In recent years, the protection of sensitive information has become mandatory for most companies, regardless of where in the world they operate. A new wave of data protection legislation, spearheaded by the EU’s General Data Protection Regulation (GDPR), has made companies legally liable for protecting sensitive data such as personally identifiable information (PII).
At the same time, sector-specific laws have appeared, such as HIPAA, which governs protected health information in the US, alongside industry standards such as PCI DSS, which governs cardholder data globally. Failure to comply with these laws and standards can lead to regulatory fines and lost business, and noncompliant companies can be barred from participating in lucrative bids.
As a consequence, data protection has become a top priority for many companies. When developing their cybersecurity strategies, organizations must not only define what sensitive data means to them in the context of their sector and national legal framework, but also consider the three states data can be in:
- Data at rest: data stored persistently on disks, databases, backups, or removable media and not currently being processed or transmitted. Much of it is archived or rarely touched, but it also includes the working files on every employee’s laptop.
- Data in use: data being actively processed, loaded into memory and read or modified by applications and users.
- Data in transit: data moving between systems, whether inside the corporate network or across the internet to cloud services and third parties whose security the company does not control.
Why Data at Rest Needs to be Protected
Data in transit, or data in motion, is usually considered the most exposed state because it leaves the corporate network and crosses potentially insecure channels, for example on its way to cloud storage or third-party service providers with laxer information security policies. Without transport encryption, data in motion can also be intercepted or altered by Man-in-the-Middle (MITM) attacks that target it as it travels.
However, while data at rest sits inside the company network and under its security controls, it is still at risk from both malicious outsiders and insider threats. Data at rest is often the more attractive prize for cybercriminals: a compromised file server or database yields far more records than can be captured from packets in transit, and many of the most damaging data breaches of the last ten years have involved the theft of data at rest. Malicious insiders target data at rest for the same reason outsiders do: it represents a bigger payday.
Data at rest is also particularly exposed to employee carelessness. If a company device is lost or stolen and its disk is not encrypted, the operating system login offers no protection: whoever has the device can boot it from a USB flash drive, or move the drive to another computer, and read every file on it. This became a particularly relevant issue during the COVID-19 pandemic, when most companies were forced to let employees work remotely and take company-issued devices home with them.
Securing Data at Rest
Conventional antivirus software and firewalls are the most common security measures used to protect endpoints and the data at rest on them. However, they do not stop phishing or social engineering attacks that trick individuals into revealing credentials and sensitive information, and they do not protect sensitive data from insider threats. Access control is an effective complementary measure: allowing only employees who need sensitive data to perform their duties to store it locally shrinks the number of devices on which that data can be found and stolen.
One of the best and easiest ways companies can start protecting their data at rest from employee carelessness is full-disk encryption. Operating systems’ native tools such as Windows’ BitLocker and macOS’ FileVault encrypt employee hard drives, ensuring that someone who steals or finds a company device cannot read its contents without the encryption key, even when booting the computer from a USB drive. Two caveats apply in practice: disk encryption protects a device that is powered off, while a machine that is running or sleeping with the key in memory is protected only by its lock screen, so pre-boot authentication (for example a BitLocker PIN) is worth enforcing where the risk warrants it; and recovery keys must be escrowed centrally, for example in the directory service or MDM, so that a forgotten password does not turn encryption into permanent data loss.
Using Data Loss Prevention Tools to Protect Data at Rest
Companies can go one step further: to secure data at rest, they can use Data Loss Prevention (DLP) solutions that block or limit the connection of USB sticks, mobile devices, or removable storage drives altogether. In this way, malicious USB devices cannot be connected to a machine to infect it, and data cannot be exfiltrated via storage devices. Note that an agent running inside the operating system cannot stop someone from booting the machine from a USB drive; that has to be prevented in firmware (disabling USB boot and setting a firmware password) and, as a backstop, by disk encryption. Some solutions like Endpoint Protector even offer enforced encryption features that allow employees to use company-approved USB devices but ensure that all files copied to them are encrypted.
Using content inspection and contextual scanning, DLP tools can also search for sensitive data based on predefined or custom content, file names, or particular compliance profiles across hundreds of file types stored locally on employees’ computers. Based on the results, remediation actions can be taken: the sensitive data found can be encrypted or deleted to ensure that it is not stolen or misused. DLP solutions thus offer a way of controlling sensitive information on employees’ computers remotely, removing it when access to it is no longer desirable, and acting as an additional layer of security in data management.
It is clear that protecting only one state of data, whether in motion or in use or both, and ignoring data at rest can lead to disastrous consequences. Therefore, it is essential that companies look for all-inclusive solutions that deal with all sensitive data, no matter what state it finds itself in.
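To make the content-inspection step concrete, here is a small scanner of the kind a DLP agent runs over local files. It is an added example, not code from Endpoint Protector or any other product; the directory layout, file names, and sample records are constructed for the demonstration. It walks a directory, skips binaries, flags payment-card numbers (validated with the Luhn check so that arbitrary 16-digit strings are not reported) and US SSN-shaped values, and reports only masked values so the scan log does not itself become sensitive data at rest.

```python
"""Minimal content-inspection scanner for data at rest (added example).

Assumptions made for this example: files are UTF-8 text, and "sensitive"
means a Luhn-valid 13-19 digit card number (PAN) or a US SSN-shaped value.
A real DLP product parses hundreds of file types and ships compliance
profiles; this only shows the core matching and remediation-reporting logic.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN: AAA-GG-SSSS; reject area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


@dataclass
class Finding:
    path: str
    kind: str
    value: str  # masked: only the last four digits are kept


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_text(path: str, text: str) -> list[Finding]:
    """Return findings for one file's text content."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # The Luhn check removes most false positives (order IDs, phone numbers).
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(path, "PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(Finding(path, "SSN", mask(m.group())))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000) -> list[Finding]:
    """Walk a directory and inspect every readable text file under it."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue  # unreadable or vanished; a real agent would log this
            if b"\x00" in raw:
                continue  # binary file; real tools parse these formats
            findings.extend(inspect_text(path, raw.decode("utf-8", "replace")))
    return findings


def demo() -> list[Finding]:
    """Scan a constructed temp directory: one card, one SSN, one decoy."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real customer data
            "notes.txt": "Customer card 4111 1111 1111 1111 exp 12/27\n",
            "ids.csv": "name,ssn\nA. Person,123-45-6789\n",
            "orders.log": "order 1234 5678 9012 3456 shipped\n",  # fails Luhn
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind} in {os.path.basename(f.path)}: {f.value}")
```

The decoy in `orders.log` is what separates content inspection from a plain regex grep: it is 16 digits long but fails the Luhn check, so it is not reported, while the Luhn-valid test number in `notes.txt` and the SSN in `ids.csv` are. A real deployment would feed the findings into a remediation step (encrypt, quarantine, or delete the file) rather than just printing them.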