Too Small to be Hacked?

Too Small to be Hacked?

A lot of small and medium sized business owners and even their IT staff are still under the mindset that they’re either too small for an attacker to go after, or they have nothing of value. I cannot even count how many times I’ve had a system administrator say “who would want to hack us, we have nothing of value?”

Additionally, it’s important for all businesses to understand that once an attacker is successful, often times they will try to maintain access for as long as possible.  According to Richard Bejtlich, chief security officer for computer security firm Mandiant, the average cyberespionage attack goes on for 416 days.  Simply put, the attackers aren’t going to notify you when they break in.  It will be up to you to find out if you’ve been breached.

The simple fact is that small companies accounted for the largest number of data breaches according to the 2012 Verizon Data Breach Report. Companies with 11 to 100 employees reported 570 data breaches, which was followed by 101 to 1,000 employee companies reporting 48 breaches. The numbers aren’t really that surprising when you start to think about why this is occurring.

  1. Larger companies probably have defined Information Technology budgets, with funds also allocated to Information Security.
  2. Larger companies are more likely to ensure compliance such as PCI or GLBA.
  3. Larger companies are more likely to have dedicated staff for information security.

While the large company may have more resources, smaller businesses still need to ensure they have proper defenses.  Using consultants who have a strong background in information security is always a good place to start, as is conducting a risk assessment.

The risk assessment will help show your company where you’re weak, along with where your strong.  This can then translate into smart spending of your resources.  For example, if the assessment shows that your routers and switches have old firmware which has exploitable vulnerabilities, you can wisely spend money to fix that issue. The assessments will also offer the review of policies, employee training, human resource review, and more.

One thing is very clear that these attacks will not be diminishing anytime soon.  For the past few years we’ve seen the attacks increase in volume and there aren’t any signs of them slowing down soon.

Posted by Jack Gerbs in Information Security, Small Business