COMMENTARY
A laptop sits in my home office, issued by a client 14 months ago for a project that was "temporarily paused." I've received no request to return it.
The device still has VPN access, saved credentials, and certificates that authenticate me to their internal network. I'm one of the numerous consultants they work with. If I wanted to, or if this laptop fell into the wrong hands, it would be a direct path into their infrastructure.
According to a Kensington study, 76% of IT decision-makers reported device theft in the past two years, 46% experienced a data breach as a direct result of stolen or unsecured devices, and a third of thefts led to legal or regulatory consequences due to compromised data.
This isn't an isolated case. I currently have three laptops from different enterprise organizations sitting in my home office. It's as though no one even thinks about these devices anymore.
The Pattern Across Organizations
As someone who conducts Salesforce audits and zero-trust maturity assessments, I've seen this problem everywhere. The common denominator across most organizations? Terrible asset inventory and management. They consistently fail the endpoint visibility portion of zero-trust assessments, which should be one of the easiest controls to implement.
The disconnect becomes even more obvious when I onboard organizations for managed detection and response services. The number of endpoints clients specify is rarely close to the actual number onboarded. In some cases, devices remain offline for extended periods, so we can't onboard them. When I investigate, I find that these are contractor devices or laptops issued to former employees: devices that should have been retrieved months, if not years, ago.
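The gap between "endpoints the client says it has" and "endpoints actually reporting" is something you can measure rather than argue about. The script below is an added example, not code from the original article or from any MDR vendor: it reconciles a constructed asset inventory (hostnames, owner type, HR status, all invented) against constructed agent last-check-in times, and flags the four failure modes described above: devices that never onboarded, devices whose agent has gone silent past a threshold, devices reporting that the inventory doesn't know about, and devices still assigned to an offboarded owner.

```python
"""Reconcile an asset inventory against endpoint-agent check-ins.

All data below is constructed for illustration; hostnames, owners and
timestamps are assumptions, not taken from any real environment.
"""
from datetime import datetime, timezone

# Constructed inventory: what the organization believes it has issued.
INVENTORY = [
    {"hostname": "LT-0412", "owner": "jdoe", "owner_type": "employee", "status": "active"},
    {"hostname": "LT-0587", "owner": "consultant-a", "owner_type": "contractor", "status": "active"},
    {"hostname": "LT-0601", "owner": "msmith", "owner_type": "employee", "status": "terminated"},
    {"hostname": "LT-0733", "owner": "consultant-b", "owner_type": "contractor", "status": "active"},
]

# Constructed agent telemetry: last check-in per hostname as an MDR/EDR console would report it.
AGENT_LAST_SEEN = {
    "LT-0412": "2024-06-01T09:12:00Z",
    "LT-0587": "2023-04-20T17:40:00Z",  # silent for over a year: the "paused project" laptop
    "LT-0733": "2024-05-30T08:00:00Z",
    "LT-0899": "2024-06-01T10:00:00Z",  # reporting, but nobody recorded issuing it
}

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 6, 2, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used above into aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(inventory, last_seen, now=NOW, stale_days=30):
    """Compare inventory to agent telemetry and return the gaps.

    Returns a dict with sorted lists so results are deterministic:
      never_onboarded       - in inventory, no agent has ever checked in
      stale                 - (host, days_silent, owner_type) past the threshold
      unknown_to_inventory  - agent reporting but hostname not in inventory
      terminated_owner      - device still assigned to an offboarded person
      specified / reporting - headline counts: what the client claims vs. what is healthy
    """
    inv = {d["hostname"]: d for d in inventory}
    never_onboarded, stale, terminated_owner, healthy = [], [], [], []

    for host, record in inv.items():
        if record["status"] == "terminated":
            terminated_owner.append(host)
        if host not in last_seen:
            never_onboarded.append(host)
            continue
        days_silent = (now - parse_ts(last_seen[host])).days
        if days_silent > stale_days:
            stale.append((host, days_silent, record["owner_type"]))
        else:
            healthy.append(host)

    unknown = [host for host in last_seen if host not in inv]

    return {
        "never_onboarded": sorted(never_onboarded),
        "stale": sorted(stale),
        "unknown_to_inventory": sorted(unknown),
        "terminated_owner": sorted(terminated_owner),
        "specified": len(inv),
        "reporting": len(healthy),
    }


if __name__ == "__main__":
    result = reconcile(INVENTORY, AGENT_LAST_SEEN)
    print(f"specified: {result['specified']}, healthy and reporting: {result['reporting']}")
    for key in ("never_onboarded", "stale", "unknown_to_inventory", "terminated_owner"):
        print(f"{key}: {result[key]}")
```

Run against real exports, the two headline numbers are the ones to put in front of the client: the inventory count they quoted during scoping and the count of agents that have actually checked in within the window. The per-host lists are the retrieval work queue, and the `owner_type` field on stale entries is there so contractor devices can be chased through the vendor-management contact rather than HR.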
Why This Matters