.
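As an added illustration (not Spirion's code or any product's implementation), the Python below runs the discover and classify steps over two constructed files: it finds card-number and Social Security number candidates, discards false positives with a Luhn check and SSA issuance rules, and reports masked findings. The file names, the `restricted`/`unclassified` labels and the regulation tags are assumptions chosen for the example.

```python
import re

# Candidates: 13-19 digits with optional space/hyphen separators, and AAA-GG-SSSS SSNs.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Regulation tags follow the article's examples; the mapping is an assumption.
REGULATION = {"card_number": "PCI-DSS", "ssn": "GLBA"}

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """The SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def mask(digits):
    """Keep only the last four digits so the report does not copy the data."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text):
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", mask(digits), REGULATION["card_number"]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", mask("".join(m.groups())), REGULATION["ssn"]))
    return findings

def scan_files(files):
    """Return {path: (label, findings)}; the labels are hypothetical sensitivity tiers."""
    report = {}
    for path, text in files.items():
        found = scan_text(text)
        report[path] = ("restricted" if found else "unclassified", found)
    return report

# Constructed sample content standing in for files left on a laptop.
SAMPLE_FILES = {
    "Downloads/export_2021.csv": "name,card,ssn\nA. Example,4111 1111 1111 1111,123-45-6789\n",
    "Desktop/notes.txt": "Order 1234 5678 9012 3456 shipped; ref 000-12-3456\n",
}

if __name__ == "__main__":
    for path, (label, found) in scan_files(SAMPLE_FILES).items():
        print(path, label, found)
```

The second file shows why validation matters: both of its digit strings match the patterns, but neither passes the checks, so the file is not flagged.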
Protect your endpoint devices with Spirion
Spirion’s suite of data lifecycle management tools allows enterprises to embrace remote work with endpoint data protection at the forefront. It automatically discovers sensitive data wherever it lives across an organization, including employees’ laptops, so it can be strategically secured, accurately classified, constantly monitored and safely remediated. Set the stage for optimized security and compliance with Spirion. Learn more today.