Half a billion hacked accounts sound like an improbable number of users. Yet, when you look at the user counts of some leading websites, Ticketmaster doesn’t stand out as a target for cyberattack. After all, thus half a billion hacked accounts don’t stand out if you compare the company to the size of Microsoft 365 or Instagram.
Contrary to popular belief, small entities like consumers and small businesses are not immune to cyberattacks. For instance, a small utility provider or an individual patent law office might think they have little to offer, but are they safe?
Let us look at why there is no such thing as too big or too small.
Too Big of a Target
When looking at the cyberattacks that have made the news in recent years, you find various large-scale attacks. Millions of entries or dollars are newsworthy from the US Government’s Criminal database to the MGM Grand. Consequently, we hear about them.
The payout of these heists makes the targets especially attractive. Companies are willing and able to pay top dollar to protect their reputation and remain productive. Even if the affected companies or organizations are unwilling to pay, the secondary market often looks for the credit card data or social security numbers associated with these heists.
At the same time, the difficulty seldom increases with size. Human errors and interactions still account for the majority of data breaches. A fact that doesn’t change much with larger organizations. More employees often mean more possible targets for scam attempts.
Likewise, the after-fact risk only plateaus after a specific size. Otherwise, attacks on US Government Databases and large conglomerates would never happen. Yet, there is little difference in investigation and prosecution between the US’s most valuable company and the 5000 that follow afterward. Consequently, the risk-reward trade-offs favor attacks on the bigger and more rewarding targets.
Too Small of a Target
By the same measure, smaller targets should be safe from attacks. That was the case for the longest time. It simply wasn’t lucrative enough to attack a small business using a personalized attack. Unfortunately, AI has made it possible to send hundreds of personalized messages for a few dollars. Consequently, cybercriminals can attack many small businesses, each with a lesser chance of detection and retribution than large enterprises.
The cybersecurity stance of many smaller companies likewise enhances the likelihood of an attack. Enterprises often have dedicated IT departments and thought-out plans, including backup strategies and recovery plans. Small businesses and even some mid-size ones lack in this department. Their IT budget barely covers the essential computers, leaving nothing for backup strategies or dedicated identities.
Another issue is cybersecurity training. Most SMBs don’t invest in any. Thus, the combination of technological equipment, organizational blind spots, and governmental prosecution makes the smaller organizations a significantly less risky target.
The Human Element
Ultimately, our perception of being too big or too small comes down to human psychology and the very technical nature of cyber attacks. For most of us, cyber attacks aren’t anything we can imagine. They happen to this mythical device called a computer. Thus, we develop wrong ideas and think we are either too unimportant to be hit by it or too well prepared and protected to be a worthwhile target.
At the same time, the shame of having been hit by a successful cyberattack hinders information sharing by anyone not required to share their data. Thus, privately held companies seldom share anything beyond the bare minimum needed. Consequently, business leaders lack the perception of how common attacks are in their peer group.
Prepare Now
Ultimately, we have to accept that incidents will happen. It doesn’t matter whether our companies are big or small—someone will attack us. Thus, the only thing left for us is to prepare our organizations to face the inevitable. Well-defined identity management systems, clear backup strategies, and solid training can go a long way in turning a catastrophe into an inconvenience.
Let us get started and ensure we are ready when an attack hits us because no one is too big or too small.