Is My Business Too Small to Hack?

Article Header Image

“Size Matters Not.” — Yoda

We’ve said it many times: Security is Job #1. You only need to read the business headlines to understand that the internet is a dangerous place. But the problem with headlines is that hacking, phishing, and ransomware attacks only make the news when there are millions of identity victims or a big billion-dollar company has been the target. This gives a lot of people the impression that hackers don’t attack Small to Medium-sized Businesses (SMBs).

The truth is that small businesses are attacked far more frequently than large ones and the consequences are severe. Recent reporting from Inc. Magazine cited authoritative sources that found:

  • Nearly 50% of SMBs have experienced at least one cyber-security attack.
  • More than 70% of all attacks target SMBs.
  • Nearly 60% of SMBs that are cyber-compromised go out of business within 6 months after the attack.

Let’s talk about why this is the case.

“It’s Not Personal, It’s Strictly Business” — Michael Corleone, The Godfather

Ultimately, hackers target businesses based on simple economics. They calculate and plan attacks against the softest targets with the greatest potential for return. Ten easy hacks worth $100k each can be economically better than one difficult hack worth $1 million.

It’s not “just” about money. Data has value too, even if you don’t have much in your bank account. If there is one lesson we’ve all learned from the age of the cloud and social media it’s that the data in your systems can be worth more on the open market than your entire business for the unscrupulous who know how to use it. And it is the business of hackers to know how to maximize the return on stolen data.

Want proof of the economic calculation? In 2021 a group of hackers performed a ransomware attack on Colonial Pipeline. As reported by the BBC, they were brazen enough to make a public statement saying that, rather than some social or environmental  statement, “Our goal is to make money ….”

And it’s not “just you.” There is an entire ecosystem of malicious actors who make it their business to disrupt companies for a host of economic reasons. And they might extend their animosity toward one of your customers or suppliers to your business. You can’t afford to be the weakest data security link in the supply chain.

This brings us to the “Bear Joke.”

Put On Your Running Shoes

Two men are walking in a forest. Suddenly, they see an angry grizzly bear preparing to charge. The first guy stopped and quickly put on his running shoes.

“What are you doing!?” said the other man. “Do you think you can out-run that bear?”

“I don’t have to,” he replied. “I just have to run faster than you.”

It’s an old joke, but it makes the point. Criminals are the same whether they are hacking websites or mugging tourists on the street. A guy who is walking down a dark, unfamiliar street unaware of his surroundings is more likely to be attacked than the guy walking a well-lit street looking in every direction. This is true no matter how much each man has in his wallet.

A hacker is not likely to take the time to run a Dunn & Bradstreet report on your business in advance. If you are the softest target the hacker comes across today, your servers and sites will be attacked. It’s what criminals do. Don’t be the softest target.

The Practice Hack

So-called “ethical” or “white hat” hackers have set up fake target sites and servers to practice on and learn new technologies. They even sponsor contests like ”Capture the Flag” events to test their skills and speed against other hackers.

Malicious “black-hat” hackers need to practice for the same reasons. They create automated bots that patrol the internet looking for sites and servers that they want to practice against — sometimes generally, sometimes in preparation for a specific target. So, even if you believe that your business is too small to hack or that your customer data is not valuable enough to warrant concern, if your site is built using a technology that a hacker wants to practice against you could be collateral damage.

And if the hacker makes a few bucks off of the effort in the process, even better for them.

And remember that it is not just the host, platform, or operating system that hackers practice on. Even the most basic business website utilizes apps, widgets, and code called from services like Github. Your site might be pulling fonts from one of dozens of third-party services. The images might be stored on a separate device. Your site might integrate with MailChimp, Hubspot, Privy, or another one of hundreds of marketing tools. There might be an integration with your accounting package.

Each and every one of these items is a potential attack vector and a hacker may want to practice against any one or combination of these apps and services in order to chase bigger game later.

Hack One, Get Two Free

Sometimes the relative size and value of a business doesn’t matter at all.

What if a burglar spent months preparing to rob a huge mansion. To do that, he had to find a way around their electronic alarm. Eventually he does and successfully robs the mansion. What would he do next?

If you were that burglar, you would do it try to locate every other house in town with the same alarm system because you are now an expert at breaking into those houses. You can get in and out and make a quick buck. This is what hackers do. Remember, hacking is a form of organized crime. One hacker figures out how to break into a system successfully and then uses that knowledge again and again to maximize the return. There is even an entire secondary market where the new hacking tools are shared and sold so that other hackers can cash in too.

The biggest hack of 2020 — and what we think will end up being one of the largest data compromise events ever — was the SolarWinds supply chain compromise. Hackers managed to crack into one small window of a service that was integrated with other applications. Learning how to do that took a long time. But once they had it figured out, they needed to maximize the return as quickly as possible. Many sites remained open and without critical patches and updates. This lead directly to the compromise of thousands of websites and servers for businesses of all sizes across the industrialized world. That one hack gave teams of hackers access to email servers, collaboration tools, databases, and more at nearly zero marginal cost in time or effort. For them, hacking all those additional servers and sites was like bending over to pick up dollars laying on the ground.

Conclusion — There's No Such Thing As "Too Small to Hack"

We still hear — far too often — that businesses believe that their sites and servers are “Too small to hack.” Not only is this demonstrably not true, the consequences of ignoring system security can be dire.

We’ve been helping businesses protect their websites and data for more than a decade. If you want to talk about the security of your website, data, and systems or schedule a security audit, just give us a call. We are always happy to help.

Links and Resources

We’ve published several white papers on security best practices for business websites. You can find them here:

This is our recent article on “The Hidden Security Risks of Dirty Website Code:”

In our review of 2020 we discussed “Systemic Global Network Rick & Vulnerability” as the biggest story of the year, including the SolarWinds compromise:

The article in Inc. Magazine citing the national Security Alliance statistics:

The article from the BBC mentioning the economic reasons for organized crime hacking: