
According to Verizon’s 2025 Data Breach Investigations Report, more than two-thirds of breaches involve endpoints. Some eye-catching endpoint security statistics include:
- About 88 percent of reported breaches involving endpoints involved the use of stolen credentials.
- Thirty percent of compromised systems in infostealer logs were enterprise-licensed devices.
The most concerning statistic relates to the effectiveness of traditional endpoint protection: 66 percent of malware infections occur on devices with antivirus or endpoint security solutions installed.
How should MSPs protect endpoints?
SmarterMSP.com reached out to some endpoint experts to see what managed service providers (MSPs) can do to protect endpoints at scale.
AJ Thompson, Chief Commercial Officer at UK-based MSP Northdoor, notes that endpoints have become prime targets for cybercriminals. With the dramatic rise in hybrid working, the traditional security perimeter has effectively dissolved.
“Each endpoint now represents a potential entry point, and we’re seeing threat actors actively exploiting this expanded attack surface,” Thompson states. When it comes to implementing endpoint protection at scale, Northdoor has found success in focusing on three key areas:
- Visibility is non-negotiable. “You simply can’t protect what you can’t see. Modern endpoint solutions must deploy lightweight, tamper-proof agents across all device types that maintain visibility even when operating outside corporate networks.”
- Legacy security approaches relying on signatures are inadequate against today’s sophisticated threats. “The most effective solutions now employ AI-driven detection that monitors behavioral patterns rather than matching known signatures. Our clients have seen up to 80 percent reduction in false positives with these approaches, freeing security teams from constant alert fatigue.”
- Response capabilities must operate at machine speed. “With ransomware attacks constituting over a third of all cybersecurity incidents, organizations can’t afford manual response processes.”
Thompson explains that MSPs are increasingly working as strategic partners. The CISO establishes the security vision and requirements aligned with business objectives, while MSPs provide the specialized expertise and operational capabilities to execute at scale. “This partnership approach allows organizations to maintain robust security postures without building extensive in-house security operations.”
Why smart automation is essential for endpoint security
Cam Roberson, Vice President at Beachhead Solutions, agrees that endpoints are especially vulnerable.
“The sheer scale of today’s device fleets (laptops, phones, and even the still-too-often-unprotected USB drive!) makes manual response strategies increasingly obsolete,” Roberson says. And that means for MSPs, the way to secure endpoints at scale is through intelligent automation. “MSPs or security teams must be able to predefine responses to suspicious behavior like consecutive invalid login attempts, policy violations (like geofence anomalies), or environmental risk signals, and then trust the system to act in real-time,” he states, adding that response might mean denying access, or quarantining data, or something else. Still, at least you have a ready-to-go response.
Roberson notes that without this kind of automation to handle endpoint threats at scale, response times lag, and exposures grow.
“Smart, automated endpoint response doesn’t just reduce risk. It’s the only sustainable way to deliver always-on protection across thousands of devices, especially in our increasingly mobile and distributed work environments. It’s also how MSPs can keep pace with the speed and sophistication of today’s adversaries,” Roberson concludes.
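The predefined-response model Roberson describes can be sketched as a small stateful policy engine. This is an added example, not code from Beachhead Solutions or the original post; the event schema, device names, threshold, geofence values, and action names are all assumptions chosen for illustration.

```python
from math import asin, cos, radians, sin, sqrt

MAX_FAILED_LOGINS = 3                  # assumed threshold
GEOFENCE = (51.5074, -0.1278, 50.0)    # assumed centre (lat, lon) and radius in km

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

class ResponseEngine:
    """Maps endpoint telemetry to predefined actions, keeping per-device state."""

    def __init__(self):
        self.failed_streak = {}        # device -> consecutive invalid logins
        self.quarantined = set()       # devices locked until an admin clears them

    def handle(self, event):
        dev = event["device"]
        if dev in self.quarantined:
            return "deny_access"       # a later valid login does not unlock the device
        if event["type"] == "login":
            streak = 0 if event["ok"] else self.failed_streak.get(dev, 0) + 1
            self.failed_streak[dev] = streak
            if streak >= MAX_FAILED_LOGINS:
                self.quarantined.add(dev)
                return "quarantine_data"
        elif event["type"] == "location":
            lat, lon, radius = GEOFENCE
            if km_between(lat, lon, event["lat"], event["lon"]) > radius:
                return "deny_access"
        return "allow"

# Constructed sample telemetry (hypothetical device names and event schema).
SAMPLE_EVENTS = (
    [{"device": "lt-01", "type": "login", "ok": ok}
     for ok in (False, True, False, False, False, True)]
    + [{"device": "lt-02", "type": "location", "lat": 51.52, "lon": -0.10},
       {"device": "lt-02", "type": "location", "lat": 48.8566, "lon": 2.3522}]
)

def run(events):
    """Replay events through a fresh engine and return the action for each."""
    engine = ResponseEngine()
    return [engine.handle(e) for e in events]

if __name__ == "__main__":
    for event, action in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(event["device"], event["type"], "->", action)
```

The successful login in the middle of the sample resets the streak, so only three failures in a row trigger quarantine, and the quarantined device stays blocked even when the next login is valid.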
Fast, decisive response is key in modern endpoint defense
Aristide Bouix is an independent cybersecurity consultant who led the onboarding of a 1,000-laptop macOS fleet using Apple’s embedded secure element to enroll devices into Okta Trust Identity.
“It was a clean and secure setup until, of course, the endpoint is either compromised or physically stolen,” Bouix shares, adding that he has seen both. From a late patch that let a trojan escape a browser sandbox to a laptop lost at a party and reported missing only 24 hours later with a weak local password still in place, Bouix has seen all aspects of endpoint weakness.
“And it’s not just user devices. Servers, especially in cloud environments, are also vulnerable. They often carry embedded cloud credentials, which means that any endpoint-style compromise (say, via a Server Side Request Forgery [SSRF] on an exposed, unpatched web app) can turn into a full-blown cloud escalation,” Bouix remarks, adding that he has seen Drupal servers get popped before the CVE even dropped, simply because patch cycles lag. Some frameworks are more brittle than others.
This is where endpoint detection and response (EDR) really earns its keep. Bouix concludes with how it’s not just about prevention anymore but rather about a fast and decisive response. “Whether it’s stopping a Trojan in a developer laptop or isolating a compromised server before it laterals into cloud permissions, endpoint visibility is foundational.”
Scalable security starts at the endpoint
Endpoints are a top target for attackers, and protecting them requires more than just traditional antivirus. As the experts in this blog explain, MSPs need to prioritize visibility, automation, and fast response to stay ahead. Whether it is detecting unusual behavior, isolating a compromised device, or preventing lateral movement in a cloud environment, smart and scalable strategies make all the difference. With the right approach, MSPs can deliver strong and reliable endpoint protection for every client.
This post originally appeared on Smarter MSP.