In the realm of cybersecurity, understanding your attack surface is akin to understanding your enemy. This goes for both you, as a managed service provider (MSP), and your small and medium-sized business (SMB) clients.
While you may have a firm grasp of how expansive the attack surface of your average business has become, we’d argue many SMBs do not know the full scope of vectors that put them at risk of a cyber breach. As many of our clients can attest, however, cyber risk awareness is growing fast, fueled by news of high-profile attacks. Sandeep Kaushal, president of a leading TeamLogic IT franchise in Hartford, Conn., has found the message of cybersecurity so effective that he has made it the lead topic of every sales conversation.
Rather than fear-based sales tactics, he tells us the most fruitful discussions involve a matter-of-fact approach to educating customers and prospects about cyber risk and the actions needed to mitigate it.
In this context, the concept of “attack surface” is fundamental to helping business owners understand what’s at stake. By speaking about a “digital fort,” you can break down this complex topic and provide an image that’s easy to comprehend. Here’s what your SMB customers should know.
At its core, the attack surface of a system or network refers to the collective sum of vulnerabilities that could potentially be exploited by a threat actor. It includes all the points of interaction — the doors and windows of your digital fortress — which, if left unsecured, could grant unauthorized access to sensitive data or resources.
The attack surface consists of numerous vectors, each representing a different route that attackers might take to infiltrate your systems. These vectors can be broadly classified into software, network, and human vectors.
A larger attack surface typically translates into a higher risk of exploitation. Each additional vector is another door an attacker could potentially unlock. From a security standpoint, the goal is to minimize the attack surface — to close and lock as many doors as possible. This process, known as attack surface reduction (ASR), involves a combination of patch management, network configuration, user education, and continuous vulnerability assessment.
Over the years, the attack surface of organizations has grown exponentially. In the early days of the internet, it was typically limited and easy to define; networks were generally contained and websites few in number. If you asked your SMB clients to define attack surface, some might still believe this is the extent of it.
They may forget that with digital transformation trends like cloud computing, the Internet of Things (IoT), e-commerce, and remote work, they are, in reality, accumulating an ever-increasing number of potential entry points for attackers. At the same time, the price for not keeping up has skyrocketed in the face of tightening privacy and data-sharing regulations as well as a raft of industry-specific compliance directives.
For instance, the move towards cloud computing has introduced a new range of software and network vectors. While cloud providers generally have robust security measures in place, the shared responsibility model means businesses still have to ensure their data is protected in the cloud.
And let's not forget the human element. The shift towards remote work means employees are no longer protected by the company's security perimeter. Instead, they're accessing corporate resources from home networks that may not be as secure, thereby broadening the attack surface.
You can help your customers close and lock the windows and doors to their digital fortress. To drive this message home, they need to understand the meaning of attack surface and the dynamic, ongoing process required to identify and remediate vulnerabilities. As small and midsize business owners become increasingly aware of cyber threats, you can fill their knowledge and technology gap and secure their business.
The ConnectSecure cybersecurity platform now includes Attack Surface Scanning, providing a 360-degree view of network vulnerabilities. Sign up for a free 14-day trial today.