zeroShadow

Workspace Security Bulletin April 2026

Apr 13, 2026 | 3 min read

Prevent security incidents by closing common gaps: improve device management, and strictly enforce account lifecycle management for human and machine identities.

ZeroShadow Workspace Security Bulletin, April 2026. A futuristic digital office where silhouetted professionals work at laptops. Glowing neon magenta and teal data streams flow between desks, overlaid with circuit board patterns and a TLP: CLEAR classification.

Over the past few weeks, we’ve seen a notable increase in security incidents across the industry utilizing very similar attack vectors.

These weren’t the result of cutting-edge, highly sophisticated zero-day exploits. They came down to access not being properly reviewed, weak lifecycle management, gaps in endpoint monitoring and over-reliance on trusting individuals. Social engineering will always be a risk, so we should build layers of defence and technical controls to limit the potential damage an incident can cause.

Incidents don’t often happen because our people are malicious; they happen because there was an opportunity. To help eliminate those opportunities, our intelligence recommends immediately reviewing three key areas:

1. Device management, and moving beyond BYOD

While Bring Your Own Device (BYOD) policies offer flexibility, we must acknowledge their severe limitations in a high-risk environment. BYOD creates massive blind spots. When dealing with unmanaged personal devices, you cannot enforce security baselines.

Entities should operate on company-owned devices for their most critical functions, with suitable Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) installed.

MDM ensures device compliance and remote wipe capabilities, while EDR provides the visibility needed to detect and stop suspicious activity before an attacker can establish a foothold. Without these tools, you are effectively flying blind on the endpoint.

2. Account lifecycle management

2.1 Interactive accounts (the humans)

Security isn’t just about onboarding; it includes offboarding and role changes. Accounts we think are not being used are the prime targets.

Go into Google Workspace, GitHub, AWS, and all of your core systems today. Review your interactive user accounts and immediately disable or remove access for anyone who has left or changed to a role that no longer needs that access.

This cannot be an annual check-box exercise. You must stay on top of this continuously. Proper joiner/mover/leaver processes must be enforced, not just assumed.

2.2 Non-interactive accounts (the machines)

Service accounts, API keys, Personal Access Tokens and machine identities need as much scrutiny as human users, if not more. These accounts are often the most powerful, so respect them.

Assess your access controls for all non-interactive accounts. Is that specific service still needed? Does it actually need global admin permissions, or is that just for convenience? Where are your keys stored? Is access to those keys restricted to those who really need it? Is an alert generated if access occurs outside of expected parameters?

Challenge each other on these setups. A compromised API key might not grant direct access to funds, but attackers actively seek them out to navigate your infrastructure.
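One way to turn the reviews in 2.1 and 2.2 into a repeatable check, shown here as an added example that is not zeroShadow's own tooling. It assumes an export in the column layout of the AWS IAM credential report; the sample rows, the leaver list, the expected-region map, the finding names and the 90-day threshold are all constructed for illustration.

```python
import csv
from datetime import datetime, timedelta, timezone

# Constructed sample; column names follow the AWS IAM credential report.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_1_last_used_region
alice,true,2026-04-10T09:12:00+00:00,false,N/A,N/A
bob,true,2026-01-05T14:00:00+00:00,true,2026-04-11T10:00:00+00:00,eu-west-1
svc-deploy,false,N/A,true,2026-04-12T23:50:00+00:00,ap-southeast-2
svc-legacy-export,false,N/A,true,N/A,N/A
"""
LEAVERS = {"bob"}                                 # constructed: HR leaver list
EXPECTED_REGIONS = {"svc-deploy": {"eu-west-1"}}  # constructed: where each key should be used


def _ts(value):
    """Parse a report timestamp; placeholders such as 'N/A' mean never/unknown."""
    return datetime.fromisoformat(value) if value and value[0].isdigit() else None


def review(report_csv, leavers, expected_regions, now, stale_days=90):
    """Return sorted (user, finding) pairs for accounts that need a decision."""
    stale = now - timedelta(days=stale_days)  # 90 days is an assumed threshold
    findings = set()
    for row in csv.DictReader(report_csv.splitlines()):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        slots = [s for s in ("access_key_1", "access_key_2")
                 if row.get(f"{s}_active") == "true"]
        if user in leavers and (has_password or slots):
            findings.add((user, "leaver-still-enabled"))
        if has_password:
            last_login = _ts(row["password_last_used"])
            if last_login is None or last_login < stale:
                findings.add((user, "login-unused"))
        for slot in slots:
            last_used = _ts(row.get(f"{slot}_last_used_date"))
            if last_used is None or last_used < stale:
                findings.add((user, "key-unused"))
            region = row.get(f"{slot}_last_used_region")
            allowed = expected_regions.get(user)
            if allowed and last_used and region not in allowed:
                findings.add((user, "key-unexpected-region"))
    return sorted(findings)


if __name__ == "__main__":
    now = datetime(2026, 4, 13, tzinfo=timezone.utc)
    print(review(SAMPLE_REPORT, LEAVERS, EXPECTED_REGIONS, now))
```

Run on a schedule against a fresh export, a non-empty result is the prompt to disable, scope down or investigate, which keeps the review continuous rather than annual.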

A mindset shift we're encouraging

We know many of you are building fast, innovating, and pushing boundaries, and that’s exactly what makes this space exciting. Security needs the same mindset. Don’t be afraid to be disruptive internally when it comes to getting the right controls in place.

That may mean challenging existing access, slowing something down to do it properly, reworking processes that “kind of work” and calling out gaps, even if they’ve been there for a while.

The strongest teams we work with aren’t the ones with perfect security; they’re the ones willing to continuously question and improve it.

Where this fits into what we're building together

Behind the scenes, we’re evolving how we support clients, moving towards a more structured, risk-focused approach. Rather than ticking boxes, the focus is on understanding where real risks sit, prioritising what actually matters in your environment, and establishing controls that are practical, tested, and actually hold up under pressure.

Conclusion

Ask yourself: if someone had the wrong access today, would you know, and how quickly?

If the answer isn’t clear, that’s where to start. If you would like any help reviewing access models, improving monitoring, or validating controls, we’re here to work through it with you.

No noise. No over-engineering. Just what works.

zeroShadow Security Risk Management
