best practices for endpoint security

Endpoints are always the entry point for data breaches. Given the impact a breach can have on your organization, applying best practices for endpoint security is of paramount importance. The risks to your organization are growing higher every year. According to the Identity Theft Resource Center (ITRC), the number of data breaches grew by 17% in 2021 versus 2020 with 1,291 breaches through the first three quarters of the year.

And the average cost of a data breach is escalating as well. Based on research from IBM and the Ponemon Institute, the average cost of a data breach reached $4.24 million USD in 2021, the highest it has been in the last 17 years. They also found that the average cost was $1.07 million USD higher in breaches where remote work was a factor in causing the breach, which shows just how vulnerable endpoints can be to cybersecurity threats with our current remote and hybrid working models in place.

The importance of endpoint security

Organizations are facing many endpoint security challenges as every device connected to your business could be a possible attack vector. Therefore, identifying and safeguarding every device that accesses your network, regardless of where they are is critical.

best practices for Endpoint security: defining what an endpoint is

Employees are no longer relying on just their desktop PCs at the office. The explosion of remote work in the last few years has increased the use of laptops, iPads, iPhones, smartwatches, you name it, to access essential company information 24 hours a day, seven days a week – hopefully encrypted – from wherever and whenever they want to work. It’s also not confined to user devices. Printers, fax machines, point-of-sale systems, and an ever-growing list of Internet of Things (IoT) devices now accessing your network are all examples of endpoints and possible areas of entry for bad actors. That’s where policies and processes come in to play. Here is a list of best practices for endpoint security your organization can implement to increase protection.

Applying best practices for endpoint security

The good news is that safeguarding your endpoints with a well-thought-out strategy isn’t difficult. A lot of it boils down to some essential IT practices. The idea is to automate as much as possible to stay ahead of it. Below are seven fundamental best practices for endpoint security every organization should follow.

1.    Educate your users

Proper endpoint security starts with educating the users of the endpoints that access your network and data. You can make your IT and endpoint environment as safe and strong as possible, but if a user reads an email and clicks on an attachment they shouldn’t have opened and clicked, it can create an opening in your perimeter for hackers to attack your company.

Making sure your organization provides security and compliance training to your users and confirming that they finish it successfully on a regular basis is a critical but partial answer. Another action the IT or security staff should do is send out alerts to users whenever a questionable email is circulated, with advice on how to properly delete or quarantine it.

2.    Find and track all devices that connect to your network

Regardless of platform, operating system, or location, you must be aware of and able to track and monitor every device that connects to your network. This includes company-owned computers, printers, and IoT devices, as well as laptops, tablets, and phones used by your employees as part of your BYOD program.

Go beyond making sure that unauthorized individuals do not gain access to any of these devices and also determine what is not meant to be accessing your network, such as who has more access permissions than they require, and which devices have become infected. Even if you don’t have a unified endpoint management system in place and are forced to manage several, disparate management systems, this degree of visibility and control is critical to guaranteeing the security of your endpoints.

3.    Install and maintain the latest operating systems, security software and patches

After gaining visibility into every device connecting to your network, now you need to identify the endpoints that require updates and patches made to the operating systems, applications, and security software they have installed or need to have installed.

Having the most up-to-date security software installed on all your devices will aid in the blocking and removal of malware from your endpoints. In addition to the security software, the makers of the operating systems and apps your company relies on regularly invest a pretty penny to patch vulnerabilities in their software, but those updates and patches are only effective if your endpoints are kept up-to-date on a regular basis.

4.    Employ a zero trust security approach to user privileges

A zero trust security approach to user privileges aims to prohibit unauthorized users from accessing sensitive data and from spreading malware that could infect it. As referenced above, this approach is proven to be effective for significantly lowering the cost of a data breach at organizations with a mature zero trust approach.

Administrators must keep track of which systems the users access from their endpoints and whether the access rights granted to each user are acceptable for their role. Users should only have access to business systems and data that they require to perform their duties. Users should have least-privilege access to the systems they need by default, with administrator privileges reserved for specialized users.

5.    Regulate USB port access

Unattended workstation USB ports, as well as devices such as printers, cameras, and external drives, could be used to steal company data or introduce malware into the network. Administrators should use a least-privilege strategy to granularly limit who has access to which USB ports and where in order to prevent malware, avoid data theft, and maintain your zero trust security standards.

6.    Discover and fix vulnerabilities

You must identify software versions, settings, or device configurations that may expose your system to vulnerabilities. Conduct frequent IT security audits by scanning all Windows, Mac, and Linux systems with the Open Vulnerability Assessment Language (OVAL). This will enable you to identify and fix vulnerabilities in your environment as well as systems that do not adhere to your security and configuration policies.

7.    Rapidly remediate missing and infected devices

Track and monitor your traditional and mobile devices at all times. Remotely lock, wipe, or factory reset a mobile device or its password if it goes missing to prevent company data from being accessed, corrupted, or stolen. If you believe an endpoint has been infected with malware, reimage the device immediately using a gold master image.

 best practices for endpoint security


The risks and costs of data breaches are rising, and endpoints are frequently the entry point for these attacks. Having a fundamentally sound approach to endpoint security is essential to protecting your organization from cybercriminals and it can be implemented by following the seven best practices for endpoint security outlined above.

About the Author

Ken Galvin

Ken Galvin is the Director of Marketing for the KACE Unified Endpoint Management and Data Protection solutions of Quest Software’s Information Systems Management business. He has been with KACE for eight of his sixteen years at Quest where he previously managed Product Management for other products related to datacenter and endpoint management. Ken lives with his wife in Virginia 1.5 hours west of Washington, DC where they raised their four adult children.

Related Articles