Device theft and insider threats have always posed serious challenges for cybersecurity teams. With work-from-home and bring-your-own-device (BYOD) policies now commonplace, the risk of devices falling into the wrong hands has grown significantly. Recent events have only underscored these concerns.
On January 6th, laptops and iPads were stolen from the United States Capitol Building, including the laptop of Speaker of the House Nancy Pelosi. Then, on January 22nd, Tesla filed a lawsuit against a former employee, accusing that individual of stealing trade secrets by uploading several confidential files to his personal Dropbox account.
In both examples, attackers could exploit stolen data in numerous ways—extortion, ransomware, selling information to competitors, or even threatening national security.
This post discusses how enterprises can protect sensitive data when devices are compromised or insider threats are present.
Common Security Measures
Organizations typically rely on:
- Disk encryption
- Access controls for shared files
- Network security tools
- Endpoint protections
These are important, but they offer limited protection in certain scenarios:
- A stolen, unlocked device containing confidential files
- An insider intentionally exfiltrating documents
- Files already copied or synced to a personal device or cloud account
You may be thinking that we are about to propose some convoluted Digital Rights Management (DRM) solution or a client-side enforced access control, but we are not. The solution is actually available in the tools that many people use today, although one could argue it does fall under the umbrella of DRM (but it’s definitely not convoluted).
Even if you revoke a user’s access or disable their account, any files already on their device—or already sent externally—are compromised.
A better approach is ensuring each file protects itself, regardless of where it ends up.
Built-In Security
To truly defend against theft or insider misuse, the security must be applied directly to the file content, not the device.
This requires:
- Encrypting the file itself, not just the storage medium
- Allowing only authorized users to decrypt it
- Enforcing access policies even if the file moves between devices
While this may sound complex, modern tools already support it—and without creating a poor user experience. For adoption to succeed, the process must be seamless. Users should simply double-click a file and have it open automatically if they have permission. If not, the file remains unreadable ciphertext.
Several widely used platforms already support certificate-based encryption:
- PDF encryption (certificate mode)
- Windows Encrypting File System (EFS)
- Microsoft Sensitivity Labels / Information Protection
Using these features, enterprises can build a strong, scalable data protection framework.
Support for this is already mature: PDF files, the Windows Encrypting File System, and Microsoft's Sensitivity Labels all support encrypting content with public key cryptography. On that foundation an enterprise can build a robust data security platform that protects data even when devices are stolen or files have been copied elsewhere.
Those familiar with Garantir know that we are strong proponents of keeping the enterprise's private keys in a centrally managed HSM and providing proxied access, so the keys are used without ever being exported. With the keys centrally managed and controlled, advanced security controls can be placed on them and every usage can be audited. If a user should no longer be able to read certain files, you simply revoke their access to the relevant keys. Thanks to techniques like enveloped encryption and client-side hashing, this approach is highly performant and users won't notice any impact.
The Role of Centralized Key Management
At Garantir, we emphasize protecting private keys in centrally managed Hardware Security Modules (HSMs), with proxied access so keys are never exported to client devices.
When encryption keys are centrally controlled, you can:
- Enforce strict access policies
- Revoke user access instantly
- Apply multi-factor controls or approval workflows
- Audit every decryption request
- Trigger alerts for suspicious activity
Through techniques like enveloped encryption and client-side hashing, performance remains fast, and users experience no noticeable delay.
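The three requirements from the Built-In Security section (encrypt the file itself, let only authorized users decrypt it, enforce policy wherever the file travels) and the proxied, HSM-held key model in this section come together in enveloped encryption. The following Go program is an added illustration written for this article, not Garantir's or GaraTrust's code; an in-process `KeyProxy` stands in for the real HSM and proxy. Each file is sealed under its own AES-256-GCM data key, that data key is wrapped to an enterprise RSA key whose private half only the proxy holds, and every open is a policy-checked, audited unwrap request that revocation cuts off immediately. The key label `finance-docs`, the user names, the file name and the sample content are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// EnvelopedFile is a self-protecting file: content under a fresh per-file AES-256-GCM data key,
// with that data key wrapped (RSA-OAEP) to an enterprise key whose private half stays in the HSM.
type EnvelopedFile struct {
	Name, KeyID                   string // KeyID is a hypothetical label for the HSM-held key
	WrappedKey, Nonce, Ciphertext []byte
}

// KeyProxy stands in for the cryptographic proxy in front of the HSM: clients never see the
// private key, they submit a wrapped data key and, if policy allows, get it back unwrapped.
type KeyProxy struct {
	keys   map[string]*rsa.PrivateKey
	access map[string]map[string]bool // keyID -> user -> allowed
	Audit  []string                   // one line per unwrap request, allowed or denied
}

func NewKeyProxy() *KeyProxy { return &KeyProxy{keys: map[string]*rsa.PrivateKey{}, access: map[string]map[string]bool{}} }

// AddKey generates an enterprise key inside the "HSM" and hands out only its public half.
func (p *KeyProxy) AddKey(keyID string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	p.keys[keyID] = priv
	p.access[keyID] = map[string]bool{}
	return &priv.PublicKey, nil
}

// Grant and Revoke change who may unwrap with a key AddKey created; revocation bites on the next request.
func (p *KeyProxy) Grant(keyID, user string)  { p.access[keyID][user] = true }
func (p *KeyProxy) Revoke(keyID, user string) { delete(p.access[keyID], user) }

// Unwrap is the only operation that touches the private key; it is policy-checked and audited first.
func (p *KeyProxy) Unwrap(user, keyID, file string, wrapped []byte) ([]byte, error) {
	allowed := p.access[keyID][user]
	p.Audit = append(p.Audit, fmt.Sprintf("user=%s key=%s file=%s allowed=%t", user, keyID, file, allowed))
	priv, ok := p.keys[keyID]
	if !allowed || !ok {
		return nil, fmt.Errorf("unwrap denied: user=%s key=%s", user, keyID)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(keyID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects a file on the client using only the public key; the file name is bound as
// associated data, so a renamed copy fails to open.
func Seal(name, keyID string, pub *rsa.PublicKey, plaintext []byte) (*EnvelopedFile, error) {
	buf := make([]byte, 32+12) // fresh AES-256 data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &EnvelopedFile{Name: name, KeyID: keyID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open asks the proxy to unwrap the data key, then decrypts locally on the device.
func Open(p *KeyProxy, user string, f *EnvelopedFile) ([]byte, error) {
	dek, err := p.Unwrap(user, f.KeyID, f.Name, f.WrappedKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, []byte(f.Name))
}

func main() {
	proxy := NewKeyProxy()
	pub, _ := proxy.AddKey("finance-docs") // constructed key label
	proxy.Grant("finance-docs", "alice")
	doc, _ := Seal("q4-forecast.pdf", "finance-docs", pub, []byte("constructed sample: Q4 forecast"))
	pt, err := Open(proxy, "alice", doc)
	proxy.Revoke("finance-docs", "alice")
	_, denied := Open(proxy, "alice", doc)
	fmt.Printf("alice: %q %v\nafter revoke: %v\naudit: %q\n", pt, err, denied, proxy.Audit)
}
```

Run as-is: alice opens the file, is revoked, and the second attempt fails even though her copy of the file is unchanged; the audit slice records both requests. Because the file name is authenticated as associated data, a renamed copy does not open either. A real deployment would replace the in-process maps with the HSM's key handles and the enterprise identity store; PDF certificate mode and EFS perform the same wrap-a-data-key-to-a-public-key step in their own file formats.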
The examples below apply this approach to PDFs, Windows EFS, and Microsoft's sensitivity labels, showing how file-level encryption can extend across many file types and platforms.
The next example extends the same idea to other file types through the Windows Encrypting File System (EFS).
Microsoft's sensitivity labels extend the same concept to still more files and platforms: with them, this protection applies to many file types on Windows, macOS, iOS, and Android.
Economics of an Attack
No solution is perfect: an authorized user could still take screenshots or manually retype information. Even so, this approach dramatically increases the cost and difficulty of an attack.
Additionally, the cryptographic proxy server sees every decryption request, so it can detect:
- Unusual spikes in decryption requests
- Large numbers of files being accessed at once
- Access from unusual devices or locations
and flag them for early intervention.
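The following Go program is an added example, not code from this article or from GaraTrust, of how the proxy's audit log can surface the three signals just listed. `Detect` slides a per-user time window over constructed decrypt-request records and raises one alert per user for a request spike, one for bulk access to many distinct files, and one per unfamiliar device or location relative to a per-user baseline. The users, devices, locations, file names and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// DecryptEvent is one audit record as the cryptographic proxy would write it for every
// unwrap request; the field set is constructed for this example.
type DecryptEvent struct {
	At                           time.Time
	User, File, Device, Location string
}

// Baseline is what normal looks like for one user: the devices and locations their
// decrypt requests usually come from.
type Baseline struct {
	Devices, Locations map[string]bool
}

// Thresholds tune the two volume detections over a sliding time window.
type Thresholds struct {
	Window      time.Duration
	MaxRequests int // spike: more unwrap requests than this inside one window
	MaxFiles    int // bulk access: more distinct files than this inside one window
}

// Detect walks the audit log in time order and returns one alert per finding; each finding
// is raised once per user (device and location findings once per user and device/location).
func Detect(events []DecryptEvent, base map[string]Baseline, th Thresholds) []string {
	var alerts []string
	window := map[string][]DecryptEvent{} // per-user events still inside the window
	seen := map[string]bool{}             // dedupe key -> already alerted
	raise := func(key, msg string) {
		if !seen[key] {
			seen[key] = true
			alerts = append(alerts, msg)
		}
	}
	for _, e := range events {
		if b, known := base[e.User]; known {
			if !b.Devices[e.Device] {
				raise("dev|"+e.User+"|"+e.Device, fmt.Sprintf("%s: decrypt from unusual device %q", e.User, e.Device))
			}
			if !b.Locations[e.Location] {
				raise("loc|"+e.User+"|"+e.Location, fmt.Sprintf("%s: decrypt from unusual location %q", e.User, e.Location))
			}
		}
		w := append(window[e.User], e)
		for len(w) > 0 && e.At.Sub(w[0].At) > th.Window {
			w = w[1:] // drop events that have fallen out of the window
		}
		window[e.User] = w
		if len(w) > th.MaxRequests {
			raise("spike|"+e.User, fmt.Sprintf("%s: %d decrypt requests within %v", e.User, len(w), th.Window))
		}
		files := map[string]bool{}
		for _, x := range w {
			files[x.File] = true
		}
		if len(files) > th.MaxFiles {
			raise("bulk|"+e.User, fmt.Sprintf("%s: %d distinct files opened within %v", e.User, len(files), th.Window))
		}
	}
	return alerts
}

// SampleLog builds a constructed audit log: alice reads three files over an hour from her
// usual laptop at HQ; bob pulls 25 different files in two minutes from a device and a
// location never seen for him before.
func SampleLog() ([]DecryptEvent, map[string]Baseline) {
	t0 := time.Date(2021, 2, 1, 9, 0, 0, 0, time.UTC)
	var ev []DecryptEvent
	for i := 0; i < 3; i++ {
		ev = append(ev, DecryptEvent{t0.Add(time.Duration(i) * 20 * time.Minute), "alice", fmt.Sprintf("report-%d.pdf", i), "alice-laptop", "HQ"})
	}
	t1 := t0.Add(time.Hour)
	for i := 0; i < 25; i++ {
		ev = append(ev, DecryptEvent{t1.Add(time.Duration(i) * 5 * time.Second), "bob", fmt.Sprintf("design-%02d.docx", i), "personal-macbook", "remote"})
	}
	base := map[string]Baseline{
		"alice": {Devices: map[string]bool{"alice-laptop": true}, Locations: map[string]bool{"HQ": true}},
		"bob":   {Devices: map[string]bool{"bob-desktop": true}, Locations: map[string]bool{"HQ": true}},
	}
	return ev, base
}

func main() {
	ev, base := SampleLog()
	for _, a := range Detect(ev, base, Thresholds{Window: 5 * time.Minute, MaxRequests: 20, MaxFiles: 15}) {
		fmt.Println("ALERT", a)
	}
}
```

In the constructed log, alice's three reads over an hour raise nothing, while bob's 25 files in two minutes from a never-seen device and location raise four alerts. The thresholds are deliberately simple; in production they would be derived from each user's own history, and the baseline map would be fed from the identity provider and device inventory rather than literals.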
Enhance Your Data Protection Strategy with GaraTrust
If you’re exploring how to better protect confidential data from device theft or insider threats, GaraTrust can help. GaraTrust keeps private keys secured inside your enterprise HSMs or key managers and provides proxied, controlled, and auditable key access for decrypting sensitive files.

