Scenario #1

So, you work in a large or enterprise-sized company on the IT team. You have an enormous budget and feel that you've got everything in place to keep you out of the hacker's line of fire. You have all the big-brand security solutions in place. You have a dedicated IT team focused on security, and an entire team devoted to procedural security and compliance. You have 24/7/365 monitoring in place and are paying dearly for it. On paper, you've done everything right.

Scenario #2

You work for a small or mid-sized company where the budget is tight, but you do what you can. You have some security basics in place, inherited from the last IT guy. It's a family-owned business, so you might even be working with the owners' children, siblings, cousins or distant relatives. It's a cozy company that you believe is too small and unimportant to be on any hacker's radar.

What do these companies have in common? Both are at risk of attack, for different reasons.

For the past 24 years we have had the pleasure of working with companies of different sizes, some as large as 45,000 employees and some as small as 2 or 3 people. We've worked in practically every industry, spanning three continents. We've seen it all. So, what's my point, and why am I bringing this up?

Size doesn’t matter to a hacker.

Let's first talk about large and enterprise corporations and the security risks they face. What makes these giants just as much at risk as a smaller company? Why do they fall victim to breaches?

Attack Surface

Large companies are unique in that many have multiple departments that function independently of one another. Each department or division supports the overall company and contributes to its success. A common problem arises when there is no unified approach or agreement on the direction of security, or on how important it is, from one division to the next. Sales or marketing doesn't think about security the way the IT department does. HR, middle management, production, warehouse, field operations, part-time employees, casuals and temps rarely think of security as one of their own risks at all. And that is the problem at a single site.

Now consider the same company with many locations, in-country and out-of-country. Now you have communication issues and different leaders with very different ideas about security, managing their departments just out of reach of Head Office. You may have cultural or language barriers to overcome, equipment supply issues, and/or budgetary constraints in certain countries. There will be knowledge gaps and limited access to qualified people. To a hacker this is a huge attack surface: so many variables, and so many opportunities to exploit.

Technology blunders

Now let's talk about technology. In a larger company, where budget is less of a concern, a lot of money is spent on the best security solutions the budget can afford, and sometimes on multiple solutions that serve similar purposes. They put a ton of faith in the technology, assuming it will make them secure.

Often, the first solution they buy is the one with the best marketing. It may be at the top of Google, or the vendor may be the biggest sponsor with the largest booth at the security conference.

Many purchase this equipment and have the vendor "set things up" for them and validate that it's working as it should, while others, with more confidence, set up the new application themselves, alongside the dozens of others they already have in place collecting technological dust.

What’s the problem?

Simply speaking, a skilled hacker doesn't care what brand you buy or what technology you have in place. They only care whether it is set up properly or not, because a properly configured security solution deters a hacker quicker than anything else. Sadly, that is rarely the case. On a weekly basis my team is poking holes through very elaborate and complex technologies, much to the dismay of the manufacturer or the person who bought the solution.

In fact, one of my team admitted they don't even look at the firewall, or care what brand of EDR, XDR or MDR the customer might have in place, as they can nearly predict that it will be misconfigured due to some hasty vendor or manufacturer setup, or an overzealous IT person who wanted to take on a challenge and do it themselves.

Why does this happen?

Overmarketing, overpromising, human error, and blind faith in technology. Security companies that are cashed up pummel the marketing channels with their solution, knowing that someone is going to drink the Kool-Aid. The same companies make bold claims about their solution's capabilities, often suggesting that their product will perform multiple functions and eliminate the need for other solutions, which are likely their direct competitors.

Human error plays a big role in the insecurity of many companies, because the people setting the solution up are rarely trained to do so properly. They may be hesitant to take on the responsibility, but they have been handed the duty by their peers and feel they can't refuse, and then they are in way over their heads. They are probably overworked already, and this is one more duty they must perform.

The last one is probably the one we see the most: the person or persons who purchased the security solution truly believe that it will work flawlessly and defend their infrastructure from attack with little else in place. They wouldn't second-guess it.

Now let’s address a smaller sized company.

I recently wrote a blog called Why hackers target SMB's, which I highly recommend reading. It goes into more detail than I do here.

The main problem with smaller companies is that they assume they are off the hacker's radar simply because of their size or because of what little they think they have of value.

Bluntly speaking, another problem is that they don't take security seriously. They may be a family-owned business that feels safe from attack. Work is casual, and so is the environment! Everyone knows each other's birthdays and treats one another on special occasions. They break bread together and talk about the family vacation they are going to take this year. There is just no reason to fear the worst, because those incidents always happen to other companies, the ones with something of value, and SMBs assume that they have nothing worth taking.

Due to budget constraints (or lack of fear) they don't have many security measures in place. They may be using Hotmail for their corporate email accounts. They might be using their own laptops, loaded with unprotected corporate information, that they also use at home and on vacation. VPN is like a four-letter word and 2FA is a nuisance. They may have built their own website using the amateur talents of friends or family who did it on the cheap with WordPress.

SMBs are often overlooked by security vendors.

Due to vendor license restrictions, many SMBs do not meet the user counts that security vendors require to qualify for discounts and the like. Many of the security products or solutions on offer are cost-prohibitive, leaving the SMB with fewer choices.

By now you may see where I am going with this blog. Companies of both sizes are making mistakes that keep the hackers hacking and coming back for more. So, what can be done? What can companies of either size do to minimize their exposure to risk and prevent a security incident?

There is no silver bullet, but with careful research and planning, improved communication, implemented policies, and validation, you can substantially elevate your security, whether you're a large enterprise or an SMB.

Check back next week to read part 2, where I offer some advice on how to mitigate risk in both the large enterprise and the SMB environment. As always, we are here to help. Reach out for a no-cost, no-obligation discussion today!