2019 Endpoint Security Trends


2019 Endpoint Security Trends Report

New data security threats revealed from global study of six million devices

Table of Contents

INTRODUCTION
KEY INSIGHTS
SECURITY SPENDING VERSUS MATURITY
TOP ENDPOINT SECURITY RISKS
KEY FINDING: ENDPOINT COMPLEXITY IS DRIVING RISK
KEY FINDING: ENDPOINT CONTROLS DEGRADE OVER TIME
KEY FINDING: FAILED AGENTS PROLONG SECURITY EXPOSURES
UNLOCK VALUE FROM EXISTING INVESTMENTS
CONCLUSION
RESEARCH METHODS

2019 ENDPOINT SECURITY TRENDS REPORT | 2


Introduction

Today’s security technology landscape is overcrowded with tools and technologies built to combat endpoint risk. At the same time, security budgets at many organizations are increasing rapidly, propelled by the mandate to protect data and devices. In fact, 24 percent of the overall security spend is allocated to endpoint security tools. And by 2020, the projected total for global IT security spend is $128 billion [1]. Yet, over 70 percent of breaches still originate on the endpoint [2]. Why?

Industry analysts Forrester [3] and Gartner [4] have warned about the dangers of equating IT security spending with security and risk maturity. As organizations attempt to make the endpoint more resilient by buying more security tools, they are creating endpoint complexity. With an average of 10 security agents on each device and over 5,000 common vulnerabilities and exposures (CVEs) found on the top 20 client applications in 2018 alone [5], the endpoint has never been more fragile.

This report outlines the findings from extensive primary research analyzing more than six million enterprise
devices over a one-year period. Our analysis led to a stunning discovery: much of endpoint security spend is
voided because tools and agents fail, reliably and predictably.

Studying millions of devices, agents, and apps uncovered some startling truths:
• 42 percent of all endpoints are unprotected at any given time;
• Two percent of endpoint agents fail per week; meaning,
• 100 percent of endpoint security tools eventually fail — no tool is immune.

The clear conclusion is that increasing security spending does not increase safety. In fact, every additional
security tool only increases the probability of failure and decay. The data in this report provides evidence that
merely investing in more endpoint security tools is ineffective, and a new approach is needed. To secure the
endpoint, the security tools already in place must be made resilient.

[1] Morgan Stanley. 2016. Cybersecurity: Rethinking Security.
[2] IDC. 2016.
[3] Pollard, J. 2018. Justify Security Budget By Its Impact On Maturity. Forrester.
[4] Moore, S. Gartner Says Many Organizations Falsely Equate IT Security Spending With Maturity. Gartner.
[5] MITRE.ORG



Key Insights

Endpoint Complexity is Driving Risk
• 10: Security agents per device*
• 70%: Breaches originating at the endpoint§
• 35%: Breaches caused by existing vulnerabilities†
• 5000+: Common Vulnerabilities and Exposures (CVEs) on the top 20 client applications each year**

Last Known State: Anti-Malware Agent*
• 28%: Endpoints unprotected at any given point in a year
• = 21%: Endpoints with outdated antivirus/anti-malware
• + 7%: Endpoints missing protection

Rates of Failure: Encryption Agent Health*
• 13%: Endpoints requiring at least one repair event within 30 days
• 75%: Repaired agents requiring at least two repair events within 30 days
• 50%: Repaired agents requiring over 20 repair events within 30 days
• 5%: Repaired agents requiring over 100 repair events within 30 days

Sources: * Absolute; ** MITRE; § IDC; † Forrester



Rates of Failure: Client/Patch Management Agent Health*
• 19%: Endpoints requiring at least one repair within 30 days
• 75%: Repaired agents requiring at least two repairs within 30 days
• 50%: Repaired agents requiring over three repairs within 30 days
• 5%: Repaired agents requiring over 80 repairs within 30 days

Encryption Decay Rates*
• 100%: Endpoints that experienced failed encryption agents within one year
• 42%: Endpoints with encryption failures at any given point
• 12 days: Encryption median time-to-failure
• 6h: Fastest rate for encryption to fail

It is pointless to invest in new technologies if the basic measures – visibility, control, and resilience – are not operating effectively first.



Security Spending Versus Maturity

As organizations continue to increase spending on data and device security, the research in this report shows that much of that spend is in vain.

As a result, IT leaders are actually seeing a negative return on investment. In a recent report, Forrester summed up the situation by stating, “The next crisis for security leaders has arrived, and it’s a crisis of accountability…a new kind of accountability, with leadership asking them [security leaders] to show how their investments create value for the organization.” [8]

The bottom line is that without visibility into their endpoint security posture, organizations are at a loss as to how to ensure agents, applications, and controls will continue functioning and delivering value as intended.

Security Spending Trends
• $128B: Global IT security spend by 2020
• 24%: Endpoint security spend (of overall) [7]
• 100%: Endpoint protection tools fail eventually - no tool is immune

Top Endpoint Security Risks

With 70 percent of breaches originating on the endpoint, it is the number one target for attacks [9]. Traditional endpoint security solutions exist to keep devices secure. The three most common traditional security tools are: encryption, endpoint protection (AV/AM/EDR), and client and patch management tools.

Encryption software protects data, endpoint protection protects against cyber threats, and client and patch management ensures applications are patched and safe from vulnerabilities.

The false sense of security they provide may be the greatest source of organizational risk.

KEY FINDING 1: Endpoint Complexity is Driving Risk

The research found that devices can have 10 or more endpoint security agents installed — including encryption, AV/AM, and client/patch management options. The vast number of tools introduces virtually unlimited combinations, making it all but impossible to properly test. This leaves enterprises to validate them in live deployments where they all eventually break.

[7] Gartner. IT Key Metrics Data 2019: Key IT Security Measures.
[8] Forrester. Pollard, J. 2018. Justify Security Budget By Its Impact On Maturity.
[9] Forrester. Heidi Shey and Enza Iannopollo. The State of Data Security and Privacy: 2018 to 2019.



Ensuring that AV/AM is up-to-date is essential to endpoint resilience. However, the data shows that despite the urgency of IT and security teams — at any given point — 28 percent of endpoints are unprotected: 21 percent had outdated AV/AM and seven percent were missing altogether.

“To understand your security posture, you need to know: Are your endpoints operating as expected? Do they have the right protections in place?”
– Fortune 500 security executive

Furthermore, of the devices with AV/AM installed, more than one agent designed to perform the same service was present on the majority of devices (1.2 AV/AM agents per endpoint). This adds complexity by increasing the likelihood that agents will conflict and decay, as a result of collision when competing for device services and resources.

Last Known State: Anti-Malware Agent
• 21%: Amount of endpoints with outdated anti-malware/antivirus
• + 7%: Amount of endpoints missing protection
• = 28%: Amount of endpoints unprotected

In addition to AV/AM proliferation, endpoints are swelling with risk-generating agents colliding with one another. While the total number of agents per device (10) is substantial, nine of those agents came from five technology categories:
• Encryption
• Unified Endpoint Management (UEM)
• Endpoint Detection and Response (EDR)
• Endpoint Protection Platform (EPP/AV/AM)
• Virtual Private Network (VPN)



KEY FINDING 2: Endpoint Controls Degrade Over Time

Encryption is the staple security tool most often taken for granted. While it can certainly provide protection, it is not a “set it and forget it” solution — quite the contrary. Whether disabled by users or through malfunction, encryption is regularly broken, disabled, misconfigured, or missing entirely. In fact, at any given point in time, over 42 percent of endpoints experienced encryption failures.

However, the near half-time spent unencrypted is only part of the story. The study found that data protections are voided when chronically fragile encryption agents fail. What’s more, encryption failures occur reliably and predictably — two percent of encryption agents failed every week. While half of all encryption failures occurred within two weeks, the rate of decay is constant: eight percent failure per 30 days.

FDE Decay Rate FY ‘18 - Running Difference
$y = -1 \times 10^{-8}\,\text{days}^3 + 8 \times 10^{-6}\,\text{days}^2 - 0.0027\,\text{days} + 0.5368$, $R^2 = 0.9984$
[Figure: % of Total Devices Still Encrypted (0% to 100%) plotted against # of Days (0 to 363).]
Cumulative decay, encryption: 365 days
Rate of decay, encryption: 8%/month
$a = \frac{v - v_0}{t}$, where $a$ = Acceleration, $v$ = Ending Velocity, $v_0$ = Initial Velocity, $t$ = Time

100% of devices experienced an encryption failure within one year.

In fact, regardless of industry, 100 percent of devices experienced encryption failures within one year. On average, the median time-to-failure for encryption across all devices is just 12 days, but our data reveals that it can happen as quickly as within six hours.

Digging deeper, we also found that 13 percent of endpoints required at least one encryption agent repair event within 30 days. Of those, 75 percent reported at least two repair events and 50 percent reported more than 20 repair events. Chronically ill devices reported as many as 100 repair events every month due to endpoint complexity.

Even more concerning, encryption recovery times are lengthy — meaning the window of vulnerability (WOV) is large. The average WOV for unencrypted devices is 12 days, but 30 percent of devices remain unencrypted for more than 60 days.

KEY FINDING 3: Failed Agents Prolong Security Exposures

Client management and patching tools break reliably and predictably. 19 percent of endpoints require at least one client/patch management repair monthly. So, just when they are needed most, one out of five of these agents fails.

In addition to the failure rates, patch and client management agents are often repeat offenders. Of those patching agents requiring repair, 75 percent reported at least two repair events and 50 percent reported three or more repair events. Additionally, five percent could be considered to be chronically ill, with 80 or more repair events in the same one-month period.

Part of our analysis examined the most common endpoint applications — classifying and sub-classifying families of applications to see how vulnerabilities arise.



Every six days there is at least one vulnerability published for the top application publishers.

5000+: CVEs discovered on the top 20 client applications [6] each year

The 20 most common client applications published over 5,000 vulnerabilities in 2018. If every device had only the top ten applications (half), that could result in as many as 55 vulnerabilities per device just from those top ten apps. This includes browsers, OSs, and publishing tools.

Client patch management agents fail at double the rate encryption agents do. However, once failed, an encryption agent reported seven times more repair events than client management agents.

Unlocking Value from Existing Investments

The critical endpoint security solutions we rely on are flawed. They are extremely fragile, degrade quickly, and create unnecessary friction for users. The study found an average of 10 distinct agents layered onto most of the devices. With this number, it’s inevitable that agents will collide, be disabled by users, or go unpatched. These blind spots hinder the visibility of IT and security leaders and leave endpoints — and the organizations to which they belong — increasingly vulnerable over time.

It is clear that there is no shortage of security controls. The real problem organizations face is in ensuring that these controls remain in place and are functioning at all times. It is pointless to invest more money into exciting new technologies (such as blockchain, artificial intelligence, and machine learning) if the basic measures – visibility, control, and resilience – are not operating effectively first.

The data has shown how well-functioning controls fail. These failures occur without anyone — threat actors, negligent users, and bots — intending for failure to happen. Additionally, it shows how endpoint complexity amplifies this natural propensity for device security to degrade over time.



“For all of our managed assets, when there’s a vulnerability of any sort, with Absolute, we will know right away where all our assets are and what versions they’re running so we can push the patches out.”
– Fortune 500 security executive

IT and security leaders must create an environment which fosters a path to:
1. Understanding what’s happening on their organization’s devices (Visibility);
2. Responding to suspicious events to enable the reduction of security degradation (Control); and
3. Empowering the applications to persist and automate their restoration when incidents occur (Resilience).

Forrester recently suggested that any security investment should be measured based on maturity [10]. Improving maturity requires coordination, scaling, and optimization of a security program’s components. To move the needle, it is necessary to activate the fundamental security controls on devices to gain a persistent connection to each endpoint in a fleet.

This provides visibility and control to unlock value from existing investments. The basic tools in most enterprise security portfolios are more than capable of protecting devices, data, users, and apps — as long as they are working.

According to Forrester’s “Justify Security Budget By Its Impact on Maturity”, security leaders spend too much time measuring their performance based on uncontrollable external factors — threat actors, tool sets, and motivations. Measuring maturity, instead, focuses on components that can be controlled and for which success can truly be defined.

Conclusion

Threats are becoming more sophisticated and breaches increasingly common, causing anxiety within organizations. This fear amplifies a pervasive willingness to purchase more endpoint protection solutions. Endpoint security spend is greater than ever. And yet, the endpoint is “patient zero” in the vast majority of recent breaches, proving that simply spending more on security tools isn’t enough. While the answer may be decreasing complexity on the endpoint, many of those tools are needed.

In addition, the number of combinations of security controls from a variety of vendors makes it impossible to test pre-deployment by enterprises.

[10] Forrester. Pollard, J. 2018. Justify Security Budget By Its Impact On Maturity.



Endpoints still require patches, encryption and other protections, and those controls must be resilient themselves. This resilience can only be made possible through persistence — that is, maintaining a constant, unbreakable connection to data and devices that identifies and remediates security issues as they arise.

Over 12,000 organizations today are taking advantage of Absolute’s Persistence®, a patented technology that delivers this visibility, control, and resilience across all devices, apps, agents, and users by orchestrating each cyber resilience indicator with precision. They have in their arsenal an intelligence service that allows a clear view into critical details about their endpoint population.

They are reducing their overall security costs by monitoring how their endpoint controls work (or don’t) to reduce endpoint security decay. They validate safeguards and eliminate compliance failures. And they are responding to threats and exposures with the confidence to control devices from anywhere. Absolute is a trusted companion on the journey toward endpoint resilience, persistence, and intelligence. Learn how Absolute helps to end the ceaseless technology spend and ensure that all endpoints are secure and persistent.


About Absolute
Absolute empowers more than 12,000 customers worldwide to protect devices, data, applications, and users against
theft or attack—both on and off the corporate network. With the industry’s only tamper proof endpoint visibility and control
solution, Absolute allows IT organizations to enforce asset management, endpoint security, and data compliance for
today’s remote digital workforces. Absolute’s patented Persistence® technology is embedded in the firmware of Dell, HP,
Lenovo, and other leading manufacturers’ devices for vendor-agnostic coverage, tamper-proof resilience, and ease of
deployment. See how it works at absolute.com and follow us at @absolutecorp.


© 2020 Absolute Software Corporation. All rights reserved. Absolute, the Absolute logo, and Persistence® are trademarks of Absolute Software Corporation. Other names or logos mentioned
herein may be the trademarks of their respective owners. For patent information, visit absolute.com/patents. ABT-2019-Endpoint-Security-Trends-Report-021120
Research Methods
This report outlines the results from a one-year study conducted by Absolute’s security research team. Data was gathered
from over one billion change events on over six million devices.
The devices represent data from 12,000 anonymized organizations across North America and Europe. Each device had
Absolute’s endpoint visibility and control platform activated.
Researchers applied an Endpoint Resiliency Index to the sample to establish a baseline and monitored the results over a
12-month period. The Endpoint Resiliency Index applies the method used by the World Economic Forum’s Environmental
Performance Index to track the overall direction of key variables of quality. [11]

Endpoint Resiliency Index Model

EHI (Total): Endpoint Hygiene Index (EHI)
Objectives: Data Security; Device Resilience

Security posture and cyber hygiene indicators:
• Data Residency: Sensitive Data Exposure
• Metadata Groups: Consumer PII Components; Financial Transaction Data (e.g. purchasing cards); Government Issued ID (e.g. passport records); Corporate Data Assets (e.g. intellectual property)
• Data Dispersion: Localized Storage; Cloud Application Storage
• Concealment: Full Disk Encryption
• Protective Technology: Anti-virus, Anti-malware; Device/OS Firewall
• Preventative Entry: Blacklist/Whitelist Applications, Services; Geographical Restriction (Geofencing)
• Secure Configuration: Admin & Guest Account; Indexing Encrypted Files; Audit/Security Logs; Strong Key Session; Application Policy
• Identity & Authentication: Password Policy; Least Privilege, Strong Authentication

To provide further context to the quantitative data, we commissioned a third-party research organization to conduct
in-depth, exploratory interviews with senior executives from Fortune 500 organizations. We also conducted secondary
research of recent studies by industry analysts.
Global Endpoint Risk Research
• One billion change events
• Six million devices
• 12,000 organizations (anonymized)
• One-year benchmark study
• Five Fortune 500 executive interviews

Anonymized organizational and device data points analyzed:


• Industry
• Organization size
• Quantity of active/inactive security agents
• Quantity of active/inactive apps
• Quantity of active/inactive controls
• Recovery time of failed agents/apps/controls
• Operating system

[11] World Economic Forum. 2018 Environmental Performance Index.
