The Fallacy of Thinking You’re “Too Small” to be targeted by Cybercriminals
In the “good old days” this adage may have been somewhat true – with so many big juicy corporations to target, why would any cybercriminal bother with the lowly small or medium business? Well, the truth is that nowadays anyone and everyone can be a target – and the reasons for this are quite obvious once you think about it.
To quote John Maddison, a senior VP from Trend Micro security, “People expect targeted attacks to go after large enterprises, but the bad guys and the crooks don’t really care where the money comes from… If they’ve managed to get identity and credentials and information from a small business, they’ll go after them as well.”
The statistics also back up this assertion – for example, according to Verizon’s 2013 Data Breach Investigations Report, more than 77% of confirmed data breaches occurred in companies with fewer than 1000 employees. Of the numbers remaining, 17% were classified as “companies of unknown size” – leaving a mere 5% of confirmed breaches being linked to companies with more than 1000 employees.
Why is this so, you ask? Well, part of this is of course because there are many more small businesses out there, though this only tells part of the story. The major reason for the difference is that larger companies invest much more heavily in protecting their data assets and infrastructure – which makes them that much harder to target profitably. Money is, of course, a primary motivator in most attacks.
Put simply – the smaller businesses are generally considered to be the “low hanging fruit” for cybercriminals. This evidence is further supported by the Verizon report, which finds that the vast majority of data breaches (78% to be exact) are classified as Low or Very Low when measured using Verizon’s VERIS difficulty scale. This rating means that no special skills or resources were required for successful intrusion.
Another side to consider here is that your standard set of “hacker” tools has become increasingly automated, and able to scan the entire internet for any weak points. Literally “set it and forget it” type of deals.
This is exactly why the smaller businesses are such good targets for cybercriminals, and a very good reason why 75% of successful attacks are opportunistic rather than predetermined – pure “luck” in other words. Someone simply found a weak point somewhere and then exploited it – and this weak point could easily be within your own business if you are not careful.
Recommendations to mitigate these risks
As we’ve stated before – no security system is perfect – but there is a lot you can do to avoid being one of the “easy targets of opportunity”. Hiring a professional to audit your security systems or conduct a risk assessment will also go a long way to solving these issues before they can become real problems.
Here are also some things you can do to improve the strength of your security systems:
- Use stronger passwords / credentials and change them often – 76% of intrusions were due to weak or stolen credentials.
- Use a hosted email security service – one small monthly fee for a lot of peace of mind.
- Use a reputation-based antivirus – these rely on determining where any malware is coming from, rather than on traditional identifying signatures.
- Automate your patching and updates – old exploits are the easiest thing to use when infiltrating a network, ergo automating the installation of patches and updates takes the pressure off you to do it manually while drastically improving your security.
- Use whole disk encryption – this protects sensitive data on lost / stolen laptops and devices.
- Customize your firewall configuration – the “out-of-box” configuration on your firewall is another easy thing to exploit (similar to having your admin username and password as admin / admin), and customizing this configuration can help improve your security quite a bit.