For years the primary focus of security has been securing the endpoints. If we can just protect the desktops and laptops and tablets and smartphones from malicious exploits and prevent them from being compromised, then all would be well. The problem is that it's virtually impossible to assure the endpoint is secure. That's why you should assume the endpoint will be compromised, and focus instead on ensuring the sensitive data on the endpoint is secure.

I'm not suggesting you throw in the towel or raise the white flag on endpoint security. You still have to employ reasonable defenses and follow established best practices. Your endpoints should have essential protection like a firewall and antimalware software. You still want to make it a challenge and deter or block the attacks you can. You just need to also be realistic and understand that compromise is more a matter of "when" than "if".

Protect Data at Rest

Sensitive data should be encrypted. Even if an attacker is successful in compromising the endpoint, it should not enable them to access things like confidential company data, customer information, or other sensitive data.

You should use encryption technologies like TrueCrypt or PGP, or use the built-in BitLocker encryption available in many versions of Microsoft Windows. Depending on what encryption tool you use, it will either encrypt the entire hard drive or just designated folders. If it encrypts only designated folders, you need to ensure that users know where those folders are and develop a habit of storing sensitive information in the appropriate location.

One issue with encryption, however, is that most encryption solutions are designed to enable seamless access for authorized users. In other words, no additional authentication occurs in order to access the encrypted data—once the user is logged in, the data is accessible just like the unencrypted data. The reason that's a problem is that most attacks allow the attacker to use the system with the same privileges as the currently logged-in user—which means unfettered access to encrypted information.

Secure Data After Compromise or Loss

Encryption is like the firewall and antimalware protection—it's a layer of protection that makes it more difficult for attackers, but it isn't impervious. For true protection of sensitive data on an endpoint, you need a way to erase or remove the sensitive data in the event of an endpoint being lost, stolen, or compromised.

Most tablets and smartphones have features that allow the entire contents to be wiped remotely. There are also a variety of mobile device management solutions that enable IT admins to remotely erase sensitive data from a device. With Windows 8.1, Microsoft has added the ability for IT admins to erase company data remotely from Windows 8.1 endpoints as well.

Hopefully your endpoint security will protect you, and you won't have to worry about compromised endpoints. It's unlikely, but possible. The important thing, though, is that you assume your endpoints will be compromised, and put tools and processes in place that enable you to protect or erase your sensitive data to keep it out of the hands of the attackers.
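The "Protect Data at Rest" section above makes two points a practitioner will want to verify on real machines: that the volume or designated folders are actually encrypted, and that the encryption does not unlock transparently with nothing more than a TPM. The PowerShell audit below is an added example, not code from the original article; it uses the Windows BitLocker module (`Get-BitLockerVolume`) and the NTFS/EFS "Encrypted" file attribute, needs an elevated session, and the folder paths in `$DesignatedFolders` are assumptions to be replaced with the locations your users were told to use.

```powershell
# Added example (not from the original article): audit the data-at-rest controls
# the article describes on a Windows endpoint.
# Requires Windows with the BitLocker PowerShell module and an elevated session.
# ASSUMPTION: the folder list below is illustrative; substitute your own
# designated "store sensitive data here" folders.
$DesignatedFolders = @('C:\Confidential', "$env:USERPROFILE\Documents\Sensitive")

# Key-protector types that require a secret or token before the OS boots.
# A plain 'Tpm' protector unlocks silently, which is exactly the transparent
# access the article warns about.
$PreBootProtectorTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

function Get-VolumeEncryptionReport {
    # One row per BitLocker-capable volume: encryption state, whether protection
    # is actually on, and whether unlock needs anything beyond the TPM.
    Get-BitLockerVolume | ForEach-Object {
        $protectors = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType                 # OperatingSystem / Data
            VolumeStatus     = $_.VolumeStatus               # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus = $_.ProtectionStatus           # Off means the key is not protected
            KeyProtectors    = ($protectors -join ',')
            PreBootAuth      = [bool]($protectors | Where-Object { $_ -in $PreBootProtectorTypes })
        }
    }
}

function Get-UnencryptedSensitiveFiles {
    # For folder-level (EFS) encryption: list files in the designated folders
    # that lack the Encrypted attribute, and warn when a designated folder is
    # missing (a sign users are saving sensitive data somewhere else).
    param([string[]]$Folders = $DesignatedFolders)

    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) {
            Write-Warning "Designated folder missing: $folder"
            continue
        }
        Get-ChildItem -LiteralPath $folder -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Report: volumes first, then flag the conditions the article calls out.
$volumes = Get-VolumeEncryptionReport
$volumes | Format-Table -AutoSize

foreach ($v in $volumes) {
    if ($v.VolumeStatus -ne 'FullyEncrypted' -or $v.ProtectionStatus -ne 'On') {
        Write-Warning "$($v.MountPoint): not fully protected (status $($v.VolumeStatus), protection $($v.ProtectionStatus))"
    }
    if ($v.VolumeType -eq 'OperatingSystem' -and -not $v.PreBootAuth) {
        Write-Warning "$($v.MountPoint): TPM-only unlock; the volume opens transparently at boot"
    }
}

# Folder-level check, only meaningful where designated folders (not the whole
# drive) are what is supposed to be encrypted.
$plain = @(Get-UnencryptedSensitiveFiles)
if ($plain.Count -gt 0) {
    Write-Warning "$($plain.Count) file(s) in designated folders are not EFS-encrypted:"
    $plain | Format-Table -AutoSize
}
```

Two readings of the output matter. A `ProtectionStatus` of `Off` or a `VolumeStatus` other than `FullyEncrypted` means the at-rest control the article calls for is not in force. A `PreBootAuth` of `False` on the OS volume means unlock is TPM-only: fine against a pulled drive, but it does nothing about the scenario the article describes, where malware runs as the logged-in user and sees decrypted data anyway. That residual gap is why the article's next section turns to remote wipe rather than more encryption.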