You know the number one excuse given for not having stronger security measures?
“Who would want to hack us?”
This is used to justify not having 2FA for everyday logons, not having a better firewall service, not having better internal security controls – everything, really. And it’s so naive and wrong.
Let’s take the most humble non-retail business you can imagine (I exclude retail because they deal with credit cards, which everyone wants to hack; any retailer who thinks they don’t have valuable information on-hand should be punished). Let’s say it’s a pest control company that only accepts cash (because again, credit cards are valuable information). Who would possibly want to hack the network of a mom-and-pop pest control shop?
For example, let’s say Pop sprays for bugs outside – not inside, just outside! – a big car dealership. If I can hack Mom’s server or email, I can get customer billing records, including information for that big car dealership. From there, I’ll have the information I need to conduct a social engineering attack on that dealership – such as calling them and pretending to be Mom, informing them that we’ll be sending invoices in the emails from now on. I then send a phony invoice, which is a phishing attempt. Because I’ve pre-engineered the phishing attempt, it’s more likely to be successful, and I can gather some good information from the car dealer.
Well, because that dealer has several fleet accounts with other large businesses. Now it’s easier for me to social engineer attacks against those businesses, sending phishing attacks (“Vehicles due for service, click here to confirm appointment”) and so on. The whole point of hacking is to go after your target with some preparation and some information in hand, convince someone to give you a little bit more information, and eventually worm your way into the actual target that you were after.
And these things do get traced back, Mr. Target HVAC Contractor. So it’s not like Mom and Pop Bugkiller won’t have zero potential for liability or concern. Which is why it’s important for everyone to be safer. Mom and Pop, for example, probably don’t have an IT department (Junior went to school for opera, and he’s pursuing girls in Paris this summer, not helping to set up a server). So they might outsource their IT needs to Office 365, for example – and if they’re smart about using 2FA, then they might be as secure as they need to be.
The point is to never accept the argument that We’re Too Small To Hack, because it isn’t true.