Why Today No Business is “Too Small to be Hacked”

“I’m too small to be interesting to attackers”

The argument goes, I’ve got nothing of interest to attackers, little old me. Why would anyone care? The answer is that if you are in North America, you’ve got stuff that’s of interest and you always have high speed Internet and so that’s very interesting indeed. The other argument is security is already solved by my vendor, Microsoft, Cisco. I paid money to them; they’ve taken care of it. I’ve got news for you that is simply not true.

A third argument is, look, I mean the users are the weakest link, but my users are pretty smart. They don’t click on foolish e-mail that says some prince in Africa is going to give them $50,000. They know not to do stupid things. Well, the bad news is that you’re staying away from danger. Doesn’t mean the danger stays away from you, especially when all of your assets are plugged into always on high-speed Internet. And you know what you’re using? Things like Office 365 or Dropbox or Google Docs or even just e-mail. And who doesn’t have e-mail these days? Guess what? You are a target. It’s because of how the cybercrime economy works.

Cybercrime Economy

It’s based on attacking small and weak targets. You’ve seen the National Geographic Channel, right? What does the predator chase? They don’t chase the big old elephant. They chase in fact, the slowest gazelle in the back and you see them coming down. That’s just the way it works.

Big companies have the ability to mount serious defenses, and while it would be nice to get one of them down, it’s unlikely to happen. The wolves and the cheetahs are chasing after that slowest gazelle. They know that a small company, if they get ransomware for instance, probably not going to hire a data recovery specialist. That they’re probably not going to file lawsuits, which big companies might.

Instead, they will feel intense pressure to get back to business because survival depends on it. Every day that goes by that you can’t run your network becomes a question mark whether you will survive this episode at all. Therefore, you’re much more likely to pay a ransom or do what the attacker wants you to do. We used to see this in the whole movie. It’s a mafia tactic for protection, right? How the racket went was the guy would show up and say nice business you have here to the mom and pop be ashamed of it, burned up and extort them for protection money. This is that way.

So, what’s an SMB to do?

Well, first, before you spend another penny, why don’t you optimize a small IT team and maximize what you’ve already paid for and have? For instance, if you’ve purchased Windows 10, Windows 11, guess what? Microsoft has built in a bunch of security tools. They’re free. They just need to be enabled. Or they may be already enabled. Make sure you use that. If you’re using Office 365, for example, you can enable multifactor authentication.

Yes, it’s a problem. Every time you need to log in, you have to also look at your phone and put in a 6-digit code. Maybe, but that’s very important to improve your security. If you’re using Office 365, you also happen to have free of charge Azure Active Directory. Are you still depending on that old rickety Active Directory machine that you have back at the office or why? Why not take advantage of what it is that Microsoft has already given you? Much more hardened and kept up to date, no extra cost to you if you’ve paid for firewalls and network devices, all those vendors provide guidelines on how to harden them. Please do follow those. But you know what? In 2023 you cannot stop here simply because all the bad guys know that this is par for the course and so you need to think about just a few additional things. For example, vulnerability assessment, a good way to identify if patches are missing so that you can do it. All the bad guys are looking for weaknesses and so if you look for those weaknesses yourself. And that would be a good thing.

Adopt and assume breach paradigm. That means you know that despite all the defenses you laid down, at some point there is going to be a successful attack. Are you performing detection? Do you have some mechanism for response? Are you able to perform mitigation? All of these are expected outcomes of a Managed Detection & Response (MDR) service, and this would put you in the middle of that pack of gazelles. You don’t want to be toward the end, because those are the guys that get picked off.