TL;DR: Ransomware, phishing, and lost devices create shared responsibility questions that sit at the intersection of policy, employment law, and security practice, according to Imprivata. The real governance issue is prevention, because blame after the incident does not reduce exposure or limit future breach impact.
NHIMG editorial — based on content published by Imprivata: ransomware responsibility, lost devices, and why prevention matters more than blame
Questions worth separating out
Q: What breaks when organisations rely on blame after ransomware or device loss?
A: Blame does not restore access control, remove malware, or recover exposed data.
Q: Why do lost company devices create such high security risk?
A: A lost device becomes dangerous when its data, sessions, or cached credentials remain usable to someone who finds it.
Q: How can security teams make phishing less damaging when users still click?
A: Teams should assume some users will click and design controls so a click does not equal compromise.
Practitioner guidance
- Define loss-response authority before devices go missing: pre-authorise remote lock, wipe, and session revocation for managed endpoints so response does not wait for ad hoc approval after a device is lost or stolen.
- Tighten phishing resilience around the sign-in path: use phishing-resistant MFA, suspicious sign-in detection, and rapid account verification so one deceptive email does not become durable access.
- Reduce the value of a compromised endpoint: encrypt local storage, segment access to shared systems, and limit where a user session can reach from a managed device.
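The first and third points above, written out as a pre-authorised lost-device response policy. This is an added illustration, not code from Imprivata or NHIMG; the report fields, action names, and the 24-hour threshold are assumptions standing in for whatever a real MDM and identity provider expose.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical report shape; real MDM and IdP integrations will differ.
@dataclass(frozen=True)
class LostDeviceReport:
    device_id: str
    managed: bool           # enrolled in MDM, so lock/wipe can actually be issued
    disk_encrypted: bool    # full-disk encryption confirmed by inventory
    active_sessions: int    # live SSO/VPN sessions bound to this device
    last_seen: datetime     # last MDM check-in
    reported_at: datetime   # when the user or helpdesk reported the loss

def plan_response(r: LostDeviceReport) -> dict:
    """Return the pre-authorised actions and a severity for a lost device.

    Assumed policy, modelled on the guidance above: on managed endpoints,
    session revocation and remote lock are pre-authorised and issued at once;
    wipe is pre-authorised only when local storage is not encrypted (an
    encrypted disk behind a remote lock keeps data unreadable, so wiping it is
    left to a human decision); unmanaged devices cannot be locked or wiped, so
    the automatic response is identity-side only, plus escalation.
    """
    actions = []
    if r.active_sessions > 0:
        actions.append("revoke_sessions")
    # Cached credentials on the device stop being usable once rotated.
    actions.append("rotate_credentials")
    if r.managed:
        actions.append("remote_lock")
        if not r.disk_encrypted:
            actions.append("remote_wipe")
    else:
        actions.append("escalate_to_security")
    # Time between the last check-in and the report bounds how long a finder
    # could have had the device before any control was applied.
    window = r.reported_at - r.last_seen
    if not r.disk_encrypted:
        severity = "high"
    elif r.active_sessions > 0 or window > timedelta(hours=24):
        severity = "medium"
    else:
        severity = "low"
    return {"device_id": r.device_id, "actions": actions, "severity": severity,
            "exposure_window_hours": round(window.total_seconds() / 3600, 1)}
```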
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- Policy examples showing how organisations assign responsibility for lost devices, phishing, and accidental data exposure.
- Practical guidance on balancing employee accountability with support when incidents happen in good faith.
- A breakdown of device governance, lost device recovery, and end-user training practices for distributed workforces.
- The article's framing on how organisations can reduce liability while improving employee confidence and compliance.
👉 Read Imprivata's analysis of ransomware responsibility and device loss →
Ransomware responsibility and device loss: what should teams do?
Explore further
Blame-based ransomware governance fails because it treats human error as the root cause instead of the control failure. The article is correct that responsibility depends on policy, law, and circumstance, but the security lesson is that post-incident punishment does not reduce attack surface. The programme question is whether device access, authentication, and recovery controls were strong enough that a single mistake could not become a breach. Practitioners should treat blame as an HR outcome, not a security strategy.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity failure can recur across environments.
A question worth separating out:
Q: Who is accountable when ransomware or a compromised device causes a breach?
A: Accountability usually depends on company policy, employment terms, and local law, but security responsibility should be shared across the organisation. Employees must follow documented procedures, while the organisation must provide controls that limit damage when mistakes happen. Good governance separates accountability from the technical ability to contain the incident.
👉 Read our full editorial: Ransomware responsibility exposes the limits of blame-based security