No Different Than Locking the Door


Do you consider yourself “security minded”? Do you lock your doors and roll up the windows when you get out of your car? Do you have a burglar alarm at your business to protect you and your employees from harm? Great! How is your cybersecurity? Cybersecurity is possibly the most critical piece of I.T. planning, yet it is something that small and medium-sized businesses often ignore. Some of the most common things I hear out on the trail are:

“Why would some hacker want to attack my business, I’m just a small [insert industry here] shop, and not worth that much!”

“I don’t store any sensitive information, so why should I care about information security?”

“Security is great, but it’s so expensive, and unless something happens it is a waste!”

These statements reveal to me two common themes:

“I’m not a target”

“It’s too expensive”

The problem with this line of thinking is that it reveals a gap in our understanding of technology. My goal in this article is to address the first of the two themes mentioned above, and hopefully fill the information gap so business owners can start thinking pragmatically about cybersecurity.

“I’m Not a Target”

At a previous job as the systems administrator at a medium-sized manufacturing company, I quickly learned the harsh reality of this statement. This company was valued at several million dollars, but when I brought up the idea of purchasing advanced firewalls and investing in enterprise-grade endpoint and mobile protection, I was quickly met with this:

“Do you really think someone would try to hack [company name]?
I mean, it’s not like we are Amazon or Microsoft – there is nothing worth stealing!”

Since that time, I have met dozens of business owners with this same mentality, who believe that they are not a target because they are not a global brand. However, this mentality fails to acknowledge two key things:

  1. The less secure you are, the more of a target you become, and
  2. Hackers are seldom targeting your bank account; they are most often targeting sensitive data that can be quickly sold on the dark web.

The first point almost seems obvious, but it is often forgotten. Just like a house with the doors unlocked, an attacker is more likely to target you if you have insecure communications originating from or going to your network. There are tools out there that allow attackers to quickly and easily sniff out organizations that do not have basic protections, and once found, these organizations become a focus for the attacker.

The company I spoke of above had about 40 employees, and their sensitive information was stored unencrypted on network shares throughout the organization. These shares were protected with basic Windows permissions, but anyone with administrator rights on the network could access those files and copy them without a trace. Consider that once hackers breach your network, they can gain elevated privileges within a matter of minutes. In this case, a hacker would have had access to employee files containing SSNs, bank account numbers, birthdays, driver’s license numbers, EVERYTHING! With the above in mind, now consider the value of that information to a hacker. According to Bankrate, the value of personal information on the black market is:

Date of Birth                                                  $11
Health Insurance Credentials                                   $20
Visa/Mastercard Credentials                                    $4
American Express Credentials                                   $7
Discover Card Credentials                                      $8
Credit Card with magnetic stripe/chip data                     $12
Bank Account Number ($70k-150k balance)                        $300 or less
Full Identity ‘Kitz’ (combination of everything above)         $1,200-1,300

Source: Bankrate

Let’s do some basic math. This company had 40 employees with full ‘kitz’ residing on the network:

40 employees * $1,200 per ‘kit’ = $48,000

Now consider that a hacker who does nothing besides commit cybercrime all day could steal $48,000 worth of information from a poorly protected company with minimal effort – and tell me that your organization is not a potential target.

Millions of cyber-attacks happen every year, yet you only hear about the three or four that are major. That is because, just like the situation above, small-time hackers target smaller organizations, which have less capability to protect themselves and to trace the attack back to the attacker.

