Historically, the defence against cyber-attacks was to enclose all data and devices within the perimeter you control – deploy firewalls, antivirus, mail filtering and web filtering – whilst ensuring all employees remain predominantly office-based and all software is patched and up to date. This became the basic risk management profile of most organisations, with budgets and IT team sizes set against it. As attacks evolved, phishing became more prevalent. This meant User Awareness Training became a basic staple of a cyber security plan, often outsourced to an automated solution.
Cloud came next, with Cloud Access Security Brokers (CASB) being the next hot topic to secure access to SaaS applications and shadow IT problems. This then evolved into Cloud Security Posture Management and Cloud Workload Protection to secure what you have in your own public or private cloud.
The problem is these defences are predicated on most employees being in the office (or on a VPN) and using endpoints and devices owned by the organisation. Fast-forward to 2022 and, without much notice, all employees can now theoretically be anywhere in the world and connected or not connected to the corporate VPN. As they can potentially use their credentials on their own personal devices, the question is: are all the previously mentioned protections still as effective?
For most organisations the answer is something like “Well, they have worked in the past and we’ve not had a cyber-attack yet”.
The problem here is that the Attack Surface is no longer limited to what you have chosen to allow through the perimeter firewall and what you are consuming in the cloud. It’s now expanded to every single corporate device in employees’ homes and any non-corporate device that an employee chooses to log in from and, by extension, every username and password (or identity) in use throughout your organisation. This is on top of all assets already in use within the cloud, datacentres and all web applications exposed to the internet – and lately, all supply chain routes.
When factoring this in, quite often just understanding what the attack surface is becomes a significant challenge – and this is before establishing how to reduce and secure it.