Circle 01
Circle 02
Circle 03

Join our mailing list

Subscribe to the TSC newsletter to receive exclusive news and advice
  • 02 September 2021
  • 4 min read

CISO Guide: What can you do if cyber attack surfaces are expanding?

As businesses move to the cloud and digitisation becomes the norm, the role of the CISO becomes even more complex. Constant growth in technology equates...

As businesses move to the cloud and digitisation becomes the norm, the role of the CISO becomes even more complex.

Expanding cyber attack surfaces are a continuous threat

Constant growth in technology equates to continuously growing cyber attack surfaces. Cybercriminals have more opportunities than ever to launch attacks and find vulnerabilities in places that may not have even existed before.

These expanding cyber attack surfaces fit into two broad groups:

1. The physical attack surface

The physical attack surface covers all endpoint devices, such as USB ports, smartphones, tablets, and laptops. Our day-to-day work typically now demands a wide range of devices. This in turn provides more opportunities for attackers to gain access to sensitive data through different methods including phishing, DDoS and ransomware attacks. The recent massive shift to remote working has accelerated the use of multiple devices, particularly in sectors such as healthcare and pharmaceuticals.

But has cybersecurity education and awareness in organisations kept up?

It’s essential to ensure that your employees understand how IT environments work and how they can work cyber-safely to avoid giving open doors to attackers. Remote working is here to stay. However, a Cyber Threats Report by Netwrix found 85% of CISOs admitted they had sacrificed security to enable remote working.

2. The digital attack surface

The digital attack surface refers to vulnerabilities across all hardware and software. This includes everything outside firewalls and hosts which are permitted to have access through the firewall, for example, internet-facing assets like email servers and mobile applications.

Third-party assets are a key cause of concern for CISOs and IT teams. Missing a single manual update can create a vulnerability that attackers can breach easily. The digital attack surface subdivides into two groups:

  • Known assets:
    Managed assets such as your website and servers.

  • Unknown assets:
    Also known as shadow IT. These include forgotten websites and software installed by employees that the security team are not aware of.

These attack surfaces extend way beyond internal networks. This is why robust information security and cybersecurity processes, and behaviour are vital.

What can CISOs do?

Recent damaging cyberattacks such as those against the European Medicines Agency and the SolarWinds hack pose critical questions on how CISOs can mitigate and manage these most pervasive attacks. There are, however, many ways in which IT security teams can stay ahead of the game. Crucially, companies need to consider the combined impact of technology and people when looking for the best approach.

The tech factor

Technology is the key factor in the growth of the attack surface but appropriately managed, is the best form of defence too. As the attack surface expands, so do the methods to defend against it. With the right policies and processes in place, you can protect your business against most vulnerabilities. Key actions to consider are:

Training on how to use the Cloud securely

Migrating to the cloud offers flexibility, scalability and more efficiency. However, the cloud can create a range of vulnerabilities, new security risks and threats. Some 88% of organisations currently use the cloud in some way. Your people need to understand how to use it securely. The right training — when onboarding and ongoing — is crucial.


Automation should be the aim whenever possible. The right automation minimises the risk of human error, which evidence suggests can account for as much as 95% of successful hack incidents. Minimising the number of human interactions with your server minimises the human risk factor.

Advanced Authentication

Many businesses still do not ensure their employees create complex passwords. It’s a basic point but still a critical security weakness in many organisations. Users should also be limited to three password attempts before being locked out of the system. Companies should also consider identity management solutions and other two or three-step authentication processes for increasing security.


Always use SSL encryption for all authentication and authorisation processes. Additionally, always encrypt all data, including in transit and in storage. Built-in encryption technologies make this possible without excessive complexity.

New technology

Attackers are already using new technologies such as artificial intelligence (AI). Attackers leverage AI as both an attack vector and attack surface according to a new report from Europol, the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Trend Micro.

CISOs need to be up-to-speed in every new tech development. Because, without doubt, potential attackers are too. The next step is sharing and presenting this information to the wider team to increase understanding across your business of the changing nature of cyberattacks.

The people factor

Every decision, however small, that an employee makes has an impact on your company’s overall security position. The human attack surface is a critical security point. CISOs and their teams are instrumental in ensuring that wider workforces have the right systems in place, as well as the knowledge and training they need.

Automation and authentication are key tech-driven ways of minimising the human risk factor. Equally important are your training processes and a proactive approach to awareness and education. The rate at which new attack vectors develop means regular and updated training is essential to ensure employees have the knowledge they need to work safely and securely.

Tailored and individualised training is key

Tailored and individualised training is key to ensuring employees engage with new information. Cyber training must evolve with your business. It cannot be limited to the onboarding process or a single training event every few years. Training and education must develop ahead of cyber attack surfaces as they grow.

The threat landscape is evolving at a rate that can seem alarming. However, with adaptability and a commitment to continuous and rigorous training, security risks do not have to be a constant worry hanging over your business.

To find out more about how we can help your employees feel confident and knowledgeable about cybersecurity, with bespoke and practical training programmes, contact Jenny Mandley or your TSC Client Project Manager.

Conor 172
Written by
Conor Mckenna
I have a variety of experience within marketing covering multiple sectors, from large consumer goods and FMCG businesses to working as a marketing consultant in the IT service management industry.
View Profile

See how we can help you protect your organisation today?

Circle 01
Circle 02
Circle 03

Join our mailing list

Subscribe to the TSC newsletter to receive exclusive news and advice