Technology Talk: That forgotten notebook holds plenty of secrets to enterprise access.

A laptop sits in my home office, issued by a client 14 months ago for a project that was "temporarily paused." I've received no request to return it. The device still has VPN access, saved credentials, and certificates that authenticate me to its internal network.
I'm one of numerous consultants that the client works with. If I wanted to, or if this laptop fell into the wrong hands, it would be a direct path into its infrastructure.
According to a Kensington study, 76% of IT decision-makers reported device theft in the past two years, 46% experienced a data breach as a direct result of stolen or unsecured devices, and 33% of thefts led to legal or regulatory consequences due to compromised data.
This isn't an isolated case. In fact, I have three laptops from different enterprise organizations. It's as though no one cares about these devices anymore.
The Pattern Across Organizations
As someone who conducts Salesforce audits and zero-trust maturity assessments, I've seen this problem everywhere. The common denominator across most organizations? Terrible asset inventory and management. They consistently fail the endpoint visibility portion of zero-trust assessments, which should be one of the easiest controls to implement.
The disconnect becomes even more obvious when I onboard organizations for managed detection and response services. The number of endpoints clients specify is rarely close to the actual number onboarded. In some cases, devices remain offline for extended periods, so we can't onboard them. When I investigate, I find out that these are contractor devices or laptops issued to former employees — devices that should have been retrieved months, if not years, ago.
Why This Matters
The security implications go beyond losing track of laptops. Each forgotten device represents multiple risk vectors: Asset management failure means you can't protect what you don't know exists. Insider threats become trivial when contractors have corporate devices with valid credentials at home. Lateral movement is easier when attackers compromise devices with authenticated network access and elevated privileges. Third-party risk multiplies when contractors' home networks — complete with compromised IoT devices — become your attack surface.
Supply chain security breaks down entirely when you have no visibility into where devices are or who has them.
From a compliance standpoint, this is a disaster. HIPAA and NIST SP 800-53 CM-8 require accurate inventories of information system components. When auditors ask, "Where are all your endpoints?" and you can't answer, that's a serious finding.
The financial waste is equally bad. Forgotten devices could be repurposed for new hires or decommissioned and donated. Instead, organizations pay for software licenses and management overhead for devices nobody's using. And when you can't account for all endpoints, your vulnerability scans are incomplete; you're patching known devices while forgotten ones sit exposed.
Why This Keeps Happening
Organizations need contractors for short-term projects. Remote work distributes employees globally. Projects get "paused" instead of formally ended. IT assumes contractors will return devices; business units assume IT is tracking the gear. The contractor moves on, and the laptop just stays. With remote work, there's no physical checkpoint like handing back a badge on your last day. The device fades into the background.
What Organizations Should Do
First, stop issuing corporate laptops to contractors. Enforce bring-your-own-device policies for all third-party work and provide access via virtual desktop infrastructure or cloud workspaces, such as Amazon WorkSpaces. This shifts the burden of device management back where it belongs and eliminates the "forgotten laptop" problem entirely. Contractors won't have to worry about damaged or stolen devices that aren't theirs, and organizations won't have endpoints scattered across the world.
For organizations that must issue devices, automation is key. Write a Python or PowerShell script that queries Active Directory, Intune, or endpoint logs for last logon or last check-in dates (LastLogonDate in Active Directory, lastSyncDateTime in Intune). Flag devices that are dormant for more than 45 days. Tools like Microsoft Intune or endpoint detection and response solutions like SentinelOne have this built in.
But don't just generate reports; when a device shows as dormant, investigate. Call the engagement manager. Press them to get it returned.
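As an added example (not the author's script and not any vendor's tool), here is a Python version of the dormancy check described above. It runs offline against a CSV export rather than querying Active Directory or Intune live; the column names device, owner, source and last_seen, the sample rows, and the "as of" date are all constructed for this example. It goes slightly beyond the text in two ways a practitioner wants: it correlates rows from several sources, so a device that last authenticated to AD months ago but checked in to EDR last week is not flagged, and it treats a device with no check-in recorded anywhere as dormant rather than silently skipping it. The report carries the owner so there is someone to call.

```python
"""Dormant-device report: flag corporate endpoints not seen for > 45 days.

Added example, not the author's script. It consumes a CSV export with the
assumed columns device,owner,source,last_seen (ISO-8601, blank = never
seen) so it runs offline; point a real AD/Intune/EDR export at the same
columns to use it for real.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

DORMANT_DAYS = 45

# Constructed sample export (not real data). LT-2210 appears once in lower
# case to show that names are normalised before correlation; LT-3377 has
# never checked in; LT-4500 is stale in AD but alive in EDR.
SAMPLE_EXPORT = """device,owner,source,last_seen
LT-1042,a.consultant,ad,2024-01-10T08:15:00Z
LT-1042,a.consultant,intune,2024-01-12T17:40:00Z
LT-2210,b.engineer,ad,2025-03-01T09:00:00Z
lt-2210,b.engineer,intune,2025-03-05T12:30:00Z
LT-3377,c.contractor,ad,
LT-4500,d.former,ad,2024-11-20T13:05:00Z
LT-4500,d.former,edr,2025-02-28T06:00:00Z
"""

# Assumed "as of" date for the sample; a real run would use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)


@dataclass(frozen=True)
class DormantDevice:
    device: str
    owner: str
    last_seen: Optional[datetime]   # None: no check-in recorded by any source
    days_dormant: Optional[int]     # None when last_seen is None
    sources: Tuple[str, ...]        # every source that reported the device


def parse_timestamp(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; blank means 'never seen'.

    Naive timestamps (no offset) are assumed to be UTC so that exports
    from different tools compare correctly.
    """
    value = value.strip()
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def find_dormant_devices(csv_text: str, now: datetime,
                         threshold_days: int = DORMANT_DAYS) -> List[DormantDevice]:
    """Return devices whose newest check-in across all sources is older than
    threshold_days, plus devices with no check-in recorded at all."""
    # Correlate rows: keep the newest timestamp seen for each device name.
    latest: Dict[str, Tuple[str, Optional[datetime], Set[str]]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["device"].strip().upper()        # AD names are case-insensitive
        seen = parse_timestamp(row["last_seen"])
        owner, best, sources = latest.get(name, (row["owner"].strip(), None, set()))
        sources.add(row["source"].strip().lower())
        if seen is not None and (best is None or seen > best):
            best = seen
        latest[name] = (owner, best, sources)

    cutoff = now - timedelta(days=threshold_days)
    dormant: List[DormantDevice] = []
    for name in sorted(latest):
        owner, seen, sources = latest[name]
        if seen is None:
            dormant.append(DormantDevice(name, owner, None, None, tuple(sorted(sources))))
        elif seen < cutoff:
            dormant.append(DormantDevice(name, owner, seen, (now - seen).days,
                                         tuple(sorted(sources))))
    return dormant


def render_report(dormant: List[DormantDevice]) -> List[str]:
    """One line per flagged device, owner included so someone can be called."""
    lines = []
    for d in dormant:
        age = "never checked in" if d.last_seen is None else f"{d.days_dormant} days"
        lines.append(f"{d.device:<10} {d.owner:<14} {age:<18} sources={','.join(d.sources)}")
    return lines


if __name__ == "__main__":
    for line in render_report(find_dormant_devices(SAMPLE_EXPORT, REFERENCE_NOW)):
        print(line)
```

To feed it real data, export LastLogonDate from Active Directory (Get-ADComputer -Filter * -Properties LastLogonDate) and lastSyncDateTime from Intune into the same columns, one row per device per source. One caveat on the threshold: the replicated AD attribute behind LastLogonDate (lastLogonTimestamp) is only refreshed when the stored value is more than 14 days old, so a 45-day window is safe but a 7-day window on AD data alone would produce false positives.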
Every organization should have an emergency response plan for stolen devices, and this should be part of contractor onboarding training. What happens if a laptop is stolen? Who gets notified? What's the timeline for remote wipe? These shouldn't be questions you’re figuring out after the fact.
The response plan also needs to cover rogue contractors. I've investigated proxy-employee cases in which contractors caught in laptop-farm schemes sell corporate laptops the moment they're discovered, especially in countries with no legal recourse. Your security operations center needs a playbook for this, and remote wipe must be enabled on every device.
The Zero-Trust Disconnect
Here's the irony: Organizations spend millions implementing zero-trust architectures while simultaneously losing track of hundreds of endpoints. Zero trust is built on the principle of "never trust, always verify." But verify what, exactly? If you don't know which devices exist, where they are, or who has them, you can't verify anything. You are not doing zero trust; you're doing zero visibility.
The forgotten endpoint problem isn't a sophisticated supply chain attack or a novel vulnerability. It's basic blocking and tackling that most organizations are failing. A simple quarterly audit, an automated script, or a policy change could eliminate this risk entirely.
But first you must acknowledge that those paused projects and unreturned laptops aren't someone else's problem. They are yours.