“My business isn’t big enough to attract the attention of hackers.”
If this is something you’ve said to yourself of late, take note that you’re not the only one. The majority of small to midsized companies just don’t believe they are big enough or have data that is valuable enough for hackers to want to get into their systems.
What these companies don’t know, however, is that sometimes the hackers aren’t after their data. In a recent New York Times piece, “mom-and-pop” shop Cate Machine & Welding provides a clear example of how—and why—hackers want to target small and midsized companies.
The story profiles the company, which is based in rural Belleville, Wisconsin, as they discovered that an old computer in their back office was being used by Chinese hacker group Codoso to plan and stage attacks against more profitable targets.
The Cates might never have known their back office was a launch point for cyber attacks but for the fact that threat intelligence startup Area 1 had traced a number of attacks on larger companies to the back-office computer. That’s because Codoso wasn’t after the Cates’ data. They were after a quiet, nearly undetectable launch point.
According to the New York Times piece, “many attacks rely on a tangled maze of compromised computers including those mom-and-pop shops like Cate Machine & Welding. The hackers aren’t after the Cates’ data. Rather, they have converted their server, and others like it, into launchpads for their attacks. These servers offer the perfect cover. They aren’t terribly well protected, and rarely, if ever, do the owners discover that their computers have become conduits for spies and digital thieves. And who would suspect the Cate family?”
The Cates’ experience isn’t uncommon, and their tale should be cause for concern among small and midsized business owners. Verizon’s 2016 Data Breach Investigations Report suggests that in 80 percent of breach cases, victims didn’t find the breach for weeks or months—and even then, only when a third party discovered signs of a data breach.
For the Cate family, the breach may not have had a direct impact on their business or revenue, but they were nonetheless unwilling—and unwitting—participants in an attack infrastructure that targeted everything from law firms to airlines, universities and private businesses around the country. Those companies almost certainly felt an impact.
So what does an experience like the Cates’ mean for your small or midsized business? In short: you’re probably more vulnerable to a hack than you think.
Infections that allow your in-house equipment, like dusty back office computers, to become launch points often occur either because you have lax cyber security protection or employees who have unknowingly clicked an infected hyperlink (either in email or on the web). A gateway is thus opened to hacker groups, who can then either use your systems as attack launch points or sneak in and gather important data—say, for example, your employees’ social security numbers.
If you’re concerned about infection, the best course of action you can take is to schedule a proactive evaluation of your network and follow up with the remediation recommendations offered by an assessment. If you’re interested in learning more about how we can help you evaluate your threat risk, contact us here to get started.