When it comes to cyberattacks, you’re never too small to be a target
Back in 2008, there was a popular saying that certain financial institutions were “too big to fail.” Nowadays, there is a similar belief that most small businesses are “too small” to be targets of cyber attacks. This is a dangerous fallacy.
The recent Colonial Pipeline Ransomware attack got me thinking about the vulnerability of our nation’s infrastructure, and how small businesses can often be a tempting back door for cyber gangs to create mammoth amounts of havoc..
In fact, the worst known hack into the nation’s power system involved attacks on hundreds of small contractors. One such company was All-Ways Excavating USA of Oregon.
The Russian-orchestrated cyberattack on the 15-person company near Salem, Ore., which works with utilities and government agencies, was an early thrust in the worst known hack by a foreign government into the nation’s electric grid.
Rather than strike the utilities head on, the hackers went after the system’s unprotected underbelly—hundreds of contractors and subcontractors like All-Ways who naively thought they had no reason to be on high alert against foreign agents.
From these tiny footholds, the hackers worked their way up the supply chain. Some experts believe two dozen or more utilities were ultimately breached.
At Net Compliance Solutions, we know there is no such thing as a company too small to be hacked, but this is a difficult perception to overcome.
These small contractors were targets of value to the Russians. Two of the energy companies that were targeted build systems that supply emergency power to Army bases. All-Ways Excavating is a government contractor and bids for jobs with agencies including the U.S. Army Corps of Engineers, which operates dozens of federally owned hydroelectric facilities.
Federal officials say the attackers looked for ways to bridge the divide between the utilities’ corporate networks, which are connected to the internet, and their critical-control networks, which are walled off from the web for security purposes.
In March 2018, the U.S. government released a report that pinned responsibility for the hostile activities on “cyber actors” working for the Russian government, saying they had been active since at least March 2016. Last fall, All-Ways Excavating was again hacked.
And now, industry experts say Russian government hackers likely remain inside some systems, undetected and awaiting further orders.
The moral of the story being, if you think your business is too small or too obscure to be a target for cyber crime, you’re not the only one. In fact, there are criminal gangs counting on it. If you want to learn more about cyber security and how to protect your company’s interests, email Net Compliance Solutions at info@trustncs.com. Or give us a call at (855) 879-2373.