Mapping Out Your Enterprise Digital Footprint to Avoid Cyber Risks


By Gerard D’Onofrio, Country Manager, Dialpad Australia

Most people have an approximate idea of what a digital footprint is. They know that it’s got something to do with the impact a person’s identity has on the internet. What most don’t realize is the potential extent of a digital footprint. They’re not dainty little deer hoofprints. They’re large hippo prints. By knowing just how big your digital footprint is you’ll be in a better position to guard your business against cyber incursion.   

The Top-to-Toe of Digital Footprints

A digital footprint finds its way into more than you might expect. The majority of people have a trace in servers that are currently active; this is a given. All our browsing, purchases, social media, emails, and more will leave a trail that culminates in a heap of intel.  

What might be forgotten about is that there will also be evidence of these people in back-ups, phones, memory sticks, CDs, and all kinds of obsolete devices and drives worldwide. It’s pretty overwhelming. 

It’s the same with organizations, only more so, because a business’s digital footprint is likely to contain far more content online. Contact details with email addresses, chat options, or telephone numbers that route customers into an IVR (interactive voice response) service will all be there on the net.

There will also be a wealth of comments about the company from individuals and other bodies. In other words, opinions regarding a business posted by customers and others will be rife, and all of it contributes to its footprint. Here’s the dilemma, however: a digital footprint can be instrumental in raising a business’s exposure to cyber risk, and that risk is growing every day.

But a business needs a decent digital footprint for people to find out about it. An enterprise VPN solution can keep internal traffic, admin interfaces and remote access off the public internet, but it does nothing for the assets that have to stay public, so it is only a partial answer.

After all, if a retail business owner is searching for a system that can help with ecommerce, they’re not going to be much interested in a retail IT solution that nobody knows. Impact is important. 

It’s valuable to learn from the experiences that others may have had with a product, especially where a large outlay is concerned. In this way, footprints can lead the way to sales. So, there has to be a way that a business can have a digital footprint large enough for customers to find but not overly vulnerable to cyber risk. This is known as mapping. 

Digital Footprint Mapping

A digital footprint effectively contains a reasonably thorough picture of a company’s externally reachable digital assets, through which attacks may be directed. What’s worse is that this picture is on display for all to see via the internet. With this exposure in mind, savvy businesses are constantly looking to improve their cybersecurity. For instance, 49% of businesses report that they are planning to replace their Attack Surface Management (ASM) solution in the next year.

Assessing the precise extent of a footprint allows those charged with securing a business to understand the lie of the land. Think of a general directing armies in a battle: they need to know exactly where the weak points are and exactly where every unit is located to make the best use of their force’s strength.

There are three steps in digital footprint mapping. 

1. Discovery

This is the stage in which the entire range of a business’s digital assets exposed to the public (and hence possible entry points for attack) is listed.

That includes open ports, external domain websites, cloud networks, data APIs, broken links, mobile apps, social media profiles, customer-facing e-commerce assets, vendor digital identity, and countless other possibilities.

So, the discovery process can take some time. It has to be exhaustive or its usefulness is compromised. Everything, from a customer contact form aimed primarily at US customers to a webpage offering a toll-free number in Australia needs assessment. 

Once a definitive list of these points is generated, it shouldn’t be treated as a fait accompli. One of the tricky things about a digital footprint is that it develops and grows all the time, so this list needs to be able to grow organically with the number of digital assets present.

All these assets are potential attack vectors, so the company’s digital team should scan and test them regularly and frequently. It’s crucial not to forget out-of-date assets that, although no longer used, can still serve as entry points: a decommissioned service whose DNS record still points at a cloud hostname nobody in the company controls is the classic case, since whoever can claim that hostname can then serve content under your domain. The same goes for some third-party vendor networks. Such testing and scanning can also reveal threats outside your own infrastructure, such as fake accounts impersonating the company.

2. Mapping

Once a list of assets has been created, it’s important to be clear about how they interact with each other and what elements of the business are most affected. To clarify their relationships, the elements are mapped out so that connections are underlined.  

For instance, to take telephony as a parallel, how does an automatic call distributor system link with other elements of the business? It’s a clear point of entry and is a veritable web of connections, all of which would need to be mapped out by an engineer looking at the structure of the telephone system to assess its weaknesses.

This map of connections is crucial, because it is at the connection points and gateways between assets and systems that attacks tend to be directed. It helps if the IT professional looking to eradicate vulnerabilities adopts the same mindset as a criminal looking for the best attack points; that gives the best protection against the most likely attacks.

Beyond this, it can be advantageous to be able to map out third-party structures too. It can be easier said than done – not all businesses are happy to expose their construction to those outside the organization. It’s wise to address this possibly thorny area with an emphasis on mutual gain. 

There are resources available to assist this kind of approach, for instance a mutual cooperation agreement template. Such resources can save a great deal of a company’s limited time and staffing, so it is always worth seeing what’s out there that can be of immediate and significant help.

3. Scoring

Now’s the time to assess the relative threat levels and apply scores. This makes it possible to triage threats effectively by urgency and severity, so that resources go first to where they are needed most immediately.

This can be handled internally if the business is lucky enough to have a good cybersecurity team, or outsourced to an external party. Whoever does it, the scoring tends to fall into three categories of risk.

Acceptable Risks

These are the dangers that a business can live with. In a perfect world, they’d be eliminated, but, realistically, it’s not worth the time, effort, and expense involved in dealing with them. Crucially, the resources devoted to tackling them might do a lot more good in fighting one of the more serious risks. For this reason, it’s a good idea to park these trivial risks, otherwise, they may get in the way of the fight against far more system-critical dangers. 

Tolerable Risks

These are risks that should be dealt with but not as a matter of urgency. They can pose a difficulty to the organization given certain conditions, or they may already pose a threat but not a debilitating one. As soon as resources permit, tolerable risks should be eradicated. 

Unacceptable Risks

These are risks that, by their toxicity and/or their imminence, have to be met and taken apart now. They will often pose obstacles to a particular process or department of the business, which may then have a knock-on effect leaving the organization in severe difficulty.

Such risks can turn up in the most unexpected corners. Say your business is looking to assess customer satisfaction, but the interactive means used for that exposes the business to a real and severe risk of attack. It’s in these unlikely avenues that unacceptable risk can reside.

As well as these categories, a business should be aware of the difference between inherent and residual risk. Inherent refers to the kind of risk that is present before security controls are implemented. Residual refers to the risk that remains after security controls are administered. 

The inherent/residual taxonomy is useful because it is often tempting to apply a security control and consider the matter dealt with. For instance, if you install a smart lock, you may feel confident that your security is taken care of. But it makes sense to consider the residual risk of unauthorized entry to your premises. What about the windows?

To think in terms of inherent and residual risk gives the impetus to think about how security measures can be improved. It’s also the case that with threats continually evolving, the residual risk can, in turn, develop, so it needs to be looked at frequently.  
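To make the three steps and the inherent/residual distinction concrete, here is an added example that is not from the original article and not Dialpad's code. It runs the whole pipeline on constructed data: discovery merges hostnames seen in several external sources against an asset register and flags the ones the register does not know about; mapping walks a connection graph to find which critical systems each exposed asset can reach; scoring computes inherent risk as exposure multiplied by the worst reachable criticality, residual risk as inherent risk reduced by an assumed control-effectiveness factor, and buckets the result into acceptable, tolerable and unacceptable. Every hostname, edge, exposure value, control-effectiveness figure, the scoring formula and the bucket thresholds are assumptions chosen for illustration, not a published standard.

```python
"""Toy digital-footprint mapping pipeline: discovery -> mapping -> scoring.

All data below is constructed for illustration; the scoring formula and the
bucket thresholds are assumptions, not a published standard.
"""
from collections import defaultdict, deque

# --- 1. Discovery: merge hostnames seen in several sources (constructed data) ---
# Names the organisation believes it owns (its asset register).
REGISTERED = {"www.example.com", "api.example.com", "shop.example.com"}
# Names observed from outside: certificate transparency logs, a DNS zone
# export and a support team's spreadsheet. Constructed, not real lookups.
OBSERVED = {
    "ct_log": ["www.example.com", "api.example.com", "old-ivr.example.com"],
    "dns_zone": ["shop.example.com", "api.example.com", "staging.example.com"],
    "support_sheet": ["old-ivr.example.com"],
}

def discover(registered, observed):
    """Return (all_assets, unregistered). 'unregistered' maps each host seen in
    the wild but absent from the register (forgotten or shadow asset) to the
    sources that saw it."""
    seen = defaultdict(set)
    for source, names in observed.items():
        for name in names:
            seen[name.lower()].add(source)
    all_assets = set(registered) | set(seen)
    unregistered = {n: sorted(s) for n, s in seen.items() if n not in registered}
    return all_assets, unregistered

# --- 2. Mapping: which internal systems does each exposed asset reach? ---
# Directed edges "A talks to B" (constructed) and a criticality of 1..5 per node.
EDGES = {
    "www.example.com": ["api.example.com"],
    "shop.example.com": ["api.example.com", "payments-gw"],
    "api.example.com": ["customer-db"],
    "old-ivr.example.com": ["crm-internal"],
    "staging.example.com": ["customer-db"],   # staging reaching production data
    "crm-internal": ["customer-db"],
}
CRITICALITY = {"customer-db": 5, "payments-gw": 5, "crm-internal": 3,
               "api.example.com": 3, "www.example.com": 1, "shop.example.com": 2,
               "old-ivr.example.com": 1, "staging.example.com": 1}

def reachable(start, edges):
    """Breadth-first search over the connection map: the transitive blast radius."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

# --- 3. Scoring: inherent vs residual risk, bucketed for triage ---
# Exposure (assumed scale): 3 = public and maintained, 5 = public and unmaintained.
EXPOSURE = {"www.example.com": 3, "shop.example.com": 3, "api.example.com": 3,
            "old-ivr.example.com": 5, "staging.example.com": 5}
# Control effectiveness 0..1 (assumed): patching and a WAF on maintained assets,
# nothing on the forgotten IVR host, almost nothing on staging.
CONTROLS = {"www.example.com": 0.6, "shop.example.com": 0.5, "api.example.com": 0.5,
            "old-ivr.example.com": 0.0, "staging.example.com": 0.1}

def score(asset):
    """inherent = exposure x worst criticality reachable (including the asset itself);
    residual = inherent x (1 - control effectiveness). Assumed formula."""
    impact = max([CRITICALITY.get(asset, 1)] +
                 [CRITICALITY.get(n, 1) for n in reachable(asset, EDGES)])
    inherent = EXPOSURE.get(asset, 3) * impact
    residual = inherent * (1 - CONTROLS.get(asset, 0.0))
    return inherent, residual

def bucket(residual):
    """Assumed thresholds on the resulting 0..25 scale."""
    if residual >= 15:
        return "unacceptable"
    if residual >= 6:
        return "tolerable"
    return "acceptable"

def triage():
    """Run all three steps; rows are (asset, not_in_register, inherent, residual, bucket),
    highest residual risk first."""
    assets, unregistered = discover(REGISTERED, OBSERVED)
    rows = []
    for asset in sorted(assets):
        inherent, residual = score(asset)
        rows.append((asset, asset in unregistered, inherent, round(residual, 1), bucket(residual)))
    return sorted(rows, key=lambda r: -r[3])

if __name__ == "__main__":
    for asset, forgotten, inherent, residual, level in triage():
        flag = " (not in asset register)" if forgotten else ""
        print(f"{level:12} inherent={inherent:>2} residual={residual:>5} {asset}{flag}")
```

Two things the table shows that the prose does not: the forgotten IVR host and the staging box come out as the unacceptable risks even though each is individually trivial, because the map shows them reaching the customer database with no controls in front of them; and the public web front end keeps a high inherent score but drops to tolerable once its controls are counted, which is exactly the residual-risk figure that has to be re-checked whenever the map or the threat picture changes.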

Don’t Be Caught Out! 

So, a digital footprint can be nothing short of a huge ‘come on in’ sign for cybercriminals bent on heinous incursion. That is why it’s vitally important to know how far your enterprise’s digital footprint extends, and then to know what to do about it. It’s also good to stay on top of developments in cybersecurity; it certainly helps with knowing which threats are current.

The truth is digital footprints are so enormous they could be left by clown shoes. By adopting these actions as soon as possible, you can ensure you are not the clown wearing them. 

About the author

Gerard D’Onofrio – Country Manager, Australia, Dialpad

Gerard D’Onofrio is the Country Manager for Dialpad Australia, an AI-equipped business communications solutions platform for better communications at work. Gerard is experienced in discovering world-class developments and turning them into effective business advancements, wherever he goes. Gerard D’Onofrio also published articles for domains such as the Spa Industry Association. Here is his LinkedIn.
