Last Updated on March 16, 2023
To the ongoing amazement of security professionals, many SMB executives still believe that their business is “too small” to be targeted by hackers. But given an ever-escalating barrage of opportunistic, automated attacks going out across all of cyberspace every minute of every day, every organization with a connection to the internet is a target. Yes, this includes you.
To debunk harmful cybersecurity myths and share proven, practical approaches to enhance security, a recent episode of The Virtual CISO Podcast features Dr. Eric Cole, well-known author and Founder/CEO of Secure Anchor Consulting. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Eric puts it right on the line: “The biggest problems you face with individuals and organizations—small, medium and large—is, ‘We are not a target,’ and ‘Cybersecurity is not my responsibility.’
SMBs are much easier to attack
“For smaller organizations, there are two important points that they always miss,” Eric continues. “First, if I’m a billion-dollar organization, can you break in? Yes. But I’m probably spending millions of dollars a year on cyber, and I have a team of 40 or 50 people. Good luck with that. You can do it, but it’s going to be pretty hard, and there’s a high probability of getting caught.
“If you’re a small company, you’re probably spending maybe $20,000 or $30,000 on security, if that. And your security team is probably your niece, your nephew, your neighbor, or your kid who’s doing it… So, nobody’s really watching. From an attacker standpoint, it’s much easier and simpler to break into a smaller organization, and not get noticed,” Eric points out.
Data breaches can destroy SMBs
“The second important point is if a big company has a breach, they’re going to survive,” Eric observes. “We’ve seen where major companies lose hundreds of millions of records, or an entire infrastructure is taken down for a week. They’re going to survive because they’re big enough and have enough revenue to absorb it. But if you’re a small company—I see this all the time—and you have a breach, and you lose your customer confidence, you go out of business.
“I know many local doctors’ offices, from chiropractors to dentists to general practitioners, that had a thriving practice. Their patient records got compromised. The entire community turned on them saying, ‘This person violated our trust. We now have identity theft.’ People’s bank accounts were wiped out because of the breach. Nobody goes back to this person. Not only did they go out of business, but essentially they had to move out of the area because nobody liked them anymore. It’s crazy stuff. To me, the smaller your business, the more you should pay attention because the bigger the impact, and the bigger the exposure,” Eric asserts.
Opportunistic attacks are prevalent
“The other thing which I always point out to folks is that there’s a difference between a targeted attack and an opportunistic attack,” responds John. “There’s not a hacker on the Kavado network in France saying, ‘Hey! I’m going to break into Bill’s Chiropractic Institute.’ But he might be running a scan, looking for a WordPress form or a Joomla vuln, and just happened to happen upon them. That’s how a lot of these opportunistic attacks take place. [What] they don’t realize is that opportunistic attacks are a large percentage of the attacks. An opportunistic attack can hit anyone who’s got any infrastructure that’s public-facing.”
Take the example of a person who sends a package via FedEx and then shortly gets an email saying, ‘Hi, this is FedEx and we have a problem with your package.’ They click the link and boom! They end up with ransomware or other malware. It wasn’t that the hackers knew they just sent a FedEx. They sent that email to a million people, knowing a good number of them had recently used FedEx.
Hackers are great at playing the odds, and they study psychology, too. Both Eric and John share stories of how they made a quick mistake and got caught by phishing scams, though of course they “knew better.” Anybody can make a mistake, and when they do, hackers are waiting.
Why security is so important for SMBs
Opportunistic attacks are “equal opportunity,” but SMBs are generally more susceptible to them because they have more vulnerabilities. Second, SMBs have fewer resources to minimize the impact of an attack, and are at a much higher risk of failing to recover. This is why SMBs need to put significant attention on cybersecurity… not try to hide behind the myth of “security through obscurity.”
If you’re an SMB exec or security professional, you’ll really appreciate this compelling podcast episode with Dr. Eric Cole.