We hear it a lot. Business owners and executives, especially of smaller organizations, are almost guaranteed to recite it at least once during a conversation about backup and cybersecurity. "I'm not really worried about being breached. I don't have anything anyone would really want."
Is this actually true though? Do cybercriminals and/or attackers really not care about a given business just because they're small or don't have a wealth of information which could be considered "sensitive"? If you're guessing our answer to that question is "no" then you're right. Here are three ways even the smallest of businesses can be victimized by a cyber attack.
1. Operations Prevention
This one tends to be the most common, but also the least thought about, when it comes to ways an attacker can hurt your business. They may not care about stealing your data so much as leveraging it over you. Case-in-point: Several years ago, a small service company in northeast Nebraska was hit by a ransomware attack. Of course, this company didn't have any recent backups because the only thing they were worried about was computer failure. In fact, in our initial conversation, the owner straight-up said "I wasn't worried about cyber attacks, what would they take? my inventory of parts?".
Well, turns out that's exactly what they went after, plus their templates for purchase orders and bills of sale as well as their QuickBooks accounting file. Except, instead of stealing it for themselves, they simply made it unusable for the business and then dangled the "solution" in front of them for a price tag of over $5000 (a price that's cheap compared to what is being demanded today). Now the good news is, this particular attack didn't force the company under. It did however require hundreds of hours of work to rebuild their inventory tracking, 7 months of accounts and about a dozen different forms (the completed versions were irrevocably lost).
The moral of this story is to not think about what data may be valuable to the attacker, but to think about what data is valuable to you and how difficult life would be if it was to be lost.
2. Relational Targeting
Another popular angle for cybercriminals to take is to abuse your organization to attack your clients or even vendors. We've seen a massive uptick in this type of activity over the last 2 years and suspect the prevalence of Work from Home has had a hand in it. The premise is simple, an attacker is successful in breaching one or more accounts (email, etc)and then uses those accounts to send much more authentic looking attacks to your clients/vendors/contacts.
We've seen several instances over the past year with some of our clients employees submitting emails to us asking about their legitimacy (training helps a lot here!). The email is from a contact or client and is often times a response to a previous/older email thread. These emails contain a malware-laden attachment designed to attack the recipient.
In these cases, it's not the email or other accounts which the attack wants to comb through (although they may do that as well). It's the trust you've built up with others through that account which they can abuse to victimize 100 people instead of just you.
This one isn't as common (yet) outside of places like accounting or legal offices, or healthcare clinics but it's still a threat and a potentially devastating one. The idea is the attacker breaches your system(s) and looks for anything containing PII (Personally Identifiable Information). They then make a copy of this data, and then contact you, threatening to contact those who's information they've stolen and report you for a breach. This can potentially put you in legal hot water as businesses are generally liable for the security of their contact's information.
Blackmail information can also be about employees or even yourself so be sure to think about all aspects of information kept on your systems.
Not always as simple as you'd think
Attack vectors for cyber criminals continues to increase as do the angles they use to coerce and extort. Our recommendation is to conduct an annual business impact assessment. This helps pinpoint what areas are actually important to your organization (and thus, attackers) and how bad things would be if something happened. It can also help you focus on what areas to improve security and/or continuity which, when using this targeted approach, can help you maximize your dollars spent on risk mitigation.