SaRB for SMO's blog pages contain between 3000-4500 words, as a non-subscribers you only have access to 800-1000 words.

(Reading time: 6 - 11 minutes)

The Small Organisation Attack Surface


SaRB for SMOs Action Info

Security Management Group

Replace This Image

The ubiquity of today’s technology has enabled unrivalled connectivity, which has brought with it unrivalled opportunities for attack.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.

 Glossary Terms in this Blog Article - hover to view, click for full glossary.



Every new technology an organisation takes on directly and indirectly contributes to the total attack surface which can be leveraged by attackers. Small Organisations are not only not immune from having their attack surface growing, but are also more likely to be at risk, due to the fact that unlike larger organisations will have a better understanding of their attack surface and both the resources and risk management process to respond.

As usual we are going to start with what Small Organisations get wrong. 

Default sample awareness and knowledge infographic

What Small Organisations get wrong about their Attack Surface!

The list we are presenting today, won’t be a surprise, as many of the items are based on the lack of awareness, knowledge and or experience of the security field. Which is totally understandable, as security is not the reason anyone sets up a Small Organisation, it is just something they end up having to deal with.

  • Not appreciating that their lack of knowledge of their current and growing attack surface may be detrimental to managing threats to the organisation. Before doing anything about an organisation’s attack surface, it important to understand the impact it has to the overall security of the organisation.
  • Not understanding that the global attack surface for everyone and everything connecting to the internet is growing on a daily basis. This growing global attack surface has an impact whether an individual or organisation changed its behaviour from yesterday to today, and it continues to grow.
  • Small Organisation myths and misconceptions about attacks, attackers, the attack surface all contribute to either doing nothing or doing the wrong things. The perception many have is that the risks are always much lower than the resources required to deal with them. But perceptions based in untruths are very detrimental where they lead to reactive responses after attacks.
    • Key amongst these is the assumption that their technology has built-in security because of the high price they paid for it. There are hardly any vendors which go to the trouble of including security functionality or controls without identifying a need or to just include them and then not make a big deal about them. The fact is that unless it is clearly promoted as included functionality, it is best to assume that there isn’t any security built-in – which is the fact with most technology devices and services.
    • Not observing basic cyber security hygiene. Similar to bad assumptions of security is to not observe the very basic practices. For example, purchasing a secure device but then not using a secure password, or using lock screens, or the biometric functionality to access the device.
    • Not applying critical security patches. In some cases, this may be an element of cyber hygiene, but as the organisation grows and instils other aspects of cyber hygiene, patch management is a discipline in its own right as an organisation grows.
    • Linked to several of the above is the issue of purchasing habits of buying technology with limited security functionality and options. Many people purchase on the basis of price and future proofing technology functionality, but not future proofing on security controls and functionality.
  • Every additional individual or organisation your Small Organisation connects or works with increases your overall attack surface. In today’s world most Small Organisations will have at least 20-50 people relationships which would be part of the overall attack surface.
  • A lack of understanding of vendor bad practices – including some of the following:
    • Not ensuring that there are no known vulnerabilities in their products or services.
    • Not restricting potential areas of unknown vulnerabilities through architecture and other controls.
    • Using code libraries with known vulnerabilities
    • Hard-coding passwords which may be easily identified in code analysis.
    • Not allowing changes to default passwords.
    • Using weak default passwords.
    • Not using secure coding practices.
  • Understanding that the greater the number of devices and services you use and allow onto your network and infrastructure, each one adds to the overall attack surface. Every device, network connection, account, service, etc. has its own contribution to the overall attack surface.
  • Non-technology connections and associations can also add to the attack surface, for example, association with certain political or social causes can bring you and or your organisation to the attention of activists with contrary views. Your organisation’s willingness to respond to charitable causes may mean that when there is an appeal following a major international disaster, several people may accidentally respond to phishing scams appeals for charitable donations to give to the people affected by the disaster.
  • Attackers know more about your attack surface than you do. Research has shown that attackers look for common vulnerabilities in popular and upcoming technologies, which includes everything from hosting software and services, to popular and vulnerable web pages and forms, to vulnerable website configurations, and the list goes on. While attackers many come across your organisation due to your attack surface by chance, if your organisation is a target, the likelihood is that the attack will aim to understand the whole of your attack surface and pick whichever approach requires the least effort and detection.

In considering the attack surface of your organisation, a little bit of caution goes a long way, rather than to allow anyone to do anything, it is better to understand what is being requested, by whom and what is it that they or the device or service are expecting to be able to do? Understanding these things just helps understand a little more of what you need to protect. 

Importance of Understand your Attack Surface?

For Small Organisations it is important to understand their attack surface as the information and process used to understand it helps in identifying cost effective responses. Such information can help guide some of the following:

  • Whether to allow BYOD, and if so, what the restrictions should be about the devices, will you only allow mobile phones and tablets, or will you also allow home hubs, or cars, for example.
  • The controls you will implement into your guest network and whether you allow staff to use it for personal use.
  • Which technologies you add to protect physical access to your organisations. For example, you may decide that you accept that the risks of extending your attack surface created by the CCTV system that you can currently afford, as it doesn’t have the security functionality or controls you are willing to accept.
  • Which security technologies you wish to utilise. For example, you may wish to protect all data on staff mobile devices by utilising a mobile devices management (MDM) service because many of your staff spend a considerable amount of time outside of the office with access to personal client data.
  • What controls you want to put into place where you have third party suppliers managing services for you. For example, you may want to mandate the use of a virtual private network (VPN) and two or multi-factor authentication, amongst other controls.
  • Which ecommerce solutions are best suited for your organisation for future growth. For example, some solutions have complete security managed by the service provider, others allow you to more flexibility by purchasing each functionality separately.

Being able to select solutions based on security requirements which reduce your attack surface is one of the most important benefits of understanding your attack surface.

Default sample Threat Map infographic

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 

Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (Downloadable in the week of publication).
  • Download Items - Policy Templates, etc. (Downloadable in the week of publication).
  • FAQ’s (Available soon).
  • Blog articles (link to items )
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon)

External Resources:

  • Ponemon Institute Survey
  • Other Survey information


Images from