Security at the network gateway, or in the cloud itself, can improve your security posture, but if you were only allowed one sort of security solution, you'd want it to be endpoint-based, for four main reasons:
Endpoints are the nucleus of most malware attacks, even if the final target is not the endpoint itself.
Endpoints are where your confidential and encrypted data is most likely to be unscrambled for presentation.
Endpoints are almost always not just on your network, but inside it.
Endpoints are increasingly the gateway into your network for new content.
You might disagree with the last point, but data which enters your network via a traditional gateway device might only become available when it reaches the end- user, thanks to encryption. Such data doesn't really exist (or, at least, is unrecognisable) until it is at the endpoint.
Data files introduced to a computer via a USB key or another removable device, or files downloaded whilst a laptop is connected to someone else's network, don't pass through traditional gateway devices at all. This means they quite literally don’t ‘exist’ on your network until they first appear on the endpoint.
Clearly, then, we need to protect endpoints in order to prevent them being owned by cybercriminals. Endpoint malware threatens not only the computer it infects, but also other computers on the network and the reputation of the organisation itself.
This poses the questions: just what is an endpoint these days, and where does endpoint protection end?
In the early days of malware prevention, the admittedly-annoying word ‘endpoint’ didn't exist. We just talked about PCs instead. And PCs generally excluded servers and other dedicated devices, being limited to computers running DOS or Windows, issued to individual employees as general business tools. These days, well-informed system administrators aren't so restrictive in their definition.
Computers not running Windows, such as Macs, are endpoints, too. Sure, they are much less likely to get infected than their Windows cousins, but infection can happen. And they are perfectly capable of being Typhoid Marys, glibly passing on infections to which they themselves are immune.
Servers, too, are endpoints – not least because they are at the end of a network cable. Often, they run an operating system that is indistinguishable at its core from the one used on laptops and PCs. And since servers generally dish out content to other devices on the network, they too can be Typhoid Marys.
So where does this leave modern-day networked computers such as point of sale (POS) terminals, kiosks, cash registers, digital signs and the like? Are they endpoints? Or do their special purpose and their carefully-restricted user interface mean you can exclude them from malware risk analysis?
No, you probably can’t. Increasing numbers of embedded and single-purpose computing devices are not only connected to your regular business network, but also run a core operating system which is similar or identical to the operating systems you use elsewhere. Microsoft's Windows Embedded Platform, for example, comes in a dizzying range of variants, but is very carefully advertised as: "One platform. Endless Possibilities".
Ignoring your embedded devices is a bit like locking up your house but leaving the bathroom window open on the grounds that it's the smallest opening and the least interesting room for a burglar.
So if you have decided not to protect your customer's embedded devices such as POS terminals and digital signs, you might want to reconsider. Sure, they generally have a lower surface area of attack than the average laptop, but they can also be the trickiest and most expensive to cure if they do become infected. And if infected, they actively threaten the rest of your network.
Lock that bathroom window, or at least put burglar guards on it.