Keeping your team safe: Cybersecurity that works with humans, not against them

Even the most security-conscious organizations can be caught off guard. Despite massive investments in firewalls, VPNs, and threat detection, the biggest vulnerability often sits quietly in employees’ hands — or laps. “Organizations spend millions on cybersecurity, yet breaches often start with employee devices,” says Lars Veelaert, CEO of cybersecurity startup XFA. “Even in well-protected companies, 60% of devices used for work are unknown to or ignored by the company, and the average device is 350 days out of date.”

The rise of hybrid work, freelancers, and the bring-your-own-device (BYOD) culture has only amplified the risk. Employees juggle multiple devices — MacBooks, Android phones, tablets — for both personal and professional use. Traditional IT security, which relies on invasively controlling company hardware, simply cannot scale to this diversity.

“Years ago, one engineer could manage a few desktops that remained at the office. Today, managing two or three devices per employee, each with different operating systems and personal use patterns, is operationally impossible,” Veelaert explains.

The blind spot in modern cybersecurity

Ignored devices are more than a minor nuisance. They’re a systemic blind spot. Research from leading cybersecurity firms shows that a single outdated or unsecured device can provide hackers with a direct path into an entire corporate network.

Before founding XFA, Veelaert worked as a cybersecurity advisor. “We quantified that blind spot: an alarming 40–60% of devices on a corporate network were unknown, and each device was almost a year behind on updates — consequently missing crucial security patches.”

This risk is compounded by modern work habits. Hybrid schedules mean team members connect from coffee shops, coworking spaces, or their homes, often on devices that the IT department doesn’t issue or monitor. Freelancers and contractors add another layer of complexity. Each unverified device expands the potential attack surface, and traditional endpoint security struggles to keep pace.

The COVID-19 pandemic accelerated the problem. As hybrid work became the norm, unknown and/or ignored devices multiplied. “That was the moment we decided to launch XFA,” Veelaert says. “We saw companies struggling globally. So we made it our mission to make every device safe, regardless of who owns it, its type, or its operating system.”

XFA’s approach is simple but effective: verify every device used to access corporate apps without taking control away from employees, contractors or partners. “We want a future where it doesn’t matter who owns the device or what personal preferences they have. Every device is secured the same way,” Veelaert explains.

How XFA works

At the heart of XFA’s technology is the login moment. Every time a member of the team logs in, the system checks whether the device meets security standards — whether updates are current, encryption is enabled, and passwords are set. Employees are guided to install lightweight apps themselves, maintaining control over their devices.

“We optimize for productivity. Everyone can work anywhere, on any device, safely within weeks,” Veelaert says. Compliance is another benefit: GDPR, ISO, and NIST 2 standards can be met because every device used for work — not just company-issued ones — is secured. The average company can reduce 80% of its ignored device risk in just three months.

Why device trust is becoming non-negotiable

XFA’s approach aligns with the Zero Trust security model, which assumes that no device or user is automatically trustworthy. “If we know every device an employee uses, we can support and coach the user too, not just secure the device,” Veelaert notes.

For today’s workforce — multilocation, multidevice, multitasking — security can’t rely on rigid IT controls alone. Productivity and privacy must go hand in hand with protection.

The future of cybersecurity is human-centered

Looking ahead, XFA aims to become the go-to technology for companies seeking secure, productive solutions worldwide. “We want to help organizations scale security across every device while respecting employee privacy,” Veelaert says. The broader lesson is clear: cybersecurity isn’t just about protecting systems. It’s about protecting people and devices together, enabling safe and productive workflows wherever work happens.

Concrete takeaways for organizations

Veelaert shares four practical steps companies — and employees — can take to secure all devices immediately:

  1. Keep systems and apps up to date. Enable automatic updates for operating systems (Windows, macOS, Android, iOS) and key applications. Outdated software is still one of the top attack vectors.
  2. Enable full-disk encryption. Protect sensitive data in case a device is lost or stolen. Laptops, smartphones, and tablets should all have encryption enabled by default.
  3. Use strong, unique passwords. Encourage password managers to avoid reuse, and implement multi-factor authentication (MFA) wherever possible.
  4. Require passwords on wake/unlock. Devices should lock automatically when idle, and users must enter a password or use biometrics to unlock, minimizing unauthorized access risks. 

“Most security leaders know what needs to be done,” Veelaert concludes. “The real challenge is operational: getting every team member — especially on personal or contractor devices — to consistently follow these steps. The percentage of unknown devices isn’t a small 5 or 10 percent. It’s 60%. That’s where organizations need to start.”