You can’t protect something if you don’t know it exists. To control customer data endpoints, companies need to understand their attack surface, including the “unknowns” that are putting their data at risk.
A common unknown for enterprise businesses is legacy applications that were never fully decommissioned. These systems endure because no one currently at the company knows they exist, or because someone along the way decided not to prioritize their decommissioning. Reasons for deferring decommissioning range from lack of resources to fear of what might happen if you hit the “off” button. (The lights might go off somewhere in Ohio, but you won’t know where until your team is sitting in the dark.) Or, sometimes a business decides to keep a retired application running because other applications still depend on it, and leaving things as they are seems simpler than managing the decommissioning process.
Whatever the reason, enterprise businesses need strategies for discovering these unknowns, or to put it more accurately, these “unknown no-longer knowns.” The problem is not the decision to keep an application running; the problem is that organizations forget the decision was ever made, so the application is no longer patched, monitored or included in assessments, and that leaves them exposed to data breaches. Forgotten legacy systems have played a role in a number of high-profile breaches.
Smaller companies may be able to mitigate the risks posed by legacy applications by updating their exit interview process – making a point to ask employees about all the applications they have used, or used to use – so they can keep better tabs on their systems. But for tech companies and larger businesses where technology decisions are made almost hourly, it is not realistic to expect an employee to recount all their IT-related knowledge. Businesses are better off acknowledging that they have, and will have, “unknown unknowns.” Then they can go about finding and securing them.
First, “follow the money”
To find these latent applications, look at your bills. Your finance team may not have a comprehensive understanding of all the technology you are paying for, and whether a charge is for a current or outdated system. You need to be sure to review the invoices with someone who knows your IT architecture.
Sometimes, legacy applications become recurring line items on an invoice that everyone is used to seeing, so no one thinks to challenge them. But be warned, these charges can be combined with other costs, making them harder to pinpoint. It is worth the digging, though. Uncovering these unknowns allows you to better protect customer data, and if you find a system to decommission, you will unearth additional value—the budget saved by terminating that contract.
Companies that store data on owned hardware on premises will have fewer bills to review. These businesses will need to ask their IT team for an inventory of all servers and systems, and review this alongside cloud computing bills to understand what is being stored where.
Then, follow network traffic
To protect customer endpoints, you need to enumerate your network infrastructure exhaustively, starting at the internet-facing edge and working inward until every database is accounted for. Then follow the network traffic itself (flow logs, firewall logs, packet captures) to identify the other applications that connect to those systems: a client that nobody put in the inventory is exactly the kind of unknown you are looking for. Once you have found all the access points, you can test them for vulnerabilities and patch as needed.
Remember, vulnerability scanners only test the scope you give them, so any host you have not found cannot be assessed, however thorough the scan. That is why it is imperative to be meticulous as you review your IT inventory and reconcile it against what the network actually shows.
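As an added example, not code from the original article, the following script shows what “following the traffic” looks like in practice. It reconciles a (constructed) flow-log export against a (constructed) asset inventory, which is the same host list a vulnerability scanner would be given, and reports two kinds of unknowns: clients that talk to a database port but are not in the inventory, and database servers that receive connections but are not in the inventory. The CSV field names, the port-to-engine table and the sample addresses are all assumptions; real NetFlow, IPFIX or cloud flow-log exports vary in format, but the reconciliation logic is the same.

```python
"""Reconcile observed network flows against the asset inventory.

Added example for this article, not the author's tooling. Assumes a simplified
CSV flow export with the columns src_ip,dst_ip,dst_port,bytes (hypothetical
field names; adapt to your NetFlow/IPFIX or cloud flow-log format).
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Ports commonly used by database engines. Assumption: extend for your estate.
DB_PORTS = {1433: "mssql", 1521: "oracle", 3306: "mysql",
            5432: "postgres", 6379: "redis", 27017: "mongodb"}

# Constructed sample: the inventory the vulnerability scanner is pointed at.
INVENTORY = {
    "10.0.1.10": "crm-web-01",
    "10.0.1.11": "billing-api-02",
    "10.0.2.20": "crm-db-01",
}

# Constructed sample flow log. 10.0.9.77 and 192.168.50.5 are clients nobody
# inventoried; 10.0.3.30 is a database server nobody inventoried.
FLOW_LOG = """src_ip,dst_ip,dst_port,bytes
10.0.1.10,10.0.2.20,5432,18400
10.0.1.11,10.0.2.20,5432,9200
10.0.9.77,10.0.2.20,5432,1560000
10.0.9.77,10.0.2.20,5432,1480000
10.0.1.10,10.0.1.11,443,2200
192.168.50.5,10.0.2.20,1433,3100
10.0.1.11,10.0.3.30,3306,5000
"""


def parse_flows(text):
    """Parse the CSV flow export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": str(ipaddress.ip_address(row["src_ip"])),
            "dst": str(ipaddress.ip_address(row["dst_ip"])),
            "port": int(row["dst_port"]),
            "bytes": int(row["bytes"]),
        })
    return rows


def find_unknown_db_clients(flows, inventory):
    """Return {client_ip: {db_ip: total_bytes}} for sources that talk to a
    database port but are missing from the inventory. A scanner fed only the
    inventory never sees these hosts."""
    unknown = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["port"] in DB_PORTS and f["src"] not in inventory:
            unknown[f["src"]][f["dst"]] += f["bytes"]
    return {client: dict(dbs) for client, dbs in unknown.items()}


def find_unknown_db_servers(flows, inventory):
    """Return {db_ip: engine} for destinations that receive database traffic
    but are missing from the inventory."""
    return {f["dst"]: DB_PORTS[f["port"]] for f in flows
            if f["port"] in DB_PORTS and f["dst"] not in inventory}


def expand_scan_scope(inventory, unknown_clients, unknown_servers):
    """Build the host list the scanner should actually be given: inventoried
    hosts plus every unknown endpoint the traffic revealed."""
    hosts = set(inventory) | set(unknown_clients) | set(unknown_servers)
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    clients = find_unknown_db_clients(flows, INVENTORY)
    servers = find_unknown_db_servers(flows, INVENTORY)
    for client, dbs in clients.items():
        for db, total in dbs.items():
            print(f"unknown client {client} -> {db}: {total} bytes")
    for db, engine in servers.items():
        print(f"unknown {engine} server {db}")
    print("scan scope:", expand_scan_scope(INVENTORY, clients, servers))
```

The byte totals matter: a never-inventoried host moving megabytes to the customer database is a stronger signal than a one-off probe, and the reconciled scope list is what you hand to the scanner so that it tests what is actually on the network rather than what the inventory says is there.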
You can’t afford to put this off
Business leaders want to look forward, not backwards. While it may be more appealing to prioritize innovation over investing in cyber security, you need to find and protect customer endpoints for the same reason you get routine physicals: to protect yourself. In fact, you’re more likely to experience a data breach of at least 10,000 records (27.9 percent) than you are to catch the flu (5 to 20 percent). And the consequences go beyond what it will cost you to manage the breach. You also have to factor in the potentially devastating reputational damage.
Given the lightning-fast pace of business today, finding and securing your applications is not a one-time exercise. A rigorous decommissioning process shrinks the problem, but new systems, vendors and integrations appear faster than any inventory is updated. Your best defense is accepting that you need an ongoing approach to finding, managing and securing your attack surface. If the price of freedom is eternal vigilance, so too is the price of data protection.