In cyber security, the “Small Target Strategy” is gaining traction as a proactive approach to defence. This strategy focuses on making an organisation a less appealing target for hackers by strategically adjusting various aspects of its operations. The core idea is to “shrink” in ways that reduce risk and cost.
What is the Small Target Strategy?
The Small Target Strategy is about implementing changes that make your organisation less attractive to cyber attackers. This can be achieved through a combination of approaches, including reducing the attack surface, the perceived value of assets, the actual value of data, and compliance obligations. Ultimately, it’s a method to improve your risk posture while also saving money.
Benefits of a Small Target Strategy
Implementing a Small Target Strategy offers several key advantages:
- Reducing your threat surface: Organisations should aim to minimise the amount of data they store, and simplify their systems to reduce their vulnerability to cyberattacks.
- Cybersecurity is a team sport: Everyone in an organisation is responsible for cybersecurity, not just the IT department.
- Moving beyond fear-based messaging: While important, fear is not a sustainable motivator for long-term cybersecurity compliance. Regulations, and a cultural shift that views security as a necessary cost of doing business, are also crucial.
- Improve board awareness: Boards need greater cybersecurity awareness to allocate appropriate budgets. This can be achieved through education, specialised board members, and better communication from CIOs and CISOs.
How to Implement a Small Target Strategy
There are several methods to “shrink” your organisation and enhance security:
- Reduce Attack Surface: This involves minimising the points where an attacker can enter your systems. Tactics include removing legacy systems, reducing business scope, and consolidating systems and third-party vendors. As Bruce Schneier says, “Complexity is the worst enemy of security”.
- Reduce Perceived Value: This strategy aims to make your organisation appear less enticing to potential attackers.
  - Marketing and Messaging: The way your organisation presents itself – and the data it holds – can influence how valuable it seems.
  - Business Strategy Changes: Strategic decisions, such as avoiding certain markets, business lines, or geographies, can reduce perceived value.
  - Post-Breach Value Destruction: While reactive, having plans in place to quickly devalue stolen data after a breach can deter attackers.
- Reduce Actual Value: This focuses on decreasing the actual aggregated value of the data held by the organisation.
  - Data Backburning/Removal: Proactively deleting data that is no longer needed significantly reduces the potential damage from a data breach. “Backburning” is a term borrowed from bushfire management, where a controlled fire is set to clear fuel – in this case, unwanted data is “burned” to reduce the risk of a data breach.
  - Tokenisation: Replacing sensitive data with non-sensitive tokens can make the breached data valueless to attackers if they gain access.
  - Post-Breach Value Destruction: Similar to reducing perceived value, having incident response plans that include steps to invalidate or devalue compromised data can mitigate the impact of a breach.
- Reduce Compliance Obligations: Organisations can actively reduce the burden and cost of compliance by making strategic decisions about their business, technology, and operations. Examples include system or technology changes, business location or operation changes, and outsourcing. As seen in real-world examples, companies are beginning to divest parts of their business to reduce their compliance overheads.
- Centralise and Consolidate: Centralising critical environments, as was done previously for the cardholder data environment in the PCI-DSS world, can streamline security. Somewhat counter-intuitively, in certain situations, both consolidation and de-consolidation can help to shrink attack surface by reducing complexity.
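The three “Reduce Actual Value” tactics above (tokenisation, data backburning, and post-breach value destruction) fit together mechanically, and the interaction is easier to see in code than in prose. The following is an added example, not code from the article or from any product it mentions: a minimal token vault in which application records hold only random tokens, a retention sweep (“backburn”) deletes vault mappings past their retention window, and a breach-response step invalidates the mappings for tokens known to be exposed. The class and function names, the retention windows, and the four customer records are all constructed for illustration.

```python
# Added example (not from the article): a minimal tokenisation vault with a
# retention "backburn" sweep and post-breach invalidation. All names, the
# record layout, retention windows and sample data are constructed.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class VaultEntry:
    value: str           # the sensitive value (e.g. a card number)
    stored_at: datetime  # when it entered the vault; drives retention
    purpose: str         # business purpose that justifies keeping it


class TokenVault:
    """Maps random tokens to sensitive values. Application records keep only
    the token, so a copy of the application store yields nothing usable
    unless the corresponding vault mapping still exists."""

    def __init__(self) -> None:
        self._entries: dict[str, VaultEntry] = {}

    def tokenise(self, value: str, purpose: str, now: datetime) -> str:
        # Random token: nothing about the value can be recovered from it.
        token = "tok_" + secrets.token_hex(16)
        self._entries[token] = VaultEntry(value, now, purpose)
        return token

    def detokenise(self, token: str) -> Optional[str]:
        entry = self._entries.get(token)
        return entry.value if entry else None

    def backburn(self, now: datetime, retention: dict) -> int:
        """Delete every mapping older than the retention window for its purpose.
        Tokens that still sit in application records become permanently
        meaningless. Returns how many mappings were removed."""
        expired = [tok for tok, e in self._entries.items()
                   if now - e.stored_at > retention[e.purpose]]
        for tok in expired:
            del self._entries[tok]
        return len(expired)

    def invalidate(self, tokens) -> int:
        """Post-breach value destruction: drop mappings for tokens known to
        have been exposed, so the attacker's copy can never be resolved."""
        return sum(1 for tok in tokens if self._entries.pop(tok, None) is not None)

    def size(self) -> int:
        return len(self._entries)


# Constructed retention policy: how long each purpose justifies holding data.
RETENTION = {"billing": timedelta(days=90), "marketing": timedelta(days=30)}


def run_scenario(now: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc)) -> dict:
    """Tokenise four constructed customer records, backburn expired mappings,
    then invalidate the mapping for one record assumed exposed in a breach."""
    vault = TokenVault()
    day = timedelta(days=1)
    # (name, sensitive value, purpose, age of the record in days); all constructed
    customers = [
        ("alice", "4111111111111111", "billing", 100),
        ("bob",   "4222222222222222", "billing", 10),
        ("carol", "carol@example.invalid", "marketing", 45),
        ("dave",  "dave@example.invalid", "marketing", 5),
    ]
    # The application table holds tokens only; the vault holds the values.
    app_table = {name: vault.tokenise(val, purpose, now - age * day)
                 for name, val, purpose, age in customers}

    removed_by_retention = vault.backburn(now, RETENTION)   # alice and carol expire
    # A breach that copies the application table is assumed to expose bob's token.
    removed_by_breach = vault.invalidate([app_table["bob"]])

    return {
        "app_rows": len(app_table),                        # still 4: tokens remain
        "removed_by_retention": removed_by_retention,      # 2
        "removed_by_breach": removed_by_breach,            # 1
        "vault_size": vault.size(),                        # 1 (dave)
        "alice_resolves": vault.detokenise(app_table["alice"]) is not None,  # False
        "dave_resolves": vault.detokenise(app_table["dave"]) is not None,    # True
        # No token should contain the value it stands for.
        "token_leaks_value": any(val in tok for (_, val, _, _), tok
                                 in zip(customers, app_table.values())),    # False
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the scenario makes is that the application table never shrinks (it still has four rows after the sweep), yet its aggregated value does: once a mapping is backburned or invalidated, the token left behind resolves to nothing. The vault therefore becomes the single environment worth defending, which is the same consolidation logic the article applies to the cardholder data environment. In a real deployment the retention windows would come from the data classification and regulatory obligations the article asks you to challenge, and the vault would live in a separately controlled environment rather than in process memory.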
Asking the Important Questions
A crucial element of the Small Target Strategy is to frequently ask “why” a security control is required and “why not” change a strategic direction that has a material impact on security requirements. Challenge the necessity of storing certain data or continuing a minor business line that results in specific regulatory burden.
Security needs to be involved early in business decisions to ensure these questions are addressed proactively – we’ve argued the case for “shifting left” in the development pipeline; we now need to “shift left” to get security involved earlier in business strategy.
By embracing the Small Target Strategy, organisations can proactively enhance their security posture, reduce costs, and become a less desirable target for cyberattacks.