Growing businesses are constantly opening themselves up to new vulnerabilities through the cloud, poor access control, and remote work. By identifying attack surfaces and keeping them in check, you can make sure emerging cyber attacks won’t be an issue for your thriving company, discusses Taylor Hersom, founder and CEO of Eden Data.
As your company grows, so do its operations, consumer reach, and workforce. Unfortunately, attack surfaces – entry points vulnerable to data breaches and cyberattacks—also take a share of your business’ success. Gartner’s 2022 Security and Risk Management Summit highlighted the impending expansion of attack surfaces and the importance of securing them.
As companies increasingly migrate to the cloud, use the internet of things (IoT), leverage social media, and use APIs, their risk detection must be up to par. Every new asset or entry point becomes a shiny new toy for hackers. IT teams should be ready to take preventive—not reactive—measures. When a company sets up a new printer, laptop, or new cloud host, these assets should be secured to avoid malicious attacks.
Just like Conti’s 2022 ransomware attack against the Costa Rican government that exposed 97% of stolen information, vulnerable systems can be easily penetrated by hackers, leaving critical data unprotected. Let’s explore different attack surfaces and the modern solutions available for scalable companies.
Main Attack Surfaces To Watch Out For
Company growth usually entails building a more extensive web page, welcoming more staff, and getting new hardware. These changes might open up new attack surfaces: A new SaaS, setting up users on the network and using APIs. And it’s no longer enough just to set up firewalls, as many assets face exposure outside a company’s domain, like on customer apps, emails, and websites.
However, keep an eye on physical assets like computers, hard drives, and mobile devices. No device should be left unattended—this will minimize attack vectors.
So, where should you put special attention to spot and protect attack surfaces? Let’s take a look.
Multi-Cloud Strategies
Expanding organizations will often adopt various public cloud services. For example, they could use Amazon Web Services and Azure to run separate operations. And what’s the reason? Some businesses might do this to keep services going if one data center is down; it comes down to mitigating possible disruptions. Another reason is keeping data scattered in different infrastructures instead of putting all your eggs in one basket. This way, the risk of full data loss is minimized.
Although these strategies aim to lower risk, hiring more services means more attack surfaces to take care of. For example, cloud misconfiguration—not updating your legacy protocols from previous software into cloud systems and running APIs without proper controls— is a prominent gateway for cyberattacks.
APIs are often the glue connecting systems in the cloud, and they help apps communicate seamlessly with each other. They’re also a hacker’s favorite dish waiting to be served. As the number of APIs used by companies grows, so do the threats. A 2022 study showed that API-related vulnerabilities cost businesses up to $75 billion annually. Exposed API keys, which identify users or applications to access data, can be the perfect vector for malicious attacks.
Remote Work
Even before the pandemic, many companies started offering remote work options to attract more candidates. Post-pandemic, emerging businesses put in place working-from-home initiatives to eliminate rent costs. While this makes for more flexible work environments, flexibility comes with an extra dose of security risks.
Findings show that remote workers are the main target of hackers, and cyberattacks have increased by 238% since the beginning of the pandemic. Systems that are not controlled in a single network are more prone to hackers—especially devices like personal laptops using public internet connections and mobile devices with sensitive data.
Open Source
Rapid-growth companies requiring sturdy software to function, like the tech and financial sectors, have started leveraging open-source options as it speeds up the coding process. In 2022, Red Hat reported that 82% of IT leaders choose to work with enterprise open-source vendors.
Although it is considered safe, the truth is anyone can get their hands on this publicly available asset. The most recent example is the Log4j case, where millions of companies are still affected by a severe vulnerability in the logging service. Many developers can secure and patch open-source codes, but others are there to disrupt the software and steal information.
See More: Cyber Risk Assessments: How to Reduce Risk and Optimize Insurance
Successful Attack Surface Management
The number of entry points and hidden vectors that hackers can penetrate might discourage security leaders. Still, it’s nothing that can’t be fixed with attack surface management.
Ethical Hacking
Managing assets means IT teams must map their systems and identify all possible attack surfaces. Bringing them into visibility with scans that run periodic checks, like Microsoft’s Defender External Surface Management, can help uncover entry points. However, this approach can become complacent and passive in the face of evolving hacking trends.
A more hands-on approach is ethical hacking, dressing up an IT team member as a hacker to test out vulnerabilities. And in the era of rising AI solutions, ethical hacking AI is an increasing white hat tool that constantly identifies threats from weak security systems.
Access Control
A small company of two to five people who usually work in the same office might not need rigorous access control. But it becomes a necessity as it grows and welcomes more team members from different locations. This entails limiting access to sensitive data and operating systems and properly authenticating key people.
In 2019, Microsoft reported that systems were 99% safer when using multi-factor authentication (MFA). This is a simple yet effective way to identify team members and control access. As well as strong passwords, the authentication can ask a personal question only the right person would know or send a verification code through SMS or email.
This also applies to APIs when granting access to app data and reducing vulnerabilities. For example, OAuth and OpenID are advanced standards to authenticate the credentials of third parties with MFA or privileged access management.
The Human Element
Ultimately, protecting systems always comes down to us. While an organization expands, it opens the door to more people, thus more attack surfaces to protect. A simple click on a phishing email can deeply hurt a company’s assets. And although it feels like an outdated age-old scam, phishing attempts via email, websites, and mobile devices increased by 61% in 2022.
To test workers, a simulator program can send out fake phishing emails to see how workers respond to them. This measures how well-prepared teams are to face these seemingly harmless threats and allows security teams to launch action plans to train staff.
Ensuring that your attack surfaces are protected and constantly monitored to search for new entry points is necessary for growing businesses. You’ve put enough work into scaling your business, so you might as well put in some elbow grease to keep your assets safe. With the right measures, you’ll be able to oversee possible threats and train your team to keep your business operating without any mishaps.
How are you protecting your attack surfaces? Are cyber risks threatening your scaling plans? Share with us on Facebook, Twitter, and LinkedIn.
MORE ON CYBER RISKS:
Image Source: Shutterstock