The biggest tech attack surface in your company and how to reduce it
Security is all about managing risk. In other words, there are some things that you should really worry about, some things that are kind of important to keep an eye on, and some things that you don’t need to lose much sleep over. Once you’ve prioritized the risks facing your environment, you can then proactively deal with each of them.
When it comes to IT infrastructures, what are the main areas of risk you should be concerned about? In other words, where should you spend a good portion of the time, energy, and money you have budgeted for risk protection? System and network administrators will differ on how they answer this question, but it’s an important question to ask, and not just to ask but also to have an evidence-based answer for.
To help us navigate this topic, I reached out to a colleague with lots of experience in IT management. Kelvin Jones is a seasoned veteran in the IT industry with over 20 years of experience. He is a certified IT Manager at the University of Cape Town, South Africa, and over the years has accumulated an array of 20+ certifications from Novell, Microsoft, Cisco, and others. He is originally from Canada and spent several years working on IT projects for UN agencies in Geneva, Switzerland, before settling in Durban, South Africa, where he currently manages cloud services for CLOUD29. Let’s see what we can learn now from Kelvin’s experience with minimizing the attack surface faced by a typical IT infrastructure.
You might be surprised, or maybe not
Email. This is, in my opinion, the biggest attack surface in any company.
After that opener, you might agree or perhaps you’re ready to jump up and disagree that email is not the biggest attack surface, but think about the endpoints it touches and exposes. You might then say “hold on, browsing the internet is even more pervasive, and by your definition, an even bigger attack surface!” Well, feel free to disagree but the difference between email and a browser is this:
Firstly, most employees today understand that they don’t want to visit certain websites.
Secondly, the company firewall already blocks visits to the known dodgy areas of the world wide interweb.
The size of your company doesn’t matter either: from the home office to the enterprise, email is the biggest attack surface in your company.
I initially thought that Office 365 (O365), or even its competitor, Gmail for Business, would take over and help businesses move to a safer email system that’s not based on POP or an insecure IMAP platform. After all, O365 has been growing by leaps and bounds and Google seems to corner a lot of the market.
While the move is happening, not all small-to-medium businesses are on board yet, mainly due to cost. I single out POP- and IMAP-based systems because these are typically cheap today, and they are cheap because the anti-virus (AV) and anti-spam (AS) engines are usually free and not as well maintained as their paid-for counterparts.
In fact, on the cloud apps solution (CloudApps & Desktops) that we build for our customers, we don’t allow POP and IMAP email to be used; the protocols are blocked at the datacenter firewall by default. We encourage the use of our own hosted Exchange in the datacenter or some form of O365 mail. We do allow POP and IMAP if they can prove they are using a well-known or trusted platform like O365 or Gmail for Business or have a reliable security system for inbound mail. If they don’t have any of the above, we offer them a value-added service that’s been sanitizing our email for years.
As in the material world, there are also no perfect security systems for the virtual. That said, there are still a number of systems that, when combined to create a defense-in-depth strategy, can be very effective.
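One way to check that a default-deny policy for POP and IMAP, like the one described above, is actually holding. This is an added example, not part of the original article or any CLOUD29 tooling. It scans firewall flow logs for allowed POP/IMAP connections to destinations outside an approved list and, going beyond what the article states, also flags ports without implicit TLS. The log format, addresses and allowlist are constructed placeholders.

```python
import ipaddress

# POP3/IMAP ports; True marks the implicit-TLS variants (995, 993).
# 110/143 start unencrypted; a flow log cannot confirm a STARTTLS upgrade.
MAIL_PORTS = {110: ("POP3", False), 995: ("POP3S", True),
              143: ("IMAP", False), 993: ("IMAPS", True)}

# Placeholder allowlist (documentation range), standing in for the
# address ranges of a mail platform the operator has approved.
APPROVED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log, assumed format: time src dst dport action
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.5.11 203.0.113.25 993 ALLOW
2024-01-01T09:00:07 10.0.5.12 198.51.100.40 110 ALLOW
2024-01-01T09:00:09 10.0.5.13 198.51.100.40 995 DENY
2024-01-01T09:01:30 10.0.5.11 203.0.113.25 143 ALLOW
2024-01-01T09:02:00 10.0.5.14 198.51.100.77 443 ALLOW
malformed line
"""

def audit_mail_flows(log_text, approved=APPROVED_NETS):
    """Return (src, dst, protocol, reasons) for each allowed POP/IMAP flow
    that violates the default-deny policy."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip lines that do not match the assumed format
        _, src, dst, dport, action = parts
        port = int(dport)
        if port not in MAIL_PORTS or action != "ALLOW":
            continue  # not POP/IMAP, or already blocked by the firewall
        name, implicit_tls = MAIL_PORTS[port]
        reasons = []
        if not any(ipaddress.ip_address(dst) in net for net in approved):
            reasons.append("unapproved destination")
        if not implicit_tls:
            reasons.append("no implicit TLS")
        if reasons:
            findings.append((src, dst, name, reasons))
    return findings

if __name__ == "__main__":
    for src, dst, name, reasons in audit_mail_flows(SAMPLE_LOG):
        print(f"{src} -> {dst} {name}: {', '.join(reasons)}")
```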
If you would like help to increase your email security then please get in touch.