Most security conversations start at the wrong end. They focus on sophisticated attacks, novel exploits, the stuff that makes headlines. The reality is more boring and more useful: Microsoft has found that somewhere between 80 and 90% of successful ransomware attacks come from unmanaged devices.
Not zero-days. Not nation-state tooling. Devices nobody was watching.
What "unmanaged" actually means
An unmanaged device is any machine touching your systems that your security policies do not reach. The contractor's personal laptop. The employee who set up a new machine themselves and never enrolled it. The device that was supposed to get configured but slipped through during a busy onboarding week. The laptop of someone who left, still holding cached credentials.
Each one is a door you did not know was open. And the data backs this up beyond ransomware: the majority of breaches trace back to endpoint devices, and a large share of compromised corporate credentials turn up on unmanaged machines.
Why AI made this worse, not different
The interesting shift is not in the entry point. It is in the volume and speed of attempts.
AI has lowered the cost of running attacks. Phishing campaigns that used to take effort now scale trivially, and credential-theft attacks have spiked sharply. Two out of three managed service providers report being hit by an AI-driven threat in the past year. The attacker's job got easier and cheaper.
That changes the defensive math. When attempts are rare, an unmanaged device is a gamble that often pays off. When attempts are constant and cheap, every unmanaged device is a matter of when, not if.
The fix is not more tools. It is fewer gaps.
The instinct is to buy another security product. Usually that is not the problem. The problem is coverage. A great EDR agent protects nothing on the laptop it was never installed on.
The companies that handle this well share one trait: there is no moment where a device is in use but unmanaged. Security is not a step someone remembers to do after the laptop arrives. It is baked into the device before the employee ever powers it on.
That means:
- Every device ships enrolled. MDM and EDR configured at the source, not as a follow-up task. The machine is compliant on first boot.
- No self-provisioning. People do not set up their own access to company systems on machines IT never saw.
- Offboarding closes the door. When someone leaves, access is revoked and the device is retrieved and wiped, not left floating with live credentials.
Security by default, not by reminder
The hardest part of endpoint security is not the technology. It is consistency at scale, across countries, during fast hiring, when everyone is busy. That is precisely when devices slip through unmanaged, and precisely when attackers are counting on it.
Delivering devices with MDM and EDR already in place removes a large share of the usual risk vectors before the employee starts working. It does not make you invincible. It does close the door that 80 to 90% of ransomware walks through.
The most secure device is the one that was never unmanaged in the first place. Build it that way from day zero, and most of this problem disappears quietly. Which is the point.