Most businesses are still behind on the basics. How would your security program run differently if your view were formed around attack-surface reduction? It's a great way to reframe how your organization addresses security, particularly when it comes to carrying out the same basics that remain your best line of defense against cyberattacks.
The breaches making headlines today come from the same problems we've been seeing in cybersecurity for the past 20+ years. They're the result of unpatched vulnerabilities, human error, lapses in system updates, misconfigurations, and other run-of-the-mill oversights. In 2020, much of the world is still behind on the basics.
Every company has a different attack surface. But a growing number of organizations have one thing in common: evolving infrastructure. Modern enterprises are embracing new systems and rolling out new environments, including the cloud and the Internet of Things. The types of devices we're trying to protect today have grown beyond what we've had in the past. We've always had to protect servers, laptops, endpoints, databases, and applications. Today we have to expand that to include cloud offerings, a very large array of services that are continually evolving across shifting public cloud and private cloud platforms.
Out with the old, in with the same old
New infrastructure means new attack vectors, which enlarges the organization's overall attack surface. But it's not just the surface; the ways that people attack these systems are also evolving. The range and complexity of cyberattacks both grow every year, with a higher magnitude of vulnerabilities to match. With global breaches that expose millions of private records at once, it's plain to see that cyber attackers have quickly mastered how to leverage the cloud on a level that might have been incomprehensible a decade ago. The situation calls for security practitioners to ask themselves how they can extend the coverage of their present infrastructure into these new system environments.
Can you handle the truth?
The truth is we're only seeing more complexity with the advancement of new technologies, along with the growth in security sectors driven by niche startups. Combine the number of new security tools with the increased attack surface and the increase in attack vectors, and it's clear that the complexity of what we're trying to defend increases year over year. When you have more complexity, you have more risk. However, system complexity doesn't need to be the reason for security failures if the correct basic controls are implemented consistently across the whole environment. One of the most significant things to be aware of is whether or not you're applying the right cybersecurity framework. To be successful now, you must focus on your framework and on evolving in different security areas, making sure you're getting the basics right first and foremost.