IDX CEO, Tom Kelly, Discusses the Ugly Truth of Expanded Attack Surfaces for Businesses

In our digital-first environment, no organization is safe from cybercrime. Just recently, cybercriminals compromised the New York transit agency’s computer system, and a New York Law Department had its systems infiltrated after sloppy cybersecurity gave hackers an easy entry point.

Our digital systems certainly make our work easier, but they also entail significant new cybersecurity risks. Every new digital service, platform, portal or internet-connected device is expanding the attack surface that cybercriminals use to infiltrate an organization’s network, compromise its security, and disrupt its operations.

The problem is that cybersecurity is changing more quickly than organizations are keeping up. Traditionally, enterprise-level cybersecurity was conceptually simple. Most company networks had physical boundaries, meaning that their perimeters could be protected, and access by authenticated and secured devices was simpler. Cybersecurity was a matter of maintaining strong firewalls and keeping unauthorized network traffic out.

But widespread digitalization with the cloud and broad adoption of digital platforms completely upends the traditional cybersecurity paradigm. Today, company networks are much more porous. And the cybersecurity protections most companies have in place are no longer sufficient, nor effective.

In a digital business, every Wi-Fi-enabled printer, mobile device and company laptop is a network access point for a hacker or bad actor. Employees become a critical vulnerability, often connecting to their company’s network through multiple devices, frequently using public and home Wi-Fi networks for access.

That’s exactly happened when cyberhackers managed to gain access to the New York City Law department’s network. All they needed was one employee’s email password, and all it took was one vulnerable employee. Although the breach was caught early, the hackers could have gained access to extremely sensitive information affecting hundreds of people by just targeting one person’s computer.

That’s a big problem for digital-first companies in New York. These companies now run hybrid networks that incorporate IT assets over which they don’t have direct oversight or control. Many companies rely on cloud computing services like Microsoft Exchange to provide key network functionalities like email. More often than not, they also employ cloud applications and storage services like Zoom and Google Drive.

Forty-eight percent of enterprise workloads now occur on the public cloud, and the Flexera 2021 State of the Cloud Report found that the average company uses around five different cloud services. But the expanded attack surface for businesses doesn’t stop there.

Every online account maintained by a company or company employee is yet another element of the cyberattack surface. Social media accounts, video services, private emails, and e-commerce accounts can all be compromised, often with sophisticated social engineering attacks, giving cybercriminals access to crucial personal information or login credentials that they can use to better infiltrate a company’s network.

And once cybercriminals gain access to a company network, they can move sneakily between devices until they find the information they need or can install the malware they’ve brought with them. In this new threat environment, cybersecurity needs to be proactive, holistic, multi-faceted and identity based. Companies need to secure employees and teams, not just individual devices and networks. Further, they must adopt a full lifecycle approach to cybersecurity with continuous protection and continuous response.

Many companies are being swept up into digital transformation trends before they’ve carefully weighed the cybersecurity risks involved and prepared an appropriate cybersecurity response. The coronavirus pandemic, in particular, accelerated digital transformation faster than businesses could keep up; a recent security report by Hacker One found that:

Places like New York, where a lot of organizations have gone digital, are particular targets for cybercriminals. In 2019, 90% of reported data breaches in the U.S. occurred in New York and California.

Digital transformation is a bell that can’t be unrung, and there’s no going back. But going forward, companies have a limited window of opportunity to start securing their expanded attack surfaces before they fall victim to cybercrime. It won’t be easy, but with the right tools, it will be possible to mitigate exposure and minimize the damage of a potential cyberattack. If cybersecurity isn’t one of your company’s top priorities alongside digital transformation, it ought to become one.

Tom Kelly is president and CEO of IDX, a Portland, Oregon-based provider of data breach and consumer privacy services such as IDX Privacy. He is a Silicon Valley serial entrepreneur and an expert in cybersecurity technologies.