Managed Endpoints: Under Whose Control?

Corporate security teams are generally confident in their ability to control managed employee endpoints (desktops and laptops). They’re more concerned with their lack of control over the ones that go unmanaged, which include BYOD, contractor laptops and home computers used for remote access. These can be infected with malware and then introduce unknown risks to the corporate network.

However, we’ve found that not all managed corporate endpoints are easily controlled and protected against malware infections. A large customer of IBM Security recently revealed that its employees’ corporate-issued laptops are 10 times more infected with malware than its employees’ desktops.

Traveling Endpoints

We believe the primary reason for this higher infection rate is that laptops roam in and out of the corporate network. Unlike desktops, which stay on the corporate network at all times, laptops are used from a variety of locations (home, coffee shops, airports, hotels, etc.).

When laptops leave the corporate network, they are no longer protected by network perimeter controls or network-based malware-detection solutions. By intermittently connecting to the corporate network, these so-called managed devices actually become “quasi-managed.” Using laptops on public, insecure networks significantly increases exposure to malware. And as these “traveling laptops” are left with fewer defenses, they become far more vulnerable to advanced targeted attacks, heightening their infection rates.

Further, laptops aren’t visible to the security team when roaming outside of the corporate network, so corporate security is unaware of infections when they occur and cannot remediate them.

In Malware Territory

Ultimately, the most significant danger is that infected laptops can introduce malware to the entire corporation when they reconnect to the corporate network. Security teams need to reevaluate the controls used to protect managed laptops that roam outside of the corporate network and out of their control. The risk these laptops introduce can be significant if they’re infected with advanced malware focused on user login credentials, sensitive business information (including emails and documents) and unfettered access to the corporate network.

George Tubin

Sr. Security Strategist

George Tubin is the Senior Security Strategist for Trusteer, an IBM company, where he heads the thought leadership program to advance online and mobile banking security and adoption, and advise enterprises on best practices for protecting corporate assets from targeted attacks. With over 25 years in the banking and high-technology industries, his areas of expertise include consumer online and mobile banking, online fraud and identity theft prevention, and enterprise fraud management strategies.