Managed Endpoints: Under Whose Control?
Corporate security teams are generally confident in their ability to control managed employee endpoints (desktops and laptops). They’re more concerned with their lack of control over the ones that go unmanaged, which include BYOD, contractor laptops and home computers used for remote access. These can be infected with malware and then introduce unknown risks to the corporate network.
However, we’ve found that not all managed corporate endpoints are easily controlled and protected against malware infections. A large customer of IBM Security recently revealed that its employees’ corporate-issued laptops are 10 times more infected with malware than its employees’ desktops.
We believe the primary reason for this higher infection rate is that laptops roam in and out of the corporate network. Unlike desktops, which stay on the corporate network at all times, laptops are used from a variety of locations (home, coffee shops, airports, hotels, etc.).
When laptops leave the corporate network, they are no longer protected by network perimeter controls or network-based malware-detection solutions. By intermittently connecting to the corporate network, these so-called managed devices actually become “quasi-managed.” Using laptops on public, insecure networks significantly increases exposure to malware. And as these “traveling laptops” are left with fewer defenses, they become far more vulnerable to advanced targeted attacks, heightening their infection rates.
Further, laptops aren’t visible to the security team when roaming outside of the corporate network, so corporate security is unaware of infections when they occur and cannot remediate them.
In Malware Territory
Ultimately, the most significant danger is that infected laptops can introduce malware to the entire corporation when they reconnect to the corporate network. Security teams need to reevaluate the controls used to protect managed laptops that roam outside of the corporate network and out of their control. The risk these laptops introduce can be significant if they’re infected with advanced malware that targets user login credentials, sensitive business information (including emails and documents) and unfettered access to the corporate network.