All of these are common myths, but only one has dangerous misinformation. Can you figure it out?
a. George Washington chopped down a cherry tree.
b. After you die, your fingernails continue to grow.
c. You don’t have to worry about your small business getting hacked because you don’t have anything of value to hackers.
If you guessed c, you’re a winner! As evidenced by our recent interview with the former CTO of the FBI, small and mid-size businesses are coming under attack with increasing frequency.
Business owners and the people that manage small organizations have a range of skills, but they are typically not security experts. That’s okay, as long as they prepare for an incident. I’m willing to bet most of these executives aren’t firefighters, either. Still, these owners and managers likely respect the danger of fire enough to have a smoke detector in the office as well as to leave the building if the unit next door were ablaze. The problem begins when small business owners think they, their employees, and customers are all “fireproof” in terms of information security.
While my experiences are merely anecdotal, I think it is fair to say that one of the most common reasons small organizations do not exercise Due Diligence is that they undervalue security policies and best practices. The popular myth that small organizations are not principal targets for evil hackers is not only misguided but it generates a dangerously false sense of security and safety.
How do we help medium or small-sized organizations understand that they are at high risk of being hacked? I suppose I could just say “Trust me, I am a security professional.” Perhaps “You have to believe me. Look, I have my credentials listed alphabetically on my LinkedIn profile!” but I think we all know that this appeal is fruitless.
I am not going to bombard you with statistics and abstract charts. Instead, I am going to tell you how to identify and understand some factors which may be leaving your organization vulnerable to motivated hackers.
Script Kiddies
I don’t like this slang term, because few hackers write all of their own scripts today, but such individuals are either new to the hobby/job of hacking or experienced hackers who are trying out and learning new tools. For Script Kiddies, small organizations are the target of choice. These individuals are not trying to “pull the big job and retire.” In fact, it is most likely they are not after anything monetary at all, only seeking the experience.
Speaking of scripts, automated systems such as phishing and ransomware attacks have no care for who you are as long as you or an individual working for you can be tricked into clicking on a bad link or opening an infected email attachment.
Hacktivists
Hacktivists are not motivated by money or trade secrets but by notoriety and anarchy. Small organizations are rarely the targets of Hacktivist exploits. You may ask, “If small organizations are not who Hacktivists are targeting, then what is the big deal?” The big deal is that small organizations are the favorite TOOL that hacktivists use to leverage their campaigns against their intended targets. In other words, the principal innocent bystanders affected by Hacktivist activities are small organizations.
To a hacktivist and many other types of hackers, small organizations are the ideal beachhead from which to launch an attack or exploit other targets. This can be done in more ways than we have room for describing in this article, but common themes are running traffic through your internet connection or users’ computers to hide identities or to use “bots,” a form of malware used to disrupt communications on remote systems.
Due Care and Due Diligence
Let’s say that you are still not concerned about information security best practices for your organization and you don’t feel any of the risks mentioned so far are a concern for you. I would then ask you to imagine what might happen when one of these large organizations gets hacked and it is discovered that that attack was launched through YOUR laptops, tablets or cloud account. If you don’t have information security policies, then you did not execute Due Diligence to prevent it. Though you did not launch the attack you could still be found culpable in some way. You may believe that some other company would never use you as a scapegoat to protect their own reputation… and you might be incorrect.
Let’s pretend that no matter the facts, I can’t convince you of the value of protecting your organization from evil hackers. What, then, about your customers, your reputation, or that of your partners? If you can’t prove that you have followed through with Due Care and Due Diligence with your customers’ or clients’ data (or personally identifiable information) you may find that legal actions are more of a threat to your livelihood than the hackers, themselves. Establishing and employing some basic policies regarding Due Diligence can go a very long way to protect you in these instances.
While your organization might not currently be affected by laws such as HIPAA or other government regulations, that could change in the next few years. Laying your groundwork now will save you great effort and perhaps expense later. Nearly all government policies are derived from NIST best practices, so any work done now is likely to be compatible with future legislation.
I believe small organizations are the bedrock of this country and also the first tools many evil hackers will reach for to carry out their schemes and plans. Spending time with a trusted security advisor can sort out just these kinds of risks -- and that is no myth!