One of the excuses which companies use for not being proactive in providing adequate security is “I have nothing of value.” Although this excuse is expected for smaller companies that may have difficulty raising the funds required for an effective defence of the company, the view is understandable… but also fundamentally wrong.
In a society where people pay for almost everything on credit and debit cards every company that provides this service is a potential target. To cite a recent example, the American restaurant chain Arby’s was hacked and over 350,000 credit and debit card accounts may have been impacted by the breach. This was a restaurant chain, albeit a large one. Certainly not an industry holding billions of pounds, or state secrets, but it was a tempting target just the same. In this regard smaller companies are an even more appealing; Arby’s is a large company which should be able to afford the most up to date security measures, a smaller company will not have the same level of protection and may be easier to breach. The data that was taken from Arby’s included compromised customer card details, companies in other industries will possess further information which will be attractive to cyber criminals. A car retailer’s database for instance, will have payment details, personal addresses and insurance details.
All of this information is extremely valuable to hackers who will use it to enact e-scams and fraud using information to create convincing emails to facilitate their criminal enterprises. Smaller companies possess all this information and (for the most part) older, less capable security measures. It is obvious that smaller companies will actually provide a far more tempting target, not only for information but to gain access to larger companies as part of the supply chain. A strategy cyber criminals have developed is to infiltrate smaller supply companies to gain access to the larger company at the top at the supply chain. Therefore, to say that you have nothing of value is erroneous because what is most valuable may be your relationship in the first place.
In conclusion, it is obvious that smaller companies have to be as vigilant if not more so in their defences. Should a breach be discovered and the route to the final breach lead back to a smaller company- the reputation and business of the small concern that hadn’t bothered to secure its IT systems (with inadequate processes and neglectingto have any real policies) would be in tatters.