Most attacks don’t start with a genius hacker and a zero-day. They start with something boring:
- A forgotten VPN account
- An exposed remote desktop port
- A cloud storage bucket with the wrong setting
- An old website plugin nobody updates
- A laptop that never got encrypted
Attackers love organizations with lots of stuff hanging out on the internet, lots of accounts, lots of software, and lots of exceptions. If you want a simple, high-ROI security strategy, it’s this:
Be smaller. Be tighter. Be less interesting.
That’s what “shrinking your attack surface” actually means.
What is an attack surface?
Your attack surface is everything that could be used to get into your environment or move around inside it. A useful way to think about it is in three buckets:
- External exposure: Anything reachable from the internet (web apps, VPNs, remote access, email, DNS, public cloud services).
- Identity exposure: Accounts, passwords, MFA coverage, admin roles, stale users, vendor access.
- Internal exposure: Endpoints, servers, network paths, old protocols, over-permissioned systems, unpatched apps.
You don’t need perfect security. You need less opportunity.
Why being “small” works
Most real-world attackers operate like businesses: they want easy wins. If your environment requires extra effort (MFA everywhere, no public RDP, limited admin access, fewer exposed services), many attackers will simply move on.
By shrinking your attack surface you:
- Reduce the number of entry points
- Reduce the “blast radius” if an account is compromised
- Improve detection (less noise, fewer unknowns)
- Make incident response faster (you actually know what you have)
The quick-win approach: remove, restrict, harden
If you’re not sure where to start, use this simple order of operations:
1. Remove what you don’t need
This is the cheapest security control: deleting it.
- Decommission old servers and test systems
- Remove unused SaaS tools
- Delete stale user accounts
- Retire unsupported operating systems/software
- Remove browser extensions and “helper” apps that crept in over time
If nobody would notice it’s gone, it probably shouldn’t be there.
There are situations where you aren’t sure, and there are plenty of strategies to test whether something will be missed. But the bottom line is that an unused system does no one any good lying around; it only adds to your technical debt and your attack surface.
2. Restrict what must exist
If you can’t remove it, limit its reach.
- No public RDP or other remote services (ever). Use VPN + MFA or a controlled remote access tool
- Put admin interfaces behind a VPN or allowlist trusted IPs
- Segment networks so one compromised device can’t talk to everything
- Limit vendor access to time-bound and scoped permissions
- Require MFA for all externally accessible services (email, VPN, admin portals)
3. Harden what remains
Now apply the classic basics—consistently.
- Patch OS + apps (especially edge devices: firewalls, VPNs, NAS, routers)
- Encrypt laptops and mobile devices
- Use password managers and strong unique passwords
- Disable legacy authentication (old mail protocols, weak ciphers, SMBv1, etc.)
A practical attack surface checklist
Here’s a quick self-audit. You don’t need to do it all today; pick the top 3.
Internet-facing
- Do we have any ports exposed to the internet that we don’t absolutely need?
- Is remote access (VPN/portal) protected with MFA?
- Are website plugins/themes/frameworks actively maintained?
- Do we have a list of domains, subdomains, and external services we own?
Identity and access
- Do all users have MFA on email and core apps?
- Are there shared accounts? (Try to eliminate them.)
- How many admin accounts exist—and are they separate from daily-use accounts?
- Are former employees and vendors fully offboarded?
Devices and software
- Are all laptops encrypted and centrally managed?
- Are servers/endpoints patched on a defined schedule?
- Do we have unsupported OS versions anywhere?
- Do we know what software is installed across devices?
Data and recovery
- Do we have backups that are tested (not just “we think we do”)?
- Are backups protected from ransomware (immutable/offline/isolated)?
- Do we know where our sensitive data lives (email, file shares, cloud drives)?
What “good” looks like
You’ll know you’re shrinking your attack surface when you can say things like:
- “We don’t expose remote desktop to the internet.”
- “MFA is required everywhere it matters.”
- “We removed X unused accounts and Y old systems this quarter.”
- “We can name every internet-facing service we run.”
- “Admins use separate privileged accounts.”
- “Backups are tested and protected from ransomware.”
Each of these statements is measurable and can be checked. Businesses looking to mature their security posture draw exactly this distinction between measured security and the “feeling” of security.
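As an added illustration (not part of the original post), the Python below turns several of the checklist questions above into checks over a small constructed inventory, one record type per bucket of the attack surface (identity, external, internal). The account names, hostnames, 90-day stale threshold and unsupported-OS list are assumptions chosen for the example.

```python
from collections import defaultdict, namedtuple
from datetime import date

TODAY = date(2025, 1, 15)  # fixed so the example is deterministic
STALE_AFTER_DAYS = 90  # assumed threshold for "stale" accounts
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2012"}  # constructed, not an authoritative list

Account = namedtuple("Account", "name owner is_admin mfa last_login")
Service = namedtuple("Service", "host port mfa")  # anything reachable from the internet
Device = namedtuple("Device", "hostname os encrypted")

def audit(accounts, services, devices, today=TODAY):
    """Map each checklist question to the inventory items that fail it."""
    findings, by_owner = defaultdict(list), defaultdict(list)
    for a in accounts:
        by_owner[a.owner].append(a)
        if (today - a.last_login).days > STALE_AFTER_DAYS:
            findings["stale accounts"].append(a.name)
        if not a.mfa:
            findings["accounts without MFA"].append(a.name)
    for owner, accts in by_owner.items():
        # An owner whose only account is privileged is doing daily work as an admin.
        if all(a.is_admin for a in accts):
            findings["admins without separate daily-use account"].append(owner)
    for s in services:
        if s.port in REMOTE_ACCESS_PORTS:
            findings["remote access exposed to internet"].append(f"{s.host}:{s.port} ({REMOTE_ACCESS_PORTS[s.port]})")
        if not s.mfa:
            findings["external services without MFA"].append(f"{s.host}:{s.port}")
    for d in devices:
        if d.os in UNSUPPORTED_OS:
            findings["unsupported OS"].append(d.hostname)
        if not d.encrypted:
            findings["unencrypted devices"].append(d.hostname)
    return dict(findings)

# Constructed sample inventory; user names and hostnames are placeholders.
ACCOUNTS = [
    Account("alice", "alice", False, True, date(2025, 1, 14)),
    Account("alice-adm", "alice", True, True, date(2025, 1, 10)),
    Account("bob-adm", "bob", True, True, date(2025, 1, 12)),
    Account("contractor1", "vendor", False, False, date(2024, 8, 1)),
]
SERVICES = [Service("vpn.example.test", 443, True), Service("files.example.test", 3389, False)]
DEVICES = [Device("lt-01", "Windows 11", True), Device("srv-legacy", "Windows Server 2012", False)]

if __name__ == "__main__":
    for question, items in audit(ACCOUNTS, SERVICES, DEVICES).items():
        print(f"{question}: {', '.join(items)}")
```

Each key in the result is one checklist question; an empty dict means the inventory passes every check, which is the measurable state the section above describes.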
The biggest mistake: adding security without removing risk
A lot of organizations try to stack tools on top of sprawl:
Another security product.
Another dashboard.
Another agent.
Another exception.
But the easiest environments to secure are the ones with fewer moving parts.
Before you buy anything new, ask:
“What can we turn off?”
This is the time to think small and look for easy wins. Where can you consolidate?
Want help shrinking your attack surface?
If you’d like a structured approach, Vitrasec can help you:
- Inventory your external exposure and identity risks
- Identify the highest-risk entry points
- Prioritize quick wins vs. longer projects
- Implement controls that reduce real-world attack paths
To get help today, reach out with your current setup (Office suite, firewall/VPN type, number of endpoints & employees, any cloud hosting) and Vitrasec can help you make your attack surface reduction plan!