How to Upgrade Endpoint Security


Is your small or mid-tier business considering upgrading its endpoint security? If so, ensure the choice is aligned with the strategic objectives of the enterprise. What is the value of the assets being protected (the device, the data, and the cost to replace or recreate the data)? A search committee of key representatives from departments should be created to gather data from stakeholders (e.g. business unit leaders, critical users, and select members of the C-suite). Their answers are compiled to create evaluation criteria for endpoint security products from vendors. A private information security consultant should assist the committee in shaping the search and selection process from an external perspective.

Influence of Broadband

The proliferation of broadband, with its widening bandwidth, increased speed, and means to connect to resources beyond the LAN or WAN, has opened the door wide to cyberthreats arriving daily from anywhere in the world; the operator of the C2 channel is often far removed from the frontline attackers. As SMBs scale their use of cloud computing services, and select staff work remotely from client sites or home, the value of traditional signature-based antivirus/anti-malware agents as a layer of defense has dropped dramatically. Redundancy of data, hard drive encryption (via TPM), NextGen anti-malware, user awareness training, and best practices in security hygiene are part of a defense-in-depth architecture derived from the enterprise's information security program. The end goal is to protect endpoints, which is done through endpoint security and information security hygiene.

Strategic Alignment

A structured process for evaluating information technology tools (e.g. software, computer-based training providers) for an enterprise, one that is well thought out, properly carried out, and endorsed by the CTO or CIO and the COO, is critical to helping the enterprise realize its operating objectives (a/k/a strategic alignment per ISACA's CGEIT). Its use should fall within IT governance policies, its performance should be measurable through key performance indicators (KPIs) and key goal indicators (KGIs), and the vendor should provide adequate support for their tool to ensure customer success. The total cost of ownership (TCO) should be justified within the budgets of the stakeholders. Evaluation should follow a simple, repeatable procedure yet offer clear justification to adopt or reject each vendor; the outcome of selection should be free of reasonable doubt. It is suggested that each criterion be scored on a five-level scale of how well the tool meets it: severely fails, slightly fails, meets, somewhat exceeds, robustly exceeds.

[Figure: Risk Pyramid]

Before embarking on vendor evaluation, it's critical to understand the data being protected and the external threats that could compromise data and computing devices. A SWOT analysis of the defense-in-depth architecture in production and of the external threat landscape identifies the features and functionality required from endpoint security. The risk pyramid (above) suggests the features needed from an endpoint agent. Jones (2016, Sep 26) notes that "the likelihood of an attacker directly breaking into your network over the wire is much less than from [common] theft or loss of a laptop"; the latter is the more likely event. It's pertinent to note that effective security is delivered via integrated layers, creating barriers for attackers to overcome before they reach valuable data or devices. Jones (2016, Sep 26) suggests six key layers, the first of which is antivirus/encryption. On-board endpoint security should be just enough to reach the goals; its cost should not exceed the value of the assets it protects. Redundancy of data, login passwords, hard drive encryption, and information security hygiene help cut the cost of security. (Note: data that has been made redundant can be restored easily after a computing device has been cleaned or replaced.)

A perspective on endpoint security for CPA firms is used as an example. David Jones published an article on 09/26/2016 about [CPA] firm management entitled "A Practical Approach to CPA Firm Cyber Security", in which he said: "The cyber-threat landscape has evolved considerably over the last 5 years into something that most small CPA firms find overwhelming". The nature of CPAs' work makes them inherently vulnerable to cyberattacks. Therefore, it's imperative to have endpoint security that stops an attack once it has been initiated. A broad and general picture of computing habits at small to mid-tier CPA firms includes working from an office, working remotely from client sites (and home) via laptops, and reading files from a server or cloud service provider on mobile devices. Broadband has enabled migration to file storage in the cloud vs. the traditional VPN into an on-premise file server. The most important company asset is client data, which is accessed more and more often from laptops and mobile devices. Endpoint security would protect servers, file sharing from the cloud, desktop computers, laptops, tablets when needed, and smartphones. Email security is related to endpoint security; endpoint agents scan email attachments for malware or indicators of compromise before they are opened. (Subscription-based voice-over-IP telephony is becoming more commonplace, yet its cyber security will not be discussed in this post.) An endpoint agent should defend silently in the background, foster user productivity, offer timely visibility of endpoint activity through the admin console, provide both on-demand and scheduled reports, and be cost-effective.

[Figure: Evaluation criteria]

Structured Evaluation

Any information technology tool worth adopting must pass a structured evaluation that compares features against agreed evaluation criteria; this post identifies ten criteria, weighted by importance and totaling 100%, to produce a weighted aggregate score; the weights should be adjusted to align with the strategic objectives of the enterprise. The concepts of COBIT 5 (e.g. its steps to govern and manage IT) can be useful to drive the creation of the evaluation criteria and their weighting. COBIT 5 can inform decision-making about how the function of the tool can meet the expectations of the stakeholders it will serve.

Functionality of an endpoint security tool must be aligned with the operating needs of the business units making up the enterprise. Aggregate the cost per asset (e.g. device, data, Average Loss Expectancy, cost to replace or recreate the data). What would the data be worth for sale if lost? The aggregate value [of the devices and data] should be divided by the number of endpoints in production, producing a value per device to compare against the cost of endpoint security per device. (It's noteworthy that a tool that meets the key criteria yet is unsupported by the vendor creates an inherent risk in its use that stakeholders may not want to assume.) TCO includes the costs to install, onboard, train (admins and users), maintain, support, and decommission the tool within its lifecycle. (It's also noteworthy that endpoint security is one layer of information security hygiene.) Your search committee should compile the results of discussions with stakeholders, critical users, and select executive staff to reach consensus about the critical and sensitive nature of the data protected; this will guide the search committee in creating a short list of choices considered for adoption that meet or exceed a percentage threshold of the weighted aggregate score of the evaluation criteria; the remaining percentage would be covered by other facets of the firm's information security program.
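The scoring method the two paragraphs above describe (ten weighted criteria totaling 100%, each scored on the five-level outcome scale, a shortlist threshold on the weighted aggregate, and a value-per-endpoint figure compared against cost per endpoint) is simple enough to pin down in code. The following is an added example and not part of the original post: the criterion names, the weights, the vendor ratings, the numeric values assigned to the five outcome levels, the asset values and the threshold are all constructed, hypothetical inputs; a real search committee supplies its own.

```python
"""Weighted vendor scoring for an endpoint security evaluation.

Added example, not from the original post. Every name and number below is
a constructed, hypothetical input chosen to exercise the method the post
describes: weighted criteria summing to 100%, a five-level outcome scale,
a shortlist threshold on the weighted aggregate score, and a
value-per-endpoint check against the cost of protection per endpoint.
"""

# Five-level outcome scale from the post, mapped to 0..1 so that "meets"
# sits mid-scale. This numeric mapping is an assumption, not the post's.
OUTCOME_SCALE = {
    "severely fails": 0.0,
    "slightly fails": 0.25,
    "meets": 0.5,
    "somewhat exceeds": 0.75,
    "robustly exceeds": 1.0,
}

# Ten constructed criteria with weights in percent; they must total 100.
CRITERIA_WEIGHTS = {
    "malware detection": 15,
    "behavioural/NextGen detection": 12,
    "encryption integration (TPM)": 10,
    "email attachment scanning": 8,
    "admin console visibility": 10,
    "reporting (on-demand and scheduled)": 8,
    "endpoint performance impact": 10,
    "vendor support": 10,
    "mobile/laptop coverage": 9,
    "TCO per endpoint": 8,
}

# Constructed ratings for three hypothetical vendors. Each starts from
# "meets" on every criterion and overrides a few.
VENDOR_RATINGS = {
    "Vendor A": dict.fromkeys(CRITERIA_WEIGHTS, "meets"),
    "Vendor B": {**dict.fromkeys(CRITERIA_WEIGHTS, "meets"),
                 "malware detection": "robustly exceeds",
                 "behavioural/NextGen detection": "robustly exceeds"},
    "Vendor C": {**dict.fromkeys(CRITERIA_WEIGHTS, "meets"),
                 "vendor support": "severely fails",
                 "TCO per endpoint": "robustly exceeds"},
}


def validate_weights(weights):
    """Reject a weighting scheme whose percentages do not total 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criteria weights total {total}%, expected 100%")


def weighted_score(ratings, weights):
    """Weighted aggregate score in 0..100 for one vendor's ratings.

    Every criterion must be rated, and every rating must be one of the
    five outcome levels; anything else is a data-entry error, not a score.
    """
    validate_weights(weights)
    score = 0.0
    for criterion, weight in weights.items():
        if criterion not in ratings:
            raise ValueError(f"missing rating for criterion: {criterion}")
        level = ratings[criterion]
        if level not in OUTCOME_SCALE:
            raise ValueError(f"unknown outcome {level!r} for {criterion}")
        score += weight * OUTCOME_SCALE[level]
    return score


def shortlist(vendors, weights, threshold):
    """Vendors whose weighted score meets the threshold, best first."""
    scored = [(name, weighted_score(r, weights)) for name, r in vendors.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, score) for name, score in scored if score >= threshold]


def value_per_endpoint(total_asset_value, endpoint_count):
    """Aggregate asset value spread across the endpoints in production."""
    if endpoint_count <= 0:
        raise ValueError("endpoint count must be positive")
    return total_asset_value / endpoint_count


def cost_is_justified(cost_per_endpoint, total_asset_value, endpoint_count):
    """The post's rule of thumb: protection should not cost more than the
    value of what it protects, compared per endpoint."""
    return cost_per_endpoint <= value_per_endpoint(total_asset_value, endpoint_count)


if __name__ == "__main__":
    for name, score in shortlist(VENDOR_RATINGS, CRITERIA_WEIGHTS, threshold=60):
        print(f"{name}: {score:.1f}")
    # Constructed figures: 150 endpoints, $450,000 aggregate asset value,
    # $45 per endpoint per year for the tool.
    print("cost justified:", cost_is_justified(45, 450_000, 150))
```

With these constructed inputs only Vendor B clears a 60-point threshold: Vendor A scores 50.0 (it "meets" everything), Vendor B 63.5, and Vendor C 49.0, because a severe failure on vendor support wipes out that criterion's entire weight, which is exactly the inherent-risk point made above. Adjust the weights and the threshold to reflect the enterprise's own priorities; the validation step stops a committee from quietly scoring against weights that no longer add up.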

Cost-Benefit Analysis

Any information technology tool considered must pass a cost-benefit analysis to justify its adoption and to meet the budget limitations of departments. TCO should be just right for the intended use. Costs may be the sum of departmental budgets controlled by stakeholders with separate interests. A cost-benefit analysis should include whether a less expensive tool could serve stakeholder needs sufficiently. Group vendors by tier of service (e.g. 1, 2, 3, 4) so that they are compared on equal terms.

Findings and Recommendations

[Figure: Evaluation criteria weights]


The search committee should present their findings over a few paragraphs; vendor selection should be made with due care. The narrative explains the results of their research and outlines the endpoint security product offered by each tier of vendor. Recommendations are aligned with the strategic objectives of the search project. As noted above, redundancy of data, hard drive encryption (via TPM), NextGen anti-malware, user awareness training, and best practices in security hygiene are part of a defense-in-depth architecture derived from the enterprise's information security program. The evaluation should be formally presented first to the relevant managers in the IT department, with the final version presented to the CTO or CIO and the CISO for their endorsement and political support. The CTO or CIO should then present it to the COO for their endorsement and support. The final report should be presented to the stakeholders in a formal meeting, with a memo of support from the CTO or CIO, the CISO and the COO. Two consecutive proofs of concept are recommended with the finalists, each sampling the population of endpoints over a three-month period. The firm's senior leadership needs to decide what their budget can afford for the initiative within the scope of endpoint security, including the costs of computer-based user-awareness training and information security hygiene.

Thank you for giving this topic your time, attention and consideration; I trust there are takeaways to use. If you're interested in conducting a search to upgrade the endpoint security of your small or mid-tier business, please click Request a Consultation at the base of this page, fill out "Endpoint Security" in the subject line, and include the email signature of your CIO, CTO, CISO or COO in the message body; I reply within 24 hours to arrange an exploratory conference call.