The Laptop That Took Down a Whole Firm

by James Cavenaugh

March 30, 2026

James Cavenaugh has spent over 20 years helping businesses untangle IT chaos and turn it into a strategic advantage as a business IT and cybersecurity consultant. As the founder of CSM Systems, he brings deep industry experience and a no-nonsense approach to solving complex problems. When your project is stuck or your IT isn’t working for you, James is the one who gets it moving.
In 2022, Uber’s entire internal network was compromised by an 18-year-old. Not through some exotic zero-day exploit. The attacker bought stolen credentials on the dark web, MFA-bombed an employee with push notifications until they accepted one, and then moved laterally through the network using a single compromised endpoint. One device. That’s all it took to get access to Uber’s internal systems, their Slack, their cloud dashboards, their vulnerability reports.

Uber has a security team. They have a budget. They have tools. And one endpoint with the wrong access still brought the whole thing down.

Now think about a 12-person CPA firm where half the attorneys bring their own laptops and nobody’s really sure what’s installed on any of them.

What “endpoint security” actually means

Most people hear “antivirus” and think they’re covered. Traditional antivirus works by comparing files against a list of known threats. If it’s seen the virus before, it catches it. If it hasn’t, it doesn’t. That approach stopped being sufficient about ten years ago.

Modern endpoint detection and response (EDR) works differently. It watches what programs actually do on the machine. If a legitimate-looking PDF viewer suddenly starts accessing the password database, EDR notices that behavior even if the file itself hasn’t been flagged by anyone yet. It’s watching actions, not just matching signatures.

The 2024 CrowdStrike Global Threat Report found that 75% of attacks are now malware-free, meaning they use stolen credentials, legitimate admin tools, and living-off-the-land techniques that traditional antivirus won’t catch at all. The attacker doesn’t drop a virus on the machine. They log in with a real username and password and use tools that are already installed.

That’s why the Uber attack worked. No malware was needed. The attacker had credentials and a device that let them move through the network.
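To make the signature-versus-behavior distinction concrete, here is a small added example (not code from the original post or from any real EDR product): a signature check that only knows file hashes, run side by side with two behavioral rules over a constructed stream of process events. The hash, process names, paths and rules are all constructed for illustration.

```python
"""Signature matching versus behavioral detection over constructed telemetry.
Added example; the hashes, events and rules are illustrative, not real product logic."""
from __future__ import annotations
from dataclasses import dataclass

# What traditional antivirus keys on: hashes of executables already known to be bad.
# Constructed placeholder value; a never-seen binary will simply not be in here.
KNOWN_BAD_HASHES = {"0123456789abcdef0123456789abcdef"}

# Constructed context for the behavioral rules: ordinary document viewers,
# path fragments that mark credential stores, and command interpreters.
DOC_VIEWERS = {"pdfviewer.exe", "winword.exe", "excel.exe"}
CRED_STORE_MARKERS = ("Login Data", "\\SAM", "lsass.exe")
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class Event:
    process: str    # image name of the process performing the action
    action: str     # "file_read", "process_create" or "network_connect"
    target: str     # file path, child process name or remote address
    file_hash: str  # hash of the acting process's executable


def signature_verdict(ev: Event) -> bool:
    """Signature AV: flags only if the acting executable is already known bad."""
    return ev.file_hash in KNOWN_BAD_HASHES


# Behavioral rules: a document viewer has no legitimate reason to read a
# credential store or to launch a shell, whatever its hash says.
RULES = [
    ("document viewer read a credential store",
     lambda ev: ev.process in DOC_VIEWERS and ev.action == "file_read"
     and any(m in ev.target for m in CRED_STORE_MARKERS)),
    ("document viewer spawned a shell",
     lambda ev: ev.process in DOC_VIEWERS and ev.action == "process_create"
     and ev.target in SHELLS),
]


def behavior_verdict(ev: Event) -> list[str]:
    """EDR-style check: names of every behavioral rule this single event trips."""
    return [name for name, rule in RULES if rule(ev)]


def triage(events: list[Event]) -> list[tuple[Event, bool, list[str]]]:
    """Run both checks over an event stream; returns (event, sig_hit, behavior_hits)."""
    return [(ev, signature_verdict(ev), behavior_verdict(ev)) for ev in events]


# Constructed sample telemetry: the same unknown PDF viewer doing normal work,
# then touching Chrome's password database, then launching PowerShell.
SAMPLE_EVENTS = [
    Event("pdfviewer.exe", "file_read", "C:\\Users\\jane\\Documents\\brief.pdf", "feedface"),
    Event("pdfviewer.exe", "file_read",
          "C:\\Users\\jane\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "feedface"),
    Event("pdfviewer.exe", "process_create", "powershell.exe", "feedface"),
]
```

Running `triage(SAMPLE_EVENTS)` shows the signature check staying silent on all three events while the behavioral rules fire on the second and third; the first event is benign under both.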

The personal laptop problem

This one comes up constantly with small firms. Someone buys a laptop at Best Buy, connects it to the firm’s Wi-Fi, logs into their email, and starts working. That laptop has no management software, no EDR, no disk encryption, and whatever their teenager installed last weekend. It’s connected to the same network as every client file the firm has.

The Verizon 2024 DBIR reports that endpoint compromise is the initial access vector in a significant percentage of breaches targeting small and mid-size businesses. And in most cases, the compromised device was either unmanaged or running outdated security software.

A managed endpoint means someone knows what’s on that device, can push security updates to it, can enforce disk encryption, and can see what it’s doing on the network. An unmanaged endpoint is a door you don’t know is open.

What actually needs to happen

Every device that touches firm data or connects to the firm network needs three things.

EDR software that watches behavior, not just known threats. Microsoft Defender for Business is decent and included in Microsoft 365 Business Premium. There are other good options. The point is it needs to be EDR, not just the antivirus that came pre-installed with Windows.

Device management that enforces security policies. Disk encryption turned on. Automatic updates enabled. Screen lock after five minutes. A way to remotely wipe the device if it’s lost or stolen. If an attorney leaves their laptop in an airport, and it will happen eventually, you need to be able to kill that device remotely before someone pulls client files off it.

Network segmentation so that one compromised device can’t reach everything. The guest Wi-Fi shouldn’t be on the same network as the file server. The paralegal’s laptop doesn’t need access to the accounting system. Every connection you don’t need is an attack path you’re leaving open for free.

None of this is complicated. None of it requires specialized hardware. It requires someone to set it up and maintain it. The alternative is hoping that every device that connects to your network is clean, updated, and not already compromised. That’s not a security strategy. That’s a wish.