
What is an attack surface?

An attack surface is simply the number of possible ways an attacker can get into a device or network and extract data. An attack surface is an especially important measure for small and medium-sized businesses. Most businesses think they are too small to be a target but a quick look at their attack surface shows that it is often quite large, which increases their exposure to risk.

Two primary attack surfaces: devices and people

Devices - Because businesses are using more and more devices, there are more gateways for cybercriminals to carry out a cyberattack. Predictions are that by 2020, businesses will account for six billion devices connected to the internet, ranging from laptops and phones to the Internet of Things. This inevitably means that the use of vulnerable operating systems and applications will profoundly increase a typical SMB’s attack surface.

The number one security threat to devices is a hybrid ransomware attack. A ransomware attack on its own is bad enough: it allows hackers to take control of a device and then demand a ransom before the user can regain control. But today, ransomware is also spread in hybrid form. Because it combines ransomware with the capabilities of a virus, it does not just infect one device but easily spreads throughout the entire network.

People - Sophisticated cyberattacks primarily target employees because they are the weakest link in the digital security chain. In fact, 37% of security breaches can be attributed to human error. Password policies and other safeguards designed to protect people, such as multi-factor authentication, are not standard practice within most SMB organizations. Research by the Ponemon Institute showed that 57% of SMBs do not have a password policy in place, which no doubt increases the size of an attack surface.

The number one threat affecting people is targeted social engineering, which tricks people into handing over confidential company information. The hacker often contacts employees via email, pretending to be a credible organization, such as FedEx, a bank, or even a colleague. Most employees do not have the knowledge to defend themselves against these advanced social engineering attacks.

Best practices to reduce your attack surface

To reduce the attack surface, SMBs should regularly assess vulnerabilities, secure weak points, and monitor anomalies.

Assess - The first step in assessing potential vulnerabilities is to identify all the physical and virtual computing devices within the organization. That list should include all of these possible attack surfaces:

  • Workstations and laptops
  • Network file servers
  • Network application servers
  • Corporate firewalls and switches
  • Multi-function printers
  • Mobile devices

This infrastructure assessment should distinguish between cloud and on-premise systems and devices. This makes it easier for you to determine all possible storage locations for data.

Now, categorize all business data and divide it into three locations: cloud, on-premise systems, and devices. For example:

Cloud

  • Cloud email & applications
  • Cloud storage
  • Websites & social media

On-Premise systems

  • Databases
  • File sharing and storage
  • Intellectual property

Devices

  • Presentations
  • Company memos
  • Statistics and reports

Next, look at who has access and what kind of access they have. This third and final attack surface assessment is used to gain insight into the behaviors of each department or user within an organization, even if these users are unknown. These findings can be divided into the same three categories and should include the following aspects:

  • Specific-user access
  • Multi-user access
  • Unknown-user access
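
The three assessments above can be combined into a single location-by-access matrix. The following is an added example, not part of the original article: the inventory rows are constructed sample data, and treating a missing access type as unknown-user access is an assumption of this sketch.

```python
import csv
import io

LOCATIONS = ("cloud", "on-premise", "device")
ACCESS = ("specific-user", "multi-user", "unknown-user")

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = """asset,location,access
Cloud email,cloud,specific-user
Company website,cloud,unknown-user
Customer database,on-premise,multi-user
File share,on-premise,unknown-user
Quarterly reports,device,
Company memos,laptop,specific-user
"""

def load_inventory(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        location = (row["location"] or "").strip().lower()
        access = (row["access"] or "").strip().lower()
        rows.append({
            "asset": row["asset"].strip(),
            # None marks a location outside the three categories.
            "location": location if location in LOCATIONS else None,
            # Assumption: an unrecorded access type counts as unknown-user.
            "access": access if access in ACCESS else "unknown-user",
        })
    return rows

def build_matrix(rows):
    """Group classified assets by (location, access type)."""
    matrix = {}
    for r in rows:
        if r["location"] is not None:
            matrix.setdefault((r["location"], r["access"]), []).append(r["asset"])
    return matrix

def review_list(rows):
    """Assets to follow up: unclassified location or unknown-user access."""
    findings = []
    for r in rows:
        if r["location"] is None:
            findings.append((r["asset"], "location not classified"))
        elif r["access"] == "unknown-user":
            findings.append((r["asset"], "unknown-user access"))
    return findings

if __name__ == "__main__":
    for asset, reason in review_list(load_inventory(SAMPLE_INVENTORY)):
        print(f"REVIEW: {asset}: {reason}")
```

Entries that cannot be placed in one of the three locations are kept out of the matrix and reported for classification instead of being silently dropped.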

Secure - After conducting the assessment, the next step is to determine what security you need in light of your current attack surface. Below is an overview of the key security services a typical SMB requires.


Content filtering
Content filtering allows you to regulate which websites are safe for employees to visit and which are not.

Email encryption
With end-to-end encryption, only the sender and receiver with a decryption key can view the contents of the email and any attachments.

Data loss prevention
A DLP solution prevents end users from sharing sensitive data outside the company network by regulating what data they can transfer.

Cloud backup
Even though you have taken every precaution, it is important to have a solid BDR solution in place that can restore operations quickly, at the push of a button.


Antivirus
Installing and monitoring antivirus on all devices – from PCs to mobile phones – is critical to reducing an attack surface.

Patch Management
All software systems come with vulnerabilities, but they can be resolved by installing patches and by keeping the software up to date.

Regular vulnerability scans
Vulnerability scans should be done regularly and include the status of antivirus software, password policies, and software updates.

Web server hardening
Web servers usually sit at the edge of the network making them more vulnerable to attacks. Proper hardening ensures default configurations are changed and that certain services and displays are disabled.


Secure authentication
There are many ways to achieve this but defining password policies and using SSO and MFA are good first steps for an SMB.

Secure remote working
Remote workers need a VPN connection to their company network that encrypts all traffic to provide them with secure access to company data and applications.

Define processes and policies
Define what data needs protecting and how. Make this information available so everyone understands their role in keeping the business safe.

Provide security training
People cannot defend themselves against threats they are unaware of. Therefore, it is crucial to educate employees on ways to protect themselves, for example by creating strong passwords and recognizing phishing scams.

In conclusion

SMBs face a threat landscape that is ever-evolving. Knowing exactly what your attack surface is and how to reduce that surface is critical. Sophisticated threats and a lack of awareness among employees often result in insufficient security and protection. Managed security presents an opportunity to provide the strong, cost-effective cybersecurity protection that SMBs require in order to reduce their attack surface and exposure to risk in today's online business world.