Why do Small and Medium-Size Businesses Need a Cyber-Security Expert?

The big companies make the news headlines. Breaches at companies like Nvidia, Experian, and Sony were reported across the nation. However, the other 2,000 or more companies that are also hacked each year do not get a second of airtime. This is not to say that those companies were affected any less than the giants. In fact, I would argue that they were affected even more. The giant companies have resources poured into cybersecurity: incident response plans, data backups, cyber insurance, full-time security staff, and possibly even security assessments and testing, all of which work in their favor when recovering from a cyber incident. Small and medium-sized businesses may not have the budget or resources for all of those. However, this does not make a small business any less likely than a large one to be hit with cyber-attacks.

623.3 Million Ransomware Attacks in 2022 [1]

78% Increase in Ransomware Payments [2]

73% Targeted by At Least One Ransomware Attack [3]

The “I’m a small organization. Why would they attack me?” Myth

“Why me? I’m just a small company without large profit margins.” Sometimes the attackers aren’t sure who they hacked until they start digging through your data. Regardless, all companies have data that threat actors want, even if that data is only important to its owner. Companies also hold social security numbers, email addresses, contact information, customer or client information, and intellectual property, and exposure of some of these can trigger reporting requirements to government agencies. All of this is valuable information. If threat actors can gain access to your network, they can scrape credentials and resell them to others. They can sell personally identifiable information (PII) or use it for identity theft. Regardless of your company’s size or net worth, any company can fall victim to a cyber-attack.

“How can they attack me?”

There are multiple ways attackers can gain access to your network. They can purchase compromised credentials that are listed for sale on the dark web. If those credentials are reused within your network, they give an attacker a quick way to log in and authenticate. Attackers may also scan the entire internet for a specific vulnerability, which is common immediately after a major vulnerability is disclosed to the public. Phishing emails are another extremely common attack vector, allowing bad guys to compromise your employees by playing on their emotions or tricking them into doing something. These are just a few of the ways attackers can break into your network.

What to do?

In my experience, many small and medium businesses are not sure what is on their network, run older operating systems, and have immature cyber security policies. A Chief Information Security Officer (CISO) drafts the policies, procedures, and administrative controls needed to know and understand what is on the network, how best to protect those devices, how to respond to an incident, and how to report incidents or suspicious activity. The CISO also oversees software patching, vulnerability scans, and security audits. This person can help create the policies, procedures, and guidelines that frame the organization’s cyber security program and enforce industry standards and best practices. Chief Information Security Officers understand the threat landscape, understand business priorities, and know how to use cyber security as a business enabler.

The SEC also recently posted this press release regarding risk management and reporting requirements following a “material incident” at publicly traded companies. The SEC requires reporting within 4 days of a “material incident”: “The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant” [4]. These rules apply to publicly traded companies only; however, following the same guidelines, processes, and procedures would benefit private companies as well.

By having a security leader available to advise executives and train employees, an organization can manage and lower its cyber security risk and prevent bad actors from wreaking havoc inside the network. The security experts can be internal. However, for SMBs this is not feasible. The IT department is strained for time and resources: its staff are busy assisting end users with issues, repairing computers, resetting passwords, and so on. Adding security monitoring, auditing, vulnerability assessments, and incident response to their already full plate would be detrimental to their productivity.

Hiring an external party to handle some or all of those functions is best, even if it requires additional up-front costs. Third parties offer multiple pricing tiers and options covering a variety of cyber security tasks. MSSPs (Managed Security Service Providers) are organizations built specifically for cyber security requirements that can support threat detection and monitoring, penetration testing, auditing, and more. vCISOs, or fractional CISOs, are part-time CISOs who can help transform or build your cyber security program.

All organizations are at risk of an attack, but engaging cyber security executive leadership or a third-party MSSP raises the threshold a threat actor must clear to gain access. The goal is to make it as hard for them as possible while still supporting business requirements.

  1. Conner, B. (2022). 2022 SonicWall Cyber Threat Report.
  2. Unit42. (2022). 2022 Unit42 Ransomware Threat Report.
  3. Cybereason. (2022). Ransomware: The True Cost to Business 2022.
  4. SEC. (2023). SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. https://www.sec.gov/news/press-release/2023-139