How to reduce a company's attack surface

Avoid vulnerabilities, identify them at an early stage and minimise them in good time. How to increase cyber resilience and meet new compliance requirements

Fabian Faistauer
Director, Head Cybersecurity Technology & Transformation, PwC Switzerland

Serious cyberattacks are in the news almost on a daily basis. They often result in data loss or companies or organisations being unable to provide their services. An understanding of how much we rely on a functioning IT system is growing fast, both in our daily lives and in the workplace. The increasingly complex and distributed IT structures offer more and more attack surfaces, which are shamelessly exploited by cybercriminals.

The weak defence capabilities in many companies have led to increased regulatory pressure. For “critical infrastructure” in particular, regulators are increasingly demanding that companies increase their cyber resilience. There is a broad agreement that 100% protection cannot be achieved, and a way of dealing with the never-ending attacks must be found instead.

Traditionally, the financial industry has been the most regulated industry. For example, FINMA has revised the circular on operational risk and resilience, and the credit and debit card standard-setting body has issued the new PCI DSS 4.0 standard. Many other regulations also aim to make organisations more diligent and assertive in identifying cyber risks and reducing them to an acceptable level.

Cybersecurity and Privacy

Cybersecurity and Privacy

At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.

Learn more

Five steps to cyber resilience

Know the attack surface and actively reduce it

Every company needs transparency with regard to the IT environments it uses. This entails an inventory of IT assets with all devices, versions of firmware, operating systems and all other important software. To reduce the attack surface:

  • only up-to-date versions are used
  • functions that are not used are deactivated
  • known vulnerabilities are minimised

Detect attacks quickly and reliably

Fast and reliable detection of cyberattacks is only successful if an organisation is able to monitor the following aspects and identify anomalies or known attack patterns based on them:

  • The directory or directories containing all user IDs used by the organisation and used by external parties to access IT and data
  • Client endpoints (PCs, tablets, smartphones) with which legitimate users access the data
  • The server endpoints on which the data is stored and processed
  • All network connections from/to the Internet, the server zones, the partner networks and the cloud services

Aggregating logs from different systems can help, but is definitely not enough for the quick detection of anomalies. This requires modern (nowadays mostly cloud-based) “extended detection and response” systems and a highly effective team. However, this does not mean that every organisation must set up a “Security Operations Centre” (SOC) itself. After all, not every organisation has built up its own fire brigade.

Respond to attacks quickly and effectively

As soon as an attack, an anomaly or a suspicious data leak is detected, the “Incident Response Team” must be able to react quickly and take effective measures. Cyber crises in particular need to be trained for, since people can only deal with crises if they also understand them. A cyberattack scenario differs from other crisis situations such as floods, fires or earthquakes in precisely this respect – the crisis is not visible and is difficult to “grasp”.

Enhancing the ability to restore operations in the event of a failure

Despite all precautions, attacks or failures of the IT infrastructure can still occur. The ability to restore from “bare metal” after a ransomware attack as well as understanding the interdependence of the individual IT components and their orderly restoration is something that requires concepts and practice.

The continuous improvement process and learning from incidents

As the saying goes: “No master has been trained in one day”. That is why every organisation should first strive to quickly protect the most important data and IT systems and then constantly improve and expand the scope of protection. Very few succeed in creating the ideal solution right from the start, since the environment and an organisation’s own IT landscape are subject to such rapid change.

Start with the first step to cyber resilience – and get off on the right foot

The first step to cyber resilience requires knowing your attack surface and minimising it to an acceptable level. The following aspects play a decisive role in this first step:

Get an overview of the IT landscape and create an inventory

Get an overview of the IT landscape and create an inventory of IT assets:

  • User IDs: How many users are registered in your organisation? How many of them are IT administrators, which are external partners and how many customers have access to sensitive data?
  • Device management: How many “managed” devices such as PCs and laptops does the IT system administer? What is the state of the operating systems and what standard or custom software is installed?
  • On-premises data centre: What IT equipment is in your data centre/IT room? How many network segments does the IT system manage and where exactly are the interfaces to the outside world? What is the state of the operating systems and what standard or custom software is installed? Do you use software solutions that you have developed yourself?
  • Outsourcing: Which parts of your IT system are outsourced? What tasks do your partners perform and what is your role in these activities? We are reminded that everything can be outsourced – except responsibility. Responsibility is always borne by the company that outsources something.
  • Cloud: Cloud is also a type of outsourcing. First and foremost, you need to be clear about what service you are getting through the cloud, whether it’s Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS). Protecting data and managing access rights is always your responsibility as a cloud customer. With IaaS, you will probably even have to patch the operating system and software of your VMs.
  • List of data collections: On the one hand, this includes personal identifying data which is subject to the respective data protection law or has to meet even more far-reaching protection requirements such as professional secrecy (e.g. for doctors or lawyers) or the protection of bank customer data. An additional category is “critical” data, which a company needs for ongoing business operations. These may be business secrets or procedural instructions. This data must be categorised, then classified and finally subjected to a protection requirement analysis – regardless of whether it is stored in the cloud or in a company’s own data centre.

This inventory as a breakdown of your IT assets is the prerequisite for an organisation to be able to monitor which users, with which devices, over which networks, access which applications and ultimately data. If there is no transparency, no anomalies can be detected.

Only use up-to-date versions 

Every IT landscape has a life cycle. If you use an IT device or an operating system, then you will be aware of how long the manufacturer will provide support for it. If you overlook this, your vendors will usually make you aware of when a system will no longer be supported (“end of support”). After that, you will no longer receive security updates or “patches” to close possible security vulnerabilities. It may sound banal, but everyday reality has shown that in many cases systems are still in productive use even though they are no longer supported by the manufacturers, which significantly weakens the security of a company’s IT system.

There may be operational reasons to justify not replacing equipment that has this status. In these cases, however, the additional risks must be identified, evaluated and reduced to an acceptable level. It is very risky to operate an “end of support” device without taking further measures. It is better to replace devices and software versions that are no longer supported at an early stage.

Hardening standards/Security configuration baselines

Each manufacturer as well as various organisations such as CIS, NIST, etc. provide baselines on how to configure devices and systems to enable only the functions that are needed and protect against known attack vectors as much as possible. This means that a company creates hardening standards for its servers, PCs and network devices, and regularly checks and adjusts them. It is not enough to write the standard down and publish it. The respective company organisations must ensure that new installations comply with the specifications.

Furthermore, it is necessary to check at regular intervals (according to PCI DSS, for example, at least every three months) whether the hardening on the running systems still complies with the specifications.

You can read more about state-of-the-art security compliance management, and how to implement it smoothly in our blog.

Regular vulnerability scan and management

In addition to hardening, regular checks must also be made to ensure that known vulnerabilities are detected on the systems. These must then be eliminated in an orderly process based on the risks they present or be mitigated by compensatory measures.

Vulnerability Management white paper

Learn how to manage software vulnerabilites efficiently and effectively in our white paper.Download your copy

IT and security governance

All these things can only be done reliably if roles and responsibilities are clear and tasks are assigned to teams with sufficient resources and skills. For this purpose, an IT service management/IT security process landscape should be created in accordance with ITIL 4 so that the roles and responsibilities for the respective process steps are formalised, documented and assigned to individuals. They must also be accountable if the specifications are not met.

Integrated tools and interfaces

Cyber resilience requires transparency with regard to the IT landscape and the status of the components. To do this, the inventory and the vulnerability scanner must be linked to verify whether the information listed in the inventory matches the key items scanned in the network. This is the only way to keep the inventory up to date and keep the data quality high.


A customised solution

Our solution approach covers your entire cyber resilience journey.

In the assessment, we establish how far along your organisation is on the path to cyber resilience. For this purpose, common “best practices” and maturity models that identify the biggest gaps are used as a reference.

A transformation is planned and initiated in a project to close the gaps identified. This is comprehensive and takes into account the “tooling” as well as processes and governance aspects.

A solution is only as good as it is integrated into an organisation’s operational processes. To this end, we support you with different models such as “early life support”, “managed service” or whatever makes the most sense for your specific environment and needs.

Thanks to our managed service, you can concentrate on your core business

In Vulnerability Management and Hardening Standards/Security Configuration Baseline Management as well as Managed Cyber Defence, PwC has extensive experience and expertise which we are happy to offer at attractive prices in a “pay per use” model which includes tooling. This will enable your organisation to benefit in a very short space of time and take a significant step towards resilience.

Contact us

Fabian Faistauer

Director, Cybersecurity Technology & Transformation, PwC Switzerland

+41 58 792 13 33


Jannis Louw

Manager, Cybersecurity Technology & Transformation, PwC Switzerland

+41 58 792 15 92


Building trust to succeed

Trust in a team that truly helps your organisation transform by designing, implementing, and continuously monitoring the right cybersecurity solutions. Together, we create sustainable value and trust – now and in the future.

Explore our offering