If you believe your small business doesn’t need to worry about a cyberattack, you aren’t alone. An unbelievable 84 percent of small business owners believe that a cyberattack on their company is unlikely. And that belief could seriously harm an organization.
Most small businesses believe that they can simply hide in the crowd, and that hackers will only take notice of the companies that stick out — Fortune 500 corporations and billion-dollar multinationals.
The truth is, size and scale have nothing to do with being a target for a cyberattack. Your business is just as much at risk as the big fish, and here’s why.
The Myth of Obscurity
When most people think about hackers attacking a company, they think of it like a home robbery. Thieves would rather have the good loot from mansions, not a few scraps from a tiny single-bedroom house. They’re going to target the rich neighborhoods so they can score big, and the small size of your business makes you an unattractive mark. You don’t have that many assets, so why would someone break into your system?
But that’s not how hackers approach a cyberattack. They do it indiscriminately. Much like an automated dialer, attackers run programs that step through IP addresses connected to the internet. They try one address and check whether it has an open port or an exposed service. If not, they move on to another address, and so forth, until they find a system they can exploit.
If you have any connection to the Internet, these bad guys will eventually find it. And because it’s done randomly, your server is just as exposed as the largest companies on the planet. In fact, you may be more exposed, because large companies are more likely to have a cybersecurity policy.
When hackers find a hit, they don’t have any clue whether it belongs to a billion-dollar corporation or a small five-person business. What’s more, they don’t care. Attackers can find information to exploit in either case.
A REALLY Close Call
Years ago (prior to really getting into the security and compliance space) I led the IT department at a small company. One of my people called me and said, “You need to come into the server room and see what’s going on here. NOW.”
When I got there, the server I was looking at had all sorts of scripts running and activity flashing on the screen. I asked if anyone was remoted into the machine. “No one from here,” they said. Without wasting another second, we pulled the network cable out of the server.
When we ran the analysis on the machine and looked into the logs, we could see exactly what happened, and it was eye opening.
The first scan that hit the box came out of Ukraine. Someone there scanned all of our ports and discovered which ones were open. About 30 seconds later, a group from France and a group from Venezuela came in and did targeted attacks on the specific open ports that the first scan had found. That was another 30-45 seconds, or so. Then they went quiet, and more groups came in 30 seconds later and did additional targeted attacks based on the results from the prior rounds.
It was a well-orchestrated machine that we just happened to catch by blind luck. Fortunately, we were able to preserve the state of that system. To put this luck in perspective, by the time we pulled the plug, they had only been on the machine for five minutes. In that time, there were at least 15 different groups doing round-robin attacks on the server. That was well over a decade ago, and hacking groups have become much faster, smarter, and more sophisticated since then.
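The sequence described above (one source sweeps the ports, then other sources go straight for the ports that turned out to be open) is exactly the kind of pattern a defender can pull out of firewall logs. The following is an added Python example, not code from the article: it runs over constructed firewall-style log lines, flags a source that touches many distinct ports in a short window, and then flags any other source that, shortly afterwards, connects only to the ports that scan found open. The log format, IP addresses, timestamps and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style log (not from the article): "<time> <src ip> <dst port> <ACCEPT|DROP>".
SAMPLE_LOG = """\
2020-06-01T10:00:00 203.0.113.7 21 DROP
2020-06-01T10:00:00 203.0.113.7 22 ACCEPT
2020-06-01T10:00:01 203.0.113.7 23 DROP
2020-06-01T10:00:01 203.0.113.7 80 ACCEPT
2020-06-01T10:00:02 203.0.113.7 3389 ACCEPT
2020-06-01T10:00:31 198.51.100.4 22 ACCEPT
2020-06-01T10:00:33 198.51.100.4 3389 ACCEPT
2020-06-01T10:00:35 192.0.2.9 80 ACCEPT
2020-06-01T10:00:40 192.0.2.77 8080 DROP
"""

def parse(log):
    """Turn log lines into (timestamp, src, port, action) tuples."""
    rows = (line.split() for line in log.splitlines())
    return [(datetime.fromisoformat(t), s, int(p), a) for t, s, p, a in rows]

def find_scanners(events, min_ports=5, window_s=60):
    """Sources that probe at least min_ports distinct ports within window_s seconds."""
    by_src = defaultdict(list)
    for ts, src, port, _ in events:
        by_src[src].append((ts, port))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scanners[src] = (t0, ports)  # scan start time and the ports it touched
                break
    return scanners

def find_follow_ups(events, scanners, grace_s=120):
    """Other sources that, within grace_s of a scan, hit only the ports that scan found open."""
    open_ports = {s: {p for _, src, p, a in events if src == s and a == "ACCEPT"} for s in scanners}
    touched = defaultdict(set)  # (scanner, follower) -> ports the follower hit in the window
    for ts, src, port, _ in events:
        for scanner, (t0, _) in scanners.items():
            if src != scanner and 0 <= (ts - t0).total_seconds() <= grace_s:
                touched[(scanner, src)].add(port)
    flagged = defaultdict(list)
    for (scanner, src), ports in touched.items():
        if ports <= open_ports[scanner]:  # never touched a closed port: target list likely fed by the scan
            flagged[scanner].append(src)
    return {k: sorted(v) for k, v in flagged.items()}
```

On the sample log this reports 203.0.113.7 as the scanner and 198.51.100.4 and 192.0.2.9 as correlated follow-ups, while 192.0.2.77, which probed a closed port, is left alone.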
You’ve Already Been Hacked
Small organizations tell me all the time that they’ve never had a problem before, so they don’t need to invest more fully in their security and compliance efforts. The truth is, they’ve never had a problem that they knew about. Attackers don’t announce with a bullhorn that they’ve been in your system. They don’t leave behind a calling card or a thank-you note. These aren’t the Wet Bandits from “Home Alone” that you’re dealing with.
When they attack a system, hackers break in, grab what they can, and pull it back their way. They don’t destroy the information; they make a copy of it. The last step is covering their tracks: they clean up the logs and any other traces that they were there. You may never know they were there.
Considering two-thirds of small companies were attacked in 2019, how do you know for certain that you haven’t had an issue?
Even if you discover an issue, it could be months after the fact. According to Ponemon Institute’s latest report, the average data breach goes undetected for 280 days, or nine months. Your company could have already been hacked, and you won’t know it for several more months — assuming you discover it at all.
Security Is an Investment, Not an Expense
Companies are often reluctant to invest in security and compliance because it isn’t cheap. Many executive leaders see that investment purely as a cost center. Granted, this is a time when many companies need to be frugal and watch their bottom line. There are very few businesses that can spend with abandon. They look at the costs of security and compliance, and it’s very hard to justify the spend.
If your organization possesses any sensitive data — including personally identifiable information (e.g., names, addresses, emails, phone numbers, driver’s licenses or Social Security Numbers), credit cards, medical data, and customer data — then you can’t afford not to take your security seriously.
Security and compliance aren’t merely a cost. They are among the few activities that actually protect your organization proactively. Cyber liability insurance doesn’t actively protect you from anything — it only comes into play after you’ve been attacked, and it can only disburse money IF you’ve been taking your security seriously. The fallout from a cyberattack involves so much more than finances.
No business would fail to have locks on their doors and windows. Most companies also invest in security systems for the building, even though the cost is significant. Neglecting cybersecurity and compliance is like leaving the doors and windows of your data wide open for anyone who’s passing by.
The investment that you put into security and compliance will put you in a far stronger position to live up to your responsibilities and to protect your organization and the sensitive data you’re charged with protecting.
Need to take your security and compliance to the next level? Total Compliance Tracking can help you get there. We’ll guide you the whole way and help you protect your company with confidence.