“Hackers and Cyber criminal groups target small companies”...You have probably heard or read about something similar before. And of course there’s a reason for it.
While corporations and big companies have the budget for investing hundreds of thousands of dollars in cutting edge technologies for cyber defense, it has always been said that small businesses (or even mid size ones) just doesn’t have the kind of money for defending against advanced persistent cyber-threats...Hence cyber criminals taking advantage of this by using advanced hacking tools against them.
But during all my years of experience working with big and small companies as a cyber security consultant, let me be the first to tell you that such idea isn’t true!
While is true that hackers and cyber criminals may rather using advanced techniques against less defended targets, the notion that small businesses are doom when facing a cyber attack is false!
But if that’s so, why having any of those advanced cyber security solutions? That’s a fair question and it does beg for some explanation...
The idea behind this comes from some of the core concepts of cyber security; least privilege and attack surface, both proportionally equal to flexibility.
The more system privilege is given the more flexibility exists and thus the bigger the attack surface. The greater the attack surface the more entry points available.
Companies offering cyber security solutions have to deal with this proportion all the time, as they have to offer not just security to their costumers, but also great flexibility. And in term, such solutions should defend a very ample attack surface.
I’ll give you an easy example; smartphones offer great flexibility, some may argue even more than certain PCs or Laptops, but in return offer an insanely big attack surface. And in consequence developing a set of solutions for defending such device from each and all attack vectors is quite expensive (secure smartphones cost around $2500.0 USD).
With this idea in mind, one of the biggest mistakes I have seen small companies doing when they find themselves under a cyber attack, specially when these are persistent, is attempting to operate with the same level of privilege and flexibility as high executives in corporations (sometimes even more), while not counting with a fraction of the budget for implementing cyber security solutions that can properly defend the great attack surface that they have exposed themselves to.
Doing such thing is a fast lane for first allowing the attackers to keep hitting your company and second, never get enough control for allowing sales to recover...This is a very common situation in businesses whose major revenue comes from online sales.
But again, this shouldn’t be mistaken with the idea that there aren’t security solutions that can protect small companies enough so they can operate and recover. And most importantly defend against a persistent cyber attack..
Rather, it means that a small business, specially one whose revenue is in peril, should take a minimalist approach to what is needed to function as a business, work with costumers, marketing and sales.
Or in other words, with the least system and network privilege as possible.
So once that first process is finished, it can escalate to a more flexible set of solutions.
Actually this has been the approach that we have taken to help small companies who find themselves fighting advanced cyber threats and that has helped them to successfully recover.
Of course a concept such as being “minimalist” in terms of system and network infrastructure needed is easier said that done, as they are many ways to go about it.
For further information about cyber security and how to protect your business against advanced cyber threats please visit www.taloncyberdefense.com
Talon Cyber Defense.