[BreachExchange] The ‘I’m Too Small to be a Target’ Fallacy

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 29 19:57:44 EDT 2016


http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-im-too-small-to-be-a-target-fallacy/

When retailer Target was hacked in 2013, the damage was so extensive that
direct costs exceeded $250 million. To its credit, Target’s external-facing
cybersecurity wasn’t too bad; the attack came through a mom-and-pop HVAC
vendor with unnecessary access to the retailer’s network.

Smaller enterprises like the HVAC company are often under the illusion that
they have no reason to be targeted by a cyberattack. Not only is this
blatantly false, as the Target example illustrates, but for firms serving
narrow vertical markets, the potential harm from such incidents is
magnified.

For instance, consider a law practice that deals almost exclusively in
mergers and acquisitions. Why would the firm need anything beyond
rudimentary security measures? After all, its network doesn’t store much
financial data, and it only maintains personal information on its several
dozen attorneys and staff.

How could it possibly be a target? Cybersecurity isn’t necessary unless
you’re a nation-wide retailer or a bank, right? Wrong. Hackers make their
bones on that very misconception.

As it turns out, if you have something worth selling, you have something
worth stealing. In the case of our law firm, the practice is at a
heightened risk of a breach because investment-savvy cybercriminals are
always on the prowl for the undisclosed details of a merger or acquisition.
One leaked email can confirm a deal is pending: a windfall for our
hacker-turned-insider-trader.

So while the data might not be as plentiful or yield the immediate returns
that information stolen from a bank might, it’s still valuable. And not
only is it valuable, but the “I’m too small to be a target” fallacy makes
it easier to steal than from a bank that spends millions on cybersecurity.

This confluence of financial motive and easy access should be alarming not
only for small firms but also their customers in the narrow vertical
markets that they serve. A medical device manufacturer that focuses on
engineering drug infusion pumps for hospitals takes care to secure
machinery schematics and other intellectual property stored on its servers,
but its interest in cybersecurity stops there.

Once the devices get to hundreds of hospitals nation-wide, the devices’
anachronistic software and security features jeopardize the lives of
thousands of patients that interface with their own drug delivery machines.

The effects of breaches on companies serving small verticals are
disproportionately severe. In the Target hack, the retailer’s sporting
goods customers were just as much affected as its electronics or clothing
customers. Fortunately for all of us, there are hundreds of retailers that
can sell us those products. But when it comes to medical device
manufacturers that can produce and sell internet-enabled drug infusion
pumps at scale, the number shrinks considerably.

Therefore, a serious breach at such a company can send shockwaves through
the narrow vertical market that it serves, putting a strain on the crucial
but often-overlooked gears that drive the modern economy forward.

Fortunately, firms serving niche markets can take concrete, actionable
steps to protect themselves and their customers:

INCENTIVIZE CYBERSECURITY

Target has billions of dollars in annual revenue, and it can afford its own
robust IT and security departments. Most of the companies we’re talking
about don’t come close to that, so incentivizing adequate cybersecurity –
through tax benefits or even regulation and non-compliance fines – can help
smaller enterprises afford, at the very least, a cybersecurity partner that
has the expertise and scale necessary to improve security and resiliency.

THREAT INFORMATION SHARING

While the idea of sharing information with competitors is an unnatural one,
intra-industry intelligence sharing on cyber threats unique to a particular
type of vertical has proven effective at forestalling attacks while
fostering trust. Medical device manufacturers and hospitals, for instance,
should share threat information and best practices so that the producers
can build necessary security features into their next generation of
products that are responsive to the actual attacks that the hospitals are
seeing daily.

CULTURE REEVALUATION

A firm serving a small market will typically be small itself. A clerk at a
Fortune 500 company probably can’t forward a phishing email to his CEO, but
at a small device manufacturer, it’s more likely than not. That means it’s
incumbent on every employee to be diligent, exercise good cyber hygiene,
get educated, and stay up to date.

INSURANCE

A final step in mitigating the cyber risk to firms serving crucial narrow
vertical markets is to simply pass off the risk to an insurer. Insurance
companies are increasingly getting into the cyber insurance market, and for
good reason. Without some indemnification, a serious breach at a small firm
could lead to insolvency and send ripples through the narrow market it
serves. A little bit of coverage protects not only the company but also the
larger economy.