Defense strategists for millennia have relied on a straightforward tactic to create advantage against invaders: reduce the attack surface. That is, limit the number of different points where an enemy can potentially gain entry to attack.
Those same principles hold today when it comes to protecting your bank’s technology and data from the escalating barrage of cyberattacks.
Reducing your Technology Attack Surface (TAS) leaves potential adversaries with a smaller number of targets – which can be more effectively monitored and defended.
The TAS is the sum of all the points where an unauthorized user can try to get in and cause mayhem. The impact of a successful attack can run the gamut from disrupting system operations to stealing, destroying, or blocking access to data.
A useful way to visualize your financial institution’s TAS is to compare it to the windows and doors of your house. The more entry and exit points your house has, the greater the security challenge. Large TASs are difficult to defend because of the ongoing effort needed to monitor, analyze, and respond to anomalies across every one of those points. Unfortunately, many banks are creating more risk for themselves with large TASs because they continue to layer in legacy technology components and multiple outside vendors.
The good news is that you can take steps to reduce your TAS. A bonus is that you may be able to lower your ongoing operating costs at the same time, since complexity is a big driver of security vulnerabilities and costs.
You can think about TAS in these categories:
- Hardware – ports, connections, devices, interfaces, cloud servers, and the data, systems and processes that keep the network running.
- Mitigate: Reduce the number of connections and vendors. Pro tip – make sure you understand the sub-vendors your vendors may use and their TAS profile. Eliminate vendors that are simply re-sellers or amalgamations of other vendors you don’t have visibility into.
- Software – applications, email services, operating systems, compliance policies, patch maintenance and perhaps “invisible software” that is a sub-component of a tech vendor’s offering.
- Mitigate: Reducing the number of applications and providers is a good starting place. Pro tip for financial institutions – look for security applications that are specialized for your sector. Russian hackers are thought to have infiltrated a wide array of businesses and government entities through ubiquitous software supplied by a single, not-so-secure vendor.
- People – Granted, any individual employee creates only a small opening in your “house.” But consider that while a keyhole is one of the smallest openings in your house, it opens the door. Collectively, individual employees constitute a lot of small openings – and opportunity for cybercriminals (in-house or external) to gain access to your network and information through social engineering. Cons and scams in the form of phishing emails designed to “trick to get a click” are potential entry points into your house.
- Mitigate: Defenses include spam filters; continuing employee education on cybersecurity; effective processes; and least privilege – limiting each individual’s data access to the minimum needed to perform their job function.
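Reducing connections starts with knowing which services a host actually exposes. The following Python script is an added example and is not part of the original article: it parses output in the format of the Linux `ss -lntu` command, separates loopback-only listeners from ones reachable over the network, and flags every reachable listener that is not on an approved allow-list. The sample output and the allow-list (`APPROVED`) are constructed for illustration, not captured from any real bank host.

```python
"""Inventory listening network services and flag those that enlarge the attack surface."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout of `ss -lntu` on Linux (not from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0      128    [::]:21            [::]:*
tcp   LISTEN 0      128    [::1]:6379         [::]:*
"""

# Hypothetical allow-list: the only network-reachable services this host should offer.
APPROVED: set[tuple[str, int]] = {("tcp", 22), ("tcp", 443)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def external(self) -> bool:
        """True if the socket is reachable from other hosts (not bound to loopback)."""
        if self.addr == "*":  # older ss prints '*' for a wildcard bind
            return True
        return not ipaddress.ip_address(self.addr).is_loopback


def split_addr_port(local: str) -> tuple[str, int]:
    """Split '127.0.0.53%lo:53' or '[::]:21' into (address, port)."""
    addr, port = local.rsplit(":", 1)
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and interface scope
    return addr, int(port)


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -lntu` style text into Listener records, skipping the header."""
    listeners: list[Listener] = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if state not in ("LISTEN", "UNCONN"):  # TCP listeners and bound UDP sockets
            continue
        addr, port = split_addr_port(local)
        listeners.append(Listener(proto, addr, port))
    return listeners


def exposed_unapproved(listeners: list[Listener], approved: set[tuple[str, int]]) -> list[Listener]:
    """Network-reachable listeners that are not on the allow-list: the surface to cut."""
    return sorted(
        (l for l in listeners if l.external and (l.proto, l.port) not in approved),
        key=lambda l: (l.proto, l.port),
    )


def surface_report(listeners: list[Listener], approved: set[tuple[str, int]]) -> dict[str, int]:
    """Headline counts for a host: total sockets, loopback-only, reachable, and unapproved."""
    reachable = [l for l in listeners if l.external]
    return {
        "total": len(listeners),
        "loopback_only": len(listeners) - len(reachable),
        "reachable": len(reachable),
        "unapproved": len(exposed_unapproved(listeners, approved)),
    }


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    print(surface_report(found, APPROVED))
    for l in exposed_unapproved(found, APPROVED):
        print(f"REVIEW: {l.proto}/{l.port} bound to {l.addr} is reachable but not approved")
```

On the constructed sample the script reports SNMP (udp/161), FTP (tcp/21) and MySQL (tcp/3306) as reachable but unapproved; the PostgreSQL and Redis sockets are bound to loopback and so add nothing to the network-facing surface. Run against real hosts, the allow-list should come from the approved service catalog so that every unexplained listener becomes a ticket to close it or document it.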
In this era of complex bank infrastructures and sophisticated malware, it’s important to stay vigilant to reduce your TAS and limit the opportunities available to cybercriminals.