As businesses continue to operate in increasingly complex and distributed environments, the risks associated with network intrusions and data breaches have grown exponentially. Endpoint security risks have become a major factor in company security. Advanced endpoint security solutions are essential for defending against sophisticated and persistent cyberattacks, such as Advanced Persistent Threats (APTs), which can covertly access, monitor activity, and steal sensitive data over extended periods. Here’s why endpoint security matters more than ever in a post-pandemic world.
What are endpoint security risks?
Endpoint security risks refer to the vulnerabilities and potential threats that target devices, or endpoints, connected to a network. Endpoints include any device that communicates with a network, such as laptops, smartphones, tablets, desktops, and servers. Because these devices often serve as entry points into a network, they are prime targets for cybercriminals.
How They Work:
- Targeting Vulnerabilities: Attackers exploit weaknesses in endpoint devices, such as outdated software, weak passwords, or misconfigured settings. These vulnerabilities can provide a pathway for unauthorized access or malware infections.
- Gaining Access: Once a vulnerability is exploited, attackers can gain access to the endpoint and, by extension, the network it connects to. This access can allow attackers to steal data, install malware, or gain control over the device.
- Spreading Laterally: After compromising one endpoint, attackers often use it as a launching pad to move laterally across the network, targeting other connected devices. This spread can quickly escalate, leading to widespread network compromise.
- Executing Threats: With control over an endpoint, attackers can execute various types of cyberattacks, such as ransomware, data exfiltration, or Distributed Denial of Service (DDoS) attacks, causing significant disruption to the organization.
Types of endpoint security risks
Phishing
A typical phishing email. Such messages can be characterized by a suspicious sender, grammatical errors, and a malicious link.
A typical phishing email. Such messages can be characterized by a suspicious sender, grammatical errors, and a malicious link.
The most popular and least sophisticated form of cyber threats, phishing, is the use of fake messages to gain access. The message ostensibly comes from a trustworthy entity (such as a bank or known company) to trick users into providing personal information or downloading malware. The information or malware is then used to gain access to the user’s system, and from there gain a foothold into the larger network that the user works for.
There have been massive phishing attacks throughout history, here are some examples:
- Phishing is responsible for the JPMorgan Chase breach that compromised 76 million households and 7 million businesses.
- 2014 Sony Pictures hack that saw private emails leaked, upcoming movies released to torrent sites, and cost the company over $100 million.
Device Loss
According to TrendMicro, over 40% of data breach incidents between 2005 and 2015 were caused by lost or stolen endpoint devices like laptops, tablets, smartphones, and other remote devices used by remote employees.
In 2012, a physician’s stolen laptop contained the personal information of over 3,600 patients. The Massachusetts Eye and Ear Infirmary where the doctor was affiliated ended up paying a $1.5 million fine for violating the HIPAA privacy rule.
Outdated Patches
One of the pains of modern life, constant patches for operating systems are a slight inconvenience but a necessary evil to keep up with evolving threats online. And yet many companies (even those on the Forbes 500) still neglect to hit the update button.
The most famous example is Equifax’s data breach in 2017. The credit reporting agency failed to patch a glaring vulnerability in one of its servers, which allowed hackers to steal the personal data of 148 million US consumers. The ensuing debacle ended in a $650 million FTC fine and a $77.5 million class-action settlement.
Malware Ads
Also known as malvertising, this scam uses legitimate-looking advertisements, and can propagate across reputable websites and social media before being taken down.
In recent years, sophisticated malware have appeared that don't require any user interaction at all. Such “pre-click” malware can be embedded in the main scripts of webpages, enabling them to run automatically even without being clicked by the user. Host victims include popular sites like The New York Times, the London Stock Exchange, and Spotify.
Drive-by Download
Similar to phishing, this method uses deception to trick users into clicking a link or downloading malware. Examples include fake system alerts, anti-virus notifications, or deceptive installation agreements different from the program the user intended to download.
Drive-by payloads can include Trojan backdoors like the RAT, keyloggers that record keystrokes, and ransomware like the 2016 Locky ransomware attack that took advantage of an auto-run vulnerability in Adobe Flash.
Data Loss and Theft
Data loss refers to sensitive data being irretrievably deleted. For an individual, this endpoint security risk can be devastating – years’ worth of personal photos, portfolio or correspondence. For an organization, this can be fatal: according to a University of Texas study, 94% of businesses that experience extensive data loss go belly up – 43% shut down immediately, while 51% close up within two years.
Data theft is even more insidious. This means that priceless corporate data, from customer databases to years of R&D, can end up on the dark web or in the hands of competitors.
The 2023 IBM Cost of Data Breach Study revealed that the global average cost of a data breach reached $4.45 million, marking a 15% increase over three years. This trend has particularly impacted the healthcare, financial, and pharmaceutical sectors.
Ransomware
Ransomware attacks continue to wreak havoc across industries, with education, finance, and healthcare among the most targeted. In 2024, the average ransom demand surged to $2.73 million, reflecting a dangerous upward trend. Education remains particularly vulnerable, with 79% of institutions hit by attacks. Meanwhile, finance and insurance sectors experienced a 64% increase in incidents, making them prime targets.
No organization is immune, and as ransomware attacks grow more sophisticated, businesses must prioritize cybersecurity to avoid crippling losses.
DDoS
A Distributed Denial of Service attack uses a flood of incoming traffic to overwhelm a website, server or network. It uses compromised devices to repeatedly access the target site and eventually disrupt its bandwidth, resulting in a denial of service to normal traffic.According to one research, DDoS attacks soared by 87% year-on-year in 2019, with 16 attempts being made every minute. Of all the attacks made last year, two-thirds were aimed at customer-facing enterprise systems.
Advanced Persistent Threats
APTs refer to groups that gain access to a network and remain undetected for a long period. As the name implies, they are distinct from typical hacker groups in three ways:
Advanced – They have access to a wide range of both commercial and non-commercial intrusion technologies, including advanced hardware and software available only to nation-state actors
Persistent – Rather than being short-term opportunists, APTs are content to lie dormant in compromised networks for months or years, similar to “sleeper cells”
Organized – Compared to informal groups, APTs are highly organized, disciplined and coordinated in their intrusion and execution
In the Marriott breach that we mentioned before, US government sources suspect that APTs affiliated with Chinese state agencies were behind the attack. Among the circumstantial pieces of evidence are
- code and methodology employed are similar to those use by state-sponsored Chinese hackers.
- of the compromised data was leaked or sold to the dark web, in contrast to amateur groups looking for financial gain.
- Marriott happens to be the top hotel provider for the US government.
Likewise, China was also implicated in the Equifax breach. Three years after the incident, a Justice Department investigation indicted four members of China's military for the attack that compromised the personal information of 148 million US citizens.
In both cases, the APT actors lived up to the word “persistent”; the Marriott intruders lay undetected in Starwood's network for four years, even before it was bought by Marriott. In Equifax, the intruders gained access in March, but only began acting in July after weeks of virtual reconnaissance and subtle queries to get a feel for the system. Both incidents also displayed organization: the stolen data was first compressed and broken into chunks, stealthily exfiltrated as part of background traffic, then deleted in an attempt to cover their tracks.
Unfortunately, the fact that state-sponsored actors may be behind the breach are of little consolation to the victims. Marriott still faces up to $123 million in GDPR fines, while Equifax had to shell out $700 million in penalties and consumer settlement.
Botnet Attacks
Much like a zombie outbreak, a botnet attack turns the infected device into a slave without the owner even being aware of it.
A botnet is any device that has been compromised and can be controlled by unauthorized people. They can be used to send spam, infect other devices, or carry out DDoS attacks as part of a botnet campaign. In effect, the device has become part of a “zombie army” without the owner being aware of it.
In the past botnets were limited to PCs. Today, thanks to the prevalence of IoT (Internet of Things), a wider range of wireless devices are vulnerable to botnet infection. These range from Android smartphones and tablets to smart TVs, CCTV cameras and even smart home appliances like Alexa-enabled lights and microwave ovens.
This endpoint security risk is a double pain because once infected, a portion of the device's processing power, energy and bandwidth goes to botnet attacks whenever it gets activated to take part in a botnet campaign.
Macro and Script Attacks
A macro attack uses a virus written in macro language, the kind used by word processors and spreadsheet apps. Hence, it's most commonly disguised as a Word or Excel document. What makes this endpoint security risk doubly insidious is its form; while most users would be cautious opening a .exe file, a .doc or .xls attachment is less likely to arouse suspicion, particularly if it looks like an office document or sales invoice.
On the other hand, a script attack comes from infected sites or browser-based apps. When a user views such a site or app, it executes a malicious command in the browser without the user's knowledge.
Both attacks are primarily used as vectors to gain access to the device. For example, the macro attack might be used to download malware automatically, while the script attack may be used to control the device's webcam, microphone, or steal session cookies (credentials that will allow them to spoof the user on other sites).
Endpoint security challenges in organizations
Amid the many ways endpoint security can be breached, there are four main factors that limit an organization’s ability to effectively address these risks with endpoint security solutions.
Challenge # 1: Human Behavior
The first is human behavior. Majority of the attack methods depend on human users unwittingly giving access to external actors, whether from falling prey to a phishing scam to neglecting a critical patch or downloading a malware app or macro attachment. Case in point: just a couple of weeks ago, Marriott disclosed yet another data breach affecting 5 million guests, after two employees were phished.
Challenge #2: Disjointed Security Solutions
Second is disjointed security solutions. While a workstation and office server may have all the necessary security software, most mobile endpoints like smartphones and personal laptops may not have the same safeguards. Although antivirus software is crucial for protecting individual devices from malware infections and unauthorized access, organizations need comprehensive endpoint security solutions that go beyond just antivirus software to safeguard critical data, meet compliance requirements, and pass audits. A survey of 588 IT security professionals employed in Global 200 companies found that 67% experienced a data breach in their organization caused by mobile endpoint devices.
Challenge #3: Limited Resources
Third is limited resources. Even if an organization identifies gaps in endpoint cyber security, it may not have the necessary resources to plug all the holes. For example, not all enterprise security platforms cover devices like Android smartphones and tablets, leaving a chink in its network armor.
Challenge #4: Endpoint Threats Evolution
The last one concerns evolving endpoint security threats. Each day brings a new virus, malicious code, SQL injection, or piece of malware on the web. Even old vulnerabilities like the ‘90s era macro virus can get recycled and updated for the new generation of Office 365. Meanwhile, it takes companies over six months on average to even become aware of a data breach (in Marriott's case, it took 4 years!)
How to protect your organization
Get Informed
The first step to safeguarding your information is to get informed. Just by reading this article you're already halfway there. The other half is getting information about your business endpoints. More specifically, endpoints at the organization-, people-, and device-level.
- Organization – What type of IT setup do you have (Own server, co-located data center, etc)?
- People – What kind of setup did they have before the pandemic (Office, remote, field, co-working space)?
- Tools – What types of business software is used for communication, project monitoring / collaboration, accounting, etc? Consider adding an IT Asset Inventory tool to your repertoire to provide essential insight into your full IT stack.
Get Organized
Once you have the necessary information, it's time to do something about it and get organized.
- Organization-level: What are the endpoint security risks that need to be addressed on the network side?
- People-level: Group people according to working environment (office vs home / remote), device source and type (personal vs. company provided, PC vs mobile), and even OS (Windows, Mac, iOS, etc.)
- Tools: List down the apps and business programs most commonly used by everyone, including specialized apps used by specific departments (ex. Adobe for the creative team)
- Create necessary security policies:
- BYOD
- Data Security
- Remote Security
- Device Loan
Get Help
Finally, with all endpoints identified and organized, get help.
- Organization – What network security platform best fits your specific IT setup? What hardware / software / updates may have been overlooked?
- People – Assuming that the office-based and company device-provided group have the requisite security software, focus on the remote group using their own mobile devices and personal PCs. What security solution best fits the myriad gadgets and OS platforms?
- Tools – Does your current enterprise software cover all your business apps? If not, which ones are vulnerable to intrusion and require additional protection or replacement?