Data breaches are like opinions — these days, it seems like everyone has one.
But that’s not great news for the business landscape, particularly as critical infrastructure providers are increasingly targeted by bad actors.
And with the news Tuesday (Sept. 17) that the Federal Communications Commission (FCC) announced a $13 million settlement with AT&T to resolve an Enforcement Bureau investigation, reducing the attack surface and entry points that hackers seek to exploit is top of mind for service providers and businesses. That investigation focused on the company’s supply chain integrity and whether it failed to protect the information of AT&T customers in connection with a data breach of a vendor’s cloud environment.
While traditionally, businesses have focused on internal cybersecurity measures, today’s interconnected digital ecosystem demands a more holistic approach.
With third-party vendors, cloud-based services and intricate supply chains playing key roles in day-to-day operations, the attack surface has expanded, giving threat actors more entry points to exploit. As these breaches have shown, protecting data is no longer just a matter of internal IT security; it requires a broad, collective effort among businesses, service providers and the vendors they rely on.
“Today’s announcement should send a strong message that the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data,” Enforcement Bureau Chief Loyaan A. Egal, who also serves as Chair of the FCC’s Privacy and Data Protection Task Force, said in a statement.
Underscoring the broader impact these data breaches can have, news also broke Tuesday that cybercriminals are brute-forcing passwords for highly privileged accounts on an accounting software provider widely used in the construction industry.
The report found active and ongoing corporate network breaches through these attacks at plumbing, HVAC, concrete and other sub-industry companies.
Read more: Aligning Payments and Data Operations With Compliance and Cyber Risks
In the wake of high-profile data breaches, including AT&T and other major companies, cybersecurity has become a central concern for organizations of all sizes, serving as a stark reminder that no company, no matter its size or resources, is immune to cyber threats.
These breaches have not only exposed millions of personal data records but also revealed vulnerabilities in the systems used by businesses and their service providers. As cyberattacks grow in frequency and sophistication, the responsibility to reduce the attack surface — the totality of vulnerabilities that hackers could exploit — is increasingly falling on businesses and their service providers.
The breaches have also proven to be costly. Outside of AT&T’s $13 million FCC settlement, news broke Sunday (Sept. 15) that 23andMe will pay $30 million to settle a lawsuit tied to a data breach that exposed the private information of almost 7 million customers.
For service providers, the obligation to secure their infrastructure and reduce attack surfaces is particularly urgent. As key facilitators of business operations, service providers often handle sensitive customer data, making them prime targets for cybercriminals. Moreover, their clients depend on the integrity of their systems to maintain secure operations. If service providers fail to prevent data breaches, the ripple effects extend beyond their own operations to impact countless businesses and consumers downstream.
See also: Guarding the Gate: Cyberattacks Won’t Stop, but Their Fallout Can Be Prevented
In the current digital era, the battle against cyber threats is constant, and the attack surface will continue to evolve as businesses and service providers adopt new technologies. With the rise of artificial intelligence (AI), quantum computing and the Internet of Things (IoT), the number of potential entry points for cybercriminals will grow exponentially. This means that the task of reducing the attack surface will only become more challenging over time.
As the AT&T vendor breach and construction industry’s woes have demonstrated, cybersecurity can no longer be confined to the walls of a single organization. The interconnected nature of modern business means that one company’s vulnerabilities can easily become another’s liabilities. As a result, service providers and businesses must work together to secure the entire supply chain.
The growing complexity of service providers’ infrastructures — ranging from legacy systems that are difficult to patch to expansive cloud services that open up new vulnerabilities — creates multiple layers of potential entry points for cybercriminals.
Reducing this attack surface involves not only securing internal systems but also ensuring that third-party vendors and partners adhere to stringent security protocols. Service providers must move from reactive cybersecurity measures to proactive, risk-based approaches that anticipate and mitigate potential threats before they can be exploited.