Security recommendations

By following the simple steps described here, you can mitigate risks and keep your company's data secure and protected at all times.

To operate SafeGuard Enterprise in a certification-compliant mode, see the SafeGuard Enterprise Manual for certification-compliant operation.

Avoid sleep mode

On SafeGuard Enterprise protected endpoints, encryption keys might be accessible to attackers in certain sleep modes where the endpoint's operating system is not shut down properly and background processes are not terminated. Protection is enhanced when the operating system is always shut down or hibernated properly.

Train users accordingly or consider centrally disabling sleep mode on endpoints that are unattended or not in use:

Implement a strong password policy

Implement a strong password policy and force password changes at regular intervals, particularly for endpoint logon.

Passwords should not be shared with anyone or written down.

Train users to choose strong passwords. A strong password follows these rules:

Do not disable SafeGuard Power-on Authentication

SafeGuard Power-on Authentication provides additional logon protection on the endpoint. With SafeGuard Full Disk Encryption, it is installed and enabled by default. For full protection, do not disable it. For more information, see Sophos knowledgebase article 110282.

Protect against code injection

Code injection, for example DLL pre-loading attacks, might be possible when an attacker is able to place malicious code, for example executables, in directories that the SafeGuard Enterprise encryption software may search for legitimate code. To mitigate this threat:
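
One way to check endpoints for the exposure described above is to audit the search-path directories for write access by non-administrative accounts. The script below is an added example, not part of the Sophos documentation; it assumes the machine-wide PATH is the search path of interest, and `$extraDirs` and `Get-WritableSearchDir` are hypothetical names introduced here.

```powershell
# Added example. Assumption: the machine-wide PATH is the search path to audit.
# The product's install folder is not named on the page; add it to $extraDirs.
$extraDirs = @()   # placeholder, e.g. '<encryption software install folder>'

# Principals expected to hold write access to system directories.
$trustedSids = @(
    'S-1-5-18',       # LocalSystem
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal add content to the directory or take over its ACL,
# plus the raw GENERIC_ALL / GENERIC_WRITE bits that some ACEs carry.
$plantMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership'
$plantMask = $plantMask -bor 0x10000000 -bor 0x40000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritableSearchDir {
    param([string[]]$Directory)
    foreach ($dir in ($Directory | Where-Object { $_ } | Select-Object -Unique)) {
        $path = [Environment]::ExpandEnvironmentVariables($dir.Trim('"'))
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            # A listed but missing directory can be created by whoever can write to its parent.
            [pscustomobject]@{ Directory = $path; Principal = '-'; Rights = 'MISSING: check parent ACL' }
            continue
        }
        $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, not to the folder itself.
            if (([int]$r.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($trustedSids -contains $r.IdentityReference.Value) { continue }
            if (([int]$r.FileSystemRights -band $plantMask) -eq 0) { continue }
            # Show a readable account name when the SID resolves, else the SID.
            $name = $r.IdentityReference.Value
            try { $name = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ Directory = $path; Principal = $name; Rights = $r.FileSystemRights }
        }
    }
}

$searchPath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
Get-WritableSearchDir -Directory (@($searchPath) + $extraDirs) | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so every ACL can be read; an empty result means no listed directory grants these rights to an account outside the trusted list.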

Encryption best practices