Why security isn’t just a big company thing

Recently, a colleague told me that, at a party with a group of friends, they concluded that instead of asking a “pretty woman” to dance or talk, it was better to approach a “less attractive woman”: the probability of being rejected by a “pretty woman” was high, whereas with a “less attractive” woman the chances of success were higher, both because beautiful women were fewer relative to the total number of women present and because every man (or woman) in the room would have “the prettiest woman” as their main objective. He started from this idea, not to open a sexist debate or anything of the sort, but to use it as an analogy. In the business world, there are “beautiful women” and “less beautiful women.” From a security perspective, however, we make the mistake of thinking that the duty of protection and the threat of cyberattacks only concern large companies (the beautiful ones), and that medium-sized, small, and micro-sized businesses (the less beautiful ones) are less likely to be affected, supposedly because they are less conspicuous to adversaries and criminals and because they don’t require a higher level of protection.

This happens because, when it comes to information security and cyberattacks, unless the observer is part of the affected company, news and media coverage of an attack appears mainly when it involves large, well-known companies. But let’s remember that every large company started as a smaller business; many of them started in a garage.

And it turns out that while many security professionals and business leaders don’t prioritize the “less attractive” companies, because doing business with, working for, or protecting large companies is more tempting, more profitable, or seen as the focal point, the adversaries and criminals who have those smaller companies within their scope of analysis identify them as unattended and therefore as a good point of attack with a greater probability of success.

For an attacker, designing an attack against a large company may require greater sophistication, given the nature of its security controls, than an attack of similar scale against a smaller company. For example, a ransomware attack on a company with network segmentation and an isolated backup system forces the attacker to work harder to encrypt production data and also reach the backups. The same attack against a company running on a home-style Wi-Fi network with no backups, or with backups that sit on the same network as production, can end with both the production data and the backup data (if it exists) encrypted.
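To make the segmentation argument concrete, here is an added example (not code from the original post) that models the two companies as network segments and computes the blast radius a ransomware foothold on one workstation would have. The topologies, host names and segment names are constructed for illustration; the model only considers which segments are allowed to initiate connections to which, the way a firewall policy would, and treats every host in a reachable segment as exposed. It generalises the post’s two cases to any segment map you give it.

```python
from collections import deque

# Constructed topology 1 (assumption, not from the post): a single home-style
# Wi-Fi where every device can talk to every other, and the backup NAS sits on
# the same segment as production.
FLAT_NETWORK = {
    "wifi": {"wifi"},
}
FLAT_HOSTS = {
    "laptop": "wifi",
    "file-server": "wifi",
    "nas-backup": "wifi",
}

# Constructed topology 2 (assumption): three segments. Workstations may reach
# servers, servers may only talk among themselves, and the backup segment
# *pulls* from servers; nothing is allowed to initiate a connection into it.
SEGMENTED_NETWORK = {
    "workstations": {"workstations", "servers"},
    "servers": {"servers"},
    "backup": {"servers"},
}
SEGMENTED_HOSTS = {
    "pc-01": "workstations",
    "app-server": "servers",
    "backup-01": "backup",
}


def reachable_hosts(network, hosts, start_host):
    """Breadth-first search over segments: every host in a segment that the
    compromised host's segment can (transitively) initiate connections to is
    considered within reach of lateral movement."""
    start_segment = hosts[start_host]
    seen = {start_segment}
    queue = deque([start_segment])
    while queue:
        segment = queue.popleft()
        for next_segment in network.get(segment, ()):
            if next_segment not in seen:
                seen.add(next_segment)
                queue.append(next_segment)
    return sorted(host for host, seg in hosts.items() if seg in seen)


def blast_radius_report(network, hosts, start_host, backup_hosts):
    """Summarise what a foothold on start_host exposes and whether at least one
    backup host stays outside the blast radius (i.e. recovery remains possible)."""
    reached = reachable_hosts(network, hosts, start_host)
    backups_at_risk = sorted(set(reached) & set(backup_hosts))
    surviving_backups = sorted(set(backup_hosts) - set(reached))
    return {
        "foothold": start_host,
        "reached": reached,
        "backups_at_risk": backups_at_risk,
        "recoverable": len(surviving_backups) > 0,
    }


if __name__ == "__main__":
    for label, net, hosts, backups in (
        ("flat home Wi-Fi", FLAT_NETWORK, FLAT_HOSTS, {"nas-backup"}),
        ("segmented", SEGMENTED_NETWORK, SEGMENTED_HOSTS, {"backup-01"}),
    ):
        report = blast_radius_report(net, hosts, "laptop" if net is FLAT_NETWORK else "pc-01", backups)
        print(f"{label}: reached={report['reached']} "
              f"backups_at_risk={report['backups_at_risk']} recoverable={report['recoverable']}")
```

The flat topology reports the backup NAS inside the blast radius and `recoverable` as false, which is the post’s second company. The segmented topology keeps `backup-01` out of reach because only the backup segment is allowed to initiate connections, so a foothold on a workstation cannot follow a path into it. Adding `"backup"` to the `servers` entry reproduces the post’s “backups accessible on the same network” case and flips the result.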

The bad news is that both companies, each with its own set of controls, can still be hit by the attack. Regardless of a company’s size, there is no absolute guarantee of protection, but the first company, having gone a little further with its controls, is more likely to handle the incident well. Some might object: in the second case security measures were still implemented, so what more is expected of us as smaller companies?

In this case, what these companies should do is stop thinking that it won’t happen to them and that they won’t be the target of an attack. They should also learn about security and seek advice, from internal or external personnel, on the best way to implement controls. In the 21st century, information security is no longer optional for companies; it is an obligation.

I have known companies that are not classified as large and that were victims of this type of attack with inadequate security measures in place; the solution ended up being to rebuild almost from scratch. Only then did they become aware and allocate resources, according to their capabilities, to implement controls that reduced the likelihood of being exposed to the same incidents or gave them greater recovery capabilities. However, some companies, even after going through these situations, still fail to recognize the importance of allocating resources to their protection.

This is also why implementing security measures is associated with large companies: they have more resources. Medium-sized, small, and micro-sized businesses, in various circumstances, don’t usually consider implementing security because their main concern is obtaining the resources to operate and, in many cases, to survive day to day, which makes security an add-on or a luxury.

The problem with the above is that we normalize the idea that security isn’t within every company’s reach and that not every company is responsible for protecting the data it holds.

That data belongs to clients, users, and consumers. Part of the commitment and responsibility that companies take on when selling products and services, in return for the profit they obtain, is to perform due diligence in protecting that information within their operational, human, and economic capabilities.

Therefore, security is not just a matter for large companies; it is a matter for companies regardless of their size, industry, income, location, or any other factor, and it is the responsibility of entrepreneurs to implement it whatever the circumstances. This is even more true today, when information technologies geared toward digital transformation are being adopted more and more, with the integration of tools such as artificial intelligence, e-commerce, and the widespread use of social media for business.

These technologies allow companies to improve productivity and customer engagement, but they also give attackers additional attack vectors against companies, especially those that still believe information security does not apply to them and use their size as an excuse for not implementing it.
