An endpoint, put simply, is any device connected to your business network. The most common examples are laptops and mobile devices, but smart speakers, lighting and heating are becoming increasingly commonplace in offices as well as homes.
In 2018, there were more than 23 billion internet-connected devices active worldwide. This number is set to more than double and is projected to reach more than 50 billion in just four years’ time. With internet speeds and online accessibility continuing to increase, the number of endpoints on your network will also grow, making management a genuine challenge for SMBs in the short-term future.
With so many potential weak spots that could expose your business to data breaches, it is clear that simply running traditional antivirus and firewalls is not enough to keep your data secure anymore. These software tools are still crucial for identifying instances of malicious code and removing malware, but should be implemented as part of a wider-reaching security policy.
These four steps identify measures that businesses owners can implement alongside software solutions to ensure that staff and customers alike are effectively protected.
1. Establish a data policy
As investments in dedicated IT staff and complex security solutions continue to increase, it is vital to consider the smaller aspects that could be used to gain access to your network. Any system can only ever be as strong as its weakest link and, of the five main causes of data breaches, four are related to human error. To truly minimise the issues around endpoint security, the users are the best place to start.
By developing a transparent data policy, anyone who is given access to your network will understand what is expected in terms of their conduct. In most cases it is small, habitual changes that will make the greatest difference. For example, users should be encouraged to install security patches and updates as soon as they become available, rather than delaying because of the inconvenience of not being able to use a device. A data policy is especially important for companies that allow employees to use their own devices for work. These employees should agree to a BYOD policy that further formalises their security responsibilities.
Similarly, the policy around passwords should be clear. All passwords need to be both complex and regularly updated. However, simply enforcing this rule without understanding the realities of its implementation could result in staff struggling to remember the complex passwords for their apps, laptop and accounts. This could mean that they begin writing passwords on post-it notes to help them remember – relegating an important policy change to red tape that is tolerated rather than invested in.
Understanding the needs of the people expected to implement the policy on a day-to-day basis is the best way to ensure that it is supported. In this case, providing a password management tool would not only ensure passwords were strong, but also generate replacements. Staff would then only need to remember one complex password.
2. Secure your IoT devices
While it used to be just desktop devices, printers and servers, the number of devices connected to a business’ network has increased dramatically as the way people work has been influenced by new technologies. But this is not just about increases in mobile working.
The Internet of Things has seen a dramatic increase in the use of automation for features such as lighting and heating, with Juniper estimating that there will be more than 50 billion connected devices by 2022. While this brings the benefit of convenience, these devices are not always considered endpoints, when they are actually some of the most vulnerable devices on your network.
When setting up a new smart device, it is likely that security is not the first thing that comes to mind. This means that, in many cases, default passwords are used during setup and then not replaced with an effective backup. This is the equivalent of leaving your front door on the latch: it may look secure from a distance, but the slightest attempt to open it would give easy access.
Hackers do not care what the device is; if it is not secured then is it offering backdoor access to your network. A security policy will help to ensure security not only on personal devices, but in the wider office. Those responsible for fixtures and fittings need to ensure that smart devices are also treated with the same degree of security consideration as laptops and servers. As a starting point consider running an IT Security Health Check tool to identify potential weaknesses in your existing network.
3. Keep backups
In recent years, ransomware has become a familiar term due to high-profile attacks like WannaCry and NotPetya. In these attacks, international companies and governments only discovered that their devices had been breached when a message popped up threatening to encrypt or delete files unless a ransom was paid.
For most companies this may seem like a disastrous situation and many feel compelled to comply with the demands. Despite this, a 2018 report found that more than half of those who paid the ransom did not get any of their data back. As bad as this sounds, this is a threat that can be significantly reduced with one simple measure.
By keeping complete, secure backups of your data outside the main network, the threat of losing data from a ransomware attack is minimised as you can simply reinstall the infected devices and restore your data. This method might mean you lose some of the most recent data that had not yet been backed up and require dedicating a number of hours to restoring infected devices, but is certainly preferable to losing large amounts of sensitive data.
4. Be proactive
Endpoint security is a continually evolving challenge. For this reason, the best tactic for minimising security risks is to be prepared. Alongside your data policy should be a detailed crisis response strategy to ensure that, in the event of a data breach, the threat can be swiftly contained, preventing its spread and minimising the damage it could cause.
For this to work effectively, all members of staff need regular training on how to identify suspicious activity and be confident enough to report it. Even if this means a number of false alarms, it is better that staff feel able to warn of red flags rather than second-guessing their judgement and not saying anything.
Crisis management also needs to reach beyond your own staff. Should a breach occur, clients and customers who may be affected should be informed in the most swift and transparent way possible. With so many data breaches occurring, your company is unlikely to suffer any irreparable damage to its reputation so long as your crisis response is clear and concise.
While it might seem intimidating at first, there are plenty of simple steps that businesses can take to improve their security. Endpoint security software will help to ensure that devices are regularly updated and protected, but the key to minimising risk is everyone in the business understanding that security is a joint responsibility and committing to doing their part.