Idle infrastructure might cause your next breach – here’s how to stop it
How unused access and storage fuel cyber breaches
Attacks on digital infrastructure are high on the worry list for CISOs in every sector. They hit retail giants like M&S, car manufacturers like Jaguar Land Rover, hospitals and even nurseries. Reports of serious cyber incidents seem to land with uncomfortable regularity, rising by 50% in the past year.
There’s plenty of talk about the risks businesses face, usually focused on AI-driven malware, zero-days, and the latest attack techniques – threats they’re constantly trying to keep up with. But the more uncomfortable truth is that attackers are also exploiting what organizations aren’t doing at all.
Many environments still run with thousands of accounts whose passwords never expire, and inactive “ghost” user accounts that are still enabled – a classic case of configure-once, forget-forever access. In parallel, there’s a physical blind spot: USB sticks, external drives and microSD cards stuffed with sensitive data.
They might be rarely used but perfectly readable and easily abused if they’re picked up by the wrong person.
The old proverb “idleness rusts the mind” doesn’t have to apply to data though – new secure storage is designed to harden when it’s idle, turning inactivity from a weakness into part of your defense.
How idleness turns into breaches
Cybercriminals rarely break in with a single dramatic move. They work in phases, and idle entry points make the first one almost effortless.
It can start with access that shouldn’t still be valid: a contractor account that was never revoked, a legacy service account with a non-expiring credential, or a “temporary” admin exception that outlived the project it was created for. From there, attackers can act like a normal user would, which is exactly why it’s so hard to spot them early.
The same pattern shows up with physical storage. Companies are notorious for copying sensitive files onto devices – laptops, external drives, USB sticks, microSD cards – without considering the security implications.
Think of the unencrypted USB left on a train, the hard drive in the stolen bag, the memory card still in an unretrievable crashed drone, or the portable drive that’s moved from desk to drawer to box over several years. The hardware goes missing, staff move on, and yet the data is still sitting there, readable to anyone who finds it.
The end result may be anything from a quiet data leak that only surfaces months later to direct extortion.
The usability vs security trade-off (and how it gets weaponized)
Most organizations don’t end up vulnerable because they don’t care. They get there because friction is costly. Credentials don’t change because rotating them once caused downtime. Access stays broad because nobody wants constant tickets and blockers.
Files get copied to USBs and SD cards because the quickest way to move data usually wins.
Yes, those choices make operations smoother, but they also smooth the path for attackers. The same easy processes your teams rely on day-to-day, plus any unsecured device holding sensitive data, are exactly what an attacker uses to get in and reach high-value systems.
Another issue is that security efforts tend to follow what’s visible. Data in transit is easier to standardize and show progress on: encrypt the connection, harden remote access, monitor sessions.
Data at rest is where governance gets patchy: not just in years of shared drives, cloud buckets and legacy network storage, but also in the hardware people use to move data around. Laptops, USB sticks and SD cards fall outside the network’s safety net: carried between sites, misplaced and perhaps not even encrypted.
This sprawl turns into an obvious risk: too many places to store sensitive data, too many access paths, too few consistent rules to keep it safe.
The answer isn’t making systems painful to use. It’s designing defaults that don’t rely on constant manual upkeep and using smart hardware.
What companies can do now
The first step is simple: work out what’s still enabled that nobody actively owns and what devices hold valuable data before a malicious actor does.
Look for accounts that haven’t authenticated in months but remain enabled, passwords set to never expire, and service accounts that still have broad permissions because changing them once caused downtime.
Do the same for infrastructure: review legacy systems that are not used but still connected to identity, network, or storage and either isolate, decommission or properly secure them with updated authentication, tighter permissions and encryption.
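The account checks from this first step can be run over any directory export. The sketch below is an added example, not code from the article: the CSV column names, the sample rows, the 90-day staleness threshold and the use of privileged group membership as a stand-in for "broad permissions" are all assumptions to adapt to your own identity provider.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; the column names are assumptions, not a real
# directory schema. Map them to whatever your identity provider exports.
SAMPLE_EXPORT = """\
account,enabled,last_logon,password_never_expires,is_service,privileged_groups,owner
j.doe,true,2025-05-28,false,false,,j.doe
contractor-17,true,2024-09-02,false,false,,
svc-backup,true,2025-06-01,true,true,domain-admins;backup-operators,
tmp-admin-migration,true,2024-11-15,true,false,domain-admins,
old-intern,false,2023-07-19,false,false,,
svc-print,true,,true,true,,it-ops
"""

STALE_AFTER = timedelta(days=90)  # assumed reading of "months"


def audit_accounts(export_text, today):
    """Return {account: [findings]} for enabled accounts that match the checks."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, so not an open entry point
        issues = []
        last = row["last_logon"].strip()
        if not last:
            issues.append("enabled-never-logged-on")
        elif today - datetime.strptime(last, "%Y-%m-%d") > STALE_AFTER:
            issues.append("enabled-but-stale")
        if row["password_never_expires"].strip().lower() == "true":
            issues.append("password-never-expires")
        # Assumption: any privileged group on a service account counts as broad.
        groups = [g for g in row["privileged_groups"].split(";") if g]
        if row["is_service"].strip().lower() == "true" and groups:
            issues.append("service-account-broad-permissions")
        if not row["owner"].strip():
            issues.append("no-owner")  # enabled, but nobody actively owns it
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_EXPORT, datetime(2025, 6, 10))
    for name, issues in report.items():
        print(f"{name}: {', '.join(issues)}")
```

Accounts that collect several findings at once, such as a stale, unowned admin exception with a non-expiring password, are the ones to disable or reassign first.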
Next, shrink the blast radius. Separate critical workflow functions, and limit what standard admin accounts and endpoints can even see, let alone access. Similarly, treat idle data as a lifecycle decision. If it isn’t used, archive it securely with tight access controls or retire it.
Leaving sensitive data “somewhere on a share” is how forgotten files become expensive incidents.
And finally, don’t ignore the physical layer of resilience. Offline and removable storage must be part of your resilience plan, and it has to survive theft, tampering, heat, moisture and mishandling – and still enforce security when it’s not plugged in.
That’s where hardened, secure-by-default storage makes the difference: it’s designed to stay locked down while idle, so “offline” doesn’t become “unprotected.”
Features like built-in hardware encryption, authentication at the point of access and tamper evidence help ensure a recovery copy stays both secure and usable under pressure, even when the rest of the environment can’t be trusted.
For example, if an attacker obtains admin credentials and later gets access to a backup device or media, encryption plus access-time authentication can stop that from turning into a full system compromise.
Cybercrime thrives on what organizations neglect. The fix is to treat idleness as part of your defense strategy and not a forgotten doorway.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro