January 5, 2017

Last Updated on January 19, 2024

Everyone is an InfoSec target. Although big companies are often more vulnerable to strategic attacks, small business cyber attacks are also common because many attackers use an opportunistic approach that puts everyone at risk.
Despite what Vogue magazine tells women and what most executives of small companies think: size doesn’t matter (much).
It’s remarkable (to me) how often, when I am discussing risk and information security controls, the CxO I am chatting with will make a comment of the sort “Yeah, but, it’s not like we are big or important enough that we are a target…” The implication is that small business cyber security isn’t as important and their security controls don’t need to be all that robust. While I often agree that they are not a “strategic” target, the problem is that we are all “opportunistic” targets.
Fishing is a good way to understand the difference between strategic and opportunistic hacking when it comes to small business cyber security. Let’s say that you are looking to catch one of the most sought-after of all fish—a Yellowfin Tuna. Here are two potential approaches:

  • The Maldivians take a wonderful “strategic” approach to fishing: all tuna are hand-caught on a pole. There is virtually no “bycatch” because any unwanted fish are immediately returned to the ocean. They are after tuna and that is all they are going to catch.
  • Commercial fisheries still (it’s increasingly restricted now because of the ecosystem damage) take a horrible “opportunistic” approach to fishing called trawling, wherein you drag giant nets through the water. While you would love to catch tuna in the process, you will take whatever you can catch and see if you can monetize it. If not, you will throw what’s left of it away.

The point is that even if your company isn’t “tuna,” you are still vulnerable to being trawled. Like ocean trawling, information security trawling is a much broader-scale operation than Maldivian pole fishing, and it does significant damage to small businesses.
The recent ransomware attack against San Francisco’s Light Rail System that allowed riders to ride free for three days is a great example. The attacker had been using a number of tools that enabled the scanning of large portions of the Internet for specific vulnerabilities. While the attacker had successfully ransomed a number of small construction companies and was actually hoping to identify others, he couldn’t resist poking at the Light Rail System.
In this case, his trawling ended up with him compromising a system that he had not been targeting. So instead of tuna, he ended up dining on calamari (especially tasty when fried and served over a bed of arugula with sliced hot cherry peppers).
Organizations that are smaller and/or have less “valuable” data need to understand that while reduced size and data value does indeed reduce their exposure to a targeted cyber attack, it does very little to reduce the risk of an opportunistic, trawling-style attack.
That false sense of safety can often result in less than optimal security practices, which yields a higher risk profile than if yours actually were a larger, more important company.
For more information and tips on small business cyber security, contact Pivot Point.