Managing an expanding attack surface in the post-COVID era


The past 18 months have seen monumental shifts in the way organisations do business. These trends have in turn had a dramatic impact on the corporate attack surface. New research reveals that a worryingly high percentage of firms’ IT infrastructure contains vulnerabilities. Yet as businesses continue to build out their supply chain partnerships and support hybrid working practices, there’s no turning back.

That should be driving an urgent rethink about how to mitigate third-party risk. As ever, a careful balance will need to be struck between maximising security and maintaining staff productivity.

Why the attack surface matters

At a high level, the cyber-attack surface refers to all of an organisation’s physical and digital assets which could theoretically be compromised in an attack. That means applications, servers, PCs and laptops, websites, network ports, and much more. The bottom line is that the bigger the attack surface, the more there is for threat actors to aim at.

Minimising and securing it should therefore be a focus for any mature security programme. But doing so is easier said than done. Supply chains and remote workers are as mission-critical as you can get, so it’s important that any efforts don’t impact business operations. The recent campaign targeting customers of IT software firm Kaseya shows how complex modern supply chain attacks can be today. And the double-digit surge in ransomware attacks detected by Barracuda Networks over the past year illustrates the persistent risks associated with home working endpoints.

The problem with supply chains

New research from Israeli startup Cyberpion highlights just how much companies rely on third-party partners today. It reveals that 73% of Fortune 500 companies’ total IT infrastructure is external. Even worse, a quarter of these assets contain known vulnerabilities and other risks. These include:

  • A quarter of external cloud IT assets failed at least one security test
  • Nearly 10% of corporate login pages are considered insecure because of invalid SSL/TLS certificates, or because login data is transmitted over plain HTTP (unencrypted)
  • Nearly 5% of hundreds of cloud assets these firms connect to are vulnerable to major abuse, including misconfigurations that could allow attackers to read or overwrite data

Although these figures are for Fortune 500 firms, SMEs are arguably even more exposed through their supply chains. As threat actors find increasingly effective ways to probe for security gaps between third parties, the risks will continue to surge. A report from the EU security agency ENISA predicts that there will be four times more supply chain attacks in 2021 than in 2020, with half attributed to more sophisticated Advanced Persistent Threat (APT) actors.

The hybrid working conundrum

A second major reason why attack surfaces are expanding is the rapid growth in remote workers. The past year has seen an explosion in unmanaged endpoints such as home PCs, laptops, and smart devices. This is perfect fodder for opportunistic cyber-criminals keen to find a relatively undefended route into corporate networks. You might have bolted the front door, but what about the windows? With more windows than ever to try, the chance that one of them has been left ajar keeps rising.

Unfortunately, it’s getting increasingly difficult for IT teams to mandate improved security practices. A recent study found many remote workers view productivity as more important than mitigating cyber-risk. The vast majority of IT leaders claimed in response that the increase in home workers has created a “ticking time bomb” for a corporate network breach.

The bad news is that as the pandemic recedes and hybrid working emerges as the preferred model of most businesses, these risks will continue to expose organisations to financial and reputational damage.

Reducing the attack surface

However, reducing and securing the attack surface is something all SMEs can do with the right set of best practices to guide them. First on the list is understanding exactly what assets your organisation holds. Where are all those servers, laptops, cloud systems, websites, and applications? Could some of them be decommissioned? Next, run scans to check where there are vulnerabilities.

Now it’s time to apply people, process, and policy changes including:

  • Enhanced staff training and awareness (e.g. how to spot phishing attacks)
  • Web application firewalls
  • Comprehensive risk-based patch and vulnerability management programmes
  • Cloud Security Posture Management (CSPM) or similar tools to mitigate the risk of misconfiguration
  • Zero Trust access, supported by continuous, risk-based multi-factor authentication from anywhere
  • Regular audits of supply chain partners to the same high standard
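As an added example (not from the original article or the Cyberpion research), the inventory-then-scan steps above can be turned into a repeatable check for exactly the login-page weaknesses the research counted: credentials sent over plain HTTP, expired certificates, certificates that do not match the hostname, and long-unused assets that are candidates for decommissioning. The `Asset` records, the hostnames and the `NOW` timestamp are constructed for illustration; in practice the inventory would be fed by an asset-discovery tool and a TLS scanner.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed inventory record; real entries would come from asset discovery.
@dataclass(frozen=True)
class Asset:
    url: str                  # login page URL as discovered
    owner: str                # "internal" or the third party hosting it
    cert_not_after: str       # certificate expiry (ISO 8601); "" when no TLS
    cert_names: tuple = ()    # subject alternative names on the certificate
    days_since_login: int = 0 # last observed use, for decommissioning decisions

def _name_matches(host, names):
    """Exact or single-label wildcard match, as a TLS client checks it."""
    for name in names:
        if name.startswith("*."):
            if host.count(".") >= 2 and host.split(".", 1)[1] == name[2:]:
                return True
        elif host == name:
            return True
    return False

def audit_asset(asset, now):
    """Return finding codes for one login page (empty list means no issue)."""
    findings = []
    parsed = urlparse(asset.url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append("login-over-http")          # credentials sent in the clear
    else:
        if datetime.fromisoformat(asset.cert_not_after) <= now:
            findings.append("cert-expired")
        if not _name_matches(host, asset.cert_names):
            findings.append("cert-hostname-mismatch")
    if asset.days_since_login > 90:
        findings.append("decommission-candidate")   # unused asset is pure attack surface
    return findings

def audit_inventory(assets, now):
    """Map each URL to its findings; also return the share of external assets flagged."""
    report = {a.url: audit_asset(a, now) for a in assets}
    external = [a for a in assets if a.owner != "internal"]
    flagged = sum(1 for a in external if report[a.url])
    return report, (flagged / len(external) if external else 0.0)

NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)   # constructed "now" for the scan
INVENTORY = [  # constructed sample inventory
    Asset("https://sso.example.com/login", "internal", "2022-03-01T00:00:00+00:00", ("sso.example.com",), 2),
    Asset("http://hr.partner-a.example/login", "partner-a", "", (), 5),
    Asset("https://portal.partner-b.example/login", "partner-b", "2021-06-30T00:00:00+00:00", ("*.partner-b.example",), 1),
    Asset("https://legacy.partner-c.example/login", "partner-c", "2022-01-01T00:00:00+00:00", ("partner-c.example",), 200),
    Asset("https://api.partner-d.example/login", "partner-d", "2022-08-01T00:00:00+00:00", ("api.partner-d.example",), 3),
]
```

Running `audit_inventory(INVENTORY, NOW)` on the sample flags three of the four external assets, giving the kind of per-partner figure that can feed the supply chain audits listed above.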

The bottom line is that threat actors will always look for the easiest way to generate the maximum return on their investment of time and resources. So make yourself a smaller target by focusing on attack surface reduction, and they’ll be more inclined to pass on your organisation.
