In my time working in IT, one misconception has been more prevalent than any other: "We are safe because we are small." Small businesses feel shielded because they are small and not a known or big-name target. This may have been true in the early days of the Internet, but it hasn’t been for quite some time. Let’s break this down a bit. There are typically two types of attack that a smaller business can expect:
An opportunistic attack
In this kind of attack, the attacker is simply looking for anyone who has a vulnerability exposed so that they can take advantage of it. For example, a hacker scans every single IP address on the internet looking for open ports or doors to get in, and tries to identify devices in order to build what is essentially a database of computers that they can attack. There are many different ways that they can do that. In this case, your size or your brand is completely irrelevant, since they are just out there hunting. They’re not looking for you specifically; they’re just looking for anything that’s vulnerable.
A targeted attack
This is where the hacker has a very specific goal in mind for a specific person, company or brand that they’re trying to attack. Small businesses don’t typically spend a lot of money on IT security. Because of this, hackers like to target small businesses, which leave themselves more open than a larger organization that might have the resources to protect itself. And since many small businesses work and deal with larger organizations, a hacker might look at those smaller organizations as a way to get to the bigger company.
Imagine a law firm in Silicon Valley that handles most of the big tech companies there, let’s say for patents. It has all of this information in one place about all these wonderful, juicy targets. The law firm doesn’t have to be big; it just has to have the information. If you want a real-life example of this, look at the 2015 story about the Panama Papers. Millions of incriminating documents about notable people and companies all over the world were leaked from one place: the law firm that all these people use, with over 200,000 clients. That’s a great example of how going after a smaller company gets you to information about a larger target that may be valuable.
Small businesses account for the majority of the companies in the U.S., resulting in a tremendous amount of transactional and personal data transferring between parties, systems and consumers on a daily basis. This presents a rich target for identity, financial and information theft. With small businesses typically spending less time and money on security, being small actually makes them a big target.