The Cost of Being at DMMM Level 1
By Rich Durfee, Ph.D. — RichnTech
DMMM Level 1 — Ad Hoc — means no device inventory, no policy enforcement, no visibility, and no ability to respond when something goes wrong. It feels free because there’s no MDM subscription and no IT overhead. But Level 1 has a cost. It’s just hidden until something breaks.
Cost #1: The undetected breach. Without device monitoring, you can’t detect when a device is compromised. The average time to identify a breach is 204 days according to IBM’s Cost of a Data Breach Report. At Level 1, that number is likely higher because you have no detection capability at all. Every day a breach goes undetected, the cost of remediation increases. The difference between a $50,000 incident and a $4.5 million incident is often just detection time.
Cost #2: The regulatory fine. If your business handles personal data (and almost every business does), you’re subject to data protection regulations — HIPAA for healthcare, GLBA for financial services, FERPA for education, CCPA/CPRA for California consumers, GDPR for EU data. At Level 1, you cannot demonstrate compliance because you have no records of device management, no proof of policy enforcement, and no audit trail. Regulatory fines for data breaches where the organization failed to implement reasonable security measures range from $100,000 to $1.5 million per incident.
Cost #3: The employee departure. We covered this in detail in our BYOD article, but the math is simple: every employee who leaves your company with company data on their unmanaged personal device is a data leak. At Level 1, you have no way to know what data they have, no way to remove it, and limited legal standing to demand its return if you never had a policy requiring its management.
Cost #4: The lost device. A laptop is left in an Uber. A phone is stolen at a conference. At Level 1, you can’t remote wipe it. You can’t even confirm what data was on it. If it contained client records, you now have a reportable breach — notification obligations, credit monitoring costs, potential litigation. A $30/month MDM subscription would have given you remote wipe capability. The breach notification and remediation will cost $150,000 minimum.
Cost #5: The insurance problem. Cyber insurance underwriters are increasingly asking about endpoint management as part of their application process. Organizations at DMMM Level 1 may face higher premiums, coverage exclusions, or outright denial. If you do have cyber insurance and you file a claim, but the investigation reveals you had no endpoint management in place, the insurer may deny the claim based on failure to maintain reasonable security controls.
The total cost of being at Level 1 isn’t a fixed number — it’s a probability distribution. You might go years without an incident. But when one happens, the cost is 10x to 100x what you would have spent on prevention. An MDM platform costs $1 to $5 per device per month. A BYOD policy costs nothing but time. The DMMM exists to make this math obvious before the incident — not after.