In early 2020, millions of people started working remotely for the first time on their companies’ laptops and mobile devices.
And with millions of these devices now offsite, this threw but one more wrinkle in tech support’s security plans—in addition to worrying about insecure networks and malware attacks, IT also has to now safeguard against physical theft.
Yes, device encryption is the logical fail-safe for such a scenario and a must-have for any remote IT setup. Yet, being able to encrypt devices at scale—and with limited disruption to employees—isn’t so easy, especially for organizations that have stringent security protocols and employees that are unaccustomed to working offsite.
We set out to change this problem for our customers.
In particular, in March of 2020 a European security agency, who asked to remain anonymous, used Nexthink to help guide their employees through a complicated and disruptive multi-step encryption process in record time.
In this article, I will show how this particular customer did it, and how Nexthink can speed up the device encryption process and help any organization become more secure, productive, and flexible during these times of uncertainty.
Why is encryption such a pain for IT anyway?
Message encryption is as old as antiquity and it still forms the backdrop for basic computing today.
Back then, ciphers (encryption algorithms) were used to unlock hidden messages from a limited range of letter and key combinations. People could decode encrypted messages within a reasonable amount of time and attempts.
Fast forward to today and advanced computing has made it virtually impossible for thieves to crack into the raw data that is encoded on most computers and passes over the internet. A 256-bit encryption key—the standard for protecting most hardware and software—all but guarantees your data will remain safe and undecipherable if of course, your encryption software is properly executed.
Though encryption keys are full proof, enterprise tech teams encounter problems when they have to enable their encryption software.
Here’s what I mean.
Most digital encryption projects (individual file and folder encryption, volume encryption, or full-disk encryption) will inevitably require some input from end users. At a minimum, employees will need to define a single strong password but that might not be all they’ll have to do.
More often than not, IT will ask employees multiple times to assist with encrypting their own device.
There is plenty of powerful, built-in encryption software in market that can quickly secure a company’s work devices—Apple FileVault for Mac, BitLocker for Windows and even third party tools (like Veracrypt for Linux) can get the job done.
But in order for these programs to run, end users might have to manually reboot, trigger certain sessions and authorize new passwords—sometimes several times over.
In addition, tech support might even force a reboot on an employee device to help push the process along regardless of where that person is in their workday or what they are working on.
But why would IT ever do this?
In such a scenario, a forced reboot might be the least bad option available.
Many times the encryption software that IT runs has a “grace period” (i.e. 14 days) for users to finish their respective steps—failure to do so might mean the software could automatically disconnect an employee and continuously force a restart on their device—I saw this happen once to an end user where every 10 minutes his laptop would automatically restart!
Another possible messy scenario: any remote employee whose disk is not fully encrypted, might have to return to the office or ship their device back to IT to resolve the process or extend the user’s grace period.
Aside from these disruptions, employees rarely receive assurances either.
During the standard encryption project, end users won’t be able to answer questions like:
Will I be able to work once the encryption process has started?
Do I need to stay connected to my device while the encryption is in progress or can I leave?
Once my hard drive is fully encrypted, will I get a confirmation?
The reason being is that most* IT departments lack the type of communication and automation capabilities to effectively target employees by geography, work device, software type, and their unique digital experience.
It’s true that most* teams lack this hybrid functionality, but not all.
Acting swiftly and intelligently for 15,000 devices
Last month, a European security agency accomplished this very task. With the country soon to enter lockdown, their IT department needed to transfer 15,000 employees and their devices offsite in just 3 days.
"In a few days we deployed more encrypted laptops than in the last 5 years"
Their IT department had SCCM to help deploy and update their dormant encryption software, but they needed a plan first to guide employees through their multi-step encryption process.
In particular, the agency’s employees would have to: reboot their device, open a session with their profile so the dormant encryption software could activate, then after a few minutes reboot a second time, and finally define their unique encryption password.
Without Nexthink, their alternatives to enable this process were unhelpful to say the least:
- force a reboot on 15,000 work devices, which would most surely disrupt workers and tamper with their critical national security projects; or
- ask employees to trigger the first required reboot and hope they’d be able to figure out the rest of the process without giving up and phoning into the L1 help line.
Attacking the problem at both ends, the IT team used Nexthink to initiate powerful remote actions (Act) and send targeted messages (Engage) to employees to guide them through the process in record time.
By the third day, all 15,000 workers transferred offsite with fully encrypted laptops and without a single employee having to call into the IT department for help!
Endpoint protection at home or in the office
Like many of our customers, this particular IT department is using Nexthink’s critical services dashboards to now monitor their employees’ remote devices and ensure they continue to have the latest certificates for their VPN and collaboration tools, and that their firewalls, malware and user accounts are correctly installed and stable.
In an effort to plan a “work from anywhere” policy, the agency’s IT team will use Nexthink to conduct a full scan of their employees’ devices to ensure they have the latest antivirus protection and are safe enough to connect back to their internal network.
Nexthink is helping several enterprise tech teams solve their most demanding remote work problems. We’re here to advance the Digital Employee Experience, whether people work from home or the office.
Have questions? Contact Us
Interested in seeing how our Remote Worker Experience library pack works? Watch Our Demos