Balancing Security And Costs In Attack Surface Management

Forbes

14-05-2025

Al Kingsley MBE is CEO of NetSupport, Chair of a multi-academy trust in the U.K, tech writer, speaker & author of multiple education books.
getty
Security is important to all of us—no matter who or where we are.
Think of a regular home. The doors will have locks (and probably the windows, too), which is usually enough to keep things safe and secure. However, a more upscale residence might house an extensive jewelry collection, priceless paintings or designer clothing. The owner of these will be more likely to install an alarm system, cameras and even security laser beam triggers.
There are three components to balance when considering protecting precious possessions: their value, the likelihood of criminals targeting them and the cost of the security measures needed to protect them proportionate to that value.
When it comes to protecting your company's attack surface, the smaller the window of vulnerability, the smaller the chance threat actors have of breaking through and putting systems, data or sensitive company information at risk.
Aside from the practical aspects of protecting critical systems, there are additional elements at stake. It may not be obvious until a cyberattack happens, but reputation and customer trust are both intrinsically connected to company technology. If your business experiences a data breach or significant downtime, customers will go elsewhere, and you'll have to work hard to regain their trust and win them back. IT security isn't just a business expense—it's a critical investment in future growth.
Your security costs are all about context and finding the right fit for your business. In addition, the sector you operate in will determine the type and extent of the safeguards you need. Seek out solutions that will integrate with your infrastructure without friction and deliver the most value for your operations. For example, if you implement a new e-commerce platform that has top-grade security but requires users to go through numerous steps to use it, this additional friction may cost you customers in the long run.
Any disruption to your business costs money. Consider taking the following actions to help prevent them.
• Know the patterns of your company's activity so you can spot anything untoward at the earliest opportunity. You could employ a dedicated IT asset management (ITAM) solution and/or behavioral AI analytics to help with this. Automated scanning will help ensure nothing serious gets missed, and patch management solutions can prevent issues from becoming more significant problems.
• Understanding the types of threats you may encounter will save you time if your organization experiences a cyberattack. Identification is the first step in understanding which attacks pose the most significant danger and what steps you should take to ensure your best defense.
• Ensure you know what to do in the event of a security incident. Implement a strategy for fixing and recovering from the aftermath—and practice it regularly. If you're well prepared, your recovery will be much quicker.
Although these components form the foundation of any security investment, businesses must also consider compliance requirements (such as ISO 27001 or GDPR), industry best practices and the potential monetary impact of a data breach.
With so many businesses having remote and mobile employees and devices active outside the four walls of the company's network, having a solution for supporting them is vital. Hackers can exploit vulnerabilities in the communication channels between the support technician and the remote device by taking control of the session, intercepting data in transit or injecting malware into the network.
So, check for support tools that are secure by design and built on a zero-trust architecture to give you confidence that your remote support sessions aren't providing cybercriminals with a convenient attack vector. Beyond this, adding mechanisms such as enforced multifactor authentication and session logging can also help fortify your posture.
Employees must be regularly reminded of their responsibility not to expose the business to risk and the requirement to be active participants in keeping its systems safe. Clear explanations, guidelines, policies and procedures will lay the groundwork for training, helping staff see why they should do things the way the business requires.
Cybersecurity training is critical and must outline the dangers of social engineering techniques that take advantage of our human condition (e.g., phishing, smishing and vishing), alongside the importance of password hygiene. Department managers should also be reminded to remove former team members' access from business systems promptly so that these otherwise dormant channels don't provide a convenient inroad for hackers.
Protecting your organization's attack surface isn't about the amount of money you spend; it's about spending wisely in the areas of most need. Every business has unique characteristics and areas of vulnerability, so taking a measured, informed approach will help ensure you invest in the right areas.
Balancing value, the likelihood of security compromise and the cost to the business allows organizations to be prepared for possible cyber incidents in a fiscally sustainable way. However, the measures you take at the start need not be set in stone. With constant developments in the technological environment, flexibility is key, so with all your metrics in hand, don't be afraid to recalibrate your cybersecurity defense position if needed. A proactive approach not only safeguards your operations but also helps maintain customer trust, promoting long-term business success.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?