‘Cybersecurity by obscurity' isn't good business strategy

Commentary

David Trepp, partner in BPM's Information Security Assessment Services practice, was founder and CEO of Info@Risk, a leading comprehensive penetration test firm. Trepp has worked in information security with commercial, health care, government, financial, utility, law enforcement and nonprofit organizations since 1998. To learn more, visit bpmcpa.com/cybersecurity or contact David directly at DTrepp@bpmcpa.com.

Cybersecurity Conference

Wednesday, Sept. 13, 2017, 7:30–10 a.m.

DoubleTree Hotel by Hilton Sonoma County, 1 DoubleTree Drive, Rohnert Park, California

More coverage of cyber crime: nbbj.news/cyber

Until recently, small- and medium-sized businesses have not been specifically targeted by hackers and could avoid cyberattacks by simply employing the concept of “security by obscurity.”

If your business was not large, or in a politically charged industry, then it was generally safe from targeted cyberattacks. But those days are over.

Here are a few reasons why the size of your organization no longer matters.

First, the prevalence of criminal ransomware attacks (where the attacker encrypts the victim's data and then extorts a payment to decrypt it and make it accessible again) has proven to be profitable for attackers against businesses of all sizes. In many cases, attackers don't even know who they've successfully encrypted, and they don't really care. If the cyber criminals can encrypt your hard drive's contents, and you're willing to pay to get the drive decrypted, then your business is big enough for them.

Recently, during the course of the well-publicized ransomware attack against Hollywood Presbyterian Medical Center (see https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/), it became clear that the bad guys didn't even know they were attacking a hospital. Many other examples of small to medium-sized ransomware attacks quickly followed. This type of indiscriminate attack undermines the whole concept of small business cybersecurity by obscurity.

Next, foreign nation-state sponsored attackers, e.g. the Syrian Electronic Army or the Digital Caliphate, are targeting absolutely every commercial entity they can identify operating within the United States. Until a few years ago, their efforts primarily focused on government, law enforcement and utilities, but not anymore.

As those primary targets have hardened their cyberdefenses, attackers have moved down the food chain to smaller entities – and these foreign nation-state attacks are often covert. Foreign-sponsored entities such as the Lazarus Group, which is believed to be sponsored by the North Korean government, are not interested in holding your company for ransom or monetizing your sensitive data. These types of attackers simply want to place dormant logic bombs on your business network that remain inactive until receiving a “go” sign, at which time all the bombs will launch at once, with the intention of crippling our nation's communications infrastructure.

Or maybe a foreign government sponsored entity just wants to enlist your company's network equipment into their “botnet” army. By turning your network gear into an automated zombie awaiting orders, your company may become part of a much wider attack against a third party, such as a hardened government agency. The fact that your business is small or medium-sized acts as no defense against this type of attack.

Finally, your small to medium-sized business now faces the challenge of attackers with staggering computing resources at their disposal. Until recently, a decent password protecting remote access to your business was sufficient, because cracking passwords requires significant computing power. Attackers wouldn't bother targeting the small guys, because the cost of all those computers was prohibitively expensive given the limited return on investment.

Now that password-cracking processor cycles can be rented for pennies a minute from Amazon Web Services and similar cloud vendors, attackers can cost-effectively launch password cracking breaches, and similar automated attacks, against business entities of all sizes.

Tactically speaking, avoiding ransomware attacks involves imposing strict prohibitions on inbound email attachments/links and performing frequent, offline backups. Defending against logic bomb and botnet threats requires up-to-date patching of network gear and hardening of weak vendor default configurations.

Avoiding password-cracking attacks against remote access services demands long (i.e. longer than 12 characters) and strong (i.e. not just dictionary words without substitutions) passwords – we recommend passphrases, which are long, easy to remember and surprisingly easy to type. These tactics alone will not protect you against targeted attacks, but they are a good starting point.
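As an added illustration (not part of the original commentary), the following check applies the two password rules stated above to candidate passwords: longer than 12 characters, and not merely a dictionary word, even when padded with digits or symbols or disguised with the character substitutions that cracking tools try automatically. Multi-word passphrases pass both rules. The small dictionary is a constructed stand-in for a real wordlist.

```python
import re
import string

MIN_LENGTH = 13  # the article asks for "longer than 12 characters"

# Constructed stand-in for a real dictionary or cracked-password wordlist.
DICTIONARY = {"password", "summer", "welcome", "sonoma", "business",
              "correct", "horse", "battery", "staple", "dragon", "letmein"}

# Character substitutions that cracking rule sets apply automatically, so a
# word that only differs from a dictionary entry by these is still weak.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def core_word(candidate):
    """Strip the digits/symbols people pad onto a password ("Summer2017!",
    "!!Welcome1"), then undo substitutions in what remains."""
    stripped = candidate.strip(string.digits + string.punctuation + " ")
    return stripped.lower().translate(LEET)

def check_password(candidate):
    """Return (ok, reason) under the article's two rules."""
    if len(candidate) < MIN_LENGTH:
        return False, f"too short: {len(candidate)} chars, need {MIN_LENGTH}+"
    words = re.findall(r"[a-z]+", core_word(candidate))
    if len(words) == 1 and words[0] in DICTIONARY:
        return False, f"single dictionary word ('{words[0]}') with padding/substitutions"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample candidates: two padded dictionary words, one passphrase.
    for pw in ("P@ssw0rd2017!!", "Welcome!!!!!!!!", "correct horse battery staple"):
        ok, reason = check_password(pw)
        print(f"{pw!r:35} -> {'accept' if ok else 'reject'}: {reason}")
```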

There is a tried and true larger-scale strategy your business can employ to defend against these types of attacks. You must begin by inventorying your computing assets, identifying what is visible to the entire Internet (vs. those assets that are hidden behind your company firewall), and where your sensitive data are stored and transmitted.

Then, you must consider all of the threats against those assets, including attacks against the confidentiality, integrity, and availability of your business' key computing systems and information. Armed with the knowledge of the types of threats faced by your business, and what you're trying to protect, you can begin the process of prioritizing cybersecurity efforts in a meaningful and cost-effective manner.
