3 ways to improve PC security

Insider Pro columnist Jack Gold writes that organizations must focus on three key areas if they want to protect their PCs -- and ultimately the entire organization -- from security breaches.

Companies continue to struggle with ensuring their PCs are protected from malware attacks, data breaches and miscellaneous “bad actor” attacks (e.g., ransomware, identity theft, data exfiltration). A new revelation of a security breach seems to come every day.

While there are literally hundreds of add-on security solutions in the marketplace, it’s difficult to know if the PC end-point devices themselves are being maximally protected. Should enterprises expect their PC vendors to secure them? The answer is, yes, and enterprise-class device makers are doing a lot, which is not always apparent to organizations purchasing devices.

Data breaches are very costly. In a recent survey we (J.Gold Associates, LLC) conducted of SMB companies in 16 countries, the average cost of a data breach was $103,000. While this is small by large enterprise standards (which could easily be in the millions), it represents a major impact to companies in the fewer-than-100-employee range. In many instances, companies incurring such a cost would never recover and eventually go out of business.

All organizations, no matter how small or large, must focus on preventing security threats. And if you think you’re not affected, our research determined that 70 percent of companies indicated they’ve had a security breach. The research also showed that there was a major correlation between how likely a PC is to have a breach and how old the machine is. A 2-3-year-old machine had twice as many data breaches or malware attacks as a 1-2-year-old machine, and a PC that was 5 years old had six times the security incidents of a 1-2-year-old machine.

Clearly, older is not better. But while age is a major determining factor, because older machines lack many of the security improvements newer machines incorporate, it’s not enough to just acquire new machines without also understanding what they do to protect themselves. There are three areas where organizations must focus if they are to protect their PCs, and ultimately the entire organization, from security breaches:

  1. Hardware
  2. Software (including the OS and apps)
  3. Services

Below is a brief overview of some things to look for.

Security step 1: Hardware -- keep away from consumer grade products

In the hardware space, companies should look to not only what’s available from the CPU vendors powering the machine that enhances security (e.g., Intel’s SGX technology for vaulting critical system level code, or vPro for enterprises with enhanced capabilities), but also specific additions from the PC vendor (e.g., HP’s multi-component Sure Suite of security products including SureStart for BIOS protection and Sure Recovery for OS level protection, or Dell’s SureBoot that protects against BIOS attacks and manipulation).

Further, it is essential to make sure that the PC includes a hardware “vaulting” system that safeguards against tampering with critical identity and boot components beyond the BIOS (e.g., Dell SureID, HP SureStart). However, most of the security protections listed above are reserved for enterprise-class devices (e.g., Dell Latitude, HP EliteBooks), so organizations purchasing consumer-level products will not be able to avail themselves of these increased protections.

My advice is to always deploy enterprise-class PCs. They will cost a little more, but will offer much better security, not to mention their likely higher reliability and longer life.

Security step 2: Software -- turn to machine learning and third-party help

At the software/application level, several components need to be evaluated and employed. One of the main infiltration points for security incidents is through browser attacks. To this end, HP implemented its SureClick technology, which essentially creates a virtual machine for each instance of a browser, so that no malicious code can be transferred to the core machine systems. Equally critical is the need to monitor what the PC is actually doing, especially when dealing with files and/or email attachments.

A machine learning (ML) approach, such as Dell’s Endpoint Security Suite (through a partnership with Cylance) and HP’s Sure Sense, monitors the operations and looks for any anomalous behaviors. The system is continuously learning, not only from the machine it’s installed on but also by analyzing data from millions of other machines in the cloud and applying that to the protection analysis. Once it detects a problem, it can shut down any malicious activity.

There are, of course, many additional components from third parties that can be applied to prevent attacks. Traditional antivirus suites (e.g., Symantec, McAfee) can improve overall security protection and fill a void that ML systems may not be able to protect against (e.g., older-style signature-based systems are more appropriate for detecting and eliminating older-style viruses that are still prevalent today). PC vendor systems, while good, are only one component of the overall corporate security strategy and architecture necessary to fully protect the organization.

Security step 3: Services -- ideal for businesses with limited security expertise

Finally, the PC vendors also offer continuous security monitoring and prevention services (e.g., Dell Data Guardian services and a new relationship with CrowdStrike, and HP Device as a Service). These services are most useful for companies that do not have an extensive security organization and/or as a component of an increasingly attractive PC lifecycle leasing and management plan.

Security services are growing in popularity, especially as the threats expand and many companies no longer want to devote the substantial resources necessary to manage endpoints. Your organization should evaluate these additional cost-effective services, especially if you have limited security expertise in house.

Bottom line: Enterprises large and small must focus on protecting their most important asset: their data. Breaches are costly and can cause major disruptions in employee productivity and customer loyalty. It’s a smart investment to look at acquiring PCs that offer the maximum protections from enterprise-class vendors.

The additional cost will be more than outweighed by the elimination of potential data breaches and malware attacks, offering a significant return on investment. And those companies not confident in their own security resources would do well to employ the professional monitoring and management services offered by the vendors.