17.48 – Minimize the Attack Surface

There is much to be gained from simplicity. Complexity adds risk, so the goal should be to use as much technology as needed, but no more.

Anything which is not useful or necessary to the practice should be minimized or eliminated. For example, although devices like security cameras or smart speakers might be interesting, they can open new paths to infection of the entire office network. Anything which connects to the Internet needs to be carefully assessed, kept up to date, and possibly removed if risks cannot be managed.

Similarly, install only the software packages that are required on each device, and delete anything not work-related. An unused program is a potential security risk.