Guest author – Terry Allen, company director.
The flipside of risk is opportunity. When we are confident in our cyber security, we are not just avoiding risk; we can use our competence as a competitive advantage and differentiator. Businesses, insurers, and ecosystems are increasingly taking a much greater interest in the security status of those they partner with.
Most of us board members are happy to discuss whether MFA, antivirus, and firewalls are operating effectively. While these tools are essential, a broader understanding of the security landscape (and the tools required to secure our organizations) will help us perform better as boards.
For instance, many organizations I've talked to have a good handle on securing parts of their environment but do not have a good understanding of their entire attack surface.
What is an attack surface?
An attack surface can be thought of like this. If we consider every bit of IT that a company uses – be that a hardware device or a piece of software – and think of each as a piece of real estate, we start to get a sense of our attack surface. The more assets we have, the more real estate we own (and need to defend). In medieval times, we built walls to protect our land and relied on the (fire)wall to keep us safe. Now we have suburban sprawl! There's probably still a core of things behind the wall, but there's a lot of real estate outside it too. And it's not just what we own: our SaaS solutions, supply chain partners, and the businesses we acquire extend our surface even further.
External attack surface monitoring
So, when we think about security and managing our attack surface, we need to consider whether we have all parts of it covered.
Yes, we should have security software that runs on all our devices. Yes, we should protect our internal services with firewalls. Yes, we need training and policies for incidents and breaches. What about the outer perimeters of our organization? The things in the suburbs that are accessible to every attacker on the internet? Do we even know what they are? Do we know if they are safe from attack? How are we managing and monitoring them?
This part of our organization's attack surface is called our external attack surface, and the tools that help us monitor and manage it are External Attack Surface Management tools. You might know some techniques used to test for issues in this territory – like vulnerability scanning and penetration testing. These form part of the story and are important (though they are often not done frequently enough). There is also a host of other issues like email security, breached accounts, Domain Name System (DNS) security, expired certificates and more that are covered by scanning and monitoring tools.
Understanding inventory is important too. Just knowing all the software and hardware we have is increasingly hard. Tools that help us track everything and reduce our real estate down to what is necessary are very helpful in managing risk. But it's dangerous to think that occasional stocktakes will be enough to capture the moving, shifting nature of attack surfaces.
That's because our attack surface constantly changes (just one misconfigured email server puts us at risk), and attackers move incredibly fast. New vulnerabilities are exposed and exploited an order of magnitude faster than any other change an organization can roll out. Managing it requires a different approach.
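To make the "continuous monitoring, not occasional stocktakes" point concrete, here is a small added illustration (written for this post, not code from any product or from the author) of the checks an external attack surface process runs on every new inventory snapshot: which internet-facing services have appeared or disappeared since the last snapshot, which certificates have expired or are about to, and which services are exposed without TLS at all. The snapshots, hostnames and dates are constructed sample data; in practice the records would come from a scanner's export.

```python
"""Tiny external attack surface drift check (added illustration, not a product's code).

Assumes an inventory of internet-facing services is produced regularly as a
list of records with host, port, service and the TLS certificate's not-after
date. Everything below is constructed sample data.
"""
from datetime import date, timedelta

# Constructed example: last month's snapshot of what was visible from the internet.
PREVIOUS_SNAPSHOT = [
    {"host": "www.example.test", "port": 443, "service": "https", "cert_not_after": "2025-09-30"},
    {"host": "mail.example.test", "port": 25, "service": "smtp", "cert_not_after": "2025-07-15"},
    {"host": "vpn.example.test", "port": 443, "service": "https", "cert_not_after": "2026-01-01"},
]

# Constructed example: today's snapshot. A forgotten staging host has appeared,
# the VPN endpoint is gone, and the mail server's certificate has lapsed.
CURRENT_SNAPSHOT = [
    {"host": "www.example.test", "port": 443, "service": "https", "cert_not_after": "2025-09-30"},
    {"host": "mail.example.test", "port": 25, "service": "smtp", "cert_not_after": "2025-07-15"},
    {"host": "staging.example.test", "port": 8080, "service": "http", "cert_not_after": None},
]

TODAY = date(2025, 9, 10)  # fixed "now" so the example is reproducible offline


def _key(asset):
    """Identity of an exposed service: host plus port."""
    return (asset["host"], asset["port"])


def diff_surface(previous, current):
    """Return (appeared, disappeared): services present in only one snapshot."""
    prev_keys = {_key(a) for a in previous}
    cur_keys = {_key(a) for a in current}
    appeared = sorted(cur_keys - prev_keys)
    disappeared = sorted(prev_keys - cur_keys)
    return appeared, disappeared


def certificate_findings(current, today, warn_days=30):
    """Flag certificates that have expired or expire within warn_days.

    Returns a list of (host, port, status) where status is 'expired' or
    'expiring'. Services without TLS (cert_not_after is None) are skipped here
    and reported separately by plaintext_services().
    """
    findings = []
    for asset in current:
        not_after = asset.get("cert_not_after")
        if not_after is None:
            continue
        expiry = date.fromisoformat(not_after)
        if expiry < today:
            findings.append((asset["host"], asset["port"], "expired"))
        elif expiry <= today + timedelta(days=warn_days):
            findings.append((asset["host"], asset["port"], "expiring"))
    return findings


def plaintext_services(current):
    """List services exposed without TLS at all (e.g. bare HTTP)."""
    return sorted(_key(a) for a in current if a.get("cert_not_after") is None)


def surface_report(previous, current, today):
    """Combine the checks into one dict a summary for the board can be built from."""
    appeared, disappeared = diff_surface(previous, current)
    return {
        "new_exposures": appeared,
        "removed_exposures": disappeared,
        "certificate_findings": certificate_findings(current, today),
        "plaintext_services": plaintext_services(current),
    }


if __name__ == "__main__":
    report = surface_report(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, TODAY)
    for section, items in report.items():
        print(f"{section}: {items}")
```

Run against the two snapshots, the report shows the staging host as a new exposure (and as a plaintext service), the VPN endpoint as removed, the web certificate as expiring within 30 days and the mail certificate as already expired. The point for a board is the cadence: a stocktake done once a year would have missed all four changes until the next one; a diff run on every snapshot surfaces them the day they happen, and the counts can be tracked over time to show exposure actually falling.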
Questions to ask
The key questions you could ask as a board member about your external attack surface are:
- Do we understand our external attack surface risks as well as our internal attack surface?
- What are our key assets that are internet/external facing?
- How frequently are we looking at our risks in this space? Is that frequency appropriate?
- Are we proactive or reactive to changes?
- Can we track our risks and issues and see meaningful reductions in exposure over time?
External attack surface management is a less well-known function of cyber security. Many organizations have maturity in managing their devices and servers to detect and prevent attacks. From a risk reduction perspective, the next cab off the rank must be external attack surface management.
Back to my earlier point: organizations (including insurers) are looking more closely at the security of their business partners and ecosystems. Alongside bad actors, your B2B partners will increasingly scan you to see how visible your external surface security is. Pay attention and get this right, and your organization is better protected and more attractive to deal with.
These are the discussions I'm having with boards right now. For me personally, I'm glad we've flipped the conversation from cyber risk to how cyber security competence is a business differentiator.