This is a common question, especially from smaller companies. Often it comes from organizations that have been told they have some vulnerability or that they need to pay for a particular security service. Usually, it’s followed by other statements such as “I’m too small,” “I don’t have anything of value,” or “We’ve never been hacked before.” While these statements may be true, they’re generally misleading because they’re founded on a misunderstanding of the motivation of attackers. Let’s break down each one of these flawed ideas:
I grew up in small-town Kansas, so I get the idea of security by obscurity. There is some security in being relatively unknown to the majority of the world. That doesn’t make you more difficult to attack, just less likely to be attacked. The entire insurance industry is built on the idea of actuarial tables that demonstrate likelihood. And if you’re a small organization, it’s easy to assume that no one knows about you.
But in reality, with the Internet, you’re not as obscure as you think you are. As soon as your systems are connected to the Internet, they become accessible, to some degree, to the entire world. And though an attacker may not target you specifically, they will use automated tools to attack millions of hosts at once. You don’t have to be known personally to represent a valuable target, which leads us to the next point.
This belief, that there’s nothing of value to steal, may be even more prevalent than the last. Many folks only consider certain types of data, like payment card data or health records, as worthy of protection. If that data doesn’t exist on the network or is sufficiently protected, then additional controls seem unnecessary. But the truth is that criminals can find a number of reasons to attack you that you may not have considered. Here are a few examples:
Regardless of the potential, sometimes people still struggle to accept the likelihood. Another comment that often comes up in those conversations is that…
This thought is insidious because the logic is clearly fallacious. We all recognize that the lack of something happening in the past doesn’t prevent it in the future. And yet human psychology classifies risk based on experience, so until we see first-hand the impact of an attack, it’s very hard to accept the potential risk. Fortunately, or unfortunately, the news is full of examples of breaches and compromises. It doesn’t take much reading to realize that without a plan, you could be next.
While we’re on the topic, there are a few other points to consider.
Scanning - The internet seems like a really big place; there are nearly 4 billion public IPv4 addresses. But it’s also very easy to scan that entire space. A number of scanners constantly scan the entire internet and catalog every host and service. If you happen to be running a service that is found to be vulnerable, you become a target almost instantly.
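As an added example (not from the original article), here is a small Python detector that reads constructed firewall deny-log lines and flags any source that probes many distinct ports on a host within a short window, which is the footprint an internet-wide scanner leaves on a small organization’s perimeter. The log format, the addresses and the thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall "deny" log lines (not real traffic).
# Assumed format: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.5 dport=22
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=198.51.100.5 dport=23
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=198.51.100.5 dport=80
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=198.51.100.5 dport=443
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
2024-05-01T10:00:05 DENY src=203.0.113.7 dst=198.51.100.5 dport=8080
2024-05-01T10:00:09 DENY src=192.0.2.44 dst=198.51.100.5 dport=443
2024-05-01T10:03:00 DENY src=192.0.2.44 dst=198.51.100.5 dport=443
2024-05-01T11:00:00 DENY src=203.0.113.7 dst=198.51.100.5 dport=22
"""

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)$")


def parse(log_text):
    """Yield (timestamp, source_ip, destination_port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def find_port_sweeps(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {source_ip: sorted_ports} for every source that touched at least
    min_ports distinct ports inside one sliding time window. Using a window
    rather than a lifetime count keeps a slow trickle of probes from being flagged."""
    events = defaultdict(list)
    for ts, src, port in parse(log_text):
        events[src].append((ts, port))
    sweeps = {}
    for src, evs in events.items():
        evs.sort()
        best, start = set(), 0
        for end in range(len(evs)):
            # Advance the window start until the window fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            sweeps[src] = sorted(best)
    return sweeps
```

In the sample, 203.0.113.7 hits six ports in four seconds and is flagged, while 192.0.2.44, which only retries port 443, is not.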
Compliance - Legal and contractual regulations have become a significant driver of security. This includes government requirements such as HIPAA, contractual relationships such as PCI, and often legal arrangements with clients. In order to continue operating, many organizations must comply with some set of standards or face crippling penalties.
Hopefully, this article has helped clarify why it’s important to consider the security of your organization. If you have questions or would like to discuss the particulars of your situation, we would love to talk further.