Wednesday, January 20, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Compliance

Endpoint Security Won’t Solve All Your Needs

by Carlos Pelaez
June 1, 2015
in Compliance
Endpoint Security Won’t Solve All Your Needs

Companies are rushing to buy endpoint security and may be misinformed when it comes to the remaining risks. Vendors that produce endpoint security have a self-serving interest to make statements that mislead the buyer into believing that their solution will put them out of scope from compliance needs or that the risk of a breach is properly covered.

The reality is that endpoint security is only one tool in an arsenal that companies should use. Yes, endpoint security is a good thing. However, so are other key IT security tools and methods, such as:

  • Network Segmentation—where the network is divided into smaller sized portions so that the strongest security resources can be focused on the network areas with the critical data.
  • Whitelisting Applications—allowing only pre-authorized applications to run and restricting every other process at the CPU level to lock down any potential virus or malware.
  • Least Privilege Access—a security approach where users are only able to do enough to get their job done and not are not granted access to do anything more than what is required. This restricts data and systems to a need-to-know basis.

In addition, endpoint security will not remove your organization from scope or compliance regulations. While encrypting the data and securing the devices that can extract the data is important, compliance is still required and will include many other factors. For example, endpoint security will not resolve the following common compliance areas:

  • Change Management—the process for making changes to systems, applications and other IT offerings that are used by end users and customers.
  • Logical Access—administering user IDs and passwords and removing users when they leave the company, which requires role-/group-based security to administer and restrict access.
  • Disaster Recovery Planning—in the event of emergency, the IT systems will need to be restored in an alternative location so that the business can continue to operate.

The misconception that endpoint security will solve everything cybersecurity-related is not unexpected. There are numerous risks around losing data that endpoint security accommodates. For example, if the data is encrypted in a way that makes it inaccessible to any unapproved or unauthorized device, it can help keep that data safe. However, the data can still be removed by someone who works at the organization and has access to the corporate network. This insider threat can be a significant risk. The insider may take the data intentionally. For example, Snowden took hard drives and other data from the NSA that had been encrypted because he had the keys to unlock them. Other times it may be accidental, such as from malicious software that has taken over a computer and leaks the data onto the Internet. Another benefit touted by vendors of endpoint security is that only authorized devices can access the network, which reduces the possible attack surface for an organization. This is a great perspective on security, but its specific benefit can be reduced when a device is stolen, when it is taken over by malicious software or when the security keys that mange endpoint security are compromised. The use of endpoint security often resolves one potential threat, but it then makes another area even more critical, such as key management.

Key management in endpoint security relates to the ability to decode the encrypted data and allow users to access it. Those keys must be guarded, and the risk that organizations will purchase endpoint security and forget to focus on this step is high. Once organizations invest in security tools, they begin to feel secure, and this false sense of security is a significant trap. It is very common for organizations not to know all of the methods for key management and for complacency to set in because the latest tool purchased was thought to keep the organization safe.

Ultimately, endpoint security is only one of many tools and should not be accepted as a panacea to all of the organization’s cybersecurity risks. Endpoint security should be approached as a powerful tool, but the enthusiasm that drives an organization to purchase it and implement it should also drive them to clearly understand how it maps to their needs. The solution should be mapped to specific compliance areas and compliance controls. The solution should also be architected in a way that it shows how all of the security tools and procedures come together to provide a more secure environment. Endpoint security will not solve every problem, but it is a good tool and it should also be supported with a holistic cybersecurity strategy.


Previous Post

OMG! #SocialMedia & #Compliance? ROFL!

Next Post

5 Tips for Companies on Navigating Facilitation Payments in India

Carlos Pelaez

June 1 - Carlos PelaezCarlos Pelaez is the National Practice Leader for Coalfire’s practice area focused on serving Service Organizations and Internal Audit departments. He provides the framework and methodology to local audit teams so that they may be well equipped to validate compliance and cyber-security needs for cloud based solutions.

Related Posts

hand showing three fingers on gray background

A Culture of Compliance: The 3 R’s

January 19, 2021
2021 with light bulb in place of zero on orange background

Why 2021 is a Fresh Start for Compliance Training

January 18, 2021
wrench with 100 dollar bills

DOJ Launches 2 Criminal Prosecutions of Illegal No-Poach and Wage-Fixing Agreements

January 14, 2021
mobile health care app

Prioritizing Compliance Along Health Care’s Digital Transformation Journey

January 14, 2021
Next Post
5 Tips for Companies on Navigating Facilitation Payments in India

5 Tips for Companies on Navigating Facilitation Payments in India

Access realtime data

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management culture of ethics cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security internal audit KYC/know your customer machine learning monitoring regtech reputation risk risk assessment Sanctions SEC social media risk technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights