May 7, 2020

Last Updated on January 12, 2024

Despite all evidence to the contrary, many of our SMB clients and prospects still think their business is “too small” to be targeted by hackers. Is “security through obscurity” still possible in today’s coronavirus-laced threat landscape?
In a recent episode of The Virtual CISO Podcast, host John Verry, Pivot Point’s CISO and Managing Partner, discussed this timely topic with Danielle Russell, Director of Product Marketing Management for AT&T Cybersecurity.
As John points out, a large percentage of attacks are automated or opportunistic in nature. Hackers are scanning the global internet wholesale for known vulnerabilities, such as unpatched our outdated systems and applications. If they happen upon your exposed infrastructure, you’re squarely in the crosshairs whatever the size of your organization.

Danielle likens this to being chased by a pack of lions: “You want to make sure you’re not the slowest runner… Overall, the question is, ‘Who’s the low-hanging fruit?’ Because cybercriminals today are able to operate at scale and use a lot of automation and even machine learning and other types of capabilities… Organizations small to large—it’s equal opportunity attacks today.”

“You want to make sure you’re not the slowest runner…

Yet SMBs are also routinely victimized by sophisticated, targeted attacks like phishing gambits. “Folks within church groups I’ve spoken to said, ‘We had a new pastor come into our congregation and we realized then we were victimized by an attacker who sent out a malicious email looking like it was coming from the new pastor,’ notes Danielle. “Even if you’re a small organization, putting any type of public information out can be enough for an attacker who understands the financial economics of being able to prey on a congregation…”
A given SMB or nonprofit or faith-based organization may not have deep pockets, but it probably has enough resources to interest hackers who have little to lose by trying a phishing or malware exploit that they can put together with little time and effort. Seemingly innocuous information on social media just makes their job that much easier.

And once the attack is launched, SMBs often have few security-aware staff or technology to protect them.

John sums it up this way: “Generally speaking, change equals risk at some level. When we reach a point where we’ve architected a really strong information security posture, what we’ve done is balance the risk that we know about with the controls that we’ve implemented. Anything that changes [external or internal] to your organization can present a risk.”
So the question is not, “Are you too small to be targeted?” but “How strong is your information security posture?” Because rest assured, you’re being targeted.
This blog post is based on an episode of The Virtual CISO Podcast, featuring Danielle Russell. To hear this episode in its entirety and others like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.
For more information:

When your network goes through a penetration test

it’s a little like taking a journey on The Oregon Trail… Think of your network as an eager adventurer looking to prove its prowess and demonstrate to its administrators that it can “securely” traverse the treacherous terrain of today’s threat landscape.
Download our Penetration Test Trail now!