Analysis

Dormant Corporate Devices: The Overlooked Endpoint Security Crisis

April 11, 2026 09:40 · 7 min read

A Laptop Sitting in a Home Office — and a Direct Path to Corporate Infrastructure

Consider this scenario: a laptop issued by a client organization 14 months ago for a project that was described as "temporarily paused" still sits in a consultant's home office. No one has asked for it back. The device retains active VPN access, saved credentials, and certificates that authenticate the holder directly to the client's internal network. As Abib Oyebamiji, a cybersecurity consultant with New Era Technology, points out, that kind of unchecked access isn't a hypothetical — it's his current reality. And he isn't alone: he personally holds three laptops from different enterprise organizations.

The exposure this creates is difficult to overstate. According to a Kensington study, 76% of IT decision-makers reported device theft in the past two years, 46% experienced a data breach as a direct result of stolen or unsecured devices, and 33% of thefts led to legal or regulatory consequences due to compromised data. A single unrecovered device sitting on an attacker's desk — or a contractor's kitchen table — can serve as a ready-made entry point into enterprise infrastructure.

A Pattern That Repeats Across Organizations

For professionals conducting Salesforce audits and zero-trust maturity assessments across multiple industries, this problem appears with striking regularity. The common thread is almost always the same: poor asset inventory and management practices. Organizations consistently underperform on the endpoint visibility portion of zero-trust assessments — which Oyebamiji notes should be among the easiest controls to implement.

The disconnect becomes stark during managed detection and response (MDR) onboarding. The number of endpoints a client claims to have rarely matches the number that can actually be onboarded. Some devices remain offline for extended periods and cannot be reached. When these cases are investigated, the explanation is almost always the same: the devices belong to contractors or former employees and should have been recovered months or even years earlier.

Why Forgotten Devices Are More Than an Administrative Problem

The risk profile of a forgotten device extends well beyond the inconvenience of a misplaced asset. Each unaccounted endpoint introduces several compounding threat vectors: it still carries working credentials, certificates, and VPN access into the internal network; it sits outside patching and vulnerability scanning, so known weaknesses stay open; and it can be lost, stolen, or sold without anyone at the issuing organization noticing.

The compliance ramifications are equally serious. HIPAA's device and media controls and NIST SP 800-53 control CM-8 (System Component Inventory) both require organizations to maintain an accurate, current inventory of their system components. When auditors ask where all endpoints are and an organization cannot answer, that constitutes a significant finding.

There is also a financial dimension that often goes unexamined. Unreturned devices could be repurposed for incoming hires or responsibly decommissioned and donated. Instead, organizations keep paying for software licenses and management overhead on devices nobody is actively using. And because an offline device is invisible to vulnerability scanners and patch management, it goes unpatched, sitting exposed while the known endpoints receive security updates.

How Devices Get Forgotten in the First Place

The mechanics of the problem are not complicated, which makes its persistence all the more frustrating. Organizations bring in contractors for short-term projects. Remote work scatters employees across geographies. Projects get labeled as "paused" rather than formally closed. IT assumes contractors will return devices; business units assume IT is tracking them. The contractor moves on, and the device quietly disappears from any active oversight.

Remote work removes the natural physical checkpoint that once caught these cases. In an office environment, returning a badge on your last day was a visible, enforced ritual. That ritual has no equivalent for a laptop sitting in a spare room hundreds of miles away. Without a deliberate process to fill that gap, devices simply fade into the background.

Practical Steps Organizations Should Take Now

Eliminate the Problem at the Source

The most effective solution is to stop issuing corporate laptops to contractors altogether. Enforcing bring-your-own-device (BYOD) policies for all third-party work, and providing access through virtual desktop infrastructure or cloud workspaces such as Amazon WorkSpaces, shifts device management responsibility back to the contractor and eliminates the forgotten-laptop problem structurally. A contractor has no liability for damage to or theft of a device that isn't theirs; under BYOD the device is their own, and the organization is no longer responsible for endpoints scattered across the world.

Automate Dormancy Detection

For organizations that must issue devices, automation is the next line of defense. A Python or PowerShell script that queries Active Directory, Microsoft Intune, or endpoint logs for last logon dates can flag devices that have been dormant for more than 45 days. Tools like Intune and endpoint detection and response platforms such as SentinelOne have this functionality built in. Critically, generating reports is not enough — when a device surfaces as dormant, someone must investigate. That means contacting the engagement manager and pressing them to get the device physically returned.
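As an added example (not code from the article or from New Era Technology), the Python script below implements the dormancy check just described against an exported device inventory rather than a live directory, so it runs offline: the record layout, the device names and owners, the timestamps, and the fixed reference time are all constructed for illustration. It merges Active Directory and Intune observations per device, keeps the most recent one, and flags every still-enabled device that has been silent for more than 45 days or has never been seen at all.

```python
"""Flag issued devices that have gone silent for more than 45 days.

Added example, not code from the article. It works on an exported device
inventory instead of querying Active Directory or Intune live, so everything
below runs offline; the field names, devices, owners and timestamps are
constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=45)

# Fixed reference time so the sample is reproducible (constructed: it matches
# the article's date). In production use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2026, 4, 11, 9, 40, tzinfo=timezone.utc)

# Constructed sample export: one row per (source, device) observation, e.g. an
# AD lastLogonTimestamp or an Intune lastSyncDateTime normalised to ISO-8601 UTC.
# last_seen=None means that source has never recorded a logon or sync.
SAMPLE_RECORDS = [
    {"source": "ad",     "device": "LT-0421", "owner": "contractor-a",      "last_seen": "2026-04-09T14:22:00Z", "enabled": True},
    {"source": "intune", "device": "LT-0421", "owner": "contractor-a",      "last_seen": "2026-04-10T08:01:00Z", "enabled": True},
    {"source": "ad",     "device": "LT-0388", "owner": "contractor-b",      "last_seen": "2025-01-30T11:05:00Z", "enabled": True},
    {"source": "intune", "device": "LT-0388", "owner": "contractor-b",      "last_seen": "2025-02-02T17:45:00Z", "enabled": True},
    {"source": "ad",     "device": "LT-0512", "owner": "former-employee-c", "last_seen": None,                   "enabled": True},
    {"source": "ad",     "device": "LT-0200", "owner": "it-spare",          "last_seen": "2025-11-01T09:00:00Z", "enabled": False},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp ('...Z' or explicit offset) to aware UTC; None stays None."""
    if value is None:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:  # never mix naive and aware datetimes in the comparison below
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def merge_records(records):
    """Collapse per-source rows into one entry per device.

    A device counts as seen at the most recent timestamp reported by ANY source:
    an endpoint that stopped syncing with MDM but still authenticates to AD is
    active (and still holds access), not dormant.
    """
    devices = {}
    for rec in records:
        entry = devices.setdefault(
            rec["device"], {"owner": rec["owner"], "enabled": False, "last_seen": None, "sources": []}
        )
        entry["sources"].append(rec["source"])
        entry["enabled"] = entry["enabled"] or rec["enabled"]
        seen = parse_ts(rec["last_seen"])
        if seen is not None and (entry["last_seen"] is None or seen > entry["last_seen"]):
            entry["last_seen"] = seen
    return devices


def find_dormant(records, now, threshold=DORMANT_AFTER, include_disabled=False):
    """Return findings for devices silent longer than `threshold` or never seen.

    `now` must be timezone-aware. Disabled devices are skipped by default: they
    are still missing hardware, but they no longer hold working credentials,
    and working credentials are what this report is about.
    """
    findings = []
    for name, entry in merge_records(records).items():
        if not entry["enabled"] and not include_disabled:
            continue
        base = {"device": name, "owner": entry["owner"], "sources": entry["sources"]}
        if entry["last_seen"] is None:
            findings.append({**base, "days_dormant": None, "reason": "never-seen"})
        elif now - entry["last_seen"] > threshold:
            findings.append({**base, "days_dormant": (now - entry["last_seen"]).days, "reason": "dormant"})
    # Never-seen devices first (no telemetry to reason about), then longest silence first.
    findings.sort(key=lambda f: (f["days_dormant"] is not None, -(f["days_dormant"] or 0)))
    return findings


def render_report(findings):
    """Plain-text table, one line per finding, for the engagement manager."""
    lines = [f"{'device':<10}{'owner':<20}{'silent (days)':<15}reason"]
    for f in findings:
        days = "n/a" if f["days_dormant"] is None else str(f["days_dormant"])
        lines.append(f"{f['device']:<10}{f['owner']:<20}{days:<15}{f['reason']}")
    return lines


if __name__ == "__main__":
    for line in render_report(find_dormant(SAMPLE_RECORDS, REFERENCE_NOW)):
        print(line)
```

Two caveats when wiring this to a real directory. Active Directory's lastLogonTimestamp is only written back (and replicated) when the stored value is more than roughly 9 to 14 days old, so a 45-day threshold on that attribute actually tolerates up to about two months of silence; treat the reported figure as a floor, not an exact count. And `include_disabled=True` gives the fuller asset-recovery list, since a disabled account does nothing about a laptop that is still physically in someone's spare room.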

Build and Enforce an Emergency Response Plan

Every organization should have a documented emergency response plan covering stolen or missing devices, and that plan should be part of contractor onboarding training. Key questions — who gets notified, what the remote wipe timeline is, what data classification applies — should be answered before a device goes missing, not after.

The plan must also account for rogue contractors. Cases involving proxy-employee schemes have surfaced in which contractors caught in laptop-farm arrangements sell corporate devices the moment they are exposed, particularly in jurisdictions where legal recourse is limited. Security operations centers need a formal playbook for this scenario, and remote wipe capability must be enabled on every issued device without exception.

The Zero-Trust Paradox

There is a deep irony embedded in this problem. Organizations invest millions of dollars implementing zero-trust architectures — frameworks built on the principle of "never trust, always verify" — while simultaneously losing track of hundreds of endpoints. Zero trust requires knowing what devices exist, where they are, and who holds them. Without that knowledge, there is nothing to verify. As Oyebamiji puts it plainly: if you do not know which devices exist, you are not doing zero trust — you are doing zero visibility.

The forgotten endpoint problem does not require a sophisticated nation-state actor or a novel vulnerability chain to exploit. It requires only that someone recognize the access a dormant device provides and act on it. A quarterly audit, an automated dormancy script, or a policy shift away from issuing contractor laptops would close off most of that exposure.

The precondition is simply acknowledging that those paused projects and unreturned laptops are not someone else's responsibility. They belong to the organization that issued them — and the risk they carry does too.


Source: Dark Reading
