ARTICLES

Compliance. Check.

Health and hygiene are never far from people’s minds these days. Protecting ourselves from viruses is everyone’s business, not just those that work in healthcare or cyber security. Human health and the spread of viral diseases have always been helpful analogies for cyber security awareness, and while the criticality of a digital virus cannot possibly equal the human threat we’re facing today, cyber security is a top-line business risk and one which executives and boards of directors expect experts to handle.

For a business where a majority of users are employees, managing the health and hygiene of devices and endpoints is challenging enough. But for businesses with high percentages of contractors, franchisees, or independent agents, it’s trickier to demand specific cyber security controls and/or practices. The difficulty should not deter efforts, but the balance is loaded.

All of this being said, the cyber risk of conducting business with individuals and groups who need access to sensitive systems, files, documents, and other network services via personally-owned, unmanaged devices is high. This challenge isn’t unique to contractor/independent agent/franchisee situations, of course; security teams have been increasingly dealing with this problem since BYOD emerged over a decade ago. Today, with the work from home economy, security teams need more reliable ways to identify and handle risk from unmanaged, non-corporate devices than ever before.

Verification at the point of attack

AlertSec, a startup based in Palo Alto, CA was founded to take on this challenge. Initially inspired by the insurance market, in which independent brokers and agents are business-critical but not employees, co-founders Ebba Blitz, CEO, and Fredrick Lovstedt, spun off AlertSec from PointSec (a Check Point company) to help solve the problem of managing the risk of thousands (or hundreds of thousands) of personally-owned devices touching corporate resources. As encryption experts, Blitz and Lovstedt wanted to build a product that could check then enforce encryption at the endpoint.

“The challenge with the broker market is that you can’t force encryption—or any security control—in the same way you can with employees," said Blitz. “It would destroy the business model. But encryption is obviously really important. Knowing the health of the devices connecting into the corporate network is really important. You can’t just let anything connect and risk compromise, but it's hard to roll out encryption on hundreds of thousands of devices or full-stop deny access if encryption isn’t there, especially without any warning or guidance.”

AlertSec Ensure, the company’s newly-patented technology, launched to market in 2019, mitigates third-party device risk by first checking devices that are logging in to corporate systems then providing a series of steps to lead independent broker/agents through the process of implementing encryption on their devices.

“You can’t enforce encryption right off the bat,” said Blitz,” but with awareness and education, you can make the process a lot easier. Forty percent of broker devices don’t have encryption installed, so it really needs to be a smooth process.”

Deployment

AlertSec Ensure is deployed as two lines of code by the organization wanting to monitor and manage the health and access controls of unmanaged devices. These organizations could be insurance carriers, as was the initial target market, or it could be any organization in any industry: retail, healthcare, manufacturing, tech, etc. Every company deals in sensitive data and systems so no type of company is immune to the need for device encryption.

After installation, any device touching the interface is automatically connected with the Ensure server where the device encryption status is verified. The health check initiates a one-time download of an agent to the device, which provides the organization the ability to check the device’s encryption on every login attempt. Admins can immediately set Ensure to enforce mode, though Blitz and Lovstedt encourage companies to start with self-attestation and education—alerts, reminders, and security advice for users—before enforcing the requirement for encryption.

With encryption enforcement turned on, AlertSec prompts a download of BitLocker. Blitz says the BitLocker installation is guided and any user, even those with limited technical knowledge, can follow the step-by-step instructions. In enforcement mode, Ensure blocks unencrypted devices and gives admins the ability to monitor every device. AlertSec’s patent makes it so admins don’t have to enroll devices in any third-party MDM solution, which makes rollout and use simple.

Administration

AlertSec Ensure is encryption provider agnostic and supports all major browsers and operating systems. For smartphones running current versions of iOS and Android, Ensure verifies that login passcodes are activated before network access is granted and checks to see if the device has been rooted.

Blitz and Lovstedt emphasize Ensure's ease of use and highlight how the technology affords compliance with all the major cyber security laws and regulations, not to mention, adherence to industry best practices. When dealing with so many risks today, device encryption seems like one of the easier ones to tackle, especially with a tool like AlertSec Ensure that can be simply installed and used to check devices’ health and hygiene. It's one added layer of protection companies can turn on before allowing network access, and that can’t hurt.