How secure can endpoints get? The answer is, extremely secure. In many cases, workstations are only protected by a Windows login password and antivirus, and mobile devices are not protected at all. These two sole protections are very common in homes and businesses, but they’re simply not enough with today’s dynamic threats. Here are 14 ways to protect endpoints, the data on them, and the users behind them.
14 Ways to Improve Endpoint Security
- Absolute persistence - Formerly known as LoJack, this product is built into the BIOS of many business machines. Once activated, the machine can be tracked if lost, remotely wiped, and a ton of data and history can be collected about it. Reinstall Windows? It’s still there. Swap the hard drive? It’s still there. You can’t get rid of it. This product creates an anti-theft deterrent and an additional layer of tracking inventory and information about the inventory.
- BIOS passwords - Usually not activated, but once a very common method of protecting systems. BIOS-level changes can be prevented by setting administrative passwords on the system BIOS. Don’t allow just anyone who has physical access to machines to mess with these settings.
- Encryption - This one is HUGE. Many business machines are not encrypted, but they should be. An unencrypted hard drive can be pulled out of a system and all the data can be easily copied. Don’t let this happen. Encrypt your computers with BitLocker, which is already built into Windows 10 Pro. While you’re at it, set a BitLocker PIN, and don’t forget to back up the recovery key.
- Endpoint protection - An antivirus is good, but what’s better is a managed antivirus. A managed antivirus has a portal where all the machines are visible. Details about threats, metrics, and much more can be seen here. Don’t just install an antivirus and hope for the best. Use a managed product.
- Cyber AI - Protecting against viruses is great, but what about the other things that fly under the radar? Antivirus products may not spot custom malicious software that behaves oddly and attempts to steal data or cause harm. A cyber AI product will detect this behavior and report it to the SOC or IT team.
- Phishing training - This is another thing that most small and medium businesses don’t do but definitely should. Phishing is a gaping problem and many fall victim. Successful phishing can wreak havoc and result in heavy financial damage to a company. Phishing should be prevented by running regular phishing campaigns and related training.
- Backup - Many users store data locally. They shouldn’t, but it happens. Backing up endpoints is a great way to ensure that data don’t disappear if a hard drive fails.
- Data loss prevention - Nope, this doesn’t mean backup. Data loss prevention is a methodology to prevent company data from sprouting legs and walking away. It’s entirely too easy to copy company data and walk over to a competitor with it. DLP makes this difficult.
- Mobile device management - Hello? Is anyone managing these cell phones? Many companies allow users to configure their email on their mobile devices and then that’s it. What happens on those mobile devices is completely up to the users. That shouldn’t be the case. Using company email on a mobile device should include mobile device management. Users should be at minimum forced to have lock passwords on their devices and also upgrade to the latest operating systems as they become available to ensure the data on the devices stays as secure as possible.
- Log aggregation - Workstations keep logs of many activities, and eventually those logs are overwritten. Consider a log aggregation system to ensure these logs are kept for long periods of time. You never know when a log from a few months ago will need to be reviewed.
- Change tracking - Did someone pull half of their RAM out and then start complaining that their workstation is slow so they can get a new one? You’ll never know unless you’re tracking hardware changes.
- MFA - Multi-factor authentication is absolutely essential. Passwords get pwned or brute forced, but getting around MFA is very difficult for an attacker.
- Group Policy - Your head of accounting has been using the same 6-character password for a decade that’s also written on a crusty sticky note attached to their monitor. This isn’t great. Local group policies are needed to ensure password minimums are maintained and password rotation occurs. Also, disabling hard drive access to those USB ports wouldn’t hurt.
- No local admin - Allowing staff to install whatever they want on their computers is never a good idea. Prevent local admin access on their accounts and only allow approved software to be installed to prevent problems and support challenges.
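A read-only PowerShell audit of three items from the list above (BitLocker with a PIN and recovery key, no local admin, USB storage access), added here as an example and not part of the original article. The function names and the approved-administrators list are assumptions; run it from an elevated session on a machine that has the BitLocker module.

```powershell
# Added example: read-only checks; run from an elevated PowerShell session.

function Test-BitLockerPosture {
    # OS volume must be fully encrypted, protection on, with a TPM+PIN and a
    # recovery password protector. Presence of the recovery protector does not
    # prove the key was backed up; verify the escrow location separately.
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        Check  = 'BitLocker'
        Pass   = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted') -and
                 ("$($vol.ProtectionStatus)" -eq 'On') -and
                 ($types -contains 'TpmPin') -and
                 ($types -contains 'RecoveryPassword')
        Detail = "Volume=$($vol.VolumeStatus); Protectors=$($types -join ',')"
    }
}

function Test-LocalAdmins {
    # $Approved is a hypothetical allow-list; replace it with your own accounts/groups.
    param([string[]]$Approved = @('Administrator', 'Domain Admins'))
    # S-1-5-32-544 is the built-in Administrators group (its name varies by locale).
    $extra = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Approved })
    [pscustomobject]@{
        Check  = 'No local admin'
        Pass   = $extra.Count -eq 0
        Detail = if ($extra) { "Unexpected: $($extra.Name -join ', ')" } else { 'Only approved members' }
    }
}

function Test-UsbStorageDisabled {
    # Start = 4 means the USB mass-storage driver is disabled. Removable-storage
    # deny policies set through Group Policy live elsewhere and are not read here.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Check  = 'USB storage'
        Pass   = $start -eq 4
        Detail = "USBSTOR Start=$start"
    }
}

@(Test-BitLockerPosture; Test-LocalAdmins; Test-UsbStorageDisabled) | Format-Table -AutoSize
```

Each function returns an object with `Check`, `Pass` and `Detail`, so the same output can be collected from many machines and fed into the log aggregation or change tracking described above.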
You had no idea all this was possible. That’s OK, because you’re not an IT professional. Consider working with a partner that knows how these things work, and just as important, knows how to roll these out to a team with minimal annoyance and maximum endpoint protection.