I’ve heard variations of sentiments like these way too many times:
- “I don’t need to worry about security because my business is too small for hackers to go after”
- “Hackers wouldn’t even bother breaking into my network, they’d rather go after big companies”
- “I don’t have anything of value to hackers so there’s no reason my network would be attacked”
- “I won’t get attacked because no one’s ever heard of my company so hackers wouldn’t even know I exist.”
Unfortunately, those are all invalid logic. They’re based on assumptions that just aren’t true.
The first assumption, that if a business doesn’t have valuable information like credit cards or health records no one will try to get access to their network, is false for a couple reasons:
- It assumes attackers know who has information they want and who doesn’t
- It assumes that information is the only thing attackers want
First, attackers don’t always know who has what information and so they may be willing to break into networks in order to find what they can.
Second, attackers may also be looking to break in just to have additional computers under their control to use in launching further attacks and covering their tracks.
So this assumption is a bit like saying you don’t need to lock your house because you don’t live in an upscale neighborhood so thieves would never bother with your house.
The second assumption, is that a person makes a choice to target your network based on how valuable of a target you are. The reality is that this often isn’t the case.
Sure there are cases where attackers are specifically going after a major target. However, there is also a constant assault against every IP on the Internet by automated attacks and hacking scripts. These programs are launched from attackers’ networks and from various infected (and hacked) machines across the network.
These automated attacks don’t care if your network is a big business or small, high priority or low, holds credit card data or not, they just scan for vulnerabilities and attempt to penetrate into every IP address they can.
If your network is connected to the Internet and has vulnerabilities, there’s a good chance that it will eventually be found and cracked by one of these automated scanning attacks. If that happens to you it can be costly, embarrassing, and time consuming to clean up the damage and secure your network better.
Being small doesn’t mean you’re safe from security attacks any more than saying “I’m not rich” means you don’t need to lock your house or cars.
– Weston Henry
Have you ever known someone to believe this myth? Have you ever believed it yourself?
How will this change your thinking about network security?