You wouldn’t leave the front door to your house open when you went out for the day, would you? Well, that’s the physical equivalent of not being careful with your business’s cybersecurity.
Today we’re investigating just who is a target of cybersecurity attacks, and it might not be who you think it is…
This is part two in our Cybersecurity series, which is designed to keep businesses like yours informed of today’s risks and what you can do to mitigate threats.
Defining a Cybersecurity target
What is a cybersecurity target? It’s an individual or business that is specifically chosen for an attempted attack by a ‘malicious actor’.
These malicious actors can act for a number of reasons: fraud, intellectual property theft, customer data theft, nuisance reasons, and more. There may be multiple reasons behind an attempted attack. [We’ll cover these reasons a little closer in part 3: What cyber crims do with the compromised data they uncover]
These malicious actors can be individuals, organised crime groups, anti-state actors, unscrupulous competitors, or even disgruntled insiders within your company itself!
So, the ‘who’ behind an attack is important for determining a target.
Targeted attacks in focus
When we talk about targeted attacks, we mean attacks where a specific business or individual is targeted. While in the past there have been plenty of ‘spray and pray’ attacks, where anyone is a target (think: mass-blast emails purporting to be from the bank), cyber attackers are becoming more sophisticated.
A type of attack that can net a large payoff is a spearphishing attack, where the bad guys get in through a complex social manipulation technique that usually worms its way into a company through an innocuous-looking email purporting to be from someone known to the company.
Symantec’s February 2019 Internet Security Threat Report found that “nearly one in ten targeted attack groups now use malware to destroy and disrupt business operations, a 25 percent increase from the previous year.”
Another targeted attack might occur when a cyberattacker learns you have plenty of server resources and wants to direct these towards their crypto-mining efforts (unbeknownst to you, of course!).
We chatted about the different cyber attacks that can occur in last week’s piece, so brush up on your knowledge here.
Big banks and businesses have better security practices
While hooking a huge target (like getting inside NAB’s systems and accessing customer funds) might seem like the ideal score – and it probably is – the likelihood of it happening is next to zero.
In blockbuster movies, sure, hackers are getting into all sorts of big systems: banks, power grids, top secret government agencies – however this is all overinflated imagery for the most part. It’s a plot device used to build excitement for the viewer.
In real life, these are the companies that have the most fortified cybersecurity defence systems. They have large teams of people in charge of small pieces of the cybersecurity stack, working groups to strategise about future threats, complete corporate plans including risk mitigation for each perceived threat, outside assessments by security firms, mandated governance efforts, etc. etc.
In short, it’s very hard to target these types of entities.
So who’s the Cybersecurity target, then?
Is it medium-sized businesses? Yes, medium-sized businesses can be a target. The 2018 Cisco Cybersecurity Report found that “53% of midmarket companies have experienced a breach.”
This can depend particularly on their perceived level of security. For instance, you would assume a medium-sized IT services provider would have better security practices than a chain of nurseries.
So the type of company or its core business, particularly for medium-sized businesses, is a factor that cyberattackers consider.
Who does that leave as the best target, the lowest hanging fruit to pick?
That would be small businesses. And small businesses have even higher stakes, because as Cisco says, “Smaller businesses are less likely to have multiple locations or business segments, and their core systems are typically more interconnected. When these organizations experience an attack, the threat can quickly and easily spread from the network to other systems.”
Small businesses don’t have the budget to assign considerable funds to cybersecurity efforts. They may not have anyone on the team with experience in security practices to help set up systems. Even if a professional was brought in to help out and set things up, it may have been years since this was the case.
Cybersecurity isn’t a task where you can just implement a system, or purchase a product, and you’re protected. Cyberattacks are always evolving. This means that updating needs to be done continually: patches and updates need to be performed on a daily basis.
How can small and medium-sized businesses guard against cyberattacks?
It’s important that SMBs implement security best practices that are right for their business. Not all businesses are alike, after all – you have different systems, different data assets, different types of employees, etc.
Getting a security professional to assess your business and make recommendations is often a first step towards a more cybersecure workplace.
However, as we mentioned, cybersecurity is ongoing. Taking the recommendations of an expert, if they’re not kept up to date, means that you aren’t keeping up with best practices.
Another option is to hire staff who have the knowledge to help you govern cybersecurity within the workplace. However, this may be a costly exercise, depending on your operation. Hiring a cybersecurity professional or team without knowing the skills they need can result in mishiring.
The third option is to choose a managed security service. Yes, it’s possible to outsource your business cybersecurity so you’re assured that coverage is ongoing and up to date. It’s simply another business process you can outsource, much like your customer service call centre. You’ll have to keep in mind that, like your outsourced customer service call centre, the effectiveness of the service will depend on the provider you choose.
We’ll cover this again in a little more depth later in our cybersecurity series, where we talk about what you can do to mitigate risks on the ground right now, and look at services in a little more detail.
Keep reading for more on cybersecurity, or get in touch for a security consult for your business today with A1 Technologies.