Choice Cybersecurity has added a data discovery, encryption, and loss prevention solution from Actifile to its lineup of risk assessment, security, and compliance offerings for managed service providers.
The system, which has been available since earlier this year, arms MSPs with important capabilities for finding and protecting personally identifiable information (PII) at a time when regulations like HIPAA, GDPR, and the California Consumer Privacy Act (CCPA) are imposing increasingly strict data privacy requirements, according to Choice Cybersecurity CEO Steve Rutkovitz.
“They have to have really clear visibility not only into the firewalls, and PCs, and servers, and vulnerabilities like we’ve been working on very hard to do, but now you really have to understand what’s inside the data,” he says.
Actifile’s software eases that task, Rutkovitz continues, by automatically cataloging not only data at rest in storage systems, which Choice could already do for its customers, but also data in motion to and from endpoints.
“This is really game changing because now we know what’s leaking out of the company,” says Rutkovitz, who adds that the Actifile system regularly finds data in so-called “shadow IT” deployments that business owners aren’t aware of. “They didn’t even know people are using Gmail, because they [think they] only have OneDrive,” he says.
The Actifile solution’s discovery functionality produces an exact count of records containing PII as well. “One of the problems that I find when I talk to companies is they don’t know how many records they have,” says Rutkovitz, who notes that HIPAA and other regulations include requirements that apply only to breaches exceeding a specific quantity of files.
“All the fines are based on number of breached records,” he says. “Unless you know the number of records that potentially could be breached, you really can’t protect your customer.”
Once the Actifile system has inventoried all of an end user’s records, it estimates the potential financial impact of a breach. “It can tell you that you have a $30 million liability, you have a $300 million liability, whatever it is,” Rutkovitz says.
Significantly, the solution then safeguards PII-bearing records, including those in the cloud, by applying AES-256 encryption to them. Users can enable or disable that functionality with a single click, notes Rutkovitz. Actifile’s software encrypts individual files rather than entire drives, he adds, which means that regulated data remains inaccessible to unauthorized viewers no matter where it goes.
Additional features in the Actifile solution include a multi-tenant administration interface and the ability to enforce customized data loss prevention policies. “We can block files, we can alert on files, and we can also report on file transfers in and out of the organization,” Rutkovitz says. Users can employ the system in conjunction with incident response efforts after successful breaches as well.
“We have audit logs, so we can see exactly what files either came in or left, and we can see if they were encrypted or not encrypted,” Rutkovitz says. Organizations can use that information to prove to auditors or investigators that exfiltrated data falls under the “safe harbor” provisions in most privacy regulations, which spare companies from having to issue an embarrassing public breach notification when stolen records are encrypted.
Actifile’s software automatically finds and encrypts data as it’s created over time, so MSPs can use the system to earn both one-time revenue from data discovery engagements and recurring revenue from ongoing data protection. “This is really encryption as a service,” says Rutkovitz, who adds that approximately 90% of end users agree to pay monthly fees for ongoing encryption and management after completing the initial discovery process.
Choice, which has exclusive distribution rights to the Actifile system for managed service providers in the U.S., charges $7 per user per month for the product. According to Rutkovitz, MSPs typically earn up to a 50% margin on the solution.
“It’s pretty much set and forget, but it’s a very sticky product because as long as that data is encrypted, the customer’s going to stay with you forever,” he says.
Actifile’s software is designed to address issues that pose a challenge even for cybersecurity specialists like Choice. For starters, businesses have too much data in too many places for anyone to keep track of manually. “It’s peppered all over,” Rutkovitz says, including in the cloud. Securing that data item by item is such a time-consuming ordeal, furthermore, that few Choice clients took the time to protect exposed records before the Actifile system’s one-click encryption became available.
“I could show people the problem, but very few people really did anything about it,” Rutkovitz says.
Actifile’s platform is the latest addition to a set of services from Choice designed to augment the skills of MSPs without in-depth security expertise. The company’s original and still flagship offerings are risk assessments that help businesses identify missing patches, weak passwords, exposed ports, misconfigured Active Directory settings, and other vulnerabilities.
According to Rutkovitz, Actifile is presently finalizing discovery and encryption software for Apple Macs. A mobile app is in development as well.