How Large is Your Target? Advice for the Smallest Businesses


Most cybersecurity professionals will, at some point, try to cybersplain the importance of protection to their friends. In most social circles, many of the businesses that people work in are small businesses. Perhaps you are the owner of a small delicatessen or a dry cleaner, or you run a yoga studio or some similar individually owned operation.

Many of these small business owners will respond to cybersecurity conversations with either the resignation that they can’t afford protection or, worse, a shrug and a comment that their business is too small to be an attractive target. Both of these assumptions are flawed.

Smaller Targets Could Net Higher Yields

No target is too small for an enterprising criminal. In fact, most cybercrimes are not carried out by state actors. Cybercriminals may be stirred by a variety of motives; however, most are simply profit driven. According to one source, nearly half of the cyberattacks in recent years have targeted small businesses. Accompanying that sobering statistic is that more than half of those targets go out of business within 6 months after an attack.

While ransomware is the prevalent attack technique, it would seem that cybercriminals know that small businesses cannot afford the large cryptocurrency sums often demanded in such an attack. Instead, they use smaller, real-currency attacks, such as Zelle scams and banking Trojans, to make their money in smaller payouts but across a broader field of victims. One could assume that the prevailing logic is that there are more vulnerable small businesses with weak security, making these small targets more lucrative than large businesses with strong security. Also, the ability of a small business to pursue justice following an attack is nothing like that of a large business.

Easy, Low Cost Protection

It is not as difficult for a small organization to achieve good security as one might think. Of course, the usual easy solutions include good real-time malware protection as well as reliable online and offline backup software.

Since most local businesses cannot afford to hire an established security assessment firm, an unorthodox alternative is to get a security assessment from a cybersecurity student. Contact a local trade school or college that has a cybersecurity program, and see if any of the students would perform a walkthrough security assessment to help your business fill some of the less obvious gaps.

A cybersecurity student can help you improve your protection by assessing everything from something as simple as outdated firmware and missing security patches to website exposures, such as unnecessarily exposed DNS records. You need someone with more knowledge than you to look at your security practices and offer suggestions that help you be better than you are today. A cybersecurity student could also offer advice to your staff about online security for your business. An introductory session about security awareness can lead the staff to thirst for more.

Besides any small payment that you can negotiate, this arrangement also serves a reciprocal function: it allows a student to obtain real-world experience in performing a simple security assessment, adding to their resume and helping them start their career. You can take the assessment further and draw up a simple contract to work with the student to help implement the recommendations. You are not looking for a penetration test or a red team exercise. That can come at a much later time, and you may never need to graduate to that level of protection.

Shrinking Your Target

When you hear about small businesses, the term often refers to companies that have 100 employees; however, there are many smaller businesses that are equally vulnerable, if not more so. Whatever business you own or manage, cybersecurity must be a high priority. It is easy and affordable to shrink your attack surface to the point where you don’t have to resign yourself to the false security posture of being an unattractive target.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.