I’m too small to be attacked.
I hear this all the time: a small company, whether 2 people or 10, thinks that because it is small it wouldn’t be an attractive target for a cyber-attack. The thing to keep in mind is that the attackers may not want to target you specifically, but to use your data to help facilitate a much larger attack.
Customers of a nationally known online shopping service receive an email stating there was an issue with their recent order. The email has all the indications that it should be legitimate, and the website it links to looks real; however, both have been faked in an effort to get you to give up personal information when you connect to the website. Sometimes it is only your logon information it is “phishing” for; sometimes it is even more personal, like social security or other banking information.
The reason these emails work is that, by sending to such a large audience and from a well-known company, someone is going to click through and give up that information. It’s a numbers game for the attackers: send to enough people and even a small percentage is a big win.
So how does that affect the smaller businesses out there? The more intimate details the attacker has, the higher the success rate. By using your data, they can target a very specific group with even more personalization, which has been coined the term “spear-phishing”.
Your data, no matter how small, becomes a tool to increase the attackers’ successes. You aren’t the ultimate target, just a pawn in the process of getting to the larger (more valuable) target.
So, no, you are not too small to be attacked. You need to do due diligence in securing your network against these data breaches, and it doesn’t have to be complex, but it needs to be thorough and multi-leveled.
A properly configured firewall at the edge of your network is the first line of defense, and this shouldn’t be a consumer grade router from your local department store. It should be a “firewall” that has several internal levels of security, port and protocol blocking, and possibly additional services such as Intrusion Prevention, Gateway Anti-Virus and Application Filtering.
Your second defense is properly configured credentials on your devices. Whether it is on each device or managed on the network by a central service, a good password policy is a must. Work backwards from your password: is there anything in it that helps determine where the password came from? Then it probably isn’t a good password.
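The “work backwards from your password” test above can be turned into a policy check that rejects passwords built from things an attacker can look up about you: your username, your company name, a year, a keyboard run, or a well-known weak password. The script below is an added example, not code from this post; the organisation words and the short common-password list are constructed stand-ins, and a real deployment would feed in the organisation’s own word list and a full breached-password list.

```python
import re

# Constructed stand-ins for words an attacker could guess from public information
# about the business (company name, town, product). Hypothetical values.
ORG_WORDS = ["acme", "acmecorp", "springfield", "widget"]

# Tiny constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Keyboard and alphabet runs that add length but no unpredictability.
KEYBOARD_RUNS = ["qwerty", "asdfgh", "zxcvbn", "123456", "abcdef"]

# Undo the usual letter-for-symbol substitutions so "Acm3C0rp" still matches "acmecorp".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})


def _normalize(password):
    return password.lower().translate(_LEET)


def check_password(password, username, org_words=ORG_WORDS, min_length=12):
    """Return a list of problems; an empty list means the password passes the policy."""
    problems = []
    norm = _normalize(password)

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    if norm in COMMON_PASSWORDS:
        problems.append("is a well-known weak password")

    # Parts of the username (j.smith, jsmith@..., first_last) that appear in the password.
    user_hits = [p for p in re.split(r"[._\-@ ]", username.lower())
                 if len(p) >= 3 and p in norm]
    if user_hits:
        problems.append(f"contains part of the username ({', '.join(user_hits)})")

    org_hits = [w for w in org_words if w in norm]
    if org_hits:
        problems.append(f"contains an organisation word ({', '.join(org_hits)})")

    if any(run in norm or run[::-1] in norm for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard or alphabet run")

    year = re.search(r"(19|20)\d\d", password)  # checked on the raw string, before substitutions
    if year:
        problems.append(f"contains a year ({year.group()})")

    if len(set(password)) < 5:
        problems.append("too few distinct characters")

    return problems


if __name__ == "__main__":
    for pw in ["Acm3Corp2024!", "jsmith_2019", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw, "jsmith") or "OK")
```

The check works on a normalized copy of the password so that swapping letters for digits does not hide the company name, while the year test runs on the raw string so that “2024” is still recognised as a year. Adding a full breached-password list to `COMMON_PASSWORDS` is the single most valuable extension.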
Your third line of defense is good anti-virus/anti-malware software. The free version that came on your PC probably has expired or will expire, so it should be something that you know is current, you know is updated frequently, and you know where to check on it or have someone else checking on it for you. There are thousands to choose from, but if you keep your selection down to tier 1 providers you will have a better managed AV solution.
Your final step is education. Teach your users: if you didn’t request the message or weren’t expecting it, don’t click on the links without further research. When in doubt, throw it out. When you think it might be legit, go directly to the vendor’s website; don’t use the supplied link. And NEVER give up personal information on a website that you aren’t sure belongs there.
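The “don’t use the supplied link” advice rests on a fact the user cannot see at a glance: the text of a link and the address it actually opens are two different things. The script below is an added example, not code from this post, that audits the links in an email body the way a mail filter or a security-awareness tool might: it flags any link whose target is outside the vendor’s known domains and any link whose visible text names a different domain than its `href`. The sample message and the domain names in it are constructed for the example; a real deployment would take the trusted domains from the business’s own records rather than from the email.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style message body (hypothetical domains).
# The visible text of the first link shows the real shop's address, but the
# href points somewhere else entirely.
SAMPLE_EMAIL = """
<p>There was an issue with your recent order. Please review it here:
<a href="http://shopexample-secure.example.net/login">https://www.shopexample.com/orders</a></p>
<p>Or visit <a href="https://www.shopexample.com/help">our help page</a>.</p>
<p><a href="mailto:support@shopexample.com">Contact support</a></p>
"""

# Domains the vendor really uses. Constructed for this example; in practice this
# list comes from your own records, never from the message being checked.
TRUSTED_DOMAINS = {"shopexample.com"}

# Visible link text that looks like an address ("www.shop.com/orders", "https://...").
_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the owning domain with the last two labels.
    A production tool would use the Public Suffix List instead (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_links(html, trusted_domains):
    """Return one finding per suspicious http(s) link: {"href", "text", "reasons"}."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are not web links; out of scope here
        host = target.hostname or ""
        reasons = []
        if registrable_domain(host) not in trusted_domains:
            reasons.append("host not in trusted domains")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("internationalised (punycode) host label")
        if _URLISH.match(text):
            # The user sees an address in the link text; compare it with where the link really goes.
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append("visible text names a different domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

On the sample message only the first link is reported, for both reasons: its host is not one the vendor uses, and the address the user sees in the link text is not the address the link opens. The help-page link passes because it really does go to the trusted domain, and the `mailto:` link is skipped as not being a web link.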